Intermittent Routing between Shared IP Zones
I've set up a single machine with zones for Apache and mail services which use the global zone's external data link. I've set up the zones as shared-IP zones:
zonename: apache
net:
    address: 192.168.0.1/24
    physical: bge1
    defrouter not specified
zonename: mail
net:
    address: 192.168.0.2/24
    physical: bge1
    defrouter not specified
The zones have their routing set up in the global zone as such:
route add public apache -interface
route add public mail -interface
And the global ifconfig is as such:
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone mail
        inet 127.0.0.1 netmask ff000000
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        zone apache
        inet 127.0.0.1 netmask ff000000
bge1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet XXX.XXX.XXX.XXX netmask fffffff8 broadcast XXX.XXX.XXX.XXX
        ether 0:23:8b:aa:15:6b
bge1:1: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        zone mail
        inet 192.168.0.2 netmask ffffff00 broadcast 192.168.0.255
bge1:2: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        zone apache
        inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
The global zone is configured with NAT to map and rdr between the global IP address and the zones' local IP addresses.
The configuration works and runs OK, but I keep getting connection timeouts about 50% of the time.
I've snooped the TCP connections from the global zone, but they are going unanswered even though the zones are running and responding correctly. The ipmon log shows the same behaviour: incoming requests, but no mapped outgoing responses during the connection timeouts.
I think this might be a problem with routing between zones with shared IP, but I'm not sure what I can do to fix the problem?
I'm running Solaris 10 10/09.
Thanks,
Cam
sowmini wrote:
> The zones have their routing set up in the global zone as such:
> route add public apache -interface
> route add public mail -interface

It's not clear what "apache" and "mail" are in your example above: are these the IP addresses assigned to each of the non-global zones? (I'm assuming "public" is a subnet that you want the NGZs to reach?)
Yes, apache and mail are the local hostnames of the 2 zones running those services, as specified in /etc/hosts:
apache is 192.168.0.1/24
mail is 192.168.0.2/24
public is the subnet of the global zone's only IP address and external network.
> The global zone is configured with NAT to map and rdr between the global IP address and the zones' local IP addresses.
> The configuration works and runs OK, but I keep getting connection timeouts about 50% of the time.

What does "netstat -s -P ip" show? That may tell you where the packets are sporadically getting dropped.
Here's the output of running the command:
bash-3.00# netstat -s -P ip

IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        =8454948    ipInHdrErrors       =     0
        ipInAddrErrors      =     0     ipInCksumErrs       =     0
        ipForwDatagrams     =   152     ipForwProhibits     =     0
        ipInUnknownProtos   =   114     ipInDiscards        =     3
        ipInDelivers        =64396846   ipOutRequests       =6476680
        ipOutDiscards       =     0     ipOutNoRoutes       =   238
        ipReasmTimeout      =    60     ipReasmReqds        =     0
        ipReasmOKs          =     0     ipReasmFails        =     0
        ipReasmDuplicates   =     0     ipReasmPartDups     =     0
        ipFragOKs           =     0     ipFragFails         =     0
        ipFragCreates       =     0     ipRoutingDiscards   =     0
        tcpInErrs           =     3     udpNoPorts          =  2435
        udpInCksumErrs      =     0     udpInOverflows      =     0
        rawipInOverflows    =     0     ipsecInSucceeded    =     0
        ipsecInFailed       =     0     ipInIPv6            =     0
        ipOutIPv6           =     0     ipOutSwitchIPv6     =     0
I found this discussion on the networking forum which sounds very similar to what I'm seeing, but I've tried setting a static ARP entry for the public router and it doesn't seem to have made much difference:
Solaris Server timeouts
When all is working, the media table looks like this:
bash-3.00# netstat -pn

Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
bge1   XXX.XXX.XXX.137      255.255.255.255 o        00:0c:31:ec:1b:01
bge1   192.168.0.1          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   192.168.0.2          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   XXX.XXX.XXX.138      255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   224.0.0.0            240.0.0.0       SM       01:00:5e:00:00:00
And then every half hour to an hour, the router's entry gets dropped and the table is flushed before being re-created:

Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
bge1   192.168.0.1          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   192.168.0.2          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   XXX.XXX.XXX.138      255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   224.0.0.0            240.0.0.0       SM       01:00:5e:00:00:00
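An added check for the symptom in the two tables above and for the "netstat -s -P ip" counters asked about earlier in the thread; this is example code written for this page, not anything Cam or sowmini posted. It is a POSIX shell script (run it under bash, as in the prompt shown above, or /usr/xpg4/bin/sh; Solaris 10's /bin/sh is not POSIX) with two functions: arp_gateway_state reports how the router's row looks in a "netstat -pn" dump, and noroutes_delta reports how much ipOutNoRoutes grew between two "netstat -s -P ip" snapshots. The dumps embedded in it are constructed from the thread's output, with 203.0.113.137 and 203.0.113.138 standing in for the masked public addresses. The flag letters are read as netstat(1M) prints them: S for a static entry, and a lone o, which the script treats as an entry that is being aged out (an assumption about the o flag, based on the thread's "all working" table).

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for the Solaris 10
# shared-IP zone symptom above: what the default router's ARP entry looks
# like, and whether ipOutNoRoutes is climbing while connections time out.
# The sample dumps are constructed from the thread's output; 203.0.113.137
# and .138 stand in for the masked public addresses.

# arp_gateway_state DUMP IP  ->  static | aging | dynamic | missing
# Flags column of "netstat -pn": S marks a static entry (what "arp -s" gives
# you); a lone "o" is assumed here to be an entry that is ageing out. A row
# with no flags at all shifts the MAC address into the fourth column, so a
# field containing ":" is treated as an empty flag set.
arp_gateway_state() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $2 == ip {
            flags = ($4 ~ /:/) ? "" : $4
            if (index(flags, "S"))       print "static"
            else if (index(flags, "o"))  print "aging"
            else                         print "dynamic"
            found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# counter_value NAME   (stdin: "netstat -s -P ip" output)
# netstat -s prints "name = value" pairs two per line, sometimes with the "="
# glued to the number ("ipInReceives =8454948"); both layouts are handled.
counter_value() {
    awk -v name="$1" '{
        for (i = 1; i <= NF; i++) {
            if ($i == name || index($i, name "=") == 1) {
                rest = substr($i, length(name) + 1)
                if (rest == "") rest = $(++i)
                if (rest == "=") rest = $(++i)
                sub(/^=/, "", rest)
                print rest; exit
            }
        }
    }'
}

# noroutes_delta BEFORE AFTER  ->  increase in ipOutNoRoutes between snapshots
noroutes_delta() {
    b=$(printf '%s\n' "$1" | counter_value ipOutNoRoutes)
    a=$(printf '%s\n' "$2" | counter_value ipOutNoRoutes)
    [ -n "$a" ] && [ -n "$b" ] || { echo "ipOutNoRoutes not found" >&2; return 1; }
    echo $((a - b))
}

# Constructed sample: the "all working" table, router row present but only "o"
ARP_OK='Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
bge1   203.0.113.137        255.255.255.255 o        00:0c:31:ec:1b:01
bge1   192.168.0.1          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   192.168.0.2          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   203.0.113.138        255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   224.0.0.0            240.0.0.0       SM       01:00:5e:00:00:00'

# Constructed sample: the table after the router row has been flushed
ARP_FLUSHED='Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
bge1   192.168.0.1          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   192.168.0.2          255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   203.0.113.138        255.255.255.255 SPLA     00:23:8b:aa:15:6b
bge1   224.0.0.0            240.0.0.0       SM       01:00:5e:00:00:00'

# Constructed samples: two "netstat -s -P ip" snapshots in the thread's layout
STATS_BEFORE='IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        =8454948    ipInHdrErrors       =     0
        ipOutDiscards       =     0     ipOutNoRoutes       =   238'
STATS_AFTER='IPv4    ipForwarding        =     1     ipDefaultTTL        =   255
        ipInReceives        =8461102    ipInHdrErrors       =     0
        ipOutDiscards       =     0     ipOutNoRoutes       =   251'

# Stand-alone run over the samples
for ip in 203.0.113.137 192.168.0.1; do
    echo "$ip: working=$(arp_gateway_state "$ARP_OK" $ip) flushed=$(arp_gateway_state "$ARP_FLUSHED" $ip)"
done
echo "ipOutNoRoutes grew by $(noroutes_delta "$STATS_BEFORE" "$STATS_AFTER")"
```

On the box itself, feed live output instead of the samples: `arp_gateway_state "$(netstat -pn)" <router-ip>` from cron every few minutes logs exactly when the router row disappears, and two `netstat -s -P ip` captures taken before and after a timeout, passed to `noroutes_delta`, show whether the kernel is counting the stalled packets as "no route" (the counter was already at 238 in the output above). If `arp -s` had taken effect for the router, its row would carry the S flag; the row in the "all working" table carries only o.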
Similar Messages
Route between global and non-global zones
Hi Folks,
I haven't been able to find an answer to this question searching the archives, so I'll try here. My global zone gets her IP (10.153.197.n) via DHCP, and I've had to use 192.168.1.n addresses for the non global zones. Is there a simple route statement I can issue to allow communication between the global and non global zones? I'm running Solaris 10 x86 03/2005.
Thanks very much,
-Adam vonNieda
If you're only interested in passing traffic between the global zone and the non-global zones, just add a virtual interface to the global zone.
For example, in the global zone:
ifconfig ce0:4 plumb 192.168.1.x netmask + broadcast + up
Then you will be able to pass traffic between the global and non-global zones.
If you're looking for the global zone to proxy traffic between the non-global zones and the rest of the network, take a look at http://balance.sf.net
Auto attendant intermittently routes call to out of region/not in dial plan UM server
Hi all,
Exchange 2013 on prem, hardware not virtual. CU5 w/Lync 2013
I've got calls that get intermittently routed to UM servers that are out of region and not in the dial plan. The out of region UM server sees the call is outside of business hours & sends helpdesk calls to voicemail instead of the appropriate phone menu.
Additionally, when Exchange admins who are in different time zones look at the GUI w/the AA's business hours they see a time skew even though the time displayed is listed as Eastern. I think the mis-routing & the time zone skew are related. When the Tokyo server gets the call it checks the time: 3AM? Not in business hours, even though in Eastern Time, where the call is supposed to go, it is in business hours.
In the Lync client log (as seen via the snooper tool) this is the last message before the call gets transferred:
“ms-diagnostics:
15032;reason="Re-directing request to the destination in 302”
Additionally the time zone on the AA schedule is set to Eastern Time. Why is the TYO UM server ignoring this and applying local time?
Any tips to point me in the right direction would be appreciated.
Adam
Number two was correct! The affected site did not have an arbitration mailbox. Details follow.
I still have the underlying problem of AA's getting the time zone of the UM server applied rather than the time zone they are allegedly set to (for example Beijing business hours served from a TYO UM server getting TYO time).
With the help of MS support we resolved the immediate problem: calls getting routed to our TYO site.
It turns out that every AD site with Exchange servers needs to have an arbitration mailbox with the grammar generator role set & ready. If a site with UM servers does not have an arbitration mailbox it will proxy the call to another site that does.
In our case, it would route them to our Tokyo site that applied the wrong hours to the auto attendant.
Here's how we created the arbitration mailbox
[PS] C:\temp\autoattendant>New-Mailbox -Arbitration -Name "A new UM Grammar Mailbox" -Database <some db hosted in site> -UserPrincipalName [email protected] -DisplayName "A new UM Grammar Mailbox"
[PS] C:\temp\autoattendant>Set-Mailbox [email protected] -Arbitration -UMGrammar:$true
This keeps the call from going out of site to an Exchange UM server in a different time zone.
The tricky bit is that this does not immediately work. The mailbox needs to pick up the OrganizationCapabilityUMGrammarReady capability, which it will only get when the grammar generator runs. In 2010 you were able to kick this off manually. In 2013 it runs once a day. You have to wait until Get-Mailbox -Arbitration | fl name, servername, persistedcapabilities shows the OrganizationCapabilityUMGrammarReady has been assigned to the mailbox.
I still have not yet resolved the underlying problem of why UM servers are ignoring the time zone setting on AAs' business hours.
What is difference between Shared ,Exclusive and Exclusive but not commulat
What is the difference between Shared, Exclusive and Exclusive but not cumulative lock modes? Please tell me.
Lock objects are used to synchronize access to the same data by more than one program.
The lock mode controls whether several users can access data records at the same time. The lock mode can be assigned separately for each table in the lock object. When the lock is set, the corresponding lock entry is stored in the lock table of the system for each table.
There are three types of lock modes:
1. Exclusive
2. Shared
3. Exclusive not cumulative
Exclusive lock: The locked data can only be displayed or edited by a single user. A request for another exclusive lock or for a shared lock is rejected.
Shared lock: More than one user can access the locked data at the same time in display mode. A request for another shared lock is accepted, even if it comes from another user. An exclusive lock is rejected.
Exclusive but not cumulative: Exclusive locks can be requested several times from the same transaction and are processed successively. In contrast, exclusive but not cumulative locks can be called only once from the same transaction. All other lock requests are rejected.
please go through these links:
http://help.sap.com/saphelp_nw04/helpdata/en/a2/3547360f2ea61fe10000009b38f839/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/af/22ab01dd0b11d1952000a0c929b3c3/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21eeb2446011d189700000e8322d00/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21eebf446011d189700000e8322d00/frameset.htm
http://help.sap.com/saphelp_nw04/helpdata/en/cf/21eed9446011d189700000e8322d00/frameset.htm
Briefly:
You can lock the table or record by using the following types of locking:
1) Exclusive (E): the locked data can only be displayed or modified by a single user, i.e. the owner of the object. Access by other users is denied.
2) Shared (S): several users can access the same record simultaneously, but only in display mode, except the first one, who has asked for the data in update mode.
3) Exclusive not cumulating (X): similar to an exclusive lock; it allows only a single user access. E can be called several times from the same transaction. In contrast, a lock of type X can be called only once during the transaction. Any other call for this lock is rejected.
Activation of Lock Object
1) When you activate the lock object, the function modules are generated automatically: ENQUEUE_EZN and DEQUEUE_EZN, where EZN is the name of the lock object.
2) ENQUEUE is used in a program to set the lock over the selected data depending on the lock object arguments; DEQUEUE is used to release the lock.
Thanks
Seshu
Problem of routing between inside and outside on ASA5505
I have a ASA5505 with mostly factory default configuration. Its license allows only two vlan interfaces (vlan 1 and vlan 2). The default config has interface vlan 1 as inside (security level 100), and interface vlan 2 as outside (security level 0 and using DHCP).
I only changed interface vlan 1 to IP 10.10.10.1/24. After I plugged in a few hosts to vlan 1 ports and connect port Ethernet0/0 (default in vlan 2) to a live network, here are a couple of issues I found:
a) One host I plugged in is a PC, and another host is a WAAS WAE device. Both are in vlan 1 ports. I hard coded their IP to 10.10.10.250 and 10.10.10.101, /24 subnet mask, and gateway of 10.10.10.1. I can ping from the PC to WAE but not from WAE to the PC, although the WAE has 10.10.10.250 in its ARP table. They are in the same vlan and same subnet, how could it be? Here are the ping and WAE ARP table.
WAE#ping 10.10.10.250
PING 10.10.10.250 (10.10.10.250) from 10.10.10.101 : 56(84) bytes of data.
--- 10.10.10.250 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
WAE#sh arp
Protocol Address Flags Hardware Addr Type Interface
Internet 10.10.10.250 Adj 00:1E:37:84:C9:CE ARPA GigabitEthernet1/0
Internet 10.10.10.10 Adj 00:14:5E:85:50:01 ARPA GigabitEthernet1/0
Internet 10.10.10.1 Adj 00:1E:F7:7F:6E:7E ARPA GigabitEthernet1/0
b) None of the hosts in vlan 1 in 10.10.10.0/24 can ping interface vlan 2 (address in 172.26.18.0/24 obtained via DHCP). But on ASA routing table, it has both 10.10.10.0/24 and 172.26.18.0/24, and also a default route learned via DHCP. Is ASA able to route between vlan 1 and vlan 2? (inside and outside). Any changes I can try?
Here are ASA routing table and config of vlan 1 and vlan 2 (mostly its default).
ASA# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 172.26.18.1 to network 0.0.0.0
C 172.26.18.0 255.255.255.0 is directly connected, outside
C 127.1.0.0 255.255.0.0 is directly connected, _internal_loopback
C 10.10.10.0 255.255.255.0 is directly connected, inside
d* 0.0.0.0 0.0.0.0 [1/0] via 172.26.18.1, outside
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
All other ports are in vlan 1 by default.
I should have made the config easier to read. So here is what's on the ASA and the problems I have. The ASA only allows two VLAN interfaces to be configured (default to Int VLAN 1 - nameif inside, and Int VLAN 2 - nameif outside).
port 0: in VLAN 2 (outside). DHCP configured. VLAN 2 pulled IP in 172.26.18.0/24, default gateway 172.26.18.1
port 1-7: in VLAN 1 (inside). VLAN 1 IP is 10.10.10.1. I set all devices IP in VLAN 1 to 10.10.10.0/24, default gateway 10.10.10.1
I have one PC in port 1 and one WAE device in port 2. PC IP set to 10.10.10.250 and WAE set to 10.10.10.101. PC can ping WAE but WAE can't ping PC. Both can ping default gateway.
If I can't ping from the inside interface to the outside interface on the ASA, how can I verify inside hosts can get to outside addresses and vice versa? I looked at the ASA docs but didn't find out how to set up the routing between inside and outside. They are both connected interfaces; should they route between each other already?
Thanks a lot
Cisco ASA 5505 Routing between internal networks
Hi,
I am new to Cisco ASA and have been configuring my new firewall, but one thing has been bothering me. I cannot get internal networks and routing between them to work as I would like. The goal is to set up four networks and control access between them with ACLs.
1. Outside
2. DMZ
3. ServerNet1
4. Inside
The ASA version is 9.1, and I have been reading about two different ways of handling IP routing with this: NAT exempt, and not configuring NAT at all and letting normal IP routing handle internal networks. No matter how I configure it, with or without NAT, I cannot get access from the inside network to the DMZ or from ServerNet1 to the DMZ. The strange thing is that I can access services from the DMZ to Inside and ServerNet1 if the access list allows it. For instance, the DNS server is on the Inside network and the DMZ works great using it.
Here is the running conf:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,DMZ) source static obj-192.168.2.0 obj-192.168.2.0 destination static obj-192.168.2.0 obj-192.168.2.0 no-proxy-arp
object network obj_any
nat (inside,outside) dynamic interface
nat (DMZ,outside) after-auto source dynamic obj_any interface destination static obj_any obj_any
nat (ServerNet1,outside) after-auto source dynamic obj-192.168.4.0 interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Hi Jouni,
Yep, Finnish would be good also =)
In front of the ASA is a DSL modem; on the trunk ports is a Hyper-V host that uses the trunk ports so that every VM has its VLAN ID defined at the VM level. Everything is working well on that end. Also there is a WLAN access point on one of the ASA ports; on the WLAN AP there is the management portal address on the DMZ that I have been testing against (192.168.3.4).
If I configure dynamic PAT from inside to the DMZ then the traffic starts to work from inside to all hosts on the DMZ, but that's not the right way to do it, so no shortcuts =)
Here is the conf now, still doesn't work:
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 20
interface Ethernet0/2
switchport access vlan 19
interface Ethernet0/3
switchport access vlan 10
switchport trunk allowed vlan 10,19-20
switchport trunk native vlan 1
interface Ethernet0/4
switchport access vlan 10
interface Ethernet0/5
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/6
switchport access vlan 10
switchport trunk allowed vlan 10-11,19-20
switchport trunk native vlan 1
switchport mode trunk
interface Ethernet0/7
switchport access vlan 10
interface Vlan10
nameif inside
security-level 90
ip address 192.168.2.1 255.255.255.0
interface Vlan11
nameif ServerNet1
security-level 100
ip address 192.168.4.1 255.255.255.0
interface Vlan19
nameif DMZ
security-level 10
ip address 192.168.3.1 255.255.255.0
interface Vlan20
nameif outside
security-level 0
ip address dhcp setroute
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 3:00 last Sun Oct 4:00
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj-192.168.2.0
subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
subnet 192.168.3.0 255.255.255.0
object network DNS
host 192.168.2.10
description DNS Liikenne
object network Srv2
host 192.168.2.10
description DC, DNS, DNCP
object network obj-192.168.4.0
subnet 192.168.4.0 255.255.255.0
object network ServerNet1
subnet 192.168.4.0 255.255.255.0
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network RFC1918
object-group network InternalNetworks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
object-group service DM_INLINE_SERVICE_1
service-object tcp destination eq domain
service-object udp destination eq domain
service-object udp destination eq nameserver
service-object udp destination eq ntp
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
port-object eq ftp
port-object eq ftp-data
object-group service rdp tcp-udp
description Microsoft RDP
port-object eq 3389
object-group service DM_INLINE_TCP_2 tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group service DM_INLINE_SERVICE_2
service-object tcp destination eq domain
service-object udp destination eq domain
object-group network DM_INLINE_NETWORK_1
network-object object obj-192.168.2.0
network-object object obj-192.168.4.0
object-group network DEFAULT-PAT-SOURCE
description Default PAT source networks
network-object 192.168.2.0 255.255.255.0
network-object 192.168.3.0 255.255.255.0
network-object 192.168.4.0 255.255.255.0
access-list dmz_access_in extended permit ip object obj-192.168.3.0 object obj_any
access-list dmz_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object DNS eq domain
access-list DMZ_access_in extended permit object-group TCPUDP object obj-192.168.3.0 object-group DM_INLINE_NETWORK_1 object-group rdp
access-list DMZ_access_in extended deny ip any object-group InternalNetworks
access-list DMZ_access_in extended permit tcp object obj-192.168.3.0 object obj_any object-group DM_INLINE_TCP_2
access-list inside_access_in extended permit ip object obj-192.168.2.0 object-group InternalNetworks
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj_any object-group rdp
access-list inside_access_in extended permit tcp object obj-192.168.2.0 object obj_any object-group DM_INLINE_TCP_1
access-list inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object Srv2 object obj_any
access-list inside_access_in extended permit object-group TCPUDP object obj-192.168.2.0 object obj-192.168.3.0 object-group rdp
access-list ServerNet1_access_in extended permit object-group DM_INLINE_SERVICE_2 any object DNS
access-list ServerNet1_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu ServerNet1 1500
mtu inside 1500
mtu DMZ 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711-52.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
access-group ServerNet1_access_in in interface ServerNet1
access-group inside_access_in in interface inside
access-group DMZ_access_in in interface DMZ
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
http 192.168.4.0 255.255.255.0 ServerNet1
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 192.168.4.0 255.255.255.0 ServerNet1
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
SG300: How to set up routing between VLANs?
I have recently purchased a Cisco SG300-10. I need it to perform routing between two VLANs on the switch. It seems like this should be quick and easy to do from the built-in GUI. When I configure it according to the documentation, it does not route between the VLANs.
I have set the system mode to L3 (for level 3 switching).
I have followed the instructions on pages 26 through 33 of the attached PDF (which I obtained from the Cisco site). I used the same ports on the switch and the same IP addresses as shown in the document.
Everything works until I attempt the step "ping 10.1.1.10" on page 33. This is the step to verify the level 3 switching between the 2 PCs (on separate VLANs).
The switch Firmware Version (Active Image): 1.3.5.58
I have attached the running configuration from the switch. It is the file named "running-config.txt".
The 2 PCs that I am using are running Windows 7 and Windows 8.
Hi jkst,
There is a very minimal set of requirements to obtain layer 3 inter-VLAN routing:
1 - 2 VLANs in layer 3 mode, each assigned an IP address
config t
vlan database
vlan 2
int vlan 1
ip address 192.168.1.1 /24
int vlan 2
ip address 192.168.2.1 /24
2 - Active link state on each VLAN - Define a port for the second vlan then connect an IP device to that port and another device to another port since the rest of the ports will default to vlan 1
config t
int gi2
switchport mode access
switchport access vlan 2
3 - Assign your device #1 that connects to any port an ip address on the same subnet as vlan 1
Computer in vlan 1 IP info: 192.168.1.100, mask 255.255.255.0, gateway 192.168.1.1
Computer in vlan 2 IP info: 192.168.2.100, mask 255.255.255.0, gateway 192.168.2.1
Assuming these devices respond to ping and do not have external wireless communication, this will provide basic IP connectivity through the switch across vlans.
-Tom
Please mark answered for helpful posts
How e-mail is routed between two servers
Hi ,
Could anybody please tell me how e-mail is routed between two servers, from the software point of view as well as the hardware point of view?
And how is the Java Mail API related to that?
Thanks,
Kiz
If you're looking for a simple answer there isn't one. Here's a place to start.
http://community.roxen.com/developers/idocs/rfc/rfc974.html
Prevent routing between 2 logical networks without a VLAN
Background: We have some older hubs in our network. As such, we cannot implement a VLAN yet. We have a 10/100 ethernet network across our campus for our production users. We have multiple buildings on the campus and one physical network. We are installing Cisco 1100 WAPs to provide our guests with wireless internet access. Our DHCP server is configured to hand out 192.168.1.x addresses to our guests. Our DHCP server has 192.168.0.x reservations for our production machines.
Questions:
1) Would this ACL prevent traffic from routing between the 192.168.0.x and 192.168.1.x networks?
access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
2) Does anyone have a better solution for preventing our guests from accessing our production machines? Once all the hubs are replaced with switches, we plan to implement a VLAN.
TIA,
Mark
Are you sure you want to protect your Guest WLAN from your production Network, not the other way round? Your access-list states that the .0 network (production) is not allowed to access the .1 (WLAN) network. Then, I don't see in your config the activation of any of your access-lists. They are just defined without being activated on any of your interfaces. Plus, the allow at the end of the access-list is missing, because there is an implicit deny at the end of any access-list.
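To see both points from the reply (direction and the implicit deny) on concrete addresses, here is an added example, not from either poster and not Cisco code: a small evaluator for numbered extended ACL entries in IOS syntax, run against constructed guest and production packets. The list as posted blocks production to guest only, and because nothing else is permitted it also drops guest traffic to the Internet; the second list reverses the direction and adds the explicit permit. The Internet address used is a documentation address, and the evaluator ignores ports.

```python
"""Added example, not part of the thread: an evaluator for numbered extended
ACL entries in IOS syntax, used to check what access-list 105 from the
question actually does. Packets below are constructed; nothing here talks
to a router, and a real ACL still has to be bound with ip access-group.
"""
from ipaddress import ip_address

ANY = ("0.0.0.0", "255.255.255.255")


def _take_addr(tok):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (tok[1], "0.0.0.0"), tok[2:]
    return (tok[0], tok[1]), tok[2:]


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST' (ports are not modelled)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, rest = _take_addr(tok[4:])
    dst, _ = _take_addr(rest)
    return {"number": tok[1], "action": tok[2], "proto": tok[3], "src": src, "dst": dst}


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a, b, w = (int(ip_address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w) == 0


def evaluate(acl, src, dst, proto="ip"):
    """First matching entry wins; anything unmatched hits the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
            return ace["action"], line
    return "deny", "implicit deny"


# The list exactly as posted in the question
ACL_AS_POSTED = [
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
]

# Reversed direction plus an explicit permit, as the reply suggests
ACL_GUEST_BLOCK = [
    "access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "access-list 105 permit ip any any",
]

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("guest block", ACL_GUEST_BLOCK)):
        print(name)
        print("  guest -> production:", evaluate(acl, "192.168.1.20", "192.168.0.10"))
        print("  guest -> internet:  ", evaluate(acl, "192.168.1.20", "203.0.113.5"))
        print("  production -> guest:", evaluate(acl, "192.168.0.10", "192.168.1.20"))
```

The second list still does nothing until it is bound to an interface (ip access-group 105 in on the interface the guest traffic enters), and it only filters what the router routes; hosts on the same flat segment that talk to each other directly never pass through it, which is the part only the planned VLANs will fix.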
-
Can you proxy between two LOCAL zones on a Gatekeeper?
Is it possible to proxy a call between two local zones on the same gatekeeper?
Thanks for any replies.
I also tried this last year to overcome issues with Access Control Lists preventing school sites from directly communicating with each other, and unfortunately the answer is no! The proxy will only work with calls to remote zones.
However from version 12.3 (4)T of the MCM gatekeeper IOS, there is also a feature included called IP to IP gateway, which will do what you want, and will actually work better than the proxy as it is codec transparent (the proxy will re-encode your VC to H.261 and G.711).
More info can be found here:
http://www.cisco.com/en/US/products/sw/voicesw/ps5640/products_qanda_item09186a00801da69b.shtml -
Master Data basis -- difference between a transportation zone and tariff zone?
What is the difference between a transportation zone and a tariff zone, and why would a transportation zone be different from a tariff zone?
-
I have updated the iOS on my iPhone 4 to iOS 6.
When I ask for a route between two famous places, it replies that directions were not found between the places.
I don't understand.
What's this?
I had the same experience with a new iPhone 5 that I bought last week. I did not have a chance to measure battery life before the 6.0.2 upgrade installed, but I set up my phone exactly like my 4S and immediately started running out of power after short periods. I went to a Xmas get-together with a fully charged 5 and 4S. Heading home, the iPhone 5 shut down for low battery and the 4S had 65% power. Both phones had two half-phone calls on them and no data usage.
That night I fully charged the iPhone 5 and, without lighting it up, put it on my night table. Next morning I picked it up and looked at the battery indicator and I had 42% charge with NO activity!
Tried it again the next night and wound up with 37% charge. (Slept longer.)
Today I called the carrier and reactivated the 4S. Took the 5 to the Apple Store and they kindly gave me the choice of a new replacement phone or a refund. I took the refund. Uniquely, the Apple Store said it was Verizon CDMA phones that were coming back.
There are other strings on this with temporary solutions, but from my experience with 7 firmware changes on an HTC 4G phone the problem will continue because the solution will be hardware caused. We are in the days where RTM means Rush to Market - not Release To Manufacturing.
I fear the only solution is to either wait for the next model (I did not notice a really major change in performance over the 4S in LTE heavy Seattle area) - or switch to another manufacturer.
It might be useful for these forums to indicate if you have a GSM or CDMA phone to see which have more problems.
Discouraged.... -
WOL - add router between ADSL modem and computer?
Hi
My computer is connected to a Livebox ADSL modem (the Sagem F@ast 3202).
I am trying to set the system up so it wakes up from sleep on reception of a magic packet from the internet. I have forwarded port 9 as per instructions on the web. The computer wakes up only sporadically though.
I read long ago somewhere online (but can't for the life of me find it) that one can add another router (between the Livebox and the computer, I assume) which would "listen" for the magic packet and then wake up the computer.
I happen to have an old DLink DSL-604+. Is this something I could add to the chain of equipment to make the setup more stable? If so, how should the DLink be configured?
Thanks for any insight.
/p
Thanks for the suggestion.
I've looked in the settings on the Livebox and find, under the Firewall tab, something called Access control. It lets me define a username, password and port with which I may access the Livebox's setup page from the internet.
Apart from this, I find under the Firewall tab something called Policies and NAT but neither appears to be relevant to me. If there's any other disconnect setting I can't find it. I guess it could be in the flash ROM somewhere.
My test indicates that I can access the Livebox setup page without the computer having to be on (obvious). Is there some way to start a sleeping computer from within such a setup page (longshot)?
/p -
Hi all,
I am currently using Oracle Database 10gR2, which contains some spatial data of the city of Auckland, NZ. I am using Oracle Maps to display the data and the normal navigational features as such. But what I want to do is determine a route between two locations on the map. There is a distance tool that just measures the distance between two points, but I'm not sure how to go about finding a route between two points. In the table in the database there are columns for F_NODE and T_NODE, which I'm guessing are the start and end node of each line? Any help in this matter is greatly appreciated.
Kind Regards,
Avinash
Avi
I have not worked with MapViewer and Networks as such, but the Oracle Application Server MapViewer User's Guide has a section on Networks, 2.3.7 Network Themes, starting on page 83.
http://download.oracle.com/otn/other/mapviewer/pdf/mapviewer_10131_ug.pdf
I hope this can give you a start.
Luc -
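The guess in the question is the right one: F_NODE and T_NODE are the from/to nodes of each line, and a route is a shortest path over the graph those links form. As an added example, not from the thread and not Oracle MapViewer code, here is that search in Python over a handful of constructed rows standing in for the spatial table; the LENGTH and ONE_WAY columns are this example's assumptions, and a real run would SELECT the rows rather than hard-code them.

```python
"""Added example, not from the thread and not Oracle MapViewer code: finding a
route over a line table whose rows carry F_NODE and T_NODE, the same
from/to-node idea the MapViewer network model builds on. The rows are
constructed sample data standing in for the spatial table (a real run would
SELECT them); the LENGTH and ONE_WAY columns are this example's assumptions.
"""
import heapq

# Constructed rows: (LINK_ID, F_NODE, T_NODE, LENGTH in metres, ONE_WAY)
LINKS = [
    (1, "A", "B", 120.0, False),
    (2, "B", "C", 80.0, False),
    (3, "A", "D", 60.0, False),
    (4, "D", "C", 300.0, False),
    (5, "C", "E", 50.0, True),   # one-way: may be driven C -> E only
    (6, "E", "F", 40.0, False),
]


def build_graph(links):
    """Adjacency list keyed by node; two-way links get an edge in each direction."""
    adj = {}
    for link_id, f_node, t_node, length, one_way in links:
        adj.setdefault(f_node, []).append((t_node, length, link_id))
        adj.setdefault(t_node, [])
        if not one_way:
            adj[t_node].append((f_node, length, link_id))
    return adj


def shortest_route(links, start, goal):
    """Dijkstra over the link graph.

    Returns (total_length, [nodes...], [link_ids...]) for the shortest route,
    or None when either node is unknown or no route exists (e.g. against a
    one-way link).
    """
    adj = build_graph(links)
    if start not in adj or goal not in adj:
        return None
    dist = {start: 0.0}
    prev = {}                      # node -> (previous node, link used)
    heap = [(0.0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue               # stale entry; a shorter path was found later
        if u == goal:
            break
        for v, length, link_id in adj[u]:
            nd = d + length
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = (u, link_id)
                heapq.heappush(heap, (nd, v))
    if goal not in dist:
        return None
    nodes, used = [goal], []
    while nodes[-1] != start:
        u, link_id = prev[nodes[-1]]
        nodes.append(u)
        used.append(link_id)
    return dist[goal], nodes[::-1], used[::-1]


if __name__ == "__main__":
    print(shortest_route(LINKS, "A", "F"))   # (290.0, ['A', 'B', 'C', 'E', 'F'], [1, 2, 5, 6])
    print(shortest_route(LINKS, "F", "A"))   # None: link 5 cannot be used E -> C
```

The returned link ids are what you would feed back to the map to highlight the route; the one-way flag is there because a route search that ignores it happily returns paths that cannot be driven.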
I have an Aironet 1242AG AP,
I am interested in creating two different SSIDs with different security levels (eg. No Enc. and WPA2 Enc.).
I am also interested in routing between the two (such that one will function like a "backup" connection, which sees and connects to everything that the other one sees and connects to).
Can I please get some examples of configuration? And maybe some written guide?
Creating 2 different SSIDs on one AP with different encryption is only possible if you use VLANs on the switch and AP.