IPMP with two subnets

Hello from Spain,
I have configured IPMP with two interfaces on Solaris 10. It works.
Now I need to configure a zone with a different subnet mask because I need the zone to be invisible to global, but not to the firewall, because I need to exit with this zone.
Here is an example of what I'm trying to do
Global
/etc/hosts
172.24.100.20 WK1
172.24.100.21 WK1-bge0
172.24.100.22 WK1-bge1
/etc/netmasks
172.24.100.0 255.255.255.0
172.24.110.0 255.255.255.0
/etc/defaultrouter
172.24.100.1
/etc/hostname.bge0
WK1 netmask + broadcast + group localhost up addif WK1-bge0 deprecated -failover netmask + broadcast + up
/etc/hostname.bge1
WK1-bge1 deprecated -failover netmask + broadcast + group localhost up
Zone IP's
172.24.100.101 zone1 (global sees it, it sees global and firewall)
172.24.110.101 zone2 (global sees it, it sees global, but doesn't see firewall)
zone2 /etc/defaultrouter
172.24.110.1
Is it possible to do this? Any ideas?
Thanks.
P.S. Excuse my English

General advice, since you don't indicate which type of zone you have (shared IP or exclusive IP):
If you are dealing with zones and routing, it is best to configure your local zones as "exclusive IP" (bge can do this), meaning you dedicate a physical interface to the local zone and configure the interface from within the new zone. Otherwise all interfaces and routing belong to the global zone and routing can be a problem. Then you can configure IPSEC or ipf to allow/deny access as desired between the zones or other network nodes.
If you have S10 u4 (8/07), exclusive IP is available:
docs.sun.com Home > Solaris 10 System Administrator Collection > System Administration Guide: Solaris Containers-Resource Management and Solaris Zones > Zones > 17. Non-Global Zone Configuration (Overview) > Zone Components > Zone Network Interfaces > Solaris 10 8/07: Exclusive-IP Non-Global Zones
docs.sun.com Home > Solaris 10 System Administrator Collection > System Administration Guide: Solaris Containers-Resource Management and Solaris Zones > Zones > 17. Non-Global Zone Configuration (Overview) > Zone Components > Zone Network Interfaces > Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones

Similar Messages

  • Two subnets with different mask on a single router?

    router 1941
    Hello. I'm needing assistance with the setup of two subnets within a single router.
    Here's my information:
    Router has only two GigabitEthernet interfaces.
    GigabitEthernet0/0 has 172.20.0.1 ip and 255.255.252.0 mask.
    GigabitEthernet0/1 has 172.21.0.1 ip and 255.255.128.0 mask
    Now, on each side there is a Switch with two computers.
    I need to have 1 computer on each side on the same subnet, and the other one on a different subnet, meaning a pc on the same side cannot communicate with the other computer on its side, but can with another computer on the other side.
    I have no idea how to configure this on the router, can anyone please help me?
    Thanks in advance!

    >>> So you want PC1 and PC3 to be able to talk to each other but you don't want them to be able to talk to PC2 and PC4 and vice versa.
    This is correct.
    >>> If so you don't need a router, you can just use a switch (or switches) and use two vlans with no L3 interfaces.
    Unfortunately they are not giving me the choice of making my own net design. I need to setup this with all the devices mentioned (1 router, 2 switches, 4 pcs).
    >>> If so you don't need a router, you can just use a switch (or switches) and use two vlans with no L3 interfaces.
    As long as they communicate with the appropriate PC, it doesn't matter if they communicate to other devices or not.
    Thanks again!

  • URGENT !!! Two physical network interface with two completely different subnets - No bridges - cannot connect both

    This is my urgent problem:
    I have a physical machine with two physical network interfaces. I have a VMWARE player installed and a virtual machine that must use both cards on two different subnets, one directly public on the router and one intranet inside the company.
    How can I just tell one net card to go on that sub and the other on the public sub ?  Going crazy. Please help.
    Thanks,
              P.

    Using VMware Player Virtual Network Editor, create an additional bridged VMnet and bind each bridged VMnet to a different physical network adapter... on the virtual machine, create a virtual network adapter to each subnet, and bind each virtual network adapter to a different bridged VMnet.
    For additional help with virtual network editor, check this KB: VMware KB: Using the Virtual Network Editor in VMware Workstation

  • ASA 5510 context base configuration in HA Mode with two different subnet

    Hi
    Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
    IP Details are below.....:
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
    interface Ethernet0/1
    no nameif
    security-level 0
    no ip address
    interface Ethernet0/1.101
    description INSIDE1
    vlan 101
    nameif INSIDE1
    security-level 90
    ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
    interface Ethernet0/1.102
    description INSIDE2
    vlan 102
    nameif INSIDE2
    security-level 80
    ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
    interface Ethernet0/3
    description LAN Failover Interface
    failover
    failover lan unit primary
    failover lan interface FAILOVER Ethernet0/3
    failover replication http
    failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
    route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

    Hi Sanjeev,
    If it is a context based configuration  that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

    Hi there,
    I am hoping someone here can help.  I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office.  We have an ASA 5510  in London, talking to a Vigor 2820 in Edinburgh. 
    The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall. 
    The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there. 
    I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel.  However, I have had much trouble adding additional subnets for our VLANs in London.
    What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
    Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having been stopped by the VPN: subtype: encrypt rules.  Looking at these rules though, I can't spot the problem.  Multiple changes of order of the rules, and reloads have not sorted out the problem.  When I run a packet trace on the main subnet it works fine.  I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
    I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
    Firstly, here's the ASA config that seemed relevant.  I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    nat (inside) 0 access-list insideOutboundNonatAcl
    nat (inside) 9 access-list vpnNatAcl
    nat (inside) 10 192.168.30.5 255.255.255.255
    nat (inside) 10 192.168.0.0 255.255.255.0
    nat (inside) 10 192.168.20.0 255.255.255.0
    nat (inside) 10 192.168.30.0 255.255.255.0
    nat (inside) 10 192.168.50.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
    access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain
    access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any
    access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any
    access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive
    access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
    access-group inside_in in interface inside
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    route inside 192.168.20.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.50.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.30.0 255.255.255.0 192.168.0.254 1
    route inside 192.168.40.0 255.255.255.0 192.168.0.254 1
    crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac
    crypto ipsec transform-set TRANS_VPN_SET mode transport
    crypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_VPN_SET_2 mode transport
    crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec df-bit clear-df outside
    crypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2
    crypto dynamic-map core_vpn_dyn_map 40 set pfs
    crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer [branch peer ip]
    crypto map outside_map 2 set transform-set ESP_3DES_MD5
    crypto isakmp identity address
    crypto isakmp identity address
    crypto isakmp policy 25
     authentication pre-share
     encryption 3des
     hash md5
     group 1
     lifetime 28800
    crypto isakmp nat-traversal  30
    crypto isakmp disconnect-notify
    group-policy DfltGrpPolicy attributes
     banner none
     wins-server none
     dns-server none
     dhcp-network-scope none
     vpn-access-hours none
     vpn-simultaneous-logins 100
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
     password-storage disable
     ip-comp disable
     re-xauth enable
     group-lock none
     pfs disable
     ipsec-udp disable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     split-tunnel-network-list none
     default-domain none
     split-dns none
     intercept-dhcp 255.255.255.255 disable
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout 30
     ip-phone-bypass disable
     leap-bypass disable
     nem disable
     backup-servers keep-client-config
     msie-proxy server none
     msie-proxy method no-modify
     msie-proxy except-list none
     msie-proxy local-bypass disable
     nac disable
     nac-sq-period 300
     nac-reval-period 36000
     nac-default-acl none
     address-pools none
     smartcard-removal-disconnect enable
     client-firewall none
     client-access-rule none
    tunnel-group [branch peer ip] type ipsec-l2l
    tunnel-group [branch peer ip] ipsec-attributes
     pre-shared-key *
    Note: [branch peer ip] replaces any instances of the branch office outside IP address
    I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem.  I'd really appreciate any suggestions on how to track this down. 
    Here's the vigor config:
    So it looks to match ok to me at both ends, unless there is something I missed.  The vigor routing table shows:
    Key: C - connected, S - static, R - RIP, * - default, ~ - private
    *             0.0.0.0/         0.0.0.0 via [ISP gateway server],   WAN1
    S    [branch peer ip]/ 255.255.255.255 via [branch peer ip],   WAN1
    S~       192.168.40.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.50.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.10.0/   255.255.255.0 via [London office ip],    VPN
    S~        192.168.0.0/   255.255.255.0 via [London office ip],    VPN
    C~        192.168.2.0/   255.255.255.0 is directly connected,    LAN
    S~        192.168.7.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.30.0/   255.255.255.0 via [London office ip],    VPN
    S~       192.168.20.0/   255.255.255.0 via [London office ip],    VPN
    *    [ISP dns server]/ 255.255.255.255 via [ISP gateway server],   WAN1
    I have replaced IPs here as is shown.  You can see the vigor seems to want to route the appropriate traffic over the VPN.
    Finally, here is the packet trace output:
    ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.50.0    255.255.255.0   inside

    Phase: 3
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group outsideInAcl in interface outside
    access-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x4529e48, priority=12, domain=permit, deny=false
            hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0
            src ip=192.168.2.0, mask=255.255.255.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x44057f0, priority=0, domain=permit-ip-option, deny=true
            hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 5
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false
            hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
            src ip=192.168.2.0, mask=255.255.255.0, port=0
            dst ip=192.168.50.0, mask=255.255.255.0, port=0

    Phase: 6
    Type: NAT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    nat (inside) 10 192.168.50.0 255.255.255.0
      match ip inside 192.168.50.0 255.255.255.0 outside any
        dynamic translation to pool 10 (external [Interface PAT])
        translate_hits = 2250, untranslate_hits = 17
    Additional Information:
     Forward Flow based lookup yields rule:
     out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false
            hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=192.168.50.0, mask=255.255.255.0, port=0

    Phase: 7
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    nat (inside) 10 192.168.50.0 255.255.255.0
      match ip inside 192.168.50.0 255.255.255.0 outside any
        dynamic translation to pool 10 (external [Interface PAT])
        translate_hits = 2250, untranslate_hits = 17
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0x4b80fa0, priority=1, domain=host, deny=false
            hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=192.168.50.0, mask=255.255.255.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     in  id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true
            hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
            src ip=0.0.0.0, mask=0.0.0.0, port=0
            dst ip=0.0.0.0, mask=0.0.0.0, port=0

    Phase: 9
    Type: VPN
    Subtype: encrypt
    Result: DROP
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     out id=0x4887aa8, priority=70, domain=encrypt, deny=false
            hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
            src ip=192.168.50.0, mask=255.255.255.0, port=0
            dst ip=192.168.2.0, mask=255.255.255.0, port=0

    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    So it seems to find the rule, which it ought to match, but then returns DENY.  What's going on here?  Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
    For further information, this is output for the WORKING subnet - I have just taken a small part here though:
    Phase: 10
    Type: VPN
    Subtype: encrypt
    Result: ALLOW
    Config:
    Additional Information:
     Reverse Flow based lookup yields rule:
     out id=0x4b86418, priority=70, domain=encrypt, deny=false
            hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
            src ip=192.168.0.0, mask=255.255.255.0, port=0
            dst ip=192.168.2.0, mask=255.255.255.0, port=0
    Thanks very much in advance for any help you can provide - I've been really stuck on this one!
    Chris

    Hi,
    Can you issue the packet-tracer with the direction being your London office -> Remote office?
    Also issue the command twice.
    Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
    Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewall's packet-tracer?
    Also I imagine the original info has a typo. You say your ASA's LAN gateway IP and the local L3 switch's IP address is the same, 192.168.0.254.
    Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple, people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
    When you add a network and don't require any special NAT configurations, your NAT0 and Encryption domain access-list should look pretty much the same.
    And looking at your configurations, it should be like this
    access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

    access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
    Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
    EDIT: I imagine the VPN network rules should be an exact mirror image of each other. Though it seems this doesn't stop devices from negotiating the VPN up, but who knows if some other device type is picky about that one. The only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other end's configurations.
    EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
    EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
    - Jouni
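
The mirror-image comparison suggested in the reply above (crypto-map ACL against NAT-exempt ACL against the networks the peer routes into the tunnel) can be done mechanically. This is an added example, not part of the thread or of any Cisco tool; the function names are hypothetical and the sample data is constructed from the access-list lines and the Vigor routing table quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: access-list lines copied from the ASA config quoted in the
# thread (only the entries relevant to the 192.168.2.0/24 branch tunnel).
ASA_CONFIG = """\
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# Constructed from the Vigor routing table in the thread: the prefixes the
# branch router sends "via [London office ip], VPN".
PEER_VPN_ROUTES = [
    "192.168.40.0/24", "192.168.50.0/24", "192.168.10.0/24", "192.168.0.0/24",
    "192.168.7.0/24", "192.168.30.0/24", "192.168.20.0/24",
]

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")


def _take_net(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the token list."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(src_net, dst_net), ...]} for active 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        match = ACL_RE.match(line.strip())
        if not match:
            continue
        tokens = match.group(2).split()
        if "inactive" in tokens:  # disabled entries do not take part in matching
            continue
        src = _take_net(tokens)
        dst = _take_net(tokens)
        acls.setdefault(match.group(1), []).append((src, dst))
    return acls


def covered(pair, entries):
    """True if some entry's source and destination both contain the given pair."""
    src, dst = pair
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)


def audit(config, crypto_acl, nat0_acl, remote_lan, peer_routes):
    """Compare the three views of the tunnel and report where they disagree."""
    acls = parse_acls(config)
    remote = ipaddress.ip_network(remote_lan)
    crypto = [p for p in acls.get(crypto_acl, []) if p[1].subnet_of(remote)]
    nat0 = acls.get(nat0_acl, [])
    peer = [ipaddress.ip_network(r) for r in peer_routes]
    return {
        # in the encryption domain but would still be translated by dynamic NAT
        "no_nat_exempt": [f"{s} -> {d}" for s, d in crypto
                          if not covered((s, d), nat0)],
        # the peer routes it into the tunnel, but this end has no crypto entry
        "peer_only": [str(p) for p in peer if not covered((p, remote), crypto)],
        # this end encrypts it, but the peer has no VPN route back
        "local_only": [str(s) for s, _ in crypto
                       if not any(s.subnet_of(p) for p in peer)],
    }


if __name__ == "__main__":
    report = audit(ASA_CONFIG, "outside_2_cryptomap", "insideOutboundNonatAcl",
                   "192.168.2.0/24", PEER_VPN_ROUTES)
    for finding, items in report.items():
        print(f"{finding}: {items or 'none'}")
```

On the thread's data the only mismatch is 192.168.7.0/24, the network the reply points out; 192.168.10.0/24 is NAT-exempt only because of the broader 192.168.0.0/16 entry.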

  • How can I split Client Network traffic and My exchange traffic with two different ip address?

    Hello Everyone,
    Sorry for my bad English and also my bad explanation.
    Here is what my network looks like:
    All the clients are on one subnet and the network is 192.168.0.0
    I have a DSL router that connects to the TMG server
    I have TMG with two NICs
    1- 192.168.0.4
    2- 2 public IP addresses
    I want to do this:
    I want to split users' traffic and my Exchange traffic.
    I mean I want to route users' traffic with one public IP address
    and my Exchange server's traffic with another public address,
    but when I add an additional IP address at TMG or create a new NIC card,
    all of my traffic routes with one public IP address. What should I do?

    Hi Uhan,
    You need to use the ENAT function on TMG to achieve this.
    On the External NIC, assign the second IP as an additional IP address (VIP).
    Create a network rule to NAT traffic from the Exchange server IP address to the required public IP which you need the E NAT.
    Ensure you are creating the rule only from the Exchange server IP and not all Internal.
    Look at the doc below for the step-by-step config:
    http://www.isaserver.org/articles-tutorials/configuration-general/Configuring-One-to-One-NAT-TMG-2010.html

  • Bridge with two Cisco AP's

    Hello Everyone,
    So I have a scenario here and I’m wondering if this plan I have will work flawlessly or is there anything I have to lookout for?
    So I'm going to bridge two Cisco AP's 1260 and 3500, which have an 880 router on each side.
    (Currently I have a VPN set-up through the internet for the two locations to communicate)
    (Naturally they are currently in different subnets)
    Will absolutely change this and set up as one subnet.
    There is VLANs setup on each router (same VLANs)
    VLAN 1
    And
    VLAN 10
    Everything is configured on the Routers and AP's for these VLANs (works flawlessly over the VPN).
    So now since I’m going to get rid of the VPN and set-up a bridge with two AP's, will having same VLANs across both routers be a problem?
    Will VLANs work OK through the bridge?
    Besides using (IP helper address DHCP-IP) command on the non-root bridge side router to forward DHCP requests to the root bridge side router,
    Is there anything else I have to consider?
    Also I want to be able to route internet traffic on the non-root bridge side through the WAN port, and only route LAN traffic through the bridge...
    Will I have to use Access list for this?
    Sorry everyone...
    I know this is a lot I'm throwing out there...
    Thanks in Advance
    Regards,
    Ed

    Also, if the IP Helper command is used to relay DHCP request to the root bridge side router.....
    will the VLAN settings (trunks) on non-root bridge side router work ok since I will need to remove the DHCP pools configured there...... Or is it a better idea to keep it there and just exclude addresses that are available to the other side, and vice versa???
    I say this because the non-root bridge is also going to serve for wireless clients as well, and has VLANs setup on it so I'm guessing the non-root bridge side router needs the DHCP pools for both VLANs intact, for VLANs to operate correctly.
    Please give me your insight on this....

  • Two subnets in one VLAN.

    I'm just practicing VLANs.
    I created two subnets in VLAN1. And while trying to enable communication between the devices in both subnets, I configured the Fa0/0 interface of the router as 10.0.1.254/24 (but as I expected, it didn't enable communication). I believe I'm missing something.
    Can someone please help me in this ?
    Regards,
    Chandu

    Chandu
    Each VLAN represents only one subnet, so when you say VLAN it is the logical meaning of a subnet ID, so let me give another definition.
    10.1.1.0/24 (VLAN 1)
    10.1.2.0/24 (VLAN 2)
    So, for example, Subnets 10.1.1.0/24 and 10.1.2.0/24 can't be on the same VLAN, they have to be in 2 different VLANs, and to enable communication between different VLANs, there are 3 options.
    a) Router on a stick: by configuring one FastEthernet Router port with sub interface commands:
    Router(config)#interface FastEthernet 0/0
    Router(config-if)#no ip address
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface FastEthernet 0/0.1
    Router(config-if)#encapsulation dot1q "VLAN-ID" (for this example write only "1")
    Router(config-if)#ip address 10.1.1.254 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface FastEthernet 0/0.2
    Router(config-if)#encapsulation dot1q "VLAN-ID" (for this example write only "2")
    Router(config-if)#ip address 10.1.2.254 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    b) Using a separate Router FastEthernet interface per VLAN and this option is not practical:
    Router(config)#interface FastEthernet 0/0
    Router(config-if)#ip address 10.1.1.254 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    Router(config)#interface FastEthernet 0/1
    Router(config-if)#ip address 10.1.2.254 255.255.255.0
    Router(config-if)#no shutdown
    Router(config-if)#exit
    c) Using a MultiLayer Switch with inter vlan commands:
    Switch(config)#interface vlan 1
    Switch(config-if)#ip address 10.1.1.254 255.255.255.0
    Switch(config-if)#no shutdown
    Switch(config-if)#exit
    Switch(config)#interface vlan 2
    Switch(config-if)#ip address 10.1.2.254 255.255.255.0
    Switch(config-if)#no shutdown
    Switch(config-if)#exit
    Switch(config)#ip routing (to enable routing on the MultiLayer Switch)

  • BGP on internet with two ISPs

    Hi,
    I have a situation here. I am hosting two subnets, one from each ISP.
    I want one subnet A out ISP A, and subnet B out ISP B
    On Router exiting ISP A
    I advertised both subnets with route-maps allowing A directly, and B with five times the AS path prepend
    On Router exiting ISP B
    I advertised both subnets with route-maps allowing B directly, and A with five times the AS path prepend
    Now if one of the ISPs goes down, the other subnet is not working by default. I need to shut down BGP completely on the link-down interface
    The defect I am assuming is that five times AS path is not a sufficiently long path to consider it as a backup path. Hence ISP A treating subnet A and B as best path and ISP B treating subnet A and B as best path. Is it possible for both ISPs to assume that it is hosting the best path for these subnets...or what could be the problem.
    I just traced from Router A to Router B via internet and it takes almost 8 hops
    I want to try giving 10 AS path-prepend on same AS and try. Let me know if there is any other solution too
    Thanks,
    Raj

    Hello,
    You can consult with ISPs to see if they allow this to happen between them, however I would be extremely surprised if they do this, also an ISP may not be willing to sell off or give the /24 subnet, chances of this are extremely low unless it was critical and major like the Government departments.
    PI address space would allow advertisement of routes to different ISPs, still a problem whether the ISPs you peer with accept /25 (splitting, using x2 /25's at each location). Or just have one /24 in active standby fashion.
    PA address space is much more difficult, they probably own the /16 in most cases, why would they make such major routing changes to not advertise that one single /24 if they've given it to you. The only option here is to dual home to a single provider that has different POPs for each circuit and that will guarantee that your traffic will be diversely routed to different tier 1 ISPs.
    Hope this helps.

  • BGP Conditional Advertisement With 2 Subnets

    Is it possible to trigger conditional advertisement of a Border Gateway Protocol (BGP) prefix based upon the non-existence of two subnets? I can only get this to work with one subnet.
    My customer has parallel links to a provider (one BGP session).
    The command reference mentions one subnet in the description of the non-exist-map.
    Perhaps I should just identify one network from this Internet Service Provider (ISP) to focus on as the indicator of the failure.

    An IP address match is mandatory for a non-exist-map. The access-list specified should be a simple access-list and contains only one prefix. If the condition requires multiple prefixes, multiple access-list can be used, for example:
    route-map ISP1-backbone permit 10
    match ip address 2 3 4

  • How to enter invoice with two different tax codes in one line?

    Dear friends,
    I have this PO for which I enter the invoice.
    I receive later a subsequent debit for this PO from the transporter. This subsequent invoice has got extra debits, one with 21% VAT and one with 19% VAT, which means two items with two different tax codes.
    I want to enter this subsequent debit for each item of the PO, and I want to enter both debits in every item of the PO.
    How can I enter in one row in MIRO a debit with two different tax codes.
    Thank you.

    I want in the same line item to enter two tax codes.
    Do you Know if there is any way to do this?
    It is a subsequent debit and it has two items with two different tax codes. I want to enter the subsequent debit for a PO with many items and enter the value of the whole subsequent invoice. So there is the need to enter one line item with two tax codes.
    How can this be done?
    Thank you?

  • I need to upgrade memory slots on my Mac mid 2010 up to 4 GB module which is currently 2GB with two different 1GB memory  slots.Is it compatible and would like to know about the cost?

    I need to upgrade memory slots on my Mac mid 2010 up to 4 GB module which is currently 2GB with two different 1GB memory slots. Is it compatible and would like to know about the cost?

    this sub forum is about running windows on macs maybe you should try
    https://discussions.apple.com/community/notebooks/macbook

  • I have a serious (and bizarre!) issue with my novation impulse (Although i've tried it with two other keyboards and i still have the same problem) and its compatibility with mainstage 3

    i have a serious (and bizarre!) issue with my novation impulse (Although i've tried it with two other keyboards and i still have the same problem) and its compatibility with mainstage 3.
    the problem is best explained on the following one - page thread: 
    https://discussions.apple.com/thread/3951518?start=0&tstart=0
    (Clearly i'm not alone in this problem, although i think i figured out what's going wrong a little more than he did...read on!)
    his solution, to put mainstage in jump mode, is very unsatisfactory to me, as it bounces all of a sudden to drastically different settings.
    basically, my analysis is that my controller is NOT receiving MIDI data from mainstage.  in other words, mainstage knows what my controller is doing, but my controller doesn't know what mainstage is doing.
     let's say i turn the knob all the way to the right ... 127...and the virtual fader goes to the right like it's supposed to. 
    now...next...let's say i change to a different patch, where that same VIRTUAL fader is not at the max clockwise position..maybe it's only at 1pm.  now when i turn the physical knob to the RIGHT, the midi data is still at 127 on the controller!  it didn't "reset" to sync up with the new level (say 80 or so) setting on the new patch.  so i can't increase that new setting of 80 by continuing to turn the knob to the right.  i have to turn it all the way to zero,...and then continue PAST zero until the controller thinks that IT is at 0...at that point the controller and mainstage are in agreement, and things work fine....so basically, the keyboard thinks the level is at max...but mainstage thinks the level is at 1pm.
    i am using Logic 9, and i have a macbook pro 2.9 Ghz I7 with 8 gigs of memory and OS X 10.8.4

    Hi Josh,
    Thanks for taking the time to contact us here at Novation for technical support. Let's continue to correspond via email so we can get your issue resolved.
    Thanks.
    Mike Towns

  • WinXP with two users - can we have two separate iTunes, one for each user?

    Question:  On my Dell WinXPPro SP3 desktop with two users (myself and my wife), can each user have a separate iTunes - so what each of us does with iTunes has no effect on the other?
    Details:  Yesterday, June 29 2012, I bought a new iPad 3 with WiFi only, my first Apple product.  My #1 motive for buying it is to copy movie files (avi, m4v, mp4, etc.) from my WinXP setup (PC plus hard drive) to my new iPad to watch the movies in bed on the new iPad. I understand that I shall need to install iTunes on both the iPad and the PC in order to move or copy the existing movies from the PC side to the iPad.  (I also understand that I won't be able to use iCloud because iCloud will not run on WinXP, only Vista and Win7.)  [By the way, if iTunes will NOT help me do what I want to do, please let me know.  But that is not my question.]
    I am only one of two users on the PC.  My wife is the second user on the PC.  She already installed iTunes on the PC for her own use.  She is an avid iTunes user.   Most of the time, she does not use this PC.  She has her own WinXPPro SP3 Dell laptop, which is what she uses 99% of the time.  She has also had an iPod for some time, hence her use of iTunes.  And now, for the last two weeks, she also has a new iPhone 4S and her own iPad.  So her use of iTunes will grow.  The important point is the following - whatever I do on my side, I do not want to interfere with or disrupt her use of iTunes.  Not even for a second.
    So, can I install or re-install or somehow set up iTunes on MY user on the PC so that it does not in any way use or affect her iTunes?  If the answer is "yes", please give me a step-by-step and list all details.  Is there a YouTube that shows this specifically?  
    More details:  Right now, in C:\Program Files, before I have tried to install anything myself, there are already folders for Apple Software Update, iPod and iTunes, which derive from my wife's installations of these Apple programs some time ago.  I have just now run the Apple Software Updater, which first updated itself on this PC to version 2.1.3.127 and then updated her iTunes on this PC to version 10.6.3.25.  (As a result, the following processes/services are now running, which normally don't run when I am the user: 
      C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\Program Files\iTunes\iTunesHelper.exe
    Also, the following processes will launch the next time I reboot this PC (which normally don't launch when I am the user):
      C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe
      C:\Program Files\iTunes\iTunesHelper.exe )
    My wife says her iTunes is NOT set for Family Share.  (That sounds correct to me, for now and forever.)
    Summary:  So, how do I install iTunes for myself (for the first time) for my user on this PC so it does not - even for a second - interfere or affect my wife's use of her iTunes on all of her devices?
    Thanks !!!

    Mr. Wiclee - thanks for the link.
    When I said I had not "installed" iTunes on my iPad, I suppose I meant I have not yet signed in to iTunes, ever.  I suppose when I sign in to iTunes the first time on my new iPad, I will be required to create a new iTunes account?  Then refer to such new iTunes account when I launch iTunes for the first time on my PC as myself?  Or will I still need to use Method Three in your link? 
    The crucial thing is this - when I turn on iTunes on the PC for the first time with me as User, I do NOT want it to connect to my wife's iTunes account.  On my PC, I would want iTunes to ask me who I am, so I can then sign in with my new iTunes account that I had just created on my iPad.  How can I be sure to accomplish this goal?
    In my PC, if I look at Documents and Settings and compare the two folders for we two different users, one for me and one for my wife, I can see that my wife's has Application Data and Local Settings for her various Apple programs.  However, so do I in my User even though I have not yet installed any Apple programs on my side.  I am concerned that when I finally launch iTunes when I am user, it will open up in my wife's iTunes account, which I truly want to avoid.
    Thanks.  Please advise.

  • Report with two Command is empty if one of the two commands returns no data

    Hi all,
    I have a report with two Commands not linked together.
    If ONLY one of the two Commands returns no data, the full report is empty (although the other Command returns data).
    I'm using Crystal Report 2008 and the CRJ 12.2.205
    Have an idea?

    Hi Ted,
    how can I solve the problem, please? It is important.
    If it can help you, the problem has appeared in many reports since I updated the library (the old library version 11.8.4.1094 works fine with all). I'm waiting for your answer, please.
    Thank you very much.
