MPLS router with firewall

Can I set up my network such that I place a Cisco ASA firewall between my MPLS router and Cisco switch?

    MPLS Router ---- ASA Firewall ---- Switch ---- VLANs

Hi
As per your scenario it looks like an enterprise network, so you won't require MPLS label propagation in your internal network.
If possible, can you clarify whether you want to propagate the MPLS label in your internal network, or whether you run MPLS in your routers & switches, or whether you only have an MPLS link from your SP?
And if you won't require MPLS label propagation, or you have not configured MPLS in the internal network, then you can configure the ASA in routed mode & can use all the features that you require.
Regards
Chetan Kumar
http://chetanress.blogspot.com
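One way to put the ASA in routed mode between the MPLS CE router and the core switch, shown here as an added configuration example that is not from this thread or from Cisco documentation. The interface names, addresses, the remote-site prefixes, the published service ports and the syslog collector address are all assumed; the point it illustrates is that the MPLS labels are popped on the CE router, so the ASA only ever sees plain IP and can treat the MPLS side as an untrusted interface with an explicit inbound policy.

```cisco
! Added example, not from the thread. Routed mode is the ASA default
! (no "firewall transparent"). Every address and name below is assumed.
!
! Outside: point-to-point link to the MPLS CE router (assumed 10.255.0.1).
! The CE router terminates MPLS; the ASA forwards IP only.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.255.0.2 255.255.255.252
!
! Inside: transit VLAN to the core switch (assumed 10.1.0.2), which does
! the inter-VLAN routing for the user VLANs.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! Static routing (assumed prefixes): all remote sites via the CE router,
! the local VLAN summary 10.10.0.0/16 via the core switch.
route outside 0.0.0.0 0.0.0.0 10.255.0.1
route inside 10.10.0.0 255.255.0.0 10.1.0.2
!
! Inbound policy from the MPLS VPN: only the other sites (assumed prefixes)
! may initiate sessions, and only to the services actually published.
object-group network MPLS_REMOTE_SITES
 network-object 10.20.0.0 255.255.0.0
 network-object 10.30.0.0 255.255.0.0
object-group service INTERNAL_SERVICES tcp
 port-object eq 443
 port-object eq 3389
!
access-list OUTSIDE_IN extended permit tcp object-group MPLS_REMOTE_SITES 10.10.0.0 255.255.0.0 object-group INTERNAL_SERVICES
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inside-to-outside traffic is allowed by the default security levels and
! is stateful, so return traffic needs no rule. Private addressing on both
! sides of the VPN means no NAT is required across the ASA.
!
! Ship the logged denies to a syslog collector (assumed 10.10.5.10) so
! unexpected traffic arriving from the provider side is visible.
logging enable
logging trap informational
logging host inside 10.10.5.10
```

If the internal VLANs are routed on the switch rather than on the ASA, the `route inside` summary is what lets the ASA reach them; if the ASA does the inter-VLAN routing instead, each VLAN becomes a subinterface with its own `nameif` and `security-level` and the static route is not needed.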

Similar Messages

  • External Router and Firewall

    I have just been informed by Apple Care that my entire implementation for my Xserve is off base. We only got to this problem when Kerberos wouldn't work. I had judiciously followed the manual and had my Ether1 and 2 ports set up to do external (1), internal (2), provide DHCP, NAT, VPN, the whole nine yards. Ran gateway assistant, got my FQDN, promoted to open directory. And now I am told by my Apple Care guy that this is not at all the way to go; that I need to have an external router with firewall and assign the static IP to it and then run the server internally only. Let me just say I took the 4 day server essentials class and that was noticeably lacking in the discussion. So I guess what I am asking today is what an ideal router/firewall product would be suggested. I'd prefer it be rack mounted. I also need a product that the company is going to support. So suggestions are greatly appreciated.
    I guess I am back to square one on this. Full reinstall. Sigh.

    1. Run OD and AFP on the fixed IP Master. This should be your strongest, fastest server and must have a real fixed IP address, not allocated by DHCP. You need an FQDN for this IP address entered in your internal DNS.
    WES: I believe I am hearing you say that the VPN/Firewall server (the weaker one) would now carry the static IP address on ethernet1, and have, say, 192.168.2.1 as its manually set internal IP on ethernet2; say 192.168.3.1. The better server would have its IP manually set to, say, 192.168.3.1.
    2. Run internal DHCP and DNS services on the Master also.
    WES: I am not sure why one would run DHCP and DNS here though? I figured that was a simpler process to accomplish off the weaker server.
    3. On your firewall machine (the Replica, maybe running Tiger Server 10-user) run your webpages & VPN.
    WES: But as I understood it, one had to run this off of the machine with the FQDN. Same as mail. More below....
    4. Put Mail on a completely separate box in your DMZ.
    WES: I'm not sure I follow you here. I am out of boxes. Actually I'll have to buy another one if I go this route at all. I don't have nearly a large enough operation to justify three servers -- maybe not two -- except for this problem.
    One advantage of using a Tiger Server Master/Replica over a cheap firewall box is that you have redundancy available for all your Tiger Server apps (DHCP, DNS, etc). You also have an automatic backup of all user accounts/passwords and you don't need to configure separate VPN accounts/profiles for your users.
    WES: Yes that makes sense.
    Plus, if you're serious about VPN, 'proper' routers start to get real expensive if you need concurrent connections.
    WES: There is another issue that I am a bit uncertain about. Where I got into trouble here was trying to get Kerberos to work. However, I am not sure that in the end that's a service I'm going to need. If VPN encrypts all traffic over the internet, is Kerberos necessary? I DON'T need it in house as there isn't an internal security issue of any kind. Maybe I am shooting for something I don't need...which brings us to...I am still confused about the Apple Care guy's comment that with the set up as it is, he could essentially raid my OD. He rattled off a lot of cool talk that made me think he was right but I have never found any reference to this. Can anyone explain to me -- one box acting in this capacity for a small office with a public IP -- being that open to a security risk. Puzzles me.

  • MIB walk for a router with MPLS enabled interfaces

    To perform some testing in an agent I am building, I need a MIB walk for a router with MPLS enabled interfaces. I would greatly appreciate help with this MIB walk.

    You can do a walk-through of the MIB by running a command such as `getmany -v2c public mplsLsrMIB`. For detailed instructions refer to http://cisco.com/en/US/docs/ios/12_2t/12_2t2/feature/guide/lsrmibt.html.

  • Help with Firewall and Internet Sharing

    I’m trying to use my Mac Mini with an Airport Extreme card, which is connected to the internet using Siemens Speedstream 4100 DSL modem, for Internet Sharing with a Windows (work) laptop.
    So, in the Sharing preferences panel:
    Share connection from: Built in Ethernet
    To computers using: Airport
    I get the warning message:
    Other settings may interfere with Internet Sharing.
    The ‘More Info’ button gives the popup message:
    Your firewall settings will prevent computers sharing your internet connection from browsing the web. Enable Personal Web Sharing in the Services pane to allow computers sharing your connection to browse the web.
    I do that, turn the Airport card on, and the laptop can see the network, but can’t connect.
    If I turn the Firewall off, then I can connect fine, but then I don’t have a Firewall. Isn’t that risky if I’m using DSL? How can I do the internet sharing and still protect my computer?
    I realize I could buy a router with a built-in firewall, but isn’t there a way to set up the system using what I have?

    BDAqua wrote:
    We just need to figure out what port is needed. I'd go to Sharing>Firewall>New>Port Name... Other, and try Port 53 both UDP and TCP.
    Oh, and when you say the PC can't connect, could that just mean it can't browse?
    On the PC, put the IP of the Mac in DNS servers, or...
    208.67.222.222
    208.67.220.22
    Well, I'm unable to set the DNS server addresses, as this is a work computer and I don't have the administrative privileges.
    How bad is it to just turn the Firewall on the Mac off when I want to use the connection?

  • Setting up router with ethernet bridge

    I have a new computer and want to re-set up my Linksys Model BEFSX41 Version 2 broadband firewall router with the Linksys Model WET11 wireless-b ethernet bridge to use my laptop wirelessly.  I don't want the desktop PC to be wireless, just the laptop.  Do I follow the steps in the FAQ "How do I setup my Cable modem with my Linksys Router?"  Then are there more instructions for the ethernet bridge?
    The PC is in the basement with the cable modem and Linksys router.  The ethernet bridge is upstairs where the laptop is.  Is this easy enough to do, or am I better off paying $75 to a computer tech to come to my house to do it?
    Thank you for any suggestions.
    Diane

    You cannot do the job that you described with the equipment that you listed.
    It is not clear from your note how you intend to use the WET11.  A wireless bridge is designed to receive a wireless signal (from a wireless router) and send it to a computer that is wired to the WET11.
    For example, the following setup would work:
    modem -- wireless router )))      ((( Wet11 -- computer
    but you never mentioned that you have a wireless router.
    Note that your WET11 cannot broadcast a network, for example, the following DOES NOT work:
    modem -- BEFSX41 -- WET11 )))      ((( wireless computer
    However, instead of (incorrectly) trying to use the WET11 to broadcast a network, you could use a WAP (wireless access point) to broadcast your network.   For example, the following would work:
    modem--BEFSX41--WAP )))   ((( wireless computer
                                      and/or   ((( WET11--wired computer
    For a WAP, you could use a WAP54G or a WAP200.
    Hope this helps.
    Message Edited by toomanydonuts on 05-30-2008 02:44 AM

  • File Sharing works only with Firewall inactive

    I used to share files with an XP PC with no problem on my wifi network. When I upgraded to SL, even though I see the PC in Finder and the file sharing option is active, I can access my PC only if I stop the firewall.
    Bye

    Are you behind a router with a good firewall? If yes, there is no reason to use the Sno firewall. I only use it when on a public network--where I won't be doing any file sharing anyway.

  • File Sharing with Firewall

    I have 3 computers in my home that I would like to set up a home network. I have a couple of questions I am hoping a Mac friend can help me answer.
    1. If we are all logged on to my airport (that is password protected), would that function as my network?
    2. I have my firewall enabled on each computer. Each computer is running 10.3.9. If I enable file sharing for iTunes and so that I can share documents and pictures, do I open up my firewall to the outside world so that others can penetrate? Or is my firewall still active and only those computers on my home network can file share?
    Thanks for your help.
    Message was edited by: curycork2

  • How to do destination NAT in a 2600 router with IOS 12.3?

    Hi All
    I have a 2600 router with two LAN interfaces which I am using for a PoC and has the following settings:
    FE 0/0 - 10.0.0.1/24 - client LAN - inside 
    FE 0/1 - 10.1.1.1/24 - server LAN - outside 
    The direction of the flows is from the clients to the servers. What I would like to achieve is that when clients access the web server 10.1.1.10, this is replaced by 10.1.1.100.
    I have tried the above a few times but it doesn't work. Is the above possible? And if so, please provide me with a sample config.
    Many Thanks

    Yes, you can do this.  You don't need destination NAT.  Source NAT translations work both ways.  This should work:
    ip nat inside source static tcp 10.1.1.100 80 10.1.1.10 80
    int fa 0/0
    ip nat inside
    int fa 0/1
    ip nat outside
    The bigger question is why you'd want to.  Just because you CAN do something doesn't mean you SHOULD.  Unless you have the 10.1.1.0 network subnetted or some sort of firewall/blocking in place, both IPs should be reachable by the hosts.  Why not just have them go directly to 10.1.1.100 instead of going to 10.1.1.10?  If there's a firewall or similar blocking 10.1.1.100, why not adjust your firewall settings instead?  You could have a valid reason for doing this but I can't think of very many scenarios off the top of my head where this would make sense.  If you can post more details on what you're trying to accomplish, you might get better advice on a better way to solve the problem.

  • WRT54GS - Firewall - adding program to router's firewall

    Need help.  I have ATX 2007 tax software and I'm trying to do an e-filing.  I contacted software vendor and was walked through adding the software in exceptions using Windows Firewall.  I also disabled the windows firewall but still could not do a filing.  I kept getting error message of no internet connection.  Strange thing about this, I have ATX 2006 software and able to do e-filings and connect to internet.  The techies at ATX said the problem was the router.  They tried entering my computer remotely but could not get through because again they said router's firewall is blocking.  How can I add my software through the router's built-in firewall?  In the meantime, I have to revert back to dial-up (ugh!) on my old laptop just to do e-filings for my clients.  Any suggestions?

    The router only works with a broadband cable/dsl connection and not dial-up. Can you get online with the router?
    The box said windows xp or better... So I installed Linux!

  • Problems with Firewall settings

    Hello,
    I'm having some odd issues with Firewall. Clicking on "Security", causes me to get the pinwheel. It eventually loads, but it's very slow. I also have issues when I turn on the Firewall, I allow connections for screen sharing, but Back to My Mac shows Orange and that it may have issues. I also have issues with DVD sharing when I have also allowed CD/DVD sharing in the options. Everything revolved around Security/Firewall. Is there anything I can do to diagnose these issues? I have a Time Capsule as my router.
    Thanks.
    I did look in Console and I do see this error sometimes when I click on the Security preferences tab:
    2/4/10 3:24:17 PM System Preferences[91476] Could not connect the action resetLocationWarningsSheetOk: to target of class AppleSecurity_Pref
    2/4/10 3:24:17 PM System Preferences[91476] Could not connect the action resetLocationWarningsSheetCancel: to target of class AppleSecurity_Pref
    Message was edited by: theBigD23

    I have a Time Capsule. I don't think that has anything turned on. I have the default settings. I know of other users with Time Capsule with the exact same problem.

  • Full mesh VPN solution for on MPLS network with PE and CPEs

    Hi,
    We are trying to evaluate the best solution for a Hub-Spoke mesh VPN solution in an MPLS network. The VPN hub router will be in the PE router and all the VPN spokes will be in CPEs.
    Can someone please let us know what will be the best VPN solution? We understand that there will be some technical limitations going with GETVPN, but still we couldn't find any documentation on the possibility of using DMVPN.
    How about the recent FlexVPN? Can FlexVPN work for this requirement, and where can I get a design/configuration document?
    thanks in advance.

    Hello,
    GetVPN is intended for (ANY-to-ANY) type of VPN communication. Over an MPLS network with a Hub and Spoke topology, your best option is to look for the Cisco (DMVPN) implementation, where this type of VPN is primarily designed for Hub & Spoke.
    Regards,
    Mohamed

  • MPLS issues with redundant PE routers

    Hello,
    I'd like to set up an MPLS lab. The layout of the gear is attached (mpls.jpg). At site A I have two PE routers, R4 and R6, which should have knowledge of the network 10.0.129.0/24 from site B. Router R1 is configured as a route reflector. The configurations of R1, R4, R5 and R6 are attached as well.
    With the configuration
    Routing Table R6
    O E2     10.0.129.0 [110/1] via 172.16.128.9, 00:04:37, FastEthernet0/1.200
    Routing table R4
    B        10.0.129.0 [200/11] via 150.1.5.5, 00:05:00
    a traceroute shows the path goes through R4 instead of directly through R1:
    Tracing the route to 10.0.129.1
    VRF info: (vrf in name/id, vrf out name/id)
      1 172.16.128.9 4 msec 0 msec 4 msec
      2 172.16.128.1 [MPLS: Labels 19/29 Exp 0] 96 msec 100 msec 96 msec
      3 150.1.0.2 [MPLS: Labels 19/29 Exp 0] 68 msec 64 msec 68 msec
      4 172.16.129.9 [MPLS: Label 29 Exp 0] 64 msec 64 msec 64 msec
      5 172.16.129.10 40 msec *  36 msec
    show bgp vpnv4 unicast all 10.0.129.0 indicates an error
    Rack1R6# show bgp vpnv4 unicast all 10.0.129.0
    BGP routing table entry for 200:1:10.0.129.0/24, version 63
    Paths: (1 available, best #1, table CENTRAL, RIB-failure(17) - next-hop mismatch)
      Not advertised to any peer
      Local
        150.1.5.5 (metric 67) from 150.1.1.1 (150.1.1.1)
          Origin incomplete, metric 11, localpref 100, valid, internal, best
          Extended Community: RT:200:1 OSPF DOMAIN ID:0x0005:0x000000C80200
            OSPF RT:0.0.0.0:3:0 OSPF ROUTER ID:172.16.129.242:0
          Originator: 150.1.5.5, Cluster list: 150.1.1.1
          mpls labels in/out nolabel/29
    Rack1R4#show bgp vpnv4 unicast all 10.0.129.0
    BGP routing table entry for 200:1:10.0.129.0/24, version 146
    Paths: (1 available, best #1, table CENTRAL)
      Not advertised to any peer
      Local
        150.1.5.5 (metric 67) from 150.1.1.1 (150.1.1.1)
          Origin incomplete, metric 11, localpref 100, valid, internal, best
          Extended Community: RT:200:1 OSPF DOMAIN ID:0x0005:0x000000C80200
            OSPF RT:0.0.0.0:3:0 OSPF ROUTER ID:172.16.129.242:0
          Originator: 150.1.5.5, Cluster list: 150.1.1.1
          mpls labels in/out nolabel/29
    Any ideas what I have to do in order to have a redundant path towards site B?
    Thanks in advance
    Alex

    Hi Alex,
    I think you still have redundancy via R6, but the BGP route on R6 is not getting installed in the routing table because it has an OSPF route with a lower AD value. If R4 goes down, R6 will lose the OSPF route for 10.0.129.0/24 coming from R4, install the BGP route, redistribute this into OSPF and advertise it to SW4.
    Routing Table R6
    O E2     10.0.129.0 [110/1] via 172.16.128.9, 00:04:37, FastEthernet0/1.200
    Rack1R6# show bgp vpnv4 unicast all 10.0.129.0
    BGP routing table entry for 200:1:10.0.129.0/24, version 63
    Paths: (1 available, best #1, table CENTRAL, RIB-failure(17) - next-hop mismatch)
      Not advertised to any peer
      Local
        150.1.5.5 (metric 67) from 150.1.1.1 (150.1.1.1)
          Origin incomplete, metric 11, localpref 100, valid, internal, best
          Extended Community: RT:200:1 OSPF DOMAIN ID:0x0005:0x000000C80200
            OSPF RT:0.0.0.0:3:0 OSPF ROUTER ID:172.16.129.242:0
          Originator: 150.1.5.5, Cluster list: 150.1.1.1
          mpls labels in/out nolabel/29

  • OSX is blocking ports with firewall turned off...

    I just purchased an iMac last week. I am not new to Macs, but this is my first one in a few years so I am new to Leopard. The problem I've been having is strange. It seems that port 5190 is totally unreachable. This makes it impossible to connect to AIM and use file transfer. I know I can connect on port 443, but file transfer doesn't work on that port. I also cannot connect to certain streaming video websites. Justin.tv is one of them. On that site, the page loads perfectly, but no video loads. Other ports could also be affected but as of now, 5190 is the only one I know for a fact not to be working. I am behind a router, but I have 5 other PCs using the router with no problems. Everything works great on the Windows machines. I have also tried to directly connect the Mac to my cable modem. That didn't work. The blockage is local to this machine. I have disabled the OSX firewall and that did nothing. I am at a total loss here. If there is anyone that has an idea, I would very much appreciate it.
    thanks

    Just to make sure, by disabled the firewall, you've set it to Allow all incoming connections?
    Can you Ping it on that port? You may need to make sure Stealth mode is turned off in the Advanced button of Firewall System Prefs. While there, enable logging. Try to connect and see what the log produces.

  • Help with firewall port opening

    I'm a newbie at this, so please be patient. And my Time Capsule is less than a week old, so I'm still in the learning stages.
    I purchased an iPod Touch and one of the programs from the App Store--Pocketpedia--requires certain ports to be open in order to sync with my Mac pedia programs.
    I went into the Time Capsule>Advanced settings to try to open the appropriate 2 ports (one for the Powerbook and one for the Touch). I'm obviously doing something wrong. That wouldn't be hard since all of the terminology is foreign to me. I know that I need to open the two TCP ports.
    I clicked on the + to add a new service/port. I wasn't sure if I needed the numbers in Public TCP ports or private, so entered them in both with the numbers separated by commas.
    I thought that this would be "personal file sharing" so I tried to choose that under "Service". However, when I did that it said "A public TCP port number conflicts with a file sharing port on the base station. Disable file sharing or choose a different port number." Actually, once I choose "personal file sharing", it autofills port 548 into the two TCP numbers. That's one that's opened within System Preferences. So it actually won't let me change that number at all. When I try to, the services menu defaults back to "choose a service".
    Needless to say, I'm very confused. I did go ahead and create a service with the two port #'s and without designating it a specific "service", but that doesn't seem to fix my problem with allowing the Touch to sync with my Powerbook.
    Any help would be much appreciated.

    With port mapping (forwarding) you "open" ports on the router's firewall in order to allow Internet traffic to reach a host device on your local area network (LAN), in this case your iPod Touch and PowerBook. However, you can map the same port(s) to only one device. For example, you cannot map port 548 to both the Touch AND the PowerBook, only one or the other.
    The typical port mapping setup requires two basic steps:
    1. Assign either a static IP address or reserve a DHCP-assigned IP address to the host device.
    2. Map the appropriate port(s) on the router to this host device.
    The following is a more detailed list of steps ...
    To set up port mapping on the Time Capsule (TC), either connect to the TC's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN ports of the TC, and then use the AirPort Utility, in Manual Setup, to make these settings:
    1. Reserve a DHCP-provided IP address for the host device.
    Internet > DHCP tab
    o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
    o Description: <enter the desired description of the host device>
    o Reserve address by: MAC Address
    o Click Continue.
    o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
    o IPv4 Address: <enter the desired IP address>
    o Click Done.
    2. Set up Port Mapping on the AEBSn.
    Advanced > Port Mapping tab
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s): <enter the appropriate UDP port values>
    o Public TCP Port(s): <enter the appropriate TCP port values>
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s): <enter the same as Public UDP Ports or your choice>
    o Private TCP Port(s): <enter the same as Public TCP Ports or your choice>
    o Click "Continue"
    (ref: "Well Known" TCP and UDP ports used by Apple software products)

  • Need Help in finding out Router, Switch, firewall n IDS 4 Datacentre

    Hi All,
    Greetings!
    I am working on a project for a datacenter. I need your help in finding the exact Router, Switch, Firewall & IDS series based on my attached complete technical specification.
    Please find attached the tech info for router, switch, firewall & IDS. Your prompt response will be appreciated.
    Thank you in advance for your kind cooperation & help.
    Looking forward to your prompt response.
    Best regards
    Arif....

    The write-up sounds more like it's a 7206VXR router and a 6500E with Sup720.
    FW/ASA/PIX is an ASA 5510
    Please don't forget to rate useful posts.  Thanks.
