NAT'ing firewall Wiki articles gone

http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Share_your_broadband_connection
and
http://wiki.archlinux.org/index.php/NAT'ing_firewall_-_Adding_advanced_features
are empty now.
Can someone check why those pages are stubs now, because I need both articles,
or at least give backups if possible, since I set up my home server using those.
Last edited by Satan666999 (2008-12-30 08:40:40)

Google cache for the first page:
http://74.125.77.132/search?q=cache:toh … ient=opera
No idea why it's off the wiki though, has it got something to do with the ' in NAT'ing?

Similar Messages

  • FMS: NAT and Firewall

    I've run into one roadblock after another with Cirrus (Stratus) - basically, even the Adobe Videophone example refuses to work in the 'real world' where there's a mix of NAT and firewall configurations outside the developer's control. (http://forums.adobe.com/message/1064983#1064983 and thread at http://forums.adobe.com/thread/736422?tstart=0)
    My question is whether Flash Media Server 4 has the same sort of issues? We don't want to pay up to install and run our own FMS only to discover that we won't be able to provide a P2P service to our end users because they're scattered around the Internet with a mix of mobile devices and computers lying behind NAT and firewall devices that we can't predict.

    FMS4 and Cirrus should behave identically as far as facilitating P2P communications on the open Internet.
    As the referenced article describes, with some combinations of NATs and firewalls, P2P communication is impossible. RTMFP tries really hard to establish connections in the cases where direct communication is possible, but will not function in cases where direct communication is not possible.
    We believe direct communications should be possible for the majority of Internet users, but recognize that it won't be possible for 100% of users.

  • Cannot Create New Wiki Articles

    For some reason, we are no longer able to create or edit new wiki articles on our server. We can create and edit blogs.
    The server currently is the Directory Master, we've tried stopping and restarting web service, rebooting the machine, etc.
    It is recognizing the directory user group, since only employees in the group (not customers) are allowed to view the articles on the site.
    The error received when attempting to create a new article is:
    Error from server: Problem creating the page: <type 'exceptions.OSError'> (13)

    Apple helped out on this one!
    So, we were not able to create new entries in old (existing) groups... Talking with support we were able to create a new group, and that new group could create new entries.
    So it turns out to be a permission error. Using Server Admin I copied the permissions from the new group and replicated those permissions down through all the other groups and lo and behold everything worked.
    Hope that anyone who runs into this <exceptions.OSError> 13 with server 10.6 finds this helpful.

  • RV320 Additional WAN IP NAT'ing

    Hello, I have an RV 320, my initial IP allocation from my ISP was 38.122.x.x a /30 allocation. Recently I needed to NAT a device so I requested a /29 block from my ISP the new block is 38.79.x.x. The router is fully managed by ISP, they told me that the new /29 block will be configured to route to the original WAN IP of my RV320. I configured a 1to1 NAT and no luck I am unable to remotely connect to the device via the external IP.  Any assistance would be greatly appreciated.

    Jennifer,
    Thanks for the quick reply.
    You were pretty much correct, all I needed to do was create the appropriate NAT map between the Public IP & a DMZ server and also add a new RULE to allow the new public facing services to be available for internet users. This is just the same as setting up NAT'ing on the IP range configured on the Public ASA interface.
    I didn't need to set up any static ARPs or create any routes (default route is already set out via the Public interface). Also no ISP specific set-up was required, so as
    I haven't tried to set-up outbound NAT/PAT yet from the Private interface so I cannot say if that is just as easy.

  • Trying to submit a wiki article but getting an error

    I have tried two times today to submit a wiki article but each time I see the following message:
    Sorry, there was a problem with your last request!
    Is the site currently down for maintenance? As well, how will I know if my article is being saved or not?
    Any help you can provide is appreciated.
    Ken

    With that error message I don't think your article got saved. Today's activity seems normal for a Sunday, so there doesn't seem to be an outage. But sometimes our work is not saved and we need to save again. You should try again.
    I cannot find any articles by you today. Usually when you save you can see the activity in two places. First, it should show on the main Wiki page that lists recent activity. Second, it should show in your profile on the activity tab. It is possible for the article to get saved and not show up in these two places, but your error message indicates it did not get saved.
    When I publish new articles I include my own personal tag, so I can quickly find my articles. You can do a tag search for all articles with any given tag. That is the most reliable way to tell if the article exists. The tag I use is "rlmueller".
    On the main Wiki page I add to the url to do a tag search, so the url becomes as follows:
    http://social.technet.microsoft.com/wiki/contents/articles/tags/rlmueller/default.aspx
    This finds all articles with my tag. You can do similar, just substitute your own unique tag.
    Richard Mueller - MVP Directory Services

  • Details of all Technet Wiki Article must be displayed

    Hello.
    For a user who has created multiple Technet Wiki articles and just opens one of his created Technet Wiki articles, his other created articles are not listed anywhere on the page. IMO, like in Technet Gallery, all the creator's articles must be listed somewhere on the page. It would allow the creator as well as a person looking for help to see other articles.
    Does this idea sound logical? Can we have this?
    Please mark this reply as the answer or vote as helpful, as appropriate, to make it useful for other readers

    Add my name to tag... OK, that is a good idea... strange solution, but might help the author (and others as well) to find his own articles. But this can't be THE solution but a secondary (or temporary) solution. It is much simpler to add a searching page with advanced options like search all the articles of user XXX... and this should not come instead of adding the list in the user profile.

  • Users steal ownership of Wiki Articles in Profile Activity -- Is this bug still happening?

    Is anyone seeing this Wiki/Profile bug still happening (not just the results of how it happened last year):
    Users steal ownership of Wiki Articles in Profile Activity
    This is where the wrong person gets credit for the article (they were an editor but not the author) in the Profile Activity tab and thus, they get the Author points.
    Still happening?
    Meaning that the bug starts happening this year (and not just the issues with it last year).
    Thanks!
    Ed Price, Power BI & SQL Server Customer Program Manager (Blog, Small Basic, Wiki Ninjas, Wiki)
    Answer an interesting question? Create a wiki article about it!

    You have a MacBook Pro too (as noted), does this happen with yours? If Apple changed things and it's normal, like as you stated that it was lit so you'd know your computer is 'on', but I'd like to know for sure if that's what it's supposed to be doing. (nip it in the bud if there's a problem)
    I know it isn't sleeping (not pulsing) but since the light is on (steady), it is something I noticed right away. For example, right now as I type this, with the MBP on my desk w/ the cinema display plugged in (w/ a keyboard) and the lid is closed on the MBP, the light is ON right now. Not pulsing, but a steady light. Doesn't seem like it should be, to me. (at least in my view)
    Thanks for your reply Josh.

  • Potential errors on Simple Stateful Firewall Wiki page?

    Reading through the Simple Stateful Firewall Wiki page I think I see a few errors.  I'm willing to make the changes myself but before I do and end up creating a real error I'd like some confirmation from folks more familiar with iptables than I am.
    I think the first errors are that the wiki page indicates this
    iptables -N TCP
    iptables -N UDP
    I think it should really be
    iptables -N OPEN-TCP
    iptables -N OPEN-UDP
    The other error I think I see is this
    iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --hitcount 6 --seconds 4 -j DROP
    I think that one should be
    iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP
    Thanks.
    Last edited by imatechguy (2011-10-21 03:45:13)

    The wiki page says:
    Warning: This is the step where you will be locked out if you are logged in via SSH. Therefore do this step following your rule regarding port 22 (or whatever port you're using for SSH) to prevent being locked out.
    Note the pink background, and the boldness. Not bold enough?
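The two forms of the ping-limiter rule compared in this post differ only in how the `recent` list is consulted. The Python below is an added illustration, not code from the wiki page or from anyone in the thread: it is a simplified model of the xt_recent match's hitcount/seconds window, run for both `--rcheck` (only accepted packets are recorded) and `--update` (a matching packet also refreshes the entry), over a constructed burst of echo-requests from one source. It assumes the DROP rule is followed by the usual `--set -j ACCEPT` rule, a list size of 20 stamps (the module's default), and a made-up source address and packet timing.

```python
from collections import deque
from typing import Deque, Dict, List

# Simplified model of the iptables xt_recent match (added example, not the wiki's own
# rules): one timestamp list per source address, at most LIST_SIZE stamps per entry.
# LIST_SIZE mirrors the module's default ip_pkt_list_tot; the value is an assumption here.
LIST_SIZE = 20


class RecentTable:
    """One named 'recent' list, e.g. --name ping_limiter."""

    def __init__(self, hitcount: int, seconds: float) -> None:
        self.hitcount = hitcount
        self.seconds = seconds
        self.stamps: Dict[str, Deque[float]] = {}

    def check(self, src: str, now: float, update: bool) -> bool:
        """--rcheck / --update: match when src already has >= hitcount stamps that
        are at most `seconds` old. With --update a successful match also records
        `now` as a new stamp, so a source that keeps sending stays matched."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= self.seconds)
        matched = hits >= self.hitcount
        if matched and update:
            stamps.append(now)
        return matched

    def set(self, src: str, now: float) -> None:
        """--set: create the entry if needed and record the packet."""
        self.stamps.setdefault(src, deque(maxlen=LIST_SIZE)).append(now)


def simulate_ping_limiter(arrivals: List[float], update: bool = True,
                          src: str = "198.51.100.7") -> List[str]:
    """Verdict per echo-request for the two-rule limiter:
         -m recent --name ping_limiter {--update|--rcheck} --hitcount 6 --seconds 4 -j DROP
         -m recent --name ping_limiter --set -j ACCEPT
    The second rule is assumed to follow the first, as a set/check pair normally does."""
    table = RecentTable(hitcount=6, seconds=4.0)
    verdicts = []
    for now in arrivals:
        if table.check(src, now, update):
            verdicts.append("DROP")
        else:
            table.set(src, now)
            verdicts.append("ACCEPT")
    return verdicts


# Constructed traffic: 20 echo-requests at two per second, then one more after a pause.
FLOOD = [i * 0.5 for i in range(20)] + [20.0]

if __name__ == "__main__":
    for update in (True, False):
        v = simulate_ping_limiter(FLOOD, update=update)
        mode = "--update" if update else "--rcheck"
        print(f"{mode}: {v.count('ACCEPT')} accepted, {v.count('DROP')} dropped")
```

With `--update`, the sixth packet in four seconds and every packet after it is dropped for as long as the source keeps sending, because each dropped packet refreshes the entry; the packet after the pause is accepted again. With `--rcheck`, only accepted packets count, so a steady two-per-second stream is throttled rather than blocked.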

  • FVWM wiki article

    Hi there,
    I saw in the wiki Beginners' Guide that there were several lines about fvwm, but nowhere else. So I thought it would be nice to create a good wiki article about it. Actually, I have started it - FVWM.
    Feel free to edit and express your opinion about it. It would be nice to have good help for newbies. And yes, I know that man pages are very good and will answer most of the questions (if not all). But still, the amount of information is too vast for the mind of a newbie.

    ThomasAdam wrote:
    sokuban wrote: One thing I think you should add is documentation on the extra features in the patched version.
    I don't think so -- it's completely peripheral to FVWM per se.
    I don't see the harm in it. He said that the man pages are vast etc, and I was thinking about information that wouldn't be in the man pages, add on to the fact that it is fairly Arch-specific (or so I thought), so it should deserve a place in the Arch wiki.
    The wiki page also shows how to install the patched version, it isn't completely ignoring it. I'm sure a lot of people would see that and wonder what the patched version has to offer.
    ThomasAdam wrote:
    No, this is hideously old, and outdated -- even if it were up, the patches referenced there don't even apply -- the ones shipped as part of the Genpoo ebuild are kept up to date by hand.
    http://jesgue.homelinux.org/fvwm-files/fvwm.php
    Stop looking on the wayback machine. 
    -- Thomas Adam
    Well, I have no clue where the updated patch documentation is (does it exist?). I'm talking about this: http://aur.archlinux.org/packages.php?ID=7195
    and in the description/comments it shows those sites. Not sure if this is the same as the Genpoo (Gentoo?) ebuild you are talking about.
    Last edited by sokuban (2009-10-21 17:35:16)

  • About posting TechNet Wiki articles

    Hello,
    I already write some articles on my personal blogs (Italian and English).
    Is it needed that a TechNet Wiki article is original and doesn't exist on another web site?
    Can I publish on TechNet Wiki an article I already published on my blogs?
    Thanks,
    Paolo.
    Paolo Patierno

    Yes, you can post your own content! That's great! And if it's in any of the TechNet Guru categories, you can also enter those competitions and get more views on your articles!
    http://social.technet.microsoft.com/wiki/contents/articles/22885.technet-guru-contributions-for-february.aspx
    Ed Price, Power BI & SQL Server Customer Program Manager (Blog, Small Basic, Wiki Ninjas, Wiki)
    Answer an interesting question? Create a wiki article about it!

  • Need some help with a fundamental concept of nat'ing/routing

    I have the following code on an ASA5500 pair with very down-level code. 7.1.2.
    Here is a snippet of the ruleset:
    interface GigabitEthernet0/1.40
    description Production Servers Network
    vlan 40
    nameif Production
    security-level 40
    ip address 172.20.0.1 255.255.0.0 standby 172.20.0.2
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    nat (Production) 0 access-list no-nat
    Am I correct in believing all traffic sourced from the 192.168.3.0 and 172.20.0.0 networks coming in via the Production interface will NOT be NAT'ed?
    My next question is: will that traffic be routed through that interface Production using the original IP addresses, or will that traffic NOT be routed anywhere?
    I don't want that traffic to be routed, but am concerned since these access list commands permit IP traffic between the networks, this traffic will be routed.

    Thanks for responses, but they confuse me more.
    It is not your answers causing my confusion, but the firewall rules I am trying to apply to this.
    From what you are saying, traffic WILL flow from the 192.168.3.0 network to the 192.168.20.0 network, flowing through the Production interface. It won't be NAT'ed, but it will route because the access list explicitly allows IP traffic sourced from the 192.168.3.0 network to reach the 192.168.20.0 network.
    However, this is not what is currently happening in the networks, as far as I have been told.
    Let me add more lines of code to the problem, and give my interpretation, and you can tell me where I am going wrong.
    1. There is no access list explicitly associated with the Production interface, as can be seen through the definition in my first post.
    2. More complete code:
    object-group network network_vpn
    description VPN IP's
    network-object 192.168.2.0 255.255.255.0
    network-object 192.168.3.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.2.0  255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
    access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
    access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
    access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
    nat (Production) 0 access-list no-nat
    nat (Production) 0 access-list Production_nat0_inbound outside
    nat (Production) 1 172.20.0.0 255.255.0.0
    Use the third-last line in the access-list no-nat commands as an example.
    As I envision this, if I have a network sourced as 192.168.3.0, coming in through the Production interface, IP traffic can reach the 172.20.0.0 network, albeit not NAT'ed, but with the original IP addresses, assuming routing is configured between these networks? I guess my related question would be: is routing not implicitly turned on between these networks?
    3. Also, I think several lines of this access rule are redundant, given the network object covers the 192.168.2.0 and 192.168.3.0 networks.
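The `nat (Production) 0 access-list no-nat` statement uses its ACL only to decide which flows are exempt from translation; whether a flow is permitted or routed is decided elsewhere (interface access-groups and the routing table). The third point raised above, that several of the ACEs are redundant once the object-group is expanded, is the kind of thing worth checking mechanically. The Python below is an added example, not code from anyone in this thread: it parses the object-group, the no-nat ACL and the nat 0 statement as posted above (assembled here into one fragment), expands object-groups into (source, destination) pairs, answers "is this flow exempt from NAT?" for a given pair of addresses, and lists the ACEs whose every pair is already covered by another ACE. Because a NAT-exemption ACL is matched for any hit regardless of order, a broader ACE anywhere in the list makes a narrower one redundant. Support for `host` and `any` endpoints follows standard ASA ACL syntax, although the posted lines do not use them.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # (source network, destination network) of one expanded ACE

# Sample input: the object-group, the no-nat ACL and the nat 0 statement as posted in the
# thread above, joined into one fragment for the parser.
SAMPLE_CONFIG = """\
object-group network network_vpn
 description VPN IP's
 network-object 192.168.2.0 255.255.255.0
 network-object 192.168.3.0 255.255.255.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip object-group network_vpn 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.0.0 255.255.0.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 172.20.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list no-nat extended permit ip 192.168.3.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list no-nat extended permit ip 192.168.2.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (Production) 0 access-list no-nat
"""


def _endpoint(tokens: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Parse one ACE endpoint starting at tokens[i]; return (networks, index after it)."""
    tok = tokens[i]
    if tok == "object-group":
        return groups[tokens[i + 1]], i + 2
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    # ASA ACLs use real subnet masks (not IOS-style wildcards)
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_config(text: str):
    """Return (acls, nat0): acls maps ACL name -> list of ACEs, each a list of (src, dst)
    pairs after object-group expansion; nat0 maps interface -> exemption ACL name."""
    groups: Dict[str, List[Net]] = {}
    acls: Dict[str, List[List[Pair]]] = {}
    nat0: Dict[str, str] = {}
    current_group = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[:2] == ["object-group", "network"]:
            current_group = groups.setdefault(t[2], [])
        elif t[0] == "network-object" and current_group is not None:
            nets, _ = _endpoint(t, 1, groups)
            current_group.extend(nets)
        elif t[0] == "access-list" and t[2:5] == ["extended", "permit", "ip"]:
            srcs, i = _endpoint(t, 5, groups)
            dsts, _ = _endpoint(t, i, groups)
            acls.setdefault(t[1], []).append([(s, d) for s in srcs for d in dsts])
        else:
            m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", raw.strip())
            if m:
                nat0[m.group(1)] = m.group(2)
    return acls, nat0


def is_nat_exempt(aces: List[List[Pair]], src: str, dst: str) -> bool:
    """True when src -> dst matches the exemption ACL, i.e. the ASA leaves the addresses
    untranslated. It says nothing about whether the flow is permitted or routed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in p[0] and d in p[1] for ace in aces for p in ace)


def redundant_aces(aces: List[List[Pair]]) -> List[int]:
    """Indices of ACEs whose every (src, dst) pair is covered by some other ACE.
    Exact duplicates keep their first occurrence; a broader ACE covers a narrower one
    wherever it sits, since order does not matter for nat 0 exemption."""
    redundant = []
    for i, ace in enumerate(aces):
        def covered(pair: Pair) -> bool:
            return any(pair[0].subnet_of(by[0]) and pair[1].subnet_of(by[1])
                       and (pair != by or j < i)
                       for j, other in enumerate(aces) if j != i for by in other)
        if all(covered(p) for p in ace):
            redundant.append(i)
    return redundant


if __name__ == "__main__":
    acls, nat0 = parse_config(SAMPLE_CONFIG)
    for iface, name in nat0.items():
        print(f"{iface}: exemption ACL {name}, redundant ACE indices {redundant_aces(acls[name])}")
    print("192.168.3.10 -> 172.20.5.5 exempt:", is_nat_exempt(acls["no-nat"], "192.168.3.10", "172.20.5.5"))
```

On the posted lines, four ACEs (object-group to 192.168.20.0/24, 192.168.0.0/16 to 172.20.0.0/16, 172.20.0.0/16 to 192.168.0.0/16, and 192.168.20.0/24 to 192.168.2.0/24) already exempt every flow the other eight describe.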

  • Why recently created wiki articles are not showing in profile Statistics page?

    Recently I have created a wiki. Altogether it should be 3, but under the profile Statistics page it shows as two. It's almost two weeks now.
    Below are the wikis:
    (si-LK) http://social.technet.microsoft.com/wiki/contents/articles/19489.registry-import-not-all-data-was-successfully-written-to-the-registry-some-keys-are-open-by-the-system-or-other-process-or-you-have-insufficient-privileges-to-perform-this-operation-si-lk.aspx
    http://social.technet.microsoft.com/wiki/contents/articles/19805.kb2817630-kb2817347-outlook-2013-si-lk.aspx
    (en-US) http://social.technet.microsoft.com/wiki/contents/articles/20586.how-to-change-ipv4-dns-server-address-to-public-dns-in-windows.aspx

    I think that if the activity has not shown up by now, it will never show up, and your statistics will not be updated. I have had this happen to myself. When the Wiki is having performance problems, articles can be created or updated, but metadata is not updated properly. Sometimes this can be fixed, sometimes not. This issue is of major concern, but there is no fix yet.
    Richard Mueller - MVP Directory Services

  • 881W NAT and Firewall

    Hello all,
    I recently configured my 881W for dual SSID, and NATing to separate the VLAN traffic.  Afterwards, I used Cisco Configuration Professional to configure the firewall for medium security, and then I tested it by connecting it to my U-Verse residential gateway in DMZplus mode.  I was able to get a DHCP address from my IP to the 881W, but I can't resolve DNS, or get to any outside internet sites.  Based on my configuration below, does anyone have any insight into what could be wrong?
    R1-881W#show run
    Building configuration...
    Current configuration : 14484 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname R1-881W
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 xxxxxxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-1234567890
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1234567890
    revocation-check none
    rsakeypair TP-self-signed-1392450818
    crypto pki certificate chain TP-self-signed-1234567890
    certificate self-signed 01
      <some cert>
            quit
    no ip source-route
    ip dhcp excluded-address 172.16.1.1 172.16.1.200
    ip dhcp excluded-address 192.168.12.200 192.168.12.254
    ip dhcp pool Private
       import all
       network 172.16.1.0 255.255.255.0
       default-router 172.16.1.1
       dns-server 172.16.1.1 255.255.255.0
    ip dhcp pool Guest
       network 192.168.12.0 255.255.255.0
       default-router 192.168.12.1
       dns-server 192.168.12.1 255.255.255.0
    ip cef
    no ip bootp server
    ip domain name somedomain.local
    ip name-server 68.94.156.1
    ip name-server 68.94.157.1
    ip name-server 8.8.8.8
    login block-for 120 attempts 5 within 60
    login delay 3
    no ipv6 cef
    multilink bundle-name authenticated
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    username someuser privilege 15 secret 5 xxxxxxxxxxxxxx
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh version 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect imap match-any ccp-app-imap
    match  invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect gnutella match-any ccp-app-gnutella
    match  file-transfer
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
    match  service any
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
    match  service any
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
    match  service any
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect pop3 match-any ccp-app-pop3
    match  invalid-command
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
    match  file-transfer
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
    match  service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
    match  service text-chat
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 101
    class-map type inspect http match-any ccp-app-httpmethods
    match  request method bcopy
    match  request method bdelete
    match  request method bmove
    match  request method bpropfind
    match  request method bproppatch
    match  request method connect
    match  request method copy
    match  request method delete
    match  request method edit
    match  request method getattribute
    match  request method getattributenames
    match  request method getproperties
    match  request method index
    match  request method lock
    match  request method mkcol
    match  request method mkdir
    match  request method move
    match  request method notify
    match  request method options
    match  request method poll
    match  request method propfind
    match  request method proppatch
    match  request method put
    match  request method revadd
    match  request method revlabel
    match  request method revlog
    match  request method revnum
    match  request method save
    match  request method search
    match  request method setattribute
    match  request method startrev
    match  request method stoprev
    match  request method subscribe
    match  request method trace
    match  request method unedit
    match  request method unlock
    match  request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
    match  file-transfer
    match  text-chat
    match  search-file-name
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
    match  request port-misuse im
    match  request port-misuse p2p
    match  req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
    match  file-transfer
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect aol match-any ccp-app-aol
    match  service text-chat
    class-map type inspect edonkey match-any ccp-app-edonkeychat
    match  search-file-name
    match  text-chat
    class-map type inspect fasttrack match-any ccp-app-fasttrack
    match  file-transfer
    class-map type inspect http match-any ccp-http-allowparam
    match  request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect p2p ccp-action-app-p2p
    class type inspect edonkey ccp-app-edonkeychat
      log
      allow
    class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
    class type inspect fasttrack ccp-app-fasttrack
      log
      allow
    class type inspect gnutella ccp-app-gnutella
      log
      allow
    class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect im ccp-action-app-im
    class type inspect aol ccp-app-aol
      log
      allow
    class type inspect msnmsgr ccp-app-msn
      log
      allow
    class type inspect ymsgr ccp-app-yahoo
      log
      allow
    class type inspect aol ccp-app-aol-otherservices
      log
      reset
    class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
    class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
      log
      reset
    class type inspect http ccp-app-httpmethods
      log
      reset
    class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
    class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
    class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport access vlan 11
    interface FastEthernet1
    interface FastEthernet2
    switchport access vlan 11
    interface FastEthernet3
    interface FastEthernet4
    description ISP Connection$FW_OUTSIDE$
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    shutdown
    duplex auto
    speed auto
    no cdp enable
    interface wlan-ap0
    description Service module to manage the enbedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    interface Vlan1
    description $FW_INSIDE$
    ip address 172.16.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Vlan11
    description $FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    interface Vlan12
    description Guest Vlan$FW_INSIDE$
    ip address 192.168.12.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    no ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source list 100 interface FastEthernet4 overload
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    logging trap debugging
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 172.16.1.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    no cdp run
    control-plane
    banner login ^CWarning!  Authorized Access Only!^C
    line con 0
    password 7 xxxxxxxxxxxxxx
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    password 7 xxxxxxxxxxxxxx
    transport input telnet ssh
    transport output telnet
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Henrik,
    I redid the changes you suggested (excluding the
    config to make the guest-zone only allowed to ping and get an IP address from the router). I cannot connect to the internet from VLAN12. Here is my config below:
    R1-881W#show run
    Building configuration...
    Current configuration : 8875 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname R1-881W
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 xxxxxxxxxxxxxxx
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    service-module wlan-ap 0 bootimage autonomous
    crypto pki trustpoint TP-self-signed-1234567890
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1234567890
    revocation-check none
    rsakeypair TP-self-signed-1234567890
    crypto pki certificate chain TP-self-signed-1234567890
    certificate self-signed 01
            quit
    no ip source-route
    ip dhcp excluded-address 172.16.1.1 172.16.1.200
    ip dhcp excluded-address 192.168.12.200 192.168.12.254
    ip dhcp pool Private
       import all
       network 172.16.1.0 255.255.255.0
       default-router 172.16.1.1
       dns-server 172.16.1.1 255.255.255.0
    ip dhcp pool Guest
       network 192.168.12.0 255.255.255.0
       default-router 192.168.12.1
       dns-server 192.168.12.1 255.255.255.0
    ip cef
    no ip bootp server
    ip domain name lab.local
    ip name-server 68.94.156.1
    ip name-server 68.94.157.1
    ip name-server 8.8.8.8
    login block-for 120 attempts 5 within 60
    login delay 3
    no ipv6 cef
    multilink bundle-name authenticated
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    username somerookieuser privilege 15 secret 5 xxxxxxxxxxxxxxx
    archive
    log config
      hidekeys
    ip tcp synwait-time 10
    ip ssh version 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
    match access-group name GUEST-TO-OUTSIDE_ACL
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 101
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
      pass
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_DHCP_CLIENT_PT
      pass
    class class-default
      drop
    policy-map type inspect GUEST-TO-OUTSIDE_PMAP
    class type inspect GUEST-TO-OUTSIDE_CMAP
    class class-default
      drop
    zone security out-zone
    zone security in-zone
    zone security guest-zone
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-self-out source self destination out-zone
    zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
    service-policy type inspect GUEST-TO-OUTSIDE_PMAP
    interface Null0
    no ip unreachables
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description ISP Connection$FW_OUTSIDE$
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    no cdp enable
    interface wlan-ap0
    description Service module to manage the embedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    interface Vlan1
    description $FW_INSIDE$
    ip address 172.16.1.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Vlan11
    description $FW_INSIDE$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    interface Vlan12
    description Guest Vlan$FW_INSIDE$
    ip address 192.168.12.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security guest-zone
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    no ip http server
    ip http authentication local
    ip http secure-server
    ip dns server
    ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
    ip access-list extended GUEST-TO-OUTSIDE_ACL
    permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended NAT_ALLOWED
    permit ip 172.16.1.0 0.0.0.255 any
    permit ip 192.168.12.0 0.0.0.255 any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    logging trap debugging
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    no cdp run
    control-plane
    banner login ^CWarning!  Authorized Access Only!^C
    line con 0
    password 7 somestrongpassword
    logging synchronous
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    password 7 somestrongpassword
    transport input telnet ssh
    transport output telnet
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
    R1-881W#
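
    Both configs posted in this thread (the earlier one whose tail is shown above, with the numbered `access-list 100` as its NAT list, and the second one just posted) can be checked mechanically for the three things that most often explain "one VLAN has no Internet" behind a zone-based firewall: a class in an inspect policy-map with no action beneath it (such a class does not let the traffic through; only `inspect` or `pass` does), a zone-pair with no service-policy attached, and an inside interface whose zone has no zone-pair toward the outside zone or whose subnet the NAT ACL does not permit. The script below is an added example in Python; it is not code from the thread, from Cisco or from CCP. Its SAMPLE_CONFIG is a constructed, condensed copy of the second config with the indentation that `show run` produces restored (the forum copy lost it, and the parser relies on one space per nesting level), and the ZBF action keywords it recognises are inspect, pass, drop, police and urlfilter.

```python
"""Lint the ZBF (zone-based firewall) and NAT parts of a Cisco IOS running-config.
Added example for this thread, not code posted in it. SAMPLE_CONFIG is a constructed,
condensed version of the posted config, indented as 'show run' prints it (one space per level)."""
import ipaddress
SAMPLE_CONFIG = """\
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
 class type inspect GUEST-TO-OUTSIDE_CMAP
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
 service-policy type inspect GUEST-TO-OUTSIDE_PMAP
interface FastEthernet4
 ip address dhcp
 ip nat outside
 zone-member security out-zone
interface Vlan11
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
interface Vlan12
 ip address 192.168.12.1 255.255.255.0
 ip nat inside
 zone-member security guest-zone
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
ip access-list extended NAT_ALLOWED
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
"""


def parse_blocks(text):
    """Split the config into (header, [indented body lines]) stanzas."""
    blocks = []
    for raw in text.splitlines():
        if raw.strip() and not raw.startswith("!"):  # skip blanks and '!' separators
            if raw[0] != " ":
                blocks.append((raw.strip(), []))
            elif blocks:
                blocks[-1][1].append(raw)  # indentation is kept: it encodes nesting
    return blocks


def classes_without_action(blocks):
    """(policy-map, class) pairs in inspect policies whose class carries no action."""
    found = []
    for header, body in blocks:
        if header.startswith("policy-map type inspect "):
            pmap, current, acted = header.split()[-1], None, False
            for line in body + [" class __end__"]:  # sentinel flushes the last class
                depth = len(line) - len(line.lstrip())
                if depth == 1 and line.lstrip().startswith("class "):
                    if current and not acted:
                        found.append((pmap, current))
                    current, acted = line.split()[-1], False
                elif depth >= 2 and line.split()[0] in {"inspect", "pass", "drop", "police", "urlfilter"}:
                    acted = True
    return found


def interfaces(blocks):
    """interface name -> {zone, network, nat} from each interface stanza."""
    out = {}
    for header, body in blocks:
        if header.startswith("interface "):
            info = out.setdefault(header[10:], {"zone": None, "network": None, "nat": None})
            for t in (line.split() for line in body):
                if t[:2] == ["zone-member", "security"]:
                    info["zone"] = t[2]
                elif t[:2] == ["ip", "nat"]:
                    info["nat"] = t[2]
                elif t[:2] == ["ip", "address"] and len(t) == 4:  # 'ip address dhcp' has no mask
                    info["network"] = ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)
    return out


def nat_acl_networks(blocks):
    """Networks permitted by the ACL that 'ip nat inside source list' references."""
    acl = next((h.split()[5] for h, _ in blocks if h.startswith("ip nat inside source list ")), None)
    entries = [line.split() for h, body in blocks if h == f"ip access-list extended {acl}" for line in body]
    entries += [h.split()[2:] for h, _ in blocks if h.startswith(f"access-list {acl} ")]  # numbered ACL
    nets = []
    for t in entries:
        if t[:2] == ["permit", "ip"] and len(t) >= 4 and t[2] not in ("any", "host"):
            wildcard = int(ipaddress.IPv4Address(t[3]))  # contiguous wildcard -> prefix length
            nets.append(ipaddress.ip_network(f"{t[2]}/{32 - wildcard.bit_length()}", strict=False))
    return nets


def lint(text):
    """Human-readable findings for one config text."""
    blocks = parse_blocks(text)
    zp = [(h.split(), body) for h, body in blocks if h.startswith("zone-pair security ")]
    findings = [f"policy-map {p}: class {c} has no action, so its traffic is not permitted"
                for p, c in classes_without_action(blocks)]
    findings += [f"zone-pair {h[2]}: no service-policy attached" for h, body in zp
                 if not any(line.split()[0] == "service-policy" for line in body)]
    ifaces, nat_nets = interfaces(blocks), nat_acl_networks(blocks)
    outside = {i["zone"] for i in ifaces.values() if i["nat"] == "outside"}
    for name, i in ifaces.items():
        if i["nat"] == "inside" and i["network"] is not None:
            if not any(h[4] == i["zone"] and h[6] in outside for h, _ in zp):
                findings.append(f"{name}: zone {i['zone']} has no zone-pair to the outside zone")
            if not any(i["network"].subnet_of(n) for n in nat_nets):
                findings.append(f"{name}: {i['network']} is not covered by the NAT ACL")
    return findings
```

    On the sample it reports the guest class with no action, the ccp-zp-self-out pair with no policy (verify that pair is intentional), and Vlan11's 10.10.10.0/24 missing from NAT_ALLOWED, which is also true of the posted second config; adding `inspect` under `class type inspect GUEST-TO-OUTSIDE_CMAP` makes the first finding disappear. On a re-indented copy of the first config the same NAT check reports both 10.10.10.0/24 and 192.168.12.0/24 missing, since `access-list 100` only permits 172.16.1.0/24.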

  • Update NTP (Network Time Protocol) wiki article?

    I was trying to set up automatic clock synchronization, so I went here https://wiki.archlinux.org/index.php/Ne … e_Protocol to see how I could do that: the first thing it says is to install ntp, and that's easy, but then the configuration section is very different from the default /etc/ntp.conf that comes with the repository package (version 4.2.6.p2-1), so this is the first reason why I think the article should be updated.
    After that I started KISS-wondering why I should use a memory/bandwidth/cpu-eating daemon if what I want is just to synchronize my clock at boot time, nothing more; in fact, configuring ntp that way is useful only for an ntp server, but I'm pretty confident that the large majority of people visiting that page are just looking for a way to sync their clock, so I think that the NTP part of the page should be split into 2 or, even better, 3 subsections: 1) ntp server configuration (with ntpd running); 2) simple ntp clock synchronization (with ntpd running); 3) ntp clock synchronization (at boot time or as a cron event) (without ntpd running).
    Subsection 3) should explain how to configure ntp.conf (and maybe /etc/rc.local? I'm still looking into this) just to be able to have this command
    ntpd -qg
    automatically executed at boot time: maybe by appending it to /etc/rc.local (but I'm afraid it's slightly more complicated than that; I'm still looking into it); it could also be mentioned that it's possible to run that command at predefined time intervals by creating a cron event.
    Is somebody with more knowledge than me interested in helping?
    (Excuse my approximate English...)

    Ok, I finally managed to find the time to revise the ntp.conf section, this is my first attempt to it:
    ===/etc/ntp.conf===
    The first thing you define in your ntp.conf is the servers your machine will synchronize to.
    NTP servers are classified in a hierarchical system with many levels called "strata": the devices which are considered independent time sources are classified as "stratum 0" sources; the servers directly connected to stratum 0 devices are classified as "stratum 1" sources; servers connected to stratum 1 sources are then classified as "stratum 2" sources and so on. It has to be understood that a server's stratum cannot be taken as an indication of its accuracy or reliability.
    Typically, stratum 2 servers are used for general synchronization purposes: if you don't already know the servers you're going to connect to, you should use the pool.ntp.org servers (http://www.pool.ntp.org/ or http://support.ntp.org/bin/view/Servers/NTPPoolServers) and choose the server pool that is closest to your location.
    The following lines are just an example:
    server 0.it.pool.ntp.org iburst
    server 1.it.pool.ntp.org iburst
    server 2.it.pool.ntp.org iburst
    server 3.it.pool.ntp.org iburst
    The iburst option is recommended, and sends a burst of packets if it cannot obtain a connection with the first attempt. The "burst" option should never be used without explicit permission and will likely result in blacklisting.
    If you're setting up an ntp server, you need to add localhost as a server, so that, in case it loses internet access, it won't stop serving time to the network; add localhost as a "stratum 10" server (using the "fudge" command) so that it will never be used unless internet access is lost:
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
    The next thing you have to do is add the drift file (which keeps track of your clock's time deviation) and optionally the log file location:
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp.log
    Now all that's left to do is define the rules that will allow clients to connect to your service (localhost is considered a client too) using the "restrict" command; you should already have a line like this in your file:
    restrict default nomodify nopeer
    This restricts everyone from modifying anything and prevents everyone from querying your time server.
    You can also add other options:
    restrict default kod nomodify notrap nopeer noquery
    In the past, "notrust" option was used too, but its function has changed to mean that authentication with a key is required.
    Following this line, you need to tell ntpd what to allow through into your server; the following line is enough if you're not configuring an ntp server:
    restrict 127.0.0.1
    Otherwise you can add more clients like in this example:
    restrict 1.2.3.4 nomodify
    restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
    This tells ntpd that 1.2.3.4 and all IP addresses from the 192.168.0.0 range will be allowed to synchronize on this server, but they will not be allowed to modify anything. All other IP addresses in the world will still obey the default restrictions (the first line in the ntp.conf).
    In the end, the complete file will look like this (almost all original comments have been stripped out for clarity):
    # Name of the servers ntpd should sync with (these are for Italy as an example)
    server 0.it.pool.ntp.org iburst
    server 1.it.pool.ntp.org iburst
    server 2.it.pool.ntp.org iburst
    server 3.it.pool.ntp.org iburst
    driftfile /var/lib/ntp/ntp.drift
    logfile /var/log/ntp.log
    restrict default nomodify nopeer
    restrict 127.0.0.1
    For a more in-depth explanation of the file, especially if you want to configure your machine as an ntp server, the Gentoo Wiki has a more detailed description.
    Lastly, never forget man pages:
    $ man ntp.conf
    is likely to answer most of your remaining doubts.
    Last edited by kynikos (2011-02-06 23:15:03)
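
    The restrict semantics the draft describes can be exercised directly. The script below is an added example in Python and is not part of the post or of the Arch wiki article: it parses the `restrict` lines of an ntp.conf, reports which flags apply to a given client address the way ntpd resolves overlapping entries (the most specific matching entry wins; the tie-break between equally specific lines is this script's own choice, and a `-4`/`-6` family hint on `default` is treated as applying to both families), and audits the `default` entry for the hardening flags a server reachable from the Internet should carry, `noquery` above all, since it is the flag that refuses the ntpq/ntpdc control queries (including monlist) that were abused for amplification. SAMPLE_CONF is constructed from the draft's own example lines.

```python
"""Evaluate ntpd 'restrict' rules from an ntp.conf.

Added example for the draft above, not part of the post or of the Arch wiki.
It answers "which restrict flags apply to this client?" the way ntpd does
(the most specific matching entry wins) and reports a default entry that
leaves control queries open. SAMPLE_CONF is constructed from the draft's
own example lines."""
import ipaddress

SAMPLE_CONF = """\
server 0.it.pool.ntp.org iburst
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify nopeer
restrict 127.0.0.1
restrict 1.2.3.4 nomodify
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
"""

# Flags a public-facing default entry should carry: noquery refuses mode 6/7
# control queries (ntpq/ntpdc, the monlist amplification vector), nomodify
# refuses run-time reconfiguration, notrap refuses trap registration, nopeer
# refuses unsolicited peering, kod rate-limits abusive clients.
HARDENING_FLAGS = ("kod", "nomodify", "noquery", "nopeer", "notrap")


def parse_restrict(text):
    """Return [(network_or_None, flags)] in file order; None means 'default'."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        # Family hints are dropped: a -4/-6 default is treated as applying to both.
        tokens = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not tokens or tokens[0] == "source":  # 'source' applies to pool peers
            continue
        if tokens[0] == "default":
            net, flags = None, tokens[1:]
        elif len(tokens) > 2 and tokens[1] == "mask":
            net, flags = ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}", strict=False), tokens[3:]
        else:
            net, flags = ipaddress.ip_network(tokens[0]), tokens[1:]  # single host
        rules.append((net, frozenset(flags)))
    return rules


def effective_flags(rules, client):
    """Flags ntpd applies to 'client': the most specific matching entry wins;
    this evaluator breaks ties in favour of the later line."""
    addr = ipaddress.ip_address(client)
    matches = [(-1 if net is None else net.prefixlen, i, flags)
               for i, (net, flags) in enumerate(rules) if net is None or addr in net]
    return max(matches)[2] if matches else frozenset()  # no match: unrestricted


def audit(rules):
    """Report a default entry missing hardening flags, or no default at all."""
    defaults = [flags for net, flags in rules if net is None]
    if not defaults:
        return ["no 'restrict default' entry: every address is unrestricted"]
    return [f"restrict default: missing {' '.join(f for f in HARDENING_FLAGS if f not in flags)}"
            for flags in defaults if not set(HARDENING_FLAGS) <= flags]


if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for client in ("127.0.0.1", "1.2.3.4", "192.168.0.77", "203.0.113.9"):
        print(client, sorted(effective_flags(rules, client)) or "unrestricted")
    print("\n".join(audit(rules)))
```

    Run against the draft's own lines it shows 127.0.0.1 unrestricted, 1.2.3.4 with nomodify, the 192.168.0.0/24 hosts with nomodify notrap, every other address with the default nomodify nopeer, and the audit reports that the default entry is missing kod noquery notrap: without noquery the server still answers ntpq/ntpdc control queries from anyone. The stricter line the draft also lists, `restrict default kod nomodify notrap nopeer noquery`, passes the audit.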

  • Please review wiki article "init and inittab"

    https://wiki.archlinux.org/index.php/Init_and_inittab
    diff against old version: https://wiki.archlinux.org/index.php?ti … did=120785
    Much of the knowledge was learned from this thread.
    A lot of enhancements. To summarize:
    Changed the title from "inittab" to current one; created redirections from "init";
    A detailed explanation on the mechanism of init and the entry format of inittab;
    Reorganized the sections explaining inittab entries to agree with the order of default inittab of Arch;
    A lot of language polishing;
    TODOs:
    Write an overview. Currently the overview is still split into two parts (the beginning of the article and the "overview" section). I'd like to use the summary templates, but I'm running out of time now. Also, I'm neither familiar with the syntax nor good at writing a summary. Help is needed;
    The language in some sections may still be bad, or even have been made worse, due to my English level. Need review of a fluent speaker.
    Last edited by xiaq (2011-05-02 05:48:07)

    Thanks, xiaq!
    You can use the talk page to share your ideas and enhancements.
