RFC 6598 on Campus Wireless behind CGN

Hello,
RFC 6598 states that 100.64.0.0/10 network is reserved by IANA for shared addresses behind CGN.  http://tools.ietf.org/html/rfc6598
We are planning to deploy dual-stack with CGN to handle IPv4 traffic, particularly for our wireless network with approximately 48,000 concurrent stations.  Is it the best practice today to assign RFC 6598 to these stations instead of RFC 1918?
Any suggestions would be appreciated!
Jason

Can't hurt.
Remember, the reported wireless "strength" is an amalgam of strength and quality (or lack of interference.)
A sudden drop in "strength" may actually be a more complete reflection of signal quality, often due to lots of interference in the area from other routers or other devices sharing the same frequency spectrum like cordless phones and microwave ovens.
Have the Apple Store techs run their tests, or if you don't have time, you could just check to see if your signal strength on their network matches that reported by their demo Macs.

Similar Messages

  • New m451dw LaserJet IMPOSSIBLE to Connect to Campus Wireless Network!!!

    I just installed a new LaserJet Pro 400 (m451DW) in my office on campus. I bought this printer specifically because of its wireless printing capability and I cannot get it to connect to the campus wireless network. Our network on the University of WI requires a NetID (personal ID) and password. The HP utility finds the wireless network but only has a field to enter the password for the wireless network, but not my NetID. So naturally, connection is going to fail. So, not only can I NOT connect to the wireless campus network, I can't use Apple AirPrint for my iPhone or iPad. I've searched all over this and HP's site for a solution and have found nothing. And, it's not like it's possible to call HP for support. Does anyone have anything I can try or a resource to refer to?

    First you do realize that if you do connect your printer to your campus WiFi you now have everyone that can print to it. All they have to do is search for printers, install the drivers and print away on your paper. You need to isolate this printer.
    You can by following here.
    Connect wireless printer anywhere, convert from wired, bypass failed radio, add WPA2 security.
    http://h30434.www3.hp.com/t5/Printer-Networking-and-Wireless/Connect-your-wireless-printer-when-away...
    I worked for HP but now I'm retired!

  • HP Officejet Pro 8600 All in One printer - printing wirelessly from an IPAD

    I'm trying to connect a HP Officejet Pro 8600 to our university campus wireless network for the purposes of printing wirelessly from an IPAD.  The printer finds the wireless network when going through wireless wizard setup but gets a message that the wireless network is using security that is not supported. 
    The campus wireless network uses:
    Security type: WPA2-Enterprise
    Encryption type: AES
    Can anyone tell me if these are supported by this model printer?

    Hey ibebry,
    The printer is designed to be used with WPA2 - Personal and not the Enterprise version.  From the wiki article on WPA encryption:
    WPA-Personal Also referred to as WPA-PSK (Pre-shared key) mode, it is designed for home and small office networks and doesn't require an authentication server. Each wireless network device authenticates with the access point using the same 256-bit key generated from a password or passphrase.
    WPA-Enterprise Also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK). It is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). An Extensible Authentication Protocol (EAP) is used for authentication, which comes in different flavors.
    If the network is using WPA-Enterprise, then most likely the 8600 will not be able to connect.  Hope this helps.
    I am not an HP employee.

  • Mx880 connected to LAN. Cannot access via wireless. ???

    I have an end user on campus who has a Canon MX880 multi-function printer/copier/scanner, etc. I have it configured to a specific IP address, and connected to the college LAN via data cable, data drop. The drop is good, I have tested with a laptop. I manually set the IP4 settings on the MX880, and can ping the printer when connected via ethernet to LAN. As soon as I try to get on the college wireless LAN, I can't ping it. I took another laptop, disconnected the data cable from the printer, plugged it into the laptop, and manually config'd the laptop to the same manual IP4 settings as the printer is set to. This time, from the other laptop, I can ping connected to the printer port wirelessly or when ethernet connected. So there is nothing wrong with the campus wired or wireless network. It's only when I try and ping the MX880, via the campus wireless network, that I have a problem. Again, I have the MX880 ethernet connected to a data drop. I have the LAN settings enabled, and IP4 manually set. I can ping the printer IP address when ethernet connected from somewhere else on the network, but I can't when I'm using the campus wireless network. And again, if I use two laptops, one used in place of the printer, but set to same IP settings, I have no problem pinging the IP address via LAN or campus wireless. Any ideas???

    Most public networks (like the ones on a college campus) have built-in firewalls that prevent communication between devices. They're designed primarily to give a device internet access but not to let 2 devices on the network talk to each other for security purposes (so the guy in the dorm next to you can't hack your computer). Trying to use the printer with a public network probably won't work.

  • Deny specific wireless network

    Is it possible to deny a specific wireless network in OS 10.5.6?
    Our network guys have setup 2 wireless networks. The first is for students/faculty/staff use, and it allows services such as file servers and printing. The second wireless network is for guests, and they can only get on the Internet - no file services, no printing.
    However, we run into a problem when the kids, for one reason or another, jump onto the guest network and in the process hose their 802.1x settings for our campus wireless. It would be nice if I could setup our images to allow them to connect to our campus wireless, while at the same time disabling their ability to connect to the guest wireless.
    Unfortunately, the kids need the ability to join other wireless networks, since they do take these machines home and many of them need to connect to their home wireless networks to do homework.
    Any ideas?
    TIA for any help,
    - Keith

    One possible solution is to create a closed network for the network you don't want students to access. This will require entering the MAC addresses of all of the machines that you wish to grant access to the closed network. Since none of the student machines will be in the list, they will not be able to log into the closed network.
    Because "allowed" machines have a different MAC address for Ethernet and Airport, you may need to enter both MAC addresses for each "allowed" computer, depending on how those computers will access that network.

  • PPPoE on wireless network

    My ISP -- my university -- now requires us to log in using PPPoE in order to join the campus wireless network. However, PPPoE does not appear to be an option for Airport under OS 10.2.8. I set up my newer Mac (running OS 10.4) but can't see how to set up the same thing under OS 10.2.8. Any thoughts?

    Used an ethernet connection instead

  • Time Capsule on Existing Wireless Network

    My niece will be going to college this fall, and her dad bought her a Time Capsule.  Her dorm will already have a wireless network. How can she use the Time Capsule on an existing network and still have some security?

    Using an Ethernet cable, she should connect the Time Capsule directly to the Mac's Ethernet port and backup files that way. The Mac will not be able to connect to the Internet when the Ethernet cable is connected and backups are running.
    If the Time Capsule is configured to "join" the campus wireless network using wireless only.....which is not supported by Apple..... then backups must occur very slowly over that "public" network. Definitely not recommended.
    If it is not too late to return the Time Capsule....there are better, and less expensive options here.

  • Macbook AirPort and Wireless internet

    I was on the college campus wireless in the middle of class when my AirPort connection stopped. I got reconnected to the guest network and had full strength, but Safari would say that I wasn't connected to the internet at all.
    Since it's the campus wireless, I don't know of any way to restart a hub or anything.
    Does anyone know what could have happened and how I can fix it?

    Option click the wireless icon, in upper right menu bar>> open Wireless Diagnostics.

  • How to disable wireless function in HP printers

    We are a campus environment, and have hundreds of HP printers deployed.  All of them are connected to the network via TP cables.  However, their wireless components are still up, and broadcast under SSID hpsetup, which are detected by our new campus wireless network as rogue AP or adhoc.  We want to disable the wireless component inside all HP printers, but find no instructions as to how to get this done in the HP manuals.  Does anyone know how to disable the wireless function in HP printers?  Thanks in advance for your help.

    It varies based on model, but often it is found in: Setup > Network > Wireless Radio on/off
    I am employed by HP

  • Slow wireless with Powerbook, but fine with iBook?!

    I'm currently using a campus wireless net and my Powerbook G4 is really, really, slow but my newer iBook G4 is much faster. When plugged in with an ethernet cable, however, both are equally fast. Does anyone have any idea why this could be so, and how I could go about fixing it? I unfortunately have no details on the wireless net.
    Cheers,
    Dave
    Powerbook G4   Mac OS X (10.3.9)   also iBook G4 10.4.6

    Do the reception levels match? If they don't you will find that the lower the reception the slower the speed. Most wireless software, including the Airport software, steps down the connection speed based on the reception levels to ensure the stability of the signal.

    Thanks. That was exactly the problem. My Powerbook has worse reception than the iBook. Is this a known problem?
    Cheers,
    Dave

  • IPhone and connecting to college campus network!! helppp

    Ok, I have a problem connecting to my college campus' wireless network. We have a few different networks all with security enabled. When I go to click on the network it brings me to a page where I have to choose from DHCP, Static, etc., and I have to enter IPs and a DNS, and more other information.
    When you connect to the networks with a laptop it connects automatically and the internet browser directs you to the school's web page asking for school info such as an email and password and stuff. This doesn't happen with the iPhone; can't even connect to the network itself....anyone having this issue?? Or know how I can fix this? Thanks

    Yeah, I was thinking that, just ask the school or IT dept. I don't think they'll be able to help me with an iPhone and getting onto the network; they'll just be like, I don't know, it's not a regular computer. I guess I'll have to look for the IT department.

  • Self-assigned IP address which is not able to connect to the internet.

    Okay, so my whole issue started around six or more months ago. I have a white MacBook which I have never particularly had any connectivity problems with, at least that were caused by my laptop. I constantly am on the internet at home and have never had issues with wireless connection here. I am a full time student which means I am also constantly on campus with my laptop and needing access to the internet. Even so, there I have never had any issues with connectivity.
    My issue is when I go to another university campus I am unable to connect to the internet. My airport finds the network I want and connects to it but usually within a few seconds the radial bars go a light gray and have an exclamation point through them . When looking under the Airport drop down list it simply says, "Airport has a self-assigned IP address and may not be able to connect to the internet." This particular IP that is not allowing me to access the internet starts off with 169.**.*.**. I would provide the entire IP but as I am not on that campus at the moment, I can't and don't remember it fully.
    I have tried SO many different things in order to find a solution but have come up empty handed every time. I've tried turning off my firewall and all of the steps that resolution includes and have also tried to resolve the issue through the creation of a new location, new network, and the use of network assistant on Airport.
    I know it is not an issue of the university's wireless network because I can easily connect to the internet through my iPod Touch without a password simply by finding the network, connecting, stating I'm a guest, and then agreeing to the terms of use. Same goes for my local campus wireless network on both my iPod Touch and MacBook.
    I am in extreme need of a resolution and would GREATLY appreciate any kind of feedback anyone can give me. If there is any other information you may need to help me out a little more accurately just let me know, I'll be happy to give you whatever I can so that I may figure this annoyance out!

    By the way, totally didn't mean to categorize this under Airport for Windows. This is my first post and OBVIOUSLY I figured out a way to mess it up. My bad. :S
    But again I'd appreciate any help! :]

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure  Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
    2) With Split tunnel with simultaneous access to internal LAN and Outside Internet.
    But I have not been able to make the traditional hairpinning model work in this scenario.
    I followed every possible suggestion made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
    Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No Internet Access:
    LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
    running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does sysopt connection permit-vpn.
    Please tell me what needs to be done here to hairpin all the traffic to the Internet coming from VPN clients.
    That is, I need clients connected via the VPN tunnel, when connecting to the Internet, to have their IPs NAT'ted against the internet2-outside interface address 2.2.2.2, as happens for the campus clients (172.16.0.0/16).
    I'm not very conversant with everything involved here, so please be elaborate in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and it was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. It's working fine now.
    But my problem is not solved fully here.
    Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
    Here the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here, as you can see, is the rule for dynamic NAT that I added to make hairpin work in the first place
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1)LAN behind ASA
    2)INTERNET via HAIRPINNING  
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit

  • [SOLVED] Strange issue with dhcpcd

    Alright, so today when I booted up, I tried to connect to my campus' wireless network using Wicd, but it timed out every time it attempted to obtain an IP. So I ran through my usual steps to get wireless up in the console (ifconfig -> iwconfig -> dhcpcd), but dhcpcd caught SIGHUP as soon as it started running. And that's not even the weirdest part- I now have a process with ID 2309 for dhcpcd that respawns every time `kill -9' is used. Anyone have any idea what's going on? I'm at a total loss here.
    EDIT: Alright, the issue seems to have remedied itself. I'm still not sure what happened but it's working, so I'm gonna flag this as solved for now.
    Last edited by azrael_ (2011-10-11 19:07:47)

    well, that should be titled [Solved?]
    This is what seems to have fixed it for me:
    * log out of kde
    * drop to console as root
    * use bluetoothctl cli to remove the mouse and add it again...
    No idea why this works when you use bluetoothctl and not the kde settings gui (bluedevil), and no idea what was causing the issue in the first place... but happy mouse

  • Apple TV in dorm room

    I live in a college apartment and am thinking about getting an Apple TV so we can watch all of the movies/tv shows that are in my iTunes on our tv. Our campus wireless network does not use a WEP password, but requires a login page to be filled out (much like a hotel, or Panera Bread). Will my Apple TV be able to enter my login info to access the internet? If not, can I sync my iTunes library to my Apple TV without an internet connection? I know I won't be able to rent movies or access youtube, but I will be fine as long as I can transfer movies to the TV.
    This is the University of Miami if anyone is personally familiar

    You should be able to transfer stuff to the AppleTV directly via an ethernet cable, however if you are transferring DRM protected Apple stuff, it will need internet for authorisation transiently.
    AppleTV has no web browser to allow you to enter the passwords in the manner you describe.
    If your computer connects via wireless to the campus network, you may be able to enable internet sharing on its ethernet port, to authorise purchases, but rentals usually need AppleTV connection to the internet for playback so as to record when you started watching the title.
