Separating forwarded traffic from bounce back traffic

Dear All,
iMS sends bounce backs and forwarded email to tcp_local which then routes the email to the configured smarthost. Now because forwarded email is much more important than bounce back messages to fake senders, is it possible to separate them into different channels or at least to different smarthosts?

Marwan,

How will you be able to tell?
If you can't tell, how can the server tell?

Similar Messages

  • Storage 7410 cluster - separating "admin" traffic from "storage" traffic

    Please help me figure out a strategy here. We have a Storage 7410 cluster running in an active/passive mode. On each node, I have cabled nge0 and nge1 each to 100Mbps ports and nxge0 and nxge1 to 10Gbps ports. I have configured nge0 to be the "admin" interface for node 1, and nge1 the same for node 2. I have aggregated nxge0 and nxge1 via LACP and it's currently owned by node 1 (fails over to node 2 nicely). Here's the basic layout:
    Node 1
    nge0 -> active "admin" interface -> ip address 172.16.158.33
    nge1 -> inactive (owned by Node 2) "admin" interface
    nxge0/nxge -> active LACP aggregate "aggr1" -> ip address 172.16.158.32
    Node 2
    nge0 -> inactive (owned by Node 1) "admin" interface
    nge1 -> active "admin" interface -> ip address 172.16.158.41
    nxge0/nxge -> inactive (owned by Node 1) LACP aggregate
    What's confusing me is routing. Right now all interfaces have IPs on the same subnet. I can define a default route for the gateway on that subnet (172.16.158.1) on the "aggr1" LACP, but only Node 1 gets routed. So, I can add two additional default routes to the same gateway, reflecting each of the other NICs (nge0, nge1). But the way I understand it, there's no guarantee that IP traffic that originated on aggr1 will return via that same interface. Or am I mistaken? Essentially, I want to segregate "storage" traffic from "admin" traffic, and I want to make sure that any host connecting to the "storage" IP address takes full advantage of the 10Gbps aggregate.
    Any ideas are welcome.
    Charles

    My assumption above was correct. At some point, traffic was now favored over nge0, so my performance went down from ~200MB/s to about 60MB/s (expected results with Windows VMs on vmware with a NFS datastore). It looks like I may have to abandon the nge ports and lose the LACP (at least until I can get a second nxge NIC in each head). Is that all I can do? Any ideas are appreciated.
    Charles

  • [SOLVED] How to forward lan traffic from router to openvpn client....

    Hi all,
    I have maybe a strange situation. I recently started testing a VPN service on my home network. Ideally I would like most of my home machines to connect through this VPN. I am using it for both privacy and to circumvent geo-restricted sites. I have a router, Asus WL-500gp which is running the Tomato Firmware, and I did first attempt to set up OpenVPN on it which did work but didn't provide very much bandwidth due to probably not having enough processing power to deal with the encryption and the compression involved. I was only able to get about 5Mbit down when normally I get approx 30+ so this was not an acceptable performance hit.
    I then decided to try setting up the VPN on my media server which is running Arch (of course). This was easily accomplished and is working extremely well with approx 25Mbs down. An acceptable performance hit. Now, as it stands only this machine is running through the VPN, the rest of the machines are still connecting to the net normally through the router. Is there a way to have other devices on my LAN also get forwarded through the VPN on my Arch server? I do realize I could run my server as a router but I would rather leave the Tomato router for that as it works well and is easy to set up whereas I suspect it may be complicated to set up on Arch. Is it possible to configure the Tomato to forward certain IPs (my wired network is all static IPs) or even MACs to the media server rather than the ISP? I suspect it can be done with some new routes added in but I am not that familiar with routing tables to figure it out.
    So for example my Tomato router is on IP 192.168.1.1, media server is on 192.168.1.2, xbmc 1 is on 192.168.1.3, xbmc 2 is on 192.168.1.4 etc. So say I would also like to have xbmc 1 and 2 go through the VPN as well. Is there a relatively simple way to accomplish this? I am thinking something along the lines of having the Tomato forward requests from IP 192.168.1.3-192.168.1.4 to 192.168.1.2 (rather than the default gateway), then on the server tell it to forward these requests to tun0 (the VPN's network device).
    Any thoughts? Anyone done something like this?
    Thanks,
    Kevin
    Last edited by ould (2012-12-26 13:29:59)

    Xyne wrote:
    My first thought was to just set the server up as a router, but then I got to the part where you reject the idea. If you change your mind, you may find my recent notes on configuring something similar useful.
    I'm pretty much a networking noob so I may be way off, but I would try the following. Here I'm assuming that the lan and vpn interfaces on the server are eth0 and tun0, respectively. These commands are adapted from the aforementioned notes.
    On the server:
    # Enable IP forwarding.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Allow postrouting to tun0. You may want to use "-s" here to strictly limit forwarding to IPs on your LAN.
    iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
    # Enable forwarding from the LAN to the VPN (and back via related and established connections).
    # Again, you may want to use "-s".
    iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
    iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    After that, I think you just need to set the server as the default gateway on the other machines. I am not familiar with the Tomato firmware, but I would expect there to be some easy way to do it there.
    You probably want the router to return the VPN's DNS servers instead of your ISP's DNS servers if you use DHCP on the LAN.

    Thank you very much! It has been useful for me when I wanna connect my VBox machines to do my lab)

  • How can i configure my iphone to only pass traffic from certain apps over vpn

    I have got a telephony app that connects to a phone system through VPN. When I turn on "send all traffic through vpn", internet and other apps are really slow. Is there a way to configure the phone to send only traffic from the app through VPN?

    Now all my new apps as well as several others are gone from the iPhone.
    Look on other screens. The 4.1 update adds Game Center to the home screen. If that screen was full it creates a blank screen and moves one app from the home screen to the new screen to make room for Game Center. All the other screens are pushed back one place.
    How can I get my apps back? It cost me a lot of time and money to discover those apps and get them onto the phone. Are they just gone now?
    If they are really gone, you can download them again. You will not be charged again if you use the same iTunes account.

  • For my Rapid Video Blogging I would like to bring the traffic from You Tube

    I hear there are sites as complicated and financially up there, Blogcasts, and all kind of sites that I could try to get involved with to have a place where I can try to get the traffic from watching the Video Rapid Blogs. I am not sure of the technology, from simple sites to a full on website. Does anybody have this knowledge so I could get going on getting this set up. I would need some site to bring the traffic to where what I am selling is and hopefully have a good response.
    I am brand new at all of this but I have the academic and practical knowledge-working for years in teaching at the college level in exercise physiology, have gone on to get my registered dietician degree so I left school when I was done, put a small studio together where I worked mostly with medical doctor's referrals since I had been around the rehab docs during my rotation for my exercise physiology degree.
    I love the studio, but all my bad technique when I was young and my sport injuries all hit at once. I developed brain CA, had some chemo and radiation. I had to close the studio but I still have to live so I am thinking this rapid video blogging, put out some 3 minute video blogs supporting my ability to help some people who tried all kinds of weight loss methods, work with the tried and true way but add the psych in that which can help them not expect quick-fixes, not support nutrition bars that do not fit in until they are egged in a exercise program, get rid of all the stuff 24 hour fitness tries to sell them unless they want to know how many steps they take. I could put some 3-4 minute video blogs together bringing the potential customers back to my website or whatever kind of site I would need. I am not up-to-date on all the various sites for stuff like this, but if anybody wants to help me get an awareness of what is out there available to me, I would appreciate if anybody has the knowledge and practice in these areas of websites, blog sites, to help me put some classy, straight to-the-point video info together, I would really appreciate it. I keep reading about blog spots, and all types of things like websites where I could push the traffic from You Tube back to this site for some sales.

    I don't understand anything you said in your post.
    Do you have a specific question about video production?
    The forums are for individual technical or creative issues that users have with video production. I am sure someone will be able to help you, but to get a response it is best to ask a specific question.
    Is this about a technical problem you have or something about setting up a web site? If it's the latter this is the wrong forum.

  • Does WCCP support traffic from different VLANs(mapped to VRFs)?

    Hello,
    I have the following scenario from the WAN to the Data Center and from the WAN to the Branch:
    1. Router 2800/7200 with three (3) MPLS VRFs (VRF Lite)
    2. Switch 3750 with three (3) WAN VLANs (one for each VRF) and three (3) LAN User Traffic VLANs (one for each ASA Context) and one WAE VLAN
    3. WAE with WCCP enabled for one VLAN in the switch
    4. ASA with three (3) Contexts
    5. Three (3) Internal LANs (one for each Context)
    In summary, there are three flows of traffic which are separated along the way from Branch to Data Center. WAEs are working for one VLAN(VRF1) and WCCP is enabled at the 3750 Switch to do the redirection (not in the router). The question is: does WCCP support traffic from different VLANs (similar to inline 802.1Q) and handle all three flows separate? If so, what should the configuration be at the switch and the WAE?
    Thanks.

    The VRF awareness for 12.4(T) is still probably 8-12 months out. VRF aware WCCP features are definitely in the pipeline, but nothing has been publicly published on availability timelines.
    It's now publicly available on the forum... but I've only found it on the 3750 and 3550 documentation.
    At the 3750 you will need to place the redirect statement on each of the VLANs: ip wccp 61 redirect in
    Kindly find here GRE Tunnel with VRF Configuration Example:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
    I have gotten as far as the WAE registering the router:
    "WCCP configuration for TCP Promiscuous service 61 and 62 succeeded.
    WCCP configuration for TCP Promiscuous succeeded.Please remember to
    configure WCCP service 61 and 62 on the corresponding router."
    wae01#sh wccp router
    Router Information for Service: TCP Promiscuous 61
    Routers Configured and Seeing this Wide Area Engine(1)
    Router Id Sent To Recv ID
    0.0.0.0 209.1.1.1 0000022F
    The router registers the WAE as a WCCP client:
    router04#
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 61 acquired on WCCP
    client 209.1.1.2"
    "*Feb 4 18:56:09.892: %WCCP-5-SERVICEFOUND: Service 62 acquired on WCCP
    client 209.1.1.2"
    The router however cannot figure out what its ID is and does not see
    itself as a WCCP group router.
    router04#sh ip wccp
    Global WCCP information:
    Router information:
    Router Identifier: -not yet determined-
    Protocol Version: 2.0
    Service Identifier: 61
    Number of Service Group Clients: 1
    Number of Service Group Routers: 0
    Total Packets s/w Redirected: 0
    Process: 0
    Fast: 0
    CEF: 0
    Redirect access-list: ACCELERATED-TRAFFIC
    Total Packets Denied Redirect: 0
    Total Packets Unassigned: 25957
    Group access-list: -none-
    Total Messages Denied to Group: 0
    Total Authentication failures: 0
    Total Bypassed Packets Received: 0
    This is a short summary of important commands for working with VRF's.
    View the VRF instances and the associated interfaces.
    ml-mr-c6-gs#show ip vrf
    Name       Default RD   Interfaces
    blurvrf    100:2        Vlan215
                            Vlan326
    tgvrf      100:1        Vlan132
                            Vlan325
                            TenGigabitEthernet1/1
    ml-mr-c6-gs#
    Show the routing table for a specific VRF.
    ml-mr-c6-gs#show ip route vrf tgvrf
    Routing Table: tgvrf
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
    D - EIGRP, EX - EIGRP external,
    ---More--
    Gateway of last resort is 128.117.243.57 to network 0.0.0.0
    O E2 192.52.106.0/24 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 192.168.150.0/24 [110/160] via 128.117.243.57, 1d19h, Vlan325
    172.17.0.0/29 is subnetted, 3 subnets
    O E2 172.17.1.16 [110/0] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.8 [110/1] via 128.117.243.57, 1d19h, Vlan325
    O E2 172.17.1.0 [110/1] via 128.117.243.57, 1d19h, Vlan325
    --More--
    Debugging should otherwise be similar to a regular switch or router.
    Final Teragrid VRF Design and Diagrams
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/final.shtml
    Teragrid Testbed Design
    http://www.cisl.ucar.edu/nets/devices/routers/cisco/vrf/testbed.shtml
    Cisco 4500 Series Switch Cisco IOS s/w config guide 12.1(20)EW
    Configuring VRF-Lite
    http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.html
    sachin garg

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

    Hello,
    You need to use (Static route) in both directions: one static in the VRF table pointing to the Global interface, and another one in the Global pointing to the VRF interface for the received traffic. After that, you can redistribute the Global static route into EIGRP for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
    G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
    interface G0/1
    IP address 1.1.1.1 255.255.255.0
    interface G0/2
    ip vrf forwarding X
    ip address 2.2.2.2 255.255.255.0
    Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
    configure this:  (ip route vrf X  y.y.y.y y.y.y.y.y G0/1 Global)
    Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You Can then redistribute the Global static into the Eigrp as below:
    router Eigrp 1
    no auto-summary
    redistribute static metric 1 1 1 1 1
    HTH
    Mohamed

  • Prioritizing traffic from "main" computer on LAN

    My Current Setup
    internet  router (dhcp server)   main computer
    ●──────────────────●────────────(eth1)─●
                       │                   │(eth0)
                       │                   │
                       │      switch       │
                       └─────●─────────────┘
                             │
                             └─● [other computers]
    My main computer is connected to the router via a switch on eth0 and directly via a usb cable on eth1. Other computers on the LAN connect to the router via the switch.
    The Problem
    I need to shape traffic in such a way that priority is given to uploads from the main computer when other computers are uploading.* I do not always have the option of throttling the upload on the other systems and I do not want to impose any arbitrary limits on them. I simply want to make sure that all the necessary bandwidth is given to the main computer and whatever is left over can be used for the other computers.
    NOTE: I cannot shape traffic via the router. My ISP uses crippling firmware and I cannot bypass it.
    The Plan
    The main computer is not always on so I can't configure it to be an integral part of the network. I don't mind having to disconnect and reconnect a cable though so I suspect that I can disconnect the switch from the router and thus shape traffic from the other computers by passing it through the main computer:
    internet  router (dhcp server)   main computer
    ●──────────────────●────────────(eth1)─●
                                           │(eth0)
                                           │
                              switch       │
                             ●─────────────┘
                             │
                             └─● [other computers]
    This is where I need some help. I've looked through a lot of documentation but I'm still not sure how to set this up. I think I need to use proxy ARP (with iproute2) but I'm hoping that someone else can confirm this before I explore it further. I'm afraid that I'll waste time only to find that it was a false start and that I need to do it differently.
    Can anyone with network configuration experience confirm that proxy ARP is the way to go? If not, what do you suggest?
    I would also appreciate any links to relevant tutorials|guides|documentation. I wouldn't mind some simple examples either but I'm not asking anyone to do this for me. I just need to know that I'm on the right path.
    Thanks.
    *I'm only concerned about upload bandwidth right now because I'm on ADSL and download bandwidth is usually not an issue. I also expect that any solution for upload shaping will work for download shaping as well.

    Xyne wrote: I think I need to use proxy ARP (with iproute2) but I'm hoping that someone else can confirm this before I explore it further. I'm afraid that I'll waste time only to find that it was a false start and that I need to do it differently.
    God no.... Proxy ARP is the most god awful creation ever created. The person who thought that was a good idea should be taken out the back and shot.
    You want to create a bridge with eth0 and eth1 = br0 so they both act on the same Layer 2 (ie, your Main computer becomes a 2-port switch). This should get you going, you'll just have to hack out / modify the firewall parts to do the traffic prioritisation stuff:
    http://www.sjdjweis.com/linux/bridging/

  • How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine

    We have a CFTV system running on Win2008R2 that listens on 4 sequential port numbers and the last port is the Web Browser Port number for management and viewing cameras.
    When we configure the port 8077 on the software, it opens 8077, 8078, 8079 and 8080 and works with no problem.
    But...
    When we try to configure ports 77 (and therefore 77, 78, 79 and 80) the application hangs and it seems not to be possible to configure it to use port 80.
    I could confirm that using NETSTAT, and the main CFTV application opens all required ports with no problem, but only works on ports with a different number from "80", which is what I want, to make users more comfortable, avoiding to type ":PORT_NUMBER" after the URL; it will be a more "elegant" solution to use default port 80 for users' connections.
    The question is: How to do a PortForward/Port Proxy? Redirecting traffic from port 8080 to 80 on the SAME machine?
    May I use NETSH? (Based on Help, it can be used to do this, but on different machines, not the same one.)
    Is there a RELIABLE application, running as a service, that can do the port forward/redirect?

    Hi,
    I’m sorry to tell you that we can’t redirect traffic from a port to another port on the same server itself. But we can do it with a router which is configured to port forward.
    By the way, according to your description, another program may use the port 80. Is there an IIS installed on the server? If it is necessary, you can consult your CFTV system vendor.
    Hope this helps.
    Steven Lee
    TechNet Community Support

  • How to redirect Internet traffic from RV082 to RV042 through a VPN Tunnel??

    Fellows,
    We have offices in USA and Venezuela.
    In our USA office we have a RV042 router and in Venezuela we have a RV082 router.
    We have connected a VPN tunnel (gateway-to-gateway) between both offices.
    The point is:
    How could we redirect the internet traffic from our Venezuela office (RV082) to the USA Office (RV042) to navigate using USA public IPs?
    The reason for this is that we need to use online streaming services which are only available for IPs from USA and we can't use them from the Venezuelan IPs.
    We can not use the PPTP option since the equipment which will use the streaming services (like hulu, crackle, etc.) in Venezuela is a Google TV device which doesn't allow the configuration of proxy navigation or PPTP VPN connections itself. That's the reason why we need to do that through the routers.
    We will really appreciate your support on this matter.
    Daniel

    Hi Daniel, this is called ESP wildcard forwarding which the router does support.
    https://supportforums.cisco.com/docs/DOC-12534   <- This is older but applicable
    https://supportforums.cisco.com/message/3766661
    -Tom
    Please mark answered for helpful posts

  • Unable to allow traffic from remote office - Cisco RV220W

    Hi there,
    I have just bought the RV220W Cisco router firewall because my DLINK-1600 got broken and now I am unable to allow access to the machines located behind this router from the machines located at a remote office. Any help would be much appreciated!!
    This is the situation:
    1. Two remote offices A and B connected by a VPN tunnel (this connection is managed by an external provider and it is properly functioning)
    2. IP range A office: 192.168.236.0/24
    3. IP range B office: 192.168.237.0/24
    4. Office A: CISCO RV220W router/firewall (the one that I´ve just bought as the old dlink has broken). This RV220W is connected to a cisco router (managed by provider) that is the one with the VPN tunnel to the other office. The CISCO router does not do NAT. On the other end (Office B) there is another CISCO router managed by the provider.
    5. Everything was working smoothly until our old router/firewall got broken and that is when I bought the rv220w. I have set up the CISCO RV220W at office A and the machines can ping the machines located at office B and can browse the internet, i.e., the traffic going out is OK and in that sense everything works smoothly.
    6. The problem is that the machines located at office B cannot access the machines located behind the CISCO RV220W and I know it is a problem of the firewall as if I capture traffic coming from office B, I can see that it is dropped by the CISCO RV220W.
    7. I have tried to enable an access rule in the firewall to allow traffic from office B (see picture below) but it does not seem to work. In the field, Send to Local Server (DNAT IP) I have entered the WAN IP of my router (you cannot leave it blank) … this rule does not work at all. I think that is not properly configured but I don´t know how to do it.
    8. As you see, the problem is that I don´t know how to set up a rule to allow specific traffic coming from the WAN (traffic from remote office – 192.168.237.0/24) to the LAN at office A - 192.168.236.0/24.
    In the old router/firewall I just had to create a rule specifying the source interface (WAN) and network (Office B) and the destination interface (LANOfficeA) and network (Office A). It does not seem that here I can do the same. I mean, you always have to point to a server IP inside the LAN??
    I know it has to be a very easy thing to do but at this moment I am completely stuck. If anyone can give me some advice, that would be great.
    Thanks a lot for your help in advance!
    Eva

    Hi Eva, the default inbound policy cannot be changed. It will block all inbound traffic. To my knowledge there is not a way around this. Access rules are the only way to 'poke' a hole through the firewall but as you note, it is for a specific host. Values such as .0 and .255 do not work.
    -Tom
    Please mark answered for helpful posts

  • Permit traffic from Inside to Outside, but not Inside to medium security interface

    Can someone just clarify the following. Assume ASA with interfaces as :
    inside (100)   (private ip range 1)
    guest (50)       (private ip range 2)  
    outside (0)      (internet)
    Example requirement is host on inside has http access to host on outside, but it shouldn’t have http access to host on guest – or any future created interfaces (with security between 1-99).
    What’s the best practice way to achieve this?

    Hi,
    The "security-level" alone is ok when you have a very simple setup.
    I would suggest creating ACLs for each interface and use them to control the traffic rather than using the "security-level" alone for that.
    If you want to control traffic from "inside" to any other interfaces (and its networks) I would suggest the following
    Create an "object-group" containing all of the other networks
    Create an ACL for the "inside" interface
    First block all traffic to other networks using the "object-group" created
    After this allow all rest of the traffic
    In the case where you need to allow some traffic to the other networks, insert the rule at the top of the ACL before the rule that blocks all traffic to other networks
    For example a situation where you have interfaces and networks
    WAN
    LAN-1 = 10.10.10.0/24
    LAN-2 = 10.10.20.0/24
    DMZ = 192.168.10.0/24
    GUEST = 192.168.100.0/24
    You could block all traffic from "LAN-1" to any network other than those behind the "WAN" interface with the following configuration.
    object-group network BLOCKED-NETWORKS
    network-object 10.10.20.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.100.0 255.255.255.0
    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
    This should work if your only need is to control the traffic of the interface "LAN-1". If you want to control each interfaces connections to the others then you could do minor additions
    Have all your local networks configured under the "object-group". This way you can use the same "object-group" for each interface ACL
    object-group network BLOCKED-NETWORKS
    network-object 10.10.10.0 255.255.255.0
    network-object 10.10.20.0 255.255.255.0
    network-object 192.168.10.0 255.255.255.0
    network-object 192.168.100.0 255.255.255.0
    access-list LAN-1-IN remark Block Traffic to Other Local Networks
    access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-1-IN remark Allow All Other Traffic
    access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
    access-list LAN-2-IN remark Block Traffic to Other Local Networks
    access-list LAN-2-IN deny ip any object-group BLOCKED-NETWORKS
    access-list LAN-2-IN remark Allow All Other Traffic
    access-list LAN-2-IN permit ip 10.10.20.0 255.255.255.0 any
    access-list DMZ-IN remark Block Traffic to Other Local Networks
    access-list DMZ-IN deny ip any object-group BLOCKED-NETWORKS
    access-list DMZ-IN remark Allow All Other Traffic
    access-list DMZ-IN permit ip 192.168.10.0 255.255.255.0 any
    access-list GUEST-IN remark Block Traffic to Other Local Networks
    access-list GUEST-IN deny ip any object-group BLOCKED-NETWORKS
    access-list GUEST-IN remark Allow All Other Traffic
    access-list GUEST-IN permit ip 192.168.100.0 255.255.255.0 any
    Then you could basically use the same type of ACLs in each interface. (Though still separate ACLs for each interface) And as I said if you need to open something between local networks then insert the correct "permit" rule at the top of the ACL.
    Hope this helps
    - Jouni
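
The ordering rule in the answer above (block the local networks first, allow the rest, put exceptions at the top) as an added Python model; it is not code from the thread or from Cisco. It parses only the ACL syntax quoted in the answer, and the DMZ host 192.168.10.25, port 443 and the `line 1` insertion are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text copied from the answer above (shared object-group variant, LAN-1 only).
CONFIG = """\
object-group network BLOCKED-NETWORKS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.100.0 255.255.255.0
access-list LAN-1-IN remark Block Traffic to Other Local Networks
access-list LAN-1-IN deny ip any object-group BLOCKED-NETWORKS
access-list LAN-1-IN remark Allow All Other Traffic
access-list LAN-1-IN permit ip 10.10.10.0 255.255.255.0 any
"""
# Constructed exception (not from the page): LAN-1 may reach one DMZ host on TCP/443.
EXCEPTION = "permit tcp 10.10.10.0 255.255.255.0 host 192.168.10.25 eq 443\n"
APPENDED = CONFIG + "access-list LAN-1-IN " + EXCEPTION          # lands last
AT_TOP = CONFIG + "access-list LAN-1-IN line 1 " + EXCEPTION     # lands first


@dataclass
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: list             # source networks
    dst: list             # destination networks
    port: Optional[int]   # destination port from "eq N", None = any port


def _addr(tok, groups):
    """Consume one address spec: any | host A | object-group G | NET MASK."""
    head = tok.pop(0)
    if head == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if head == "host":
        return [ipaddress.ip_network(tok.pop(0) + "/32")]
    if head == "object-group":
        return groups[tok.pop(0)]
    return [ipaddress.ip_network(f"{head}/{tok.pop(0)}")]


def parse(config):
    """Return {acl_name: [Rule, ...]} for the subset of syntax used above."""
    groups, acls, group = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            group = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"]:
            group.append(ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
        elif tok[:1] == ["access-list"]:
            name, rest, pos = tok[1], tok[2:], None
            if rest[0] == "line":          # "line N" inserts at position N
                pos, rest = int(rest[1]) - 1, rest[2:]
            if rest[0] == "remark":        # remarks are not modelled as entries
                continue
            action, proto, rest = rest[0], rest[1], rest[2:]
            src, dst = _addr(rest, groups), _addr(rest, groups)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            acl = acls.setdefault(name, [])
            acl.insert(len(acl) if pos is None else pos,
                       Rule(action, proto, src, dst, port))
    return acls


def evaluate(acl, src, dst, proto="tcp", port=None):
    """First matching entry decides; return (action, 1-based entry number)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, r in enumerate(acl, 1):
        if r.proto not in ("ip", proto) or (r.port is not None and r.port != port):
            continue
        if any(s in net for net in r.src) and any(d in net for net in r.dst):
            return r.action, n
    return "deny", None   # implicit deny that ends every ACL


def shadowed(acl):
    """List (entry, earlier_entry) pairs where the later entry can never match."""
    def covers(outer, inner):
        return all(any(i.subnet_of(o) for o in outer) for i in inner)
    hits = []
    for j, r in enumerate(acl):
        for i, e in enumerate(acl[:j]):
            if (e.proto in ("ip", r.proto) and e.port in (None, r.port)
                    and covers(e.src, r.src) and covers(e.dst, r.dst)):
                hits.append((j + 1, i + 1))
                break
    return hits


if __name__ == "__main__":
    for label, cfg in (("page", CONFIG), ("appended", APPENDED), ("line 1", AT_TOP)):
        acl = parse(cfg)["LAN-1-IN"]
        print(label,
              evaluate(acl, "10.10.10.5", "192.168.10.25", "tcp", 443),
              evaluate(acl, "10.10.10.5", "192.168.100.7", "tcp", 80),
              evaluate(acl, "10.10.10.5", "203.0.113.10", "tcp", 80),
              "shadowed:", shadowed(acl))
```

Appending the exception leaves it shadowed by the deny entry, while inserting it at `line 1` lets only that one flow through. On the ASA an ACL filters nothing until it is bound to its interface with `access-group`, which the configuration in the answer does not show.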

  • Possible to allow any traffic from a certain IP?

    Basic question:
    I'm using Snow Leopard and want to be able to allow any incoming traffic from a certain IP. I'm not concerned about what ports because it's a local device (PS3) behind the router. Is there a way to accomplish this without resorting to ipfw?
    Additional info:
    I have tried to add the PS3 Media Server program to the firewall list but even though it's set to allow, the firewall blocks incoming connections for it. I confirmed this through the console logs. I think it's something to do with being a Java based program.
    Console:
    8/29/09 3:37:59 PM 0x0-0x85085.PS3 Media Server1106 main TRACE 15:37:59.547 Created socket: /10.0.1.2:5001
    8/29/09 3:37:59 PM Firewall1028 JavaApplicationS is listening from 10.0.1.2:5001 proto=6
    8/29/09 3:38:04 PM Firewall1028 Deny JavaApplicationS connecting from 10.0.1.3:50680 to port 5001 proto=6

    Don't know anything about the topic, but this might help.
    http://forums.macrumors.com/showthread.php?t=774875

  • Unexplained bounce backs from Ironport

    We have a C10 device and last week we received instant bounce backs from the Ironport when trying to send to several different external email addresses at different domains.
    The bounce backs were being generated by our internal Ironport itself instead of the destination email server so it is as if the email never left our company.
    After several days and no configuration changes on the Ironport I sent several test emails to these external domains. They are being received okay without any problems. Can anyone explain what is going on here and how the problem rectified itself?
    Thanks for your help!

    What may be happening:
    It could be that your mailserver (e.g. Exchange) handed the mail off to the Ironport appliance, which took responsibility for the message. Then, after any last outbound scanning and appending disclaimers, the Ironport appliance did an MX lookup to deliver the message and then upon trying to deliver the message to the appropriate destination, the Ironport MTA received an SMTP 5## error code.
    Upon receiving the SMTP 5## error code, the Ironport appliance will consider this undeliverable to the destination and then turn around and bounce it back to the original sender, which may be what you're observing.
    Where to go from here:
    It would be useful if you still have those bounce messages that were generated by the Ironport appliance. You can look up the original sender and intended recipient or subject line through the mail logs and find the corresponding timeframe when the Ironport MTA tried to establish a connection to the destination host. This will show up as an ICID event where the Ironport tried to connect to the destination host. I'm surprised that the bounce message didn't provide some info on the cause of the bounce.
    References:
    1. findevent is a good tool on the command line that you can use to search for messages.
    How can I determine the disposition of a message using the mail logs?
    http://tinyurl.com/jb7z4

  • Can't copy files from desktop to external hard drive, it just bounces back?

    Hello!
    I can't just drop and drag any files from my MacBook Pro desktop into my hard drive icon, they just bounce back. But it will work in Windows VM, any idea how I can get it to work on Mac?
    Thanks

    Found it through the Apple site.
    Very helpful.
    Thanks guys
