"Splitting A Domain"
I have a question about e-mail that I am hoping someone might be able to help with or point me in the right direction.
I have a client with a domain name of example.com. The ISP concerned currently provides an SMTP feed for all the mail addressed to this domain on an SDSL line to an Xserve running Mac OS X Server with a public IP address of xxx.xxx.xxx.xxx which is the head office - lets call this location A. This office has a total of 120 employees; they also have two other satellite offices (lets call them locations B & C) with their own Xserves each with external IP addresses of yyy.yyy.yyy.yyy and zzz.zzz.zzz.zzz respectively and each office has between 30 and 40 staff and an ADSL internet connection. The mail server at location A currently handles mail for all 3 locations and staff at location B connect via a VPN to pick up and send their mail whilst staff at location C are connected via a 2mb lease line.
All users send and receive quite a lot of mail and send a large number of pretty big attatchments, which at times causes the existing mail server at location A, at best to slow down and sometimes even appear to stall.
What I would like to do to overcome this is rather than have 1 mail server handling all mail, would be for location B and C to have there own server but using the same domain. So, if mail is delivered by the ISP, if the user works at location A, ([email protected]) the server at A will handle the mail for that user, but if mail comes in for [email protected], the server at location B will handle the mail. Obviously the same would apply for location C. Users at each location would use their own smtp server for mail.
I think what I'm asking about is 'splitting a domain', but I'm wondering whether anybody has any experience of doing this with Mac OS X Server and if so, how this could be achieved.
Thanks
Paul
PowerBook G4 17" Mac OS X (10.4.10)
This approach adds complexity, when it may be better to streamline.
You should determine why your server is slowing to a crawl..
Most likely, it's your content filter.
There are many ways to streamline a config. If, as an example, you see that amavis/clamav is the largest cpu hog, and 50% of your email is internal- you could disable the content filter for internal mail.
Another example, if you don't have proper restrictions in place for incoming mail, you are forcing your mail server to do (potentially) double the load vs using postfix to block unwanted mail before amavis/clamav.
My opinion.. you need to analyze and understand where your bottlenecks are. A few config changes should be all you need.
Start with pterobyte's tutorial on frontline defense
http://osx.topicdesk.com
Jeff
Similar Messages
-
Domain Splitting and iDisk issues
First, my apologies if my question has been answered previously. I did search the forums, but didn't find anything promising.
I have split my large domain.sites file into four separate domain.sites file, following the guidance of folks on this forum. Each domain.sites file contains two sites; a one-page "index" site with links to all my sites and one of my "real" sites. (the index site has a slightly different name in each domain.sites file so I don't ovewrite).
But now I'm having a dickens of a time keeping all the sites online at the same time. I did some searching in these forums and discovered that I have to do two rounds of "publish all." Since these were existing files, the first time I told one domain file to "publish all," it erased the sites I had deleted from that file. After the second round of publishing, the sites have all come back (except for my biggest one, which I haven't published a second time; I'll do that overnight).
It looked like I have everything working...until I synced my iDisk. Then one of my sites disappeared again! Plus, some of my sites that I can access on-line don't show up on my iDisk.
I typically leave my iDisk mounted on my desktop. Do I need to change this if I'm working with multiple domain.sites files?
Thanks for any help you can provide!Thanks to both of you for your help. I after one last publish last night, I got all my sites on line.
Syncing my iDisk didn't work as well, though. Somehow I ended up with two copies of my iDisk on my desktop: one with the typical globe icon and another with a generic "drive" icon. The globe one was supposedly the current one, saying it had sinced this morning, but it only had some of my sites on it. (Oddly enough, it had each of the index sites, from all four domain.sites files, but not all the "real" sites from those files) The plain "drive" icon idisk had all the files on it. I couldn't get rid of either of them without restarting. But restarting seemed to set things to rights.
I've taken Varkgirl's advice and don't have my iDisk on my desktop. I didn't really access it much anyway.
Would it be of benefit to others for me to spell out the steps I took to split my domains and have a site index always show up as the site for the short url? I'd adjust it with some of the things I've learned in the process. I know there are good instructions for domain splitting in this forum already, but I don't know that my approach to a sites index with multiple domains has appeared on the forums before. -
I have split my domains and decided to publish one. Well everytime I publish one.....the rest go away. I get 404 error on the web.
The files are also gone from iDisk.
Yesterday someone posted about this:
http://discussions.apple.com/message.jspa?messageID=2541090#2541090
But....ugh.....I don't know what they are talking about. What I really mean is it is above my head. Can anyone condense this and tell me what I am supposed to do to correct this.
Sorry that I have to be spoon fed here, but I want to learn to fix this.
iBook G4 Mac OS X (10.4.6) http://www.the-camera-obscura.comOkay......I tried this.....here is what happened:
I have two domain files.
When I renamed the sites within both domain files that I have, and then I published all to .mac, everything came back w/ new names. I could see all online.
Then I went back and changed the sites to their original names and I published one site in a domain and it didn't come back......
Then I did the same w/ the other, and the sites within that domain DID come back.
But the first one I published never did.....it is a single site in that I splitted from the original domain.
Any suggestions? My other question is......does this workaround need to be done each time I update? Or is it some kinda glitch that will occur sometimes?
iBook G4 Mac OS X (10.4.6) http://www.the-camera-obscura.com -
Jabber and Multiple DNS Domains
have a customer that is running into some "minor" issues in getting Jabber to work well on their mobile devices.
The issues revolves around I think a DNS issue in that their Internet domain is "mycomp.com" while inside they are "corp.mycomp.local"
Am I correct in that this is easily fixed for the expressway-E and expressway-C is to have the following setup:
On the External DNS server
_collab-edge.tls.mycomp.com => expresswaye.mycomp.com
On the Internal DNS server:
_cisco-uds._tcp.mycomp.com => cucm1.corp.mycorp.local
_cisco-uds._tcp.corp.mycomp.local => cucm1.corp.mycomp.local
If the Expressways are configured correctly, then this should work and the credentials for the users should be the same instde and out, OR am I missing something?
ThanksHi Richard,
Please check the following links
https://ciscocollab.wordpress.com/2014/07/23/collaboration-edge-mra-with-split-dns-domains/
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_7/CJAB_BK_C606D8A9_00_cisco-jabber-dns-configuration-guide/CJAB_BK_C606D8A9_00_cisco-jabber-dns-configuration-guide_chapter_010.html#CJAB_TK_D380F2C5_00
HTH
Manish -
"short" urls and multiple domain files
In http://discussions.apple.com/thread.jspa?threadID=655367&tstart=0,
Apnewbie said:
"If you have separate sites with separate Domain files and published separately to .Mac, they will be listed on your iDisk in alphabetical order and your short .Mac url will point to the one at the top of the list on the iDisk."
I'm thinking about splitting my domain file, as my sites are growing large and it is time consuming for iWeb to recreate all the pages when I've only changed one site. I'd like to keep a particular "site" (consisting of one page with links to my other "real" sites) at the top of the list so it is always what appears when folks go to my short url. Are than any non-alphanumeric characters that I can use at the begin that won't cause problems for browsers?
Does this mean that if my preferred "top site" is in domain file A and I publish domain file B after I've published domain A, the "top site" will still be the site at the short url?
Also, can somebody please remind me again how to use a link in the forums here but have text other than the full url show up? I think I've done it before, but I've forgotten.
iBook G4 14 in Mac OS X (10.4.7) iMac 400 MHz G3 OS 9.2.2Apnewbie said:
"If you have separate sites with separate Domain
files and published separately to .Mac, they will be
listed on your iDisk in alphabetical order and your
short .Mac url will point to the one at the top of
the list on the iDisk."
I spoke too soon on this and a correction is needed. When you publish to .Mac using individual Domain files, your short url will point to the most recently published index.html file, which will then take you to your most recently published site. I tested this just prior to that last statement in that post and my browser cache tripped me up here.
I'm thinking about splitting my domain file, as my
sites are growing large and it is time consuming for
iWeb to recreate all the pages when I've only changed
one site. I'd like to keep a particular "site"
(consisting of one page with links to my other "real"
sites) at the top of the list so it is always what
appears when folks go to my short url. Are than any
non-alphanumeric characters that I can use at the
begin that won't cause problems for browsers?
I don't think that's necessary; you can keep a copy of the index.html file which points to your preferred site and place it back on your iDisk after publishing any site to force your short url to point to the site of your choice.
Does this mean that if my preferred "top site" is in
domain file A and I publish domain file B
after I've published domain A, the "top site"
will still be the site at the short url?
Again, the short url will point to the most recently published index.html file in .Mac. Sorry for the confusion. -
Splitting Application into separate projects
I'd tried to split my domain layer (annotated EJB3) into separate project, from my service layer (EJB3 session beans) - that used to run together happily but I got the following error against each entity.
Exception [TOPLINK-198] (Oracle TopLink - 10g Release 3 (10.1.3.0.0) (Build 060118)): oracle.toplink.exceptions.DescriptorException
Exception Description: In order to use ObjectChangeTrackingPolicy or AttributeChangeTrackingPolicy, class com.davinci.capital.domain.tran.Tran has to implement ChangeTracker interface.
Descriptor: RelationalDescriptor(com.davinci.capital.domain.tran.Tran --> [DatabaseTable(TRAN)])
When I put the projects back together I still got the problem. I think it might be related to the enhancement process and somehow picking the un-enhanced code.
Is there someway to 'reset' a project/application? I tried removing the project (and leaving the source) and then creating a new one with the source still in place, but the error remains.
Any ideas?
Thanks
Michael
Message was edited by:
mmcgovernSomewhat answered this myself.
Appears that I had some unenhanced domain class files lying around in the DAO layer - these where getting picked up instead of the enhanced ones.
However it appears I there is a problem having EJBs spread around different projects within the application. The above problem appears to be related to having two-way dependencies so I get two copies of classes file created - and it picks up the unenhanced one.
The real problem is that I can't have EJB's in multiple projects - its appears to only create an ejb-jar.xml for EJBs in the "target" project (embedded OC4J) - the EJB's in the related projects are ignored.
If could split EJBs into projects then I would not have two-way dependencies and the original problem goes away.
Any ideas?
null -
Personal domain for one site but not another
Hope someone can help. I have my family site set up through iWeb on Mobile me. I would like to create a "new" site that would be for a group I am involved in and for which I have obtained a personal domain name. I would like to know if the personal domain name can be used for the "new" site and not for my family site. I have tried to "add new site", put in the personal domain name, but then when I look at the bottom of the screen it shows my mobileme account name and then in parens it shows the personal domain name on both my family site and the "new" site.
Hope someone knows something about this! Thanks!Yes, you can change the URL for the domain name. I suggest you split the domain file. I use iWebSites to manage multiple sites.. It lets me create multiple sites and multiple domain files.
If you have multiple sites in one domain file here's the workflow I used to split them into individual site files with iWebSites. Be sure to make a backup copy of your original Domain.sites files before starting the splitting process.
This lets me edit several sites and only republish the one I want.
Once you get the two sites published separately you should be able to go in and change the CNAME to the URL of the site you want.
OT -
There has been many post regarding domain.sites splitting and how to handle multi-domain.
First you need to split your domain.sites package, with courtesy of Mark:
http://web.mac.com/mark8heaton/iWeb/DomainSeparation/SiteSeparation.html
What about handling multi-domain?
Make a master folder, and make sub-folders within this master folder to keep (split) domain.sites, then place the master folder in your Dock, ie:
http://www.geocities.com/[email protected]/images/domains.jpg
You can access your domain.sites at any time from the Dock.
What about making new domain.sites?
You can force iweb to create new domain.sites with shell script (Unix) or AppleScript - notice second item in domains.jpg.
_New Domain script forces iweb to create new domain.sites package - in your specify folder, as in this dialog box:
http://www.geocities.com/[email protected]/images/newDomain.jpg
There is no need for third-party application. Everything you see/need is free and is bundled in every mac.Vark,
Weird as heck, but it does happen.
I've had it happen to me a few times and I've had a
number of emails from others that have experienced
the same thing; enough to make me warn everyone
about it.
Funny, when I try to replicate the problem I'm unable
to; seems to strike at random.
Weird stuff!!! I believe it, just think it is extremely bizarre. -
Build recipe for dual I/O domains
Hello
I have 2 T4's each with 2 PCI buses. I want to build it with 2 separate I/O domains and each one feeds a path of SAN disk to the guest LDoms. I have assigned one bus to each domain but can't seem to get vdisk services to work with mpathing. What I have now is not working and would like a clear idea of how I should put one of these systems together.
I've seen lots of recipes for basic LDom guests which is fine. But nothing for a dual I/O domain setup.
Many thanksHi there.
http://seriousbirder.com/blogs/solaris-ldom-split-io-domain-configuration-example
I used this one, and it worked perfectly. It is an exampel for a T4.
Cheers -
Publishiing iWeb created pages to other domains
Is there a way to upload iWeb created pages to other domains besides .mac.
ThanksThank you both for the replies. I went further into the archives and saw a post about splitting the domain. Does this apply to my problem? http://discussions.apple.com/thread.jspa?threadID=552258&tstart=0
I want to take this very slowly as I lost a lot of albums from my Homepage way back when there was a large glitch it the system. I don't want to have to recreate sites so need to be sure of what I am doing, step by step.
Thanks
Jill -
How can I split an oversize site?
Like many novice uses, my first attempt at a website turned out far too large -- too many large photo files that I later resized, but stil have the original 25MB files in the site folder -- judging from comments on this forum.
I'd like to split my site into several smaller sites, which can later be linked together. But I find no way to save more than one version at a time on my computer. That is, there is no "Save As" option that would allow me to copy each webpage or group of pages into a separate file. (Ideally, my home page would be a separate file on the web that would then link to each of the other pages. The only way to reduce size of the website file seems to be throwing away weeks of work, then rebuilding all the separate pages almost from scratch.
Yes, I have published to a folder. But I don't think the published files can be edited again.
Any suggestions?
G6 866 Mac OS X (10.4.6)Dear VarkGirl,
Thanks. I've done that. When I publish to a folder,
each site (website1 and website2) comes out as a
separate sub-folder. Website1 has the name
"website1" whereas website2 has a long number code
for a name.
If you are still getting long code numbers for names, it sounds like you have not updated to 1.1.1.
I can drag and drop easily between the websites when
I'm in iWeb, and I can of course edit each page in
that context.
But when I publish to a folder, it publishes both
sites together, covered by a single index. If I
remove some files from either subfolder, won't that
throw off the index and make the system go haywire?
You can upload just one site to your ftp server. Instead of uploading index.html and all the many folders, just upload the CONTENTS of the ONE folder for the site you want to upload. It has its own index.html so it will still work. In other words, visiting www.yourdomain.com/index.html will forward you to the main page of the SITE you uploaded. Whereas before, www.yourdomain.com/index.html would forward you to www.yourdomain.com/SITEONENAME/index.html which would then forward you to www.yourdomain.com/SITEONENAME/toppagename.html
Does this make sense?
More basically, how can I take the files in my folder
and open them up so I can edit them? Put
differently, if I erase a file F from either website,
where can i store F until it is needed again?
Don't erase them from iWeb!!! You will never be able to edit them again!
If you use the upload method I have outlined above, you could upload only the site with the pages you want online, and discard the other site's pages, which would be all the pages you moved to a separate site.
OR you could split your domain file. Search on here for "domain splitting" for more info.
Put differently, how can I select X files from iweb
and select those to be published to a folder or to
the web?
See above
My modem is super slow dialup (24 baud, max) that I
could never upload my site from here. I'll have to
find a neighbor with a DSL modem and ask him to
upload it for me. The only aternative would be to
upload it from here 1 Page at a time -- a 30+hr
process.
Any suggestions?
I recommend Transmit for FTP uploading www.panic.com
Can't help with your speed problem though, sorry. -
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
endHi,
I didnt see anything marked with red in the above? (Atleast when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
ASA 5520 site-to-site VPN question
Hello,
We have a Cisco 5520 ASA 8.2(1) connected to a Cisco RVS4000 router via an IPsec Site-to-Site VPN. The RVS4000 is located at a branch office. The tunnel works beautifully. When computers at the remote site are turned on the tunnel is established, and data is transferred back and forth.
The only issue I'm having is being able to Remote Desktop to the branch office computers, or ping for that matter. I can ping and Remote Desktop from the branch office computers to computers at the main site where the ASA is located.
After doing some research, I came across the this command;
sysopt connection permit-vpn
I haven't tried entering the command yet, but was wondering if this is something that I can try initially to see it it resolves the problem.
Thanks,
JohnWhat are your configs and network diagrams at each location? What are you doing for DNS? I can help quicker with that info. Also, here are some basic site to site VPN examples if it helps.
hostname cisco
domain-name cisco.com
enable password XXXXXXXX encrypted
passwd XXXXXXXXXXX encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address XXX.XXX.XXX.XXX 255.255.255.248
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.0.0.2 255.255.255.0
interface Ethernet0/2
nameif backup
security-level 0
no ip address
interface Ethernet0/3
nameif outsidetwo
security-level 0
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
dns server-group DefaultDNS
domain-name cisco.com
same-security-traffic permit intra-interface
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list XXX extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list XXX extended permit ip 10.90.238.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.4.0 255.255.255.0
access-list nonat extended permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
access-list nonat extended permit ip 10.0.10.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.2.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list nonat extended permit ip 10.0.4.0 255.255.255.0 10.90.238.0 255.255.255.0
access-list split standard permit 10.0.0.0 255.255.255.0
access-list split standard permit 10.90.238.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered errors
logging trap notifications
logging asdm informational
logging class vpn buffered debugging
mtu outside 1500
mtu inside 1500
mtu backup 1500
mtu outsidetwo 1500
mtu management 1500
ip local pool vpnpool 10.0.10.100-10.0.10.200
ip audit name Inbound-Attack attack action alarm drop
ip audit name Inbound-Info info action alarm
ip audit interface outside Inbound-Info
ip audit interface outside Inbound-Attack
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address XXX
crypto map outside_map 1 set peer XXX.XXX.XXX.XXX
crypto map outside_map 1 set transform-set myset
crypto map outside_map 1 set security-association lifetime seconds 28800
crypto map outside_map 1 set security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address XXX2
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set transform-set myset
crypto map outside_map 2 set security-association lifetime seconds 28800
crypto map outside_map 2 set security-association lifetime kilobytes 4608000
crypto map outside_map 3 match address XXX3
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer XXX.XXX.XXX.XXX
crypto map outside_map 3 set transform-set myset
crypto map outside_map 3 set security-association lifetime seconds 28800
crypto map outside_map 3 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
management-access inside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy XXXgroup internal
group-policy XXXgroup attributes
dns-server value XXX.XXX.XXX.XXX
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value domain.local
username XXX24 password XXXX encrypted privilege 15
username admin password XXXX encrypted
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXXgroup type remote-access
tunnel-group XXXgroup general-attributes
address-pool vpnpool
default-group-policy rccgroup
tunnel-group XXXgroup ipsec-attributes
pre-shared-key XXXXXXXXXX
isakmp ikev1-user-authentication none
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
pre-shared-key XXXXXXXXXX
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily -
Need help with ASA 5512 and SQL port between DMZ and inside
Hello everyone,
Inside is on gigabitEthernet0/1 ip 192.9.200.254
I have a dmz on gigabitEthernet2 ip 192.168.100.254
I need to pass port 443 from outside to dmz ip 192.168.100.80 and open port 1433 from 192.168.100.80 to the inside network.
I believe this will work for port 443:
object network dmz
subnet 192.168.100.0 255.255.255.0
object network webserver
host 192.168.100.80
object network webserver
nat (dmz,outside) static interface service tcp 443 443
access-list Outside_access_in extended permit tcp any object webserver eq 443
access-group Outside_access_in in interface Outside
However...How would I open only port 1433 from dmz to inside?
At the bottom of this message is my config if it helps.
Thanks,
John Clausen
Config:
: Saved
ASA Version 9.1(2)
hostname ciscoasa-gcs
domain-name router.local
enable password f4yhsdf.4sadf977 encrypted
passwd f4yhsdf.4sadf977 encrypted
names
ip local pool vpnpool 192.168.201.10-192.168.201.50
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 123.222.222.212 255.255.255.224
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.9.200.254 255.255.255.0
interface GigabitEthernet0/2
nameif dmz
security-level 100
ip address 192.168.100.254 255.255.255.0
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name router.local
object network inside-subnet
subnet 192.9.200.0 255.255.255.0
object network netmotion
host 192.9.200.6
object network inside-network
subnet 192.9.200.0 255.255.255.0
object network vpnpool
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.168.201.0_26
subnet 192.168.201.0 255.255.255.192
object network NETWORK_OBJ_192.9.200.0_24
subnet 192.9.200.0 255.255.255.0
access-list outside_access_in extended permit icmp any4 any4 log disable
access-list Outside_access_in extended permit udp any object netmotion eq 5020
access-list split standard permit 192.9.200.0 255.255.255.0
access-list VPNT_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static inside-network inside-network destination static vpnpool vpnpool
nat (inside,outside) source static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24 destination static NETWORK_OBJ_192.168.201.0_26 NETWORK_OBJ_192.168.201.0_26 no-proxy-arp route-lookup
object network netmotion
nat (inside,outside) static interface service udp 5020 5020
nat (inside,outside) after-auto source dynamic any interface
access-group Outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 123.222.222.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.9.200.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.9.200.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 2 regex "Windows NT"
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3 regex "Intel Mac OS X"
anyconnect enable
tunnel-group-list enable
group-policy SSLVPN internal
group-policy SSLVPN attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
default-domain value router.local
group-policy VPNT internal
group-policy VPNT attributes
dns-server value 192.9.200.13
vpn-tunnel-protocol ikev1 l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPNT_splitTunnelAcl
default-domain value router.local
username grimesvpn password 7.wersfhyt encrypted
username grimesvpn attributes
service-type remote-access
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool vpnpool
default-group-policy SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
tunnel-group VPNT type remote-access
tunnel-group VPNT general-attributes
address-pool vpnpool
default-group-policy VPNT
tunnel-group VPNT ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:36271b5a1b9382621e14c3aa635e2fbb
: endHi Vibor. Apologies if my comment was misunderstood. What I meant to say was that the security level of the dmz interface should probably be less than 100.
And therefore traffic could be controlled between DMZ and inside networks.
As per thr security level on the DMZ interface. ....... that command is correct. :-) -
How can i use iweb to work on both of my .mac accounts?
I have 2 seprate .mac accounts, one is for my personal, other is more work based.
How can I create on both with the same computer?
I have created a different user on my mac, and then logged in on that name , which has worked, however I would like to know if there is a easier /shorter way to accomplish this .
Thanksyou need to split your domains for that. see these links:
http://web.mac.com/varkgirl/iWeb/iWebFAQ/FAQ%20Home/9EC95C22-8561-4ED7-AC73-571D 97E7FF8F.html
http://web.mac.com/will.englefield/iWeb/WillG4PB/2Sites1Mac.html
max
Maybe you are looking for
-
Can't set email reminders in iCal
All of the sudden I am no longer able to set up email alarms. I am not sure what changed but I am told "You must add your own card and email address in Address Book to be able to use mail alarms." I go to the Address Book and select the card with my
-
Creating Smaller Sized PDFs from FM10
Hello, I have Tech Comm Suite 3 (FM10, Acrobat X) and using Windows XP. Can I create a PDF out of FM and have it open in Acrobat 7 and later? I know I can manually select that in Acrobat after the document is created (Save As-->Reduced File Size), bu
-
I'm trying to set up a branch office VPN. I'm using a PIX-506e, my peer is a PIX-515. I've attached my (sanitized) configuration, and there's an equivalent one in the 515. Network setup: BO1 Inside: 192.168.0.0 BO2 Inside: 130.45.14.0 We cannot estab
-
FDERecovery Agent, what is it?
Hello. I am seeing a message in Console that is new to me (OSX 10.8.4). I Goggled it, but it does not seem to native to Macs. Anyone have an idea what FDERecovery Agent is? Gave me this message: 7/25/13 4:37:19.667 PM FDERecoveryAgent[81]: No re
-
Updating to iOS 5.1 actually made my verizon iPhone battery worse!?
I kept everything the same ( auto brightness, close apps, location services, etc) My battery use to be amazing! After heavy use all day I would still have like 50% left! Now since updating the software to iOS 5.1 within 6 hours I was at like 40%! I a