SSH in LAN
Hello,
I have an issue with MacOSX and ssh. Here is my setup:
Server: MacOSX 10.4.11
Client: MacOSX 10.6.4
When trying to connect to server I get a connection closed if I'm inside the LAN. However, from outside, I get to connect to my server (using port forwarding).
If I try to connect with the IP address, I get "Connection closed by IP address" (IPv4)
However, if I try to connect with hostname, I get "Connection closed by IP address" (IPv6 address)
Any ideas why I can connect from outside and not from the LAN?
I have tried disabling firewalls on both sides, this didn't help.
Note: I have changed the default port in /etc/services, I doubt this changes anything
Thank you for the help
OK, thanks for the help. I had tried that, but hadn't had all the output. However, something else interesting came up.
If, while connecting, I change my location in the network settings, the renewal of my IP allows me to connect to the machine.
So it comes from the client. Moreover, I have been able to connect with another mac.
Here is the output with the -v flag:
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug1: Applying options for *
debug1: Connecting to PowerMacG4.local [IPv6Address] port xxxx.
debug1: Connection established.
debug1: identity file /Users/name/.ssh/identity type -1
debug1: identity file /Users/name/.ssh/id_rsa type 1
debug1: identity file /Users/name/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[powermacg4.local]:xxxx' is known and matches the RSA host key.
debug1: Found key in /Users/name/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/name/.ssh/identity
debug1: Offering public key: /Users/name/.ssh/id_rsa
Connection closed by IPv6Address
Similar Messages
[solved] Troubleshoot ssh with keys (works from LAN, not WAN)
I'm trying to set up ssh so that I can connect to my work computer from home. It is pretty much essential that I keep the work box as secure as possible at all times. (So I can't disable the firewall, come home and test it because IT would not be at all happy.)
I'm not sure if this is an Arch question, a Fedora question or a general Linux/networking question.
The work box is running Fedora 17. It has a firewall eerily like the "simple stateful firewall" described on Arch's wiki. It is running sshd. Public key authentication is enabled. No other form of authentication is enabled. It has a rule allowing ssh connections.
My laptop is running Arch. It has a firewall very like that described on the "simple stateful firewall" page. It has a couple of rules allowing stuff I need at home (printer and something I had to enable for the LAN).
Initially, I was given an internal ip address. I got this working fine i.e. I could ssh into the box from my laptop while sitting next to it in my office over the LAN. I'm using the default form of key pair generated on Arch (i.e. rsa) and am using gpg-agent with ssh support in lieu of ssh-agent to manage keys. Pin entry is using the qt front end as I'm on KDE. (I adapted KDE's config so that it starts gpg-agent with ssh support for the session so that I didn't end up with two instances.)
Once the firewall was in place and sshd was running, they gave me a public ip address. At this point, no port was opened in their firewall to allow WAN connections but I tested the public ip address from within the LAN and it once again worked fine.
Once I'd confirmed the machine could connect out after getting a public ip, they arranged for the port to be opened for ssh. However, I cannot connect to the machine from home.
$ ssh -vvi .ssh/id_rsa [email protected]
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for xxx.xxx.xxx.x
debug1: /etc/ssh/ssh_config line 32: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/home/username/.ssh/[email protected]:nn" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.x [xxx.xxx.xxx.x] port nn.
debug1: connect to address xxx.xxx.xxx.x port nn: Connection timed out
ssh: connect to host xxx.xxx.xxx.x port nn: Connection timed out
xxx.xxx.xxx.x is the public ip (works fine from LAN)
nn is the port number
username is my user name (same on both machines)
The options for the host from ssh_config are:
AddressFamily inet
Compression yes
ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p
and the only generic option applied to all hosts is just a line to insist on protocol 2 which I think is default now anyway but I followed the wiki and specified it to be sure.
What have I missed? My networking knowledge is pretty basic at best. (I got this far using Arch's wiki, Fedora's documentation and a little trial and error. That seemed to work well but now I've added google and still can't figure it out. All the hits I get concern cases where the LAN connection works but authentication fails over WAN. But I'm not getting that far - it looks like my work box doesn't respond at all...)
Last edited by cfr (2012-09-25 22:12:06)
So I discovered I'd also managed to kill off LAN access as well as the machine's ability to use any sort of DNS... (I did say it needed to be secure...)
Anyway, I fixed that, reestablished working ssh from LAN but still can't get it to work from WAN.
Question: if ShieldsUp! reports the port as stealthed does that mean that the port has not actually been opened? So the campus firewall is blocking the connection? Because if so, I'm knocking my head against a brick (fire)wall to no purpose whatsoever...
I figure it can't be the software firewall else I'd not be able to connect on the LAN. And it is a public ip address so there's no NAT translation required...
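The two transcripts above fail at very different points: the Mac one completes the TCP handshake, key exchange and host-key check and is then closed during publickey authentication, while the work-box one never gets a SYN/ACK back. As an added example (not code from either poster), here is a small Python triage that reads an `ssh -v` transcript and names the stage at which it failed; the embedded transcripts are constructed abbreviations of the two posted ones, with `fe80::1`, port 2222 and 203.0.113.5 standing in for the redacted address and port values.

```python
"""Locate the failure stage in an OpenSSH client transcript (ssh -v)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Triage:
    tcp_connected: bool = False            # saw "Connection established."
    hostkey_verified: bool = False         # host key matched known_hosts
    methods_offered: List[str] = field(default_factory=list)
    method_in_progress: Optional[str] = None
    failure: Optional[str] = None          # timeout | refused | closed_by_peer
    peer: Optional[str] = None             # address in "Connection closed by ..."
    gss_noise: int = 0                     # GSSAPI chatter; harmless without a Kerberos ticket
    stage: str = "no_failure_seen"
    advice: str = ""


def triage(transcript: str) -> Triage:
    """Walk the transcript once and record how far the session got before it failed."""
    t = Triage()
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("debug1: Connection established"):
            t.tcp_connected = True
        elif "is known and matches the" in line and "host key" in line:
            t.hostkey_verified = True
        elif line.startswith("debug1: Authentications that can continue:"):
            t.methods_offered = line.split(":", 2)[2].strip().split(",")
        elif line.startswith("debug1: Next authentication method:"):
            t.method_in_progress = line.rsplit(":", 1)[1].strip()
        elif "GSS failure" in line or line == "No credentials cache found":
            t.gss_noise += 1
        elif "Connection timed out" in line:
            t.failure = "timeout"
        elif "Connection refused" in line:
            t.failure = "refused"
        else:
            m = re.match(r"Connection closed by (\S+)", line)
            if m:
                t.failure, t.peer = "closed_by_peer", m.group(1)
    t.stage, t.advice = classify(t)
    return t


def classify(t: Triage) -> Tuple[str, str]:
    """Map the recorded facts to a stage name and the place to look next."""
    if t.failure == "timeout" and not t.tcp_connected:
        return ("no_tcp_handshake",
                "No SYN/ACK came back, so sshd never saw the attempt. Look upstream of the host "
                "(border firewall, port not actually opened, NAT), not at keys or sshd_config.")
    if t.failure == "refused":
        return ("tcp_refused",
                "The host answered with a RST: reachable, but nothing listens on that port.")
    if t.failure == "closed_by_peer" and t.hostkey_verified:
        where = t.method_in_progress or "pre-authentication"
        return ("closed_during_auth",
                f"TCP, key exchange and host-key check all completed; the server closed the "
                f"session during '{where}' authentication. The network path is fine; the "
                f"server-side sshd log holds the reason.")
    if t.failure == "closed_by_peer" and t.tcp_connected:
        return ("closed_before_kex",
                "Server closed the socket before key exchange finished: an sshd-side "
                "connection restriction or limit, not an authentication problem.")
    return ("no_failure_seen", "Transcript shows no failure, or is incomplete.")


# Constructed abbreviations of the two posted transcripts; fe80::1, port 2222 and
# 203.0.113.5 stand in for the redacted address and port values.
LAN_CLOSED = """\
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Connecting to PowerMacG4.local [fe80::1] port 2222.
debug1: Connection established.
debug1: Unspecified GSS failure. Minor code may provide more information
No credentials cache found
debug1: Host '[powermacg4.local]:2222' is known and matches the RSA host key.
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/name/.ssh/id_rsa
Connection closed by fe80::1
"""
WAN_TIMEOUT = """\
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Connecting to 203.0.113.5 [203.0.113.5] port 2222.
debug1: connect to address 203.0.113.5 port 2222: Connection timed out
ssh: connect to host 203.0.113.5 port 2222: Connection timed out
"""

if __name__ == "__main__":
    for name, text in (("LAN", LAN_CLOSED), ("WAN", WAN_TIMEOUT)):
        r = triage(text)
        print(f"{name}: {r.stage} (auth method: {r.method_in_progress}) -> {r.advice}")
```

Feed it `ssh -v user@host 2>&1` output; the stage name tells you whether to look at the network path or at the server's sshd log.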
Cisco ASA 5505 doesn't forward incoming connection to LAN
Hello everybody.
I just got a Cisco ASA 5505 with the following OS and ASDM info:
ASA 5505 OS 8.4(3) ASDM 6.47
I configured and entered all the rules to allow incoming traffic to the LAN, but it's not working. Also, I have one host inside that is configured on a second IP, and I created the rule to allow traffic to it, but it doesn't work either.
Problem 1
I have VNC running on port 5900 TCP and I want to connect from the Internet using port 6001, and this has to forward the connection to the real VNC port. In the configuration I have a few hosts with the same setup, but I use a different outside port to reach each one.
Problem 2.
I have a second IP with services: SMTP, HTTP, HTTPS and port 444 all TCP forwarding to a server in the LAN.
Facts:
SMTP.
Every time that I telnet to the second IP looking for the SMTP port, the firewall doesn't let the incoming connection go through, and the LOGGING screen doesn't show that connection.
PORT 6001 (outside)
This port is configured to work with the IP on the outside interface, and it is meant to send the incoming connection to a host inside on the real port 5900.
Can anyone check my configuration to see if I'm missing anything? For sure I am, but I didn't find it. Below is the configuration; I masked the public IPs and just left the last number of each IP. I also left the LAN network in so the configuration is easier to follow.
I will appreciate any help.
Thanks a lot..
CONFIGURATION.
: Saved
ASA Version 8.4(3)
hostname saturn1
domain-name mydominio.com
enable password SOMEPASS encrypted
passwd SOMEPASS encrypted
names
name 192.168.250.11 CAPITOLA-LAN
name 192.168.250.15 OBIi110-LAN
name 192.168.250.21 DRP1260-LAN
name 192.168.250.22 HPOJ8500-LAN
name 192.168.250.30 AP-W77-NG-LAN
name 192.168.250.97 AJ-DTOP-PC-LAN
name 192.168.250.96 SWEETHEART-PC-LAN
name 192.168.250.94 KIDS-PC-LAN
name XX.YY.ZZ.250 EXTERNALIP
name XX.YY.ZZ.251 EXTERNALIP2
name XX.YY.ZZ.1 GTWAY
dns-guard
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.250.2 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address EXTERNALIP 255.255.255.0
boot system disk0:/asa843-k8.bin
ftp mode passive
dns server-group DefaultDNS
domain-name mydominio.com
object network CAPITOLA-LAN
host 192.168.250.11
object network EXTERNALIP
host XX.YY.ZZ.250
description Created during name migration
object network CAPITOLA-PUBLIC
host XX.YY.ZZ.251
object network capitola-int
host 192.168.250.11
object network capitola-int-vnc
host 192.168.250.11
object network aj-dtop-int-vnc
host 192.168.250.97
object network sweetheart-int-vnc
host 192.168.250.96
object network kids-int-vnc
host 192.168.250.94
object network VPNNetwork
subnet 10.10.20.0 255.255.255.0
object network InsideNetwork
subnet 192.168.250.0 255.255.255.0
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network capitola-int-smtp
host 192.168.250.11
object-group service capitola-int-smtp-service tcp
port-object eq smtp
object-group service capitola-int-services tcp
port-object eq smtp
port-object eq https
port-object eq www
port-object eq 444
object-group service capitola-int-vnc-service tcp
port-object eq 6001
object-group service aj-dtop-int-vnc-service tcp
port-object eq 6002
object-group service sweetheart-int-vnc-service tcp
port-object eq 6003
object-group service kids-int-vnc-service tcp
port-object eq 6004
access-list incoming extended permit icmp any any
access-list incoming extended permit tcp any object capitola-int object-group capitola-int-services
access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
access-list incoming extended permit tcp any object sweetheart-int-vnc object-group sweetheart-int-vnc-service
access-list incoming extended permit tcp any object kids-int-vnc object-group kids-int-vnc-service
access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
access-list split-tunnel standard permit 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any object VPNNetwork
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 10.10.20.1-10.10.20.50 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static any any destination static VPNNetwork VPNNetwork no-proxy-arp
object network capitola-int
nat (any,any) static XX.YY.ZZ.251
object network capitola-int-vnc
nat (inside,outside) static interface service tcp 5900 6001
object network aj-dtop-int-vnc
nat (inside,outside) static interface service tcp 5900 6002
object network sweetheart-int-vnc
nat (inside,outside) static interface service tcp 5900 6003
object network kids-int-vnc
nat (inside,outside) static interface service tcp 5900 6004
object network obj_any
nat (inside,outside) dynamic interface
object network capitola-int-smtp
nat (any,outside) static interface service tcp smtp smtp
access-group incoming in interface outside
route outside 0.0.0.0 0.0.0.0 GTWAY 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server idle-timeout 2
http server session-timeout 1
http 192.168.1.0 255.255.255.0 inside
http CAPITOLA-LAN 255.255.255.255 inside
http AJ-DTOP-PC-LAN 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh CAPITOLA-LAN 255.255.255.255 inside
ssh AJ-DTOP-PC-LAN 255.255.255.255 inside
ssh timeout 15
console timeout 0
vpn-addr-assign local reuse-delay 2
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password SOMEPASS encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect pptp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:036b82d3eb5cffc1c65a3b381246d043
: end
asdm image disk0:/asdm-647.bin
no asdm history enable
Jose, your fix to problem 1 allows all access from the outside, assuming you applied the extended list to the outside interface. Try to be more restrictive than an '...ip any any' rule for outside_in connections. For instance, this is what I have for incoming VOIP (access list and NAT rules):
access list rule:
access-list outside_access_in extended permit udp any object server range 9000 9049 log errors
nat rule:
nat (inside,outside) source static server interface service voip-range voip-range
- 'server' is a network object
- 'voip-range' is a service group range
I'd assume you can do something similar here in combination with my earlier comment:
access-list incoming extended permit tcp any any eq 5900
Can you explain your forwarding methodology a little more? I'm by no means an expert on forwarding, but the way I read what you're trying to do is that you have an inbound VNC request coming in on 5900 and you want the firewall to figure out which host the request should go to. Or is it vice versa, the inbound VNC request can be on port 6001-6004?
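The posted `access-list incoming` entries permit the VNC objects on their mapped ports (6001-6004, via the `*-vnc-service` groups), while the reply proposes a rule on 5900. Since ASA 8.3, interface access lists are evaluated against the real (untranslated) destination address and port, which is what a `permit ... eq 5900` line relies on. As an added example (not code from the thread or from Cisco), this Python script parses a subset of the posted configuration, cross-checks each inbound ACL entry against the object's static PAT, and flags entries that permit only the mapped port; the config text is a constructed excerpt of the post, with the page's own placeholder names.

```python
"""Cross-check ASA object NAT (static PAT) against the inbound interface ACL."""
import re
from typing import Dict, List, Set, Tuple

# Port names the ASA accepts in port-object/service lines (subset sufficient here).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "ssh": 22, "ftp": 21}


def to_port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def parse_asa(cfg: str) -> Tuple[Dict[str, str], Dict[str, Tuple[int, int]],
                                 Dict[str, Set[int]], List[Tuple]]:
    hosts: Dict[str, str] = {}              # object network -> real host
    pat: Dict[str, Tuple[int, int]] = {}    # object network -> (real_port, mapped_port)
    groups: Dict[str, Set[int]] = {}        # object-group service -> permitted ports
    acl: List[Tuple] = []                   # (acl name, dst object, 'object-group'|'eq'|None, arg)
    cur_obj = cur_grp = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"object network (\S+)$", line):
            cur_obj, cur_grp = m.group(1), None
        elif m := re.match(r"object-group service (\S+) tcp$", line):
            cur_grp, cur_obj = m.group(1), None
            groups.setdefault(cur_grp, set())
        elif cur_grp and (m := re.match(r"port-object eq (\S+)$", line)):
            groups[cur_grp].add(to_port(m.group(1)))
        elif cur_obj and (m := re.match(r"host (\S+)$", line)):
            hosts[cur_obj] = m.group(1)
        elif cur_obj and (m := re.match(
                r"nat \(\S+,\S+\) static \S+ service tcp (\S+) (\S+)$", line)):
            pat[cur_obj] = (to_port(m.group(1)), to_port(m.group(2)))
        elif m := re.match(r"access-list (\S+) extended permit tcp any object (\S+)"
                           r"(?: (object-group|eq) (\S+))?$", line):
            acl.append((m.group(1), m.group(2), m.group(3), m.group(4)))
            cur_obj = cur_grp = None
        elif not line.startswith(("description", "subnet", "nat ")):
            cur_obj = cur_grp = None        # any other top-level command ends the sub-mode
    return hosts, pat, groups, acl


def check_inbound_acl(cfg: str) -> List[str]:
    """Flag ACL entries whose ports do not cover the real (pre-NAT) port of a PAT object."""
    hosts, pat, groups, acl = parse_asa(cfg)
    findings = []
    for name, obj, kind, arg in acl:
        if obj not in pat:
            continue                        # plain static NAT or no NAT: no port rewrite
        real, mapped = pat[obj]
        if kind == "object-group":
            allowed = groups.get(arg, set())
        elif kind == "eq":
            allowed = {to_port(arg)}
        else:
            continue                        # no port qualifier, so the real port is covered
        if real in allowed:
            continue
        host = hosts.get(obj, "?")
        fix = f"access-list {name} extended permit tcp any object {obj} eq {real}"
        if mapped in allowed:
            findings.append(f"{name}: entry for {obj} ({host}) permits the mapped port {mapped}; "
                            f"ASA 8.3+ applies the ACL after untranslation, so it must permit the "
                            f"real port {real}. Suggested: {fix}")
        else:
            findings.append(f"{name}: entry for {obj} ({host}) permits {sorted(allowed)}, which "
                            f"covers neither real port {real} nor mapped port {mapped}. "
                            f"Suggested: {fix}")
    return findings


# Constructed excerpt of the posted configuration (same object and ACL names).
SAMPLE_CFG = """
object network capitola-int-vnc
 host 192.168.250.11
object network aj-dtop-int-vnc
 host 192.168.250.97
object network capitola-int-smtp
 host 192.168.250.11
object-group service capitola-int-vnc-service tcp
 port-object eq 6001
object-group service aj-dtop-int-vnc-service tcp
 port-object eq 6002
object-group service capitola-int-smtp-service tcp
 port-object eq smtp
access-list incoming extended permit tcp any object capitola-int-vnc object-group capitola-int-vnc-service
access-list incoming extended permit tcp any object aj-dtop-int-vnc object-group aj-dtop-int-vnc-service
access-list incoming extended permit tcp any object capitola-int-smtp object-group capitola-int-smtp-service
object network capitola-int-vnc
 nat (inside,outside) static interface service tcp 5900 6001
object network aj-dtop-int-vnc
 nat (inside,outside) static interface service tcp 5900 6002
object network capitola-int-smtp
 nat (any,outside) static interface service tcp smtp smtp
access-group incoming in interface outside
"""

if __name__ == "__main__":
    for f in check_inbound_acl(SAMPLE_CFG):
        print(f)
```

The SMTP entry passes because its real and mapped ports are both 25; the two VNC entries are reported with a corrected line. A real `show running-config` can be fed to `check_inbound_acl` unchanged.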
Dear all,
I have a Cat6509 running 12.2(18)SXD4 code to support the WS-X6724-SFP module. We are having connectivity issues, which I think may be related to bug CSCsa85588 (BGP tags not being forwarded). There is a fix in 12.2(18)SXE2. However, I am not sure which feature set to choose as the naming convention appears to have changed. Existing feature set is ENT W/IPV6/SSH/3DES LAN ONLY. The following feature sets are available with 12.2(18)SXE2:
ADVANCED ENTERPRISE SERVICES SSH
ADVANCED IP SERVICES SSH
ENTERPRISE SERVICES SSH
IP SERVICES SSH LAN ONLY
IP SERVICES SSH
I have tried using the 'compare image' tool but it does not list 12.2(18)SXE2.
Any help would be greatly appreciated.
Many thanks,
Tracey
You can find out about the new package descriptions on CCO at
http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/prod_bulletin0900aecd80281b17.html
So Enterprise Services SSH might be the image you need to go with if you are upgrading to SXE2.
Also, as an FYI, I checked on bug CSCsa85588 and found that the fix was ported to the 12.2(18)SXD5 image as well.
CCP - Advanced Firewall Creating Custom Ports Inbound Traffic
Hey folks, I desperately need some assistance with my ISR 800 series router zone-based firewall.
The router is currently set up and routing traffic to the internet successfully.
I would like to set up a custom inbound port (TCP 3389) accessible from the internet.
Port destination termination will be an internal PC at, say, 192.168.1.50.
How can I accomplish this using CCP or the console?
I have already defined the port-to-application mapping using CCP. However, the firewall is recording the following syslog message:
%FW-6-DROP_PKT: Dropping udp session 24.76.164.168:13925 192.168.1.50:3389 on zone-pair ccp-zp-out-zone-To-in-zone class class-default due to DROP action found in policy-map with ip ident 0
Any assistance is greatly appreciated.
If a full config is required to assist, please let me know.
Thanks for your response.
Pardon my ignorance! How can I export this info from the CCP interface to share? In lieu of that procedure, I have provided the full config below.
Building configuration...
Current configuration : 22564 bytes
! Last configuration change at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
! NVRAM config last updated at 18:05:26 UTC Fri Aug 23 2013 by sshs
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname 881W-SSHS-R1
boot-start-marker
boot system flash:c880data-universalk9-mz.153-1.T.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 8192 warnings
enable secret 4 tFiAfenrBMx7/HkdLMWd3Yp19y9eWwFQw9w0LSu/IRk
enable password 7 09485B1F180B03175A
aaa new-model
aaa authentication login sslvpn local
aaa session-id common
memory-size iomem 10
clock timezone EST -5 0
clock summer-time UTC recurring
service-module wlan-ap 0 bootimage autonomous
crypto pki server 881-sshs-r1ca
database archive pem password 7 121D1001130518017B
issuer-name O=ssh solutions, OU=sshs support, CN=881w-sshs-r1, C=CA, ST=ON
lifetime certificate 1095
lifetime ca-certificate 1825
crypto pki trustpoint sshs-trustpoint
enrollment selfsigned
serial-number
subject-name CN=sshs-certificate
revocation-check crl
rsakeypair sshs-rsa-keys
crypto pki trustpoint 881-sshs-r1ca
revocation-check crl
rsakeypair 881-sshs-r1ca
crypto pki certificate chain sshs-trustpoint
certificate self-signed 01
quit
crypto pki certificate chain 881-sshs-r1ca
certificate ca 01
quit
no ip source-route
ip port-map user-remote-app-tcp port tcp 3389 list 2 description remote-app
ip dhcp excluded-address 192.168.10.1 192.168.10.200
ip dhcp excluded-address 192.168.20.1 192.168.20.200
ip dhcp excluded-address 192.168.30.1 192.168.30.200
ip dhcp pool SSHS-LAN
import all
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.10.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN20
import all
network 192.168.20.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.20.1
domain-name sshs.local
lease 2
ip dhcp pool VLAN30
import all
network 192.168.30.0 255.255.255.0
dns-server 192.168.10.1
default-router 192.168.30.1
domain-name sshs.local
lease 2
no ip bootp server
ip domain name sshs.local
ip host 881W-SSHS-R1 192.168.10.1
ip name-server 208.122.23.22
ip name-server 208.122.23.23
ip cef
no ipv6 cef
ipv6 multicast rpf use-bgp
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
multilink bundle-name authenticated
license udi pid CISCO881W-GN-A-K9 sn FTX1325804Y
license boot module c880-data level advipservices
username sshs privilege 15 password 7 050F131920425A0C48
username sean secret 4 HKl1ouWejids3opAKgGPRpf0NznjhP7L/v.REW79pKc
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map match-any AutoQoS-Voice-Fa4
match protocol rtp audio
class-map type inspect match-all CCP_SSLVPN
match access-group 199
class-map match-any AutoQoS-Scavenger-Fa4
match protocol bittorrent
match protocol edonkey
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any remote-app
match protocol Other
class-map type inspect match-all SDM_RIP_PT
match protocol router
class-map type inspect match-any bootps
match protocol bootps
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map match-any AutoQoS-VoIP-Remark
match ip dscp ef
match ip dscp cs3
match ip dscp af31
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any bootpc_bootps
match protocol bootpc
match protocol bootps
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map match-any AutoQoS-VoIP-Control-UnTrust
match access-group name AutoQoS-VoIP-Control
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map match-any AutoQoS-VoIP-RTP-UnTrust
match protocol rtp audio
match access-group name AutoQoS-VoIP-RTCP
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 102
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
match class-map bootps
match access-group name boops-DHCP
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map bootpc_bootps
match access-group name DHCP-Request
class-map type inspect match-any SDM_CA_SERVER
match class-map SDM_HTTPS
match class-map SDM_HTTP
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match class-map uremote-app
match access-group name remote-app
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
class type inspect msnmsgr ccp-app-msn-otherservices
log
class type inspect ymsgr ccp-app-yahoo-otherservices
log
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect ccp-cls-ccp-pol-outToIn-1
pass log
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map AutoQoS-Policy-Fa4
class AutoQoS-Voice-Fa4
priority percent 1
set dscp ef
class AutoQoS-Scavenger-Fa4
bandwidth remaining percent 1
set dscp cs1
class class-default
fair-queue
policy-map AutoQoS-Policy-UnTrust
class AutoQoS-VoIP-RTP-UnTrust
priority percent 70
set dscp ef
class AutoQoS-VoIP-Control-UnTrust
bandwidth percent 5
set dscp af31
class AutoQoS-VoIP-Remark
set dscp default
class class-default
fair-queue
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
class type inspect http ccp-app-httpmethods
log
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_CA_SERVER
inspect
class type inspect ccp-cls-ccp-permit-1
pass log
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect sdm-access
inspect
class type inspect SDM_RIP_PT
pass
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-cls-ccp-permit-icmpreply-1
pass log
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
interface Null0
no ip unreachables
interface FastEthernet0
description LAN
switchport mode trunk
no ip address
interface FastEthernet1
description Not in Use
no ip address
interface FastEthernet2
description Trunk to 861W-SSHS-R1
switchport mode trunk
no ip address
auto discovery qos
interface FastEthernet3
description VoIP
switchport access vlan 30
no ip address
service-policy output AutoQoS-Policy-UnTrust
interface FastEthernet4
description WAN$ETH-WAN$$FW_OUTSIDE$
ip ddns update hostname xxx.xxxx.org
ip address dhcp client-id FastEthernet4
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
auto qos
service-policy output AutoQoS-Policy-Fa4
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description SSHS Default LAN$FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Vlan20
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
zone-member security in-zone
interface Vlan30
description $FW_INSIDE$
ip address 192.168.30.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description PPPoA Dialer for Int ATM0$FW_INSIDE$
ip address negotiated
ip access-group aclInternetInbound in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security in-zone
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp chap hostname SSHS-CHAP
ppp chap password 7 045F1E100E2F584B
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
router rip
network 192.168.10.0
network 192.168.20.0
network 192.168.30.0
ip local pool sslvpn-pool 192.168.10.190 192.168.10.199
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip access-list extended AutoQoS-VoIP-Control
permit tcp any any eq 1720
permit tcp any any range 11000 11999
permit udp any any eq 2427
permit tcp any any eq 2428
permit tcp any any range 2000 2002
permit udp any any eq 1719
permit udp any any eq 5060
ip access-list extended AutoQoS-VoIP-RTCP
permit udp any any range 16384 32767
ip access-list extended DHCP-Request
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any log
ip access-list extended SDM_HTTP
remark CCP_ACL Category=1
permit tcp any any eq www log
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22 log
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443 log
ip access-list extended remote-app
remark CCP_ACL Category=128
permit ip any host 192.168.10.50
ip access-list extended boops-DHCP
remark CCP_ACL Category=128
permit ip any any
logging host 192.168.10.50
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.10.50
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip any any
control-plane
rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS
banner login ^C No Unauthorize access, all unauthorize users will be terminated at WILL! Enter user name and password to continue
^C
banner motd ^C This router is designated as the primary router in the SSHS LAN ^C
line con 0
password 7 06021A374D401D1C54
logging synchronous
no modem enable
transport output telnet
line aux 0
password 7 06021A374D401D1C54
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
privilege level 15
password 7 130102040A02102F7A
length 0
transport input telnet ssh
transport output telnet ssh
scheduler interval 500
ntp master
ntp update-calendar
ntp server nist1-ny.ustiming.org prefer
webvpn gateway sshs-WebVPN-Gateway
ip interface FastEthernet4 port 443
ssl encryption rc4-md5
ssl trustpoint sshs-trustpoint
inservice
webvpn context sshs-WebVPN
secondary-color white
title-color #669999
text-color black
acl "ssl-acl"
permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
aaa authentication list sslvpn
gateway sshs-WebVPN-Gateway
max-users 4
ssl authenticate verify all
url-list "rewrite"
inservice
policy group sshs-webvpnpolicy
functions svc-enabled
filter tunnel ssl-acl
svc address-pool "webvpnpool" netmask 255.255.255.0
svc rekey method new-tunnel
svc split include 192.168.0.0 255.255.255.0
default-group-policy sshs-webvpnpolicy
end -
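One thing worth checking in a config posted like the one above, added here as an illustration rather than part of the original post: every `password 7` line (the con, aux and vty line passwords and the `ppp chap password 7` on Dialer0) is Cisco type 7 obfuscation, which is a fixed-key XOR rather than a hash, so anyone who sees the listing has the secrets. The Python below implements the publicly documented algorithm, round-trips a constructed sample config (the two strings are the classic public test vectors for `cisco`, not the page's own values) and scans config text for such lines. The sample config and the function names are mine.

```python
import re

# Public fixed key IOS uses for "password 7" (type 7) strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """Decode a type 7 string: two decimal seed digits followed by hex byte
    pairs, each XORed with XLAT[(seed + position) % len(XLAT)]."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("type 7 string is a 2-digit seed plus whole hex pairs")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)]
                 for i, b in enumerate(data)).decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Inverse of type7_decode; IOS itself picks a seed in the range 00-15."""
    if not 0 <= seed <= 15:
        raise ValueError("IOS seeds are 00-15")
    out = [f"{seed:02d}"]
    for i, ch in enumerate(plain.encode("ascii")):
        out.append(f"{ch ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


PASSWORD7_RE = re.compile(r"\bpassword 7 ([0-9A-Fa-f]{4,})")


def find_type7(config_text: str) -> list:
    """Return (stripped line, decoded secret) for every 'password 7' line,
    which also covers 'ppp chap password 7 ...' on dialer interfaces."""
    hits = []
    for line in config_text.splitlines():
        m = PASSWORD7_RE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample (not the page's config): both strings are public test
# vectors that decode to "cisco" under seeds 08 and 10.
SAMPLE_CONFIG = """\
line con 0
 password 7 0822455D0A16
line vty 0 4
 password 7 104D000A0618
 transport input telnet ssh
"""

if __name__ == "__main__":
    for line, secret in find_type7(SAMPLE_CONFIG):
        print(f"{line:32} -> {secret}")
```

Treat any type 7 string in a shared config as disclosed and rotate it. `service password-encryption` only produces more type 7 strings; the line `password` command has no hashed form at all, so the durable fix is `login local` on the lines with `username ... secret`, and `enable secret` rather than `enable password`.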
Failed to register service with Bonjour
I can't seem to register my Mac Mini's services with Bonjour. Below is what I think is the relevant log for the issue. An Airport Extreme (Time Capsule, actually) is the host. It's running version 7.6.1. My Mac Mini is running 10.6.8.
I checked with "Bonjour Browser" and the services are listed. I can access all these services locally and over the internet. The only problem is that when the Mac goes to sleep, it cannot be woken, locally or over the internet.
Any ideas?
Jul 4 02:34:56 localhost com.apple.launchctl.System[2]: DNSServiceRegister("ssh"): -65563
Jul 4 02:34:56 localhost com.apple.launchctl.System[2]: DNSServiceRegister("sftp-ssh"): -65563
Jul 4 02:34:56 localhost com.apple.launchctl.System[2]: DNSServiceRegister("ssh"): -65563
Jul 4 02:34:56 localhost com.apple.launchctl.System[2]: DNSServiceRegister("sftp-ssh"): -65563
Jul 4 02:34:56 localhost com.apple.launchd[1] (com.openssh.sshd): Unknown key: SHAuthorizationRight
Jul 4 02:34:56 localhost kernel[0]: yukon: Ethernet address 00:16:cb:ad:46:d7
Jul 4 02:34:56 localhost kextd[10]: 425 cached, 0 uncached personalities to catalog
Jul 4 02:34:56 localhost kernel[0]: display: family specific matching fails
Jul 4 02:34:56 localhost kernel[0]: Previous Shutdown Cause: 0
Jul 4 02:34:56 localhost kernel[0]: AppleTyMCEDriver::probe(Macmini2,1)
Jul 4 02:34:56 localhost kernel[0]: AppleTyMCEDriver::probe fails
Jul 4 02:34:56 localhost kernel[0]: ath_attach: devid 0x1c
Jul 4 02:34:56 localhost kernel[0]: GFX0: family specific matching fails
Jul 4 02:34:57 Mac-Mini-USA configd[14]: setting hostname to "Mac-Mini-USA.local"
Jul 4 02:34:58 Mac-Mini-USA kernel[0]: mac 10.3 phy 6.1 radio 10.2
Jul 4 02:34:58 Mac-Mini-USA kernel[0]: AirPort_Athr5424ab: Ethernet address 00:1c:b3:b1:81:8d
Jul 4 02:34:58 Mac-Mini-USA kernel[0]: AirPort: Link Down on en1
Jul 4 02:34:59 Mac-Mini-USA kernel[0]: Ethernet [AppleYukon2]: Link up on en0, 1-Gigabit, Full-duplex, Symmetric flow-control, Debug [796d,ac4c,0de1,0200,cde1,2800]
Jul 4 02:35:05 Mac-Mini-USA com.apple.usbmuxd[21]: usbmuxd-268.5 on Apr 5 2012 at 15:33:48, running 32 bit
Jul 4 02:35:05 Mac-Mini-USA com.apple.usbmuxd[21]: _CreateBonjourDeviceBrowseService (thread 0xa0746720): DNSServiceBrowse() failed -65563.
Jul 4 02:35:05 Mac-Mini-USA com.apple.usbmuxd[21]: StartListeningForBonjourDevices failed to create bonjour thing-duder.
Jul 4 02:35:05 Mac-Mini-USA rpc.statd[25]: statd.notify - no notifications needed
Jul 4 02:35:05 Mac-Mini-USA fseventsd[34]: bumping event counter to: 0x3b67f (current 0x0) from log file '0000000000037354'
Jul 4 02:35:05 Mac-Mini-USA bootlog[41]: BOOT_TIME: 1341387288 0
Jul 4 02:35:07 Mac-Mini-USA /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow[30]: Login Window Application Started -- Threaded auth
Jul 4 02:35:07 Mac-Mini-USA org.apache.httpd[19]: httpd: apr_sockaddr_info_get() failed for Mac-Mini-USA.local
Jul 4 02:35:07 Mac-Mini-USA org.apache.httpd[19]: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Jul 4 02:35:08 Mac-Mini-USA blued[42]: Apple Bluetooth daemon started.
Jul 4 02:35:08 Mac-Mini-USA kextd[10]: writing kernel link data to /var/run/mach.sym
Jul 4 02:35:10 Mac-Mini-USA kernel[0]: display: Not usable
Jul 4 02:35:10 Mac-Mini-USA /usr/sbin/ocspd[64]: starting
Jul 4 02:35:12 Mac-Mini-USA ARDAgent[71]: Failed to register service with Bonjour. -65563
Thanks Linc. WakeOnLan is quite nifty but I'm not physically there and the only computer (Mac Mini) I have access to is the one that can't be woken (other than scheduled wake by itself).
But I did run WakeOnLan on the Mac Mini and was able to see itself, amongst others, listed as "awake".
I'll try to get my family member there on the local network to try WakeOnLan and see if it's listed when it's asleep.
Meanwhile I'll briefly describe my setup and status:
The Setup:
MacBook Air => Internet => Cable Modem => Time Capsule => Mac Mini
Mac Mini is Ethernet connected to Time Capsule.
Time Capsule hosts the entire local network.
Mac Mini is headless (no keyboard or monitor connected)
Mac Mini is setup for Remote Management, Remote Login, and Web Sharing.
Port Mapping on Time Capsule is setup accordingly for the above services.
"Wake for network administration" is selected in Energy Saver.
Successful Connections (only when already awake):
SSH over LAN and over Internet
VNC over LAN and over Internet
File Sharing over Internet
Web Sharing over Internet
Mac Mini shows up as available for connection in Finder of another locally connected Mac.
Note: while accessing over LAN, I've only tried using a client (MacBook Air) via WiFi. -
SSH and media wiki not connecting from outside of my LAN
I can't seem to connect to SSH or my MediaWiki server from outside of my LAN. I've forwarded all the needed ports and have been going over my config all night. I also made sure my router wasn't blocking anything.
-ssh tells me connection denied
-when I go to my HTTP server I can list directories, but as soon as I try to load MediaWiki I get a 502 error
*these problems do not happen if I'm connecting from another machine in my local LAN
This is my sshd_config
# $OpenBSD: ssh_config,v 1.25 2009/02/17 01:28:32 djm Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
#Host *
# ForwardAgent no
# ForwardX11 yes
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
#HostbasedAuthentication yes
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
#AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
#Port 22
Protocol 2
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160
# EscapeChar ~
# Tunnel yes
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
#RSAAuthentication yes
#PubkeyAuthentication yes
#HostbasedAuthentication no
#PasswordAuthentication no
#HashKnownHosts yes
#StrictHostKeyChecking ask
#LoginGraceTime 120
#PermitRootLogin no # (put yes here if you want root login)
hosts.deny
# /etc/hosts.allow
sshd: ALL
mysqld: ALL
# End of file
# /etc/hosts.deny
ALL: ALL: DENY
# End of file
hosts.allow
# /etc/hosts.allow
sshd: ALL
mysqld: ALL
# End of file
I feel like its a security policy or something im not catching.
Ive been searching and working to fix this all night to no avail.
Thanks ahead of time for any help.
djszapi wrote:
Hello ahronzombi!
Did you try it with the Apache web server? If yes, is there any related information in the Apache log when someone tries to connect from outside? What's in your HTTP server related config files, vhosts, etc?
I'll try that today. I tried something similar with sshd and looked at the verbose output of the program when trying to connect remotely. It was never touched, as if no one tried to connect. I feel like it's a network security issue since I can connect locally, but I'll check these logs as well -
Ssh fails with rule matching LAN
My goal is simple: use a key pair from the WAN only but allow password auth from the LAN.
I thought my recipe had previously worked in Arch and other distros, but now I'm unsure. Here's a snippet of some relevant sections of /etc/ssh/sshd_config:
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
Match Address 192.168.1.0/24
PasswordAuthentication yes
Without the match section I'm able to login. With the match section I am not able to login from WAN or LAN hosts.
Here's an excerpt from the ssh client logging in from the local machine itself along with a tail of the journal (using the match address section):
CLIENT SIDE
myhost% ssh -v localhost
OpenSSH_6.4, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /home/myuser/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost [::1] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_rsa type 1
debug1: identity file /home/myuser/.ssh/id_rsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_dsa type -1
debug1: identity file /home/myuser/.ssh/id_dsa-cert type -1
debug1: identity file /home/myuser/.ssh/id_ecdsa type 3
debug1: identity file /home/myuser/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: match: OpenSSH_6.4 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr [email protected] none
debug1: kex: client->server aes128-ctr [email protected] none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA <omitted pub>
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /home/myuser/.ssh/known_hosts:6
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/myuser/.ssh/id_dsa
debug1: Offering ECDSA public key: /home/myuser/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
SERVER SIDE
myhost% sudo journalctl -f --full
-- Logs begin at Sat 2013-06-29 11:25:32 EDT. --
Jan 07 13:09:18 myhost systemd[1]: Started SSH Key Generation.
Jan 07 13:09:18 myhost systemd[1]: Starting OpenSSH Daemon...
Jan 07 13:09:18 myhost systemd[1]: Started OpenSSH Daemon.
Jan 07 13:09:18 myhost sudo[20291]: pam_unix(sudo:session): session closed for user root
Jan 07 13:09:18 myhost sshd[20295]: Server listening on 0.0.0.0 port 22.
Jan 07 13:09:18 myhost sshd[20295]: Server listening on :: port 22.
Jan 07 13:09:23 myhost sshd[20296]: reverse mapping checking getaddrinfo for <omitted address> [<omitted address>] failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 07 13:09:34 myhost sshd[20296]: error: Received disconnect from <omitted address>: 13: Unable to authenticate [preauth]
Jan 07 13:09:39 myhost sudo[20298]: myuser : TTY=pts/2 ; PWD=/home/myuser ; USER=root ; COMMAND=/usr/bin/journalctl -f --full
Jan 07 13:09:39 myhost sudo[20298]: pam_unix(sudo:session): session opened for user root by myuser(uid=0)
Jan 07 13:10:35 myhost sshd[20308]: Connection closed by ::1 [preauth]
Last edited by badhat (2014-01-08 14:36:10)
Yes, there are one or two fields which were not mapped and were removed. However, the records which got reconciled successfully have been done with the same field mapping.
UZ -
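Added illustration, not part of badhat's post or of OpenSSH itself: a small Python model of how sshd evaluates a `Match Address` list and which keywords the matched block overrides. The point it makes is that the test in the post was `ssh localhost`, which connected to `[::1]`; `::1` is not inside `192.168.1.0/24`, so the Match block does not apply, PasswordAuthentication stays at the global `no`, and the server offers `publickey` only, which is exactly what the client log printed. The option dictionaries, the sample peer addresses and the helper names are my stand-ins for the posted sshd_config lines.

```python
import ipaddress


def parse_address_list(spec: str) -> list:
    """Split a 'Match Address' argument: comma-separated CIDR blocks or
    single hosts, each optionally negated with a leading '!'."""
    entries = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negated = token.startswith("!")
        net = ipaddress.ip_network(token.lstrip("!"), strict=False)
        entries.append((negated, net))
    return entries


def match_address(spec: str, peer: str) -> bool:
    """Mirror sshd's addr_match_list(): a hit on a negated entry rejects
    outright, otherwise any positive hit matches, and no hit means no match.
    sshd normalises IPv4-mapped IPv6 peers (::ffff:a.b.c.d) to IPv4 first."""
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    matched = False
    for negated, net in parse_address_list(spec):
        if addr.version == net.version and addr in net:
            if negated:
                return False
            matched = True
    return matched


# Constructed stand-in for the relevant lines of the posted sshd_config.
GLOBAL = {"PubkeyAuthentication": "yes", "PasswordAuthentication": "no"}
MATCH_BLOCKS = [("192.168.1.0/24", {"PasswordAuthentication": "yes"})]


def effective_options(peer: str, global_opts=GLOBAL, match_blocks=MATCH_BLOCKS) -> dict:
    """Options sshd ends up with for one peer: matched blocks override the
    global section, and when several matching blocks set the same keyword
    the first matching block wins (a later one cannot change it back)."""
    opts = dict(global_opts)
    overridden = set()
    for spec, overrides in match_blocks:
        if not match_address(spec, peer):
            continue
        for key, value in overrides.items():
            if key not in overridden:
                opts[key] = value
                overridden.add(key)
    return opts


def offered_methods(peer: str) -> list:
    """Rough equivalent of the client's 'Authentications that can continue'."""
    opts = effective_options(peer)
    methods = []
    if opts.get("PubkeyAuthentication") == "yes":
        methods.append("publickey")
    if opts.get("PasswordAuthentication") == "yes":
        methods.append("password")
    return methods


if __name__ == "__main__":
    # ::1 is what 'ssh localhost' used in the post; the others are constructed.
    for peer in ("::1", "127.0.0.1", "192.168.1.50", "::ffff:192.168.1.50", "203.0.113.9"):
        print(f"{peer:22} -> {offered_methods(peer)}")
```

To check the real daemon rather than a model, `sshd -T -C addr=192.168.1.50,user=myuser,host=client` prints the options sshd would apply for that peer, and a live test from the same box should target its own LAN address (`ssh 192.168.1.x`) rather than `localhost`, so the peer address is normally the LAN one. Also remember that every keyword after a `Match` line belongs to that block until the next `Match`, so the block has to sit at the end of sshd_config.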
Using ssh tunneling to admin OS X server on a far-away LAN
My Mac OS X Server 10.4 box is behind a gateway (dns, dhcp, nat, ipfw) box on a LAN. My workstation (the one I will be administering from) is on a different LAN. I don't want to open holes in my firewall, but I have an account on the firewall (I am the admin). I want to use ssh tunneling to administer the server. I have successfully done this with my old webstar box (which the OSX Server is replacing).
Is it as simple as adding a port designation when I "Add Server" to the Server Admin and Workgroup Server? example:
localhost:8331 or localhost:8625
(8331 is the local end of the tunnel which ends up as 331 to the OSX server, and same for 8625.) The OSX server doesn't care because it sees the connections from the ports that it expects. I'm just wondering about configuring the admin apps which are on a different LAN.
How do I bring up the file shares in a GUI
You don't. Not with Putty or an SSH connection. Just share a folder from the PC and access it via SMB from the Mac to access it.
http://support.apple.com/kb/HT1568 -
After Leopard install, why can't I ssh to Macs (from in or out of LAN)?
Since I upgraded to Leopard (using "Archive and Install"), I can't ssh to either of my two Intel Macs, either from inside OR outside the LAN. I can't even ssh from one Mac to the other Mac within the LAN (a Linksys router). I always get the message "port 22: Connection refused". This all worked before. In the "Firewall" page of the "Security" settings, both systems are set to "Allow all connections". I tried both hardwiring static IP addresses and using DHCP from the router. I even tried (temporarily) de-installing Norton AV. Nothing seems to make any difference. Ideas?
Can you ssh to any Tiger or PPC machines? I just tested it and I'm fine with ssh'ing into a Tiger Server G4 system from a Leopard Quad G5.
-
RV120W can't open web management, can't open SSH/http to server on LAN port
Hi,
I just bought a Cisco RV120W, but it seems I found a lot of issues. I hope someone can help.
Topology:
Internet------RV120W(192.168.1.1/24)--------(192.168.1.5/24)PC
|---------------(192.168.1.2)L3switch(10.10.10.1/24)--------(10.10.10.2/24)Server
Here is the issue:
1. From the PC, after I log in to 192.168.1.1 the web UI can't be opened; it shows as "web server not responding". I have tried with 3 browsers and 2 PCs, but all the same. But when I use an HP it can be opened.
2. On the RV120W I added a static route and now from the PC I can ping the server. I can telnet, but SSH/HTTP always fail.
On the firewall I never set anything; all is permitted.
I tried versions 1.0.3.10 and 1.0.4.10, but all the same.
Hi Bernadi, thank you for using our forum. My name is Luis and I am part of the Small Business Support community. I have some questions for you:
1.1) What kind of computer are those that didn't work?
1.2) If you connect those, are you receiving an IP address from DHCP?
1.3) What gateway is showing?
2.1) Do you have any debug or error?
2.2) Did you try creating a forwarding rule for 443 to the server address?
I recommend you always use the latest firmware.
I hope you find this answer useful
Greetings,
Luis Arias.
Cisco Network Support Engineer. -
LAN Switches cannot be accessed by Telnet, SSH or console in native vlan
Hi to all of you:
I do have a question about tagging the native vlan.
In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
Our native VLAN is still VLAN 1, and there are many corporate applications running in this VLAN.
We have upgraded the IOS for the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches, related to accessing the switch, either by telnet, ssh, or even console. However, the switch is still working fine, I mean, doing all bridging and switching traffic.
I have to reset or reload (power cycle) if I want to access the switch.
I have read that having the native vlan can be a problem.
Could you please let me know if you have gone through this problem?
Thanks in advance for your help.
Javier F. Berthin H.
Hi Karhtick:
I guess you have the best answer; you suggested the memory command and I am attaching the result.
Should the next step be to downgrade the IOS? Because we did the upgrade just in order to have the latest IOS published by Cisco.
If you need the config please let me know, for complementary comments.
Thanks for your help.
Javier
Core_Toldos#
Core_Toldos#
Core_Toldos#sh processes memory sorted
Processor Pool Total: 57114592 Used: 42061488 Free: 15053104
I/O Pool Total: 12582912 Used: 9397428 Free: 3185484
Driver te Pool Total: 1048576 Used: 40 Free: 1048536
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 56706116 14325484 38372056 0 0 *Init*
197 0 4506712 2363500 1463652 0 0 Auth Manager
0 0 0 0 1443720 0 0 *MallocLite*
0 0 577244636 370831296 916016 12457311 3203234 *Dead*
236 0 532808 46152 507068 0 0 IP ARP Adjacency
303 0 1335768 890528 450448 0 0 ADJ resolve proc
230 0 27640244 15996 378344 10152 0 CDP Protocol
77 0 368260 14413456 377820 0 0 EEM ED ND
102 0 385848 232 362236 0 0 HLFM address lea
404 0 3397428 3069392 334928 0 0 hulc running con
192 0 307492 21604 294808 0 0 HL2MCM
193 0 356552 70624 294744 0 0 HL2MCM
357 0 265100 0 275260 100548 0 EEM ED Syslog
365 0 126849404 86726456 255248 0 0 EEM Server
87 0 569060 274864 244984 0 0 Stack Mgr Notifi
203 0 753032 492440 164316 0 0 DTP Protocol
201 0 737920 526656 159424 0 0 802.1x switch
13 0 505129716 504972016 156620 0 0 ARP Input
Core_Toldos# -
Remote Access VPN Clients Cannot Access inside LAN
I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with. I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA. They can ping each other. The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10. I do not need split tunneling to be enabled. The active WAN interface is the one labeled outside_cable.
: Saved
ASA Version 8.2(1)
hostname ASA5505
domain-name default.domain.invalid
enable password eelnBRz68aYSzHyz encrypted
passwd eelnBRz68aYSzHyz encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group dataDSL
ip address 76.244.75.57 255.255.255.255 pppoe
interface Vlan3
nameif dmz
security-level 50
ip address 192.168.9.1 255.255.255.0
interface Vlan10
nameif outside_cable
security-level 0
ip address 50.84.96.178 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 10
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service Netbios udp
port-object eq 139
port-object eq 445
port-object eq netbios-ns
object-group service Netbios_TCP tcp
port-object eq 445
port-object eq netbios-ssn
object-group network DM_INLINE_NETWORK_1
network-object host 192.168.100.177
network-object host 192.168.100.249
object-group service Web_Services tcp
port-object eq ftp
port-object eq ftp-data
port-object eq www
port-object eq https
object-group network DM_INLINE_NETWORK_10
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_11
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_2
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_3
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_4
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_5
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_6
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_7
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_8
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network DM_INLINE_NETWORK_9
network-object host 192.168.9.10
network-object host 192.168.9.4
object-group network VPN
network-object 192.168.255.0 255.255.255.0
access-list outside_access_in extended permit icmp any host 76.244.75.61
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
access-list dmz_access_in remark Quickbooks
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
access-list dmz_access_in remark Quickbooks range
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
access-list dmz_access_in remark QB
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
access-list dmz_access_in remark Printer
access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
access-list dmz_access_in remark QB probably does not need any udp
access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark QB included in other rule range
access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
access-list dmz_access_in remark May be required for Quickbooks
access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu outside_cable 1500
ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (outside_cable) 10 interface
nat (inside) 0 access-list nonat-in
nat (inside) 10 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
nat (dmz) 10 0.0.0.0 0.0.0.0
static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
access-group outside_access_in in interface outside
access-group dmz_access_in in interface dmz
access-group outside_cable_access_in in interface outside_cable
route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 204.107.173.0 255.255.255.0 outside_cable
http 0.0.0.0 0.0.0.0 outside_cable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_cable_map interface outside_cable
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp enable outside_cable
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 204.107.173.0 255.255.255.0 outside
ssh 204.107.173.0 255.255.255.0 outside_cable
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
console timeout 0
vpdn group dataDSL request dialout pppoe
vpdn group dataDSL localname [email protected]
vpdn group dataDSL ppp authentication pap
vpdn username [email protected] password *********
dhcpd address 192.168.100.30-192.168.100.99 inside
dhcpd dns 192.168.100.5 68.94.156.1 interface inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec l2tp-ipsec
group-policy cad_supplies_RAVPN internal
group-policy cad_supplies_RAVPN attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE internal
group-policy VPNPHONE attributes
dns-server value 192.168.100.5
vpn-tunnel-protocol IPSec
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
client-firewall none
client-access-rule none
username swinc password BlhBNWfh7XoeHcQC encrypted
username swinc attributes
vpn-group-policy cad_supplies_RAVPN
username meredithp password L3lRjzwb7TnwOyZ1 encrypted
username meredithp attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone1 attributes
vpn-group-policy VPNPHONE
username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone2 attributes
vpn-group-policy VPNPHONE
username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
username ipphone3 attributes
vpn-group-policy VPNPHONE
username oethera password WKJxJq7L6wmktFNt encrypted
username oethera attributes
vpn-group-policy cad_supplies_RAVPN
service-type remote-access
username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
username markh attributes
vpn-group-policy cad_supplies_RAVPN
tunnel-group DefaultRAGroup general-attributes
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group cad_supplies_RAVPN type remote-access
tunnel-group cad_supplies_RAVPN general-attributes
address-pool VPN_IP_range
default-group-policy cad_supplies_RAVPN
tunnel-group cad_supplies_RAVPN ipsec-attributes
pre-shared-key *
tunnel-group VPNPHONE type remote-access
tunnel-group VPNPHONE general-attributes
address-pool VPN_Phone
default-group-policy VPNPHONE
tunnel-group VPNPHONE ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1500
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
: end
Hi,
You have your "group-policy" set so that you are excluding some networks from being tunneled.
In this access-list named Local_LAN_Access you specify "0.0.0.0".
Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.
This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
- Jouni -
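The exclude list Jouni points at, the management-access lines and the crypto settings in the posted config are all things a reviewer would check mechanically. The script below is an added example written for this page; it is not part of the thread and not Cisco tooling. Its SAMPLE_CONFIG is a constructed subset of the lines posted above (pre-shared keys and passwords left out). It flags ssh/http/telnet access from 0.0.0.0 0.0.0.0, telnet management at all, transform sets and IKE policies that still use DES, 3DES, MD5 or DH group 1/2, and resolves any excludespecified list so the excluded networks can be read off: an entry that covers every destination is reported as "nothing tunneled", while host 0.0.0.0 is only marked for review. The severities and regexes are this example's own conventions, not ASA terminology.

```python
"""Audit an ASA 8.2-style running-config for weaknesses visible in the posted config.

Added example; not part of the thread and not Cisco code. Checks:
  * ssh / http / telnet management access from any source (0.0.0.0 0.0.0.0),
    and telnet management at all (cleartext)
  * IPsec transform-sets and ISAKMP policies using DES, 3DES, MD5 or DH group 1/2
  * split-tunnel exclude lists: resolves the referenced standard ACL, flags an
    entry that matches every destination, marks 'host 0.0.0.0' for review
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the config posted above.
SAMPLE_CONFIG = """\
access-list Local_LAN_Access standard permit host 0.0.0.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
http server enable
http 192.168.100.0 255.255.255.0 inside
http 204.107.173.0 255.255.255.0 outside
http 0.0.0.0 0.0.0.0 outside_cable
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 192.168.100.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.100.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside_cable
ssh timeout 15
group-policy cad_supplies_RAVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "review" (this example's own scale)
    where: str     # the config line (or block) the finding refers to
    reason: str


MGMT_RE = re.compile(r"^(ssh|http|telnet) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
STD_ACL_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
WEAK_IPSEC = {"esp-des": "single DES", "esp-3des": "3DES", "esp-md5-hmac": "HMAC-MD5"}
WEAK_ISAKMP = {("encryption", "des"): "single DES", ("encryption", "3des"): "3DES",
               ("hash", "md5"): "MD5", ("group", "1"): "DH group 1", ("group", "2"): "DH group 2"}
ISAKMP_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


def std_acl_network(entry: str) -> ipaddress.IPv4Network:
    """'host A', 'A MASK' or 'any' from a standard ACL, as a network."""
    parts = entry.split()
    if parts == ["any"]:
        return ipaddress.IPv4Network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.IPv4Network(f"{parts[1]}/32")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=False)


def audit(config: str) -> list[Finding]:
    findings: list[Finding] = []
    std_acls: dict[str, list[str]] = {}
    split: dict[str, dict[str, str]] = {}   # group-policy -> split-tunnel attributes
    group_policy = isakmp_policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if (m := MGMT_RE.match(line)):
            proto, addr, mask, iface = m.groups()
            if proto == "telnet":
                findings.append(Finding("high", line, "telnet management is cleartext; allow ssh only"))
            if ipaddress.IPv4Network(f"{addr}/{mask}", strict=False).prefixlen == 0:
                findings.append(Finding("high", line, f"{proto} management reachable from any source on {iface}"))
            continue
        if (m := STD_ACL_RE.match(line)):
            std_acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        if line.startswith("crypto ipsec transform-set "):
            tokens = line.split()
            for alg, name in WEAK_IPSEC.items():
                if alg in tokens:
                    findings.append(Finding("medium", line, f"transform-set uses {name}"))
            continue
        if (m := re.match(r"^crypto isakmp policy (\d+)$", line)):
            isakmp_policy, group_policy = m.group(1), None
            continue
        parts = line.split()
        if isakmp_policy and len(parts) == 2 and parts[0] in ISAKMP_KEYS:
            if (reason := WEAK_ISAKMP.get((parts[0], parts[1]))):
                findings.append(Finding("medium", f"crypto isakmp policy {isakmp_policy}: {line}",
                                        f"IKE policy uses {reason}"))
            continue
        isakmp_policy = None                      # any other line ends the policy block
        if (m := re.match(r"^group-policy (\S+) attributes$", line)):
            group_policy = m.group(1)
            split[group_policy] = {}
            continue
        if group_policy and parts and parts[0].startswith("split-tunnel-"):
            split[group_policy][parts[0]] = parts[-1]   # '... value X' -> X
    for gp, attrs in split.items():
        if attrs.get("split-tunnel-policy") != "excludespecified":
            continue
        acl = attrs.get("split-tunnel-network-list", "")
        for entry in std_acls.get(acl, []):
            where = f"group-policy {gp} / access-list {acl} standard permit {entry}"
            net = std_acl_network(entry)
            if net.prefixlen == 0:
                findings.append(Finding("high", where, "exclude list matches every destination, so nothing is tunneled"))
            elif net.network_address == ipaddress.IPv4Address("0.0.0.0"):
                findings.append(Finding("review", where, "0.0.0.0 in an exclude list: confirm the client "
                                        "treats it as local-LAN-only rather than as 'exclude everything'"))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.where}")
    print(summary(results))
```

On the excerpt this yields three high findings (telnet on inside, ssh and http reachable from any address on outside_cable), five medium ones for DES, 3DES, MD5 and DH group 2, and one review item for Local_LAN_Access.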
How to use one NIC for everything and the other to allow ssh from
Hello,
I have two Internet connections at home:
- a cable connection (CABLEBOX) that I use for all of my devices as it's the fastest. All my computers are connected to it using Ethernet or Wi-Fi.
- an ADSL connection (ADSLBOX) that is connected to the second network card of one of my computers (MEDIABOX) only, and that I want to use only to SSH to that same device from the outside.
I want that specific computer to use its:
- NIC1 to connect to the LAN and to the Internet. Routing is enabled on CABLEBOX.
- NIC2 to connect to that device from the outside using SSH. ssh -D should also work through NIC2 as I need to be able to use that computer as a proxy on some occasions. Routing is enabled on ADSLBOX and it's set to port forward port 22 to MEDIABOX.
Once this is working I'd also like to route FTP connections to specific IPs via NIC2.
No firewall is set up on MEDIABOX yet; I'll do it later on.
I know the basics of how to set routing rules and how to assign a specific LAN to a network card, but I have a hard time deciding which rules I should set...
Can someone guide me?
Thanks in advance
Last edited by parpagnas (2013-12-03 18:31:31)
A possible solution might be this.
On ADSLBOX and CABLEBOX configure different subnets for the LAN, e.g.
ADSLBOX: 192.168.1.0/24
CABLEBOX: 192.168.2.0/24
The MEDIABOX gets these static IPs:
ADSL-LAN: 192.168.1.2
CABLE-LAN: 192.168.2.2
On the MEDIABOX, configure the two network interfaces using two routing tables.
The ADSL-LAN routing table
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2 table 1
ip route add default via 192.168.1.1 table 1
The CABLE-LAN routing table
ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2 table 2
ip route add default via 192.168.2.1 table 2
The main routing table
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2
ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2
# use the CABLE-LAN gateway as default, so general internet traffic from MEDIABOX runs over CABLEBOX
ip route add default via 192.168.2.1
Define the lookup rules
ip rule add from 192.168.1.2 table 1
ip rule add from 192.168.2.2 table 2
To test the setup:
ip route show
ip route show table 1
ip route show table 2
I don't know how to persist something like this in Arch Linux using netctl. It might require writing a special systemd unit for it. The above is a working example from a Red Hat box at my company.
Last edited by teekay (2013-12-04 07:42:22)
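To see why the two ip rule lines are the crucial part of teekay's recipe, here is a small model of the lookup the kernel performs. It is an added example for this page, not part of the post and not kernel code: rules are walked in priority order, each rule points at a table, the table is searched by longest prefix match, and a table with no matching route falls through to the next rule. The addresses, device names and table numbers are the ones from the post; 203.0.113.10 is a documentation address standing in for the remote ssh client. The model is a simplification (no local table, no metrics, no multipath), but enough to show that an sshd reply sourced from 192.168.1.2 leaves via eth0 only because of the "from 192.168.1.2 table 1" rule; without it the reply would take the main table's default route out through the cable gateway, and the ADSL-side client would never see it.

```python
"""Model of the Linux source-based policy-routing lookup set up by the ip rule /
ip route commands above. Added example, not part of the thread and not kernel code.
eth0 = ADSL LAN 192.168.1.0/24, eth1 = cable LAN 192.168.2.0/24, as in the post.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

Addr = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: Optional[str] = None     # absent on 'default via GW': inherited from the route to GW
    via: Optional[Addr] = None
    src: Optional[Addr] = None    # preferred source address ('src' in ip route)


@dataclass(frozen=True)
class Rule:
    src: Optional[Net]   # 'from' selector; None matches every packet
    table: str


@dataclass(frozen=True)
class Egress:
    dev: str
    via: Optional[Addr]  # None for a directly connected destination
    src: Addr
    table: str


def parse_route(spec: str) -> Route:
    """Accept the argument part of an 'ip route add' command, e.g. 'default via 192.168.1.1'."""
    tok = spec.split()
    prefix = Net("0.0.0.0/0") if tok[0] == "default" else Net(tok[0], strict=False)
    kw = dict(zip(tok[1::2], tok[2::2]))
    return Route(prefix, kw.get("dev"),
                 Addr(kw["via"]) if "via" in kw else None,
                 Addr(kw["src"]) if "src" in kw else None)


def longest_prefix_match(table: list[Route], dst: Addr) -> Optional[Route]:
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def lookup(tables: dict[str, list[Route]], rules: list[Rule],
           dst: str, src: str | None = None) -> Optional[Egress]:
    """Walk the rules in priority order; a table without a matching route falls
    through to the next rule, as the kernel does."""
    dst_ip = Addr(dst)
    src_ip = Addr(src) if src else None
    for rule in rules:
        if rule.src is not None and (src_ip is None or src_ip not in rule.src):
            continue
        table = tables[rule.table]
        route = longest_prefix_match(table, dst_ip)
        if route is None:
            continue
        dev = route.dev
        out_src = src_ip if src_ip is not None else route.src
        if route.via is not None:
            # gateway route: interface and default source come from the connected route to the gateway
            connected = longest_prefix_match(table, route.via)
            if connected is None:
                continue   # unreachable gateway; the kernel would have refused such a route
            dev = dev if dev is not None else connected.dev
            out_src = out_src if out_src is not None else connected.src
        if dev is None or out_src is None:
            continue
        return Egress(dev, route.via, out_src, rule.table)
    return None


def teekay_setup(with_rules: bool = True) -> tuple[dict[str, list[Route]], list[Rule]]:
    """Tables 1, 2 and main exactly as in the post; with_rules=False omits the two ip rule lines."""
    tables = {
        "1": [parse_route("192.168.1.0/24 dev eth0 src 192.168.1.2"), parse_route("default via 192.168.1.1")],
        "2": [parse_route("192.168.2.0/24 dev eth1 src 192.168.2.2"), parse_route("default via 192.168.2.1")],
        "main": [parse_route("192.168.1.0/24 dev eth0 src 192.168.1.2"),
                 parse_route("192.168.2.0/24 dev eth1 src 192.168.2.2"),
                 parse_route("default via 192.168.2.1")],
    }
    rules = [Rule(Net("192.168.1.2/32"), "1"), Rule(Net("192.168.2.2/32"), "2")] if with_rules else []
    rules.append(Rule(None, "main"))   # the implicit 'from all lookup main' rule (priority 32766)
    return tables, rules


if __name__ == "__main__":
    INTERNET_PEER = "203.0.113.10"   # TEST-NET-3 address standing in for the remote ssh client
    tables, rules = teekay_setup()
    print("sshd reply to the ADSL-side client :", lookup(tables, rules, INTERNET_PEER, "192.168.1.2"))
    print("new outbound connection            :", lookup(tables, rules, INTERNET_PEER))
    tables, rules = teekay_setup(with_rules=False)
    print("same reply without the ip rules    :", lookup(tables, rules, INTERNET_PEER, "192.168.1.2"))
```

The third line of output is the failure mode the rules prevent: with only the main table, the reply keeps its 192.168.1.2 source but is handed to eth1 and the cable gateway. The same asymmetry is what `ip route get 203.0.113.10 from 192.168.1.2` would show on the real box if the rules were missing.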
ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN
Hi there, please forgive me if I have missed any forum protocols as this is my first post.
I am trying to configure AnyConnect SSL VPN. I am able to connect to the VPN on a laptop, which is able to download the AnyConnect client from the ASA. I am unable to ping any of my IPs that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on AnyConnect SSL VPN creation and I am following them to a T, but still no ping. Any help would be very much appreciated.
Inside 192.168.1.254/24
Outside dhcp
VPN Pool 192.168.250.1-50/24
Inside LAN 192.168.1.0/24
: Saved
ASA Version 8.4(4)1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 99
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
subnet 192.168.1.0 255.255.255.0
object network management-network-object
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
subnet 192.168.250.0 255.255.255.128
object-group network AllInside-networks
network-object object inside-network-object
network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable 4433
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_anyconnect internal
group-policy GroupPolicy_anyconnect attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value dock.local
username test password JAasdf434ey521ZCT encrypted privilege 15
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
address-pool vpn_pool
default-group-policy GroupPolicy_anyconnect
tunnel-group anyconnect webvpn-attributes
group-alias anyconnect enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:24bcba3c4124ab371297d52260135924
: end
: Saved
ASA Version 8.4(4)1
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
interface GigabitEthernet0/1
nameif inside
security-level 99
ip address 192.168.1.254 255.255.255.0
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 99
ip address 192.168.100.1 255.255.255.0
ftp mode passive
dns server-group DefaultDNS
domain-name dock.local
same-security-traffic permit inter-interface
object network inside-network-object
subnet 192.168.1.0 255.255.255.0
object network management-network-object
subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
subnet 192.168.250.0 255.255.255.0
object-group network AllInside-networks
network-object object inside-network-object
network-object object management-network-object
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-647.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.100.2 255.255.255.255 management
http 192.168.100.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 192.168.100.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_Anyconnect_VPN internal
group-policy GroupPolicy_Anyconnect_VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value split_tunnel
default-domain value dock.local
username sander password f/J.5nLef/EqyPfy encrypted
username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
tunnel-group Anyconnect_VPN type remote-access
tunnel-group Anyconnect_VPN general-attributes
address-pool Anyconnect-pool
default-group-policy GroupPolicy_Anyconnect_VPN
tunnel-group Anyconnect_VPN webvpn-attributes
group-alias Anyconnect_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email
[email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
: end
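Two things worth checking mechanically in configs like the two above are whether the identity-NAT rule really covers the whole AnyConnect address pool, and whether the split-tunnel attributes are consistent with each other (under split-tunnel-policy tunnelall the split-tunnel-network-list is not used). The script below is an added example for this page, not part of the post and not Cisco tooling; SAMPLE_CONFIG is a constructed subset of the first config above. It also flags an ASDM-style NETWORK_OBJ_<address>_<prefixlen> object whose name no longer matches the subnet it holds, which is the case in the second config (NETWORK_OBJ_192.168.250.0_25 with a 255.255.255.0 mask). It does not diagnose why the pings fail; it only rules these three points in or out.

```python
"""Sanity checks for an ASA 8.4 AnyConnect setup: does an identity-NAT (NAT
exemption) rule cover the whole address pool, is the split-tunnel config
consistent, and do ASDM-named objects still match their contents?

Added example; not part of the thread and not Cisco code.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# Constructed sample: the relevant lines of the first config posted above.
SAMPLE_CONFIG = """\
object network inside-network-object
 subnet 192.168.1.0 255.255.255.0
object network management-network-object
 subnet 192.168.100.0 255.255.255.0
object network NETWORK_OBJ_192.168.250.0_25
 subnet 192.168.250.0 255.255.255.128
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
nat (inside,outside) source dynamic AllInside-networks interface
nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
group-policy GroupPolicy_anyconnect attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelall
 split-tunnel-network-list value split_tunnel
tunnel-group anyconnect type remote-access
tunnel-group anyconnect general-attributes
 address-pool vpn_pool
 default-group-policy GroupPolicy_anyconnect
"""

NAT_STATIC_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")
OBJ_NAME_RE = re.compile(r"^NETWORK_OBJ_(\d+\.\d+\.\d+\.\d+)_(\d+)$")   # ASDM auto-naming


@dataclass
class TunnelGroupReport:
    name: str
    pool: tuple[Addr, Addr] | None
    pool_covered: bool
    notes: list[str] = field(default_factory=list)


def range_covered(start: Addr, end: Addr, nets: list[Net]) -> bool:
    """True when every address start..end lies inside a single exemption network."""
    return any(start in n and end in n for n in nets)


def object_name_matches(name: str, net: Net) -> bool:
    """Objects named NETWORK_OBJ_<address>_<prefixlen> by ASDM should still hold that prefix."""
    m = OBJ_NAME_RE.match(name)
    return m is None or Net(f"{m.group(1)}/{m.group(2)}", strict=False) == net


def analyze(config: str) -> dict[str, TunnelGroupReport]:
    objects: dict[str, Net] = {}
    pools: dict[str, tuple[Addr, Addr]] = {}
    exempt_dst: list[Net] = []                 # destination side of identity-NAT rules
    gp_split: dict[str, dict[str, str]] = {}
    tgs: dict[str, dict[str, str]] = {}
    notes: list[str] = []
    cur_obj = cur_gp = cur_tg = None
    for raw in config.splitlines():
        line = raw.strip()
        parts = line.split()
        if not parts:
            continue
        if (m := re.match(r"^object network (\S+)$", line)):
            cur_obj, cur_gp, cur_tg = m.group(1), None, None
        elif cur_obj and parts[0] in ("subnet", "host"):
            net = Net(f"{parts[1]}/32") if parts[0] == "host" else Net(f"{parts[1]}/{parts[2]}", strict=False)
            objects[cur_obj] = net
            if not object_name_matches(cur_obj, net):
                notes.append(f"object {cur_obj} is named for a different prefix than it contains ({net})")
        elif (m := POOL_RE.match(line)):
            pools[m.group(1)] = (Addr(m.group(2)), Addr(m.group(3)))
        elif (m := NAT_STATIC_RE.match(line)):
            _, _, s_real, s_mapped, d_real, d_mapped = m.groups()
            if s_real == s_mapped and d_real == d_mapped:          # identity NAT == exemption
                if d_real == "any":
                    exempt_dst.append(Net("0.0.0.0/0"))
                elif d_real in objects:
                    exempt_dst.append(objects[d_real])
                else:
                    notes.append(f"nat rule references unknown object {d_real}")
        elif (m := re.match(r"^group-policy (\S+) attributes$", line)):
            cur_gp, cur_obj, cur_tg = m.group(1), None, None
            gp_split[cur_gp] = {}
        elif cur_gp and parts[0].startswith("split-tunnel-"):
            gp_split[cur_gp][parts[0]] = parts[-1]                 # '... value X' -> X
        elif (m := re.match(r"^tunnel-group (\S+) general-attributes$", line)):
            cur_tg, cur_obj, cur_gp = m.group(1), None, None
            tgs[cur_tg] = {}
        elif cur_tg and parts[0] in ("address-pool", "default-group-policy"):
            tgs[cur_tg][parts[0]] = parts[1]
    reports: dict[str, TunnelGroupReport] = {}
    for name, attrs in tgs.items():
        pool = pools.get(attrs.get("address-pool", ""))
        covered = pool is not None and range_covered(pool[0], pool[1], exempt_dst)
        rep = TunnelGroupReport(name, pool, covered, list(notes))
        if pool is None:
            rep.notes.append("no address pool resolved for this tunnel-group")
        elif not covered:
            rep.notes.append(f"pool {pool[0]}-{pool[1]} is not fully inside any identity-NAT destination "
                             "object; the uncovered addresses are subject to the regular NAT rules")
        sp = gp_split.get(attrs.get("default-group-policy", ""), {})
        if sp.get("split-tunnel-policy") == "tunnelall" and "split-tunnel-network-list" in sp:
            rep.notes.append(f"split-tunnel-policy tunnelall ignores split-tunnel-network-list "
                             f"{sp['split-tunnel-network-list']}")
        reports[name] = rep
    return reports


if __name__ == "__main__":
    for name, rep in analyze(SAMPLE_CONFIG).items():
        span = f"{rep.pool[0]}-{rep.pool[1]}" if rep.pool else "none"
        print(f"tunnel-group {name}: pool {span}, covered by NAT exemption: {rep.pool_covered}")
        for n in rep.notes:
            print("  -", n)
```

For the first config the pool 192.168.250.1-100 sits inside the /25 object, so the exemption is not the gap; the tunnelall note says the split_tunnel ACL is dead configuration. Feeding it the second config adds the naming-drift note for NETWORK_OBJ_192.168.250.0_25.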