SSL Multiple Tunnel Groups with Multiple group policies
Hello folks.
Have a query and cant seem to find an answer on the web.
I have configured SSL Clientless VPN on a lab ASA5510, using 2 tunnel groups, one for enginneers and one for staff, mapped to 2 different group policies, each with different customisation. I have mapped the AD groups to the tunnel groups using both ACS and now LDAP (currently in use), both working successfully, using group lock and LDAP map of IETF-Radius-Class to Group name ensures engineers get assigned to the engineers tunnel group and staff get mapped to the staff tunnel group only.
The question i have is....is there a way to use a single tunnel group to map the user based on AD group which will then use the correct Group-policy (1 tunnel group to multiple group-polciies). I have seen examples of doing this with different URLs but want to know if they can all use the same URL and avoid using the drop down list using aliases.
It may be a simple "No" but it would be nice to know how to do it without using the URLs or drop down list. Users are easily confused ......
Easy. Disable the drop-down list, and use the authentication-server (LDAP or Radius) in the DefaultWEBVPNGroup. By default when you browse to the ASA, it will be using the DefaultWEBVPNGroup. Let LDAP or Radius take care of the rest.
You will get the functionality you are looking for.
HTH
PS. If this post was helpful, please rate it.
Similar Messages
-
Selectively Format Groups with Multiple Columns
I have a bit of an obscure task I've been trying to hammer out to no avail. I've searched quite a bit but can't seem to find anyone else who has attempted this. I have two group by statements, one is a category and the other is a rank. What I'm trying to do is organize the report so that there are category rows and below each category row is a set of columns for each rank with their associated values as such:
category1
rank1 rank2 rank3 rank4
value1 value1 value1 value1
value2 value2 value2 value2
category2
rank1 rank2 rank3
value1 value1 value1
value2 value2 value2
I've tried using details>Section Expert>>Layout>Format Groups with multiple column. Unfortunately, this applies to both groups putting the categories into columns instead of rows, making a mess. Does anyone know of a way to selectively put groups into columns and ensure alignment? In the above example the user would be able to compare rank values from multiple categories since they all line up. Any help with this would be very much appreciated.Hi,
Have you tried using a crosstab? Give this a shot:
1) Group the report on Category
2) Create a new group header section. Group Header b
3) Place a crosstab in this section
4) The columns would be the Rank field, I'm not sure about what you would like to show in the rows
5) The summarized field would be the Value field ofcourse
Let me know how this goes.
-Abhilash -
We have multiple users, each with multiple devices, on 1 apple id - as we want to share music and ibooks etc. We want the children to have access to the store, but with a financial limit. How do we do this?
Welcome to the Apple Community.
That's simply not possible I'm afraid. You'd need to give them their own account and allowance or make it so you are required to be there to input the password when they wish to make a purchase. -
JNDI Lookup for multiple server instances with multiple cluster nodes
Hi Experts,
I need help with retreiving log files for multiple server instances with multiple cluster nodes. The system is Netweaver 7.01.
There are 3 server instances all instances with 3 cluster nodes.
There are EJB session beans deployed on them to retreive the log information for each server node.
In the session bean there is a method:
public List getServers() {
List servers = new ArrayList();
ClassLoader saveLoader = Thread.currentThread().getContextClassLoader();
try {
Properties prop = new Properties();
prop.setProperty(Context.INITIAL_CONTEXT_FACTORY, "com.sap.engine.services.jndi.InitialContextFactoryImpl");
prop.put(Context.SECURITY_AUTHENTICATION, "none");
Thread.currentThread().setContextClassLoader((com.sap.engine.services.adminadapter.interfaces.RemoteAdminInterface.class).getClassLoader());
InitialContext mInitialContext = new InitialContext(prop);
RemoteAdminInterface rai = (RemoteAdminInterface) mInitialContext.lookup("adminadapter");
ClusterAdministrator cadm = rai.getClusterAdministrator();
ConvenienceEngineAdministrator cea = rai.getConvenienceEngineAdministrator();
int nodeId[] = cea.getClusterNodeIds();
int dispatcherId = 0;
String dispatcherIP = null;
String p4Port = null;
for (int i = 0; i < nodeId.length; i++) {
if (cea.getClusterNodeType(nodeId[i]) != 1)
continue;
Properties dispatcherProp = cadm.getNodeInfo(nodeId[i]);
dispatcherIP = dispatcherProp.getProperty("Host", "localhost");
p4Port = cea.getServiceProperty(nodeId[i], "p4", "port");
String[] loc = new String[3];
loc[0] = dispatcherIP;
loc[1] = p4Port;
loc[2] = null;
servers.add(loc);
mInitialContext.close();
} catch (NamingException e) {
} catch (RemoteException e) {
} finally {
Thread.currentThread().setContextClassLoader(saveLoader);
return servers;
and the retreived server information used here in another class:
public void run() {
ReadLogsSession readLogsSession;
int total = servers.size();
for (Iterator iter = servers.iterator(); iter.hasNext();) {
if (keepAlive) {
try {
Thread.sleep(500);
} catch (InterruptedException e) {
status = status + e.getMessage();
System.err.println("LogReader Thread Exception" + e.toString());
e.printStackTrace();
String[] serverLocs = (String[]) iter.next();
searchFilter.setDetails("[" + serverLocs[1] + "]");
Properties prop = new Properties();
prop.put(Context.INITIAL_CONTEXT_FACTORY, "com.sap.engine.services.jndi.InitialContextFactoryImpl");
prop.put(Context.PROVIDER_URL, serverLocs[0] + ":" + serverLocs[1]);
System.err.println("LogReader run [" + serverLocs[0] + ":" + serverLocs[1] + "]");
status = " Reading :[" + serverLocs[0] + ":" + serverLocs[1] + "] servers :[" + currentIndex + "/" + total + " ] ";
prop.put("force_remote", "true");
prop.put(Context.SECURITY_AUTHENTICATION, "none");
try {
Context ctx = new InitialContext(prop);
Object ob = ctx.lookup("com.xom.sia.ReadLogsSession");
ReadLogsSessionHome readLogsSessionHome = (ReadLogsSessionHome) PortableRemoteObject.narrow(ob, ReadLogsSessionHome.class);
status = status + "Found ReadLogsSessionHome ["+readLogsSessionHome+"]";
readLogsSession = readLogsSessionHome.create();
if(readLogsSession!=null){
status = status + " Created ["+readLogsSession+"]";
List l = readLogsSession.getAuditLogs(searchFilter);
serverLocs[2] = String.valueOf(l.size());
status = status + serverLocs[2];
allRecords.addAll(l);
}else{
status = status + " unable to create readLogsSession ";
ctx.close();
} catch (NamingException e) {
status = status + e.getMessage();
System.err.println(e.getMessage());
e.printStackTrace();
} catch (CreateException e) {
status = status + e.getMessage();
System.err.println(e.getMessage());
e.printStackTrace();
} catch (IOException e) {
status = status + e.getMessage();
System.err.println(e.getMessage());
e.printStackTrace();
} catch (Exception e) {
status = status + e.getMessage();
System.err.println(e.getMessage());
e.printStackTrace();
currentIndex++;
jobComplete = true;
The application is working for multiple server instances with a single cluster node but not working for multiple cusltered environment.
Anybody knows what should be changed to handle more cluster nodes?
Thanks,
GergelyThanks for the response.
I was afraid that it would be something like that although
was hoping for
something closer to the application pools we use with IIS to
isolate sites
and limit the impact one badly behaving one can have on
another.
mmr
"Ian Skinner" <[email protected]> wrote in message
news:fe5u5v$pue$[email protected]..
> Run CF with one instance. Look at your processes and see
how much memory
> the "JRun" process is using, multiply this by number of
other CF
> instances.
>
> You are most likely going to end up on implementing a
"handful" of
> instances versus "dozens" of instance on all but the
beefiest of servers.
>
> This can be affected by how much memory each instance
uses. An
> application that puts major amounts of data into
persistent scopes such as
> application and|or session will have a larger foot print
then a leaner
> application that does not put much data into memory
and|or leave it there
> for a very long time.
>
> I know the first time we made use of CF in it's
multi-home flavor, we went
> a bit overboard and created way too many. After nearly
bringing a
> moderate server to its knees, we consolidated until we
had three or four
> or so IIRC. A couple dedicated to to each of our largest
and most
> critical applications and a couple general instances
that ran many smaller
> applications each.
>
>
>
>
> -
Mail Groups with Multiple Contact Email Addresses
I cannot find a way to create a Group in Address Book where the contacts have more than one email address. In fact I have not been able to get emailing to groups with Mail to work at all. I always get prompted to select one of my other outgoing SMTP servers... none of them work, iCloud, Gmail, private domain. I don't understand why this is so difficult.
I have read online that Groups do not support contacts with multiple email addresses... Really? Say it isn't so!User A can have one mailbox associated with his ID. You can create other "User A" mailboxes with different names and e-mail addresses as shared mailboxes and grant User A full mailbox rights and send as right. User A can
then connect to each one of them separately.
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems." -
GROUP WITH MULTIPLE EMAIL MEMBERS
I have a group created whose members have multiple emails. I want to be able to type in the group name, and have ALL emails automatically inserted, not just one per group member.
HOW?Okay... I spoke a little too soon.
It cuts off my emails at 50 when I have 77. I'll attach my Script. See what you can do.
property defaultGroups : {}
property defaultLabels : {}
-- Prompt for the group to use
tell application "Address Book" to set everyGroup to name of every group
if (count of everyGroup) is greater than 0 then
set theGroups to choose from list everyGroup with prompt ¬
"Send this message to which group?" default items defaultGroups with multiple selections allowed
end if
-- Prompt for message subject
set theResult to display dialog "What would you like the subject of the message to be?" default answer "I'm sending this via AppleScript!"
set theSubject to text returned of theResult
-- Prompt for whether an attachment is desired. If so, prompt for the location of the file.
set theResult to display dialog "Would you like to attach some files to this message?" buttons {"Yes", "No"} default button 1
set wantsAttachment to button returned of theResult
if wantsAttachment is equal to "Yes" then
set theAttachment to choose file
end if
-- Prompt for message body
set theResult to display dialog "What would you like to say in the body of the message?" default answer ""
set theBody to text returned of theResult
-- Go through each account and constuct a list of possible addresses
-- to use as a return address for this message.
tell application "Mail"
set listOfSenders to {}
set everyAccount to every account
repeat with eachAccount in everyAccount
set everyEmailAddress to email addresses of eachAccount
if (everyEmailAddress is not equal to missing value) then
repeat with eachEmailAddress in everyEmailAddress
set listOfSenders to listOfSenders & {(full name of eachAccount & " <"Which account would you like to send this message from?" without multiple selections allowed
if theResult is not equal to false then
set theSender to item 1 of theResult
tell application "Mail"
-- Properties can be specified in a record when creating the message or
-- afterwards by setting individual property values.
set newMessage to make new outgoing message with properties {subject:theSubject, content:theBody & return & return}
tell newMessage
-- Default is false. Determines whether the compose window will
-- show on the screen or whether it will happen in the background.
set visible to true
set sender to theSender
set theEmails to {}
tell application "Address Book"
repeat with aGroup in theGroups
repeat with aPerson in people of group aGroup
repeat with anEmail in emails of aPerson
if (label of anEmail is in defaultLabels) or defaultLabels is {} then
if theEmails does not contain the value of anEmail then
copy (value of anEmail) to end of theEmails
end if
end if
end repeat
end repeat
end repeat
end tell
repeat with anEmail in theEmails
make new to recipient at end of to recipients with properties {address:anEmail}
end repeat
tell content
if (wantsAttachment is equal to "Yes") then
-- Position must be specified for attachments
make new attachment with properties {file name:theAttachment} at after the last paragraph
end if
end tell
end tell
-- Bring the new compose window to the foreground, in all its glory
activate
end tell
end if -
How to create a group with multiple data fields
Post Author: RichS
CA Forum: Formula
Using CR XI. Using CSV input from ODBC text driver. No problems here.
There are 3 fields that I want the same group by action. Is this possible?)
If any one of these 3 fields change I want some header information and column fieldnames to display. The header information I only want displayed on the first page (on the change) and the column fieldnames to display on every page. I have played around with things like "InRepeatedGroupHeader" and "report group header on each page". I am not getting all the results that I am looking for though.
I want report to look like:
Page header stuff (to display on every page) This data consists of some fields that will have static data and will display on every page. And it consists of 3 non-static fields that I want to group on.
Group header stuff that I only want displayed on the first page on a change from one of the 3 fields mentioned above.
Column headings that I want displayed on every page.
Details data
Group footer stuff (details not important for this)
I get the expected output (column headings displayed on every page, and group header stuff display on the first page on each group change) with one group field. But I want the group change to happen for all 3 fields.
It seems simple but I can't find a way to create a "group" so if "field1 or field2 or field3" change, I get the same "group by" action. I just need to know how to get the expected action.
I expect that I might have some terms mixed up and/or some important information that would aide you in helping me. If that is the case please re-post and I will add any missing or mis-stated information.
Thanks,Post Author: V361
CA Forum: Formula
I am slightly confused, but perhaps you can create a formula
Then group on the formula. If this is not what you want, could you post some sample data, with the desired results. -
Creating new group with multiple contacts
What is the simplest way to create a new group with say 8 or 10 names that have been cc'ed on an e-mail? Essentially, I would like to be able to add all of the names at once to my Address Book, then using this same list create a new group. I can't find a way of doing this other than one at a time, unless I'm missing something obvious. Thanks for any help.
There is collection of AppleScripts called Mail Scripts you can download at this link.
http://homepage.mac.com/aamann/Mail_Scripts.html
The script to use from the collection of scripts is Add Addresses (Mail) which adds addresses found in the selected messages (in the header fields "From", "To", "Cc", and "Bcc") to the Address Book. This is much more flexible than the "Add Sender to Address Book" available in Mail and provides a convenient way for creating mailing lists. -
Hi,
I develop a Java code using smartcardio API to program a smart card. My GUI allows to add at most 5 smart card readers that will wait for card present, then do authentication and program the smart card with an application, then wait for card removal. This is a separate thread running in a loop for each smart card reader added as programmer.
The problem occurs when a certain smart card is in progress and I inserted another smart card to another smart card reader. Both smart card reader halts and throw sun.security.smartcardio.PCSCException: Unknown error 0x8010002f.
I also observed that every time there is an attempt to insert/remove a smart card in the smart card reader that is connected to the USB port would cause the programming in progress to be interrupted and throw the PCSCException.
These are some exceptions I got during my testing:
sun.security.smartcardio.PCSCException: Unknown error 0x8010002f
at sun.security.smartcardio.PCSC.SCardTransmit(Native Method)
at sun.security.smartcardio.ChannelImpl.doTransmit(ChannelImpl.java:171)
java.lang.Exception: Loader Record Failed: 6E | 0 //Sometimes I got this return code SW1 0x6E SW2 0x00 which means an APDU with an invalid 'CLA' bytes was received. I had check the command before it was sent and it was correct.
Help me understand this issue. I think the CardTerminal.isCardPresent(), CardTerminal.waitForCardPresent(0), and CardTerminal.waitForCardAbsent(0) cause this issue that CardChannel.transmit(apduCommand) is interrupted or the smart card insertion/removal causes the CardChannel.transmit(apduCommand) is interrupted.
Regards,
KnivezHi,
when you work with one smartcard reader only usually you address the slot -1 that means "the first found".
But to deal with multiple readers you have to use slots of course since one reader will be slot 0, next reader will be slot 1 and so on...
So a credential object will be identified on a system by a couple
<slot,alias>
After that, the way to address slots (I mean the syntax) depends on the classes you are using...
Bye -
Multiple Thumb Slider with Multiple Track Colors
Hi All,
Does any one implemented a Multiple Thumb Slider component with Multiple Track Colors. Please find the screen shot of the component below which I am talking about.
Any ideas or any link or sample source of code given would be highly appreciated.
If I drag any thumb the colored section between any two thumbs should increase or decrease.
Thanks,
BhaskerHi,
There is a sort of workaround I made myself. Basically you set up your slider into a canvas container and add new boxes exactly at the position between your thumb buttons, in order to imitate your 'tracks'. Look the image below and notice that the black tracks are in fact VBoxes. For different colors, make each VBox different backgroundColor style.
<?xml version="1.0"?>
<mx:Application xmlns:mx="http://www.adobe.com/2006/mxml">
<mx:Script>
<![CDATA[
import mx.containers.VBox;
var tracks : Array = [];
public function changeSliderHandler(event : Event) : void {
for (var i : int = 0,j : int = 0; i < tracks.length; i++) {
var track : VBox = tracks[i] as VBox;
track.setStyle('left', slider.getThumbAt(j++).xPosition + 3);
track.setStyle('right', slider.width - slider.getThumbAt(j++).xPosition + 3);
public function addTrackHandler(event : Event) : void {
var track : VBox = new VBox();
track.setStyle('backgroundColor', '#000000');
track.width = 0;
track.height = 2;
track.setStyle('bottom', '7');
tracks.push(track);
canvas.addChild(track);
slider.values = slider.values.concat(0, 0);
slider.thumbCount += 2;
]]>
</mx:Script>
<mx:Panel title="My Slider" height="95%" width="95%"
paddingTop="5" paddingLeft="5" paddingRight="5" paddingBottom="5">
<mx:Canvas id="canvas" borderStyle="solid" height="40" width="100%">
<mx:HSlider id="slider" minimum="0" maximum="100" thumbCount="2"
change="changeSliderHandler(event)" values="{[0,0]}" showTrackHighlight="false"
percentWidth="100" snapInterval="1" tickInterval="1"
allowThumbOverlap="true" showDataTip="true" labels="{[0, 50, 100]}"/>
<mx:VBox id="track1" backgroundColor="#000000" width="0" height="2" bottom="7" initialize="{tracks.push(track1)}"/>
</mx:Canvas>
<mx:Button label="Add track" click="addTrackHandler(event)"/>
</mx:Panel>
</mx:Application> -
Create Dynamic groups with multiple criteria
Hello,
I want to create a dynamic group of sql computers in a particular domain.
What should be the criteria?
System creates this:
((object is windows computer and (dns domain name equals contoso.com) and true) OR (object is SQL computers and (display name matches wildcard *) and True))
How can I set to below?
((object is windows computer and (dns domain name equals contoso.com) and true)
AND (object is SQL computers and (display name matches wildcard *) and True))
ThanksUse
the link that Blake already supplied to the site of Jonathan and use this XML part.
Replace the XXXXXXXXXX of course with the name of your class/group. Don't forget to add a reference to the SQL Server Core Library Management Pack.
<RuleId>$MPElement$</RuleId>
<GroupInstanceId>$MPElement[Name="XXXXXXXXXX"]$</GroupInstanceId>
<MembershipRules>
<MembershipRule>
<MonitoringClass>$MPElement[Name="Windows!Microsoft.Windows.Computer"]$</MonitoringClass>
<RelationshipClass>$MPElement[Name="SC!Microsoft.SystemCenter.ComputerGroupContainsComputer"]$</RelationshipClass>
<Expression>
<Contains>
<MonitoringClass>$MPElement[Name="MicrosoftSQLServerLibrary!Microsoft.SQLServer.DBEngine"]$</MonitoringClass>
<Expression>
<RegExExpression>
<ValueExpression>
<HostProperty>
<MonitoringClass>$MPElement[Name="Windows!Microsoft.Windows.Computer"]$</MonitoringClass>
<Property>$MPElement[Name="Windows!Microsoft.Windows.Computer"]/DNSName$</Property>
</HostProperty>
</ValueExpression>
<Operator>MatchesRegularExpression</Operator>
<Pattern>domain.(dev|net)/Pattern>
</RegExExpression>
</Expression>
</Contains>
</Expression>
</MembershipRule>
</MembershipRules>
</Configuration> -
Search groups with multiple rows into a sngle row
Hey all I have a view similar to the one below what I am trying to do is get the projects that have been fully completed. Meaning all items in that order have been sent. If there is an assignment within that project that has only been partially completed that that order must not show.
Project ID || assignment ID || status
100 1001 COMPLETE
100 1002 COMPLETE
100 1003 COMPLETE
100 1004 COMPLETE
200 2001 NOT COMPLETE
200 2002 COMPLETE
300 3001 COMPLETE
300 3002 COMPLETE
300 3003 COMPLETE
400 4001 COMPLETE
The result should be
Project ID
100
300
400<> sign in Todd's query means that result of subquery should be all rows where value in status column is differ from "COMPLETE" for related id in main query. If at least one row will have value other than "COMPLETE" condition will be failed and value in main query will not be returned.
Peter D. -
SSL Cert. Request with multiple CNs?
Greetings to all of the Gurus out there!
Is it possible to generate a Certificate Request within iMS (version 5.2) that will handle multiple CNs? In other words, we could request a certificate that would work for mail.foo.com, pop.foo.com, imap.foo.com, etc., etc. Or, failing that, is it possible to somehow create and register multiple certs to accomplish this?
I know how to do this by using OpenSSL, but if I do that, then iPlanet doesn't know about the private OpenSSL key that I used to generate the certificate.
Any help is appreciated.Hi,
If the installation is stand-alone I
don't know of a way to specify more then one
certificate for each service. So if I recall prperly, based on iMS 5.2 experience,
I can insert 1 Cert in the msg-serv and this is used
by all services: smtp,imap,http. Correct - for a stand-alone installation.
What I am not sure
of, and this is where someone who has taken this
further, is if I am obligated to use the hostname
that the msg-serv is running on as my cert's cn?No you aren't obligated to use the hostname. You can use any name you want - you specify the name to be presented to clients during the certificate request stage.
In my case the msg-serv instance is running on the
host: kady-amd.education.ucsb.edu and i would prefer
to have 1 cert that was listed as from
mail.education.ucsb.eduYep sounds like a plan to me. This way your users only have to remember one address. Also if you decide to expand later (e.g. add in a MMP proxy and multiple backend hosts) you can just copy the certificate database files to the MMP, repoint the mail.education.ucsb.edu IP address and away you go.
I am wondering if this will require at the OS level,
a virtual hostname set up or can I do this with
msg-serv ?All you need is the DNS record for mail.education.ucsb.edu to point at the IP address of the standalone system.
Regards,
Shane. -
GRE Tunnel/NAT with multiple subnets and interfaces
So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
Here is the situation...
We are migrating some equipment between datacenters. The equipment only a has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter. Further because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight. The last twist in this puzzle is that at the new datacenter, we will deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy and we tested ti in a lab and everything SEEMED to work. However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
Essentially what we had/have and how it was configured is as follows:
Site A
Edge Router - x.x.x.x /24 BGP announcement
x.x.x.y/27 that is within the /24 that we need at site b
GRE tunnel configuration
interface tunnel0
ip address 10.x.x.1 255.255.255.252
tunnel source <router edge IP>
tunnel destination <site b router edge ip>
keepalive 10 3
static route for site a public ip to bring it to site b via GRE tunnel
ip route x.x.x.y 255.255.255.224 10.x.x.2
Site B
Edge Router - y.y.y.y /24 BGP announcement
Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
2 Vlans (1 for site a ip space, 1 for site b ip space)
int vlan 50
ip address x.x.x.1 /27
int vlan 51
ip address y.y.y.129 /25
Trunk port for the VLANs going down to an ASA
int g1/1
swi mode trunk
swi trunk native vlan 51
swi tru all vlan 50,51
swi tru en dot1q
Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
int e0/0
nameif outside
sec 0
ip address y.y.y.130 /25
int e0/0.50
nameif outsideold
sec 0
ip address x.x.x.2 /27
vlan 51
int e0/1
nameif inside
sec 100
ip address 192.168.y.1 /24
int e0/1.60
nameif insideold
sec 100
ip address 192.168.x.1 /24
vlan 60
A static route using the new ip space on the native outside interface...
route 0 0 y.y.y.129
And then I have some nat rules which is where I think things go a little haywire...
object network obj-y.y.y.0-24
subnet y.y.y.0 255.255.255.0
nat (inside,outside) dynamic interface
object network obj-x.x.x.0-24
subnet x.x.x.0 255.255.255.0
nat (insideold,outside) dynamic interface
object network obj-y.y.y.135-160
range y.y.y.135 y.y.y.160
object network obj-192.168.y.135-160
range 192.168.y.135 192.168.y.160
nat (inside,outside) static obj-y.y.y.135-160
object network obj-x.x.x.10-20
range x.x.x.10 x.x.x.20
object network obj-192.168.x.10-20
range 192.168.x.10 192.168.x.20
nat (insideold,outsideold) static obj-x.x.x.10-20
From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
object network obj-192.168.x.10-20-2
range 192.168.x.10 192.168.x.20
nat (insideold,outside) static obj-x.x.x.10-20
There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic. The following was what was observed:
1. Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
2. Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140). Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
3. ICMP packets to "old ip range" flowed perfectly fine to one to one nat IP (ie I could ping x.x.x.20 from outside) and likelise I could ping anywhere on the internet from a machine with a static natted ip.
4. Heres the butt...no traffic other than ICMP would reach these machines with static ips. Same range, same subnet as ones using the dynamic port translation that worked perfectly. Do not understand why this was / is the case and this is what I am seeking a solution to. I have attempted the following troubleshooting steps without success:
A. Confirmed MTU size was not an issue with the GRE tunnel. 2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
C. Confirmed local windows machine firewall was off and not blocking anything.
D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped. There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does. Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
So what simple piece of the nat configuration am I overlooking because I cannot possible wrap my head around it being anything else.
Any suggestions / lessons would be greatly appreciated.is this still a problem?
-
How do I create multiple libraries & use with multiple ipods?
Hi All,
My wife and I have different tastes in music. Currently we use different user log ons to seperate our libraries. It's a complete pain because there's no other reason to use seperate log ons.
We'll soon be upgrading to a new iMac and I'm wondering if it's possible to have two libraries operating in the one itunes sesssion?
So here are my questions:
1) Can I have two libraries sourcing the same music files?
2) We each have an iPod, can it be set to only update one of those libraries, but still automatically update when connected?
3) If we create playlists, will they be associated with only one library, or both (my preference is one, of course)?
4) I'm pretty sure iPods can be set so my iPod only updates my playlists, and my wife's iPod only updates her playlists - is that correct?
5) If we have seperate libraries, can we have seperate ratings? (Our opinion of what a five star song is is different)!
Of course, for the above questions, if the answer is 'yes' please let me know how to do this. I've had a look through the itunes manuals online, but they don't seem to have any information.
Cheers, ChrisChris,
I have the exact same situation, and I have tried Doug's iTunes Library Manager, but it doesn't work for me. The first workaround I tried was to set up two smart playlists to group together any music that only one of us liked, which could then be checked or un-checked (control-click) depending on which iPod is being synced. This is clumsy, and if you aren't careful the Recently Added playlist will still "contaminate" your iPod.
Last night I just made a new library for my wife (hold down Option when starting iTunes), copied everything over using the Add to Library command, exported all the playlists using the Export Library command, deleted all the music and playlists she doesn't want, and synced her iPod. It took a while to erase and re-sync, but it is now synced to HER library, and she doesn't see any music she doesn't like.
Tonight I will do the same for myself. I will have, then, three libraries which can be selected by holding down the option key when starting iTunes: Mine, My wife's, and the main one with everything (called Library) All the music files stay on an external Firewire Drive. There is no way to toggle libraries from within iTunes, you have to quit and start it again holding down the option key.
Podcasts are another story, and I haven't quite figured them out yet.
Marty
Maybe you are looking for
-
PC Suite 7.1.40.1 drops sync with Outlook / E71
Hi gurus, I am stuck on an interworking issue during MS Outlook calendar sync to my E71 (excellent piece, btw). It all started when upgraded to Oct09 timeframe PC Suite version (cannot recall the version#) and is still present in the newest one I dow
-
Think M72e start windows 7 with usb stick inserted
I know in the scheme of things my M72e annoyance is pretty minor,but I am more curious than exasperated. If I try to start the machine with a usb stick in any of the ports it won't boot into windows 7and I get a "No bootable partition in table" messa
-
I am having trouble viewing PDF's with Adobe Reader XI
I am having trouble viewing PDF's with Adobe Reader XI
-
Hi, I'm running into something that seems to be a bug in Power Query. I've got my Power Query tables from SharePoint lists into Excel and Power Pivot data model. (Making sure the SharePoint site is in English and I replace MMD columns with normal col
-
Displaying PDF & PowerPoint files
How can I display PDF files on a TV that only has composite? I already bought the cables for connecting my iPhone 4s to my TV but I have not yet found a way to display PowerPoint, PDF, or other files on the TV screen. Photos and videos work fine tho