Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access
Hi everybody,
I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
add 1050 allow from any to any in
(This looks a little like a server manager bug to me, but I digress)
So I tried manually editing the file in /etc/ipfilter but no joy.
Being somewhat new to OSX I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about a million hits, none seem applicable to my situation. Thanks in advance.
Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE so that might possibly have something to do with the error you're getting.
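The thread turns on two facts: an ipfw rule body is `<action> <proto> from <src> to <dst> [in|out]`, so the rule Server Admin wrote out (`add 1050 allow from any to any in`) has no protocol and cannot load, and PPTP needs both TCP/1723 and GRE (IP protocol 47) inbound. The following script is an added example, not code from the original thread or from Apple: it loads a rule file the way the post describes (stopping at the first malformed rule), checks whether the loaded rules let PPTP through, and counts the `Deny P:47` log lines per source. The rule texts and log lines are constructed for the example, and the checker only considers `from any to any` rules.

```python
"""Check a Tiger Server ipfw rule set for what PPTP needs, and summarise P:47 denies."""
import re
from collections import Counter

# ipfw body syntax: add <num> <action> <proto> from <src> to <dst> [in|out] ...
# The proto group is optional here on purpose so a rule without one can be detected.
RULE_RE = re.compile(
    r"^add\s+(?P<num>\d+)\s+(?P<action>allow|deny)\s+"
    r"(?:(?P<proto>[a-z0-9]+)\s+)?from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?P<rest>.*)$"
)
# Log lines like the one in the post: "Deny P:47 <src> <dst> in via en0"
LOG_RE = re.compile(
    r"(?P<action>Accept|Deny)\s+P:(?P<proto>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)
GRE_NAMES = {"gre", "47"}  # either spelling selects IP protocol 47


def parse_rule(line):
    """Return a dict for one ipfw rule line, or None if the line is not a rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    rule = m.groupdict()
    rule["num"] = int(rule["num"])
    tokens = rule.pop("rest").split()
    rule["port"] = None
    # A port may follow the destination as a bare number or as "dst-port N".
    for i, tok in enumerate(tokens):
        if tok.isdigit():
            rule["port"] = int(tok)
        elif tok == "dst-port" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            rule["port"] = int(tokens[i + 1])
    rule["direction"] = "in" if "in" in tokens else ("out" if "out" in tokens else "any")
    return rule


def load_rules(text):
    """Load rules as the post describes: a malformed rule errors and later rules are skipped."""
    loaded, error = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None or rule["proto"] is None:
            error = f"rule {line!r} has no protocol; subsequent rules skipped"
            break
        loaded.append(rule)
    return loaded, error


def first_match(rules, proto, port=None, direction="in"):
    """ipfw is first-match: the lowest-numbered rule covering the traffic decides."""
    for r in sorted(rules, key=lambda r: r["num"]):
        proto_ok = (r["proto"] in ("ip", "all") or r["proto"] == proto
                    or (proto == "gre" and r["proto"] in GRE_NAMES))
        port_ok = r["port"] is None or r["port"] == port
        dir_ok = r["direction"] in ("any", direction)
        if proto_ok and port_ok and dir_ok and r["src"] == "any" and r["dst"] == "any":
            return r["action"]
    return "deny"  # nothing matched: treat as the implicit deny at the end of the set


def pptp_ready(rules):
    """PPTP needs TCP/1723 for the control channel and GRE for the tunnel, both inbound."""
    return {
        "tcp_1723": first_match(rules, "tcp", 1723) == "allow",
        "gre": first_match(rules, "gre") == "allow",
    }


def denied_gre_sources(log_lines):
    """Count 'Deny P:47' log lines per source address, the symptom described in the post."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["action"] == "Deny" and m["proto"] == "47":
            counts[m["src"]] += 1
    return counts


# Constructed inputs: the broken set mirrors what Server Admin wrote, the fixed set adds the protocol.
BROKEN_RULES = """\
add 1040 allow tcp from any to any 1723 in
add 1050 allow from any to any in
add 1060 allow gre from any to any in
"""
FIXED_RULES = """\
add 1040 allow tcp from any to any 1723 in
add 1050 allow gre from any to any in
"""
SAMPLE_LOG = [
    "Deny P:47 203.0.113.9 10.0.100.222 in via en0",
    "Deny P:47 203.0.113.9 10.0.100.222 in via en0",
    "Deny P:47 198.51.100.4 10.0.100.222 in via en0",
]

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        rules, err = load_rules(text)
        print(name, pptp_ready(rules), err)
    print(denied_gre_sources(SAMPLE_LOG))
```

With the broken set only rule 1040 loads, so GRE is still denied even though rule 1060 would have allowed it; with the fixed set both checks pass, and the log summary shows which peers are being refused at protocol 47.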
Similar Messages
-
I have a mac mini server which I want to set up for remote access from windows and mac pcs. How do I do this? I can access it from my home network OK.
Posted in error.
-
GRE for VPN using extendable NAT.
I am trying to configure VPN, I've got this:
ip nat inside source static tcp 192.168.100.8 1352 203.145.145.145 1352 extendable
ip nat inside source static tcp 192.168.100.8 1723 203.145.145.145 1723 extendable
ip nat inside source static tcp 192.168.100.8 47 203.145.145.145 47 extendable
ip nat inside source static tcp 192.168.100.8 isakmp 203.145.145.145 isakmp extendable
ip nat inside source static tcp 192.168.100.12 3389 203.145.145.145 3389 extendable
where do I put the GRE protocol in this configuration? Without GRE vpn does not work.
I don't want to do this:
ip nat inside source static 192.168.100.8 203.145.145.145
Is it a good idea to use interface Tunnel40843 for VPN rather than static NAT to an external ip address, and how do I use a tunnel for VPN? What's the code?
To see how GRE over IPSec can be configured, refer to 'Configuring IPSec/GRE with NAT' at http://www.cisco.com/warp/public/707/ipsecgrenat.html. The document additionally discusses a firewall configuration that you could skip unless you have a firewall in place too.
-
Server slowness issue: Due to sql delete for 8 lakhs rows
Hi. We had faced an issue like PeopleSoft server utilization went to 94 % due to a sql execution
that sql was about deleting 8 lakhs rows. I wonder, will it create server slowness? Will deletion of 8 lakhs rows bring the performance down?
Hi,
Could you clarify which kind of PeopleSoft server it is? Is it a Process Scheduler or Application Server? How do you find that the cause of the slowness is the execution of a SQL, and which process is executing it?
How is the performance at DB level when the SQL is executed?
Please provide more infrastructure information, like hardware architecture and OS version.
Regards,
Andrés Caro -
NPO wants to get windows server 2012 r2 datacenter as the main operating system and then windows server 2012 r2 essentials plus 10 windows 8.1 as virtual desktops. Each desktop for one remote user running office 2013. Is there a better configuration?
In either case what licenses does the NPO need to purchase?
Bob
Hi,
For license related questions we recommend you contact Microsoft licensing specialist.
http://support.microsoft.com/kb/141850/en-us
Regards.
Vivian Wang -
UDP Flooding, ip forward-protocol, and service dhcp
I've been reading up on how IOS routers handle DHCP using the "ip helper-address" command and ran across a few different terms / commands that I need help clarifying.
I've found that "ip forward-protocol" is enabled by default for many services, and bootps is enabled by default.
Then there's "service dhcp" which enables the DHCP relay service.
I also see the term "UDP Flooding" mentioned in several places, but can't find any specifics on what this entails.
Can someone please explain how "ip forward-protocol", "service dhcp", and "UDP Flooding" are different, how they interact, etc?
Thanks!
-Mason
When configuring the ip helper-address command, the following broadcast packets will be forwarded by the router by default:
TFTP - port 69
Domain Name System (DNS) - port 53
Time service - port 37
NetBIOS Name Server - port 137
NetBIOS Datagram Server - port 138
Bootstrap Protocol (BOOTP) - port 67
TACACS - port 49
If you do not want all the defaults to be forwarded, issue the no ip forward-protocol command to disable the port from being forwarded by the router, as shown in this example:
router#(config-if)ip helper-address x.x.x.x
router#(config)no ip forward-protocol udp tftp
With these commands, all default User Datagram Protocol (UDP) broadcasts except TFTP broadcasts are forwarded by the router.
Configure the no ip forward-protocol command separately for each port to prevent the port from forwarding the broadcast packets by the router. -
Basic tiger server printing to network printer issues - HELP :)
Hi everyone, I'm after some help as I'm running out of ideas. Here is my basic setup (sorry, I have rambled on a bit):
current 192.168.0.x network that has ADSL, PC's HP Laserjet 5Si network printer.
Connected to that is my Tiger server with 2 lan ports, one is connected to that network and the other connected to a switch where I run all my macs - the server is a basic file and software update server.
macs connected to the server get a 192.168.2.x address and can access the internet and each other etc - all is happy.
now - I had my personal macbook pro connected directly to the first network to access the printer, works fine and fairly quickly but was unable to access the server (I imagine because the server thinks I was from the big bad internet from the .0.x range).
once i connected to the other network served by the mac server i could access all the files fine but printing would not work, so i thought I would have the server access the printer as it has access to both networks and just share it to the local macs.
well when i add it and put in the 192.168.0.71 address it connects and loads the GIMP HP5si driver, but when it tried to print it takes up to 5 mins to show that its finished, but only sometimes does the printer actually fire up, and the times it did it never printed the whole page...
The only thing i can think of is that the server is trying to print to the .0.x address'ed printer but using the .2.x address range, possibly confusing the systems.., im not too familiar with all the firewall/NAT settings ,i think i have everything turned off, but its still not working..
If anyone can help it would be greatly appreciated, im not sure what else to do.
Thank you for your time
This sounds more like a protocol or a driver issue rather than an addressing issue. Which protocol is being used to connect to the printer? You mention the GIMP driver gets loaded, which I read that it's an automatic function rather than you having to manually browse to the driver.
Also, I would look at trying the Gutenprint drivers from Sourceforge rather than the included GIMP-Print.
The other thing would be to check the cups error log on the server. It could give some clues as to why the spool file is taking so long. -
Firewall issue with centralized SQL server - port 52384
Hi,
I have dedicated, centralized MS SQL 2012 server for our internal infrastructure with few instances. There is dedicated named instance SC for SC Family Products running on TCP port 1435. Also Server Browser running on UDP 1434 is enabled. I'm trying to install
SCOM 2012 R2. I got to the step Configure the Operational Database and here, I encountered a problem. I try to connect to my SQL server and put into
Server name and instance name SQL\SC and into SQL Server port 1434 or 1435, it doesn't connect. If I turn off firewall on SQL server, it connects without problems. On SQL server, I already have allowed incoming communication on ports UDP 1434
and also TCP 1433-1436. Then, I found out that I need to allow in TCP 135, so I did it. It didn't work. Then I allowed TCP 49154-49157 for reporting services - it still didn't work. Last thing I allowed (using Microsoft Network Monitor) was TCP port 52384
and suddenly, it worked.
I know what UDP 1434 and TCP 1433-1436 are for. Also, I understand why I have to open 135 and 49154-49157. But I am pretty confused by the port 52384 - what is it for? Why isn't it mentioned in documentation? I have been pounding at this problem for a while,
and also, I found out, that my SC VMM is not working, if I do not allow all of these ports - so, probably not only used by SCOM ?
Can anyone explain what's that port for ? Or why it's not enough to open 1434, 1433-1436, 135 and 49154-49157 ?
Thanks
Tomas
Hi,
I didn't install SCOM yet. I am stuck at installation, till I figure out why port 52384 needs to be opened.
1. My SQL Server Configuration Manager is set like this:
Protocols for SC - TCP/IP Enabled
IP2
Active : Yes
Enabled : Yes
IP Address : ipv4 ip address of server
TCP Dynamic Ports : (blank)
TCP Port : 1435
So, that should be ok, right?
2. If I turn off firewall on SQL, everything connects ok - so based on that, I suppose that SCOM server firewall is configured ok . It's issue on SQL.
On SQL server, I have these inbound rules:
COM+ Network Access (DCOM-In) - TCP 135 enabled
HTTP/HTTPS - TCP 80,443 enabled
SCOM Reporting - TCP 49154-49157 enabled
SQL UDP ports - UDP 1433-1437 enabled
SQL TCP ports - TCP 1433-1435 enabled
SCOM 52384 - TCP 52384 enabled <- this is the port I don't understand, why it should be opened
If I disable any of these rules, my connection will not pass. I figured out those ports using Microsoft Network Monitor on SQL server.
3. Those databases do not exist yet. I am stuck at the 3rd step of Operations Manager Setup - at Configure the operational database.
There are fields Server name and instance name, SQL Server port, Database name, Database size, Data file folder, Log file folder
. The first two are writable and the rest is greyed out. If I don't turn off firewall and I don't enable all rules from point 2 on SQL server and then put in the SQL server name with instance (SQL\SC) and port 1434 (or 1435) it gives
me red cross, and rest of the page stays greyed out - so, it's unable to connect. If I turn off firewall, or enable all the rules in previous point (2) I am able to change name of the database, database size, data/log file folder. But if I disable any
of those ports, it stays greyed out - I am concerned about port 52384, why it should be opened? What is it for? Why it isn't mentioned in any documentation? Or am I doing something wrong?
Thanks
Tomas -
DMZ and Firewall Issues or where to place the Infra Server
Hi,
finally, I've got a more or less working Midtier Server on United Linux. I've two machines: a Sun Box which has the Infrastructure and the storage on it in the intranet, and I've got a linux box in the DMZ with the midtier on it. Unlucky as I am in this mission, I figured out that Portal wants to contact the Sunbox for SSO from the browser and not, as I assumed, from the Server Side. But the forwarded Hostname is an internal name only. Am I right that it would be the best solution to install the infra option (SSO etc.) on the DMZ machine as well? So, the scenario would look like this: E-Storage and files on the intranet machine (eg. Sunbox) and Infra and middle in the DMZ. Please help.
Eric
I don't know to what end this will help you, or if it actually addresses your question - I'm a bit vague on technologies like firewalls and dmz - save understanding their general purpose.
anyway due to hardware limitations, we have had to deploy ocs on a single node. Red Hat 7.3 (yep os limitations as well). Anyway our general access to the internet is done via a cable connection. This connection is shared amongst our LAN via a proxy. Now, the linux server was given an ip that belongs to the cable network - its not part of our LAN. Anyway, we initially started by opening port 7778 and 7779 as these were the ports for web access - for end users. This did not work. Just like you mentioned in your post SSO access - thus we had to open port 7777. This done it all appears to run fine.
Anyway, have a search through technet, there is a paper on firewall loadbalancing - with respect to iAS - this is the technology used to deploy most of the OCS applications - i imagine this may just address a few of your questions. -
Cisco 881 Zone Firewall issues
I'm having issues with an 881 that I have configured as a zone based firewall.
I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
On the corporate side the user complains that some websites fail, such as Linked in.
I have been using CCP to configure the device. What am I doing wrong?
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 22210 bytes
! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname -Rt
boot-start-marker
boot-end-marker
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
enable password 7
aaa new-model
aaa authentication login local_auth local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3066996233
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3066996233
revocation-check none
rsakeypair TP-self-signed-3066996233
crypto pki certificate chain TP-self-signed-3066996233
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
ip dhcp excluded-address 10.0.2.2
ip dhcp excluded-address 10.0.2.1
ip dhcp pool Trusted
import all
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
domain-name spectra.local
dns-server 10.0.2.2 10.0.1.6
option 150 ip 10.1.1.10 10.1.1.20
ip dhcp pool Guest
import all
network 192.168.112.0 255.255.255.0
default-router 192.168.112.1
dns-server 4.2.2.2 4.2.2.3
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server 10.0.2.2
ip name-server 4.2.2.2
login block-for 5 attempts 3 within 2
no ipv6 cef
multilink bundle-name authenticated
vpdn enable
vpdn-group 1
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
archive
log config
logging enable
username S privilege 15 secret 4
username ed privilege 15 password 7
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect http match-any ccp-app-nonascii
match req-resp header regex ccp-regex-nonascii
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any TFTP
match protocol tftp
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 105
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
match access-group name Any-From-HO
class-map type inspect match-any Skinny
match protocol skinny
class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
match class-map Skinny
match access-group name Hostcom-Skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-any Pings
match protocol icmp
class-map type inspect match-any Ping-
match class-map Pings
class-map type inspect match-all ccp-cls-ccp-inspect-2
match class-map Ping-
match access-group name Ping-
class-map type inspect match-any DNS
match protocol dns
class-map type inspect match-all ccp-cls-ccp-inspect-3
match class-map DNS
match access-group name Any-any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name Any/Any
class-map type inspect match-any https
match protocol https
class-map type inspect match-all ccp-cls-ccp-inspect-4
match class-map https
match access-group name any-any
class-map type inspect match-any UDP
match protocol udp
match protocol tcp
class-map type inspect match-all ccp-cls-ccp-inspect-5
match class-map UDP
match access-group name InsideOut
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map Pings
match access-group name RespondtoSomePings
class-map type inspect match-any RemoteMgt
match protocol ssh
match protocol https
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map RemoteMgt
match access-group name Spectra-RemoteMgt
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 103
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method post
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
match protocol dns
match protocol https
class-map type inspect match-any WebBrowsing
match protocol http
match protocol https
class-map type inspect match-any DNS2
match protocol dns
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match request port-misuse tunneling
match req-resp protocol-violation
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map WebBrowsing
match access-group name DMZ-Out
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
match class-map DNS2
match access-group name DMZtoAny
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-cls-ccp-inspect-2
inspect
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-cls-ccp-inspect-5
pass log
class type inspect TFTP
inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-4
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
class type inspect ccp-cls-ccp-inspect-3
inspect
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop log
policy-map type inspect ccp-permit-outside-in
class type inspect ccp-cls-ccp-permit-outside-in-2
inspect
class type inspect ccp-cls-ccp-permit-outside-in-1
pass
class class-default
drop log
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-app-nonascii
log
reset
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-2
inspect
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop log
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-cls-ccp-permit-dmzservice-2
inspect
class class-default
drop
zone security in-zone
zone security out-zone
zone security dmz-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-in source out-zone destination in-zone
service-policy type inspect ccp-permit-outside-in
zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
service-policy type inspect ccp-permit-dmzservice
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 5
lifetime 28800
crypto isakmp key Y address x.x.x.x
crypto isakmp key o1 address x.x.x.x
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set transform-set ESP-AES256-SHA
match address 100
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to x.x.x.x
set peer x.x.x.x
set security-association lifetime kilobytes 128000
set security-association lifetime seconds 28800
set transform-set ESP-AES256-SHA
match address 102
interface FastEthernet0
description B
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet1
description Docker
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet2
description Phone
switchport access vlan 2
no ip address
spanning-tree portfast
interface FastEthernet3
description Guest
switchport access vlan 3
no ip address
spanning-tree portfast
interface FastEthernet4
description External $FW_OUTSIDE$
bandwidth inherit
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 104
duplex auto
speed auto
pppoe-client dial-pool-number 1
hold-queue 224 in
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
shutdown
interface Vlan2
description Trusted Network$FW_INSIDE$
ip address 10.0.2.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1440
interface Vlan3
description Guest Network$FW_DMZ$
ip address 192.168.112.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callout
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
no cdp enable
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
ip directed-broadcast
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
zone-member security out-zone
encapsulation ppp
load-interval 30
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username password 7
ppp ipcp route default
ppp ipcp address accept
no cdp enable
crypto map SDM_CMAP_1
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip access-list standard SSH-Management
permit x.x.x.x log
permit 10.0.2.0 0.0.0.255 log
permit 10.0.1.0 0.0.0.255 log
ip access-list extended Any-From-HO
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended Any-any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended Any/Any
remark CCP_ACL Category=128
permit ip host 10.0.2.0 host 10.0.1.0
ip access-list extended DMZ-Out
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
remark CCP_ACL Category=128
permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended Hostcom-Skinny
remark CCP_ACL Category=128
permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
ip access-list extended InsideOut
remark CCP_ACL Category=128
permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
ip access-list extended Ping-Hostcom
remark CCP_ACL Category=128
permit ip host 10.0.2.2 any
ip access-list extended RespondtoSomePings
remark CCP_ACL Category=128
permit ip 10.0.1.0 0.0.0.255 any
permit ip host x.x.x.x any
permit ip host 37.0.96.2 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
ip access-list extended RemoteMgt
remark CCP_ACL Category=128
permit ip host x.x.x.x any
permit ip 10.0.1.0 0.0.0.255 any
ip access-list extended any-any
remark CCP_ACL Category=128
permit ip any any
logging trap debugging
logging facility local2
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.2.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 23 remark HTTPS Access
access-list 23 permit 10.0.2.1
access-list 23 permit x.x.x.x
access-list 23 permit 10.0.2.0 0.0.0.255
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.112.0 0.0.0.255 any
access-list 101 permit ip 10.0.2.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host 255.255.255.255 any
access-list 103 permit ip 127.0.0.0 0.255.255.255 any
access-list 104 permit udp any any eq bootpc
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host x.x.x.x any
access-list 105 permit ip host x.x.x.x any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP permit 1
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Authorised Access Only
If your not supposed to be here. Close the connection
^C
banner motd ^C
Access Is Restricted To Personel ONLY^C
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
access-class SSH-Management in
privilege level 15
logging synchronous
login authentication local_auth
transport input telnet ssh
scheduler interval 500
end
Hello Martin,
Please apply the following changes and let us know:
ip access-list extended DMZtoAny
1 permit udp 192.168.12.0 0.0.0.255 any eq 53
no permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZ-Out
1 permit tcp 192.168.12.0 0.0.0.255 any eq 80
2 permit tcp 192.168.12.0 0.0.0.255 any eq 443
no permit ip 192.168.112.0 0.0.0.255 any
Change that, try it, and if it does not work, post the configuration with the changes applied.
Regards,
Remember to rate all of the helpful posts, that is as important as a thanks
Julio -
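As an added example (not part of the thread or of the router's own configuration), the following Python evaluates IOS-style extended ACL entries with first-match and implicit-deny semantics, so the effect of Julio's tightened DMZ-Out entries and of the deny-before-permit ordering in access-list 101 can be checked against constructed packets. It parses only the keywords used in this thread (permit/deny, ip/tcp/udp, any, host, network plus wildcard mask, numeric "eq" ports) and the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: tuple             # (network, wildcard) as ints; "any" is (0, 0xFFFFFFFF)
    dst: tuple
    dport: Optional[int]   # destination port from "eq <port>", None if absent

def _addr(tokens):
    """Consume one IOS address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    t = tokens.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_ace(line):
    """Parse one entry; a leading sequence number (as in Julio's lines) is skipped."""
    tokens = line.split()
    if tokens[0].isdigit():
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _addr(tokens), _addr(tokens)
    dport = int(tokens[1]) if tokens[:1] == ["eq"] else None   # numeric ports only
    return Ace(action, proto, src, dst, dport)

def _matches(spec, ip):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF          # bits set in the wildcard are "don't care"
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (ace.proto in ("ip", proto) and _matches(ace.src, src)
                and _matches(ace.dst, dst) and ace.dport in (None, dport)):
            return ace.action
    return "deny"

# Julio's tightened DMZ-Out entries, and the ordered entries of access-list 101 from the posted config.
DMZ_OUT = [parse_ace(l) for l in ("1 permit tcp 192.168.12.0 0.0.0.255 any eq 80",
                                  "2 permit tcp 192.168.12.0 0.0.0.255 any eq 443")]
ACL_101 = [parse_ace(l) for l in ("deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255",
           "deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255", "permit ip 10.0.2.0 0.0.0.255 any")]
```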
Windows Firewall issue, Inbound rule opened all, still not the same as turning off
This is a Windows Firewall issue on Windows 8.1 Pro.
Backup Exec server cannot expand a computer node in the selection list. I drill down to Microsoft Windows Network/Domain/Computers, then when I try to expand a Windows 8.1 Pro computer node, it hangs.
I narrowed this problem down to a Windows Firewall related issue on the Windows 8.1 Pro computer.
When I turn off Windows Firewall on the Domain profile, Backup Exec Selection expands the computer node of the Windows 8.1 Pro computer. So, I created an inbound rule opening everything to the Backup Exec server as follows, but it's still not the same as turning off
Windows Firewall specifically on the Windows 8.1 Pro computer:
Any Local IP address, Any Remote IP address, Any port, Any protocol, All Interface, All Programs and Services, All profiles(Domain, Private, Public)
And there are no rules blocking anything which may override the above rule.
Ethernet on the Windows 8.1 Pro computer shows the profile is linked with Domain, but just to make it work, I selected all profiles.
Even though I opened everything available in the inbound rule, it's still not the same as turning off Windows Firewall. What am I missing? It looks like something related to RPC (UDP 135), but even when the inbound rule is all open, why does it matter? RPC seems to work fine only when the firewall is turned off on the domain profile.
Protocol 17 is UDP
Port: 135
===============================
Event ID 5152
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name:
Network Information:
Direction: Outbound
Source Address: 192.168.1.120
Source Port: 0
Destination Address: 192.168.1.11
Destination Port: 0
Protocol: 1
Filter Information:
Filter Run-Time ID: 245836
Layer Name: ICMP Error
Layer Run-Time ID: 32
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID: 0
Application Name:
Network Information:
Direction: Inbound
Source Address: 192.168.1.11
Source Port: 35341
Destination Address: 192.168.1.120
Destination Port: 135
Protocol: 17
Filter Information:
Filter Run-Time ID: 245834
Layer Name: Transport
Layer Run-Time ID: 13
-
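As an added example (not part of the post), the following Python parses Event ID 5152 records into dicts and flags inbound blocks to port 135, the RPC endpoint-mapper traffic the poster suspects. The sample text is constructed from the two events in the post, written in "Key: value" form with the section headers dropped.

```python
IPPROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}   # IANA protocol numbers; 1 and 17 appear in the post

# Constructed sample: the two 5152 events from the post, "Key: value" per line (empty values stay empty).
SAMPLE = """\
The Windows Filtering Platform has blocked a packet.
Application Name:
Direction: Outbound
Source Address: 192.168.1.120
Source Port: 0
Destination Address: 192.168.1.11
Destination Port: 0
Protocol: 1
Filter Run-Time ID: 245836
Layer Name: ICMP Error
The Windows Filtering Platform has blocked a packet.
Application Name:
Direction: Inbound
Source Address: 192.168.1.11
Source Port: 35341
Destination Address: 192.168.1.120
Destination Port: 135
Protocol: 17
Filter Run-Time ID: 245834
Layer Name: Transport
"""

def parse_events(text):
    """Each '...has blocked a packet.' line starts a new event; its fields become a dict."""
    events, cur = [], None
    for line in text.splitlines():
        if line.startswith("The Windows Filtering Platform has blocked"):
            cur = {}
            events.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip()] = value.strip()    # "Application Name:" with nothing after it -> ""
    return events

def describe(ev):
    """Normalise one event: protocol name, endpoints and the filter that blocked the packet."""
    proto = int(ev["Protocol"])
    return {"direction": ev["Direction"], "proto": IPPROTO.get(proto, str(proto)),
            "src": (ev["Source Address"], int(ev["Source Port"])),
            "dst": (ev["Destination Address"], int(ev["Destination Port"])),
            "filter_id": int(ev["Filter Run-Time ID"]), "layer": ev["Layer Name"]}

def rpc_epmap_blocks(text):
    """Inbound TCP/UDP drops to port 135 (RPC endpoint mapper)."""
    return [d for d in map(describe, parse_events(text))
            if d["direction"] == "Inbound" and d["proto"] in ("TCP", "UDP") and d["dst"][1] == 135]
```

The Filter Run-Time ID of a hit (245834 in the post) identifies the WFP filter that dropped the packet, which is what to match against the filter list that `netsh wfp show filters` writes out when an allow-all rule still leaves traffic blocked.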
Firewall issue - tcp outbound port 443
Hello,
I have a server-side programming language that I am trying to connect from my webserver to a payment gateway via a tcp connection on port 443. For some reason, I can't connect to the host from my server (Snow Leopard Server). I can use the same code however on my local laptop, in the same network, and connect just fine.
Any ideas?
Both machines are behind my Airport Base Station using port forwarding. I do have port forwarding enabled for port 443 in the airport which points to my Snow Leopard Server local I.P. address.
Thanks for any thoughts.
Donovan
Well, I spoke too soon. The firewall *is* the problem.
There must have been a cache when I stopped it, which made it appear as if the fix was in the Airport Extreme. However, after turning the firewall back on, the issue came back. I've now done more testing, and the issue definitely involves the firewall.
In Server Admin, I have the following Active Rule in the firewall:
'Allow tcp from any to any dst-port 443'
I am guessing that my server-side language "tcp connection" is being seen in that rule. I was told it is like a telnet connection. Is there a different rule that I should put in to allow telnet connections on port 443? I would think the same rule would work for both.
Anyway, saga continues.
Donovan -
Cannot create ODBC connection to Azure - is this a firewall issue?
I am setting up an Access front-end, Azure back-end database. I am setting up the ODBC on one of the client's machines and get SQL state 28000, error 18456, SQL state 01000, error 40608. I am using SQL Native Client 10.0. I have not had issues with this before.
I opened all IPs. Is this a firewall issue on their computer?
Any ideas welcome.
Thanks,
Marcy
Hello Marcy,
Are you getting this error while doing a test connection from the ODBC data source (DSN)?
Please share the actual error message that you are getting so that I can guide you.
On the basis of error 18456, please check the following:
The password must be correct.
Check if port 1433 is blocked by Windows Firewall or any firewall on the client machine.
Pass the user name as username@<azure servername>
If you are using just the username, try using SQL Native Client 11.0.
Check if the TCP/IP protocol is enabled in SQL Server Configuration Manager.
In case you tried all the above options, then please share the error message that your client is getting.
Hope this helps.
Mukesh
SQL Azure and Business Intelligence -
New Mac Mini Server Network Issue
I recently purchased the new Mac Mini Server with 10.6 to use as a Content Filter/Web Server for a small private school. While trying to set it up, using the on board ethernet and a USB to Ethernet adapter, I have lost all ability to acquire an IP. It does not matter if I use the on board ethernet, the USB adapter, or the Airport. All three return a self-assigned IP. I know this is related to the machine since I can still access the cable modem setup by typing in 192.168.100.1. And I brought it home to work on it a little more and the bonjour services are detecting the other macs on the network.
I tried trashing my network preference plist, but no change.
I am considering doing a fresh install since I think the initial setup was borked. But I thought I'd hit up the board and see if anyone else had a thought before I begin that process.
thoughts?
I have set up this configuration several times with both a MacPro and the smaller mini setup. The gateway setup we are describing is about as simple as it gets (static IP, gateway running all services so 1 IP address, gateway set as 192.168.1.1 on the local net. Simple DHCP and DNS "server.local", and "server.xxx.com" external).
I would be overjoyed to find that I can configure this by setting up some simple overrides in the routing. I would point out in defense that _everything else_ works perfectly basically by default.
1) dns on server: local and external, forward and reverse from itself and the local network - check
2) services on server (all of them): from itself and the local and external networks - check
3) network access (ie NAT & Firewall) for local machines - check (web, streaming, even bittorrent)
The only issue I see is that remote clients cannot access the gateway itself properly through VPN. UDP return packets seem to be mis-routed through the physical interface rather than the virtual one.
ALL other operations (Mail, iCal, iChat, Push, Web Services, Wiki, Web Mail and iCal, NAT) work perfectly for the server, local network, and external hosts. The above problem only happens for vpn clients, and then only for connections from them to the gateway itself, and only for UDP packets.
I would really love to know how to fix it, especially if this can be explained by a needed custom rule (But I'm guessing not given the otherwise full functioning system). Are you saying that to make VPN work you need to add custom routing info that is not described in the Server docs? If so what?
Thanks,
Hunter -
I've tried going through the steps to resolve the issue, but I am still coming up blank. The part that I am not understanding is the, "A non-recoverable error occurred during a database lookup." part.
Is this a security problem? I can establish an ODBC connection to the server as well as connect and query through visual studio, however when trying to run it through one of our custom programs, it throws this error message.
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: TCP Provider, error: 0 - A non-recoverable error occurred during a database lookup.)
There are many reasons for SQL Server connectivity issues. Refer to the checklist to find out the real cause of the connectivity issue.
1. Check SQL services are running
2. Check SQL Browser service is running
3. Check remote connections are enabled
4. Network connectivity between database & application servers by TRACERT command
5. Check TCP/IP protocol enabled at SQL server
6. Check telnet connectivity – telnet <IP address> <port no on SQL server running>
7. Check UDP port 1434 is open or not on SQL Server
8. Check firewall is running or not
9. If firewall running, SQL Server & UDP port must be added in exception in firewall
10. Run SQL Discovery report on machine SQL server installed, to check you are using correct instance name to connect (default / named) - http://mssqlfun.com/2013/02/26/sql-server-discovery-report/
http://mssqlfun.com/2012/09/28/check-list-for-sql-server-connectivity-issue/
Regards,
Rohit Garg
(My Blog)
This posting is provided with no warranties and confers no rights.
Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.