Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access

Hi everybody,
I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
add 1050 allow from any to any in
(This looks a little like a server manager bug to me, but I digress)
So I tried manually editing the file in /etc/ipfilter but no joy.
Being somewhat new to OSX I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about a million hits, none seem applicable to my situation. Thanks in advance.

Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE, so that might possibly have something to do with the error you're getting.
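An added example in Python, not code from the post or from Apple's server tools, that reads firewall log lines in the shape quoted above, tallies which protocols are being denied, and checks an ipfw rule for the missing protocol keyword the post found in the saved file. If the VPN is PPTP, GRE (IP protocol 47) carries the data channel next to the TCP 1723 control connection, so allowing only TCP and UDP ports leaves exactly the denies shown. The log layout is assumed to be the simplified one the post shows, the protocol table is a hand-picked subset of IANA assignments, and the sample log lines are constructed.

```python
"""Added example, not code from the thread: parse ipfw log lines in the form the
post quotes and check whether an ipfw rule actually names a protocol.

Assumptions: log lines follow the simplified layout shown in the post
("Deny P:47 <src> <dst> in via en0"); PROTO_NAMES is a hand-picked subset of
the IANA protocol numbers; the sample log lines are constructed."""
import re
from collections import Counter

# Subset of IANA IP protocol numbers (constructed lookup, not exhaustive).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 47: "gre", 50: "esp", 51: "ah"}

# "<Action> <proto> <src> <dst> <in|out> via <iface>", optionally prefixed by
# "ipfw: <rule>". TCP/UDP entries carry host:port pairs; anything else shows
# up as "P:<number>", which is how GRE appears in the post.
LOG_RE = re.compile(
    r"^(?:ipfw:\s*\d+\s+)?(?P<action>Accept|Deny|Reset|Unreach)\s+"
    r"(?P<proto>TCP|UDP|ICMP:\d+\.\d+|P:\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dir>in|out)\s+via\s+(?P<iface>\S+)"
)

# ipfw actions whose next token (after an optional "log") must be the protocol.
ACTIONS = {"allow", "accept", "pass", "permit", "deny", "drop", "reset", "count"}

# Constructed sample: two denied GRE packets, one accepted PPTP control
# connection on TCP 1723, one unrelated UDP deny.
SAMPLE_LOG = [
    "Deny P:47 203.0.113.5 10.0.100.222 in via en0",
    "Deny P:47 203.0.113.5 10.0.100.222 in via en0",
    "Accept TCP 203.0.113.5:49152 10.0.100.222:1723 in via en0",
    "Deny UDP 198.51.100.9:5353 10.0.100.222:5353 in via en0",
]


def proto_name(token):
    """Map the log's protocol token to a name: 'P:47' -> 'gre', 'TCP' -> 'tcp'."""
    if token.startswith("P:"):
        num = int(token[2:])
        return PROTO_NAMES.get(num, f"proto-{num}")
    return token.split(":")[0].lower()


def parse_ipfw_log(line):
    """Return a dict for one ipfw log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = proto_name(rec["proto"])
    return rec


def denied_protocols(lines):
    """Count denied packets per protocol so a missing allow rule stands out."""
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_log(line)
        if rec and rec["action"] == "Deny":
            counts[rec["proto"]] += 1
    return counts


def ipfw_rule_protocol(rule):
    """Return the protocol an ipfw rule names, or None when the rule jumps from
    the action straight to 'from' (the shape the post found in the file).
    ipfw grammar: add [number] action [log] proto from src to dst [options]."""
    toks = rule.split()
    i = 0
    if i < len(toks) and toks[i] == "add":
        i += 1
    if i < len(toks) and toks[i].isdigit():
        i += 1
    if i >= len(toks) or toks[i] not in ACTIONS:
        raise ValueError(f"no recognised ipfw action in: {rule!r}")
    i += 1
    if i < len(toks) and toks[i] == "log":
        i += 1
    if i >= len(toks) or toks[i] == "from":
        return None
    return toks[i]


if __name__ == "__main__":
    print("denied by protocol:", dict(denied_protocols(SAMPLE_LOG)))
    for rule in ("add 1050 allow from any to any in",
                 "add 1050 allow gre from any to any in"):
        print(f"{rule!r} -> protocol {ipfw_rule_protocol(rule)}")
```

Running it against the constructed sample reports two GRE denies and flags the first rule as having no protocol, which is the check worth running over the saved rules file before activating it.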

Similar Messages

  • I have a mac mini server which I want to set up for remote access from windows and mac pcs.  How do I do this.  I can access it form my home network OK

    I have a mac mini server which I want to set up for remote access from windows and mac pcs.  How do I do this.  I can access it form my home network OK

    Posted in error.

  • GRE for VPN using extendable NAT.

    I am trying to configure VPN, I've got this:
    ip nat inside source static tcp 192.168.100.8 1352 203.145.145.145 1352 extendable
    ip nat inside source static tcp 192.168.100.8 1723 203.145.145.145 1723 extendable
    ip nat inside source static tcp 192.168.100.8 47 203.145.145.145 47 extendable
    ip nat inside source static tcp 192.168.100.8 isakmp 203.145.145.145 isakmp extendable
    ip nat inside source static tcp 192.168.100.12 3389 203.145.145.145 3389 extendable
    where do I put the GRE protocol in this configuration? Without GRE, VPN does not work.
    I don't want to do this:
    ip nat inside source static 192.168.100.8 203.145.145.145
    Is it a good idea to use interface Tunnel40843 for VPN rather than static NAT to an external IP address? How do I use a tunnel for VPN? What's the code?

    To see how GRE over IPSec can be configured, refer to 'Configuring IPSec/GRE with NAT' at http://www.cisco.com/warp/public/707/ipsecgrenat.html. The document additionally discusses a firewall configuration that you could skip unless you have a firewall in place too.

  • Server slowness issue: Due to sql delete for 8 lakhs rows

    Hi. We faced an issue where PeopleSoft server utilization went to 94% due to a SQL execution;
    that SQL was deleting 8 lakh rows. I wonder, will it create server slowness? Will the deletion of 8 lakh rows bring the performance down?

    Hi,
    Could you clarify which kind of PeopleSoft server it is? Is it a Process Scheduler or an Application Server? How did you find that the cause of the slowness is the execution of a SQL, and which process is executing it?
    How is the performance at DB level when the SQL is executed?
    Please provide more infrastructure information, like hardware architecture and OS version.
    Regards,
    Andrés Caro

  • Licensing help needed for datacenter server with vm running windows server 2012 essentials and ten virtual desktops for remote access

    NPO wants to get windows server 2012 r2 datacenter as the main operating system and then windows server 2012 r2 essentials plus 10 windows 8.1 as virtual desktops.  Each desktop for one remote user running office 2013.  Is there a better configuration?
    In either case, what licenses does the NPO need to purchase?
    Bob

    Hi,
    For license related questions we recommend you contact Microsoft licensing specialist.
    http://support.microsoft.com/kb/141850/en-us
    Regards.
    Vivian Wang

  • UDP Flooding, ip forward-protocol, and service dhcp

    I've been reading up on how IOS routers handle DHCP using the "ip helper-address" command and ran across a few different terms / commands that I need help clarifying.
    I've found that "ip forward-protocol" is enabled by default for many services, and bootps is enabled by default.
    Then there's "service dhcp" which enables the DHCP relay service.
    I also see the term "UDP Flooding" mentioned in several places, but can't find any specifics on what this entails.
    Can someone please explain how "ip forward-protocol", "service dhcp", and "UDP Flooding" are different, how they interact, etc?
    Thanks!
    -Mason

    When configuring the ip helper-address command, the following broadcast packets will be forwarded by the router by default:
    TFTP - port 69
    Domain Name System (DNS) - port 53
    Time service - port 37
    NetBIOS Name Server - port 137
    NetBIOS Datagram Server - port 138
    Bootstrap Protocol (BOOTP) - port 67
    TACACS - port 49
    If you do not want all the defaults to be forwarded, issue the no ip forward-protocol command to disable the port from being forwarded by the router, as shown in this example:
    router#(config-if)ip helper-address x.x.x.x
    router#(config)no ip forward-protocol udp tftp
    With these commands, all default User Datagram Protocol (UDP) broadcasts except TFTP broadcasts are forwarded by the router.
    Configure the no ip forward-protocol command separately for each port to prevent the port from forwarding the broadcast packets by the router.

  • Basic tiger server printing to network printer issues - HELP :)

    Hi everyone, I'm after some help as I'm running out of ideas. Here is my basic setup (sorry, I have rambled on a bit):
    current 192.168.0.x network that has ADSL, PCs, and an HP LaserJet 5Si network printer.
    Connected to that is my Tiger server with 2 LAN ports, one connected to that network and the other connected to a switch where I run all my Macs - the server is a basic file and software update server.
    Macs connected to the server get a 192.168.2.x address and can access the internet and each other etc. - all is happy.
    Now - I had my personal MacBook Pro connected directly to the first network to access the printer; it works fine and fairly quickly, but I was unable to access the server (I imagine because the server thinks I was from the big bad internet, coming from the .0.x range).
    Once I connected to the other network served by the Mac server I could access all the files fine but printing would not work, so I thought I would have the server access the printer, as it has access to both networks, and just share it to the local Macs.
    Well, when I add it and put in the 192.168.0.71 address it connects and loads the GIMP HP5si driver, but when it tries to print it takes up to 5 mins to show that it's finished, and only sometimes does the printer actually fire up, and the times it did it never printed the whole page...
    The only thing I can think of is that the server is trying to print to the .0.x-addressed printer but using the .2.x address range, possibly confusing the systems... I'm not too familiar with all the firewall/NAT settings; I think I have everything turned off, but it's still not working.
    If anyone can help it would be greatly appreciated; I'm not sure what else to do.
    Thank you for your time

    This sounds more like a protocol or a driver issue rather than an addressing issue. Which protocol is being used to connect to the printer? You mention the GIMP driver gets loaded, which I read as being an automatic function rather than you having to manually browse to the driver.
    Also, I would look at trying the Gutenprint drivers from Sourceforge rather than the included GIMP-Print.
    The other thing would be to check the cups error log on the server. It could give some clues as to why the spool file is taking so long.

  • Firewall issue with centralized SQL server - port 52384

    Hi,
    I have a dedicated, centralized MS SQL 2012 server for our internal infrastructure with a few instances. There is a dedicated named instance SC for SC Family Products running on TCP port 1435. Also, Server Browser running on UDP 1434 is enabled. I'm trying to install
    SCOM 2012 R2. I got to the step Configure the Operational Database and here I encountered a problem. I try to connect to my SQL server and put into
    Server name and instance name SQL\SC and into SQL Server port 1434 or 1435; it doesn't connect. If I turn off the firewall on the SQL server, it connects without problems. On the SQL server, I have already allowed incoming communication on ports UDP 1434
    and also TCP 1433-1436. Then I found out that I need to allow in TCP 135, so I did it. It didn't work. Then I allowed TCP 49154-49157 for reporting services - it still didn't work. The last thing I allowed (using Microsoft Network Monitor) was TCP port 52384
    and suddenly it worked.
    I know what UDP 1434 and TCP 1433-1436 are for. Also, I understand why I have to open 135 and 49154-49157. But I am pretty confused by the port 52384 - what is it for? Why isn't it mentioned in the documentation? I have been pounding on this problem for a while,
    and I also found out that my SC VMM is not working if I do not allow all of these ports - so, probably not only used by SCOM?
    Can anyone explain what that port is for? Or why it's not enough to open 1434, 1433-1436, 135 and 49154-49157?
    Thanks
    Tomas

    Hi,
    I didn't install SCOM yet. I am stuck at installation, till I figure out why port 52384 needs to be opened.
    1. My SQL Server Configuration Manager is set like this:
    Protocols for SC - TCP/IP Enabled
    IP2
    Active : Yes
    Enabled : Yes
    IP Address : ipv4 ip address of server
    TCP Dynamic Ports :   (blank)
    TCP Port : 1435
    So, that should be ok, right?
    2. If I turn off the firewall on SQL, everything connects OK - so based on that, I suppose that the SCOM server firewall is configured OK. It's an issue on SQL.
    On SQL server, I have these inbound rules:
    COM+ Network Access (DCOM-In) - TCP 135 enabled
    HTTP/HTTPS - TCP 80,443 enabled
    SCOM Reporting - TCP 49154-49157 enabled
    SQL UDP ports - UDP 1433-1437 enabled
    SQL TCP ports - TCP 1433-1435 enabled
    SCOM 52384 - TCP 52384 enabled <- this is the port I don't understand, why it should be opened
    If I disable any of these rules, my connection will not pass. I figured out those ports using Microsoft Network Monitor on SQL server.
    3. Those databases do not exist yet. I am stuck at the 3rd step of Operations Manager Setup - at Configure the operational database.
    There are fields Server name and instance name, SQL Server port, Database name, Database size, Data file folder, Log file folder.
    The first two are writable and the rest are greyed out. If I don't turn off the firewall and I don't enable all rules from point 2 on the SQL server and then put in the SQL server name with instance (SQL\SC) and port 1434 (or 1435), it gives
    me a red cross, and the rest of the page stays greyed out - so, it's unable to connect. If I turn off the firewall, or enable all the rules in the previous point (2), I am able to change the name of the database, database size, data/log file folder. But if I disable any
    of those ports, it stays greyed out - I am concerned about port 52384; why should it be opened? What is it for? Why isn't it mentioned in any documentation? Or am I doing something wrong?
    Thanks
    Tomas
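    An added example in Python, not code from the thread or from Microsoft, showing the lookup that sits behind the "SQL\SC" instance name in the posts above: before a client can reach the instance's TCP port, it asks the SQL Server Browser service on UDP 1434 which port the named instance listens on, which is why UDP 1434 has to be open alongside TCP 1435. The reply bytes are constructed to match the SSRP SVR_RESP layout (0x05, 16-bit little-endian length, ';'-separated ASCII records each closed by ';;'); the host name, instance names and version strings are placeholders. It does not explain port 52384, which the thread leaves unresolved.

```python
"""Added example, not code from the thread: decode the reply the SQL Server
Browser service sends on UDP 1434 when a client asks where a named instance
listens. This lookup is what turns "SQL\\SC" into "TCP 1435" and is why UDP
1434 has to be reachable before the instance's own TCP port matters.

Assumptions: the reply below is constructed to match the SSRP SVR_RESP layout
(0x05, 16-bit little-endian length, ';'-separated ASCII records each closed by
';;'); the host name, instance names and version strings are placeholders."""
import socket
import struct

SSRP_PORT = 1434


def build_instance_query(instance):
    """CLNT_UCAST_INST: 0x04, then the instance name, NUL-terminated."""
    return b"\x04" + instance.encode("ascii") + b"\x00"


def parse_ssrp_response(data):
    """Return one dict per instance advertised in an SVR_RESP packet."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        tokens = record.split(";")
        if len(tokens) < 2:
            continue  # trailing empty record after the final ';;'
        instances.append(dict(zip(tokens[0::2], tokens[1::2])))
    return instances


def instance_tcp_port(data, instance):
    """TCP port advertised for `instance` (case-insensitive), or None."""
    for inst in parse_ssrp_response(data):
        if inst.get("InstanceName", "").upper() == instance.upper():
            return int(inst["tcp"])
    return None


def query_browser(host, instance, timeout=2.0):
    """Send a real query to the Browser service and return the raw reply.
    Needs network access; the offline demo below uses SAMPLE_RESPONSE instead."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_instance_query(instance), (host, SSRP_PORT))
        data, _ = s.recvfrom(65535)
    return data


# Constructed reply advertising two named instances on a host called SQL.
_SAMPLE_BODY = (
    "ServerName;SQL;InstanceName;SC;IsClustered;No;Version;11.0.2100.60;tcp;1435;;"
    "ServerName;SQL;InstanceName;OTHER;IsClustered;No;Version;11.0.2100.60;tcp;1436;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_SAMPLE_BODY)) + _SAMPLE_BODY.encode("ascii")


if __name__ == "__main__":
    for inst in parse_ssrp_response(SAMPLE_RESPONSE):
        print(inst["InstanceName"], "-> tcp", inst["tcp"])
    print("SC listens on", instance_tcp_port(SAMPLE_RESPONSE, "SC"))
```

    The practical consequence for a firewall rule set is that a named instance with a fixed port still needs the UDP 1434 reply to reach the client; if only the instance's TCP port is open, the client never learns which port to use unless the port is typed in explicitly.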

  • DMZ and Firewall Issues or where to place the Infra Server

    Hi,
    finally, I've got a more or less working Midtier Server on United Linux. I've two machines: a Sun box which has the Infrastructure and the storage on it in the intranet, and I've got a Linux box in the DMZ with the midtier on it. Unlucky as I am in this mission, I figured out that Portal wants to contact the Sun box for SSO from the browser and not, as I assumed, from the server side. But the forwarded hostname is an internal name only. Am I right that it would be the best solution to install the infra option (SSO etc.) on the DMZ machine as well? So, the scenario would look like this: E-Storage and files on the intranet machine (e.g. Sun box) and Infra and middle tier in the DMZ. Please help.
    Eric

    I don't know to what end this will help you, or if it actually addresses your question - I'm a bit vague on technologies like firewalls and DMZs, save understanding their general purpose.
    Anyway, due to hardware limitations, we have had to deploy OCS on a single node, Red Hat 7.3 (yep, OS limitations as well). Anyway, our general access to the internet is done via a cable connection. This connection is shared amongst our LAN via a proxy. Now, the Linux server was given an IP that belongs to the cable network - it's not part of our LAN. Anyway, we initially started by opening ports 7778 and 7779 as these were the ports for web access for end users. This did not work. Just like you mentioned in your post, SSO access - thus we had to open port 7777. This done, it all appears to run fine.
    Anyway, have a search through Technet; there is a paper on firewall load balancing with respect to iAS - this is the technology used to deploy most of the OCS applications - I imagine this may just address a few of your questions.

  • Cisco 881 Zone Firewall issues

    I'm having issues with an 881 that I have configured as a zone based firewall.
    I have allowed HTTP(s) and DNS on the DMZ but my user is saying he cannot access the internet.
    On the corporate side the user complains that some websites fail, such as LinkedIn.
    I have been using CCP to configure the device. What am I doing wrong?
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.03.15 11:49:00 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    Building configuration...
    Current configuration : 22210 bytes
    ! Last configuration change at 15:30:21 UTC Tue Mar 12 2013 by SpecIS
    ! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
    ! NVRAM config last updated at 14:12:39 UTC Thu Mar 7 2013 by specis
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname -Rt
    boot-start-marker
    boot-end-marker
    security authentication failure rate 10 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5
    enable password 7
    aaa new-model
    aaa authentication login local_auth local
    aaa session-id common
    memory-size iomem 10
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3066996233
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3066996233
    revocation-check none
    rsakeypair TP-self-signed-3066996233
    crypto pki certificate chain TP-self-signed-3066996233
    certificate self-signed 01
    quit
    no ip source-route
    no ip gratuitous-arps
    ip dhcp excluded-address 10.0.2.2
    ip dhcp excluded-address 10.0.2.1
    ip dhcp pool Trusted
    import all
    network 10.0.2.0 255.255.255.0
    default-router 10.0.2.1
    domain-name spectra.local
    dns-server 10.0.2.2 10.0.1.6
    option 150 ip 10.1.1.10 10.1.1.20
    ip dhcp pool Guest
    import all
    network 192.168.112.0 255.255.255.0
    default-router 192.168.112.1
    dns-server 4.2.2.2 4.2.2.3
    ip cef
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 10.0.2.2
    ip name-server 4.2.2.2
    login block-for 5 attempts 3 within 2
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 1
    parameter-map type inspect global
    log dropped-packets enable
    log summary flows 256 time-interval 30
    parameter-map type regex ccp-regex-nonascii
    pattern [^\x00-\x80]
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    license udi pid CISCO881-SEC-K9 sn FCZ1703C01Y
    archive
    log config
    logging enable
    username S privilege 15 secret 4
    username ed privilege 15 password 7
    ip tcp synwait-time 10
    ip tcp path-mtu-discovery
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect imap match-any ccp-app-imap
    match invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect http match-any ccp-app-nonascii
    match req-resp header regex ccp-regex-nonascii
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any TFTP
    match protocol tftp
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
    match access-group 105
    match class-map SDM_VPN_TRAFFIC
    class-map type inspect match-all ccp-cls-ccp-permit-outside-in-1
    match access-group name Any-From-HO
    class-map type inspect match-any Skinny
    match protocol skinny
    class-map type inspect match-all ccp-cls-ccp-permit-outside-in-2
    match class-map Skinny
    match access-group name Hostcom-Skinny
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect match-any Pings
    match protocol icmp
    class-map type inspect match-any Ping-
    match class-map Pings
    class-map type inspect match-all ccp-cls-ccp-inspect-2
    match class-map Ping-
    match access-group name Ping-
    class-map type inspect match-any DNS
    match protocol dns
    class-map type inspect match-all ccp-cls-ccp-inspect-3
    match class-map DNS
    match access-group name Any-any
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map type inspect match-all ccp-cls-ccp-inspect-1
    match access-group name Any/Any
    class-map type inspect match-any https
    match protocol https
    class-map type inspect match-all ccp-cls-ccp-inspect-4
    match class-map https
    match access-group name any-any
    class-map type inspect match-any UDP
    match protocol udp
    match protocol tcp
    class-map type inspect match-all ccp-cls-ccp-inspect-5
    match class-map UDP
    match access-group name InsideOut
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect pop3 match-any ccp-app-pop3
    match invalid-command
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all ccp-cls-ccp-permit-2
    match class-map Pings
    match access-group name RespondtoSomePings
    class-map type inspect match-any RemoteMgt
    match protocol ssh
    match protocol https
    class-map type inspect match-all ccp-cls-ccp-permit-1
    match class-map RemoteMgt
    match access-group name Spectra-RemoteMgt
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 103
    class-map type inspect http match-any ccp-app-httpmethods
    match request method bcopy
    match request method bdelete
    match request method bmove
    match request method bpropfind
    match request method bproppatch
    match request method connect
    match request method copy
    match request method delete
    match request method edit
    match request method getattribute
    match request method getattributenames
    match request method getproperties
    match request method index
    match request method lock
    match request method mkcol
    match request method mkdir
    match request method move
    match request method notify
    match request method options
    match request method poll
    match request method post
    match request method propfind
    match request method proppatch
    match request method put
    match request method revadd
    match request method revlabel
    match request method revlog
    match request method revnum
    match request method save
    match request method search
    match request method setattribute
    match request method startrev
    match request method stoprev
    match request method subscribe
    match request method trace
    match request method unedit
    match request method unlock
    match request method unsubscribe
    class-map type inspect match-any ccp-dmz-protocols
    match protocol http
    match protocol dns
    match protocol https
    class-map type inspect match-any WebBrowsing
    match protocol http
    match protocol https
    class-map type inspect match-any DNS2
    match protocol dns
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect http match-any ccp-http-blockparam
    match request port-misuse im
    match request port-misuse p2p
    match request port-misuse tunneling
    match req-resp protocol-violation
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
    match class-map WebBrowsing
    match access-group name DMZ-Out
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
    match class-map DNS2
    match access-group name DMZtoAny
    class-map type inspect match-all ccp-protocol-smtp
    match protocol smtp
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
    pass
    class type inspect ccp-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
    log
    reset
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
    log
    reset
    policy-map type inspect ccp-inspect
    class type inspect ccp-cls-ccp-inspect-2
    inspect
    class type inspect ccp-cls-ccp-inspect-1
    inspect
    class type inspect ccp-cls-ccp-inspect-5
    pass log
    class type inspect TFTP
    inspect
    class type inspect ccp-invalid-src
    drop log
    class type inspect ccp-cls-ccp-inspect-4
    inspect
    class type inspect ccp-protocol-http
    inspect
    class type inspect ccp-protocol-smtp
    inspect
    class type inspect ccp-cls-ccp-inspect-3
    inspect
    class type inspect ccp-protocol-imap
    inspect
    service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
    inspect
    service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
    drop log
    class type inspect ccp-protocol-im
    drop log
    class type inspect ccp-sip-inspect
    inspect
    class type inspect ccp-h323-inspect
    inspect
    class type inspect ccp-h323annexe-inspect
    inspect
    class type inspect ccp-h225ras-inspect
    inspect
    class type inspect ccp-h323nxg-inspect
    inspect
    class type inspect ccp-skinny-inspect
    inspect
    class class-default
    drop log
    policy-map type inspect ccp-permit-outside-in
    class type inspect ccp-cls-ccp-permit-outside-in-2
    inspect
    class type inspect ccp-cls-ccp-permit-outside-in-1
    pass
    class class-default
    drop log
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
    log
    reset
    class type inspect http ccp-app-httpmethods
    log
    reset
    class type inspect http ccp-app-nonascii
    log
    reset
    policy-map type inspect ccp-permit
    class type inspect SDM_VPN_PT
    pass
    class type inspect ccp-cls-ccp-permit-2
    inspect
    class type inspect ccp-cls-ccp-permit-1
    pass
    class type inspect SDM_DHCP_CLIENT_PT
    pass
    class class-default
    drop log
    policy-map type inspect ccp-permit-dmzservice
    class type inspect ccp-cls-ccp-permit-dmzservice-1
    inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-2
    inspect
    class class-default
    drop
    zone security in-zone
    zone security out-zone
    zone security dmz-zone
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security ccp-zp-out-in source out-zone destination in-zone
    service-policy type inspect ccp-permit-outside-in
    zone-pair security Spec-zp-dmz-out source dmz-zone destination out-zone
    service-policy type inspect ccp-permit-dmzservice
    crypto isakmp policy 2
    encr aes 256
    authentication pre-share
    group 5
    lifetime 28800
    crypto isakmp key Y address x.x.x.x
    crypto isakmp key o1 address x.x.x.x
    crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to x.x.x.x
    set peer x.x.x.x
    set transform-set ESP-AES256-SHA
    match address 100
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to x.x.x.x
    set peer x.x.x.x
    set security-association lifetime kilobytes 128000
    set security-association lifetime seconds 28800
    set transform-set ESP-AES256-SHA
    match address 102
    interface FastEthernet0
    description B
    switchport access vlan 2
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    description Docker
    switchport access vlan 2
    no ip address
    spanning-tree portfast
    interface FastEthernet2
    description Phone
    switchport access vlan 2
    no ip address
    spanning-tree portfast
    interface FastEthernet3
    description Guest
    switchport access vlan 3
    no ip address
    spanning-tree portfast
    interface FastEthernet4
    description External $FW_OUTSIDE$
    bandwidth inherit
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    ip verify unicast source reachable-via rx allow-default 104
    duplex auto
    speed auto
    pppoe-client dial-pool-number 1
    hold-queue 224 in
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip tcp adjust-mss 1452
    shutdown
    interface Vlan2
    description Trusted Network$FW_INSIDE$
    ip address 10.0.2.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security in-zone
    ip tcp adjust-mss 1440
    interface Vlan3
    description Guest Network$FW_DMZ$
    ip address 192.168.112.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security dmz-zone
    interface Dialer0
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip directed-broadcast
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    ip verify unicast reverse-path
    encapsulation ppp
    load-interval 30
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callout
    ppp chap hostname
    ppp chap password 7
    ppp pap sent-username password 7
    no cdp enable
    interface Dialer1
    ip address negotiated
    no ip redirects
    no ip unreachables
    ip directed-broadcast
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    ip verify unicast reverse-path
    zone-member security out-zone
    encapsulation ppp
    load-interval 30
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7
    ppp pap sent-username password 7
    ppp ipcp route default
    ppp ipcp address accept
    no cdp enable
    crypto map SDM_CMAP_1
    ip forward-protocol nd
    no ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip access-list standard SSH-Management
    permit x.x.x.x log
    permit 10.0.2.0 0.0.0.255 log
    permit 10.0.1.0 0.0.0.255 log
    ip access-list extended Any-From-HO
    remark CCP_ACL Category=128
    permit ip 10.0.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    ip access-list extended Any-any
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended Any/Any
    remark CCP_ACL Category=128
    permit ip host 10.0.2.0 host 10.0.1.0
    ip access-list extended DMZ-Out
    remark CCP_ACL Category=128
    permit ip 192.168.112.0 0.0.0.255 any
    ip access-list extended DMZtoAny
    remark CCP_ACL Category=128
    permit ip 192.168.112.0 0.0.0.255 any
    ip access-list extended Hostcom-Skinny
    remark CCP_ACL Category=128
    permit ip 10.1.1.0 0.0.0.255 10.0.2.0 0.0.0.255
    ip access-list extended InsideOut
    remark CCP_ACL Category=128
    permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    ip access-list extended Ping-Hostcom
    remark CCP_ACL Category=128
    permit ip host 10.0.2.2 any
    ip access-list extended RespondtoSomePings
    remark CCP_ACL Category=128
    permit ip 10.0.1.0 0.0.0.255 any
    permit ip host x.x.x.x any
    permit ip host 37.0.96.2 any
    ip access-list extended SDM_AH
    remark CCP_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    ip access-list extended SDM_ESP
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended SDM_HTTPS
    remark CCP_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark CCP_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark CCP_ACL Category=1
    permit tcp any any eq 22
    ip access-list extended RemoteMgt
    remark CCP_ACL Category=128
    permit ip host x.x.x.x any
    permit ip 10.0.1.0 0.0.0.255 any
    ip access-list extended any-any
    remark CCP_ACL Category=128
    permit ip any any
    logging trap debugging
    logging facility local2
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.0.2.0 0.0.0.255
    access-list 1 permit 192.168.112.0 0.0.0.255
    access-list 23 remark HTTPS Access
    access-list 23 permit 10.0.2.1
    access-list 23 permit x.x.x.x
    access-list 23 permit 10.0.2.0 0.0.0.255
    access-list 23 permit 10.0.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 remark IPSec Rule
    access-list 100 permit ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 remark CCP_ACL Category=2
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 101 remark IPSec Rule
    access-list 101 deny ip 10.0.2.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 101 permit ip 192.168.112.0 0.0.0.255 any
    access-list 101 permit ip 10.0.2.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
    access-list 103 remark CCP_ACL Category=128
    access-list 103 permit ip host 255.255.255.255 any
    access-list 103 permit ip 127.0.0.0 0.255.255.255 any
    access-list 104 permit udp any any eq bootpc
    access-list 105 remark CCP_ACL Category=128
    access-list 105 permit ip host x.x.x.x any
    access-list 105 permit ip host x.x.x.x any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP permit 1
    route-map SDM_RMAP_1 permit 1
    match ip address 101
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^C
    Authorised Access Only
    If you're not supposed to be here, close the connection
    ^C
    banner motd ^C
    Access Is Restricted To Personnel ONLY^C
    line con 0
    exec-timeout 5 0
    login authentication local_auth
    transport output telnet
    line aux 0
    exec-timeout 15 0
    login authentication local_auth
    transport output telnet
    line vty 0 4
    access-class SSH-Management in
    privilege level 15
    logging synchronous
    login authentication local_auth
    transport input telnet ssh
    scheduler interval 500
    end

    Hello Martin,
    Please apply the following changes and let us know:
    ip access-list extended DMZtoAny
    1 permit udp 192.168.112.0 0.0.0.255 any eq 53
    no permit ip 192.168.112.0 0.0.0.255 any
    ip access-list extended DMZ-Out
    1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
    2 permit tcp 192.168.112.0 0.0.0.255 any eq 443
    no permit ip 192.168.112.0 0.0.0.255 any
    Change that, try it, and if it does not work post the configuration with the changes applied.
    Regards,
    Remember to rate all of the helpful posts, that is as important as a thanks
    Julio
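The same pattern Julio is removing (an extended `permit ip <net> any`, or `permit ip any any`) appears in several other ACLs in the posted config. The following script is an added example, not code from the thread or from Cisco: it parses `ip access-list` blocks and classic `access-list N` lines, flags every extended permit of all IP protocols to any destination, and shows that DMZ-Out and DMZtoAny drop off the list once narrowed to DNS, HTTP and HTTPS. BEFORE/AFTER are excerpts of the config above and of Julio's change (with the DMZ network 192.168.112.0/24 as in the posted config); the parser itself and its field names are assumptions of this example.

```python
"""Audit Cisco IOS ACLs for permits of any IP protocol to any destination.

Added example, not from the thread: it flags the broad extended permits that
Julio's reply narrows for DMZ-Out and DMZtoAny. BEFORE/AFTER are excerpts of the
posted config and of the suggested change, embedded so the script runs offline.
"""
import re
from dataclasses import dataclass

_PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre", "ospf", "eigrp", "pim", "igmp"}
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_NAMED = re.compile(r"^ip access-list (?:standard|extended) (\S+)$")
_NUMBERED = re.compile(r"^access-list (\d+) (permit|deny) (.+)$")

@dataclass(frozen=True)
class AclEntry:
    acl: str               # ACL name or number
    action: str            # permit / deny
    proto: str             # ip, tcp, udp, ... ("ip" for standard entries)
    src: str               # "any", "host A.B.C.D" or "NET WILDCARD"
    dst: "str | None"      # same forms; None for standard (source-only) entries
    dst_port: "str | None" # e.g. "eq 443"; None when unrestricted
    raw: str

def _parse_addr(tokens):
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) > 1 and _IPV4.match(tokens[1]):  # address + wildcard mask
        return f"{tokens[0]} {tokens[1]}", tokens[2:]
    return f"host {tokens[0]}", tokens[1:]           # bare address (standard ACL)

def _port(tokens):
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt", "range"):
        return " ".join(tokens[:3 if tokens[0] == "range" else 2])
    return None

def _parse_entry(acl, action, body, raw):
    tokens = body.split()
    if tokens[0] in _PROTOCOLS or tokens[0].isdigit():  # extended: proto src [port] dst [port]
        proto, tokens = tokens[0], tokens[1:]
        src, tokens = _parse_addr(tokens)
        tokens = tokens[len((_port(tokens) or "").split()):]  # skip optional source port
        dst, tokens = _parse_addr(tokens)
        return AclEntry(acl, action, proto, src, dst, _port(tokens), raw)
    src, _ = _parse_addr(tokens)                         # standard: source only
    return AclEntry(acl, action, "ip", src, None, None, raw)

def parse_acls(config_text):
    entries, current = [], None
    for line in config_text.splitlines():
        line = line.strip()
        m = _NAMED.match(line)
        if m:
            current = m.group(1)
            continue
        m = _NUMBERED.match(line)
        if m:
            current = None
            entries.append(_parse_entry(m.group(1), m.group(2), m.group(3), line))
            continue
        tokens = line.split()
        if tokens and tokens[0].isdigit():               # optional sequence number
            tokens = tokens[1:]
        if current and tokens and tokens[0] in ("permit", "deny"):
            entries.append(_parse_entry(current, tokens[0], " ".join(tokens[1:]), line))
        elif tokens and tokens[0] != "remark":
            current = None                               # any other command ends the block
    return entries

def permissive_entries(entries):
    """Extended permits of every IP protocol to any destination. Broad is right for a
    NAT route-map match ACL and wrong for a zone-pair or interface ACL: a review list."""
    return [e for e in entries
            if e.action == "permit" and e.proto == "ip" and e.dst == "any"]

BEFORE = """\
ip access-list extended Any-any
 permit ip any any
ip access-list extended DMZ-Out
 permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended DMZtoAny
 permit ip 192.168.112.0 0.0.0.255 any
ip access-list extended SDM_HTTPS
 permit tcp any any eq 443
ip access-list standard SSH-Management
 permit 10.0.2.0 0.0.0.255 log
"""
AFTER = """\
ip access-list extended DMZtoAny
 1 permit udp 192.168.112.0 0.0.0.255 any eq 53
ip access-list extended DMZ-Out
 1 permit tcp 192.168.112.0 0.0.0.255 any eq 80
 2 permit tcp 192.168.112.0 0.0.0.255 any eq 443
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, [e.raw for e in permissive_entries(parse_acls(cfg))])
```

A hit is a review item, not a verdict: a broad match is exactly what a NAT route-map match list such as access-list 101 needs, while an ACL that a zone-pair class-map or an interface filter references should name protocols and ports. Trace each flagged name to where it is used (`show run | include <ACL name>`) before deciding.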

  • Windows Firewall issue, Inbound rule opend all, still not the same as turning off

    This is a Windows Firewall issue on Windows 8.1 Pro.
    Backup Exec server cannot expand a computer node in the selection list. I drill down to Microsoft Windows Network/Domain/Computers, then when I try to expand a Windows 8.1 Pro computer node, it hangs.
    I narrowed this problem down to a Windows Firewall related issue on the Windows 8.1 Pro computer.
    When I turn off Windows Firewall on the Domain profile, the Backup Exec selection list expands the computer node of the Windows 8.1 Pro computer. So, I created an inbound rule opening everything to the Backup Exec server as follows, but it's still not the same as turning off Windows Firewall specifically on the Windows 8.1 Pro computer:
    Any Local IP address, Any Remote IP address, Any port, Any protocol, All Interfaces, All Programs and Services, All profiles (Domain, Private, Public)
    And there are no blocking rules which might override the above rule.
    Ethernet on the Windows 8.1 Pro computer shows the profile is linked with Domain, but just to make it work, I selected all profiles.
    Even though I opened everything available in the inbound rule, it's still not the same as turning off Windows Firewall. What am I missing?

    It looks like something related to RPC (UDP 135), but even when the inbound rule is all open, why does it matter? RPC seems to work fine only when the firewall is turned off on the domain profile.
    Protocol 17 is UDP
    Port: 135
    ===============================
    Event ID 5152
    The Windows Filtering Platform has blocked a packet.
    Application Information:
    Process ID: 0
    Application Name:
    Network Information:
    Direction: Outbound
    Source Address: 192.168.1.120
    Source Port: 0
    Destination Address: 192.168.1.11
    Destination Port: 0
    Protocol: 1
    Filter Information:
    Filter Run-Time ID: 245836
    Layer Name: ICMP Error
    Layer Run-Time ID: 32

    The Windows Filtering Platform has blocked a packet.
    Application Information:
    Process ID: 0
    Application Name:
    Network Information:
    Direction: Inbound
    Source Address: 192.168.1.11
    Source Port: 35341
    Destination Address: 192.168.1.120
    Destination Port: 135
    Protocol: 17
    Filter Information:
    Filter Run-Time ID: 245834
    Layer Name: Transport
    Layer Run-Time ID: 13
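Turning the 5152 dump above into records makes the two drops easier to act on: the inbound UDP 35341 to 135 drop at the Transport layer carries the Filter Run-Time ID of the WFP filter that blocked it, which is the value to look up rather than the firewall rule name. The script below is an added example, not from the post; SAMPLE_DUMP re-types the two pasted events in the raw one-key-per-line Event Viewer form so it runs offline, and the parser also accepts the compact `Key: value` form.

```python
"""Parse a Windows Filtering Platform event 5152 ("blocked a packet") text dump.

Added example, not from the original post. SAMPLE_DUMP re-types the two events
pasted above so the parser runs offline; it turns the one-key-per-line dump into
records and groups the drops by the WFP filter that caused them.
"""
from collections import defaultdict

EVENT_HEADER = "The Windows Filtering Platform has blocked a packet."
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

SAMPLE_DUMP = """\
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID:
0
Application Name:
Network Information:
Direction:
Outbound
Source Address:
192.168.1.120
Source Port:
0
Destination Address:
192.168.1.11
Destination Port:
0
Protocol:
1
Filter Information:
Filter Run-Time ID:
245836
Layer Name:
ICMP Error
Layer Run-Time ID:
32
The Windows Filtering Platform has blocked a packet.
Application Information:
Process ID:
0
Application Name:
Network Information:
Direction:
Inbound
Source Address:
192.168.1.11
Source Port:
35341
Destination Address:
192.168.1.120
Destination Port:
135
Protocol:
17
Filter Information:
Filter Run-Time ID:
245834
Layer Name:
Transport
Layer Run-Time ID:
13
"""

def parse_wfp_events(text):
    """Each 'Key:' line is a field; the value is inline or on the following line,
    or empty when the next line is itself a key (an empty Application Name)."""
    lines = [line.strip() for line in text.splitlines()]
    events, i = [], 0
    while i < len(lines):
        line = lines[i]
        if line == EVENT_HEADER:
            events.append({})
        elif events and ":" in line:               # IPv4 dumps: value lines carry no ':'
            key, _, value = line.partition(":")
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if not value.strip() and nxt and ":" not in nxt and nxt != EVENT_HEADER:
                value, i = nxt, i + 1
            events[-1][key.strip()] = value.strip()
        i += 1
    return events

def describe(event):
    proto = int(event["Protocol"])
    name = PROTO_NAMES.get(proto, f"proto {proto}")
    return (f'{event["Direction"]} {name} {event["Source Address"]}:{event["Source Port"]}'
            f' -> {event["Destination Address"]}:{event["Destination Port"]}'
            f' dropped by filter {event["Filter Run-Time ID"]} (layer: {event["Layer Name"]})')

def drops_by_filter(events):
    """Group drop summaries by Filter Run-Time ID, the key to look up in the output
    of `netsh wfp show filters` on the machine that logged the event."""
    groups = defaultdict(list)
    for event in events:
        groups[event["Filter Run-Time ID"]].append(describe(event))
    return dict(groups)

if __name__ == "__main__":
    for filter_id, drops in drops_by_filter(parse_wfp_events(SAMPLE_DUMP)).items():
        print(f"filter {filter_id}:", *drops, sep="\n  ")
```

Event 5152 is only written when the "Filtering Platform Packet Drop" audit subcategory is enabled (`auditpol /set /subcategory:"Filtering Platform Packet Drop" /failure:enable`). `netsh wfp show filters` writes a filters.xml in the current directory; searching it for the filterId values the script prints shows the provider and the actual filter behind each drop, which is what decides whether an inbound allow rule can override it.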

  • Firewall issue - tcp outbound port 443

    Hello,
    I have a server-side programming language that I am trying to use to connect from my webserver to a payment gateway via a TCP connection on port 443. For some reason, I can't connect to the host from my server (Snow Leopard Server). I can use the same code, however, on my local laptop, in the same network, and connect just fine.
    Any ideas?
    Both machines are behind my Airport Base Station using port forwarding. I do have port forwarding enabled for port 443 in the Airport, which points to my Snow Leopard Server's local IP address.
    Thanks for any thoughts.
    Donovan

    Well, I spoke too soon.. the firewall *is* the problem.
    There must have been a cache when I stopped it, which made it appear as if the fix was in the Airport Extreme. However, after turning the firewall back on, the issue came back. I've now done more testing, and the issue definitely involves the firewall.
    In Server Admin, I have the following Active Rule in the firewall:
    'Allow tcp from any to any dst-port 443'
    I am guessing that my server-side language "tcp connection" is being seen in that rule. I was told it is like a telnet connection. Is there a different rule that I should put in to allow telnet connections on port 443? I would think the same rule would work for both.
    Anyway, saga continues.
    Donovan
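Before changing the ipfw rule it helps to know which of three answers the server's connect attempt actually gets. The probe below is an added example (not Donovan's code, whose language is not shown): "open" means the handshake completed, "refused" means a host answered with a RST (nothing listening, or a firewall that rejects), and "filtered" means nothing came back before the timeout, which is what a silent ipfw deny looks like. The demo uses loopback sockets constructed locally, so it runs without a payment gateway; the gateway host name in the comment is hypothetical.

```python
"""Classify what a TCP connect to host:port actually gets back.

Added example, not from the thread. 'open' = handshake completed, 'refused' =
RST received (reachable host, nothing listening or a rejecting firewall),
'filtered' = no reply before the timeout (a silent drop). The demo builds a
loopback listener so the two reproducible outcomes can be shown offline.
"""
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'filtered' or 'error:<errno>' for host:port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:      # RST: reachable, but no service / rejected
        return "refused"
    except socket.timeout:              # no SYN-ACK and no RST: dropped somewhere
        return "filtered"
    except OSError as exc:              # e.g. EHOSTUNREACH / ENETUNREACH
        return f"error:{exc.errno}"
    finally:
        sock.close()


def demo():
    """Constructed offline check: probe a loopback port while a listener is bound,
    then again after the listener is closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))     # let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": probe_tcp("127.0.0.1", port)}
    listener.close()
    results["closed"] = probe_tcp("127.0.0.1", port)
    return results


if __name__ == "__main__":
    print(demo())
    # Against the real gateway (hypothetical host name), run the same probe from
    # the server and from the laptop and compare the two answers:
    # print(probe_tcp("gateway.example.com", 443))
```

Run it on the Snow Leopard Server and on the laptop against the gateway. "filtered" on the server alone points at a drop on that host or in front of it; `sudo ipfw -a list` shows per-rule packet counters, so the rule whose counter moves during the probe is the one the connection hits. One caveat on the rule quoted above: `allow tcp from any to any dst-port 443` matches the outgoing SYN (destination port 443) but not the gateway's replies, whose destination port is the server's ephemeral port, so those need to be allowed by another rule (commonly `established` or a `keep-state` rule).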

  • Cannot create ODBC connection to Azure - is this a firewall issue?

    I am setting up an Access front-end, Azure back-end database. I am setting up the ODBC on one of the client's machines and get SQL state 28000, error 18456, SQL state 01000, error 40608. I am using SQL Native Client 10.0. I have not had issues with this before.
    I opened all IPs. Is this a firewall issue on their computer?
    Any ideas welcome.
    Thanks,
    Marcy

    Hello Marcy,
    Are you getting this error while doing a test connection from the ODBC data source (DSN)?
    Please share the actual error message that you are getting so that I can guide you.
    On the basis of error 18456, please check the following:
    The password must be correct.
    Check if port 1433 is blocked by Windows Firewall or any firewall on the client machine.
    Pass the user name as username@<azure servername>
    If you are using just the username, try SQL Native Client 11.0.
    Check that the TCP/IP protocol is enabled in SQL Server Configuration Manager.
    In case you tried all the above options, please share the error message that your client is getting.
    Hope this helps.
    Mukesh
    SQL Azure and Business Intelligence

  • New Mac Mini Server Network Issue

    I recently purchased the new Mac Mini Server with 10.6 to use as a Content Filter/Web Server for a small private school. While trying to set it up, using the on board ethernet and a USB to Ethernet adapter, I have lost all ability to acquire an IP. IT does not matter if I use the on board ethernet, the USB adapter, or the Airport. All three return a self-assigned IP. I know this is related to the machine since I can still access the cable modem setup by typing in 192.168.100.1. And I brought it home to work on it a little more and the bonjour services are detecting the other macs on the network.
    I tried trashing my network preference plist, but no change.
    I am considering doing a fresh install since I think the initial setup was borked. But I thought I'd hit up the board and see if anyone else had a thought before I begin that process.
    thoughts?

    I have setup this configuration several times with both a MacPro and the smaller mini setup. The gateway setup we are describing is about as simple as it gets (static IP, gateway running all services so 1 IP address, gateway set as 192.168.1.1 on the local net. Simple DHCP and DNS "server.local", and "server.xxx.com" external).
    I would be overjoyed to find that I can configure this by setting up some simple overrides in the routing. I would point out in defense that _everything else_ works perfectly basically by default.
    1) dns on server: local and external, forward and reverse from itself and the local network - check
    2) services on server (all of them): from itself and the local and external networks - check
    3) network access (ie NAT & Firewall) for local machines - check (web, streaming, even bittorrent)
    The only issue I see is that remote clients cannot access the gateway itself properly through VPN. UDP return packets seem to be mis-routed through the physical interface rather than the virtual one.
    ALL other operations (Mail, iCal, iChat, Push, Web Services, Wiki, Web Mail and iCal, NAT) work perfectly for the server, local network, and external hosts. The above problem only happens for vpn clients, and then only for connections from them to the gateway itself, and only for UDP packets.
    I would really love to know how to fix it, especially if this can be explained by a needed custom rule (But I'm guessing not given the otherwise full functioning system). Are you saying that to make VPN work you need to add custom routing info that is not described in the Server docs? If so what?
    Thanks,
    Hunter

  • SQL Server Connection Issue

    I've tried going through the steps to resolve the issue, but I am still coming up blank. The part that I am not understanding is the, "A non-recoverable error occurred during a database lookup." part.
    Is this a security problem? I can establish an ODBC connection to the server as well as connect and query through visual studio, however when trying to run it through one of our custom programs, it throws this error message. 
    A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider:
    TCP Provider, error: 0 - A non-recoverable error occurred during a database lookup.)

    There are many reasons for SQL Server connectivity issues. Refer to this checklist to find out the real cause of the connectivity issue.
    1. Check that the SQL services are running
    2. Check that the SQL Browser service is running
    3. Check that remote connections are enabled
    4. Check network connectivity between the database and application servers with the TRACERT command
    5. Check that the TCP/IP protocol is enabled on the SQL Server
    6. Check telnet connectivity: telnet <IP address> <port SQL Server is running on>
    7. Check whether UDP port 1434 is open on the SQL Server
    8. Check whether a firewall is running
    9. If a firewall is running, SQL Server and the UDP port must be added as exceptions in the firewall
    10. Run the SQL Discovery report on the machine where SQL Server is installed, to check that you are using the correct instance name to connect (default\named): http://mssqlfun.com/2013/02/26/sql-server-discovery-report/
    http://mssqlfun.com/2012/09/28/check-list-for-sql-server-connectivity-issue/
    Regards,
    Rohit Garg
    (My Blog)
    This posting is provided with no warranties and confers no rights.
    Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.
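Items 2, 5, 7 and 10 of the checklist above can be verified with one protocol exchange: the SQL Server Browser answers a UDP 1434 query (SQL Server Resolution Protocol, MS-SQLR) with the instance names it knows and the TCP port each one listens on. The client below is an added example, not Rohit's or Microsoft's code. A reply proves the Browser is up and UDP 1434 reaches it, the InstanceName field is the exact name to use in the connection string, and a record without a "tcp" field is an instance with TCP/IP disabled. The host name SQLHOST and the sample reply are constructed so the parser runs offline; the socket query only runs against a host you name.

```python
"""Ask the SQL Server Browser (UDP 1434) where an instance listens, per MS-SQLR.

Added example, not from the thread. SQLHOST and SAMPLE_RESPONSE are constructed
so parsing can be exercised offline; query_browser() talks to a real host.
"""
import socket
import struct

SQL_BROWSER_PORT = 1434


def build_instance_query(instance):
    """CLNT_UCAST_INST: 0x04 followed by the null-terminated instance name."""
    return b"\x04" + instance.encode("ascii") + b"\x00"


def build_enum_query():
    """CLNT_UCAST_EX: 0x03 asks for every instance on the host."""
    return b"\x03"


def parse_browser_response(data):
    """SVR_RESP: 0x05, 2-byte little-endian length, then ';'-separated key/value
    pairs, one instance per record, each record terminated by ';;'."""
    if len(data) < 3 or data[0] != 0x05:
        raise ValueError("not an SSRP SVR_RESP message")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def tcp_endpoint(info):
    """(host, port) for an instance record, or None if TCP/IP is not enabled on it."""
    if "tcp" not in info:
        return None
    return info["ServerName"], int(info["tcp"])


def query_browser(host, instance=None, timeout=2.0):
    """Send the unicast query and parse the reply. An empty list on timeout is
    what a blocked UDP 1434 (or a stopped Browser service) looks like."""
    payload = build_instance_query(instance) if instance else build_enum_query()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(payload, (host, SQL_BROWSER_PORT))
        data, _ = sock.recvfrom(65535)
    except socket.timeout:
        return []
    finally:
        sock.close()
    return parse_browser_response(data)


# Constructed SVR_RESP: a default instance on TCP 1433 and a named instance
# that only exposes a named pipe (TCP/IP disabled on it).
_BODY = (b"ServerName;SQLHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;10.50.1600.1;tcp;1433;;"
         b"ServerName;SQLHOST;InstanceName;SQLEXPRESS;IsClustered;No;"
         b"Version;10.50.1600.1;np;\\\\SQLHOST\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY


if __name__ == "__main__":
    for info in parse_browser_response(SAMPLE_RESPONSE):
        print(info["InstanceName"], "->", tcp_endpoint(info) or "no TCP listener")
    # Live check against a real server (hypothetical host name):
    # print(query_browser("sqlhost.example.com", "SQLEXPRESS"))
```

A default instance on TCP 1433 does not need the Browser at all, and a connection string of the form `host,port` bypasses it for a named instance too, which is the quickest workaround when only UDP 1434 is blocked. Since the Browser tells anyone who can reach UDP 1434 the host name, every instance name and the version, scope that firewall exception to the application servers instead of opening it to any source.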
