Two Subnets?
Have a WRT54G with a network-ready printer connected via RJ45 - works fine and all wireless laptops print to it.
Need to move the printer to the other end of the house. Do I need A) an access point, B) a bridge, or C) another router for the printer to connect (wirelessly) to the first router?
You need a wireless bridge. It connects a wired device through a wireless connection to your WRT.
Similar Messages
-
Two subnets with different mask on a single router?
router 1941
Hello. I need assistance with the setup of two subnets within a single router.
Here's my information:
Router has only two GigabitEthernet interfaces.
GigabitEthernet0/0 has 172.20.0.1 ip and 255.255.252.0 mask.
GigabitEthernet0/1 has 172.21.0.1 ip and 255.255.128.0 mask
Now, on each side there is a Switch with two computers.
I need to have one computer on each side on the same subnet, and the other one on a different subnet, meaning a PC cannot communicate with the other computer on its own side, but can with a computer on the other side.
I have no idea how to configure this on the router, can anyone please help me?
Thanks in advance!
>>> So you want PC1 and PC3 to be able to talk to each other but you don't want them to be able to talk to PC2 and PC4 and vice versa.
This is correct.
>>> If so you don't need a router, you can just use a switch (or switches) and use two VLANs with no L3 interfaces.
Unfortunately they are not giving me the choice of making my own net design. I need to setup this with all the devices mentioned (1 router, 2 switches, 4 pcs).
>>> If so you don't need a router, you can just use a switch (or switches) and use two VLANs with no L3 interfaces.
As long as they communicate with the appropriate PC, it doesn't matter if they communicate with other devices or not.
Thanks again! -
Two subnets in one VLAN.
I'm just practicing VLANs.
I created two subnets in VLAN 1. While trying to enable communication between the devices in both subnets, I configured the Fa0/0 interface of the router as 10.0.1.254/24 (but, as I expected, it didn't enable communication). I believe I'm missing something.
Can someone please help me with this?
Regards,
Chandu
Each VLAN represents only one subnet, so when you say VLAN it is the logical meaning of a subnet ID, so let me give another definition.
10.1.1.0/24 (VLAN 1)
10.1.2.0/24 (VLAN 2)
So, for example, Subnets 10.1.1.0/24 and 10.1.2.0/24 can't be on the same VLAN, they have to be in 2 different VLANs, and to enable communication between different VLANs, there are 3 options.
a) Router on a stick: by configuring one FastEthernet Router port with sub interface commands:
Router(config)#interface FastEthernet 0/0
Router(config-if)#no ip address
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet 0/0.1
Router(config-if)#encapsulation dot1q "VLAN-ID" (for this example write only "1")
Router(config-if)#ip address 10.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet 0/0.2
Router(config-if)#encapsulation dot1q "VLAN-ID" (for this example write only "2")
Router(config-if)#ip address 10.1.2.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
b) Using a separate router FastEthernet interface per VLAN (this option is not practical):
Router(config)#interface FastEthernet 0/0
Router(config-if)#ip address 10.1.1.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface FastEthernet 0/1
Router(config-if)#ip address 10.1.2.254 255.255.255.0
Router(config-if)#no shutdown
Router(config-if)#exit
c) Using a MultiLayer Switch with inter-VLAN commands:
Switch(config)#interface vlan 1
Switch(config-if)#ip address 10.1.1.254 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 2
Switch(config-if)#ip address 10.1.2.254 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#ip routing (to enable routing on the MultiLayer Switch) -
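As an added illustration (not code from Chandu's question or from the answer above), the following Python models the two decisions that make the asker's setup fail and the answer's option a) work: the host's on-link test against its own subnet mask, and the router's lookup over its connected subnets. The addresses are the ones used in the thread; the interface dictionaries, the .10/.20 hosts and the scenario labels are constructed for this example.

```python
import ipaddress
from typing import Dict, Optional

# Added example, not code from the thread above. It models two decisions:
# (1) a host's on-link test against its own subnet mask and (2) a router's
# lookup over its connected subnets. Addresses come from the thread; the
# interface dictionaries and scenario names are constructed here.


def host_next_hop(host_ip: str, mask: str, gateway: str, dst_ip: str) -> str:
    """Where a host sends a packet for dst_ip: 'on-link' when the destination
    is inside the host's own subnet (it ARPs for it directly), otherwise the
    configured default gateway. VLAN membership never enters this decision,
    which is why two subnets in one VLAN still need a router between them."""
    own_subnet = ipaddress.ip_interface(f"{host_ip}/{mask}").network
    return "on-link" if ipaddress.ip_address(dst_ip) in own_subnet else gateway


def router_egress(interfaces: Dict[str, str], dst_ip: str) -> Optional[str]:
    """Longest-prefix match over connected subnets only (no static or dynamic
    routes in this model). Returns the egress interface name, or None when the
    router holds no route for the destination and drops the packet."""
    dst = ipaddress.ip_address(dst_ip)
    best_name, best_len = None, -1
    for name, cidr in interfaces.items():
        net = ipaddress.ip_interface(cidr).network
        if dst in net and net.prefixlen > best_len:
            best_name, best_len = name, net.prefixlen
    return best_name


def can_reach(host_ip, mask, gateway, dst_ip, router_ifaces) -> bool:
    """One-direction verdict: on-link delivery, or delivery via the gateway
    provided the router owns the gateway address and has a connected subnet
    for the destination."""
    hop = host_next_hop(host_ip, mask, gateway, dst_ip)
    if hop == "on-link":
        return True
    router_owns_gateway = any(
        str(ipaddress.ip_interface(c).ip) == hop for c in router_ifaces.values())
    return router_owns_gateway and router_egress(router_ifaces, dst_ip) is not None


# Asker's setup: two subnets inside VLAN 1, router Fa0/0 = 10.0.1.254/24 only.
ASKER_ROUTER = {"Fa0/0": "10.0.1.254/24"}
# Answer's option a): router-on-a-stick, one sub-interface per VLAN/subnet.
ROUTER_ON_A_STICK = {"Fa0/0.1": "10.1.1.254/24", "Fa0/0.2": "10.1.2.254/24"}


def scenarios():
    """Constructed hosts (.10 and .20) in each subnet; returns verdicts."""
    return {
        "asker: 10.0.1.10 -> 10.0.2.20": can_reach(
            "10.0.1.10", "255.255.255.0", "10.0.1.254", "10.0.2.20", ASKER_ROUTER),
        "answer a): 10.1.1.10 -> 10.1.2.20": can_reach(
            "10.1.1.10", "255.255.255.0", "10.1.1.254", "10.1.2.20", ROUTER_ON_A_STICK),
        "same subnet: 10.1.1.10 -> 10.1.1.20": can_reach(
            "10.1.1.10", "255.255.255.0", "10.1.1.254", "10.1.1.20", ROUTER_ON_A_STICK),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label}: {'delivered' if ok else 'dropped'}")
```

In the asker's case the host correctly hands the packet to 10.0.1.254, but the router has no connected subnet for 10.0.2.0/24 and drops it; with the sub-interfaces from option a) the lookup returns Fa0/0.2 and the packet is delivered.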
Can a BO XI R2 Cluster Span Two Subnets?
We were able to setup a BO XI R2 two server cluster using two servers on the same subnet.
Server A at IP address -.-.---.45
Server B at IP address -.-.---.46
Schedule reports and ad hoc queries through the web servers (on both machines) operated without issue. [The two servers share a Sybase database and a NetApp file system.]
We then attempted to setup a BO XI R2 two server cluster, but with the two servers in different data centers and on different subnets. [Everything else is the same ... shared Sybase database, shared NetApp file system.] The two servers are able to ping each other without any trouble. Unfortunately, the reports we schedule only seem to run on the server where they were introduced. [Reports introduced on Server A only run on Server A - even if Server B goes down. And, vise versa.]
We are wondering if there is some communication between the two servers that requires the servers to be on the same subnet.
Edited by: Wesley Conner on Jun 19, 2009 2:45 AM
We have had customers and employees successfully configure clustered CMSs across subnets; we have also had plenty of issues (especially if the subnets are geographically separated by WAN links).
You may want to open a case with support, as some extensive tracing and analysis may be required. If no filtering is occurring and the link has enough bandwidth then it should work. CMS communication to the CMS DB is rather extensive, so without enough bandwidth I'd expect all kinds of issues. I'm not sure how much would be enough, but to be safe I'd say at least the same pipe as the server NIC(s).
Regards,
Tim -
Hello from Spain,
I have configured IPMP with two interfaces on Solaris 10. It works.
Now I need to configure a zone with a different subnet mask because I need the zone to be invisible to global, but not to the firewall, because I need to exit with this zone.
Here is an example of what I'm trying to do
Global
/etc/hosts
172.24.100.20 WK1
172.24.100.21 WK1-bge0
172.24.100.22 WK1-bge1
/etc/netmasks
172.24.100.0 255.255.255.0
172.24.110.0 255.255.255.0
/etc/defaultrouter
172.24.100.1
/etc/hostname.bge0
WK1 netmask + broadcast + group localhost up addif WK1-bge0 deprecated -failover netmask + broadcast + up
/etc/hostname.bge1
WK1-bge1 deprecated -failover netmask + broadcast + group localhost up
Zone IP's
172.24.100.101 zone1 (global sees it, it sees global and the firewall)
172.24.110.101 zone2 (global sees it, it sees global, but doesn't see the firewall)
zone2 /etc/defaultrouter
172.24.110.1
Is it possible to do this? Any ideas?
Thanks.
PS. Excuse my English.
General advice, since you don't indicate which type of zone you have (shared IP or exclusive IP):
If you are dealing with zones and routing, it is best to configure your local zones as "exclusive IP" (bge can do this), meaning you dedicate a physical interface to the local zone and configure the interface from within the new zone. Otherwise all interfaces and routing belong to the global zone and routing can be a problem. Then you can configure IPsec or ipf to allow/deny access as desired between the zones or other network nodes.
If you have S10 u4 (8/07), exclusive IP is available:
docs.sun.com Home > Solaris 10 System Administrator Collection > System Administration Guide: Solaris Containers-Resource Management and Solaris Zones > Zones > 17. Non-Global Zone Configuration (Overview) > Zone Components > Zone Network Interfaces > Solaris 10 8/07: Exclusive-IP Non-Global Zones
docs.sun.com Home > Solaris 10 System Administrator Collection > System Administration Guide: Solaris Containers-Resource Management and Solaris Zones > Zones > 17. Non-Global Zone Configuration (Overview) > Zone Components > Zone Network Interfaces > Security Differences Between Shared-IP and Exclusive-IP Non-Global Zones -
Media manager between two subnets
Hoping someone can help. My home network is on a DLink N+ router with a 192.168.0.x subnet. The DLink router is connected to my FIOS router, which is on the 192.168.1.x subnet. All of my cable boxes are connected to the FIOS router; all of my home PCs, laptops, gaming systems, etc. connect to the DLink. The DLink's internet gateway is the FIOS router and they are connected via Ethernet. By default Media Manager is looking for devices on 192.168.1.x, but the Media Manager host machine is on 192.168.0.x. So with my current setup I cannot use Media Manager.
I could change the DLink over to the 192.168.1.x subnet, but then I will have to disable DHCP on the DLink and basically turn a sophisticated dual-band N+ router into an access point. I don't want to do this. Is there a method where I could do some port forwarding to make Media Manager work between the two subnets? Please help!
I hear of lots of people using their own router in lieu of the FIOS supplied Motorola router. If FIOS would just start supplying N routers I wouldn't need two! I hope I can keep my current network setup and still be able to use media manager. After all it would be a lot nicer to stream video over the N band than over G. I think the biggest weakness with Media Manager is being stuck on G if it winds up I can't use it with my N router.
Thanks for your help.
"Is there a method where I could do some port forwarding to make Media Manager work between the two subnets?"
No
"Please help!I hear of lots of people using their own router in lieu of the FIOS supplied Motorola router."
You would need a NIM/bridge setup to connect your coax LAN (set-top boxes) to your WAN. Are you using coax WAN from the AT router? The AT has a built-in NIM; that's one reason Verizon uses it. -
Hello,
We have 2 subnets in different locations, both connected via IPSec VPN: 192.168.1.0 and 192.168.2.0.
192.168.1.2 can access 192.168.2.2 and vice versa, but from other IPs it is not possible.
x.x.x.x indicates public ip of HO
xx.xx.xx.xx indicates public ip of branch
In HO [192.168.1.0], using a Cisco 1941, please see the config below:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname HO
boot-start-marker
boot system flash0 c1900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
enable secret 5 $1$OAdT$6oO4MRgeqLLswhYJ1MrQ1/
no aaa new-model
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2 192.168.1.49
ip name-server x.x.x.x
ip name-server x.x.x.x
ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-4155682894
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4155682894
revocation-check none
rsakeypair TP-self-signed-4155682894
crypto pki certificate chain TP-self-signed-4155682894
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313535 36383238 3934301E 170D3132 31313231 30323033
30345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31353536
38323839 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C569 6AE9BC8C B3151335 D5B65344 CE66C09D 21397F80 B61A1B88 18CD5647
2C17C13E 6E40BD61 CC40EB38 06C45B2E 9B90346D 93594CFC 104CD1F6 FC00ECA4
3849440F 81130037 7F4C8600 C59E8B2C 77D40781 55714284 CF3B1622 528A3B56
4CF2FA62 1AC88250 33C9D8E7 CF868D5F 456C8C03 3D387DD6 BB9F1405 6B713899
551D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 142A4B7F 1185A51A 72C6E1ED FB8C94A5 60FCA1FD 75301D06
03551D0E 04160414 2A4B7F11 85A51A72 C6E1EDFB 8C94A560 FCA1FD75 300D0609
2A864886 F70D0101 05050003 81810071 863A10FA 57C3350F 6D9D47C7 5CAF71FD
6C7B4E05 001CF020 FDD65D31 0222968A B5992645 89164D80 E3022EA4 2D0A4F66
5B0FC75D 98C3E547 07612401 FF90AED6 127C186C 6220E15C 7E8BB62A E2C6D151
09CDE38E FD5F1D4C 4F4137D7 45BE3B8C A6354921 784DD88A 75A95737 46D0BD36
A83F6B52 74C15C46 37C727ED 1569BC
quit
license udi pid CISCO1941/K9 sn FCZ1523C51L
license boot module c1900 technology-package datak9
username admin privilege 15 secret 5 $1$nZ..$VIWkm8aaxLSpX1M4EaQrc0
redundancy
crypto isakmp policy 2
authentication pre-share
crypto isakmp key cisco123 address xx.xx.xx.xx
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set ASA-IPSEC
match address 100
interface Tunnel0
no ip address
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description connection to dreamnet
ip address x.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
interface GigabitEthernet0/1
description local lan interface $ES_LAN$
ip address x.x.x.x 255.255.255.248
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1/0
ip address 192.168.1.7 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.x
access-list 100 remark SDM_ACL category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 110
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet
scheduler allocate 20000 1000
end
In the branch [192.168.2.0], using a Cisco ASA 5510, please see the config below:
ASA Version 8.2(5)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
nameif Sat
security-level 0
ip address 192.168.3.200 255.255.255.0
interface Ethernet0/1
nameif Lan
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.10.1 255.255.255.0
management-only
ftp mode passive
clock timezone AST 3
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
access-list Sat_access_in extended permit object-group DM_INLINE_PROTOCOL_1 host x.x.x.x host xx.xx.xx.xx
access-list Lan_nat0_outbound extended permit ip any 192.168.2.192 255.255.255.224
access-list Lan_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Sat_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Sat 1500
mtu Lan 1500
mtu Lan1 1500
mtu management 1500
ip local pool pool 192.168.2.201-192.168.2.210 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (Sat) 1 interface
nat (Lan) 0 access-list Lan_nat0_outbound
nat (Lan) 1 0.0.0.0 0.0.0.0
route Sat 0.0.0.0 0.0.0.0 192.168.3.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.10.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 Sat
http x.x.x.x 255.255.255.240 Sat
http xx.xx.xx.xx 255.255.255.0 Sat
http 192.168.2.0 255.255.255.0 Lan
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map Sat_map 1 match address Sat_1_cryptomap
crypto map Sat_map 1 set pfs group1
crypto map Sat_map 1 set peer x.x.x.x
crypto map Sat_map 1 set transform-set ESP-DES-SHA
crypto map Sat_map interface Sat
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 6ecc7aa5a7032009b8cebcf4e952d491
308205ec 308204d4 a0030201 0202106e cc7aa5a7 032009b8 cebcf4e9 52d49130
0d06092a 864886f7 0d010105 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
30303230 38303030 3030305a 170d3230 30323037 32333539 35395a30 81b5310b
30090603 55040613 02555331 17301506 0355040a 130e5665 72695369 676e2c20
496e632e 311f301d 06035504 0b131656 65726953 69676e20 54727573 74204e65
74776f72 6b313b30 39060355 040b1332 5465726d 73206f66 20757365 20617420
68747470 733a2f2f 7777772e 76657269 7369676e 2e636f6d 2f727061 20286329
3130312f 302d0603 55040313 26566572 69536967 6e20436c 61737320 33205365
63757265 20536572 76657220 4341202d 20473330 82012230 0d06092a 864886f7
0d010101 05000382 010f0030 82010a02 82010100 b187841f c20c45f5 bcab2597
a7ada23e 9cbaf6c1 39b88bca c2ac56c6 e5bb658e 444f4dce 6fed094a d4af4e10
9c688b2e 957b899b 13cae234 34c1f35b f3497b62 83488174 d188786c 0253f9bc
7f432657 5833833b 330a17b0 d04e9124 ad867d64 12dc744a 34a11d0a ea961d0b
15fca34b 3bce6388 d0f82d0c 948610ca b69a3dca eb379c00 48358629 5078e845
63cd1941 4ff595ec 7b98d4c4 71b350be 28b38fa0 b9539cf5 ca2c23a9 fd1406e8
18b49ae8 3c6e81fd e4cd3536 b351d369 ec12ba56 6e6f9b57 c58b14e7 0ec79ced
4a546ac9 4dc5bf11 b1ae1c67 81cb4455 33997f24 9b3f5345 7f861af3 3cfa6d7f
81f5b84a d3f58537 1cb5a6d0 09e4187b 384efa0f 02030100 01a38201 df308201
db303406 082b0601 05050701 01042830 26302406 082b0601 05050730 01861868
7474703a 2f2f6f63 73702e76 65726973 69676e2e 636f6d30 12060355 1d130101
ff040830 060101ff 02010030 70060355 1d200469 30673065 060b6086 480186f8
45010717 03305630 2806082b 06010505 07020116 1c687474 70733a2f 2f777777
2e766572 69736967 6e2e636f 6d2f6370 73302a06 082b0601 05050702 02301e1a
1c687474 70733a2f 2f777777 2e766572 69736967 6e2e636f 6d2f7270 61303406
03551d1f 042d302b 3029a027 a0258623 68747470 3a2f2f63 726c2e76 65726973
69676e2e 636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403
02010630 6d06082b 06010505 07010c04 61305fa1 5da05b30 59305730 55160969
6d616765 2f676966 3021301f 30070605 2b0e0302 1a04148f e5d31a86 ac8d8e6b
c3cf806a d448182c 7b192e30 25162368 7474703a 2f2f6c6f 676f2e76 65726973
69676e2e 636f6d2f 76736c6f 676f2e67 69663028 0603551d 11042130 1fa41d30
1b311930 17060355 04031310 56657269 5369676e 4d504b49 2d322d36 301d0603
551d0e04 1604140d 445c1653 44c1827e 1d20ab25 f40163d8 be79a530 1f060355
1d230418 30168014 7fd365a7 c2ddecbb f03009f3 4339fa02 af333133 300d0609
2a864886 f70d0101 05050003 82010100 0c8324ef ddc30cd9 589cfe36 b6eb8a80
4bd1a3f7 9df3cc53 ef829ea3 a1e697c1 589d756c e01d1b4c fad1c12d 05c0ea6e
b2227055 d9203340 3307c265 83fa8f43 379bea0e 9a6c70ee f69c803b d937f47a
6decd018 7d494aca 99c71928 a2bed877 24f78526 866d8705 404167d1 273aeddc
481d22cd 0b0b8bbc f4b17bfd b499a8e9 762ae11a 2d876e74 d388dd1e 22c6df16
b62b8214 0a945cf2 50ecafce ff62370d ad65d306 4153ed02 14c8b558 28a1ace0
5becb37f 954afb03 c8ad26db e6667812 4ad99f42 fbe198e6 42839b8f 8f6724e8
6119b5dd cdb50b26 058ec36e c4c875b8 46cfe218 065ea9ae a8819a47 16de0c28
6c2527b9 deb78458 c61f381e a4c4cb66
quit
crypto isakmp identity address
crypto isakmp enable Sat
crypto isakmp enable Lan
crypto isakmp policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 170
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
telnet xx.xx.xx.xx 255.255.255.224 Sat
telnet 192.168.10.0 255.255.255.0 management
telnet timeout 5
ssh xx.xx.xx.xx 255.255.255.224 Sat
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.101-192.168.2.200 Lan
dhcpd dns 192.168.2.2 8.8.8.8 interface Lan
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable Sat
svc enable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy KKKK_1 internal
group-policy KKKK_1 attributes
dns-server value 8.8.8.8
vpn-tunnel-protocol IPSec
group-policy KKKK internal
group-policy KKKK attributes
vpn-tunnel-protocol svc webvpn
webvpn
url-list none
svc ask enable
username aslam password ZB9WJGrSUPUGLGwR encrypted privilege 0
username aslam attributes
vpn-group-policy KKKK
username aslu password /3qnLbX8e8tM0LIe encrypted
tunnel-group KKKK type remote-access
tunnel-group KKKK general-attributes
address-pool pool
default-group-policy KKKK_1
tunnel-group KKKK-1 type remote-access
tunnel-group KKKK-1 general-attributes
address-pool pool
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:a0d50431d7d29fd35edf9fcabfa4434b
: end
Hope anybody can help on this matter...
What network/s do you want to access?
From what network do you want to access it/them? -
Tuxedo Multiple-domain connected on two subnets?
I have the following problem:
I have 2 TUXEDO domains installed on 2 different nodes.
The node 1 has 2 net-interfaces (2 subnets).
From the first net-interface it has to receive the requests from the TUXEDO clients,
and then it has to forward the requests to other domain (node 2) connected on
the other net-interface.
Is it possible to do it?
Can you help me ?
Thanks in advance.
Regards
Tony
I'm not sure why you have RIP enabled... you shouldn't need it, but you will still need the static route on Router 1 192.168.1.0/255.255.255.0 to LAN 192.168.15.124. All you should need on router 2 is the default route that sends any traffic not in router 2's LAN subnet to router 1.
I'm not sure why this route 192.168.1.0/255.255.255.0 to 0.0.0.0 WAN is there, but I suspect it may be causing some of the issues....
Tomato 1.25vpn3.4 (SgtPepperKSU MOD) on a Buffalo WHR-HP-G54
D-Link DSM-320 (Wired)
Wii (Wireless) - PS3 (Wired), PSP (Wireless) - XBox360 (Wired)
SonyBDP-S360 (Wired)
Linksys NSLU2 Firmware Unslung 6.10 Beta unslung to a 2Gb thumb, w/1 Maxtor OneTouch III 200Gb
IOmega StorCenter ix2 1TB NAS
Linksys WVC54G w/FW V2.12EU
and assorted wired and wireless PCs and laptops -
HA ACS in two different subnets.
Hello,
I have to configure two ACS 1113 (version 4.1(4)) for high reliability, in two different places and on two different subnets.
One appliance will have to manage one office and the second the other office, but if one goes down the other takes responsibility for the entire network.
The two subnets are accessible from all devices.
Both TACACS servers will be configured on all systems.
The ACS are connected to Active Directory to authenticate users.
My question is: if I create a profile on one ACS, is it replicated on the other even though they are on two different subnets? Can I make an HA pair on two different subnets?
Thank you.
Hi Fabio,
1. Is it a problem that the ACS are connected to two different Active Directory that belongs to the same Domain?
Ans: I do not think there should be any problem when they are in a single domain.
2. Is there a particular configuration to replicate just the profiles that I'm going to create on the Master ACS?
Yes. But it's up to you how you want it and what all you want to send for replication. You have a check-box option to select the configurations to be replicated.
Please do rate if the given information helps.
By
Karthik -
How to route traffic across subnets when one NIC is a hyper-V virtual switch?
Having a bit of a problem with a Hyper-V environment which does not seem to route network traffic between two different subnets.
If it were a purely physical server with two NICs and a gateway set, traffic would automatically be forwarded between the two different subnets.
However, when one of those NICs is a Hyper-V virtual switch this simple routing no longer seems to work and no traffic gets forwarded between subnets.
Situation is:
Hyper-V server with two NICs
NIC 1 = 192.168.0/24 - main Internal company network.
NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
Virtualized Domain Controller.
One or two virtualized NICs as necessary
How then does traffic get routed between these two subnets? If RRAS has to be configured to do this, where is the best place to do it: on the Hyper-V host or on the virtualized domain controller?
Thanks,
Hi,
You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
After you enable RRAS on the Hyper-V host there will be two gateways for the different subnets.
"NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router"
The problem is here, if these VMs need to access the internet.
So these VMs cannot configure their gateway as the IP of the internal virtual switch; you may set the VM's gateway as the ADSL internet router's IP and meanwhile add a static route entry for every VM.
Please refer to the syntax:
route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
Hope this helps
Best Regards
Elton Ji
-
Issues with multiple subnets - ASA5510 to Vigor 2820 VPN
Hi there,
I am hoping someone here can help. I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office. We have an ASA 5510 in London, talking to a Vigor 2820 in Edinburgh.
The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall.
The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there.
I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel. However, I have had much trouble adding additional subnets for our VLANs in London.
What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having been stopped by the VPN: subtype: encrypt rules. Looking at these rules though, I can't spot the problem. Multiple changes of the order of the rules, and reloads, have not sorted out the problem. When I run a packet trace on the main subnet it works fine. I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
Firstly, here's the ASA config that seemed relevant. I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

nat (inside) 0 access-list insideOutboundNonatAcl
nat (inside) 9 access-list vpnNatAcl
nat (inside) 10 192.168.30.5 255.255.255.255
nat (inside) 10 192.168.0.0 255.255.255.0
nat (inside) 10 192.168.20.0 255.255.255.0
nat (inside) 10 192.168.30.0 255.255.255.0
nat (inside) 10 192.168.50.0 255.255.255.0

access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any
access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain
access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any
access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any
access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive
access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0
access-group inside_in in interface inside

access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

route inside 192.168.20.0 255.255.255.0 192.168.0.254 1
route inside 192.168.50.0 255.255.255.0 192.168.0.254 1
route inside 192.168.30.0 255.255.255.0 192.168.0.254 1
route inside 192.168.40.0 255.255.255.0 192.168.0.254 1

crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac
crypto ipsec transform-set TRANS_VPN_SET mode transport
crypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_VPN_SET_2 mode transport
crypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2
crypto dynamic-map core_vpn_dyn_map 40 set pfs
crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer [branch peer ip]
crypto map outside_map 2 set transform-set ESP_3DES_MD5
crypto isakmp identity address
crypto isakmp policy 25
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 28800
crypto isakmp nat-traversal 30
crypto isakmp disconnect-notify

group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 100
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 password-storage disable
 ip-comp disable
 re-xauth enable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools none
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none

tunnel-group [branch peer ip] type ipsec-l2l
tunnel-group [branch peer ip] ipsec-attributes
 pre-shared-key *
Note: [branch peer ip] replaces any instances of the branch office outside IP address
I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem. I'd really appreciate any suggestions on how to track this down.
Here's the vigor config:
So it looks to match ok to me at both ends, unless there is something I missed. The vigor routing table shows:
Key: C - connected, S - static, R - RIP, * - default, ~ - private
*  0.0.0.0/ 0.0.0.0 via [ISP gateway server], WAN1
S  [branch peer ip]/ 255.255.255.255 via [branch peer ip], WAN1
S~ 192.168.40.0/ 255.255.255.0 via [London office ip], VPN
S~ 192.168.50.0/ 255.255.255.0 via [London office ip], VPN
S~ 192.168.10.0/ 255.255.255.0 via [London office ip], VPN
S~ 192.168.0.0/ 255.255.255.0 via [London office ip], VPN
C~ 192.168.2.0/ 255.255.255.0 is directly connected, LAN
S~ 192.168.7.0/ 255.255.255.0 via [London office ip], VPN
S~ 192.168.30.0/ 255.255.255.0 via [London office ip], VPN
S~ 192.168.20.0/ 255.255.255.0 via [London office ip], VPN
*  [ISP dns server]/ 255.255.255.255 via [ISP gateway server], WAN1
I have replaced IPs here as is shown. You can see the vigor seems to want to route the appropriate traffic over the VPN.
Finally, here is the packet trace output:
ciscoasa# packet-tracer input outside tcp 192.168.2.1 echo 192.168.50.10 echo detailed

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.50.0 255.255.255.0 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outsideInAcl in interface outside
access-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x4529e48, priority=12, domain=permit, deny=false
 hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0
 src ip=192.168.2.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x44057f0, priority=0, domain=permit-ip-option, deny=true
 hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 5
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false
 hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
 src ip=192.168.2.0, mask=255.255.255.0, port=0
 dst ip=192.168.50.0, mask=255.255.255.0, port=0

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside) 10 192.168.50.0 255.255.255.0
 match ip inside 192.168.50.0 255.255.255.0 outside any
 dynamic translation to pool 10 (external [Interface PAT])
 translate_hits = 2250, untranslate_hits = 17
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false
 hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=192.168.50.0, mask=255.255.255.0, port=0

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 10 192.168.50.0 255.255.255.0
 match ip inside 192.168.50.0 255.255.255.0 outside any
 dynamic translation to pool 10 (external [Interface PAT])
 translate_hits = 2250, untranslate_hits = 17
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0x4b80fa0, priority=1, domain=host, deny=false
 hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=192.168.50.0, mask=255.255.255.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true
 hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
 src ip=0.0.0.0, mask=0.0.0.0, port=0
 dst ip=0.0.0.0, mask=0.0.0.0, port=0

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x4887aa8, priority=70, domain=encrypt, deny=false
 hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
 src ip=192.168.50.0, mask=255.255.255.0, port=0
 dst ip=192.168.2.0, mask=255.255.255.0, port=0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So it seems to find the rule, which it ought to match, but then returns DENY. What's going on here? Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
For further information, this is output for the WORKING subnet - I have just taken a small part here though:
Phase: 10
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x4b86418, priority=70, domain=encrypt, deny=false
 hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0
 src ip=192.168.0.0, mask=255.255.255.0, port=0
 dst ip=192.168.2.0, mask=255.255.255.0, port=0
Thanks very much in advance for any help you can provide - I've been really stuck on this one!
Chris

Hi,
Can you issue the packet-tracer with the direction being your London office -> Remote office?
Also issue the command twice.
Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewalls packet-tracer?
Also I imagine the original info has a typo. You say your ASA's LAN gateway IP and the local L3 switch's IP address are the same, 192.168.0.254.
Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
When you add a network and don't require any special NAT configurations, your NAT0 and Encryption domain access-lists should look pretty much the same.
And looking at your configurations, it should be like this
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0

access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
EDIT: I imagine the VPN network rules should be an exact mirror image of each other. Though it seems this doesn't stop devices from negotiating the VPN up, but who knows if some other device type is picky about that one. The only thing in your situation that I see is the network 192.168.7.0/24, which is not included in the other end's configurations.
EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
- Jouni -
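As an added example (not code from the original post, from Cisco, or from DrayTek), here is a small Python checker that does mechanically what Jouni describes: it parses the ASA's NAT-exempt ACL and crypto-map ACL, checks that everything selected for encryption is also exempt from NAT, and compares the crypto ACL against a mirror image of the branch side's encryption domain. It only understands 8.2-style `access-list NAME extended permit ip` entries with `any`, `host` or network/mask endpoints (no object-groups). The ACL lines in `ASA_CONFIG` are a subset copied from the config posted above; the branch networks are read off the Vigor routing table in the post; `BRANCH_LAN` is assumed to be 192.168.2.0/24 as the post implies.

```python
"""Cross-check an ASA L2L VPN's NAT-exempt ACL, crypto-map ACL and the peer's
encryption domain. Editor's example; not part of the original forum post."""
import ipaddress
import re

ACL_LINE = re.compile(r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.*)")


def _endpoint(tokens):
    """Consume one ACL endpoint from tokens: 'any', 'host A.B.C.D' or 'NETWORK MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acl(config_text, acl_name):
    """Return the (src, dst) network pairs of every 'permit ip' entry in acl_name."""
    pairs = []
    for line in config_text.splitlines():
        m = ACL_LINE.search(line)
        if m and m.group(1) == acl_name:
            tokens = m.group(2).split()   # trailing words such as 'inactive' are ignored
            src = _endpoint(tokens)
            pairs.append((src, _endpoint(tokens)))
    return pairs


def covered(entry, acl):
    """True if some entry of acl matches at least everything that entry matches."""
    src, dst = entry
    return any(s.supernet_of(src) and d.supernet_of(dst) for s, d in acl)


def missing_from(needed, have):
    """Entries of needed that nothing in have covers."""
    return [e for e in needed if not covered(e, have)]


def audit(config_text, nonat_name, crypto_name, peer_lan, peer_networks):
    """Return the mismatch lists a VPN troubleshooter wants, keyed by what they mean."""
    nonat = parse_acl(config_text, nonat_name)
    crypto = parse_acl(config_text, crypto_name)
    lan = ipaddress.ip_network(peer_lan)
    # The peer's domain is peer LAN -> our network; mirror it into our orientation.
    peer_mirrored = [(ipaddress.ip_network(n), lan) for n in peer_networks]
    nonat_to_peer = [e for e in nonat if e[1].overlaps(lan)]
    return {
        # selected for encryption but still subject to NAT: tunnel traffic breaks
        "crypto_not_nat_exempt": missing_from(crypto, nonat),
        # the peer expects these in the tunnel; our crypto ACL never selects them
        "peer_not_in_crypto": missing_from(peer_mirrored, crypto),
        # we select these; the peer does not (phase 2 proposal mismatch candidates)
        "crypto_not_on_peer": missing_from(crypto, peer_mirrored),
        # exempt from NAT towards the peer LAN but never encrypted: routed out in clear
        "nonat_not_in_crypto": missing_from(nonat_to_peer, crypto),
    }


def fmt(pairs):
    """Render (src, dst) pairs as readable strings."""
    return [f"{s} -> {d}" for s, d in pairs]


# Subset of the ACL lines posted above (only the entries relevant to the branch).
ASA_CONFIG = """
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192
access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
"""

# Branch LAN (assumed) and the networks the Vigor routes over the VPN, per its routing table.
BRANCH_LAN = "192.168.2.0/24"
BRANCH_VPN_NETWORKS = ["192.168.40.0/24", "192.168.50.0/24", "192.168.10.0/24",
                       "192.168.0.0/24", "192.168.7.0/24", "192.168.30.0/24", "192.168.20.0/24"]

if __name__ == "__main__":
    report = audit(ASA_CONFIG, "insideOutboundNonatAcl", "outside_2_cryptomap",
                   BRANCH_LAN, BRANCH_VPN_NETWORKS)
    for key, pairs in report.items():
        print(f"{key}: {fmt(pairs) or 'none'}")
```

Run against the posted config it reports exactly the discrepancy Jouni spotted: 192.168.7.0/24 is in the branch's routing table and in the HO NAT0 ACL but not in the HO crypto ACL, and the broad `192.168.0.0 255.255.0.0` NAT-exempt entry is wider than anything the crypto ACL selects. Coverage is judged by supernet, so a wider entry on one side is reported as a mismatch rather than silently accepted, which is the case that makes a picky peer refuse phase 2.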
"2 routers, one subnet" or "how do I access LAN of Router#1 from R#2"
Hi folks,
First post is a question but I hope I can contribute in the future.
I realize what I really want is a Wireless Access Point but I was in a rush and none are available locally. My need is to provide wireless internet on my upper floor where the DSL connected router in the basement will not reach. Wireless is disabled on DSL Router1 and not required there. I have currently succeeded in this by connecting a second router (WRT110) via ethernet on my top floor and configuring it to provide a separate subnet. It acquires an address on its WAN port from Router1 via DHCP and feeds wireless devices on the new subnet with DHCP provided addresses of its own. NAT is enabled.
--Works fine for accessing Internet.
However,
I need to run a Squeezebox (ethernet or wireless) from Router2. It has to talk to its server on Router1's subnet. It successfully receives an address from R2 but will not connect to the server on the other subnet.
Short question is Can I make this Work and How?
Random thoughts.
Ideally, I wanted to have the WRT110 "existing on" and "providing wireless access to" the same subnet as Router1. I was told it could be done and it makes some sense if I connect them via LAN ports on both and address accordingly, disable NAT, etc... but I can't quite figure it out. Even when I tell the WRT110 that I want to assign it a static IP from the first subnet, it asks for both a WAN and LAN address. If somebody can describe how to configure it to simply exist on subnet #1, it would be most ideal.
Otherwise if keeping two routed subnets
I see a route in my routing table for the two subnets to talk but is NAT still occurring on the packets travelling through the WRT110, even when just trying to access the other local subnet? If so, that boggles my mind on the routing statement requirements.
I tried enabling port forwarding (totally demilitarized it) for the server's IP on Router2 but I'm now thinking I should have done it on R1 as that's where the server exists, but would that only apply to traffic out R1's WAN port? Is this even required at all?
Tried to ponder combinations of NAT off & static or enhanced routing but haven't devised a combination that makes sense or works.
If I ping the server from a laptop running from the second subnet, I get destination host unreachable vs. a time out. So it knows it's out there (kinda sorta) but can't talk at IP level? This only tells me that 'maybe' it's possible if I get it the routing set right.
I won't write every combo I tried, hoping that by now you see what I am trying to accomplish and can tell me the best way to do it or that it's not worth the effort.
P.S.
Yes, I have considered a cheap switch just ahead of R2 so that I could keep the Squeezebox on the old subnet where it's happy and also feed the WRT110 to let it happily route my wireless internet traffic.
I also considered returning the WRT110 and ordering a Wireless Access Point via the Internet but I need to provide service for some guests by tomorrow night. Hope someone here can help.
Thanks in advance.

Assuming your DSL is connected to Router #1 (not Linksys) and its default IP Address is 192.168.1.1 (subnet: 255.255.255.0)... Then you should change the default IP Address of Router #2 (Linksys WRT110) to 192.168.1.2 (this address should be unique) and disable the DHCP Server on Router #2, and its Internet Connection type should always be 'Automatic DHCP'... This configuration will work when both the routers are connected using their LAN Ports... The Internet/WAN Port is not used when connecting both the routers to each other...
With the above mentioned configuration, computers connected to router #1 will communicate with computers connected to router #2... -
WRV200 IPSEC VPN to a remote site with 2 different subnets
Hi,
My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
When I do this with the WRV200 both tunnels come up but in the view of the VPN status they both have the remote network listed as 192.168.0.0 /24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use the tunnel#B I can connect to the 10 network.
Anyone been able to get this working?

Hi,
Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through a L2L VPN connections you have to consider what the source addresses for the Web server connections can be?
It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
Judging by your examples it would seem that you are using a 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses) or should I just give you some example configurations?
Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
- Jouni -
I apologize in advance for the rambling novella, but I tried to include as many details ahead of time as I could.

I guess like most issues, this one's been evolving for a while. It started out with us trying to add a new member to a replication group that's on a subnet without connectivity to the FSMO roles holder. I'll try to describe the layout as best as I can up front.

The AD only has one domain & both the forest & domain are at 2008R2 function level. We've got two sites defined in Sites & Services: Site A is an off-site datacenter with one associated subnet & Site B has 6 associated subnets, A-F. The two sites are connected by a WAN link from a cable provider. Subnets E & F at Site B have no connectivity to Site A across that WAN, only what's available through the front side of the datacenter through the public Internet. The network engineering group involved refuses to route that WAN traffic to those two subnets & we've got no recourse against that decision; so I'm trying to find a way to accomplish this without that if possible.

The FSMO roles holder is located at Site A. I know that I can define a Site C, add Subnets E & F to that site, & then configure an SMTP site link between Sites A & C, but that only handles AD replication, correct? That still wouldn't allow me, for example, to enumerate DFS namespaces from subnets E & F, or to add a fileserver on either of those subnets as a member to an existing DFS replication group, right? Also, root scalability is enabled on all the namespace shares.

Is there a way to accomplish both of these things without transferring the FSMO roles from the original DC at Site A to, say, the bridgehead DC at Site B?

When the infrastructure was originally set up by a former analyst, the topology was much more simple & everything was left under the Default First Site & no sites/subnets were set up until fairly recently to resolve authentication issues on Subnets E & F... I bring this up just to say, the FSMO roles holder has held them throughout the build out & addition of all sorts of systems & I'm honestly not sure what, if anything, the transfer of those roles will break.

I definitely don't claim to be an expert in any of this, I'll be the first to say that I'm a work-in-progress on this AD design stuff. I'm all for R'ing the FM, but frankly I'm dragging bottom at this point in finding the right FM. I've been digging around on Google, forums, & TechNet for the past week or so as this has evolved, but no resolution yet.

On VMs & machines on subnets E & F when I go to DFS Management -> Namespace -> Add Namespaces to Display..., none show up automatically & when I click Show Namespaces, after a few seconds I get "The namespaces on DOMAIN cannot be enumerated. The specified domain either does not exist or could not be contacted". If I run a dfsutil /pktinfo, nothing shows except \sysvol, but I can access the domain-based DFS shares through Windows Explorer with the UNC path \\DOMAIN-FQDN\Share-Name, and then when I run a dfsutil /pktinfo it shows all the shares that I've accessed so far.

So either I'm doing something wrong, or, for some random large, multinational company, every subnet & fileserver one wants to add to a DFS Namespace has to be able to contact the FSMO roles holder? Or, are those ADs broken down with a child domain for each Site & a FSMO roles holder for that child domain located in each site?

Hi Matthew,
Unfortunately a lot of the intricacies of DFS leave my head as soon as I'm done with a particular design or troubleshooting situation but from memory, having direct connectivity to the PDC emulator for a particular domain is the key to managing domain based DFS.

Have a read of this article for the differences between "Optimize for consistency" vs "Optimize for scalability":
http://technet.microsoft.com/en-us/library/cc737400(v=ws.10).aspx

In brief, I'd say they mean:
In consistency mode the namespace servers always poll the PDCe for the latest and greatest information on the namespaces they are hosting.
In scalability mode the namespace servers should poll the closest DC for information on the namespaces they are hosting.

The key piece of information in that article about scalability mode is: "Updates are still made to the namespace object in Active Directory on the PDC emulator, but namespace servers do not discover those changes until the updated namespace object replicates (using Active Directory replication) to the closest domain controller for each namespace server."

I read that as saying you can have a server running DFS-N as long as it has connectivity to a DC but if you want to make changes, do them from a box that has direct connectivity to the PDCe. Then let AD replication float those changes out to your other DCs where the remote DFS-N server will eventually pick them up. Give it a try and see how you get on.
That being said, you may want to double check that you have configured the most appropriate FSMO role placement in your environment's AD design:
http://technet.microsoft.com/en-us/library/cc754889(v=ws.10).aspx
And a DFS response probably wouldn’t be complete without an AskDS link:
http://blogs.technet.com/b/askds/archive/2012/07/24/common-dfsn-configuration-mistakes-and-oversights.aspx
These links may also help:
http://blogs.technet.com/b/filecab/archive/2012/08/26/dfs-namespace-scalability-considerations.aspx
http://blogs.technet.com/b/josebda/archive/2009/12/30/windows-server-dfs-namespaces-reference.aspx
http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
I hope this helps,
Mark -
FAX server in 10.5 server and across subnets
We can use 10.5 Server as a FAX server. Since I got this working a while ago, it has run reliably.
This is how we are doing it. Hopefully this will help others get it working too.
Our server: 10.5.2, Pro Intel 2x2.8 quad with a USB Apple faxmodem attached to the front USB port plugged into a standard phone line. Print service is set up and running and happens to be serving printers for us. Once the FAX seemed to get confused and not receive or send. I unplugged the USB fax, plugged it back in and it was fine again.
At the server I opened a TextEdit document and told the server to fax from Print > PDF > Fax PDF. A fax printer was automatically created on the server. While the fax was printing I told the printer in the Dock to "keep in dock." Opened that fax printer, chose the "info" icon at the top of the window and renamed the fax from "external modem" to a new name so that it would be easy for our staff to use and find it. The server now has a fax on it. As anyone who has tried this has found, you CANNOT edit the FAX from Server Admin. You can now see it as a queue with the new name it was given but editing it is not possible from SA.
At the server still in System Preferences > Fax and print > the new fax appears in the bottom of the printers list under "Faxes." Select the fax. Select "receive options" and set up how the fax is to receive and place received faxes. Ours go in to a folder in a share point which is available and automounted to everyone on our network so anyone, anywhere can get the incoming faxes. The next point assumes that you will do the same.
In 10.4 and once in 10.5 I had to delete the fax manually from System Preferences and recreate it as above when everything seemed to stop working and unplugging the modem and rebooting the server did not fix the stall. As long as everything is named exactly the same when you recreate the fax, no other changes or repeat of what is described below was needed.
For each of the users in our OD:
Tell them each to do the following: Open Applications > Applescript > Folder actions setup. Check off "enable folder actions," hit the + under the left box and select the folder in the share where the faxes are being received. Now select the fax folder in the left and hit the + under the right box and choose "add - new item alert." Save as necessary. The users who do this will now get notification when a new fax arrives and is deposited by the server in the Fax folder.
Now to get the fax to the clients to fax out on. The following will also get all of your shared printers onto any off server's subnet clients. For us the fax did not even show up in local subnet clients as printers usually do. So I kept working and eventually came up with the following:
Our network:
Main location 192.168.1.* server is here.
Remote locations connected via Verizon T1 and routers with no firewalling
192.168.2.*
192.168.3.*
Our client machines :
Intel white iMacs all running 10.5.2 with no special software for faxing. Our clients are bound to and controlled by our server.
I have been trying to get our server to serve the FAX across our 2 remote subnets since 10.3. With the newer CUPS coming with 10.5 and Apple now owning it I hoped that there would be an easy solution to get non local subnet computers the ability to see shared faxes and printers. Sent a forum question and got the following which was great news
Erich Wetzel wrote:
Can anyone advise, now that Apple owns CUPS, how to allow my other
two subnets to BrowsePoll our server for its printers?
The simplest way is to change the "Allow from @LOCAL" lines to be
"Allow from all". You can also use the web interface and check the
"Allow printing from the Internet", which does the same. If you
don't want to open up that much, just add "Allow from" lines for
each subnet.
Once you make this change, *do not* toggle the printer sharing box,
or you'll have to make the changes all over again.
Michael Sweet, Easy Software Products mike at easysw dot com
Michael,
Thanks for the reply, sounds like you have my solution. Small problem, upon selecting "allow printing from internet" in the web interface and committing the changes, the server restarts and the check box is empty again. In quick tests, the other options can be turned on and off as you would expect. Is there something particular to the Apple 10.5.1 install that would not permit internet printing or not permit this change?
I think the check box state in the web interface is a known bug in
CUPS 1.3.4.
I used the web interface for CUPS on the server and manually added the networks as described by Michael above. I don't know if it is required but I restarted the server. Open Safari > browse to localhost:631 and you will get the CUPS web interface. The CUPS web interface is available on servers and clients. You can also browse to an IP or FQDN:631 to get the web interface from another machine that accepts it.
The server was now supposedly ready to accept "browsepoll" requests from clients. I had played with this before so I was somewhat familiar with what to do next. Essentially each client needs to be told to contact the server and ask it for its printers. That is what browsepoll does in CUPS.
At the client, be logged in as an admin user OF THE CLIENT. Using Terminal and a text editor, edit as root /etc/cups/cupsd.conf
A few lines down look for:
# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAllow all
After that we added :
#*added by Erich*
BrowseProtocols all
BrowseRemoteProtocols all
BrowsePoll yourserver:631
BrowsePort 631
#*added by Erich*
where "yourserver" is either the IP address or FQDN of your server as seen by the client machine.
Save the file. Reboot the client. The CUPS system on the client will now ask your server's CUPS system for its printers directly and repeatedly until it gets them. If it does not get any you will not be notified in any way other than log messages on the client (see Console > /var/log > cups to review them) and the fact that you don't get your server's printers being available on the client.
This last piece came from a discussion started by Alessandro Dellavedova : check the starting post
http://discussions.apple.com/thread.jspa?messageID=5702731
If you go to Safari > Localhost:631 on the client, CUPS should now see both the printers and the fax which are being hosted by your server.
Here's the fun part for me, with no additional playing I was now able to see the fax we created long ago in the print dialog printer list. You do not have to go to Print > PDF > Fax PDF, you can but do not have to. Just select the fax from the printer list and the dialog changes to fax appropriate options. Now we were able to print any document to the fax directly.
Odd behavior I have yet to figure out. I do not see the fax in the System Preferences > print and fax pane on the client machines. However, I can now fax through our server from all of our clients no matter what subnet they are on.
Making the same additions to the cupsd.conf file on remote machines which VPN via the internet to your network will get them the printers and fax in the same way. I do this with a PowerBook and iMac from home so I can print at and fax from work.
This is what I did to get it working for us. Hope this helps.
-Erich

This is great! Thanks a lot, this was exactly what I was looking for!
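Michael Sweet's reply above offers two options: `Allow from all` (the same thing the "Allow printing from the Internet" checkbox sets) or one `Allow from` line per subnet. The second is the least-privilege choice, since the first lets anything that can reach TCP 631 on the server, including VPN clients and, if the box is ever exposed, the Internet, submit print and fax jobs. As an added example (editor's code, not from Erich's post or from CUPS), here is a small Python helper that finds blanket `Allow` directives in a cupsd.conf and rewrites the `<Location />` block to admit only `@LOCAL` plus named subnets. The sample file is constructed to resemble a Leopard-era cupsd.conf; the subnets are the two remote ones from Erich's network description.

```python
"""Tighten a cupsd.conf '<Location />' block from 'Allow from all' to named
subnets. Editor's example; not part of the original forum post or of CUPS."""
import ipaddress
import re

# Allow directives that admit every client: 'Allow all', 'Allow from all', 'Allow from 0.0.0.0/0'
ALLOW_ALL = re.compile(r"^\s*Allow\s+(?:from\s+)?(?:all|0\.0\.0\.0/0)\s*$", re.I)


def blanket_allows(conf):
    """List every Allow directive in conf that admits any client address."""
    return [ln.strip() for ln in conf.splitlines() if ALLOW_ALL.match(ln)]


def tighten_location(conf, subnets, path="/"):
    """Rewrite <Location path> so only @LOCAL plus the given subnets may connect.

    Every existing Allow line inside that block is dropped; Order/Deny and other
    lines are kept as they are. Subnets must be valid CIDR so a typo cannot
    leave a block that cupsd rejects (and with it, no access control at all).
    """
    for net in subnets:
        ipaddress.ip_network(net)  # raises ValueError on malformed input
    block = re.compile(r"(<Location %s>)(.*?)(</Location>)" % re.escape(path), re.S)
    m = block.search(conf)
    if m is None:
        raise ValueError(f"no <Location {path}> block in cupsd.conf")
    head, body, tail = m.groups()
    kept = [ln for ln in body.splitlines() if not re.match(r"\s*Allow\b", ln, re.I)]
    allows = [f"  Allow from {net}" for net in ("@LOCAL", *subnets)]
    new_body = "\n".join(kept + allows) + "\n"
    return conf[:m.start()] + head + new_body + tail + conf[m.end():]


# Constructed sample, shaped like a 10.5 cupsd.conf after "Allow printing from the Internet".
SAMPLE = """# cupsd.conf (constructed sample)
Listen localhost:631
Browsing On
BrowseOrder allow,deny
BrowseAllow all
<Location />
  Order allow,deny
  Allow from all
</Location>
<Location /admin>
  Order allow,deny
  Allow from @LOCAL
</Location>
"""

if __name__ == "__main__":
    print("blanket allows before:", blanket_allows(SAMPLE))
    fixed = tighten_location(SAMPLE, ["192.168.2.0/24", "192.168.3.0/24"])
    print(fixed)
    print("blanket allows after:", blanket_allows(fixed))
```

The server must still `Listen` on an address the remote subnets can reach (Printer Sharing in System Preferences does that), and after editing the file by hand the note in Michael's reply applies: toggling the sharing checkbox regenerates cupsd.conf and discards the change. `BrowseAllow all` is left alone on purpose; it controls which browse packets the server accepts, not who may print.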