Unable to ping across subnet

Hi,
I have a Solaris system
hostname sun
router (IP) 10.xx.xx.1
IP 10.xx.xx.20
network id 10.xx.xx.0
mask 255.255.255.0
where problem is
I can't ping from the Solaris machine (sun) to any PC across the subnet (with IP as well as name).
resolution
--> /etc/defaultrouter is in order
--> network card is properly setup and running
--> can ping any system on local subnet including router(with IP ! DNS is across the subnet).
--> can ping from other PC's(win) on same subnet to systems across subnet using same default gateway settings
( that is routing settings at router are okay) .
--> netstat -r (shows following output )
sun% netstat -r
Routing Table:
Destination    Gateway       Flags  Ref  Use    Interface
10.xx.xx.0     sun           U      3    2460   hme0
224.0.0.0      sun           U      3    0      hme0
default        10.xx.xx.1    UG     0    37756
localhost      localhost     UH     0    6502   lo0
sun%
--> /etc/netmasks
10.0.0.0 255.255.255.0
--> It takes an unreasonably long time to set the default interface for multicast during boot.
Any suggestions where the problem could be?
Thanks
garry

Hi garry
Yes, you cannot ping with name unless you don't include that system's name and IP in the host file.
Due to the following reasons, you cannot ping an IP across the subnet:
1. The pinging IP may be in a different VLAN for which you don't have any access.
2. The default gateway has to be added which is accessible to other subnet also.
To overcome your problem:
sample diagram of your problem
sub net 1- - - - - - - - - - - - - - - -
you are here |
sub net 2 - - - - - - - - - - - - route - - - - -dns / internet
|
sub net 3- - - - - - - - - - - - - - - -
is this n/w diag ok.
If you still have any problem, check the ACL of the router.
Regards
Sridhar M

Similar Messages

  • Unable to ping across subinterfaces

    Hi everyone,
    This is my first time using this service so please be gentle.
    I have an 871 router connected to a 2960 switch via two ports; both ports are configured as trunks.
    On one of the router's trunks, I have set up subinterfaces.
    My issue is - how come I can't ping across subinterfaces, or even VLANs? Any suggestions would greatly help.
    Following are my router's config and CDP output for both the router and switch:
    Current configuration : 6000 bytes
    ! Last configuration change at 16:08:47 C Wed Oct 23 2013 by root
    ! NVRAM config last updated at 14:32:14 C Fri Jul 19 2013 by root
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime show-timezone year
    service timestamps log datetime msec localtime show-timezone year
    service password-encryption
    service sequence-numbers
    hostname kai-vlan-gw
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$lcxP$E3AqTmhjOU7dVGPhEEQCN1
    no aaa new-model
    resource policy
    clock timezone C 3
    ip subnet-zero
    ip cef
    no ip bootp server
    ip domain name kenyanalliance.local
    ip name-server 192.168.5.1
    ip multicast-routing
    ip ssh time-out 60
    login block-for 100 attempts 3 within 100
    crypto pki trustpoint TP-self-signed-1536830124
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1536830124
    revocation-check none
    rsakeypair TP-self-signed-1536830124
    username root password 7 10455D485044111E1E57
    class-map type port-filter match-all DHCP_Traffic
    match  port udp 67
    class-map type port-filter match-all Telnet_Traffic
    match  port tcp 23
    policy-map type port-filter Unnecessary_Ports
      class DHCP_Traffic
       drop
      class Telnet_Traffic
       drop
    interface FastEthernet0
    interface FastEthernet1
    switchport mode trunk
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    interface FastEthernet4.5
    encapsulation dot1Q 5
    ip address 192.168.5.245 255.255.255.0
    no snmp trap link-status
    interface FastEthernet4.10
    encapsulation dot1Q 10
    ip address 192.168.10.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.10.250
    no snmp trap link-status
    interface FastEthernet4.11
    encapsulation dot1Q 11
    ip address 192.168.11.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.11.250
    no snmp trap link-status
    interface FastEthernet4.12
    encapsulation dot1Q 12
    ip address 192.168.12.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.12.250
    no snmp trap link-status
    interface FastEthernet4.13
    encapsulation dot1Q 13
    ip address 192.168.13.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.13.250
    no snmp trap link-status
    interface FastEthernet4.14
    encapsulation dot1Q 14
    ip address 192.168.14.254 255.255.255.0
    ip helper-address 192.168.14.250
    no snmp trap link-status
    interface FastEthernet4.15
    encapsulation dot1Q 15
    ip address 192.168.15.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.15.250
    no snmp trap link-status
    interface FastEthernet4.16
    encapsulation dot1Q 16
    ip address 192.168.16.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.16.250
    no snmp trap link-status
    interface FastEthernet4.20
    encapsulation dot1Q 20
    ip address 192.168.20.254 255.255.255.0
    ip verify unicast reverse-path
    ip helper-address 192.168.20.250
    no snmp trap link-status
    interface Vlan1
    ip address 10.10.10.25 255.255.255.0
    ip route-cache flow
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.5.254
    ip route 172.20.20.8 255.255.255.248 192.168.5.150
    ip route 172.22.254.0 255.255.255.224 192.168.20.253 name TO-AKI
    ip route 192.168.0.0 255.255.255.0 192.168.5.252 name Mombasa
    ip route 192.168.1.0 255.255.255.0 192.168.5.252 name Thika
    ip route 192.168.18.0 255.255.255.0 192.168.5.252 name Kisumu
    ip route 192.168.21.0 255.255.255.0 192.168.5.150 name Machakos
    ip route 192.168.22.0 255.255.255.0 192.168.5.150 name Bunyala_Yard
    ip route 192.168.23.0 255.255.255.0 192.168.5.150 name Meru
    ip route 192.168.100.0 255.255.255.0 192.168.5.150
    no ip http server
    ip http authentication local
    ip http secure-server
    logging trap debugging
    logging 192.168.20.12
    access-list 100 permit ip 192.168.5.0 0.0.0.255 any
    control-plane host
    control-plane
    banner exec ^C
    Please be advised that you must be an administrator to proceed.
    Failure to comply with this notification could lead to prosecution.
    ^C
    banner login ^C
    ==============================================================
    You're logging in to a restricted device. Please contact the
    administrator if you need access!!
    ==============================================================
    ^C
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    password 7 130E43435E5F073F3977
    login local
    transport preferred ssh
    transport input ssh
    scheduler max-task-time 5000
    ntp clock-period 17174973
    ntp server 128.138.141.172
    end
    Router CDP neighbors:
    kai-vlan-gw#show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    etsw1            Fas 1              142          S I      WS-C2960-2Fas 0/23
    etsw1            Fas 4              152          S I      WS-C2960-2Gig 0/1
    Switch CDP neighbors:
    etsw1#show cdp neighbors
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    kai-vlan-gw.kenyanalliance.local
                     Fas 0/23          150          R S I     871       Fas 1
    kai-vlan-gw.kenyanalliance.local
                     Gig 0/1           156          R S I     871       Fas 4
    etsw3            Gig 0/2           177           S I      WS-C2960- Gig 0/2
    Kenyan_Alliance_MPLS_HQ
                     Fas 0/7           158          R S I     871       Fas 0
    Kenya_Alliance.yourdomain.com
                     Fas 0/13          151          R S I     1841      Fas 0/0
    Kenya_Alliance_HQ
                     Fas 0/14          158          R S I     881       Fas 3

    Thanks for your response.
    Yes, the Vlans exist on the switch. Here's my switch config:
    Current configuration : 3125 bytes
    ! Last configuration change at 10:13:13 C Thu Oct 24 2013
    version 12.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname etsw1
    enable secret 5 $1$QtkT$ArHPOKJqiLtNCA1/a0cjr.
    no aaa new-model
    clock timezone C 3
    system mtu routing 1500
    ip subnet-zero
    ip name-server 192.168.5.1
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/2
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/3
    interface FastEthernet0/4
    description VMHost_10.10.10.6
    switchport mode trunk
    interface FastEthernet0/5
    description VMHost_10.10.10.7
    switchport mode trunk
    interface FastEthernet0/6
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/7
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/8
    description VMHost_10.10.10.6
    switchport mode trunk
    interface FastEthernet0/9
    description VMHost_10.10.10.7
    switchport mode trunk
    interface FastEthernet0/10
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/11
    switchport access vlan 20
    switchport mode access
    interface FastEthernet0/12
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/13
    switchport mode trunk
    interface FastEthernet0/14
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/15
    description VMHost_10.10.10.6
    switchport access vlan 20
    switchport mode trunk
    interface FastEthernet0/16
    description Proxy_Server
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/17
    description VMHost_10.10.10.7
    switchport mode trunk
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    description VMHost_10.10.10.7
    switchport mode trunk
    interface FastEthernet0/20
    switchport access vlan 5
    switchport mode access
    interface FastEthernet0/21
    switchport access vlan 20
    switchport mode access
    shutdown
    interface FastEthernet0/22
    switchport mode trunk
    interface FastEthernet0/23
    description Mgmnt_VLAN_Int
    switchport access vlan 5
    switchport mode trunk
    interface FastEthernet0/24
    interface GigabitEthernet0/1
    switchport mode trunk
    interface GigabitEthernet0/2
    switchport mode trunk
    interface Vlan1
    ip address 10.10.10.1 255.255.255.0
    no ip route-cache
    ip default-gateway 10.10.10.25
    ip http server
    logging trap debugging
    logging 192.168.20.12
    control-plane
    banner login ^C
    ============================================================
    You're logging in to a restricted device. Please contact the
    administrator if you need access!!
    ============================================================
    ^C
    line con 0
    password 7 15195F5D517928313A60
    login
    line vty 0 4
    session-timeout 5
    password 7 15195F5D517928313A60
    login
    line vty 5 15
    login
    ntp clock-period 36029439
    ntp server 10.10.10.25
    end

  • WRT54G / upgraded firmware, unable to access across subnets

    Hi,
    I have a network with 10 WRT54G (v6)'s.  Recently I upgraded the firmware on two units from 1.00.7 to the latest 1.02.2 and am experiencing some network weirdness.
    The wireless routers are connected via the LAN port to a linux router which is a firewall/bridge between subnets 10.1.3.x & 10.1.1.x.  I have rules in place to allow my workstation to http to the 10 routers and disallow everything else.  All of this is logged.
    I cannot from my workstation (10.1.1.x) access the web interface on the two units I upgraded the firmware on (10.1.3.x).  I can still access the web interface on the remaining units (10.1.3.x).
    I can however access the web interface from the same subnet to the newly upgraded units.
    I can see from the firewall log that the packet is making it out correctly and tcpdump verifies this.
    Does anybody have a clue what is going on.  I feel like it would be best to return to the previous firmware, but where do I find it???
    Thanks,
    Lee

    Hi Lee,
    logon to ftp://ftp.linksys.com/pub/network/ and download the previous firmware version and try downgrading the firmware...

  • Multiple routers and subnets - can't access across subnets

    Hey all, I'm having an issue with multiple routers and subnets on my FIOS connection. Here's how everything is setup:
    Primary router:
    ActionTec MI424WR Rev D (from Verizon)
    WAN IP: From ISP
    WAN NETMASK: From ISP
    LAN IP: 192.168.1.1
    LAN NETMASK: 255.255.255.0
    Secondary router (WAN connected to ActionTec LAN):
    Belkin N750 gigabit w/ 802.11n
    WAN IP: 192.168.1.2
    WAN NETMASK: 255.255.255.0
    LAN IP: 192.168.2.1
    LAN NETMASK: 255.255.255.0
    With this setup, I have the secondary router's WAN port connected to a LAN port on the primary router. Each are broadcasting an SSID and each are running DHCP to assign address to their respective subnets. Everything was well and good, except that I could reach 192.168.1.* systems from 192.168.2.*, but not vice versa -- anything connected to the Primary router was blind to systems connected to Secondary. Also, I could not ping anything on .2 from .1.
    So, I added the following static route to the primary router:
    DESTINATION: 192.168.2.0
    NETMASK: 255.255.255.0
    GATEWAY: 192.168.1.2
    Once this was added to the router, I could ping everything, so that was good. However, even though .1 can now ping .2, I can't access certain things such as the web interface of my NAS (192.168.2.2). I can ping it, but accessing it in the browser from .1 doesn't work; however, accessing from .2 does work.
    I think the ActionTec router might be blocking it, but that's just a guess. The firewall on this thing has me thoroughly confused. Currently, I have 192.168.1.2 in the DMZ on the ActionTec, but that didn't make a difference. I've also completely disabled the firewall on the secondary Belkin router, but still nothing.
    Any help from the pros here? Much appreciated!

    Ok, I figured it out and everything is now working. The issue appears to be that the ActionTec router doesn't recognize traffic from Subnet 1 to Subnet 2 as internal traffic -- it treats it as external traffic and closes it off. To fix this, it required some Advanced Firewall Filters that were far from unintuitive and took a lot of testing to get it just right. If anyone runs into a similar situation in the future, here's a rundown of what I did to make it all work:
    Primary Router:
    ActionTec, MI424WR Rev D
    WAN IP/NETMASK: Assigned by ISP
    LAN IP/NETMASK: 192.168.1.1 / 255.255.255.0
    Secondary Router:
    Belkin N750 Gigabit w/ 802.11n
    WAN IP/NETMASK: 192.168.1.2 / 255.255.255.0
    LAN IP/NETMASK: 192.168.2.1 / 255.255.255.0
    Plug Secondary router's WAN port into a LAN port on the Primary router.
    Setup Secondary router to have static LAN address (192.168.1.2)
    At this point, you should have 2 separate subnets: Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*).
    Systems on both subnets should be able to reach the internet. Also, Subnet 2 should be able to ping and reach systems on Subnet 1; however, systems on Subnet 1 should not be able to ping or reach systems on Subnet 2. For this, we need to create a static route so Subnet 1 can reach Subnet 2.
    Create and apply the following static route in the Primary router:  (Advanced > Routing)
    RULE NAME: Network (Home/Office)
    DESTINATION: 192.168.2.0 (your secondary subnet)
    GATEWAY: 192.168.1.2 (secondary router's WAN IP)
    NETMASK: 255.255.255.0
    METRIC: 1
    The router now has a route between Subnet 1 (192.168.1.*) and Subnet 2 (192.168.2.*). You should be able to ping systems on Subnet 1 from 2, and ping systems on Subnet 2 from 1. You should not be able to access any systems, though -- the firewall is still blocking all but ping traffic from Subnet 1 to Subnet 2. We need to create some firewall rules to allow this communication.
    Make sure Primary firewall is set to at least typical/medium (Firewall Settings > General).
    We need to create some network objects to make it easier to manage the rules we'll create. Go to Advanced > Network Objects and do the following:
    1. Click Add. You are now on Edit Network Object screen.
    2. Set Description to 'Subnet 1'.
    3. In Items section below, click Add.
    4. Set Network Object Type to 'IP Subnet'.
    5. Set Subnet IP Address to 192.168.1.0.
    6. Set Subnet Mask to 255.255.255.0.
    7. Click Apply. You are now back on Edit Network Object screen.
    8. Click Apply. You are now back on Network Objects Screen.
    9. Repeat the above steps again, but this time creating a second network object called 'Subnet 2':
    Name: Subnet 2
    IP Subnet: 192.168.2.0
    Subnet Mask: 255.255.255.0
    Now we create the firewall rules. Go to Firewall Settings > Advanced Filtering.
    In the Inbound/Input rules section, click the Add link next to Network (Home/Office) Rules.
    Create the following Advanced Filter:
    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'
    Click Apply. You will now be back on the Advanced Filtering page.
    In the Outbound rules section, click the Add link next to Network (Home/Office) Rules.
    Create the following Advanced Filter:
    SOURCE ADDRESS: Select 'Subnet 1'
    DEST. ADDRESS: Select 'Subnet 2'
    PROTOCOL: 'Any'
    OPERATION: 'Accept Packet'
    OCCUR: 'Always'
    Click Apply. You will now be back on the Advanced Filtering page.
    Click Apply.
    You're all done. You should now have internet access on both subnets, be able to ping across subnets and also be able to access services across subnets (local webservers, SSH, telnet, mail, etc). You will not be able to see network file shares across subnets in Windows, however, as this requires a WINS server (which is well outside the scope of this post). For instance, I have a Western Digital NAS on the 192.168.2.0 subnet that I can access as \\Mybooklive\ from within Subnet 2; on Subnet 1, however, I have to access it by its IP \\192.168.2.10\. 
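
The three stages of the walkthrough above, modelled as an added example that is not part of the original post and is not ActionTec code: a longest-prefix-match route lookup on the primary router followed by a first-match filter. The host 192.168.1.50 and the default policy (only ping passes between the subnets, as the post describes) are assumptions.

```python
import ipaddress

SUBNET1 = ipaddress.ip_network("192.168.1.0/255.255.255.0")
SUBNET2 = ipaddress.ip_network("192.168.2.0/255.255.255.0")

# Primary router before the change: its own LAN plus a default route to the ISP.
BASE_ROUTES = [(SUBNET1, "connected"), (ipaddress.ip_network("0.0.0.0/0"), "wan")]
# The static route from the post: DESTINATION / NETMASK / GATEWAY.
STATIC_ROUTE = (SUBNET2, "192.168.1.2")
# The Advanced Filter from the post: Subnet 1 -> Subnet 2, any protocol, accept.
ACCEPT_1_TO_2 = (SUBNET1, SUBNET2, "any", "accept")


def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def filter_action(rules, src, dst, proto):
    """First matching rule decides; otherwise fall back to the default policy."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, rule_proto, action in rules:
        if src in src_net and dst in dst_net and rule_proto in ("any", proto):
            return action
    # Assumed default, taken from the post's description: ping gets through,
    # everything else between the subnets is closed off.
    return "accept" if proto == "icmp" else "drop"


def forward(routes, rules, src, dst, proto):
    """What the primary router does with one packet from src to dst."""
    hop = next_hop(routes, dst)
    if hop == "connected":
        return "local"      # same subnet, the router is not involved
    if hop == "wan":
        return "wan"        # follows the default route towards the ISP
    if filter_action(rules, src, dst, proto) == "drop":
        return "dropped"
    return f"via {hop}"


def stages(src="192.168.1.50", dst="192.168.2.2"):
    """Outcome for a Subnet 1 host reaching the NAS at each step of the post."""
    with_route = BASE_ROUTES + [STATIC_ROUTE]
    return {
        "no static route, ping": forward(BASE_ROUTES, [], src, dst, "icmp"),
        "static route, ping": forward(with_route, [], src, dst, "icmp"),
        "static route, tcp": forward(with_route, [], src, dst, "tcp"),
        "static route + filter, tcp": forward(with_route, [ACCEPT_1_TO_2], src, dst, "tcp"),
    }


if __name__ == "__main__":
    for stage, outcome in stages().items():
        print(f"{stage:28} -> {outcome}")
```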

  • Unable to wake emacs across subnets

    We have several emac labs w/ ard active on them, however, we are unable to wake them up from our central office location. If the client is available we can observe, control and just about anything else we need to do to them. Our biggest issue is that we can't wake them up across subnets. We also have a mini running server 10.4.7 as a task server out there...any ideas

    First, make sure that "wake on network administrator access" is active in the Energy Saver -> Options on your clients.
    If it is, try WakeOnLan or WakeOnMac and see if either of those work. If those don't work either, then the routers on your network are probably not correctly passing the necessary packet.
    Hope this helps.

  • Connect mac client to mac printer share across subnets

    I need to share printers from a Mac.  I need to connect
    Mac clients on different subnets to the Mac shared printers.  I installed
    a Mac mini, connected to printers via HP JetDirect Socket (port 9100), and
    shared them.  I was able to print from the Mac mini, and connect Mac
    clients on the same subnet to the shared printers with Bonjour and print.
    I moved the Mac mini to its intended location on another subnet.  I
    immediately learned that Bonjour does not publish services across
    subnets.  I could not find documentation on how to connect to a Mac shared
    printer across subnets, but I did find some third party documentation (only some incomplete
    documentation from Apple) on how to implement DNS-SD Service Discovery.  I
    enabled DNS-SD and was able to publish the printer shares across subnets, but I
    was still unable to connect to the printer shares from a Mac client.  I
    found some third party documentation (none from Apple) on how to manually connect to a Mac
    printer share by specifying the IP address of the server, specifying the CUPS
    default IPP protocol, and the print queue name.  I was unable to connect
    to the shared printers.  I receive ping replies from my Mac mini, and port
    scan reveals that port 631 for IPP, CUPS default, is open.  Printer
    sharing is configured so everyone can print. I am able to connect to the Mac
    mini with VNC Screen Sharing.  I don’t see how this can be a network
    issue.
    Macs don’t seem to like to connect to our Windows
    shared printers because of our PaperCut software, and connecting Mac clients to
    Windows printer shares and authentication is beyond the average user,
    exacerbated by Macs not behaving the same as Windows when bound to an Active
    Directory domain.
    I called Apple support, they escalated to Apple Enterprise
    support.  Apple Enterprise support said they couldn’t help me beyond a
    single network with no subnets, but Apple Engineering might be able to solve
    the problem for $695.
    Why do I need to pay $695 to learn how to connect Mac
    clients to Mac shared printers, something that should be easy and intuitive and
    have documentation readily available?  Windows printer sharing is easy and
    intuitive and documentation is readily available, and services are published
    across subnets without having to implement DNS-SD.

    Thank you for your reply.  I followed the instructions in the sybaspot.com site and in some of the included references to set up DNS-SD.  DNS-SD worked, but I couldn't connect the Mac client to the Mac shared printers.
    I also found http://www.papercut.com/products/ng/manual/ch-mac-printing-10-8-9.html#ch-mac-printing-10-8-9-sharing-printers.
    I expanded my search and found this: http://support.apple.com/kb/PH13940, last modified May 8, 2014.  I started work on my project February 2014.  Apple Support could have told me about this document.
    PH13940 says: "The computers must be on the same local network as your Mac".  Apple must not consider multiple subnets one network.
    PH13940 says: "Printer sharing is for printers attached directly to your Mac. You don’t need to share network printers, because they are already shared on the network."
    Apple must define "network printers" as any printer with a network interface.  Microsoft defines network printers as printers shared by another computer.  TCP/IP ports are local ports on a Windows computer, so TCP/IP connected printers are local printers that can be shared.  Multiple users on a Mac all see the same connected printers.  Multiple users on Windows all see the same local printers, but network printer connections can be different for each user.
    Apple must not see any value in accounting for printing and assigning the cost to the user or department.  We need to account for printing and cannot have any users bypassing the system by printing directly to printers.  I have created Access Control lists on the printers to limit connections to the specific IP addresses of our print servers.
    The documents about setting up DNS-SD and IPP connections must have assumed USB connected printers on a Mac.  The odd thing is that I was able to share a network printer from the Mac mini when the client Mac was on the same subnet.  Is PH13940 wrong?
    I am Microsoft Certified Systems Engineer 1999 and Apple Certified Technical Coordinator 2013.

  • Jumpstart across subnets

    Hello
    I am having trouble configuring my jet toolkit to boot across subnets.
    It works fine in the same subnet but when it goes across subnets it seems to lose the default router for the client.
    {0} ok boot net:dhcp - install
    Resetting...
    POST Sequence 01 CPU Check
    POST Sequence 02 Banner
    LSB#00 (XSB#00-0): POST 2.12.0 (2009/09/09 15:17)
    POST Sequence 03 Fatal Check
    POST Sequence 04 CPU Register
    POST Sequence 05 STICK
    POST Sequence 06 MMU
    POST Sequence 07 Memory Initialize
    POST Sequence 08 Memory
    POST Sequence 09 Raw UE In Cache
    POST Sequence 0A Floating Point Unit
    POST Sequence 0B SC
    POST Sequence 0C Cacheable Instruction
    POST Sequence 0D Softint
    POST Sequence 0E CPU Cross Call
    POST Sequence 0F CMU-CH
    POST Sequence 10 PCI-CH
    POST Sequence 11 Master Device
    POST Sequence 12 DSCP
    POST Sequence 13 SC Check Before STICK Diag
    POST Sequence 14 STICK Stop
    POST Sequence 15 STICK Start
    POST Sequence 16 Error CPU Check
    POST Sequence 17 System Configuration
    POST Sequence 18 System Status Check
    POST Sequence 19 System Status Check After Sync
    POST Sequence 1A OpenBoot Start...
    POST Sequence Complete.
    Sun SPARC Enterprise M4000 Server, using Domain console
    Copyright 2009 Sun Microsystems, Inc. All rights reserved.
    Copyright 2009 Sun Microsystems, Inc. and Fujitsu Limited. All rights reserved.
    OpenBoot 4.24.12, 32768 MB memory installed, Serial #91113890.
    Ethernet address 0:21:28:6e:49:a2, Host ID: 856e49a2.
    Rebooting with command: boot net:dhcp - install
    Boot device: /pci@0,600000/pci@0/pci@8/pci@0/network@2:dhcp File and args: - install
    1000 Mbps full duplex Link up
    Timed out waiting for BOOTP/DHCP reply
    Timed out waiting for BOOTP/DHCP reply
    Timed out waiting for BOOTP/DHCP reply
    Timed out waiting for TFTP reply
    Timed out waiting for TFTP reply
    Timed out waiting for TFTP reply
    Timed out waiting for TFTP reply
    I have entered the router info in the defaultrouters file
    kenapps08g:global# cat defaultrouters
    # You can use this file to allow templates to be auto-populated with additional
    # default router settings, especially useful for managing large numbers o
    # server templates.
    # Format:
    # <subnet> <mask> <default router>
    # Example:
    # 192.168.1.0 255.255.255.0 192.168.1.254
    10.0.1.0 255.255.255.0 10.0.1.1
    10.0.2.0 255.255.255.0 10.0.2.1
    10.0.3.0 255.255.255.0 10.0.3.1
    </opt/SUNWjet/etc>
    kenapps08g:global# more dhcp.conf
    # This file is used to control some of the options for the DHCP boot
    # environment
    # DHCPDIR: The replies sent out by DHCP are limited in length; we use
    # this directory to create symlinks to the actual Solaris
    # media dirs; the intention is to keep paths short!
    # N.B. If you change this, please make sure the new area is
    # properly shared in /etc/dfs/dfstab
    DHCPDIR="/dhcp"
    # DEBUG_DHCP keep temporary files around after client_allocate_pdhcp.SunOS
    # has run. Non-null invokes debug
    DEBUG_DHCP=""
    # REMOTE_DHCP define the hostname of the Sun server running Sun's DHCP daemon
    REMOTE_DHCP="kenapps08g"
    # REMOTE_DHCP_METHOD define what method to use to propogate. ssh is currently
    # supported and requires you set up a trust relationship
    # between this server and it.
    REMOTE_DHCP_METHOD="ssh"
    # DHCP_FORMAT Which dhcp server type is supported. SUN is currently supported,
    # however, ISC is still in development. If REMOTE_DHCP is set,
    # you must set DHCP_FORMAT to SUN. Valid entries are "SUN"
    # and "NOOP". NOOP can be used if you are manually setting
    # up your own DHCP server with the required parameters.
    DHCP_FORMAT="SUN"
    kenapps08g:global# more dhcp_servers
    # You can use this file to define the DHCP servers responsible
    # for different subnets.
    # This is only required if you have multiple DHCP servers.
    # If a match is found, the settings in this file will be used,
    # otherwise the DHCP server defined in dhcp.conf will be used.
    # Format:
    # <client network> <client mask> <dhcp-server-name> <dhcp-server-tyep> <method>#
    # <dhcp-server-name> overrides the REMOTE_DHCP setting
    # <dhcp-server-type> overrides the DHCP_FORMAT setting
    # <method> overrides the REMOTE_DHCP_METHOD setting
    # Example:
    # 192.168.1.0 255.255.255.0 dhcpserver1 SUN ssh
    10.0.1.210 255.255.255.0 kenapps08g SUN ssh
    10.245.64.10 255.255.255.0 lisjump01g SUN ssh
    kenapps08g:global# more jumpstart.conf
    # This config file defines the jumpstart specific variables.
    # Version: $Revision: 1.8 $
    # Last Updated; $Date: 2009/04/15 12:41:29 $
    # Location of the additional media for patches and packages:
    # These paths should be URI form e.g. nfs://<serverip>/<path> or <path>
    # Currently only PKG_DIR and PATCH_DIR can be on a remote NFS server.
    # If they are just <path>, the appropriate address of the JumpStart server
    # will be added.
    # N.B. if the media location is on a different server, please ensure it is
    # routable from the client !
    # You can specify an alternative location for where the client can
    # NFS mount the /opt/SUNWjet directory. Simply provide the IP address
    # of the server or the IP address and path on the remote server
    # in the JS_CFG_SVR variable. However, this MUST be mounted
    # on the JET server in /opt/SUNWjet as well, and be rw by root.
    # e.g. JS_CFG_SVR="nas_server1" or
    # JS_CFG_SVR="nas_server1:/unixshare/SUNWjet"
    # When using an NFS server for images, even though the JET server
    # MUST have the boot media locally, it is possible to have the client
    # net boot from the remote NFS server. By default, clients will boot from
    # the JET server. To override this, set JS_CLIENT_BOOT to "remote".
    JS_Default_Root_PW=M4JVhMPO9CaQw
    JS_BUILD_DIR=/var/opt/sun/jet
    JS_PKG_DIR=/vendor/jumpstart/pkgs
    JS_PATCH_DIR=/vendor/jumpstart/patches
    JS_CFG_SVR=
    JS_SOLARIS_DIR=/vendor/jumpstart
    #JS_DHCP_VENDOR="SUNW.Ultra-5_10 SUNW.Ultra-30"
    JS_DHCP_VENDOR="SUNW.Sun-Fire-T1000 SUNW.Sun-Fire-V240 SUNW.SPARC-Enterprise"
    #JS_CLIENT_MANAGEMENT="bootp"
    JS_CLIENT_BOOT="local"
    kenapps08g:global# more server_interfaces
    # You can use this file to help JET determine the correct IP address to
    # use when it is configured on multi-homed hosts. It is also used to
    # define which servers on different subnets whcih can be used in conjnction
    # with dhcp.
    # As we don't know which side of the server clients will connect through,
    # you can set things up here - especially useful if this server is not
    # a router either.
    # Format:
    # <client network> <client mask> <our preferred ip address>
    # Example:
    # 192.168.1.0 255.255.255.0 10.0.0.1
    10.245.64.0 255.255.255.0 10.0.1.210
    10.0.3.0 255.255.255.0 10.0.1.210
    It has to be a defaultrouter setting somewhere because I can ping the server during jumpstart only from its own subnet.
    during the dhcp part it looks like the traffic is coming thru and it gets its offer then during the tftp part no traffic comes across anymore
    I am stuck on this one.
    thanks

    this file is in place with the interfaces
    kenapps08g:global# cat defaultrouters
    # You can use this file to allow templates to be auto-populated with additional
    # default router settings, especially useful for managing large numbers o
    # server templates.
    # Format:
    # <subnet> <mask> <default router>
    # Example:
    # 192.168.1.0 255.255.255.0 192.168.1.254
    10.0.1.0 255.255.255.0 10.0.1.1
    10.0.3.0 255.255.255.0 10.0.3.1
    183.1.2.0 255.255.255.0 183.1.2.209
    </opt/SUNWjet/etc>
    kenapps08g:global# cat server_interfaces
    # You can use this file to help JET determine the correct IP address to
    # use when it is configured on multi-homed hosts. It is also used to
    # define which servers on different subnets whcih can be used in conjnction
    # with dhcp.
    # As we don't know which side of the server clients will connect through,
    # you can set things up here - especially useful if this server is not
    # a router either.
    # Format:
    # <client network> <client mask> <our preferred ip address>
    # Example:
    # 192.168.1.0 255.255.255.0 10.0.0.1
    10.0.1.0 255.255.255.0 10.0.1.210
    10.0.3.0 255.255.255.0 10.0.1.210
    183.1.2.0 255.255.255.0 10.0.1.210
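
One way to sanity-check the two JET files quoted above, added here as an example (it is not part of the original posts and is not JET's own logic). It parses the `<network> <mask> <address>` rows and reports, for each client network, whether the preferred server address is on-link or has to be reached through a router listed in `defaultrouters`. The function names and status labels are hypothetical; the data rows are copied from the thread.

```python
import ipaddress

# Data rows copied from the files quoted in the thread (comment lines dropped).
DEFAULTROUTERS = """\
10.0.1.0 255.255.255.0 10.0.1.1
10.0.3.0 255.255.255.0 10.0.3.1
183.1.2.0 255.255.255.0 183.1.2.209
"""
SERVER_INTERFACES = """\
10.0.1.0 255.255.255.0 10.0.1.210
10.0.3.0 255.255.255.0 10.0.1.210
183.1.2.0 255.255.255.0 10.0.1.210
"""
# Rows from the earlier server_interfaces listing in the same thread.
EARLIER_SERVER_INTERFACES = """\
10.245.64.0 255.255.255.0 10.0.1.210
10.0.3.0 255.255.255.0 10.0.1.210
"""


def parse_rows(text):
    """Parse '<network> <mask> <address>' rows, skipping blanks and # comments."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        # strict=True rejects a "network" that has host bits set (a typo'd row).
        net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=True)
        rows.append((net, ipaddress.ip_address(fields[2])))
    return rows


def classify(server_interfaces, defaultrouters):
    """Return (client_network, status, detail) for each server_interfaces row.

    Assumption of this example: a client whose network does not contain the
    preferred server address needs a default router inside its own network.
    """
    routers = dict(parse_rows(defaultrouters))
    results = []
    for net, server_ip in parse_rows(server_interfaces):
        if server_ip in net:
            results.append((str(net), "on-link", str(server_ip)))
        elif net not in routers:
            results.append((str(net), "no-router", "no defaultrouters row for this network"))
        elif routers[net] not in net:
            results.append((str(net), "bad-router", f"{routers[net]} is outside {net}"))
        else:
            results.append((str(net), "routed", f"via {routers[net]}"))
    return results


if __name__ == "__main__":
    for label, text in (("current", SERVER_INTERFACES), ("earlier", EARLIER_SERVER_INTERFACES)):
        for net, status, detail in classify(text, DEFAULTROUTERS):
            print(f"{label:8} {net:16} {status:10} {detail}")
```

Networks reported as `routed` are the ones where the install traffic depends on the router between the subnets, which is where a capture belongs when DHCP completes but TFTP does not.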

  • ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

    Hi there, please forgive if I have missed any forum protocols as this is my first post.
    I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, which is able to download the anyconnect client from the ASA. I am unable to ping any of my IPs that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
    Inside              192.168.1.254/24
    Outside           dhcp
    VPN Pool        192.168.250.1-50/24
    Inside LAN     192.168.1.0/24
    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.128
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 4433
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_anyconnect internal
    group-policy GroupPolicy_anyconnect attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username test password JAasdf434ey521ZCT encrypted privilege 15
    tunnel-group anyconnect type remote-access
    tunnel-group anyconnect general-attributes
    address-pool vpn_pool
    default-group-policy GroupPolicy_anyconnect
    tunnel-group anyconnect webvpn-attributes
    group-alias anyconnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:24bcba3c4124ab371297d52260135924
    : end :

    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.0
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.100.2 255.255.255.255 management
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_Anyconnect_VPN internal
    group-policy GroupPolicy_Anyconnect_VPN attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username sander password f/J.5nLef/EqyPfy encrypted
    username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
    tunnel-group Anyconnect_VPN type remote-access
    tunnel-group Anyconnect_VPN general-attributes
    address-pool Anyconnect-pool
    default-group-policy GroupPolicy_Anyconnect_VPN
    tunnel-group Anyconnect_VPN webvpn-attributes
    group-alias Anyconnect_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
    : end:

  • Not able to use Apple tv across subnet

    Hi Guys,
    I have made a test setup which contains a Cisco 2600 router, an Apple TV and a MacBook Pro with OS X 10.9.2. It's a pretty simple setup. One interface (Fa0/0) of the Cisco router is connected to the Apple TV via Ethernet cable in network 10.0.1.0/24 and another interface (Fa0/1) is connected to the MacBook Pro in network 10.0.2.0/24 via Ethernet cable. The Apple TV's IP is 10.0.1.2, whereas the MacBook's IP is 10.0.2.2. I am able to successfully ping from the MacBook to the Apple TV, but I am not able to discover the Apple TV at all on my MacBook. I tried every method and allowed UDP port 5353 on the router for Bonjour discovery, but still no luck. Can any gentleman help me on this?

    Yes, we can mirror it across subnet. That's what I am trying to figure out. People had done this earlier.

  • How to Fetch MAC-Addresses across Subnets

    Hi All,
    For some reason we have a number of Machines out there where we would like to install a Package via ARD instead of Casper. We have a list of Hostnames from these Machines. Now, the first idea was to ping them and to get the MAC-Address out of the ARP Cache via arp -a. All together could be used as an Import-File for Remote-Desktop.
    But ARP does not work across Subnets.
    Now I was wondering - how does for example ARD read the MAC-Address from a Machine if I do a scan to a specific Network-Range. Could I use this process to fetch the MAC-Addresses? Or could there be another way?
    bye
    joe

    Hi
    You could try installing ARD on a client within that range? Poll workstations within that range for relevant information. Save it to the Desktop of that ARD workstation. Transfer it to a memory stick etc. Or if you know the IP address of that workstation you may be able to add it using the network address option from another workstation that's in a different subnet.
    Tony

  • Problem With PXE Across Subnets

    I'm having a problem with PXE across subnets. The workstation boots,
    finds the dhcp server, finds the tftp server, downloads linux.1 and
    linux.2 with no problem. It is unable to download linux3.tgz, however.
    I've tried two different zen servers. I can tftp the file from either
    zen server in windows with no problem. I can tftp it from maintenance
    mode if I use a workstation as a tftp server. I can tftp it in PXE on
    the same subnet with no problems.
    A packet trace on the workstation shows that it gets so far into the
    download and then begins getting ICMP 'destination unreachable' packets
    from the server with the 'port unreachable' flag set.
    It sounds as if the server is closing the conversation on that port.
    Can anyone shed any light on this for me?
    Dave Thomas
    Rivercrest Technologies, Inc.

    Could you send me that trace? I would like to have a quick look
    Ron
    [email protected]
    <[email protected]> wrote in message
    news:iNOie.234$[email protected]..
    > The source address is the zen server. I'm relatively certain there is
    > no routing issue because I can tftp the file from windows with no issues
    > etc. Also there are a lot of other services crossing the subnets that
    > would fail if there is a routing issue.
    >
    > The 'port unreachable' flag seems to indicate that the zen server has
    > stopped listening on the port that is being used for the transfer.
    >
    > Dave Thomas
    >
    > > Where do these ICMP "destination unreachable" come from? could there be a
    > > routing issue to get to the imaging server?
    > >
    > > Ron
    > >
    > > <[email protected]> wrote in message
    > > news:[email protected] oups.com...
    > > > I'm having a problem with PXE across subnets. The workstation boots,
    > > > finds the dhcp server, finds the tftp server, downloads linux.1 and
    > > > linux.2 with no problem. It is unable to download linux3.tgz, however.
    > > >
    > > >
    > > > I've tried two different zen servers. I can tftp the file from either
    > > > zen server in windows with no problem. I can tftp it from maintenance
    > > > mode if I use a workstation as a tftp server. I can tftp it in PXE on
    > > > the same subnet with no problems.
    > > >
    > > > A packet trace on the workstation shows that it gets so far into the
    > > > download and then begins getting ICMP 'destination unreachable' packets
    > > > from the server with the 'port unreachable' flag set.
    > > >
    > > > It sounds as if the server is closing the conversation on that port.
    > > >
    > > > Can anyone shed any light on this for me?
    > > >
    > > > Dave Thomas
    > > > Rivercrest Technologies, Inc.
    > > >
    > >
    > >
    >

  • Unable to Ping IP when using route redistribution

    Hi Everyone,
    I have below setup
    R1 is running EIGRP and connected to R2 via EIGRP
    R2 is Running OSPF and connected to R3 via OSPF.
    R2 is doing the redistribution of eigrp to ospf and vice versa.
    R1 config
    interface FastEthernet1/0/1
    ip address 10.1.12.1 255.255.255.0
    R1# sh ip  eigrp nei
    EIGRP-IPv4 Neighbors for AS(100)
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   10.1.12.2               Fa1/0/1           13 01:47:54  652  3912  0  14
    R2 config
    interface FastEthernet0/16
    ip address 10.1.12.2 255.255.255.0
    sh ip eigrp nei
    EIGRP-IPv4:(100) neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    0   10.1.12.1               Fa0/16            12 01:49:44    1   200  0  36
    interface FastEthernet0/19
      ip address 10.1.23.2 255.255.255.0
    sh ip ospf 10  neighbor
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.1.23.3         1   FULL/DR         00:00:38    10.1.23.3       FastEthernet0/19
    Redistribution config on R2
    router ospf 10
    router-id 10.1.23.2
    log-adjacency-changes
    redistribute eigrp 100 subnets
    network 10.1.23.0 0.0.0.255 area 10
    distribute-list 1 out
    router eigrp 100
    redistribute ospf 10 metric 100 100 100 100 100
    no auto-summary
    network 10.1.12.0 0.0.0.255
    R3 config
    interface FastEthernet0/16
      ip address 10.1.23.3 255.255.255.0
    Neighbor ID     Pri   State           Dead Time   Address         Interface
    10.1.23.2         1   FULL/BDR        00:00:36    10.1.23.2       FastEthernet0/16
    R1 Routing Table shows routes learned via ospf network of R1.
    R1#sh ip route eigrp 100
         10.0.0.0/8 is variably subnetted, 15 subnets, 2 masks
    D EX    10.1.10.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.11.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.8.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.9.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.13.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.7.1/32 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    D EX    10.1.23.0/24 [170/25628160] via 10.1.12.2, 01:17:03, FastEthernet1/0/1
    I am able to ping the IP of the OSPF interface of R2 but not of R3, as shown below
    R1#                          ping 10.1.23.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.23.2, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
    R1#                          ping 10.1.23.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.23.3, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    R1#
    Need to know, even though the route is in the routing table, why I am unable to ping the IP 10.0.23.3?
    Also unable to ping the loopback IP of R3  below
    R1#                          ping 10.1.10.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.1.10.1, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Regards
    Mahesh

    Hi Alain,
    Yes R3 was getting the filtered EIGRP routes from R1 via R2.
    I removed the distribute list on R2 and ping worked fine now.
    I understood now why ping was not working earlier as R1 int IP 10.1.12.1 was dropped by the distribute list.
    Now I added this to ACL 1 on R2 which is used by distribute list on R2 and ping works fine now while using distribute list on R2.
    Best regards
    Mahesh

  • PIX 501 unable to ping vpnclient

    Hi,
    Here is the topology:
    vpnclient ------->Internet---->Broadband router (with port forwarding) -----> PIX-------->Internal network
    VPN client is able to establish VPN connection with PIX. VPN client can ping internal network machines (which I wasn't able to do until I used the nat-traversal command), but PIX is unable to ping vpnclient's IP addresses or inside address of PIX.
    ++VPN Client getting this++
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . : abc.com
       Link-local IPv6 Address . . . . . : fe80::b940:3053:3f6f:a4c1%23
       IPv4 Address. . . . . . . . . . . : 10.10.10.10
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    PIX> en
    Password: *****
    PIX# sh run
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 9jNfZuG3TC5tCVH0 encrypted
    hostname PIX
    domain-name cisco
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list in2out permit ip 172.16.0.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 172.16.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
    pdm location 172.16.0.26 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.255.0 outside
    pdm location 172.16.0.27 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list in2out
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 172.16.0.26 255.255.255.255 inside
    http 172.16.0.27 255.255.255.255 inside
    http 172.16.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server outside 192.168.0.6 configpix
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
    crypto dynamic-map ipsec_map 1 set transform-set myset
    crypto map outside_map 10 ipsec-isakmp dynamic ipsec_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp log 25
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption aes-256
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    vpngroup remoteClient address-pool clientpool
    vpngroup remoteClient dns-server 172.16.0.1
    vpngroup remoteClient default-domain abc.com
    vpngroup remoteClient split-tunnel in2out
    vpngroup remoteClient split-dns abc.com
    vpngroup remoteClient idle-time 1800
    vpngroup remoteClient password ********
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 172.16.0.0 255.255.255.0 inside
    telnet timeout 15
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.0.0 255.255.255.0 outside
    ssh timeout 60
    management-access outside
    console timeout 0
    dhcpd address 172.16.0.20-172.16.0.40 inside
    dhcpd dns 194.168.4.100 194.168.8.100
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

    Hi all,
    Thanks all for the valuable replies.
    Last time I made modifications with the following commands to access the Cisco PIX 515E by telnet from the outside interface:
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit ip any any
    access-list inside_access_out permit ip any any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
    access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
    access-list 100 permit tcp any eq telnet host PIX_inside eq telnet
    access-list 100 permit tcp any eq telnet host pix_outside eq telnet
    access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet
    After adding the above commands I am facing this: my internet link is up and working fine, but I am not able to get a ping reply from the internet ISP or DNS server IP, i.e. 202.56.230.5.
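
The PIX and ASA configurations posted above contain management-plane and crypto settings a reviewer would flag before debugging reachability: Telnet and SSH permitted from `0.0.0.0 0.0.0.0` on the outside interface, the `public` SNMP community, `dh-group1-sha1` SSH key exchange, RC4 and 3DES in `ssl encryption`, and `permit ip any any` ACLs. The audit below is an added example, not code from the posters or from Cisco; the rule names are hypothetical and the sample is a constructed composite of lines taken from the threads.

```python
import ipaddress
import re

# Constructed composite sample: every line appears in the PIX/ASA configurations
# or the reply posted above; together they are not any one poster's device.
SAMPLE_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 outside
telnet 172.16.0.0 255.255.255.0 inside
telnet timeout 15
ssh 0.0.0.0 0.0.0.0 outside
ssh 192.168.0.0 255.255.255.0 outside
ssh timeout 60
snmp-server community public
ssh key-exchange group dh-group1-sha1
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
access-list outside_access_in permit ip any any
access-list outside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

IPV4 = r"(\d+(?:\.\d+){3})"
MGMT = re.compile(rf"^(telnet|ssh|http)\s+{IPV4}\s+{IPV4}\s+(\S+)$")
SNMP = re.compile(r"^snmp-server community (\S+)$")
KEX = re.compile(r"^ssh key-exchange group (\S+)$")
TLS = re.compile(r"^ssl encryption (.+)$")
ACE_ANY = re.compile(r"^access-list (\S+) (?:extended )?permit ip any any$")
BIND = re.compile(r"^access-group (\S+) in interface (\S+)$")
WEAK_TLS_PREFIXES = ("rc4-", "3des-", "des-")  # RC4 (RFC 7465) and 64-bit block ciphers


def audit(config):
    """Return (line_number, rule_id, detail) for each risky statement found."""
    lines = [line.strip() for line in config.splitlines()]
    # ACL name -> interface it is applied to, taken from access-group lines.
    bound = {m.group(1): m.group(2) for m in map(BIND.match, lines) if m}
    findings = []
    for no, line in enumerate(lines, 1):
        m = MGMT.match(line)
        if m:  # "telnet timeout 15" and similar do not match: no address/mask pair
            proto, addr, mask, ifname = m.groups()
            src = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if proto == "telnet":
                findings.append((no, "cleartext-mgmt", f"telnet from {src} on {ifname}"))
            if src.prefixlen == 0:
                findings.append((no, "mgmt-any-source", f"{proto} from any address on {ifname}"))
            continue
        m = SNMP.match(line)
        if m and m.group(1) in ("public", "private"):
            findings.append((no, "snmp-default-community", f"community string '{m.group(1)}'"))
            continue
        m = KEX.match(line)
        if m and m.group(1).startswith("dh-group1-"):
            findings.append((no, "weak-ssh-kex", m.group(1)))
            continue
        m = TLS.match(line)
        if m:
            weak = [c for c in m.group(1).split() if c.startswith(WEAK_TLS_PREFIXES)]
            if weak:
                findings.append((no, "weak-tls-cipher", ", ".join(weak)))
            continue
        m = ACE_ANY.match(line)
        if m:
            where = bound.get(m.group(1), "no interface in this sample")
            findings.append((no, "acl-permit-any", f"{m.group(1)} applied inbound on {where}"))
    return findings


if __name__ == "__main__":
    for no, rule, detail in audit(SAMPLE_CONFIG):
        print(f"line {no:2}: {rule:24} {detail}")
```

Interface names such as `outside` are whatever `nameif` assigned, so the script reports the name as written rather than inferring a trust level.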

  • Solution to use Airprint across subnets wired/wireless

    A lot of companies are trying to figure out how to setup airprint to print
    in the workplace, wired+wireless across subnets.
    We finally figured it out with some DNS magic and a CUPS server.
    I have documented the solution at a live document hosted at
    http://sites.google.com/site/iwastepaper/
    Hopefully it helps a few folks.
    <Edited by Host>

    You will want to make sure your APs can route from wherever you install them to the WLC management address.
    How APs find the controller can happen a few different ways:
    1) DNS A record
    2) Layer 2 broadcast (which you have seen already)
    3) IP Route Forward
    4) DHCP Option 43
    5) Manual Prime the AP
    Most folks lead with option 43.
    http://www.my80211.com/cisco-wlc-labs/2009/7/4/cisco-dhcp-option-43-configuration-nugget.html
    If you check the config guide, it will explain the other processes.

  • NetBoot across subnets with a bootpd relay

    Hello Apple Community!
    I've got 4 subnets at my school, each with various Macs around campus.  I have a Mavericks server on each subnet currently, each with their own NetBoot images.  It's a pain to keep everything updated.  I can get a single client Mac (pre-2011) to boot across subnets using the bless command, but that's not really a viable solution for us to run a bless command on each client every single time we want to netboot.  So far, the solution has been just to have dedicated netboot servers on each subnet, but I know there has to be a better way.
    This article (OS X Server: How to use NetBoot across subnets - Apple Support) describes three different methods for netbooting across subnets, but two of them are not really viable for us.  Those involve reconfiguring the network to allow BootP data to pass across subnets or configuring one server with multiple network connections, one for each subnet.  However, option #2 describes configuring a bootpd relay.  Based on my reading, this sounds like exactly what I need.  However, I can't find any good documentation to walk me through setting it up.
    I've thoroughly read the bootpd man page, which has had me editing the /etc/bootpd.plist on multiple servers.  This hasn't gotten me very far.  My clients still don't see the remote NetBoot server.  It seems like the relay is supposed to redirect broadcasts from the remote Netboot server, through a local NetBoot server to the client.  But I have no idea how to make this work.
    Could someone please give me more guidance on what I'm supposed to be doing here?  I'd like to host a single NetBoot server and have any client on any subnet be able to option-boot to see the NetBoot startup options (I have multiple NetBoot images, from Apple Service Toolkit to DeployStudio and Mavericks/Yosemite installers in between).  Even if I could get it to just netboot to one default source (AST), I could deal with that.  I'm also happy to host multiple NetBoot servers, but with all my NetBoot images in one location.  I'm stumped in this multiple subnet environment and I need help.  Please help.

    Thanks again for your feedback.  I had forgotten I left the "tftp://" on the IP address.  Though, I've tried that multiple ways, starting with IP only.  Also, per the bootpd man page (https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/bootpd.8.html), <allow/> and <deny/> are lists for MAC address allowances and when nothing is defined everything goes through.  These are there by default, though I will remove them and see what happens.  Also, according to the man page, bootp_enabled enables on all connections when a boolean is set rather than an array.  Though I will still change this also and see what happens.  The array that comes after the netboot_disabled key is auto-generated by NetInstall when you turn the service on in Server.app.
    Essentially, that plist comes from a fresh activation of NetInstall.  I deleted the previous .plist, rebooted the server and when I turned on NetInstall, that's what was created, plus my bootp modifications.
    All that said, you said that you assumed I started the relay with the 'debug & logging' options enabled.  I haven't started the relay in any active sense.  So far, I've just been modifying this .plist, and rebooting a bunch of times, but that's where I seem to get lost.  Is there a way to actively "start" the relay?  I'd love to look at these 'debug & logging' options.  As for the 'Startup Disk' prefs on the client Mac, they do not show any significant change.  Basically, they just don't see the remote server as a startup option.  I have not gleaned any pertinent info from console, though I'm not sure I know what I'm looking for.
    On a side note, I had a wild hair to try something different.  I set my local subnet's server to look at a NetBootSP0 folder that was actually a symlink to a NetBootSP0 folder that was mounted as a file share from the remote NetBoot server.  This really looked like it might work.  When you boot the client, it saw the startup volumes from the remote server.  However, upon boot, it doesn't seem to make the connection and winds up booting back to the internal hard drive.  It was worth a try...
