Using Xserve to route traffic between LANs

A couple of years ago Camelot posted a response on how to set up an Xserve to route network traffic between the Xserve's internal NICs (http://discussions.apple.com/thread.jspa?threadID=1193839&tstart=127). In that situation, both LANs were 192.168.x.x. Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work? Addresses on the 172.16 are dished out from a Cisco PIX501 which I don't control. The Xserve has a fixed IP of 172.16.128.241 (DHCP with manual address) on en0. The 192.168 LAN is on en1 and the XServe does the DHCP for that side. NAT is on with IP forwarding. I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
Xserve is running Server 10.5.4

Can this same technique be used where one LAN is 192.168.x.x and the other LAN is 172.16.x.x or do the first two octets have to be the same for this to work?
You can route between any connected networks. There doesn't have to be any common elements in the IP address subnets.
I can get to systems on the 172.16 LAN from the 192.168 LAN but not vice versa.
You say you're running NAT on this system. NAT is not needed (or, in fact, desired) since it's designed for one way traffic (e.g. traffic from LAN 1 is translated to an address in LAN2 before forwarding). To have traffic flow the other way you need to setup port forwarding, which isn't practical for a large number of machines.
My earlier suggestion doesn't suggest enabling NAT at all, just IP Forwarding. IP Forwarding should work both ways provided the relevant devices in each LAN know where to route the traffic (e.g. devices in the 192.168.x.x LAN need to have a route that sends traffic for 172.16.x.x to the 192.168.x.x address of the XServe).

Similar Messages

  • ASA 5510 Not able to route traffic between 2 LAN interfaces

    Hi everybody,
    I need help to enable traffic between two physical ports on my Cisco ASA 5510. I created access rules and NAT but traffic doe not go from accounting interface to Inside. I am able to access internet from both interfaces. Can someone pin point me in the right direction since I am not an expert in Cisco but has to finish this by the end of the week.
    Thank you,
    Sigor
    Here is my configuration:
    ASA Version 8.2(2)
    hostname Cisco
    domain-name xxx.com
    names
    interface Ethernet0/0
     description Outside
     nameif Outside
     security-level 0
     ip address 101.101.101.101 255.255.240.0
    interface Ethernet0/1
     description Inside Network
     nameif Inside
     security-level 90
     ip address 192.168.10.1 255.255.255.0
    interface Ethernet0/2
     description Accounting
     nameif Accounting
     security-level 100
     ip address 20.0.1.1 255.255.255.0
    interface Ethernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    ftp mode passive
    clock timezone EST -5
    dns domain-lookup Outside
    dns server-group DefaultDNS
     name-server 8.8.8.8
     domain-name xxx.com
    same-security-traffic permit inter-interface
    object-group service Port-10000 tcp
     port-object eq 10000
    object-group service Port-8080 tcp
     port-object eq 8080
    object-group service Port-8011 tcp
     port-object eq 8011
    object-group service DM_INLINE_TCP_1 tcp
     group-object Port-8080
     port-object eq www
     group-object Port-8011
    object-group service DM_INLINE_TCP_2 tcp
     group-object Port-10000
     port-object eq https
     port-object eq www
    object-group service rdp tcp
     port-object eq 3389
    object-group service DM_INLINE_TCP_3 tcp
     group-object rdp
     port-object eq ftp
    object-group service DM_INLINE_TCP_4 tcp
     group-object Port-10000
     port-object eq www
     port-object eq https
     port-object eq ssh
    object-group service DM_INLINE_TCP_5 tcp
     group-object Port-8011
     group-object Port-8080
     port-object eq www
    object-group service DM_INLINE_TCP_6 tcp
     group-object Port-10000
     port-object eq www
     port-object eq https
    object-group service DM_INLINE_TCP_7 tcp
     group-object rdp
     port-object eq ftp
    access-list Outside_access_in extended permit tcp any host 101.101.101.104 object-group DM_INLINE_TCP_5
    access-list Outside_access_in extended permit tcp any host 101.101.101.102 object-group DM_INLINE_TCP_6
    access-list Outside_access_in extended permit tcp any host 101.101.101.103 object-group DM_INLINE_TCP_7
    access-list Outside_access_in extended permit tcp any host 101.101.101.106 eq smtp                                                              
    access-list Outside_1_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
    access-list Inside_nat0_outbound extended permit ip 192.168.10.0 255.255.255.0 192.168.80.0 255.255.255.0
    access-list CiscoIPsec_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0                                                                
    access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 192.168.10.0 255.255.255.0
    access-list Accounting extended permit ip 20.0.1.0 255.255.255.0 any
    pager lines 24
    logging asdm informational
    mtu Outside 1500
    mtu Inside 1500
    mtu Accounting 1500
    mtu management 1500
    ip local pool IPSecDHCP 192.168.80.100-192.168.80.200 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (Outside) 1 interface
    nat (Inside) 0 access-list Inside_nat0_outbound
    nat (Inside) 1 0.0.0.0 0.0.0.0
    nat (Accounting) 1 0.0.0.0 0.0.0.0
    static (Inside,Outside) tcp 101.101.101.104 www 192.168.10.14 www netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.104 8011 192.168.10.14 8011 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.104 8080 192.168.10.14 8080 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.102 10000 192.168.10.3 10000 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.102 https 192.168.10.3 https netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.102 www 192.168.10.3 www netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.103 ftp 192.168.10.17 ftp netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.103 3389 192.168.10.32 3389 netmask 255.255.255.255
    static (Inside,Outside) tcp 101.101.101.106 smtp 192.168.10.23 smtp netmask 255.255.255.255
    static (Inside,Accounting) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
    access-group Outside_access_in in interface Outside
    access-group Accounting in interface Accounting
    route Outside 0.0.0.0 0.0.0.0 101.101.101.101 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    http 192.168.10.0 255.255.255.0 Inside
    http 20.0.1.0 255.255.255.0 Accounting
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 32608000
    crypto ipsec security-association replay disable
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256
    -SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
    crypto map Outside_map 1 match address Outside_1_cryptomap
    crypto map Outside_map 1 set pfs group1
    crypto map Outside_map 1 set peer 89.216.17.35
    crypto map Outside_map 1 set transform-set ESP-3DES-SHA
    crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map Outside_map interface Outside
    crypto isakmp enable Outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    telnet timeout 5
    ssh 192.168.10.0 255.255.255.0 Inside
    ssh timeout 5
    console timeout 0
    dhcpd address 20.0.1.100-20.0.1.200 Accounting
    dhcpd dns 192.168.10.19 8.8.8.8 interface Accounting
    dhcpd lease 306800 interface Accounting
    dhcpd domain abtscs.com interface Accounting
    dhcpd enable Accounting
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy CiscoIPsec internal
    group-policy CiscoIPsec attributes
     dns-server value 192.168.10.30 192.168.10.19
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value CiscoIPsec_splitTunnelAcl
     default-domain value xxx.com
     vpn-group-policy CiscoIPsec
    tunnel-group 198.226.20.35 type ipsec-l2l
    tunnel-group 198.226.20.35 ipsec-attributes
     pre-shared-key *****
    tunnel-group CiscoIPsec type remote-access
    tunnel-group CiscoIPsec general-attributes
     address-pool IPSecDHCP
     default-group-policy CiscoIPsec
    tunnel-group CiscoIPsec ipsec-attributes
     pre-shared-key *****
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:2a7c97a7a22397908ef83ca6f0065919
    : end

    Without diving too deep into your config, I noticed a couple of things:
    interface Ethernet0/1
     description Inside Network
     nameif Inside
     security-level 90
     ip address 192.168.10.1 255.255.255.0
    interface Ethernet0/2
     description Accounting
     nameif Accounting
     security-level 100
     ip address 20.0.1.1 255.255.255.0
    On an ASA, higher security level interfaces are always allowed, by default, to lower security levels, but not the other way around. So, if you want to keep this config, you would need an acl on the Inside interface to allow traffic to go from level 90 to 100:
    access-list Inside permit ip any any
    access-group Inside in interface Inside
    The acl will permit the traffic into either interface (outside or Accounting). As long as you have your other rules set up correctly, this should resolve your issue...
    HTH,
    John

  • How to route traffic between two different interfaces

    Hi,
    I need to setup a routing between two different interfaces on a host.
    Inferface ce1 : 192.168.120.12
    Inteface ce2 : 192.168.110.50
    Is it possible to add a route which enables the ce2 interface to catch packets from the ce1 interface ?
    Regards,
    Armin

    The problem is a application which is only able to listen on one interface.
    To fix this, I have to make all packages visible on one interface.

  • Howto control/filter traffic between VRF-(lite) using route leaking?

    Hi,
    does anybody know how I can control/filter the traffic between two vrf when I use route leaking or also normal route target export/import connections, maybe with an acl, in the following scenarios?
    Scenario 1:
    I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of PE routers to allow/route traffic between these VPNs but especially traffic on tcp port 80 and no other ports. I'm only aware of bindung acls to logical or physical interfaces but I don't know how to do this here.
    Scenario 2:
    Same as scenario 1 but not the PE router will connect the VPN but a separate router-on-a -tick (e.g. 4900M) which is connected to one of the PE routers should do this job with vrf-lite and route leaking (address-family ipv4 vrf ...). Also here I want only to allow tcp port 80 between the vpns
    Kind Regards,
    Thorsten

    Thanks.
    That's what I was assuming. In my experience this solution does not scale with increasing number of vpn and inter vpn traffic via route target.
    Is it correct that there is only one common acl per vpn where all rules for the communication to all other vpns are configured? Doesn't this acl become too complex and too error-prone to administrate in a real network environment? Further on in my understanding this acl has to be configured per vpn on all pe routers which have interfaces to ce routers for that vpn.
    Does cisco offer software for managing this?

  • Traffic Between 2 Ports on Different VLANs on the Same Switch

    Hi,
    This question probably results from a flaw in my understanding of network layer 2 versus layer 3 and VLANs so any additional context in that regard would be very welcome
    If I've got 2 systems on difference VLANs that are connected to ports on the same switch (e.g. 2950), with that switch being connected via an uplink to a router or layer 3 switch and i want to pass traffic between the 2 systems (e.g. copy a file from a folder shared on one system to another), will the traffic pass directly from one port on the 2950 to the other? Or will it need to go through the uplink? I guess it will need to go through the uplink initially as layer 3 needs to be involved for inter-VLAN routing but wondering if layer 2 MAC address will ultimately be learned, allowing traffic to pass directly between the systems, not over the uplink.
    Thanks in advance,
    cisco_reader.

    If the hosts are on different Layer 2 Vlans and you want to pass data between them, that data needs to be 'Routed'.
    In order to Route data from one Layer 2 Vlan to another, you need a device capable of Layer 3 Routing. That device can be a traditional Router or can be something called a Layer 3 switch.
    A 2950 switch is Layer 2 only so has the ability to create many Layer 2 Vlans which is what you have done. In order to route traffic between those Vlans, you can either use a router or a L3 switch.
    If you decided to use a router, look up something called 'Router on a Stick' which involves creating a Trunk link from the 2950 to the Router and then setting up Subinterfaces on the Routers port to act as the 'Default Gateway' for each of your Vlans.

  • My 1st Generation time capsule won't connect to the internet thru a new motorola sb6121 - get continuously flashing yellow light. Using a router in between the modem and capsule yields good but slower connection to internet. Any thoughts?

    My 1st Generation time capsule won't connect to the internet thru a new motorola sb6121 - get continuously flashing yellow light. Using a router in between the modem and capsule yields good but slower connection to internet. Any thoughts?

    Thanks for your response
    Let me give the history - I started with an Apple Express being fed thru a D-Link  EBTR 2310 cable Router from an RCA DCM315 Modem (Pure). Comcast service all the way.
    Got the 1st generation TC in 2008 and merely replaced the Airport Express with the TC. Worked ok
    A year or two ago I did try removing the modem and feeding the TC directly from the modem. Resulted in the same condition I have now - Continuous flashing amber on the TC. So I put the router back in the chain.
    Some time later, at the recommendation of a Comcast rep, I replaced the router with (a Belkin F5D 5231) to see if speed and dropout problems would be improved. I thought it helped some at the time but now I am not so sure.
    Last week I decided to see if a new modem would help with download speeds. So I got another pure cable modem (Motorola SB 6121- high on the Comcast recommended list).
    Got up and running easily with Comcast help and with the modem connected directly to a computer.
    Next I put the TC in the link and again could not get past the TC continuing to flash amber. Although I did get connected to the internet with this configuration I lost connection two both of my printers - one connected by USB and the other wirelessly to the TC. Again everything works fine when I put the Belkin router back in the system.
    However with the router in there, the modem shows the downstream connection to be 10/100 ethernet speed. (Modem light changes color for indicating speeds.}
    I have gone thru all of the combinations of powering down/ up, but all stays the same.
    I can live with what I have but something still doesn’t seem right.
    Thanks again

  • I have admin access to the main router in our LAN, so how can i telnet or get access to other LAN members in LAN without using third party software?

    I have admin access to the main router in our LAN, so how can i telnet or get access to other LAN members in LAN without using third party software?
    its linksys3500 router and  i login as admin using the gateway address in address bar..
    i want to access the c drive of my colleague in same subnet in same office and i know his ip address.but he not configured telnet accept request.so without it how can i open his telnet port and access him

    Duplicate post. 

  • Beginner question: Can I create a hybrid home network between an ethernet-connected iMac and an airport connected Macbook Pro using a hybrid router?

    I recently acquired an friend's used iMac, I don't know anything about networks and all I can find is how to create a Wi-Fi home network but nothing about hybrid Ethernet/Wi-Fi networks.
    I have the iMac connected via Ethernet to the wireless router.
    I connect via Airport with my MacBook Pro
    I would appreciate if anyone has any pointers as to how I can start setting up a network between my ethernet-connected iMac and WiFi connected Macbook.
    Thanks!

    ethernet and airport/WiFi are just transmission media for the same network. If you can get internet on both computers, they are networked. Using the same router = same network.
    So now, what is it you want to do? Share files between them?
    http://support.apple.com/kb/ht1549
    http://gigaom.com/2008/09/26/mac-101-sharing-files-between-2-macs/
    http://apple.stackexchange.com/questions/62450/how-to-share-files-between-two-ma cs-at-home

  • Is it recommended to use HSRP or multiple default between Core Layer Switch and Customer Edge Router?

    My client is asking me for following
    Client is using Router as edge device. 2  WAN links from different service provider ( each 20 Mbps)  are getting terminated on the router. There are internal servers present in the network. Client want to make setup such that even if one wan link fails  internet users should be able to access web server. Moreover if the edge router fails there should be secondary edge device so that there is device redundancy ?
    As per my understanding, in this scenario we need to do static one - to - one natting(belonging to WAN interface subnet). If we use two routers as Customer edge ans if we connect core layer switch to these two router, is it recommended to use HSRP/VRRP/GLBP or two default route on core switch pointing to two routers with equal ad value. we will also track the wan link with help of ip sla.
    which is recommended solution  Router redundancy protocol or Default routes.?

    Just had another read of this post and some other points have come up.
    1) I assumed your secondary link was for redundancy but you talk about terminating both SP links on the same router in your first paragraph.
    Did you mean this or are you going to be terminating a link per router ?
    2) are you using the second router purely for backup ?
    3) something you didn't ask about but is relevant is the IP addressing. Are you using provider independent addressing or does each SP provide you with an address block.
    If it is the second then you are going to have an issue with the web server. The problem is which provider's IP do you use for the web server ie.
    if you use the primary provider IP then that will be the DNS record on the internet. If the primary router fails then the IP address will change on the secondary router but DNS will still be handing out the primary IP.
    If you enter both IPs (primary and secondary) into DNS then you would get load balancing but this means both links will be used and the secondary would not just be backup.
    In addition if one of the links fails then DNS does not know this so it will still be handing out the failed address as well as the address that is still up which means some connections will work and some won't.
    Jon

  • Unknown network traffic / router traffic monitoring

    So I got a new PC with windows 7 on it, and I installed this gadget that monitors network traffic, and it shows a lot of traffic that my local PC isn't showing, so I am thinking there is something running on the LAN that I can't see. I was looking to find a live, better program to monitor the actiontec router, for traffic. anyone know of anything that can maybe show me who is using all the bandwidth on my network?
    i have found software for Linksys, but nothing for the Actiontec.
    Thanks,
    Quasimodem
    Fios in Florida
    Solved!
    Go to Solution.

    Keep in mind that when looking at Wireshark (sniffer) software there are different types of traffic:
    Unicast
    Broadcast
    Multicast
    Unicast is traffic between two devices.  You will see the traffic between the PC with wireshark and another device on your local network such as a printer, another PC or the Router.  You should not see traffic between another PC and the Internet for example.  Using a phone as an example some calls you and the conversation is between you and the person on the other end of the phone.  This is unicast traffic.  Using defaults of the actiontec, IP address seen will be 192.168.1.1 for the router and 192.168.1.2-99 for devices on your network.  If you have the TV service, 192.168.1.100-1xx is used for the cable boxes.
    Broadcast traffic is traffic sent to all devices.  Its not directed toward a particular PC but rather usually looking for information.  In a sniffer trace you will see broadcast traffic. Going back to the phone example, someone makes an announcement on an overhead intercom system that is broadcast traffic.  Broadcast traffic will be seen as 192.168.255.255
    Multicast traffic is traffic from one device for many devices.  Usually used in video feeds.   Using the phone system as an example someone wishes to tell a group of people something so instead of calling each person up and telling them each person who wants the information joins a conference bridge.  Anyone is allowed to listen but only those that wish to get the information receive it.  Generally how multicast works.  Multicast traffic will be seen as IP address 224.x.x.x or something of the sorts where the address will be 2xx.x.x.x.  
    I hope this makes sense.  Probably more information than you needed but at least it will help you understand what wireshark is telling you.

  • ASA5505 - Blocking internal traffic between 2 servers

    Hi guys/ladies
    I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
    10.50.15.4 > fileserver
    10.50.15.5 > domain controller (exchange)
    10.50.15.6 > terminal server
    10.50.15.7 > terminal server
    Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
    2
    Oct 27 2012
    14:51:05
    106007
    10.50.15.6
    55978
    DNS
    Deny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query
    What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
    Any idea why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
    Any help you can give would be great as this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.

    Result of the command: "show cap asp | include 10.50.15.6"
      15: 10:09:21.796849 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163
      16: 10:09:22.189153 802.1Q vlan#1 P0 10.50.15.6.58810 > 10.50.15.5.389:  udp 163 Drop-reason: (acl-drop) Flow is denied by configured rule
      17: 10:09:22.596252 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      18: 10:09:23.625913 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      19: 10:09:24.625227 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      20: 10:09:26.635236 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
      25: 10:09:30.653500 802.1Q vlan#1 P0 10.50.15.6.50855 > 10.50.15.5.53:  udp 86
      27: 10:09:34.655025 802.1Q vlan#1 P0 10.50.15.6.137 > 10.50.15.255.137:  udp 50 Drop-reason: (acl-drop) Flow is denied by configured rule
      28: 10:09:34.655071 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.255.138:  udp 237
      29: 10:09:34.655193 802.1Q vlan#1 P0 10.50.15.6.138 > 10.50.15.5.138:  udp 237 Drop-reason: (acl-drop) Flow is denied by configured rule
      30: 10:09:34.764700 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
      31: 10:09:34.899337 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      32: 10:09:35.901946 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      33: 10:09:36.915937 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      34: 10:09:37.773916 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
      35: 10:09:38.942715 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      37: 10:09:42.937695 802.1Q vlan#1 P0 10.50.15.6.56407 > 10.50.15.5.53:  udp 34 Drop-reason: (acl-drop) Flow is denied by configured rule
      38: 10:09:43.788579 802.1Q vlan#1 P0 10.50.15.6.49854 > 10.50.15.5.88: S 1487640872:1487640872(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
      41: 10:09:55.803608 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      42: 10:09:56.814166 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule
      43: 10:09:57.820804 802.1Q vlan#1 P0 10.50.15.6.54962 > 10.50.15.5.53:  udp 86 Drop-reason: (acl-drop) Flow is denied by configured rule

  • How to enable traffic between VPN clients in Windows Server 2012 R2?

    Hello, 
    I installed Remote Access role with VPN.
    IPv4 Router is enabled: http://snag.gy/UAMY2.jpg
    VPN clients should use static ip pool: http://snag.gy/REjkB.jpg
    One VPN user is configured to have static ip: http://snag.gy/TWwq0.jpg
    VPN server uses Windows Authentication and Windows Accounting.
    With this setup, VPN clients can connect to server, get ip addresses and can see server via server's vpn ip. Server can connect to VPN clients too (Using client's vpn ips). But VPN clients can't communicate with each other.
    For example, VPN server has ip 192.168.99.5
    VPN Client 1 - 192.168.99.6
    VPN Client 2 - 192.168.99.7
    I am able to ping 192.168.99.5 from both clients, and able to ping 192.168.99.6 and 192.168.99.7 from server via remote desktop. But I am not able to ping 192.168.99.7 from client 1 and 192.168.99.6 from client 2.
    If I trace route from 192.168.99.6 to 192.168.99.7 - I can see that packets goes to server (192.168.99.5) and next hop - request timeout.
    What else should I configure to allow network traffic between VPN clients?

    Hi,
    To better analyze this issue, would you please post the routing tables on the two VPN clients? You can run "route print" at the command prompt to get the routing table.
    Best regards,
    Susie
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Possible to Route Traffic Based on AVC?

    Is it possible to route traffic, based on the Application Visibility Control functions that specific Cisco routers are capable of?  Here's my issue:  I have two ISP's.  One is at about 120% utilization.  The other isn't doing anything.  I can specify ip routes based on IP addresses.  For instance, I can ip route 173.252.110.27 255.255.255.255 10.x.x.x to point to our ISP2 firewall, which is our non-utilized provider, for Facebook traffic.  The problem is that sites like this have massive public subnets, so I won't be able to capture all of the traffic destined to Facebook.  Is there a way to route traffic based on application?  I know that Palo Alto firewalls have a way to do Policy Based Forwarding, based on application.  I was wondering if the same was possible with AVC.  Thanks for any help.

    Hello.
    Yes, it's possible and, actually, you have 2 ways.
    1. use manual load-balanace between links.
    2. use PfR to load-balance traffic automatically.
    PS: you also will need NAT with route-map.

  • Dynamic routing alternative between ASA and edge routers?

    This is the current setup between two edge routers and an ASA 5580.  The edge routers carry approximately 9200 BGP routes with ISP A also supplying the default route.  Is there a good, i.e. has been successfully implemented, dynamic routing situation between the edge routers and ASA such that the ASA can send traffic to the particular edge router that carries the best specific route?

    Hello,
    Let's remember that the ASA was built as a High-Level Next Generation Firewall.
    That does not mean it's not useful for routing but here we are talking about thousands of routes, I do not think there will be a performance issue on the FW because of that. I mean you have one of the greatest Cisco Firewalls (functionality and power speaking).
    So if that's the case and you really want to do that you will need to implement either RIP,EIGRP,OSPF on the link and then do the redistribution on the routers.
    Makes sense?
    Regards,
    Jcarvaja
    CCIE 42930

  • Which is the correct way to filter/block traffic between vlans?

      Hi all. My question is: Which is the correct way to filter/block traffic between vlans?
    i have a more than 15 vlans. I want to block traffic between them except 2 vlans.
    source vlan 3 deny destination vlan 4
    #access-list 100 deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
    and the oposite:
    #access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
    I have to do this for all VLANs, ono by one. Is that right?
    Thanks.

    There are a couple of ways to achieve that. I assume that you have a Layer3-Switch. There I would configure one ACL per vlan-interface and allow/deny the traffic as you want. Sadly, the Switches don't support object-groups yet, so you have to use the IP-networks here. Only allow/deny traffic based on networks or hosts. Don't even try to be very granular with permit/denys based on ports. Because the switch-ACLs are not statefull you'll run into problems for the return-traffic if you woulf do that. And the return-traffic of course has to be allowed also.
    Another way: with the help of 802.1x you can deploy port-based ACLs for every user. That takes some time for planning, but is one of the most powerful solutions.
    For more control you could remove the L3-interface from your L3-switch and move that to your router or firewall. These devices support stateful filtering and you can control your traffic much tighter tehn with ACLs on the switch.
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

Maybe you are looking for