VirtualBox or OVM Server VM with VPN IP
Hi,
I'm looking for a solution to the following issue:
- connect through VPN a laptop to the intranet, but using a fixed IP address.
It is not feasible to get a fixed IP from the VPN server, so I'm wondering: if I connect the host machine to the VPN (getting a dynamic IP) and then start up a VM, will it work if I allocate the fixed IP from the intranet to the VM? I want to use the host just as a tunnel between the intranet and the VM with the fixed IP (because of this, Oracle VM Server sounds more appropriate, as it is a bare metal solution).
I have a VirtualBox (4.2.0) VM on a Win7 host and set to have a bridge to the Cisco AnyConnect VPN Virtual Miniport Adapter, but if in the VM (Oracle Linux 5) I set DHCP, eth0 can't be brought up (does not manage to get to the DHCP server) and if I set the fixed IP, I can't even ping the gateway, so this is why I'm asking that is it even possible what I'm thinking about?
Thank you.
Hello,
Didn’t work for me in the beginning using the bridge (when at the office this is my preferred method).
And now it works from HOME like a charm - using NAT.
Here are the steps :
Connected to my office using Cisco AnyConnect VPN (I believe you can use any VPN software).
Go to : Oracle VM VirtualBox Manager
Go to : My Oracle Linux 6.x VM.
Make sure that Settings -> network - > Adapter is set on NAT.
Restart your VM machine (you may power off -> power on), as sometimes it doesn't catch changes.
You should now Coca Cola Enjoy.
Regards
Etay G
Similar Messages
-
Can EBS in OVM server interface with second OVM Server or VMware ?
Pl. let me know which ones possible:
1. Win7 laptop --> Install VMware/VirtualBox ---> Install one OVM Server with EBS & GRCC and other OVM Server with GRCM & GRCI. Can they work in sync with each other (send/receive/communicate etc. like various modules do within an EBS suite)?
2. Win7 laptop --> Install VMware/VirtualBox ---> Install one OVM Server with EBS & GRCC 64 bit and other OVM Server with GRCM & GRCI (all 32 bit). Can they work in sync with each other (send/receive/communicate etc. like various modules do within an EBS suite .. 64 and 32 bit)?
And no, I will always be using just one physical machine. And if I'm running GRCC and it needs any data from GRCM or EBS it should be available (like it would be if I had two physical machines/servers for EGRCC/EBS & EGRCM networked together).
You should be able to connect between the VMs.
1) So pl. recheck the sequence and let me know how to go about it without losing Win7.
As long as you do not use Oracle VM you should be fine.
2) Can 2 Oracle VM Servers run within the same VMware or Virtual box?
(say one with EGRCC/EBS & other with EGRCM)
You are not clear about this; if you use 2 different VMware or VirtualBox machines then you should be fine.
3) In case (2) above is not possible can I have 2 VirtualBoxes on/in same physical machine running win7 ?
(Two VirtualBox/VMwares - VirtualBox/VMware No 1 running Oracle VM Server with EBS/EGRCC & VirtualBox No 2 running EGRCM).
Yes.
Thanks,
Hussein -
Mac OS X server together with VPN provider?
Hi,
I have question that I'm hoping you can help me answer. I don't have a router that is DD-WRT compatible. But I need something similar - since PPTP VPN on iOS disconnect when it's put into sleep.
Do you know, or think that it is possible to setup Mac OS X Server with something Privat VPN? Or is it only for setting up and new personal VPN and use an existing server from a VPN provider like you.
I hope you understand what I'm asking :)
I would not recommend using the built-in firewall on an OS X Server box that is also running other services. You could put a server at the perimeter of your network and make it a firewall, and probably a pretty good one, but as soon as you start services, you open ports on the server itself. I also can't imagine that the firewall capabilities of a DSL modem would be that dependable or configurable. If you're looking for an inexpensive way, what you're thinking may work, but it would not be as secure as a good standalone firewall.
I vote for upgrading the firewall. -
How do I access server with VPN?
I have a connection via VPN to my work from home now. I'm on a MBP 10.6 and work is Cisco IPSec. It show the connection in my menu bar.
My question is how do I now see my work files? I figured the VPN connection would show in my sidebar or on my desktop. This is the first time I have tried connecting to work from home.
VPN normally just gets you into the network. You then have to mount the server's shared volume to see files. Depending on how the network is set up, you may be able to browse for the server by clicking on "All" under the Shared header in the Finder Sidebar (you may have to click the disclosure triangle to see things under the "Shared" header). It will be easiest if you then select to show the window in Column view. If you see the server to which you want to connect, click on it and you should be asked for a user name and password; if not, click the "Connect As" button that should appear in the next column.
If you can't browse for the server, use the Connect To Server command under the Go menu in Finder and enter in the appropriate URL to the server; check with your server administrator for the correct information.
Hope this helps. -
Can I connect to server with Server Admin over vpn?
I succeeded in connecting to the server over VPN, allowing me to connect to disks, e.g., but I seem not to be able to connect to the server to administer it with Server Admin. Is it a matter of opening a port?
Thanks,
But I am facing another problem.
When I am trying to connect to an Oracle 9i server database with the Oracle 10g client, I am facing the following problem.
On my 10g client machine, in the tnsnames.ora file, I added the configuration of the Oracle 9i service. When I am trying to connect with the username, password and host string of the Oracle 9i server, I am getting the following error:
ORA-12514: TNS:listener does not currently know of service requested in connect descriptor
Waiting for Reply,
Satish. -
Problem with OVM Server 3.2.6 - xend not running
Hi, just now I upgraded my server to OVM Server 3.2.6 and the server boots up, the cluster is up, but I have a message that the Hypervisor is running in UNDETERMINED bit mode (WARNING: XEND IS PROBABLY NOT RUNNING). While booting I saw a message that xend failed to start because "mount point /proc/xen does not exist". Also when it tries to start xend, there is a message "xencommons should be started first". Reinstalling OVMS did not help. Does anyone have this problem?
Thanks.
For me, it looks like the same.
1 - Yes
2 - B
3 - Not yet, I've tried to downgrade to 3.2.4, but it is not possible.
4.1 - service xend status:
xc: error: Could not obtain handle on privileged command interface (2 = No such file or directory): Internal error
Traceback (most recent call last):
File "/usr/sbin/xend", line 36, in ?
from xen.xend.server import SrvDaemon
File "/usr/lib64/python2.4/site-packages/xen/xend/server/SrvDaemon.py", line 26, in ?
import relocate
File "/usr/lib64/python2.4/site-packages/xen/xend/server/relocate.py", line 28, in ?
from xen.xend import XendDomain
File "/usr/lib64/python2.4/site-packages/xen/xend/XendDomain.py", line 36, in ?
from xen.xend import XendOptions, XendCheckpoint, XendDomainInfo
File "/usr/lib64/python2.4/site-packages/xen/xend/XendCheckpoint.py", line 20, in ?
from xen.xend import balloon, sxp, image
File "/usr/lib64/python2.4/site-packages/xen/xend/image.py", line 46, in ?
xc = xen.lowlevel.xc.xc()
xen.lowlevel.xc.Error: (1, 'Internal error', 'xc_interface_open failed: No such file or directory')
xend daemon is stopped
4.2 - service ovs-agent status:
log server (pid 4460) is running...
notification server (pid 4489) is running...
remaster server (pid 4492) is running...
monitor server (pid 4494) is running...
ha server (pid 4496) is running...
stats server (pid 4498) is running...
xmlrpc server (pid 4499) is running... -
Lost connection between ovm-manager and ovm-server (ovm 3.1)
Hi,
I have a manager as a VM on my laptop and a physical server as an ovm-server. Everything is fine when I boot the server, but after some time the manager stops showing the information from the server. In the ovs-agent log file the following messages are repeated regularly:
[2013-08-29 13:06:19 6160] DEBUG (notification:289) Trying to connect to manager.
[2013-08-29 13:06:20 6160] DEBUG (notification:291) Connected to manager.
[2013-08-29 13:06:20 6160] ERROR (notification:316) No manager Core API server object for 10:60:4b:88:bc:24:10:60:4b:88:bc:25:fe:ff:ff:ff.
[2013-08-29 13:06:34 6171] ERROR (notification:64) Unable to send notification: (111, 'Connection refused')
I did not reboot neither the server nor the manager. No IP change. Rebooting the manager has no effect.
The only way to restore communication is to restart the ovs-agent on the server, but this restart disables the network card. I must be physically at the server to restart the network.
any help will be very helpful
best regards
Jean-Marc
Hi,
There are many steps to verify:
Verify with your firewall on the Oracle VM Manager system (service iptables stop).
Verify with a ping between OVM Manager and OVM Server using the IP Address and using the hostname for each one (from OVM Manager : ping ovm-server ; and from OVM Server: ping ovm-manager).
I hope this can help you
Best Regards -
Remote Access to Windows Small Business Server System via VPN
Same old story: I use macs at home but I want to be able to connect to our small company Windows network over the internet to pick up and put down files.
Said company network consists of a server running Microsoft Small Business Server and Exchange. The data sits on some network drives (Z: etc, you know the sort of thing).
I've sorted out email access - I just connect to the Exchange Webmail interface and do all that using a web browser at home.
Now for data: well, I have successfully connected to our company network using VPN PPTP by following the guidance in Pogue's Missing Manual. The VPN window reports that I am connected to ip 192.168.0.150 which our network guru tells me is the address of the "Internal virtual network adapter on the VPN." The actual server PC with the data on it is at .100.
Now, he's a great guy and everything but is definitely a Microsoft man only. When I asked him how to browse our network files on the server he told me to set up a network share using Windows explorer.
So..can anyone please advise how I can translate that action into OSX land? I have searched the Apple support papers but with no success. These days most hits for VPN concern the blessed iPhone....
I have tried in the finder running connect to server and typing in smb://servername. That returns error code -36 "the finder cannot complete the operation because some data in [that address] cannot be read or written". I have tried using the company lan IP address for the server instead and that returns "name or password is not correct".
I appreciate these things often depend completely on the fine details of our setup. If nothing else, does anyone know a good book to assist here - Pogue is a great basic guide but not really detailed enough for this sort of thing. Failing that, how do I find out what error -36 means? Ta.
Message was edited by: Matt McGrath bis
For error -36, might try this...
http://docs.info.apple.com/article.html?artnum=301580
For stubborn Mac<->Windows® problems...
http://www.thursby.com/products/admitmac.html
Other solutions...
http://www.thejackol.com/2005/09/21/os-x-and-windows-server-2003-file-sharing/ -
Cluster Not Available error when booting OVM server DOM0 from USB
Hi all,
I have been wanting to run OVM 2.2 from a USB stick for a while now. I ran through the install CD today and saw there was a 'minimal USB install' option on the installation screen. So I plugged in a 4GB USB stick, rebooted, and ran the USB install.
After a while, the install completed, OVM booted up perfectly it seemed, and I was happy.
The server had no local storage apart from this USB stick as we are going to be hooking it up to an iSCSI target for guest VM storage.
This was a new lab setup, so I got the VM Manager running on another system, connected to the USB booted OVM server, and went to create a pool.
Running the 'test connection' that worked fine.
Trying to add the pool - failed. I got the error 'Cluster Not Available'
On the OVM server I did a repos.py -l and nothing gets listed.
I understand that for HA you need a repository with shared storage. However, before I have used these same install CDs with a single local hard disk, to get OVM server running, and it did so fine.
So what's different with the USB disk install that means you don't get a repository?
Do I have to create a special repository LUN, manually connect the OVM server to this, and then use repos.py to create it?
Cheers,
Jeff
Ok I have read, re-read related parts of the underground manual and have hit a brick wall with the 'simple' task of setting up a NIC for dedicated iSCSI traffic. The manual does not cover this task in the iSCSI SAN section.
So I'm in a catch 22.
My OVM server boots up with its single management NIC configured, but once booted I don't want to connect to the iSCSI target via this network - I need it completely closed off.
I want to use another NIC (or bond of two) for dedicated iSCSI traffic to and from the OVM Server.
However, the underground manual strangely only seems to cover a single NIC configuration! It looks like he assumes you are going to be running iSCSI on your management NIC, which I can only think is incredibly bad practice.
I have installed OVM with the linux asknetwork - this did not give me the option to configure additional interfaces.
I then manually edited /etc/sysconfig/network-scripts/ifcfg-eth1 on the OVMServer, restarted network, restarted the entire box - I can ping my new NIC / IP locally from within the OVM server, but I can not connect to the iSCSI target, nor can I ping the iSCSI NIC on the OVM server from the target.
This is such a simple thing to try to achieve - super frustrating...
Jeff -
Problem of OVM- server :(
Install OVM-server 2.1 on the HP-Proliant DL145 AMD processor
Configuration ovs-agent
/etc/init.d/ovs-agent configure
;ssl support --
;enable ssl support in xmlrpc transport?(enable/disable)
ssl=disable
ssl=
now ssl=disable
;network access control by ip --
;rules := if addr.match(allow) and not addr.match(deny): return True
;pattern items delimited by comma and could be
;219.142.73.50 #single ip
;219.142.73.* #range
;219.142.73.0/24 #range
;default to allow all, deny none
allow=195.168.0.77
allow=
now allow=195.168.0.77
deny=
deny=
now deny=
would you like to modify password to communicate with agent?[y/N]
OVS Agent configuration done.
This is agent status
[root@vm ~]# /etc/init.d/ovs-agent start
OVSAgentServer is now starting...
OVSAgentServer started.
Traceback (most recent call last):
File "/opt/ovs-agent-2.2/utils/broadcast_macip.py", line 66, in ?
main()
File "/opt/ovs-agent-2.2/utils/broadcast_macip.py", line 60, in main
s.sendto(data, ('<broadcast>', int(config.get("agent", "port"))))
socket.error: (101, 'Network is unreachable')
[root@vm ~]# /etc/init.d/ovs-agent status
OVSAgentServer is running.
[root@vm ~]#
I am connecting from 195.168.0.77
The browser returns me following errors
OVSAgentServer
This server exports the following methods through the XML-RPC protocol.
Methods
exists(vmpath)
check if a vm exists
@return "success" if success else "failed:<error message>"
add_vm_disk(vm_path, disk_path, sharable=False)
attach a disk to a vm
@return "success" if success else "failed:<error message>"
add_vm_vif(vm_path, num)
add vifs for the vm
@return "success:macs=<macs_string>" if success else "failed:<error message>"
macs_string is in the format of "mac1,mac2"
et cetera.....
Please Help me...... :(
EmOuBi
No problem with ping.
The firewall switched off '/etc/init.d/iptables stop '
look at http://dba.host.n.kg/image/1371/10440_OVS-error.JPG
in this picture you can see state of connecting.. -
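The allow/deny rule printed by the ovs-agent configure dialog above (single IP, `a.b.c.*` wildcard or CIDR items, comma-delimited, empty allow meaning allow all and empty deny meaning deny none), as an added example of how such a list is evaluated. It is modelled on the documented rule, not taken from the agent's own code; `evaluate()` and its reason strings are my own additions.

```python
"""Evaluate the ovs-agent 'network access control by ip' rule.

Added illustration modelled on the rule the configure dialog documents:
    if addr.match(allow) and not addr.match(deny): return True
It is not the agent's own code. Pattern items are comma-delimited and may be
a single IP (219.142.73.50), an octet wildcard (219.142.73.*) or a CIDR range
(219.142.73.0/24). An empty allow means allow all; an empty deny means deny none.
"""
import ipaddress


def pattern_matches(addr: ipaddress.IPv4Address, pattern: str) -> bool:
    """True if one pattern item covers addr."""
    pattern = pattern.strip()
    if not pattern:
        return False
    if "/" in pattern:                       # CIDR form
        return addr in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern:                       # octet wildcard form
        want = pattern.split(".")
        have = str(addr).split(".")
        return len(want) == 4 and all(w in ("*", h) for w, h in zip(want, have))
    return addr == ipaddress.ip_address(pattern)   # single host


def first_match(addr: ipaddress.IPv4Address, pattern_list: str):
    """Return the first comma-delimited item that matches, else None."""
    for item in pattern_list.split(","):
        if pattern_matches(addr, item):
            return item.strip()
    return None


def evaluate(client_ip: str, allow: str = "", deny: str = ""):
    """Decide whether one XML-RPC client address may talk to the agent.

    Returns (decision, reason) so a rejected connection can be explained.
    """
    addr = ipaddress.ip_address(client_ip)
    if allow.strip():
        hit = first_match(addr, allow)
        if hit is None:
            return False, f"{client_ip} not in allow list"
        reason = f"allowed by {hit}"
    else:
        reason = "allowed by default (empty allow list)"
    if deny.strip():
        hit = first_match(addr, deny)
        if hit is not None:
            return False, f"{client_ip} denied by {hit}"
    return True, reason


if __name__ == "__main__":
    # The thread's settings: allow=195.168.0.77, deny empty (constructed calls).
    for ip in ("195.168.0.77", "195.168.0.78"):
        print(ip, evaluate(ip, allow="195.168.0.77"))
```

With the thread's settings only 195.168.0.77 is admitted; the "Network is unreachable" traceback above comes from the separate broadcast_macip helper and is not produced by this access check.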
Problems accessing 1 remote desktop when connected with VPN
Hi everyone,
I have an ASA 5505 and have a problem where when I connect through VPN I can RDP into a server using its internal address but I cannot RDP to another server using its internal address.
The one I can connect to has an IP of 192.168.2.10 and the one I cannot connect to has an IP of 192.168.2.11 on port 3390.
Both rules are configured exactly the same except for the IP addresses and I cannot see why I cannot connect to this one server.
I am also able to connect to my camera system with an IP 192.168.2.25 on port 37777 and able to ping any other device on the internal network.
I've also tried pinging it and telnetting to port 3390 with no success.
Here is the config.
ASA Version 8.4(4)1
interface Ethernet0/0
switchport access vlan 3
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan2
nameif inside
security-level 100
ip address 192.168.2.2 255.255.255.0
interface Vlan3
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network CTSG-LAN-OUT
range 10.1.1.10 10.1.1.49
object network CTSG-LAN-IN
subnet 192.168.2.0 255.255.255.0
object service RDP3389
service tcp destination eq 3389
description To DC
object network SERVER-IN
host 192.168.2.10
object network SERVER-OUT
host 10.1.1.50
object network CAMERA-IN-TCP
host 192.168.2.25
object network CAMERA-OUT
host 10.1.1.51
object service CAMERA-TCP
service tcp destination eq 37777
object network SERVER-Virt-IN
host 192.168.2.11
object network SERVER-Virt-OUT
host 10.1.1.52
object service RDP3390
service tcp destination eq 3390
description To VS for Master
object network CAMERA-IN-UDP
host 192.168.2.25
object service CAMERA-UDP
service udp destination eq 37778
object network CTSG-LAN-OUT-VPN
subnet 10.1.1.128 255.255.255.128
object network SERVER-Virt-IN-VPN
host 192.168.2.11
object network SERVER-IN-VPN
host 192.168.2.10
object network CAMERA-IN-VPN
host 192.168.2.25
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside1_access_in remark Implicit rule: Permit all traffic to less secure networks
access-list inside1_access_in extended permit ip any any
access-list outside_access_in extended permit object RDP3389 any host 192.168.2.10
access-list outside_access_in extended permit object RDP3390 any host 192.168.2.11
access-list outside_access_in extended permit object CAMERA-TCP any host 192.168.2.25
access-list outside_access_in extended permit object CAMERA-UDP any host 192.168.2.25
pager lines 24
logging enable
logging buffer-size 10240
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
object network CTSG-LAN-IN
nat (inside,outside) dynamic interface
object network SERVER-IN
nat (inside,outside) static SERVER-OUT service tcp 3389 3389
object network CAMERA-IN-TCP
nat (inside,outside) static CAMERA-OUT service tcp 37777 37777
object network SERVER-Virt-IN
nat (inside,outside) static SERVER-Virt-OUT service tcp 3390 3390
access-group inside1_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.1.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SACTSGRO
crl configure
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.2.0 255.255.255.0 inside
telnet timeout 15
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 15
dhcpd auto_config inside
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password xxxxx encrypted privilege 15
username admin attributes
vpn-group-policy DfltGrpPolicy
tunnel-group CTSGRA type remote-access
tunnel-group CTSGRA general-attributes
address-pool RAVPN
tunnel-group CTSGRA ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:0140431e7642742a856e91246356e6a2
: end
Thanks for your help
Ok,
So you basically have configured the router so that you can connect directly to the ASA using the Cisco VPN Client. And also the objective was to in the end only allow traffic to the LAN through the VPN Client connection ONLY.
It would seem to me to achieve that, you would only need the following NAT configurations
VPN Client NAT0 / NAT Exempt / Identity NAT
object network LAN
subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
subnet 10.1.1.128 255.255.255.128
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
The purpose of the above NAT configuration is simply to tell the ASA not to do any kind of NAT when there is traffic between the LAN network of 192.168.2.0/24 and the VPN Pool of 10.1.1.128/25. This way if you have any additional hosts on the LAN that need to be connected to, you won't have to make any form of changes to the NAT configurations for the VPN client users. You just allow the connections in the ACL (explained later below).
Default PAT
object-group network DEFAULT-PAT-SOURCE
network-object 192.168.2.0 255.255.255.0
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
This configuration's purpose is just to replace the earlier Dynamic PAT rule on the ASA. I guess your router will be doing the translation from the ASA "outside" interface IP address to the router's public IP address and this configuration should therefore allow normal Internet usage from the LAN.
I would suggest removing all the other NAT configuration before adding these.
Controlling VPN clients access to internal resources
Also I assume that your current VPN client is configured as Full Tunnel. In other words it will tunnel all traffic to the VPN connection while it's active?
To control the traffic coming from the VPN Client users I would suggest that you do the following
Configure "no sysopt connection permit-vpn" This will change the ASA operation so that connections coming through a VPN connections ARE NOT allowed by default to bypass the "outside" interface ACL. Therefore after this change you can allow the connections you need in the "outside" interface ACL.
Configure any rules you need regarding the VPN client connections to the "outside" interface ACL. Though I guess they already exist since you are connecting there without the VPN also
I can't guarantee this with 100% certainty but it would seem to me that the above things should get you to the point where you can access the internal resources ONLY after you have connected to the ASA through the VPN client connection. Naturally take precautions like configuration backups if you are going to do major configuration changes. Also if you are remotely managing the ASA then you also have the option to configure a timer on the ASA after which it will automatically reload. This could help in situations where a misconfiguration breaks your management connection and you have no other way to connect remotely. Then the ASA would simply reboot after the timer ran out and also reboot with the original configuration (provided you hadn't saved anything in between).
Why are you using a different port for the other device's RDP connection? I can understand it if it's used through the Internet but if the RDP connection would be used through the VPN Client only then I don't think there is any need to manipulate the default port of 3389 on the server or on the ASA.
Also naturally if there is something on the actual server side preventing these connections then these configuration changes might not help at all.
Let me know if I have understood something wrong
- Jouni -
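As an added example (not from the thread and not Cisco tooling), a small Python auditor that reads the `object network` definitions, the `ip local pool` line and the twice-NAT `source static` rules from a config like the one above, and reports which LAN hosts are NAT-exempt towards the VPN pool and whether VPN sessions still bypass the outside ACL (no `no sysopt connection permit-vpn` present). The two sample configs are constructed from the thread's own statements and from the consolidated rule suggested in the reply; 192.168.2.50 is a hypothetical extra LAN host with no per-host rule.

```python
"""Audit an ASA 8.4 config for VPN-client identity NAT coverage.

Added illustration, not Cisco tooling. Handles only the statement forms
that appear in the thread's config: 'object network' with host/subnet,
'ip local pool', twice-NAT 'source static' rules and the sysopt line.
"""
import ipaddress
import re

def parse_objects(config: str) -> dict:
    """Map each 'object network' name to the IPv4Networks it covers."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
            objects.setdefault(current, [])
            continue
        if current is None:
            continue
        if line.startswith("host "):
            objects[current].append(ipaddress.ip_network(line.split()[1] + "/32"))
        elif line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current].append(ipaddress.ip_network(f"{net}/{mask}"))
        else:
            current = None          # any other statement ends the object body
    return objects

def parse_pool(config: str) -> list:
    """Return the 'ip local pool' range as a list of summarised IPv4Networks."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+) mask", config)
    if not m:
        return []
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))

def identity_nat_rules(config: str):
    """Yield (source_obj, dest_obj) for twice-NAT rules that translate nothing."""
    pat = re.compile(r"nat \(inside,outside\) source static (\S+) (\S+) destination static (\S+) (\S+)")
    for m in pat.finditer(config):
        src_real, src_mapped, dst_real, dst_mapped = m.groups()
        if src_real == src_mapped and dst_real == dst_mapped:
            yield src_real, dst_real

def covers(nets, targets) -> bool:
    """True if every network in targets lies inside some network in nets."""
    return all(any(t.subnet_of(n) for n in nets) for t in targets)

def audit(config: str, lan_hosts) -> dict:
    """Report which LAN hosts are NAT-exempt towards the pool and the ACL state."""
    objects, pool, exempt = parse_objects(config), parse_pool(config), set()
    for src, dst in identity_nat_rules(config):
        if not covers(objects.get(dst, []), pool):
            continue                # rule does not cover the whole VPN pool
        for host in lan_hosts:
            if covers(objects.get(src, []), [ipaddress.ip_network(host + "/32")]):
                exempt.add(host)
    return {
        "pool": [str(n) for n in pool],
        "exempt": sorted(exempt),
        "not_exempt": sorted(set(lan_hosts) - exempt),
        "vpn_bypasses_acl": "no sysopt connection permit-vpn" not in config,
    }

# Constructed sample: the VPN-related NAT statements from the thread's config.
THREAD_CONFIG = """
ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
object network CTSG-LAN-OUT-VPN
 subnet 10.1.1.128 255.255.255.128
object network SERVER-Virt-IN-VPN
 host 192.168.2.11
object network SERVER-IN-VPN
 host 192.168.2.10
object network CAMERA-IN-VPN
 host 192.168.2.25
nat (inside,outside) source static SERVER-IN-VPN SERVER-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static CAMERA-IN-VPN CAMERA-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
nat (inside,outside) source static SERVER-Virt-IN-VPN SERVER-Virt-IN-VPN destination static CTSG-LAN-OUT-VPN CTSG-LAN-OUT-VPN
"""

# Constructed sample: the consolidated LAN-wide identity NAT from the reply, ACL bypass off.
CONSOLIDATED_CONFIG = """
ip local pool RAVPN 10.1.1.129-10.1.1.254 mask 255.255.255.128
object network LAN
 subnet 192.168.2.0 255.255.255.0
object network VPN-POOL
 subnet 10.1.1.128 255.255.255.128
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
no sysopt connection permit-vpn
"""

# 192.168.2.50 is a hypothetical extra LAN host with no per-host NAT rule.
HOSTS = ["192.168.2.10", "192.168.2.11", "192.168.2.25", "192.168.2.50"]
```

Calling `audit(THREAD_CONFIG, HOSTS)` lists 192.168.2.50 under `not_exempt` and flags the ACL bypass, while the consolidated config exempts every LAN host with one rule and no longer bypasses the outside ACL.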
OVM Server 2.1.2 does not prompt for Networking
OVM Server 2.1.2 does not prompt for a network setup (ie DHCP or static IPs).
- I tried re-installing this several times
This same machine works with native Enterprise Linux 5.2 x86-64 networking.
The motherboard has two onboard Realtek 8111C chips (10/100/1000 Mbit)
http://www.gigabyte.com.tw/Products/Motherboard/Products_Overview.aspx?ProductID=2842
Will setting up networking by hand work with OVM Server 2.1.2?
OK I finally made my Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller work.
First install an Ethernet card in your box that OVM supports. This to make the OVM installation run smoothly.
When OVM is up and running follow the steps in [Mini-HOWTO] RPMs needed to compile a kernel-module on / for VM Server to get a working environment to compile modules.
Now get the driver for the unsupported card from ftp://61.56.86.122/cn/nic/r8168-8.008.00.tar.bz2 .
Unpack the file by running:
tar -jxvf r8168-8.008.00.tar.bz2
Now follow the steps in the included readme file to compile and install the driver.
After this I edited the file /etc/modules.conf and changed the line
alias eth0 xxx
to
alias eth0 r8168
I then turned off the machine and removed my temporary network card.
When booted I ran system-config-network to configure the network once more to the original values I entered when I installed. -
OVM Server 3.2.1 install reboots server
I have been trying to install OVM Server on an IBM xSeries 336 server. OVM Server 2.2.1 was previously installed on this server.
Trying to install 3.2.1 now and I get to the splash screen booting from the CD. I press [Enter] to begin the installation. Once the process reaches the point of 'Loading SCSI driver', the server reboots. I have tested the media on other machines without issue. I have also tested the server with OVM Server 2.2.1 media and the install progresses normally to the end.
I suspect there are missing drivers causing the install to fail. Is there a way to load the missing drivers during the install process?
Thanks in advance,
UPDATE: I have successfully installed OVM Server 3.0.2... Not exactly what I wanted but....
Edited by: SBaugher on Feb 20, 2013 11:04 AM
Oracle VM 3 is entirely different from 2.2.1.
Take a look at the release notes for 3.2.1. There are a few instances in which you have to specify different boot parameters for the installation to work.
http://docs.oracle.com/cd/E35328_01/E35329/E35329.pdf
You might have a MEGARAID product.
If you are installing Oracle VM Server on a Sun Fire X4800, you must provide extra parameters when
booting from the installation media (CDROM or ISO file), or when using a kickstart installation. These
parameters allow the megaraid_sas driver to load correctly.
If booting from the installation media, press F2 when the initial boot screen is displayed and provide the
following additional parameters as part of the boot command:
mboot.c32 xen.gz extra_guest_irqs=64,2048 nr_irqs=2048 --- vmlinuz --- initrd.img
If using a kickstart installation, add the additional kernel parameters to the PXE configuration file. -
Policy Based Routing with VPN Client configuration
Hi to all,
We have a Cisco 2800 router in our company that also serves as a VPN server. We use the VPN Client to connect to our corporate network (pls don't laugh, I know that it is very obsolete but I haven't had the time lately to switch to SSL VPN).
The router has two WAN connections. One is the primary wan ("slow wan" link with slower upload 10D/1U mbps) and it is used for the corporate workstations used by the employees. The other is our backup link. It has higher upload speed - 11D/11U mbps, (fast wan), and thus we also use the high upload link for our webserver (I have done this using PBR just for the http traffic from the webserver). For numerous other reasons we can not use the `fast wan` connection as our primary connection and it is used only as a failover in case the primary link fails.
The `fast wan` also has a static IP address and we use this static IP for the VPN Client configuration.
Now the thing is that because of the failover, when we connect from the outside using the VPN Client, the traffic comes from the `fast wan` interface, but exits from the `slow wan` interface. And because the `slow wan` has only 1mbps upload the vpn connection is slow.
Is there any way for us to redirect the vpn traffic to always use the `fast wan` interface and to take advantage of the 11mbps upload speed of that connection?
This is our sanitized config
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group dc
key ***
dns 192.168.5.7
domain corp.local
pool SDM_POOL_1
acl 101
max-users 3
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group dc
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
interface Loopback0
ip address 10.10.10.1 255.255.255.0
interface FastEthernet0/0
description *WAN*
no ip address
ip mtu 1396
duplex auto
speed auto
interface FastEthernet0/0.3
description FAST-WAN-11D-11U
encapsulation dot1Q 3
ip address 88.XX.XX.75 255.255.255.248
ip load-sharing per-packet
ip nat outside
ip virtual-reassembly
interface FastEthernet0/0.4
description SLOW-WAN-10D-1U
encapsulation dot1Q 4
ip address dhcp
ip nat outside
ip virtual-reassembly
no cdp enable
interface FastEthernet0/1
description *LOCAL*
no ip address
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1.10
description VLAN 10 192-168-5-0
encapsulation dot1Q 10
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly max-reassemblies 32
no cdp enable
interface FastEthernet0/1.20
description VLAN 20 10-10-0-0
encapsulation dot1Q 20
ip address 10.10.0.254 255.255.255.0
ip access-group PERMIT-MNG out
ip nat inside
ip virtual-reassembly
!!! NOTE: This route map is used to PBR the http traffic for our server
ip policy route-map REDIRECT-VIA-FAST-WAN
no cdp enable
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Virtual-Template3
no ip address
interface Virtual-Template4
no ip address
ip local pool SDM_POOL_1 192.168.5.150 192.168.5.152
ip forward-protocol nd
!!! SLOW-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 89.XX.XX.1 5
!!! FAST-WAN NEXT HOP DEFAULT ADDRESS
ip route 0.0.0.0 0.0.0.0 88.XX.XX.73 10
ip nat inside source route-map FAST-WAN-NAT-RMAP interface FastEthernet0/0.3 overload
ip nat inside source route-map SLOW-WAN-NAT-RMAP interface FastEthernet0/0.4 overload
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
ip access-list extended FAST-WAN-NAT
permit tcp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit udp 192.168.5.0 0.0.0.255 range 1025 65535 any
permit icmp 192.168.5.0 0.0.0.255 any
permit tcp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit udp 10.10.0.0 0.0.0.255 range 1025 65535 any
permit icmp 10.10.0.0 0.0.0.255 any
ip access-list extended REDIRECT-VIA-FAST-WAN
deny tcp host 10.10.0.43 eq 443 9675 192.168.5.0 0.0.0.255
permit tcp host 10.10.0.43 eq 443 9675 any
ip access-list extended SLOW-WAN-NAT
permit ip 192.168.5.0 0.0.0.255 any
permit ip 10.10.0.0 0.0.0.255 any
route-map FAST-WAN-NAT-RMAP permit 10
match ip address FAST-WAN-NAT
match interface FastEthernet0/0.3
route-map REDIRECT-VIA-FAST-WAN permit 10
match ip address REDIRECT-VIA-FAST-WAN
set ip next-hop 88.XX.XX.73
route-map SLOW-WAN-NAT-RMAP permit 10
match ip address SLOW-WAN-NAT
match interface FastEthernet0/0.4
Can you try to use PBR Match track object,
Device(config)# route-map abc
Device(config-route-map)# match track 2
Device(config-route-map)# end
Device# show route-map abc
route-map abc, permit, sequence 10
Match clauses:
track-object 2
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Additional References for PBR Match Track Object
This feature is a part of IOS-XE release 3.13 and later.
PBR Match Track Object
Cisco IOS XE Release 3.13S
The PBR Match Track Object feature enables a device to track the stub object during Policy Based Routing.
The following commands were introduced or modified: match track tracked-obj-number
Cheers,
Sumit -
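As an added illustration, not from either poster, the following IOS fragment shows the local policy routing approach to the asymmetry described in the question: the IKE/ESP packets sent back to VPN clients are generated by the router itself, so they follow the preferred SLOW-WAN default route (distance 5) unless a local policy steers them. It assumes the masked addresses exactly as posted (88.XX.XX.75 on the FAST-WAN subinterface, 88.XX.XX.73 as its next hop) and that the encapsulated tunnel packets are subject to `ip local policy`.

```cisco
! Added example, not part of the original thread. Assumes the posted addresses.
! Match only router-originated packets sourced from the FAST-WAN address,
! i.e. ISAKMP (UDP/500, UDP/4500) and ESP replies to the VPN clients.
! LAN traffic is untouched: it is still NATed by the existing route-maps.
ip access-list extended LOCAL-FROM-FAST-WAN
 permit ip host 88.XX.XX.75 any
!
route-map LOCAL-VIA-FAST-WAN permit 10
 match ip address LOCAL-FROM-FAST-WAN
 set ip next-hop 88.XX.XX.73
!
! "ip local policy" applies to packets the router generates itself, unlike
! "ip policy" on an interface, which only sees transit traffic.
ip local policy route-map LOCAL-VIA-FAST-WAN
!
! Verification: connect a VPN client and watch the match counters grow, e.g.
!   show ip local policy
!   show route-map LOCAL-VIA-FAST-WAN   (Policy routing matches: N packets ...)
```

If the counters stay at 0 while a client is connected, the tunnel packets are being sourced from another address (check `show crypto session`) and the ACL source host must be adjusted accordingly.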
Disaster recovery of remaining OVM server
Hi,
I hope some of you can help me with some disaster recovery tests I have to do shortly.
The environment has 2 OVM servers: server1 and server2 in a server pool.
Server1 has the cluster filesystem shared to it via multipathing, and in turn, server1 shares the repository and cluster fs with server2 via NFS.
In the meantime, there are other LUNs shared with just server2, which are being replicated with the repository and cluster fs that is currently being used.
If server1 "dies" (and this is easy to simulate by just shutting it down), it will stop sharing the repository and fs with server2, the server pool will have errors, and so will server1 (it cannot be contacted), and so will server2 (it has lost access to the repository and cluster fs).
Oracle documentation explains very clearly how to add and remove server pools and servers neatly, but it makes no mention of how to clean up a server in order to reuse it on a new server pool, with a new repository, in this case, the replicated LUNs that were only in server2.
Have any of you done something similar to this? Do I have to go into the OVM Manager database at row level to delete every mention of the old repository? Is there a way of cleaning up server2 for reuse (other than reinstalling)? In OVM 2.2 there was a cleanup.py script, but I didn't find such a script in 3.0.3...
Any suggestions on how to test this will be welcome. If I have overlooked some useful documentation on this, please point me to it...
Regards,
T.
Dan,
do you mean
sh ./ovm_upgrade.sh dbuser=ovs dbpass=<password> --fixup
Regards,
T.