VMW Fusion 4.1 breaks 1 host LAN subnet

Testing VMware Fusion 4.1 on a '09 MacBook Pro (Lion 10.7.2) to run a Lion 10.7.2 guest for testing. When Fusion is running, regardless of whether the VM is on, suspended or stopped, it sometimes has (not yet consistently reproducible) killed Exchange mail in the host (Mail.app or MS 02k11) and kills any new access to one particular local subnet (yet all other LAN and WAN subnets are fine) from the host's wired ethernet LAN (guest VM running bridged on wifi, totally separate from / firewalled off from the host's wired LAN). Quit Fusion and, bam, all works again. Repeatable back and forth, and after a reboot with nothing else running. Can't even ping the subnet on the router. Even stranger: if shared server volumes from the affected subnet are mounted in the host before starting Fusion, they stay mounted and fully accessible for read/write, yet their whole subnet can no longer be pinged and no new connection to the server from the host can be established.
Tried changing lots of network settings in the host, Fusion and the guest VM; it seems to make no difference: the simple act of starting Fusion.app breaks host access to just the one local subnet. Quitting Fusion.app restores it.
Anyone got any ideas what causes this, maybe something simple I've overlooked? TIA.

Sorry to hear that.
But Apple have probably broken it when they added the MobileMe and modified the Wide-Area Bonjour code.
However, I can report that Back-to-My-Mac does work on the AEBS. If you are already a MM subscriber, you can use that to get back to the AirDisk.

Similar Messages

  • PBR using dual ISP and single LAN subnet

    Hello,
    I have 2 ISP connections on the Cisco router 29121, i.e. a Leased Line and PPPoE, and a single LAN subnet.
    I want to use PBR.
    I want to allow IP traffic destined for 1.1.1.1, 2.2.2.2, 3.3.3.3 (fictitious IPs) to go through the Leased Line
    and all other traffic through PPPoE.
    Please help me to achieve this.
    Thanks in advance.

    WoW, great, thanks cadet alain.
    It is working as desired.
    This is my current config. I just want your help for one last thing:
    If the leased line goes down, I want to direct the users to PPPoE.
    However, if PPPoE, the users should NOT BE directed to the leased line.
    int gi0/0
     description << Leased Line >>
     ip address 100.100.100.101 255.255.255.252
     ip nat outside
     no shut
    !
    int gi0/2
     description << LAN Subnet >>
     ! mask inferred from access-list 100 (10.1.50.0 0.0.0.255)
     ip address 10.1.50.1 255.255.255.0
     ip nat inside
     ! route-map PBR (below) carries the set ip next-hop; "lease" is the NAT route-map
     ip policy route-map PBR
     no shut
    !
    interface Dialer0
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in max-reassemblies 512
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     ppp authentication pap chap callin
     ppp chap hostname XXXXXXXXXXXXXXX
     ppp chap password 0 9860
     ppp pap sent-username XXXXXXXXXXXXXXX password 0 9860
     no cdp enable
    !
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no shut
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    !
    ! extended ACL needs a destination; "any" matches all LAN-sourced traffic
    access-list 100 permit ip 10.1.50.0 0.0.0.255 any
    !
    route-map lease permit 10
     match ip address 100
     match interface gi0/0
    !
    route-map pppoe permit 10
     match ip address 100
     match interface Dialer0
    !
    ip nat inside source route-map lease interface gi0/0 overload
    ip nat inside source route-map pppoe interface Dialer0 overload
    !
    access-list 101 permit ip 10.1.50.0 0.0.0.255 host 1.1.1.1
    access-list 101 permit ip 10.1.50.0 0.0.0.255 host 4.2.2.2
    !
    route-map PBR permit 10
     match ip address 101
     set ip next-hop 100.100.100.102
    !
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 0.0.0.0 0.0.0.0 100.100.100.102

  • RV130 router : Unable to modify LAN subnet mask

    Hi everyone,
    I'm using a Cisco router RV130, which runs the latest firmware (1.0.1.3), and when
    I set an IP address on the LAN interface, I can't choose a subnet mask greater than /24.
    The scrolling list proposes only these values:
    255.255.255.0
    255.255.255.128
    255.255.255... and so on up to 255.255.255.252
    The issue is that the customer's LAN address is 172.17.0.0/16 (255.255.0.0).
    Any clue?
    Thierry

    Please see the attached Word Document for how to create a case online. Please make sure your CCOID is associated with the Product and/or the contract. This will prevent any issue when creating a case. If there is an issue with the association, the 1-866-606-1866 number will put you in touch with the people to assist in the association to your CCOID. Hope this helps.

  • Creating LAN subnets

    Hi,
    I have a LAN using the IP range 192.168.1.x. I am currently using a Cisco 857 ADSL router to provide internet access to all the PCs in the LAN.
    I want to change the network so that IP addresses are separated into different departments, e.g. 192.168.10.x, 192.168.20.x. Each network would be able to access the internet, the mail server and the file server etc., but would not have access to the others.
    Could this be achieved using ACLs on my existing router? The Cisco router only has 4 ports; would I need to purchase an additional router, or a layer 3 switch, to do this?
    Thanks
    Nick

    Hi,
    It's true, the 850 series only supports one VLAN. :(
    You would have to put a Layer 3 switch behind it, and create a separate subnet connecting it to the Cisco 857 (either by VLAN/SVI or routed port).
    On the L3 switch create different VLANs and SVIs for your clients. Assign different ports to the desired client VLANs. Communication between the VLANs can be limited by ACLs applied to the SVIs.
    On the L3 switch point a default route towards the Cisco 857, and don't forget to set appropriate routes on your Cisco 857 pointing back to the Layer 3 switch.
    hth
    Ingo

  • Nat'ing Lan subnet

    I have a tunnel created and I need to NAT the local network 192.168.1.0/24 to 172.31.196.0/24 towards the destination IP, let's say 2.2.2.2.
    Code version is 821.
    name 2.2.2.2 External_IP
    name 172.31.196.0 Local_xlated
    I thought the statement would look like: nat (inside,outside) inside-network Local_xlated static destination External_IP

    eluciasa(config)# packet-tracer input inside tcp 192.168.1.6 53 8.8.8.8 53
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 4
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 5
    Type: NAT
    Subtype: host-limits
    Result: ALLOW
    Config:
    static (inside,outside) MC_Local_xlated  access-list L2LVPN-POLICYNAT
      match ip inside 192.168.1.0 255.255.255.0 outside host External_IP
        static translation to MC_Local_xlated
        translate_hits = 0, untranslate_hits = 0
    Additional Information:
    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    nat (inside) 1 0.0.0.0 0.0.0.0
      match ip inside any outside any
        dynamic translation to pool 1 (External_IP [Interface PAT])
        translate_hits = 24686918, untranslate_hits = 1904674
    Additional Information:
    Dynamic translate EluciMX01/53 to External_IP/356 using netmask 255.255.255.255
    Phase: 7
    Type: HOST-LIMIT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 32668832, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    eluciasa(config)#

  • RVS4000 lan subnet ask

    I'm planning to use the RVS4000 in 10 of my branch offices.
    The current IPs of those branch offices are 10.12.0.0/16 (255.255.0.0).
    When trying to configure the RVS4000 LAN IP I only have a drop-down for selecting the mask, and the largest one is 255.255.255.0. Is there any way of using a larger mask than that?
    Thanks!

    The LAN configuration of RVS4000 is limited to a Class C network. That said, RVS4000 does support multiple VLANs, each of which is a Class C network.

  • Connect two internet lines on the same cisco router 3945 series

    I have two internet lines from the same provider and I have one router; I want to connect the two lines to the same router.
    Any ideas!!!

    Hi,
    No problem, similar treatment. Follow:
    1. Create an IP SLA/track for both internet links
    2. Break your LAN subnet into 2 smaller subnets
    3. Create a route map, match the 1st subnet and route the traffic towards the 1st internet link
    route-map General_Internet_Traffic permit 10
    match ip address 115
    set ip next-hop verify-availability 10.1.1.1 track 1
    set ip next-hop verify-availability 11.1.1.1 track 2
    4. Create a route map, match the 2nd subnet and route the traffic towards the 2nd internet link
    5. Configure NATing/PATing over the interface, selected by route-map
    ip nat inside source route-map General_Internet_Traffic interface FastEthernet0/0 overload
    - Ashok

  • Access websites hosted on local web server

    Hi there,
    I have a Cisco ASA 5505 in my home office which has a few PCs behind it, with a Linux web server running some websites. I can access the websites from outside no problem (i.e. on my iPhone using a 3G connection). However, I struggle to access the websites from within the network. The ASA gives me this error:
    6 | May 05 2013 | 11:52:27 | 192.168.55.61 | 50420 | Failed to locate egress interface for TCP from inside:192.168.55.61/50420 to 86.*.*.*/80
    ASA runs version 9. Here is the config bit:
    object network denon-server
    host 192.168.55.200
    access-list outside_access_in extended permit tcp any object denon-server eq www
    object network denon-server
    nat (any,outside) static interface service tcp www www
    Any suggestions?

    Hi,
    I assume that you are trying to reach the LAN server with the public IP address that the ASA holds and also uses for the above Port Forward / Static PAT configuration?
    If this is the situation then I am afraid that with the current configuration that is not possible. The NAT configuration towards the Internet is probably done between "inside" and "outside", so the "outside" interface holds the public IP address. The ASA doesn't let you connect to that "outside" IP address from behind the "inside" interface (or any other interface for that matter).
    What you could try to do is configure a NAT that would enable you to use the public IP address of the server even when connecting from the "inside" of the ASA.
    Try this
    object network SERVER-LOCAL
    host 192.168.55.200
    object network SERVER-PUBLIC
    host 86.x.x.x
    object network LAN
    subnet 192.168.55.0 255.255.255.0
    nat (inside,inside) source dynamic LAN interface destination static SERVER-PUBLIC SERVER-LOCAL
    Where
    SERVER-LOCAL = Is the "object" that defines the real IP address of the server
    SERVER-PUBLIC = Is the "object" that defines the public IP address of the server (that ASA holds on its "outside")
    LAN = Is the "object" that defines the subnet from where LAN users connect to the server public IP address
    Check that the network mask is correct for the LAN and fill in the public IP address.
    The actual NAT configuration tells the ASA this:
    When a connection from LAN is coming towards SERVER-PUBLIC, then UN-NAT SERVER-PUBLIC to SERVER-LOCAL and NAT LAN to the "inside" interface IP address (as defined by the parameter "interface" in the configuration).
    This should enable the LAN hosts to use the public IP address to connect to the server. The server though will see the connections coming from the ASA "inside" interface IP address.
    Hope this helps
    Please remember to mark a correct reply as the correct answer if it did answer, and/or rate helpful answers.
    Ask more if needed.
    - Jouni

  • Remote access VPN client gets connected no access to LAN

    : Saved
    ASA Version 8.6(1)2
    hostname COL-ASA-01
    domain-name dr.test.net
    enable password i/RAo1iZPOnp/BK7 encrypted
    passwd i/RAo1iZPOnp/BK7 encrypted
    names
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 172.32.0.11 255.255.255.0
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 192.9.200.126 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/4
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/5
    nameif failover
    security-level 0
    ip address 192.168.168.1 255.255.255.0 standby 192.168.168.2
    interface Management0/0
    nameif management
    security-level 0
    ip address 192.168.2.11 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dr.test.net
    object network RAVPN
    subnet 192.168.0.0 255.255.255.0
    object network NETWORK_OBJ_192.168.200.0_24
    subnet 192.168.200.0 255.255.255.0
    object network NETWORK_OBJ_192.9.200.0_24
    subnet 192.9.200.0 255.255.255.0
    object-group network inside_network
    network-object 192.9.200.0 255.255.255.0
    object-group network Outside
    network-object host 172.32.0.25
    access-list RAVPN_splitTunnelAcl standard permit 192.9.200.0 255.255.255.0
    access-list test123 extended permit ip host 192.168.200.1 host 192.9.200.190
    access-list test123 extended permit ip host 192.9.200.190 host 192.168.200.1
    access-list test123 extended permit ip object NETWORK_OBJ_192.168.200.0_24 192.9.200.0 255.255.255.0
    access-list test123 extended permit ip 192.9.200.0 255.255.255.0 object NETWORK_OBJ_192.9.200.0_24
    pager lines 24
    mtu management 1500
    mtu outside 1500
    mtu inside 1500
    mtu failover 1500
    ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-66114.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic any interface
    nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
    route outside 0.0.0.0 0.0.0.0 172.32.0.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    subject-name CN=KWI-COL-ASA-01.dr.test.net,O=KWI,C=US
    crl configure
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication crack
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication rsa-sig
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 40
    authentication crack
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 50
    authentication rsa-sig
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 60
    authentication pre-share
    encryption aes-192
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 70
    authentication crack
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 80
    authentication rsa-sig
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 90
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 100
    authentication crack
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 110
    authentication rsa-sig
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 120
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 130
    authentication crack
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 140
    authentication rsa-sig
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 150
    authentication pre-share
    encryption des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 65535
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    telnet 192.9.200.0 255.255.255.0 inside
    telnet timeout 30
    ssh 0.0.0.0 0.0.0.0 management
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 66.35.45.128 255.255.255.192 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 30
    ssh version 2
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy DfltGrpPolicy attributes
    group-policy RAVPN internal
    group-policy RAVPN attributes
    wins-server value 192.9.200.164
    dns-server value 66.35.46.84 66.35.47.12
    vpn-filter value test123
    vpn-tunnel-protocol ikev1
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value test123
    default-domain value dr.kligerweiss.net
    username test password xxxxxxx encrypted
    username admin password aaaaaaaaaaaa encrypted privilege 15
    username vpntest password ddddddddddd encrypted
    tunnel-group RAVPN type remote-access
    tunnel-group RAVPN general-attributes
    address-pool RAVPN
    default-group-policy RAVPN
    tunnel-group RAVPN ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect ip-options
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly 2
      subscribe-to-alert-group configuration periodic monthly 2
      subscribe-to-alert-group telemetry periodic daily
    password encryption aes
    Cryptochecksum:b001e526a239af2c73fa56f3ca7667ea
    : end
    COL-ASA-01#
    Here is some capture done on the inside interface which may help too. I tried pointing the gateway to the inside interface on the target device, but I think this was a switch without ip routing available on it; I believe it is still sending packets back to the Cisco inside interface.
    COL-ASA-01# sho cap test | in 192.168.200
    25: 23:45:55.570618 192.168.200.1 > 192.9.200.190: icmp: echo request
      29: 23:45:56.582794 192.168.200.1.137 > 192.9.200.164.137:  udp 68
      38: 23:45:58.081050 192.168.200.1.137 > 192.9.200.164.137:  udp 68
      56: 23:45:59.583176 192.168.200.1.137 > 192.9.200.164.137:  udp 68
      69: 23:46:00.573517 192.168.200.1 > 192.9.200.190: icmp: echo request
      98: 23:46:05.578110 192.168.200.1 > 192.9.200.190: icmp: echo request
      99: 23:46:05.590057 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    108: 23:46:07.092310 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    115: 23:46:08.592468 192.168.200.1.137 > 192.9.200.164.137:  udp 68
    116: 23:46:10.580795 192.168.200.1 > 192.9.200.190: icmp: echo request
    COL-ASA-01#
    Any help or pointers greatly appreciated. I am doing this config after a long gap on Cisco; last time I was working it was all PIX, so I just need some expert eyes to let me know if I am missing something.
    And yes, I do not have a host in the inside network to test against; all I have is a switch which cannot route, and ip default-gateway is not helping either...

    Hi,
    The first thing you should do to avoid problems is to change the VPN Pool to something else than the current LAN network as they are not really directly connected in the same network segment.
    You could try the following changes
    tunnel-group RAVPN general-attributes
      no address-pool RAVPN
    no ip local pool RAVPN 192.168.200.1-192.168.200.254 mask 255.255.255.0
    ip local pool RAVPN 192.168.201.1-192.168.201.254 mask 255.255.255.0
    tunnel-group RAVPN general-attributes
      address-pool RAVPN
    no nat (any,inside) source static NETWORK_OBJ_192.168.200.0_24 NETWORK_OBJ_192.168.200.0_24 destination static NETWORK_OBJ_192.9.200.0_24 NETWORK_OBJ_192.9.200.0_24
    In the above you first remove the VPN Pool from the "tunnel-group", then remove and recreate the VPN Pool with another network and insert it back into the same "tunnel-group". Next you remove the current NAT configuration.
    object network LAN
    subnet 192.168.200.0 255.255.255.0
    object network VPN-POOL
    subnet 192.168.201.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN destination static VPN-POOL VPN-POOL
    The above NAT configuration adds the correct NAT0 configuration for the changed VPN Pool. It also inserts the NAT rule at the very top, before the Dynamic PAT rule you currently have. It is also one of the problems with the configuration, as it will override your current NAT configurations.
    You currently have your Dynamic PAT rule at the very top of your NAT rules, which is not a good idea. If you wish to change it to something that won't override the other NAT configurations in the future, you can do the following change.
    no nat (inside,outside) source dynamic any interface
    nat (inside,outside) after-auto source dynamic any interface
    NOTICE! Changing the above Dynamic PAT configuration will temporarily terminate all connections for users from the LAN as you reconfigure the Dynamic PAT rule. So if you do this change, make sure that it's OK to cause a small cut in the current connections of internal users.
    Hope this helps
    Let me know if it works for you
    - Jouni
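As an added illustration of the NAT ordering point in the reply above (a dynamic PAT rule at the top of section 1 shadowing the rules below it, fixed by moving it to after-auto) and of the (inside,inside) hairpin rule in the "Access websites hosted on local web server" reply, here is a small Python model of ASA first-match NAT lookup across the three NAT sections. It is constructed for this page and is not ASA or Cisco code; it assumes source-side matching only (a real ASA also matches the reverse direction), and the interface addresses and the 198.51.100.1 / 203.0.113.10 public IPs are placeholders.

```python
"""Toy model of Cisco ASA NAT lookup: first match wins, walking section 1
(manual NAT), section 2 (object/auto NAT) and section 3 (manual after-auto)
in that order, with rules kept in configured order inside each section.
Constructed example, not ASA code; it ignores the reverse-direction matching
a real ASA also performs."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class NatRule:
    name: str
    src_if: str            # real (ingress) interface, or "any"
    dst_if: str            # mapped (egress) interface
    real_src: str          # CIDR network, or "any"
    mapped_src: str        # CIDR (equal to real_src for identity NAT) or "interface" for PAT
    real_dst: str = "any"  # CIDR network, or "any"
    mapped_dst: str = "any"
    section: int = 1       # ASA NAT section the rule lives in


def _contains(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def lookup(rules: List[NatRule], src_if: str, src: str, dst: str) -> Optional[NatRule]:
    """Return the first rule matching the flow in ASA section order, or None."""
    for section in (1, 2, 3):
        for rule in rules:
            if rule.section != section or rule.src_if not in ("any", src_if):
                continue
            if _contains(rule.real_src, src) and _contains(rule.real_dst, dst):
                return rule
    return None


def _static_map(real: str, mapped: str, addr: str) -> str:
    """Static network-to-network translation: keep the host offset."""
    if real == "any" or mapped == "any":
        return addr
    real_net = ip_network(real, strict=False)
    mapped_net = ip_network(mapped, strict=False)
    offset = int(ip_address(addr)) - int(real_net.network_address)
    return str(mapped_net.network_address + offset)


def translate(rules: List[NatRule], iface_ips: Dict[str, str],
              src_if: str, src: str, dst: str) -> Tuple[str, str, str]:
    """Return (matched rule name, translated source, translated destination)."""
    rule = lookup(rules, src_if, src, dst)
    if rule is None:
        return ("no-nat", src, dst)
    if rule.mapped_src == "interface":          # dynamic PAT to the egress interface IP
        new_src = iface_ips[rule.dst_if]
    else:
        new_src = _static_map(rule.real_src, rule.mapped_src, src)
    new_dst = _static_map(rule.real_dst, rule.mapped_dst, dst)
    return (rule.name, new_src, new_dst)


# --- VPN-pool case (reply above).  Constructed values: inside interface IP and
# LAN from the posted config, 192.168.201.0/24 is the proposed new pool, and
# 198.51.100.1 is a documentation-range placeholder for the outside IP.
IFACE_IPS = {"inside": "192.9.200.126", "outside": "198.51.100.1"}
LAN, POOL = "192.9.200.0/24", "192.168.201.0/24"

DYN_PAT = NatRule("dynamic-pat", "inside", "outside", "any", "interface")
NAT0 = NatRule("nat0-vpn", "inside", "outside", LAN, LAN, POOL, POOL)

# Before: dynamic PAT first in section 1 shadows every rule below it.
BEFORE = [DYN_PAT, NAT0]
# After: PAT moved to after-auto (section 3), so the identity rule is reached
# for LAN-to-pool traffic while Internet-bound traffic still gets PAT.
AFTER = [NAT0, NatRule("dynamic-pat", "inside", "outside", "any", "interface", section=3)]


def vpn_case(rules: List[NatRule]) -> Tuple[str, str, str]:
    return translate(rules, IFACE_IPS, "inside", "192.9.200.190", "192.168.201.5")


def internet_case(rules: List[NatRule]) -> Tuple[str, str, str]:
    return translate(rules, IFACE_IPS, "inside", "192.9.200.190", "8.8.8.8")


# --- Hairpin case ("Access websites hosted on local web server" reply):
# nat (inside,inside) source dynamic LAN interface destination static SERVER-PUBLIC SERVER-LOCAL
# 203.0.113.10 is a placeholder for the elided 86.x.x.x public address and the
# inside interface IP is constructed.
HAIRPIN_IFACES = {"inside": "192.168.55.1"}
HAIRPIN = [NatRule("hairpin", "inside", "inside", "192.168.55.0/24", "interface",
                   "203.0.113.10/32", "192.168.55.200/32")]


def hairpin_case() -> Tuple[str, str, str]:
    return translate(HAIRPIN, HAIRPIN_IFACES, "inside", "192.168.55.61", "203.0.113.10")


if __name__ == "__main__":
    print("before: ", vpn_case(BEFORE))   # dynamic PAT shadows the identity rule
    print("after:  ", vpn_case(AFTER))    # identity rule now matches
    print("web:    ", internet_case(AFTER))
    print("hairpin:", hairpin_case())
```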

  • Can 2 vlans have the same subnet?

    I hope the combined genius of the fellow community can answer me this. I am new to Cisco, and I understand VLANs as a physical boundary separating broadcast domains.
    I was wondering if it is possible to divide 1 subnet (192.168.1.0) into two separate VLANs? I have all layer 3 switches in my environment. Making matters worse, there would be no pattern for the IP address assignments into VLAN-A vs. VLAN-B.
    If this is possible, can you please explain the mechanisms for a successful implementation. 

    It mostly depends on if/how you want hosts on them to talk to one another (or to other networks).
    If the answer is "not at all" then you can have as many VLANs as you like using the same subnet.
    If the answer is "completely" then you have to either (a) break your addressing (L3) down to have one set of hosts in subnet A (on VLAN A) and the others in subnet B (on VLAN B), or (b) have some fancy tricks in place with network address translation (NAT).
    I'll leave the latter solution off as beyond the scope of your question.
    For the former, you would just change your subnet mask - for example, if the classful subnet is a "standard" /24 (255.255.255.0) then split it in two - /25 or 255.255.255.128. Assign hosts in one or the other.
    You have to have some pattern - all networking is based on patterns in some way or another.

  • Routing Experts please help with below LAN routing issue with NAT

    Hello Experts,
    I have a weird situation and requirement.
    The existing setup is -
    We have an email/ticketing server hosted in the LAN which is reachable on the publicly NAT'ed IP with the respective port numbers 89 & 443. We have LAN users & servers on the same subnet. The internet is a public DHCP IP assigned by the ISP (/29). We use the Linksys router GUI for NAT settings (attached). We are using the same public IP for the server NAT & the user NAT.
    We tried to refresh our network by separating the subnets for LAN users & servers. We used the Cisco 3845 router to create sub-interfaces in the LAN and configure the respective subnets. Now both the user subnet and the server subnet are connecting to the Internet with the same public IP (static NAT for servers & dynamic for users). We can connect to the server IP from the Internet and it resolves fine. However, the user LAN subnet cannot connect to the server if we try the URL. Users can access the Internet fine.
    Please find attached short diagram and below configuration and please give your inputs to solve this.
    Cisco 3845 router
    access-list 1 permit 10.155.60.0 0.0.0.255
    access-list 2 permit 10.155.61.0 0.0.0.255
    access-list 3 permit 10.155.62.0 0.0.0.255
    ip nat inside source list 1 int g0/0 overload
    ip nat inside source list 2 int g0/0 overload
    ip nat inside source list 3 int g0/0 overload
    int g0/0
    ip add 8.8.8.8 255.255.255.248
    ip nat outside
    no shut
    int g0/1
    description Trunk-to-Switch
    no shut
    int g0/1.60
    description User vlan
    ip add 10.155.60.1 255.255.255.0
    encapsulation dot1q 60
    ip nat inside
    int g0/1.62
    description Server vlan
    ip add 10.155.62.1 255.255.255.0
    encapsulation dot1q 62
    ip nat inside
    exit
    aaa new-model
    aaa authentication login default local
    aaa authentication login vpn_xauth_ml_1 local
    aaa authentication login sslvpn local
    aaa authorization network vpn_group_ml_1 local
    aaa session-id common
    acl 120
    max-users 10
    exit
    !access-list 120 remark ==[Cisco VPN Users]==
    access-list 120 permit ip any host 192.168.0.10
    access-list 120 permit ip any host 192.168.0.11
    access-list 120 permit ip any host 192.168.0.12
    access-list 120 permit ip any host 192.168.0.13
    access-list 120 permit ip any host 192.168.0.14
    access-list 120 permit ip any host 192.168.0.15
    access-list 120 permit ip any host 192.168.0.16
    access-list 120 permit ip any host 192.168.0.17
    access-list 120 permit ip any host 192.168.0.18
    access-list 120 permit ip any host 192.168.0.19
    no access-list 100
    access-list 100 remark [Deny NAT for VPN Clients]=-
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.10
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.11
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.12
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.13
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.14
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.15
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.16
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.17
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.18
    access-list 100 deny ip 192.168.0.0 0.0.0.255 host 192.168.0.19
    access-list 100 remark
    access-list 100 remark -=[Internet NAT Service]=-
    access-list 100 permit ip 192.168.0.0 0.0.0.255 any
    exit
    ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
    ip nat inside source static tcp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static udp 10.155.62.55 88 8.8.8.8 88
    ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static udp 10.155.62.84 3389 8.8.8.8 3389
    ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static udp 10.155.62.98 80 8.8.8.8 80
    ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static udp 10.155.62.98 443 8.8.8.8 443
    ip nat inside source static tcp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static udp 10.155.62.98 25 8.8.8.8 25
    ip nat inside source static tcp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static udp 10.155.62.84 8080 8.8.8.8 89
    ip nat inside source static tcp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static udp 10.155.62.84 9005 8.8.8.8 9005
    ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static udp 10.155.62.84 135 8.8.8.8 135
    ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static udp 10.155.62.84 139 8.8.8.8 139
    ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static udp 10.155.62.84 445 8.8.8.8 445
    ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static udp 10.155.62.84 90 8.8.8.8 465
    ip nat inside source static tcp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static udp 10.155.62.143 3381 8.8.8.8 3381
    ip nat inside source static tcp 10.155.62.46 8081 8.8.8.8 91
    ip nat inside source static udp 10.155.62.46 8081 8.8.8.8 91
    ip http server
    ip http authentication local
    no ip http secure-server
    ip http path flash:/cme-gui-7.1.0.1
    file privilege 0
    telephony-service
    dn-webedit
    time-webedit
    transport input ssh
    line con 0
    line vty 0 15
    login local
    ntp server ntp.first2know.net
    clock timezone gmt 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    ntp update-calendar
    ntp master
    =========================================================================================================================================
    Cisco 3750 Config;
    vlan 60
    name User
    vlan 61
    name Voice
    vlan 62
    name Server
    exit
    interface g1/0/1
    description Trunk-to-Router
    switchport trunk encapsulation dot1q
    switchport mode trunk
    spanning-tree portfast trunk
    interface vlan 60
    description User Vlan
    ip add 10.155.60.2 255.255.255.0
    interface vlan 61
    description Voice Vlan
    ip add 10.155.61.2 255.255.255.0
    interface vlan 62
    description Server Vlan
    ip add 10.155.62.2 255.255.255.0
    service dhcp
    ip dhcp pool Users
    network 10.155.60.0 255.255.255.0
    default-router 10.155.60.1
    dns-server 4.2.2.2
    ip dhcp pool Voice
    network 10.155.61.0 255.255.255.0
    dns-server 4.2.2.2
    exit
    ! excluded-address takes a low and a high address, not a list of addresses
    ip dhcp excluded-address 10.155.60.1 10.155.60.3
    ip dhcp excluded-address 10.155.61.1 10.155.61.2
    ! range syntax is "first - last port number"; a second "switchport access vlan"
    ! line would only overwrite the first, so vlan 61 is attached as the voice vlan
    interface range g1/0/2 - 21
    switchport mode access
    switchport access vlan 60
    switchport voice vlan 61
    exit
    interface range g1/0/22 - 26
    switchport mode access
    switchport access vlan 62
    exit
    Thanks,
    Deepak
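    Once the 8.8.8.8 placeholder in the static NAT block above is replaced by a real public address, that block publishes FTP (21), MS-RPC (135), NetBIOS (139), SMB (445) and RDP (3389) to the Internet, and the router's web management runs over plain HTTP. The script below is an added example, not part of Deepak's post or any Cisco tool: it parses `ip nat inside source static` lines from a constructed excerpt of the posted config and flags those exposures. The risky-port list and the severities are my own choices.

```python
"""Audit a Cisco IOS config for Internet-exposed high-risk services and
plaintext management.  Added example; SAMPLE_CONFIG is a constructed
excerpt modelled on the router config posted above."""
import re
from dataclasses import dataclass

# Constructed sample (8.8.8.8 stands in for the public address, as in the post).
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.155.62.55 21 8.8.8.8 21
ip nat inside source static tcp 10.155.62.84 3389 8.8.8.8 3389
ip nat inside source static tcp 10.155.62.98 80 8.8.8.8 80
ip nat inside source static tcp 10.155.62.98 443 8.8.8.8 443
ip nat inside source static tcp 10.155.62.84 135 8.8.8.8 135
ip nat inside source static tcp 10.155.62.84 139 8.8.8.8 139
ip nat inside source static tcp 10.155.62.84 445 8.8.8.8 445
ip nat inside source static tcp 10.155.62.84 90 8.8.8.8 465
ip http server
ip http authentication local
no ip http secure-server
"""

# Inside ports that should essentially never be reachable from the Internet.
HIGH_RISK = {
    21: "FTP (cleartext credentials)",
    23: "Telnet (cleartext credentials)",
    135: "MS-RPC endpoint mapper",
    139: "NetBIOS session service",
    445: "SMB",
    3389: "RDP",
}

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    where: str      # the translation or command the finding refers to
    reason: str


def parse_static_nat(config):
    """Yield (proto, inside_ip, inside_port, outside_ip, outside_port) per static PAT line."""
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if m:
            proto, iip, iport, oip, oport = m.groups()
            yield proto, iip, int(iport), oip, int(oport)


def audit(config):
    """Return the list of findings for one config text."""
    findings = []
    for proto, iip, iport, oip, oport in parse_static_nat(config):
        where = f"{proto}/{oport} on {oip} -> {iip}:{iport}"
        # Judge by the inside port: that is the service actually exposed,
        # whatever outside port it is remapped to (e.g. 465 -> 90).
        if iport in HIGH_RISK:
            findings.append(Finding("high", where,
                                    HIGH_RISK[iport] + " reachable from the Internet"))
        elif oport != iport:
            findings.append(Finding("info", where,
                                    "port remapped; obscurity, not an access control"))
    lines = {l.strip() for l in config.splitlines()}
    if "ip http server" in lines and "no ip http secure-server" in lines:
        findings.append(Finding("medium", "ip http server",
                                "web management over HTTP only; credentials cross the wire in clear"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.where}: {f.reason}")
```

    Run it against `show running-config` output piped to a file; anything it reports as high should be moved behind a VPN or restricted with an inbound ACL on the outside interface rather than published with a static PAT.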

    One more thing I should clarify: the route I am putting into the 10.10.1.9 server is
    route add 10.1.6.0 mask 255.255.255.0 10.10.1.250, which tells the server to bypass the ASA and go directly to the ISP router (then I can successfully tracert everything). The big question here is how to make the inside ASA connection 10.10.1.1 force all traffic to 10.10.1.250.
    Thanks in advance.

  • GRE tunnel could not be used by the hosts connected to the router

    Hi,
    I am using a Cisco ASR1013 (RP2) and a Mikrotik router for setting up a GRE tunnel for LAN-to-LAN routing over a broadband link. The tunnel works fine (able to ping tunnel end points and also all the connected interfaces on both the Mikrotik and Cisco ASR) but the hosts that are connected directly to the Cisco router interface over a layer 2 Cisco switch are unable to connect to (ping) the hosts or connected interfaces on the Mikrotik side. I am sure it's not a Mikrotik issue as I don't see any traffic coming through the tunnel using the Mikrotik torch utility. There are no ACLs or firewall rules on any of the devices.
    Source and destination of the tunnel are public IP's and are pingable via internet (The tunnel is connected and endpoints are pingable)
    Mikrotik connected interface IP = 192.168.253.1/24
    Mikrotik tunnel end point IP = 192.168.254.1/30
    Cisco tunnel end point IP = 192.168.254.2/30
    Connected cisco subnet to reach Mikrotik = M.N.O.32/28
    Cisco interface IP for LAN = M.N.O.33
    Test host IP on the LAN subnet = M.N.O.34
    The below is my Cisco config
    ASR-1#sh run int tun 1
    Building configuration...
    Current configuration : 144 bytes
    interface Tunnel1
     ip address 192.168.254.2 255.255.255.252
     ip mtu 1400
     tunnel source A.B.C.D
     tunnel destination W.X.Y.Z
    end
    ASR-1#sh run int g0/1/7
    Building configuration...
    Current configuration : 280 bytes
    interface GigabitEthernet0/1/7
     description LAN
     ip address M.N.O.33 255.255.255.240
     ip verify unicast source reachable-via rx
     no negotiation auto
     cdp enable
    end
    ASR-1#sh ip ro 192.168.253.1
    Routing entry for 192.168.253.0/24
      Known via "static", distance 1, metric 0 (connected)
      Routing Descriptor Blocks:
      * directly connected, via Tunnel1
          Route metric is 0, traffic share count is 1
    ASR-1#ping 192.168.253.1 so M.N.O.33
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.253.1, timeout is 2 seconds:
    Packet sent with a source address of M.N.O.33 
    Success rate is 100 percent (5/5), round-trip min/avg/max = 5/5/6 ms
    ASR-1#pi M.N.O.34
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to M.N.O.34, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    If I try to ping 192.168.253.1 (network connected to Mikrotik) from the host M.N.O.34 (the gateway of this host is M.N.O.33 - Int g0/1/7 of the Cisco ASR), I cannot reach the destination - request timed out. Below are the results of trace and ping from the host connected to ASR G1/0/7
    PING TO THE GATEWAY *********
    [root@localhost ~]# ping M.N.O.33
    PING M.N.O.33 (M.N.O.33) 56(84) bytes of data.
    64 bytes from M.N.O.33: icmp_seq=1 ttl=255 time=0.161 ms
    64 bytes from M.N.O.33: icmp_seq=2 ttl=255 time=0.143 ms
    ^C
    --- M.N.O.33 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1357ms
    rtt min/avg/max/mdev = 0.143/0.152/0.161/0.009 ms
    PING TO THE TUNNEL END POINT IN CISCO ASR
    [root@localhost ~]# ping 192.168.254.2
    PING 192.168.254.2 (192.168.254.2) 56(84) bytes of data.
    64 bytes from 192.168.254.2: icmp_seq=1 ttl=255 time=0.141 ms
    64 bytes from 192.168.254.2: icmp_seq=2 ttl=255 time=0.141 ms
    ^C
    --- 192.168.254.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1739ms
    rtt min/avg/max/mdev = 0.141/0.141/0.141/0.000 ms
    PING TO THE TUNNEL ENDPOINT IN MIKROTIK
    [root@localhost ~]# ping 192.168.254.1
    PING 192.168.254.1 (192.168.254.1) 56(84) bytes of data.
    ^C
    --- 192.168.254.1 ping statistics ---
    11 packets transmitted, 0 received, 100% packet loss, time 10413ms
    PING TO THE CONNECTED INTERFACE ON MIKROTIK
    [root@localhost ~]# ping 192.168.253.1
    PING 192.168.253.1 (192.168.253.1) 56(84) bytes of data.
    ^C
    --- 192.168.253.1 ping statistics ---
    4 packets transmitted, 0 received, 100% packet loss, time 3641ms
    TRACE TO THE CONNECTED INTERFACE ON MIKROTIK
    [root@localhost ~]# traceroute 192.168.253.1
    traceroute to 192.168.253.1 (192.168.253.1), 30 hops max, 60 byte packets
     1  M.N.O.33 (M.N.O.33)  0.180 ms  0.156 ms  0.145 ms
     2  * * *
     3  * * *
     4  * * *
     5  * * *
    Please help

    Hi,
    Sorry for the delayed response. Static routes are added at both ends for the connected test interfaces.
    Regards,
    Mahesh 
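    The outputs above show that the ASR itself reaches 192.168.253.1 through Tunnel1 while a host behind it does not, which is the signature of a path that works in one direction only. The script below is an added example, not from the thread or either vendor: it does a longest-prefix-match trace across both routers for the forward packet and for the reply, and applies the strict uRPF check that `ip verify unicast source reachable-via rx` puts on GigabitEthernet0/1/7. The ASR table follows the posted `sh ip ro` and interface config; the poster masked the public LAN as M.N.O.32/28, so 203.0.113.32/28 stands in for it. The Mikrotik table is assumed, and the example only shows how to verify that a return route exists, not that this is the fault in Mahesh's setup.

```python
"""Two-router path trace with a strict-uRPF check: is there a route from an
ASR LAN host to a Mikrotik LAN host through the GRE tunnel in BOTH
directions?  Added example, not from the thread.  203.0.113.32/28 stands
in for the masked M.N.O.32/28; the Mikrotik table is assumed."""
import ipaddress


def net(s):
    return ipaddress.ip_network(s, strict=False)


# Routing tables as (prefix, egress interface); last entry is the default route.
ASR = [
    (net("203.0.113.32/28"), "GigabitEthernet0/1/7"),   # connected LAN, per the post
    (net("192.168.254.0/30"), "Tunnel1"),               # connected tunnel /30
    (net("192.168.253.0/24"), "Tunnel1"),               # static route shown by 'sh ip ro'
    (net("0.0.0.0/0"), "WAN"),
]
# 'ip verify unicast source reachable-via rx' on the LAN interface (from the post).
ASR_URPF_STRICT = {"GigabitEthernet0/1/7"}

MIKROTIK_WITH_RETURN = [                                # assumed
    (net("192.168.253.0/24"), "ether1"),
    (net("192.168.254.0/30"), "gre1"),
    (net("203.0.113.32/28"), "gre1"),                   # return route to the ASR LAN
    (net("0.0.0.0/0"), "WAN"),
]
# Same table without the return route, to show what its absence does.
MIKROTIK_NO_RETURN = [r for r in MIKROTIK_WITH_RETURN if r[0] != net("203.0.113.32/28")]


def lookup(table, ip):
    """Longest-prefix match; returns the egress interface name."""
    ip = ipaddress.ip_address(ip)
    best = max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def one_way(near_name, near, ingress, urpf_ifaces, tunnel_out,
            far_name, far, tunnel_in, src, dst):
    """Carry one packet src->dst: it enters 'near' on 'ingress', must leave through
    tunnel_out, and must be delivered by 'far' onto a connected LAN interface."""
    if ingress in urpf_ifaces and lookup(near, src) != ingress:
        # Strict uRPF: the best route back to the source must point at the ingress interface.
        return f"dropped by strict uRPF on {near_name} {ingress}"
    egress = lookup(near, dst)
    if egress != tunnel_out:
        return f"left {near_name} via {egress}, not the tunnel"
    final = lookup(far, dst)
    if final in (tunnel_in, "WAN"):
        return f"{far_name} has no connected route to {dst} (would use {final})"
    return "delivered"


def trace(src, dst, mikrotik):
    """'ok' only if src (ASR LAN) reaches dst (Mikrotik LAN) and the reply comes
    back through the tunnel; otherwise a string saying where it broke."""
    fwd = one_way("ASR", ASR, "GigabitEthernet0/1/7", ASR_URPF_STRICT, "Tunnel1",
                  "Mikrotik", mikrotik, "gre1", src, dst)
    if fwd != "delivered":
        return "forward: " + fwd
    rev = one_way("Mikrotik", mikrotik, "ether1", set(), "gre1",
                  "ASR", ASR, "Tunnel1", dst, src)
    if rev != "delivered":
        return "reply: " + rev
    return "ok"


if __name__ == "__main__":
    for table, label in ((MIKROTIK_WITH_RETURN, "with return route"),
                         (MIKROTIK_NO_RETURN, "without return route")):
        print(label + ":", trace("203.0.113.34", "192.168.253.1", table))
    print("spoofed source:", trace("10.9.9.9", "192.168.253.1", MIKROTIK_WITH_RETURN))
```

    The spoofed-source case is why strict uRPF is on that interface: a LAN host sending packets with a source outside 203.0.113.32/28 is dropped at the ASR before it can reach the tunnel. The missing-return-route case is the one worth checking on the Mikrotik with its own route print, since the ASR's `sh ip ro` can only prove the forward half.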

  • Cisco ASA and Internal Hosted Website

    I have a Cisco ASA 8.4. I have an internal website for an application that they use both internally and externally (app.domain.com/app is 10.0.0.3). The company that hosts their external website and DNS created a record that points http://app.domain.com/app to their public IP 1.2.3.4. Externally everything works great; I have port forwarding for 80 working. The problem is that when the users bring their laptops into the office they are unable to get to the internally hosted website. I think the firewall is having an issue letting the traffic back in. If I use the internal DNS and create a zone for domain.com with an A record for app.domain.com and point it to 10.0.0.3, the internal address, it works. Of course when they try to access the external website it does not work. So if I create an A record that points to the web host's address, it kind of works... parts of the website don't come up. I really think there is something like a hairpin or U-turn that needs to be done. Oh, by the way, this is my first real experience with an ASA. The Symantec Gateway they had worked great. I looked in the config and there were no hairpin or crazy rules, just the standard port forward for 80. Any ideas? I have tried several suggestions I found on the web, but none have worked.
    Thanks
    Nick

    Hi,
    The main problem with such setup (from the ASAs perspective) is usually that the NAT for the server is configured from certain source interface towards some destination interface.
    You might for example have this configuration
    object network WEB-SERVER
    host 10.0.0.3
    nat (inside,outside) static interface service tcp 80 80
    This would enable connectivity from the behind "outside" interface towards which the translation is configured but not from behind "inside".
    I am not sure how different vendor firewalls handle this situation if you say that you only had the original Static PAT configuration towards the external interface.
    If you wanted to enable connectivity to the public IP address from your LAN you would have to make a NAT towards the "inside" interface from the "inside" interface. And that's not all. You would also have to configure Dynamic PAT for the source hosts on the LAN behind "inside". The reason for this is that the ASA needs to see the whole TCP conversation between the client/server, and since we PAT all the users to the ASA "inside" interface IP address that makes sure that the ASA sees the whole conversation between the hosts.
    So you could try this configuration on the ASA
    object network PUBLIC-IP
    host
    object network WEB-SERVER
    host 10.0.0.3
    object network LAN
    subnet
    nat (inside,inside) 1 source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
    The above configuration would essentially look for connections coming from behind "inside" interface from the source address belonging to LAN to the destination IP address of PUBLIC-IP and proceed to UN-NAT the PUBLIC-IP to WEB-SERVER and PAT the source address to "interface" (inside interface IP address)
    You would also perhaps need to add this command
    same-security-traffic permit intra-interface
    This enables the ASA to pass traffic out through the same interface that the traffic arrived on. So basically do that Hairpin/U-turn
    You can check the current configuration with the command
    show run same-security-traffic
    Do notice that there is a similar command with a different parameter at the end (inter-interface vs. intra-interface). So check that you have the correct one.
    Hope this helps
    Let me know how it goes
    - Jouni
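    Why the answer needs both the destination un-NAT and the source PAT can be seen by walking the TCP handshake through the ASA. The model below is an added illustration, not ASA code and not from the thread: 10.0.0.3 and 1.2.3.4 come from the question, while 10.0.0.1 (the ASA inside interface, assumed to be the LAN default gateway) and 10.0.0.50 (a laptop on the LAN) are assumed. It shows that with only the destination translation the server answers the laptop directly over the LAN, so the ASA never sees the SYN-ACK and the laptop gets an answer from the wrong address.

```python
"""Hairpin (U-turn) NAT on an ASA, reduced to the SYN / SYN-ACK exchange.
Added illustration, not ASA code.  Addresses marked 'assumed' are not
from the thread."""
from dataclasses import dataclass

PUBLIC_IP = "1.2.3.4"     # from the question
WEB_SERVER = "10.0.0.3"   # from the question
ASA_INSIDE = "10.0.0.1"   # assumed: ASA inside interface, the LAN default gateway
CLIENT = "10.0.0.50"      # assumed: a laptop on the LAN
LAN_PREFIX = "10.0.0."    # assumed: the LAN is a /24


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    flags: str  # "SYN" or "SYN-ACK"


def on_lan(ip):
    return ip.startswith(LAN_PREFIX)


class Asa:
    """Just enough of the ASA to show the two hairpin settings interacting."""

    def __init__(self, source_pat, intra_interface):
        # nat (inside,inside) source dynamic LAN interface destination static PUBLIC-IP WEB-SERVER
        self.source_pat = source_pat
        # same-security-traffic permit intra-interface
        self.intra_interface = intra_interface
        # connection table keyed on the (src, dst) the reply will carry
        self.conns = {}

    def forward(self, p):
        """Return the packet the ASA emits back onto inside, or None if it drops it."""
        if p.flags == "SYN" and p.dst == PUBLIC_IP:
            if not self.intra_interface:
                return None  # would have to leave via the interface it arrived on
            src = ASA_INSIDE if self.source_pat else p.src
            out = Pkt(src, WEB_SERVER, "SYN")
            self.conns[(out.dst, out.src)] = (p.src, p.dst)
            return out
        if p.flags == "SYN-ACK" and (p.src, p.dst) in self.conns:
            client, public = self.conns[(p.src, p.dst)]
            return Pkt(public, client, "SYN-ACK")  # undo both translations
        return None  # no connection entry: stateful inspection drops it


def handshake(source_pat, intra_interface):
    """'ok' when the client gets a SYN-ACK from 1.2.3.4; otherwise the failure reason."""
    asa = Asa(source_pat, intra_interface)
    syn = asa.forward(Pkt(CLIENT, PUBLIC_IP, "SYN"))
    if syn is None:
        return "fail: ASA dropped the hairpinned SYN (intra-interface traffic not permitted)"
    # The server answers whatever source address the SYN carried.
    syn_ack = Pkt(WEB_SERVER, syn.src, "SYN-ACK")
    if on_lan(syn_ack.dst) and syn_ack.dst != ASA_INSIDE:
        # Same subnet: the server ARPs for the client and replies over L2.  The ASA
        # never sees the SYN-ACK; the client sent its SYN to 1.2.3.4, gets an
        # answer from 10.0.0.3, and its TCP stack resets it.
        return "fail: server replied straight to the client; ASA never saw the SYN-ACK"
    reply = asa.forward(syn_ack)
    if reply is not None and reply.src == PUBLIC_IP and reply.dst == CLIENT:
        return "ok"
    return "fail: SYN-ACK did not map back to the public IP"


if __name__ == "__main__":
    print("dest NAT only:        ", handshake(source_pat=False, intra_interface=True))
    print("no intra-interface:   ", handshake(source_pat=True, intra_interface=False))
    print("both halves configured:", handshake(source_pat=True, intra_interface=True))
```

    The source PAT costs you the client's real address in the web server's logs, which is the usual reason people prefer the split-DNS approach Nick tried first; if those logs matter, fix the internal DNS zone so that app.domain.com resolves to 10.0.0.3 inside and leave the hairpin out.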

  • How to nat subnets before establishing site to site ipsec vpn tunnel?

    Hello,
    Coming across a requirement which is new to me as I have not done this setup. Details as follows. Hope someone can help.
    Requirement: NAT existing subnets to the 192.168.50.0/24 subnet, which is allowed at another firewall.
    Existing device: Cisco 5510 where I need to do this NAT.
    Existing scenario in short: I have created VLANs on the ASA by creating sub-interfaces.
    Changes done: added a new sub-interface for 192.168.50.0. Added a new object as 192.168.50.0. Now done with creation of the ACL where traffic from 192.168.50.0 to remote subnets is allowed. In the NAT object section, done 1-to-1 NATing, i.e. existing subnet to 192.168.50.0.
    Done IPsec VPN setup including phase 1 & 2.
    Now tried to ping remote hosts but not reachable.
    Please advise how to make it work.
    I don't have any router next to the ASA 5510. The ASA is in routed mode. The next hop from the ASA is the ISP's mux.

    Hello. Please find my answers inline.
    I first got the picture that the NAT network is 192.168.50.0/24 and some other networks should be NATed to this.
    Answer: That's correct.
    Later on it seems that you have configured this to some interface on the ASA?
    Answer: Yes, as I have defined VLANs on the ASA itself, i.e. other subnets too, i.e. the 10.x series & 192.168.222.x series. I used Ethernet 0/0 as the main interface for all LAN networks and have created sub-interfaces, i.e. VLANs, on it, using a 3COM switch below the ASA to terminate those VLANs & distribute to unmanaged switches. Due to port limitations on the ASA I have configured the VLANs on the ASA itself. Ethernet 0/2 is my WAN interface, i.e. the ISP link terminates on the Eth 0/2 port.
    So are you attempting to NAT some other LAN networks to this single NAT network before the traffic heads to the L2L VPN connection on your ASA?
    Answer: Yes, that's right. Attempting to NAT multiple networks to a single NAT network before traffic heads to the L2L VPN connecting from my ASA 5510 to the remote Citrix firewall.
    Can you then mention what are the source networks and source interfaces for these networks? What is the destination network at the remote end of the L2L VPN connection?
    Answer: Source networks = 10.100.x series & 192.168.222.x series / Destination networks are from the 192.168.228.x, 192.168.229.x series. The remote admin wants us to NAT our multiple subnets to a single subnet, i.e. 192.168.50.0, and then traffic from this subnet is allowed at the remote end.
    Do you want to just do a NAT Pool of the 192.168.50.0/24 network for all your Internet users OR does the remote end also have to be able to connect to some of your site's hosts/servers?
    Answer: Yes, just want to NAT LAN subnets to 192.168.50.0/24 for all LAN users. 1-way access. I am going to access remote servers.
    The new thing for me is how to NAT multiple subnets. I have existing IPsec VPNs where I have added multiple subnets, which is the traditional setup for me. This requirement is new to me.
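    The thread asks for two internal networks to be presented as one 192.168.50.0/24 range, and the poster configured this as 1-to-1 object NAT. Static subnet-to-subnet NAT keeps the host bits (10.100.0.7 becomes 192.168.50.7), so two /24 sources translated to the same /24 claim the same translated addresses, and the second object NAT can never be hit consistently. The check below is an added example, not from the thread or Cisco: it computes the static mappings, reports the collisions, and says when a dynamic NAT/PAT pool is required instead. The masks of the "10.100.x" and "192.168.222.x" networks are assumed to be /24.

```python
"""Can several source subnets be static-NATed into one mapped range?
Added example, not from the thread.  NAT_RANGE and the remote design are
from the question; the source masks are assumed."""
import ipaddress

NAT_RANGE = ipaddress.ip_network("192.168.50.0/24")   # from the thread
SOURCES = [                                           # masks assumed
    ipaddress.ip_network("10.100.0.0/24"),
    ipaddress.ip_network("192.168.222.0/24"),
]


def static_map(src_net, nat_net):
    """Static subnet-to-subnet NAT preserves host bits, so it is only defined when
    both networks are the same size.  Returns {real host: translated host}."""
    if src_net.prefixlen != nat_net.prefixlen:
        raise ValueError(f"{src_net} and {nat_net} differ in size; 1:1 static NAT is impossible")
    base = int(nat_net.network_address)
    first = int(src_net.network_address)
    return {str(h): str(ipaddress.ip_address(base + (int(h) - first)))
            for h in src_net.hosts()}


def plan(sources, nat_net):
    """('static', {translated: real}) when every source host gets a unique translated
    address, otherwise ('dynamic-pat', [(translated, first claimant, second claimant)...])
    listing the addresses that two real hosts would both be translated to."""
    claimed = {}
    collisions = []
    for src in sources:
        for real, translated in static_map(src, nat_net).items():
            if translated in claimed:
                collisions.append((translated, claimed[translated], real))
            else:
                claimed[translated] = real
    if collisions:
        return "dynamic-pat", collisions
    return "static", claimed


if __name__ == "__main__":
    kind, detail = plan(SOURCES, NAT_RANGE)
    print(kind)
    if kind == "dynamic-pat":
        print(f"{len(detail)} translated addresses claimed twice, e.g. {detail[0]}")
```

    When `plan` returns `dynamic-pat`, the ASA form is twice NAT with a dynamic source and the remote networks as the static destination, along the lines of `nat (inside,outside) source dynamic INTERNAL-NETS NAT-POOL destination static REMOTE REMOTE` (object names hypothetical), with the crypto ACL for the tunnel matching 192.168.50.0/24 rather than the real subnets. A single /24 source with a /24 pool is the only case where 1-to-1 object NAT does what the poster configured.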

  • Restoring Disk0: when it breaks in 12k XOR routers

    Hi all,
    How to restore the Disk0: contents, like a corrupted boot image, configurations and file system on the disk0:, in 12k routers running with the XOR build?
    1) Are there any options available?
    2) Are there any best practices to deal with the above?
    3) Is it possible that only the primary RP's config/file system got corrupted and the backup RP is fine? Would a switchover then help?
    4) Is there any way to check the health of the config/file system before rolling back things after a power cycle?

    The firmware is up to date on the Cradlepoint CBR400. It's definitely not in the CBR400; I've already pursued that. Even though NAT is required on my end for multiple phones, disabling NAT by setting the CBR400 to IP passthrough mode to allow the phone to pick up the DHCP address from Verizon didn't work either. This works on a SIP softphone (Bria by Counterpath) and a laptop but not directly to a Polycom phone. Very odd scenario... The traffic coming from the Bria app on the laptop probably looks slightly different (no QoS tagging for one) than the traffic directly from the Polycom phone, which leads me to believe Verizon is doing some specialized handling of SIP traffic when they see it (probably SIP ALG of some sort) which is breaking hosted VoIP. For premise-based VoIP it might work, but a hosted VoIP scenario is different. Since the server is in the cloud, if Verizon is manipulating those packet headers before they reach the server (re-writing a real IP with a LAN IP, for example), the hosted server won't know where the traffic came from to be able to communicate back and establish the call (SIP signalling or audio session). This is very common (SIP ALG) in today's routing devices. This is a whole separate scenario to double NAT, which I believe they are also doing. This would explain why the SIP softphone Bria won't work with Verizon 4G LTE behind the NAT of the Cradlepoint CBR400.
    Bottom line is that over the past week I've tested over a dozen scenarios with the 4G LTE and the Cradlepoint CBR400 and determined Verizon is breaking it. AT&T iPhone tether actually shows some promise except that the Cradlepoint CBR400 isn't compatible with it via USB. I'd be very curious to know if a compatible AT&T USB device would suffer from the same issues. In light of my iPhone tether testing I'd have to say no.
