VPN access based on source IP via ACS5.5

Hi All,
I want to allow one VPN user to access the VPN based on his public IP. For example, if the user accesses the VPN from 1.1.1.1, only then should he be able to connect to the VPN.
I created a network authorization profile under access policies as below:
systemuser=vpnuser1
endstationfilter=1.1.1.1
but it does not work: the user is able to connect from any public IP, and when I look into Monitoring and Reports for the logs, it matches a different rule, which is the last rule in the list, whereas the above rule is on top.
Can somebody help?

Hello Jain,
FYI
Security Group Access devices communicate with their peers and learn their SGT values. The Security Exchange Protocol-IP (SXP)-IP Mappings diagnostic tool connects to the device whose IP address you provide and lists the peer devices' IP addresses and SGT values.
You must select one or more of the device's peers. This tool connects to each of the peers that you select and obtains their SGT values to verify that these values are the same as the values that it learned earlier.

Similar Messages

  • VPN Access via LDAP authentication

    Hello everyone,
    I have set up an OS X server to serve as our department's VPN server. I am attempting to configure it to use an existing Linux LDAP server for authentication, so that we don't need to have local accounts on the server. In the Directory Utility I have entered the information to point to our LDAP, and have it configured as RFC 2307 (Unix) for LDAP mappings. Everything in the Directory Utility indicates that it considers the LDAP connection to be valid. In fact, from a terminal I can successfully finger users in LDAP.
    In the Server Admin, I have selected the users that I wish to have VPN access (the LDAP users also show up in this list). However, when I try to connect to it, it fails almost immediately. Here is a snippet of the server's VPN log file (I have changed the IP addresses and hostname in the logfile to "*"):
    2010-05-11 20:37:13 EDT Incoming call... Address given to client = **.***.***.**
    Tue May 11 20:37:14 2010 : Directory Services Authentication plugin initialized
    Tue May 11 20:37:14 2010 : Directory Services Authorization plugin initialized
    Tue May 11 20:37:14 2010 : PPTP incoming call in progress from '**.***.***.**'...
    Tue May 11 20:37:14 2010 : PPTP connection established.
    Tue May 11 20:37:14 2010 : using link 0
    Tue May 11 20:37:14 2010 : Using interface ppp0
    Tue May 11 20:37:14 2010 : Connect: ppp0 <--> socket[34:17]
    Tue May 11 20:37:14 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:14 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : sent [LCP ConfReq id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : rcvd [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : lcp_reqci: returning CONFACK.
    Tue May 11 20:37:17 2010 : sent [LCP ConfAck id=0x1 <asyncmap 0x0> <magic 0x1b8adf3d> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xaef8a1b5> <pcomp> <accomp>]
    Tue May 11 20:37:17 2010 : sent [LCP EchoReq id=0x0 magic=0xaef8a1b5]
    Tue May 11 20:37:17 2010 : sent [CHAP Challenge id=0xc6 <7636b1bad668b175a847d43875397f99>, name = "***.*****.edu"]
    Tue May 11 20:37:17 2010 : rcvd [LCP EchoReq id=0x0 magic=0x1b8adf3d]
    Tue May 11 20:37:17 2010 : sent [LCP EchoRep id=0x0 magic=0xaef8a1b5]
    Tue May 11 20:37:17 2010 : rcvd [LCP EchoRep id=0x0 magic=0x1b8adf3d]
    Tue May 11 20:37:17 2010 : rcvd [CHAP Response id=0xc6 <4a2f0f54d4ce55fe6d1308a8206c4b02000000000000000046f6233c5bb9ea82f6ef2164eb55ed a3355a931a6762101300>, name = "mouck"]
    Tue May 11 20:37:17 2010 : sent [CHAP Failure id=0xc6 "\37777777677:\r\002"]
    Tue May 11 20:37:17 2010 : CHAP peer authentication failed for mouck
    Tue May 11 20:37:17 2010 : sent [LCP TermReq id=0x2 "Authentication failed"]
    Tue May 11 20:37:17 2010 : rcvd [LCP TermReq id=0x2 "Failed to authenticate ourselves to peer"]
    Tue May 11 20:37:17 2010 : sent [LCP TermAck id=0x2]
    Tue May 11 20:37:17 2010 : Connection terminated.
    Tue May 11 20:37:17 2010 : PPTP disconnecting...
    Tue May 11 20:37:17 2010 : PPTP disconnected
    I am unsure why the authentication is not working. In the past, I have tried to configure the Open Directory service to be "Connected to a Directory System" but could never get the service to start. To be honest, I'm not even positive I need to have the Open Directory service running, since the authentication should hopefully be passed to our existing LDAP.
    Any thoughts or suggestions would be greatly appreciated. Thanks very much!

    Hi oleg,
    It's a very common issue and generally happens when you try to connect the VPN client from the same location which has a site-to-site VPN with the device. For example, if you try to connect the VPN client to the ASA and your public IP is 1.1.1.1, and on the same ASA you already have a site-to-site VPN connected with the IP address 1.1.1.1, you will see the following error in the debug:
    "cannot match peerless map when peer found in previous map entry."
    Please check for the same; if that's the case you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc75090
    You need a Cisco CCO id to check the link.
    Thanks
    Jeet Kumar

  • Providing Access based on Client IP Address

    Current Scenario  -
    SAP Portal is accessible directly and via Citrix (VPN).
    Based on the URL alias - we have implemented Desktop Filtering.
    e.g. if the URL ends with /internet - you get restricted roles
    e.g. if the URL ends with /intranet - you get wider roles
    In Production, we also have Netscaler Reverse Proxy and HTTPs settings in place for External (outside firewall) access.
    New Requirement (Example) -
    Based on the IP address of the client, determine which subnet it falls under and based on that -
    If used within Citrix - Provide certain roles
    If not used within Citrix - Restricted access / Redirect to a different URL on the redirect server.
    Questions -
    With the current desktop filtering in place based on URL determination and no specific restriction for inside/outside Citrix access -
    1 - Please suggest which would be a good way to crack this? Inside Portal (IP address determination and SAP Logon modification) / Outside Portal (e.g. Citrix, Network OS Exit, Reverse Proxy etc.) based on best practice?
    2 - Not sure if this is relevant: Find IP address of Client with Web Dynpro (this API works only in Web Dynpro and not PDK)? I believe tweaking the SAP Logon logic can get very painful and overly complicated for such scenarios.
    Thanks for your inputs ~ Dhanz

    Vivek,
    On the coding front -
    1 - Will reading the IP address in the header field x-forwarded-for retrieve the right results if a reverse proxy is in place? Wouldn't it retrieve the proxy / load balancer IP instead of the client IP?
    2 - Also we have HTTPS settings for extranet access - So encrypted data (eg Client IP ) is transferred that the Web Dispatcher cannot manipulate ?
    Please suggest.
    Remember to be polite
    Edited by: Anja Engelhardt on Jan 27, 2012 11:27 AM
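    The question above is exactly where X-Forwarded-For handling goes wrong: the address the portal sees is the proxy, and the header itself is client-supplied. The following is an added example, not code from the thread or from SAP, showing how to recover the client address by walking the header from the right through a list of proxies you operate, so that a client cannot forge an internal address to obtain the wider role set. The proxy addresses 10.0.0.5/10.0.0.6, the internal subnet and the role names are constructed placeholders.

```python
"""Added example (not from the thread): client IP behind a reverse proxy for a
subnet-based role decision.

Constructed assumptions: the reverse proxy and load balancer are 10.0.0.5 and
10.0.0.6 and each appends the address it accepted the connection from to
X-Forwarded-For. Role names and the internal subnet are placeholders.
"""
import ipaddress
from typing import Optional

# Hops we operate. Only addresses appended by these are trusted. Constructed.
TRUSTED_PROXIES = {
    ipaddress.ip_address("10.0.0.5"),  # reverse proxy
    ipaddress.ip_address("10.0.0.6"),  # load balancer in front of the portal
}
# Subnet that should receive the wider ("intranet") role set. Constructed.
INTERNAL_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]


def client_ip(remote_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Walk X-Forwarded-For from the right, one trusted hop at a time.

    remote_addr is the TCP peer the application actually sees. If it is one of
    our proxies, the rightmost XFF entry is that proxy's own peer; keep
    stepping left while the current hop is ours. The first hop that is not one
    of our proxies is the client. Entries further left were supplied by the
    client (or by a proxy we do not control) and are ignored, so a client
    cannot inject 192.168.10.x to obtain intranet roles.

    Returns None if one of our proxies appended something unparseable.
    """
    current = ipaddress.ip_address(remote_addr)
    entries = [p.strip() for p in xff_header.split(",")] if xff_header else []
    for entry in reversed(entries):
        if current not in TRUSTED_PROXIES:
            break  # this hop is not ours; stop believing the chain here
        try:
            current = ipaddress.ip_address(entry)
        except ValueError:
            return None  # malformed hop behind our own proxy: undeterminable
    return str(current)


def role_for(remote_addr: str, xff_header: Optional[str]) -> str:
    """Map the derived client address to a role set; fail closed to 'internet'."""
    ip = client_ip(remote_addr, xff_header)
    if ip is None:
        return "internet"
    addr = ipaddress.ip_address(ip)
    return "intranet" if any(addr in net for net in INTERNAL_SUBNETS) else "internet"


# Constructed requests: (TCP peer seen by the portal, X-Forwarded-For header).
SAMPLE_REQUESTS = {
    # No XFF at all: the peer address is the load balancer itself, which is
    # the effect the poster asks about.
    "no_xff": ("10.0.0.6", None),
    # Internal client through proxy and load balancer.
    "internal": ("10.0.0.6", "192.168.10.77, 10.0.0.5"),
    # External client that forged an internal address into XFF before the proxy.
    "spoofed": ("10.0.0.6", "192.168.10.77, 203.0.113.9, 10.0.0.5"),
    # Client connecting directly, bypassing the proxies; its XFF is ignored.
    "direct": ("203.0.113.9", "192.168.10.77"),
}


def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Return {name: (client address, role)} for each sample request."""
    return {name: (client_ip(*req), role_for(*req)) for name, req in requests.items()}


if __name__ == "__main__":
    for name, (ip, role) in evaluate().items():
        print(f"{name:>9}: client={ip} role={role}")
```

    On the HTTPS point in the same post: TLS is terminated at the proxy, so the proxy sees the plaintext request and can append the header; the portal only needs to trust headers added by hops it knows.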

  • VPN access to a Watchguard firewall using Radius credentials

    Good morning, I have an iPod Touch 4G that I would like to use to connect to our Watchguard firewall using the built-in VPN client and PPTP.
    I am the person onsite that manages the Watchguard firewall(s) (x553 with 10.2.12 firmware), which are set up for PPTP VPN access using Windows Radius servers. The users use their Active Directory credentials to make the VPN connections.
    I have several Macs at home, including an iMac and Mac mini, and both of them can easily make VPN connections to the Watchguard firewall using PPTP VPN access with Radius credentials.
    The setup I have been trying on the iPod Touch 4G is using the DNS name for the firewall (published in Network Solutions DNS). I have also tried the outside address of each firewall. For the account, since we are using a Radius connection into Active Directory, I put my login in the format domain\username. RSA SecurID is On, the Encryption level is set to Auto and Send all traffic is off.
    In my testing so far, the iPod Touch starts the connection, starts authenticating to Radius and fails. If I turn off RSA SecurID, no authentication is attempted, so it looks like this needs to stay turned on. It doesn't seem to matter if Send all traffic is off or on. Having it off is preferable as I don't want to send all Internet traffic through the firewall when connected via VPN.
    So, I basically duplicated the setup of the VPN on the iPod Touch based on my setup that's working on the Mac mini and iMacs at home. But VPN on the iPod Touch 4G with the latest version of iOS is not working.
    Does anyone have this kind of configuration working on the iPod Touch 4G or know if this is a shortcoming of this version of the iPod or iOS?
    Thanks,
    Leo

    I fixed my VPN connection on the iPod Touch. This is what works for Radius login to a Watchguard firewall:
    Server (DNS name or IP address).
    Account domainname\username
    RSA SecurID off
    Encryption level Auto
    Send All Traffic off.
    Leo

  • ACE load balance based on Source IP Address

    Hi Cisco Support,
    I have a question related to Cisco ACE behavior in terms of taking a decision based on source address.
    I currently have two servers sitting behind ACE as part of one server farm; these servers are load balanced via one VIP on the ACE module and everything looks fine.
    Now service owners want to replace these old servers with new hardware, hence before the migration we need to make sure these new servers are working to the required standard, hence we need to create a testing scenario for the new servers along with the old servers. The problem is that a number of third-party partners are accessing the existing servers by hitting the VIP on ACE and we can't engage all our partners to participate in this test, therefore we decided to engage only one partner to carry out this test with us.
    For that reason, can we somehow configure the ACE so that when a packet arrives on ACE from the one test partner mentioned above, ACE sends only that partner's traffic, based on its source address (defined via class/policy map on ACE if possible), towards the new servers in the existing server farm and not to the old servers in the same server farm?
    Thanks for your support

    Hi,
    Just to give a config sample that might help you get this done.
    First create the new rservers and include them under a new serverfarm (New-APP).
    serverfarm host Webfarm
      rserver SVR1
        inservice
      rserver SVR2
        inservice
    serverfarm host New-APP
      rserver New-1
        inservice
      rserver New-2
        inservice
    - Same VIP already working.
    class-map match-all VIP-HTTP
      2 match virtual-address 10.10.10.10 tcp eq www
    - Create a new class that will include your partner's IP(s).
    class-map type http loadbalance match-any 3rd-Party
      2 match source-address 200.200.200.1 255.255.255.255 
      3 match source-address 200.200.200.10 255.255.255.255 
    Modify your current first-match policy to put the new class on top, so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new APP; any other traffic that does not match the "rule" will be sent to the old serverfarm with the old app.
    policy-map type loadbalance first-match L7-SLB
      class 3rd-Party
        serverfarm New-APP
      class class-default
        serverfarm Webfarm
    Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
    HTH
    Pablo
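    Rule order is the whole point of Pablo's answer: the 3rd-Party class must sit above class-default or it never fires. The following is an added example, not Cisco's or the thread's code, that models the first-match evaluation of the policy above in Python and flags classes that are unreachable because a catch-all precedes them. Addresses and names are taken from the sample config; the request list is constructed. As a generalisation beyond the thread, it also converts IOS ACL wildcard masks (the `0.0.0.255` form used in the bandwidth-limit thread below) to the netmask form ACE expects, since mixing the two is a common mistake.

```python
"""Added example (not from Cisco or the thread): a model of the ACE first-match
load-balance policy. Addresses from Pablo's sample; requests constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def wildcard_to_netmask(wildcard: str) -> str:
    """Convert an IOS ACL wildcard (0.0.0.255) to a netmask (255.255.255.0).

    ACE 'match source-address' takes a netmask; IOS 'access-list' takes a
    wildcard. Pasting one into the other silently matches the wrong hosts.
    """
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))


@dataclass
class ClassMap:
    """class-map type http loadbalance match-any: one matching entry suffices."""
    name: str
    entries: List[Tuple[str, str]] = field(default_factory=list)  # (address, netmask)

    def matches(self, src: str) -> bool:
        addr = ipaddress.IPv4Address(src)
        return any(
            addr in ipaddress.IPv4Network((ip, mask), strict=False)
            for ip, mask in self.entries
        )


@dataclass
class PolicyMap:
    """policy-map type loadbalance first-match: top-down, first hit wins.

    A rule whose class is None stands for class-default (matches everything).
    """
    rules: List[Tuple[Optional[ClassMap], str]]

    def select_serverfarm(self, src: str) -> Optional[str]:
        for cmap, farm in self.rules:
            if cmap is None or cmap.matches(src):
                return farm
        return None  # no class-default configured: nothing selected

    def shadowed_classes(self) -> List[str]:
        """Classes that can never be hit because class-default sits above them.

        When a specific rule 'never matches' in the logs and a catch-all takes
        every request, the order of the rules is the first thing to check.
        """
        shadowed, seen_default = [], False
        for cmap, _ in self.rules:
            if cmap is None:
                seen_default = True
            elif seen_default:
                shadowed.append(cmap.name)
        return shadowed


# Pablo's configuration, transcribed into the model.
THIRD_PARTY = ClassMap("3rd-Party", [
    ("200.200.200.1", "255.255.255.255"),
    ("200.200.200.10", "255.255.255.255"),
])
L7_SLB = PolicyMap([(THIRD_PARTY, "New-APP"), (None, "Webfarm")])

# Constructed requests: the two partner hosts, a neighbour in the same /24
# that is NOT listed, and an unrelated client.
SAMPLE_SOURCES = ["200.200.200.1", "200.200.200.10", "200.200.200.2", "198.51.100.7"]


def route_all(policy: PolicyMap, sources: List[str]) -> Dict[str, Optional[str]]:
    """Return {source address: selected serverfarm} for each source."""
    return {src: policy.select_serverfarm(src) for src in sources}


if __name__ == "__main__":
    for src, farm in route_all(L7_SLB, SAMPLE_SOURCES).items():
        print(f"{src:>16} -> {farm}")
    # Same classes with class-default listed first: 3rd-Party never matches.
    misordered = PolicyMap([(None, "Webfarm"), (THIRD_PARTY, "New-APP")])
    print("shadowed:", misordered.shadowed_classes())
```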

  • Accessing Command 'Analyze Source Files' via Command Line when running TestStand Deployment Utility

    Our Software Configuration Manager is running the TestStand Command Line Deployment Build Tool (Ref: https://decibel.ni.com/content/docs/DOC-38947).
    When he builds the application, the code will not be at the same location it was in development.
    If you are manually running the TestStand Deployment Utility, this is not a problem because everything is relative in the workspace. Simply go to the Distributed Files tab (of the TestStand Deployment Utility) and hit the "Analyze Source Files" button. This finds the required files and apparently creates an updated hard path to be used during the build (probably in the *.tsd).
    PROBLEM: We auto-run the Command Line Deployment Build Tool (command line), and we do not have access to the 'Analyze Source Files' command.
    As a result, our build consists of many warnings and the output is missing many files (the location of the files has not been updated).
    If we could access the 'Analyze Source Files' command via command line, that would fix the issue.
    FYI:  We use an automatic builder called Quick Build as our builder.
    Attachments:
    TestStand Deployment Utility-Distributed Files Tab.PNG 76 KB

    Unfortunately, it looks like Analyze Source Files does not have a command-line equivalent, based on this article and the attached PDF:
    https://decibel.ni.com/content/docs/DOC-38947
    That may be a good post for the TestStand Idea Exchange for consideration in future versions of TestStand.
    Michael K.

  • Excel, PowerView error in SharePoint 2013: "An error occurred while loading the model for the item or data source 'EntityDataSource'. Verify that the connection information is correct and that you have permissions to access the data source."

    I've installed SQL Server 2012 SP1 + SP server 2012 + SSRS and PowerPivot add-in.
    I also configured Excel Services correctly. Everything works fine but PowerView doesn't work!
    When I open an Excel workbook consisting of a PowerView report, an error occurs: "An error occurred while loading the model for the item or data source 'EntityDataSource'. Verify that the connection information is correct and that you have permissions to access the data source."
    error detail: 
    <detail><ErrorCode xmlns="http://www.microsoft.com/sql/reportingservices">rsCannotRetrieveModel</ErrorCode><HttpStatus xmlns="http://www.microsoft.com/sql/reportingservices">400</HttpStatus><Message xmlns="http://www.microsoft.com/sql/reportingservices">An
    error occurred while loading the model for the item or data source 'EntityDataSource'. Verify that the connection information is correct and that you have permissions to access the data source.</Message><HelpLink xmlns="http://www.microsoft.com/sql/reportingservices">http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsCannotRetrieveModel&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3128.0</HelpLink><ProductName
    xmlns="http://www.microsoft.com/sql/reportingservices">Microsoft SQL Server Reporting Services</ProductName><ProductVersion xmlns="http://www.microsoft.com/sql/reportingservices">11.0.3128.0</ProductVersion><ProductLocaleId
    xmlns="http://www.microsoft.com/sql/reportingservices">127</ProductLocaleId><OperatingSystem xmlns="http://www.microsoft.com/sql/reportingservices">OsIndependent</OperatingSystem><CountryLocaleId xmlns="http://www.microsoft.com/sql/reportingservices">1033</CountryLocaleId><MoreInformation
    xmlns="http://www.microsoft.com/sql/reportingservices"><Source>ReportingServicesLibrary</Source><Message msrs:ErrorCode="rsCannotRetrieveModel" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsCannotRetrieveModel&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3128.0"
    xmlns:msrs="http://www.microsoft.com/sql/reportingservices">An error occurred while loading the model for the item or data source 'EntityDataSource'. Verify that the connection information is correct and that you have permissions to access the
    data source.</Message><MoreInformation><Source>Microsoft.ReportingServices.ProcessingCore</Source><Message msrs:ErrorCode="rsErrorOpeningConnection" msrs:HelpLink="http://go.microsoft.com/fwlink/?LinkId=20476&amp;EvtSrc=Microsoft.ReportingServices.Diagnostics.Utilities.ErrorStrings&amp;EvtID=rsErrorOpeningConnection&amp;ProdName=Microsoft%20SQL%20Server%20Reporting%20Services&amp;ProdVer=11.0.3128.0"
    xmlns:msrs="http://www.microsoft.com/sql/reportingservices">Cannot create a connection to data source 'EntityDataSource'.</Message><MoreInformation><Source></Source><Message>For more information about this error navigate
    to the report server on the local server machine, or enable remote errors</Message></MoreInformation></MoreInformation></MoreInformation><Warnings xmlns="http://www.microsoft.com/sql/reportingservices" /></detail>
    Please help me to solve this issue. I don't know if uploading the Excel workbook is enough or whether it needs to connect to another data source.
    I appreciate it in advance.

    Hi Ali.y,
    Based on the current error message, the error can be related to the Claims to Windows Token Service (C2WTS) and is an expected error under certain conditions. To verify the issue, please check the aspects below:
    1. The C2WTS Windows service and C2WTS SharePoint service are both running.
    2. Check that the SQL Server Browser service is running on the machine that has the PowerPivot instance of SSAS.
    3. Check the domain. You're signing into SharePoint with a user account in some domain (call it Domain A). Domain A must be equal to Domain B, in which the SharePoint server itself is located (they're the same domain), or Domain A must trust Domain B.
    In addition, the error may be caused by a Kerberos authentication issue due to a missing SPN. In order to make Kerberos authentication work, you need to configure Analysis Services to run under a domain account and register the SPNs for the Analysis Services server.
    To create the SPN for the Analysis Services server that is running under a domain account, run the following commands at a command prompt:
    • Setspn.exe -S MSOLAPSvc.3/Fully_Qualified_domainName OLAP_Service_Startup_Account
    Note: Fully_Qualified_domainName is a placeholder for the FQDN.
    • Setspn.exe -S MSOLAPSvc.3/serverHostName OLAP_Service_Startup_Account
    For more information, please see:
    How to configure SQL Reporting Services 2012 in SharePoint Server 2010 / 2013 for Kerberos authentication
    Regards,
    Heidi Duan
    TechNet Community Support

  • Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access

    Hi there,
    I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
    Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and connect I get the following message: "couldn't connect - We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
    Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message: "Connection error - We couldn't connect to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no RD Server settings in the Remote Desktop app on the Windows Phone, and the only way I'm able to connect to my PC at work is via Remote Desktop (not to be confused with the one by Microsoft); however, the app is on a trial basis and times out every 5 minutes and can only be used once every hour unless I purchase the app for £2.99 off the App Store, but I would ideally like to use the Microsoft Remote Desktop app.
    Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message: "There is a problem with this Web page. Please contact the person who manages the server" I can connect with other devices using Remote Web Access. Also, how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless of being onsite or offsite and on my iPhone; the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
    VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
    Many thanks,
    RocknRollTim

    Any help would be much appreciated.
    Kind regards,
    RocknRollTim

  • Access Based Enumeration on CAD /Design Files 2008 R2

    Hi,
    I'm currently having some issues with our Windows Server 2008 R2 File Cluster, where the System Process is chugging along @ 80-95% CPU, which I personally find strange. After 2-3 hours of this type of resource utilization, we experience a failover to our passive node. After a few hours of user connectivity and build it the same thing happens again.
    Using Process Explorer I have been able to identify the srv2.sys driver having massive amounts of threads being created, with several running at 10-15%+ CPU utilization per thread. The srv2.sys driver is for SMBv2 connectivity, from my research and troubleshooting of these issues.
    I have had a ticket opened with MS Premier Support and I have completed installing all of the latest srv2.sys file updates to the latest version for 2008 R2, but we still seem to be having the issues, although intermittently. One of these fixes was in relation to enabling Access Based Enumeration to a certain level within your file system/structure (http://support.microsoft.com/kb/2732618/en-us).
    The other hotfix installed is
    http://support.microsoft.com/kb/2831154/en-us
    We have users who run multiple image and CAD applications (Adobe InDesign, AutoCAD, MicroStation, Revit etc.) across our network drives, as well as what I would call "standard" file server access (Word docs, spreadsheets, PDFs, PowerPoint presentations etc.).
    We have ABE enabled across all volumes.
    At the moment, I am praying for the server to again reach 100% CPU capacity due to the System Process using these resources.
    What I was wanting to ask is: are there any known issues with using Access Based Enumeration of drives for users/applications that use these InDesign/AutoCAD-like applications?
    The reason I ask this is that when we experience this issue I notice more activity on our volumes that host these CAD/Design files, compared to when we experience a period of stability on the system.
    I have read in a few articles regarding MicroStation that if it is a specific version, you should disable SMBv2 via the registry to revert to SMBv1 for better use/stability. I am going down the path of disabling SMB2 for all users who use these CAD applications to see if this assists in resolving the issue, but I'm trying to explore all other options/potential issues to better configure our File Cluster.
    Looking for guidance on troubleshooting this issue further.
    Thanks in advance.

    Hi,
    After the hotfix is installed, did you create a new registry entry? If not, please follow the steps below to create a new registry entry:
    1. Open Registry Editor. To do this, click Start, type regedit in the Start Search box, and then press Enter. 
    2. Locate and then click the following registry subkey: 
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\
    3. On the Edit menu, point to New, and then click DWORD (32 bit) Value. 
    4. Type ABELevel, and then press Enter. 
    5. On the Edit menu, click Modify. 
    6. In the Value data box, type a number according to the level that ABE is enabled on the shared folder, and then click OK. 
    7. Exit Registry Editor.
    Note: The ABELevel value specifies the maximum level of the folders on which the ABE feature is enabled. For example, if you enable ABE on \\Server\share, you must set the ABELevel value to 1. If you enable ABE on \\Server\share\share, you must set the ABELevel value to 2. If the ABELevel value is not set or has a value of 0, then this hotfix is not enabled.
    The value of the above mentioned key is set as follows:
    Value = 0: ABE is enabled for all levels (default behavior without the key as well)
    Value = 1: ABE enabled for depth of 1 (\\server\share)
    Value = 2: ABE enabled for depth of 2 (\\server\share\folder)
    And so on for multiple levels.
    Please configure this registry key with the value that’s most suitable for your environment.
    Regards,

  • SMB Share with Access Based Enumeration & Mac OSX 10.8/10.9

    Hello,
    I've been working on a bit of a problem related to some SMB shares on Windows Server 2012 with Access Based Enumeration and Mac OS X 10.8 & 10.9.
    Basically, we have one network share that mounts for all of our students & faculty on campus. Then, based on which security group the user is in in Active Directory, they gain access and visibility to different folders. (Basically, if they are members of the graphic design department, they get access to the Graphic Design folder.) All of that is working fine, no problems. From there we have 3 folders that branch off. We have a Distribution, an Open, and a Dropbox folder.
    Distribution is set up as a spot for instructors to have full access and students read access. They're able to drop files into this location to distribute them to their students. This folder is working fine, no problems.
    Open is set up with everyone having read/write access across the board. This folder is set up for students to share data with each other, work on projects, etc. This folder is working as intended, no problems.
    Dropbox is the only folder we're having trouble with; I'm assuming because its settings are the most complex out of the three. The purpose of the drop box is for students to have read/write control over their own content, but not others', and instructors to have read/write over this entire folder.
    Now that I've laid out our setup, the problem we've encountered is ONLY occurring inside of the Dropbox folder. When I try to drag/drop OR copy/paste from another location on the computer into the Dropbox folder, I get a permission error. HOWEVER, if I have a file open and I click "save as", browse to the Dropbox folder, I can save the file into that location without any trouble. Also, on our Windows computers, with the same exact users, drag/drop & copy/paste work normally.
    Things I've Tried:
    Disabling the .DS_Store - I figured in the drop box, the .DS_Store would be created by the first user who copied a file in, then subsequent users would not have access to the .DS_Store.
    CIFS/SMB1 - I've read that SMB2 can cause some trouble while connecting to SMB shares, so I tried both connecting via CIFS and also forcing back to SMB1, with no fix.
    Am I missing something with this? I've read a lot about people having trouble connecting to SMB shares, but for us it had not been a problem up until this point. Does anyone know what a possible fix might be for this? I'm sifting through internet searches right now, trying to find a solution; however, MOST of the responses I see are regarding the two things I've already tried.
    Any suggestions would be greatly appreciated.
    Thanks!

    Hi everybody,
    I really need some help, so here is a little up!
    Thanks!

  • Access Dev Studio J2EE engine via SapRouter?

    I have a group of developers in another country who wish to use the J2EE engine on our local EP6 machine. They can presently access the R3 Dev system via SAProuter, but the question is: can we configure the J2EE engine in the Developer Workplace to see the message server on the EP6 machine?
    The path to the setting is Preferences > SAP J2EE Engine
    For example, can we enter something like:
    H/<localsaprouter>/H/<our saprouter>/H/<EP6 ip address>
    Message was edited by: Graham Slater

    Hi,
    As far as I know,
    we need SAP Logon (a higher version is preferable but not necessary) for such a kind of connection. For the SAP Logon connection you need the application server name, system ID, username and password as described below.
    You also need some sort of VPN connection.
    Following are the inputs required for creating a connection from the SAP Logon Pad.
    1. Application Server = IP address or host name of the SAP server you want to connect to.
    2. SAP Router String = if you are connecting via a firewall across VPN.
    3. System ID = <SID>, e.g., DEV, PRD...
    4. System Number = <00>, e.g., 00, 01 .. 99
    5. Select radio button R/3
    6. Give some description under that field.
    Before doing the above, please try to PING the server at Location A from your machine (it should be replying).
    I don't think NWDS has this facility of using SAP Router for remote R/3.
    Let me know whether this helps. Also reward if so.

  • OSX 10.8 and SMB Shares with Access Based Enumeration.


    Just thought I'd post this in case it helps someone. This could be the same problem we have (had) here so try this:
    When it asks for name and password put this in the name field: sharename\name
    So if the share is called "WWW" and your login name is "Bob" you'd put "www\Bob" in the name field and then normal password in the password field.
    Works perfectly for us. I can't remember when it started, 10.7 or 10.8, but this was the only solution. Hope it helps someone else!

  • Bandwidth Limit based on Source IP?

    Hi
    I am trying to think of a way to apply a bandwidth limit based upon Source IP subnet.
    I need to have the ability to limit both the outbound and inbound traffic.
    So I created the following config:
    policy-map bw-limit-inbound
     class bw-limit-class
      police 10000
    class-map match-any bw-limit-class
     match access-group 150
    access-list 150 permit ip 172.16.99.0 0.0.0.255 any
    If I apply the Service Policy inbound, it does police the upload to 100Kbps.
    If I apply it outbound, it does nothing to the download.
    Any reason for this?
    I am applying this to an SVI
    Thanks

    Hi Guys
    Just to update this thread, I figured out where I was going wrong!
    As mentioned by Mikael, the ACL only shows traffic one way, hence why it was not applying the service policy to the download.
    I have three subnets I want to Police both outbound and inbound so I started with Three ACLs:
    access-list 197 permit ip 172.16.97.0 0.0.0.255 any
    access-list 197 permit ip any 172.16.97.0 0.0.0.255
    access-list 198 permit ip 172.16.98.0 0.0.0.255 any
    access-list 198 permit ip any 172.16.98.0 0.0.0.255
    access-list 199 permit ip 172.16.99.0 0.0.0.255 any
    access-list 199 permit ip any 172.16.99.0 0.0.0.255
    I then created the relevant class maps:
    class-map match-all vlan998-download
     match access-group 198
    class-map match-all vlan999-download
     match access-group 199
    class-map match-all vlan997-download
     match access-group 197
    class-map match-all vlan998-upload
     match access-group 198
    class-map match-all vlan999-upload
     match access-group 199
    class-map match-all vlan997-upload
     match access-group 197
    Then the service policies:
    policy-map download-limit
     class vlan997-download
      police 2000000
     class vlan998-download
      police 3000000
     class vlan999-download
      police 4000000
    policy-map upload-limit
     class vlan997-upload
      police 200000
     class vlan998-upload
      police 300000
     class vlan999-upload
      police 400000
    Then finally applied those to the relevant SVI:
    interface Vlan102
     ip vrf forwarding WAN2
     ip address 10.20.2.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     service-policy output download-limit
     service-policy input upload-limit
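    The follow-up above turns on a detail that is easy to miss: a `permit ip 172.16.99.0 0.0.0.255 any` entry only matches packets whose source is in that subnet, so it classifies the upload (input on the SVI) and never the download (output, where the subnet is the destination). As an added example, not code from the thread or from Cisco, the Python below models Cisco wildcard-mask matching for the `access-list N permit ip SRC WC DST WC` form and runs the one-way ACL 150 and the two-way ACL 199 from the posts against constructed sample packets (the 203.0.113.5 peer address is made up).

```python
from ipaddress import IPv4Address

# Added example: a minimal matcher for the 'access-list N permit ip SRC WC DST WC'
# entries used in this thread. It is not IOS code; it only models wildcard-mask
# matching so the direction problem from the thread can be seen on sample packets.

ANY = (0, 0xFFFFFFFF)  # 'any' = network 0.0.0.0 with an all-ones wildcard


def _take_address(fields):
    """Consume 'any' or 'A.B.C.D W.X.Y.Z' from the front of the field list."""
    if fields[0] == "any":
        return ANY, fields[1:]
    network = int(IPv4Address(fields[0]))
    wildcard = int(IPv4Address(fields[1]))
    return (network, wildcard), fields[2:]


def parse_ace(line):
    """Return (acl_number, src_spec, dst_spec) for one 'permit ip' entry."""
    parts = line.split()
    if parts[:1] != ["access-list"] or parts[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported entry: {line!r}")
    src, rest = _take_address(parts[4:])
    dst, rest = _take_address(rest)
    if rest:
        raise ValueError(f"trailing fields in: {line!r}")
    return int(parts[1]), src, dst


def wildcard_match(spec, ip):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    network, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (network & care)


def acl_permits(acl, src, dst):
    """First-match evaluation of a permit-only ACL; no match is the implicit deny."""
    for line in acl:
        _, src_spec, dst_spec = parse_ace(line)
        if wildcard_match(src_spec, src) and wildcard_match(dst_spec, dst):
            return True
    return False


# The one-way ACL from the question and the two-way ACL from the follow-up.
ACL_150 = ["access-list 150 permit ip 172.16.99.0 0.0.0.255 any"]
ACL_199 = [
    "access-list 199 permit ip 172.16.99.0 0.0.0.255 any",
    "access-list 199 permit ip any 172.16.99.0 0.0.0.255",
]

# Constructed sample packets. On the SVI the host's upload is seen as input
# (src = host) and its download as output (src = remote peer, dst = host).
UPLOAD = ("172.16.99.10", "203.0.113.5")
DOWNLOAD = ("203.0.113.5", "172.16.99.10")


def classify(acl, flow):
    """True when the class-map bound to this ACL would catch the packet."""
    return acl_permits(acl, *flow)


if __name__ == "__main__":
    for name, acl in (("ACL 150", ACL_150), ("ACL 199", ACL_199)):
        print(name, "upload:", classify(acl, UPLOAD), "download:", classify(acl, DOWNLOAD))
```

    Running it shows ACL 150 matching only the upload while ACL 199 matches both directions, which is exactly why the original `service-policy output` did nothing. Note that the thread's ACLs 197, 198 and 199 each match both directions, so the same ACL can back both the upload and the download class-maps; what separates the two policers is the direction the service-policy is attached in, not the ACL.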

  • Tiger Server firewall issues - forwarding protocol 47 (GRE) for VPN access

    Hi everybody,
    I'm trying to allow VPN access to my Mac Pro running 10.4.10 Server. I've allowed the TCP and UDP ports, but the sticking point is this: the client tries to connect but I get a bunch of these in the firewall log:
    Deny P:47 xxx.xxx.xxx.xxx(address initiating VPN) 10.0.100.222(MacPro local address) in via en0
    After doing some research I figured I needed to allow protocol 47 (GRE) and so tried to add a rule via the "Advanced" tab for firewalls in server manager. I click the + button, select allow, leave the other field, select GRE, and then select from:any and to:any and the in dropdown. When I try to save and activate the rule, however, it complains that there is an error and that all subsequent rules are skipped. I've tried all the possible variations (within my parameters, of course) but it won't work.
    Manually inspecting the /etc/ipfw file shows the rule added but without a specification for the GRE or protocol 47 part. i.e.:
    add 1050 allow from any to any in
    (This looks a little like a server manager bug to me, but I digress)
    So I tried manually editing the file in /etc/ipfilter but no joy.
    Being somewhat new to OS X I am getting flustered. Am I completely misunderstanding something here? While a search on "VPN GRE firewall" turns up about a million hits, none seem applicable to my situation. Thanks in advance.

    Try using the "Services" tab, selecting "any" (for example) and configuring the rule there.
    The "Advanced" section will allow you to add rules that don't already exist, but there is already a rule for GRE, so that might possibly have something to do with the error you're getting.

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below are the configurations on our ASA.
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    ... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!
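    The syslog quoted above names the two interfaces involved (src outside, dest phones) and the posted config pairs `nat (outside) 10 access-list vpn_nat_inside outside` with `global (inside) 10 interface` and `global (phones) 20 interface`. As an added example, not code from the thread or from Cisco, the Python below is a simplified model, assumed here, of how a pre-8.3 ASA pairs a policy `nat (ifc) ID access-list` rule with a `global (egress-ifc) ID` entry by NAT ID. The nat, global, name and access-list values are copied from the posted configuration; the routing view is constructed from the interface addresses, and the 192.168.1.50 PC address is made up.

```python
from ipaddress import IPv4Address, IPv4Network

# Added example, not from the thread or from Cisco: a simplified model of how a
# pre-8.3 ASA pairs a policy 'nat (ifc) ID access-list ...' rule with a
# 'global (egress-ifc) ID ...' entry. Pairing-by-ID is an assumption of this
# model; the data below is copied from the posted configuration.

NAMES = {"Net-10": "10.0.1.0", "phones": "192.168.254.0", "PBX": "192.168.254.250"}

# access-list vpn_nat_inside extended permit ip SRC SRCMASK DST DSTMASK
ACLS = {
    "vpn_nat_inside": [
        ("Net-10", "255.255.255.224", "192.168.1.0", "255.255.255.0"),
        ("Net-10", "255.255.255.224", "phones", "255.255.255.0"),
    ]
}

# nat (ingress) ID access-list NAME
NAT_RULES = [("outside", 10, "vpn_nat_inside")]

# global (egress) ID interface
GLOBALS = {("inside", 10), ("outside", 1), ("phones", 20)}

# Constructed routing view, taken from the interface addresses in the config.
ROUTES = [
    (IPv4Network("192.168.1.0/24"), "inside"),
    (IPv4Network("192.168.254.0/24"), "phones"),
]


def _network(token, mask):
    """Resolve a 'name' alias and build the subnet from an ASA-style netmask."""
    return IPv4Network(f"{NAMES.get(token, token)}/{mask}", strict=False)


def egress_interface(dst):
    """Pick the interface the destination is reached through (subnets do not overlap)."""
    for net, ifc in ROUTES:
        if IPv4Address(dst) in net:
            return ifc
    return "outside"  # default route in the posted config


def policy_nat_id(ingress, src, dst):
    """NAT ID of the first policy-NAT rule on the ingress interface whose ACL matches."""
    for ifc, nat_id, acl_name in NAT_RULES:
        if ifc != ingress:
            continue
        for s_tok, s_mask, d_tok, d_mask in ACLS[acl_name]:
            if (IPv4Address(src) in _network(s_tok, s_mask)
                    and IPv4Address(dst) in _network(d_tok, d_mask)):
                return nat_id
    return None


def translation_status(ingress, src, dst):
    """Describe whether the flow gets a usable translation under this model."""
    nat_id = policy_nat_id(ingress, src, dst)
    egress = egress_interface(dst)
    if nat_id is None:
        return "no policy nat rule matched"  # nat 0 / nat-control cases are out of scope
    if (egress, nat_id) in GLOBALS:
        return f"PAT to {egress} interface address (nat id {nat_id})"
    return f"translation fails: no 'global ({egress}) {nat_id}'"


if __name__ == "__main__":
    client = "10.0.1.1"  # first address of SSLClientPool-10 in the posted config
    print(translation_status("outside", client, "192.168.1.50"))
    print(translation_status("outside", client, NAMES["PBX"]))
```

    Under this model a VPN client reaching the inside LAN finds `global (inside) 10` and is translated, while the same client reaching the PBX matches the second `vpn_nat_inside` entry with NAT ID 10 but finds only ID 20 on the phones interface, which lines up with the "portmap translation creation failed ... dest phones" message in the post. It is a model of the posted lines only, so verify the actual behaviour on the box with `packet-tracer` (the config already grants that command at privilege level 3) before changing NAT rules.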
