VPN Server with two router local network
I just got a Mac Mini Server 2011 to set up as a home server. One of the main features I want to use is a VPN so I can access my files on my local network when I'm away from home. I live in Japan and I have a Japanese optical connection to the internet that runs through two boxes before I can use it in any form: some sort of modem, and a "gateway" which I literally just found out is also acting as a router and serving DHCP addresses. In addition, I have a 2TB Time Capsule that, until just recently, I had been using in the "Share a Public IP" mode because I didn't realize the gateway was also issuing DHCP addresses. I cannot simply plug my TC into the modem in place of the gateway - both are required to access the internet.
Until today I had both routers using DHCP on the local networks they each created. Under that environment, I had finally configured Lion Server to file share (easy), manage network accounts (moderate), and serve Profile Manager (difficult). But despite my best efforts at mapping the ports on the Time Capsule, I just couldn't get the ports open using tools like canyouseeme.org, so the VPN was a no-go. That's when I realized the gateway could be a router too, so with some creative Google searches, and extensive use of Google Translate, I was able to figure out how to open ports on the gateway. It does it pretty differently from the Time Capsule and other routers I've seen. It asks you to define the host on the LAN (what I assume to be the target IP), the protocol (TCP vs. UDP), and then a range of ports for it to open. I plugged in the IP of the Time Capsule, opened all the UDP ports (since it was an option to just open all, and I figured 1) the TC would still protect my network and 2) it would just be a test), but I still couldn't see the ports as being open.
So then I got desperate, and I switched the TC back to Bridge Mode, reconfigured the Server and my MBP (my client Mac) to the new IP addresses being served by the Japanese gateway, and tried again. I think I reconfigured the DNS settings in Server Admin properly to account for the change in IP, and then updated the services in Server.app, but now I can't even get to my server homepage (the Apple placeholder page) using either its IP or its .private domain, and to make matters worse, I STILL can't seem to get the ports open (yes, I changed the port mapping to send it directly to the server IP as the target after the change).
To add insult to injury, the wired ethernet connection I had been running from my TC to the MM Server is now reporting a cable unplugged (it's not), even when I plug it directly into the gateway, though I am able to connect wirelessly.
Does anyone have any idea what's going on? Why can't I get these ports open? (By the way, I called my ISP and they said they aren't blocking any of the ones I'd want to use for VPN.)
What is the *better* set up - using the TC as a second LAN, serving its own DHCP addresses, or using it in Bridge mode?
Why did these changes sever my wired connection?
I was getting even more problems (like loss of internet connectivity on all devices) using the TC in bridge mode, so I decided to go back to the dual network setup.
Hello Eric,
As I mentioned above.
For external Internet access, I would create a Generation 1 VM and use 2 Legacy Network Adapters for the interfaces. Connect it to the External and Internal network, and then install VM Linux IPFire (How to install) and configure IPFire with RED and GREEN interface.
You don't need router or any firewall.
I have the same set-up that you are trying to do in your lab and it's working great.
All my VMs / computers on the LAN have their gateway the Linux VM.
Hope this helps.
Regards,
Charbel Nemnom
MCSA, MCSE, MCS, MCITP
Blog: www.charbelnemnom.com
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Similar Messages
-
Configuring Cisco ASA for site to site VPN ( Issue with setting up local network)
OK, so our primary firewall is a checkpoint gateway. Behind that we have a Cisco ASA for VPN users. I have a project at the moment where we need to connect to another company using site to site VPN through the Cisco ASA, as the checkpoint gateway is unable to establish a permanent tunnel with the other company's Cisco ASA.
What would be the best practise for setting up the local network on my side? Create the network on the ASA and then use a L2 vlan to connect to the Core switch?
Setup a L3 interface on the core switch and point it towards the checkpoint gateway which would then point to the ASA?
When you have to select your local network through the site to site wizard do you have to put the inside network address of the ASA?
Our network is setup like this: Access layer switch > Core 6500 Switch > Checkpoint-Firewall > Internet
The ASA is connected to a checkpoint sub interface
Any help would be beneficial as I'm new to Cisco ASAs
Thanks
Mark
Mark
If we understood more about your environment we might be able to give you better answers. My initial reaction was similar to the suggestion from Michael to use a L2 vlan. But as I think a bit more my attention is drawn to something that you mention in the original post. The ASA is there for VPN users. If the VPN users need to access your internal network then you probably already have something configured on the ASA that allows access to the internal network. Perhaps that same thing might provide access for your site to site VPN?
HTH
Rick -
Trying to configure a multi-homed IIS server with CF8 on local network
I'm a bit lost trying to configure my development server in CF Builder (windows XP). The server is Win2k with CF8.
The server sits next to my workstation, and the workstation has drive mappings to the server.
Websites on the server are under c:\websites\<sitename>
Coldfusion is in c:\ColdFusion8
Each website has its own IP address, and is represented in the workstation hosts file (i.e. www.site1.dev = 192.168.1.xx)
The *default* website on the server is in c:\inetpub\wwwroot, and this is where cfide, etc resides
This creates a situation where CF8 admin is at a different IP from each of the sites.
So... Do I set up each site as an RDS connection, or can I set it all up as a local server (using mappings)
I read Ben Forta's introduction article, and am kind of lost - it didn't match up well with the server config dialogs.
I've been looking forward to seeing 'bolt'. Any assistance is most appreciated!
- Don
I have to admit, I'm wondering if people use other configurations to accomplish what I seek to achieve...
I am an independent developer with a number of clients. In order to develop for them all in a setup that best duplicates their production configuration, I have set up multiple websites on a server machine, and access them from my 'workstation' computer on the same network.
So, each website (client project) has its own IP address, and I set up a record in the HOSTS file on my workstation with a URL to access it as if on the public web.
For instance, I have a very simple project, "AsiaFineConsultants" (project name, 'asiafine').
The website root on the server is located on the disk at c:\websites\asiafine.
On the server, IIS has that set up as a website, addressable at 192.168.1.42.
My workstation hosts file has www.asiafine.dev directed to 192.168.1.42.
So, on my workstation, I can browse to www.asiafine.dev and see the website. Simple!
I have many such projects, each with its own IP, root directory, IIS website, and entry in my workstation hosts file.
**** Doesn't everyone do it this way???? *****
Ok, the server has coldfusion installed (of course), but in its own 'website' at 192.168.1.55, with root directory at c:\inetpub\wwwroot.
This works just great. There are no problems with this arrangement. I've been using HomeSite and CFEclipse for years in this environment - without debugging.
As I go to set up Bolt (er, Builder) I can't get the mappings to work. The site mapping is different from the server mapping. Perhaps this is an over-simplification, but I can get RDS, and I can get the project in the editor, but I can't browse it internally because of mapping problems.
Problem!
Got any ideas? -
VPN Server won't route VPN client to gateway
We have a Windows 7 VPN client that successfully connects with the 2012 VPN server and can access servers and resources on the remote 96.0 LAN; however, the VPN client can not access the 96.1 default gateway and thus no subnets outside of 96.0.
Use default gateway on remote network is NOT checked, but does not work with it checked either.
RRAS on the VPN server does allow for routing IPv4 and is setup to assign addresses via DHCP.
You probably don't need a static route to get the traffic to the other subnets. Is the VPN router also the router for subnets? If it is, the packets should be delivered directly to any client in an attached subnet. You do have the remotes using their own subnet? If not, Bing or Google off subnet addressing. You need that to be able to route the VPN traffic at the central site.
What you do need is a static route at the router which is the gateway router for the LAN segment to send the traffic to the VPN server, not to your Internet gateway (which would be the default behaviour. Whether the Internet gateway is the VPN server or another router depends on your network config).
Exactly how you set it up depends on how your local network is configured. I haven't done that sort of thing lately, but you probably have to use the IP address of the VPN demand-dial interface as the target address of the route command rather than the RRAS internal interface.
Bill -
VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client
Hello,
I have a problem in VPN between ASA5505 Easy VPN Server and 881G Router as Easy VPN Client. ASA 5505 has 7.2.3 software and 881G router has 15.1 software.
881G is configured as hardware client in network extension mode, and it is placed behind NAT. ASA5505 is working as server. Same VPN Group works correctly from VPN software clients.
When I send traffic from 881G client side, in show crypto session detail I see encrypted packets. But with same command I don't see decrypted packets on ASA5505 side. On both devices Phase 1 and Phase 2 are UP.
VPN is working correctly when I replace ASA5505 with ASA5510, which has 8.4.6 software. But problem is that I need to do this VPN between ASA5505 and 881G.
Can you help me, how can I debug or troubleshoot this problem?
I am unable to update software on ASA5505 side.
Hello,
Here is what my config looks like:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 40 set pfs
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 60 set pfs
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 80 set pfs
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 set pfs
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 120 set pfs
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set pfs
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 160 set pfs
crypto dynamic-map outside_dyn_map 160 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 180 set pfs
crypto dynamic-map outside_dyn_map 180 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 200 set pfs
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUPR type ipsec-ra
tunnel-group HW-CLIENT-GROUP general-attributes
address-pool HW-CLIENT-GROUP-POOL
default-group-policy HW-CLIENT-GROUP
tunnel-group HW-CLIENT-GROUP ipsec-attributes
pre-shared-key *******
group-policy HW-CLIENT-GROUP internal
group-policy HW-CLIENT-GROUP attributes
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cisco_splitTunnelAcl
nem enable -
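An offline check over the configuration posted above (an added example, not part of the original post and not a Cisco tool): it lists which legacy algorithms the ISAKMP policies and the dynamic map actually offer, and which are only defined in unused transform sets. The legacy list (DES, 3DES, MD5, DH groups 1, 2 and 5) is this example's own policy, and the sample is a constructed subset of the posted lines.

```python
# Added example: audit an ASA-style crypto configuration for legacy algorithms.
# LEGACY_ESP / LEGACY_IKE are this example's own policy (an assumption),
# not something the original post states.
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac"}
LEGACY_IKE = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

# Constructed sample: a subset of the lines posted above, flat as on the page.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-AES-128-SHA
crypto dynamic-map outside_dyn_map 200 set transform-set ESP-AES-256-SHA
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 3
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
tunnel-group HW-CLIENT-GROUP ipsec-attributes
"""


def parse(config):
    """Return (transform_sets, map_refs, isakmp_policies) from config text."""
    sets, refs, policies = {}, {}, {}
    current = None  # ISAKMP policy whose sub-commands are being read
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) > 4:
            sets[words[3]] = words[4:]
            current = None
        elif words[:2] == ["crypto", "dynamic-map"] and words[4:6] == ["set", "transform-set"]:
            # One map entry may list several transform sets.
            refs.setdefault(int(words[3]), []).extend(words[6:])
            current = None
        elif words[:3] == ["crypto", "isakmp", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and words[0] in LEGACY_IKE and len(words) == 2:
            current[words[0]] = words[1]
        elif words[0] not in ("authentication", "lifetime"):
            current = None  # any other command ends the policy block
    return sets, refs, policies


def audit(config):
    """Separate legacy algorithms that are offered from those only defined."""
    sets, refs, policies = parse(config)
    in_use, referenced = [], set()
    for seq in sorted(refs):
        for name in refs[seq]:
            referenced.add(name)
            for transform in sets.get(name, []):
                if transform in LEGACY_ESP:
                    in_use.append((f"dynamic-map {seq}", name, transform))
    for num in sorted(policies):
        for key in ("encryption", "hash", "group"):
            value = policies[num].get(key)
            if value in LEGACY_IKE[key]:
                in_use.append((f"isakmp policy {num}", key, value))
    unused = sorted(name for name, transforms in sets.items()
                    if name not in referenced and LEGACY_ESP & set(transforms))
    return {"in_use": in_use, "defined_unused": unused}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    for where, item, value in report["in_use"]:
        print(f"offered  {where}: {item} {value}")
    for name in report["defined_unused"]:
        print(f"unused   transform-set {name}")
```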
Problem in Rmi in machine with two IP local & internet
I am having a problem with RMI on a machine with two interfaces, local & internet
i.e.
if I set the property java.rmi.server.hostname to the one with the internet IP address using System.setProperty()
I can not access RMI through the local LAN
if I do not set the property, everything works fine in the LAN but I can not access RMI from the Internet
Please tell me the solution
Consider the code here, and if you can suggest what changes I have to make in this code, I will be thankful to you
// Class MyHelloServer
package rmi.server;

import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.net.Inet4Address;
import java.net.InetAddress;
import java.net.MalformedURLException;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.rmi.*;
import java.rmi.server.ServerNotActiveException;
import java.util.ArrayList;
import java.util.Enumeration;
import javax.swing.JOptionPane;
import rmi.bl.HelloImpl;

public class MyHelloServer
{
    static public ArrayList hostList = new ArrayList();
    static String hostname=null;
    static String SERVER_PORT="9999";
    static String MULTIPLE_BIND="true";

    static{
        startTest();
    }

    // Collect every IPv4 address of this machine; remember the point-to-point one.
    public static void startTest(){
        try {
            Enumeration enum1= NetworkInterface.getNetworkInterfaces();
            while(enum1.hasMoreElements()){
                NetworkInterface networkInterface = (NetworkInterface)enum1.nextElement();
                Enumeration enum2 = networkInterface.getInetAddresses();
                while(enum2.hasMoreElements()){
                    Object obj = enum2.nextElement();
                    if(obj instanceof Inet4Address){
                        if(!hostList.contains(((Inet4Address)obj).getHostAddress())){
                            hostList.add(((Inet4Address)obj).getHostAddress());
                        }
                        if(networkInterface.isPointToPoint()){
                            hostname=((Inet4Address)obj).getHostAddress();
                        }
                    }
                }
            }
        }catch (SocketException e) {
            e.printStackTrace();
        }
        // Only one value can be advertised to RMI clients.
        if(hostname!=null){
            System.setProperty("java.rmi.server.hostname", hostname);
        }
        System.out.println(System.getProperty("java.rmi.server.hostname")+"<<<<<< New");
    }

    public static void main(String args[])
    {
        try
        {
            HelloImpl storeServer = new HelloImpl();
            int port=Integer.parseInt(SERVER_PORT);
            String host=InetAddress.getLocalHost().getHostAddress();
            java.rmi.registry.LocateRegistry.createRegistry(port);
            if(MULTIPLE_BIND.equals("true")){
                // Bind the same object under every local address.
                for (int i = 0; i < hostList.size(); i++) {
                    System.out.println(hostList.get(i).toString() + " <<<<IP" + i);
                    Naming.rebind("//"+hostList.get(i).toString()+":"+port+"/STORESERVER", storeServer);
                }
            }else{
                Naming.rebind("//"+host+":"+port+"/"+"STORESERVER", storeServer);
            }
            MyHelloServer.MyThread thread= new MyThread(":"+port+"/"+"STORESERVER", storeServer);
            System.out.println("Remote Server started.....");
        }
        catch (java.net.MalformedURLException me)
        {
            System.out.println("Malformed URL: " + me.toString());
            System.exit(0);
        }
        catch (RemoteException re)
        {
            System.out.println("Remote exception: " + re.toString());
            System.exit(0);
        }
        catch (Exception e)
        {
            System.out.println("Error: " + e.toString());
            System.exit(0);
        }
    }

    // Re-scans the interfaces every 15 seconds and rebinds the object.
    static class MyThread extends javax.swing.JPanel implements ActionListener{
        String str="";
        HelloImpl impl;

        public MyThread(String text,HelloImpl storeServer){
            this.impl=storeServer;
            str=text;
            int timetoWaitForCheck=15000;
            javax.swing.Timer timer = new javax.swing.Timer(timetoWaitForCheck, this);
            timer.start();
        }

        public void actionPerformed(ActionEvent ae)
        {
            startTest();
            // Rebind
            for (int i = 0; i < hostList.size(); i++) {
                try {
                    Naming.rebind("//"+hostList.get(i).toString()+str, impl);
                } catch (RemoteException e) {
                    e.printStackTrace();
                } catch (MalformedURLException e) {
                    e.printStackTrace();
                }
            }
        }
    }
}
-
SCCM central site and primary site use the same SQL SERVER with two Instance.
Hi Guys,
I want to deploy an SCCM 2012 central site and primary site in my domain, but I have only one SQL server. Can anyone tell me how to install the central site server and primary site server on the same SQL Server with two instances?
Sean Xiao
TechNet Community Support
Although you can install like the configuration you said above, we do not recommend you do it this way. If your SQL box has problems, all the data will go away and you will not have data redundancy.
You need to configure the different SQL port and SQL Broker service port, e.g.
SQL port 4023, SQL Broker Service port 4022 for CAS instance
SQL port 4024, SQL Broker Service port 4021 for PRI instance
Juke Chou
TechNet Community Support
I agree with Johan and this configuration should not be used. But I want to clarify that the default ports for "SQL port" (actually, SQL over TCP) is 1433 and the SQL Broker Service uses 4022. The configuration above should work but the "correct" would be to use 1433 and 4022 for the CAS and 10434 and 4023 for the Primary :)
You can read more about Network Ports used by Configuration Manager here
http://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_CommunicationPorts
/Tim
Tim Nilimaa | Blog: http://infoworks.tv | Twitter: @timnilimaa -
How to DHCP Server with NO ROUTER on Server Admin panel field?
Hi all!
I'm having a little problem.
I have two completely different networks, with different purposes, one is 10.0.10.X and the other is 192.168.10.X. My network is like this:
Internet------Wifi Router (192.168.10.250) -----iMacs AirPort (192.168.10.X)
MacPro (10.0.10.100)-----iMacs Ethernet (10.0.10.X)
Great, is so simple. So I had a DHCP server (Windows blerg) on the 10.0.10.X (NOT MAC OS X SERVER) and everything works perfect, since on the Windows DHCP Server I'm not forced to fill the router/gateway and leaving it blank makes the iMacs have just one router/gateway from the 192.168.10.X lease from the Wifi Router.
Now I'm planning to migrate the DHCP Service to the Mac OS X Server (Snow Leopard Server), I fiddled a bit and found that I can't use DHCP Server on Mac OS Server leaving router field blank and if I type ANYTHING, my iMacs will NOT access the internet through 192.162.10.X since now there's two gateways (from 10.0.10.X that Server Admin panel forced me to fill and from 192.168.10.X that HAS to have one gateway and it's the correct one).
I've tried to fill with the 192.168.10.X gateway but throws a warning saying that is not on the same subnet.
I really don't want to re-route or mix the traffic for many reasons.
So I ask, is there any possible way to NOT fill or bypass or do anything to make DHCP Server service from Mac OS X Server not have a gateway/router?
The only way I'm managing to do it now is to use manually entered IPs on the iMacs, but it's 10 iMacs and I guess for some services like netboot etc I need DHCP.
Cheers,
Let's assume that before you had computers with both Ethernet and WiFi connections, they were able to access the Internet via WiFi and talk amongst themselves via Ethernet. The Ethernet addresses were not (in theory) accessible from the WiFi network and hence not accessible from the Internet. Presumably you intended this for security reasons.
If so, you were completely mistaken. Even if you turned on a Software firewall on each of these iMacs to in theory block traffic going between the two networks you still have a potentially insecure setup. This is because traffic can reach the iMacs via WiFi. Once hypothetical malicious traffic has invaded an iMac via WiFi it can take control over the computer and within that computer reach out via its Ethernet port to other Ethernet computers.
The only way to ensure complete security is not to have any link between the two networks at all. If one of the computers is linked to both then you have a potential path for attacks to travel across.
So what are you really trying to do? If you want two totally separate networks with one having absolutely no link to the outside world then this is simple and is as follows.
NETWORK1 Internet------Wifi Router (192.168.10.250) -----iMacs AirPort (192.168.10.X)
NETWORK2 MacPro (10.0.10.100)-----different iMacs Ethernet (10.0.10.X) with WiFi turned off
You could define the default gateway for NETWORK2 as being the DHCP server itself. No computer on NETWORK2 would be able to access the Internet and hence it would be totally secure.
If however you want all computers to be able to access the Internet then you need a link between them. Are you merely wanting to segregate WiFi traffic as it might be insecure and eavesdropped on? If so then the following is a better approach
WiFi clients (192.168.10.x)
Internet ----- AirPort Extreme (192.168.10.250) ------ Hardware FireWall does NAT (10.0.10.1) ---- MacPro (10.0.10.100) ---- iMacs via Ethernet (10.0.10.x)
The WiFi clients would not be able to directly access your 10.0.10.x network as they are blocked by the FireWall. However if you have say a laptop that you want to use on WiFi but still access your server on your internal secure LAN you would do this by having the server run the VPN server component. The WiFi client would then connect via the VPN server and this would ensure all the network traffic going over the WiFi is encrypted using industry standard IPSec encryption. In this second scenario the MacPro (presumably your server) would have the FireWall as the default gateway, and the FireWall would have the Internet router as its default gateway. You could set the Firewall to forward VPN traffic to the server or use the second Ethernet port on the server to accept VPN traffic on the 192.168.10.x LAN.
My own setup is something like
AirPort
|
Internet router --- Public IP range --- (WAN) FireWall (LAN) --- LAN Switch --- Server Port1 for normal traffic
|(DMZ) |
+----------------------------- Server Port2 for VPN -
New physical server - with two DC's - need help!
My scenario is I have a small business who has two locations. The "IT" guy is set in a way that he wants to do this, and he has contracted me to help.
Site 1
192.168.1.x network
SBS 2003 server (on really old hardware) Let's call this server SBS1
Site 2
192.168.2.x network
Is a domain controller that's a global catalog. The two sites replicate. Let's call this server Server2
Site 2 Site VPN between the two offices
The OLD IT guy took an image of the SBS server six months ago, and put it on newer hardware. But it was never implemented. Since 6 months ago, not much has changed, a few new PC's and a few new users.
The current "IT" guy wants to put the imaged SBS that is the newer hardware server into the network and decom the old SBS server.
The network can be taken down, and downtime is okay. This doesn't need to be a quick drop in and go.
My concern is, if I drop in the imaged server of the SBS server that was done six months ago, it's going to look and say hey, there are some accounts that I don't have, so I'm going to remove them from Server2.
What's the best way of going about this?
I have suggested some other routes, but the "IT" guy is insistent on doing this, and well he's paying me by the hour so I'm fine following his lead.
Also the "IT" guy is willing to recreate missing user accounts if that happens.
Some more information, the SBS server is not really being used as an SBS server. Exchange is not running, no SharePoint, etc.
It's basically a file server, print server, and DC.
When they did the image -this was six months ago-, they just cloned the old SBS server to new hardware. Now the IT guy wants to drop that cloned SBS server onto the network. I know I'll have to re-copy all the users' data files, etc.
I just need to know how AD is going to react. Is Server 2 going to push its AD updates to the SBS server because it's 6 months old? Or will the SBS say, hey I'm supposed to be the main DC, so update to my old information?
Are there any other huge issues that could happen? The image being six months old, is that going to cause huge issues with replication?
Should I just take a new image and put onto the server that currently has the six month old image?
Please help. Thank you. -
How to set VPN server with static IP without DHCP on
I set up a new Mac mini server with OS X 10.9.1 and Server App 3.0.1
My ISP gave me a static public IP address.
I have on:
- web server
- mail server
- DNS server
without using DHCP, but now I want to set up L2TP/IPSec VPN server and it requires that I give the start IP address of the VPN server.
Can I use the VPN server without the DHCP server on?
If yes, how?
If not, when I turn on the DHCP server, what do I have to do with the web and mail servers?
To run a public VPN server, you need to do the following:
1. Give the gateway either a static external address or a dynamic DNS name. The latter must be a DNS record on a public DNS registrar, not on the server itself. Also in the latter case, you must run a background process to keep the DNS record up to date when your IP address changes.
2. Give the VPN server a static address on the local network, and a hostname that is not in the top-level domain "local" (which is reserved for Bonjour.)
3. Forward external UDP ports 500, 1701, and 4500 (for L2TP) and TCP port 1723 (for PPTP) to the corresponding ports on the VPN server.
If your router is an Apple device, select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change.
With a third-party router, there may be a similar setting.
4. Configure any firewall in use to pass this traffic. -
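The forwarding requirement in step 3, applied to a chain of two NAT routers like the gateway plus Time Capsule arrangement in the first post (an added example, not part of the original thread): every required port must be forwarded at each router, and each rule must point at the next device in the chain. It assumes forwards keep the port number unchanged; all addresses, router names and rule sets are constructed.

```python
from dataclasses import dataclass, field

# Ports from step 3: UDP 500, 1701, 4500 for L2TP and TCP 1723 for PPTP.
REQUIRED = [("udp", 500), ("udp", 1701), ("udp", 4500), ("tcp", 1723)]


@dataclass(frozen=True)
class Forward:
    proto: str   # "udp" or "tcp"
    first: int   # first port of the forwarded range
    last: int    # last port of the forwarded range (inclusive)
    target: str  # LAN address the router hands the packet to


@dataclass
class Router:
    name: str
    wan_ip: str  # address this router has on its upstream side
    forwards: list = field(default_factory=list)

    def lookup(self, proto, port):
        """Return the first forwarding rule covering proto/port, or None."""
        for rule in self.forwards:
            if rule.proto == proto and rule.first <= port <= rule.last:
                return rule
        return None


def trace(chain, server_ip, proto, port):
    """Walk one inbound packet through every NAT router, outermost first.

    Returns ("delivered", server_ip), ("dropped", router) when a router has
    no matching rule, or ("misrouted", router) when its rule points at a host
    that is neither the next router nor the VPN server.
    """
    for i, router in enumerate(chain):
        rule = router.lookup(proto, port)
        if rule is None:
            return ("dropped", router.name)
        next_hop = chain[i + 1].wan_ip if i + 1 < len(chain) else server_ip
        if rule.target != next_hop:
            return ("misrouted", router.name)
    return ("delivered", server_ip)


def audit(chain, server_ip):
    """Trace every required VPN port and report where each one ends up."""
    return {(p, n): trace(chain, server_ip, p, n) for p, n in REQUIRED}


# Constructed addresses for the two scenarios below.
SERVER = "10.0.1.2"            # server behind the inner router (double NAT)
INNER_WAN = "192.168.1.10"     # inner router's address on the gateway LAN
BRIDGED_SERVER = "192.168.1.2" # server directly on the gateway LAN


def double_nat_chain():
    """Gateway opens all UDP to the inner router; inner router has gaps."""
    gateway = Router("gateway", "203.0.113.7",
                     [Forward("udp", 1, 65535, INNER_WAN)])
    inner = Router("inner-router", INNER_WAN, [
        Forward("udp", 500, 500, SERVER),
        Forward("udp", 4500, 4500, SERVER),
        Forward("udp", 1701, 1701, "10.0.1.20"),  # stale target, not the server
    ])
    return [gateway, inner]


def bridged_chain():
    """Inner router bridged: only the gateway does NAT, one rule per port."""
    gateway = Router("gateway", "203.0.113.7", [
        Forward(proto, port, port, BRIDGED_SERVER) for proto, port in REQUIRED
    ])
    return [gateway]


if __name__ == "__main__":
    for label, chain, server in (("double NAT", double_nat_chain(), SERVER),
                                 ("bridged", bridged_chain(), BRIDGED_SERVER)):
        for (proto, port), (status, where) in audit(chain, server).items():
            print(f"{label:10} {proto}/{port:<5} {status:9} {where}")
```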
Issues with iMac on local network
My iMac has started to disappear from my local network and I cannot find the source of the problem. The iMac remains connected to the internet and browsing works fine. Everything appears to be operating as normal from the iMac. Unfortunately, any apps on my iPad cannot see the iMac and I cannot access shared hard drive data. Additionally, home sharing on my iTunes goes down. This is reproduced on every app I try. (Mainly Air Video and Splashpad)
This problem is intermittent and I cannot resolve it through restarting the iMac or playing with network settings. Turning the iMac off for several hours usually resolves the problem. Occasionally however the problem will resolve itself without warning and everything will connect as they should.
Any assistance in helping me understand this problem and any fixes would be gratefully received.
A couple of things I'd do at this point is to remove all your networks from the preferred network list, then re-add your Wi-Fi. If that doesn't fix it, I'd do a PRAM reset. Another couple of troubleshooting steps is to try it in another user and see if it still acts up. Also, try it in safe mode. I do understand that it's intermittent, so some of these steps might take a while to see if it's recreated the issue. Another thing, have you restarted the router?
-
How to start VPN Server with PPTP + How to backup Addressbook Server
Hey people,
I currently have Lion Server running on my Mac mini server, it was upgraded to Lion (server) from Snow Leopard server.
Now I have 2 issues I'd like to address and ask your help for.
1. VPN Server on Lion Server.
I have had the VPN server running on Snow Leopard server without a problem, however, since my Lion upgrade it just isn't working with PPTP anymore.
I did read a lot of discussions here and also read that you can configure it through the terminal using the serveradmin tool.
I have followed the instructions to get PPTP enabled, but it just isn't listening on the correct port, I don't see anything running nor can I connect from my Lion client to the server (I get server not responding).
Does anyone experience the same problem? Or know how to solve this?
2. Addressbook Server on Lion Server.
I have a few network users on my system, they use the Addressbook server through their iPhone/iPad.
I don't know how to back up the contacts they added in the server, is there a way to back up the data?
I have already tried to export the user using the Workgroup Manager, but when I look in the file, I don't see any additional info other than the user settings.
I have been thinking of reinstalling the server to a complete fresh Lion only installation instead of the current upgraded Lion from Snow Leopard, that's why I need to back up the info.
Time Machine backups of an upgraded Snow Leopard Server to Lion Server won't work on a fresh Lion Server installation, I have always had the problem that it can't read the data for some reason.
Anyone know a solution for these 2 issues?
Hi,
In your base module MANIFEST.MF include Rest module in ATG-Required.
It like,
ATG-Required: DCS B2CCommerce WebUI Rest
Hope it will work for you.
Regards
Kumaresh Babu A -
Com.apple.Server.Accounts error 2 - Local Network Group problem
I am lost :-)
just to specify, this is not a production server, it is just a learning platform for me.
I did a format and start over my server configuration
in order
DNS
DHCP
Open Directory
Profile Manager
User and group
File Sharing
very basic config.
Somewhere during user and group something happen
I did create a new Local Network Group and 2 Local Network User, me and a Directory admin
but now, when I create a group, it seem I can only create local group
and I can't edit Local Network Group
Local Group -> no problem
I can edit Local Group. I can add member
or I can go to a member and add it to a Local Group even if the user is a Local Network User
it work
Local Network Group -> does not work
I can't edit Local Network Group, can't add member
if i go the same Local Network user I added to local group and try to add it to a Local Network group, I get this error
com.apple.Server.Accounts error 2
I dont know where I went wrong :-)
any idea
Thank you
I just reformatted and restarted the configuration :-( but I might have the same problem again, so I hope to understand why it happened.
I had the problem on both the server and a client machine.
Part of the Local Network User and Groups were greyed out, so I could not edit them
My airport setting for DNS was set to my server, so the client automatically got the local IP of the server for DNS.
On the server, initially, the formatting DNS IP was set to my airport, then I changed it to the DNS of my Internet provider.
but for the self IP 127.0.0.1, I did see it there at the beginning, but maybe when I did change it later it might have been affected.
I did change the System Preferences>Network setting to a fixed IP even if my airport was set as the DHCP with a fixed IP for the Mac Mini.
I remember not seeing a DNS in that page. I will check for that now that I am about to start again.
and also, I tried to change the DHCP to be given from the Mac Mini (like I read in the book) but when I did a
ipconfig getpacket en0
it was still showing the airport as the DHCP server
I will not set it this time.
Thank you
I will come back later with some update
Thank you
Mac Mini Server with two displays
I am about to purchase the new MMS, but I want to clarify two things first.
I just got off the phone with Apple Customer Service. I asked them if it's possible to connect two displays, one via Thunderbolt, the other via mini port at full 2500x1440 res. The guy said it's possible with two Thunderbolt displays; however, he seemed not too sure about it. Further, he couldn't say anything about the possibility of connecting one Thunderbolt and an older Cinema display at full res.
Does anybody know?
Thanks!
I'm not sure about the full res on HDMI. They always had the dual link adapter for the mini display port, not sure how this HDMI one will work out. Maybe they'll offer a special adapter in time?
You can see the available ports here: http://www.apple.com/macmini/design.html
and tech info here: http://www.apple.com/macmini/specs.html
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip 172.19.5.x
sub 255.255.255.292
gw 172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.19.5.65 255.255.255.192
interface Vlan2
nameif outside
security-level 0
ip address SITE B public IP 255.255.255.224
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
network-object 72.55.34.64 255.255.255.192
network-object 72.55.33.0 255.255.255.0
network-object 173.189.251.192 255.255.255.192
network-object 173.163.157.32 255.255.255.240
network-object 66.11.1.64 255.255.255.192
network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
network-object host 172.19.250.10
network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect pptp
inspect sip
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
On the router I have also added:
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my ACL:
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site.
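A static check for the ACL lines posted above, as an added example that is not part of the original thread: it parses the IOS wildcard-mask and ASA netmask entries, then flags wildcards that do not describe a subnet, entries that can never match because an earlier entry already covers them (ACLs are evaluated top-down, first match wins), and crypto ACL selectors that are not mirrored on the peer. The function names are hypothetical and object-groups are not expanded; the ACL numbers (crypto 101 and NAT 110 on the router, crypto 110 on the ASA) are the ones used in the posted configs.

```python
import ipaddress

def _net(tok, wildcard):
    """Pop one address spec off tok; return (network, None) or (None, problem)."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0"), None
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32"), None
    mask = int(ipaddress.ip_address(tok.pop(0)))
    if wildcard:                   # IOS wildcard: set bits mean "don't care"
        if mask & (mask + 1):      # a subnet wildcard looks like 0...01...1
            return None, "non-contiguous wildcard"
        mask ^= 0xFFFFFFFF         # invert into a netmask
    return ipaddress.ip_network(f"{first}/{ipaddress.ip_address(mask)}", strict=False), None

def parse(config, wildcard):
    """Return {acl: [(lineno, action, src, dst, problem)]} for 'ip' entries."""
    acls = {}
    for n, line in enumerate(config.strip().splitlines(), 1):
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        acl, tok = tok[1], [t for t in tok[2:] if t != "extended"]
        action, proto = tok.pop(0), tok.pop(0)
        if proto != "ip":
            continue
        src, p1 = _net(tok, wildcard)
        dst, p2 = _net(tok, wildcard)
        acls.setdefault(acl, []).append((n, action, src, dst, p1 or p2))
    return acls

def shadowed(entries):
    """(line, earlier_line) pairs where an earlier entry already covers the later one."""
    hits = []
    for i, (n, _, src, dst, bad) in enumerate(entries):
        for m, _, s, d, b in entries[:i]:
            if not bad and not b and src.subnet_of(s) and dst.subnet_of(d):
                hits.append((n, m))
                break
    return hits

def unmirrored(local, remote):
    """Local permits whose reversed (dst, src) pair is not permitted on the peer."""
    want = {(d, s) for _, a, s, d, b in remote if a == "permit" and not b}
    return [n for n, a, s, d, b in local if a == "permit" and not b and (s, d) not in want]

def lint(ios_text, asa_text):
    """Findings for the crypto ACLs (IOS 101 / ASA 110) and the IOS NAT ACL 110."""
    ios, asa = parse(ios_text, True), parse(asa_text, False)
    out = [f"IOS acl {a} line {n}: {bad}" for a, es in ios.items() for n, *_, bad in es if bad]
    out += [f"IOS acl 110 line {n}: shadowed by line {m}" for n, m in shadowed(ios.get("110", []))]
    out += [f"ASA acl 110 line {n}: no mirrored permit in IOS acl 101"
            for n in unmirrored(asa.get("110", []), ios.get("101", []))]
    return out

# Lines as posted in the thread; line numbers in findings are relative to each block.
IOS_POSTED = """
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
"""
ASA_POSTED = """
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
"""

if __name__ == "__main__":
    print("\n".join(lint(IOS_POSTED, ASA_POSTED)))
```

With the wildcard written as 0.0.0.63 and the new deny placed above the two `permit ... any` entries, the same check returns no findings.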