What should my default route be with a VPN?

I have a remote site that is connected to my main site using a VPN over the internet. ALL traffic on the remote site should come back to the main. On the remote site I have the outside interface configured with a crypto map indicating that the peer is my Main site's outside ASA (VPN endpoint) interface. The VPN functions and most of the traffic seems to be flowing correctly, except...
When a user tries to telnet to a site the packets seem to be going out to the internet instead of through the VPN tunnel? The way I came to this conclusion is I did a traceroute on the router to the IP of the Telnet server and saw that it went to the internet and got lost. A traceroute from the user's station shows it goes out their router and just times out afterwards.
There is 1 static route on the router specifying the default route as the ISP's interface. This is the correct next hop but with my crypto map configured on the interface and with the peer being my main site, is this configuration correct? Should my default route on the router be my VPN peer's IP as the next hop or the ISP's?
Also do you think this is the reason why packets are getting routed to the internet instead of back to my Main site?  Thanks for any help!!

Thanks for the reply Karsten. I'm thinking now that the issue is actually back at my Main site and not at the crypto map. When I was on the remote router and did the traceroute (which went to the internet) I think it was only because I didn't specify which specific interface to ping from.
I still wasn't sure about that next hop though so thanks for answering that!  -Mark

Similar Messages

  • What should the default tablespace be for SAP users

    I'm using Oracle 10.2.0.4
    For the users
    OPS$<SID>ADM
    OPS$ORA<SID>
    SAP<SID>
    what should the default tablespace be
    PSAP<SID>USR or PSAP<SID>

    Hello Bill,
    > For the users
    > OPS$<SID>ADM
    For this user the default tablespace is SYSTEM
    > OPS$ORA<SID>
    For this user the default tablespace is SYSTEM
    > SAP<SID>
    For this user the default tablespace is PSAPPRDUSR
    Regards,
    Federico Biavati

  • Injecting Global default Routes into a MPLS VPN

    Hi,
    I have a PE router running MP-BGP which receives two default routes to the internet through an IPv4 BGP session. I need to import these routes into a VRF and export them to different customer VRFs so that these VRFs are able to access the Internet.
    I have used the feature called "BGP Support for IP Prefix Import from Global Table into a VRF Table" (URL: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00803b8db9.html#wp1063870)
    and imported these routes into a VRF.
    The issue is these routes are not propagated to any of the other PE routers which have customer VRFs configured.
    Has anybody tried this or a similar method to inject a dynamic default route into an MPLS VPN?
    Any suggestions would be highly appreciated.
    Thanks
    Subhash

    Hi Subhash,
    is there anything preventing you from terminating your internet BGP sessions in a VRF? Then everything should go smoothly, i.e. standard VRF import/export.
    So possibility A) create a VRF Internet, move bgp neighbor commands there and use filters preventing anything but the default route, then use route targets to distribute the default route into other VRFs.
    Possibility B) use static routing with packet leaking. Could look like this:
    ip route vrf Internet 0.0.0.0 0.0.0.0 global
    ip route vrf Internet 0.0.0.0 0.0.0.0 global 250
    ip route Serial0/0 !assuming this is where the customer router connects.
    Note: the BGP peer IP does not have to be directly connected! There has to be an LDP label for it though. So include your BGP peer's network in your IGP and the backup will work when you lose the link to the peer.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • What should the"default behavior" be for WiFi network connections?

    I have been able to at least temporarily fix the plethora of problems encountered after downloading Mountain Lion to my 2009 17" MBP just ten days ago. Thanks to the time and effort of so many posters that are much more savvy than me, I successfully executed the steps suggested in many of the posts and with good results. It surely beats running down to the Apple store and being told that I am the only one with a problem.
    Okay, I've realized that I don't really know what the default behavior of the WiFi network connection should be.
    Specifically:
    Should the Wi-Fi drop-down in Network always be "looking for networks", even though I am obviously on my Network?
    Should the Wi-Fi be connected at all times even when your computer is in sleep mode or deep sleep mode? There have been so many problems with Wi-Fi dropping off, slow or hanging loads, etc.
    I unchecked "ask to join networks" in Network preferences thinking it might stop looking for networks when it doesn't need to because I'm already on mine. I do see my neighbors (four neighbors) in the drop-down in Network.
    How do you get into Time Capsule's settings, to check speeds, especially ping?  What should the ideal settings be?
    How do you know if your DHCP license is renewed? I've heard that feature isn't working and may be the culprit to some of the Wi-Fi problems.
    I'll look forward to your help in understanding more about this. I've been in the support area a lot lately, I've read plenty of definitions and explanations of the different options to choose from in Apple's support area, but nowhere have I seen anything that explains what the default behavior should be or how it should perform.
    Thanks, as always.

    Generally, you don't want to tweak the wifi settings. It pretty much takes care of itself. The caveat to that is, of course, if you're experiencing problems.
    The 'looking for networks' behaviour only happens when you log in, wake the mac from sleep OR when you click on the wifi icon. You clicking on it tells the mac  "I want to see what networks are available" - so it does a scan for you to check to see if any new networks have appeared since you last clicked on it (or woke/logged in). In short, if you don't want it to look for new networks, don't click on the icon!
    Unchecking the 'ask to join networks' option only applies when your mac detects a new network (such as when it wakes) that you haven't already authorised; it'll ask you to confirm whether you want to join it or not. Otherwise, if the network is open it'll join automatically. You should keep this selected if you travel around with your Mac. It's a good idea to know what network you're on before you start plugging in passwords or typing other things into the mac.
    There is a utility that you can use for ping and traceroute called 'Network Utility'. Click on the Spotlight icon in the top right of your screen and type "Network' and you should see it at the top of the list. Hit 'return' to open it.
    DHCP licences are normally renewed automatically by your router every 24 hours. Again, there's no reason to be messing about with that unless you're experiencing problems.
    If you're experiencing wifi dropout, let us know, and we'll make some suggestions, but if you're not, you're best leaving your mac to manage the background processes. It knows what it's doing!
    Message was edited by: softwater

  • Import EIGRP default route only with network command

    Hi,
    Does anyone know why I can only import the default route learned by EIGRP (from a CE router) into the VPNv4 table with the command "network 0.0.0.0" under the address family? Is this the correct behavior?
    router bgp 100
    address-family ipv4 vrf red
    redistribute eigrp 200
    no synchronization
    network 0.0.0.0
    exit-address-family
    PE9(config-router-af)#do show ip route vrf red 0.0.0.0
    Routing entry for 0.0.0.0/0, supernet
    Known via "eigrp 200", distance 90, metric 547840, candidate default path, type internal
    Redistributing via bgp 100, eigrp 200
    Last update from 91.91.91.1 on FastEthernet0/0.91, 00:04:11 ago
    Routing Descriptor Blocks:
    * 91.91.91.1, from 91.91.91.1, 00:04:11 ago, via FastEthernet0/0.91
    Route metric is 547840, traffic share count is 1
    Total delay is 20400 microseconds, minimum bandwidth is 100000 Kbit
    Reliability 255/255, minimum MTU 1500 bytes
    Loading 1/255, Hops 4
    PE9(config-router-af)#do show ip bgp vpnv4 vrf red 0.0.0.0
    % Network not in table
    PE9(config-router-af)#
    PE9(config-router-af)#network 0.0.0.0
    PE9(config-router-af)#
    PE9(config-router-af)#do show ip bgp vpnv4 vrf red 0.0.0.0
    BGP routing table entry for 91:91:0.0.0.0/0, version 1068
    Paths: (1 available, best #1, table red)
    Flag: 0x820
    Advertised to update-groups:
    2
    Local
    91.91.91.1 (via red) from 0.0.0.0 (9.9.9.9)
    Origin IGP, metric 547840, localpref 100, weight 32768, valid, sourced, local, best
    Extended Community: RT:118:118 Cost:pre-bestpath:128:547840
    0x8800:32768:0 0x8801:200:522240 0x8802:65284:25600 0x8803:65281:1500
    mpls labels in/out 28/nolabel
    PE9(config-router-af)#
    Thanks,
    Marcelo

    Hi Marcelo,
    Yes, this is normal. A default route, unlike other routes, is not redistributed between routing protocols by default. In the case of BGP you have 2 options: either use a network command and make sure that the route is in the routing table (via EIGRP in your case), or use redistribute + default-information originate. You can test this by removing the network command and adding the default-information originate under the address family.
    HTH,
    Mohammed Mahmoud.

  • What is the default alarm behaviour with snooze disabled ?

    I think there is an issue with my iPhone's alarm behaviour when snooze is disabled. As I remember, if an alarm with snooze disabled goes off you have to slide the screen to stop the alarm. Pressing the volume buttons should have no effect. But in my case, pressing the volume button mutes the alarm and it won't sound any more.
    This defeats the whole purpose of setting a snooze-disabled alarm to make it more difficult to sleep through. The overall behaviour is worse than setting an alarm with snooze, which would go off again after the snooze interval if I were to press the volume buttons.
    Is this a new default behaviour or is this an issue? If it's an issue, what could I do to fix it?

    I don't see a setting where you can disable snooze for the built-in alarm clock.

  • What is the recommended upgrade for OSX 10.6.8 and what should I watch out for with the upgrade?

    I would like to know whether there is a recommended upgrade for OSX 10.6.8.  Is it Mountain Lion?  Is there anything I should watch out for in case I do the upgrade?  My computer is not working optimally and now my external drive (My Passport, 1TB) is not recognized by my computer.  Thanks!

    You should try to get your computer working before you upgrade.
    Check that your computer is compatible with Mountain Lion/Mavericks/Yosemite.
    To check the model number hold down the option/alt key, go to the Apple menu and select System Information.
    MacBook Pro (Mid/Late 2007 or newer) model number 3,1 or higher
    Your Mac needs:
    OS X v10.6.8 or OS X Lion already installed
    2 GB or more of memory (More is better - 4 GB minimum seems to be the consensus)
    8 GB or more of available space
    Check to make sure your applications are compatible. PowerPC applications are no longer supported after 10.6.      
    Application Compatibility
    Applications Compatibility (2)
    Do a backup before installing.

  • WebElements: What should the default URL be in the CMC

    Hi,
    Had issues with displaying the HTML output on update and refresh of a given report selecting specific categories. Currently using CR 2008 and Central Management Console (CMC) Product 12, 2008.
    Cannot view the report's output using webElements like SelectDuo, SelectLink etc. When one clicks on a filter from the formula passed to the SelectDuo,
    the report redirects to the SAP Business Objects InfoView Logon page.
    Here is the default URL in the CMC. Does it need to be tweaked to view the result of the same report refreshing itself without prompting for a login?
    https://internal_servername:8443/OpenDocument/opendoc/openDocument.jsp?sIDType=CUID&iDocID=%SI_CUID%
    Thanks,
    -Rp

    In order to use OpenDocument without getting a login screen, one of two things need  to happen:
    1.  If you have single-sign-on enabled for BI Launchpad, it can also be enabled for OpenDocument.  See the Platform Administrators Guide for more information about how to configure this.
    2.  If you don't have any type of single-sign-on, you'll need to have a valid session/logon token that you can add to the end of the OpenDocument URL.  For more information about how to build an OpenDocument call, go to help.sap.com/bobip.  This will bring up the list of help docs for BI 4.1.  If that's not your version, find your version on the left side of the screen and click on it.  Then go to the "Development Information" for that version and find something like "Viewing Documents Using OpenDocument...".  If there is no link for that (it wasn't updated and published for every SP), try the next earlier SP.  Keep trying until you find it.   This will give you information about how to add a logon token to the URL.
    -Dell

  • What should be done to deal with a lost ipod?

    I recently lost my iPod. But then I figured, how was I supposed to know when my iPod would just fall out of my backpack? So basically a lot of my personal data is on there, such as: Facebook, Hotmail, photos, contacts, App Store login user, etc. I don't know what to do to stop someone from seeing that. I changed most of my passwords but is there something else?

    It still wouldn't work because even if you have an iPhone, you have to enable it on your device, which is impossible to use if you can't find it.
    Well, yes... I'm fully aware that the 'Find My iPhone' feature has to be enabled on the device before you lose it, and you need a MobileMe account.
    For the purposes of this discussion let's assume the OP qualifies...

  • Routing issue with 2 VPN on ASA

    Hello,
    I am trying to setup a VPN between 3 sites :
    site2 and site3 needs to communicate with site1(ASA) :
         site1(ASA)
         |               |
         |               |
    site2          site3
             Peer
    On site2 / site3 I have multiple peers that want to communicate with site1 and that can arrive indifferently on the site2 or site3 firewall.
    All VPNs are UP but there is a routing problem located on the ASA. Indeed, site2 to site1 communication is OK in both directions. The problem comes from site3.
    On site3, incoming packets reach the target on site1 through the VPN, but the answer is sent back through the site1/site2 VPN.
    Is there a simple way to force the traffic to use the same VPN for the responding data?
    Here is a sample of the configuration on the ASA (subnet on site2 and site3 must be left on 'any') :
    access-list outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 any
    access-list outside_cryptomap_2 extended permit ip 10.0.0.0 255.255.0.0 any
    crypto map my-crypto-map 1 match address outside_cryptomap_1
    crypto map my-crypto-map 1 set pfs
    crypto map my-crypto-map 1 set peer 90.X.Y.Z
    crypto map my-crypto-map 1 set transform-set ESP-AES-256-SHA
    crypto map my-crypto-map 1 set security-association lifetime kilobytes 51200
    crypto map my-crypto-map 2 match address outside_cryptomap_2
    crypto map my-crypto-map 2 set pfs
    crypto map my-crypto-map 2 set peer 190.X.Y.Z
    crypto map my-crypto-map 2 set transform-set ESP-AES-256-SHA

    No, this is not possible, you cannot have overlapping crypto ACLs.
    One possible solution might be to apply NAT to the traffic before it enters the tunnel on site3.
    But this requires changing from "any" to one or more specific networks.
    hth
    Herbert

  • VPN - What should we see? | Mac to mac VPN

    So now that I have my VPN working properly, should I be able to see the remote Macs in my Finder Network browser?
    At the moment I have to Apple-K and put in their IP number to access them.
    Same for Printers, should I be able to see the remote printers in my Printer Setup Utility?

    you can't browse the network over a VPN link.
    You need to know the IP addresses and/or use DNS host names (using an internal DNS server which points hostname -> private IP address).
    With dns, you could connect to:
    hp500.domain.com
    jeff.domain.com
    server.domain.com
    or if you add domain.com to your search domains in the client, you would just enter:
    hp500
    jeff
    server
    Jeff

  • VPN overrides default route

    I noticed my VPN connection overrides the default route set by my WiFi connection. With an active VPN I can browse my office network but not the WWW.
    When I type in terminal …
    sudo route delete default
    sudo route add -net default 192.168.2.1
    sudo route add -net 192.168.178.0 192.168.178.201
    … I can access (via VPN) my office network and can still browse in the WWW.
    Is there any way I can prevent the default route from being overridden when establishing a VPN connection (IPSec Cisco via Network > Add VPN)?
    Maybe I can create an AppleScript or something like that?
    192.168.2.1 = local network (home)
    192.168.178.1 = remote network (office)
    192.168.178.201 = remote virtual client IP

    Why would you even come here asking for help with a Fritzbox anyway? You should have contacted the maker of the router or your network admins for info on how to enable split tunneling.
    I wasn't asking for help about my Fritzbox. I didn't know where to start and thought Apple's forums might be a good starting point. You told me "Nothing you can do about it." I found a solution; I can do it without touching the Fritzbox config. I thought a forum is to help others, not to tell them "there's no way" or go and ask the maker.
    Anyway, next time I will not consider asking here. Sorry for bothering you.

  • IPv6 default route

    Hi,
    I have a border router with IPv6 BGP peering to the upstream ISP, and it has learned about 5K IPv6 BGP routes.
    Internally I have another router iBGP peering with the border router. But I do not want this internal router to learn the full IPv6 routes.
    I would like it to learn IPv6 routes from the 1st level upstream only, and a default route.
    The question is: what is the IPv6 default route to the internet? For IPv4 it is 0.0.0.0/0.
    Is it ::/0? Or 2001::/23?
    Regards

    The IPv6 equivalent to IPv4's 0.0.0.0/0 is ::/0
    So, answering to your question: default route for IPv6 is ::/0
    Cheers, Gustavo
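The four routing questions in this page (the opening crypto-map/default-route question, the ASA with two overlapping crypto ACLs, the macOS client whose VPN replaced its default route, and the IPv6 default route) all come down to two lookups a router does in order: a longest-prefix route lookup, then, on the egress interface, a first-match walk of the crypto map. The Python below is an added illustration written for this page, not code from any of the posts or from Cisco. Every address in it is constructed: the remote site is assumed to be 10.2.0.0/16 with ISP next hop 203.0.113.1 and main-site VPN peer 198.51.100.10; the site2/site3 LANs are assumed to be 172.16.2.0/24 and 172.16.3.0/24 behind the placeholder peers 90.X.Y.Z and 190.X.Y.Z from that thread; the office network from the macOS thread is assumed to be a /24.

```python
"""Route lookup, then crypto-map match: a simplified model (added example)."""
import ipaddress

ANY = "0.0.0.0/0"   # the "any" keyword of a crypto ACL


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.
    A /0 (0.0.0.0/0 or ::/0) matches every address of its family, so it is
    chosen only when nothing more specific exists: that is what makes it the
    default route."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, next_hop
    return best_hop


def crypto_peer(crypto_map, src, dst):
    """Entries (seq, acl_src, acl_dst, peer) are tried in sequence order and
    the FIRST crypto ACL that matches decides the peer. Two entries whose ACLs
    overlap therefore never both get traffic: the lower sequence always wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _seq, acl_src, acl_dst, peer in sorted(crypto_map):
        if s in ipaddress.ip_network(acl_src) and d in ipaddress.ip_network(acl_dst):
            return peer
    return None


def forward(routes, crypto_map, src, dst):
    """Plain IP routing picks the next hop; the crypto map on that egress
    interface then decides whether the packet is encrypted and to which peer.
    The default route therefore stays pointed at the ISP, not at the VPN peer."""
    next_hop = lookup(routes, dst)
    if next_hop is None:
        return ("drop", None, None)
    peer = crypto_peer(crypto_map, src, dst)
    return ("encrypt" if peer else "clear", peer, next_hop)


# --- opening question: remote-site router, one default route to the ISP --------
REMOTE_ROUTES = [("0.0.0.0/0", "203.0.113.1")]                  # ISP next hop (constructed)
REMOTE_CRYPTO = [(10, "10.2.0.0/16", ANY, "198.51.100.10")]     # everything -> main site

def remote_site_telnet():
    """A remote user (10.2.0.5) telnets to a main-site server (10.1.0.20)."""
    return forward(REMOTE_ROUTES, REMOTE_CRYPTO, "10.2.0.5", "10.1.0.20")
# -> ("encrypt", "198.51.100.10", "203.0.113.1")


# --- site2/site3 thread: overlapping crypto ACLs on the ASA ---------------------
ASA_ROUTES = [("0.0.0.0/0", "isp-gw")]
OVERLAPPING_CRYPTO = [
    (1, "10.0.0.0/16", ANY, "90.X.Y.Z"),    # outside_cryptomap_1, site2 peer
    (2, "10.0.0.0/16", ANY, "190.X.Y.Z"),   # outside_cryptomap_2, site3 peer (never reached)
]
SPECIFIC_CRYPTO = [                         # Herbert's fix: replace "any" with real subnets
    (1, "10.0.0.0/16", "172.16.2.0/24", "90.X.Y.Z"),
    (2, "10.0.0.0/16", "172.16.3.0/24", "190.X.Y.Z"),
]

def reply_to_site3(crypto_map):
    """Which peer carries site1's reply to a site3 host?"""
    return forward(ASA_ROUTES, crypto_map, "10.0.1.1", "172.16.3.5")[1]
# reply_to_site3(OVERLAPPING_CRYPTO) -> "90.X.Y.Z" (wrong tunnel, seq 1 wins)
# reply_to_site3(SPECIFIC_CRYPTO)    -> "190.X.Y.Z"


# --- macOS thread: VPN replaced the default route vs. split-tunnel routes -------
VPN_OVERRODE = [("0.0.0.0/0", "192.168.178.201")]
SPLIT_TUNNEL = [("0.0.0.0/0", "192.168.2.1"),             # route add -net default 192.168.2.1
                ("192.168.178.0/24", "192.168.178.201")]  # route add -net 192.168.178.0 ...

def client_paths(routes):
    """Next hops for an office host and for a public web server (203.0.113.80, constructed)."""
    return (lookup(routes, "192.168.178.10"), lookup(routes, "203.0.113.80"))
# client_paths(VPN_OVERRODE) -> ("192.168.178.201", "192.168.178.201")
# client_paths(SPLIT_TUNNEL) -> ("192.168.178.201", "192.168.2.1")


# --- IPv6 thread: ::/0 is the default route, 2001::/23 is not -------------------
V6_ROUTES = [("::/0", "upstream"), ("2001:db8::/32", "internal")]

def is_default_route(prefix):
    """A default route is the /0 of its address family: 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(prefix).prefixlen == 0

def v6_next_hop(dst):
    return lookup(V6_ROUTES, dst)
# v6_next_hop("2001:db8:1::1") -> "internal"; v6_next_hop("3fff::1") -> "upstream"
```

The model deliberately keeps the two stages apart: swapping the remote site's default route to point at the VPN peer would not change anything in `crypto_peer`, because the peer is chosen by the crypto ACL, not by the next hop. Likewise the ASA case is not a routing bug at all; the route lookup returns the same next hop for both sites, and only the crypto ACL decides which tunnel the reply enters.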

  • What is the default password on Pet Store 1.3 when rebuilt?

    I am unable to log into either the administrator client or the receiver application after rebuilding the WebLogic Server Pet Store Application. Neither jps_admin/admin nor rsvr/rcvr works. I saw a post referencing security.xml, but that file does not appear to be in this package.
    The default passwords worked when I used just the Pet Store template and prebuilt application, but the admin client would wait forever trying to get data, even when the client was run from the same box as the server.
    I am running WebLogic Server/Express 7.0 with SP7 for RHEL on Red Hat Enterprise Linux 4, Update 3 x86.
    What should the default login names be? Or even better, if someone has seen the admin client unable to get data, how do you solve that?

    On my painfully new 11.1.2 install, and per the install instructions, the username and password are as follows:
    epm_admin
    whatever you set up -- (As I only ever use one of three different ones when I do installs, it wasn't too hard to go through all of the possibilities)
    See: http://download.oracle.com/docs/cd/E17236_01/epm.1112/epm_install/frameset.htm?webLogicDomainName.html
    Regards,
    Cameron Lackpour
    Edited by: CL on Aug 3, 2010 11:14 AM

  • Mail on my cloud, mail on my computer, BUT ONLY mail from myself is on my iphone? what should i do,

    Mail on my cloud, mail on my computer, BUT ONLY mail from myself is on my iPhone? What should I do?
    I have synced with iTunes,
    I have deleted the account on the iPhone and set it up again, but still I only see mail from myself to myself and none of the other mails I have on my computer or my cloud.
    How do I fix this?

    Now I see that it's mail from one of my aliases that I got on my phone but nothing else.
    I have deleted this account from the phone several times but still I only see mail from one of my aliases.
