SAN HQ ICMP Ping
Question: is it possible to change the ICMP ping timeout value that SAN HQ uses when it checks the group for connectivity?
I monitor ~800 PS4000s throughout the country, and when I use SAN HQ to monitor them, the heartbeat ping that is sent raises an error (warning) as an Inbox message if it does not return in time. This becomes a problem when you have so many devices.
Any ideas?
Thanks in advance
Let me check on that, but to my knowledge there currently doesn't seem to be a way to configure the time-out value.
-joe
-
ICMP Ping Echo: BlackBerry Smartphones
I'm working on a Nextel 8350i with v4.6.1.313 (Platform 3.1.0.31), not refurbished. The plan is unlimited data and direct connect, but no cell phone service (incoming and outgoing calls are blocked).
The problem I have is with a 3rd-party program called TMW D2 Link. This program uses GPS to track the phone/driver (it's a shipping program for the trucking industry), sends 'pages' to the drivers' phones (using data), and allows drivers to send messages and enter their time, again using data. The program has stopped receiving a signal, from what I can tell. Internet works fine on the phone, but I know that something is wrong because no matter what I do I cannot get the program to get a signal, and it worked before, for several months. I did a diagnostic test, and everything went well except the ICMP Ping Echo, which came back as 'no'. I don't know exactly what this is... but since I did a bit of research, it seems to have to do with sending a signal to 3rd-party applications? Am I on the right track here? I have no idea how to solve this problem.
Here is a list of what I did on the phone:
Reset the Radio (several times)
Diagnostic test (the one under Manage Connections) and under Status; still the only thing that 'failed' was the ICMP Ping Echo, and yes, the diagnostic tests were able to complete every time
Battery pull (several times after trying things)
Extraction of SIM card
Software update (I didn't check the previous software version; I just plugged it into BlackBerry Desktop Manager and it said that it needed an update)
TMW D2 app updated to the latest version
I am very close to wiping the phone and reinstalling the OS, but I'm not sure it will work because it doesn't seem to be a software problem... I am not opposed to if anyone thinks it will work.
Any help is appreciated. I'll watch this site throughout the day, so I should respond quickly if you need more information. Thank you!
Just in case anyone else with a Nextel Berry and TMW has this problem where D2 no longer works: go into D2, go to the Admin option, go to the erase data option and go ahead and wipe. For some reason I only have this problem with the Nextel Berrys, but that seems to fix the problem. I don't know why. The forms must update and re-download themselves, but if they do not, go to the setup menu and save, and it sort of "forces" the download. It's worked every time, so if it doesn't work for you I don't know what else to do other than removing the program and re-downloading it.
I have not yet found anyone, even at Sprint, who knows about Ping Echo... or whether it's even an issue. Most people don't know what it is. If any of you learn something about Ping Echo please let me know... I will update this post as well if I learn something.
-
Sig 2100 - ICMP Network Sweep w/Echo
I get a lot of these alarms on my IPS. I am interested in finding a way to separate a real "ping sweep" from what appear to be single pings from one host to another on my internal network.
The issue I see is that the alarm goes off once every few minutes for a different "attacker" and "victim" IP. So I'm not sure what satisfies this 2100 alarm; it seems to be triggered each time it sees one host pinging another.
In an effort to set the alarm to fire only on real "sweep" activity, I changed the number of events from '1' (the default setting) to '2' - this seems to allow the alarm to fire only when it sees more than 1 instance of this activity from a single "attacker".
However, I still find that the 2100 alarm triggers on several 'attacker' hosts on my network.
It would seem that this alarm is deliberately set to trigger much more often than necessary. I would appreciate any suggestions to get this alarm to stop firing unnecessarily.
Maybe I don't understand what it's trying to do? To me, a single host pinging a single target is not a 'ping sweep'.
Hi Mark. So, this is a scan engine signature designed to detect traffic from a single (1) source host to multiple destination hosts. Its Unique setting (literally, that's what it's called) represents the number of distinct hosts required to trigger the signature. Based on the default settings of this signature:
unique: 5
storage-key: attacker-address
number of events: 1
alert interval: 60 (seconds)
summary-mode: fire-all
It should fire (and generate an alert) every time ICMP echo requests go from any one source ("attacker") to more than five (5) destinations ('victims') within a period of 60 seconds. It should not fire if ICMP echo requests go from a source to a single destination only (1:1); several destinations must be involved. I tested in my lab to confirm.
Now, alerting gets more complicated because of this signature's use of summarization (and global summarization)... Based on the default settings of this signature:
summary-threshold: 100
summary-interval: 30 (seconds)
summary-key: attacker-address
If this event fires more than 100 times in 30 seconds, it sends a summary alert (instead of individual alerts) once per summary interval (30 seconds) per summary key (attacker address).
In light of all the foregoing and your original description, I suspect that your hosts are legitimately triggering the signature, eventually causing the summary alerts. As to why the hosts are triggering it, you should examine the hosts themselves (possibly take and examine packet capture(s) to identify which hosts are pinging which other hosts, whether there is a common software package installed on the affected hosts, etc.). Network management software (legitimately) often makes use of ICMP ping scans. Looking around a little online, it seems that even some popular antivirus software is known to trigger it (because it tries to ping multiple update servers to determine connectivity). Perhaps there is a software package installed on these hosts generating the traffic that triggers it?
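The counting described in the answer above, as an added example (not Cisco's code and not part of the original thread): a simplified Python model of a sweep signature keyed on the attacker address. The function names, the sample addresses and the reading of the event count as "threshold crossings per interval" are assumptions, and the model fires once the number of distinct destinations reaches `unique`.

```python
"""Simplified model of a source-keyed ICMP sweep signature (added example)."""
from collections import defaultdict, deque


def detect_sweeps(events, unique=5, alert_interval=60, event_count=1):
    """Return a list of (timestamp, attacker, destinations) alerts.

    events: time-ordered (timestamp_seconds, src_ip, dst_ip) ICMP echo requests.
    unique: distinct destinations one source must reach inside alert_interval.
    event_count: how many times that threshold must be met inside
                 alert_interval before an alert is raised (assumed semantics).
    """
    window = defaultdict(deque)     # attacker -> (ts, dst) inside the interval
    crossings = defaultdict(deque)  # attacker -> times the threshold was met
    alerts = []
    for ts, src, dst in events:
        seen = window[src]
        seen.append((ts, dst))
        # Forget echo requests that are older than the alert interval.
        while seen and ts - seen[0][0] >= alert_interval:
            seen.popleft()
        dests = {d for _, d in seen}
        if len(dests) < unique:
            continue                # a 1:1 ping never leaves this branch
        hits = crossings[src]
        hits.append(ts)
        while hits and ts - hits[0] >= alert_interval:
            hits.popleft()
        if len(hits) >= event_count:
            alerts.append((ts, src, sorted(dests)))
            hits.clear()
        seen.clear()                # start counting a fresh sweep
    return alerts


def sample_events():
    """Constructed traffic: four internal hosts sending ICMP echo requests."""
    ev = []
    # 1:1 ping, one target, every 10 s for two minutes
    ev += [(t, "10.1.1.10", "10.1.2.1") for t in range(0, 120, 10)]
    # management host polling six devices once
    ev += [(i, "10.1.1.50", f"10.1.3.{i + 1}") for i in range(6)]
    # host that touches only four destinations
    ev += [(30 + i, "10.1.1.77", f"10.1.5.{i + 1}") for i in range(4)]
    # host walking ten consecutive addresses
    ev += [(100 + i, "10.1.1.99", f"10.1.4.{i + 1}") for i in range(10)]
    return sorted(ev)


def alerting_sources(**settings):
    """Sources that raised alerts on the sample traffic, in alert order."""
    return [src for _, src, _ in detect_sweeps(sample_events(), **settings)]


if __name__ == "__main__":
    for count in (1, 2):
        print(f"number of events = {count}:")
        for ts, src, dests in detect_sweeps(sample_events(), event_count=count):
            print(f"  t={ts:>3}s attacker={src} victims={len(dests)}")
```

With the default settings the polling host alerts alongside the address-walking host, which matches the answer's point that management software legitimately triggers the signature; raising the event count to 2 leaves only the host that keeps sweeping.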
-
Hi all
We have downgraded a Cisco ACS 1120 device from ACS 5.0 to ACS 4.2.1.15. When we send an ICMP ping to the device it does not respond, but I can test ping from the ACS device in console mode, not GUI mode.
Is there an option to enable ICMP ping response on the Cisco ACS 1120, or otherwise a patch or upgrade to enable this? My requirement is to enable ICMP ping on the ACS device for troubleshooting. Instead, we always check with telnet x.x.x.x 2002 whether the service responds.
Hi Santosh,
The patch is available on the download page of cisco.com.
The path is the following:
www.Cisco.com > support > download software > Products > Security > Identity Management > Cisco Secure Access Control Server Solution Engine > Cisco Secure Access Control Server Solution engine 4.2 > Secure Access Control Server (ACS) Solution engine > 4.2.0.124.
The patches are:
appl_Acs4.x_PingTurnOff_With_CSAgentUpdate_1_Patch.zip
appl_Acs4.x_PingTurnOn_With_CSAgentUpdate_1_Patch.zip
You'll need a valid software download contract to download the patches.
I hope this helps.
Kind regards
Anisha
P.S.: Please mark this thread as answered if you feel that your query is resolved. Please rate useful posts.
-
Hello
I am setting up and reconfiguring a PIX 515 firewall with PIX OS software 6.3(4).
I cannot ping devices on the Internet from the inside interface. There are a few addresses that I can ping if I am outside of the firewall.
Looks like the firewall is not translating correctly on the return packet. I can browse and do other things but not ping.
Here are my nat and global statements:
Pix1# sh nat
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.xx.xx.0 255.255.255.0 0 0
Pix1# sh global
global (outside) 1 6x.xxx.xxx.6x-6x.xxx.xxx.7x
global (outside) 1 6x.xxx.xxx.6x
global (dmz) 1 interface
Here's an abbreviated ICMP trace:
Pix1# debug icmp trace
ICMP trace on
WARNING: This can cause problems on busy networks
Pix1# 1: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=8963 length=40
2: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
3: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9219 length=40
4: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
5: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9475 length=40
6: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
7: ICMP echo-reply from outside:6x.xxx.xxx.1 to 6x.xxx.xxx.6 ID=512 seq=9475 length=40
8: ICMP echo-request from inside:10.xx.xx.x5 to 6x.xxx.xxx.1 ID=512 seq=9731 length=40
9: ICMP echo-request: translating inside:10.xx.xx.x5 to outside:6x.xxx.xxx.6
Thanks in advance for your help.
Doug.
ICMP is not a stateful protocol; to allow ping through the PIX, you must add extra lines to your access list on the outside!
See: Handling ICMP Pings with the PIX firewall
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml
The PIX and the traceroute command
http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_tech_note09186a00800e9312.shtml
Examples:
Traceroute
Microsoft:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
access-list 101 permit icmp any host YourPublicIP echo-reply
UNIX:
access-group 101 in interface outside
access-list 101 permit icmp any host YourPublicIP unreachable
access-list 101 permit icmp any host YourPublicIP time-exceeded
ICMP command example
icmp deny any outside
icmp permit any echo-reply outside
icmp permit any echo-reply inside
icmp permit host 192.168.1.30 echo inside
icmp permit host 192.168.1.31 echo inside
icmp permit host 192.168.1.20 echo inside
icmp permit host 192.168.1.40 echo inside
icmp permit host 192.168.1.100 echo inside
sincerely
Patrick
-
Client VPN connects but cannot ping all hosts
Here is the configuration of a PIX 501, which I want to accept connections from VPN software clients. I can connect successfully to the PIX using VPN client 5.0.0.7.0290 and I can ping the PIX at 192.168.5.1, but I can't ping or connect to the hosts behind the PIX. Can someone tell me what I am missing in my setup?
Thanks for your help.
Chi - pix # sh conf
: Saved
: Written by enable_15 at 03:49:39.701 UTC Friday, January 1, 1993
6.3 (3) version PIX
interface ethernet0 car
interface ethernet1 100full
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
activate the encrypted password
encrypted passwd
hostname chi - pix
.com domain name
fixup protocol dns-length maximum 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol they 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol 2000 skinny
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names of
list-access internet-traffic ip 192.168.5.0 allow 255.255.255.0 any
Allow Access-list allowed a whole icmp ping
access-list 101 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
access-list 102 permit ip 192.168.5.0 255.255.255.0 10.10.11.0 255.255.255.0
pager lines 24
opening of session
debug logging in buffered memory
ICMP deny everything outside
Outside 1500 MTU
Within 1500 MTU
IP address outside pppoe setroute
IP address inside 192.168.5.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
IP local pool ippool 10.10.11.1 - 10.10.11.254
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) - 0 102 access list
NAT (inside) 1 list-access internet-traffic 0 0
group-access allowed to ping in external interface
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0:10:00 udp 0: CPP 02:00 0:10:00 01:00 h225
H323 timeout 0:05:00 mgcp 0: sip from 05:00 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
AAA-server local LOCAL Protocol
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
Permitted connection ipsec sysopt
Crypto ipsec transform-set esp - esp-md5-hmac GvnPix-series
Crypto-map dynamic dynmap 10 GvnPix-set transform-set
toGvnPix 10 card crypto ipsec-isakmp dynamic dynmap
toGvnPix interface card crypto outside
ISAKMP allows outside
ISAKMP key * address 0.0.0.0 netmask 0.0.0.0
ISAKMP keepalive 60
ISAKMP nat-traversal 20
part of pre authentication ISAKMP policy 9
encryption of ISAKMP policy 9
ISAKMP policy 9 md5 hash
9 2 ISAKMP policy group
ISAKMP policy 9 life 86400
vpngroup address ippool pool chiclient
vpngroup dns 192.168.5.1 Server chiclient
vpngroup wins 192.168.5.1 chiclient-Server
vpngroup chiclient com default domain
vpngroup split tunnel 101 chiclient
vpngroup idle 1800 chiclient-time
vpngroup password chiclient *.
Telnet 0.0.0.0 0.0.0.0 inside
Telnet timeout 30
SSH 0.0.0.0 0.0.0.0 outdoors
SSH timeout 30
management-access inside
Console timeout 0
VPDN group chi request dialout pppoe
VPDN group chi net localname
VPDN group chi ppp authentication pap
VPDN username password net *.
dhcpd address 192.168.5.2 - 192.168.5.33 inside
dhcpd dns xx
dhcpd rental 86400
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 100
Cryptochecksum:
Chi - pix #.
The PIX configuration seems correct.
I guess you are trying to access hosts in 192.168.5.0/24, and the default gateway of these hosts is the PIX inside interface 192.168.5.1?
How are you trying to access these internal hosts? If you are trying to ping the hosts, please make sure there is no personal firewall enabled on the inside hosts, as a personal firewall normally doesn't allow incoming connections from a different IP subnet.
-
IP SLA ping of remote host through VPN tunnel with NAT
Hi all
I did some research here, but didn't come across similar issues. I'm sure that what I want is not possible, but I want to make sure.
I want to monitor a remote host on the other side of a VPN. The local endpoint is my ASA.
The local INSIDE_LAN traffic is NATted to 10.19.124.1 before entering the VPN tunnel.
ACL for interesting VPN traffic used by the crypto map:
access-list ACL_TUNNELED_TO_REMOTE line 1 extended permit ip host 10.19.124.1 192.168.1.0 255.255.255.0
NAT rules:
global (OUTSIDE) 2 10.19.124.1 netmask 255.255.255.255
nat (INSIDE_LAN) 2 access-list ACL_NAT_TO_REMOTE
NAT ACL
access-list ACL_NAT_TO_REMOTE line 1 extended permit ip 172.19.126.32 255.255.255.224 192.168.1.0 255.255.255.0
This configuration works very well for traffic from hosts in 172.19.126.32 255.255.255.224 to 192.168.1.0 255.255.255.0.
However, I would like to use "ip sla" on the ASA itself to monitor a remote host with ICMP ping to 192.168.1.0. This would imply NATting an IP on the ASA to 10.19.124.1, but I do not see how to do this. None of the interfaces on the ASA are logical to use as a source interface for this.
Thanks for ideas and comments.
Regards
You are absolutely right; unfortunately you won't be able to NAT the ASA's own interface IP address. NAT works for traffic passing through the ASA, not for traffic originating from the ASA itself.
-
Cannot ping CentOS 6.4 guest from Windows 7 host through NAT
Hello
I am running VMware Workstation 9.02 on Windows 7 (64 bit) with guests running CentOS 6.4 (also 64 bit), using NAT networking.
Everything worked fine, but suddenly I can no longer reach the CentOS guest machines on the NAT network. Pinging the guest's address from the command line on the Windows 7 host fails with a 'Request timed out.' error. However, the guest operating system still seems to be able to connect to the Internet (i.e. pinging google.com from a command line in CentOS seems to reach the site).
I don't know what has changed in the state of the Windows host. I tried re-installing VMware, but nothing seems to restore connectivity between the Windows host and the CentOS guest operating system. Can anyone suggest what could be wrong, or how I can start to debug the loss of connectivity on the Windows side?
I'm using a Kaspersky firewall on the Windows 7 host, but it never prevented connectivity with VMware guests before.
Thank you
Tony
If the virtual machine has network/Internet connectivity then I doubt it is an issue with VMware itself; it is most likely a firewall issue. Check and make sure that no firewall is blocking ICMP (ping) echo requests on the host and the guest.
-
Hello
I installed Windows Server R2 in VMware Player. I installed 3 Windows servers with different names. I opened all 3 Windows servers, and I see that they took the IPs:
192.168.119.128
192.168.119.130
192.168.119.131
How do I create a network between the 3 machines? I.e., when I ping Windows server 2 from another Windows server, I am currently not getting any response.
There already is a network between them, as it is visible that they are all on the same IP subnet, and it is common for ICMP echo (ping) requests to be blocked by default in the firewall, so check there first!
-
Virtual machines not pinging the host machine?
Thanks for the reply and for solving my problem...
Now when I ping from the host computer to my virtual machines, they respond...
but the virtual machines cannot ping the host computer. Why?
Please answer and help me...
Welcome to the community,
What is the operating system on the host computer? In the case of, for example, Windows 7, you may need to allow ICMP (ping) in Windows Firewall.
André
-
DMVPN and Internet via hub location issues
Hello everyone,
I really hope you can help me with the problem I have.
Let me explain. I am testing a dual hub - dual DMVPN layout for a client before we set it up in actual production.
The client has sites where routers are behind some ISP routers that do NAT.
How things are configured:
- All spoke traffic must go through the hub location (no local Internet traffic on the spokes).
- Hub 1 and Hub 2 send a default route to the spokes through EIGRP, but only Hub 1 is used.
- Hub 1 is the main router for DMVPN. In case of an Internet connection or hardware failure, Hub 2 becomes active for DMVPN and Internet.
- Hub 1 and Hub 2 are both connected to an ISP and are the Internet gateway for the spokes.
- Hub 1 and Hub 2 are configured with IOS Firewall.
- On the spokes I used a VRF to separate DMVPN routing from the global routing table, so I could receive a default route from Hub 1 and Hub 2 to carry spoke traffic to the Internet via the hub location.
What works:
- All spokes can access the local network at the hub location.
- All spokes can do spoke-to-spoke.
- DMVPN failover works.
- Spokes NOT behind an ISP NAT router (i.e. with a public IP address directly on their external interface) can reach the Internet via the hub location, and all packets are inspected properly by the IOS Firewall and NATted properly.
What does not work:
- Spokes behind an ISP NAT router cannot access the Internet via the hub location. They can reach the local network at the hub location and do spoke-to-spoke.
The IOS Firewall on the hub router shows packets from these spokes (behind a NAT) with a source IP address that is the public IP address of the ISP router's outside interface, not the private LAN IP address behind the spoke.
In addition, the packets are never NATted. If I capture on an Internet server, the source IP is the private LAN IP of the LAN behind the spoke. This means that the hub router never NATs these packets.
How to solve this problem?
Well, I don't know, and that's why I need your help/advice :-)
I don't know if I also have to configure a VRF at the hub location, as things might get messed up.
The problem seems to be NAT-T: the spokes that are not behind a NAT can go out to the Internet through the hub, and Cisco IOS inspection and NAT work fine.
I tested today with the customer. At the start, the spokes behind NAT could ping different servers on the Internet but not open an HTTP session. DNS was working fine. The IOS Firewall was actually inspecting packets with the real private IP address. Then I thought it was an MTU issue, so I decided to ping the Internet with the largest MTU size, and suddenly the pings no longer worked.
I could see on the Hub1 router that the IOS Firewall was again inspecting the public IP of the ISP NAT router on the spoke side and no longer the actual private IP address. Really strange!
Attached files:
I attach the following files: a drawing of configuration called drawing-Lab - Setup.jpeg | All files for HUB1, BRANCH1 and BRANCH2 ISP-ROUTER configs, named respectively: HUB1.txt, BRANCH1.txt, BRANCH2.txt and ISP - ROUTER .txt
Hub1 logs when pinging host 200.200.200.200 on the Internet from Branch2 (behind the ISP NAT router):
Branch2#ping vrf DMVPN-VRF 200.200.200.200 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.110.1
.....
Success rate is 0 percent (0/5)
*Jul 15 06:04:51.017 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (110.10.10.2:8) -- responder (200.200.200.200:0)
So the IOS Firewall does not inspect the true private source IP address, which in this case would be 192.168.110.2. It sees the public IP address.
HUB1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
icmp 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
udp 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500
There is no NAT entry present for these packets.
Capture on the Tunnel 1 interface on Hub1 (incoming packets):
7 7.355997 192.168.110.1 200.200.200.200 ICMP Echo (ping) request
So although the IOS Firewall inspects the public IP 110.10.10.2:8, the sniffer capture says that the packet comes from the real private IP address.
Sniffing on the server (200.200.200.200) with Wireshark:
114 14.123552 192.168.110.1 200.200.200.200 ICMP Echo (ping) request
So the private source IP address from BRANCH2's local network is never NATted by HUB1.
So the server sees the private source IP address, not NATted, although the IOS Firewall on Hub1 inspects the public IP address 110.10.10.2:8.
Hub1 logs when pinging host 200.200.200.200 on the Internet from Branch1 (not behind the ISP NAT router):
Branch1#ping vrf DMVPN-VRF 200.200.200.200 source vlan 100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.200.200.200, timeout is 2 seconds:
Packet sent with a source address of 192.168.100.1
!!!!!
*Jul 15 06:05:18.217 UTC: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.100.1:8) -- responder (200.200.200.200:0)
So here the firewall sees the actual private IP, which is 192.168.100.1.
HUB1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
icmp 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
udp 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500
icmp 80.10.10.2:22 192.168.100.1:22 200.200.200.200:22 200.200.200.200:22
The real private source IP address is also correctly NATted to the Hub 1 outside public IP address.
Capture on the Tunnel 1 interface on Hub1 (incoming packets):
8 7.379997 192.168.100.1 200.200.200.200 ICMP Echo (ping) request
Same real private IP address as inspected by the IOS Firewall, so all is fine here.
Sniffing on the server (200.200.200.200) with Wireshark:
67 10.441153 80.10.10.2 200.200.200.200 ICMP Echo (ping) request
So, all is right here. The address is NATted correctly.
__________________________________________________________________________________________
Best regards
Laurent
Hello
Just saw your message, I hope this isn't too late.
I don't know what your exact problem is, but I think we can work through it to understand it.
One thing I noticed was that your NAT ACL is too general. You need to make it more specific. In particular, you want to make sure that it does not match the VPN traffic coming into / out of the router.
For example you should not really have any of these entries in your NAT translation table.
HUB1#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
icmp 80.10.10.2:1 80.10.10.2:1 100.10.10.2:1 100.10.10.2:1
icmp 80.10.10.2:2 80.10.10.2:2 110.10.10.2:2 110.10.10.2:2
udp 80.10.10.2:4500 80.10.10.2:4500 110.10.10.2:4500 110.10.10.2:4500
Instead use:
ip access-list extended nat
deny ip any 192.168.0.0 0.0.255.255 log
permit ip any any
deny ip any any log
If you can use:
ip access-list extended nat
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
permit ip 192.168.0.0 0.0.255.255 any
deny ip any any log
Also, I would be very careful with using the "log" keyword in a NAT ACL.
I have seen problems.
What IOS versions are you using?
Try to make changes to the NAT so that you no longer see the NAT translation entries for NAT-T packets (UDP 4500) in the NAT translation table on the hub. It may be that this puts a flag on the packet structure that IOS Firewall and NAT are picking up on and then doing the wrong thing in this case.
If this does not work then let me know.
Maybe it's something for which you will need to open a TAC case so that we can debug this directly on your installation.
Mike.
-
I copied and pasted the exact message I got. As to whether or not it's just my computer or a network thing: my mother and I are on a modem/router with a shared connection; sometimes it affects my PC and sometimes both, not sure what to think really. I'm running Windows XP Home Edition with all service packs and updates. Things I've tried: flushing the DNS with cmd, releasing and renewing the IP, etc. I've tried looking at forums in all directions, even though this is the first time I've actually posted myself. Some say it could be a Windows software problem because it only affects my PC sometimes. I have yet to be able to communicate with a representative of MS.
Diagnosis of last run time: 25/05/10 03:33:24
Diagnosis of DNS Client
DNS - not a user script home Info The use of Web Proxy: no Info Solve with ok name (www.microsoft.com): no No DNS server
DNS failure
Info [Www.microsoft.com] query on the server DNS 68.105.28.11 (Type = 0x1, Options = 0x10e8) returns 0x5b4 Info [Www.microsoft.com] query on the server DNS 68.105.29.11 (Type = 0x1, Options = 0x10e8) returns 0x5b4 Info [Www.microsoft.com] query on the server DNS 68.105.28.12 (Type = 0x1, Options = 0x10e8) returns 0x5b4 action Auto repair: renew the IP address action Release the current IP address... action Successfully published the current IP address action Renew the IP address... action The current IP address successfully renewed Info [Www.microsoft.com] query on the server DNS 68.105.28.11 (Type = 0x1, Options = 0x10e8) returns 0x5b4 Info [Www.microsoft.com] query on the server DNS 68.105.29.11 (Type = 0x1, Options = 0x10e8) returns 0x5b4 Info [Www.microsoft.com] query on the server DNS 68.105.28.12 (Type = 0x1, Options = 0x10e8) returns 0x5b4 Info Redirect the user to support call Info Redirect the user to support call Diagnosis of the bridge
Entry door
Info The following proxy configuration is used by IE: automatically detect settings: disabled automatic Configuration Script: Proxy Server: Proxy bypass list:
Info This computer is the following (s) default gateway: 192.168.1.1
Info This computer has the following IP address: 192.168.1.101
Info The default gateway is on the same subnet as this computer
Info The default gateway entry is a valid unicast address
Info The default gateway address has been resolved through ARP in 1 try (ies)
Info The default gateway was reached via ICMP Ping in 1 try (ies)
warn www.microsoft.com hostname could not be resolved (0x2afc error code). Could be the front door or DNS problem
action Auto repair: renew the IP address
action Release the current IP address...
action Successfully published the current IP address
action Renew the IP address...
action The current IP address successfully renewed
Info This computer is the following (s) default gateway: 192.168.1.1
Info This computer has the following IP address: 192.168.1.101
Info The default gateway is on the same subnet as this computer
Info The default gateway entry is a valid unicast address
Info The default gateway address has been resolved through ARP in 1 try (ies)
Info The default gateway was reached via ICMP Ping in 1 try (ies)
warn www.microsoft.com hostname could not be resolved (0x2afc error code)
action Auto repair: reset the network connection
action Disabling the network card
action Activation of the card network
Info Successfully activated network adapter
Info This computer is the following (s) default gateway: 192.168.1.1
Info This computer has the following IP address: 192.168.1.101
Info The default gateway is on the same subnet as this computer
Info The default gateway entry is a valid unicast address
Info The default gateway address has been resolved through ARP in 1 try (ies)
Info The default gateway was reached via ICMP Ping in 1 try (ies)
warn www.microsoft.com hostname could not be resolved (0x2afc error code). Could be the front door or DNS problem
action Repair Manual: Reboot modem
Info This computer is the following (s) default gateway: 192.168.1.1
Info This computer has the following IP address: 192.168.1.101
Info The default gateway is on the same subnet as this computer
Info The default gateway entry is a valid unicast address
Info The default gateway address has been resolved through ARP in 1 try (ies)
Info The default gateway was reached via ICMP Ping in 1 try (ies)
warn www.microsoft.com hostname could not be resolved (0x2afc error code)
Info The modem/router to stabilize a certain waiting time
action Auto repair: renew the IP address
action Release the current IP address...
action Successfully published the current IP address
action Renew the IP address...
action The current IP address successfully renewed
Info This computer is the following (s) default gateway: 192.168.1.1
Info This computer has the following IP address: 192.168.1.101
Info The default gateway is on the same subnet as this computer
Info The default gateway entry is a valid unicast address
Info The default gateway address has been resolved through ARP in 1 try (ies)
Info The default gateway was reached via ICMP Ping in 1 try (ies)
warn www.microsoft.com hostname could not be resolved (0x2afc error code). Could be the front door or DNS problem

IP layer diagnostic
Corrupted IP routing table
Info The default route is valid
Info The loopback route is valid
Info The local host route is valid
Info The local subnet route is valid
Invalid entries in the ARP cache
action The ARP cache has been emptied

Diagnosis of IP Configuration
Invalid IP address
Info Detected valid IP address: 192.168.1.101

Wireless diagnosis
Wireless - Service disabled
Wireless - user SSID
Wireless - first installation
Wireless - Radio
Wireless - off limits
Wireless - hardware problem
Wireless - Novice user
Wireless - network Ad - hoc
Wireless - less preferred
Wireless - 802.1x active
Wireless - Configuration mismatch
Wireless - low SNR

WinSock diagnostic
WinSock status
Info All base service provider entries are present in the Winsock Catalog.
Info Winsock Service providers strings are valid.
Info Entry provider MSAFD Tcpip [TCP/IP] passed the loopback communication test.
Info Entry provider MSAFD Tcpip [UDP/IP] passed the loopback communication test.
Info Entry provider RSVP UDP Service Provider managed the loopback communication test.
Info Entry provider RSVP TCP Service Provider passed the loopback communication test.
Info Connectivity is valid for all Winsock service providers.

Diagnosis of network adapter
Network location detection
Info Using the Internet connection at home
Identification of network adapter
Info Network connection: name = Local, peripheral network connection = VIA compatible Fast Ethernet Adapter, MediaType = LAN, type = LAN
Info Ethernet connection selected
State of the network adapter
Info The network connection status: connected

HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity
warn HTTP: Error 12007 connecting to www.microsoft.com: the server name or address cannot be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: the server name or address cannot be resolved
warn FTP (passive): error 12007 connecting to ftp.microsoft.com: the server name or address cannot be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: the server name or address cannot be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: the server name or address cannot be resolved
warn FTP (active): error 12007 connecting to ftp.microsoft.com: the server name or address cannot be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.

Well, I recently changed the setting on my router, but only because I started to use OpenDNS. Not only does it give me a static IP address, but it has so far completely solved the problem. As far as I can guess, it's more like circumventing the real problem, but good if it works, lol. Thank you for replying and helping me out, though; I really appreciate it ^_^
-
Routers that will keep the DHCP leases in flash memory?
If a router is turned off, will it keep its current list of active DHCP leases? Is there any router that will do this?
Sometimes when the internet is slow, my users will unplug the router/modem, but this results in IP address conflicts when a new computer gets a new IP address: the router begins to give out IP addresses from the beginning of the range, which are already in use.
I do not know of any consumer router that would do this. Memory is scarce on these routers, and after a reboot anything not absolutely necessary gets scrapped.
Your problem sounds more like a firmware bug or a problem with the computers. By default, the DHCP server must check the availability of any IP address before sending a DHCP offer. It might try to resolve the IP through ARP or do an ICMP ping. Maybe the firewall on the computers blocks these packets. Or the DHCP server does not check at all (which I would consider a bug in the firmware).
What exactly happens needs to be verified with a network sniffer on a computer connected to the network. That should reveal whether the router sends something before the DHCP offer or not...
-
Dear all,
I deployed an ASA 5510 in my network,
I configured 3 DMZ, inside and outside interfaces
From the ASA, I can access the inside, DMZ and outside (Internet)
Inside users can communicate with the servers in the DMZ
Inside users go to the Internet via the outside interface
DMZ servers can go to the Internet via the outside interface
The DMZ servers cannot ping the inside network
I've been using IPsec VPN on my router,
clients connect to the router using the Cisco VPN Client software,
Now that I have included the ASA in the network, VPN clients are unable to communicate with the servers in the DMZ
security level 0 for outside
DMZ 50
100 for the inside
NAT is disabled with the no nat-control command
Do I need to turn NAT on, and must some ACLs be put in place?
Please advise me which ACL I should implement, on which interface and in which direction.
Which NAT statement should I include?
I want to access my network via VPN...
Help, please
Kind regards
Junaid
ICMP pings are not stateful. The firewall needs special treatment to dynamically allow pings back; this is done through "ICMP inspection". ICMP inspection is disabled by default. You can activate the inspection or use an ACL to allow ICMP traffic. Here is a useful link:
Please rate if useful.
Regards
Farrukh
-
Loose source routed frame: wrong IP checksum recalculation
I am a student, and in my course-work experiments I discovered this problem:
A bad IP header checksum calculation appears when Windows retransmits IP frames with the loose source route option of different lengths (tested for ICMP and UDP payloads).
Example with the processing of a standard Windows ICMP ping request:
Three hosts:
10.0.1.1 - Windows 7 Enterprise SP1 32-bit Build 7601 v6.1
10.0.1.2 - Windows 7 Enterprise SP1 32-bit Build 7601 v6.1
10.0.1.3 - Ubuntu 12.10 quantal, Linux 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:32:08 UTC 2012 i686
10.0.1.1 and 10.0.1.2 are connected by an Ethernet cable
10.0.1.2 and 10.0.1.3 are connected by an ad-hoc WiFi connection
10.0.1.2 has a network bridge between the wireless network connection and the local network connection
10.0.1.2 has the Routing and Remote Access service running, and in the Windows registry key HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/Tcpip/Parameters the following are defined: IPEnableRouter = 1 and DisableIPSourceRouting = 0.
Ping 10.0.1.3 from 10.0.1.1 via 10.0.1.2 using the IP loose source route option by
> ping -j 10.0.1.2 10.0.1.3
Ethernet frame sent by 10.0.1.1
0000 00 22 4 d 4f a2 d8 88 ae 1 d 0e 0e 08 00 47 00 c4. » MO.... ...... G.
0010 00 44 01 5 b 00 00 80 01 97 49 0 at 00 01 01 a 0, 00. D.[.... . I......
0020 01 02 83 07 04 0 a 00 01 03 00 08 00 4 d 46 00 01... MF...
0030 00 15 61 62 63 64 65 66 67 68 69 6 a 6 b 6 c 6 d 6th... abcdef ghijklmn
0040 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 opqrstuv wabcdefg
0050 68 69 hi
Ethernet frame received by 10.0.1.2
0000 00 22 4 d 4f a2 d8 88 ae 1 d 0e 0e 08 00 47 00 c4. » MO.... ...... G.
0010 00 44 01 5 b 00 00 80 01 97 49 0 at 00 01 01 a 0, 00. D.[.... . I......
0020 01 02 83 07 04 0 a 00 01 03 00 08 00 4 d 46 00 01... MF...
0030 00 15 61 62 63 64 65 66 67 68 69 6 a 6 b 6 c 6 d 6th... abcdef ghijklmn
0040 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 opqrstuv wabcdefg
0050 68 69 hi
Ethernet frame sent by 10.0.1.2 (IP checksum is 98 49, but must be 95 48)
14 0000 d6 0e 4 d this 95 02 22 4 d8 a2 d 08 00 47 00 4f... M...." MB... G.
0010 00 44 01 5b00 7f 00 01 98 49 0 to 00 01 01 0 to 00. D.[.... . I......
0020 01 03 83 07 08 0 a 00 01 02 00 08 00 4 d 46 00 01... MF...
0030 00 15 61 62 63 64 65 66 67 68 69 6 a 6 b 6 c 6 d 6th... abcdef ghijklmn
0040 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 66 67 opqrstuv wabcdefg
0050 68 69 hi
Linux cooked frame received and rejected by 10.0.1.3 (IP checksum is 98 49, but must be 95 48)
0000 00 00 00 01 00 06 14 d6 4 d 0e 00 00 08 00 d8 CE... M.......
b 0010 47 00 00 44 01 5, 00 7f 00 01 98 49 0 a 00 01 and 01 G... D.[.. ... I....
0020 0 at 00 01 03 83 07 08 0 a 00 01 02 00 08 00 4 d 46... MF
0030 00 01 00 15 61 62 63 64 65 66 67 68 69 6 a 6 b 6 c... .ABCD efghijkl
0040 6 d 6th 6f 70 71 72 73 74 75 76 77 61 62 63 64 65 mnopqrst uvwabcde
0050 66 67 68 69 fghi
Frames captured using Wireshark Version 1.8.0rc2 (SVN Rev 43337 from /trunk-1.8)
Hi André,
The Windows issue is more complex than what is generally answered in the Microsoft Community Forums. It is more appropriate for the TechNet Forums. Please post your question in the TechNet Forums.
You can check the link to post your question:
http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads
I hope that helps!
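The checksum arithmetic behind the question above, as an added example that is not part of the original thread: it recomputes the RFC 1071 checksum over both 28-byte headers (loose source route option included) and compares the forwarded value with an RFC 1624 incremental update for the TTL decrement alone. The header bytes are read from the post's dumps with extraction-damaged digits rejoined; the function names are this example's own.

```python
# Added example. Header bytes come from the post's dumps, with
# extraction-damaged digits (e.g. "0 at" for 0a) rejoined.
SENT = bytes.fromhex(       # 10.0.1.1 -> 10.0.1.2, TTL 0x80, LSRR pointer 4
    "4700 0044 015b 0000 8001 9749 0a00 0101 0a00 0102 8307 040a 0001 0300")
FORWARDED = bytes.fromhex(  # 10.0.1.2 -> 10.0.1.3, TTL 0x7f, LSRR pointer 8
    "4700 0044 015b 0000 7f01 9849 0a00 0101 0a00 0103 8307 080a 0001 0200")


def fold(total):
    """Fold carries back into 16 bits (one's-complement addition)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ip_checksum(header):
    """RFC 1071 checksum over the whole header, options included,
    with the checksum field (bytes 10-11) counted as zero."""
    if len(header) != (header[0] & 0x0F) * 4:
        raise ValueError("buffer length does not match IHL")
    words = [(header[i] << 8) | header[i + 1]
             for i in range(0, len(header), 2) if i != 10]
    return ~fold(sum(words)) & 0xFFFF


def incremental_update(old_cksum, old_word, new_word):
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for one changed word."""
    return ~fold((~old_cksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word) & 0xFFFF


def stored(header):
    """Checksum value carried in the header."""
    return (header[10] << 8) | header[11]


def diagnose(before, after):
    """Compare the forwarded header's checksum with a full recomputation
    and with an update that accounts only for the TTL/protocol word."""
    ttl_only = incremental_update(stored(before),
                                  int.from_bytes(before[8:10], "big"),
                                  int.from_bytes(after[8:10], "big"))
    changed = [i for i in range(0, len(before), 2)
               if i != 10 and before[i:i + 2] != after[i:i + 2]]
    return {"on_wire": stored(after), "correct": ip_checksum(after),
            "ttl_only_update": ttl_only, "changed_offsets": changed}


if __name__ == "__main__":
    for key, value in diagnose(SENT, FORWARDED).items():
        print(key, value if isinstance(value, list) else hex(value))
```

The on-wire 98 49 equals the TTL-only update, while the full recomputation gives the 95 48 the post expects. Besides the TTL, the forwarded header differs in the destination address, the option pointer and the recorded route address (byte offsets 18, 22 and 26).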