Pix501 Bidirectional Nat Outside To Inside To Internet
Mar 22, 2007
I have a PIX501 firewall with a wireless network attached to the outside interface and our local network attached to the inside interface.
I've setup access lists to permit the wireless clients attached to the outside interface to be able to access services on our inside interfaces.
The wireless clients are on a totally seperate /24 subnet.
Now everything seems to work fine with nat statements for our local wired subnets for example wirelessClients accessing the email server etc however the wireless clients cannot access the internet.
For the wireless clients to get out onto our internet connection they have to take the following path
So my question is how should I go about giving the access for the WirelessClients to be able to open web pages on the internet? For that to happen
the traffic has to pass through the outside interface on the 501 firewall out of the inside interface onto the local switch and then back out of our
main PIX515E to reach the destionation.
I'm fairly sure I'd need to modify the WebAccessNetwork access-list to permit WirelessLan to any against the port listings so thats not a problem I can change that
how I'm not entirely sure I to go about it with the NAT statements.
I just leased a Godaddy linux dedicated server with a Cisco PIX 501 firewall. Control panel is Plesk 8. Preconfigured with Ferdora 7, mysql, php,etc.
I've tried to configure multiple domains but am having problems.
I currently have several websites each running on their own Godaddy shared hosting account. I'm am trying to migrate all of these websites onto the dedicated server.
My plan is as follows: Configure the firewall Configure the server (add IPs) Configure the domains from within Plesk (add client, domains, dns). But DO NOT change the name servers on the domain. I need to test the websites first. Copy the webpages, content from the shared hosting accounts to the server. Test the websites on the server. I am hoping that I can access the websites on the server using ip addresses, since I figure I won't be able to use the domain names without first changing the name server entries on the domains. Once testing is completed, change the name servers on the domains so they point to the server.
What I have done: Configured the firewall interface (outside = 72.169.55.184/24, inside = 10.0.0.254/24) Configured the firewall IP translation rules (outside = 72.169.55.183, inside = 10.0.0.1) Configured server (added 3 IPs - 10.0.0.1 [exclusive], 10.0.0.2 [exclusive], 10.0.0.3 [exclusive]). I figure I need a unique ip for each domain? Created a client called MyDomains. All domains are created under this client. Created domain mydomain1 (assigned ip 10.0.0.1 [exclusive]). Added services ftp, ssi, php, cgi, etc. DNS 'A' records all set to firewall ip 72.169.55.184 Created domain mydomain2 (assigned ip 10.0.0.2 [exclusive]). Added services ftp, ssi, php, cgi, etc. DNS 'A' records all set to firewall ip 72.169.55.184 Created domain mydomain3 (assigned ip 10.0.0.3 [exclusive]). Added services ftp, ssi, php, cgi, etc. DNS 'A' records all set to firewall ip 72.169.55.184
I might be close, or I might be so far off that my inexperience shows.
Is the above correct? Do I need a unique "inside" ip address (10.0.0.1, 10.0.0.2, 10.0.0.3) for each domain/website? Do I need to add translation rules to the firewall for 10.0.0.2, 10.0.0.3?
How do I test each domain on the server without changing the name server entries on the domain? I have one firewall ip address 72.169.55.184 but 3 different domains. How can I test mydomain1.com, mydomain2.com, mydomain3.com?
If anyone can tell me if I have this correct, or what I have to do to get this correct I'd be immensly appreciative. Just as important is knowing how I can test each domain before I go live with it.
I have this nice vps, but its on linux, and I always wanted to run windows apps on the vps, because of the nice configuration. I already tried wine, but most of my windows apps don't work, cuz they require .net framework to run.
I tried to instal vmware server and virtualbox, but both of them complain about a kernel problem, they are unable to locate my kernel source, so they can't run.
I am linux newbie, and i am running on a centos 5 operating system.
Some people say its impossible to run virtualization 'inside' virtualization, but i already read some people that say its possible.
Feb 22 04:58:31 la1092 kernel: ata2: command 0xc8 timeout, stat 0x50 host_stat 0x24 Feb 22 04:58:32 la1092 kernel: ata2: status=0x50 { DriveReady SeekComplete } Feb 22 04:58:32 la1092 kernel: Info fld=0x2d7e, Current sdb: sense key No Sense Feb 22 04:58:32 la1092 kernel: ata1: command 0xc8 timeout, stat 0x50 host_stat 0x24 Feb 22 04:58:32 la1092 kernel: ata1: status=0x50 { DriveReady SeekComplete } Feb 22 04:58:32 la1092 kernel: Info fld=0x4632f99, Current sda: sense key No Sense Feb 22 04:58:32 la1092 kernel: ata2: command 0xc8 timeout, stat 0x50 host_stat 0x24
Current setup is nginx, lighttpd and apache as web servers.
I've been using Clearancerack for about 4 or 5 months now and feel I should write an honest review about them considering there really doesn't seem to be too many.
Ever since the start several months ago, I've had nothing but a pleasant experience working with Chris and clearancerack.
So, here we go they get a :
Setup: 10/10
The setup is stellar. The first server I ordered was up the night that I ordered it (only a few hours) all ready to go. The servers even come with a free apc remote reboot port!
Pricing: 10/10
You could not ask for more affordable pricing than that of ClearanceRack, considering the extraordinary support, network, and all around company. Their prices are cheaper than those of the highest quality competitors, yet provide even higher quality service!
Even collocation pricing is very affordable! I will probably be sending up a few nodes in the next several months.
Network: 10/10
There has not been one second of downtime in the month's that I've been there. There was an issue with the network routing once, using bandwidth suppliers that the DC has connections to, yet Clearancerack does not use. This was fixed within several hours as well.
The network consists of a BGP mix of Peer1, All Stream, Shaw Big Pipe, MCI and peering to TorIX.
Almost all of my users experience faster downloads around the globe on the ClearanceRack network, than several of the other networks we've used throughout the US.
Support: 11/10 - Yes 11...
The support is stellar. They provide 24/7 E-mail (it really is 24/7) and REAL HUMAN Phone support (you won't get the usual leave a message, unless they really are busy and cannot take your call). At any time of day you email them, you'll have a response within minutes, even sales!
We've had one issue with one of our nodes in which Chris had to go into the datacenter to take a quick look. The issue was resolved in 30 minutes at the most.
Any requests we've made, whether it be licensing, IP allocations have all been handled extremely quickly, no matter what time of day it is.
Company:
Many times you'll hear people say, "They're great for a small scale company." Meaning, they're decent, but do have their downs that the higher scale competitors don't. Its not like that at Clearancerack. Every single thing about them is stellar, and the service is MUCH better than service I've received at various considered "higher scale and known" datacenters around the globe.
Clearancerack, ran by Chris - is ran by REAL people, wanting to make a REAL difference in the hosting market, and he/they are doing an amazing job at that.
You don't experience any poor customer service that you'll experience elsewhere. They are 100% honest with any sort of question, issue, or comment you may have. You WON'T get any of the lies, or uninformative information you receive elsewhere when an issue arises.
Personal:
Chris, I will continue to be working with you for many years to come, as I hope many of the current subscribers, and the future do to. Someone like you deserves the very best, and should GREATLY succeed in their business career. - Thank you for everything Chris! - You really know what hosting is all about.
Thats It!
Thanks for taking the time to read this review.
Generally you won't find a honest review with the ratings that I've given these guys, but THEY do deserve it, at the very least. I do not have one complaint about them as I do many other providers, and I've tried many throughout the globe.
I hope you will go ahead and try ClearanceRack for your dedicated solutions needs. They have no contracts, so you can sign up for one month, test out the service and make a final decision (although I can pretty much guarantee you will stay!)
Hostingcon:
If your going to hostingcon, check em' out! They have their own booth there!
I need several Windows VMs to test out some softwares and I plan on using virtualization technology to cut some costs.
I have a Linux(Debian Etch) dedicated server sitting to accomplish this. Specs are Quad Core Xeon 2.13Ghz with 4GB Ram/500GB HDD.
Now if I were to choose between Xen 3.1 and VMWare Server for the virtualization technology which would provide better performance?
I tried Windows on Xen 3.1 with PV Drivers and it seemed some what slow, but I'm not sure what the case was there so I can't say which would provide better performance overall.
There is serious clock skew all across the 4 CTs I have put in an OpenVZ HN which runs Debian GNU/Linux, the kernel Linux is v2.6.26, waldi tree. The HN shows correct time, the CMOS RTC is bang correct.
I'm trying to establish a VPN server inside a Fedora 10 VPS under OpenVZ. Openswan or Poptop is preferred over OpenVPN because Windows has built-in support for these protocols.
It looks like the host node (it's actually the vps from myprohost.com) doesn't have the required kernel modules enabled(installed?). Take Poptop for example, if I run pppd after rpm installation, the output is like this:
[root@v ~]# /usr/sbin/pppd /usr/sbin/pppd: This system lacks kernel support for PPP. This could be because the PPP kernel module could not be loaded, or because PPP was not included in the kernel configuration. If PPP was included as a module, try `/sbin/modprobe -v ppp'. If that fails, check that ppp.o exists in /lib/modules/`uname -r`/net. See README.linux file in the ppp distribution for more details.
[root@v ~]# modprobe -v ppp FATAL: Could not load /lib/modules/2.6.18-92.1.18.el5.028stab060.2/modules.dep: No such file or directory
And when I check for the availability of the encryption module "MPPE", I got the same result:
[root@v ~]# modprobe mppe FATAL: Could not load /lib/modules/2.6.18-92.1.18.el5.028stab060.2/modules.dep: No such file or directory
Openswan complains about some missing kernel modules too. So what do I do? Do I tell the provider to enable these modules? Do they normally do that? Will the host node require a reboot after having done that?
What modules are required for Poptop and Openswan? And, do I need to tell them to re-enable these modules every time I rebuild my OS?
I've got a dedicated server running my portal. Now we plan to soon launch broadcasting, where we via a webcam + microphone will broadcast (streaming WMV media) to all our members. Our members will then be able to interact with the speakers via chatting.
Now we are currently undergoing loadtesting, with our current setup, which is:
2. home PC with static IP and 1 MBit upload=>Video+Audio Streaming
So the member requests a page from the dedicated server, which has a chat window and a windows media player. The player will retrieve the video/audio content from the home PC. This is done by the client.
Now is pretty logical to see that there will be limitations in how many connections the home pc will be able to handle.
The question is: How do i make the dedicated server get the content from the home pc (so it only serves one connection) and then get all the clients to get their video content from the dedicated server ?
I've looked into the proxy modules for the apache server, however they (forward/reverse proxy) both passes the connection on to the remote machine and thereby not doing what I want to do.
We are running the latest Plesk 12 under CentOS 7.
While I can see the App Owncloud as Admin in the Application Vault my users cannot see that particular app in their Application pool. They can see all other apps though. Just not Owncloud.
All resellers and customers are allowed to install everything from the pool and i selected Owncloud in the Vault already and "made it available" .. Though it is not shown.
I have following Warning when creating a new Domain inside a Subscriptions:
I found this Article: [URL] .....
But in my case this does not solve the Problem.
1> All permissions are right. 2> When I type command '/usr/local/psa/bin/repair --restore-vhosts-permissions' i get the answer 'Directory permissions were successfully updated.' 3> The Order of Webuser and FTPUser (as described in the article) could also not be the problem, because in my case there is only one user (There is only Webuser and no FTP-User.) 4> When typing '/usr/local/psa/bin/repair --update-vhosts-structure' I get the following error 6 times each:
Unable to update the structure of the home directory: an unexpected error has occurred. update-vhosts-structure failed: mkdir: cannot create directory `./webroot.kk-bits.com/logs': File exists ERROR: Cannot relink logs. Target directory '/var/www/vhosts/webroot.kk-bits.com/logs' is in invalid state.
To get the error 6 times seems to mean, that i have this problem with 6 Domain.
I like to create some service plans using the cli-tools, /usr/local/psa/bin/service_plan.I am able to create a service plan, but I'm unable to create a service plan inside a reseller plan. For example I cannot "tell" the service_plan script to add the created serviceplan to a reseller plan. Is it possible to create a serviceplan inside a reseller plan, using the cli?
I recently placed an order (based on an add I found while browsing this forum) for a quad xeon. Everything went smoothly and their live support was very helpful. About 2 hours after receiving my confirmation I received an email containing a credit card form. The form is asking me to fill out everything I filled out during the billing process (including my credit card number, security code, and bank number). I know this form is basically a contract so they can bill me if I go over my bandwidth limit, but it seems pretty odd. Is this a normal thing or should I be weary about filling this out?
My site/e-mail/etc that is hosted by Solid Internet has been down for almost 2 weeks. This is causing me some major problems.
Their support forum doesn't work, their phones go straight to voicemail, their voicemail inbox is full, they don't respond to e-mails or support tickets. I'm not sure what else I can do to find out what the problem is?
I've only just renewed for a further year too so I'm not overly keen on flushing all that money down the toilet.
I don't think I have any site back ups, certainly no recent ones so I don't want to lose everything which I assume I'll need to do to move to a new host?
first off i will start by saying, as you can see.. this is my first post. Normally i just browse around, but i had to sign up and post a brief thread, about the awesome service i have received over at TurnKey.
A few weeks before christmas break, i signed up with Turnkey VPS, which was quickly setup. I've never really worked with a vps before, or much with servers at all really.
But their prompt and detailed explanation of how things work inside the control panel really helped me out. Then, a week after christmas break, with the economy going south, i had got laid off from work. I sent them an email saying that i wished to cancel cause of my current job status, and was suprised to see that Adam, their president had emailed me back himself and offered me a 90 day free run till i could get back on my feet. and if at the end of the 90days i hadent got on my feet, i could cancel completly. Since then, my job had announced that it would only be set backs and not termination - so i still have my job, and i dont have to cancel anymore!
Wholesale Internet HAS THE WORST BILLING SYSTEM / CUSTOMER SUPPORT SYSTEM EVER It has been 3 months and I have yet received my refund. If your server is up then its fine but I have contacted Aaron (great guy) 30+ times but he's always busy
Here's the issue. In ubersmith we have paypal + a spare credit card running. I setup a paypal subscription so I was to be billed automatically.
Ubersmith however was not tracking the subscription payments and instead billed our credit card.
This left me with double the charges for 3 months on my credit card and paypal ...
I have asked for a refund since September and have heard NOTHING.
I have vouched for Wholesale internet plenty but if this does not get taken care of Aaron I will be chargebacking every single charge for the last year ... maybe that'll get your attention
The billing department = Rebecca - a woman who neither answers the phone nor emails
We aquired a dedicated with wholesaleinternet a few months back. Other than slightly annoying but very short periods of downtime several times a week there were no major problems. Then the server became unreachable.
After many hours I finally get a tech response to my priority TT stating a fsck had to be performed. My initial worry was that the HD was failing as huge sectors should not be corrupt - certainly no software was running to cause this.
Over the next 2 weeks the server went down every 24-48 hours with exactly the same problem and the same resolution. Each time it took over 4 hours for a priority TT to be responded to and for the problem to be fixed. 8 hour waits were far from uncommon.
After pointing out the HD worries several times (what else could it be at this stage?) 2 weeks later the girl 'looking after the problem' finally agrees with us and agrees to replace the HD. I drag off any data I need (ie since the last backup) in a brief period of uptime and give her the go ahead. The server goes down again and over 48 hours later they tell me a new HD has been installed.
BEFORE the server went down for the final time we made it very clear that we simply cannot wait any longer and had no choice but to cancel our account. This was ignored and the HD changed anyway. We also made it clear that the huge problems caused should mean that there was no way we should require a month's notice to leave them. The downtime, huge delays in responding to priority tickets and inability of tech staff to recognise a simple HD failure means we need to go elsewhere. The downtime has cost us a LOT of money and several very good google results still have not recovered so the cost to us continues in a big way.
Despite the 2 weeks of more or less continual downtime causing us to have no choice but to switch hosts they now have the audacity to send debt collectors after us for not giving 1 months notice. On cancelling the account my reasons were made very, very clear and that given the situation I would not expect to need a months notice and certainly not to be charged.
So my advice...look elsewhere. There are some very professional companies about with competent tech staff and who give a damn about even their lower end customers.
I have used BQ Internet (bqbackup) for a dedicated server backup for months... On one occasion a while back, I started getting the now infamous "out of space" error message.
They fixed it, that time, fairly quickly telling me it was because they were "changing servers..."
Now, for the last two weeks, their server is telling me it's outta space, and I am getting absolutely no response from them whatsover...
I have sent emails using my regular email accounts plus sent emails using a gmail account.
Are they in some sort of trouble or something?
I guess I am going to have to look for another rsync backup provider...
"Offsite" backups are extremely important to me and my customers, and not having it available for two weeks is completely unacceptable.
I've been with wholesale internet services for a few months now and I must say working with Aaron (when available) has been a pleasure. However, working with anybody else on the team...Billing Departement I'm looking at you has been a COMPLETE Nightmare.
I orderded an extra IP Subnet range only to take it days (more than three) and a few tickets later to order. Their Billing/Sales department takes days to answer.
I then cancelled my services and was confirmed cancellation only to find out today that I've been billed and my credit card has been charged.
Not impressed with this incompetent operation. Aaron you do a great job but your team is nothing like you! I have yet to receive an e-mail back from sales about refunding me the money for the current billing statements.
I'm creating yet another ticket now in hopes that somebody there responds.
The server was fine as was the network, never had any issues, but the lack of support for billing was not.
their servers are down more than they are up, they claim to have 90 odd plus servers and it always seems to be that 4 servers in a row are down at a time, i would stay away from these ppl, we started as a reseller of theirs and it was terrible, lost a few customers cause of the bad service, and frorget about support,
I'm thinking about creating a resellers account with them but there seem to be a lot of mixed reviews, some people say they're the best hosts they've ever used, other strongly disagree.
I decided to let everyone know about WholesaleInternet (wholesaleinternet.net) company and how people from this company treat clients.
2 days ago my server was taken offline. After contacting support team, I was told someone was hosting phishing page. However, they didn't send me any email. I asked them to send abuse report for me.
As soon as I got it, I told that I will remove bad site from server as soon as they will activate server. Since then they just ignore all my tickets. Server is down for 2 days, I have opened support ticket and all my requests are ignored. Phone support is total 'scam', because I always here same message 'We can not answer your call' for 2 days.
I understand this company is being managed by single person only, but I didn't believe it's so awful.
My server is still down, and I have no idea what to do next. They even don't allow me to remove bad site or move all sites from server to another provider.
And yes, I also PMed Aaron via this forum, but he just replied 'Abuse has the impression that you are intentionally using the server for illegal activities. I looked at the ticket and I can see why they think that especially when you tell them you will move the phishing site to another server.' Then he started ignoring all my messages too.
What abuse team!? Company of single person has abuse team? Sure... I can't believe that moving site to other server (after removing phishing content from it) is treated as illegal activity by Wholesale Internet.
Well, I lost hundreds of dollars already, and it looks I need to start everything from 0 (because company just ignores me), so the only thing I can do - tell everyone RUN AWAY from this awful provider as soon as you can. Because if someone will hack one of your customer accounts and upload phishing page, they will destroy your hosting without any questions asked.
I will post more detailed review about this company later, including screenshots from my support desk, etc. So if you think getting a server with them, think again!
I am about to build the company network and I have some questions to know what I am speaking about with the company we will hire to do the job, so I would like to ask some questions, being sure here someone skilled will be able to help me.
The current company network is made of two optical fiber with each one it’s own router and ISP behind. I am thinking about to take a third ISP and ask for our own /24 PI, rather than current two /25 PA we have with each provider.
I would like to setup a highly available Internet link. Most probably I will ask a third provider to offer us the /24 PI and use it as main provider and use the two others to feed and to help us to reach high availability as BGP4 is able to balance over different networks.
It is not impossible to tweak performances later with OSPF protocol. The total maximum (theoretical) speed would be 150 Mbit/s for the 3 links together (but pushing as it will probably never happend), current peaks are more about 30-35 Mbit/s.
So I have some questions : - Do we need to get an AS to achieve this? - Is Foundry Networks NetIron NETIRON MLX-4 or NETIRON MLX-8 good for this job? - Will we be able to push (in case) up to 300-400 Mbit/s with this wheel (over 3 providers)? - What is the approximate price of such wheel? - What else do I have to think about?
At this time, I am only interested about the Internet network. The prority is the availability and not the speed, but it would be good to do not have to change machines if the average traffic to Internet is going to double in 1 year.
