Hi there,

I am trying to set up PacketFence 4 to do inline enforcement (as I have some unmanaged switches), and so I went to work on Saturday to try and set it up. This is the setup:

- Cisco ASA firewall, internal IP address 192.168.10.1
- PacketFence ETH1 will be routed to the firewall, through which all traffic will go from my wired and wireless subnets (192.168.16.0/24 and 192.168.15.0/24) - IP address 192.168.10.254
- ETH0 management is 192.168.16.254

I set the default gateway on my core switch to be 192.168.16.254. My issue is that I can't ping 192.168.10.254 from the core switch. From the firewall I can ping 192.168.16.254, so it is routing that way, but I can't seem to get further. From the PacketFence box I can ping 8.8.8.8 (so I get to the internet), but DNS works, but I probably just need to add a DNS server to ifcfg-eth1 or whatever.

Here are my conf files:

[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=cmcrc.com
#
# general.dnsservers
#
# Comma-delimited list of DNS servers. Passthroughs are created to allow queries to these servers from even "trapped" nodes.
dnsservers=192.168.16.77,192.168.16.40,172.16.16.98
#
# general.dhcpservers
#
# Comma-delimited list of DHCP servers. Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
dhcpservers=192.168.16.77,192.168.15.250
#
# general.timezone
#
# System's timezone in string format. Supported list:
timezone=Australia/Sydney
#[registration]
#auth=ldap
[trapping]
#
# trapping.range
#
# Comma-delimited list of address ranges/CIDR blocks that PacketFence will monitor/detect/trap on. Gateway, network, and
# broadcast addresses are ignored.
range=192.168.15.0/24,192.168.16.0/24,172.16.0.0/22
#
# trapping.whitelist
#
# Comma-delimited list of MAC addresses that are immune to isolation. In
# inline enforcement, the firewall is opened for them as if they were
# registered. This "feature" will probably be reworked in the future.
whitelist=192.168.16.40,192.168.16.77,192.168.16.98
#
# trapping.detection
#
#
# Enables snort-based worm detection. If you don't have a span interface available, don't bother enabling it. If you do,
# you'll most definitely want this on.
detection=enabled
#
# trapping.detection_engine
#
# Let you choose from our supported IDS: snort or suricata
#
detection_engine=suricata
#
# trapping.wireless_ips
#
# Enable wids trapping detection
wireless_ips=enabled
[registration]
#
# registration.range
#
#
range=192.168.15.0/24,192.168.16.0/24,172.16.0.0/22
#
# registration.nbregpages
#
# The number of registration pages to show to the user
nbregpages=1
#[guests_self_registration]
#modes=email,sms,sponsor
[alerting]
#
# alerting.emailaddr
#
# Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
# PacketFence-related message goes to.
#
# alerting.fromaddr
#
# Source email address for email notifications. Empty means root@<server-domain-name>.
[scan]
#
# scan.engine
#
# Which scan engine to use to perform client-side policy compliance.
engine=openvas
#
# scan.registration
#
# If this option is enabled, the PF system will scan each host after
# registration is complete.
registration=enabled
#
# scan.user
#
# Username to log into scanning engine with.
user=sysadmin
#
# scan.pass
#
# Password to log into scanning engine with.
pass=C@p1t@lsys!
#
# scan.openvas_configid
#
# ID of the scanning configuration on the OpenVAS server
openvas_configid=daba56c8-73ec-11df-a475-002264764cea
#
# scan.openvas_reportformatid
#
# ID of the .NBE report format on the OpenVAS server
openvas_reportformatid=9ca6fe72-1f62-11e1-9e7c-406186ea4fc5
[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence.
pass=5Zs4LecTxvkXhp
[inline]
#
# inline.should_reauth_on_vlan_change
# Should have to reauthenticate the node if it changes vlan
should_reauth_on_vlan_change=enabled
#
# inline.interfaceSNAT
# Choose the interface(s) you want to use to enable snat (by default it's the management interface)
interfaceSNAT=eth1
[captive_portal]
#
# captive_portal.network_detection_ip
#
# This IP is used as the webserver who hosts the common/network-access-detection.gif which is used to detect if network
# access was enabled.
# It cannot be a domain name since it is used in registration or quarantine where DNS is blackholed.
# It is recommended that you allow your users to reach your packetfence server and put your LAN's PacketFence IP.
# By default we will make this reach PacketFence's website as an easy solution.
#
network_detection_ip=192.168.16.254
[provisioning]
#
# provisioning.autoconfig
#
# Enable or disable the XML mobile config generation for wireless on iPhones, iPods, and iPads
autoconfig=enabled
[interface eth1]
enforcement=inline
ip=192.168.10.254
type=internal
mask=255.255.255.0
[interface eth2]
type=monitor
[interface eth0]
ip=192.168.16.254
type=management
mask=255.255.255.0
enforcement=
[interface eth0.3]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.15.250
ip=192.168.15.252
snmptrapd_binary=/usr/sbin/snmptrapd
# services.radiusd
#
# Should radiusd be managed by PacketFence?
radiusd=enabled
#
# services.snort_binary
#
# Location of the snort binary. Only necessary to change if you are not running the RPMed version.
snort_binary=/usr/sbin/snort
#
# services.suricata_binary
#
# Location of the suricata binary.
suricata_binary=/usr/bin/suricata
#
# services.httpd_binary
#
# Location of the apache binary. Only necessary to change if you are not running the RPMed version.
httpd_binary=/usr/sbin/httpd
#
# services.dhcpd_binary
#
# Location of the dhcpd binary. Only necessary to change if you are not running the RPMed version.
dhcpd_binary=/usr/sbin/dhcpd
#
# services.named_binary
#
# Location of the named binary. Only necessary to change if you are not running the RPMed version.
named_binary=/usr/sbin/named

Networks.conf:

[172.16.0.0]
dns=192.168.16.77
dhcp_start=172.16.0.10
gateway=172.16.0.254
named=enabled
dhcp_max_lease_time=86400
dhcpd=enabled
type=vlan_registration
netmask=255.255.252.0
dhcp_end=172.16.0.246
dhcp_default_lease_time=86400
domain-name=vlan_registration.cmcrc.com
[192.168.30.0]
dns=192.168.16.77
dhcp_start=192.168.30.10
gateway=192.168.30.254
named=enabled
dhcp_max_lease_time=86400
dhcpd=enabled
type=vlan_isolation
netmask=255.255.255.0
dhcp_end=192.168.30.246
dhcp_default_lease_time=86400
domain-name=vlan_isolation.cmcrc.com
[192.168.10.0]
dns=192.168.16.77
dhcp_start=192.168.10.10
gateway=192.168.10.254
domain-name=inline.cmcrc.com
named=enabled
dhcp_max_lease_time=86400
dhcpd=enabled
type=inline
netmask=255.255.255.0
dhcp_end=192.168.10.246
dhcp_default_lease_time=86400

Switches.conf, which I understand in my situation is not required:

#
# Copyright 2006-2008 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
[default]
vlans = 1,2,3,4,5
normalVlan = 1
registrationVlan = 2
isolationVlan = 3
macDetectionVlan = 4
voiceVlan = 5
inlineVlan = 6
inlineTrigger =
normalRole = normal
registrationRole = registration
isolationRole = isolation
macDetectionRole = macDetection
voiceRole = voice
inlineRole = inline
VoIPEnabled = no
mode = testing
macSearchesMaxNb = 30
macSearchesSleepInterval = 2
uplink = dynamic
#
# Command Line Interface
#
# cliTransport could be: Telnet, SSH or Serial
cliTransport = Telnet
cliUser =
cliPwd =
cliEnablePwd =
#
# SNMP section
#
# PacketFence -> Switch
SNMPVersion = 1
SNMPCommunityRead = public
SNMPCommunityWrite = private
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
# Switch -> PacketFence
SNMPVersionTrap = 1
SNMPCommunityTrap = public
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread
#
# Web Services Interface
#
# wsTransport could be: http or https
wsTransport = http
wsUser =
wsPwd =
#
# RADIUS NAS Client config
#
# RADIUS shared secret with switch
radiusSecret=
[192.168.0.1]
type = Cisco::Catalyst_2900XL
mode = production
uplink = 23,24
#SNMPVersion = 3
#SNMPEngineID = 0000000000000
#SNMPUserNameRead = readUser
#SNMPAuthProtocolRead = MD5
#SNMPAuthPasswordRead = authpwdread
#SNMPPrivProtocolRead = DES
#SNMPPrivPasswordRead = privpwdread
#SNMPUserNameWrite = writeUser
#SNMPAuthProtocolWrite = MD5
#SNMPAuthPasswordWrite = authpwdwrite
#SNMPPrivProtocolWrite = DES
#SNMPPrivPasswordWrite = privpwdwrite
#SNMPVersionTrap = 3
#SNMPUserNameTrap = readUser
#SNMPAuthProtocolTrap = MD5
#SNMPAuthPasswordTrap = authpwdread
#SNMPPrivProtocolTrap = DES
#SNMPPrivPasswordTrap = privpwdread

Any help gratefully received!

Alastair Ferguson
IT Manager
Capital Markets CRC Limited (CMCRC)
Telephone: +61 2 8088 4222
Mobile: +61 424 235 159
Fax: +61 2 8088 4201
www.cmcrc.com

Capital Markets CRC Ltd - Confidential Communication
The information contained in this e-mail is confidential. It is intended for the addressee only. If you receive this e-mail by mistake please promptly inform us by reply e-mail and then delete the e-mail and destroy any printed copy. You must not disclose or use in any way the information in the e-mail. There is no warranty that this e-mail is error or virus free. It may be a private communication, and if so, does not represent the views of the CMCRC and its associates. If it is a private communication, care should be taken in opening it to ensure that undue offence is not given.
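As an added example (my own code, not PacketFence's and not from the post): a small Python checker that parses trimmed excerpts of the pf.conf and networks.conf above with configparser and flags what a reviewer would look at first. It checks that trapping.whitelist entries are MAC addresses (the file's own comment says that option takes MACs), that each networks.conf section's gateway and DHCP range fall inside its subnet, that an inline network's gateway is the address of an enforcement=inline interface, that every network has a PacketFence address in it, and it gives a layer-3 view of the failing ping (which connected interface owns 192.168.10.254 and which one carries the reply back to the core switch). The excerpts are constructed from the post's values with comments and unrelated sections removed; the function names are mine, and the core switch address 192.168.16.1 is an assumed example.

```python
import configparser
import ipaddress
import re

# Constructed excerpts of the pf.conf and networks.conf pasted in the post
# (comments and unrelated sections trimmed; the values are the poster's).
PF_CONF = """\
[general]
dnsservers=192.168.16.77,192.168.16.40,172.16.16.98
[trapping]
range=192.168.15.0/24,192.168.16.0/24,172.16.0.0/22
whitelist=192.168.16.40,192.168.16.77,192.168.16.98
[interface eth1]
enforcement=inline
ip=192.168.10.254
type=internal
mask=255.255.255.0
[interface eth0]
ip=192.168.16.254
type=management
mask=255.255.255.0
enforcement=
[interface eth0.3]
mask=255.255.255.0
type=dhcp-listener
gateway=192.168.15.250
ip=192.168.15.252
"""

NETWORKS_CONF = """\
[172.16.0.0]
gateway=172.16.0.254
dhcp_start=172.16.0.10
dhcp_end=172.16.0.246
netmask=255.255.252.0
type=vlan_registration
[192.168.10.0]
gateway=192.168.10.254
dhcp_start=192.168.10.10
dhcp_end=192.168.10.246
netmask=255.255.255.0
type=inline
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def load(text):
    """Parse PacketFence-style INI text; strict=False tolerates repeated sections."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def interfaces(pf):
    """Map interface name -> IPv4Interface for every [interface X] section that has an ip."""
    out = {}
    for sec in pf.sections():
        if sec.startswith("interface ") and pf.get(sec, "ip", fallback=""):
            out[sec.split(" ", 1)[1]] = ipaddress.IPv4Interface(f"{pf[sec]['ip']}/{pf[sec]['mask']}")
    return out


def check_whitelist(pf):
    """trapping.whitelist is documented as a list of MAC addresses; flag anything else."""
    raw = pf.get("trapping", "whitelist", fallback="")
    entries = [v.strip() for v in raw.split(",") if v.strip()]
    return [f"trapping.whitelist entry is not a MAC address: {v}" for v in entries if not MAC_RE.match(v)]


def check_networks(pf, nets):
    """Cross-check each networks.conf section against its own subnet and the interfaces."""
    findings, ifaces = [], interfaces(pf)
    inline_ips = {i.ip for n, i in ifaces.items()
                  if pf.get(f"interface {n}", "enforcement", fallback="") == "inline"}
    for sec in nets.sections():
        s = nets[sec]
        net = ipaddress.IPv4Network(f"{sec}/{s['netmask']}")
        gw = ipaddress.IPv4Address(s["gateway"])
        lo, hi = ipaddress.IPv4Address(s["dhcp_start"]), ipaddress.IPv4Address(s["dhcp_end"])
        if gw not in net:
            findings.append(f"{net}: gateway {gw} is outside the network")
        if not (lo in net and hi in net and lo <= hi):
            findings.append(f"{net}: DHCP range {lo}-{hi} is not inside the network")
        if not any(i.ip in net for i in ifaces.values()):
            findings.append(f"{net}: no PacketFence interface address inside this network")
        if s["type"] == "inline" and gw not in inline_ips:
            findings.append(f"{net}: gateway {gw} is not an enforcement=inline interface address")
    return findings


def connected_via(pf, address):
    """Name of the directly connected interface whose subnet contains `address`, else None."""
    addr = ipaddress.IPv4Address(address)
    return next((n for n, i in interfaces(pf).items() if addr in i.network), None)


def l3_path(pf, src, dst):
    """Layer-3 view of a src->dst packet arriving at PacketFence and of its reply."""
    dst_addr = ipaddress.IPv4Address(dst)
    owner = next((n for n, i in interfaces(pf).items() if i.ip == dst_addr), None)
    return {"dst_local_on": owner, "dst_via": connected_via(pf, dst), "reply_via": connected_via(pf, src)}


if __name__ == "__main__":
    pf, nets = load(PF_CONF), load(NETWORKS_CONF)
    for line in check_whitelist(pf) + check_networks(pf, nets):
        print("FINDING:", line)
    # The post's symptom: a host on 192.168.16.0/24 (assumed 192.168.16.1) cannot ping eth1's address.
    print(l3_path(pf, "192.168.16.1", "192.168.10.254"))
```

For the post's symptom, l3_path reports that 192.168.10.254 is local on eth1 and that the reply to the core switch leaves via eth0, so both directions have connected routes and nothing in the addressing explains the failure; what remains is what the box does between the two interfaces (whether IP forwarding is on and what its packet filter accepts on eth0), which an offline config check cannot see. The whitelist finding is independent of the ping problem but is the kind of mistake that silently leaves the option with no effect.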
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users

