3845 router and IOS 15.1(4)M9

Who can tell me if it is needed to purchase a license for IOS 15.1(4)M9 which is going to be installed on a Cisco 3845 router?

Dear Customer,
Unfortunately, your question was raised in the wrong support forum.
Cisco ServiceGrid is part of Software Enabled Services. We provide Integration Services.
However, you can raise your question in the right forum: https://supportforums.cisco.com/community/6016/lan-switching-and-routing
Our hardware professionals will be happy to provide you any answer you need.
thanks
Patrick

Similar Messages

  • "permit tcp any any established" and IOS Firewall

    Guys, I need some clarification here. I have already asked a couple of TAC guys but they either did not know the answer right away or they wanted to send me to another team who might answer it...
    I have a single router. One LAN, one WAN. It is an 800 series router and IOS Firewall feature is turned on as follows:
    ip inspect name IOS_Firewall tcp
    ip inspect name IOS_Firewall udp
    ip inspect name IOS_Firewall icmp
    interface FastEthernet4
    ip address dhcp
    ip access-group 161 in
    ip nat outside
    ip inspect IOS_Firewall out
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map mymap
    access-list 161 permit udp any any eq ntp
    access-list 161 permit udp any any eq bootpc
    access-list 161 permit tcp any any established
    access-list 161 permit icmp any any
    access-list 161 permit esp any any
    access-list 161 permit gre any any
    access-list 161 permit udp any any eq isakmp
    access-list 161 permit udp any any eq non500-isakmp
    access-list 161 permit udp any eq non500-isakmp any
    access-list 161 permit udp any eq isakmp any
    access-list 161 permit udp any eq domain any
    access-list 161 permit tcp any any eq telnet
    access-list 161 permit tcp any any eq 1723
    access-list 161 permit tcp any any eq 4500
    access-list 161 permit tcp any any eq 5000
    access-list 161 permit tcp any any eq 5500
    access-list 161 deny   ip any any log
    My question is, is the statement "access-list 161 permit tcp any any established"  required since I already have the IOS Firewall feature turned on?
    Thank you

    No you do not need it with CBAC's TCP inspection enabled.
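
The answer above can be checked with a small model of the inbound decision on FastEthernet4. This Python is an added example, not code from the thread or from Cisco. It assumes NAT and the other port-specific permits in ACL 161 are out of scope, that the sessions are transit traffic seen by `ip inspect IOS_Firewall out`, and it uses constructed documentation addresses.

```python
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def established_matches(seg: Segment) -> bool:
    """'permit tcp any any established' is stateless: it matches any
    segment with ACK or RST set, whether or not a session exists."""
    return bool(seg.flags & (ACK | RST))


class InspectTable:
    """Stand-in for the session state kept by 'ip inspect ... out'."""

    def __init__(self) -> None:
        self.sessions = set()

    def see_outbound(self, seg: Segment) -> None:
        # An initial SYN leaving through the outside interface opens a session.
        if seg.flags & SYN and not seg.flags & ACK:
            self.sessions.add((seg.src, seg.sport, seg.dst, seg.dport))

    def is_return_traffic(self, seg: Segment) -> bool:
        # Return traffic carries the mirrored 4-tuple of a tracked session.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.sessions


def inbound_verdict(seg: Segment, table: InspectTable,
                    with_established_ace: bool) -> str:
    # Dynamic inspection entries are evaluated before the static ACEs.
    if table.is_return_traffic(seg):
        return "permit: inspection session"
    if with_established_ace and established_matches(seg):
        return "permit: established ACE"
    return "deny: ip any any log"


def demo() -> dict:
    # Constructed traffic: one inside client opens one HTTPS session.
    table = InspectTable()
    table.see_outbound(Segment("192.0.2.10", 40000, "203.0.113.5", 443, SYN))
    reply = Segment("203.0.113.5", 443, "192.0.2.10", 40000, SYN | ACK)
    stray = Segment("198.51.100.7", 443, "192.0.2.10", 40001, ACK)
    return {
        (name, ace): inbound_verdict(seg, table, ace)
        for name, seg in (("reply", reply), ("stray", stray))
        for ace in (True, False)
    }


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

Genuine return traffic is permitted either way, so the static entry adds nothing for inspected sessions; what it does add is a match for ACK-flagged segments that belong to no session.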

  • Branch office setup with L3 switch and router with IOS security

    Hello,
    I am in the process of putting together a small branch office network and I am in need of some design advice. The network will support about 10-15 workstations/phones, 3-4 printers, and 4-5 servers. In addition we will eventually have up to 25-30 remote users connecting to the servers via remote access VPN, and there will also be 2-3 site-to-site IPSec tunnels to reach other branches.
    I have a 2911 (security bundle) router and 3560 IP Base L3 switch to work with. I have attached a basic diagram of my topology. My initial design plan for the network was to setup separate VLANs for workstation, phone, printer, and server traffic. The 3560 would then be setup with SVIs to perform routing between VLANs. The port between the router and switch would be setup as a routed port, and static routes would be applied on the switch and router as necessary. The thought behind this was that I'd be utilizing the switch backplane for VLAN routing instead of doing router-on-a-stick.
    Since there is no firewall between the switch and router my plan was to setup IOS firewalling on the router. From what I am reading ZBF is my best option for this. What I was hoping for was a way to set custom policies for each VLAN, but it seems that zones are applied per interface. Since the interface between the router and switch is a routed interface, not a trunk/subinterface(s), it doesn't seem like there would be a way for me to use ZBF to control traffic on different VLANs. From what I am gathering I would have to group all of my internal network into one zone, or I would have to scrap L3 switching all together and do router-on-a-stick if I want to be able to set separate policies for each VLAN. Am I correct in my thinking here?
    I guess what I am getting at is that I really don't want to do router-on-a-stick if I have a nice switch backplane to do all of the internal routing. At the same time I obviously need some kind of firewalling done on the router, and since different VLANs have different security requirements the firewalling needs to be fairly granular.
    If I am indeed correct in the above thinking what would be the best solution for my scenario? That is, how can I setup this network so that I am utilizing the switch to do L3 routing while also leveraging the firewall capabilities of IOS security?
    Any input would be appreciated.
    Thanks,
    Austin

    Thanks for the input.
    1. I agree, since I have only three to four printers, they need not be in a separate VLAN. I simply was compartmentalizing VLANs by function when I initially came up with the design.
    2. Here's a little more info on the phone situation. The phones are VoIP. The IP PBX is on premise, but they are currently on a completely separate ISP/network. The goal in the future is to converge the data and voice networks and setup PBR/route maps to route voice traffic out the voice ISP and data traffic out the other ISP. This leads up to #3. 
    3. The reason a router was purchased over a firewall was that ASA's cannot handle routing and dual ISPs very well. PBR is not supported at all on an ASA, and dual ISPs can only be setup in an active/standby state. Also, an ASA Sec+ does not have near the VPN capabilities that the 2911 security does. The ASA Sec+ would support only 25 concurrent IPSec connections while the 2911 security is capable of doing an upwards of 200 IPSec connections.
    Your point about moving the SVI's to a firewall to perform filtering between VLANs makes sense, however, wouldn't this be the same thing as creating subinterfaces on a router? In both cases you are moving routing from the switch backplane to the firewall/routing device, which is what I am trying to avoid.  

  • I have ipad3 and have internet from sim card, can i use my ipad as a wireless router and how if it possible, i have IOS 8.0.2

    I Have ipad with IOS8.0.2 with internet from sim card, can i use it as a wireless router and how if it possible?

    Hi Mostafa sanad, 
    Welcome to the Apple Support Communities!
    It sounds like you may want to use your iPad as a personal hotspot. Please read over the attached article for information on the process. 
    iOS: Understanding Personal Hotspot
    Have a great day, 
    Joe

  • Router platform and IOS version to support MPLS

    I have a few Cisco 2621 routers and one 3640 router. Could I use these routers to create an MPLS VPN lab? If so, what is the minimum IOS version required?
    Thanks in advance.

    The minimum hardware and software image to support MPLS can be found at www.cisco.com/go/fn: select search by feature and in the search box put MPLS (Multiprotocol Label Switching). There you can find the platform and IOS to support basic MPLS, but you need to consider the fact that MPLS special features like AToM can only be supported on some 7200, 7500, 7600, 10000 and 12000, http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_chapter09186a0080153e64.html#1030652

  • 3825 and 3845 router duplex issue?

    We are currently having a new 10Mbps "LANLink" service installed in our office. Our WAN provider terminates in our comms room on a Lucent MUX, which then connects via RJ45 Ethernet to our Cisco 3825 router.
    Our provider has asked us to set our router to 10Mb/full duplex. However, when we do, the Gigabit Ethernet interface on our 3825 goes down. If I set the interface to autonegotiate, it resolves to 10/half. Traffic will run at 10/half, but with muchos collisions.
    We have exactly that same problem at the other end of the line, on a 3845 router. The router interface will only come up when running half duplex.
    The engineer has been in and proved to me that the Lucent MUX is running 10/full. We have also switched out the ethernet cables a number of times.
    We have stabilised the line somewhat by running all Lucent and Cisco equipment at half duplex. But surely there's a fix for this?
    The interface config is shown below. Can anyone tell me what the 'negotiate auto' line means - despite 'speed 10' and 'duplex half' commands elsewhere?
    interface GigabitEthernet0/1
    description **Colt LANLink - London City Office**
    ip address 192.168.254.246 255.255.255.252
    duplex half
    speed 10
    media-type rj45
    negotiation auto
    service-policy output llq
    Thanks
    Richard

    Hi Ankur -
    Thanks for posting.
    That's why I was confused - the 'negotiation auto' was already in the config when the router arrived. I don't see why it's even necessary: surely it's either 'duplex half/full/auto' and 'speed 10/100/1000/auto'? Why do Cisco need to provide another command for 'negotiation'?

  • VPN between ASA and IOS router

    We have established a VPN tunnel between an IOS router and an ASA; however, it is working only from the latter. What are the common dissimilarities which occur between these two devices when setting up VPN?

    Do a search for the following on cisco.com- "Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions"
    It should help fix any problems.
    HTH and please rate.

  • My router and access point reboots when trying to stream content from iOS devices or mac to my apple tv.

    The ZyXEL N series access point and Cisco router reboot when I try to stream or mirror onto Apple TV using AirPlay. What can be the cause of the problem?

    Please answer as many of the following questions as you can. You may already have answered some of them. In that case, there's no need to repeat the answers.
    Have you restarted your router and your broadband device (if they're separate) since you first noticed the problem? If not, do that now and see whether there's any change.
    If your browser is Safari, then from the Safari menu bar, select
    Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data
    and confirm. Any change?
    If you're running OS X 10.9 or later, select the Advanced tab in the Preferences window and uncheck the box marked
    Stop plug-ins to save power
    Any change?
    Quit and relaunch the browser. Any change?
    Log out and log back in. Any change?
    Enable Private Browsing in the Safari menu. Any change?
    Are any other web browsers installed, and are they the same? What about other Internet applications, such as iTunes and the App Store?
    If other browsers and Internet applications are also affected, follow these instructions and test. Any change?
    If Parental Controls is active for any user, please turn it off and test. Any change?
    If only Safari is affected, launch the Activity Monitor application and enter "web" (without the quotes) in the search box. If a process named "Safari Web Content" is shown in red or is using more than about 5% of a CPU, select it and force it to quit by clicking the X or Quit Process button in the toolbar of the window. There may be more than one such process. Any improvement?
    Again, if only Safari is involved, open the iCloud preference pane and uncheck the box marked Safari, if it's checked. Any change?
    Are there any other devices on the same network that can browse the Web, and are they affected?
    If you can test Safari on another network, is it the same there?
    If you connect to your router with Wi-Fi and you can also connect with Ethernet, do that and turn off Wi-Fi. Any difference?

  • 3845 Router do not work with NME-X23ES-1GP Interface card

    Need help!
    I am trying to install the interface card NME-X 23ES-1GP on a 3845 router. I installed this card in slot 4, but the router could not communicate with this card.
    IOS version on the router: 12.3
    Here are the results of the show diag command:
    Slot 4:
    Unknown (type 1187) Port adapter
    Port adapter is disabled deactivated
    Port adapter insertion time unknown
    EEPROM contents at hardware discovery:
    Hardware Revision : 1.0
    Top Assy. Part Number : 800-25011-01
    Board Revision : A0
    Deviation Number : 0-0
    Fab Version : 03
    PCB Serial Number : FOC090009VC
    RMA Test History : 00
    RMA Number : 0-0-0-0
    RMA History : 00
    Product (FRU) Number : NME-X-23ES-1G-P
    Version Identifier : V01
    Base MAC Address : 0013.8088.9f80
    MAC Address block size : 128
    EEPROM format version 4
    EEPROM contents (hex):
    Possibly IOS release too old?

    Thank you for the link. I read all the information on this link. But I can't solve the problem.
    Commands "show version" and "show flash:" show me the IOS image file version on the router (but not on interface modules). Here is the router's IOS image:
    c3845-advipservicesk9-mz.123-11.T5.bin
    I can't connect to and open a session on the interface module. The command service-module interface slot/port session doesn't work.
    What should I do next?
    Is it necessary to upgrade the software on the router?
    Here are the results of show version and show flash:
    BIG1#show flash:
    -#- --length-- -----date/time------ path
    1 29801400 Jun 28 2005 04:47:46 +00:00 c3845-advipservicesk9-mz.123-11.T5.bin
    2 1651 Jun 28 2005 04:55:18 +00:00 sdmconfig-38xx.cfg
    3 3085312 Jun 28 2005 04:55:40 +00:00 sdm.tar
    4 763392 Jun 28 2005 04:55:56 +00:00 es.tar
    5 820224 Jun 28 2005 04:56:10 +00:00 common.tar
    6 1038 Jun 28 2005 04:56:24 +00:00 home.shtml
    7 113152 Jun 28 2005 04:56:36 +00:00 home.tar
    8 749101 Jun 28 2005 04:56:52 +00:00 256MB.sdf
    9 1208320 Jun 28 2005 04:57:08 +00:00 ips.tar
    27451392 bytes available (36560896 bytes used)
    BIG1#show version
    Cisco IOS Software, 3800 Software (C3845-ADVIPSERVICESK9-M), Version 12.3(11)T5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2005 by Cisco Systems, Inc.
    Compiled Sat 02-Apr-05 15:14 by yiyan
    ROM: System Bootstrap, Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)
    BIG1 uptime is 57 minutes
    System returned to ROM by reload at 07:11:45 UTC Tue Jul 12 2005
    System image file is "flash:c3845-advipservicesk9-mz.123-11.T5.bin"
    Cisco 3845 (revision 1.0) with 223232K/38912K bytes of memory.
    Processor board ID FCZ0927714C
    2 Gigabit Ethernet interfaces
    1 Virtual Private Network (VPN) Module
    4 Voice FXS interfaces
    DRAM configuration is 64 bits wide with parity enabled.
    479K bytes of NVRAM.
    62720K bytes of ATA System CompactFlash (Read/Write)
    Configuration register is 0x2102

  • RADIUS COA on software version 12.4 using 3845 router

    We are working to provide dynamic bandwidth control by using RADIUS CoA to a 3845 router.
    When we issue the CoA, the 3845 rejects the message with an invalid session ID message.
    We are using the following instructions to craft the RADIUS CoA message.
    http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htipmaaa.html

    Hi Manuel,
    I have a PPPoE client running directly against the 3845, which terminates PPPoE. Authentication, authorization and accounting work against FreeRADIUS.
    The next step for us is to manage subscriber connections by sending CoA to change service parameters.
    Our system sends the RADIUS CoA as shown below.
    You can find the packet dumps, configuration and Cisco log below.
    Thank you for responding, and I am looking forward to your next response.
    Igor
    *** Example with Shaping ***
    policy-map SHAPE-TEST
    class class-default
    shape average 48000
    Using: cisco-avpair = "ip:sub-qos-policy-out=SHAPE-TEST"
    ======================== Packet capture =================================
    No.     Time                          Source                Destination           Protocol Info
          1 2000-01-01 08:46:03.257911000 172.16.2.218          172.20.2.55           RADIUS   CoA-Request(43) (id=1, l=49)
    Frame 1: 91 bytes on wire (728 bits), 91 bytes captured (728 bits)
        Arrival Time: Jan  1, 2000 08:46:03.257911000 Eastern Standard Time
        Epoch Time: 946734363.257911000 seconds
        [Time delta from previous captured frame: 0.000000000 seconds]
        [Time delta from previous displayed frame: 0.000000000 seconds]
        [Time since reference or first frame: 0.000000000 seconds]
        Frame Number: 1
        Frame Length: 91 bytes (728 bits)
        Capture Length: 91 bytes (728 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:udp:radius]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: HewlettP_af:82:b5 (2c:27:d7:af:82:b5), Dst: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
        Destination: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 172.16.2.218 (172.16.2.218), Dst: 172.20.2.55 (172.20.2.55)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 77
        Identification: 0x5b26 (23334)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 128
        Protocol: UDP (17)
        Header checksum: 0x8244 [correct]
            [Good: True]
            [Bad: False]
        Source: 172.16.2.218 (172.16.2.218)
        Destination: 172.20.2.55 (172.20.2.55)
    User Datagram Protocol, Src Port: 57459 (57459), Dst Port: radius-dynauth (3799)
        Source port: 57459 (57459)
        Destination port: radius-dynauth (3799)
        Length: 57
        Checksum: 0x6ec3 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: CoA-Request (43)
        Packet identifier: 0x1 (1)
        Length: 49
        Authenticator: f8ce880960a402b9809f0c173c6c8530
        [The response to this request is in frame 2]
        Attribute Value Pairs
            AVP: l=10  t=Acct-Session-Id(44): 000000C3
                Acct-Session-Id: 000000C3
            AVP: l=19  t=Vendor-Specific(26) v=Cisco(9)
                VSA: l=13 t=Cisco-Policy-Down(38): POLICE-TEST
                    Cisco-Policy-Down: POLICE-TEST
    No.     Time                          Source                Destination           Protocol Info
          2 2000-01-01 08:46:03.259029000 172.20.2.55           172.16.2.218          RADIUS   CoA-NAK(45) (id=1, l=47)
    Frame 2: 89 bytes on wire (712 bits), 89 bytes captured (712 bits)
        Arrival Time: Jan  1, 2000 08:46:03.259029000 Eastern Standard Time
        Epoch Time: 946734363.259029000 seconds
        [Time delta from previous captured frame: 0.001118000 seconds]
        [Time delta from previous displayed frame: 0.001118000 seconds]
        [Time since reference or first frame: 0.001118000 seconds]
        Frame Number: 2
        Frame Length: 89 bytes (712 bits)
        Capture Length: 89 bytes (712 bits)
        [Frame is marked: False]
        [Frame is ignored: False]
        [Protocols in frame: eth:ip:udp:radius]
        [Coloring Rule Name: UDP]
        [Coloring Rule String: udp]
    Ethernet II, Src: IntelCor_b3:18:58 (00:1b:21:b3:18:58), Dst: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
        Destination: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            Address: HewlettP_af:82:b5 (2c:27:d7:af:82:b5)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            Address: IntelCor_b3:18:58 (00:1b:21:b3:18:58)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 172.20.2.55 (172.20.2.55), Dst: 172.16.2.218 (172.16.2.218)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 75
        Identification: 0xe66e (58990)
        Flags: 0x00
            0... .... = Reserved bit: Not set
            .0.. .... = Don't fragment: Not set
            ..0. .... = More fragments: Not set
        Fragment offset: 0
        Time to live: 254
        Protocol: UDP (17)
        Header checksum: 0x78fd [correct]
            [Good: True]
            [Bad: False]
        Source: 172.20.2.55 (172.20.2.55)
        Destination: 172.16.2.218 (172.16.2.218)
    User Datagram Protocol, Src Port: radius-dynauth (3799), Dst Port: 57459 (57459)
        Source port: radius-dynauth (3799)
        Destination port: 57459 (57459)
        Length: 55
        Checksum: 0xa044 [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
    Radius Protocol
        Code: CoA-NAK (45)
        Packet identifier: 0x1 (1)
        Length: 47
        Authenticator: 8edb97b90c05e6ed7c1ce06688723520
        [This is a response to a request in frame 1]
        [Time from request: 0.001118000 seconds]
        Attribute Value Pairs
            AVP: l=21  t=Reply-Message(18): No Matching Session
                Reply-Message: No Matching Session
            AVP: l=6  t=Error-Cause(101): Session-Context-Not-Found(503)
                Error-Cause: Session-Context-Not-Found (503)
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.21 10:00:43 =~=~=~=~=~=~=~=~=~=~=~=
    ABN-3845#
    ABN-3845#sho run
    Building configuration...
    Current configuration : 2831 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname ABN-3845
    boot-start-marker
    boot-end-marker
    enable password ipdradm
    aaa new-model
    aaa authentication ppp default local group radius
    aaa authentication ppp mounir group radius local
    aaa authorization network default local group radius
    aaa authorization network mounir group radius
    aaa accounting update periodic 1
    aaa accounting exec mounir start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting network mounir start-stop group radius
    aaa server radius dynamic-author
    client 172.16.2.183
    client 172.20.2.234
    client 172.20.2.204
    client 172.16.2.218
    server-key ipdradm
    port 3799
    auth-type session-key
    aaa session-id common
    dot11 syslog
    ip cef
    ip domain name a-bb.net
    ip name-server 172.16.0.25
    multilink bundle-name authenticated
    vpdn-group mounir
    ! Default L2TP VPDN group
    accept-dialin
      protocol pppoe
      virtual-template 11
    l2tp tunnel receive-window 1024
    voice-card 0
    no dspfarm
    archive
    log config
      hidekeys
    policy-map POLICE-TEST
    class class-default
        police 48000 9000 18000 conform-action transmit  exceed-action drop  violate-action drop
    bba-group pppoe global
    virtual-template 11
    interface Loopback0
    ip address 172.29.1.5 255.255.255.255
    interface GigabitEthernet0/0
    ip address 172.20.2.55 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    interface GigabitEthernet0/1
    ip address 10.30.1.1 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    pppoe enable group global
    interface GigabitEthernet0/1.1
    encapsulation dot1Q 2
    interface Virtual-Template11
    ip unnumbered GigabitEthernet0/1
    ppp authentication pap mounir
    ppp authorization mounir
    ppp accounting mounir
    interface Virtual-Template15
    ip unnumbered Loopback0
    no peer default ip address
    ppp authentication pap mounir
    ppp authorization mounir
    ppp accounting mounir
    router ospf 1
    router-id 172.29.1.5
    log-adjacency-changes
    redistribute connected subnets
    network 172.20.2.0 0.0.0.255 area 0
    network 172.29.1.5 0.0.0.0 area 0
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    logging 172.20.2.150
    radius-server attribute 32 include-in-access-req
    radius-server attribute 32 include-in-accounting-req
    radius-server attribute 25 access-request include
    radius-server attribute nas-port format d
    radius-server host 172.20.2.204 auth-port 1812 acct-port 1813 key ipdradm
    radius-server key ipdradm
    radius-server vsa send cisco-nas-port
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    password ipdradm
    scheduler allocate 20000 1000
    end
    ABN-3845#debug aaa coa
    AAA CoA packet processing debugging is on
    ABN-3845#debug radius
    Radius protocol debugging is on
    Radius protocol brief debugging is off
    Radius protocol verbose debugging is off
    Radius packet hex dump debugging is off
    Radius packet protocol debugging is on
    Radius elog debugging debugging is off
    Radius packet retransmission debugging is off
    Radius server fail-over debugging is off
    Radius elog debugging debugging is off
    *Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA):Orig. component type = PPoE
    *Sep 21 13:59:05.380: RADIUS/ENCODE(000000BA): Acct-session-id pre-pended with Nas Port = 0/0/1/1
    *Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
    *Sep 21 13:59:05.380: RADIUS(000000BA): Config NAS IP: 0.0.0.0
    *Sep 21 13:59:05.380: RADIUS(000000BA): sending
    *Sep 21 13:59:05.380: RADIUS/ENCODE: Best Local IP-Address 172.20.2.55 for Radius-Server 172.20.2.204
    *Sep 21 13:59:05.380: RADIUS(000000BA): Send Accounting-Request to 172.20.2.204:1813 id 1646/40, len 322
    *Sep 21 13:59:05.380: RADIUS:  authenticator 65 F4 15 61 6F AD B1 76 - 45 35 D5 42 9A 3E 2F C7
    *Sep 21 13:59:05.380: RADIUS:  Acct-Session-Id     [44]  18  "0/0/1/1_000000C3"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  41
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=f8d1.11a7.167a"
    *Sep 21 13:59:05.380: RADIUS:  Framed-Protocol     [7]   6   PPP [1]
    *Sep 21 13:59:05.380: RADIUS:  Framed-IP-Address   [8]   6   10.30.1.2
    *Sep 21 13:59:05.380: RADIUS:  User-Name           [1]   9   "ipdradm"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  35
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-tx-speed=1000000000"
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  31
    *Sep 21 13:59:05.380: RADIUS:   Cisco AVpair       [1]   25  "nas-rx-speed=1000000000"
    *Sep 21 13:59:05.380: RADIUS:  Acct-Session-Time   [46]  6   143522
    *Sep 21 13:59:05.380: RADIUS:  Acct-Input-Octets   [42]  6   6382156
    *Sep 21 13:59:05.380: RADIUS:  Acct-Output-Octets  [43]  6   2559911
    *Sep 21 13:59:05.380: RADIUS:  Acct-Input-Packets  [47]  6   224941
    *Sep 21 13:59:05.380: RADIUS:  Acct-Output-Packets [48]  6   161500
    *Sep 21 13:59:05.380: RADIUS:  Acct-Authentic      [45]  6   RADIUS [1]
    *Sep 21 13:59:05.380: RADIUS:  Acct-Status-Type    [40]  6   Watchdog [3]
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port-Type       [61]  6   Ethernet [15]
    *Sep 21 13:59:05.380: RADIUS:  Vendor, Cisco       [26]  15
    *Sep 21 13:59:05.380: RADIUS:   cisco-nas-port     [2]   9   "0/0/1/1"
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port            [5]   6   16777217
    *Sep 21 13:59:05.380: RADIUS:  NAS-Port-Id         [87]  9   "0/0/1/1"
    *Sep 21 13:59:05.380: RADIUS:  Service-Type        [6]   6   Framed [2]
    *Sep 21 13:59:05.380: RADIUS:  NAS-IP-Address      [4]   6   172.20.2.55
    *Sep 21 13:59:05.380: RADIUS:  Unsupported         [151] 10
    *Sep 21 13:59:05.380: RADIUS:   44 36 34 41 36 36 31 33 [D64A6613]
    *Sep 21 13:59:05.380: RADIUS:  Nas-Identifier      [32]  19  "ABN-3845.a-bb.net"
    *Sep 21 13:59:05.380: RADIUS:  Acct-Delay-Time     [41]  6   0
    *Sep 21 13:59:09.804: RADIUS: acct-timeout for 2DC0CAF4 now 5, acct-jitter -1, acct-delay-time (at 2DC0CC30) now 4
    ABN-3845#
    ABN-3845#
    *Sep 21 13:59:32.708: RADIUS: COA  received from id 1 172.16.2.218:50186, CoA Request, len 49
    *Sep 21 13:59:32.708: COA: 172.16.2.218 request queued
    *Sep 21 13:59:32.708:  ++++++ CoA Attribute List ++++++
    *Sep 21 13:59:32.708: 65F0A840 0 00000009 string-session-id(337) 8 000000C3
    *Sep 21 13:59:32.708: 670B2A10 0 00000009 sub-policy-Out(345) 11 POLICE-TEST
    *Sep 21 13:59:32.708:
    *Sep 21 13:59:32.708: COA: No matching entry found
    *Sep 21 13:59:32.708: COA: Added Reply Message: No Matching Session
    *Sep 21 13:59:32.708: COA: Added NACK Error Cause: Session Context Not Found
    *Sep 21 13:59:32.708: COA: Sending NAK from port 3799 to 172.16.2.218/50186
    *Sep 21 13:59:32.708: RADIUS:  18  21  4E6F204D61746368696E672053657373696F6E
    *Sep 21 13:59:32.708: RADIUS:  101 6   000001F7
    ABN-3845#
    ===================A
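
The capture and debug output in the post above show the CoA-Request carrying Acct-Session-Id 000000C3, while the router's own accounting record reports "0/0/1/1_000000C3". The following Python is an added example, not part of the thread or of any Cisco tooling: it rebuilds that CoA-Request from the dissected fields, validates its Request Authenticator as RFC 5176 defines it, and compares the session ID with the accounting value. The shared secret is constructed, and the suffix comparison is a diagnostic assumption, since the page does not state how IOS matches sessions.

```python
import hashlib
import hmac
import struct

COA_REQUEST = 43
ACCT_SESSION_ID = 44
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_POLICY_DOWN = 38  # VSA type shown in the dissection above

SECRET = b"constructed-secret"  # constructed value, not taken from the page


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, length (incl. 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_vsa(vsa_type: int, value: bytes) -> bytes:
    """Encode a Vendor-Specific attribute holding one Cisco sub-attribute."""
    inner = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def request_authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attrs + secret)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_coa_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", COA_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs


def parse(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, attrs


def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """Recompute the Request Authenticator and compare in constant time."""
    parse(packet)  # reject malformed input before hashing
    length = struct.unpack("!H", packet[2:4])[0]
    expected = request_authenticator(packet[:4], packet[20:length], secret)
    return hmac.compare_digest(expected, packet[4:20])


def match_session(coa_session_id: str, nas_session_ids) -> str:
    """Compare the CoA session ID with the IDs the NAS sent in accounting."""
    if coa_session_id in nas_session_ids:
        return "exact"
    if any(s.endswith("_" + coa_session_id) for s in nas_session_ids):
        return "suffix-only"  # same counter, but the NAS prefixed its port
    return "none"


def demo():
    packet = build_coa_request(
        1,
        attr(ACCT_SESSION_ID, b"000000C3")
        + cisco_vsa(CISCO_POLICY_DOWN, b"POLICE-TEST"),
        SECRET,
    )
    _, _, attrs = parse(packet)
    session_id = dict(attrs)[ACCT_SESSION_ID].decode()
    nas_ids = {"0/0/1/1_000000C3"}  # value from the accounting debug above
    return packet, authenticator_ok(packet, SECRET), match_session(session_id, nas_ids)


if __name__ == "__main__":
    pkt, ok, match = demo()
    print(len(pkt), ok, match)
```

The rebuilt packet is 49 bytes, the same length as the captured request, and the comparison reports that the two session IDs agree only on their trailing counter.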

  • Setting up SSH on a 3845 router?

    Greetings everyone!
    Just curious, how does one set up SSH on a cisco 3845 router? Specifically, how does one generate the RSA keys?
    It seems to be missing the "generate" subcommand for crypto. When I type crypto key the only sub-commands are lock and unlock. I'm unfamiliar with this and don't want to mess around too much since it's a production box.
    I'm running c3845-spservicesk9-mz.124-11.T2.bin so I should have the ability, yes? Any guidance would be appreciated. I really would prefer not to use telnet.

    You have a k9 image, it should support crypto commands. Are you sure you were in configuration mode?
    Try again. Here is a link for setting up SSH in IOS:
    http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a00800949e2.shtml
    A way to do it is to open two telnet sessions to the router; in one session be in enable mode and leave the session open. In the other telnet session, work on the SSH configuration. When finished, do not save the config; exit the session and open a new session using SSH to ensure you can connect and log in to the router via SSH. If for any reason it fails, you still have the other telnet session open to undo the SSH changes or correct them.
    Also, to make sure your telnet sessions do not time out while working with configs, permit yourself more time by entering exec-timeout 60 <-- one hour for your vty lines.
    line vty 0 4
    exec-timeout 60
    You can also do the complete SSH implementation via the console port as well.
    Regards
    PLS rate any helpful posts if it helps

  • Cisco 3845 Router, SSH, Secure HTTP & CS-MARS

    Hello,
    I have a 3845 router (Version 12.3(11r)T2, RELEASE SOFTWARE (fc1)) on which I have configured SSH access through vty. The problem is that SSH access fails when I try to connect to it using PuTTY. It also fails to connect using ip http secure-server, both from a browser and through CS-MARS (IOS IPS). All user names exist and are working fine with telnet.
    Does IOS 12.3 have issues with SSH & secure HTTP?
    I get this error in MARS:
    "Error in INIT GET. Check the username/password"

    Hi -
    I searched all open/closed TAC cases for you with that error message - I found 1 similar case.
    Here are the results of their case:
    "we managed to fix the issue it was ip http authentication enable command (change to accept local usernames/passwords)."
    Can you review this and see if you need to tell SSH and HTTPS to use the local database?
    Please let us know.
    thxs
    peter

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.
    IP scheme at Site A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Cisco 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    On the router I have also added:
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my ACL:
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping to the other site.
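
IOS evaluates an access list top-down and stops at the first matching entry, so the order of the entries quoted in this thread decides which of them can ever match. The Python below is an added example, not code from the posters or from Cisco: it parses extended ACL entries copied from the posts above and reports entries already covered by an earlier entry in the same list, plus wildcard masks that are not of the form 2^k-1. All function names are made up for this example, and port, `established` and ICMP-type qualifiers are handled conservatively (an entry carrying them is never treated as covering another).

```python
import re
from ipaddress import IPv4Address

# Entries copied from the posts above: the new ACL 101 line, the re-posted
# router ACL 110, and three consecutive lines of router ACL 102.
ACL_TEXT = """\
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 102 deny   ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
"""

MASK32 = 0xFFFFFFFF
ENTRY = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(.+)$")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> argument count


def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return 0, MASK32
    if head == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(head)), int(IPv4Address(tokens.pop(0)))


def _take_ports(tokens):
    """Consume an optional port qualifier such as 'eq ftp' or 'range 20 21'."""
    count = PORT_OPS.get(tokens[0], -1) + 1 if tokens else 0
    taken = tokens[:count]
    del tokens[:count]
    return taken


def parse_acl(text):
    """Parse numbered extended ACL entries; remarks and other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = ENTRY.match(raw.strip())
        if not match:
            continue
        number, action, proto, rest = match.groups()
        tokens = rest.split()
        src = _take_addr(tokens)
        quals = _take_ports(tokens)
        dst = _take_addr(tokens)
        quals += _take_ports(tokens)
        # 'log' does not narrow what an entry matches; any other leftover does.
        quals += [t for t in tokens if t != "log"]
        entries.append({"acl": number, "action": action, "proto": proto,
                        "src": src, "dst": dst, "quals": quals,
                        "text": " ".join(raw.split())})
    return entries


def _covers(outer, inner):
    """True when every address `inner` matches is also matched by `outer`."""
    (o_addr, o_wild), (i_addr, i_wild) = outer, inner
    cared = ~o_wild & MASK32  # bits that `outer` actually compares
    return (i_wild & cared) == 0 and ((o_addr ^ i_addr) & cared) == 0


def shadowed(entries):
    """Return (unreachable entry, earlier entry that matches first) pairs."""
    found = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            if (earlier["acl"] == later["acl"]
                    and not earlier["quals"]
                    and earlier["proto"] in ("ip", later["proto"])
                    and _covers(earlier["src"], later["src"])
                    and _covers(earlier["dst"], later["dst"])):
                found.append((later["text"], earlier["text"]))
                break
    return found


def odd_wildcards(entries):
    """Return (entry, wildcard) pairs where the wildcard is not 2**k - 1."""
    return [(e["text"], str(IPv4Address(wild)))
            for e in entries for _, wild in (e["src"], e["dst"])
            if wild & (wild + 1)]


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    print(*shadowed(rules), *odd_wildcards(rules), sep="\n")
```

Run against the entries above, it reports the last `deny` in ACL 110 (covered by `permit ip 172.19.3.128 0.0.0.127 any`), the two FTP permits in ACL 102 (covered by `deny ip any any log`), and the `0.0.0.65` wildcard in ACL 101.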

  • Strange issue with 3.6.3 VPN Client and IOS firewall

    I'm able to establish a VPN connection from the VPN Client to the e0/0 interface of the IOS FW/VPN router and pass encrypted traffic.
    Whenever I initiate a connection to something on the "Internet" from the LAN (e0/1) of the router, a temporary ACL entry is added to ACL 103 as it should be and I'm able to get out on the Internet from the internal LAN; however, I immediately lose my VPN connection from my PC Client when IOS FW adds those temporary "return entries".
    Router is running 12.2(13)T.
    Anyone else having issues like that? I've looked everywhere on cisco.com and elsewhere but I don't see anyone having a similar issue.
    You Cisco gurus have any thoughts?
    Thanks,
    Jamey
    Config below:
    jamey#wr t
    Building configuration...
    Current configuration : 3947 bytes
    ! Last configuration change at 16:27:03 GMT Wed Jan 22 2003 by jdepp
    ! NVRAM config last updated at 00:14:38 GMT Wed Jan 22 2003 by jdepp
    version 12.2
    service timestamps debug datetime msec
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname "jamey"
    no logging buffered
    no logging console
    username XXXX password 7 XXXXX
    clock timezone GMT 0
    aaa new-model
    aaa authentication login tac local
    aaa session-id common
    ip subnet-zero
    no ip domain lookup
    ip inspect name myfw ftp
    ip inspect name myfw realaudio
    ip inspect name myfw smtp
    ip inspect name myfw streamworks
    ip inspect name myfw vdolive
    ip inspect name myfw tftp
    ip inspect name myfw rcmd
    ip inspect name myfw tcp
    ip inspect name myfw udp
    ip inspect name firewall http java-list 3
    ip audit notify log
    ip audit po max-events 100
    crypto isakmp policy 3
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group XXXX
    key XXXXXXX
    dns x.x.x.x
    domain xxx.com
    pool ipsec-pool
    acl 191
    crypto ipsec security-association lifetime kilobytes 536870911
    crypto ipsec security-association lifetime seconds 86400
    crypto ipsec transform-set foxset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10
    set transform-set foxset
    crypto map clientmap client authentication list tac
    crypto map clientmap isakmp authorization list XXXXX
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback10
    description just for test purposes
    ip address 172.16.45.1 255.255.255.0
    interface Ethernet0/0
    description "Internet"
    ip address x.x.x.x 255.255.255.224
    ip access-group 103 in
    ip inspect myfw out
    no ip route-cache
    no ip mroute-cache
    half-duplex
    crypto map clientmap
    interface Ethernet0/1
    description "LAN"
    ip address 192.168.45.89 255.255.255.0
    no ip route-cache
    no ip mroute-cache
    half-duplex
    ip local pool ipsec-pool 192.168.100.1 192.168.100.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0/0
    no logging trap
    access-list 3 permit any
    access-list 103 permit ip 192.168.100.0 0.0.0.255 any log
    access-list 103 permit icmp any any log
    access-list 103 permit udp any eq isakmp any log
    access-list 103 permit esp any any log
    access-list 103 permit ahp any any log
    access-list 103 permit udp any any eq non500-isakmp log
    access-list 103 permit tcp any any eq 1723 log
    access-list 103 permit udp any any eq 1723 log
    access-list 103 deny tcp any any log
    access-list 103 deny udp any any log
    access-list 191 permit ip 192.168.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 191 permit ip 172.16.45.0 0.0.0.255 192.168.100.0 0.0.0.255
    radius-server authorization permit missing Service-Type
    call rsvp-sync
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password XXXXXX
    line vty 5 15
    end
    Some debugging info:
    At this point, my VPN PC is successfully connected to the e0/0 VPN router and assigned IP of 192.168.100.2. It is running constant pings to 192.168.45.67 and 172.16.45.1 (172.16.45.1 is a loopback on the router for testing), 192.168.45.67 is a host on the internal network.
    .Jan 22 01:27:38.284: ICMP type=8, code=0
    .Jan 22 01:27:38.288: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:38.288: ICMP type=0, code=0
    .Jan 22 01:27:38.637: IP: s=192.168.45.145 (Ethernet0/0), d=255.255.255.255, len 40, access denied
    .Jan 22 01:27:38.637: UDP src=2301, dst=2301
    .Jan 22 01:27:38.641: IP: s=192.168.45.145 (Ethernet0/1), d=255.255.255.255, len 40, rcvd 2
    .Jan 22 01:27:38.641: UDP src=2301, dst=2301
    .Jan 22 01:27:38.761: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:38.765: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
    .Jan 22 01:27:38.765: ICMP type=8, code=0
    .Jan 22 01:27:38.765: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
    .Jan 22 01:27:38.765: ICMP type=0, code=0
    .Jan 22 01:27:39.282: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.286: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:39.286: ICMP type=8, code=0
    .Jan 22 01:27:39.286: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:39.290: ICMP type=0, code=0
    .Jan 22 01:27:39.763: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:39.767: IP: s=192.168.100.2 (Ethernet0/0), d=172.16.45.1, len 60, rcvd 4
    .Jan 22 01:27:39.767: ICMP type=8, code=0
    .Jan 22 01:27:39.767: IP: s=172.16.45.1 (local), d=192.168.100.2 (Ethernet0/0), len 60, sending
    .Jan 22 01:27:39.767: ICMP type=0, code=0
    .Jan 22 01:27:40.283: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:40.287: IP: s=192.168.100.2 (Ethernet0/0), d=192.168.45.67 (Ethernet0/1), g=192.168.45.67, len 60, forward
    .Jan 22 01:27:40.287: ICMP type=8, code=0
    .Jan 22 01:27:40.287: IP: s=192.168.45.67 (Ethernet0/1), d=192.168.100.2 (Ethernet0/0), g=192.168.100.2, len 60, forward
    .Jan 22 01:27:40.291: ICMP type=0, code=0
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGNP: list 103 permitted 50 216.16.193.52 -> <VPN ROUTER E0/0 INTERFACE>, 222 packets
    .Jan 22 01:27:40.596 GMT: %SEC-6-IPACCESSLOGP: list 103 permitted udp 216.16.193.52(500) -> <VPN ROUTER E0/0 INTERFACE>(500), 16 packets
    Here is where I initiate a telnet connection to a host 2.2.2.2 (a dummy host on the "Internet") from a host on the internal side (LAN) (192.168.45.1):
    .Jan 22 01:27:40.600: IP: s=192.168.45.1 (Ethernet0/1), d=2.2.2.2 (Ethernet0/0), g=2.2.2.2, len 44, forward
    .Jan 22 01:27:40.600: TCP src=38471, dst=23, seq=953962328, ack=0, win=4128 SYN
    .Jan 22 01:27:40.764: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    Here is where my VPN connection breaks:
    .Jan 22 01:27:40.768: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:41.285: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:41.285: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:45.773: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:45.777: IPSEC(epa_des_crypt): decrypted packet failed SA identity check
    .Jan 22 01:27:46.774: IP: s=<VPN PC CLIENT> (Ethernet0/0), d=<VPN ROUTER E0/0 INTERFACE> (Ethernet0/0), len 112, rcvd 3, proto=50
    .Jan 22 01:27:46.774: IPSEC(epa_des_crypt): decrypted packet failed SA identity check

    Ok..I found the bug ID for this:
    CSCdz46552
    the workaround says to configure an ACL on the dynamic ACL.
    I don't understand what that means.
    I found this link:
    http://www.cisco.com/en/US/products/sw/secursw/ps2138/products_maintenance_guide_chapter09186a008007da4d.html#96393
    and they talk about it, but I'm having a hard time decoding what this means:
    "To specify an extended access list for a crypto map entry, enter the match address crypto map configuration command. This access list determines which traffic should be protected by IPSec and which traffic should not be protected by IPSec. If this is configured, the data flow identity proposed by the IPSec peer must fall within a permit statement for this crypto access list. If this is not configured, the router will accept any data flow identity proposed by the IPSec peer. However, if this is configured but the specified access list does not exist or is empty, the router will drop all packets."
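The three cases in the quoted paragraph (no `match address`, a `match address` that names a missing or empty list, and a list with permit statements) can be modelled as below. This is an added example, not part of the original post and not Cisco code; the /24 masks, the function names, and the sample proposals are assumptions built around the addresses seen in the debug output above.

```python
import ipaddress

# Outcome labels for the three cases in the quoted documentation paragraph.
ACCEPT, REJECT, DROP_ALL = "accept", "reject", "drop-all"


def net(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network (contiguous wildcards only)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_proposal(crypto_acl, local, remote):
    """
    crypto_acl: None  -> no 'match address' on the crypto map entry
                []    -> 'match address' names a missing or empty list
                [(local_net, remote_net), ...] -> the list's permit statements
    local/remote: data flow identity proposed by the peer, written from the
                  router's point of view (local side first).
    """
    if crypto_acl is None:
        return ACCEPT        # "the router will accept any data flow identity"
    if not crypto_acl:
        return DROP_ALL      # "the router will drop all packets"
    for permit_local, permit_remote in crypto_acl:
        # The proposal must fall entirely within one permit statement.
        if local.subnet_of(permit_local) and remote.subnet_of(permit_remote):
            return ACCEPT
    return REJECT


# Constructed sample: protect LAN 192.168.45.0/24 towards a client pool
# 192.168.100.0/24 (masks are assumptions; only host addresses are on the page).
SAMPLE_ACL = [(net("192.168.45.0", "0.0.0.255"), net("192.168.100.0", "0.0.0.255"))]
CLIENT = net("192.168.100.2", "0.0.0.0")
LAN = net("192.168.45.0", "0.0.0.255")
ANY = ipaddress.ip_network("0.0.0.0/0")

if __name__ == "__main__":
    for label, acl, local in [
        ("no match address, peer proposes any", None, ANY),
        ("empty list", [], LAN),
        ("list set, proposal inside permit", SAMPLE_ACL, LAN),
        ("list set, peer proposes any", SAMPLE_ACL, ANY),
    ]:
        print(f"{label:40s} -> {check_proposal(acl, local, CLIENT)}")
```
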

  • HT4199 I just got a new iPod touch 4th generation and I'm trying to connect to my router and my iPod says, 'Cannot find network.' I don't know what to do! No other networks come up on the list so I can't 'tag' along with their wifi. Please help. I need a

    I just got a new iPod touch 4th generation and I'm trying to connect to my router and my iPod says, 'Cannot find network.' I don't know what to do! No other networks come up on the list so I can't 'tag' along with their wifi. Please help. I need advice.

    What type of network is your router set up for? The 4G iPod can only connect to and see 2.4 GHz networks like B, G and the 2.4 GHz N. There is also a 5 GHz N but the iPod will not even see that network.
    See:
    iOS: Troubleshooting Wi-Fi networks and connections
    iOS: Recommended settings for Wi-Fi routers and access points
