851 Router Config Issue
Hi all,
Hopefully this will be a nice easy one for you all.
I have recently configured and installed an 851 router successfully :) I now only have one issue, the damn thing switches itself off after a period of inactivity!
If I want to use it again I have to issue a reset command then a boot command.
This takes me to the:
router>
prompt. I then have to issue a copy start run command. And then a no shut on each of my interfaces.
Obviously I would just like the router to stay up and running. But I can't work out how to do it. I'm sure that this is just a simple config issue and I would dearly love for you all to solve it!
If any of you know the answer can you please provide clear and accurate commands as I will copy it parrot fashion into the router.
Thank you all in advance.
Stuart
Hello,
as spremkumar already pointed out, the config register is usually set to 0x2102. You can reconfigure the register by:
Router#configure terminal
Router(config)#config-register 0x2102
Router(config)#end
Then perform a reload and check whether the config is present after the router has finished booting.
Hope this helps! Please rate all posts.
Regards, Martin
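As an added illustration of Martin's answer (example code, not from the thread): the configuration register is a bit field, and the value that decides whether the saved startup-config is loaded is bit 6 (0x40). The snippet decodes a register value and reads the "Configuration register is ..." line that `show version` prints, including the "(will be ... at next reload)" form IOS uses when the register has been changed but the router has not been reloaded yet. Bit meanings follow Cisco's documentation of the register; the `show version` tail is a constructed sample.

```python
"""Added example, not code from the thread: decode an IOS configuration register
and read the 'Configuration register is ...' line that 'show version' prints, so
the value Martin recommends (0x2102) can be compared with what a router is
actually using. Bit meanings follow Cisco's documentation of the register."""
import re

# Low four bits: the boot field.
BOOT_FIELD = {
    0x0: "stay in ROM monitor (rommon)",
    0x1: "boot the first image in flash (boot helper)",
}
# Single-bit options that matter most in practice.
FLAG_BITS = {
    0x0040: "ignore the startup-config in NVRAM",
    0x0100: "disable the console Break key",
    0x2000: "boot default ROM software if the network boot fails",
}

def decode_config_register(value):
    """Return a dict describing what the register value does at boot."""
    boot_field = value & 0xF
    boot = BOOT_FIELD.get(
        boot_field, "boot per 'boot system' commands, then the first flash image")
    return {
        "boot": boot,
        "ignores_startup_config": bool(value & 0x0040),
        "flags": [text for bit, text in FLAG_BITS.items() if value & bit],
    }

def loads_saved_config(value):
    """True when the router boots IOS and applies the config saved in NVRAM."""
    return (value & 0xF) != 0x0 and not (value & 0x0040)

SHOW_VERSION_RE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?")

def register_from_show_version(text):
    """Extract (current, at_next_reload) from 'show version' output; the second
    value equals the first when no change is pending."""
    m = SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError("no configuration register line found")
    current = int(m.group(1), 16)
    pending = int(m.group(2), 16) if m.group(2) else current
    return current, pending

# Constructed 'show version' tail (not real output): a router left in the
# password-recovery setting, corrected with 'config-register 0x2102' but not
# yet reloaded.
SAMPLE_SHOW_VERSION = """\
Router uptime is 2 minutes
Configuration register is 0x2142 (will be 0x2102 at next reload)
"""

if __name__ == "__main__":
    current, pending = register_from_show_version(SAMPLE_SHOW_VERSION)
    for label, value in (("now", current), ("after reload", pending)):
        d = decode_config_register(value)
        print(f"{label}: {value:#06x} -> {d['boot']}; "
              f"ignores startup-config: {d['ignores_startup_config']}")
```

A register of 0x2142 boots IOS but skips NVRAM, which produces exactly the empty `router>` prompt and the need for `copy start run` described in the question; 0x2102 keeps the Break-disabled and ROM-fallback bits and loads the saved config.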
Similar Messages
-
Forgive me, I have configured several routers on the inside but never a default gateway. It seems simple enough but I am stuck.
I can ping the Gateway from the inside. I can ping the inside from the gateway. I can ping the outside from the gateway, but I cannot ping the outside from the inside. (Or get to the DNS server, assuming they have ICMP turned off.) Here's my config (IPs have been changed to protect the innocent :) )
My guess is something is screwed up with NAT
Configuring g
!b
boot-start-ma
no
ip subnet-zeroered, becomes
no ip routinghe configurat
!n
!e
no ip cef
interface Ethernet0er enable secret: b
ip address 63.223.13.115 255.255.255.128The enable password is used when you do n
ip access-group 20 out
[OK]
ip nat outside
*Mar
enable
no ip route-cacheith some older sof
half-duplexs, and Trans
!i
ip nat inside source list 20 pool poolone
ip nat inside source static 192.168.10.5 63.223.13.121
ip classless
ip route 0.0.0.0 0.0.0.0 63.223.13.1
no ip http server
access-list 20 permit 192.168.0.0 0.0.255.255
banner login ^Cc
###### WARNING ######
AUTHORIZED ACCESS ONLY^C
line con 0
password 7 03005A1C011C70
login
line aux 0
line vty 0 4
password 7 06020E364B5D58
login
no scheduler allocate
end
ZaxT1#
Pro Inside global Inside local Outside local Outside global
--- 63.223.13.121 192.168.10.5 --- ---
ZaxT1#
I do not know how you generated this config listing, but it seems to be quite garbled. So I am not sure how accurately we can evaluate it.
But one thing that does appear to be there is that you are using access list 20 to control what addresses get translated by NAT and it permits 192.168.0.0/16. So any address in 190.168.0.0 will get translated. However, the same access list is applied outbound on Ethernet 0. So Ethernet 0 will only permit outbound traffic whose source address is 190.168.x.x. Except all these addresses have been translated, so that the source address is no longer 192.168.x.x. This would prevent any traffic going out through Ethernet 0.
Do not use the same access list to control translation and to control outbound traffic on the interface.
HTH
Rick -
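The order of operations Rick's answer relies on, as an added example (not code from the thread): for a packet leaving through the `ip nat outside` interface, IOS performs the inside-to-outside translation before it evaluates the outbound access-group on that interface, so the outbound ACL only ever sees the translated address. The model below uses ACL 20 and the static NAT entry as posted; the dynamic pool addresses and the separate outbound list `ACL_OUT` are constructed for the example, since the post does not show the pool range.

```python
"""Added example, not code from the thread: a small model of the IOS
inside-to-outside order of operations that Rick's answer relies on. For a packet
leaving through the 'ip nat outside' interface, IOS applies the inside-to-outside
NAT translation before it evaluates the outbound access-group on that interface,
so that ACL sees the translated (global) source address."""
from ipaddress import IPv4Address

def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'do not care'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def standard_acl(acl, source):
    """Standard ACLs look only at the source address; first match wins,
    and every IOS ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(source, network, wildcard):
            return action
    return "deny"

# From the post: "access-list 20 permit 192.168.0.0 0.0.255.255"
ACL_20 = [("permit", "192.168.0.0", "0.0.255.255")]

# From the post: "ip nat inside source static 192.168.10.5 63.223.13.121"
STATIC_NAT = {"192.168.10.5": "63.223.13.121"}
# The post names the dynamic pool "poolone" but does not show its range; these
# addresses are constructed for the example.
POOL_ONE = ["63.223.13.116", "63.223.13.117"]

def nat_inside_to_outside(source):
    """Static entries win; otherwise ACL 20 decides whether a pool address is used."""
    if source in STATIC_NAT:
        return STATIC_NAT[source]
    if standard_acl(ACL_20, source) == "permit":
        return POOL_ONE[0]      # simplified: always hand out the first pool address
    return source               # not eligible for translation

def egress_ethernet0(source, outbound_acl):
    """Return (source address on the wire, verdict of the outbound ACL)."""
    translated = nat_inside_to_outside(source)
    return translated, standard_acl(outbound_acl, translated)

# The fix Rick describes: a separate outbound list. This constructed one permits
# the router's public /25 (Ethernet0 is 63.223.13.115/25 in the post), so only
# translated traffic leaves; an untranslated private source is still dropped.
ACL_OUT = [("permit", "63.223.13.0", "0.0.0.127")]

if __name__ == "__main__":
    for src in ("192.168.10.5", "192.168.20.7", "172.16.0.9"):
        print(src, "with ACL 20 outbound  ->", egress_ethernet0(src, ACL_20))
        print(src, "with separate ACL_OUT ->", egress_ethernet0(src, ACL_OUT))
```

With ACL 20 reused outbound, the translated static host 63.223.13.121 and every pool address fail the 192.168.0.0/16 check and are dropped; with a list written for the post-translation addresses they pass, while a private source that was never translated is still denied.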
WRT54G firmware failure leaving no access to router config
I have a WRT54G router. Running Vista SP2 64-bit on a laptop wired to the router. When I first tried to upgrade the firmware I was connected wirelessly. (I know, please just think it but don't type it.) During the upgrade the internet connection disconnected and the upgrade failed. I am connecting right now wirelessly using someone's unsecured network. I attempted to upgrade the firmware to 8.00.7. Since then I am unable to access the router config using IP 192.168.1.1. I have read as many posts as I can handle. I have checked and that is the IP showing in Vista (Network & Sharing, view status, properties); however I cannot ping that IP. It times out every time. I have done all the resets (10 seconds and up to 1 minute) on the router and power cycle etc. Nothing. I downloaded the firmware utility and I get an error message every time that it is unable to get responses from the server. I have tried my password, which I think is gone due to all the resets, and am using admin as the password. I have disabled my firewall. I do have Network Magic and when I checked control internet access it says I am able to do so. Is there a way to disable Network Magic? Can that be the issue? When all this started I had my own internet connection. I'm in the process of moving so I have disconnected my internet service. Since I'm only trying to connect to the router locally, do I really need to have a live internet connection? Please, HELP! I don't want to buy a new router. This one has been very reliable. If I do have to buy something new, can you recommend something just as reliable?
There have been 2 or 3 times where it looked as though I was going to be able to connect to the config interface, and the first basic screen loads with minimal data and no clickable links to allow me to change screens. The "&" from one of the links that is supposed to appear but does not is the only thing that appears in that area, and if I click it, I either get an error from IE that it cannot connect, or it takes me to the Ports screen with minimal data and I cannot progress from there. In the top right corner of the screen, it does show the firmware version is 8.00.7. ?????
P.S. Obviously, I'm not very computer savvy so excuse me if I'm missing the obvious.
Message Edited by Steviegt on 09-29-2009 08:38 AM
Message Edited by Steviegt on 09-29-2009 08:43 AM
Windows Vista Home Premium SP2 64-bit
Internet Explorer v8
Office 2007 SP2 Home and Student
Outlook 2007 Standalone
ESET Smart Security
WRT54G v8.00.6
It's great that your issue has been resolved now...
-
Reg:FWSM router mode issue
Hi,
I have a Cisco FWSM installed in a Cisco 7613 router; the topology is as shown below:
7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29]
Here we created a p2p link between the 7613 gig port and the 3560 gig port (say 10.220.1.252/29), and then there is a trunk between both 3560 switches. We wish to run the FWSM in router mode and configured vlan groups 10 (101,102) and 20 (200,201), and assigned both these groups to the firewall module. On the router, vlan 200 has been given IP address 192.168.2.1/24, while on the FWSM int vlan 200 has been given 192.168.2.2. Although the interfaces are up and ping their individual IP addresses, they do not ping each other (both IP addresses appear in sh arp though). Kindly help in resolving this issue.
Also I configured vlan 201 as inside; it is also up and visible in the router's arp but not pinging others. Kindly help in the resolution of this issue.
We need to put this firewall in front of the router, which has a serial line to another 7600 router. How would I take traffic to the FWSM? Please suggest what else I need to do, as I'm new to FWSM.
router config:
Router#sh firewall module
Module Vlan-groups
04 1,2
Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group Created by vlans
1 ACE 100-101,200-202
2 <empty>
Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.225.62.145 - 001d.a156.9300 ARPA GigabitEthernet10/1
Internet 10.225.62.146 107 001d.a1a5.fbc1 ARPA GigabitEthernet10/1
Internet 192.168.2.1 - 001d.a156.9300 ARPA Vlan200
Internet 192.168.2.2 7 0007.0e5c.3d00 ARPA Vlan200
Internet 192.168.3.1 4 0007.0e5c.3d00 ARPA Vlan201
Internet 192.168.3.2 - 001d.a156.9300 ARPA Vlan201
Fwsm config:
hostname FWSM
interface Vlan200
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
interface Vlan201
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#
FWSM# sh arp
outside 192.168.2.1 001d.a156.9300
inside 192.168.3.2 001d.a156.9300
eobc 127.0.0.81 0000.1800.0000
FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.2.2, subnet mask 255.255.255.0
Traffic Statistics for "outside":
6 packets input, 658 bytes
12 packets output, 1316 bytes
474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
6 packets input, 658 bytes
7 packets output, 726 bytes
107 packets dropped
hi,
Thanks for being so helpful. There is a little issue that's arisen: I cannot ping the inside address configured on the FWSM (192.168.3.1), whereas I can ping 192.168.3.2 on the router interface. I cannot telnet to the FWSM using its outside interface IP 192.168.2.2 either. Here is my FWSM config; kindly suggest if there is any mistake.
thanks.
Also I tried to ping the inside FWSM interface from my client 10.220.2.2 and enabled debug, to get these:
FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
Kindly suggest what could be done.
thanks. -
I have an AirPort Extreme as my router and am using a Time Capsule to extend the network in my new house. My ISP is only providing me 4-5 IP addresses and wants me to set up my router to issue out new IP addresses for all my devices. How do I fix this? Help.
They said I need to change my settings to NAT settings. I haven't been able to figure out or find anything. I have also spoken to Apple Support on the phone for hours without being able to figure out how to do this (I don't think he knew much either, lol). Please help me because I've got about 15-20 devices in my house that require to be connected to the internet and this is just making things ridiculously slow and painful for me.
Thanks!
It is on DHCP & NAT under router mode, yet my ISP is still the one issuing IP addresses to my devices instead of the router issuing them.
-
I can sync bookmarks in Firefox for Android, but only the ones that are in the Bookmarks main folder; the folders created below the main folder are not synchronized. Is this a bug or a config issue?
Thanks
Thanks Barney, I tried that, but all that comes up in Spotlight are the log files that show the file paths! I don't know how Steam works. Are all the files held by Steam on their server perhaps?
-
Disappearance of IP Routing config on 6509
Our 6509 switch (Cisco WS-C6504-E) suddenly lost its routing table & entire routing configs, including all static & dynamic route configurations.
We had to turn on ip routing & restore the routing configuration.
Has anyone experienced this, and could it be some kind of caveat with the MSFC or the Layer 3 engine?
Any thoughts are welcome.
No config changes were applied to the switch, except that only an SNMP IP address was allowed.
Thanks
Prabs
Ah, ok, thanks. I guess that was pretty obvious, now that I know the answer.
The "ip routing" command isn't mentioned anywhere in the CLI documentation, but I guess if I'd thought about it a little longer, I may have come to the same conclusion.
Thanks Tom. -
Review my first 892 router config
This is the first router config that I have done, and I used the CLI to program a Cisco model 892. There are about 10 users behind this router connected to a series SG300 switch. This router will provide DHCP, VLANs, and NAT access to the internet (via cable modem). The LAN port is FE0 and the WAN port is FE8 to the internet. There are 4 Cisco WAP321s connected with two SSIDs. The guest SSID (internet access only) uses VLAN2 and the normal SSID uses VLAN1. Please let me know if there are security or efficiency improvements that I can add to this. Thanks!
! Last configuration change at 20:04:03 PST Mon Dec 22 2014
! NVRAM config last updated at 15:10:16 PST Mon Dec 22 2014
! NVRAM config last updated at 15:10:16 PST Mon Dec 22 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gateway
boot-start-marker
boot config usbflash0:CVO-BOOT.CFG
boot-end-marker
no aaa new-model
clock timezone PST -8 0
ip cef
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.8.1 192.168.8.99
ip dhcp pool data
import all
network 192.168.8.0 255.255.255.0
default-router 192.168.8.1
dns-server 192.168.8.60
domain-name summmitdrive.local
ip dhcp pool guest_wifi
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 64.59.168.13 64.59.168.15
no ip domain lookup
ip domain name summitdrive.local
ip host gateway 192.168.0.1
ip host fs1 192.168.8.60
ip name-server 64.59.168.13
ip name-server 64.59.168.15
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FCZ1714C2ZD
username sdcadmin privilege 15 secret 4 zsc1w55wVxL1behpFMAW8XrxKcVujVnNHLpMKP.ZgXk
redundancy
ip ssh version 2
interface Loopback0
ip address 192.168.0.1 255.255.255.0
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
no ip address
interface FastEthernet5
no ip address
interface FastEthernet6
no ip address
interface FastEthernet7
no ip address
interface FastEthernet8
ip address 184.71.128.156 255.255.255.252
ip access-group INBOUND_INTERNET in
ip nat outside
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
interface Vlan1
description data_vlan
ip address 192.168.8.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
description guest_vlan
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list NAT interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 184.71.128.154
ip access-list extended INBOUND_INTERNET
permit icmp any host 184.71.125.118 echo-reply
permit icmp any host 184.71.125.118 time-exceeded
permit icmp any host 184.71.125.118 unreachable
deny ip any any log
ip access-list extended NAT
permit ip 192.168.0.0 0.0.255.255 any
ip access-list extended SSH
permit ip 192.168.8.0 0.0.0.255 any
control-plane
mgcp profile default
line con 0
logging synchronous
line aux 0
line vty 0 4
access-class SSH in
exec-timeout 5 0
login local
transport input ssh
ntp server 1.ca.pool.ntp.org
ntp server 0.ca.pool.ntp.org
end
I've modified INBOUND_INTERNET:
ip access-list extended INBOUND_INTERNET
permit icmp any host 184.71.125.118 echo-reply
permit icmp any host 184.71.125.118 time-exceeded
permit icmp any host 184.71.125.118 unreachable
permit udp any any eq ntp
permit tcp any any established
deny ip any any log
The idea is to block anything inbound unless it is an already established connection from the inside. Does that make sense? -
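To make the behaviour of the modified INBOUND_INTERNET list concrete, here is an added example (not code from the thread) that evaluates the six entries, as posted, against a handful of constructed inbound packets on FastEthernet8. Two points of IOS behaviour drive the results: `established` is stateless and matches any TCP segment with the ACK or RST bit set, and an inbound ACL is checked before the outside-to-inside NAT translation, so replies for NAT'd inside hosts are judged by it too. The host address, ports and sample peers are those of the posted ACL or constructed for the example.

```python
"""Added example, not code from the thread: how the modified INBOUND_INTERNET
list treats a few inbound packets on FastEthernet8. 'established' is a
stateless check in IOS: the entry matches any TCP segment whose ACK or RST bit
is set, nothing more. The list is evaluated before outside-to-inside NAT, so
replies destined for inside hosts are judged by it as well."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0                   # destination port (tcp/udp)
    flags: frozenset = frozenset()   # TCP control bits set, e.g. {"SYN"} or {"ACK"}
    icmp_type: str = ""              # IOS keyword, e.g. "echo-reply"

WAN_HOST = "184.71.125.118"          # host address used in the posted ACL

# The modified INBOUND_INTERNET from the post, one dict per entry.
# Keys that are absent mean 'any'.
INBOUND_INTERNET = [
    dict(action="permit", proto="icmp", dst=WAN_HOST, icmp_type="echo-reply"),
    dict(action="permit", proto="icmp", dst=WAN_HOST, icmp_type="time-exceeded"),
    dict(action="permit", proto="icmp", dst=WAN_HOST, icmp_type="unreachable"),
    dict(action="permit", proto="udp", dport=123),            # permit udp any any eq ntp
    dict(action="permit", proto="tcp", established=True),    # permit tcp any any established
    dict(action="deny", log=True),                           # deny ip any any log
]

def entry_matches(entry, pkt):
    if entry.get("proto", "ip") not in ("ip", pkt.proto):
        return False
    if "dst" in entry and entry["dst"] != pkt.dst:
        return False
    if "dport" in entry and entry["dport"] != pkt.dport:
        return False
    if "icmp_type" in entry and entry["icmp_type"] != pkt.icmp_type:
        return False
    # 'established': true when the ACK or RST control bit is set; no session state.
    if entry.get("established") and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; returns (action, logged)."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"], bool(entry.get("log"))
    return "deny", False            # implicit deny at the end of the list

# Constructed sample traffic arriving on FastEthernet8 (documentation prefixes
# for the peers; 64.59.168.13 is the name-server from the posted config).
SAMPLES = {
    "reply to an inside host's HTTPS session (via NAT overload)":
        Packet("tcp", "203.0.113.10", WAN_HOST, 51514, frozenset({"ACK"})),
    "new inbound SSH connection attempt":
        Packet("tcp", "203.0.113.20", WAN_HOST, 22, frozenset({"SYN"})),
    "NTP reply from the pool server":
        Packet("udp", "198.51.100.7", WAN_HOST, 123),
    "UDP DNS reply to the router's name-server query":
        Packet("udp", "64.59.168.13", WAN_HOST, 53467),
    "ping reply for an inside host":
        Packet("icmp", "198.51.100.9", WAN_HOST, icmp_type="echo-reply"),
}

def classify_samples():
    return {name: evaluate(INBOUND_INTERNET, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, logged) in classify_samples().items():
        print(f"{action:6} {'(logged)' if logged else '':8} {name}")
```

The unsolicited SYN is dropped and logged as intended, and TCP replies pass. The UDP DNS reply is also dropped, because `established` applies only to TCP and the list permits no UDP other than NTP; a stateful inspection feature (`ip inspect` or a zone-based firewall) tracks outbound sessions and opens the return path per session, which a stateless ACL cannot do.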
Security Wireless 857w router config.
Hi,
I do have adsl & wireless internet connection running properly under my Cisco 857w router.
However, I am trying to configure the WAP, without success; my wifi internet connection is still open for everyone.
I will really appreciate your advices.
Thanks in advance.
Daniel.
Hi Brandon,
Thanks for your response, but unfortunately I could not set up my wireless security yet.
With the following config I am unable to connect with my laptop:
Encryption mode: "Cipher TKIP"
Authentication Key Management:
Key Management: "Mandatory" "WPA"
WPA Preshared key: "xxxxxxxxx" "ascii"
I mean, if I want to connect with my laptop via wifi, the router encryption mode needs to be configured to (none).
Here below I attached my router config, maybe you can see what is wrong on it.
Thanks in advance.
Daniel -
I am a developer getting started with Solaris 10 configuration. I recently installed Solaris 10 and have run into an issue with network connectivity.
I have done much research on this and I was able to get communication to the internet established once, but the settings were lost on reboot.
Overview - The Solaris box is connected to a router which is acting as a DHCP server.
AMD 64 dual 2.6
nForce4+ integrated NIC
1) I am not able to obtain an address from the router. Nor do I get a response back when I ping it. I get an IP etc. if I boot into Windows, so physical connectivity is fine.
2) Upon reboot the device nfo0 as shown using ifconfig -a has an IP of 0.0.0.0.
3) If I run ifconfig [hostname] my machine gets the ip from the hosts file, but I would like to obtain this from the router.
4) NOTE - the machine shows as active on my router, but the Solaris box cannot be reached from other computers on the network, nor do I get a reply back when pinging the router from the Solaris box.
GOAL - reach and obtain a DHCP from the router and have the changes stick upon reboot.
/etc/hosts contents
127.0.0.1 localhost loghost
192.168.1.55 solarisX /*<-- this is what I get when I do ifconfig nfo0 solarisX */
/etc/hosname.nfo0
netmask + 255.255.255.0
solarisX
/etc/defaultrouter
192.168.1.254
/etc/netmasks
192.168.0.0 255.255.2550
Specific Steps taken:
Using the driver nfo-2.4.5 located at http://homepage2.nifty.com/mrym3/taiyodo/eng/ I did the following.
% cd /.../nfo-x.x.x
% rm obj Makefile
% ln -s Makefile.${KARCH}_${COMPILER} Makefile
% ln -s ${KARCH} obj
where ${KARCH} is the result of `isainfo -n`, and ${COMPILER} is
"gcc" or "suncc" which you want to use to make the driver.
4. Testing
Testing before installation is strongly recommended.
# cd /.../nfo-x.x.x
# /usr/ccs/bin/make install
# ./adddrv.sh
# /usr/ccs/bin/make uninstall (for solaris7, don't remove the file )
# modload obj/nfo
# devfsadm -i nfo (for solaris7, use drvconfig and reboot with -r )
# ifconfig nfoN plumb ( where N is an instance number, typically 0 for first card)
# ifconfig -a ( you will see an entry for nfoN)
# ifconfig nfoN YOUR-HOST-NAME
# ifconfig nfoN ( ensure IP address is correct)
# ifconfig nfoN up ( and then you can test with ping, telnet, ftp ...)
5. Installation
After you ensure that the nfo driver is fully functional, install it.
(1) copy the nfo driver into the kernel directory
# cd /.../nfo-x.x.x
# /usr/ccs/bin/make install
If you do not test the nfo driver yet, execute the following commands:
# ./adddrv.sh
# devfsadm -i nfo (for solaris7, use drvconfig and reboot with -r)
(2) Configure the network interface. Create and/or modify the following file:
/etc/hostname.nfoN
(3) Reboot the system.
# init 6
Edited by: hedger on Nov 16, 2007 11:17 PM
Thanks Alan. I worked on trying to get the NIC working again last night. I had it working once, although the settings did not persist. I can still get the device to load, but I can't communicate with the router (it's not physical, because another OS can reach it).
I took your advice and tried the sys-unconfig. But I did not have much success.
I am wondering if plopping in a new PCI NIC would be the most efficient route to get the server up.
What kind of NIC do you utilize and have had success with?
I am looking at possibly a DLINK DFE-530 or NetGear FA-311. I don't need wireless at this point just a rock solid DEV box.
Thanks again for the previous info.
Ted -
How can I resolve a NAT config issues with Arris router & AE
I'm having NAT conflict issues. None of the existing threads on the forum match my configuration. I have an Arris Cable Router/Modem (Time Warner) with 4 ports. Port 1 feeds an unmanaged switch for ethernet connected devices, and port 2 on the Arris router feeds an AirPort Express. Getting "Double NAT Status" in AirPort Utility for the AE. How can I resolve this while not affecting my wired devices? Thanks so much!
To resolve the NAT conflict you simply need to reconfigure the AirPort Express as a bridge.
You would do so using the AirPort Utility, as follows:
Run the AirPort Utility, and then, select the AirPort Express.
Select Edit.
Select the Network tab.
Change Router Mode to: Off (Bridge Mode)
Select Update and allow the Express to restart. -
2851 router vpn to 851 router lan clients cannot ping
Greets - I'm expanding my lab experience by adding a 2851 router to my mix of 18xx and 851/871 units. Some of this infrastructure is in production, some just lab work. I have established good connectivity between 18xx's and 851/871's with IPSEC VPNs (site-to-site static and dynamic), but my problem is with adding in a 2851.
Setup: 2851 with 12.4 ADVENTK9, WAN on GE0/0 as 216.189.223.bbb/26, LAN on GE0/1 as 172.20.0.1/20 (VPN module, but no additional HWIC modules)
851 with 12.4 ADVENTK9, WAN on FE4 as 216.53.254.aaa/24, LAN on FE0..3 via BVI1 as 172.21.1.1/24
The two router WAN ports are bridged via a 3rd router (a Zywall with 216.0.0.0/8 route, with the router at 216.1.1.1) affectionately called the "InterNOT", which provides a surrogate to the great web, minus actual other hosts and dns, but it doesn't matter. As both my WAN addresses are within 216.x.x.x, this works quite well. This surrogate has tested fine and is known to not be part of a problem.
The 851 has been tested against another 851 with complementary setup and a successful VPN can run between the two.
I have good LAN-WAN connections on each router. I do have a "Good" VPN connection between the two routers.
The problem: I cannot ping from a LAN host on 172.20.x.x on the 2851 to any 172.21.1.x (eg 172.21.1.1) host on the 851, and vice versa.
From a LAN host, I can ping to my InterNOT - for example a dhcp host 172.20.6.2 on the 2851 LAN can ping 216.1.1.1 fine. I can also ping the 851's WAN address at 216.53.254.aaa.
To complicate matters, if I connect to the routers via console, I CAN ping across the vpn to the destination LAN hosts, in both directions.
This seems to indicate that there is a bridging problem between the LAN interfaces to the VPN interfaces. I suspect this is a config problem on the 2851, as I have had a similar config working on my 851 to 851 site-to-site setups. I also suspect it is in the 2851's config as I'm still just starting out with this particular router.
So some stripped-down configs:
For the 2851:
no service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router2851
boot-start-marker
boot-end-marker
no logging buffered
no logging console
enable password mypassword2
no aaa new-model
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.6.1
ip dhcp excluded-address 172.20.6.254 172.20.15.254
ip dhcp pool Internal_2000
import all
network 172.20.0.0 255.255.240.0
domain-name myseconddomain.int
default-router 172.20.0.1
lease 7
no ip domain lookup
multilink bundle-name authenticated
voice-card 0
no dspfarm
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-2995823027
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.53.254.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.53.254.aaa
set peer 216.53.254.aaa
set transform-set ESP-3DES-SHA
match address 100
interface GigabitEthernet0/0
description $ETH-WAN$
ip address 216.189.223.bbb 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
no shut
interface GigabitEthernet0/1
description $FW_INSIDE$$ETH-LAN$
ip address 172.20.0.1 255.255.240.0
ip nat inside
ip virtual-reassembly
no ip route-cache
duplex auto
speed auto
no mop enabled
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.15.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
banner motd ~This is a private computer system for authorized use only. And Stuff~
line con 0
line aux 0
line vty 0 4
privilege level 15
password mypassword
login local
transport input telnet ssh
scheduler allocate 20000 1000
end
And for the 851:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname router851
boot-start-marker
boot-end-marker
logging buffered 52000 debugging
no logging console
enable password mypassword
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
resource policy
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip dhcp use vrf connected
ip dhcp excluded-address 172.21.1.1 172.21.1.100
ip dhcp pool Internal_2101
import all
network 172.21.1.0 255.255.255.0
default-router 172.21.1.1
domain-name mydomain.int
dns-server 172.21.1.10
lease 4
ip cef
ip domain name mydomain.int
ip name-server 172.21.1.10
crypto pki <<truncated>>
crypto pki certificate chain TP-self-signed-3077836316
<<truncated>>
quit
username myusername privilege 15 password 0 mypassword2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mysharedkey address 216.189.223.aaa
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to216.189.223.bbb
set peer 216.189.223.bbb
set transform-set ESP-3DES-SHA2
match address 100
bridge irb
interface FastEthernet0
spanning-tree portfast
interface FastEthernet1
spanning-tree portfast
interface FastEthernet2
spanning-tree portfast
interface FastEthernet3
spanning-tree portfast
interface FastEthernet4
description $ETH-WAN$
ip address 216.53.254.aaa 255.255.254.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
no shut
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
interface BVI1
description Bridge to Internal Network
ip address 172.21.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 172.21.1.0 255.255.255.0 BVI1
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 172.21.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 remark IPSec Rule
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
bridge 1 route ip
banner motd ~This is a private computer system for authorized use only. And Stuff.~
line con 0
password mypassword
no modem enable
line aux 0
line vty 0 4
password mypassword
scheduler max-task-time 5000
end
Note that the above are somewhat stripped-down configs, without firewall or WAN ACL's - interestingly my default WAN-Inbound ACLs seem to break connectivity when included, so I realize I have some more cleanup to do there, but the 2851 LAN bridging seems to be what I should concentrate on first.
I'm still googling some of the particulars with the 2851, but any assistance is appreciated.
Regards,
Ted.
Hi,
First, please delete NAT. If we configured NAT in the RRAS, the source IP address in all packets sent to 192.168.1.0/24 would be translated to 192.168.1.224.
Second, please enable LAN routing on the RRAS server. To enable LAN routing, please follow the steps below:
1. In the RRAS server, open Routing and Remote Access.
2. Right-click the server name, then click Properties.
3. On the General tab, select the IPv4 Router check box, and then click Local area network (LAN) routing only.
Then,announce the 172.16.0.0 network to the router.
To learn more details about enabling LAN routing, please refer to the link below,
http://technet.microsoft.com/en-us/library/dd458974.aspx
Best Regards,
Tina -
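Two consistency checks a practitioner runs first on a crypto-map VPN like the 2851/851 pair Ted posted, as an added example (not code from the thread; the reply above it concerns RRAS and not these configs): the crypto ACLs (access-list 100 on each side) must be mirror images, and the NAT route-map ACL (access-list 101) must deny the VPN traffic so it is left untranslated before encryption. The checker parses the `access-list` lines exactly as posted; the variant `BAD_851` with a wrong wildcard is constructed to show the mirror check failing.

```python
"""Added example, not code from the thread: consistency checks for the
site-to-site IPsec pieces of the posted 2851 and 851 configs. With crypto-map
VPNs, two mistakes account for most 'the tunnel is up but hosts cannot talk'
cases: the crypto ACLs on the two peers are not mirror images, or the NAT
route-map does not exempt the VPN traffic, so it is translated before the
crypto map is consulted and never matches the crypto ACL."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")

def parse_acl_lines(text):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines into
    {acl_number: [(action, (src, wild), (dst, wild)), ...]}; remarks are skipped."""
    acls = {}
    for line in text.strip().splitlines():
        p = line.split()
        if len(p) < 4 or p[0] != "access-list" or p[2] == "remark" or p[3] != "ip":
            continue
        i, pair = 4, []
        for _ in range(2):                       # source block, then destination block
            if p[i] == "any":
                pair.append(ANY); i += 1
            else:
                pair.append((p[i], p[i + 1])); i += 2
        acls.setdefault(p[1], []).append((p[2], pair[0], pair[1]))
    return acls

def to_int(addr):
    return int(IPv4Address(addr))

def same_block(a, b):
    """Two network/wildcard pairs describe the same block of addresses."""
    (na, wa), (nb, wb) = a, b
    return wa == wb and (to_int(na) & ~to_int(wa)) == (to_int(nb) & ~to_int(wb))

def in_block(addr, block):
    net, wild = block
    return (to_int(addr) & ~to_int(wild)) == (to_int(net) & ~to_int(wild))

def first_host(block):
    """A representative address inside a block: network address + 1."""
    net, wild = block
    return str(IPv4Address((to_int(net) & ~to_int(wild)) + 1))

def crypto_acls_mirror(local, remote):
    """Each permit on one peer must appear on the other with src and dst swapped."""
    lp = [e for e in local if e[0] == "permit"]
    rp = [e for e in remote if e[0] == "permit"]
    return len(lp) == len(rp) and all(
        any(same_block(ls, rd) and same_block(ld, rs) for _, rs, rd in rp)
        for _, ls, ld in lp)

def nat_acl_verdict(nat_acl, src, dst):
    for action, sblock, dblock in nat_acl:
        if in_block(src, sblock) and in_block(dst, dblock):
            return action
    return "deny"          # implicit deny: route-map has no match, nothing is translated

def vpn_traffic_exempt_from_nat(crypto_acl, nat_acl):
    """Spot-check: a host pair taken from every crypto-ACL permit must hit a deny
    in the NAT ACL (deny in a route-map ACL means 'leave the packet untranslated')."""
    return all(nat_acl_verdict(nat_acl, first_host(s), first_host(d)) == "deny"
               for action, s, d in crypto_acl if action == "permit")

# The relevant lines from the posted configs.
ROUTER2851 = """
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 deny ip 172.20.0.0 0.0.15.255 172.21.1.0 0.0.0.255
access-list 101 permit ip 172.20.0.0 0.0.15.255 any
"""
ROUTER851 = """
access-list 100 permit ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255
access-list 101 deny ip 172.21.1.0 0.0.0.255 172.21.101.0 0.0.0.31
access-list 101 permit ip 172.21.1.0 0.0.0.255 any
"""
# Constructed mistake (not from the post): the 851 describes the 2851 LAN as a
# /24 instead of a /20, so the crypto ACLs no longer mirror each other.
BAD_851 = ROUTER851.replace("172.21.1.0 0.0.0.255 172.20.0.0 0.0.15.255\naccess-list 101",
                            "172.21.1.0 0.0.0.255 172.20.0.0 0.0.0.255\naccess-list 101", 1)

def check(local_text, remote_text):
    l, r = parse_acl_lines(local_text), parse_acl_lines(remote_text)
    return {
        "crypto_acls_mirror": crypto_acls_mirror(l["100"], r["100"]),
        "local_nat_exempt": vpn_traffic_exempt_from_nat(l["100"], l["101"]),
        "remote_nat_exempt": vpn_traffic_exempt_from_nat(r["100"], r["101"]),
    }

if __name__ == "__main__":
    print("as posted:", check(ROUTER2851, ROUTER851))
    print("bad wildcard:", check(ROUTER2851, BAD_851))
```

For the configs as posted all three checks pass, which rules out the two classic route-map/crypto-ACL mistakes and points the investigation elsewhere (the 2851 LAN side, as Ted already suspects); the constructed `/24` variant shows how a single wrong wildcard breaks the mirror.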
Ok, I don't know if it's just staring at me ridiculing me, but I am feeling like an idiot here... I have an 871 and all I need to do is some basic rules..
Here is the config I am having the issue with...
I need these statics:
.227 opened and forwarded to these ports:
10.0.0.240 80 tcp
10.0.0.241 81 tcp
10.0.0.242 82 tcp
10.0.0.243 83 tcp
10.0.0.244 84 tcp
10.0.0.9 3389 tcp
then .228 forwarded and all ports opened to 10.0.0.15
Right now it's working for the .228 but the .227 is blocking everything.. If I remove the lines for the 10.0.0.15 *.*.*.228 then everything works for the .227 statics and ports..
What is wrong here???
s run
Building configuration...
Current configuration : 4747 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname ******
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no aaa new-model
resource policy
clock timezone MST -7
ip cef
ip name-server *.*.*.65
ip name-server *.*.*.65
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp router-traffic
ip inspect name SDM_LOW vdolive
crypto pki trustpoint TP-self-signed-974215006
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-974215006
revocation-check none
rsakeypair TP-self-signed-974215006
crypto pki certificate chain TP-self-signed-974215006
certificate self-signed 01
quit
username****** privilege 15 secret 5 34yweth2453723475
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$
ip address *.*.*.226 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
speed auto
interface Vlan1
description $FW_INSIDE$
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip route 0.0.0.0 0.0.0.0 *.*.*.225
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool outside_ip_pool *.*.*.227 *.*.*.230 netmask 255.255.255.248
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.240 80 *.*.*.227 80 extendable
ip nat inside source static tcp 10.0.0.241 81 *.*.*.227 81 extendable
ip nat inside source static tcp 10.0.0.242 82 *.*.*.227 82 extendable
ip nat inside source static tcp 10.0.0.243 83 *.*.*.227 83 extendable
ip nat inside source static tcp 10.0.0.244 84 *.*.*.227 84 extendable
ip nat inside source static tcp 10.0.0.9 3389 *.*.*.227 3389 extendable
ip nat inside source static 10.0.0.15 *.*.*.228
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_4##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip *.*.*.224 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit ip any host *.*.*.228
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
webvpn context Default_context
ssl authenticate verify all
no inservice
end
Hi,
I'm not really familiar with the router firewalls, but I'd just point out what caught my eye (even though there might not be anything wrong with them).
You have ACL 101 attached to the outside interface and it only allows traffic to .228.
You have an outside_ip_pool configuration line that includes the IPs you're going to use for both static NAT and port forwarding. Shouldn't you leave .227 and .228 out of the pool range?
- Jouni -
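To make Jouni's observation checkable, here is an added example (not from the thread) that walks an inbound IOS ACL with first-match semantics and reports which static NAT mappings it never permits. It works on a constructed excerpt of the posted config, with the documentation range 192.0.2.0/24 standing in for the masked public prefix, and includes a tightened ACL 101 that permits exactly the published address/port pairs.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the 871 config above; 192.0.2.0/24 stands in for the masked prefix.
POSTED = """\
ip nat inside source static tcp 10.0.0.240 80 192.0.2.227 80 extendable
ip nat inside source static tcp 10.0.0.9 3389 192.0.2.227 3389 extendable
ip nat inside source static 10.0.0.15 192.0.2.228
access-list 101 permit ip any host 192.0.2.228
"""
# Tightened inbound ACL: permit exactly the published (address, port) pairs.
TIGHTENED = POSTED.replace("access-list 101 permit ip any host 192.0.2.228", """\
access-list 101 permit tcp any host 192.0.2.227 eq 80
access-list 101 permit tcp any host 192.0.2.227 eq 3389
access-list 101 permit ip any host 192.0.2.228""")

def parse_statics(config):
    """Yield (outside_ip, proto, port) per static NAT entry; proto and port
    are None for a one-to-one mapping, which publishes every port."""
    for line in config.splitlines():
        if m := re.match(r"ip nat inside source static (tcp|udp) \S+ \d+ (\S+) (\d+)", line):
            yield m[2], m[1], int(m[3])
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)$", line):
            yield m[2], None, None

def acl_permits(config, acl_id, dst_ip, proto, port):
    """First-match walk of a numbered ACL whose ACEs have source 'any' (all
    this config uses), ending at the implicit deny. Destination is 'any',
    'host A.B.C.D' or 'A.B.C.D WILDCARD', optionally followed by 'eq PORT'."""
    for line in config.splitlines():
        m = re.match(rf"access-list {acl_id} (permit|deny) (\S+) any (.*)$", line)
        if not m:
            continue
        action, ace_proto, rest = m[1], m[2], m[3].split()
        if rest[0] == "any":
            net, rest = ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            net, rest = ip_network(rest[1]), rest[2:]
        else:  # network address followed by a wildcard (host) mask
            net, rest = ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        if ip_address(dst_ip) not in net or (ace_proto != "ip" and ace_proto != proto):
            continue  # this ACE does not cover the mapping; keep walking
        if rest[:1] == ["eq"] and int(rest[1]) != port:
            continue
        return action == "permit"
    return False  # implicit deny at the end of every IOS ACL

def dead_statics(config, acl_id="101"):
    """Published mappings that the inbound ACL never lets through."""
    return [s for s in parse_statics(config) if not acl_permits(config, acl_id, *s)]
```

Run against the posted excerpt it lists both .227 forwards as unreachable, matching the symptom in the question; against the tightened ACL the list is empty.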
Hi guys,
I am having some trouble with this config. All I am looking to do is a simple reverse proxy to this one host. When the page comes up it prompts me to download a bin file... The probe succeeds and it says it's working. I would also like to redirect to /spend. What am I missing?
PA-ACE-4700-SLB/Spend-Support# show run
Generating configuration....
crypto chaingroup SPEND-CHAINGROUP
cert AddTrustExternalCARoot.crt
cert COMODOHigh-AssuranceSecureServerCA.crt
access-list allow line 8 extended permit ip any any
probe tcp HTTPS_PROBE
port 443
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
probe tcp TCP8005_PROBE
port 8005
interval 5
passdetect interval 5
receive 3
connection term forced
open 2
rserver host Spend
ip address 10.0.10.22
inservice
serverfarm host SPEND
probe HTTPS_PROBE
rserver Spend 443
inservice
ssl-proxy service SPEND-SSLPROXY
key ProdKEYPAIR.PEM
cert WWW-PROD-CERT.crt
chaingroup SPEND-CHAINGROUP
class-map type http loadbalance match-any L5
2 match http url /.*
class-map match-all SPEND-CLASS
2 match virtual-address 10.0.1.110 tcp eq https
policy-map type loadbalance first-match HTTPS
class L5
serverfarm SPEND
policy-map multi-match SPEND-SLB
class SPEND-CLASS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1000
ssl-proxy server SPEND-SSLPROXY
interface vlan 1000
ip address 10.0.1.109 255.255.255.0
access-group input allow
nat-pool 1 10.0.1.110 10.0.1.110 netmask 255.255.255.255 pat
service-policy input SPEND-SLB
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.1.8
Thanks!
-Andy
Hey Andy, what's up?
OK, could you explain a little bit what the issue you have is, or what you want to accomplish here?
You said you are typing https://10.0.1.110 and it should show the content of 10.0.10.22 but it does not, or are you typing
https://10.0.1.110/spend and expecting the ACE to magically know what to do?
Could you specify a little bit?
If you are trying to do the following:
https://10.0.1.110/spend
then you may try something like:
class-map type http loadbalance match-any spend
2 match http url /spend
policy-map type loadbalance first-match HTTPS
class spend
serverfarm SPEND
class L5
serverfarm serverfarm-for-others
Please specify what you are looking for.
Jorge
-
Hi All,
Still cutting my teeth with MPLS, and I am labbing up some stuff, and I've come across an issue (or not).
This may be by design, I'm not sure.
I've got a basic P core running OSPF and MPLS. Easy so far.
I've got 2 PEs, one on each side (still with me?).
Attached to each PE I have a CE, and a loopback.
On each side the CE is in one VRF and the loopback is in another.
All straightforward so far. Routing is working; I am using RIP for the CEs and redistribute connected for the loopbacks.
MP-BGP is working fine and the routes are being carried across the core.
I now want to step it up a bit and try out some route leaking. I have imported routes from the CE VRF to the loopback VRF easily
on one PE, and vice versa.
However, the next step is where I get confused. When I import routes into a VRF I would expect to see them
propagated across the MPLS core to the same VRF on the other side of the VPN.
Not sure if it should work like this.
Any opinions??
Thanks all
Stephen
Hi Stephen,
As per your scenario you want to import routes from one VRF into another VRF, so to achieve that you can configure route-targets for the same.
Below is the scenario:
CE 1_A-------------- ------------------- CE1_B
PE 1 ---------------- P ---------------- PE 2
CE 2_A-------------- ------------------- CE 2_B
In the above scenario:
1] CE1_A & CE1_B are in the CUST_A VRF.
2] CE2_A & CE2_B are in the CUST_B VRF.
Now, if you want CE1_A, which is in VRF CUST_A, to communicate with only CE2_A, which is in VRF CUST_B, you can have different RTs. Below is the example for the above scenario.
PE1:
ip vrf CUST_A
rd 65000:100
route-target export 65:100
route-target import 65:100
route-target import 65:20
route-target export 65:10
ip vrf CUST_B
rd 65000:200
! CUST_B keeps its own target 65:200; reusing 65:100 here would leak every route between the two VRFs, not just the intended ones
route-target export 65:200
route-target import 65:200
route-target import 65:10
route-target export 65:20
Here in the above config you can see that in the CUST_A VRF we have exported RT 65:10, and that RT is imported by the CUST_B VRF; in the CUST_B VRF you have exported RT 65:20, and that RT is imported by the CUST_A VRF.
So now you can see that CE1_A & CE2_A will see each other's routes in their routing tables. This is known as an extranet in MPLS.
Regards
Chetan Kumar
http://chetanress.blogspot.com
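The route-target import/export rule described in the reply, as an added simulation that is not part of the thread: every route advertised into MP-BGP carries its source VRF's export targets, and a VRF installs a route when any of those targets appears in its import list. It assumes CUST_B uses its own intra-VRF target 65:200, adds a hypothetical unrelated customer CUST_C to show that it stays isolated, and uses constructed CE prefixes; stripping the extranet targets 65:10 and 65:20 shows that they alone control the leak.

```python
# Constructed from the PE1 VRF definitions in the reply above; the CE prefixes
# and the third, unrelated customer CUST_C are hypothetical additions.
VRFS = {
    "CUST_A": {"export": {"65:100", "65:10"}, "import": {"65:100", "65:20"}},
    "CUST_B": {"export": {"65:200", "65:20"}, "import": {"65:200", "65:10"}},
    "CUST_C": {"export": {"65:300"}, "import": {"65:300"}},
}
CE_ROUTES = {"CUST_A": ["10.1.1.0/24"], "CUST_B": ["10.2.2.0/24"], "CUST_C": ["10.3.3.0/24"]}

def vpnv4_table(vrfs, ce_routes):
    """Each route advertised into MP-BGP carries the export RTs of its source VRF."""
    return [(prefix, origin, frozenset(vrfs[origin]["export"]))
            for origin, prefixes in ce_routes.items() for prefix in prefixes]

def imported_routes(vrfs, ce_routes):
    """A VRF installs a VPNv4 route when any attached RT is in its import list;
    the route's own VRF qualifies too, since it imports its own target."""
    table = vpnv4_table(vrfs, ce_routes)
    return {name: sorted(prefix for prefix, _origin, rts in table if rts & vrf["import"])
            for name, vrf in vrfs.items()}

def without_extranet(vrfs, targets=("65:10", "65:20")):
    """Drop the cross-VRF targets: the leak disappears and each VRF sees only itself."""
    return {name: {d: set(v[d]) - set(targets) for d in ("export", "import")}
            for name, v in vrfs.items()}

if __name__ == "__main__":
    for name, prefixes in imported_routes(VRFS, CE_ROUTES).items():
        print(f"{name}: {prefixes}")
```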