ACS DB Replication Fails Through Cisco Firewalls w/Skinny Policy Inspect

We run Cisco ACS v3.3 (Windows) on two servers over our WAN, and replicate the internal databases for redundancy. The problem is that replications fail between the ACS servers and it is because of the default port the ACS servers use to replicate over...TCP 2000.
Between the two servers are Cisco ASA firewalls running 7.2.2(19). We run Cisco MGCP VoIP phones between the sites as well, which utilize TCP 2000 for call control.
When the policy-inspect skinny command is enabled on the firewalls, the ACS server replication breaks, because the firewall sees that the TCP 2000 packets for the DB replication are not VoIP call control packets.
Is there a way to reconfigure the ACS servers so they use a different port other than TCP 2000? (Registry hack, ini file edit, something???)
Frankly, it is rather lame of Cisco to implement an already defined port for their DB replication that is defined in IETF as a well known port for the skinny protocol. Even worse is that this problem continues to exist into v4.0 as I understand it.
And no...we should not have to disable the inspect-policy for skinny on the ASAs. :-)
Any help to quell my frustration on this topic would be appreciated.
Thanks,
-Scott

Scott,
If disabling the inspection of the skinny protocol is not feasible, the following configuration sample may be incorporated into the firewall configuration so that replication traffic is not affected by the skinny fixup:
In this example, the ACS servers are at IP addresses 10.1.2.3 and 10.4.5.6.
#Define what traffic you want inspected:
access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6
access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3
access-list skinny_acl extended permit tcp any any eq 2000
#Create a class map to match the acl
class-map skinny_map
 match access-list skinny_acl
#Under the global policy, take the skinny inspection out of the
#class inspection_default, and add it under our new class
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
 class skinny_map
  inspect skinny
service-policy global_policy global
###Will be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 172.16.1.2 host 172.16.5.6 eq 2000
Global policy:
  Service-policy: global_policy
    Class-map: skinny_map
      Match: access-list skinny_acl
        Access rule: permit tcp any any eq 2000
      Action:
        Input flow: inspect skinny
FWSM(config-pmap-c)#
###Will not be inspected for skinny###
FWSM(config-pmap-c)# show service-policy flow tcp host 10.1.2.3 host 10.4.5.6 eq 2000
Global policy:
  Service-policy: global_policy
FWSM(config-pmap-c)#
Regards,
~JG
Please rate if it helps!
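The class-map trick above depends on first-match ACL semantics: inside a class-map's match access-list, a deny ACE takes the flow out of the class rather than blocking it, which is why the two deny lines for the ACS pair must come before the permit. The Python below is added here as an illustration (it is not part of the original post or of any Cisco tool); it models that evaluation for the posted skinny_acl and for a constructed variant with the permit line first, and the Flow, Ace and PolicyClass names are its own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed from the answer above: the three ACEs of skinny_acl exactly as posted.
SKINNY_ACL = [
    "access-list skinny_acl extended deny ip host 10.1.2.3 host 10.4.5.6",
    "access-list skinny_acl extended deny ip host 10.4.5.6 host 10.1.2.3",
    "access-list skinny_acl extended permit tcp any any eq 2000",
]

@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp" or "udp"
    src: Optional[str]     # None means "any"
    dst: Optional[str]     # None means "any"
    dport: Optional[int]   # None means any destination port

def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ...' line (host/any addresses, optional 'eq PORT')."""
    tok = line.split()
    if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tok[3], tok[4]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    pos, addrs = 5, []
    for _ in range(2):                       # source, then destination
        if tok[pos] == "any":
            addrs.append(None)
            pos += 1
        elif tok[pos] == "host":
            addrs.append(tok[pos + 1])
            pos += 2
        else:
            raise ValueError(f"unsupported address form in: {line!r}")
    dport = None
    if pos < len(tok):                       # only 'eq PORT' is modelled here
        if tok[pos] != "eq" or pos + 1 >= len(tok):
            raise ValueError(f"unsupported port form in: {line!r}")
        dport = int(tok[pos + 1])
    return Ace(action, proto, addrs[0], addrs[1], dport)

def ace_matches(ace: Ace, flow: Flow) -> bool:
    """True when every constraint of the ACE holds for the flow ('ip' covers any protocol)."""
    return (
        (ace.proto == "ip" or ace.proto == flow.proto)
        and (ace.src is None or ace.src == flow.src)
        and (ace.dst is None or ace.dst == flow.dst)
        and (ace.dport is None or ace.dport == flow.dport)
    )

def class_matches(acl_lines: List[str], flow: Flow) -> bool:
    """First-match evaluation, as 'match access-list' does inside a class-map.

    A permit hit puts the flow in the class; a deny hit, or no hit at all,
    keeps it out of the class, so the class's inspect actions are not applied.
    """
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, flow):
            return ace.action == "permit"
    return False

@dataclass
class PolicyClass:
    name: str
    acl: List[str]
    actions: List[str] = field(default_factory=list)

def classify(policy: List[PolicyClass], flow: Flow) -> List[str]:
    """Actions a flow would receive, in the spirit of 'show service-policy flow'."""
    actions: List[str] = []
    for cls in policy:
        if class_matches(cls.acl, flow):
            actions.extend(cls.actions)
    return actions

# The answer's policy: after the change only skinny_map carries 'inspect skinny'.
GLOBAL_POLICY = [PolicyClass("skinny_map", SKINNY_ACL, ["inspect skinny"])]
# Constructed mis-ordered variant: permit first, so the deny lines are never reached.
MISORDERED_ACL = [SKINNY_ACL[2], SKINNY_ACL[0], SKINNY_ACL[1]]
MISORDERED_POLICY = [PolicyClass("skinny_map", MISORDERED_ACL, ["inspect skinny"])]

ACS_REPL = Flow("tcp", "10.1.2.3", "10.4.5.6", 2000)     # ACS replication pair from the answer
PHONE = Flow("tcp", "172.16.1.2", "172.16.5.6", 2000)    # the flow from the first show output

if __name__ == "__main__":
    for label, flow in (("ACS replication", ACS_REPL), ("phone signalling", PHONE)):
        print(f"{label:16} posted order -> {classify(GLOBAL_POLICY, flow)}")
        print(f"{label:16} permit first -> {classify(MISORDERED_POLICY, flow)}")
```

With the posted order the ACS pair receives no action and the phone flow receives inspect skinny, mirroring the two show outputs above; with the permit line first, both flows would be inspected.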

Similar Messages

  • How to hide line console parameters through Cisco ACS

    Hi,
    Can any one of you please help me with the following scenario?
    I want to hide the line console, line aux and line vty configuration parameters of the Cisco devices based on user-level privileges through Cisco ACS. For example, if a user logs into the devices with privilege level 7, then he should not be able to see the line parameters on the Cisco devices for which he has privilege level 7 access.
    Can you please help me with how to achieve this? Your help in this regard is highly appreciated.
    Thanks

    This is possible with local authorization on an IOS device. With ACS this is not possible.
    In ACS you can set which commands a specific user can issue. That feature is called command authorization.
    For show run you need to give priv 15. ACS works in a different way if you compare it with setting up local priv lvls on a router/switch.
    The best way to set it up is to give all users priv lvl 15 and then define which commands each user can execute.
    Note: Having priv 15 does not mean that the user will be able to issue all commands.
    We will set up command authorization on ACS to have control over users.
    This is how your config should look:
    aaa authentication login default group tacacs+ local
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa authorization config-commands
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Regards,
    ~JG
    Do rate helpful posts

  • How many clients can connect through cisco AP 1310 in wireless network ?

    I had setup wireless network with
    wlc4402, Cisco AP 1310, 1131 and 1242 and Cisco ACS 4.1. My problem is that only 30 clients connect through the Cisco AP 1310 at a time. I cannot connect more than 30 clients at a time. What is the issue in the wireless network? Please reply.
    Thanks and regards
    By
    D.Anbudurai

    WIRELESS > 802.11 > RRM
    How can I do that setting? Can you reply with some brief steps? And also I want to know how many clients exactly can connect in a wireless network at a time through Cisco APs?
    Thanks and regards
    d.anbudurai

  • PCS calls are failing through "SendToVRU" node.

    Hi All
    We are using ICM-enabled PCS and are getting a problem where calls are failing through the SendToVRU node.
    Actually we are getting Handoff.tcl errors on our monitoring system. From the CVP error log we found that those errors are against PCS calls only, and from the ICM script we found the above. For reference I am attaching a screenshot.
    Kindly help if anyone faced the same issue and got the solution.

    Not much info is provided, but do the calls which are failing belong to a particular language? Check the below-mentioned link and see if it applies to you.
    https://tools.cisco.com/bugsearch/bug/CSCtk13452/?referring_site=ss

  • Slow connection in one server if accessing through Cisco ACE

    Hi,
    Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When one PC accesses the server3 application via Cisco ACE, it experiences a slow connection, but when accessing directly without Cisco ACE, it's fast. The connection of this PC through Cisco ACE and direct access have no issue.
    What do I need to do in my configuration? Below is my configuration:
    logging enable
    logging timestamp
    logging trap 7
    logging buffered 7
    logging monitor 7
    logging host 167.81.126.5 udp/514
    logging host 137.55.152.147 udp/514
    resource-class SG_01
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 10.00 maximum equal-to-min
    boot system image:c4710ace-mz.A3_2_0.bin
    login timeout 30
    peer hostname singapore-ace2
    hostname singapore-ace1
    interface gigabitEthernet 1/1
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 14
      no shutdown
    interface port-channel 14
      description ISOLAN-ACE-TRUNK
      ft-port vlan 99
      switchport trunk native vlan 1
      switchport trunk allowed vlan 12,14,112
      no shutdown
    clock timezone SGT 8 0
    ntp server 137.55.152.1
    context Admin
      member SG_01
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 9 extended permit icmp any any
    ip domain-name ysn.psg.philips.com
    probe http singapore_01
      description This probe used to monitor application url-app-script
      interval 5
      passdetect interval 5
      request method get url /insiteserverstatus/insiteserverstatus.aspx
      expect status 200 200
      open 1
    probe http singapore_02
      description This probe used to monitor IIS-login-page
      interval 5
      passdetect interval 5
      request method get url /InSiteLumiledsApplication/
      expect status 200 200
      open 1
    probe icmp uplink
      description This probe used in conjunction with ft track host
      interval 2
      faildetect 2
      passdetect interval 3
    parameter-map type connection PARAM_L4STICKY-IP
      exceed-mss allow
    rserver host sggysnysn1ms013
      ip address 137.55.152.135
      inservice
    rserver host sggysnysn1ms014
      ip address 137.55.152.136
      inservice
    rserver host sggysnysn1ms018
      ip address 137.55.152.145
      inservice
    serverfarm host PLI9058
      probe singapore_01
      probe singapore_02
      rserver sggysnysn1ms013
        inservice
      rserver sggysnysn1ms014
        inservice
      rserver sggysnysn1ms018
        inservice
    sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
      timeout 720
      replicate sticky
      serverfarm PLI9058
    class-map type management match-any HTTPS-ALLOW_CLASS
    class-map match-all L4STICKY-IP_141:ANY_CLASS
      2 match virtual-address 137.55.152.141 any
    class-map type http loadbalance match-any NO_MS018
      50 match source-address 137.55.155.31 255.255.254.0
    class-map type management match-any SSH-ALLOW_CLASS
      2 match protocol ssh source-address 167.81.124.0 255.255.255.192
      3 match protocol ssh source-address 167.81.126.0 255.255.255.192
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
      class class-default
        sticky-serverfarm SG_GROUP_01
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match PLI9058-VIPs_POLICY
      class L4STICKY-IP_141:ANY_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
        loadbalance vip icmp-reply
        connection advanced-options PARAM_L4STICKY-IP
    interface vlan 12
      description Client-side vlan
      bridge-group 1
      no normalization
      mac-sticky enable
      access-group input ALL
      access-group output ALL
      service-policy input PLI9058-VIPs_POLICY
      no shutdown
    interface vlan 14
      ip address 137.55.152.236 255.255.255.248
      peer ip address 137.55.152.237 255.255.255.248
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface vlan 112
      description Server-side vlan
      bridge-group 1
      no normalization
      access-group input ALL
      access-group output ALL
      nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
      no shutdown
    interface bvi 1
      ip address 137.55.152.189 255.255.255.192
      alias 137.55.152.188 255.255.255.192
      peer ip address 137.55.152.190 255.255.255.192
      description Bridge-Group 1 Virtual Interface
      no shutdown
    ft interface vlan 99
      ip address 192.168.1.1 255.255.255.252
      peer ip address 192.168.1.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 100
      heartbeat count 10
      ft-interface vlan 99
    ft group 1
      peer 1
      priority 150
      peer priority 50
      associate-context Admin
      inservice
    ft track host test1
      track-host 137.55.152.234
      peer track-host 137.55.152.235
      peer probe uplink priority 50
      probe uplink priority 50
    ip route 0.0.0.0 0.0.0.0 137.55.152.233

    Hi Earsdale,
    All three servers are using the same configuration, so I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
    I would recommend you start by checking the differences between the servers, because one of those differences is certainly causing the failure.
    Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs accessing the server directly.
    If you need help with this troubleshooting, you can always open a TAC service request.
    Regards
    Daniel

  • Can we Monitor third party Windows servers through Cisco Prime

    Hi Team,
    We are using Cisco Prime Assurance and are currently monitoring Cisco UCCE components through it.
    Meanwhile we have a few third-party Windows servers which we would like to monitor through Cisco Prime, just to maintain a single monitoring tool.
    If yes, please share the steps or a link. Also highlight the limitations in that.
    Regards,
    krishna

    It seems Cisco Prime Assurance Manager is now obsolete and already end of life.
    It is replaced by Cisco Prime Infrastructure. CPI supports third-party/vendor devices to some minimal extent, with limited management details collected via SNMP templates.
    -Thanks
    Vinod
    **Encourage Contributors. RATE Them.**

  • Failed to retrieve the system DEP policy

    I've been getting this error on my Windows 8.1 Pro when I run EMET GUI. I think it's related to when I changed the apps configuration.
    I tried uninstalling/reinstalling and I get "Could not create EMET default configuration. Please run this program as an Administrator" even though I am running it as Administrator.
    Then I get this error when I run EMET GUI (tried both EMET 5.1 and 4.1 update 1 and have the same error)
    ************** Exception Text **************
    MitigationInterface.NonFatalException: Failed to retrieve the system DEP policy
       at MitigationInterface.SysMitigation_DEP..ctor(OSVERSIONINFOEX OsInfoEx, Boolean EnableUnsafeSettings)
       at MitigationInterface.SystemMitigations..ctor()
       at GraphicalApp.MainForm.MainForm_Load(Object sender, EventArgs e)
       at System.EventHandler.Invoke(Object sender, EventArgs e)
       at System.Windows.Forms.Form.OnLoad(EventArgs e)
       at DevExpress.XtraEditors.XtraForm.OnLoad(EventArgs e)
       at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
       at System.Windows.Forms.Control.CreateControl()
       at System.Windows.Forms.Control.WmShowWindow(Message& m)
       at System.Windows.Forms.Control.WndProc(Message& m)
       at System.Windows.Forms.Form.WndProc(Message& m)
       at DevExpress.XtraEditors.XtraForm.WndProc(Message& msg)
       at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

    Hi Subbarao,
    1. If the Bex Query is greyed out, then it has not been enabled for external access.
    2. If the Bex Query failed to retrieve the cube for the connection, then the cube might have been removed or relocated, or the connection failed.
    Try this workaround: this connection will not be affected if you relocate the cube on the BW side, and you can also use any cube / data mart to access data from BW.
    Create a new secured OLAP connection with SAP BICS Client under the SAP NetWeaver BI 7.X option by providing credentials. Select "Do not specify a cube in the connection", click Finish, then publish it to the BO repository.
    Open the WebI report and select the Bex Query you want to access as the data source; now you are able to retrieve the data from the desired BW cube via the Bex Query.
    Check the User Rights and Role imported into BOE Repository.
    --Raji. S

  • Patch rollup for Cisco Secure ACS 4.2 fails.

    I've got 2 freshly installed ACS 4.2 for Windows servers and I need to apply the latest patch rollup before I build the configurations.  I stopped the ACS services and ran Acs-4.2.0.124.15-SW.exe to install the patches.  The application begins running fine but fails on upgrading the database and then none of the ACS services would start.  I was able to restore the files from the backup that runs with the patch utility and get ACS functioning again.  What am I missing - does the patch rollup require any specific Microsoft Patches to be installed or something like that?
    Thanks

    Thanks for the feedback.  I attempted the patch rollup install again and it failed in the same place - on the database upgrade.  I did think of one thing.  Do I need to have my antivirus/protection services disabled prior to installing the rollup?
    Also my versions are as follows:
    Server OS - Windows Server 2003 R2
    Cisco Secure ACS - 4.2.(0) Build 124
    Thanks,
    Richard Jaehne

  • AAA authentication is fail on cisco 4505 switch with acs

    I am new to AAA. I want to log in to the switch with authentication coming from Cisco ACS 5.1; I have configured both the switch and ACS 5.1. When I telnet to the switch it displays "% Authentication fails". Can anybody help me regarding this issue?
    On the Cisco switch end, the config:
    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login TACASE group tacacs+
    aaa authorization exec default group tacacs+
    tacacs-server host 10.10.10.1
    tacacs-server key Password!@#
    line vty 0 4
     login authentication TACASE
    On the ACS 5.1 side I added the switch with its VLAN IP address, which connects to ACS 5.1,
    but when I log in using the PuTTY terminal it shows "% Authentication fails".
    Please help me regarding this issue!

    Hi,
    what is the error message reported on ACS?
    Are you sure that you are using the same key on ACS and cat4k?
    Can you configure "ip tacacs source-interface " with the vlan interface you are using as source?
    You can also collect these debugs:
    - deb aaa authentication
    - deb tacacs
    Cheers
    Marco

  • RPC fails through 881 Point to point Tunnel for VEEAM

    Hi, I have inherited 2 881s.
    We are setting up a Veeam server to replicate a Hyper-V host.
    When I try to add the remote Hyper-V server through the P2P VPN, Veeam comes back with an error: "Unable to connect via WMI".
    WMI is enabled on the target server, firewalls are down and AV software removed. If I'm in the same subnet the WMI works. It feels like the VPN is blocking WMI.
    Everything else seems to be working through the P2P VPN.
    Thanks
    Traffic is initiated through device 1
    881 Device 1 Config
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all sdm-nat-https-1
     match access-group 102
     match protocol https
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-smtp-1
      inspect
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-http-1
      inspect
     class type inspect sdm-nat-https-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
     class class-default
      drop
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class type inspect CCP-Voice-permit
      inspect
     class class-default
      pass
    policy-map type inspect ccp-permit
     class type inspect SDM_EASY_VPN_SERVER_PT
      pass
     class class-default
      drop
    policy-map type inspect sdm-permit-ip
     class type inspect SDM_IP
      pass
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class class-default
      drop log
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
     service-policy type inspect sdm-permit-ip
    interface Loopback0
     no ip address
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
     description $FW_OUTSIDE$$ETH-WAN$
     ip address 216.x.x.x255.255.255.240
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
     crypto ipsec df-bit clear
    interface Virtual-Template1 type tunnel
     ip unnumbered FastEthernet4
     zone-member security ezvpn-zone
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     ip address 10.10.11.1 255.255.255.0
     ip access-group 130 in
     ip access-group 130 out
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 10.10.21.10 10.10.21.80
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.123.165.1 permanent
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.10.11.5 25 interface FastEthernet4 25
    ip nat inside source static tcp 10.10.11.5 9091 interface FastEthernet4 9091
    ip nat inside source static tcp 10.10.11.9 80 interface FastEthernet4 80
    ip nat inside source static tcp 10.10.11.9 443 interface FastEthernet4 443
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip access-list extended SDM_AH
     remark CCP_ACL Category=1
     permit ahp any any
    ip access-list extended SDM_ESP
     remark CCP_ACL Category=1
     permit esp any any
    ip access-list extended SDM_IP
     remark CCP_ACL Category=1
     permit ip any any
    no logging trap
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.11.0 0.0.0.255
    access-list 23 permit 10.10.11.0 0.0.0.255
    access-list 23 permit 10.10.21.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 216.123.165.0 0.0.0.15 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 10.10.11.5
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.10.11.9
    access-list 103 remark CCP_ACL Category=4
    access-list 103 permit ip 10.10.11.0 0.0.0.255 any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 105 remark CCP_ACL Category=0
    access-list 105 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
    access-list 106 deny   ip 10.10.11.0 0.0.0.255 10.10.21.0 0.0.0.255
    access-list 106 permit ip 10.10.11.0 0.0.0.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
    access-list 108 remark CCP_ACL Category=0
    access-list 108 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 120 remark CCP_ACL Category=16
    access-list 120 permit ip 10.10.10.0 0.0.0.255 any
    access-list 120 permit ip 10.10.11.0 0.0.0.255 any
    access-list 120 permit ip 10.10.21.0 0.0.0.255 any
    access-list 130 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 130 permit ip any any
    no cdp run
    route-map SDM_RMAP_1 permit 1
     match ip address 106
    control-plane
    banner exec ^CC
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CC
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     transport input telnet ssh
    scheduler max-task-time 5000
    end
    CarePathBackupRouter#
    881 Device 2 Config
     service-policy type inspect sdm-policy-sdm-cls--1
    zone-pair security sdm-zp-sll-zone-in-zone source ssl-zone destination in-zone
     service-policy type inspect sdm-pol-ssl-vpn-traffic
    zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
     service-policy type inspect sdm-policy-sdm-cls--2
    interface Loopback0
     ip address 10.10.50.1 255.255.255.0
    interface FastEthernet0
     switchport access vlan 2
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
     description $FW_OUTSIDE$$ETH-WAN$
     ip address 216.x.x.x255.255.255.248
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    interface Virtual-Template1 type tunnel
     ip unnumbered FastEthernet4
     zone-member security ezvpn-zone
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Virtual-Template5
     ip unnumbered FastEthernet4
     zone-member security ssl-zone
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1452
    interface Vlan2
     description $FW_DMZ$
     ip address 10.10.20.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security dmz-zone
    ip local pool SDM_POOL_1 10.10.50.2 10.10.50.30
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.10.10.5 25 interface FastEthernet4 25
    ip nat inside source static tcp 10.10.20.100 80 interface FastEthernet4 80
    ip nat inside source list 120 interface FastEthernet4 overload
    ip nat inside source static tcp 10.10.20.100 443 interface FastEthernet4 443
    ip nat inside source static tcp 10.10.10.5 9091 216.x.x.x 9091 extendable
    ip access-list extended DMZOutbound
     remark CCP_ACL Category=128
     permit ip host 10.10.20.4 any
     permit ip host 10.10.20.5 any
    ip access-list extended LANtoDMZ
     remark CCP_ACL Category=128
     permit ip any host 10.10.20.5
     permit ip any host 10.10.20.4
     permit ip any host 10.10.20.100
    ip access-list extended SDM_4
     remark CCP_ACL Category=4
     remark IPSec Rule
     permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    ip access-list extended SDM_AH
     remark CCP_ACL Category=1
     permit ahp any any
    ip access-list extended SDM_ESP
     remark CCP_ACL Category=1
     permit esp any any
    ip access-list extended SDM_IP
     remark CCP_ACL Category=1
     permit ip any any
    ip access-list extended VPNZtoDMZ
     remark CCP_ACL Category=128
     permit ip any host 10.10.20.5
     permit ip any host 10.10.20.4
    ip access-list extended VPNtoDMZ
     remark CCP_ACL Category=128
     permit ip any host 10.10.20.5
    ip access-list extended WANtoOWA
     remark CCP_ACL Category=128
     permit ip any host 10.10.10.5
    ip access-list extended WebsiteViewer
     remark CCP_ACL Category=128
     permit ip host 10.10.20.5 any
     permit ip host 10.10.20.4 any
    ip access-list extended dmz-traffic
     remark CCP_ACL Category=1
     permit ip any host 10.10.20.1
     permit ip any host 10.10.20.2
     permit ip any host 10.10.20.3
     permit ip any host 10.10.20.4
     permit ip any host 10.10.20.5
     permit ip any host 10.10.20.6
     permit ip any host 10.10.20.7
     permit ip any host 10.10.20.8
     permit ip any host 10.10.20.9
     permit ip any host 10.10.20.10
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.20.0 0.0.0.255
    access-list 23 remark CCP_ACL Category=17
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit 10.10.20.0 0.0.0.255
    access-list 23 permit 10.10.50.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 10.10.20.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 permit ip 10.10.20.0 0.0.0.255 any
    access-list 101 permit ip 207.164.203.24 0.0.0.7 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit tcp any host 192.168.1.111 eq smtp
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 10.10.20.5
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 10.10.20.100
    access-list 105 remark CCP_ACL Category=4
    access-list 105 permit ip host 10.10.10.0 any
    access-list 105 permit ip host 10.10.20.0 any
    access-list 105 permit ip host 10.10.50.0 any
    access-list 120 deny   ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 120 deny   ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
    access-list 120 deny   ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
    access-list 120 permit ip 10.10.10.0 0.0.0.255 any
    access-list 120 permit ip 10.10.20.0 0.0.0.255 any
    access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.20.0 0.0.0.255
    access-list 150 permit tcp any any eq 8081
    access-list 190 permit ip any host 10.10.10.7
    access-list 190 permit ip host 10.10.10.7 any
    no cdp run
    control-plane
    banner exec ^CCCCCCCCCC
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CCCCCCCCCC
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     transport input telnet ssh
    scheduler max-task-time 5000
    webvpn gateway gateway_1
     ip address 216.x.x.x port 8081
     ssl trustpoint TP-self-signed-3840840377
     inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context WebVPN
     title "CarePath WebVPN"
     secondary-color white
     title-color #669999
     text-color black
     ssl authenticate verify all
     url-list "CarePath"
       heading "CarePath Websites"
       url-text "CPNet" url-value "http://10.10.10.100/CPnet/"
       url-text "CarePath External Website" url-value "http://www.carepath.ca"
       url-text "Navigator" url-value "http://10.10.10.103"
     policy group policy_1
       url-list "CarePath"
       functions svc-enabled
       svc address-pool "SDM_POOL_1"
       svc msie-proxy option auto
       svc split include 10.10.0.0 255.255.0.0
       svc dns-server primary 10.10.10.5
     virtual-template 5
     default-group-policy policy_1
     aaa authentication list ciscocp_vpn_xauth_ml_2
     gateway gateway_1
     max-users 20
     inservice
    end
    CarePathRouterB#

    Ok, I think I messed up.
    Here are the configs again.
    Device 1
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.08 11:11:23 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    Building configuration...
    Current configuration : 14737 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname CarePathBackupRouter
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 10000
    no logging console
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-3598019594
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3598019594
     revocation-check none
     rsakeypair TP-self-signed-3598019594
    crypto pki certificate chain TP-self-signed-3598019594
     certificate self-signed 01
          quit
    ip source-route
    ip dhcp excluded-address 10.10.10.1
    ip cef
    no ip domain lookup
    ip domain name yourdomain.com
    ip port-map user-protocol--1 port tcp 9091
    ip inspect log drop-pkt
    no ipv6 cef
    multilink bundle-name authenticated
    vtp mode transparent
    username vinadmin privilege 15 secret 5 $1$fDR/$CNiqlhaGh1/86.yaksu9J1
    username bannayar secret 5 $1$WQH0$lqEvJa6vyCgG8P6ZCKFV30
    username kabaines secret 5 $1$qghZ$KIzZ4AvLHuxpxdT8lPXu00
    username ecousineau secret 5 $1$0vGF$/hFzdgUsjNy4KhQbBEJXX1
    username ddepetrillo secret 5 $1$J.Z.$r2Hvj0wy65KdU2DB8RybI.
    username dfulogsi secret 5 $1$mBGJ$pOTWXESj5IrNoHcp4a6Dg1
    username whryniuk secret 5 $1$aiXM$V7Ivp7w9WGPfp7ZvNUuxw.
    username lhryniuk secret 5 $1$ZMWh$q1TcQiQCnOcOc3386C60./
    username dthomson secret 5 $1$oSuN$9iRmSxMzpFiJZ7J./DXwN/
    username smoore secret 5 $1$DRy7$yYXbtjMqP6eNVNWf82qit1
    username wpowell secret 5 $1$gK57$oUtnIg6xk6tV8xofNCWZj.
    username pcarter secret 5 $1$FNOP$kwi.OJx9PTQqYRFFc3Lw11
    username mferguson secret 5 $1$JAkk$yZ8gLDfpLjhoBUY2xiKGt0
    username kmcdonald secret 5 $1$e6zr$WxiKO0Aqee2mUb3GtcOwK1
    username drorovan secret 5 $1$q/bp$qpIgTq2zo3CUZtsMKYB9d/
    username jragaz secret 5 $1$3xZ7$Cvg8Er8k5khygwd.Dg/Xh1
    username pmajor secret 5 $1$u7up$X0HemguPY9Ng1vKxcAz.81
    username borovan secret 5 $1$4Lje$BYGyz2EhCxE.FVql5tddA0
    username jgowing secret 5 $1$YAsY$36ioJChe4Se786FyVOwZO/
    username GGarcia secret 5 $1$9QO0$qEaHekjre5tWLc4HNnLhd/
    username rbergeron secret 5 $1$8oB6$yk3IoBFJo/ndzRCoQTGPQ1
    username rsimpson secret 5 $1$dnSM$KOiCXCpX6jgv/Z/WLt/qM0
    username kgodbout secret 5 $1$xDkJ$OoOKh8KtQDy4h2CsnGl1V/
    username amcgowan secret 5 $1$e9fw$xByQdweSgJKomCoa42Xhd.
    username mstevelic secret 5 $1$dM72$u3W/r5o.WIULnYZMVLx.00
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key CarePathPSKJ0k1r address 63.250.109.214 255.255.255.248
    crypto isakmp client configuration group VPNGroup
     key Pa$$w0rd
     dns 10.10.11.5
     domain carepath.local
     pool SDM_POOL_1
     acl 103
     max-users 70
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group VPNGroup
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec df-bit clear
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Tunnel to Carepath HO
     set peer 63.250.109.214
     set transform-set ESP-3DES-SHA1
     match address 107
    archive
     log config
      hidekeys
    vlan 2-3,10,20
    vlan 30
     name Internal
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
     match access-group 105
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
     match access-group 108
    class-map type inspect match-all sdm-nat-http-1
     match access-group 102
     match protocol http
    class-map type inspect match-all sdm-nat-user-protocol--1-1
     match access-group 101
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-smtp-1
     match access-group 101
     match protocol smtp
    class-map type inspect match-any SDM_AH
     match access-group name SDM_AH
    class-map type inspect match-any CCP-Voice-permit
     match protocol h323
     match protocol skinny
     match protocol sip
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp extended
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-any SDM_IP
     match access-group name SDM_IP
    class-map type inspect match-any SDM_ESP
     match access-group name SDM_ESP
    class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
     match protocol isakmp
     match protocol ipsec-msft
     match class-map SDM_AH
     match class-map SDM_ESP
    class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
     match class-map SDM_EASY_VPN_SERVER_TRAFFIC
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all sdm-nat-https-1
     match access-group 102
     match protocol https
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-smtp-1
      inspect
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-http-1
      inspect
     class type inspect sdm-nat-https-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
     class class-default
      drop
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class type inspect CCP-Voice-permit
      inspect
     class class-default
      pass
    policy-map type inspect ccp-permit
     class type inspect SDM_EASY_VPN_SERVER_PT
      pass
     class class-default
      drop
    policy-map type inspect sdm-permit-ip
     class type inspect SDM_IP
      pass
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class class-default
      drop log
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
     service-policy type inspect sdm-permit-ip
    interface Loopback0
     no ip address
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
     description $FW_OUTSIDE$$ETH-WAN$
     ip address 216.123.165.9 255.255.255.240
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
     crypto ipsec df-bit clear
    interface Virtual-Template1 type tunnel
     ip unnumbered FastEthernet4
     zone-member security ezvpn-zone
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     ip address 10.10.11.1 255.255.255.0
     ip access-group 130 in
     ip access-group 130 out
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 10.10.21.10 10.10.21.80
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 216.123.165.1 permanent
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.10.11.5 25 interface FastEthernet4 25
    ip nat inside source static tcp 10.10.11.5 9091 interface FastEthernet4 9091
    ip nat inside source static tcp 10.10.11.9 80 interface FastEthernet4 80
    ip nat inside source static tcp 10.10.11.9 443 interface FastEthernet4 443
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip access-list extended SDM_AH
     remark CCP_ACL Category=1
     permit ahp any any
    ip access-list extended SDM_ESP
     remark CCP_ACL Category=1
     permit esp any any
    ip access-list extended SDM_IP
     remark CCP_ACL Category=1
     permit ip any any
    no logging trap
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.11.0 0.0.0.255
    access-list 23 permit 10.10.11.0 0.0.0.255
    access-list 23 permit 10.10.21.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 216.123.165.0 0.0.0.15 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 10.10.11.5
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 10.10.11.9
    access-list 103 remark CCP_ACL Category=4
    access-list 103 permit ip 10.10.11.0 0.0.0.255 any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 105 remark CCP_ACL Category=0
    access-list 105 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
    access-list 106 deny   ip 10.10.11.0 0.0.0.255 10.10.21.0 0.0.0.255
    access-list 106 permit ip 10.10.11.0 0.0.0.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
    access-list 108 remark CCP_ACL Category=0
    access-list 108 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 120 remark CCP_ACL Category=16
    access-list 120 permit ip 10.10.10.0 0.0.0.255 any
    access-list 120 permit ip 10.10.11.0 0.0.0.255 any
    access-list 120 permit ip 10.10.21.0 0.0.0.255 any
    access-list 130 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 130 permit ip any any
    no cdp run
    route-map SDM_RMAP_1 permit 1
     match ip address 106
    control-plane
    banner exec ^CC
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CC
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     transport input telnet ssh
    scheduler max-task-time 5000
    end
    CarePathBackupRouter#
    Device 2
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.08 11:05:59 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    Building configuration...
    Current configuration : 29587 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    boot-start-marker
    boot system flash c880data-universalk9-mz.124-24.5.T.bin
    boot-end-marker
    security passwords min-length 1
    logging buffered 4096
    enable secret 5 $1$tRc6$Pk3N1aDAx4E2rAYAJ90mH1
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-3840840377
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3840840377
     revocation-check none
     rsakeypair TP-self-signed-3840840377
    crypto pki certificate chain TP-self-signed-3840840377
     certificate self-signed 01
          quit
    ip source-route
    ip dhcp excluded-address 10.10.20.1 10.10.20.10
    ip dhcp excluded-address 10.10.10.1 10.10.10.19
    ip dhcp excluded-address 10.10.10.91 10.10.10.254
    ip dhcp pool sdm-pool
       import all
       network 10.10.10.0 255.255.255.0
       default-router 10.10.10.1
       dns-server 10.10.10.5
       lease 0 2
    ip dhcp pool sdm-pool1
       network 10.10.20.0 255.255.255.0
       default-router 10.10.20.1
    no ip cef
    ip domain name carepath.local
    ip name-server 10.10.10.5
    no ipv6 cef
    multilink bundle-name authenticated
    parameter-map type protocol-info msn-servers
     server name messenger.hotmail.com
     server name gateway.messenger.hotmail.com
     server name webmessenger.msn.com
    parameter-map type protocol-info aol-servers
     server name login.oscar.aol.com
     server name toc.oscar.aol.com
     server name oam-d09a.blue.aol.com
    parameter-map type protocol-info yahoo-servers
     server name scs.msg.yahoo.com
     server name scsa.msg.yahoo.com
     server name scsb.msg.yahoo.com
     server name scsc.msg.yahoo.com
     server name scsd.msg.yahoo.com
     server name cs16.msg.dcn.yahoo.com
     server name cs19.msg.dcn.yahoo.com
     server name cs42.msg.dcn.yahoo.com
     server name cs53.msg.dcn.yahoo.com
     server name cs54.msg.dcn.yahoo.com
     server name ads1.vip.scd.yahoo.com
     server name radio1.launch.vip.dal.yahoo.com
     server name in1.msg.vip.re2.yahoo.com
     server name data1.my.vip.sc5.yahoo.com
     server name address1.pim.vip.mud.yahoo.com
     server name edit.messenger.yahoo.com
     server name messenger.yahoo.com
     server name http.pager.yahoo.com
     server name privacy.yahoo.com
     server name csa.yahoo.com
     server name csb.yahoo.com
     server name csc.yahoo.com
    username forrestja secret 5 $1$0M.C$jSf2s6jBJc.BhOHEQz6Z7/
    username Mckyedo secret 5 $1$.oVV$osTs3rwN6PDW1r1ratB/Y/
    username kabaines secret 5 $1$05fS$aQmBAn5OPzemwHISAcjA91
    username ecousineau secret 5 $1$chbt$y8i/cTvlKaoi7M6IK9XQz0
    username danidepetrillo secret 5 $1$ClAB$cL.ISVieN3dtuXKYboyiO/
    username ddepetrillo secret 5 $1$/8z2$zo9yhdXX0injN5sR.o.gc.
    username dfulogsi secret 5 $1$7kTK$48wgcGO5ne4/p069y6hNX.
    username whryniuk secret 5 $1$4K6u$hQkC7ZproSeYzXuF6C9z61
    username lhryniuk secret 5 $1$XHHt$MFNNStOiC6dgfY93laFrU1
    username amcgowan secret 5 $1$40Fm$O5QuPgLtQU0uq.9KbxW0M1
    username dthomson secret 5 $1$CAZB$VF0qQbZ/zECKv3QfIDhuD.
    username cshirley secret 5 $1$A395$0hL0DnNysybt51exyXWrN1
    username smoore secret 5 $1$YFq4$j7UTBgdbQMikKGyDhAPCP.
    username jzemaitis secret 5 $1$KiOv$Y22d.91YFkVaDcHc9JfL90
    username wpowell secret 5 $1$ECmG$dQvMWSXWQqPSM/SWMm6Ja0
    username vinadmin privilege 15 secret 5 $1$XJMD$kQLDFx1u5IKBNqtMtg4dL0
    username Admin secret 5 $1$O3rB$H003Fl.KI7vNzSxRpsB5t.
    username shirleyco secret 5 $1$aTod$A91adrDfFQrKx31aAe3/z0
    username mferguson secret 5 $1$XISU$UjnnmGN22rzIf7xnX0CEc.
    username kmcdonald secret 5 $1$cv4K$uuotKYnegG6.y4R7YRiyW1
    username mstevelic secret 5 $1$.isq$wi/HGo0IkZWmoBY..QEeD/
    username drorovan secret 5 $1$L799$Sz04d/XVM/g5Y62z5W.1/0
    username jragaz secret 5 $1$hmK5$z/tvrdohCMiEprCW9p9Yq.
    username pmajor secret 5 $1$CxxE$9hgS21SbVhVdOmUaRdvgs/
    username borovan secret 5 $1$fsw9$ZIIUltJ9Cc7nBpmuswIDs.
    username leedo secret 5 $1$xnMk$6IQf2FzK1L5QMgjfRx8.h.
    username jgowing secret 5 $1$EVEP$YjxyE5Lw.hcivE.JqbH0Y/
    username royst secret 5 $1$/wbP$W3daZVjU3bYAtR9x01nEh.
    username rbergeron secret 5 $1$EeAx$ipFbCd0SwjTLUB/8pCMxR0
    username rsimpson secret 5 $1$cvh6$0MVp4eSyhij0NCX6NUDGK1
    username ssaraydarian secret 5 $1$YJV7$v14qULB7TFYsTEVcvyC8o.
    username Leeke secret 5 $1$IH5i$.yJJW7mKF.sD7DIr53AXc0
    username hooman secret 5 $1$eJ3J$OKcje0Q.K5o.IOJJ.it0D1
    username cmills secret 5 $1$QH8Z$QZqY8kJEvpp/WBQIAl7yn0
    username bannayar secret 5 $1$erc7$EhY2OUL2okAuJw6.VFwvW.
    username alstiburek secret 5 $1$5FSX$5RJb1h0NBYyH6q93aXT3U.
    username pcarter secret 5 $1$dVJI$EnovCDfEe3SakN15Q9kkW.
    username dlinardos password 0 zckNW80240*
    username janarthans view root secret 5 $1$A5c8$x/d03.bT3e29fTJ2Iunt/1
    username palmerb view root secret 5 $1$MlTf$szxQvyRJBzRnofARAWP0z0
    username lrobichaud privilege 0 secret 5 $1$nztN$hieW9P/XYakZ8aDxvc/hc/
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key CarePathPSKJ0k1r address 216.x.x.x
    crypto isakmp client configuration group VPNGroup
     key Pa$$w0rd
     dns 10.10.10.5
     domain Carepath.local
     pool SDM_POOL_1
     acl 100
     max-users 28
     netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group VPNGroup
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
     description Apply the crypto map on the peer router's interface having IP address 216.x.x.x that connects to this router.
     set peer 216.x.x.x
     set transform-set ESP-3DES-SHA1
     match address SDM_4
    archive
     log config
      hidekeys
    ip ftp username cisco
    ip ftp password <removed>
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
     match access-group 107
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
     match access-group 109
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
     match access-group 108
    class-map type inspect imap match-any ccp-app-imap
     match  invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
     match protocol edonkey signature
     match protocol gnutella signature
     match protocol kazaa2 signature
     match protocol fasttrack signature
     match protocol bittorrent signature
    class-map type inspect match-all sdm-nat-http-1
     match access-group 103
     match protocol http
    class-map type inspect match-any https
     match protocol https
    class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
     match class-map https
     match access-group name WANtoOWA
    class-map type inspect match-all sdm-nat-http-2
     match access-group 104
     match protocol http
    class-map type inspect match-all sdm-nat-smtp-1
     match access-group 102
     match protocol tcp
    class-map type inspect match-any SDM_AH
     match access-group name SDM_AH
    class-map type inspect match-any CCP-Voice-permit
     match protocol h323
     match protocol skinny
     match protocol sip
    class-map type inspect match-any SDM_ESP
     match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
     match protocol isakmp
     match protocol ipsec-msft
     match class-map SDM_AH
     match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
     match access-group 106
     match class-map SDM_VPN_TRAFFIC
    class-map type inspect match-any http
     match protocol dns
     match protocol http
     match protocol https
     match protocol icmp
     match protocol smtp
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp extended
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all sdm-cls--2
     match class-map http
     match access-group name DMZOutbound
    class-map type inspect match-all sdm-cls--1
     match access-group name VPNZtoDMZ
    class-map type inspect match-any SDM_IP
     match access-group name SDM_IP
    class-map type inspect gnutella match-any ccp-app-gnutella
     match  file-transfer
    class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
     match protocol isakmp
     match protocol ipsec-msft
     match class-map SDM_AH
     match class-map SDM_ESP
    class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
     match class-map SDM_EASY_VPN_SERVER_TRAFFIC
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
     match  service any
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
     match  service any
    class-map type inspect match-all ipsec-class
     match protocol isakmp
     match protocol ipsec-msft
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
     match protocol ymsgr yahoo-servers
     match protocol msnmsgr msn-servers
     match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
     match  service any
    class-map type inspect match-all webvpn-8081
     match access-group 150
    class-map type inspect match-all ccp-protocol-pop3
     match protocol pop3
    class-map type inspect match-any sdm-ssl-vpn-traffic
     match access-group 121
    class-map type inspect pop3 match-any ccp-app-pop3
     match  invalid-command
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
     match  file-transfer
    class-map type inspect match-all ccp-protocol-p2p
     match class-map ccp-cls-protocol-p2p
    class-map type inspect msnmsgr match-any ccp-app-msn
     match  service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
     match  service text-chat
    class-map type inspect match-any WebsiteViewer
     match protocol smtp
     match protocol https
     match protocol http
     match protocol ftp
    class-map type inspect match-all ccp-protocol-im
     match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-invalid-src
     match access-group 101
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect http match-any ccp-app-httpmethods
     match  request method bcopy
     match  request method bdelete
     match  request method bmove
     match  request method bpropfind
     match  request method bproppatch
     match  request method connect
     match  request method copy
     match  request method delete
     match  request method edit
     match  request method getattribute
     match  request method getattributenames
     match  request method getproperties
     match  request method index
     match  request method lock
     match  request method mkcol
     match  request method mkdir
     match  request method move
     match  request method notify
     match  request method options
     match  request method poll
     match  request method propfind
     match  request method proppatch
     match  request method put
     match  request method revadd
     match  request method revlabel
     match  request method revlog
     match  request method revnum
     match  request method save
     match  request method search
     match  request method setattribute
     match  request method startrev
     match  request method stoprev
     match  request method subscribe
     match  request method trace
     match  request method unedit
     match  request method unlock
     match  request method unsubscribe
    class-map type inspect match-any ccp-dmz-protocols
     match protocol http
    class-map type inspect edonkey match-any ccp-app-edonkey
     match  file-transfer
     match  text-chat
     match  search-file-name
    class-map type inspect http match-any ccp-http-blockparam
     match  request port-misuse im
     match  request port-misuse p2p
     match  req-resp protocol-violation
    class-map type inspect match-all ccp-dmz-traffic
     match access-group name dmz-traffic
     match class-map ccp-dmz-protocols
    class-map type inspect match-all sdm-cls-ccp-permit-dmzservice-2
     match access-group name VPNtoDMZ
    class-map type inspect match-all sdm-cls-ccp-permit-dmzservice-3
     match class-map WebsiteViewer
     match access-group name WebsiteViewer
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
     match  file-transfer
    class-map type inspect match-all ccp-protocol-imap
     match protocol imap
    class-map type inspect aol match-any ccp-app-aol
     match  service text-chat
    class-map type inspect match-all sdm-cls-ccp-permit-dmzservice-1
     match access-group name LANtoDMZ
    class-map type inspect edonkey match-any ccp-app-edonkeychat
     match  search-file-name
     match  text-chat
    class-map type inspect http match-any ccp-http-allowparam
     match  request port-misuse tunneling
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect fasttrack match-any ccp-app-fasttrack
     match  file-transfer
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    policy-map type inspect sdm-pol-VPNOutsideToInside-1
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-3
      inspect
     class class-default
      drop
    policy-map type inspect p2p ccp-action-app-p2p
     class type inspect edonkey ccp-app-edonkeychat
      log
      allow
     class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
     class type inspect fasttrack ccp-app-fasttrack
      log
      allow
     class type inspect gnutella ccp-app-gnutella
      log
      allow
     class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
      inspect
     class type inspect sdm-nat-smtp-1
      inspect
     class type inspect sdm-nat-http-1
      inspect
     class type inspect sdm-nat-http-2
      inspect
     class type inspect sdm-ssl-vpn-traffic
      inspect
     class type inspect ccp-icmp-access
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-3
      inspect
     class class-default
      drop
    policy-map type inspect im ccp-action-app-im
     class type inspect aol ccp-app-aol
      log
      allow
     class type inspect msnmsgr ccp-app-msn
      log
      allow
     class type inspect ymsgr ccp-app-yahoo
      log
      allow
     class type inspect aol ccp-app-aol-otherservices
      log
      reset
     class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
     class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      reset
    policy-map type inspect imap ccp-action-imap
     class type inspect imap ccp-app-imap
      log
    policy-map type inspect pop3 ccp-action-pop3
     class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
     class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
     class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
     class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
     class type inspect ccp-insp-traffic
      inspect
     class class-default
      drop
    policy-map type inspect http ccp-action-app-http
     class type inspect http ccp-http-blockparam
      log
      allow
     class type inspect http ccp-app-httpmethods
      log
      reset
     class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect ccp-permit
     class type inspect SDM_EASY_VPN_SERVER_PT
      pass
     class class-default
      drop
    policy-map type inspect sdm-policy-sdm-cls--1
     class type inspect sdm-cls--1
      inspect
     class class-default
      drop
    policy-map type inspect sdm-pol-Out-to-Self
     class type inspect SDM_VPN_PT
      pass
     class type inspect webvpn-8081
     class type inspect SDM_EASY_VPN_SERVER_TRAFFIC
      pass
     class class-default
      drop
    policy-map type inspect sdm-pol-ssl-vpn-traffic
     class type inspect sdm-ssl-vpn-traffic
      inspect
     class class-default
      drop
    policy-map type inspect sdm-policy-sdm-cls--2
     class type inspect sdm-cls--2
      inspect
     class class-default
      drop
    policy-map type inspect ccp-permit-dmzservice
     class type inspect sdm-cls-ccp-permit-dmzservice-3
      inspect
     class type inspect sdm-cls-ccp-permit-dmzservice-2
      inspect
     class type inspect sdm-cls-ccp-permit-dmzservice-1
      inspect
     class type inspect ccp-dmz-traffic
      inspect
     class type inspect CCP-Voice-permit
      inspect
     class type inspect sdm-nat-smtp-1
      inspect
     class type inspect sdm-nat-http-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-3
      inspect
     class class-default
      pass
    policy-map type inspect sdm-permit-ip
     class type inspect SDM_IP
      pass
     class type inspect sdm-cls-VPNOutsideToInside-1
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-2
      inspect
     class type inspect sdm-cls-VPNOutsideToInside-3
      inspect
     class class-default
      drop log
    zone security dmz-zone
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone security ssl-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
     service-policy type inspect ccp-permit-dmzservice
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
     service-policy type inspect ccp-permit-dmzservice
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect sdm-pol-Out-to-Self
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
     service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-zone-dmz-zone source ezvpn-zone destination dmz-zone
     service-policy type inspect sdm-policy-sdm-cls--1
    zone-pair security sdm-zp-sll-zone-in-zone source ssl-zone destination in-zone
     service-policy type inspect sdm-pol-ssl-vpn-traffic
    zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
     service-policy type inspect sdm-policy-sdm-cls--2
    zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination ssl-zone
     service-policy type inspect sdm-pol-VPNOutsideToInside-1
    interface Loopback0
     ip address 10.10.50.1 255.255.255.0
    interface FastEthernet0
     switchport access vlan 2
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
     description $FW_OUTSIDE$$ETH-WAN$
     ip address 63.250.109.214 255.255.255.248
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     duplex auto
     speed auto
     crypto map SDM_CMAP_1
    interface Virtual-Template1 type tunnel
     ip unnumbered FastEthernet4
     zone-member security ezvpn-zone
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile CiscoCP_Profile1
    interface Virtual-Template5
     ip unnumbered FastEthernet4
     zone-member security ssl-zone
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1452
    interface Vlan2
     description $FW_DMZ$
     ip address 10.10.20.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security dmz-zone
    ip local pool SDM_POOL_1 10.10.50.2 10.10.50.30
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet4 63.250.109.209
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.10.10.5 25 interface FastEthernet4 25
    ip nat inside source static tcp 10.10.20.100 80 interface FastEthernet4 80
    ip nat inside source static tcp 10.10.20.100 443 interface FastEthernet4 443
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
    ip nat inside source static tcp 10.10.10.5 9091 63.250.109.214 9091 extendable
    ip access-list extended DMZOutbound
     remark CCP_ACL Category=128
     permit ip host 10.10.20.4 any
     permit ip host 10.10.20.5 any
    ip access-list extended LANtoDMZ
     remark CCP_ACL Category=128
     permit ip any host 10.10.20.5
     permit ip any host 10.10.20.4
     permit ip any host 10.10.20.100
    ip access-list extended SDM_4
     remark CCP_ACL Category=4
     remark IPSec Rule
     permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    ip access-list extended SDM_AH
     remark CCP_ACL Category=1
     permit ahp any any
    ip access-list extended SDM_ESP
     remark CCP_ACL Category=1
     permit esp any any
    ip access-list extended SDM_IP
     remark CCP_ACL Category=1
     permit ip any any
    ip access-list extended VPNZtoDMZ
     remark CCP_ACL Category=128
     permit ip any host 10.10.20.5
     permit ip any host 10.10.20.4
    ip access-list extended VPNtoDMZ
     remark CCP_ACL Category=128
     permit ip any host 10.10.20.5
    ip access-list extended WANtoOWA
     remark CCP_ACL Category=128
     permit ip any host 10.10.10.5
    ip access-list extended WebsiteViewer
     remark CCP_ACL Category=128
     permit ip host 10.10.20.5 any
     permit ip host 10.10.20.4 any
    ip access-list extended dmz-traffic
     remark CCP_ACL Category=1
     permit ip any host 10.10.20.1
     permit ip any host 10.10.20.2
     permit ip any host 10.10.20.3
     permit ip any host 10.10.20.4
     permit ip any host 10.10.20.5
     permit ip any host 10.10.20.6
     permit ip any host 10.10.20.7
     permit ip any host 10.10.20.8
     permit ip any host 10.10.20.9
     permit ip any host 10.10.20.10
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 2 remark CCP_ACL Category=2
    access-list 2 permit 10.10.20.0 0.0.0.255
    access-list 23 remark CCP_ACL Category=17
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit 10.10.20.0 0.0.0.255
    access-list 23 permit 10.10.50.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 10.10.10.0 0.0.0.255 any
    access-list 100 permit ip 10.10.20.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip host 255.255.255.255 any
    access-list 101 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 permit ip 10.10.20.0 0.0.0.255 any
    access-list 101 permit ip 207.164.203.24 0.0.0.7 any
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit tcp any host 192.168.1.111 eq smtp
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 10.10.20.5
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 10.10.20.100
    access-list 105 remark CCP_ACL Category=4
    access-list 105 permit ip host 10.10.10.0 any
    access-list 105 permit ip host 10.10.20.0 any
    access-list 105 permit ip host 10.10.50.0 any
    access-list 106 remark CCP_ACL Category=128
    access-list 106 permit ip host 216.x.x.x any
    access-list 107 remark CCP_ACL Category=0
    access-list 107 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 108 remark CCP_ACL Category=0
    access-list 108 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 109 remark CCP_ACL Category=0
    access-list 109 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 120 remark CCP_ACL Category=18
    access-list 120 deny   ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
    access-list 120 deny   ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
    access-list 120 deny   ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
    access-list 120 permit ip 10.10.20.0 0.0.0.255 any
    access-list 120 permit ip 10.10.10.0 0.0.0.255 any
    access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.20.0 0.0.0.255
    access-list 150 permit tcp any any eq 8081
    access-list 190 permit ip any host 10.10.10.7
    access-list 190 permit ip host 10.10.10.7 any
    no cdp run
    route-map SDM_RMAP_1 permit 1
     match ip address 120
    control-plane
    banner exec ^CCCCCCCCCCCCC
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CCCCCCCCCCCCC
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     access-class 23 in
     transport input telnet ssh
    scheduler max-task-time 5000
    webvpn gateway gateway_1
     ip address 216.x.x.x port 8081  
     ssl trustpoint TP-self-signed-3840840377
     inservice
    webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
    webvpn install csd flash:/webvpn/sdesktop.pkg
    webvpn context WebVPN
     title "CarePath WebVPN"
     secondary-color white
     title-color #669999
     text-color black
     ssl authenticate verify all
     !
     url-list "CarePath"
       heading "CarePath Websites"
       url-text "CPNet" url-value "http://10.10.10.100/CPnet/"
       url-text "CarePath External Website" url-value "http://www.carepath.ca"
       url-text "Navigator" url-value "http://10.10.10.103"
     policy group policy_1
       url-list "CarePath"
       functions svc-enabled
       svc address-pool "SDM_POOL_1"
       svc msie-proxy option auto
       svc split include 10.10.0.0 255.255.0.0
       svc dns-server primary 10.10.10.5
     virtual-template 5
     default-group-policy policy_1
     aaa authentication list ciscocp_vpn_xauth_ml_2
     gateway gateway_1
     max-users 20
     inservice
    end
    Router#  
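A running-config paste like the one above carries most of what an auditor needs to judge the device: the hashing type of each local account, whether any account still uses a type 0 (cleartext) password, the IKE encryption and DH group, whether the pre-shared key sits in the config in the clear, whether plaintext HTTP management is on, and which transports the vty lines accept. The Python script below is an added example; it is not part of the thread and not a Cisco tool. It applies those checks to a constructed sample in the same shape as the dump (every value is a placeholder), redacts secret tokens before reporting, and returns findings as data rather than only printing them. The check list, the severities and the `<redacted>` marker are my own choices.

```python
import re

# Constructed sample in the shape of an IOS "show running-config" dump.
# Every value is a placeholder; nothing here comes from a real device.
SAMPLE_CONFIG = """\
username admin1 secret 5 $1$abcd$PLACEHOLDERMD5HASHxxxxxxx
username admin2 password 0 PlainTextPass1
username admin3 privilege 15 secret 9 $9$PLACEHOLDERSCRYPTHASHxxxx
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.10
ip http server
ip http secure-server
line vty 0 4
 access-class 23 in
 transport input telnet ssh
"""

# Each check: pattern applied to the whitespace-trimmed line, severity, finding text.
CHECKS = [
    (re.compile(r"^username \S+.*\bpassword 0 "), "high",
     "type 0 (cleartext) user password; replace with 'secret' (type 8/9)"),
    (re.compile(r"^username \S+.*\bsecret 5 "), "medium",
     "type 5 (salted MD5) secret; re-hash as type 8/9"),
    (re.compile(r"^crypto isakmp key \S+ address "), "medium",
     "IKE pre-shared key stored in the config; store as type 6 or move to certificates"),
    (re.compile(r"^encr 3des$"), "medium", "3DES in IKE policy; use AES"),
    (re.compile(r"^group [12]$"), "medium", "DH group 1/2 in IKE policy; use group 14 or higher"),
    (re.compile(r"^ip http server$"), "low",
     "cleartext HTTP management enabled; keep only 'ip http secure-server'"),
    (re.compile(r"^transport input .*\btelnet\b"), "high",
     "telnet accepted on this line; restrict to 'transport input ssh'"),
]

# Secret material that must not be copied into a report.
_SECRET_RE = re.compile(r"(\b(?:password|secret) \d+ |\bcrypto isakmp key )\S+")


def redact(line):
    """Replace the secret token of a credential line with a marker."""
    return _SECRET_RE.sub(r"\1<redacted>", line)


def audit_config(text):
    """Scan a running-config dump and return findings in file order.

    Each finding is a dict with line_no, severity, finding and the redacted line.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        for pattern, severity, finding in CHECKS:
            if pattern.search(line):
                findings.append({
                    "line_no": line_no,
                    "severity": severity,
                    "finding": finding,
                    "line": redact(line),
                })
    return findings


def severity_counts(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_config(SAMPLE_CONFIG)
    for f in results:
        print(f"line {f['line_no']:>3} [{f['severity']}] {f['finding']}: {f['line']}")
    print(severity_counts(results))
```

Run against the constructed sample it reports two high findings (the type 0 password and telnet on the vty line), four medium ones (the type 5 secret, the cleartext pre-shared key, 3DES and DH group 2) and one low (plaintext HTTP management); the type 9 account is left alone. Feeding it a real dump is a matter of passing the captured text to `audit_config`.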

  • ACS Machine Authentication Fails Every 30 Days

    Running ACS5.2, Windows XP Pro, Window Server 2003 and Cisco Anyconnect Client. When the machine name password changes between the PC and the AD server the ACS will error out with "24485 Machine authentication against Active Directory has failed because of wrong password"
    TAC has been working with us on this and sees the error in the logs but does not have an answer on what to do to solve this. It has the same problem with Wireless Zero.
    Once the PC is rebooted the error goes away for 30 days. We are in a hospital setting so this is not just a minor problem.

    So it looks like this is the official Microsoft answer:
    Hello Tom,
    I had a discussion with an escalation resource on this case and updated him on what we found so far. From what I understand this is a known issue when the client is using PEAP with computer authentication only, and the workarounds to this problem are the 2 solutions lined up in that article that I sent you.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;904943
    Regards
    Krishna

  • ACS Expert troubleshooter fails to display existing log entry

    Hello everybody,
    I ran into the following issue. Let's say the RADIUS log (today) displays entries for user ABC (both successful and unsuccessful). BUT, when I use the 'expert troubleshooter' to search for exactly the same user (both pass and fail authentication), the search results come out empty.
    This happens for all log entries (= users) and on different computers with different browsers. ACS version is 5.4 (upgraded to different patches to no avail).
    Anybody experienced that? An existing bug notice will also be appreciated.

    I have not seen any bug for this yet. Please have a look at the guide to understand the functionality of Expert Troubleshooter:
    http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/user/guide/acsuserguide/viewer_troubleshooting.html#wp1057685

  • How do I set up my hp laserjet printer through Cisco router?

    I'm using my HP Laserjet 4000TN printer for my entire network.  I need to be able to use it with all my computers.  So I usually plug it into the modem via Cat5 cord and it grabs an IP address which I add in System Preferences and I'm good to go.  However, I recently had to change my network.  I now use a DSL modem as basically a dumb hub.  Which then goes into a Cisco 800 series router.  From there I need to be able to plug my computer into that router and then see it on both of my computers.  (What's the point of having a home network if you can't print from it from any computer on the network?)
    I was told to assign it a static IP address of 192.168.7.5.  However, when I do this on my computer it doesn't seem to be going through to the printer.  Whenever I try to print a test page it does not work.
    It is grabbing IP address 192.168.7.22.  However, when I enter this as the printer on the computer it is also not printing a test page.  Very frustrating.  I am unsure if this is the perfect forum for this as obviously it's the Cisco router that has changed and therefore it's not really a Mac issue.  But I am unsure where else to turn.
    Any help would be greatly appreciated.
    Thanks!

    I found the solution.  I was using WEP encryption and I needed to be using WPA encryption.

  • WindowsDesktopSSO fail-through to LDAP authentication

    Hello, all.
    I am setting up a WindowsDesktopSSO module and Auth Chain in Access Manager 7.1 (patch -04) under Sun Web Server 7.0u8. AM is currently a single instance intended to expand to a clustered installation, already "load-balanced" by another Sun Web Server 7.0u8.
    The Desktop SSO module per se works after some magic and lots of forum and doc reading, and Auth-Chaining does work for enabled browsers when the AD user is not recognized by Access Manager (the actual portal/messaging user database is in Sun DSEE and not all users from AD have equivalent accounts in DSEE - no ISW yet).
    However we have a problem with browsers which don't support SPNEGO (or have not enabled it for the domain).
    Such browsers receive the HTTP-401 "Unauthorized" page from the web server (apparently, a compiled-in resource template from SWS7) and do not fall through to "LDAP" module which is next in chain for alternate authentication method, after "winsso" module.
    This question has been raised and apparently solved in the threads below, however no recipe was given and I'm at a loss to invent it.
    - http://forums.sun.com/thread.jspa?threadID=5336332
    - http://forums.sun.com/thread.jspa?threadID=5361015
    I have tried to add an "error-page" block to amserver/WEB-INF/web.xml and reference a custom HTML file with the HTTP-401 error text template.
    - http://www.adobepress.com/articles/article.asp?p=25445&seqNum=4
    <web-app>
        <display-name>Access Manager Services</display-name>
        <error-page>
            <error-code>401</error-code>
            <location>/401.html</location>
        </error-page>
        <distributable/>
        <context-param>
        ...
    The HTML page essentially contains a META REFRESH tag to redirect a non-enabled browser to ldapService, and a custom comment for the visitor:
    <HTML><HEAD><TITLE>HTTP-401: Unauthorized</TITLE>
    <meta HTTP-EQUIV="refresh" content="0;url=/amserver/UI/Login?service=ldapService">
    </HEAD>
    <BODY>...</BODY>
    However, when I set this up, such an HTTP-401 handler completely overrides the Access Manager logic. Specifically, the HTTP header "WWW-Authenticate: Negotiate" is not set, so ANY browser is redirected to the LDAP service, and Desktop SSO never takes place.
    I have also tried to tweak the amserver/config/default/WindowsDesktopSSO.xml file and its clones all around so that the page would render with a JSP template which prints the same content. However, I must be doing something incorrectly - the content is not returned to the browser, and SWS7 default 401 error HTML is printed.
    - Customizing module per doc: http://docs.sun.com/app/docs/doc/820-3748/adueu?a=view
    I think I can use the web.xml solution to point to a custom JSP which sets all needed HTTP headers (have to try that though), however I hoped for a cleaner solution of just setting a custom template for the HTML part of the message.
    Thanks for any ideas,
    //Jim Klimov
    Edited by: JimKlimov on Jul 5, 2010 6:18 PM
    tags/formatting fixed

    An update to the "401.jsp" page. Original code did redirect, but only with a fixed URL.
    For example, it ignored "goto" parameters for autologin to Messaging Server or Portal upon successful authentication (via LDAPService).
    Here's an updated variant which tries to pass-through all provided request parameters:
    <%@ page import="java.io.*"%>
    <%@ page import="java.util.*"%>
    <%@ page import="java.net.URLEncoder"%>
    <%@ page import="javax.servlet.*"%>
    <%@ page import="javax.servlet.http.*"%>
    <%@ page import="javax.servlet.ServletContext"%>
    <%@taglib uri="/WEB-INF/jato.tld" prefix="jato"%>
    <%@taglib uri="/WEB-INF/auth.tld" prefix="auth"%>
    <%
        /*
         * (C) 2010 Jim Klimov, JSC COS&HT
         * param processing (C) http://www.apl.jhu.edu/~hall/java/Servlet-Tutorial/Servlet-Tutorial-Form-Data.html
         */
        // Keep the 401 status and the Negotiate challenge: a SPNEGO-capable browser
        // answers them with a token; a browser without SPNEGO follows the redirect below.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Negotiate");
        /*
         * Default ORG and MODULE/SERVICE values, should override whatever
         * was passed to the Login page, if fallback redirect is required
         * TODO: Parametrize via service/property configs
         */
        String FallbackServiceURI = "/amserver/UI/Login?service=ldapService&org=defaultRealmName";
    %>
    <HTML><HEAD><TITLE>HTTP-401: Unauthorized</TITLE>
    <%
        // Pass every other request parameter (e.g. "goto") through to the fallback login.
        Enumeration paramNames = request.getParameterNames();
        while (paramNames.hasMoreElements()) {
            String paramName = (String) paramNames.nextElement();
            if (paramName.equals("service") ||
                paramName.equals("module") ||
                paramName.equals("org")) {
                continue;
            }
            String[] paramValues = request.getParameterValues(paramName);
            for (int i = 0; i < paramValues.length; i++) {
                String paramValue = paramValues[i];
                // Names and values are user-supplied and end up inside an HTML
                // attribute below, so URL-encode them instead of concatenating raw text.
                FallbackServiceURI += "&" + URLEncoder.encode(paramName, "UTF-8");
                if (paramValue.length() != 0) {
                    FallbackServiceURI += "=" + URLEncoder.encode(paramValue, "UTF-8");
                }
            }
        }
        // After URL-encoding, only '&' still needs escaping to form a valid attribute value.
        String FallbackServiceHTML = FallbackServiceURI.replace("&", "&amp;");
    %>
    <meta HTTP-EQUIV="refresh" content="0;url=<%= FallbackServiceHTML %>">
    </HEAD>
    <BODY><H1>HTTP-401: Unauthorized</H1>
    Proper authorization is required for this area.
    Either your browser does not perform authorization,
    or your authorization has failed.<br>
    Your browser will be redirected to
    <a href="<%= FallbackServiceHTML %>">default
    authorization method</a>.
    </BODY></HTML>
    Note that this variant falls back to the "defaultRealmName" organization. If that's not desired, take it out of the default FallbackServiceURI and of the paramName.equals("org") check.
    HTH,
    //Jim
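    The mechanism the post above relies on, as an added stand-alone model (editor's example, not Jim's code and not Access Manager code): the 401 response must carry "WWW-Authenticate: Negotiate" so that a Kerberos-capable browser attempts Desktop SSO, while the same response carries a redirect to the LDAP login service that keeps the caller's other parameters (such as "goto") and forces service/org. The login path and the forced service/org values are taken from the post; the host name and the check that drops a "goto" pointing at another site are assumptions added here, since the post passes "goto" through unchecked.

```python
"""Model of the custom HTTP-401 fallback page: SPNEGO challenge plus a
fallback redirect to the LDAP login service that passes request
parameters through URL-encoded (added example, not Access Manager code)."""
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit

LOGIN_PAGE = "/amserver/UI/Login"                              # from the post
FORCED = (("service", "ldapService"), ("org", "defaultRealmName"))  # from the post
RESERVED = {"service", "module", "org"}   # never taken from the request


def build_fallback_uri(query_string, own_host=None):
    """Rebuild the Login URL: forced service/org first, then every other
    request parameter, URL-encoded. With own_host set, a "goto" whose host
    is a different site is dropped (assumption added here; the posted JSP
    forwards "goto" unchecked)."""
    params = list(FORCED)
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name in RESERVED:
            continue
        if name == "goto" and own_host is not None:
            netloc = urlsplit(value).netloc
            if netloc and netloc.lower() != own_host.lower():
                continue
        params.append((name, value))
    return LOGIN_PAGE + "?" + urlencode(params)


def has_negotiate_token(headers):
    """True when the browser already answered the Negotiate challenge."""
    return headers.get("Authorization", "").startswith("Negotiate ")


def unauthorized_response(headers, query_string, own_host):
    """Return (status, headers, body) for a request without a Negotiate
    token, or None when a token is present and the normal SPNEGO module
    should handle the request. The WWW-Authenticate header is what the
    default server error page loses; without it no browser tries SPNEGO."""
    if has_negotiate_token(headers):
        return None
    uri = escape(build_fallback_uri(query_string, own_host), quote=True)
    body = (
        "<HTML><HEAD><TITLE>HTTP-401: Unauthorized</TITLE>\n"
        '<meta HTTP-EQUIV="refresh" content="0;url=%s">\n'
        "</HEAD><BODY><H1>HTTP-401: Unauthorized</H1>\n"
        'Your browser will be redirected to <a href="%s">default '
        "authorization method</a>.</BODY></HTML>\n"
    ) % (uri, uri)
    return (401,
            {"WWW-Authenticate": "Negotiate",
             "Content-Type": "text/html; charset=UTF-8"},
            body)


if __name__ == "__main__":
    # Constructed request: a browser with no Kerberos ticket asking for the
    # Portal desktop; "org" from the request is overridden by the forced value.
    status, hdrs, html = unauthorized_response(
        {}, "goto=%2Fportal%2Fdt&org=evil", "sso.example.com")
    print(status, hdrs["WWW-Authenticate"])
    print(html)
```

    The query-string parsing and `urlencode` are the Python equivalents of the servlet's getParameterNames/getParameterValues loop plus URLEncoder; the HTML escaping of the rebuilt URI is what keeps a crafted parameter from closing the meta or href attribute.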

  • IChat Video/Audio Conferencing through Cisco 2811/2821/Other ISR Device

    I have found some discussion, but I still have yet to find resolution on this forum or Cisco's forums. I am trying to get iChat AV to work through a Cisco 2821 ISR (Integrated Services Router).
    The problem is that AV calls running over dynamic NAT do not work. If any machine in the mix has a static NAT (essentially binding it to a global IP) it will work. If the machine on the other side has a global IP, it also works. It appears that either A) iChat will not function over dual NAT traversal, or B) the ISR is taking the SIP packets and attempting to route them to a VoIP WIC that is not in the router.
    Has anyone been able to solve this yet? Does anyone have ideas? I am working with Cisco on this, but thus far, they too have no solution.

    Hi Brent,
    That would seem to cover any SIP binding to port 5060, which would stop the device trying to divert all SIP traffic to a Phone or Phone service (VoIP devices).
    Formatting for CLI stuff is not my forte, but I can tell you which ports to open.
    Port 5678 on UDP is where the invites go out and come in on.
    Port 5060 on UDP is where the application negotiates with the Buddy as to which ports from the group of twenty are used.
    Ports 16384-16403 are the group of twenty ports, also UDP.
    iChat logs into the AIM server on port 5190 on the TCP protocol by default. (It can log in on almost any port.)
    Certain chats and sending files and updates like Status Message and new Buddy pics, to the Buddy List, need port 5190 on the UDP protocol.
    Jabber ports are 5220, 5222 and 5223 for some older Jabber servers and GoogleTalk.
    Bonjour needs 5297, 5298 and 5353 on UDP and 5298 on TCP as well for Local stuff.
    See pic http://www.ralphjohnsuk.dsl.pipex.com/images/tableport.png
    Do a Search for "Cisco" in the box on the right.
    Change the Forum to the category of iChat to get iChat 2 and 3 results, as I believe there have been older posts about this that might make this clearer.
    10:13 PM Sunday; October 8, 2006
