ASA5510 - Nat 2 Inside vlans to separate ISP's
Hi All,
We have 2xASA5510. I have 2 Inside interfaces, INS_STAFF and INS_QUEST, and two Outside interfaces, OUT_STAFF and OUT_QUEST, which are on separate ISPs. All interfaces are assigned to different VLANs. Now I want to NAT INS_STAFF to OUT_STAFF and INS_QUEST to OUT_QUEST; because I have two default routes, it becomes impossible to do. Plus I want to set up failover with my ASAs. I know that I can solve this problem with PBR on a router, but I don't have one. Can you help me solve this problem with only the ASAs? Would it help to create contexts and separate each Inside and Outside pair?
Best Regards,
Davud Hajiyev
You can only make it work with multiple context mode where each context will have an inside and an outside interface, ie:
Context 1: INS_STAFF and OUT_STAFF
Context 2: INS_QUEST and OUT_QUEST
With just single context, you can't configure 2 default gateways on ASA as it is not supported to have 2 default gateways via 2 outside interfaces.
Similar Messages
-
NAT and Routed Network with Two ISP's on one router
I'm sure this has been covered many times, but I am not finding it.
I have two ISP connections.
With ISP-A I have a /30 between us, and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end.
With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
Everything on 192.168.100.x should use NAT and go out ISP-B
I have tried
ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
route-map ISP-B permit 10
match ip address 101
match interface GigabitEthernet0/1
set ip next-hop 100.0.0.1
route-map ISP-A permit 10
match ip address 111
match interface Multilink1
set ip next-hop 1.1.1.1
The problem comes when I have default routes to ISP-A in the router, then none of the ISP-B traffic works, and vice versa.
I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
If you can use BGP, this link will help you with load sharing between multiple ISPs when you have one router.
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
HTH -
Connection lost from inside VLANs
Hi everyone.
The SA520 loses connection to the inside VLANs placed behind a layer 3 switch on a daily basis. As a result the PCs can't connect to the Internet. If I try to ping the LAN IP of the SA from the switch it doesn't respond. I get rid of the problem by pinging from the SA520 to the gateway toward the inside (the layer 3 switch IP), as if the SA had lost the capacity to forward traffic to the inside networks. Rebooting the appliance also works.
Curiously, I have another completely flat VLAN connected to the SA on a dedicated, different LAN port which never faces the problem, so I suspect the SA becomes unable to route to internal VLANs more than one hop away.
My customer SA520 has 2.1.51 firmware. It's setup with ISP redundancy in rollover.
Any help will be appreciated and possibly save my neck.
Thanks,
Dario Agudelo
Hi Dario,
As per the details mentioned we are unable to conclude the issue.
We would like to request the following:
1. Dbglogs from SA520
2. Network Topology (so that we can find out whether any route is required or not to forward the traffic).
3. Layer 3 switch information and configuration details (if the switch is manageable).
To get dbglogs, login to SA520 web UI and in the URL type https://IP_address_of_SA500/scgi-bin/dbglog.cgi
Please note that the dbglogs will contain passwords, so please change or remove them. If you are not comfortable posting them on the community forum, please send them through a private message.
Thanks,
Nitin -
Help with Slow access or NAT to Inside Interface on ASA 9.1
I am hoping someone can help me figure this out, I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
In the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface so that return traffic would go to the same firewall the traffic came in through. The reason for this configuration was because the gateway of last resort was a different firewall and not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (now); prior to that it was a PIX with v8.0(4). Traffic to the aforementioned web server came in through the gateway of last resort, which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions, one I would like to use the configuration I have for the web server on the PIX on the ASA to see if that setup on the ASA works better, but having difficulty translating the rules to the ASA.
Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
Attached is a diagram of what I am currently doing.
Any help is appreciated.
Thanks.
P.S. Addresses in attached picture config are not real, but I know what they translate to.
Hi,
To me it would seem that you are looking for a NAT configuration something like this
object network SERVER-PUBLIC
 host 197.162.127.6
object network SERVER-LOCAL
 host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process as this configuration handles 2 translations.
I don't know if this changes the situation at all but it should be the configuration format to handle the translation of external host to the internal interface IP address and only apply when this single public IP address is concerned.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question. And/or rate helpful answers.
Ask more if needed
- Jouni -
Hello everybody!
I have a small discussion with my colleagues about operation with Access interfaces on a Switch.
I have an opinion that when you create VLAN 10, you get an STP instance and a CAM per VLAN.
When a frame from a host comes in on an access port in VLAN 10, no 802.1Q tag is added on entry to the VLAN.
If a frame goes to another access port inside VLAN 10, it also goes out without any tag.
During such operations inside the local VLAN there is no tagging at all.
An 802.1Q tag will be added for a non-native VLAN on the way out of an 802.1Q trunk port, and on the other side the tag will be removed and the frame goes inside VLAN 10 and to the destination port.
I suppose inside a VLAN we don't have any 802.1Q or ISL; we get this situation only on a trunk.
Am I right? Thank you in advance for help!
P.S. we are not talking about incoming frame on an access port with a tag/double tagging/vlan hopping...
Best regards,
Dmitry
I can't agree more ;) Thanks a lot!
I have found the explanation about it in a book by Todd Lammle. It is the final argument ;)
"An access port belongs to and carries the traffic of only one VLAN. Traffic is both received and sent in native formats with no VLAN information (tagging) whatsoever.
Anything arriving on an access port is simply assumed to belong to the VLAN assigned to the port. Because an access port doesn’t look at the source address, tagged traffic—a frame with added VLAN information—can be correctly forwarded and received only on trunk ports."
Thank you very much!
Dmitry -
Static NAT to inside DNS address
I'm struggling to address an issue where, as a policy, I have internal virtualized/clustered servers on reserved DHCP addresses on a separate VLAN, and occasionally there is a situation whereby the guests change hosts and end up on another VLAN (for whatever reason) or with a different IP address.
This isn't an issue for my internal users because all our communications work off DNS addresses, but I have a natted FTP server, and whenever it changes IP/VLAN, I have to manually change the natted address on my ASA.
ex
static (inside,Outside) 100.100.100.101 192.168.100.39 netmask 255.255.255.255
I would like to use a DNS address of ftp.domainname.com instead of the IP address so that if the inside IP changes I don't have to rewrite the static rule every time.
Is there any facility to do this with the ASA?
thanks
Hello Robert,
Not possible to do it on the ASA. You will need to use the ip address on the Nat statements. -
ASA NAT/Traceroute Inside to Outside Issues
Hi All,
Product in question: ASA5512-x in HA Active/Standby Failover mode
When running a ping from the inside network to a device on the internet I receive replies and all is good. However, when running a traceroute from inside the network to a device on the internet I receive timeouts, which look to be caused by an ACL deny rule, that being "outside/internet_access_in". If I quickly add an access rule for "outside/internet" incoming and allow any any with ICMP_Group, then I get replies and the ACL is allowing it; however, the replies for the traceroute are always the same, which is the IP of the device you're tracing. I wouldn't think you would want an outside/internet incoming rule for this kind of service, as it would open you up and kind of defeat the purpose of a firewall, etc.
To me it sounds like NAT is certainly causing some weirdness here, possibly the way it's set up...
The following is the explanation from the Deny message on syslog.
%ASA-4-106023: Deny protocol src
[interface_name:source_address/source_port] [([idfw_user|FQDN_string], sg_info)]
dst interface_name:dest_address/dest_port [([idfw_user|FQDN_string], sg_info)]
[type {string}, code {code}] by access_group acl_ID [0x8ed66b60, 0xf8852875]
A real IP packet was denied by the ACL. This message appears even if you do not have the log option enabled for an ACL. The IP address is the real IP address instead of the values that display through NAT. Both user identity information and FQDN information is provided for the IP addresses if a matched one is found. The ASA logs either identity information (domain\user) or FQDN (if the username is not available). If the identity information or FQDN is available, the ASA logs this information for both the source and destination.
Following are the 2 NAT rules in place at the moment. The first one was auto-created when configuring a site-to-site VPN and is meant to tell the traffic over the VPN not to NAT.
nat (inside,internet) source static Private_Network_Classes Private_Network_Classes destination static Test_VPN_Site Test_VPN_Site no-proxy-arp route-lookup
nat (inside,internet) source dynamic any interface
I hope this gives some insight into the issue I am having and someone can suggest some fixes/reconfigs to work around this. It certainly hasn't been easy trying to explain what is occurring here in writing.
Thank you for your time.
Hi Jouni,
I would agree with your comments as well after obtaining better understanding of the issue myself with your support.
As per request below is exact syslog message from traceroute.
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:19:01|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:59|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:55|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:51|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
6|May 27 2013|10:18:47|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:45|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
6|May 27 2013|10:18:43|302021|x.x.x.x|0|172.18.20.12|1|Teardown ICMP connection for faddr x.x.x.x/0 gaddr x.x.x.x/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:41|106023|x.x.x.x||172.18.20.12||Deny icmp src internet:x.x.x.x dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
Software Version:
Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.1(3) -
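The log lines in the thread above can be triaged mechanically. The following is an added example, not part of the original posts: it parses pipe-delimited lines shaped like the ones posted, picks out the 106023 ICMP denies, and separates ICMP error messages (type 11 time-exceeded, type 3 unreachable) from unsolicited echo requests, so a reviewer can see that only traceroute replies are hitting the ACL. The column layout is assumed from the posted lines, and the addresses in the sample are constructed from documentation ranges in place of the redacted x.x.x.x values.

```python
import re
from collections import Counter

# ICMP type numbers relevant to this thread; 3 and 11 are error messages
# sent in response to a packet an inside host emitted earlier.
ICMP_NAMES = {0: "echo-reply", 3: "unreachable", 8: "echo", 11: "time-exceeded"}
ICMP_ERROR_TYPES = {3, 11}

# Description part of a 106023 ICMP deny, as shown in the thread.
DENY_ICMP = re.compile(
    r'Deny icmp src (?P<src_if>[^:\s]+):(?P<src>\S+) '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>\S+) '
    r'\(type (?P<type>\d+), code (?P<code>\d+)\) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample (not from the thread); assumed column layout:
# severity|date|time|msg id|src ip|src port|dst ip|dst port|description
SAMPLE_LOG = """\
6|May 27 2013|10:19:01|302021|198.51.100.7|0|172.18.20.12|1|Teardown ICMP connection for faddr 198.51.100.7/0 gaddr 203.0.113.2/1 laddr 172.18.20.12/1
4|May 27 2013|10:18:45|106023|203.0.113.1||172.18.20.12||Deny icmp src internet:203.0.113.1 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:41|106023|203.0.113.1||172.18.20.12||Deny icmp src internet:203.0.113.1 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:37|106023|203.0.113.9||172.18.20.12||Deny icmp src internet:203.0.113.9 dst inside:172.18.20.12 (type 11, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:30|106023|198.51.100.50||172.18.20.12||Deny icmp src internet:198.51.100.50 dst inside:172.18.20.12 (type 8, code 0) by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:20|106023|198.51.100.9|51234|172.18.20.12|3389|Deny tcp src internet:198.51.100.9/51234 dst inside:172.18.20.12/3389 by access-group "internet_access_in" [0x0, 0x0]
4|May 27 2013|10:18:10|106023|203.0.113.1||172.18.20.40||Deny icmp src internet:203.0.113.1 dst inside:172.18.20.40 (type 3, code 3) by access-group "internet_access_in" [0x0, 0x0]
"""


def parse_icmp_denies(text):
    """Return one dict per 106023 ICMP deny; other lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split("|", 8)
        if len(fields) != 9 or fields[3] != "106023":
            continue  # not a deny-by-ACL message, or not in the assumed layout
        m = DENY_ICMP.search(fields[8])
        if m is None:
            continue  # TCP/UDP denies use a different description format
        icmp_type = int(m["type"])
        records.append({
            "time": fields[2],
            "src": m["src"],
            "dst": m["dst"],
            "acl": m["acl"],
            "type": icmp_type,
            "code": int(m["code"]),
            "name": ICMP_NAMES.get(icmp_type, f"type-{icmp_type}"),
            "is_error": icmp_type in ICMP_ERROR_TYPES,
        })
    return records


def summarize(text):
    """Group denies by (ACL, inside destination) and count ICMP types."""
    report = {}
    for rec in parse_icmp_denies(text):
        entry = report.setdefault(
            (rec["acl"], rec["dst"]),
            {"types": Counter(), "error_sources": set(), "errors": 0},
        )
        entry["types"][rec["name"]] += 1
        if rec["is_error"]:
            entry["errors"] += 1
            entry["error_sources"].add(rec["src"])
    return report


def dropped_error_replies(text):
    """Rows of (inside host, ACL, denied error messages, distinct senders)."""
    rows = [
        (dst, acl, e["errors"], len(e["error_sources"]))
        for (acl, dst), e in summarize(text).items()
        if e["errors"]
    ]
    return sorted(rows)


if __name__ == "__main__":
    for dst, acl, count, hops in dropped_error_replies(SAMPLE_LOG):
        print(f"{dst}: {count} ICMP error replies from {hops} sender(s) denied by {acl}")
```
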
Unable to ping device behind Cisco 3750 on the same inside VLAN via Cisco ASA 5505 Anyconnect VPN
Hi Guys,
I've been stuck with this for the last 2 days, and I thought I would try Cisco's forum. I set up my home DC, and started having problems once I moved a Cisco 5505 behind a Cisco 1841 router (I wanted to eventually test DMVPN live on the internet). I was no longer able to ping some devices; then, as soon as I introduced a collapsed core/distribution switch, I was also no longer able to ping the devices behind the Cisco 3750. I've attached a network diagram and the ASA running-config.
Everything seem fine internally with the exception of an intermittent network connectivity with a Citrix NetScaler VPX running on a VMware ESXi.
For some odd reason, I am able to ping the following, with no issues.
Cisco 3750 SVI (192.168.1.3)
CentOS web server (connected directly to the Cisco ASA 5505)
I have checked and enabled the following:
Nat Exemption
Sysopt connection permit-vpn
ACL's
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Added ICMP in the inspection policy
Packet-capture - Only getting echo requests.
Thanks in advance!
Hi,
I believe you have the problem with your no-nat configurations..... you need to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
object network acvpnpool
 subnet <anyconnect VPN Subnet>
object network insidelan
 subnet <inside lan subnet>
! with (inside,outside) the real inside network is the source and the VPN pool is the destination
nat (inside,outside) source static insidelan insidelan destination static acvpnpool acvpnpool
Make sure that you are able to reach the GW/Inside IP address of the firewall from a LAN machine.... all routing in place properly..... Thanks!!!
Regards
Karthik -
ASA5510 NAT configuration question
Hello friends...
I have 30 IP cameras with a private IP address:
10.1.1.1 – 10.1.1.30
I have a Cisco ASA 5510 firewall.
I want to be able to use one public IP address, example, 50.50.50.50
With a specific port to go to a different internal camera,
Example
50.50.50.50:3001 should be NATTED to camera 10.1.1.1
50.50.50.50:3002 should be NATTED to camera 10.1.1.2
50.50.50.50:3003 should be NATTED to camera 10.1.1.3
50.50.50.50:3004 should be NATTED to camera 10.1.1.4
Etc…
How do I do this? I know how to create NAT… just not like this, please help!!
Any help is greatly appreciated.
Thanks
David
Hi,
No worries.
static (inside,outside) tcp 50.50.50.50 3001 10.1.1.1 80
static (inside,outside) tcp 50.50.50.50 3002 10.1.1.2 80
static (inside,outside) tcp 50.50.50.50 3003 10.1.1.3 80
static (inside,outside) tcp 50.50.50.50 3004 10.1.1.4 80
static (inside,outside) tcp 50.50.50.50 3005 10.1.1.5 80
Dan -
My ISP sends various services through VLAN. Internet, TV and Telephone.
Now I wonder, is it possible to use this router to distribute these VLANs through the WAN port to e.g. my IPTV box?
Hello,
I don't understand the last two messages (only French, English and Spanish ;-) ), but I am interested in this functionality.
I am trying to set up this:
Route VLAN 100 from the LAN to the WAN. Is it planned for the new version?
A lot of French people (like me) are looking for this functionality. Most ISPs use two boxes: one server and one player (video), and the communication between the two boxes is made on VLAN 100 (Video, TV, ...)
Is it possible to implement this for the new release version?
Thanks, -
Static nat & public IP on inside interface.
Hello Guys,
I am facing some issue related to static nat please provide your replies. let me explain the scenario.
At site we have 4 cameras connected on switch and NVR (network video recorder) also connected on the same switch.
Locally at site we are able to access the four cameras via http/web and also through NVR software .
In order to access these cameras from a remote location, we did static NAT on the router, mapping public IP addresses to the cameras' private IP addresses. Find the NAT table below.
At remote site/from internet when we are adding the cameras in NVR software using public IP address. Later automatically public IP address resolving into private IP address.
We are able to access cameras individually using http://<public ip address for camera> but when we try to add it in INVR software its changing public ip address to private.
Camera Name   Private IP address   Public IP address
Camera 1      192.168.1.3          xx.x8.23.115
Camera 2      192.168.1.4          xx.x8.23.116
Camera 3      192.168.1.5          xx.x8.23.117
Camera 4      192.168.1.6          xx.x8.23.118
Below is the configuration for the router. I am concerned about the public IP address which is assigned on the internal/LAN interface instead of the outside interface by the ISP. In another project I experienced the public IP address being on the outside interface and the private one on the inside interface, and we do static NAT from the inside to the outside interface.
But here when i access the cameras through public IP individually its working but not when i am adding this public IP in NVR software. May be something is wrong with static.
interface GigabitEthernet0/0.1
encapsulation dot1Q 868
ip address 172.20.38.26 255.255.255.252
ip nat outside
ip virtual-reassembly in
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0 secondary
ip address 212.x.x.113 255.255.255.240 (its a public IP address)
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
ip nat inside source list 10 pool SLT overload
ip nat inside source static 192.168.1.3 x.x.23.115
ip nat inside source static 192.168.1.4 x.x.23.116
ip nat inside source static 192.168.1.5 x.x.23.117
ip nat inside source static 192.168.1.6 x.x.23.118
ip route 0.0.0.0 0.0.0.0 172.20.38.25
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat translation tcp-timeout 1000
ip nat translation udp-timeout 1000
ip nat pool SLT xx.xx.23.114 xx.xx.23.114 netmask 255.255.255.240
ip nat inside source list 10 pool SLT overload
Please advise on the above configuration. Your help in the above regard will be highly appreciated.
Many Thanks in Advance.
It is a bit odd to see the IPv4 address assigned this way. (Putting it on a Loopback would be a more elegant approach if the ISP is using private addresses for the WAN link.) But, there's nothing in here that would cause the NAT to fail. I suspect that the cameras are doing an HTTP redirect to their private IPv4 addresses at some point and this is causing your software to switch.
With this configuration, there's no reason why you can't just put the cameras directly on the public addresses and forego the NAT entirely. If there is a redirect going on, they will redirect to the correct IPv4 address and things will still work. -
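One way to test the redirect hypothesis from the reply above, as an added example that is not part of the thread: scan an HTTP response obtained through a camera's public address for RFC 1918 addresses in redirect headers or in the body, since static NAT rewrites the IP header but not the HTTP payload. The function names and the sample responses are constructed for illustration; the inside addresses are the ones from the question.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly: ipaddress.is_private also covers
# documentation ranges such as 203.0.113.0/24, which would be a false hit here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REDIRECT_HEADERS = {"location", "content-location", "refresh"}

def private_addresses(text):
    """Return the RFC 1918 IPv4 addresses found in text, in order."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:        # e.g. 999.1.1.1 is not an address
            continue
        if any(addr in net for net in RFC1918):
            found.append(candidate)
    return found

def find_private_leaks(raw_response):
    """Return (where, address) pairs for inside addresses the device exposes."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    leaks = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in REDIRECT_HEADERS:
            leaks += [("header:" + name, ip) for ip in private_addresses(value)]
    leaks += [("body", ip) for ip in private_addresses(body)]
    return leaks

# Constructed responses, as they might be seen through the public address.
REDIRECT_TO_INSIDE = ("HTTP/1.1 302 Found\r\n"
                      "Location: http://192.168.1.3/live/index.html\r\n"
                      "Content-Length: 0\r\n\r\n")
BODY_LEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             "<script>var stream = 'rtsp://192.168.1.4:554/ch1';</script>")
RELATIVE_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: /live/index.html\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("redirect", REDIRECT_TO_INSIDE), ("body", BODY_LEAK),
                        ("relative", RELATIVE_REDIRECT)):
        print(label, find_private_leaks(resp))
```

A non-empty result for a response fetched from outside means the client is being handed an address it cannot reach, which matches the symptom of the NVR software switching from the public to the private address.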
I have the following situation: I have two ASA 5520s
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
which are running stand-alone, but both share the same DMZ at the VLAN level and at the IP segment level. Now, is there any solution so that servers in the DMZ answer requests from the internet through both ASAs, given that the DMZ server has only one default gateway, which in this case is one of the ASAs that share the DMZ?
Hello Alexis,
EDIT: During my lunch hour I was thinking about this discussion and I came to the conclusion that there is a way in which we can let the server know to reply to the other ASA (the one that is not the default gateway).
For that you need to configure Outside NAT:
This is the configuration you need on the ASA
NAT (outside,inside) source dynamic any any destination static Global_Ip_Server Local_Ip_Server
Regards
Julio -
I have two internet ISP's links, currently dmz and inside interfaces are using one ISP (route outside 0.0.0.0 0.0.0.0 “ISP1_IP”), I need to use one ISP for inside and the other ISP for dmz.
appreciate your help.
Ali
Hi,
I am assuming ISP1 for Internal zone and ISP2 for DMZ.
Internal zone is allowed to access all protocols
access-list inside_access_in extended permit ip Internal-IP 255.255.255.0 any
Allow access from internet to DMZ server
access-list outside1_access_in extended permit tcp any host DMZ-Server'sPulic IP
Pat on the outside and DMZ interface for internal hosts
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 internal-IP netmask
Static NAT mapping for our DMZ server
static (dmz,outside1) DMZ-Server'sGlobal-IP DMZ-Server's-PrivateIP netmask 255.255.255.255
access-group outside1_access_in in interface outside1
access-group inside_access_in in interface inside
Default Routes
route outside 0.0.0.0 0.0.0.0 ISP1-Gateway 1
route outside1 0.0.0.0 0.0.0.0 ISP2-Gateway 2
Here, outside = ASA port that is connected to ISP1
outside1=ASA port that is connected to ISP2 -
VLAN for voice and VLAN for data with different ISPs: best choice of config?
Hello everyone,
Im, Oscar
At our company we have a redundant ISP connection to two separate ISP's.
We are also using VoIP on the network.
Currently one ISP connection is used primarily and the second on is just used as a backup.
I was wondering if it is possible to use the first connection primarily for data traffic and the second connection for VoIP traffic?
We use different VLAN's for voice and data.
Any help would be appreciated.
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Yes, for egress. Ingress is "it depends".
You could also consider using both links for both kinds of traffic. -
NAT (INSIDE To OUTSIDE)
I need Configuration of this topology
At Outside Router
int f0/0
ip add 10.1.1.2 255.255.255.0
At Inside Router
int f0/0
ip add 192.168.1.2 255.255.255.0
At ASA
int e0
ip add 10.1.1.1 255.255.255.0
int e1
ip add 192.168.1.1 255.255.255.0
I want NAT from inside to outside and also need ACL configuration and attached diagram.
and version of ASA is 8.2
Navaz
Message was edited by: Navaz Wattoo
THIS MY ASA CONFIGURATION
ciscoasa(config)# sh running-config
: Saved
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit tcp any any
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
static (inside,outside) 10.1.1.1 192.168.1.1 netmask 255.255.255.255
access-group OUT in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
: end
ciscoasa(config)#
THIS MY OUTSIDE ROUTER CONFIGURATION
R1(config)#do sh run
Building configuration...
Current configuration : 877 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 192.168.1.0 255.255.255.0 10.1.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R1(config)#
THIS MY INSIDE ROUTER CONFIGURATION
R2(config)#do sh run
Building configuration...
Current configuration : 880 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
no ip domain lookup
ip domain name lab.local
multilink bundle-name authenticated
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
ip route 10.1.1.0 255.255.255.0 192.168.1.1
no ip http server
no ip http secure-server
logging alarm informational
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
end
R2(config)#
Navaz