Cisco 1921 - Anti Spoofing?
Hello there.
I have a customer who has a service from "sharedband" which basically bonds two adsl lines. The DSL lines terminate to two netgear routers that talk to each other using the sharedband service. The two netgears present a single ip address to the LAN, which i have placed a router in the way to provide firewall services.
I have configured s2s VPN, CBAC, ACLs and locked down the router pretty well. But havent configured any sort of anti spoofing.
The support guy from sharedband say i need to "turn off" anti spoofing on the Cisco router. But i HAVENT configured it and am not aware its on by default. As you can imagine, when both netgears are switched on, packets get lost and the service goes really slow. When only one router is operational, it works like a dream albeit slow due to the line speed.
Is their anything on by default, or can i configure anything to allow 2 mac addresses to be accepted for the same IP address. Its not like HSRP where it provides a virtual MAC address. IP CEF is switched ON, its running IOS version 15.0.
The folks at shareband pointed my in the direction of a document they provide that states how to switch anti spoofing off, but thats on a draytek which we arnt using.
Here is that link http://support.sharedband.com/index.php?act=article&code=view&id=3.
Anyone know how to do this in IOS?
Hi,
I found this post Googling after problems with 1921 on Sharedband. opened TAC case - no luck so far.
However adding secondary IP in subnet of Sharedband physical IPs enables 1921 to "see" all the Sharedband routers and improves performance - same result as Sharedband "20 milliseconds of resequencing" workround
ip address 192.168.3.254 255.255.255.0 secondary
1921-BRSA-2CAMB#sh ip arp g0/1
Protocol Address Age (min) Hardware Addr Type Interface
Internet 91.108.165.74 - 588d.0978.3f21 ARPA GigabitEthernet0/1
Internet 192.168.3.254 - 588d.0978.3f21 ARPA GigabitEthernet0/1
Internet 91.108.165.73 0 e894.f667.eff8 ARPA GigabitEthernet0/1
Internet 192.168.3.4 0 e894.f6bb.b990 ARPA GigabitEthernet0/1
Internet 192.168.3.1 137 e894.f667.eff8 ARPA GigabitEthernet0/1
Internet 192.168.3.2 94 e894.f6bb.bc76 ARPA GigabitEthernet0/1
Internet 192.168.3.3 113 e894.f6bb.b8f8 ARPA GigabitEthernet0/1
Similar Messages
-
Hi all,
I have strange problem with anti spoof access-list which I would like to set up in cisco 7606 with 7600-PFC3CXL. So I made an access-list which is in [1.] and set up on interface Te1/1 like this [2.], but there are no match in output direction? Why? Well I made a test with [3.] but no matchs in access-list and ICMP was working than I made change [4.] and yeap icmp was not working and I have seen match in input direction good. It looks like that output direction in acl not working so I removed line 1 inc acl [4.] and icmp still not working and acl [3.] started matching icmp in line 1? Why? Can anybody help me? Thanks.
Karel
btw.> I tried solve this problem with this links:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/acl.html
http://www.cisco.com/web/about/security/intelligence/acl-logging.html
[1.]
Extended IP access list anti_spoof_Te1/1_input
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip 194.79.52.0 0.0.3.255 any
60 deny ip 0.0.0.0 0.255.255.255 any
70 permit ip any OUR CIDR
80 permit ip any host BGP Neighbor
90 deny ip any any
Extended IP access list anti_spoof_Te1/1_output
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 deny ip any 127.0.0.0 0.255.255.255
50 deny ip any 0.0.0.0 0.255.255.255
60 deny ip any OUR CIDR
70 permit ip host BGP Neighbor any
80 permit ip OUR CIDR any
90 deny ip any any
[2.]
ip access-group anti_spoof_Te1/1_input in
ip access-group anti_spoof_Te1/1_output out
[3.]
Extended IP access list anti_spoof_Te1/1_output
1 deny icmp host from OUR CIDR host in INTERNET log-input
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 172.16.0.0 0.15.255.255
30 deny ip any 192.168.0.0 0.0.255.255
40 deny ip any 127.0.0.0 0.255.255.255
50 deny ip any 0.0.0.0 0.255.255.255
60 deny ip any OUR CIDR
70 permit ip host BGP Neighbor any
80 permit ip OUR CIDR any
90 deny ip any any log-input
[4.]
Extended IP access list anti_spoof_Te1/1_input
1 deny icmp host from INTERNET host from OUR CIDR
10 deny ip 10.0.0.0 0.255.255.255 any
20 deny ip 172.16.0.0 0.15.255.255 any
30 deny ip 192.168.0.0 0.0.255.255 any
40 deny ip 127.0.0.0 0.255.255.255 any
50 deny ip 194.79.52.0 0.0.3.255 any
60 deny ip 0.0.0.0 0.255.255.255 any
70 permit ip any OUR CIDR
80 permit ip any host BGP Neighbor
90 deny ip any anyFollowing links may help you
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml -
Increasing anti-spoofing rules
What options are available on the C370's for implementing anti-spoofing controls in order to protect our company from the increasing number of phishing emails using spoofed addresses?
We already have an inbound rule to check the mailfrom: field and reject all messages that contain our domainsHello Anne,
I hope that this tech-note may help:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117796-problemsolution-esa-00.html
This is a technote to assist with tagging possibly spoofed emails.
You can change the action to another action if you want it to be dropped or actions in some other manner.
Regards,
Matthew -
I have an AIP-SSM-20 module that I am in the process of upgrading the system images and the signatures.
I was wondering if someone could guide me in the right direction on how to configure an anti-spoofing policy on the sensor.
If you have some sample configs that I could look at or even if you can explain to me how to do it through the GUI I would really appreciate it.Carlos,
It depends on what type of attack you are attempting to protect against. RPF will help you when a host spoofs an address on an interface where it should not live. For instance, if your internal network is 192.168.1.0/24 and a packet arrives on the outside of your firewall with a source address of 192.168.1.2, the appliance can drop the packet due to the information in its routing table. However, SYN floods from the Internet are a different matter. There is a mechanism on the IPS that can help you with this. Please see the document below for the SYN Cookie functionality of IPS Signature 3050/0.
https://supportforums.cisco.com/docs/DOC-11874
Thank you,
Blayne Dreier
Cisco TAC IDS Team
**Please check out our Podcast**
TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast -
Static NAT entry disappears when using NVI on Cisco 1921 (Multiple versions)
We have a Cisco 1921 as an IPSec tunnel endpoint where we assign static NAT entries. It is a static one-to-one NAT putting each remote endpoint as a local /24 subnet. We are using NVI and we see some of these static entries disappear when packets are unable to reach the destination.
The production router is running 15.0(1r)M16 but we were able to reproduce this same behavior on 15.4(1)T2.
To reproduce, we add the static NVI entry:
ip nat source static X.X.X.X 172.30.250.11
And things look good for a bit:
ROUTER# sh ip nat nvi trans | i 172.30.250.11
gre 172.30.250.11:0 X.X.X>X:0 Y.Y.Y.Y:0 Y.Y.Y.Y:0
--- 172.30.250.11 138.54.32.9 --- ---
tcp Y.Y.Y.Y:60360 Z.Z.Z.Z:60360 172.30.250.11:22 X.X.X.X:22
There is a known issue with GRE traffic being dropped at this particular endpoint, so after generating GRE traffic, the entry completely disappears:
ROUTER# sh run | i 172.30.250.11
ROUTER#
ROUTER# sh ip nat nvi trans | i 172.30.250.11
gre 172.30.250.11:0 X.X.X>X:0 Y.Y.Y.Y:0 Y.Y.Y.Y:0
icmp Y.Y.Y.Y:59916 Z.Z.Z.Z:59916 172.30.250.11:59916 172.30.250.11:59916
tcp Y.Y.Y.Y:60360 Z.Z.Z.Z:60360 172.30.250.11:22 X.X.X.X:22
I can reproduce this by severing the tunnel to any other remote site, and after generating GRE traffic to the downed endpoint, the corresponding static NAT entry will disappear.
Debugging has not shown anything, and I have found some mentions of similar behavior on older versions. Has anyone seen this? We don't have support access to test all versions, so if it is known to be resolved in a particular one, we would love to know to work towards loading that version.
ThanksHi Ryan,
Asa cannot ahve 2 default routes, it can only have one. ASA also doesnt support PBR, so the setup that you are trying to configure would not work on the ASA. Router is the correct option for it.
Hope that helps.
Thanks,
Varun Rao
Security Team,
Cisco TAC -
New Cisco 1921 doesn't display running configuration
Hi All,
I've recently received this new Cisco 1921 routers with Cisco CP loaded, so it comes up with the annoying change username and password at first access. I've removed all of those files from the flash memory, and rebooted it, and it came up with the proper initial configuration dialog, which is what I wanted.
But, whenever I configure the router with a set of basic configuration, like interface, routing, and snmp loggings, and hit wr mem, it doesn't display at all when I do "sh run". It's weird cause when I do sh run | sec rip or any other stuff that I have configured, it shows up , but not in sh run at all.
What's the deal with the new routers??? Even sh version doesn't show the config-register or memory allocation details. Which is weird!
xxxxx#sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
xxxxxx uptime is 6 minutes
System returned to ROM by reload at 06:39:25 UTC Mon Apr 29 2013
System restarted at 06:40:59 UTC Mon Apr 29 2013
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
==================================================================
xxxxx#sh run
Building configuration...
Current configuration : 1930 bytes
! Last configuration change at 06:42:46 UTC Mon Apr 29 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname xxxxxx
boot-start-marker
boot-end-marker
logging userinfo
logging buffered 4096
no aaa new-model
no ipv6 cef
ip source-route
ip cef
xxxxxxx #sh run | sec rip
router rip
version 2
network 172.17.0.0
network 192.168.10.0
network 192.168.13.0
no auto-summary
xxxxxxx#sh license feature
Feature name Enforcement Evaluation Subscription Enabled RightToUse
ipbasek9 no no no yes no
securityk9 yes yes no no yes
datak9 yes yes no no yes
SSL_VPN yes yes no no yes
ios-ips-update yes yes yes no yes
WAAS_Express yes yes no no yesSame stuff, but I do have another router that's working fine when I do a sh run.
Problematic router:
xxxxxx#sh hardware
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
xxxxx uptime is 1 hour, 35 minutes
System returned to ROM by reload at 06:39:25 UTC Mon Apr 29 2013
System restarted at 06:40:59 UTC Mon Apr 29 2013
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
Working router:
yyyyyyy#sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
yyyyyyy uptime is 1 week, 3 days, 10 hours, 19 minutes
System returned to ROM by power-on
System restarted at 06:19:19 est Fri Apr 19 2013
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco CISCO1921/K9 (revision 1.0) with 491520K/32768K bytes of memory.
Processor board ID FGLxxxxxx
2 Gigabit Ethernet interfaces
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)
License Info:
License UDI:
Device# PID SN
*0 CISCO1921/K9 FGLxxxxxx
Technology Package License Information for Module:'c1900'
Technology Technology-package Technology-package
Current Type Next reboot
ipbase ipbasek9 Permanent ipbasek9
security None None None
data None None None
Configuration register is 0x2102 -
Cisco 1921 Dual ADSL Load Balancing/Failover?
Hello,
We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
I had a look at ppp multilink but I am unsure our ISP (BT) support this?
This is my current config which I think only one ADSL line is being used. Some input would be appreciated
Robbie
! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname xxxxxx
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 xxxxx
enable password xxxx
no aaa new-model
no ipv6 cef
ip source-route
ip cef
ip name-server 194.74.65.68
ip name-server 194.72.0.114
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-xxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
revocation-check none
rsakeypair TP-self-signed-xxxxx!
crypto pki certificate chain TP-self-signed-xxxxxx
certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
license udi pid CISCO1921/K9 xxxxx
username admin privilege 15 secret 5 xxxxxxxxxx/
interface GigabitEthernet0/0
description lan$ETH-LAN$
ip address 10.0.8.1 255.255.248.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
interface ATM0/0/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
dsl operating-mode adsl2
interface ATM0/1/0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip flow ingress
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface Dialer0
mtu 1483
ip address negotiated
ip access-group spalding in
ip access-group spalding out
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
interface Dialer1
mtu 1483
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxx
ppp chap password 0 xxxxx
ppp link reorders
ppp multilink
ppp multilink links minimum 2
ppp multilink fragment disable
ppp timeout multilink link add 2
no cdp enable
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 permit 10.0.0.0 0.254.255.255
dialer-list 1 protocol ip permit
control-plane
line con 0
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
scheduler allocate 20000 1000
endHi,
Can anyone help me with this config? not very reliable.
Building configuration...
Current configuration : 17349 bytes
! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Router
boot-start-marker
boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
aaa new-model
aaa authentication login local_authen local
aaa authorization exec local_author local
aaa session-id common
no ip source-route
ip port-map user-protocol--8 port udp 3392
ip port-map user-protocol--9 port tcp 3397
ip port-map user-protocol--2 port udp 3391
ip port-map user-protocol--3 port tcp 14000
ip port-map user-protocol--1 port tcp 3391
ip port-map user-protocol--6 port udp 3394
ip port-map user-protocol--7 port tcp 3392
ip port-map user-protocol--4 port udp 14100
ip port-map user-protocol--5 port tcp 3394
ip port-map user-protocol--10 port udp 3397
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.10.1 192.168.10.49
ip dhcp pool DHCP_POOL1
import all
network 192.168.1.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.1.1
lease infinite
ip dhcp pool ccp-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 139.130.4.4 203.50.2.71
default-router 192.168.10.1
lease infinite
no ip bootp server
ip host SHAWN-PC 192.168.1.10
ip host DIAG 192.168.1.5
ip host MSERV 192.168.1.13
ip name-server 139.130.4.4
ip name-server 203.50.2.71
ip cef
ip cef load-sharing algorithm include-ports source destination
no ipv6 cef
multilink bundle-name authenticated
cts logging verbose
crypto pki trustpoint TP-self-signed-1982477479
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1982477479
revocation-check none
rsakeypair TP-self-signed-1982477479
license udi pid
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
redundancy
controller VDSL 0/0/0
operating mode adsl2+
controller VDSL 0/1/0
operating mode adsl2+
no cdp run
track timer interface 5
track 1 interface Dialer0 ip routing
delay down 15 up 10
track 2 interface Dialer1 ip routing
delay down 15 up 10
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 104
match protocol user-protocol--7
match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 101
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 103
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 103
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 102
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--7-2
match access-group 101
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 102
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 101
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 102
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 101
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--8-2
match access-group 101
match protocol user-protocol--8
class-map type inspect match-all sdm-nat-user-protocol--9-2
match access-group 104
match protocol user-protocol--9
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 101
match protocol user-protocol--9
match access-group 104
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 104
match protocol user-protocol--8
match access-group 102
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--10-2
match access-group 104
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 101
match protocol user-protocol--10
match access-group 104
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-user-protocol--8-1
inspect
class type inspect sdm-nat-user-protocol--9-1
inspect
class type inspect sdm-nat-user-protocol--10-1
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-user-protocol--7-2
inspect
class type inspect sdm-nat-user-protocol--8-2
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--9-2
inspect
class type inspect sdm-nat-user-protocol--10-2
inspect
class type inspect sdm-nat-user-protocol--3-2
inspect
class type inspect sdm-nat-user-protocol--4-2
inspect
class class-default
drop log
policy-map type inspect ccp-permit
class class-default
drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
interface Null0
no ip unreachables
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
no mop enabled
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
interface ATM0/0/0.2 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
interface Ethernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 2
interface Ethernet0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no mop enabled
interface GigabitEthernet0/3/0
no ip address
interface GigabitEthernet0/3/1
no ip address
interface GigabitEthernet0/3/2
no ip address
interface GigabitEthernet0/3/3
no ip address
interface GigabitEthernet0/3/4
no ip address
interface GigabitEthernet0/3/5
no ip address
interface GigabitEthernet0/3/6
no ip address
interface GigabitEthernet0/3/7
no ip address
interface Vlan1
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 1444405858557A
ppp pap sent-username [email protected] password 7 135645415F5D54
ppp multilink
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 2
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname [email protected]
ppp chap password 7 01475E540E5D55
ppp pap sent-username [email protected] password 7 055F5E5F741A1D
ppp multilink
router eigrp as#
router eigrp 10
network 192.168.1.1 0.0.0.0
router rip
version 2
network 192.168.1.0
no auto-summary
ip forward-protocol nd
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
ip nat inside source route-map ADSL0 interface Dialer0 overload
ip nat inside source route-map ADSL1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
ip access-list extended NAT
remark CCP_ACL Category=18
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
remark CCP_ACL Category=1
ip access-list extended STATIC-NAT-SERVICES
permit ip host 192.168.1.35 any
permit ip host 192.168.1.5 any
permit ip host 192.168.1.10 any
permit ip host 192.168.1.17 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
route-map ADSL0 permit 10
match ip address NAT
match interface Dialer0
route-map ADSL1 permit 10
match ip address NAT
match interface Dialer1
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
access-list 10 remark INSIDE_IF=NAT
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 139.130.227.0 0.0.0.255 any
access-list 100 permit ip 203.45.106.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.10
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.35
access-list 101 permit tcp any any eq www
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.35
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.10
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.17
control-plane
banner login ^CCE-Rescue Systems^C
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
scheduler allocate 20000 1000
end
Thanks
Shawn -
Updating Marantz firmware via CISCO 1921 Router
I have a CISCO 1921 Router running IOS Version 15.0(1r)M15. There are two Marantz 7701 pre/pro processors on the LAN side of this router. Marantz makes firmware updates available through the internet. All other network services seem to run without any issues on the 7701 except firmware updates. We can stream Pandora audio, various internet radio stations, and receive notification of firmware updates available just fine. However, if we try to actually update the firmware, the Marantz 7701 connects to the update server, then hangs trying to do the update and has to time out before I can try to do the update again. There is something in the way that Marantz uploads the firmware update that is getting blocked by the CISCO 1921.
If we put an HP ProCurve switch between the CISCO 1921 and the FIOS ONT and assign a routable IP address to the Marantz, the firmware update works just fine. If we attach the Marantz to an Apple Airport Express that is NATted/routed to a COMCAST cable modem connection the firmware update works just fine.
This is a long shot, but does anyone happen to have a Marantz 7701 attached to a CISCO router that successfully allows the Marantz firmware updates on the LAN side? If so, did you have to change any of the "default" IOS settings so the update takes place?
I tried to get some info from Marantz on how they do the firmware update, but the folks that answer the phone didn't have access to any protocol or handshake information.
Thanks for any insight or help on this.I have a CISCO 1921 Router running IOS Version 15.0(1r)M15. There are two Marantz 7701 pre/pro processors on the LAN side of this router. Marantz makes firmware updates available through the internet. All other network services seem to run without any issues on the 7701 except firmware updates. We can stream Pandora audio, various internet radio stations, and receive notification of firmware updates available just fine. However, if we try to actually update the firmware, the Marantz 7701 connects to the update server, then hangs trying to do the update and has to time out before I can try to do the update again. There is something in the way that Marantz uploads the firmware update that is getting blocked by the CISCO 1921.
If we put an HP ProCurve switch between the CISCO 1921 and the FIOS ONT and assign a routable IP address to the Marantz, the firmware update works just fine. If we attach the Marantz to an Apple Airport Express that is NATted/routed to a COMCAST cable modem connection the firmware update works just fine.
This is a long shot, but does anyone happen to have a Marantz 7701 attached to a CISCO router that successfully allows the Marantz firmware updates on the LAN side? If so, did you have to change any of the "default" IOS settings so the update takes place?
I tried to get some info from Marantz on how they do the firmware update, but the folks that answer the phone didn't have access to any protocol or handshake information.
Thanks for any insight or help on this. -
How to create anti-spoof rules with exception
Hello all,
I'm a beginner with Ironport and I need to create rules for specific cases.
I manage many mail domains and I want to create an anti-spoof rule with message filter. Easy to do with a dictionnary containing all my mail domains.
But I have some mail addresses with external applications that need to be send with my mail domains.
For example, I receive acknowledge mails sent with [email protected] address and example.com is an domain accepted and managed by my enterprise. So if I activate my anti-spoof rule, all external [email protected] mail will be dropped.
For example I tried this rule with no success :
Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND (mail-from-dictionary-match("Bypass_Sender", 0)){
drop();
I tried this rule too :
Filter_AntiSpoofing: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("My_Domains", 1)) AND ((mail-from !="^[email protected]$") OR (mail-from !="^[email protected]$") OR (mail-from !="@ack.mydomain.com$")){
drop();
Have you got any tips or advice to answer my funny case ?Hello,
We use the following message filter to ear-mark spoofed messages with an X-Header (which we later use for reporting since we told Ironport to log this specific header)
Spoofed_Email_Filter: if (recv-listener == "IncomingMail") AND (mail-from-dictionary-match("dict_internaldomains", 1)) {
insert-header("X-Spoofed", "from[$EnvelopeFrom]_To[$EnvelopeRecipients]_IP[$RemoteIP]_rep[$Reputation]");
The one drawback is that we need to maintain the Dictionary "dict_internaldomains". If we forget to add a new domain to this list it will never be detected as spam.
A good new message filter functionality would be to be able to do a "mail-from-rat-match" which would allow you to use the RAT tables(s) as dictionary.
We plan to solve this by moving the RAT to LDAP and query that same LDAP as dictionary. (If only I had time to test it) :D
Good luck,
Steven -
hi,
i have cisco 1921/k9 and EHWIC-4EGS-P but PoE is is not coming up. i want to connect my APs to this.
Please share how to enable PoE.You need to have the correct power supply on your 1921. If you don't have the PoE power supply, your PoE ports will not come up. See table 5 and then look at what power supply you have.
http://www.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/data_sheet_c78-612808.html
-Scott -
Cisco 1921 - Visio template needed
Can anyone send me a template for a Cisco 1921 router? (only the 1941 is on the Cisco download site).\
Would prefer a 2-D version . . .
You can email it direct to me [email protected]
thks, - Bill HHello Bill,
Please click here for Visio Stencils
HTH
Regards,
Ashish Shirkar
Technical Community Manager-NI -
I am trying to create a antispoofing rule using message filter feature.
It is like
if ( header("from") == "@*mydomain\\.com$" ) { apply anti-spoofing rules here; }
But the rough part is to be able to whitelist certain hosts, e.g., our partners.
For example:
AND ( header("Received") != "whitelist1|whitelist2...." )
Is there a better way to do this? My concern is that this will get very long and error prone over time.
Thanks,
JackWhat if you add all your partner ip addresses/domains to a sendergroup called 'partner_whitelist'.
Next, you can modify your existing filter to bypass spoofing checks from partner domains:
if (( header("from") == "@*mydomain\\.com$" ) AND (sendergroup != 'partner_whitelist'))
{ apply anti-spoofing rules here; } -
Uplink between Stacked Dell 8132 and Cisco 1921 HSRP pair.
Hello,
I have three Dell 8132 switches stacked and we plan on connecting them to an HSRP pair of Cisco 1921 routers. What would be the best way to uplink these stacked switches to the 1921 pair?
I was thinking of creating vlan trunk from 2 of the 3 Dell switches, one trunk going to each router and enable HSRP on these trunks for the vlans I need to route. Would that be a good approach?
Attached is a basic network of what it would look like. Please suggest if this is a good way to accomplish this or if there is a more better and efficient way to do it?
ThanksJust to clarify I wasn't suggesting that you move all the routing to the Dell switches. If the routers are already doing some routing for you then you could simply connect the Dell switches with L3 uplinks.
But yes if you feel more comfortable using Cisco then use the routers.
I have never used an integrated switch module to be honest, I just used L3 switches and routers separately.
I suspect it would work as long as there was a backplane connection between the switch module and the router itself so you could route directly from the switch module to the router.
Can't say for sure whether there is or not as like I say I have never used them.
Which to use really comes down to how much bandwidth you need between vlans which only you know really. If you think using one interface and splitting it up may cause problems then you could look at a switch module.
Although it does seem a bit redundant purchasing a switch module when you have L3 switches already :-)
But I do understand what you mean about being a Cisco shop.
Jon -
Cisco 1921 no username password commad
Hi,
I ahve countered an issue today. I was working on 1921 which is used as test router in ISP. I have loaded a router with test config with username & password in running config. After a while i have removed the username & password with no username---password---- command, then i logged out of router. But now its not allowing me to login as its asking username & password while its not taking any username/password not even cisco/cisco, admin/administrator.
Is this a behaviour of 1921 as i have not copied the runn to start but i disconneced from secure putty session when router was in running config mode. Kindly help.
Regards,
VishalYou have the router configured to use the local user database, but you have removed all the accounts. Doing that will not disable the configuration for using the local database. What you are experiencing is "normal". Menaing that the router is configured for authentication but there are no valid accounts. Like Reza stated, reboot the router and you'll get the startup config. If the config was saved, you'll have to do a password recovery on it.
-
Cisco 1921/1841 as a terminal server
Hi,
we need a terminal server.
I researched a little bit on cisco.com and found out that there are several options, and because of that I am not sure what to buy.
I write down the routers, card models and cables and you guys try to explain what the differences are.
- 1921 ISR2
- HWIC-8A 8-Port Async HWIC x2
- CAB-OCTAL-ASYNC 8 Lead Octal Cable (68 pin to 8 Male RJ-45s) x2
- 1841 ISR
- HWIC-8A 8-Port Async HWIC x2
- CAB-HD8-ASYNC High Density 8-port EIA-232 Async Cable x2
I found this card too:
HWIC-8A/S-232 8-Port Async/Sync Serial HWIC, EIA-232
and this one costs double the price of the HWIC-8A 8-Port Async HWIC but I am not sure if this is for a terminal server.
Is this option enough to manage 16 devices vie the console?
- 1921 ISR2
- HWIC-8A 8-Port Async HWIC x2
- CAB-OCTAL-ASYNC 8 Lead Octal Cable (68 pin to 8 Male RJ-45s) x2Hi,
This is my first post and I just stumbled upon your question.
The CAB-OCTAL-ASYNC has a 60-pin connector that will not work with HWIC-8A or HWIC-16A.
The HWIC-8A is compatible with (amongst others) your 1841 ISR and 1921 ISR2.
The CAB-HD8-ASYNC will work with HWIC-8A (and if you have them HWIC-16A). Each CAB-HD8-ASYNC can support up to 8 serial interfaces. So to answer your questioh about the a workable hardware list, one options is as follows:
- 1921 ISR2
- HWIC-8A 8-Port Async HWIC x2
- CAB-HD8-ASYNC x2
Hope this helps.
Maybe you are looking for
-
Using unzip from unix in java-code ...
Hi people, i have problem, i want to use the command unzip from unix, to unzip a zip-file, the commend unzip must invoke from java-code. Can someone help me. I use the zip-api, but i have 100Mb zip-file, it needs very long time to unzip the zip-file.
-
Cookies not deleting correctly in Safari
Why do my cookies re-appear after I reset Safari (4.02). Same issue with version 4.01. I've deleted the cookie file and that appears to work but I don't know why I need to do anything beyond resetting the browser. I've also deleted the cookie files f
-
Removing security to print a signed document
I have created a secured form (printing disabled), with a digital signature field. Is there a way, once I receive the form back from the user, for me (creator of the form) to disable the security so I can print the completed form? I tried to do this,
-
Hi, I want to include a tree and a table in a SplitPane and be able to click on a node and bring up the table with the columns. I am not sure why a default table does not showup on the right side.This code was similar to having 2 JTextArea. Also defa
-
Creative cloud student purchase problem
who do i contact when im expecting an email for a studen creative cloud purchase that never is sent?