Denying telnet traffic from VRF interfaces on the router

Hi,
We are currently trying to accomplish incomming telnet traffic from an VRF interface to be denied by the router(7613--IOS:12.2(18)SXF4). In the line vty , we have associated an access-class specifying the block should be allowed for inbound telnet connection to the router. This is working good but it also allows the incomming telnet from an VRF interface having the same block as the global table block which is configured for allowing the incomming telnet connection. We don't want to allow any telnet connection from the vrf interface , even though it matches the permit block in the access-list
Kindly note that, we have not specified vrf-also command on the access-class.
Please let us a way to accomplish the above requirement .
Thanking You
Regards
Anantha Subramanian Natarajan

Hi,
Thanks for the suggestion.
I think, I haven't made my requirement clear. We would not like applying access-list to the VRF interfaces to acheive this requirement bcos, then we may have to bind to all the VRF interfaces(I mean customer interfaces),we acting as service provider. We are looking the way by applying access-class binded to line vty ,which is common to all the telnet traffic.
Kindly let us know,if you have some suggestions on the same
Regards
Anantha Subramanian Natarajan

Similar Messages

  • External ip adress at the server network interface behind the router

    Hello to all!
    I am installing MacOSX Snow Leopard Server and using it behind my AirPort router as a mail and web server. I was setup Airport at the NAT section with 'Enable default host at' option and all services workning well, but one thing that i want to understand is the 'network interfaces' at the 'Server admin' of Leopard Server. There is listed only internal ip adress (10.0.1.2) that use the my server, but there is no my static external ip adress. Is it correct ? Or i should manualy also to add a external ip adress which is now actually used with my AirPort router?
    If i should, so how do it correctly, using virtual interfaces at the network section or somewhere else?

    So, with any Airport routers i can't to route my public static IP adress to the MacOSX Server machine? I need another router device for this, am i right?
    Your Airport uses your public static IP address.
    Your Airport is typically then configured to port-forward inbound traffic along to your server at your own private static IP address via NAT. The mechanism known as port-forwarding is (once it is configured) how traffic routing to your public static IP address gets routed to your private static IP address.
    In general (and unless something like NAT is involved), there's only one host box active at one IP address at a time.
    I am not sure, but i think that at the server network interface i should has a public static IP adress, but with this configuration i can't see it.
    If you would so kind as to tell me what particular part(s) of [this article|http://labs.hoffmanlabs.com/node/275] are confusing and why, and I'll see if I can address the confusion and to update the article.

  • How the heck do i get a firmware upgrade from my computer to the router?

    I went to this site here to try and make my router work. It is a WRT54GS wireless router, and I saw where i could download some firmware upgrade, so I clicked on it and saved it to my desktop. It is a .bin file. Now how do I get that file to the router?????
    The router was working until today and now it isn't sending out a wireless signal. However, it is still connecting my computer to the internet through its wire (modem to router, router to computer with cable). But when I open the Easylink software, it says that the internet connection is not working, even though the little green light is on for "wireless" on the front of the router.
    But anyway, how do I get this downloaded file onto the router??? There isn't any usb ports on the router to connect to it. There isn't anything in the Easylink software that gives me that option, or if there is they hid it pretty good. They really should explain how to do this, or do they expect everyone to have a degree in networking or computers or something? I need some help here 

    As sabretooth suggested,Open an Internet Explorer browser page on a computer hard wired to the router...In the address bar type - 192.168.1.1...Leave the Username blank & in Password use admin in lower case...Click on the 'Administration' tab- Then click on the 'Firmware Upgrade' sub tab- Here click on 'Browse' and browse the .bin firmware file and click on "Upgrade"...
    Wait for few seconds until it shows that "Upgrade is successful"  After the firmware upgrade, click on "Reboot" and you will be returned back to the same page OR it will say "Page cannot be displayed".
    Now,Press and hold the reset button for 30 seconds...Release the reset button...Unplug the power cable from your router, wait for 30 seconds and re-connect the power cable...Now re-configure your router...

  • Obtaining Certificate from Win2K CA for the router

    I am trying to obtain CA certificate from Windows2000 CA Server to 2611 router but unsuccessful.
    I have a folder Mscep in my Certsrv folder.Does that mean CA Server has support for SCEP protocol? Or i will have to still install an addon for SCEP ?
    I could find addon for Windows2003 but not windows 2000.Can anyone please tell where to download this file ?
    Config used is : Enrollment mode - RA and enrollment URL http://(CA's DNS name)/certsrv/mscep/mscep.dll.
    Any thing wrong in the config ?
    Please suggest on this

    Hi Selmi
    Thanx.But do i need this file? my doubt is if i have mscep.dll file available in my certsrv folder does that mean that CA has support of SCEP? How can I know that ?

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS " s3223-adventerprise_wan-mz.122-33.SXJ2.bin"  on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch.  I am using EIGRP for the global network and route table and static routing within the the VRF.  Any suggestions or recommendations?  Thanks in advance for your help in this matter...

    Hello,
    You need to use (Static route) in both directions, One Static in the VRF table points to the Global interface, and another one in the Global point to the VRF interface for the recieved traffic. After that, you Can Redistribute the Global Static route into Eigrp for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
    G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
    interface G0/1
    IP address 1.1.1.1 255.255.255.0
    inteface G0/2
    ip vrf forwarding X
    ip address 2.2.2.2 255.255.255.0
    Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
    configure this:  (ip route vrf X  y.y.y.y y.y.y.y.y G0/1 Global)
    Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You Can then redistribute the Global static into the Eigrp as below:
    router Eigrp 1
    no auto summary
    redistribute static metric 1.1.1.1.1
    HTH
    Mohamed

  • Stop DHCP traffic from passing across interfaces

    I'm having an issue with dhcp traffic passing across my cisco ASA 5510 interfaces.
    Example of setup
    Company 1 connected to interface 1 has its own dhcp server
    Company 2 connected to interface 2 has its own dhcp server.
    Some users are getting there ip address from the other companys dhcp server. The 2 companys should pass traffic to each other but not dhcp.
    Is there anyway to stop dhcp traffic from crossing interfaces
    Shane

    usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
    To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
    * Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
    * Incoming packets from any address to 255.255.255.255
    * Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
    where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients
    An example in an ASA would similar to the following.
    For blocking client:
    access-list TEST extended deny udp any any eq bootpc
    For blocking server:
    or access-list TEST extended deny udp any any eq bootps
    Hope that helps.

  • Telnet traffic intiated from console and other traffic

    I have got this scenario :
    hostname R1
    interface Ethernet 0/1
    ip address 192.168.10.10 255.255.255.0
    ip policy-may APPLYPOLICY
    ip local policy route-map REDIRECT
    ip access list extended CONTROL
    Permit tcp any 172.18.1.0 0.0.0.255 eq 23
    route-map REDIRECT permit 10
    match ip address CONTROL
    set ip next-hop 192.168.10.220
    As we know that packets that originate from the router are policy routed according to the local policy.
    Does the telnet traffic to a destination on the 172.18.1.0/24 network, that is initiated from console connection on the router, will be policy routed as well ?

    Hi,
    all traffic locally generated should be treated the same, it should not matter, if you access the router through console or vty. The main point is, that the telnet packets are created locally, no matter how the command is executed.
    Regards, Martin

  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hii frnds,
    here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
    Below is the out put from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    hi  Maximilian Schojohann..
    First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
    In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
    so plz give me an alternate solution ....thanks in advance....

  • NAT list getting hit for traffic from WAN IP

    I have an 871 setup at home with a fairly basic configuration (NAT, Firewall, EasyVPN, Wireless). What I've noticed is that for traffic going from the WAN interface (FastEthernet4), it seems to be hitting the ACL in place for NAT. My config:
    interface Loopback0
    ip address 192.168.254.1 255.255.255.255
    interface FastEthernet4
    description Cable Modem Connection
    bandwidth 384
    ip address dhcp
    ip nat outside
    ip nat enable
    no ip virtual-reassembly
    duplex auto
    speed auto
    interface Vlan1
    no ip address
    bridge-group 1
    interface BVI1
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip nat inside source list NATLIST interface FastEthernet4 overload
    ip access-list extended NATLIST
    permit ip 192.168.1.0 0.0.0.255 any
    deny ip any any log
    Seems to work just fine, but I will see this in my logs:
    Oct 30 17:21:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 68.87.69.146(0), 1 packet
    Oct 30 17:21:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 140.142.16.34(0), 1 packet
    Oct 30 17:21:56 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 24.64.94.41 (0/0), 1 packet
    Oct 30 17:23:38 PDT: %SEC-6-IPACCESSLOGP: list NATLIST denied udp 76.22.98.39(0) -> 207.188.29.230(0), 1 packet
    Oct 30 17:25:38 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 121.18.13.100 (0/0), 2 packets
    Oct 30 17:27:38 PDT: %SEC-6-IPACCESSLOGDP: list NATLIST denied icmp 76.22.98.39 -> 24.64.94.41 (0/0), 1 packet
    Where 76.22.98.39 is the dynamic IP address from the cable provider. If the traffic isn't passing through the router, why is it trying to NAT it?
    IOS Version is 12.4(6)T9

    Hello Brom,
    I am facing the same situation that I can see a whole bunch of log-entries which state that IP-packets with the source address of the routers own WAN-interface-address are trying to reach a variety of IPs somewhere out there.
    I don't feel fine with just ignoring something - in only very rare situations this has been a good advise. I believe this is not a solution.
    There's just one naging question you should be able to answer.
    Since when needs the routers traffic translation? If the router sends packets because it want's to reach a destination for some reason it uses as source-address the address of the interface the traffic is supposed to leave and send's it directly there, doesn't it?
    So why in the world are there thousends of packets denied by the NAT-process (ofcourse, the NATACL doesn't allow this address), all showing the same pattern
    (pattern == protocol=udp AND source=ownWANIP AND port=0 AND destination=someIPoutthere AND port=0) as you can see from the following output, cause I think this is supicious and tryed it - wow! How do these packets get to the NAT-process anyway?!
    000894: Oct 10 06:57:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000895: Oct 10 06:58:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 4 packets 
    000896: Oct 10 06:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000897: Oct 10 06:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000898: Oct 10 07:02:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000899: Oct 10 07:04:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 16 packets 
    000900: Oct 10 07:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000901: Oct 10 07:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000902: Oct 10 07:08:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000903: Oct 10 07:09:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 5 packets 
    000904: Oct 10 07:11:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000905: Oct 10 07:11:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000906: Oct 10 07:13:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000907: Oct 10 07:14:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 14 packets 
    000908: Oct 10 07:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000909: Oct 10 07:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000910: Oct 10 07:18:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000911: Oct 10 07:19:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000913: Oct 10 07:22:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000914: Oct 10 07:22:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 3 packets 
    000915: Oct 10 07:23:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000916: Oct 10 07:24:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 8 packets 
    000917: Oct 10 07:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 3 packets 
    000918: Oct 10 07:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000919: Oct 10 07:29:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 3 packets 
    000920: Oct 10 07:30:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000921: Oct 10 07:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 3 packets 
    000922: Oct 10 07:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 3 packets 
    000923: Oct 10 07:34:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000924: Oct 10 07:35:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 24 packets 
    000925: Oct 10 07:38:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000926: Oct 10 07:38:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000928: Oct 10 07:39:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 3 packets 
    000929: Oct 10 07:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    000930: Oct 10 07:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000931: Oct 10 07:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000932: Oct 10 07:44:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000936: Oct 10 07:47:35: %SEC-6-IPACCESSLOGP: list FAE00IN denied tcp 222.173.130.154(6000) -> 212.152.155.204(1433), 1 packet 
    000937: Oct 10 07:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000938: Oct 10 07:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000939: Oct 10 07:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000940: Oct 10 07:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000941: Oct 10 07:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 5 packets 
    000942: Oct 10 07:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000943: Oct 10 07:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000946: Oct 10 07:56:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000947: Oct 10 08:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 7 packets 
    000948: Oct 10 08:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000949: Oct 10 08:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000950: Oct 10 08:01:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000951: Oct 10 08:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 15 packets 
    000952: Oct 10 08:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000953: Oct 10 08:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000954: Oct 10 08:06:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000956: Oct 10 08:10:26: %SEC-6-IPACCESSLOGDP: list FORNAT denied icmp 212.152.155.204 -> 172.16.0.151 (0/0), 1 packet 
    000957: Oct 10 08:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    000958: Oct 10 08:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000959: Oct 10 08:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000960: Oct 10 08:11:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000961: Oct 10 08:14:49: %SEC-6-IPACCESSLOGP: list FAE00IN denied tcp 216.133.175.69(2087) -> 212.152.155.204(5900), 1 packet 
    000962: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000963: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 11 packets 
    000964: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000966: Oct 10 08:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000968: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000969: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    000970: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000971: Oct 10 08:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000972: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000973: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 3 packets 
    000974: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000975: Oct 10 08:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000976: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000977: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 29 packets 
    000978: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 2 packets 
    000979: Oct 10 08:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 2 packets 
    000980: Oct 10 08:38:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000981: Oct 10 08:39:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000982: Oct 10 08:39:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000983: Oct 10 08:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 2 packets 
    000984: Oct 10 08:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    000985: Oct 10 08:44:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000986: Oct 10 08:44:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000987: Oct 10 08:49:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 2 packets 
    000988: Oct 10 08:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000989: Oct 10 08:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000990: Oct 10 08:52:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000991: Oct 10 08:54:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 5 packets 
    000992: Oct 10 08:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    000993: Oct 10 08:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000994: Oct 10 08:59:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000995: Oct 10 09:00:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    000996: Oct 10 09:05:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 17 packets 
    000997: Oct 10 09:07:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    000998: Oct 10 09:07:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    000999: Oct 10 09:09:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001002: Oct 10 09:10:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 7 packets 
    001003: Oct 10 09:15:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 14 packets 
    001004: Oct 10 09:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001005: Oct 10 09:16:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001006: Oct 10 09:17:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001007: Oct 10 09:21:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 6 packets 
    001008: Oct 10 09:24:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001009: Oct 10 09:24:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001010: Oct 10 09:26:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001012: Oct 10 09:27:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 4 packets 
    001013: Oct 10 09:32:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 26 packets 
    001014: Oct 10 09:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001015: Oct 10 09:33:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001016: Oct 10 09:35:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001017: Oct 10 09:37:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    001018: Oct 10 09:41:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001019: Oct 10 09:41:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001020: Oct 10 09:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 
    001021: Oct 10 09:43:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 1 packet 
    001022: Oct 10 09:48:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 195.96.0.3(0), 74 packets 
    001023: Oct 10 09:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 130.149.17.21(0), 1 packet 
    001024: Oct 10 09:50:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.12(0), 1 packet 
    001027: Oct 10 09:52:49: %SEC-6-IPACCESSLOGP: list FORNAT denied udp 212.152.155.204(0) -> 131.130.1.11(0), 1 packet 

  • Tacacs+ not working on VRF Interface

    C4948-10G switch running IOS 15.0(2)SG
    ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip vrf mgmt
    rd 100:1
    interface fa1
    ip vrf forwarding mgmt
    IP address 192.168.5.1 255.255.255.0
    duplex auto
    speed auto
    ip vrf forwarding mgmt
    aaa group server tacacs+ tacacs+ (command did not prompt to sub-command for server-private ....)
    server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
    tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
    tacacs-server host 192.168.5.76 key secret
    ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
    ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
    ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
    ip tacacs source-interface fa1
    sw2#debug tacacs
    SW2#debug aaa authentication
    SW2#test aaa group tacacs+ tester passwordtest new-code
    Feb  4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
    Feb  4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
    Feb  4 11:36:09.808: TPLUS: processing authentication start request id 0
    Feb  4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
    Feb  4 11:36:09.808: TPLUS: Using server 192.168.5.75
    Feb  4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
    Feb  4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0User rejected
    SW2#
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
    Feb  4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
    SW2#test aaa group tacacs+ tester passwordtest legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    Feb  4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
    Feb  4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Feb  4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
    Feb  4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
    Feb  4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    SW2#
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    SW2#ping vrf mgmt 192.168.5.85
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    SW2#sh ip route vrf mgmt
    Routing Table: mgmt
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
    S       192.168.5.75/32 [1/0] via 192.168.5.2
    S       192.168.5.76/32 [1/0] via 192.168.5.2
    S       192.168.5.85/32 [1/0] via 192.168.5.2
    C       192.168.5.0/24 is directly connected, FastEthernet1
    SW2#sh ip vrf
      Name                             Default RD          Interfaces
      mgmt                             100:1                     Fa1
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtml

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • Block / Deny ICMP Traffic cisco asa 5512-x

    hi expert
    I have cisco asa 5512x for configure as firewall and sslvpn.
    my customer want block/Deny icmp traffic from interface outside without block anything.
    i've configure form cli :
    icmp deny any outside
    but from outside can't open sslvpn url and asdm.

    Hi,
    Access for the Anyconnect/ASDM does not depend on the ICMP permit/deny commands on the ASA device.
    If you want to block the Pings to the ASA interface use the command:-
    icmp deny any outside etc.
    What do you mean by "i can ping from outside." Plzz explain.
    Thanks and Regards,
    Vibhor Amrodia

  • IDSM missing traffic on trunk interface

    Hi
    I have a scenario where an IDSM with IPS 6 is triggering on traffic from a non-trunk interface but when the same traffic passes over another VLAN on a trunk.
    Monitor setup is like this
    monitor session 10 source interface Gi1/2
    monitor session 10 source interface Gi7/1
    monitor session 10 filter vlan 22 - 23 , 208
    monitor session 10 destination intrusion-detection-module 5 data-port 1
    where 1/2 is the non-trunk interface and 7/1 is the trunk. Traffic from VLAN 23 is firewalled/NATed and sent out on VLAN 208 towards our edge network.
    The exact case is that when I browse an external web site with SQL code in the HTML I get an SQL Injection alert from VLAN 208 only. I never get the alert for the same traffic passing behind the firewall over the trunk. When I set a sniffer as source for the SPAN session I see the HTTP request with the SQL code passing through the trunk interface as well as VLAN 208.
    Am I missing something here? Shouldn't and IPS report ALL occurrences of bad traffic?
    Regards
    Fredrik Hofgren

    What has to be upgraded, the Catalyst IOS or the software on the IDSM? Our Catalyst has IOS 12.2(18)SXF5 and the IDSM the latest version 6.0(3)E1.
    It seems odd that it would be a problem with missing VLAN tags. When I set the IDSM to manually capture traffic from an IP in the inside VLAN passing over the trunk the VLAN tag is present when I view the packets in Ethereal.
    /Fredrik

  • 4900 DNS through VRF-interface

    Hi,
    i tried to configure a C4900M to connct to the nameserver through its VRF-Interface.
    The document "DNS - VRF Aware DNS" describes the command "ip name-server [vrf vrf-name] server-address1"
    But I cant use this comand on a 4900M.
    IOS-Version: 12.2(53)SG1
    How can it be realized?
    Thanks
    Andreas

    I have a 4900M with the same problem except I am running 15.2(1)E. The latest config guide I can find for the 15 train is 15.0 which does not list DNS as being supported for VRF. However, there are some commands that make it appear it is.
    Entering these commands...
    ip domain-lookup source-interface FastEthernet1
    ip domain-name vrf mgmtVrf mydomain.com
    ip name-server vrf mgmtVrf 4.2.2.1
    It still does not work...
    c4900M#ping vrf mgmtVrf 8.8.8.8
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/12 ms
    c4900M#ping vrf mgmtVrf google-public-dns-a.google.com
    Translating "google-public-dns-a.google.com"...domain server (4.2.2.1)
    % Unrecognized host or address, or protocol not running.
    I can ping and TFTP from my Fa1 interface, so routing is good. Looks like DNS is not fully supported yet, or am I missing a command?

  • HTTP compression: Excluding traffic from getting compressed

    Hi-
    We have a web application where we are trying to exclude certain traffic from getting compressed.
    The following should get compressed:
    http://www.domain.com/dir1/a.htm
    but the following should not get compressed:
    http://www.domain.com/dir2/b.htm
    I have configured my Sun One web server obj.conf file as follows:
    <Object name="default">
    NameTrans fn="pfx2dir" from="/dir1" dir="/opt/myapp/dir1"
    NameTrans fn="pfx2dir" from="/dir2" dir="/opt/myapp/dir2"
    <Client match="none"\
    browser="*MSIE [1-3]*"\
    browser="*MSIE [1-5]*Mac*"\
    browser="Mozilla/[1-4]*Nav*">
    Output fn="insert-filter" filter="http-compression" type="text/*"
    </Client>
    </Object>
    <Object ppath="*dir2*">
    Output fn="insert-filter" filter="http-compression" type="text/*" vary="off"
    </Object>
    But the objects (GIFs, HTML, TEXT, etc) where the dir2 condition is met are still getting compressed. Would someone be able to assist me?
    Thanks,
    Nimbus

    It looks like you expected the vary parameter to control whether the http-compression SAF compresses content. It doesn't. The vary parameter controls whether the http-compression SAF adds a Vary: header field to the response.
    If you don't want all files to be compressed, you should remove the Output fn="insert-filter" filter="http-compression" directive from the default object. You can instead create a new object only for those files you wish to be compressed:<Object ppath="/opt/myapp/dir1/*">
    <Client match="none"
            browser="*MSIE [1-3]*"
            browser="*MSIE [1-5]*Mac*"
            browser="Mozilla/[1-4]*Nav*">
    Output type="text/*"
           fn="insert-filter"
           filter="http-compression"
    </Client>
    </Object>

  • Use two interfaces on the same network

    Hello every one,
    I actually starting to work on a cisco project. I'm a beginner on networking and cisco technologie.
    For my project we use a router 2921.
    We got two network:
    - Network A: 192.198.0.X / 255.255.255.0 / Gateway 192.198.0.1
    - Network B: 162.168.0.X / 255.255.0.0 / Gateway 162.168.0.1
    Each network use switch, Switch A (connecting to network A) is connected to interface G0/0.
    And Switch B (connecting to network B) is connected to interface G0/1.
    Router well configured as:
    - G0/0: ip address 192.198.0.1 255.255.255.0 (network A)
    - G0/1: ip address 162.168.0.1 255.255.0.0 (network B)
    Every think working fine.
    The problem is with this one, we need to connect a computer on G0/2. This computer is configure as network A (192.198.0.10 / 255.255.255.0 and same gateway).
    I can't configure G0/2 as 192.198.0.1 255.255.255.0 (network A), cause G0/0 use this adresse.
    I can't put this computer on the switch A, my only physical possibilité is to connect him on G0/2.
    We just need to use interface G0/0 and G0/2 as a switch on the router with the same gateway (192.198.0.1)
    How can i connect this computeur? How can i configure two interfaces on the same network and same gateway?
    Thanks you

    I would just put the PC on a different network, but if you really want it to be in the same network, you could use IRB to connect two of the interfaces on the router at layer 2.
    Here is an example config for IRB:
    interface FastEthernet0/0
    bridge-group 1
    interface FastEthernet0/1
    bridge-group 1
    bridge irb
    interface BVI1
    ip address 192.168.0.1 255.255.255.0
    bridge 1 route ip
    Notice that the physical ports do not have IP addresses on them, the IP for the subnet is on the BVI interface.

Maybe you are looking for

  • Rename, New folder action using Drive CMIS connector

    I am trying to work on "Rename" and "New Folder" actions from Drive. To give more details - when I connect to our DAM using Drive, the DAM gets mounted as a network drive and can be accessed from Windows Explorer. I was told on one of the Adobe forum

  • I can't import my lion mail in mountain lion mail after upgrading

    Hi Apple people! Before I was on lion OS X then I exported my mail files and I get a mbox files so then I copied it to my hardisk after that I bought the mountain lion then I put it in USB Flash after that I erase my MacBook Pro Hardisk then I instal

  • Why is Mac OS X 10.7.4  "too new" to install Autodesk Entertainment creation Suite 2012

    Why is Mac OS X 10.7.4  "too new" to install Autodesk Entertainment creation Suite 2012. I went to Autodesk website I found nothing to fix this. Anyone who has ANY suggestions, I would appreciate any help you might provide.

  • Receive using bluetooth not working

    Hi,         I went to media->music, Then I clicked Receive using bluetooth.         I got an error message saying that:                        File Transfer         Connection Failed.         I then deleted the other device from my paired devices lis

  • Callin a report and scheduling it in the background ........  urgent

    Hi , i need to call a report2 from report1 .. i need to schedule the report2 in the background ...... such that the execution of report1 is never affected by the execution of report2 ....  jsut a call from report1 to report2 ..... also i need to pass