Ethernet port 0/0 on Cisco 2600 unable to access NM-ESW-16 ports
Is it possible to config the E0/0 port on the Cisco 2600 router to access the FE ports on the on-board NM-ESW-16? There is only one Ethernet port on the router.
Thanks for the reply. However, we are unclear how to accomplish this. I tried the no switchport mode command on a FE port on the switch. Afterwards, I tried to assign an IP address and mask to the port. The switch responded saying that an IP address cannot be applied to a L2 port. What I need to understand is how to re-assign a L2 port as a L3 port. Thanks for any added help.
kjjscharff
Similar Messages
-
Cisco 2600 series router and cable modems
Hi everyone, I am just about to get started preparing for my CCNA... I am looking to pick up some used Cisco 2600 series routers to set up a home lab. I am wondering if it is possible to connect a cable modem directly to a 2600 series router? If so, do I need a certain type of WIC? I want to go from my cable modem, to a router, to my switch. Thanks in advance!
Hi,
Yes, you can. Using the Ethernet port on the cable modem, you can connect the cable modem to the 2600 router; the 2600 comes with a built-in Ethernet or FastEthernet port (according to your platform).
HTH,
Mohammed Mahmoud. -
ASA 5505 unable to access ASDM (just needs some ports open and forwarding set up)
I was able to access the ASDM launcher in the browser yesterday via https://192.168.111.1/admin and I was stuck there, as the browser version says that my ASA image does not work with my ASDM version. So I tried some troubleshooting and think that I may have changed the image to an image that does not exist. (I'm not sure where it is that I would actually place that image either.) Now I am unable to access it through the browser at all.
Anyway, I am OK with SSH/CLI and have been using my firewall in this manner. I am walking into this company's current configuration and simply need to do the following:
I need to OPEN ports 9000, 85, 40085, 49005 so that my mobile device can pull my security cameras in the office
I need to set port forwarding so that any connections that hit outside-in ip address 205.214.36.53:1610 >>> http://192.168.111.30:1610/AndroidWS/ for our new mobile CRM.
I have been through some of your related discussions and am falling short somewhere. Please help
Here is my "show run" and my "dir":
ciscoasa(config)# show run
: Saved
ASA Version 9.0(2)
hostname ciscoasa
domain-name scec.local
enable password ol40hHpZTtZQFXMJ encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd ol40hHpZTtZQFXMJ encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif INSIDE
security-level 100
ip address 192.168.111.1 255.255.255.0
interface Vlan2
nameif OUTSIDE
security-level 0
ip address 205.214.236.50 255.255.255.240
boot system disk0:/asa902-k8.bin
boot system disk0:/asa825-k8.bin
boot system disk0:/asa831-k8.bin
ftp mode passive
dns domain-lookup INSIDE
dns domain-lookup OUTSIDE
dns server-group DefaultDNS
name-server 192.168.111.50
name-server 8.8.8.8
domain-name scec.local
object network LAN
subnet 192.168.111.0 255.255.255.0
object network SERVER1
host 192.168.111.50
object network SERVER1_PUBLIC
host 205.214.236.51
object network SERVER2
host 192.168.111.20
object network SERVER2_PUBLIC
host 205.214.236.52
object network SERVER3
host 192.168.111.30
object network SERVER3_PUBLIC
host 205.214.236.53
object network SERVER4
host 192.168.111.40
object network SERVER4_PUBLIC
host 205.214.236.54
object network SERVER5
host 192.168.111.10
object network SERVER5_PUBLIC
host 205.214.236.55
object-group service SERVER1_PORTS tcp
port-object eq www
port-object eq https
port-object eq smtp
port-object eq pop3
port-object eq imap4
port-object eq 3389
object-group service SERVER2_PORTS tcp
port-object eq 3389
object-group service SERVER3_PORTS tcp
port-object eq 3389
object-group service SERVER4_PORTS tcp
port-object eq 3389
object-group service SERVER5_PORTS tcp
port-object eq 3389
port-object eq www
port-object eq https
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any log
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any log
access-list OUTSIDE_IN extended deny ip 127.0.0.0 255.0.0.0 any log
access-list OUTSIDE_IN extended deny ip 0.0.0.0 255.255.255.0 any log
access-list OUTSIDE_IN extended deny ip 244.0.0.0 255.255.255.240 any log
access-list OUTSIDE_IN extended deny ip host 255.255.255.255 any log
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-list OUTSIDE_IN extended permit icmp any any time-exceeded
access-list OUTSIDE_IN extended permit icmp any any unreachable
access-list OUTSIDE_IN extended permit tcp any object SERVER1 object-group SERVER1_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER2 object-group SERVER2_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER3 object-group SERVER3_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER4 object-group SERVER4_PORTS
access-list OUTSIDE_IN extended permit tcp any object SERVER5 object-group SERVER5_PORTS
access-list inside-out extended permit ip any any
pager lines 24
logging asdm informational
mtu INSIDE 1500
mtu OUTSIDE 1500
ip audit name OUTSIDE_ATTACK attack action alarm drop
ip audit name OUTSIDE_INFO info action alarm
ip audit name INSIDE_ATTACK attack action alarm drop reset
ip audit name INSIDE_INFO info action alarm
ip audit interface INSIDE INSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_INFO
ip audit interface OUTSIDE OUTSIDE_ATTACK
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
ip audit signature 6051 disable
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-509.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (INSIDE,OUTSIDE) source static SERVER1 SERVER1_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER2 SERVER2_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER3 SERVER3_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER4 SERVER4_PUBLIC
nat (INSIDE,OUTSIDE) source static SERVER5 SERVER5_PUBLIC
object network LAN
nat (INSIDE,OUTSIDE) dynamic interface
access-group inside-out in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
route OUTSIDE 0.0.0.0 0.0.0.0 205.214.236.49 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization exec LOCAL
http server enable
http 0.0.0.0 0.0.0.0 INSIDE
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 INSIDE
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
ssh version 2
console timeout 0
dhcpd option 3 ip 192.168.111.1
dhcpd address 192.168.111.100-192.168.111.200 INSIDE
dhcpd dns 192.168.111.50 8.8.8.8 interface INSIDE
dhcpd enable INSIDE
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username wti password OIEBfkGT1DRShCnN encrypted privilege 15
username admin password g/t7o/eHDKMomDrS encrypted privilege 15
username vpnuser password 8DcFkqJ9hi39UQw. encrypted privilege 15
username sysadmin password mi1AUI982JWkJuWt encrypted
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:6dd04d2527e7929343ebd090969e18a1
: end
ciscoasa(config)# dir
Directory of disk0:/
148 -rwx 15390720 09:08:54 Jul 31 2013 asa825-k8.bin
149 -rwx 27611136 09:43:48 Oct 31 2013 asa902-k8.bin
150 -rwx 2048 00:00:00 Jan 01 1980 FSCK0000.REC
20 drwx 2048 09:12:16 Jul 31 2013 coredumpinfo
151 -rwx 16280544 09:14:46 Jul 31 2013 asdm-645.bin
10 drwx 2048 09:19:42 Jul 31 2013 log
19 drwx 2048 09:20:08 Jul 31 2013 crypto_archive
153 -rwx 14240396 14:14:18 Jun 11 2014 asdm-631.bin
154 -rwx 4096 00:00:00 Jan 01 1980 FSCK0001.REC
155 -rwx 12998641 09:20:28 Jul 31 2013 csd_3.5.2008-k9.pkg
156 drwx 2048 09:20:30 Jul 31 2013 sdesktop
157 -rwx 6487517 09:20:32 Jul 31 2013 anyconnect-macosx-i386-2.5.2014-k9.pkg
158 -rwx 6689498 09:20:36 Jul 31 2013 anyconnect-linux-2.5.2014-k9.pkg
159 -rwx 4678691 09:20:38 Jul 31 2013 anyconnect-win-2.5.2014-k9.pkg
160 -rwx 4096 00:00:00 Jan 01 1980 FSCK0002.REC
161 -rwx 4096 00:00:00 Jan 01 1980 FSCK0003.REC
162 -rwx 4096 00:00:00 Jan 01 1980 FSCK0004.REC
163 -rwx 6144 00:00:00 Jan 01 1980 FSCK0005.REC
164 -rwx 6144 00:00:00 Jan 01 1980 FSCK0006.REC
165 -rwx 6144 00:00:00 Jan 01 1980 FSCK0007.REC
166 -rwx 22528 00:00:00 Jan 01 1980 FSCK0008.REC
167 -rwx 38912 00:00:00 Jan 01 1980 FSCK0009.REC
168 -rwx 34816 00:00:00 Jan 01 1980 FSCK0010.REC
169 -rwx 43008 00:00:00 Jan 01 1980 FSCK0011.REC
170 -rwx 2048 00:00:00 Jan 01 1980 FSCK0012.REC
171 -rwx 26624 00:00:00 Jan 01 1980 FSCK0013.REC
172 -rwx 2048 00:00:00 Jan 01 1980 FSCK0014.REC
173 -rwx 26624 00:00:00 Jan 01 1980 FSCK0015.REC
174 -rwx 2048 00:00:00 Jan 01 1980 FSCK0016.REC
175 -rwx 2505 09:46:08 Oct 31 2013 8_2_5_0_startup_cfg.sav
176 -rwx 1189 09:46:12 Oct 31 2013 upgrade_startup_errors_201310310946.log
177 -rwx 100 16:42:40 Jun 10 2014 upgrade_startup_errors_201406101642.log
178 -rwx 100 14:52:26 Jun 11 2014 upgrade_startup_errors_201406111452.log
127004672 bytes total (21886976 bytes free)
Please let me know if you need any other information from me so that I can get our mobile devices to connect to the new CRM from outside the network and allow the owner access on his mobile device to the company cameras.
(NOTE: I can do both of these things currently from within the network without any issues.)
THANKS
Jgreene -
This doesn't specifically answer your question, but if you want to get ASDM functionality back you need to load a newer version onto flash memory and then point the ASA to that with the configuration command:
asdm image disk0:/asdm-version.bin
You are running ASA Version 9.0(2), so you need at least version 7 of ASDM to support that. Interestingly enough, your "asdm image" statement in your config points to asdm-509.bin, and you have asdm-631.bin and asdm-645.bin on flash. None of those will work. I suggest loading up asdm-721.bin and changing the asdm image statement accordingly. I am pretty sure a reboot is required after that is done.
Good Luck!
-Jeff -
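The mismatch Jeff points out (an "asdm image" statement naming a file that is not on flash, and an ASDM release too old for the running ASA version) is easy to check mechanically before rebooting. The script below is an added example, not a Cisco tool and not code from this thread: it parses the "boot system" / "asdm image" lines of a running-config together with the output of "dir" and reports every referenced image that is missing from flash, plus the ASA 9.x / ASDM 7 rule stated in the reply above. The sample input is a constructed excerpt that reuses the file names from the post; the ASDM version decoding (asdm-645.bin is 6.4(5)) follows the usual Cisco file-naming convention and is an assumption of this example.

```python
import re

# Constructed excerpt modelled on the running-config and "dir" output posted
# above: same file names, trimmed to the lines this check actually reads.
SHOW_RUN = """\
ASA Version 9.0(2)
hostname ciscoasa
boot system disk0:/asa902-k8.bin
boot system disk0:/asa825-k8.bin
boot system disk0:/asa831-k8.bin
asdm image disk0:/asdm-509.bin
no asdm history enable
"""

DIR_OUTPUT = """\
Directory of disk0:/
148 -rwx 15390720 09:08:54 Jul 31 2013 asa825-k8.bin
149 -rwx 27611136 09:43:48 Oct 31 2013 asa902-k8.bin
151 -rwx 16280544 09:14:46 Jul 31 2013 asdm-645.bin
153 -rwx 14240396 14:14:18 Jun 11 2014 asdm-631.bin
127004672 bytes total (21886976 bytes free)
"""

# One "dir" file entry: index, -rwx, size, HH:MM:SS, Mon DD YYYY, name (directories skipped).
DIR_ENTRY = re.compile(
    r"^\s*\d+\s+-rwx\s+\d+\s+\d\d:\d\d:\d\d\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+(\S+)\s*$"
)
IMAGE_REF = re.compile(r"^(boot system|asdm image)\s+(\w+):/(\S+)$")
ASA_VER = re.compile(r"^ASA Version (\d+)\.(\d+)", re.M)
ASDM_NAME = re.compile(r"^asdm-(\d)(\d)(\d+)\.bin$")


def flash_files(dir_output):
    """Return the set of file names listed by 'dir' (directories are skipped)."""
    return {m.group(1) for m in map(DIR_ENTRY.match, dir_output.splitlines()) if m}


def referenced_images(show_run):
    """Return [(command, device, filename)] for every boot system / asdm image line."""
    refs = []
    for line in show_run.splitlines():
        m = IMAGE_REF.match(line.strip())
        if m:
            refs.append(m.groups())
    return refs


def asdm_version(filename):
    """Decode the ASDM version from its file name (assumed convention): asdm-645.bin -> (6, 4, 5)."""
    m = ASDM_NAME.match(filename)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(show_run, dir_output):
    """Return a list of findings; an empty list means every referenced image is usable."""
    findings = []
    present = flash_files(dir_output)
    asa = ASA_VER.search(show_run)
    asa_major = int(asa.group(1)) if asa else None
    for cmd, device, fname in referenced_images(show_run):
        if fname not in present:
            findings.append(f"{cmd} points at {device}:/{fname}, which is not in flash")
        if cmd == "asdm image":
            ver = asdm_version(fname)
            # Rule stated in the reply above: ASA 9.x needs ASDM 7 or later.
            if ver and asa_major is not None and asa_major >= 9 and ver[0] < 7:
                findings.append(
                    f"{fname} is ASDM {ver[0]}.{ver[1]}({ver[2]}); "
                    f"ASA {asa_major}.x needs ASDM 7.x or later"
                )
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_RUN, DIR_OUTPUT):
        print("FINDING:", finding)
```

Run against the excerpt it reports three problems: the third "boot system" entry (asa831-k8.bin) and the ASDM image (asdm-509.bin) are not on flash, and asdm-509.bin is far too old for ASA 9.0(2). A missing boot image is worth catching for the same reason as the ASDM one: the ASA walks the "boot system" list in order, so a stale entry silently changes which image loads after a reboot.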
FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]
Hi Cisco People
I'm using FreeRadius 2 and a Cisco 2600 terminal server to coordinate access to Cisco routers based on time ranges.
Basically we are an education/training environment where we have some students accessing the routers and switches for practise. Terminal servers are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into a few groups. We want to implement a policy on the Radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter).
+---------------+       +-------------------+       +-----------------+
|     User      |-------|    Cisco 2600     |-------|     Network     |
|               |       |  Terminal Server  |       |     Devices     |
+---------------+       +-------------------+       +-----------------+
                                (NAS)
                                  |
                                  |
                         +-----------------+
                         |   FreeRadius    |
                         +-----------------+
Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
users
=============
cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15"

clients.conf
==============
client 192.168.1.1 {
        secret    = SECRET_KEY
        shortname = termserver
        nastype   = cisco
}
A typical transaction would be:
Access-Request
=======
NAS-IP-Address = 192.168.1.1
NAS-Port = 35
NAS-Port-Type = Async
User-Name = "cisco"
Calling-Station-Id = "1.1.1.1"
User-Password = "cisco"
Access-Accept
=======
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be:
users
=============
cisco   Auth-Type := System
        Service-Type = NAS-Prompt-User,
        cisco-avpair = "shell:priv-lvl=15",
        Session-Timeout = 20

Cisco Terminal Server
==============
aaa new-model
aaa authentication login default group radius local none
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
aaa accounting connection default start-stop group radius
After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attribute, like the following:
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Session-Timeout = 20
But the problem is that it doesn't really terminate the session after the 20 seconds are reached. My questions are:
1. Is the terminal server really able to enforce such a time limit after receiving the attribute?
2. Is the 2600 terminal server with [IOS 12.1(3)T] compliant with RFC 2865?
3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached?
Thanks
Frank
Frank,
I think you should use the login time as well:
Login-Time
Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
The following line will grant Alice access only between 08:00 and 18:00 each day.
"alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
http://www.packtpub.com/article/getting-started-with-freeradius
http://wiki.freeradius.org/config/Users
yes, the terminal server is RFC 2865 compliant.
Rate if Useful :)
Sharing knowledge makes you Immortal.
Regards,
Ed -
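Ed's reply describes the two things the logintime module does with a Login-Time check item: reject the request when the user is outside the permitted window, and otherwise derive a Session-Timeout reply from the time left in that window, so the NAS can cut the session when the window closes. The function below is an added illustration of that calculation, written for this page; it is not rlm_logintime's code and is deliberately a simplified re-implementation. It handles the documented Login-Time syntax used above (comma-separated entries, two-letter day codes such as Mo/Tu/We/Th/Fr/Sa/Su, plus Wk for weekdays and Al/Any for every day, each optionally followed by an HHMM-HHMM range; a range that crosses midnight is assumed to start on the named day and run into the next morning). Where several entries admit the current time, the longest remaining time is returned; that tie-break is an assumption of this example. The timestamps in the test are constructed.

```python
from datetime import datetime

# Two-letter day codes of the Login-Time syntax (Monday == 0, as datetime.weekday()).
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7)), "Any": set(range(7)),
}


def parse_login_time(spec):
    """Parse 'Wk0855-2355,Sa,Su2230-0830' into [(days, start_minute, end_minute)].

    An entry without a time range covers the whole day (0000-2400); an entry
    without day codes covers every day. Unknown codes raise ValueError.
    """
    entries = []
    for item in spec.split(","):
        item = item.strip()
        days, i = set(), 0
        while i < len(item) and item[i].isalpha():
            code = "Any" if item.startswith("Any", i) else item[i:i + 2]
            i += len(code)
            if code not in DAY_CODES:
                raise ValueError(f"unknown day code {code!r} in Login-Time {spec!r}")
            days |= DAY_CODES[code]
        if not days:
            days = set(range(7))
        rest = item[i:]
        if rest:
            start, end = rest.split("-")
            start_min = int(start[:2]) * 60 + int(start[2:])
            end_min = int(end[:2]) * 60 + int(end[2:])
        else:
            start_min, end_min = 0, 24 * 60
        entries.append((days, start_min, end_min))
    return entries


def session_timeout(spec, now):
    """Return the Session-Timeout (seconds) to send for a login at 'now', or None to reject.

    None means 'now' falls outside every permitted window, i.e. the request should
    get an Access-Reject. Otherwise the value is the time left until the current
    window closes, which the NAS uses to terminate the session.
    """
    second_of_day = now.hour * 3600 + now.minute * 60 + now.second
    best = None
    for days, start, end in parse_login_time(spec):
        if start <= end:
            # Window lies within a single day.
            if now.weekday() not in days or not (start * 60 <= second_of_day < end * 60):
                continue
            left = end * 60 - second_of_day
        elif now.weekday() in days and second_of_day >= start * 60:
            # Wrapping window, evening part on the named day: runs until 'end' tomorrow.
            left = (24 * 60 + end) * 60 - second_of_day
        elif (now.weekday() - 1) % 7 in days and second_of_day < end * 60:
            # Wrapping window, morning part: the named day was yesterday.
            left = end * 60 - second_of_day
        else:
            continue
        best = left if best is None else max(best, left)
    return best


if __name__ == "__main__":
    # Alice's line from the reply above, checked at 17:30 on a Monday (constructed time).
    print(session_timeout("Al0800-1800", datetime(2024, 6, 3, 17, 30)))   # 1800
```

Mapped to the original question: sending Session-Timeout = 20 on its own only tells the NAS how long the session may last; it does not, by itself, make the terminal server enforce it. Generating the value from Login-Time at least guarantees the timeout and the permitted window agree, and a user who reconnects after the window has closed is rejected outright rather than admitted for another interval.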
Cisco 2600 voice IP for FXO interface
Hi all,
Pls help me step by step configuring Voice IP for Cisco 2600 using FXO interface.
Thank you very much.
It all goes by what you want to configure. An FXO interface generally connects with a PBX or the PSTN.
For some config examples using FXO ports, visit
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/inst_nts/acc_gtwy/voice.htm
One more good link on that
http://www.cisco.com/warp/public/788/signalling/fxo_disconnect.html -
Cisco 2600 router with 4A/S module can be terminal server
I have a cisco 2600 router with 4A/S module, can it become the terminal server? If yes, which kind of octal cable should I choose to connect to other cisco routers console ports? Thanks a lot
The commands mean that R1's console is connected using the first RJ-45 cable and is available on port 2001, R2's console is connected using the second RJ-45 cable and is available on port 2002, and so on. Remember that the ports are numbered as 2000 plus the line number. Hence, the first port is 2001. If you have more than eight devices and have connected a second CAB-OCTAL-ASYNC cable, then you need to add a similar configuration line with the port numbers starting from 2009 through 2016.
In your configuration you configured 9 ports. So please add a second cable for another 8 ports.
To connect to the console of a device, telnet to the terminal server router's loopback address and specify the port number associated with the device. For example, to connect to the console of router R1 (from our example) type telnet 192.168.12.1 2001 in the Run dialog box on your PC.
For further information click the below url
http://www.cisco.com/public/technotes/smbsa/en/us/internet/config_cisco_router_term_server.html#trouble -
Hi,
I was unable to access my Cat6509 either from the console port or via telnet, since someone by mistake modified a setting in the switch and now it has become inaccessible. Is there any suggestion for a workaround without losing my current configuration?
By the way, when I connect to the console port through a terminal window nothing is displayed in the terminal (blank).
Hi,
Do you have access to the MSFC?
I don't understand the problem, but this maybe could help you:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a00804ceb07.shtml
HTH
Andrea -
Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505
Problem: user A is unable to access user B.
User A --- router A (122, Fortigate 80C) --- (site-to-site VPN between the Fortigate and the Cisco ASA) --- router B (93, Cisco ASA 5505 {in front of the ASA there is a Cisco 800 [81] before the Internet}) --- User B
After using the wizard to configure the Cisco ASA site-to-site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B.
Ping is successful from user B to user A, and data is accessible.
After running packet tracer from user A to user B:
Result:
Flow-lookup
  Action: allow
  Info: Found no matching flow, creating a new flow
Route-lookup
  Action: allow
  Info: 192.168.5.203 255.255.255.255 identity
Access-list
  Action: drop
  Config: Implicit Rule
Result - The packet is dropped
  Input Interface: inside
  Output Interface: NP Identity Ifc
  Info: (acl-drop) Flow is denied by configured rule
Below is Cisco ASA 5505's show running-config
ASA Version 8.2(1)
hostname Asite
domain-name ssms1.com
enable password ZZZZ encrypted
passwd WWWW encrypted
names
name 82 B-firewall description Singapore office firewall
name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
name 122 A-forti
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.203 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 93 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name ssms1.com
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http B-inside-subnet 255.255.255.0 inside
http fw-inside-subnet 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A-forti
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer B-firewall
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd dns 165 165 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password XXX encrypted privilege 15
tunnel-group 122 type ipsec-l2l
tunnel-group 122 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map outside-policy
description ok
class outside-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum: XXX
: end
Kindly need your expertise and help to solve the problem.
Anyone can help me?
-
Hey guys,
I am unable to access the Cisco ASA device using HTTPS and cannot launch ASDM after a recent power failure at our location. I have ASDM installed on my machine, and whenever I try to access ASDM I receive "Error: unable to launch device manager from X.X.X.X". The following is the log from the Java console:
Trying for ASDM version file; url = https://x.x.x.x/admin/
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
When I try to access it from the browser it shows the error message
"The connection was interrupted"
I am running Cisco ASA 8.3(1)
with asdm image as asdm 7.1.3
JAVA version installed Java 7 update 71
I have added the https:> to the exception site list and set the security level to medium,
even SSH access is not working!!
I would appreciate it if anyone can help me out!!
Thanks
Fareed
Hey lcaruso,
thanks for the information!!
I was able to connect through the console as suggested and regenerated the RSA key; I was able to connect through SSH, but the issue with ASDM or web access was not resolved.
I have tried a few of the steps as suggested on
https://supportforums.cisco.com/document/49741/asa-pixfwsm-unable-manage-unit-sshtelnetasdm#collect_captures
Capture output:
ZHHFP-FIREWALL1(config)# sh cap capin
139 packets captured
1: 18:50:17.654720 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: S 2567327150:2567327150(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
2: 18:50:17.654812 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: S 590825877:590825877(0) ack 2567327151 win 8192 <mss 1380>
3: 18:50:17.655621 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: . ack 590825878 win 65520
4: 18:50:17.656078 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: P 2567327151:2567327332(181) ack 590825878 win 65520
5: 18:50:17.656139 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: . ack 2567327332 win 8192
6: 18:50:17.656475 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: FP 590825878:590825878(0) ack 2567327332 win 8192
7: 18:50:17.657696 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: . ack 590825879 win 65520
8: 18:50:17.657802 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: F 2567327332:2567327332(0) ack 590825879 win 65520
9: 18:50:17.657848 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: . ack 2567327333 win 8192
10: 18:50:17.658108 802.1Q vlan#1 P0 192.168.160.113.58085 > 192.168.160.126.8443: S 1351758892:1351758892(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
I have also downgraded Java to 1.6_45, but still no luck.
Error message I received on the Java console:
Trying for IDM. url=https://x.x.x.x/idm/idm.jnlp/
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
at com.cisco.launcher.w.a(Unknown Source)
at com.cisco.launcher.s.for(Unknown Source)
at com.cisco.launcher.s.new(Unknown Source)
at com.cisco.launcher.s.access$000(Unknown Source)
at com.cisco.launcher.s$2.a(Unknown Source)
at com.cisco.launcher.g$2.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(Unknown Source)
... 15 more
Any help would be highly appreciated!!
Thanks
Fareed -
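The capture Fareed posted already contains the answer to "who hung up": the client completes the TCP handshake, sends 181 bytes (the TLS ClientHello, packet 4), and the ASA acknowledges it and then sends FIN+PSH (packet 6) without ever sending a byte of its own, which is exactly what Java reports as "Remote host closed connection during handshake". The script below is an added example, not code from the thread or from Cisco: it parses "show capture" lines in the format shown above, groups them into flows (the sender of the first packet seen is taken as the client) and classifies each flow by what the server did after the ClientHello. The input reuses the ten lines from the post plus a constructed healthy flow on port 58086 for contrast; the regular expression is written for the line format visible above and is an assumption of this example.

```python
import re

# Packets 1-10 are the lines from the capture posted above; packets 11-14 are a
# constructed healthy flow (server answers the ClientHello with 1448 bytes of data).
CAPTURE = """\
1: 18:50:17.654720 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: S 2567327150:2567327150(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
2: 18:50:17.654812 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: S 590825877:590825877(0) ack 2567327151 win 8192 <mss 1380>
3: 18:50:17.655621 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: . ack 590825878 win 65520
4: 18:50:17.656078 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: P 2567327151:2567327332(181) ack 590825878 win 65520
5: 18:50:17.656139 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: . ack 2567327332 win 8192
6: 18:50:17.656475 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: FP 590825878:590825878(0) ack 2567327332 win 8192
7: 18:50:17.657696 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: . ack 590825879 win 65520
8: 18:50:17.657802 802.1Q vlan#1 P0 192.168.160.113.58084 > 192.168.160.126.8443: F 2567327332:2567327332(0) ack 590825879 win 65520
9: 18:50:17.657848 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58084: . ack 2567327333 win 8192
10: 18:50:17.658108 802.1Q vlan#1 P0 192.168.160.113.58085 > 192.168.160.126.8443: S 1351758892:1351758892(0) win 8192 <mss 1260,nop,wscale 8,nop,nop,sackOK>
11: 18:50:20.000000 802.1Q vlan#1 P0 192.168.160.113.58086 > 192.168.160.126.8443: S 100:100(0) win 8192 <mss 1260>
12: 18:50:20.000100 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58086: S 200:200(0) ack 101 win 8192 <mss 1380>
13: 18:50:20.001000 802.1Q vlan#1 P0 192.168.160.113.58086 > 192.168.160.126.8443: P 101:282(181) ack 201 win 65520
14: 18:50:20.002000 802.1Q vlan#1 P0 192.168.160.126.8443 > 192.168.160.113.58086: P 201:1649(1448) ack 282 win 8192
"""

# "<n>: <time> [802.1Q vlan#x Py] <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<seq>(<len>)] ..."
PKT = re.compile(
    r"^(\d+): (\S+) (?:802\.1Q vlan#\d+ P\d )?"
    r"(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): ([A-Z.]+)(?: \d+:\d+\((\d+)\))?"
)


def parse_capture(text):
    """Turn 'show capture' lines into dicts; lines that do not look like packets are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        num, ts, src, sport, dst, dport, flags, plen = m.groups()
        pkts.append({"num": int(num), "ts": ts, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "flags": flags, "len": int(plen or 0)})
    return pkts


def diagnose_tls_flows(pkts):
    """Classify each flow by the server's behaviour after the client's first data segment.

    Returns {(client_ip, client_port): verdict} with verdict one of
    'server-closed-after-clienthello' (FIN/RST, no data), 'server-replied'
    (at least one data segment, i.e. a ServerHello went out) or 'incomplete'.
    """
    flows = {}
    for p in pkts:
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        key = fwd if fwd in flows else rev if rev in flows else fwd
        flows.setdefault(key, []).append(p)   # first packet seen names the client

    verdicts = {}
    for (client, cport, _server, _sport), plist in flows.items():
        verdict, hello_seen = "incomplete", False
        for p in plist:
            from_client = p["src"] == client and p["sport"] == cport
            if from_client and p["len"] > 0 and not hello_seen:
                hello_seen = True                      # first client payload: ClientHello
            elif hello_seen and not from_client:
                if p["len"] > 0:
                    verdict = "server-replied"
                    break
                if "F" in p["flags"] or "R" in p["flags"]:
                    verdict = "server-closed-after-clienthello"
                    break
        verdicts[(client, cport)] = verdict
    return verdicts


if __name__ == "__main__":
    for (ip, port), verdict in diagnose_tls_flows(parse_capture(CAPTURE)).items():
        print(f"{ip}:{port} -> {verdict}")
```

A flow classified as "server-closed-after-clienthello" means the TCP path is fine and the ASA's HTTPS listener itself is refusing the TLS session, so the next place to look is the device's own SSL state (certificate, key and allowed ciphers) rather than the client's Java version; regenerating the RSA key fixed SSH in this thread because SSH has its own host key, while the ASDM/HTTPS listener does not use it. Run against the sample, port 58084 is the broken flow, 58086 the healthy one, and 58085 (a lone SYN) is incomplete.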
Unable to access Internet from LAN - Cisco ASA 9.1(2)
Hi,
I have a Cisco 5515 with IOS 9.1(2). I had configured an out-to-in rule with 'ssh' and am able to access the Internet server, but the same server is unable to access the Internet. Not sure what I am missing here. Please look into the configuration below and suggest.
10.4.20.2 is the host from which I am trying to access the Internet and it fails, but I am able to 'ssh' to this IP from the Internet.
ASA Version 9.1(2)
interface GigabitEthernet0/0
description OUTSIDE
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface GigabitEthernet0/1
description BACKUP
nameif backup
security-level 0
ip address 2.2.2.2 255.255.255.248
interface GigabitEthernet0/4
description INSIDE
nameif inside
security-level 100
ip address 10.4.20.1 255.255.255.0
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone PT -8
clock summer-time PT recurring
dns domain-lookup outside
object network 2.2.2.4_10.4.20.2
host 10.4.20.2
access-list out2in extended permit icmp any any inactive
access-list in2out extended permit ip 10.4.20.0 255.255.255.0 any
access-list out2in_bkp extended permit icmp any any inactive
access-list out2in_bkp extended permit tcp any object 2.2.2.4_10.4.20.2 eq ssh
pager lines 24
logging enable
logging timestamp
logging standby
logging monitor debugging
logging trap debugging
logging history debugging
logging asdm debugging
mtu outside 1500
mtu backup 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network 2.2.2.4_10.4.20.2
nat (inside,backup) static 2.2.2.4 net-to-net dns
access-group out2in in interface outside
access-group out2in_bkp in interface backup
access-group in2out in interface inside
route outside 0.0.0.0 0.0.0.0 1.1.1.2 10 track 100
route backup 0.0.0.0 0.0.0.0 2.2.2.3 20 track 101
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 backup
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 100
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 100 life forever start-time now
sla monitor 101
type echo protocol ipIcmpEcho 8.8.4.4 interface backup
sla monitor schedule 101 life forever start-time now
service resetoutside
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
track 100 rtr 100 reachability
track 101 rtr 101 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 123.108.225.6 source outside
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
username xyz password ***** encrypted privilege 15
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9b63e3cfc9f98800d2bb3efa34c75906
: end
Hi Anand
Could you please do a packet tracer on the ASA?
packet-tracer input inside icmp 10.20.4.2 8 0 4.2.2.2 detailed
Are you able to ping 4.2.2.2 from the server ?
Please use the following command
"fixup protocol icmp"
And then check whether you are able to ping the Internet.
Regards
Aditya -
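An added example, not from the thread and not a Cisco tool: the Python below parses an excerpt of the posted running-config (trimmed to the lines the checks read) and reports the gaps a reviewer would flag. The only NAT rule is the static one for 10.4.20.2 on the backup interface, so the rest of 10.4.20.0/24 has no translation toward outside, which holds the metric-10 default route, nor toward backup; since 8.3 the ASA forwards such traffic unNATed with its private source address, and nothing on the Internet can answer it. The script also flags ssh and http allowed from 0.0.0.0/0 on both Internet-facing interfaces, the dh-group1-sha1 SSH key exchange and the RC4/3DES entries in the SSL cipher list. FIXED_CONFIG is my assumed remediation (dynamic PAT for the subnet toward each egress interface under hypothetical object names, management restricted to a constructed 192.0.2.0/24 source, dh-group14-sha1, AES-only SSL) and is there only to show the checks go quiet; whether that is what this deployment needs is for packet-tracer on the box, as the reply suggests, to confirm. The inspection policy is not checked.

```python
"""Audit an ASA 8.3+/9.x running-config excerpt for the gaps seen in the post.

Added example, not from the thread and not a Cisco tool. POSTED_CONFIG is an
excerpt of the configuration above, trimmed to the lines the checks read.
FIXED_CONFIG is an assumed remediation (hypothetical object names and a
constructed 192.0.2.0/24 management source) that exists to show the checks
go quiet; it is not something the poster confirmed.
"""
import re

POSTED_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif backup
 security-level 0
interface GigabitEthernet0/4
 nameif inside
 security-level 100
object network 2.2.2.4_10.4.20.2
 host 10.4.20.2
 nat (inside,backup) static 2.2.2.4 net-to-net dns
route outside 0.0.0.0 0.0.0.0 1.1.1.2 10 track 100
route backup 0.0.0.0 0.0.0.0 2.2.2.3 20 track 101
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 backup
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 backup
ssh key-exchange group dh-group1-sha1
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

FIXED_CONFIG = (
    POSTED_CONFIG
    .replace("http 0.0.0.0 0.0.0.0 outside\nhttp 0.0.0.0 0.0.0.0 backup\n"
             "ssh 0.0.0.0 0.0.0.0 outside\nssh 0.0.0.0 0.0.0.0 backup\n",
             "http 192.0.2.0 255.255.255.0 outside\n"
             "ssh 192.0.2.0 255.255.255.0 outside\n")
    .replace("dh-group1-sha1", "dh-group14-sha1")
    .replace("rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1", "aes256-sha1 aes128-sha1")
    + "object network inside-net\n"
      " subnet 10.4.20.0 255.255.255.0\n"
      " nat (inside,outside) dynamic interface\n"
      "object network inside-net-backup\n"
      " subnet 10.4.20.0 255.255.255.0\n"
      " nat (inside,backup) dynamic interface\n"
)

NAMEIF_RE = re.compile(r"^\s*nameif (\w+)")
SECLVL_RE = re.compile(r"^\s*security-level (\d+)")
NAT_RE = re.compile(r"^\s*nat \((\w+),(\w+)\) (static|dynamic)\b")
ROUTE_RE = re.compile(r"^route (\w+) 0\.0\.0\.0 0\.0\.0\.0 \S+(?: (\d+))?")
MGMT_RE = re.compile(r"^(ssh|http) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\w+)$")
KEX_RE = re.compile(r"^ssh key-exchange group (\S+)")
SSL_RE = re.compile(r"^ssl encryption (.+)$")


def parse(config):
    """Collect security levels, NAT rules, default routes, management-access
    lines, the SSH kex group and the SSL cipher list from a config text."""
    facts = {"seclevel": {}, "nat": [], "default_routes": [], "mgmt": [], "kex": None, "ssl": []}
    nameif = obj = None
    for line in config.splitlines():
        if line.startswith("object network "):
            obj = line.split()[-1]                    # object NAT lines follow this
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)                       # security-level line follows this
        elif (m := SECLVL_RE.match(line)) and nameif:
            facts["seclevel"][nameif] = int(m.group(1))
        elif m := NAT_RE.match(line):
            facts["nat"].append((m.group(1), m.group(2), m.group(3), obj))
        elif m := ROUTE_RE.match(line):
            facts["default_routes"].append((m.group(1), int(m.group(2) or 1)))
        elif m := MGMT_RE.match(line):
            facts["mgmt"].append(m.groups())
        elif m := KEX_RE.match(line):
            facts["kex"] = m.group(1)
        elif m := SSL_RE.match(line):
            facts["ssl"] = m.group(1).split()
    return facts


def audit(config):
    """Return a list of finding tags; an empty list means every check passed."""
    f = parse(config)
    findings = []
    inside_ifs = sorted(i for i, lvl in f["seclevel"].items() if lvl == 100)
    # Egress interfaces in default-route preference order (lowest metric first).
    egress_ifs = [i for i, _ in sorted(f["default_routes"], key=lambda r: r[1])]
    for inside in inside_ifs:
        for egress in egress_ifs:
            if not any(r == inside and m == egress and kind == "dynamic"
                       for r, m, kind, _ in f["nat"]):
                findings.append(f"no-dynamic-nat:{inside}->{egress}")
    for proto, net, mask, iface in f["mgmt"]:
        if (net, mask) == ("0.0.0.0", "0.0.0.0") and f["seclevel"].get(iface) == 0:
            findings.append(f"mgmt-open-to-world:{proto}@{iface}")
    if f["kex"] == "dh-group1-sha1":
        findings.append("weak-ssh-kex:dh-group1-sha1")
    findings += [f"weak-ssl-cipher:{c}" for c in f["ssl"]
                 if c.startswith(("rc4", "3des", "des", "null"))]
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or ["clean"])
```

Run it against a full `show running-config` to get the same nine findings on the posted box; only the first two bear on the reported symptom, the rest are exposure of the management plane that should be closed whether or not the NAT change turns out to be the fix.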
I am unable to access my iCloud e-mail account, but am still able to access my AOL account. It says something about an IMAP pathway and a port number; how do I find this?
If the old ID is yours, and if your current ID was created by editing the details of this old ID (rather than being an entirely new ID), go to https://appleid.apple.com, click Manage my Apple ID and sign in with your current iCloud ID. Click edit next to the primary email account, change it back to your old email address and save the change. Then edit the name of the account to change it back to your old email address. You can now use your current password to turn off Find My iDevice, even though it prompts you for the password for your old account ID. Then save any photo stream photos that you wish to keep to your camera roll. When finished go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud). Next, go back to https://appleid.apple.com and change your primary email address and iCloud ID name back to the way it was. Now you can go to Settings>iCloud and sign in with your current iCloud ID and password.
-
How to install 2-port vic3 2fxs/DID and 2-port vic2 fxo on cisco 2801 router
Hello
I'm looking for information on how to install 2 newly purchased cards and keep running into dead links. The cards I bought are for a CISCO-2801-CCME/K9 with PVDM2-8, FL-CCME-25, SP Services 128F/256D Cisco router:
vic3 2fxs/DID and a vic2 2fxo.
I keep finding documents on how to install these cards, but all the links are dead and lead nowhere.
http://www.cisco.com/en/US/docs/routers/access/interfaces/ic/hardware/installation/guide/2port_FXS_DID_VIC.html#wp1065062
The 2 documents i'm looking for are: how to install a 2-port vic2 fxo cards on cisco 2801 router and how to install 2-port vic3 2fxs/DID cards on the same 2801 cisco router.
NOTE: I've never installed these cards and am not sure:
Does my IOS support both of these cards?
And which slots do I install them in on the router?
I have 4 slots like this:
slot 0: This slot only accepts VICs ***This could be used for the vic3 2fxs/DID card, correct?
slot 1: Nothing written here ****What can I install in this slot?
slot 2: This slot only accepts VICs and WICs ***If I buy a WIC and install it here, which other slot can I install my VIC2-2FXO card in?
slot 3: Nothing written here ***What can I install in this slot?
Any chance someone can help me out with this.
Thanks very much
Ok
I was able to figure out what goes where and found out that the IOS I had, c-2801-spservicesk9-mz.124-15.T10.bin with cme-full-4.1.0.2 tar, didn't support the vic3 2fxs/DID card. I then found the one that works, which is c2801-spservicesk9-mz.124-22.YB5.bin. I am now able to see my new hardware interfaces. The question I have now is, since the previous version ran with cme-full-4.1.0.2 tar, I'm not sure if this needs to be changed, since in the compatibility matrix I found this IOS c2801-spservicesk9-mz.124-22.YB5.bin to be compatible with cme-full-7.1.0.0 tar.
Do I need to remove cme-full-4.1.0.2 tar and install the cme-full-7.1.0.0 tar?
If yes, I know how to install the cme-full-7.1.0.0 tar, but how do I remove the other cme-full-4.1.0.2 tar file in order to be able to install the other version?
Thanks -
I have my Apple cinema display connected to my MacBook Air via the Thunderbolt port, but I also want to connect an ethernet cable.
Is there an adaptor that accepts both VGA and ethernet cables at the same time that can be plugged into the Thunderbolt port? -
Unable to enumerate USB device on port 1
I can't use my Newman MP3 player in Arch Linux. I googled, but I still don't know what to do.
uname -a
Linux foolfrog 2.6.28-ARCH #1 SMP PREEMPT Sun Mar 8 10:18:28 UTC 2009 i686 Intel(R) Core(TM)2 Duo CPU T6400 @ 2.00GHz GenuineIntel GNU/Linux
dmesg
HDA Intel 0000:00:1b.0: power state changed by ACPI to D0
HDA Intel 0000:00:1b.0: PCI INT A -> GSI 22 (level, low) -> IRQ 22
HDA Intel 0000:00:1b.0: setting latency timer to 64
usb 2-1: new high speed USB device using ehci_hcd and address 3
usb 2-1: configuration #1 chosen from 1 choice
Initializing USB Mass Storage driver...
scsi4 : SCSI emulation for USB Mass Storage devices
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usb-storage: device found at 3
usb-storage: waiting for device to settle before scanning
scsi 4:0:0:0: Direct-Access Newman Mp3 Player 1.00 PQ: 0 ANSI: 0
sd 4:0:0:0: [sdb] 2013696 512-byte hardware sectors: (1.03 GB/983 MiB)
sd 4:0:0:0: [sdb] Write Protect is off
sd 4:0:0:0: [sdb] Mode Sense: 00 06 00 00
sd 4:0:0:0: [sdb] Assuming drive cache: write through
sd 4:0:0:0: [sdb] 2013696 512-byte hardware sectors: (1.03 GB/983 MiB)
sd 4:0:0:0: [sdb] Write Protect is off
sd 4:0:0:0: [sdb] Mode Sense: 00 06 00 00
sd 4:0:0:0: [sdb] Assuming drive cache: write through
sdb:
sd 4:0:0:0: [sdb] Attached SCSI removable disk
sd 4:0:0:0: Attached scsi generic sg2 type 0
scsi 4:0:0:1: Direct-Access Newman USB SD 1.00 PQ: 0 ANSI: 0 CCS
sd 4:0:0:1: [sdc] Very big device. Trying to use READ CAPACITY(16).
usb 2-1: reset high speed USB device using ehci_hcd and address 3
usb 2-1: reset high speed USB device using ehci_hcd and address 3
sd 4:0:0:0: [sdb] Result: hostbyte=0x07 driverbyte=0x00
end_request: I/O error, dev sdb, sector 0
Buffer I/O error on device sdb, logical block 0
sd 4:0:0:0: [sdb] Result: hostbyte=0x07 driverbyte=0x00
end_request: I/O error, dev sdb, sector 8
Buffer I/O error on device sdb, logical block 1
Buffer I/O error on device sdb, logical block 2
Buffer I/O error on device sdb, logical block 3
sd 4:0:0:1: [sdc] READ CAPACITY(16) failed
sd 4:0:0:1: [sdc] <6>sd 4:0:0:0: [sdb] Result: hostbyte=0x07 driverbyte=0x00
end_request: I/O error, dev sdb, sector 0
Buffer I/O error on device sdb, logical block 0
Result: hostbyte=0x07 driverbyte=0x00
sd 4:0:0:1: [sdc] Use 0xffffffff as device size
sd 4:0:0:1: [sdc] Sector size 0 reported, assuming 512.
sd 4:0:0:1: [sdc] 4294967296 512-byte hardware sectors: (2.19 TB/2.00 TiB)
usb 2-1: USB disconnect, address 3
sd 4:0:0:1: [sdc] Write Protect is off
sd 4:0:0:1: [sdc] Mode Sense: 00 00 00 00
sd 4:0:0:1: [sdc] Assuming drive cache: write through
sd 4:0:0:1: [sdc] READ CAPACITY failed
sd 4:0:0:1: [sdc] Result: hostbyte=0x01 driverbyte=0x00
sd 4:0:0:1: [sdc] Sense not available.
sd 4:0:0:1: [sdc] Write Protect is off
sd 4:0:0:1: [sdc] Mode Sense: 00 00 00 00
sd 4:0:0:1: [sdc] Assuming drive cache: write through
sd 4:0:0:1: [sdc] READ CAPACITY failed
sd 4:0:0:1: [sdc] Result: hostbyte=0x01 driverbyte=0x00
sd 4:0:0:1: [sdc] Sense not available.
sd 4:0:0:1: [sdc] Write Protect is off
sd 4:0:0:1: [sdc] Mode Sense: 00 00 00 00
sd 4:0:0:1: [sdc] Assuming drive cache: write through
sd 4:0:0:1: [sdc] Attached SCSI removable disk
sd 4:0:0:1: Attached scsi generic sg3 type 0
usb-storage: device scan complete
hub 6-0:1.0: unable to enumerate USB device on port 1
I can use my MP3 player in WinXP, but can't use it in Vista, and Ubuntu also can't use it. Could you help me?
I've been having the same problem with a USB stick of mine, the same error: unable to enumerate USB device. I figure explaining my experiences here may help someone else trying to figure this out.
This seems to be hardware related, unfortunately. I don't know if anyone can correct me. I have two laptops, one old, one new. Both use 2.6.29. This one USB stick I have just won't work on the old laptop, regardless of kernel version or distribution. Other USB mass storage devices work.
I suspect that this is a combination of a kernel bug and hardware issues. All Google searches on this error seem to indicate that the only way people fixed this was through replacement hardware.
I know that the USB flash drive I'm using has a hidden second volume on it: a 1GB read-writable volume, and a 4MB volume that is unerasable and includes a PDF document that came with it. This is not a second partition; the OS sees it as a virtual CD-ROM drive. (I got the stick for free at a conference.) I don't know how this is implemented in hardware, but on other systems (Mac/Windows/Linux), a second volume appears after 10 seconds of insertion. I suspect this quirk is what prevents me from using this as a USB boot stick too.
My guess is that the USB device does not follow the specification exactly, and borks on certain OS/hardware combinations. I would call my USB stick broken, and it only manifests itself on some hardware. The Newman MP3 player may be similar, not following the USB specs 100%. As you said, it won't work in Vista either.
Do you have a different USB mass storage device that you can try? Plug in a hard disk, a thumb drive, a different MP3 player, and see if it works right away. It makes me sad when hardware doesn't work on Linux, but sometimes that means a trip to eBay and Newegg. I'm going to be doing that with my thumb drive. -
Radius-Authentication / Cisco 2600 fails MiscError -1642
Hi,
I'm trying to configure BM 3.8 SP3ir3, Radius (NMAS 2.3) to
authenticate a Cisco 2600 against my BM. Under BM 3.7 this
setup is working fine, but now with 3.8 I get the following
error:
Access rejected, Miscellaneous error (-1642)
I've configured the LPO with the following sequences:
NDS acceptable, simple acceptable
A test with NTRADPING:
with CHAP disabled, it works fine (LPO sequence is NDS)
with CHAP enabled, I've got the error above
I tried the simple login sequence also (like a posting
in this newsgroup), but no change.
Hope you can help me, I need CHAP authentication...
From Radius-Debug:
This one works (without CHAP):
[2005-07-28 05:52:43 PM] (->)Cacher:
NWDSReadObjectInfo(das01.radius.bmanager.informatik.kli_pa),
succeeded, time:7
[2005-07-28 05:52:43 PM] 31) [(ip) 172.24.4.2:2642], Received 46 Bytes
(Access-Request (1))
[2005-07-28 05:52:43 PM] [(total=31) (p=30) (d=0) (r=0) (acc=0)
(rej=0)]
[2005-07-28 05:52:43 PM] <2> Done GetNextMessage [(ip)
172.24.4.2:2642]: time:2611012
[2005-07-28 05:52:43 PM] -------- START : (Access-Request (1)) [(ip)
172.24.4.2:2642]: time:640356694---
[2005-07-28 05:52:43 PM] CACHE:
CacheDomainListExist(das01.radius.bmanager.informatik.kli_pa), using cache
[2005-07-28 05:52:43 PM] AuthRequestHandler(), Calling
NewRequestHandler.
[2005-07-28 05:52:43 PM] CACHE:
CacheGetEnableCNLogin(das01.radius.bmanager.informatik.kli_pa), using
cache
[2005-07-28 05:52:43 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
[2005-07-28 05:52:43 PM] CacheFindContext - GetParentDN(userDN)
(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:43 PM] CacheFindContext - tmpContext
(RADIUS.BMANAGER.INFORMATIK.KLI_PA),
contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:43 PM] Handling local authentication request.
[2005-07-28 05:52:43 PM] CACHE:
CacheReadSecretForNASAddress(das01.radius.bmanager.informatik.kli_pa),
using cache
[2005-07-28 05:52:43 PM]
(->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
Access Group) succeeded, time:47
[2005-07-28 05:52:43 PM]
(->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
time:42
[2005-07-28 05:52:43 PM]
(->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
Attr) succeeded, time:45
[2005-07-28 05:52:43 PM] User Name: NAS2-1, User DN:
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
[2005-07-28 05:52:43 PM] (->)NADMAuthRequest()
[2005-07-28 05:52:43 PM]
(->)NADMAuthRequest(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA)
succeeded, time:961
[2005-07-28 05:52:43 PM] (->)Authenticate (0 policy, NDS pswd) (for
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA), succeeded
[2005-07-28 05:52:43 PM]
(->)NDSReadData:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Concurrent
Limit) failed, no such attribute (-603), time:50
[2005-07-28 05:52:43 PM] CACHE:
CacheGetConcurrentLimit(das01.radius.bmanager.informatik.kli_pa),
using cache
[2005-07-28 05:52:43 PM]
User:NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Current Login:0, Login
Limit:-1, succeeded
[2005-07-28 05:52:43 PM] (->)Authentication SUCCEEDED
[2005-07-28 05:52:43 PM] Tag "DIALIN" uses profile
"DIALIN.RADIUS.BMANAGER.INFORMATIK.KLI_PA"
[2005-07-28 05:52:43 PM] FDN:
CN=NAS2-1.OU=RADIUS.OU=BMANAGER.OU=INFORMATIK.O=KLI_PA
[2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
[2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 6
[2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
[2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 7
[2005-07-28 05:52:43 PM] ->Sending Access-Accept (2) [(ip)
172.24.4.2(2642)] count=32
[2005-07-28 05:52:43 PM] ->Inserting into RespQ , code(2) id(7).
[2005-07-28 05:52:43 PM] -------- END : (Access-Request (1)) [(ip)
172.24.4.2:2642]: time:640358122---
This one dont work (chap enabled):
[2005-07-28 05:52:55 PM] 32) [(ip) 172.24.4.2:2647], Received 47 Bytes
(Access-Request (1))
[2005-07-28 05:52:55 PM] [(total=32) (p=31) (d=0) (r=0) (acc=0)
(rej=0)]
[2005-07-28 05:52:55 PM] <4> Done GetNextMessage [(ip)
172.24.4.2:2647]: time:2426593
[2005-07-28 05:52:55 PM] -------- START : (Access-Request (1)) [(ip)
172.24.4.2:2647]: time:640481075---
[2005-07-28 05:52:55 PM] CACHE:
CacheDomainListExist(das01.radius.bmanager.informatik.kli_pa), using cache
[2005-07-28 05:52:55 PM] AuthRequestHandler(), Calling
NewRequestHandler.
[2005-07-28 05:52:55 PM] CACHE:
CacheGetEnableCNLogin(das01.radius.bmanager.informatik.kli_pa), using
cache
[2005-07-28 05:52:55 PM]
(->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
[2005-07-28 05:52:55 PM] CacheFindContext - GetParentDN(userDN)
(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:55 PM] CacheFindContext - tmpContext
(RADIUS.BMANAGER.INFORMATIK.KLI_PA),
contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
[2005-07-28 05:52:55 PM] Handling local authentication request.
[2005-07-28 05:52:55 PM] HandleCHAPRequest(NAS2-1)
[2005-07-28 05:52:55 PM] CACHE:
CacheReadSecretForNASAddress(das01.radius.bmanager.informatik.kli_pa),
using cache
[2005-07-28 05:52:55 PM] CHAP chapCSize: 16
[2005-07-28 05:52:55 PM] [CHAP]User Name: NAS2-1, User DN:
NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
[2005-07-28 05:52:55 PM]
(->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
Access Group) succeeded, time:53
[2005-07-28 05:52:55 PM]
(->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
time:42
[2005-07-28 05:52:55 PM]
(->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
Attr) succeeded, time:44
[2005-07-28 05:52:55 PM] (->)NADMAuthRequest()
[2005-07-28 05:52:59 PM] ->Sending Access-Reject (3) [(ip)
172.24.4.2(2647)] count=20
[2005-07-28 05:52:59 PM] ->Inserting into RespQ , code(3) id(8).
[2005-07-28 05:52:59 PM] -------- END : (Access-Request (1)) [(ip)
172.24.4.2:2647]: time:640512029---
I can't see an error with CHAP enabled...
Regards
Guenther
I'm having the same problem. radping works with CHAP and simple passwords
but gives the -1642 error when I'm authenticating from my Cisco VPN router.
BTW, I had everything working for YEARS with nds passwords and earlier
versions of bordermanager. BM 3.8 broke it.
Thanks
David
> Hi Jake,
>
> yes, it's a Cisco issue. For downloading dynamic routes with
> RADIUS you need the Cisco default password called "cisco". Strange
> and a big security leak....
>
> The authentication with ppp-user and chap / simple password
> works fine now.
>
> Regards
> Guenther
>
> Jake Speed schrieb:
> > Hi,
> > yes it's working fine!
> > Working with a 3640, and 8 BRI/40 async interfaces. With CHAP enabled,
> > and simple password used.
> > Seems to be a problem on the Cisco side, so if radping works NW Radius
> > and the objects are ok.
> >
> > by
> > Jake
> >
> > Guenther Rasch wrote:
> >
> >> Hi Craig,
> >>
> >> I don't know why, but now CHAP works with ntradping.exe
> >> - Cisco router still doesn't work. I've configured
> >> "simple password" in the lp-object...
> >>
> >> Does anyone have a working configuration nmas radius /
> >> cisco nas-router?
> >>
> >> Regards
> >> Guenther
> >>
> >> Craig Johnson schrieb:
> >>
> >>> In article <Yg0He.13962$[email protected]>,
> >>> Guenther Rasch wrote:
> >>>
> >>>> is it possible in BM 3.8? Which password / login sequence do I need to
> >>>> get CHAP working?
> >>>>
> >>>
> >>> As far as I know, you cannot make CHAP work against an NDS password,
> >>> in any version of Novell RADIUS.
> >>> I don't really know about getting the dial access system password
> >>> working in 3.8 (NMAS) RADIUS. I would assume there would be a login
> >>> policy object rule for it.
> >>>
> >>> Craig Johnson
> >>> Novell Support Connection SysOp
> >>> *** For a current patch list, tips, handy files and books on
> >>> BorderManager, go to http://www.craigjconsulting.com ***
> >>>
> >>>
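Craig Johnson's point above (CHAP cannot be checked against an NDS password) comes down to what the RADIUS server must hold. CHAP makes the server recompute MD5(Identifier || password || challenge) itself, so a server that keeps only a one-way hash has nothing to compute with, whereas PAP just compares whatever the user sent against that hash, which is why the NDS sequence works with CHAP disabled. The Python below is an added example, not part of the thread and not Novell or Cisco code. It builds the RFC 2865 Access-Request a NAS sends (User-Name, CHAP-Password, optional CHAP-Challenge; without the latter the 16-byte Request Authenticator is the challenge, which is the "chapCSize: 16" in the debug above), verifies it on a server that has the cleartext, and shows the same packet rejected by a server that has only a hash. The user, password, fixed authenticator and the two password stores are constructed test data.

```python
"""CHAP over RADIUS: what the NAS sends, how a server checks it, and why a
server holding only a one-way password hash cannot check it at all.

Added example, not part of the thread and not Novell or Cisco code. Packet
layout follows RFC 2865 (User-Name 1, CHAP-Password 3, CHAP-Challenge 60);
the response follows RFC 1994. When no CHAP-Challenge attribute is present
the 16-byte Request Authenticator is the challenge (RFC 2865 section 5.3).
User, password, authenticator and the two password stores are constructed.
"""
import hashlib
import hmac
import struct

USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def chap_response(ident, password, challenge):
    """RFC 1994 section 4.1: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def encode_packet(code, pkt_id, authenticator, attrs):
    """RFC 2865 header (code, id, length, 16-byte authenticator) plus TLVs."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, pkt_id, 20 + len(body)) + authenticator + body


def decode_packet(data):
    code, pkt_id, length = struct.unpack("!BBH", data[:4])
    authenticator, attrs, pos = data[4:20], [], 20
    while pos < length:
        t, ln = data[pos], data[pos + 1]
        attrs.append((t, data[pos + 2:pos + ln]))
        pos += ln
    return code, pkt_id, authenticator, attrs


def nas_access_request(user, password, pkt_id, ident, authenticator, challenge=None):
    """Peer-plus-NAS side. In PPP the peer computes the response from its own
    password and the NAS only relays it together with the challenge; both
    steps are collapsed here because the demo plays both roles."""
    attrs = [(USER_NAME, user)]
    if challenge is not None:
        attrs.append((CHAP_CHALLENGE, challenge))
    chal = challenge if challenge is not None else authenticator
    attrs.append((CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, chal)))
    return encode_packet(ACCESS_REQUEST, pkt_id, authenticator, attrs)


def server_handle(data, cleartext_lookup):
    """RADIUS server side. cleartext_lookup(user) must return the cleartext
    password: the server recomputes the MD5 itself, so a store that only
    keeps a one-way hash (an NDS password) cannot answer a CHAP request."""
    code, pkt_id, authenticator, attrs = decode_packet(data)
    a = dict(attrs)
    user, chap = a.get(USER_NAME), a.get(CHAP_PASSWORD)
    if code != ACCESS_REQUEST or user is None or chap is None or len(chap) != 17:
        return ACCESS_REJECT, "malformed"
    password = cleartext_lookup(user)
    if password is None:
        return ACCESS_REJECT, "no cleartext password available for CHAP"
    expected = chap_response(chap[0], password, a.get(CHAP_CHALLENGE, authenticator))
    if hmac.compare_digest(expected, chap[1:]):
        return ACCESS_ACCEPT, "ok"
    return ACCESS_REJECT, "bad response"


# Constructed test data, not taken from the thread's debug output.
USER, PASSWORD = b"NAS2-1", b"dialin-secret"
AUTHENTICATOR = bytes(range(16))        # a real NAS uses 16 random bytes per request
CLEARTEXT_STORE = {USER: PASSWORD}      # reversible store: CHAP is possible
HASH_STORE = {USER: hashlib.sha256(PASSWORD).hexdigest()}   # one-way, like NDS


def hash_store_lookup(user):
    """The one-way store cannot return a cleartext, whatever the user is."""
    return None


def hash_store_verify_pap(user, submitted):
    """PAP-style check against the same one-way store: this does work."""
    return HASH_STORE.get(user) == hashlib.sha256(submitted).hexdigest()


def demo():
    req = nas_access_request(USER, PASSWORD, pkt_id=8, ident=0x2A, authenticator=AUTHENTICATOR)
    return (server_handle(req, CLEARTEXT_STORE.get),  # (2, 'ok')
            server_handle(req, hash_store_lookup),    # (3, 'no cleartext password ...')
            hash_store_verify_pap(USER, PASSWORD))    # True


if __name__ == "__main__":
    print(demo())
```

The debug output above only shows NADMAuthRequest() returning nothing in the CHAP case, so the log does not prove that -1642 is exactly this failure; what the code does show is the property any RADIUS backend needs before CHAP can succeed, which is the constraint the replies describe.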