Extending SAN&LAN over dark fiber (DWDM)?
Hi, sorry for my English, but I hope you understand me, and I understand your answers:)
We are in the process of adding new data center (DC2), which will be geographically located about 20 km from our existing data center (DC1). Between them laid dark fiber (two fibers). We need a solution for the LAN(layer 2) and SAN(native FC) extension ...
Solution is to see me use two passive EWDM-MUX8 at both ends of dark fiber with DWDM transceivers on the equipment in the DC1 & DC2.
For Ethernet, we propose to use Cisco 10GBASE DWDM X2 Modules (p/n:DWDM-X2-xx.xx =) - equipment at both ends supports these modules.
For FC we propose to use DWDM SFP Modules for Cisco ONS Family (p/n:ONS-SC-4G-xx.x =).
SAN equipment at both ends - Cisco MDS 9124 (p/n:DS-C9124AP-K9).
But I'm not entirely sure of the correctness of this decision, especially in SAN extension.
Is this workable solution?
Does the Cisco MDS 9124 supports this transceivers (ONS-SC-4G-xx.x=)?
There are other potential pitfalls are not visible to me?
In advance, thanks for the advice.
For ethernet, your decision is correct.
For SAN, things get a little dicey. The MDS 9124 doesn't support the ONS transcievers, and the FC 4G LH transciever is limited in distance to about 10 km.
If it were me, I would do things a little differently. I would put a Nexus 5000 series at each end of your dark fiber, with a 20 GB etherchannel trunk between them. Each nexus would then be connected to your data center ethernet network via 10 gig ethernet, and to your MDS's via 2/4/8 gig FC. The nexus could then be set up such that FC traffic destined for the other end will be encapsulated in ethernet, sent over the link, unencapsulated at the other end, and sent to the appropriate FC host.
It's relatively easy, simple to operate, and no mucking around with DWDM/CWDM, which can be a very complex animal.
Similar Messages
-
MACSec over dark fiber - transceiver module option?
Dear all,
Want to order two WS-C3750X-24T-S with service modules C3KX-SM-10G in order to implement MACSec between two datacenters using dark fiber (one fiber). Distance between datacenters is about 17 Km.
Can I use GLC-EX-SMD module on both location?
Thanks in advance,Hi Marvin,
Thanks for the response,
Actually I'm little bit confused because ISP fiber engineer explain to me that since there is single fiber optic between two datacenters he suggest me to use GLC-BX40-D-I in one side and GLC-BX40-U-I in other side. This is because GLC-BX40-D-I 1550nm for TX and 1310 for RX and viceversa for GLC-BX40-U-I. In other hand GLC-EX-SMD operates only on range 1310nm and this module will be installed in both sides.
Based on cisco docs GLC-BX40-D-I and GLC-BX40-U-I not supported in 3750X.
I just want to be sure if it will work for sure in my environment?
BR
Enis -
Extending POTS over a fiber mux
Guys,
I know this is probably way below what the ONS product line can do, but I have the need to extend some POTS lines over fiber and am thinking some TDM/DWDM method would be the cheapest (rather than routers doing dial-peers between FXOs/FXSs. Are there any Cisco products that could do this down-and-dirty?
Thanks,
Mike.For ethernet, your decision is correct.
For SAN, things get a little dicey. The MDS 9124 doesn't support the ONS transcievers, and the FC 4G LH transciever is limited in distance to about 10 km.
If it were me, I would do things a little differently. I would put a Nexus 5000 series at each end of your dark fiber, with a 20 GB etherchannel trunk between them. Each nexus would then be connected to your data center ethernet network via 10 gig ethernet, and to your MDS's via 2/4/8 gig FC. The nexus could then be set up such that FC traffic destined for the other end will be encapsulated in ethernet, sent over the link, unencapsulated at the other end, and sent to the appropriate FC host.
It's relatively easy, simple to operate, and no mucking around with DWDM/CWDM, which can be a very complex animal. -
What Gear do i need to enable WDM (DWDM) on a Dark Fiber?
We have Dark Fiber between 2 DCs and would like to enable WDM on it. What Cisco Optical Gear do i need for this? We would also link to enable Encryption on this link as well. TIA
You can do "simple" CWDM with the Cisco WDM series of CWDM Passive devices. Those can support 4 or 8 channels.
They depend on you "feeding" them signals from special transceiver models that modulate the light on a wavelength compliant with the ITU-50GHz channels listed in the DWDM SFP+ data sheet Leo mentioned and linked to.
The compatibility matrix tells you what Cisco gear is compatible with those transceivers. If you're using other 3rd party gear, they have equivalent support matrices. The bottom line is you need to match wavelengths to what the mux is expecting.
If you move up to the ONS 15454 line you have more flexibility - transponder cards etc that will transform standard SFP+ (1550 nm 10 Gbps signalling on fiber) to the ITU channels etc. You're talking serious money there though - hundreds of thousands of US$. Cisco will be happy to send a sales engineer over and build a nice detailed bill of materials if that's in your budget. -
Connecting two CRS-4 over 110Km lenght dark-fiber
I wonder if I want connect two CRS-4 over 110Km lenght and get 40G of througput whitout ONS 15454 MSTP DWDM infrastructure.
I am looking for lowering the cost for a two cities point-to-point carrier class connection with high throughput.
TIAThank you for the reply.
As long as I can understand for it, it is possible to interconnect two CRS-4 by mean a dark-fiber without a DWDM transport system, if the distance and fiber parameters limits are meeted.
In the 1-Port OC-768C/STM-256C Tunable WDMPOS datasheet I can read that the targeted distance is 1000km for DWDM Line Interface, and 80 or 100Km for Single-channel optical link (without DWDM).
This would mean that a DWDM platform is needed to get the 1000km length?
What about the throughput when it is connected in single-chanel mode?
http://www.cisco.com/en/US/prod/collateral/routers/ps5763/product_data_sheet0900aecd80395bbe.html
I appreciate so much your attention.
Gustavo Espitia -
Unable to Access Remote LAN over IPSec VPN
I have a Cisco ASA 5540 setup with Remote Access VPN for users. Suddenly no one can access the remote LAN over VPN. Below is my config:
ASA Version 7.0(8)
hostname DC2ASA
domain-name yorktel.com
enable password d2XdVlFOzleWlH1j encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
interface GigabitEthernet0/0
description outside/savvis
nameif outside
security-level 0
ip address 216.33.198.4 255.255.255.0 standby 216.33.198.5
interface GigabitEthernet0/1
description inside
nameif inside
security-level 100
ip address 10.203.204.1 255.255.254.0 standby 10.203.204.2
interface GigabitEthernet0/2
nameif insidesan
security-level 100
ip address 10.203.206.1 255.255.254.0 standby 10.203.206.2
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group service FileMaker tcp-udp
port-object range 16000 16001
access-list outside-in extended permit ip 65.123.204.0 255.255.254.0 216.33.198.0 255.255.255.0 log
access-list outside-in extended permit ip 216.33.198.0 255.255.255.0 216.33.198.0 255.255.255.0 log
access-list outside-in extended permit icmp 216.33.198.0 255.255.255.0 216.33.198.0 255.255.255.0 log
access-list outside-in extended permit icmp any any
access-list outside-in extended permit icmp any any echo
access-list outside-in extended permit ip any host 216.33.198.22 inactive
access-list outside-in extended permit tcp any host 216.33.198.19
access-list outside-in extended permit udp any host 216.33.198.19
access-list outside-in extended permit ip any host 216.33.198.19
access-list outside-in extended permit tcp any host 216.33.198.10 eq 3389
access-list outside-in extended permit tcp any host 216.33.198.10 eq ftp inactive
access-list outside-in extended permit tcp any host 216.33.198.10 eq ftp-data inactive
access-list outside-in extended permit tcp any host 216.33.198.10 eq ssh inactive
access-list outside-in extended permit tcp any host 216.33.198.19 eq www
access-list outside-in extended permit tcp any host 216.33.198.19 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.19 eq https
access-list outside-in extended permit tcp any host 216.33.198.19 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.19 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.19 eq smtp
access-list outside-in extended permit tcp any host 216.33.198.19 eq pop3
access-list outside-in extended permit tcp any host 216.33.198.19 eq 587
access-list outside-in extended permit tcp any host 216.33.198.16 eq www
access-list outside-in extended permit tcp any host 216.33.198.16 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.16 eq https
access-list outside-in extended permit tcp any host 216.33.198.16 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.16 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.16 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.16 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.16 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.16 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.38 eq www
access-list outside-in extended permit tcp any host 216.33.198.38 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.38 eq https
access-list outside-in extended permit tcp any host 216.33.198.38 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.38 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.38 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.38 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.38 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.38 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.25 eq www
access-list outside-in extended permit tcp any host 216.33.198.25 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.25 eq https
access-list outside-in extended permit tcp any host 216.33.198.25 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.25 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.25 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.25 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.25 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.25 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.22 eq www
access-list outside-in extended permit tcp any host 216.33.198.22 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.22 eq https
access-list outside-in extended permit tcp any host 216.33.198.22 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.22 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.22 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.22 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.22 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.22 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.17 eq www
access-list outside-in extended permit tcp any host 216.33.198.17 eq rtsp
access-list outside-in extended permit udp any host 216.33.198.17 eq 5005
access-list outside-in extended permit tcp any host 216.33.198.17 eq 1755
access-list outside-in extended permit udp any host 216.33.198.17 eq 1755
access-list outside-in extended permit tcp any host 216.33.198.17 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.17 eq https
access-list outside-in extended permit tcp any host 216.33.198.17 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.17 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.17 eq 989
access-list outside-in extended permit tcp any host 216.33.198.17 eq 990
access-list outside-in extended permit tcp any host 216.33.198.24 eq www
access-list outside-in extended permit tcp any host 216.33.198.24 eq rtsp
access-list outside-in extended permit udp any host 216.33.198.24 eq 5005
access-list outside-in extended permit tcp any host 216.33.198.24 eq 1755
access-list outside-in extended permit udp any host 216.33.198.24 eq 1755
access-list outside-in extended permit udp any host 216.33.198.24
access-list outside-in extended permit tcp any host 216.33.198.24 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.24 eq https
access-list outside-in extended permit tcp 209.67.5.96 255.255.255.224 any inactive
access-list outside-in extended permit udp 209.67.5.96 255.255.255.224 any inactive
access-list outside-in extended permit udp any host 216.33.198.17 inactive
access-list outside-in extended permit tcp any host 216.33.198.18 eq 1433
access-list outside-in extended permit tcp any host 216.33.198.18 eq 1434
access-list outside-in extended permit tcp any host 216.33.198.100 eq www
access-list outside-in extended permit tcp any host 216.33.198.101 eq www
access-list outside-in extended permit tcp any host 216.33.198.102 eq www
access-list outside-in extended permit tcp any host 216.33.198.103 eq www
access-list outside-in extended permit tcp any host 216.33.198.104 eq www
access-list outside-in extended permit tcp any host 216.33.198.105 eq www
access-list outside-in extended permit tcp any host 216.33.198.106 eq www
access-list outside-in extended permit tcp any host 216.33.198.107 eq www
access-list outside-in extended permit tcp any host 216.33.198.108 eq www
access-list outside-in extended permit tcp any host 216.33.198.109 eq www
access-list outside-in extended permit tcp any host 216.33.198.110 eq www
access-list outside-in extended permit tcp any host 216.33.198.100 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.101 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.102 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.103 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.104 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.105 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.106 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.107 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.108 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.109 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.110 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.100 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.101 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.102 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.103 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.104 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.105 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.106 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.107 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.108 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.109 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.110 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.100 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.101 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.102 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.103 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.104 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.105 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.106 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.107 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.108 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.109 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.110 eq ftp-data
access-list outside-in extended permit tcp host 12.71.134.4 any
access-list outside-in extended permit udp host 12.71.134.4 any
access-list outside-in remark Allow Mark to access remote desktop from home office.
access-list outside-in extended permit tcp host 96.255.220.240 any
access-list outside-in remark Allow Mark to access remote desktop from home office.
access-list outside-in extended permit udp host 96.255.220.240 any
access-list outside-in extended permit tcp host 67.81.54.83 any
access-list outside-in remark Allow Chris to access remote desktop from home office.
access-list outside-in extended permit tcp host 100.1.41.196 any
access-list outside-in remark Allow Chris to access remote desktop from home office.
access-list outside-in extended permit udp host 100.1.41.196 any
access-list outside-in extended permit udp host 67.81.54.83 any
access-list outside-in remark Allow Jim Johnstone to remote in from home office.
access-list outside-in extended permit tcp host 96.225.44.46 any
access-list outside-in remark Allow Jim Johnstone to remote in from home office.
access-list outside-in extended permit udp host 96.225.44.46 any
access-list outside-in extended permit tcp host 64.19.183.67 any
access-list outside-in extended permit udp host 64.19.183.67 any
access-list outside-in remark Allow Steve Fisher to remote in from home office.
access-list outside-in extended permit tcp host 173.67.0.16 any
access-list outside-in remark Allow Steve Fisher to remote in from home office.
access-list outside-in extended permit udp host 173.67.0.16 any
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.20 eq 3389
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.20 eq ftp-data
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.20 eq ftp
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.20 eq www
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.20 eq https
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.20 inactive
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit udp any host 216.33.198.20 inactive
access-list outside-in remark Allow remote desktop connections to remote.yorkcast.com
access-list outside-in extended permit ip any host 216.33.198.20 inactive
access-list outside-in remark Allow remote desktop connections to ftp.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.19 eq 3389 inactive
access-list outside-in remark Allow remote desktop connections to BMS-TV
access-list outside-in extended permit tcp any host 216.33.198.21 eq 3389
access-list outside-in remark Allow remote desktop connections to BMS-TV
access-list outside-in extended permit tcp any host 216.33.198.21 eq www
access-list outside-in remark Allow remote desktop connections to BMS-TV
access-list outside-in extended permit tcp any host 216.33.198.21 eq https
access-list outside-in extended permit tcp any host 216.33.198.21 eq 8080
access-list outside-in remark Allow remote desktop connections to BMS-TV
access-list outside-in extended permit tcp any host 216.33.198.21 eq ftp
access-list outside-in remark Allow remote desktop connections to BMS-TV
access-list outside-in extended permit tcp any host 216.33.198.21 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.19 eq 3306
access-list outside-in extended permit udp any host 216.33.198.19 eq 3306
access-list outside-in remark Allow remote desktop connections to ftp.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.23 eq 3389
access-list outside-in remark Allow remote desktop connections to ftp.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.23 eq ftp
access-list outside-in remark Allow remote desktop connections to ftp.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.23 eq www
access-list outside-in remark Allow remote desktop connections to ftp.yorkcast.com
access-list outside-in extended permit tcp any host 216.33.198.23 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.18 eq 3389 inactive
access-list outside-in extended permit tcp any host 216.33.198.17 inactive
access-list outside-in extended permit ip any host 216.33.198.17 inactive
access-list outside-in extended permit tcp any host 216.33.198.18 inactive
access-list outside-in extended permit udp any host 216.33.198.17 eq 554
access-list outside-in extended permit udp any host 216.33.198.24 eq 554
access-list outside-in remark Allow any access from Treasury
access-list outside-in extended permit tcp host 64.241.196.50 any
access-list outside-in remark Allow any access from Treasury
access-list outside-in extended permit udp host 64.241.196.50 any
access-list outside-in remark Allow any access from Treasury
access-list outside-in extended permit ip host 64.241.196.50 any
access-list outside-in extended permit tcp any host 216.33.198.26 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.26 eq www
access-list outside-in extended permit tcp any host 216.33.198.26 eq https
access-list outside-in extended permit tcp any host 216.33.198.27 eq https
access-list outside-in extended permit tcp any host 216.33.198.27 eq www
access-list outside-in extended permit tcp any host 216.33.198.27 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.27 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.27 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.27 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.27 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.27 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.27 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.26 eq ftp inactive
access-list outside-in extended permit tcp any host 216.33.198.26 eq ssh inactive
access-list outside-in extended permit tcp any host 216.33.198.28 eq 81
access-list outside-in extended permit tcp any host 216.33.198.28 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.28 eq www
access-list outside-in extended permit tcp any host 216.33.198.28 eq ssh
access-list outside-in extended permit tcp any host 216.33.198.29 eq www
access-list outside-in extended permit tcp any host 216.33.198.28 eq 3389
access-list outside-in extended permit tcp any host 216.33.198.29 eq ssh
access-list outside-in extended permit tcp any host 216.33.198.30 eq ssh
access-list outside-in extended permit tcp any host 216.33.198.31 eq ssh
access-list outside-in extended permit tcp any host 216.33.198.20 object-group FileMaker
access-list outside-in extended permit tcp any host 216.33.198.20 eq 5003
access-list outside-in extended permit udp any host 216.33.198.20 eq 5003
access-list outside-in extended permit tcp any host 216.33.198.33 eq www
access-list outside-in extended permit tcp any host 216.33.198.33 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.33 eq https
access-list outside-in extended permit tcp any host 216.33.198.33 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.33 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.33 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.33 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.33 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.33 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.34 eq www
access-list outside-in extended permit tcp any host 216.33.198.34 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.34 eq https
access-list outside-in extended permit tcp any host 216.33.198.34 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.34 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.34 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.34 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.34 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.34 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.36 eq www
access-list outside-in extended permit tcp any host 216.33.198.36 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.36 eq https
access-list outside-in extended permit tcp any host 216.33.198.36 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.36 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.36 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.36 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.36 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.36 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.37 eq www
access-list outside-in extended permit tcp any host 216.33.198.37 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.37 eq https
access-list outside-in extended permit tcp any host 216.33.198.37 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.37 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.37 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.37 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.37 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.37 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.39 eq www
access-list outside-in extended permit tcp any host 216.33.198.39 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.39 eq https
access-list outside-in extended permit tcp any host 216.33.198.39 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.39 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.39 eq 8094
access-list outside-in extended permit tcp any host 216.33.198.39 eq 8096
access-list outside-in extended permit tcp any host 216.33.198.39 eq 8097
access-list outside-in extended permit tcp any host 216.33.198.39 eq 8090
access-list outside-in extended permit tcp any host 216.33.198.41 eq 3389
access-list outside-in extended permit tcp any host 216.33.198.41 eq www
access-list outside-in extended permit tcp any host 216.33.198.41 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.41 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.41 eq https
access-list outside-in extended permit tcp any host 216.33.198.41 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.42 eq 3389
access-list outside-in extended permit tcp any host 216.33.198.42 eq www
access-list outside-in extended permit tcp any host 216.33.198.42 eq https
access-list outside-in extended permit tcp any host 216.33.198.42 eq ftp
access-list outside-in extended permit tcp any host 216.33.198.42 eq ftp-data
access-list outside-in extended permit tcp any host 216.33.198.42 eq 8080
access-list outside-in extended permit tcp any host 216.33.198.28
access-list inside-out extended permit tcp any host 216.33.198.17 eq rtsp
access-list inside-out extended permit udp any host 216.33.198.17 eq 5004
access-list inside-out extended permit udp any host 216.33.198.17 eq 5005
access-list inside-out extended permit tcp any host 216.33.198.17 eq 1755
access-list inside-out extended permit udp any host 216.33.198.17 eq 1755
access-list rtsp-acl extended deny tcp any host 216.33.198.17 eq rtsp
access-list rtsp-acl extended permit tcp any any eq rtsp
access-list inside_nat0_outbound extended permit ip 10.203.204.0 255.255.255.0 10.203.204.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip any 10.203.204.48 255.255.255.240
access-list inside_nat0_outbound extended permit ip any 10.203.204.0 255.255.255.192
access-list inside_nat0_outbound extended permit ip host 10.203.204.19 10.203.204.32 255.255.255.224
access-list inside_nat0_outbound extended permit ip 10.203.204.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.203.204.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.203.204.144 255.255.255.240
access-list inside_nat0_outbound extended permit ip host 216.33.198.33 165.89.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip host 216.33.198.19 165.89.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip host 216.33.198.17 165.89.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip host 216.33.198.24 165.89.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip host 216.33.198.20 any inactive
access-list inside_nat0_outbound extended permit ip 216.33.198.0 255.255.255.0 165.89.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip any 10.203.204.48 255.255.255.248
access-list inside_nat0_outbound extended permit ip any 216.33.198.56 255.255.255.248
access-list dc2vpn_splitTunnelAcl standard permit 10.203.204.0 255.255.255.0
access-list dc2vpn_splitTunnelAcl standard permit 192.168.250.0 255.255.255.0
access-list dc2vpn_splitTunnelAcl standard permit 192.168.252.0 255.255.255.0
access-list dc2vpn_splitTunnelAcl standard permit any
access-list outside_map standard permit any
access-list Split_Tunnel_List standard permit 10.203.204.0 255.255.255.0
access-list test_splitTunnelAcl standard permit any
access-list outside_access_out extended permit tcp any host 12.71.134.75 inactive
access-list outside_in extended permit tcp host 12.71.134.75 any eq smtp
access-list outside_nat0_inbound extended permit ip host 216.33.198.21 host 165.89.130.31
access-list outside_nat0_inbound extended permit ip host 216.33.198.21 host 165.89.18.102
access-list outside_nat0_inbound extended permit ip host 216.33.198.21 host 165.89.18.103
access-list outside_nat0_inbound extended permit ip host 216.33.198.21 host 165.89.18.104
access-list outside_nat0_inbound extended permit ip 216.33.198.0 255.255.255.0 165.89.0.0 255.255.0.0
access-list outside_cryptomap_80 extended permit ip 10.203.204.0 255.255.255.0 192.168.250.0 255.255.255.0
access-list outside_cryptomap_60 extended deny ip host 216.33.198.33 165.89.0.0 255.255.0.0
access-list outside_cryptomap_60 extended deny ip host 216.33.198.19 165.89.0.0 255.255.0.0
access-list outside_cryptomap_60 extended deny ip host 216.33.198.17 165.89.0.0 255.255.0.0
access-list outside_cryptomap_60 extended deny ip host 216.33.198.24 165.89.0.0 255.255.0.0
access-list outside_cryptomap_60 extended permit ip 216.33.198.0 255.255.255.0 165.89.0.0 255.255.0.0
access-list outside_cryptomap_100 extended permit ip 10.203.204.0 255.255.255.0 192.168.252.0 255.255.255.0
access-list dc2vpntest_splitTunnelAcl standard permit 10.203.204.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
logging ftp-bufferwrap
logging ftp-server 10.203.204.10 logs asa ****
mtu outside 1500
mtu inside 1500
mtu insidesan 1500
mtu management 1500
ip local pool vpnpool 10.203.204.60-10.203.204.65 mask 255.255.255.0
failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/3
failover polltime unit msec 999 holdtime 3
failover polltime interface 5
failover link failover GigabitEthernet0/3
failover interface ip failover 172.16.100.1 255.255.255.252 standby 172.16.100.2
monitor-interface outside
monitor-interface inside
monitor-interface insidesan
no monitor-interface management
icmp permit 65.123.204.0 255.255.254.0 outside
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
nat-control
nat (outside) 0 access-list outside_nat0_inbound outside
nat (inside) 0 access-list inside_nat0_outbound
static (inside,outside) 216.33.198.10 10.203.204.10 netmask 255.255.255.255
static (inside,outside) 216.33.198.11 10.203.204.11 netmask 255.255.255.255
static (inside,outside) 216.33.198.12 10.203.204.12 netmask 255.255.255.255
static (inside,outside) 216.33.198.13 10.203.204.13 netmask 255.255.255.255
static (inside,outside) 216.33.198.14 10.203.204.14 netmask 255.255.255.255
static (inside,outside) 216.33.198.15 10.203.204.15 netmask 255.255.255.255
static (inside,outside) 216.33.198.16 10.203.204.16 netmask 255.255.255.255
static (inside,outside) 216.33.198.17 10.203.204.17 netmask 255.255.255.255
static (inside,outside) 216.33.198.18 10.203.204.18 netmask 255.255.255.255
static (inside,outside) 216.33.198.19 10.203.204.19 netmask 255.255.255.255
static (inside,outside) 216.33.198.20 10.203.204.20 netmask 255.255.255.255
static (inside,outside) 216.33.198.21 10.203.204.21 netmask 255.255.255.255
static (inside,outside) 216.33.198.22 10.203.204.22 netmask 255.255.255.255
static (inside,outside) 216.33.198.23 10.203.204.23 netmask 255.255.255.255
static (inside,outside) 216.33.198.24 10.203.204.24 netmask 255.255.255.255
static (inside,outside) 216.33.198.25 10.203.204.25 netmask 255.255.255.255
static (inside,outside) 216.33.198.26 10.203.204.26 netmask 255.255.255.255
static (inside,outside) 216.33.198.27 10.203.204.27 netmask 255.255.255.255
static (inside,outside) 216.33.198.28 10.203.204.28 netmask 255.255.255.255
static (inside,outside) 216.33.198.29 10.203.204.29 netmask 255.255.255.255
static (inside,outside) 216.33.198.30 10.203.204.30 netmask 255.255.255.255
static (inside,outside) 216.33.198.31 10.203.204.31 netmask 255.255.255.255
static (inside,outside) 216.33.198.32 10.203.204.32 netmask 255.255.255.255
static (inside,outside) 216.33.198.33 10.203.204.33 netmask 255.255.255.255
static (inside,outside) 216.33.198.34 10.203.204.34 netmask 255.255.255.255
static (inside,outside) 216.33.198.35 10.203.204.35 netmask 255.255.255.255
static (inside,outside) 216.33.198.36 10.203.204.36 netmask 255.255.255.255
static (inside,outside) 216.33.198.37 10.203.204.37 netmask 255.255.255.255
static (inside,outside) 216.33.198.38 10.203.204.38 netmask 255.255.255.255
static (inside,outside) 216.33.198.39 10.203.204.39 netmask 255.255.255.255
static (inside,outside) 216.33.198.40 10.203.204.40 netmask 255.255.255.255
static (inside,outside) 216.33.198.41 10.203.204.41 netmask 255.255.255.255
static (inside,outside) 216.33.198.42 10.203.204.42 netmask 255.255.255.255
static (inside,outside) 216.33.198.43 10.203.204.43 netmask 255.255.255.255
static (inside,outside) 216.33.198.44 10.203.204.44 netmask 255.255.255.255
static (inside,outside) 216.33.198.45 10.203.204.45 netmask 255.255.255.255
static (inside,outside) 216.33.198.46 10.203.204.46 netmask 255.255.255.255
static (inside,outside) 216.33.198.47 10.203.204.47 netmask 255.255.255.255
static (inside,outside) 216.33.198.48 10.203.204.48 netmask 255.255.255.255
static (inside,outside) 216.33.198.49 10.203.204.49 netmask 255.255.255.255
static (inside,outside) 216.33.198.50 10.203.204.50 netmask 255.255.255.255
static (inside,outside) 216.33.198.51 10.203.204.51 netmask 255.255.255.255
static (inside,outside) 216.33.198.52 10.203.204.52 netmask 255.255.255.255
static (inside,outside) 216.33.198.53 10.203.204.53 netmask 255.255.255.255
static (inside,outside) 216.33.198.54 10.203.204.54 netmask 255.255.255.255
static (inside,outside) 216.33.198.55 10.203.204.55 netmask 255.255.255.255
static (inside,outside) 216.33.198.56 10.203.204.56 netmask 255.255.255.255
static (inside,outside) 216.33.198.57 10.203.204.57 netmask 255.255.255.255
static (inside,outside) 216.33.198.58 10.203.204.58 netmask 255.255.255.255
static (inside,outside) 216.33.198.59 10.203.204.59 netmask 255.255.255.255
static (inside,outside) 216.33.198.60 10.203.204.60 netmask 255.255.255.255
static (inside,outside) 216.33.198.61 10.203.204.61 netmask 255.255.255.255
static (inside,outside) 216.33.198.62 10.203.204.62 netmask 255.255.255.255
static (inside,outside) 216.33.198.63 10.203.204.63 netmask 255.255.255.255
static (inside,outside) 216.33.198.64 10.203.204.64 netmask 255.255.255.255
static (inside,outside) 216.33.198.65 10.203.204.65 netmask 255.255.255.255
static (inside,outside) 216.33.198.66 10.203.204.66 netmask 255.255.255.255
static (inside,outside) 216.33.198.67 10.203.204.67 netmask 255.255.255.255
static (inside,outside) 216.33.198.68 10.203.204.68 netmask 255.255.255.255
static (inside,outside) 216.33.198.69 10.203.204.69 netmask 255.255.255.255
static (inside,outside) 216.33.198.70 10.203.204.70 netmask 255.255.255.255
static (inside,outside) 216.33.198.71 10.203.204.71 netmask 255.255.255.255
static (inside,outside) 216.33.198.100 10.203.204.100 netmask 255.255.255.255
static (inside,outside) 216.33.198.101 10.203.204.101 netmask 255.255.255.255
static (inside,outside) 216.33.198.102 10.203.204.102 netmask 255.255.255.255
static (inside,outside) 216.33.198.103 10.203.204.103 netmask 255.255.255.255
static (inside,outside) 216.33.198.104 10.203.204.104 netmask 255.255.255.255
static (inside,outside) 216.33.198.105 10.203.204.105 netmask 255.255.255.255
static (inside,outside) 216.33.198.106 10.203.204.106 netmask 255.255.255.255
static (inside,outside) 216.33.198.107 10.203.204.107 netmask 255.255.255.255
static (inside,outside) 216.33.198.108 10.203.204.108 netmask 255.255.255.255
static (inside,outside) 216.33.198.109 10.203.204.109 netmask 255.255.255.255
static (inside,outside) 216.33.198.110 10.203.204.110 netmask 255.255.255.255
static (inside,outside) 216.33.198.111 10.203.204.111 netmask 255.255.255.255
static (inside,outside) 216.33.198.112 10.203.204.112 netmask 255.255.255.255
static (inside,outside) 216.33.198.113 10.203.204.113 netmask 255.255.255.255
static (inside,outside) 216.33.198.114 10.203.204.114 netmask 255.255.255.255
static (inside,outside) 216.33.198.115 10.203.204.115 netmask 255.255.255.255
static (inside,outside) 216.33.198.116 10.203.204.116 netmask 255.255.255.255
static (inside,outside) 216.33.198.117 10.203.204.117 netmask 255.255.255.255
static (inside,outside) 216.33.198.118 10.203.204.118 netmask 255.255.255.255
static (inside,outside) 216.33.198.119 10.203.204.119 netmask 255.255.255.255
static (inside,outside) 216.33.198.120 10.203.204.120 netmask 255.255.255.255
static (inside,outside) 216.33.198.121 10.203.204.121 netmask 255.255.255.255
static (inside,outside) 216.33.198.122 10.203.204.122 netmask 255.255.255.255
static (inside,outside) 216.33.198.123 10.203.204.123 netmask 255.255.255.255
static (inside,outside) 216.33.198.124 10.203.204.124 netmask 255.255.255.255
static (inside,outside) 216.33.198.125 10.203.204.125 netmask 255.255.255.255
static (inside,outside) 216.33.198.126 10.203.204.126 netmask 255.255.255.255
static (inside,outside) 216.33.198.127 10.203.204.127 netmask 255.255.255.255
static (inside,outside) 216.33.198.128 10.203.204.128 netmask 255.255.255.255
static (inside,outside) 216.33.198.129 10.203.204.129 netmask 255.255.255.255
static (inside,outside) 216.33.198.130 10.203.204.130 netmask 255.255.255.255
static (inside,outside) 216.33.198.131 10.203.204.131 netmask 255.255.255.255
static (inside,outside) 216.33.198.132 10.203.204.132 netmask 255.255.255.255
static (inside,outside) 216.33.198.133 10.203.204.133 netmask 255.255.255.255
static (inside,outside) 216.33.198.134 10.203.204.134 netmask 255.255.255.255
static (inside,outside) 216.33.198.135 10.203.204.135 netmask 255.255.255.255
static (inside,outside) 216.33.198.136 10.203.204.136 netmask 255.255.255.255
static (inside,outside) 216.33.198.137 10.203.204.137 netmask 255.255.255.255
static (inside,outside) 216.33.198.138 10.203.204.138 netmask 255.255.255.255
static (inside,outside) 216.33.198.139 10.203.204.139 netmask 255.255.255.255
static (inside,outside) 216.33.198.140 10.203.204.140 netmask 255.255.255.255
static (inside,outside) 216.33.198.141 10.203.204.141 netmask 255.255.255.255
static (inside,outside) 216.33.198.142 10.203.204.142 netmask 255.255.255.255
static (inside,outside) 216.33.198.143 10.203.204.143 netmask 255.255.255.255
static (inside,outside) 216.33.198.144 10.203.204.144 netmask 255.255.255.255
static (inside,outside) 216.33.198.145 10.203.204.145 netmask 255.255.255.255
static (inside,outside) 216.33.198.146 10.203.204.146 netmask 255.255.255.255
static (inside,outside) 216.33.198.147 10.203.204.147 netmask 255.255.255.255
static (inside,outside) 216.33.198.148 10.203.204.148 netmask 255.255.255.255
static (inside,outside) 216.33.198.149 10.203.204.149 netmask 255.255.255.255
static (inside,outside) 216.33.198.150 10.203.204.150 netmask 255.255.255.255
static (inside,outside) 216.33.198.151 10.203.204.151 netmask 255.255.255.255
static (inside,outside) 216.33.198.152 10.203.204.152 netmask 255.255.255.255
static (inside,outside) 216.33.198.153 10.203.204.153 netmask 255.255.255.255
static (inside,outside) 216.33.198.154 10.203.204.154 netmask 255.255.255.255
static (inside,outside) 216.33.198.155 10.203.204.155 netmask 255.255.255.255
static (inside,outside) 216.33.198.156 10.203.204.156 netmask 255.255.255.255
static (inside,outside) 216.33.198.157 10.203.204.157 netmask 255.255.255.255
static (inside,outside) 216.33.198.158 10.203.204.158 netmask 255.255.255.255
static (inside,outside) 216.33.198.159 10.203.204.159 netmask 255.255.255.255
static (inside,outside) 216.33.198.160 10.203.204.160 netmask 255.255.255.255
static (inside,outside) 216.33.198.161 10.203.204.161 netmask 255.255.255.255
static (inside,outside) 216.33.198.162 10.203.204.162 netmask 255.255.255.255
static (inside,outside) 216.33.198.163 10.203.204.163 netmask 255.255.255.255
static (inside,outside) 216.33.198.164 10.203.204.164 netmask 255.255.255.255
static (inside,outside) 216.33.198.165 10.203.204.165 netmask 255.255.255.255
static (inside,outside) 216.33.198.166 10.203.204.166 netmask 255.255.255.255
static (inside,outside) 216.33.198.167 10.203.204.167 netmask 255.255.255.255
static (inside,outside) 216.33.198.168 10.203.204.168 netmask 255.255.255.255
static (inside,outside) 216.33.198.169 10.203.204.169 netmask 255.255.255.255
static (inside,outside) 216.33.198.170 10.203.204.170 netmask 255.255.255.255
static (inside,outside) 216.33.198.171 10.203.204.171 netmask 255.255.255.255
static (inside,outside) 216.33.198.172 10.203.204.172 netmask 255.255.255.255
static (inside,outside) 216.33.198.173 10.203.204.173 netmask 255.255.255.255
static (inside,outside) 216.33.198.174 10.203.204.174 netmask 255.255.255.255
static (inside,outside) 216.33.198.175 10.203.204.175 netmask 255.255.255.255
static (inside,outside) 216.33.198.176 10.203.204.176 netmask 255.255.255.255
static (inside,outside) 216.33.198.177 10.203.204.177 netmask 255.255.255.255
static (inside,outside) 216.33.198.178 10.203.204.178 netmask 255.255.255.255
static (inside,outside) 216.33.198.179 10.203.204.179 netmask 255.255.255.255
static (inside,outside) 216.33.198.180 10.203.204.180 netmask 255.255.255.255
static (inside,outside) 216.33.198.181 10.203.204.181 netmask 255.255.255.255
static (inside,outside) 216.33.198.182 10.203.204.182 netmask 255.255.255.255
static (inside,outside) 216.33.198.183 10.203.204.183 netmask 255.255.255.255
static (inside,outside) 216.33.198.184 10.203.204.184 netmask 255.255.255.255
static (inside,outside) 216.33.198.185 10.203.204.185 netmask 255.255.255.255
static (inside,outside) 216.33.198.186 10.203.204.186 netmask 255.255.255.255
static (inside,outside) 216.33.198.187 10.203.204.187 netmask 255.255.255.255
static (inside,outside) 216.33.198.188 10.203.204.188 netmask 255.255.255.255
static (inside,outside) 216.33.198.189 10.203.204.189 netmask 255.255.255.255
static (inside,outside) 216.33.198.190 10.203.204.190 netmask 255.255.255.255
static (inside,outside) 216.33.198.191 10.203.204.191 netmask 255.255.255.255
static (inside,outside) 216.33.198.192 10.203.204.192 netmask 255.255.255.255
static (inside,outside) 216.33.198.193 10.203.204.193 netmask 255.255.255.255
static (inside,outside) 216.33.198.194 10.203.204.194 netmask 255.255.255.255
static (inside,outside) 216.33.198.195 10.203.204.195 netmask 255.255.255.255
static (inside,outside) 216.33.198.196 10.203.204.196 netmask 255.255.255.255
static (inside,outside) 216.33.198.197 10.203.204.197 netmask 255.255.255.255
static (inside,outside) 216.33.198.198 10.203.204.198 netmask 255.255.255.255
static (inside,outside) 216.33.198.199 10.203.204.199 netmask 255.255.255.255
static (inside,outside) 216.33.198.200 10.203.204.200 netmask 255.255.255.255
access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 216.33.198.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy test internal
group-policy test attributes
dns-server value 10.203.204.14 10.203.204.15
split-tunnel-policy tunnelspecified
split-tunnel-network-list value test_splitTunnelAcl
default-domain value yorkmedia.local
webvpn
group-policy tunneltest internal
group-policy tunneltest attributes
dns-server value 10.203.204.14 4.2.2.2
default-domain value yorkmedia.local
webvpn
group-policy testpol internal
group-policy testpol attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelall
split-tunnel-network-list value dc2vpn_splitTunnelAcl
webvpn
group-policy aes internal
group-policy aes attributes
dns-server value 10.203.204.14 10.203.204.15
vpn-tunnel-protocol IPSec
group-lock value aestest
webvpn
group-policy grouptest internal
group-policy grouptest attributes
dns-server value 10.203.204.14 4.2.2.2
default-domain value yorkmedia.local
webvpn
group-policy dc2vpntest internal
group-policy dc2vpntest attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dc2vpntest_splitTunnelAcl
webvpn
group-policy dc2vpn internal
group-policy dc2vpn attributes
dns-server value 10.203.204.14 10.203.204.15
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dc2vpn_splitTunnelAcl
webvpn
group-policy BMSTV internal
group-policy BMSTV attributes
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
client-firewall none
client-access-rule none
webvpn
username mmaxey password zSSKHLc.gx8szpy2 encrypted privilege 15
username mmaxey attributes
vpn-group-policy dc2vpn
webvpn
username jjohnstone password qElIg/rYW4OoTIEP encrypted privilege 15
username jjohnstone attributes
vpn-group-policy dc2vpntest
webvpn
username sragona password ZgCBom/StrITlFdU encrypted
username sragona attributes
vpn-group-policy dc2vpn
webvpn
username admin password 5zvQXQPrcnyHyGKm encrypted
username seng password PP8UcINDKi7BSsj2 encrypted
username seng attributes
vpn-group-policy dc2vpn
webvpn
username chauser password I3OIxCe8FBONQlhK encrypted
username chauser attributes
vpn-group-policy dc2vpn
webvpn
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 65.123.204.0 255.255.254.0 outside
http 0.0.0.0 0.0.0.0 outside
http 10.203.204.0 255.255.254.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group7
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map 60 match address outside_cryptomap_60
crypto map outside_map 60 set peer 165.89.240.1
crypto map outside_map 60 set transform-set ESP-3DES-SHA
crypto map outside_map 60 set security-association lifetime seconds 28800
crypto map outside_map 60 set security-association lifetime kilobytes 4608000
crypto map outside_map 80 match address outside_cryptomap_80
crypto map outside_map 80 set pfs
crypto map outside_map 80 set peer 64.19.183.67
crypto map outside_map 80 set transform-set ESP-3DES-SHA
crypto map outside_map 80 set security-association lifetime seconds 28800
crypto map outside_map 80 set security-association lifetime kilobytes 4608000
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer 64.241.196.50
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set security-association lifetime seconds 28800
crypto map outside_map 100 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption aes-256
isakmp policy 30 hash sha
isakmp policy 30 group 5
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption aes-256
isakmp policy 50 hash sha
isakmp policy 50 group 7
isakmp policy 50 lifetime 86400
isakmp nat-traversal 20
isakmp ipsec-over-tcp port 10000
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *
tunnel-group dc2vpn type ipsec-ra
tunnel-group dc2vpn general-attributes
address-pool vpnpool
default-group-policy dc2vpn
tunnel-group dc2vpn ipsec-attributes
pre-shared-key *
tunnel-group test type ipsec-ra
tunnel-group test general-attributes
default-group-policy test
tunnel-group test ipsec-attributes
pre-shared-key *
tunnel-group 165.89.240.1 type ipsec-l2l
tunnel-group 165.89.240.1 general-attributes
default-group-policy BMSTV
tunnel-group 165.89.240.1 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 3600 retry 2
tunnel-group 64.19.183.67 type ipsec-l2l
tunnel-group 64.19.183.67 ipsec-attributes
pre-shared-key *
tunnel-group 64.241.196.50 type ipsec-l2l
tunnel-group 64.241.196.50 ipsec-attributes
pre-shared-key *
isakmp keepalive disable
tunnel-group dc2vpntest type ipsec-ra
tunnel-group dc2vpntest general-attributes
default-group-policy dc2vpntest
tunnel-group dc2vpntest ipsec-attributes
pre-shared-key *
tunnel-group aestest type ipsec-ra
tunnel-group aestest general-attributes
address-pool vpnpool
default-group-policy aes
tunnel-group aestest ipsec-attributes
pre-shared-key *
tunnel-group TunnelGroup1 type ipsec-ra
tunnel-group TunnelGroup1 general-attributes
address-pool vpnpool
telnet 10.203.204.10 255.255.255.255 inside
telnet timeout 5
ssh 65.123.204.0 255.255.254.0 outside
ssh 10.203.204.0 255.255.254.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd lease 3600
dhcpd ping_timeout 50
class-map rtsp-traffic
match access-list rtsp-acl
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
class rtsp-traffic
inspect rtsp
service-policy global_policy global
tftp-server inside 10.203.204.10 dc2asa01/config
Cryptochecksum:6d74d3994ea6764893c420f477568aac
: endYou have three site-site VPNs and a remote access VPN setup. so the statement "Suddenly no one can access the remote LAN over VPN. " is a bit ambiguous in that context.
From which source to what destination is not working for you? -
Multiple WAN site redundancy design review (dark fiber, p2p, DMVPN)
I'm re-designing a couple of wan sites. I'm using EIGRP over both some leased dark fiber and p2p provider connections. The attached (pdf) physical topology says it all, I'm thinking of using ip sla to track and inject routes over prefered connections, but really just looking for feed back if someone is interested in taking a look.
I've bought 2 2951's with es3g-16-p modules so I can build svi's and do hsrp between the paths, building redundancy between the 3 available paths back to our enterprise core (1Gbps, 40Mbps, 50Mbps).
multiple vlans at both sites...
e.g.: (wan site1 (vlan 10-15), want site2 (vlan 16-20))
Thoughts and thanks?hi there
not sure why you need to use DMVPN if it all internal same internal network unless you need to have all the traffic between sites to be encrypted
anyway in general i would say of use the direct link to reach the directly connected networks per site
example using site one 100M link to reach DC and WAN
and use site2 50M local link to reach WAN as primary path and use the site1-site2 fibre to reach DC as primary path for site2 this could archive a good load sharing and reduce the load on the link between site1 and site2
IP SLA in a topology like your for sure can very helpful to improve failover time and make the routing more topology aware
hope this helps -
How to Enable Wake On Lan over the Internet??
Hi, I am using RV220W with the latest firmware, I want to make "Wake on LAN" work for my NAS, I found the following description on Internet:
"If you wish to use Wake On Lan over the internet you will need to set up your destination firewall/router to allow "Subnet Directed Broadcasts". Most routers and firewalls disable this option by default.
You will then need to allow traffic through on your firewall/router on a specific port. The choice of ports is up to you."
So how can I enable "Subnet Directed Broadcasts" on RV220W??
Thanks.
RaymondHi Jasbryan,
If RV220W doesn't forward UDP to a broadcast address, could you ( i.e. Cisco) provide a tools for sending WOL Magic Packet to the LAN on Router Device Manager page?
I see many routers also provide this tools from their manager page.
Thanks.
Raymond -
10 Gb oversubscribed port for Dark Fiber ring
Hi, I understand that for an 8-port 10Gb module (6509) ports 1,2,5 & 6 are the only performance 10 Gb ports (true 20Gb at full duplex) Does this mean I will not get the 10Gb throughput for another port, I'm debating whether or not it is worth moving my 10Gb optical circuit (dark fiber) on a port #4 to a "performance" port such as 1,2,5 or 6. Thanks to all for your input.
The 6708-10G card has 2 connections to the switch fabric
Fabric Channel #1: Ports 2, 3, 6, 8
Fabric Channel #2: Ports 1, 4, 5, 7
As far as i understand it that means that if you want 10Gbps on the port you can only use 2 ports from each fabric channel.
Cisco have provided a command to automatically shutdown ports 3,4,7,8 so that you are not oversubscribed on this module. But i don't think you have to use 1,2,5 & 6. You could use port 4 as long as you only used one other port from that fabric channel group ie. 1,5 or 7 and you would still get the full 10Gbps throughput.
Note i haven't actually tested the above but it is based on the way that all the 6500 fabric enabled modules work.
Jon -
How to setup if both node MXP_MR_10DME_C GE down when dark fiber LOS
Hi,
I have both ONS15454 have MXP_MR_10DME_C.
When dark fiber LOS both node MXP GE port status color are green and brown randomly.
May I setup when dark fiber LOS then both node GE status down? How?
Thanks,
Adam -
Testing New dark fiber installation
What is the best way and/or best software for testing a new installation of dark fiber, not only the physical but also test for L2 errors etc, the fiber connects / terminates at two 6500's and will be configuring a /30 network as to not disrupt anything else in the network, thanks in advance.
In addition to OTDR testing of the fiber, once you plug it in and assign IP addresses from the /30 subnet, you could run IP Service Level Agreement (SLA) performance tests between the two 6500s.
Set one end up to be the "sender" and the other end to be the "responder". Configure a test or simulation that generates packet traffic between them. Sender sends to responder, which in turn returns it to sender. If you have NTP time synchronization configured on the 6500 switches, IP SLA can measure not only packet loss (indicating a questionable or saturated link) and in which direction the loss occurred; it can also report on the variability in delivery timing between packets, and lots more.
Depending on the age of your IOS, it may be termed IP SAA (for Service Assurance Agent) instead of IP SLA.
See the Cisco White Paper "Cisco IOS IP Service Level Agreements" at the following link for more details:
http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017f8c9.html
Oh, and I forgot to mention the best part: it's free. -
Wake On Lan (over Internet) support for WRT610N
Dear Linksys/Cisco
Please please,we need Wake On Lan (over Internet) support for the WRT610N.
Whether it's implemented with static arp, or by allowing port forwards to the broadcast address doesn't really matter I guess.
Please consider this for inclusion in a future firmware upgrade.
Best regards
Henrik Schack
DenmarkLinksys routes don't support WOL. It's not possible to enter static entries into the router's ARP tables which would be necessary to have permanent access to the IP address of the computer. Basically, after some time of inactivity the router "forgets" the MAC address of your computer...
-
Extending SAN - Native FC over DWDM Experiences
We are in the process of adding a new Data Center which will be geographically located about 60 miles from our existing Data Center, the solution I'm proposing for continuous SAN access and replication is deploying a DWDM solution (Ciena or Cisco) to be able to extend native Fiber Channel to the new Data Center which will provide for an easier and staged migration. My only concern is latency over DWDM for FC since the distance is about 60 miles, does anyone have a real life experience or have been through this type of deployment and can provide me with some feedback, advice, "what to look for" etc, will the distance be an issue using DWDM? I appreciate your responses, thank you.
A bit late but hopefully not too late to be useful.
I have two remote Data Centers thanks to a merger. Both are less than 6 miles by car and we have two paths to each of them. Both the second paths are about 34 miles in a wild ring thanks to a very important customer down south.
Our network engineer who controls the ONS doesn't have a clue about FC and has a bad attitude to boot. IP doesn't have any problems with latency but he had no idea about the SAN and latency.
I found he had somehow or another got 1 out of the four paths to go down the long link and the other 3 were using the short link. Our sync HDS True Copy got very upset about this and I could not work out why. We were getting terrible timeouts of about 300 ms. This bought down a couple of mission critical apps that relied on response times of less than about 20 ms. They would not write to disk at the remote size in enough time. We worked the problem out after a bit of yelling at each other. Now he knows to always use both paths if he fails them over and to actually let me know he is doing something. To be fair, the Brocade switches also sharing the links identified the link distance mismatch.
Another issue was turning on In Order Delivery for the mainframe. That should not be mixed with other general traffic. HDS are also (quitely) adamant that you should not mix sync and async from the same ports on the storage. I had to seperate them so we have one pair for sycn and another pair for async. It looks like a SAN problem but its the different writing patterns for sync and asnyc.
60 miles is too long for HDS sync TC. I believe there is an unwritten law that 32 to 34 miles is the longest to use for sync TC. Async is not a problem. I have not used any FC accelerators. I also have EMC arrays and I have no replication issues with them either.
When I first set up the native FC over ONS, I did a fair bit of measuring and testing. Our Exchange geo cluster using sync TC normally ran at about 5 ms response times down both paths. Thats a write to the remote Data Centre and then a write to the storage on site. Heavy work showed about 10 to 12 ms. MS suggest anything less than 20 ms. 32 miles is about 0.5 of a ms extra for latency so I never actually noticed any difference with either path.
I did a lot of async tc to keep replica's of important systems offsite and once all the fine points were worked out, it was a great solution.
60 miles could be 160 using the other path.
I have not tried FCIP but I believe there are no issues with it if the IP latency is acceptable.
Balancing of backups is a pain. The backup system might have 10 tape drives available and they will use the ones on one path and nothing on the other path. That causes congestion and slow response.. blah.. blah.. They don't care. Also, use a port channel as you need two ISL's..
NEVER tell anyone that your ISL's are over distance unless you absolutely have too. Companies will always blame that. I have a mixture of Brocade and Cisco switches using the ONS. I had a problem with my Brocade fabric and Brocade immediately stopped working on the problem as they blamed the ONS for creating timeouts, etc.. etc.. It had nothing to do with it but you see what I am saying.
Stephen -
Safety of MS Sharing on LAN over TCP/IP via NetBIOS and/or Direct SMB
Shalini Sampath Kumar at http://answers.microsoft.com/en-us/windows/forum/windows_7-security/ suggested I post this question over
here:
What is the safest recommended way to set up MS File and Printer Sharing on a LAN with both Windows 7 Pro and XP Pro machines? Does "Direct hosting of SMB over TCP/IP," help? What about setting a "Scope ID" (or did that go out
with Windows NT)?
Background: I've been trained to be paranoid about NetBIOS over TCP/IP. Right now I have only XP Pro machines on my peer-to-peer workgroup LAN (behind a NAT router and with Simple File Sharing turned off), on which File and Printer Sharing has been
unbound from TCP/IP and bound to NetBEUI instead, so I feel fairly safe. Port scanning by ShieldsUp doesn't see any ports through the router, open or closed -- in other words, it appears to be "stealthed," for what that's worth. With
NetBIOS disabled on all computers inside the LAN, however, can I perform a valid test of what will happen when File and Printer Sharing is re-bound to TCP/IP?
My New Problem: I'm planning to add Window 7 Pro machines, for which NetBEUI isn't an option, and then to transition entirely to Win7 before XP goes off extended support in April. I will still use a peer-to-peer architecture with password-protected
sharing turned on (no HomeGroup). It appears that I can still get rid of NetBIOS (and WINS) in favor of "Direct hosting of SMB over TCP/IP," which sounds safer. Apparently then only port 445 will be vulnerable instead of ports 137-139.
In any case I want to do everything I can to protect my file-sharing port(s) from the Internet (e.g., from anyone who might break into my LAN either by making a wireless connection or by hacking the router itself). Can anybody give a clear set of steps
to change sharing from NetBIOS (which I would like to disable entirely) to direct hosting of SMB and to verify that I'm protected as well as possible?
I will have to completely revamp the network-file-sharing configuration of my XP machines as soon as the first Win7 machine goes on line (and possibly tweak the configuration of Win7 as well), perhaps as early as this week. I want to do this in the way that
maximizes security to the extent possible. Thanks in advance more details and guidance on this topic! -- JCW2
P.S. -- These computers are all laptops and will be used away from my home LAN -- another reason for paranoia about File and Printer Sharing. I realize that Windows 7 provides an easy way to disable F&PS by selecting any new network location as
"public," but XP does not (as far as I know). Fixing that will take more effort and be harder to remember... -- JCW2Removing the NetBIOS transport has several advantages compared to NetBIOS over TCP, you can find detailed infromation in the following KB
Direct hosting of SMB over TCP/IP
http://support.microsoft.com/kb/204279/en-us
Yolanda
TechNet Community Support
Hi again -- I think I'm slowly catching up with you. Following from my previous message...
Somebody on another forum mentioned creating "Hosts" files on each computer to substitute for the DNS server that I don't have on my workgroup. This is intriguing if I can figure out how to set it up. (I've heard it said that taking control of
your "Hosts" file is a good safety precaution anyhow, since it is a frequent target of hackers trying to divert legitimate Web requests to their own malicious sites.) Does anybody have tips and/or references that would help me accomplish the name resolution
there?
Finally, what functionality do I really lose by going the Direct-Hosting-of-SMB-with-Hosts-file (or drive mapping) route as opposed to using NetBIOS over TCP/IP? Granted, any new machine added to the network would also have to be added to all the "Hosts"
files (or mapped to a new drive letter) on each machine; but given that I already have to add it to the MAC filter and assign it a DHCP reservation in my router, this isn't a heavy burden for something that doesn't happen often. Would everything then
work the same as if NetBIOS were providing the name resolution?
One missing piece that I see so far -- it's not obvious how this same trick would apply to printer sharing (although I'm not using that feature right now anyhow). Could this be handled seamlessly through the "Hosts" file as well?
Thanks and Best Regards to All -- JCW2 -
Prioritize LAN over Wifi in Windows 7
Is there a similiar setting in Windows 7 that tells the PC to always use the LAN connection over WiFi when detected? Also, is there a away to push this setting out via Registry or GPO?
Minimize the number of simultaneous connections to the Internet or a Windows Domain
This policy restricts simultaneous connections to the Internet or Domain network. If there
is at least one active connection to the Internet, a new connection (automatic) to the Internet will not be made. This is the same for Domain network. Manual connection will not affected by this policy. If there are multiple simultaneous connections to the
Internet or Domain (i.e., plug-in Ethernet while already connected to WiFi), the less preferred connection (i.e., WiFi) will be disconnected after the OS detects that it is no longer actively being used (i.e., network traffic over the less preferred connection
drops below a certain threshold).
Path: Computer Configuration » Administrative Templates » Network » Windows Connection
Manager
JasonHi,
I haven't found this similiar policy in Windows 7, but we can change the order in this way
Open the Network and Sharing Center.
Click Change adapter settings.
Press <kbd>alt</kbd> to make the menus visible, select Advanced Settings... from the
Advanced menu.
Reorder the items in Connections so that you Local Area Connection is on top.
Or you can manually configure the Metric on each adapter, please refer to this link:
An explanation of the Automatic Metric feature for Internet Protocol routes
http://support.microsoft.com/kb/299540/en-us
If you want to change the order in all PCs in a domain, I suggest you write a logon script, then push it to all client via GPO, you can refer to this link
http://www.chrisleblanc.org/modify-network-card-bindings-script-command-line/
NOTE
This response contains a reference to a third party World
Wide Web site. Microsoft is providing this information as a convenience to you.
Microsoft does not control these sites and has not tested any software or information found
on these sites.
or this script form Technet website
Disable Auto Connect on Wireless Network Script
http://gallery.technet.microsoft.com/scriptcenter/Disable-Auto-Connect-on-59c83f1e
Yolanda Zhu
TechNet Community Support
Maybe you are looking for
-
The Apple-provided iCal Applescript, Create Event Summary, has an issue: (when printing the events of this month) it does not print the events in date-time order, but jumbles that order. How is that Ascript determining the order it does show, and how
-
SX280 HS no longer recognized as connected to any computer/ device
I purchased the brand new PowerShot SX280 HS three weeks ago. Being a person that actually reads directions and owners manuals, I followed the Getting Started booklet exactly as stated to connect the camera to my Win 7 (64-bit) PC, and it worked well
-
User exit for four quaters of a year
Hi All, I need to write an user exit to fetch the Quater1(3 months) to Quater4 from a Calyear. If the user enters 2008 then i want to get the sales for the 4 quaters for an year in separate columns. I think of creating 4 restrcited KFs with the sale
-
Passing a parameter to a LookupDispatchAction
Hi guys. Any idea how am I gonna do that? I be got a LookupDispatchAction that has 3-4 methods. The method I am trying to access needs to be passed a parameter. I can get the parameter like <html:link page="/updateTLDThrottle.do" paramId="tldName" pa
-
PR overall release data inconsistencies
Hi Guru, can anyone advise if anyone experience data inconsistencies issues in EBAN table if PR overall release is implemented? would appreciate if you could share the SAP OSS note if you have. Thanks in advance