Forwarding Traffic
Currently our Cisco router handles our DSL traffic. The DSL traffic goes directly to the Cisco router and then out to the rest of the world; the traffic never hits our switch. I would like to use a bandwidth management device (BCU) to throttle customers' speed and usage. The BCU can monitor traffic based on IP or MAC; the problem is that since all of the DSL traffic goes directly to the router, the BCU cannot see the traffic. Is there a way to forward the traffic out of the router onto the switch before it goes to the outside world?
Here is a copy of my current config on the router.
Current configuration : 24237 bytes
Last configuration change at 07:38:53 alaska Thu Nov 20 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Ruby
boot-start-marker
boot system flash:c2800nm-spservicesk9-mz.151-4.M5.bin
boot-end-marker
logging buffered 1000000
no logging console
logging monitor errors
enable secret 4 yEAnMHaKvo3cNEKVqKgx4rqwj1d3GAwBM32MEZQgzlY
enable password 7 03174D022616354F
no aaa new-model
clock timezone alaska -9 0
clock summer-time akst recurring
no network-clock-participate wic 1
network-clock-participate wic 2
no network-clock-participate aim 0
dot11 syslog
ip source-route
ip cef
ip dhcp relay information option
ip dhcp relay information policy keep
no ip dhcp relay information check
ip flow-cache timeout active 1
ip domain name yukontel.net
ip name-server 10.17.1.3
ip dhcp-server 10.17.1.8
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
crypto pki token default removal timeout 0
license udi pid CISCO2851 sn FTX1208A0BH
controller T1 0/1/0
mode atm aim 0
controller T1 0/1/1
mode atm aim 0
controller T1 0/2/0
mode atm aim 0
cablelength short 133
controller T1 0/2/1
mode atm aim 0
interface Loopback0
ip address 172.16.0.1 255.255.255.255
interface GigabitEthernet0/0
description Lyman Brothers Network
ip address 216.10.51.82 255.255.255.248
ip access-group 101 in
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
interface GigabitEthernet0/1
description Ruby DSL network
bandwidth 1200
ip address 10.17.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
no ip address
load-interval 30
shutdown
duplex auto
speed auto
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
interface ATM0/2/1
no ip address
no scrambling-payload
no atm ilmi-keepalive
no atm enable-ilmi-trap
interface ATM0/2/0
description LET-1-1 T1X
bandwidth 1200
ip dhcp relay information trusted
no ip address
ip flow ingress
no scrambling-payload
no atm auto-configuration
no atm ilmi-keepalive
no atm address-registration
no atm ilmi-enable
no atm enable-ilmi-trap
atm uni-version 3.1
interface ATM0/2/0.1 point-to-point
description LET-1-7-1
ip dhcp relay information option subscriber-id atm0/2/0.1
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/34
encapsulation aal5snap
interface ATM0/2/0.2 point-to-point
description LET-1-7-2
ip dhcp relay information option subscriber-id atm0/2/0.2
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/35
encapsulation aal5snap
interface ATM0/2/0.3 point-to-point
description LET-1-7-3
ip dhcp relay information option subscriber-id atm0/2/0.3
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/36
encapsulation aal5snap
interface ATM0/2/0.4 point-to-point
description LET-1-7-4
ip dhcp relay information option subscriber-id atm0/2/0.4
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/37
encapsulation aal5snap
interface ATM0/2/0.5 point-to-point
description LET-1-7-5
ip dhcp relay information option subscriber-id atm0/2/0.5
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/38
encapsulation aal5snap
interface ATM0/2/0.6 point-to-point
description LET-1-7-6
ip dhcp relay information option subscriber-id atm0/2/0.6
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/39
encapsulation aal5snap
interface ATM0/2/0.7 point-to-point
description LET-1-8-1
ip dhcp relay information option subscriber-id atm0/2/0.7
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/40
encapsulation aal5snap
interface ATM0/2/0.8 point-to-point
description LET-1-8-2
ip dhcp relay information option subscriber-id atm0/2/0.8
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/41
encapsulation aal5snap
interface ATM0/2/0.9 point-to-point
description LET-1-8-3
ip dhcp relay information option subscriber-id atm0/2/0.9
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/42
encapsulation aal5snap
interface ATM0/2/0.10 point-to-point
description LET-1-8-4
ip dhcp relay information option subscriber-id atm0/2/0.10
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/43
encapsulation aal5snap
interface ATM0/2/0.11 point-to-point
description LET-1-8-5
ip dhcp relay information option subscriber-id atm0/2/0.11
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/44
encapsulation aal5snap
interface ATM0/2/0.12 point-to-point
description LET-1-8-6
ip dhcp relay information option subscriber-id atm0/2/0.12
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/45
encapsulation aal5snap
interface ATM0/2/0.13 point-to-point
description LET-1-9-1
ip dhcp relay information option subscriber-id atm0/2/0.13
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/46
encapsulation aal5snap
interface ATM0/2/0.14 point-to-point
description LET-1-9-2
ip dhcp relay information option subscriber-id atm0/2/0.14
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/47
encapsulation aal5snap
interface ATM0/2/0.15 point-to-point
description LET-1-9-3
ip dhcp relay information option subscriber-id atm0/2/0.15
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/48
encapsulation aal5snap
interface ATM0/2/0.16 point-to-point
description LET-1-9-4
ip dhcp relay information option subscriber-id atm0/2/0.16
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/49
encapsulation aal5snap
interface ATM0/2/0.17 point-to-point
description LET-1-9-5
ip dhcp relay information option subscriber-id atm0/2/0.17
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/50
encapsulation aal5snap
interface ATM0/2/0.18 point-to-point
description LET-1-9-6
ip dhcp relay information option subscriber-id atm0/2/0.18
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/51
encapsulation aal5snap
interface ATM0/2/0.19 point-to-point
description LET-1-10-1
ip dhcp relay information option subscriber-id atm0/2/0.19
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/52
encapsulation aal5snap
interface ATM0/2/0.20 point-to-point
description LET-1-10-2
ip dhcp relay information option subscriber-id atm0/2/0.20
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/53
encapsulation aal5snap
interface ATM0/2/0.21 point-to-point
description LET-1-10-3
ip dhcp relay information option subscriber-id atm0/2/0.21
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/54
encapsulation aal5snap
interface ATM0/2/0.22 point-to-point
description LET-1-10-4
ip dhcp relay information option subscriber-id atm0/2/0.22
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/55
encapsulation aal5snap
interface ATM0/2/0.23 point-to-point
description LET-1-10-5
ip dhcp relay information option subscriber-id atm0/2/0.23
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/56
encapsulation aal5snap
interface ATM0/2/0.24 point-to-point
description LET-1-10-6
ip dhcp relay information option subscriber-id atm0/2/0.24
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/57
encapsulation aal5snap
interface ATM0/2/0.25 point-to-point
description LET-1-11-1
ip dhcp relay information option subscriber-id atm0/2/0.25
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/58
encapsulation aal5snap
interface ATM0/2/0.26 point-to-point
description LET-1-11-2
ip dhcp relay information option subscriber-id atm0/2/0.26
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/59
encapsulation aal5snap
interface ATM0/2/0.27 point-to-point
description LET-1-11-3
ip dhcp relay information option subscriber-id atm0/2/0.27
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/60
encapsulation aal5snap
interface ATM0/2/0.28 point-to-point
description LET-1-11-4
ip dhcp relay information option subscriber-id atm0/2/0.28
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/61
encapsulation aal5snap
interface ATM0/2/0.29 point-to-point
description LET-1-11-5
ip dhcp relay information option subscriber-id atm0/2/0.29
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/62
encapsulation aal5snap
interface ATM0/2/0.30 point-to-point
description LET-1-11-6
ip dhcp relay information option subscriber-id atm0/2/0.30
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/63
encapsulation aal5snap
interface ATM0/2/0.31 point-to-point
description LET-1-12-1
ip dhcp relay information option subscriber-id atm0/2/0.31
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/64
encapsulation aal5snap
interface ATM0/2/0.32 point-to-point
description LET-1-12-2
ip dhcp relay information option subscriber-id atm0/2/0.32
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/65
encapsulation aal5snap
interface ATM0/2/0.33 point-to-point
description LET-1-12-3
ip dhcp relay information option subscriber-id atm0/2/0.33
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/66
encapsulation aal5snap
interface ATM0/2/0.34 point-to-point
description LET-1-12-4
ip dhcp relay information option subscriber-id atm0/2/0.34
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/67
encapsulation aal5snap
interface ATM0/2/0.35 point-to-point
description LET-1-12-5
ip dhcp relay information option subscriber-id atm0/2/0.35
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/68
encapsulation aal5snap
interface ATM0/2/0.36 point-to-point
description LET-1-12-6
ip dhcp relay information option subscriber-id atm0/2/0.36
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/69
encapsulation aal5snap
interface ATM0/2/0.37 point-to-point
description LET-1-13-1
ip dhcp relay information option subscriber-id atm0/2/0.37
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/70
encapsulation aal5snap
interface ATM0/2/0.38 point-to-point
description LET-1-13-2
ip dhcp relay information option subscriber-id atm0/2/0.38
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/71
encapsulation aal5snap
interface ATM0/2/0.39 point-to-point
description LET-1-13-3
ip dhcp relay information option subscriber-id atm0/2/0.39
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/72
encapsulation aal5snap
interface ATM0/2/0.40 point-to-point
description LET-1-13-4
ip dhcp relay information option subscriber-id atm0/2/0.40
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/73
encapsulation aal5snap
interface ATM0/2/0.41 point-to-point
description LET-1-13-5
ip dhcp relay information option subscriber-id atm0/2/0.41
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/74
encapsulation aal5snap
interface ATM0/2/0.42 point-to-point
description LET-1-13-6
ip dhcp relay information option subscriber-id atm0/2/0.42
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/75
encapsulation aal5snap
interface ATM0/2/0.43 point-to-point
description LET-1-14-1
ip dhcp relay information option subscriber-id atm0/2/0.43
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/76
encapsulation aal5snap
interface ATM0/2/0.44 point-to-point
description LET-1-14-2
ip dhcp relay information option subscriber-id atm0/2/0.44
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/77
encapsulation aal5snap
interface ATM0/2/0.45 point-to-point
description LET-1-14-3
ip dhcp relay information option subscriber-id atm0/2/0.45
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/78
encapsulation aal5snap
interface ATM0/2/0.46 point-to-point
description LET-1-14-4
ip dhcp relay information option subscriber-id atm0/2/0.46
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/79
encapsulation aal5snap
interface ATM0/2/0.47 point-to-point
description LET-1-14-5
ip dhcp relay information option subscriber-id atm0/2/0.47
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/80
encapsulation aal5snap
interface ATM0/2/0.48 point-to-point
description LET-1-14-6
ip dhcp relay information option subscriber-id atm0/2/0.48
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/81
encapsulation aal5snap
interface ATM0/2/0.49 point-to-point
description LET-1-15-1
ip dhcp relay information option subscriber-id atm0/2/0.49
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/82
encapsulation aal5snap
interface ATM0/2/0.50 point-to-point
description LET-1-15-2
ip dhcp relay information option subscriber-id atm0/2/0.50
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/83
encapsulation aal5snap
interface ATM0/2/0.51 point-to-point
description LET-1-15-3
ip dhcp relay information option subscriber-id atm0/2/0.51
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/84
encapsulation aal5snap
interface ATM0/2/0.52 point-to-point
description LET-1-15-4
ip dhcp relay information option subscriber-id atm0/2/0.52
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/85
encapsulation aal5snap
interface ATM0/2/0.53 point-to-point
description LET-1-15-5
ip dhcp relay information option subscriber-id atm0/2/0.53
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/86
encapsulation aal5snap
interface ATM0/2/0.54 point-to-point
description LET-1-15-6
ip dhcp relay information option subscriber-id atm0/2/0.54
ip unnumbered Loopback0
ip helper-address 10.17.1.8
ip flow ingress
ip nat inside
ip virtual-reassembly in
atm route-bridged ip
no atm enable-ilmi-trap
pvc 1/87
encapsulation aal5snap
interface ATM0/1/1
no ip address
no scrambling-payload
no atm ilmi-keepalive
no atm enable-ilmi-trap
interface ATM0/1/0
no ip address
no scrambling-payload
no atm ilmi-keepalive
no atm enable-ilmi-trap
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip flow-export source GigabitEthernet0/1
ip flow-export version 9 peer-as
ip flow-export destination 10.17.1.8 2055
ip flow-export destination 10.17.1.18 9995
ip nat inside source list 10 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.17.1.21 80 216.10.51.82 80 extendable
ip nat inside source static tcp 10.17.1.10 443 216.10.51.82 443 extendable
ip nat inside source static tcp 10.17.1.6 472 216.10.51.82 472 extendable
ip nat inside source static tcp 10.17.1.5 2001 216.10.51.82 2001 extendable
ip nat inside source static tcp 10.17.1.36 3389 216.10.51.82 3389 extendable
ip nat inside source static tcp 10.17.1.36 5800 216.10.51.82 5800 extendable
ip nat inside source static tcp 10.17.1.19 5808 216.10.51.82 5808 extendable
ip nat inside source static tcp 10.17.1.36 5900 216.10.51.82 5900 extendable
ip nat inside source static tcp 10.17.1.19 5908 216.10.51.82 5908 extendable
ip nat inside source static tcp 10.17.1.12 8071 216.10.51.82 8071 extendable
ip nat inside source static tcp 10.17.1.188 18098 216.10.51.82 18098 extendable
ip nat inside source static tcp 10.17.1.189 18099 216.10.51.82 18099 extendable
ip nat inside source static tcp 10.17.1.21 22096 216.10.51.82 22096 extendable
ip nat inside source static 10.17.1.8 216.10.51.83
ip nat inside source static 10.17.1.2 216.10.51.85
ip nat inside source static tcp 10.17.1.6 80 216.10.51.86 80 extendable
ip nat inside source static tcp 10.17.1.20 443 216.10.51.86 443 extendable
ip nat inside source static tcp 10.17.1.16 472 216.10.51.86 472 extendable
ip nat inside source static tcp 10.17.1.15 2001 216.10.51.86 2001 extendable
ip nat inside source static tcp 10.17.1.6 2247 216.10.51.86 2247 extendable
ip nat inside source static tcp 172.16.0.108 3389 216.10.51.86 3389 extendable
ip nat inside source static tcp 172.16.0.108 5800 216.10.51.86 5800 extendable
ip nat inside source static tcp 172.16.0.108 5900 216.10.51.86 5900 extendable
ip nat inside source static tcp 10.17.1.42 5901 216.10.51.86 5901 extendable
ip nat inside source static tcp 10.17.1.18 8068 216.10.51.86 8068 extendable
ip nat inside source static tcp 10.17.1.189 18098 216.10.51.86 18098 extendable
ip nat inside source static tcp 10.17.1.42 22470 216.10.51.86 22470 extendable
ip nat inside source static tcp 10.17.1.18 22472 216.10.51.86 22472 extendable
ip nat inside source static tcp 10.17.1.23 22477 216.10.51.86 22477 extendable
ip route 0.0.0.0 0.0.0.0 216.10.51.81
access-list 10 permit 172.16.0.0 0.0.0.255
access-list 10 permit 10.17.1.0 0.0.0.255
access-list 91 permit 173.246.38.114
access-list 91 permit 209.165.168.182
access-list 91 permit 216.67.90.78
access-list 91 permit 209.165.145.160 0.0.0.7
access-list 91 permit 216.10.51.64 0.0.0.31
access-list 91 permit 209.112.180.128 0.0.0.31
access-list 91 permit 216.137.207.176 0.0.0.15
access-list 91 permit 10.17.1.0 0.0.0.15
access-list 91 permit 10.17.1.0 0.0.0.63
access-list 101 permit tcp 66.0.0.0 0.255.255.255 216.10.51.80 0.0.0.7
access-list 101 permit tcp 64.0.0.0 0.255.255.255 216.10.51.80 0.0.0.7
access-list 101 permit tcp 67.0.0.0 0.255.255.255 216.10.51.80 0.0.0.7
access-list 101 permit tcp 216.0.0.0 0.255.255.255 216.10.51.80 0.0.0.7
access-list 101 permit tcp 209.0.0.0 0.255.255.255 216.10.51.80 0.0.0.7
access-list 101 permit tcp 98.245.0.0 0.0.255.255 216.10.51.80 0.0.0.7
access-list 101 permit tcp any host 216.10.51.82 eq 5800
access-list 101 permit tcp any host 216.10.51.82 eq 5900
access-list 101 permit tcp any 216.10.51.80 0.0.0.7 eq www
access-list 101 permit tcp any 216.10.51.80 0.0.0.7 eq 443
access-list 101 permit tcp any 216.10.51.80 0.0.0.7 eq 8071
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
snmp-server engineID local 0000000902000003E3276D80
snmp-server community svi373 RO
snmp-server community public RO
snmp-server community svi7yukon RO
snmp-server location YTC Ruby Alaska
snmp mib community-map public engineid 800000090300001906187B50
snmp mib community-map svi7yukon engineid 800000090300001818A27470
control-plane
bridge 2 protocol ieee
mgcp profile default
line con 0
line aux 0
line vty 0 4
password 7 06121F2214571C120A19
login
transport input all
scheduler allocate 20000 1000
ntp server 10.17.1.8
ntp server 10.17.1.42
end
Ruby# exit
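One way to reason about this config offline, as an added example that is not part of the original post: a small Python parser for indented "show running-config" output that maps each interface's NAT role and flags the hardening items a reviewer would raise on the config above (reversible type-7 passwords, the deprecated type-4 enable secret, "ip source-route" left enabled, SNMP communities without an access-list, vty lines accepting every transport with no access-class, and ACL 101 ending in "permit ip any any"). The SAMPLE_CONFIG is a constructed excerpt of the posted config with placeholder secrets in place of the real values.

```python
"""Parse an IOS running-config and flag the weak settings seen in the post.

Added example, not from the original post.  Assumes the normal indented
``show running-config`` layout; the sample below is a constructed excerpt
of the posted config with placeholder secrets in place of the real values.
"""
import re

SAMPLE_CONFIG = """\
service password-encryption
ip source-route
enable secret 4 PLACEHOLDER_TYPE4_HASH
enable password 7 PLACEHOLDER_TYPE7
interface GigabitEthernet0/0
 description Lyman Brothers Network
 ip address 216.10.51.82 255.255.255.248
 ip access-group 101 in
 ip nat outside
interface GigabitEthernet0/1
 description Ruby DSL network
 ip address 10.17.1.1 255.255.255.0
 ip nat inside
interface ATM0/2/0.1 point-to-point
 ip unnumbered Loopback0
 ip nat inside
 atm route-bridged ip
access-list 101 permit tcp any host 216.10.51.82 eq 5900
access-list 101 permit ip any any
snmp-server community public RO
line vty 0 4
 password 7 PLACEHOLDER_TYPE7
 login
 transport input all
"""


def parse_ios_config(text):
    """Return [(header, [subcommands])]: indented lines belong to the
    preceding unindented header; '!' separators and blank lines are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] in " \t" and sections:
            sections[-1][1].append(line)
        else:
            sections.append((line, []))
    return sections


def nat_roles(sections):
    """Map interface name -> 'inside' / 'outside' from its 'ip nat' line."""
    roles = {}
    for header, body in sections:
        if header.startswith("interface "):
            for cmd in body:
                if cmd in ("ip nat inside", "ip nat outside"):
                    roles[header.split()[1]] = cmd.split()[-1]
    return roles


def audit(sections):
    """Return [(severity, message)] for the hardening issues a reviewer
    would raise on the posted config."""
    findings = []
    acls = {}  # ACL number -> [(action, match-clause)] in config order
    for header, body in sections:
        if header == "ip source-route":
            findings.append(("medium", "IP source routing enabled; set 'no ip source-route'"))
        if header.startswith("enable secret 4 "):
            findings.append(("medium", "type-4 enable secret is deprecated; regenerate as type 5/8/9"))
        if header.startswith("enable password 7 ") or any(c.startswith("password 7 ") for c in body):
            findings.append(("high", f"reversible type-7 password in '{header}'"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)$", header)
        if m:  # no trailing ACL name/number means any source may query
            sev = "high" if m.group(1) == "public" else "medium"
            findings.append((sev, f"SNMP community '{m.group(1)}' {m.group(2)} with no access-list"))
        m = re.match(r"access-list (\d+) (permit|deny) (.+)", header)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        if header.startswith("line vty") and "transport input all" in body \
                and not any(c.startswith("access-class") for c in body):
            findings.append(("high", f"'{header}' accepts every transport with no access-class"))
    for acl, entries in acls.items():
        action, match = entries[-1]
        if action == "permit" and match == "ip any any" and len(entries) > 1:
            findings.append(("medium", f"ACL {acl} ends in 'permit ip any any'; "
                                       f"its {len(entries) - 1} earlier entries filter nothing"))
    return findings


if __name__ == "__main__":
    cfg = parse_ios_config(SAMPLE_CONFIG)
    for name, role in nat_roles(cfg).items():
        print(f"{name:28s} nat {role}")
    for sev, msg in audit(cfg):
        print(f"[{sev}] {msg}")
```

The NAT map also shows the forwarding problem behind the question: the ATM0/2/0.x subinterfaces are "ip nat inside" and are routed straight to the "ip nat outside" interface GigabitEthernet0/0, so DSL traffic never traverses GigabitEthernet0/1, the only interface facing the switch where the BCU sits.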
Hello Nagendra,
Thanks for the reply. Yes, that is correct. I want one PW's traffic over an LDP-based LSP while the other PW to the same destination 1.1.1.1 goes over a TE tunnel. Please note that I have a Cisco 2921 router as PE and it seems that it does not support the "preferred-path interface" feature.
Please see the output from my router:
PE2(config)#pseudowire-class test1
PE2(config-pw-class)#encapsulation mpls
PE2(config-pw-class)#?
Pseudowire-class configuration commands:
default Set a command to its defaults
encapsulation Data encapsulation method
exit Exit from Pseudowire-class configuration mode
interworking Interworking options for pseudowire
no Negate a command or set its defaults
protocol Signaling protocol to use
status Enable pseudowire status extensions in label advertisement and label notification messages. This is not advised unless your
peer router also supports this functionality as it may lead to premature enabling of the dataplane on that peer.
In my question I posted a link to this document http://www.cisco.com/c/en/us/td/docs/ios/12_2sr/12_2sra/feature/guide/srtunsel.html where the "preferred-path interface" feature is explained, but it is for the 7600 platform. That is why I took a different approach, forwarding the traffic with a route-map. Please advise.
Similar Messages
How do I forward traffic to an IP Address from a gateway through an extreme?
I have a DVR for a camera system attached to a WiFi Ethernet device (because there is too far a distance between the DVR and the cable gateway). When it was attached directly to the cable modem, I used port forwarding to route traffic to the DVR. That worked great. NOW I have to use the WiFi adapter and that is connecting to the Airport Extreme. The Airport Extreme is connected to that cable modem.
So I understand how to forward traffic from the modem to an IP address (the Extreme's IP perhaps??) but then how do I send that traffic through the Extreme to the WiFi-Ethernet adapter connected to the DVR? I am on my mobile phone getting an address of 10...83 through the router 10...1.
Then the DVR setup on 10...69 IS accessible.
When I switch my wifi off (on the mobile phone) and I use the ip address (23…94) of the modem w/ port specification I do not get connected.
When I plug DIRECTLY into the Cable Modem and get an IP address of 10…53, via (Mac OS X) I CAN access the DVR again with ip of 10…69.
When I use WIFI (via the AE) I get an IP Address of 10…44 and CAN access the DVR as well.
I have also confirmed traffic is port forwarding to .69:7000 as per the port specified on the DVR.
So with all that confirmed, I tried it again and it is still not working...
THEN I reset the AE, reset the WiFi adapter, reset the DVR and updated firmware, started with the basic outline from everyone and IT'S WORKING!!
I believe it was actually all the AE and requiring a reset on that device.
Thank you again for all the help, this was a fun challenge!
Only system vlans forward traffic on 1000v
I am trying to migrate to a Nexus 1000v vDS but only VMs in the system VLAN can forward traffic. I do not want to make my voice VLAN a system VLAN but that is the only way I can get a VM in that VLAN to work properly. I have a host with its vmk in the L3Control port group. From the VSM, a show module shows the VEM 3 with an "ok" status. I currently only have 1 NIC under the vDS control. My VMs using the VM_Network port group work fine and can forward traffic normally. When I put a VM in the Voice_Network port group I lose communication with it. If I add VLAN 5 as a system VLAN to my Uplink port profile then the VMs in the Voice_Network work properly. I thought you shouldn't create system VLANs for each VLAN and only use it for critical management functions, so I would rather not make it a system VLAN. Below is my n1k config. The upstream switch is a 2960X with the "switchport mode trunk" command. Am I missing something that is not allowing VLAN 5 to communicate over the Uplink port profile?
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet VM_Network
vmware port-group
switchport mode access
switchport access vlan 1
no shutdown
system vlan 1
max-ports 256
description VLAN 1
state enabled
port-profile type vethernet L3-control-vlan1
capability l3control
vmware port-group L3Control
switchport mode access
switchport access vlan 1
no shutdown
system vlan 1
state enabled
port-profile type ethernet iSCSI-50
vmware port-group "iSCSI Uplink"
switchport mode trunk
switchport trunk allowed vlan 50
switchport trunk native vlan 50
mtu 9000
channel-group auto mode active
no shutdown
system vlan 50
state enabled
port-profile type vethernet iSCSI-A
vmware port-group
switchport access vlan 50
switchport mode access
capability iscsi-multipath
no shutdown
system vlan 50
state enabled
port-profile type vethernet iSCSI-B
vmware port-group
switchport access vlan 50
switchport mode access
capability iscsi-multipath
no shutdown
system vlan 50
state enabled
port-profile type ethernet Uplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 1,5
no shutdown
system vlan 1
state enabled
port-profile type vethernet Voice_Network
vmware port-group
switchport mode access
switchport access vlan 5
no shutdown
max-ports 256
description VLAN 5
state enabled
Below is the output you requested. Thank you.
~ # vemcmd show card
Card UUID type 2: 4c4c4544-004c-5110-804a-b9c04f564831
Card name: synergvm5
Switch name: synergVSM
Switch alias: DvsPortset-0
Switch uuid: 7d e9 0d 50 b3 3b 25 47-64 14 61 c0 3f c0 7b d9
Card domain: 4094
Card slot: 3
VEM Tunnel Mode: L3 Mode
L3 Ctrl Index: 49
L3 Ctrl VLAN: 1
VEM Control (AIPC) MAC: 00:02:3d:1f:fe:02
VEM Packet (Inband) MAC: 00:02:3d:2f:fe:02
VEM Control Agent (DPA) MAC: 00:02:3d:4f:fe:02
VEM SPAN MAC: 00:02:3d:3f:fe:02
Primary VSM MAC : 00:50:56:aa:70:b9
Primary VSM PKT MAC : 00:50:56:aa:70:bb
Primary VSM MGMT MAC : 00:50:56:aa:70:ba
Standby VSM CTRL MAC : 00:50:56:aa:70:b6
Management IPv4 address: 172.30.2.64
Management IPv6 address: 0000:0000:0000:0000:0000:0000:0000:0000
Primary L3 Control IPv4 address: 172.30.100.1
Secondary VSM MAC : 00:00:00:00:00:00
Secondary L3 Control IPv4 address: 0.0.0.0
Upgrade : Default
Max physical ports: 32
Max virtual ports: 216
Card control VLAN: 1
Card packet VLAN: 1
Control type multicast: No
Card Headless Mode : No
Processors: 16
Processor Cores: 8
Processor Sockets: 2
Kernel Memory: 62904468
Port link-up delay: 5s
Global UUFB: DISABLED
Heartbeat Set: True
PC LB Algo: source-mac
Datapath portset event in progress : no
Licensed: Yes
~ # vemcmd show port
LTL VSM Port Admin Link State PC-LTL SGID Vem Port Type
24 Eth3/8 UP UP FWD 0 vmnic7
49 Veth1 UP UP FWD 0 vmk1
50 Veth2 UP UP FWD 0 XP-Voice.eth0
51 Veth3 UP UP FWD 0 synergPresence.eth0
~ # vemcmd show port vlans
Native VLAN Allowed
LTL VSM Port Mode VLAN State* Vlans
24 Eth3/8 T 1 FWD 1
49 Veth1 A 1 FWD 1
50 Veth2 A 1 FWD 1
51 Veth3 A 5 FWD 5
* VLAN State: VLAN State represents the state of allowed vlans.
~ # vemcmd show bd
Number of valid BDS: 10
BD 1, vdc 1, vlan 1, swbd 1, 5 ports, ""
Portlist:
BD 2, vdc 1, vlan 3972, swbd 3972, 0 ports, ""
Portlist:
BD 3, vdc 1, vlan 3970, swbd 3970, 0 ports, ""
Portlist:
BD 4, vdc 1, vlan 3969, swbd 3969, 2 ports, ""
Portlist:
8
9
BD 5, vdc 1, vlan 3968, swbd 3968, 3 ports, ""
Portlist:
1 inban
5 inband port securit
11
BD 6, vdc 1, vlan 3971, swbd 3971, 2 ports, ""
Portlist:
14
15
BD 7, vdc 1, vlan 5, swbd 5, 1 ports, ""
Portlist:
51 synergPresence.eth0
BD 8, vdc 1, vlan 50, swbd 50, 0 ports, ""
Portlist:
BD 9, vdc 1, vlan 77, swbd 77, 0 ports, ""
Portlist:
BD 10, vdc 1, vlan 199, swbd 199, 0 ports, ""
Portlist:
~ #
How ASA forwarding traffic to AIP-SSM
Hi All,
Can someone help with how an ASA device forwards traffic to the AIP-SSM? I'm not talking about the configuration part like class-map, policy-map and service-policy; I want to understand the traffic flow from the ASA, once traffic is matched by the ACL, to the AIP-SSM.
From one Cisco document, I understood that the module uses a Cisco proprietary protocol for communicating with the ASA appliance.
================================================================================================================
FYR from Cisco Website:
Q. How does the Cisco ASA AIP-SSM plug into and communicate with the appliance?
A. The Cisco ASA AIP-SSM plugs directly into the SSM slot in the Cisco ASA appliance's chassis. This provides a direct connection to the appliance's backplane. Once the module is installed, a proprietary protocol runs over the bus and controls data flow and messaging between the module and appliance.
================================================================================================================
Regards,
S.Vinoth
Hey,
As you mentioned above, it uses a Cisco proprietary protocol for that communication. There are two interfaces, a control channel and a data channel; the data channel is where the traffic is forwarded. The backplane is the connection between the ASA and the IPS interface.
Hope that this helps .
Mohammad.
CCE 507 stops forwarding traffic to internet
Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up, because I can telnet into it and reload, and everything is fine then. This has started happening in the last two weeks. The engine is integrated with Websense filtering. Could I be experiencing hardware issues? I did recently upgrade Websense to the latest version and also upgraded the PIX 515 firewall IOS to the latest. I am thinking of maybe upgrading the IOS on the engine. Any guidance would be appreciated. Thanks in advance.
Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since, the problem has not arisen. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server, although when bypassing the proxy server (CE), there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page, so it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade? The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
Network Error
The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209
CGS-2520-16S-8PC only half of SFP Ports forwarding Traffic
HI all,
We have two CGS-2520-16S-8PC with links in different directions. All SFP ports are up, but only half of them forward traffic. We need all ports.
In one of the Cisco documents I found this hint: "The 100BASE-FX SFP ports and the 10/100 PoE ports are grouped in pairs. The first member of the pair (port 1) is above the second member (port 2) on the left. Port 3 is above port 4, and so on. The dual-purpose ports are numbered 1 and 2."
But more about it is not found in the documents, so I have no clue how to bring all ports to forward traffic.
Does someone have an idea?
Philipp
Sorry, but a gigabit-only transceiver will not work on 100 Mbps-only SFP ports.
There's almost always a good reason why something is not listed in the compatibility table.
ASA 5510 with Cisco 2811 Router Behind it - Not forwarding traffic
Hi all,
Some might know that I have been dealing with an issue where I cannot seem to get forwarded packets to reach their destinations behind an ASA 5510 that has a Cisco 2811 connected directly behind it.
Some examples that work.
I can SSH into the ASA.
I can SSH to the Cisco Routers behind the ASA.
I cannot reach items behind the Cisco Routers.
My Configuration is this (I am sure I included a bunch of info I didn't need to, but I am hoping it'll help!):
I have a static IP assigned to my Outside interface, Ethernet 0/1.
It has an IP address of 199.195.xxx.xxx.
I am trying to learn how to shape network traffic (this is all new to me) via the ASA and the Routers to specific devices.
The Inside Interface on the ASA is 10.10.1.1 255.255.255.252
The Outside Interface on the 2811 is 10.10.1.2 255.255.255.252
I can ping the router from the ASA. I can SSH through the ASA to the router.
BUT I CANNOT ACCESS DEVICES BEHIND THE ROUTER.
So, I wanted to BAM that statement above because I just don't know where the issue is. Is the issue on the router or the ASA? My guess is the router, but I just don't know.
Here are my configs; hopefully someone can help.
ASA errors on the ASDM when I try to hit resources, specifically a web device behind the ASA and the 2811. Its IP address is 192.168.1.5 and it's listening on port 80. Static IP, not assigned via DHCP.
Severity  Date         Time      Source              Destination         Description
6         Feb 14 2014  19:38:56  98.22.121.x/41164   192.168.1.5/80      Built inbound TCP connection 1922859 for Outside:98.22.121.x/41164 (98.22.121.x/41164) to Inside:192.168.1.5/80 (199.195.168.x/8080)
6         Feb 14 2014  19:38:56  10.10.1.2/80        98.22.121.x/41164   Deny TCP (no connection) from 10.10.1.2/80 to 98.22.121.x/41164 flags SYN ACK on interface Inside
ASA5510# sh nat
Auto NAT Policies (Section 2)
1 (DMZ) to (Outside) source static ROUTER-2821 interface service tcp ssh 2222
translate_hits = 1, untranslate_hits = 18
2 (Inside) to (Outside) source static ROUTER-2811 interface service tcp ssh 222
translate_hits = 0, untranslate_hits = 13
3 (VOIP) to (Outside) source static ROUTER-3745 interface service tcp ssh 2223
translate_hits = 0, untranslate_hits = 3
4 (Inside) to (Outside) source static RDP-DC1 interface service tcp 3389 3389
translate_hits = 0, untranslate_hits = 236
5 (Inside) to (Outside) source static WEBCAM-01 interface service tcp www 8080
translate_hits = 0, untranslate_hits = 162
Manual NAT Policies (Section 3)
1 (any) to (Outside) source dynamic PAT-SOURCE interface
translate_hits = 1056862, untranslate_hits = 83506
ASA5510# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list USERS; 1 elements; name hash: 0x50681c1e
access-list USERS line 1 standard permit 10.10.1.0 255.255.255.0 (hitcnt=0) 0xdd6ba495
access-list Outside_access_in; 5 elements; name hash: 0xe796c137
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 1 extended permit tcp host 98.22.121.x host 10.10.1.2 eq ssh (hitcnt=37) 0x5a53778d
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 2 extended permit tcp host 98.22.121.x host 10.10.0.2 eq ssh (hitcnt=8) 0x9f32bc21
access-list Outside_access_in line 3 extended permit tcp host 98.22.121.x interface Outside eq https (hitcnt=0) 0x385488b2
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x object WEBCAM-01 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 4 extended permit tcp host 98.22.121.x host 192.168.1.5 eq www (hitcnt=60) 0xe66674ec
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389 (hitcnt=3) 0x02f13f4e
access-list Outside_access_in line 5 extended permit tcp host 98.22.121.x host 192.168.1.2 eq 3389 (hitcnt=3) 0x02f13f4e
access-list dmz-access-vlan1; 1 elements; name hash: 0xc3450860
access-list dmz-access-vlan1 line 1 extended permit ip 128.162.1.0 255.255.255.0 any (hitcnt=0) 0x429fedf1
access-list dmz-access; 3 elements; name hash: 0xf53f5801
access-list dmz-access line 1 remark Permit all traffic to DC1
access-list dmz-access line 2 extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2 (hitcnt=0) 0xd2dced0a
access-list dmz-access line 3 remark Permit only DNS traffic to DNS server
access-list dmz-access line 4 extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain (hitcnt=0) 0xbb21093e
access-list dmz-access line 5 remark Permit ICMP to all devices in DC
access-list dmz-access line 6 extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x71269ef7
CISCO-2811#show access-lists
Standard IP access list 1
10 permit any (1581021 matches)
CISCO-2811#show translate
CISCO-2811#show route
CISCO-2811#show route-map
CISCO-2811#show host
CISCO-2811#show hosts
Default domain is maladomini.int
Name/address lookup uses domain service
Name servers are 192.168.1.2, 199.195.168.4, 205.171.2.65, 205.171.3.65, 8.8.8.8
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
api.mixpanel.com None (temp, OK) 2 IP 198.23.64.21
198.23.64.22
198.23.64.18
198.23.64.19
198.23.64.20
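One way to pick this pattern out of ASA syslog automatically, as an added example that is not part of the original thread: the two ASDM entries in the post show a connection built to Inside:192.168.1.5/80 and, in the same second, a SYN ACK for the same client socket arriving from 10.10.1.2/80 (the 2811's address on the Inside link) and being dropped with "no connection". A server reply that comes back from a different address than the one the connection was built to is the signature of something between the firewall and the server rewriting the reply's source, i.e. a second NAT hop, which the ASA's stateful inspection cannot match. The script below correlates message IDs 302013 (Built) and 106015 (Deny, no connection) over a constructed log that mirrors those entries. The sample lines, the documentation-range addresses 203.0.113.9 and 198.51.100.1 standing in for the masked public addresses, and the function name are assumptions made for this example.

```python
import re

# Patterns for the two ASA syslog IDs involved: 302013 (TCP connection built)
# and 106015 (packet denied because it matched no existing connection).
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mapped_dst>[\d.]+)/(?P<mapped_dport>\d+)\)"
)
DENY_RE = re.compile(
    r"%ASA-6-106015: Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\w+)"
)

# Constructed sample log modelled on the two ASDM entries in the post. The client
# and mapped outside addresses are documentation-range stand-ins, not real hosts.
SAMPLE_LOG = [
    "%ASA-6-302013: Built inbound TCP connection 1922859 for Outside:203.0.113.9/41164 "
    "(203.0.113.9/41164) to Inside:192.168.1.5/80 (198.51.100.1/8080)",
    "%ASA-6-106015: Deny TCP (no connection) from 10.10.1.2/80 to 203.0.113.9/41164 "
    "flags SYN ACK on interface Inside",
    # A healthy connection for contrast: built, and no deny follows it.
    "%ASA-6-302013: Built inbound TCP connection 1922860 for Outside:203.0.113.9/41170 "
    "(203.0.113.9/41170) to Inside:192.168.1.2/3389 (198.51.100.1/3389)",
    # A stray SYN ACK with no matching built connection: a different symptom, not flagged.
    "%ASA-6-106015: Deny TCP (no connection) from 192.168.1.2/3389 to 203.0.113.9/41000 "
    "flags SYN ACK on interface Inside",
]


def find_asymmetric_replies(lines):
    """Correlate 302013 and 106015 messages and report double-NAT symptoms.

    A SYN ACK denied with "no connection" is a server reply the ASA could not
    match to any connection. If a connection was built to server S for the same
    client socket but the reply arrives from a different inside address R on the
    same interface, a device between the ASA and S rewrote the reply's source.
    Returns one finding dict per such pair.
    """
    built = {}   # (client_ip, client_port, server_port) -> parsed 302013 record
    findings = []
    for line in lines:
        m = BUILT_RE.search(line)
        if m:
            rec = m.groupdict()
            built[(rec["src"], rec["sport"], rec["dport"])] = rec
            continue
        m = DENY_RE.search(line)
        if not m:
            continue
        flags = m["flags"].split()
        if not ("SYN" in flags and "ACK" in flags):
            continue  # only server replies are interesting here
        # In the reply the roles are swapped: src is the server side, dst the client.
        rec = built.get((m["dst"], m["dport"], m["sport"]))
        if rec is None:
            continue  # unsolicited SYN ACK, not the pattern we are looking for
        if rec["dst"] != m["src"] and rec["dst_if"] == m["iface"]:
            findings.append({
                "conn_id": rec["conn_id"],
                "client": f'{rec["src"]}/{rec["sport"]}',
                "expected_server": rec["dst"],
                "replying_host": m["src"],
                "interface": m["iface"],
            })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_replies(SAMPLE_LOG):
        print(f"conn {f['conn_id']}: built to {f['expected_server']} but the SYN ACK "
              f"came from {f['replying_host']} on {f['interface']} for client {f['client']}")
```

Run against a real export, the script reads lines from syslog rather than the embedded list; the useful output is the (expected_server, replying_host) pair, which names the device that is translating on the way back. The check deliberately ignores SYN ACKs that have no prior Built record, since those are ordinary late or stray replies and point at a different problem.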
ASA5510:
ASA5510# sh run all
: Saved
ASA Version 9.1(4)
command-alias exec h help
command-alias exec lo logout
command-alias exec p ping
command-alias exec s show
terminal width 80
hostname ASA5510
domain-name maladomini.int
enable password x encrypted
no fips enable
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
passwd x encrypted
names
dns-guard
lacp system-priority 32768
interface Ethernet0/0
description LAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.252
delay 10
interface Ethernet0/1
description WAN Interface
speed auto
duplex auto
no flowcontrol send on
nameif Outside
security-level 0
ip address 199.195.168.xxx 255.255.255.240
delay 10
interface Ethernet0/2
description DMZ
speed auto
duplex auto
no flowcontrol send on
nameif DMZ
security-level 100
ip address 10.10.0.1 255.255.255.252
delay 10
interface Ethernet0/3
description VOIP
speed auto
duplex auto
no flowcontrol send on
nameif VOIP
security-level 100
ip address 10.10.2.1 255.255.255.252
delay 10
interface Management0/0
speed auto
duplex auto
management-only
shutdown
nameif management
security-level 0
no ip address
delay 10
regex _default_gator "Gator"
regex _default_firethru-tunnel_2 "[/\\]cgi[-]bin[/\\]proxy"
regex _default_shoutcast-tunneling-protocol "1"
regex _default_http-tunnel "[/\\]HT_PortLog.aspx"
regex _default_x-kazaa-network "[\r\n\t ]+[xX]-[kK][aA][zZ][aA][aA]-[nN][eE][tT][wW][oO][rR][kK]"
regex _default_msn-messenger "[Aa][Pp][Pp][Ll][Ii][Cc][Aa][Tt][Ii][Oo][Nn][/\\][Xx][-][Mm][Ss][Nn][-][Mm][Ee][Ss][Ss][Ee][Nn][Gg][Ee][Rr]"
regex _default_GoToMyPC-tunnel_2 "[/\\]erc[/\\]Poll"
regex _default_gnu-http-tunnel_uri "[/\\]index[.]html"
regex _default_aim-messenger "[Hh][Tt][Tt][Pp][.][Pp][Rr][Oo][Xx][Yy][.][Ii][Cc][Qq][.][Cc][Oo][Mm]"
regex _default_gnu-http-tunnel_arg "crap"
regex _default_icy-metadata "[\r\n\t ]+[iI][cC][yY]-[mM][eE][tT][aA][dD][aA][tT][aA]"
regex _default_GoToMyPC-tunnel "machinekey"
regex _default_windows-media-player-tunnel "NSPlayer"
regex _default_yahoo-messenger "YMSG"
regex _default_httport-tunnel "photo[.]exectech[-]va[.]com"
regex _default_firethru-tunnel_1 "firethru[.]com"
checkheaps check-interval 60
checkheaps validate-checksum 60
boot system disk0:/asa914-k8.bin
ftp mode passive
clock timezone UTC 0
dns domain-lookup Outside
dns server-group DefaultDNS
name-server 199.195.168.4
name-server 205.171.2.65
name-server 205.171.3.65
domain-name maladomini.int
same-security-traffic permit inter-interface
object service ah pre-defined
service ah
description This is a pre-defined object
object service eigrp pre-defined
service eigrp
description This is a pre-defined object
object service esp pre-defined
service esp
description This is a pre-defined object
object service gre pre-defined
service gre
description This is a pre-defined object
object service icmp pre-defined
service icmp
description This is a pre-defined object
object service icmp6 pre-defined
service icmp6
description This is a pre-defined object
object service igmp pre-defined
service igmp
description This is a pre-defined object
object service igrp pre-defined
service igrp
description This is a pre-defined object
object service ip pre-defined
service ip
description This is a pre-defined object
object service ipinip pre-defined
service ipinip
description This is a pre-defined object
object service ipsec pre-defined
service esp
description This is a pre-defined object
object service nos pre-defined
service nos
description This is a pre-defined object
object service ospf pre-defined
service ospf
description This is a pre-defined object
object service pcp pre-defined
service pcp
description This is a pre-defined object
object service pim pre-defined
service pim
description This is a pre-defined object
object service pptp pre-defined
service gre
description This is a pre-defined object
object service snp pre-defined
service snp
description This is a pre-defined object
object service tcp pre-defined
service tcp
description This is a pre-defined object
object service udp pre-defined
service udp
description This is a pre-defined object
object service tcp-aol pre-defined
service tcp destination eq aol
description This is a pre-defined object
object service tcp-bgp pre-defined
service tcp destination eq bgp
description This is a pre-defined object
object service tcp-chargen pre-defined
service tcp destination eq chargen
description This is a pre-defined object
object service tcp-cifs pre-defined
service tcp destination eq cifs
description This is a pre-defined object
object service tcp-citrix-ica pre-defined
service tcp destination eq citrix-ica
description This is a pre-defined object
object service tcp-ctiqbe pre-defined
service tcp destination eq ctiqbe
description This is a pre-defined object
object service tcp-daytime pre-defined
service tcp destination eq daytime
description This is a pre-defined object
object service tcp-discard pre-defined
service tcp destination eq discard
description This is a pre-defined object
object service tcp-domain pre-defined
service tcp destination eq domain
description This is a pre-defined object
object service tcp-echo pre-defined
service tcp destination eq echo
description This is a pre-defined object
object service tcp-exec pre-defined
service tcp destination eq exec
description This is a pre-defined object
object service tcp-finger pre-defined
service tcp destination eq finger
description This is a pre-defined object
object service tcp-ftp pre-defined
service tcp destination eq ftp
description This is a pre-defined object
object service tcp-ftp-data pre-defined
service tcp destination eq ftp-data
description This is a pre-defined object
object service tcp-gopher pre-defined
service tcp destination eq gopher
description This is a pre-defined object
object service tcp-ident pre-defined
service tcp destination eq ident
description This is a pre-defined object
object service tcp-imap4 pre-defined
service tcp destination eq imap4
description This is a pre-defined object
object service tcp-irc pre-defined
service tcp destination eq irc
description This is a pre-defined object
object service tcp-hostname pre-defined
service tcp destination eq hostname
description This is a pre-defined object
object service tcp-kerberos pre-defined
service tcp destination eq kerberos
description This is a pre-defined object
object service tcp-klogin pre-defined
service tcp destination eq klogin
description This is a pre-defined object
object service tcp-kshell pre-defined
service tcp destination eq kshell
description This is a pre-defined object
object service tcp-ldap pre-defined
service tcp destination eq ldap
description This is a pre-defined object
object service tcp-ldaps pre-defined
service tcp destination eq ldaps
description This is a pre-defined object
object service tcp-login pre-defined
service tcp destination eq login
description This is a pre-defined object
object service tcp-lotusnotes pre-defined
service tcp destination eq lotusnotes
description This is a pre-defined object
object service tcp-nfs pre-defined
service tcp destination eq nfs
description This is a pre-defined object
object service tcp-netbios-ssn pre-defined
service tcp destination eq netbios-ssn
description This is a pre-defined object
object service tcp-whois pre-defined
service tcp destination eq whois
description This is a pre-defined object
object service tcp-nntp pre-defined
service tcp destination eq nntp
description This is a pre-defined object
object service tcp-pcanywhere-data pre-defined
service tcp destination eq pcanywhere-data
description This is a pre-defined object
object service tcp-pim-auto-rp pre-defined
service tcp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-pop2 pre-defined
service tcp destination eq pop2
description This is a pre-defined object
object service tcp-pop3 pre-defined
service tcp destination eq pop3
description This is a pre-defined object
object service tcp-pptp pre-defined
service tcp destination eq pptp
description This is a pre-defined object
object service tcp-lpd pre-defined
service tcp destination eq lpd
description This is a pre-defined object
object service tcp-rsh pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-rtsp pre-defined
service tcp destination eq rtsp
description This is a pre-defined object
object service tcp-sip pre-defined
service tcp destination eq sip
description This is a pre-defined object
object service tcp-smtp pre-defined
service tcp destination eq smtp
description This is a pre-defined object
object service tcp-ssh pre-defined
service tcp destination eq ssh
description This is a pre-defined object
object service tcp-sunrpc pre-defined
service tcp destination eq sunrpc
description This is a pre-defined object
object service tcp-tacacs pre-defined
service tcp destination eq tacacs
description This is a pre-defined object
object service tcp-talk pre-defined
service tcp destination eq talk
description This is a pre-defined object
object service tcp-telnet pre-defined
service tcp destination eq telnet
description This is a pre-defined object
object service tcp-uucp pre-defined
service tcp destination eq uucp
description This is a pre-defined object
object service tcp-www pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-http pre-defined
service tcp destination eq www
description This is a pre-defined object
object service tcp-https pre-defined
service tcp destination eq https
description This is a pre-defined object
object service tcp-cmd pre-defined
service tcp destination eq rsh
description This is a pre-defined object
object service tcp-sqlnet pre-defined
service tcp destination eq sqlnet
description This is a pre-defined object
object service tcp-h323 pre-defined
service tcp destination eq h323
description This is a pre-defined object
object service tcp-udp-cifs pre-defined
service tcp-udp destination eq cifs
description This is a pre-defined object
object service tcp-udp-discard pre-defined
service tcp-udp destination eq discard
description This is a pre-defined object
object service tcp-udp-domain pre-defined
service tcp-udp destination eq domain
description This is a pre-defined object
object service tcp-udp-echo pre-defined
service tcp-udp destination eq echo
description This is a pre-defined object
object service tcp-udp-kerberos pre-defined
service tcp-udp destination eq kerberos
description This is a pre-defined object
object service tcp-udp-nfs pre-defined
service tcp-udp destination eq nfs
description This is a pre-defined object
object service tcp-udp-pim-auto-rp pre-defined
service tcp-udp destination eq pim-auto-rp
description This is a pre-defined object
object service tcp-udp-sip pre-defined
service tcp-udp destination eq sip
description This is a pre-defined object
object service tcp-udp-sunrpc pre-defined
service tcp-udp destination eq sunrpc
description This is a pre-defined object
object service tcp-udp-tacacs pre-defined
service tcp-udp destination eq tacacs
description This is a pre-defined object
object service tcp-udp-www pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-http pre-defined
service tcp-udp destination eq www
description This is a pre-defined object
object service tcp-udp-talk pre-defined
service tcp-udp destination eq talk
description This is a pre-defined object
object service udp-biff pre-defined
service udp destination eq biff
description This is a pre-defined object
object service udp-bootpc pre-defined
service udp destination eq bootpc
description This is a pre-defined object
object service udp-bootps pre-defined
service udp destination eq bootps
description This is a pre-defined object
object service udp-cifs pre-defined
service udp destination eq cifs
description This is a pre-defined object
object service udp-discard pre-defined
service udp destination eq discard
description This is a pre-defined object
object service udp-domain pre-defined
service udp destination eq domain
description This is a pre-defined object
object service udp-dnsix pre-defined
service udp destination eq dnsix
description This is a pre-defined object
object service udp-echo pre-defined
service udp destination eq echo
description This is a pre-defined object
object service udp-www pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-http pre-defined
service udp destination eq www
description This is a pre-defined object
object service udp-nameserver pre-defined
service udp destination eq nameserver
description This is a pre-defined object
object service udp-kerberos pre-defined
service udp destination eq kerberos
description This is a pre-defined object
object service udp-mobile-ip pre-defined
service udp destination eq mobile-ip
description This is a pre-defined object
object service udp-nfs pre-defined
service udp destination eq nfs
description This is a pre-defined object
object service udp-netbios-ns pre-defined
service udp destination eq netbios-ns
description This is a pre-defined object
object service udp-netbios-dgm pre-defined
service udp destination eq netbios-dgm
description This is a pre-defined object
object service udp-ntp pre-defined
service udp destination eq ntp
description This is a pre-defined object
object service udp-pcanywhere-status pre-defined
service udp destination eq pcanywhere-status
description This is a pre-defined object
object service udp-pim-auto-rp pre-defined
service udp destination eq pim-auto-rp
description This is a pre-defined object
object service udp-radius pre-defined
service udp destination eq radius
description This is a pre-defined object
object service udp-radius-acct pre-defined
service udp destination eq radius-acct
description This is a pre-defined object
object service udp-rip pre-defined
service udp destination eq rip
description This is a pre-defined object
object service udp-secureid-udp pre-defined
service udp destination eq secureid-udp
description This is a pre-defined object
object service udp-sip pre-defined
service udp destination eq sip
description This is a pre-defined object
object service udp-snmp pre-defined
service udp destination eq snmp
description This is a pre-defined object
object service udp-snmptrap pre-defined
service udp destination eq snmptrap
description This is a pre-defined object
object service udp-sunrpc pre-defined
service udp destination eq sunrpc
description This is a pre-defined object
object service udp-syslog pre-defined
service udp destination eq syslog
description This is a pre-defined object
object service udp-tacacs pre-defined
service udp destination eq tacacs
description This is a pre-defined object
object service udp-talk pre-defined
service udp destination eq talk
description This is a pre-defined object
object service udp-tftp pre-defined
service udp destination eq tftp
description This is a pre-defined object
object service udp-time pre-defined
service udp destination eq time
description This is a pre-defined object
object service udp-who pre-defined
service udp destination eq who
description This is a pre-defined object
object service udp-xdmcp pre-defined
service udp destination eq xdmcp
description This is a pre-defined object
object service udp-isakmp pre-defined
service udp destination eq isakmp
description This is a pre-defined object
object service icmp6-unreachable pre-defined
service icmp6 unreachable
description This is a pre-defined object
object service icmp6-packet-too-big pre-defined
service icmp6 packet-too-big
description This is a pre-defined object
object service icmp6-time-exceeded pre-defined
service icmp6 time-exceeded
description This is a pre-defined object
object service icmp6-parameter-problem pre-defined
service icmp6 parameter-problem
description This is a pre-defined object
object service icmp6-echo pre-defined
service icmp6 echo
description This is a pre-defined object
object service icmp6-echo-reply pre-defined
service icmp6 echo-reply
description This is a pre-defined object
object service icmp6-membership-query pre-defined
service icmp6 membership-query
description This is a pre-defined object
object service icmp6-membership-report pre-defined
service icmp6 membership-report
description This is a pre-defined object
object service icmp6-membership-reduction pre-defined
service icmp6 membership-reduction
description This is a pre-defined object
object service icmp6-router-renumbering pre-defined
service icmp6 router-renumbering
description This is a pre-defined object
object service icmp6-router-solicitation pre-defined
service icmp6 router-solicitation
description This is a pre-defined object
object service icmp6-router-advertisement pre-defined
service icmp6 router-advertisement
description This is a pre-defined object
object service icmp6-neighbor-solicitation pre-defined
service icmp6 neighbor-solicitation
description This is a pre-defined object
object service icmp6-neighbor-advertisement pre-defined
service icmp6 neighbor-advertisement
description This is a pre-defined object
object service icmp6-neighbor-redirect pre-defined
service icmp6 neighbor-redirect
description This is a pre-defined object
object service icmp-echo pre-defined
service icmp echo
description This is a pre-defined object
object service icmp-echo-reply pre-defined
service icmp echo-reply
description This is a pre-defined object
object service icmp-unreachable pre-defined
service icmp unreachable
description This is a pre-defined object
object service icmp-source-quench pre-defined
service icmp source-quench
description This is a pre-defined object
object service icmp-redirect pre-defined
service icmp redirect
description This is a pre-defined object
object service icmp-alternate-address pre-defined
service icmp alternate-address
description This is a pre-defined object
object service icmp-router-advertisement pre-defined
service icmp router-advertisement
description This is a pre-defined object
object service icmp-router-solicitation pre-defined
service icmp router-solicitation
description This is a pre-defined object
object service icmp-time-exceeded pre-defined
service icmp time-exceeded
description This is a pre-defined object
object service icmp-parameter-problem pre-defined
service icmp parameter-problem
description This is a pre-defined object
object service icmp-timestamp-request pre-defined
service icmp timestamp-request
description This is a pre-defined object
object service icmp-timestamp-reply pre-defined
service icmp timestamp-reply
description This is a pre-defined object
object service icmp-information-request pre-defined
service icmp information-request
description This is a pre-defined object
object service icmp-information-reply pre-defined
service icmp information-reply
description This is a pre-defined object
object service icmp-mask-request pre-defined
service icmp mask-request
description This is a pre-defined object
object service icmp-mask-reply pre-defined
service icmp mask-reply
description This is a pre-defined object
object service icmp-traceroute pre-defined
service icmp traceroute
description This is a pre-defined object
object service icmp-conversion-error pre-defined
service icmp conversion-error
description This is a pre-defined object
object service icmp-mobile-redirect pre-defined
service icmp mobile-redirect
description This is a pre-defined object
object network ROUTER-2811
host 10.10.1.2
object network ROUTER-2821
host 10.10.0.2
object network WEBCAM-01
host 192.168.1.5
object network DNS-SERVER
host 192.168.1.2
object network ROUTER-3745
host 10.10.2.2
object network RDP-DC1
host 192.168.1.2
object-group network PAT-SOURCE
network-object 10.10.1.0 255.255.255.252
network-object 10.10.0.0 255.255.255.252
network-object 10.10.2.0 255.255.255.252
network-object 192.168.0.0 255.255.255.0
network-object 172.16.10.0 255.255.255.0
network-object 172.16.20.0 255.255.255.0
network-object 128.162.1.0 255.255.255.0
network-object 128.162.10.0 255.255.255.0
network-object 128.162.20.0 255.255.255.0
object-group network DM_INLINE_NETWORK_2
network-object host 98.22.121.x
object-group network Outside_access_in
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object gre
access-list USERS standard permit 10.10.1.0 255.255.255.0
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2811 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x object ROUTER-2821 eq ssh
access-list Outside_access_in extended permit tcp host 98.22.121.x interface Outside eq https
access-list Outside_access_in extended permit tcp host 98.22.121.x object WEBCAM-01 eq www
access-list Outside_access_in extended permit tcp host 98.22.121.x object RDP-DC1 eq 3389
access-list dmz-access-vlan1 extended permit ip 128.162.1.0 255.255.255.0 any
access-list dmz-access remark Permit all traffic to DC1
access-list dmz-access extended permit ip 128.162.1.0 255.255.255.0 host 192.168.1.2
access-list dmz-access remark Permit only DNS traffic to DNS server
access-list dmz-access extended permit udp 128.162.1.0 255.255.255.0 host 192.168.1.2 eq domain
access-list dmz-access remark Permit ICMP to all devices in DC
access-list dmz-access extended permit icmp 128.162.1.0 255.255.255.0 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging buffer-size 4096
logging asdm-buffer-size 100
logging asdm informational
logging flash-minimum-free 3076
logging flash-maximum-allocation 1024
logging rate-limit 1 10 message 747001
logging rate-limit 1 1 message 402116
logging rate-limit 1 10 message 620002
logging rate-limit 1 10 message 717015
logging rate-limit 1 10 message 717018
logging rate-limit 1 10 message 201013
logging rate-limit 1 10 message 201012
logging rate-limit 1 1 message 313009
logging rate-limit 100 1 message 750003
logging rate-limit 100 1 message 750002
logging rate-limit 100 1 message 750004
logging rate-limit 1 10 message 419003
logging rate-limit 1 10 message 405002
logging rate-limit 1 10 message 405003
logging rate-limit 1 10 message 421007
logging rate-limit 1 10 message 405001
logging rate-limit 1 10 message 421001
logging rate-limit 1 10 message 421002
logging rate-limit 1 10 message 337004
logging rate-limit 1 10 message 337005
logging rate-limit 1 10 message 337001
logging rate-limit 1 10 message 337002
logging rate-limit 1 60 message 199020
logging rate-limit 1 10 message 337003
logging rate-limit 2 5 message 199011
logging rate-limit 1 10 message 199010
logging rate-limit 1 10 message 337009
logging rate-limit 2 5 message 199012
logging rate-limit 1 10 message 710002
logging rate-limit 1 10 message 209003
logging rate-limit 1 10 message 209004
logging rate-limit 1 10 message 209005
logging rate-limit 1 10 message 431002
logging rate-limit 1 10 message 431001
logging rate-limit 1 1 message 447001
logging rate-limit 1 10 message 110003
logging rate-limit 1 10 message 110002
logging rate-limit 1 10 message 429007
logging rate-limit 1 10 message 216004
logging rate-limit 1 10 message 450001
flow-export template timeout-rate 30
flow-export active refresh-interval 1
mtu Inside 1500
mtu Outside 1500
mtu management 1500
mtu DMZ 1500
mtu VOIP 1500
icmp unreachable rate-limit 1 burst-size 1
icmp deny any Outside
asdm image disk0:/asdm-715.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network ROUTER-2811
nat (Inside,Outside) static interface service tcp ssh 222
object network ROUTER-2821
nat (DMZ,Outside) static interface service tcp ssh 2222
object network WEBCAM-01
nat (Inside,Outside) static interface service tcp www 8080
object network ROUTER-3745
nat (VOIP,Outside) static interface service tcp ssh 2223
object network RDP-DC1
nat (Inside,Outside) static interface service tcp 3389 3389
nat (any,Outside) after-auto source dynamic PAT-SOURCE interface
access-group Outside_access_in in interface Outside
ipv6 dhcprelay timeout 60
router rip
network 10.0.0.0
version 2
no auto-summary
route Outside 0.0.0.0 0.0.0.0 199.195.168.113 1
route Inside 128.162.1.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.10.0 255.255.255.0 10.10.0.2 1
route Inside 128.162.20.0 255.255.255.0 10.10.0.2 1
route Inside 172.16.10.0 255.255.255.0 10.10.1.2 1
route Inside 172.16.20.0 255.255.255.0 10.10.1.2 1
route Inside 192.168.1.0 255.255.255.0 10.10.1.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action continue
no cts server-group
no cts sxp enable
no cts sxp default
no cts sxp default source-ip
cts sxp reconciliation period 120
cts sxp retry period 120
user-identity enable
user-identity domain LOCAL
user-identity default-domain LOCAL
user-identity action mac-address-mismatch remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity poll-import-user-group-timer hours 8
user-identity ad-agent active-user-database full-download
user-identity ad-agent hello-timer seconds 30 retry-times 5
no user-identity user-not-found enable
aaa authentication ssh console LOCAL
http server enable 443
http 0.0.0.0 0.0.0.0 Inside
http 98.22.121.x 255.255.255.255 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove fan-failure power-supply power-supply-presence cpu-temperature chassis-temperature power-supply-temperature chassis-fan-failure
no snmp-server enable traps memory-threshold
no snmp-server enable traps interface-threshold
no snmp-server enable traps remote-access session-threshold-exceeded
no snmp-server enable traps connection-limit-reached
no snmp-server enable traps cpu threshold rising
no snmp-server enable traps ikev2 start stop
no snmp-server enable traps nat packet-discard
snmp-server enable
snmp-server listen-port 161
fragment size 200 Inside
fragment chain 24 Inside
fragment timeout 5 Inside
no fragment reassembly full Inside
fragment size 200 Outside
fragment chain 24 Outside
fragment timeout 5 Outside
no fragment reassembly full Outside
fragment size 200 management
fragment chain 24 management
fragment timeout 5 management
no fragment reassembly full management
fragment size 200 DMZ
fragment chain 24 DMZ
fragment timeout 5 DMZ
no fragment reassembly full DMZ
fragment size 200 VOIP
fragment chain 24 VOIP
fragment timeout 5 VOIP
no fragment reassembly full VOIP
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp Inside
no sysopt noproxyarp Outside
no sysopt noproxyarp management
no sysopt noproxyarp DMZ
no sysopt noproxyarp VOIP
service password-recovery
no crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 64
crypto ipsec security-association pmtu-aging infinite
crypto ipsec fragmentation before-encryption Inside
crypto ipsec fragmentation before-encryption Outside
crypto ipsec fragmentation before-encryption management
crypto ipsec fragmentation before-encryption DMZ
crypto ipsec fragmentation before-encryption VOIP
crypto ipsec df-bit copy-df Inside
crypto ipsec df-bit copy-df Outside
crypto ipsec df-bit copy-df management
crypto ipsec df-bit copy-df DMZ
crypto ipsec df-bit copy-df VOIP
crypto ca trustpool policy
revocation-check none
crl cache-time 60
crl enforcenextupdate
crypto isakmp identity auto
crypto isakmp nat-traversal 20
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-in-negotiation-sa 100
no crypto ikev2 limit max-sa
crypto ikev2 redirect during-auth
crypto ikev1 limit max-in-negotiation-sa 20
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Inside
ssh 98.22.121.x 255.255.255.255 Outside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
vpn-addr-assign aaa
vpn-addr-assign dhcp
vpn-addr-assign local reuse-delay 0
ipv6-vpn-addr-assign aaa
ipv6-vpn-addr-assign local reuse-delay 0
no vpn-sessiondb max-other-vpn-limit
no vpn-sessiondb max-anyconnect-premium-or-essentials-limit
no remote-access threshold
l2tp tunnel hello 60
tls-proxy maximum-session 100
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate conn-limit-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate icmp-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate icmp-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate syn-attack rate-interval 600 average-rate 100 burst-rate 200
threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160
threat-detection rate fw-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate fw-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate inspect-drop rate-interval 600 average-rate 400 burst-rate 1600
threat-detection rate inspect-drop rate-interval 3600 average-rate 320 burst-rate 1280
threat-detection rate interface-drop rate-interval 600 average-rate 2000 burst-rate 8000
threat-detection rate interface-drop rate-interval 3600 average-rate 1600 burst-rate 6400
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 24.56.178.140 source Outside prefer
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2
webvpn
memory-size percent 50
port 443
dtls port 443
character-encoding none
no http-proxy
no https-proxy
default-idle-timeout 1800
portal-access-rule none
no csd enable
no anyconnect enable
no tunnel-group-list enable
no tunnel-group-preference group-url
rewrite order 65535 enable resource-mask *
no internal-password
no onscreen-keyboard
no default-language
no smart-tunnel notification-icon
no keepout
cache
no disable
max-object-size 1000
min-object-size 0
no cache-static-content enable
lmfactor 20
expiry-time 1
no auto-signon
no error-recovery disable
no ssl-server-check
no mus password
mus host mus.cisco.com
no hostscan data-limit
: # show import webvpn customization
: Template
: DfltCustomization
: # show import webvpn url-list
: Template
: # show import webvpn translation-table
: Translation Tables' Templates:
: PortForwarder
: banners
: customization
: url-list
: webvpn
: Translation Tables:
: fr PortForwarder
: fr customization
: fr webvpn
: ja PortForwarder
: ja customization
: ja webvpn
: ru PortForwarder
: ru customization
: ru webvpn
: # show import webvpn mst-translation
: No MS translation tables defined
: # show import webvpn webcontent
: No custom webcontent is loaded
: # show import webvpn AnyConnect-customization
: No OEM resources defined
: # show import webvpn plug-in
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
ipv6-vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-clientless
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
client-bypass-protocol disable
gateway-fqdn none
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
msie-proxy pac-url none
msie-proxy lockdown enable
vlan none
nac-settings none
address-pools none
ipv6-address-pools none
smartcard-removal-disconnect enable
scep-forwarding-url none
client-firewall none
client-access-rule none
webvpn
url-list none
filter none
homepage none
html-content-filter none
port-forward name Application Access
port-forward disable
http-proxy disable
sso-server none
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface private none
anyconnect firewall-rule client-interface public none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles none
anyconnect ask none
customization none
keep-alive-ignore 4
http-comp gzip
download-max-size 2147483647
upload-max-size 2147483647
post-max-size 2147483647
user-storage none
storage-objects value cookies,credentials
storage-key none
hidden-shares none
smart-tunnel disable
activex-relay enable
unix-auth-uid 65534
unix-auth-gid 65534
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting
password-policy minimum-length 3
password-policy minimum-changes 0
password-policy minimum-lowercase 0
password-policy minimum-uppercase 0
password-policy minimum-numeric 0
password-policy minimum-special 0
password-policy lifetime 0
no password-policy authenticate-enable
quota management-session 0
tunnel-group DefaultL2LGroup type ipsec-l2l
tunnel-group DefaultL2LGroup general-attributes
no accounting-server-group
default-group-policy DfltGrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup type remote-access
tunnel-group DefaultRAGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultRAGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultRAGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultRAGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
tunnel-group DefaultWEBVPNGroup type remote-access
tunnel-group DefaultWEBVPNGroup general-attributes
no address-pool
no ipv6-address-pool
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy DfltGrpPolicy
no dhcp-server
no strip-realm
no nat-assigned-to-public-ip
no scep-enrollment enable
no password-management
no override-account-disable
no strip-group
no authorization-required
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization DfltCustomization
authentication aaa
no override-svc-download
no radius-reject-message
no proxy-auth sdi
no pre-fill-username ssl-client
no pre-fill-username clientless
no secondary-pre-fill-username ssl-client
no secondary-pre-fill-username clientless
dns-group DefaultDNS
no without-csd
tunnel-group DefaultWEBVPNGroup ipsec-attributes
no ikev1 pre-shared-key
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
tunnel-group DefaultWEBVPNGroup ppp-attributes
no authentication pap
authentication chap
authentication ms-chap-v1
no authentication ms-chap-v2
no authentication eap-proxy
class-map type inspect http match-all _default_gator
match request header user-agent regex _default_gator
class-map type inspect http match-all _default_msn-messenger
match response header content-type regex _default_msn-messenger
class-map type inspect http match-all _default_yahoo-messenger
match request body regex _default_yahoo-messenger
class-map type inspect http match-all _default_windows-media-player-tunnel
match request header user-agent regex _default_windows-media-player-tunnel
class-map type inspect http match-all _default_gnu-http-tunnel
match request args regex _default_gnu-http-tunnel_arg
match request uri regex _default_gnu-http-tunnel_uri
class-map type inspect http match-all _default_firethru-tunnel
match request header host regex _default_firethru-tunnel_1
match request uri regex _default_firethru-tunnel_2
class-map type inspect http match-all _default_aim-messenger
match request header host regex _default_aim-messenger
class-map type inspect http match-all _default_http-tunnel
match request uri regex _default_http-tunnel
class-map type inspect http match-all _default_kazaa
match response header regex _default_x-kazaa-network count gt 0
class-map type inspect http match-all _default_shoutcast-tunneling-protocol
match request header regex _default_icy-metadata regex _default_shoutcast-tunneling-protocol
class-map class-default
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all _default_GoToMyPC-tunnel
match request args regex _default_GoToMyPC-tunnel
match request uri regex _default_GoToMyPC-tunnel_2
class-map type inspect http match-all _default_httport-tunnel
match request header host regex _default_httport-tunnel
policy-map type inspect rtsp _default_rtsp_map
description Default RTSP policymap
parameters
policy-map type inspect ipv6 _default_ipv6_map
description Default IPV6 policy-map
parameters
verify-header type
verify-header order
match header routing-type range 0 255
drop log
policy-map type inspect h323 _default_h323_map
description Default H.323 policymap
parameters
no rtp-conformance
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no message-length maximum server
dns-guard
protocol-enforcement
nat-rewrite
no id-randomization
no id-mismatch
no tsig enforced
policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
no allow-tls
match cmd line length gt 512
drop-connection log
match cmd RCPT count gt 100
drop-connection log
match body line length gt 998
log
match header line length gt 998
drop-connection log
match sender-address length gt 320
drop-connection log
match MIME filename length gt 255
drop-connection log
match ehlo-reply-parameter others
mask
policy-map type inspect ip-options _default_ip_options_map
description Default IP-OPTIONS policy-map
parameters
router-alert action allow
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225 _default_h323_map
inspect h323 ras _default_h323_map
inspect rsh
inspect rtsp
inspect esmtp _default_esmtp_map
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options _default_ip_options_map
inspect icmp
inspect icmp error
inspect pptp
class class-default
policy-map type inspect sip _default_sip_map
description Default SIP policymap
parameters
im
no ip-address-privacy
traffic-non-sip
no rtp-conformance
policy-map type inspect dns _default_dns_map
description Default DNS policy-map
parameters
no message-length maximum client
no message-le
I ran those commands while I had NAT off on the router, and here are the results. Note, I didn't make any changes to the ASA, as you only said to remove the router RIP, which I did and reloaded, and no change.
As long as the statement ip nat outside on FastEthernet 0/0 is off, ip nat inside is off on the VLAN, and the overload statement is taken out, I cannot hit the internet.
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#int
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#no ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#no ip nat outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#$nside source list 1 interface FastEthernet0/0 overload
Dynamic mapping in use, do you want to delete all entries? [no]: y
CISCO-2811(config)#exit
CISCO-2811#sh ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.1.1 202 c47d.4f3b.8ea6 ARPA FastEthernet0/0
Internet 10.10.1.2 - 0019.55a7.2ae8 ARPA FastEthernet0/0
Internet 172.16.10.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.1
Internet 172.16.10.3 238 0011.5c73.28c1 ARPA FastEthernet0/1.1
Internet 172.16.10.50 72 cc2d.8c78.065a ARPA FastEthernet0/1.1
Internet 172.16.20.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.2
Internet 172.16.20.3 196 0011.5c73.28c2 ARPA FastEthernet0/1.2
Internet 192.168.1.1 - 0019.55a7.2ae9 ARPA FastEthernet0/1.3
Internet 192.168.1.2 0 0024.e864.01a8 ARPA FastEthernet0/1.3
Internet 192.168.1.3 155 0011.5c73.28c0 ARPA FastEthernet0/1.3
Internet 192.168.1.5 61 4802.2a4c.1c74 ARPA FastEthernet0/1.3
Internet 192.168.1.20 0 5cf9.dd52.5fa9 ARPA FastEthernet0/1.3
Internet 192.168.1.50 0 308c.fb47.f2d9 ARPA FastEthernet0/1.3
Internet 192.168.1.51 1 ec35.8677.4057 ARPA FastEthernet0/1.3
Internet 192.168.1.52 1 b418.d136.ef72 ARPA FastEthernet0/1.3
Internet 192.168.1.53 1 8853.9572.e113 ARPA FastEthernet0/1.3
Internet 192.168.1.54 12 0009.b044.9f23 ARPA FastEthernet0/1.3
Internet 192.168.1.55 0 f47b.5e9a.7ae5 ARPA FastEthernet0/1.3
Internet 192.168.1.149 0 001e.4fc5.a199 ARPA FastEthernet0/1.3
Internet 192.168.1.174 0 b8ac.6fff.af83 ARPA FastEthernet0/1.3
CISCO-2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.1.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.1.1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.1.0/30 is directly connected, FastEthernet0/0
L 10.10.1.2/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks
C 172.16.10.0/24 is directly connected, FastEthernet0/1.1
L 172.16.10.1/32 is directly connected, FastEthernet0/1.1
C 172.16.20.0/24 is directly connected, FastEthernet0/1.2
L 172.16.20.1/32 is directly connected, FastEthernet0/1.2
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, FastEthernet0/1.3
L 192.168.1.1/32 is directly connected, FastEthernet0/1.3
ASA
ASA5510# sh arp
Inside 10.10.1.2 0019.55a7.2ae8 12342
Outside 199.195.168.113 000c.4243.581a 2
Outside 199.195.168.116 e05f.b947.116b 2436
Outside 199.195.168.120 0017.c58a.1123 9192
DMZ 10.10.0.2 0025.849f.63e0 3192
VOIP 10.10.2.2 000d.bcdc.fc40 7754
ASA5510# sh route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is 199.195.168.113 to network 0.0.0.0
S 172.16.20.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 172.16.10.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S 128.162.1.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.10.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
S 128.162.20.0 255.255.255.0 [1/0] via 10.10.0.2, DMZ
C 199.195.168.112 255.255.255.240 is directly connected, Outside
C 10.10.0.0 255.255.255.252 is directly connected, DMZ
C 10.10.1.0 255.255.255.252 is directly connected, Inside
S 192.168.1.0 255.255.255.0 [1/0] via 10.10.1.2, Inside
S* 0.0.0.0 0.0.0.0 [1/0] via 199.195.168.113, Outside
ASA5510# show xlate
35 in use, 784 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from DMZ:10.10.0.2 22-22 to Outside:199.195.168.x 2222-2222
flags sr idle 481:54:14 timeout 0:00:00
TCP PAT from Inside:10.10.1.2 22-22 to Outside:199.195.168.x 222-222
flags sr idle 51:06:46 timeout 0:00:00
TCP PAT from VOIP:10.10.2.2 22-22 to Outside:199.195.168.x 2223-2223
flags sr idle 687:32:27 timeout 0:00:00
TCP PAT from Inside:192.168.1.2 3389-3389 to Outside:199.195.168.x 3389-3389
flags sr idle 457:17:01 timeout 0:00:00
TCP PAT from Inside:192.168.1.5 80-80 to Outside:199.195.168.x 8080-8080
flags sr idle 52:18:58 timeout 0:00:00
NAT from Outside:0.0.0.0/0 to any:0.0.0.0/0
flags sIT idle 353:10:21 timeout 0:00:00
UDP PAT from any:10.10.1.2/52581 to Outside:199.195.168.x/52581 flags ri idle 0:00:00 timeout 0:00:30
UDP PAT from any:10.10.1.2/55389 to Outside:199.195.168.x/55389 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from any:10.10.1.2/51936 to Outside:199.195.168.x/51936 flags ri idle 0:00:04 timeout 0:00:30
UDP PAT from any:10.10.1.2/51345 to Outside:199.195.168.x/51345 flags ri idle 0:00:09 timeout 0:00:30
UDP PAT from any:10.10.1.2/55985 to Outside:199.195.168.x/55985 flags ri idle 0:00:18 timeout 0:00:30
UDP PAT from any:10.10.1.2/49368 to Outside:199.195.168.x/49368 flags ri idle 0:00:22 timeout 0:00:30
UDP PAT from any:10.10.1.2/52441 to Outside:199.195.168.x/52441 flags ri idle 0:00:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/57908 to Outside:199.195.168.x/57908 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57907 to Outside:199.195.168.x/57907 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57906 to Outside:199.195.168.x/57906 flags ri idle 0:08:37 timeout 0:00:30
TCP PAT from any:10.10.1.2/57896 to Outside:199.195.168.x/57896 flags ri idle 0:09:09 timeout 0:00:30
TCP PAT from any:10.10.1.2/57879 to Outside:199.195.168.x/57879 flags ri idle 0:10:23 timeout 0:00:30
TCP PAT from any:10.10.1.2/49441 to Outside:199.195.168.x/49441 flags ri idle 0:20:52 timeout 0:00:30
TCP PAT from any:10.10.1.2/57868 to Outside:199.195.168.x/57868 flags ri idle 0:25:28 timeout 0:00:30
TCP PAT from any:10.10.1.2/60519 to Outside:199.195.168.x/60519 flags ri idle 0:44:11 timeout 0:00:30
TCP PAT from any:10.10.1.2/60491 to Outside:199.195.168.x/60491 flags ri idle 0:44:20 timeout 0:00:30
TCP PAT from any:10.10.1.2/60484 to Outside:199.195.168.x/60484 flags ri idle 0:44:35 timeout 0:00:30
TCP PAT from any:10.10.1.2/60480 to Outside:199.195.168.x/60480 flags ri idle 0:44:51 timeout 0:00:30
TCP PAT from any:10.10.1.2/53851 to Outside:199.195.168.x/53851 flags ri idle 0:54:14 timeout 0:00:30
TCP PAT from any:10.10.1.2/57812 to Outside:199.195.168.x/57812 flags ri idle 0:58:30 timeout 0:00:30
TCP PAT from any:10.10.1.2/57810 to Outside:199.195.168.x/57810 flags ri idle 0:58:32 timeout 0:00:30
TCP PAT from any:10.10.1.2/53847 to Outside:199.195.168.x/53847 flags ri idle 1:00:18 timeout 0:00:30
TCP PAT from any:10.10.1.2/57808 to Outside:199.195.168.x/57808 flags ri idle 1:07:58 timeout 0:00:30
TCP PAT from any:10.10.1.2/60406 to Outside:199.195.168.x/60406 flags ri idle 1:42:13 timeout 0:00:30
TCP PAT from any:10.10.1.2/49259 to Outside:199.195.168.x/49259 flags ri idle 7:39:44 timeout 0:00:30
TCP PAT from any:10.10.1.2/49191 to Outside:199.195.168.x/49191 flags ri idle 7:42:39 timeout 0:00:30
TCP PAT from any:10.10.1.2/55951 to Outside:199.195.168.x/55951 flags ri idle 23:11:40 timeout 0:00:30
TCP PAT from any:10.10.1.2/55944 to Outside:199.195.168.x/55944 flags ri idle 23:15:19 timeout 0:00:30
TCP PAT from any:10.10.1.2/55942 to Outside:199.195.168.x/55942 flags ri idle 23:15:24 timeout 0:00:30
ASA5510# sh conn all
149 in use, 815 most used
TCP Outside 74.125.193.108:993 Inside 10.10.1.2:57879, idle 0:12:37, bytes 6398, flags UIO
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53879, idle 0:00:01, bytes 0, flags saA
TCP Outside 174.35.24.74:80 Inside 192.168.1.20:53878, idle 0:00:01, bytes 0, flags saA
TCP Outside 17.149.36.177:5223 Inside 10.10.1.2:60480, idle 0:16:53, bytes 4539, flags UIO
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53877, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53876, idle 0:00:02, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53875, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53874, idle 0:00:05, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53872, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53871, idle 0:00:11, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53868, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53867, idle 0:00:08, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53860, idle 0:00:17, bytes 0, flags saA
TCP Outside 98.22.121.19:443 Inside 192.168.1.20:53859, idle 0:00:17, bytes 0, flags saA
TCP Outside 17.172.233.95:5223 Inside 10.10.1.2:49191, idle 0:18:48, bytes 7384, flags UIO
TCP Outside 17.178.100.43:443 Inside 10.10.1.2:57810, idle 0:56:21, bytes 5797, flags UFIO
TCP Outside 23.206.216.93:80 Inside 10.10.1.2:53847, idle 0:54:15, bytes 2683, flags UFIO
TCP Outside 143.127.93.90:80 Inside 10.10.1.2:49259, idle 0:12:20, bytes 13315, flags UIO
TCP Outside 74.125.225.53:443 Inside 192.168.1.20:53864, idle 0:00:11, bytes 0, flags saA
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49204, idle 0:00:04, bytes 67, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:50122, idle 0:00:07, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63275, idle 0:00:08, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63306, idle 0:00:18, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65059, idle 0:00:22, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64681, idle 0:00:30, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64661, idle 0:00:30, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:55618, idle 0:00:32, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65056, idle 0:00:33, bytes 48, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:59433, idle 0:00:41, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.20:52178, idle 0:00:42, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:61414, idle 0:00:43, bytes 34, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65438, idle 0:00:44, bytes 44, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63686, idle 0:00:44, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65416, idle 0:00:45, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:53047, idle 0:00:47, bytes 32, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:62213, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:52347, idle 0:00:46, bytes 92, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:58069, idle 0:00:46, bytes 64, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.52:50753, idle 0:00:46, bytes 74, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65381, idle 0:00:50, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65082, idle 0:00:50, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64038, idle 0:00:50, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49309, idle 0:00:51, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64034, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49197, idle 0:00:51, bytes 50, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64728, idle 0:00:51, bytes 49, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64309, idle 0:00:51, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63289, idle 0:00:51, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64174, idle 0:00:52, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:39286, idle 0:01:09, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63726, idle 0:01:09, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65482, idle 0:01:12, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65091, idle 0:01:13, bytes 61, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64976, idle 0:01:13, bytes 57, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63749, idle 0:00:51, bytes 103, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64043, idle 0:01:14, bytes 52, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64267, idle 0:01:24, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:64467, idle 0:01:26, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:65504, idle 0:01:26, bytes 46, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:38946, idle 0:01:35, bytes 33, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63701, idle 0:01:38, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63879, idle 0:01:46, bytes 45, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:58516, idle 0:01:49, bytes 51, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:63227, idle 0:01:51, bytes 62, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.174:65446, idle 0:01:53, bytes 43, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.2:49166, idle 0:01:55, bytes 54, flags -
UDP Outside 199.195.168.4:53 Inside 192.168.1.55:56680, idle 0:02:01, bytes 33, flags -
UDP Outside 192.55.83.30:53 Inside 192.168.1.2:65073, idle 0:00:44, bytes 50, flags -
TCP Outside 74.125.193.109:993 Inside 10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO
TCP Outside 74.125.225.54:443 Inside 192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA
TCP Outside 143.127.93.89:80 Inside 10.10.1.2:60519, idle 0:46:30, bytes 346, flags UO
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53880, idle 0:00:01, bytes 0, flags saA
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:60627, idle 0:00:39, bytes 78, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52088, idle 0:00:39, bytes 86, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50533, idle 0:00:39, bytes 76, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:63347, idle 0:00:39, bytes 80, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:62213, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:52347, idle 0:00:40, bytes 46, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:58069, idle 0:00:40, bytes 32, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.52:50753, idle 0:00:40, bytes 37, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.3.65:53 Inside 192.168.1.174:50791, idle 0:01:25, bytes 35, flags -
TCP Outside 74.125.225.46:443 Inside 192.168.1.20:53870, idle 0:00:08, bytes 0, flags saA
TCP Outside 17.173.255.101:443 Inside 10.10.1.2:53851, idle 0:56:33, bytes 58, flags UfIO
TCP Outside 64.4.23.147:33033 Inside 10.10.1.2:55944, idle 0:44:45, bytes 558164, flags UFIO
TCP Outside 74.125.225.35:443 Inside 192.168.1.20:53869, idle 0:00:09, bytes 0, flags saA
UDP Outside 64.4.23.175:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 28, flags -
UDP Outside 192.54.112.30:53 Inside 192.168.1.2:65380, idle 0:00:44, bytes 49, flags -
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57907, idle 0:10:49, bytes 20323, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57906, idle 0:10:47, bytes 6539, flags UIO
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57868, idle 0:27:44, bytes 6395, flags UIO
TCP Outside 91.190.218.59:443 Inside 10.10.1.2:55942, idle 0:41:39, bytes 2727, flags UFIO
TCP Outside 17.172.233.123:5223 Inside 10.10.1.2:49441, idle 0:23:10, bytes 4409, flags UIO
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53862, idle 0:00:16, bytes 0, flags saA
TCP Outside 74.125.225.41:443 Inside 192.168.1.20:53861, idle 0:00:16, bytes 0, flags saA
TCP Outside 143.127.93.115:80 Inside 10.10.1.2:60406, idle 0:42:59, bytes 970, flags UFIO
TCP Outside 143.127.93.118:80 Inside 10.10.1.2:60484, idle 0:46:54, bytes 328, flags UO
TCP Outside 17.172.233.98:5223 Inside 10.10.1.2:57896, idle 0:11:28, bytes 5081, flags UIO
UDP Outside 111.221.74.16:33033 Inside 192.168.1.174:26511, idle 0:01:18, bytes 31, flags -
TCP Outside 17.149.36.103:5223 Inside 192.168.1.174:60729, idle 0:00:04, bytes 0, flags saA
UDP Outside 192.5.6.30:53 Inside 192.168.1.2:65317, idle 0:00:44, bytes 51, flags -
UDP Outside 192.12.94.30:53 Inside 192.168.1.2:65356, idle 0:00:44, bytes 54, flags -
TCP Outside 17.149.36.180:5223 Inside 10.10.1.2:55951, idle 0:46:08, bytes 14059, flags UFIO
UDP Outside 111.221.74.28:33033 Inside 192.168.1.174:26511, idle 0:01:20, bytes 33, flags -
TCP Outside 63.235.20.160:80 Inside 192.168.1.20:53873, idle 0:00:08, bytes 0, flags saA
TCP Outside 50.19.127.112:443 Inside 192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60728, idle 0:00:14, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60727, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:80 Inside 192.168.1.174:60726, idle 0:00:15, bytes 0, flags saA
TCP Outside 65.55.122.234:443 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
TCP Outside 65.55.122.234:2492 Inside 192.168.1.174:2492, idle 0:00:16, bytes 0, flags saA
UDP Outside 157.55.56.170:33033 Inside 192.168.1.174:26511, idle 0:01:21, bytes 37, flags -
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53866, idle 0:00:11, bytes 0, flags saA
TCP Outside 74.125.230.207:443 Inside 192.168.1.20:53865, idle 0:00:11, bytes 0, flags saA
UDP Outside 111.221.74.18:33033 Inside 192.168.1.174:26511, idle 0:01:17, bytes 29, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55546, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:60277, idle 0:00:06, bytes 46, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55618, idle 0:00:34, bytes 43, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:60627, idle 0:00:36, bytes 78, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:52088, idle 0:00:36, bytes 86, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:50533, idle 0:00:36, bytes 76, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.52:63347, idle 0:00:36, bytes 80, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:56958, idle 0:01:24, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:51360, idle 0:01:26, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:50791, idle 0:01:27, bytes 35, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:54134, idle 0:01:46, bytes 34, flags -
UDP Outside 8.8.8.8:53 Inside 192.168.1.174:58516, idle 0:01:50, bytes 51, flags -
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59349, idle 0:00:16, bytes 0, flags saA
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:50122, idle 0:00:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:48088, idle 0:00:42, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:62213, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:52347, idle 0:00:45, bytes 92, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:58069, idle 0:00:45, bytes 64, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.52:50753, idle 0:00:45, bytes 74, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:61414, idle 0:00:47, bytes 34, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:54481, idle 0:01:08, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:52254, idle 0:01:09, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:40285, idle 0:01:34, bytes 33, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.174:65446, idle 0:01:55, bytes 43, flags -
UDP Outside 205.171.2.65:53 Inside 192.168.1.55:46155, idle 0:02:00, bytes 33, flags -
UDP Outside 66.104.81.70:5070 Inside 192.168.1.174:57609, idle 0:00:11, bytes 46, flags -
UDP Outside 64.4.23.156:33033 Inside 192.168.1.174:26511, idle 0:01:14, bytes 38, flags -
TCP Outside 65.54.167.15:12350 Inside 10.10.1.2:60491, idle 0:11:02, bytes 1405, flags UIO
TCP Outside 17.172.192.35:443 Inside 10.10.1.2:57812, idle 0:56:11, bytes 6116, flags UFIO
UDP Outside 157.55.56.176:33033 Inside 192.168.1.174:26511, idle 0:01:16, bytes 32, flags -
TCP Inside 192.168.1.20:53667 NP Identity Ifc 10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB
TCP Inside 10.10.1.2:53431 NP Identity Ifc 10.10.1.1:22, idle 0:09:03, bytes 20739, flags UOB
Ran on the ASA while overload statements were down on the router:
ASA5510# packet-tracer input Inside tcp 192.168.1.100 12345 8.8.8.8 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside
Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1988699, packet dispatched to next module
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow
Had to put these back in to get to the internet:
CISCO-2811#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CISCO-2811(config)#inter
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/0
CISCO-2811(config-if)#ip nat
CISCO-2811(config-if)#ip nat Outside
CISCO-2811(config-if)#exit
CISCO-2811(config)#in
CISCO-2811(config)#interface f
CISCO-2811(config)#interface fastEthernet 0/1.3
CISCO-2811(config-subif)#ip nat inside
CISCO-2811(config-subif)#exit
CISCO-2811(config)#$de source list 1 interface FastEthernet0/0 overload
CISCO-2811(config)#
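As an added check that is not part of this thread (my own code, not the poster's), the following Python script parses `show conn` lines like the ones above and lists the inside hosts whose every TCP connection towards the Outside interface is stuck at `saA` with 0 bytes: a SYN went out and nothing ever came back through the ASA, which is what you would expect while the router's NAT overload statement was missing. The sample lines are copied from the conn table above; the interface names `Inside` and `Outside` are the ones that appear in that output, and the flag meanings are the documented ASA conn flags.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One line of ASA "show conn" output. Interface names are matched non-greedily
# so that multi-word names such as "NP Identity Ifc" parse as well.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP) (?P<if_a>.+?) (?P<ip_a>[\d.]+):(?P<port_a>\d+) "
    r"(?P<if_b>.+?) (?P<ip_b>[\d.]+):(?P<port_b>\d+), "
    r"idle (?P<idle>\d+:\d\d:\d\d), bytes (?P<nbytes>\d+), flags (?P<flags>\S+)$"
)

# The subset of documented ASA conn flags this check relies on.
FLAG_MEANING = {
    "U": "up (handshake complete)",
    "s": "awaiting outside SYN",
    "a": "awaiting outside ACK to SYN",
    "A": "awaiting inside ACK to SYN",
    "I": "inbound data",
    "O": "outbound data",
    "F": "outside sent FIN",
    "f": "inside sent FIN",
}

# Sample input: lines copied from the show conn output in this thread.
SAMPLE_CONNS = """
TCP Outside 74.125.193.109:993 Inside 10.10.1.2:57808, idle 0:39:33, bytes 6392, flags UFIO
TCP Outside 74.125.225.54:443 Inside 192.168.1.20:53863, idle 0:00:13, bytes 0, flags saA
TCP Outside 74.125.225.32:443 Inside 192.168.1.20:53881, idle 0:00:01, bytes 0, flags saA
TCP Outside 74.125.142.108:993 Inside 10.10.1.2:57908, idle 0:10:47, bytes 7895, flags UIO
TCP Outside 50.19.127.112:443 Inside 192.168.1.50:60678, idle 0:00:00, bytes 0, flags saA
UDP Outside 8.8.8.8:53 Inside 192.168.1.20:55546, idle 0:00:06, bytes 46, flags -
TCP Outside 23.207.7.46:80 Inside 192.168.1.55:59350, idle 0:00:02, bytes 0, flags saA
TCP Inside 192.168.1.20:53667 NP Identity Ifc 10.10.1.1:22, idle 0:00:00, bytes 37555, flags UOB
""".strip().splitlines()


@dataclass
class Conn:
    proto: str
    if_a: str
    addr_a: str
    if_b: str
    addr_b: str
    idle: str
    nbytes: int
    flags: str

    def endpoint_on(self, ifname: str) -> Optional[str]:
        """Return the 'ip:port' endpoint sitting on interface ifname, if any."""
        if self.if_a == ifname:
            return self.addr_a
        if self.if_b == ifname:
            return self.addr_b
        return None

    @property
    def embryonic(self) -> bool:
        # TCP conn whose handshake never completed and that carried no payload:
        # the inside host sent a SYN and no reply ever came back through the ASA.
        return self.proto == "TCP" and "U" not in self.flags and self.nbytes == 0


def parse_conn(line: str) -> Optional[Conn]:
    m = CONN_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    return Conn(g["proto"], g["if_a"], f'{g["ip_a"]}:{g["port_a"]}',
                g["if_b"], f'{g["ip_b"]}:{g["port_b"]}',
                g["idle"], int(g["nbytes"]), g["flags"])


def describe_flags(flags: str) -> List[str]:
    return [FLAG_MEANING.get(c, f"unknown flag {c!r}") for c in flags if c != "-"]


def summarize(lines, inside_if="Inside", outside_if="Outside") -> Dict[str, Dict[str, int]]:
    """Per inside host: how many inside<->outside conns are established, embryonic or UDP."""
    per_host = defaultdict(lambda: {"established": 0, "embryonic": 0, "udp": 0})
    for line in lines:
        c = parse_conn(line)
        if c is None:
            continue
        inner, outer = c.endpoint_on(inside_if), c.endpoint_on(outside_if)
        if inner is None or outer is None:
            continue  # e.g. a management session to the ASA itself (NP Identity Ifc)
        host = inner.rsplit(":", 1)[0]
        if c.proto == "UDP":
            per_host[host]["udp"] += 1
        elif c.embryonic:
            per_host[host]["embryonic"] += 1
        elif "U" in c.flags:
            per_host[host]["established"] += 1
    return dict(per_host)


def stalled_hosts(summary: Dict[str, Dict[str, int]]) -> List[str]:
    """Hosts whose every TCP conn towards the outside is still waiting for a reply."""
    return sorted(h for h, s in summary.items()
                  if s["embryonic"] > 0 and s["established"] == 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_CONNS)
    for host, counts in sorted(summary.items()):
        print(f"{host:15} {counts}")
    print("no return traffic for:", stalled_hosts(summary))
    print("saA means:", describe_flags("saA"))
```

On the sample, only 10.10.1.2 has established (`U`) connections, while every TCP connection from the 192.168.1.x hosts is embryonic; replacing SAMPLE_CONNS with the complete `show conn` output gives the same split for the whole table. UDP entries are only counted, since a one-way DNS query and an answered one cannot be told apart from the byte count alone.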
Screenshot of ASDM: -
Little help please with forwarding traffic to proxy server!
Hi all, a little help please with this error message.
I got this when I ran my code and requested only the home page of Google from my client side!!
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.2; .NET CLR 2.0.50727)
Host: www.google.com
Connection: Keep-Alive
Cookie: PREF=ID=a21457942a93fc67:TB=2:TM=1212883502:LM=1213187620:GM=1:S=H1BYeDQt9622ONKF
HTTP/1.0 200 OK
Cache-Control: private, max-age=0
Date: Fri, 20 Jun 2008 22:43:15 GMT
Expires: -1
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip
Server: gws
Content-Length: 2649
X-Cache: MISS from linux-e6p8
X-Cache-Lookup: MISS from linux-e6p8:3128
Via: 1.0
Connection: keep-alive
GET /8SE/11?MI=32d919696b43409cb90ec369fe7aab75&LV=3.1.0.146&AG=T14050&IS=0000&TE=1&TV=tmen-us%7Cts20080620224324%7Crf0%7Csq38%7Cwi133526%7Ceuhttp%3A%2F%2Fwww.google.com%2F HTTP/1.1
User-Agent: MSN_SL/3.1 Microsoft-Windows/5.1
Host: g.ceipmsn.com
HTTP/1.0 403 Forbidden
Server: squid/2.6.STABLE5
Date: Sat, 21 Jun 2008 01:46:26 GMT
Content-Type: text/html
Content-Length: 1066
Expires: Sat, 21 Jun 2008 01:46:26 GMT
X-Squid-Error: ERR_ACCESS_DENIED 0
X-Cache: MISS from linux-e6p8
X-Cache-Lookup: NONE from linux-e6p8:3128
Via: 1.0
Connection: close
java.net.SocketException: Broken pipe // this is the error message
at java.net.SocketOutputStream.socketWrite0(Native Method)
at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)
at java.net.SocketOutputStream.write(SocketOutputStream.java:115)
at java.io.DataOutputStream.writeBytes(DataOutputStream.java:259)
at SimpleHttpHandler.run(Test77.java:61)
at java.lang.Thread.run(Thread.java:595)
at Test77.main(Test77.java:13)
Please could you just tell me what is wrong with my code! This is the last idea in my G.P. and I am having difficulties with it because this is the first time I am dealing with Java :( The purpose of my code is to forward the HTTP traffic from the client to the Squid server (proxy server), then forward the response from the Squid server to the clients!
Thanks a lot,
This is my code:
import java.io.*;
import java.net.*;

public class Test7 {
    public static void main(String[] args) {
        try {
            ServerSocket serverSocket = new ServerSocket(1416);
            while (true) {
                System.out.println("Waiting for request");
                Socket socket = serverSocket.accept();
                // start() runs the handler on its own thread; run() would block the
                // accept loop, and closing the socket here would cut the handler off
                // while it is still writing (the "Broken pipe" in the stack trace).
                new Thread(new SimpleHttpHandler(socket)).start();
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

class SimpleHttpHandler implements Runnable {
    private static final String CRLF = "\r\n";
    private final Socket client;
    private BufferedReader reader;

    public SimpleHttpHandler(Socket client) {
        this.client = client;
    }

    public void run() {
        Socket ss = null;
        try {
            this.reader = new BufferedReader(new InputStreamReader(this.client.getInputStream()));
            InetAddress ipp = InetAddress.getByName("192.168.6.29"); // my squid server
            System.out.println(ipp);
            ss = new Socket(ipp, 3128);
            // Forward the client's request line and headers to Squid.
            OutputStream toSquid = ss.getOutputStream();
            toSquid.write(this.read().getBytes("ISO-8859-1"));
            toSquid.flush();
            // Copy Squid's whole response (headers and body) back to the client as
            // bytes. Reading it line by line stops after the headers and corrupts
            // binary bodies such as the gzip-encoded one in the capture above.
            copy(ss.getInputStream(), this.client.getOutputStream());
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try { if (ss != null) ss.close(); } catch (IOException ignored) { }
            try { this.client.close(); } catch (IOException ignored) { }
        }
    }

    // Read the request line and headers up to the blank line that ends them.
    private String read() throws IOException {
        String in;
        StringBuffer buffer = new StringBuffer();
        while ((in = this.reader.readLine()) != null && !in.trim().equals("")) {
            String lower = in.toLowerCase();
            // This proxy handles one request per connection, so drop the browser's
            // keep-alive headers and ask Squid to close after the response; otherwise
            // Squid keeps the connection open and copy() never sees end-of-stream.
            if (lower.startsWith("connection:") || lower.startsWith("proxy-connection:")) {
                continue;
            }
            buffer.append(in).append(CRLF);
        }
        buffer.append("Connection: close").append(CRLF);
        buffer.append(CRLF); // blank line terminating the header block
        System.out.println(buffer.toString());
        return buffer.toString();
    }

    private static void copy(InputStream from, OutputStream to) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = from.read(buf)) != -1) {
            to.write(buf, 0, n);
        }
        to.flush();
    }
}
Edited by: Tareq85 on Jun 20, 2008 5:22 PM -
VPN stops forwarding traffic on subsequent connections (Cisco 861)
Hello everyone,
I have a very strange problem on 2 (independent) Cisco 861 routers in different places.
They are both configured as easyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:
* the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.
* the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However, no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel.
I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.
* If I restart the 861 the very same thing happens: first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset.
I append the configuration for sake of completeness. confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing.
Quite frankly, I am out of ideas (and desperate).
Any ideas?
Best Regards
Mike
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 XXX
enable password 7 XXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
crypto pki trustpoint TP-self-signed-2638506017
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2638506017
revocation-check none
rsakeypair TP-self-signed-2638506017
no ip source-route
ip cef
no ip bootp server
ip domain name local
license udi pid CISCO861-K9 sn XXX
archive
log config
hidekeys
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp port 10000
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group vpn
key XXX
pool SDM_POOL_1
acl 104
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group vpn
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 192.168.234.1 255.255.255.0
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.233.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
no cdp run
control-plane
banner exec ^CCC
XXX
^C
banner login ^CCC
XXX
^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Hi,
I added a dynamic crypto map to the configuration according to the document you sent. However, it does not work yet.
There must be some stupid mistake or mixup with the old config.
The router logs:
000038: *Mar 1 01:19:24.047 Berlin: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at XXX
000039: *Mar 1 01:19:29.403 Berlin: CTCP: cTCP connection entry not found. Dropping the packet
Correspondingly, the client retransmits a few times during a connection attempt and then fails.
The current configuration is:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname XXX
boot-start-marker
boot-end-marker
logging buffered 51200
logging console critical
enable secret XXX
enable password XXX
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Berlin 1
crypto pki trustpoint TP-self-signed-2638506017
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2638506017
revocation-check none
rsakeypair TP-self-signed-2638506017
no ip source-route
no ip cef
no ip bootp server
ip domain name local
license udi pid CISCO861-K9 sn XXX
archive
log config
hidekeys
no spanning-tree vlan 1
username root privilege 15 secret 5 XXX
username remote secret 5 XXX
crypto ctcp keepalive 10
crypto ctcp port 10000
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
crypto isakmp client configuration group vpn
key XXX
pool SDM_POOL_1
acl 105
netmask 255.255.255.0
crypto isakmp client configuration group testgroup
key XXX
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
client configuration group vpn
crypto isakmp profile VPNclient
description VPN clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map dynmap 5
set transform-set ESP-3DES-SHA
set isakmp-profile VPNclient
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 192.168.234.1 255.255.255.0
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
mtu 1300
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
duplex auto
speed auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
crypto map mymap
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.233.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
ip forward-protocol nd
no ip http server
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 10.179.232.0 255.255.255.0 192.168.233.2
ip route 172.16.0.0 255.255.0.0 192.168.233.2
ip access-list log-update threshold 10
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.233.0 0.0.0.255
access-list 100 remark XXX
access-list 100 permit ip 192.168.233.0 0.0.0.255 any
access-list 100 permit ip 192.168.234.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.233.0 0.0.0.255 any
access-list 101 permit ip 192.168.234.0 0.0.0.255 any
access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
access-list 105 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
no cdp run
control-plane
banner exec ^CCC
XXX
^C
banner login ^CCC
XXX
^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end -
Forwarding Traffic based on Domain name(Google).
Hello ,
Please let me know if this is possible.
I have an ASA 5520 firewall running version 8.2. I have two ISPs coming into my firewall for Internet. Currently I am forwarding all my traffic to one of the ISPs. I would like to forward only traffic to Google to the second ISP. The reason I am trying to do this is Google reports my primary IP. The message users get is "
When Google detects that a computer or phone on your network may be sending automated traffic to Google we may show the following message: "Our systems have detected unusual traffic from your computer network." after this message users will have to enter a captcha code.
This is an intermittent issue. I would like to test it by forwarding only Google traffic to my second ISP. I cannot forward all the traffic to my secondary ISP, the reason is I have site-to-site tunnels going over my default primary route and if I do it all my tunnels would go down.
Any help regarding this issue or workaround would be appreciated.
OR if I can actually find an IP/user on my inside network which is generating high traffic to Google which is resulting in entering the captcha code and sometimes opening multiple tabs, or if I can rate limit to allow a fixed number of connections to Google.
Thanks.
Hello,
First of all the ASA does not support PBR, so that's our first wall.
There are some tweaks that we could do with NAT but that would be based on the destination IP address. In this case you will be trying to do the NAT based on the FQDN which does not work.
You will need to determine all of the IP address of google (I know..I know ) and then configure the NAT policies to tweak the Firewall behavior.
How does this sound to you?
Looking for some Networking Assistance?
Contact me directly at [email protected]
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com -
Interface attempting to forward traffic before link is up
We have 2 3745 routers. Each one has a single link to a separate 3725. The 3745s are also linked to each other, as are the 3725s. Traffic is routing fine through one link; when that link goes down the traffic switches to the other link with little or no loss. When the original link is brought back up, packets are lost until the interface is in a forwarding state. It appears that traffic is forwarded through the link as soon as the link gets power. It does not wait until the interface is in a full forwarding state. We are using static routes between the 3745s and 3725s.
Thank you for any advice you may be able to offer.
Whether to post the configs or not depends on whether you want to pursue this further. It may be that as long as you understand why the behavior is this way that you can live with the behavior. (It seems to me to be a somewhat minor problem - how often does the router go down and how many packets really get lost?)
But if you want to work around this behavior I think there is an alternative to consider. There is a fairly new feature in IOS called Object Tracking which can be used to control static routes. If you use this feature it would test whether the next hop address was reachable and only let the route into the table when the next hop was reachable. This link will give you information to evaluate this technique:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5413/products_feature_guide09186a00801d862d.html
Only you will be able to decide whether the additional complexity of configuring Object Tracking and the additional overhead of tracking the reachability of the next hop address are worth not losing packets when the router goes down and comes back up.
HTH
Rick -
SG500X-48 forwards traffic on all ports
Hello to everybody!
I have a problem with my SG500 which I do not understand: It is forwarding all traffic to all ports. So for me it looks like it behaves like a hub.
Can anybody please help me?
I have a SG500X-48 with firmware version 1.2.0.97 which is in "standalone" mode with this configuration:
switch8d3012#sh run
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
no ip routing
bonjour interface range vlan 1
hostname switch8d3012
management access-list XXX-ADM
permit gigabitethernet1/48
exit
management access-class XXX-ADM
passwords aging 0
username cisco password encrypted *** privilege 15
no snmp-server server
snmp-server location RZ1
clock timezone " " 1
interface vlan 1
no ip address dhcp
interface gigabitethernet1/48
ip address 10.1.2.5 255.255.255.0
switch8d3012#
switch8d3012#
Hi Wire Man,
By the way, those switches are now on 1.4 firmware and yours is still 1.2, so I would suggest you start with an upgrade.
Regards,
Aleksandra -
Hi,
I regularly use bridge domains to connect sub interfaces on different vlans using this sort of configuration:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/10.3122 l2transport
description CUSTOMER A CORE
encapsulation dot1q 3122
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
interface GigabitEthernet0/0/0/5.21
interface GigabitEthernet0/0/0/10.3122
When I try to use the same method to bridge two sub interfaces on the same physical interface so as to create a L2 VPN no data flows:
interface GigabitEthernet0/0/0/5.21 l2transport
description CUSTOMER A WAN
encapsulation dot1q 21
rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/5.22 l2transport
description CUSTOMER A WAN2
encapsulation dot1q 22
rewrite ingress tag pop 1 symmetric
l2vpn
bridge group WANLINKS
bridge-domain CUSTOMERA
interface GigabitEthernet0/0/0/5.21
interface GigabitEthernet0/0/0/5.22
If I add a BVI interface to the bridge domain then the CE devices at the remote end of the WAN interface can both ping the BVI IP but they remain unable to ping each other.
Is this because tag rewrites are not happening since packets don't leave the physical interface?
How can I work around this and establish a L2 connection between the two subinterfaces?
Thank you
A VLAN is usually the equivalent of an L3 subnet, so linking 2 VLANs together in the same bridge domain likely needs to come with some sort of routing (e.g. a BVI interface).
If these 2 VLANs are still in the same subnet, then there is still ARP going on, from one host to the other, that traverses the BD.
You will need to verify the state of the AC and the forwarding in the BD, see if something gets dropped somewhere, and follow the generic packet troubleshooting guides (see the support forums for that also).
That might give a hint to what the precise issue in your forwarding is.
regards
xander -
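As an added example (not code from the thread or from Cisco), here is an offline check that reads an IOS XR style l2vpn configuration and reports, for each bridge-domain, how many attachment circuits (ACs) it has and how many distinct physical ports those ACs sit on. A domain whose ACs all share a single physical port is exactly the pattern described in the question, so it is the one to look at first with `show l2vpn bridge-domain` and the AC/BD forwarding checks xander mentions. The two sample configurations are constructed from the thread, with indentation restored; the check itself only keys on the `bridge-domain` and `interface` lines.

```shell
#!/bin/sh
# Added example, not from the original thread: report, per bridge-domain,
# the number of ACs and the number of distinct physical ports they use.
# A bridge-domain whose ACs all sit on one physical port is flagged as the
# case worth examining first.
#
# The two sample configurations below are constructed from the thread.

WORKING_CFG='interface GigabitEthernet0/0/0/5.21 l2transport
 description CUSTOMER A WAN
 encapsulation dot1q 21
 rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/10.3122 l2transport
 description CUSTOMER A CORE
 encapsulation dot1q 3122
 rewrite ingress tag pop 1 symmetric
l2vpn
 bridge group WANLINKS
  bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/10.3122'

BROKEN_CFG='interface GigabitEthernet0/0/0/5.21 l2transport
 description CUSTOMER A WAN
 encapsulation dot1q 21
 rewrite ingress tag pop 1 symmetric
interface GigabitEthernet0/0/0/5.22 l2transport
 description CUSTOMER A WAN2
 encapsulation dot1q 22
 rewrite ingress tag pop 1 symmetric
l2vpn
 bridge group WANLINKS
  bridge-domain CUSTOMERA
   interface GigabitEthernet0/0/0/5.21
   interface GigabitEthernet0/0/0/5.22'

# Read a configuration on stdin; print one summary line per bridge-domain.
bd_ac_port_check() {
    awk '
    # Entering a bridge-domain: following "interface" lines are its ACs.
    /^ *bridge-domain / { bd = $2; next }
    # A top-level "interface ... l2transport" stanza ends any bridge-domain.
    /^ *interface / && $NF == "l2transport" { bd = ""; next }
    /^ *interface / && bd != "" {
        port = $2
        sub(/\.[0-9]+$/, "", port)      # drop the sub-interface id, keep the physical port
        acs[bd]++
        if (!((bd, port) in seen)) {
            seen[bd, port] = 1
            ports[bd]++
            lastport[bd] = port
        }
    }
    END {
        for (bd in acs) {
            if (acs[bd] >= 2 && ports[bd] == 1)
                printf "%s: %d ACs on a single physical port (%s) - check AC and BD forwarding state\n", bd, acs[bd], lastport[bd]
            else
                printf "%s: %d ACs across %d physical ports\n", bd, acs[bd], ports[bd]
        }
    }' | sort
}

printf '%s\n' "$WORKING_CFG" | bd_ac_port_check
printf '%s\n' "$BROKEN_CFG"  | bd_ac_port_check
```

Feed it the output of `show running-config l2vpn` plus the `l2transport` interface stanzas on the real box; the flagged line only tells you where to point the forwarding checks, it does not by itself prove that the single-port layout is the cause.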
Separating forwarded traffic from bounce back traffic
Dear All,
iMS sends bounce backs and forwarded email to tcp_local which then routes the email to the configured smarthost. Now because forwarded email is much more important than bounce back messages to fake senders, is it possible to separate them into different channels or at least to different smarthosts?
Marwan, how will you be able to tell?
If you can't tell, how can the server tell? -
I must admit, I'm an absolute n00b when it comes to networking, so please forgive me.
What I'm trying to do is this:
Internet connection ---> Router --(wlan)---> Laptop --(lan)---> Desktop
The problem is finding out how to bridge the laptop connection to output through my ethernet port. I've played around with bridge-utils, but to no avail. All help is greatly appreciated!
This has been discussed a few times on this forum. Here's an article on the arch wiki: https://wiki.archlinux.org/index.php/Internet_Share
Note that you can't bridge a wired interface with a wireless interface (at least it wasn't possible the last time I checked, and I doubt it is now), so both interfaces must be in a different LAN and you must do routing between them. See the wiki.
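As an added example (not code from the thread or the Arch wiki), the routing-plus-NAT setup the reply points to, written as a small POSIX shell script: the laptop's wireless uplink stays the WAN side, the wired port becomes its own small LAN, and the kernel routes between them with masquerading. The interface names (`wlan0` upstream, `eth0` downstream) and the `192.168.50.0/24` LAN are assumptions; change them to match your laptop.

```shell
#!/bin/sh
# Added example, not from the original thread: share the laptop's wireless
# uplink with the wired desktop by routing and NAT, since the wireless and
# wired interfaces cannot simply be bridged. Interface names and the LAN
# address range are assumptions; adjust them to your machine.
#
# DRY_RUN=1 (the default) prints the commands instead of running them, so
# the plan can be reviewed without root; run with DRY_RUN=0 as root to apply.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# share_internet WAN_IF LAN_IF LAN_ADDR/PREFIX
share_internet() {
    wan="$1"; lan="$2"; lan_cidr="$3"

    # The laptop becomes the default gateway of the wired segment.
    run ip addr add "$lan_cidr" dev "$lan"
    run ip link set "$lan" up

    # Let the kernel forward packets between the two interfaces.
    run sysctl -w net.ipv4.ip_forward=1

    # Hide LAN sources behind the laptop's wireless address.
    run iptables -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

    # Forwarding policy: the LAN may initiate towards the uplink; the uplink
    # may only reach the LAN with replies to connections the LAN opened.
    run iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$wan" -o "$lan" -j DROP
}

# desktop_settings LAN_ADDR/PREFIX HOST_ID: print the static address and
# gateway the desktop needs (this minimal setup runs no DHCP server).
desktop_settings() {
    gw="${1%/*}"; prefix="${1#*/}"
    printf 'address %s.%s/%s gateway %s\n' "${gw%.*}" "$2" "$prefix" "$gw"
}

share_internet wlan0 eth0 192.168.50.1/24
desktop_settings 192.168.50.1/24 2
```

The desktop also needs a DNS server configured (the one the laptop itself uses is fine), and the rules above are not persistent across reboots; the Arch wiki page linked in the reply covers saving them and running a DHCP server on the wired side instead of the static address printed here.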