Ip flow-top-talkers support

So I stumbled upon the ip flow-top-talkers feature and attempted to configure it on a 3560-X running 12.2(58)SE2.  It allowed me to configure this:
ip flow-top-talkers
top 5
sort-by bytes
cache-timeout 60000
Then on the interface I am interested in:
interface GigabitEthernet0/21
ip flow ingress
Which results in (drum roll please....)
Switch#show ip flow top
% Cache is empty
No joy.  So I checked the config guide for unsupported commands, these are not listed.
Then I thought maybe it had to be on a layer 3 interface (g0/21 is layer 2) so I did "ip flow ingress" on an SVI, same results.
So then I checked Feature Navigator for "Flexible Netflow - Top N Talkers Support".  12.2SE is not listed, but 15.0(2)SE is.
Questions:
- Is the existence of the commands in 12.2(58)SE just an oversight?  Functionality seems to almost be there, just not quite.
- Does NetFlow need to be enabled on a layer 3 interface or will it work on layer 2 (assuming platform support of course)?
Thanks,
-Jeff

Does your switch have a network services module installed?
Note Flexible NetFlow is supported only on the Catalyst 3750-X and 3560-X switch running the IP base or IP services feature set and equipped with the network services module. It is not supported on switches running the NPE or the LAN base image.

Similar Messages

  • Cannot config "ip flow-top-talkers" on 7606-S

    We have a 7606-S router running IOS 12.2 (33r) SRD2 and Internet BGP protocol.
    I tried to enable Flow Top Talkers on it to check Top 10 flow talkers.
    1.configure interface:
    Router(config-if)#ip flow ingress
    2.configure
    Router(config)#ip flow-top-talkers
    but it shows:
    Router((config)#ip flow-top-talkers
                                ^
    % Invalid input detected at '^' marker.
    Router(config)#ip flow-?
    flow-aggregation  flow-cache  flow-capture  flow-egress  flow-export
    I then tried command
    Router#show ip flow top-talkers 
    % Top talkers not configured
    Can anyone advise if I am missing anything, please?
    Thanks in advance.


  • 6500 ip flow top-talkers

    Hi All,
    I would like to enable "ip flow-top-talkers" on a 6500 in native mode.
    This command is not supported in the current version.
    Is there any alternative command, or is it not supported at all?
    running ios is s72033-pk9sv-mz.122-18.SXD5.bin
    Thanx in advance for the response.
    Regards,
    Rajesh

    This command was introduced only from 12.2(25)S and this feature was integrated into 12.3(11)T. So, if you are using any lower version other than this, this command will not work at all. If possible, better download any of the above 2 versions from the Cisco website and upgrade your IOS.

  • Show ip flow top-talkers

    what happened to this command in the new IOS 15.1(1) with flexflow;
    sh ip flow top-talkers...
    Thanks,
    Sinan

    Hi Maicon,
    Under "ip flow-top-talkers", you need to configure "sort-by" as it's required to run top-talkers command.
    Yoong Seong

  • "show ip flow top-talkers" output question

    Hello all,
    I have a question about the "show ip flow top-talkers" command. The top entry for this 1841 router with a T1 connection is always this line:
    SrcIf            SrcIPaddress    DstIf         DstIPaddress    Pr SrcP   DstP  Bytes
    Se0/1/0       64.32.253.138   Local         71.16.240.14    32 6EB0 306B  2366K
    How do I get more information about this connection? I looked at ip protocol 32 and it says it is the MERIT Internodal Protocol. Also what does the bytes field mean? Is that bytes per second or per "flow"?

    Hello,
      protocol is 0x32 (in hex) = 50 (dec). This protocol is ESP. I assume, this flow is an IPSEC tunnel.
    The endpoint is your device (regarding to dest interface = local). The "Bytes" field means number of
    bytes in the flow. It is not related to bytes/sec. Please, feel free to contact me if you need more
    information.
    Kind regards,
    Jan Nejman
    Caligare, co.
    http://www.caligare.com/

  • Does WCCP skew results of 'ip flow top-talkers'?

    I have a router that has been configured to show ip flow top-talker information.  I recently added a WAAS to this site that is using WCCP redirection.  The 'top-talkers' output on the router still works - but shows source/destination of the router and WAAS device as the talkers for all traffic that has been redirected.  I'm not able to see the actual client IPs for that traffic .. and that is the majority of my traffic.  Is there any way to still be able to view this traffic as I did before?  If I dump netflow to an actual netflow server instead of using top-talkers will that work - or will it display the same thing?
    Router configuration:
    interface multilink1
    ip flow ingress
    interface gi0/0
    ip flow ingress
    ip flow-top-talkers
      top 25
      sort-by bytes
    Now when I do a 'show ip flow top-talkers', here's what I see:  10.10.11.18 is WAAS and 10.10.255.11 is loopback of the router.
    SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
    Gi0/0.1       10.10.11.18     Mu1           10.10.255.11    2F 0000 0000   141M
    Gi0/0.1       10.10.11.18     Mu1           10.10.255.11    2F 0000 0000    12M
    Gi0/0.1       10.10.11.124    Gi0/0.1       10.10.10.53     06 1058 0A26  1801K
    Gi0/0.1       10.10.11.54     Gi0/0.1       10.10.10.5      06 0E0C 0A26   882K
    Gi0/0.1       10.10.11.107    Gi0/0.1       10.10.10.50     06 043D 05D6   736K
    Gi0/0.1       10.10.11.60     Gi0/0.1       10.10.10.5      06 0409 0A26   723K
    Gi0/0.1       10.10.11.103    Gi0/0.1       10.10.10.5      06 0407 0A26   713K
    Gi0/0.1       10.10.11.120    Gi0/0.1       10.10.10.14     06 0456 05D6   531K
    Gi0/0.1       10.10.11.237    Gi0/0.1       10.10.10.27     06 238C 110E   527K
    Gi0/0.1       10.10.11.62     Gi0/0.1       10.10.10.53     06 C00E 05D6   463K
    Gi0/0.1       10.10.11.125    Gi0/0.1       10.10.10.30     06 12A1 1F90   355K
    Gi0/0.1       10.10.11.115    Gi0/0.1       10.10.10.14     06 042C 05D6   336K
    Gi0/0.1       10.10.11.137    Gi0/0.1       10.10.10.6      06 04AC 0D3D   244K
    Gi0/0.1       10.10.11.154    Gi0/0.1       10.10.10.53     06 0A0D 0A26   216K
    Gi0/0.1       10.10.11.66     Gi0/0.1       10.10.10.6      06 C018 05D6   195K
    Gi0/0.1       10.10.11.91     Gi0/0.1       10.10.10.5      06 0439 05D6   145K
    Gi0/0.1       10.10.11.58     Gi0/0.1       10.10.10.14     06 0458 05D6   134K
    Gi0/0.1       10.10.11.127    Gi0/0.1       10.10.10.30     06 0618 1F90   115K
    Gi0/0.1       10.10.11.18     Local         10.10.255.11    11 0800 0800    96K
    Gi0/0.1       10.10.11.147    Gi0/0.1       10.10.10.14     06 118F 0A26    88K
    Gi0/0.1       10.10.11.95     Gi0/0.1       10.10.10.14     06 0C35 0D3D    84K
    Gi0/0.1       10.10.11.105    Gi0/0.1       10.10.10.27     06 C98F 01BD    70K
    Gi0/0.1       10.10.11.117    Gi0/0.1       10.10.10.53     06 CB1A 0D3D    41K
    Gi0/0.1       10.10.11.65     Gi0/0.1       10.10.10.14     06 0EF9 05D6    40K
    Gi0/0.1       10.10.11.112    Gi0/0.1       10.10.10.21     06 08D5 0D3D    37K
    Thanks!

    I believe the problem is caused because I have the WAAS appliance in the same subnet as users.  I am using the 'egress-method negotiated-return intercept-method wccp' on the WAAS to send the traffic back to the router.  This uses GRE, which is causing the cache flow data to show up the way it is. 
    I will have to move the WAAS to a different subnet and change the return method.
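
Both outputs quoted above (the 1841 row and the WCCP/WAAS table) print the Pr, SrcP and DstP columns in hexadecimal, which is what the two threads turn on. The parser below is an added example, not code from any poster or from Cisco: it decodes those columns and totals bytes per protocol so that tunnelled traffic (GRE, ESP, AH) stands out. The sample rows are copied from the posts; the function names are hypothetical, and treating K/M/G as decimal multipliers is an assumption.

```python
import re
from collections import defaultdict

# IANA protocol numbers that matter for the outputs on this page.
# 32 is included only to show what a decimal misreading of "32" would give.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 32: "MERIT-INP",
               47: "GRE", 50: "ESP", 51: "AH"}
TUNNEL_PROTOS = {47, 50, 51}   # inner endpoints are hidden from the flow cache
PORT_PROTOS = {6, 17}          # port columns are only interpreted for TCP/UDP

# Assumption: K/M/G are decimal multipliers (the CLI value is rounded anyway).
SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}

ROW = re.compile(
    r"^\s*(?P<src_if>\S+)\s+(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dst_if>\S+)\s+(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sp>[0-9A-Fa-f]{4})\s+(?P<dp>[0-9A-Fa-f]{4})\s+"
    r"(?P<count>\d+)(?P<suffix>[KMG]?)\s*$"
)


def parse_row(line):
    """Parse one data row; return None for the header or any other line."""
    m = ROW.match(line)
    if not m:
        return None
    proto = int(m["pr"], 16)               # Pr column is hex: "32" -> 50
    has_ports = proto in PORT_PROTOS
    return {
        "src_if": m["src_if"], "src_ip": m["src_ip"],
        "dst_if": m["dst_if"], "dst_ip": m["dst_ip"],
        "proto": proto,
        "proto_name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "src_port": int(m["sp"], 16) if has_ports else None,
        "dst_port": int(m["dp"], 16) if has_ports else None,
        "bytes": int(m["count"]) * SUFFIX[m["suffix"]],
    }


def parse_top_talkers(text):
    """Parse pasted 'show ip flow top-talkers' output into a list of flows."""
    return [row for row in map(parse_row, text.splitlines()) if row]


def bytes_by_protocol(flows):
    """Total bytes per protocol name."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["proto_name"]] += f["bytes"]
    return dict(totals)


def encapsulated(flows):
    """Flows whose real endpoints are hidden inside a tunnel protocol."""
    return [f for f in flows if f["proto"] in TUNNEL_PROTOS]


def encapsulated_share(flows):
    """Fraction of listed bytes carried by tunnel protocols."""
    total = sum(f["bytes"] for f in flows)
    return sum(f["bytes"] for f in encapsulated(flows)) / total if total else 0.0


# Row copied from the 1841 question above.
SAMPLE_1841 = """\
SrcIf            SrcIPaddress    DstIf         DstIPaddress    Pr SrcP   DstP  Bytes
Se0/1/0       64.32.253.138   Local         71.16.240.14    32 6EB0 306B  2366K
"""

# Rows copied from the WCCP/WAAS question above.
SAMPLE_WCCP = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP Bytes
Gi0/0.1       10.10.11.18     Mu1           10.10.255.11    2F 0000 0000   141M
Gi0/0.1       10.10.11.18     Mu1           10.10.255.11    2F 0000 0000    12M
Gi0/0.1       10.10.11.124    Gi0/0.1       10.10.10.53     06 1058 0A26  1801K
Gi0/0.1       10.10.11.18     Local         10.10.255.11    11 0800 0800    96K
"""

if __name__ == "__main__":
    for name, sample in (("1841", SAMPLE_1841), ("WCCP", SAMPLE_WCCP)):
        flows = parse_top_talkers(sample)
        print(name, bytes_by_protocol(flows),
              f"tunnelled share: {encapsulated_share(flows):.1%}")
```
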

  • Cisco2821 - ip flow top talkers = cache is empty

    Hi Everyone,
    I've been fighting an issue with a 2821 router for some time now. I'm trying to pull the top talkers from an interface, however the cache is empty. I verified the configuration with a known working 2821 and the output for the interfaces are the same. Any help would be greatly appreciated!
    NON-WORKING:::
    interface GigabitEthernet0/0
     description P2P Comcast NLAN to ENET
     ip address 10.103.2.6 255.255.255.0
     ip flow ingress
     ip flow egress
     duplex full
     speed 100
    interface GigabitEthernet0/1
     description connect to JDR_3560_2
     ip address 10.200.12.1 255.255.255.0
     duplex auto
     speed auto
    interface Serial0/1/0
     no ip address
     shutdown
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    no ip http server
    no ip http secure-server
    ip flow-cache timeout active 1
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5
    ip flow-export destination 10.100.1.58 2055
    ip flow-top-talkers
     top 25
     sort-by bytes
    logging 10.100.1.17
    logging 10.100.1.119
    WORKING CONFIG:
    interface GigabitEthernet0/0
     description Comcast MetroEthernet  CID: 54.VLXP.006454.CPLC
     ip address 10.103.2.5 255.255.255.0
     ip flow ingress
     ip flow egress
     ip pim sparse-dense-mode
     ip igmp query-interval 125
     duplex full
     speed 100
     service-policy output WAN-EDGE
    ip flow-cache timeout active 1
    ip flow-export source GigabitEthernet0/0
    ip flow-export version 5
    ip flow-export destination 10.100.6.111 2055
    ip flow-export destination 10.100.1.58 2055
    ip flow-top-talkers
     top 30
     sort-by bytes
    ip mroute 0.0.0.0 0.0.0.0 10.103.2.240
    logging 10.100.1.17
    logging 10.100.1.40
    logging 10.100.1.119

    Hi,
    I'm not a Netflow expert but let's try; config seems to be correct, could you post the output of
    sh ip flow export
    sh ip flow top-talker
    sh ver
    enrico

  • Netflow top talkers query

    Hi Folks,
    I was trying to use the top talkers feature to find the culprits hogging my bandwidth. I am pretty new to the top talkers feature and it's implemented on a 6500 with sup720. I have a couple of queries w.r.t. this.
    * Tried to configure the sort by bytes feature and got a warning that it's not supported on the hardware-based model. So is there any way to use sort by bytes on the sup 720?
    * The O/P fields of a show ip flow top-talkers are usually,
    SrcIf            SrcIPaddress     DstIf            DstIPaddress    Pr SrcP DstP  Pkts (had to use sort by packets due to warning)
    Now is this pkts field the number of packets calculated between the cache-timeout value or is it the total seen so far? Will it be the same for sort by bytes too? Total bytes seen for this flow rather than a realtime bytes/sec or bytes/cache time-out value.
    If this is the case then its actually not a real time top talker value right? Please help
    Thanks,
    Prakadeesh

    The command "sh ip cache flow" shows the cache-timeout value only, not the collective bytes of data; if you need the total bytes seen for this flow, you need to use Crannog NetFlow Tracker kind of tools, or you need to use "ip accounting" and clear the counter manually as and when required!
    And it is actually a real-time top talker value for that specified cache-timeout value, and I found it shows the correct top talker most of the time!

  • Netflow top-talkers configuration

    Hello
    I would like to know the purpose of these configuration commands :
    ip flow-top-talkers
    top 50
    sort-by packets
    cache-timeout 2000
    match source address 192.1.1.97/32
    match destination address 192.1.1.110/32
    This is extracted from a documentation from Cisco.
    For me there is no sense to configure a top talkers : how do we know that this will be the top talkers ?
    Thanks  for help
    Regards

    Top talkers are based on the conversations or flows generating the heaviest traffic on your routing device. A flow refers to traffic from source A to source B through any interface of the router and "heaviest traffic" means volume of traffic generated. They can be sorted based on any one of the following criteria:
    1. By the total number of packets in each top talker
    2. By the total number of bytes in each top talker
    There are further filter options, which can be done using "match statements".
    For e.g., if you simply enable top talkers for 50 and set the sort feature based on packets, the 50 conversations that were sending the most traffic (volume - KB, MB, GB) will be taken and displayed. The displayed conversations will be sorted based on the packet counts in the flow.
    If you add a match IP source statement to the above example, then the same as above is done but only flows whose source IP is the same as in the match statement are captured.
    If you add a match source and destination IP, then only the top 50 flows between those 2 IP addresses will be captured and displayed.
    Regards,
    Don Thomas Jacob
    www.netflowanalyzer.com
    NOTE: Please rate posts and close questions if you have got the answer.

  • How to get Top Talkers on ASA ?

    Hi Friends,
    We have ASA 5510 and 5520 at our office. We are not using any netflow tools in order to get the top talkers.
    As these firewalls are shared firewalls (used by different projects), we are not able to tell which project is using more traffic and which is using less.
    Can someone help me out in this ?
    Regards
    Nirav Bhatt

    I know this is an old thread, but I'm hoping this will come in handy for anyone doing a search.
    All our 5505's and 5510's are on ASA 8.2(5) and didn't get some of the nicer "top 10" features that come with later versions.  I always assumed it was due to the ASA version, but I built an ASA recently on 8.2(5) which has ASDM 7.1(2) on it and the pie charts for top talkers are there now.
    I'm in the process of updating all our devices to ASDM 7.1(2) and it's given us a lot more visibility of the network.

  • ASA5505 - IP FLOW TOP or IP Accounting

    How does one find the top user or IP accounting with this ASA5505 v7.22 device?
    With 1841 ISR:
    sh ip accounting
    sh ip flow top
    Very lame if they don't have similar commands or capabilities on the ASA series.                   

    David,
    The version that you are running is very old. The IP accounting, I'm not sure what it does, but the show IP flow, I am almost 99% sure that it has to do with Netflow, which was introduced on the ASA in version 8.2 and higher.
    Just looked for the IP accounting and most likely, all that you are asking for is implemented on Netflow, here is more info:
    https://supportforums.cisco.com/docs/DOC-6114
    You can upgrade to 8.2.1 without having to do much of a change. Now that you know that you are running an old version, please do not consider upgrading (might as well) to the latest version without reading what first needs to be done. The upgrade to 8.2.1 should not be much of a change.
    Mike Rojas

  • Work Flow of  a Support Project

    Hi Gurus,
                 Could Anyone mail the work flow of solving tickets by introducing new configuration in a support project and its authorizations to [email protected]
    Regards,
    Sarosh

    Any AE project requires some planning. The more elements that are involved, the greater the level of planning. I just recently completed a project that involved 3D modeling, client supplied video to be used as a texture, and AE for final composite. We didn't draw any storyboards, but we did look at a bunch of similar animations and make a fist full of notes. If I were to attempt a James Bond style open I'd be sketching out storyboards, looking at every James Bond open that I could find, looking at every similar movie or TV show open that I could find, and brainstorming with colleagues, and working out a production timeline and budget. There's nothing worse than shooting some footage without a plan then trying to bend it into an concept that just doesn't fit.
    I suspect you wanted a to do list. Well here it is.
    1. Write a script for your open including all the elements that must be there
    2. Turn the script into a storyboard
    3. Block out the required shots so that they will work with your concept (IOW shoot your greenscreen footage with the same lens angle of view that you're going to use for the 3D camera in AE so that the perspectives match)
    4. Do some tests in AE using at least shape layers for the elements
    5. Make sure that you have all the tools you need (IOW plug-ins, cameras, lights, skills, music, sound effects)
    6. Shoot what you've put on the storyboard
    7. Shoot some extra footage
    8. Start laying out the elements
    9. Render out some motion tests
    10. Refine, Refine, Refine
    11. Wait a day or two
    12. Final polish and render
    Hope this helps.

  • Cisco Cube Flow around mode supported for CVP 10

    Hi Guys,
    We are deploying CVP 10.5, our ingress gateway for the CVP is a CUBE. We know that in CVP 8.0 the media flow around is not supported, but we don't know if it is supported in version 10. Does anybody know about it?

    Hi,
    Please refer to page no. 75. It's mentioned: "With flow-around mode, you lose the ability to do DTMF interworking, transcoding, and other key functions such as telephone and media capabilities."
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/customer_voice_portal/srnd/10_5/CCVP_BK_C17804D9_00_cisco-unified-customer-voice-portal.pdf
    I hope this will help you.

  • Top Processors supported on 3000 N100 768-04U

    Can anyone confirm the fastest processor I would be able to put in this system?
    It currently has a T2060 processor. 
    I would like to go all the way to the t7200 if it will work...
    thanks
    --tmac

    It seems that the N100 utilizes either the 945GM or 945PM chipset. If that's the case, you should be able to go up to the Core 2 Duo T7600 [2.33GHz]. However, you may experience elevated operating temperatures as the T7600 consumes more power than the Pentium Dual Core T2060.
    **Please confirm the chipset with CPU-Z.
    If you are looking for increased performance, a 7200RPM hard drive would be ideal.
    \\ I do not respond to PM regarding individual tech support. Keep discussions in the forum for the benefit of others //

  • Remote site to site VPN user cannot access LAN resources

    Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned.
    What do I need to do to fix this?
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SFGallery
    boot-start-marker
    boot-end-marker
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    clock timezone PCTime -7 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 172.16.0.1 172.16.3.99
    ip dhcp excluded-address 172.16.3.200 172.16.3.254
    ip dhcp pool SFGallery172
    import all
    network 172.16.0.0 255.255.252.0
    domain-name xxxxxxxxxxxx
    dns-server 10.10.10.10
    default-router 10.10.10.94
    netbios-name-server 10.10.10.10
    ip domain name gpgallery.com
    ip name-server 10.10.10.10
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 10.10.10.80
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki trustpoint SFGallery_Certificate
    enrollment selfsigned
    serial-number none
    ip-address none
    revocation-check crl
    rsakeypair SFGallery_Certificate_RSAKey 512
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    crypto pki certificate chain SFGallery_Certificate
    certificate self-signed 01
    xxxxxx
    quit
    license udi pid CISCO2911/K9 sn FTX1542AKJ3
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    hw-module sm 1
    object-group network Corp
    172.16.4.0 255.255.252.0
    10.10.10.128 255.255.255.224
    object-group network SFGallery
    172.16.0.0 255.255.252.0
    10.10.10.0 255.255.255.128
    object-group network NY
    10.10.10.160 255.255.255.224
    172.16.16.0 255.255.252.0
    object-group network GPAll
    group-object SFGallery
    group-object NY
    group-object Corp
    username xxx
    username xxx
    username xxx
    username xxx
    redundancy
    no ip ftp passive
    ip ssh version 1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
    pass
    zone security sslvpn-zone
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key TempVPN1# address xx.xx.xx.xx
    crypto isakmp client configuration group SFGallery
    key Peters2011
    dns 10.10.10.10 10.10.10.80
    wins 10.10.10.10 10.10.10.80
    domain gpgallery.com
    pool SDM_POOL_1
    acl 111
    save-password
    split-dns gpgallery.com
    max-users 25
    max-logins 3
    netmask 255.255.252.0
    banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group SFGallery
    client authentication list ciscocp_vpn_xauth_ml_3
    isakmp authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set security-association idle-time 43200
    set transform-set ESP-3DES-SHA3
    set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel toxx.xx.xx.xx
    set peer xx.xx.xx.xx
    set transform-set ESP-3DES-SHA1
    match address 107
    reverse-route
    interface Loopback1
    ip address 192.168.5.1 255.255.255.0
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description T1 Cybermesa$ETH-WAN$
    ip address xx.xx.xx.xx 255.255.255.240
    ip access-group 105 in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface GigabitEthernet0/1
    description LANOverloadNet$ETH-WAN$
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description LAN$ETH-LAN$
    ip address 10.10.10.2 255.255.255.128
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    ip address 192.168.100.1 255.255.255.0
    ip access-group ReplicationIN out
    duplex auto
    speed auto
    interface GigabitEthernet1/0
    description $ETH-LAN$
    ip address 172.16.0.1 255.255.252.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet1/1
    description Internal switch interface connected to EtherSwitch Service Module
    no ip address
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1
    interface Virtual-Template2
    ip unnumbered Loopback1
    zone-member security sslvpn-zone
    interface Virtual-Template3 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    no ip address
    ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
    ip forward-protocol nd
    ip http server
    ip http access-class 1
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 60000
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
    ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
    ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
    ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
    ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
    ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
    ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
    ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
    ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
    ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
    ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
    ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
    ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
    ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
    ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended ReplicationIN
    remark CCP_ACL Category=1
    permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    deny   ip any any
    ip access-list extended ReplicationOUT
    remark CCP_ACL Category=1
    deny   ip any any
    no logging trap
    logging 10.10.10.107
    access-list 1 permit 192.168.1.2
    access-list 1 remark CCP_ACL Category=1
    access-list 1 permit 72.216.51.56 0.0.0.7
    access-list 1 permit 172.16.0.0 0.0.3.255
    access-list 1 permit 172.16.4.0 0.0.3.255
    access-list 1 permit 10.10.10.128 0.0.0.31
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 permit xx.xx.xx.xx 0.0.0.15
    access-list 1 permit 10.10.10.0 0.0.0.127
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark CCP_ACL Category=1
    access-list 100 permit tcp object-group GPAll object-group NY eq www
    access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
    access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
    access-list 100 permit ip any host 10.10.10.2
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
    access-list 100 deny   tcp any host 10.10.10.2 eq telnet
    access-list 100 deny   tcp any host 10.10.10.2 eq 22
    access-list 100 deny   tcp any host 10.10.10.2 eq www
    access-list 100 deny   tcp any host 10.10.10.2 eq 443
    access-list 100 deny   tcp any host 10.10.10.2 eq cmd
    access-list 100 deny   udp any host 10.10.10.2 eq snmp
    access-list 100 permit udp any eq domain host 10.10.10.2
    access-list 100 permit udp host 10.10.10.80 eq domain any
    access-list 100 permit udp host 10.10.10.10 eq domain any
    access-list 100 permit ip any any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark CCP_ACL Category=1
    access-list 101 permit ip 72.216.51.56 0.0.0.7 any
    access-list 101 permit ip 172.16.0.0 0.0.3.255 any
    access-list 101 permit ip 172.16.4.0 0.0.3.255 any
    access-list 101 permit ip 10.10.10.128 0.0.0.31 any
    access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
    access-list 101 permit ip host 192.168.1.2 any
    access-list 101 permit ip 10.10.10.0 0.0.0.127 any
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark CCP_ACL Category=1
    access-list 102 permit ip 72.216.51.56 0.0.0.7 any
    access-list 102 permit ip 172.16.0.0 0.0.3.255 any
    access-list 102 permit ip 172.16.4.0 0.0.3.255 any
    access-list 102 permit ip 10.10.10.128 0.0.0.31 any
    access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
    access-list 102 permit ip host 192.168.1.2 any
    access-list 102 permit ip 10.10.10.0 0.0.0.127 any
    access-list 103 remark Auto generated by SDM Management Access feature
    access-list 103 remark CCP_ACL Category=1
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
    access-list 103 deny   tcp any host 172.16.0.1 eq telnet
    access-list 103 deny   tcp any host 172.16.0.1 eq 22
    access-list 103 deny   tcp any host 172.16.0.1 eq www
    access-list 103 deny   tcp any host 172.16.0.1 eq 443
    access-list 103 deny   tcp any host 172.16.0.1 eq cmd
    access-list 103 deny   udp any host 172.16.0.1 eq snmp
    access-list 103 permit ip any any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
    access-list 105 remark Auto generated by SDM Management Access feature
    access-list 105 remark CCP_ACL Category=1
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
    access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
    access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
    access-list 105 deny   tcp any host xx.xx.xx.xx eq telnet
    access-list 105 deny   tcp any host xx.xx.xx.xx eq 22
    access-list 105 deny   tcp any host xx.xx.xx.xx eq www
    access-list 105 deny   tcp any host xx.xx.xx.xx eq 443
    access-list 105 deny   tcp any host xx.xx.xx.xx eq cmd
    access-list 105 deny   udp any host xx.xx.xx.xx eq snmp
    access-list 105 permit tcp any host xx.xx.xx.xx eq 443
    access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
    access-list 105 permit udp any eq domain host xx.xx.xx.xx
    access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
    access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
    access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
    access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
    access-list 105 permit ip any any
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 106 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 106 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
    access-list 106 permit ip 10.10.10.0 0.0.0.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 107 remark IPSec Rule
    access-list 107 deny   ip 172.16.0.0 0.0.255.255 host 10.10.10.177
    access-list 108 remark CCP_ACL Category=2
    access-list 108 remark IPSec Rule
    access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
    access-list 108 permit ip 70.56.215.0 0.0.0.255 any
    access-list 109 remark CCP_ACL Category=2
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 109 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 109 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 109 permit ip 172.16.0.0 0.0.255.255 any
    access-list 111 remark CCP_ACL Category=4
    access-list 111 permit ip 10.10.10.0 0.0.0.127 any
    access-list 111 permit ip 10.10.10.128 0.0.0.31 any
    access-list 111 permit ip 172.16.0.0 0.0.3.255 any
    access-list 111 permit ip 172.16.4.0 0.0.3.255 any
    access-list 111 permit ip 10.10.10.160 0.0.0.31 any
    route-map SDM_RMAP_4 permit 1
    match ip address 109
    route-map SDM_RMAP_1 permit 1
    match ip address 106
    route-map SDM_RMAP_2 permit 1
    match ip address 108
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps transceiver all
    snmp-server enable traps ds1
    snmp-server enable traps call-home message-send-fail server-fail
    snmp-server enable traps tty
    snmp-server enable traps eigrp
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps license
    snmp-server enable traps envmon
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps flash insertion removal
    snmp-server enable traps c3g
    snmp-server enable traps ds3
    snmp-server enable traps adslline
    snmp-server enable traps vdsl2line
    snmp-server enable traps icsudsu
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps ds0-busyout
    snmp-server enable traps ds1-loopback
    snmp-server enable traps energywise
    snmp-server enable traps vstack
    snmp-server enable traps mac-notification
    snmp-server enable traps bgp
    snmp-server enable traps isis
    snmp-server enable traps rf
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps memory bufferpeak
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps entity
    snmp-server enable traps fru-ctrl
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps nhrp nhs
    snmp-server enable traps nhrp nhc
    snmp-server enable traps nhrp nhp
    snmp-server enable traps nhrp quota-exceeded
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps ipsla
    snmp-server enable traps bfd
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
    snmp-server host 10.10.10.107 public
    radius-server host 10.10.10.10 key HelloSFGal1#
    control-plane
    banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line 67
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    flowcontrol software
    line vty 0 4
    access-class 102 in
    transport input telnet
    line vty 5 15
    access-class 101 in
    transport input telnet
    scheduler allocate 20000 1000
    end

    Thanks so much, Herbert.
    As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    I would delete these lines:
    no ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 extendable
    no ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 extendable
    no ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 extendable
    no ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 extendable
    no ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 extendable
    and replace with these:
    ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
    ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
    ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
    ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
    ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 route-map nonat extendable
    Then add:
    access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
    access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
    access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
    access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
    access-list 150 permit ip host 10.10.10.95 any
    access-list 150 permit ip host 10.10.10.130 any
    route-map nonat permit 10
    match ip address 150
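
The following is an added example, not part of the original post or of Cisco's document: it evaluates access-list 150 as posted above (first match, wildcard masks, implicit deny) to show which flows `route-map nonat` would match. The destination addresses are constructed samples, and it assumes a static NAT entry bound to a route-map translates only the flows that the route-map's ACL permits.

```python
import ipaddress
# ACL 150 exactly as posted in the reply above.
ACL_150 = """\
access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
access-list 150 permit ip host 10.10.10.95 any
access-list 150 permit ip host 10.10.10.130 any
"""

def take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (address, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines (no port matching) in order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[2] not in ("permit", "deny") or tokens[3] != "ip":
            continue  # remarks, blank lines and port-based entries are out of scope
        rest = tokens[4:]
        entries.append((tokens[2], take_addr(rest), take_addr(rest)))  # source, then destination
    return entries

def matches(ip, spec):
    addr, wildcard = spec  # bits set in the wildcard mask are ignored
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, src, dst):
    s, d = (int(ipaddress.IPv4Address(x)) for x in (src, dst))
    for action, src_spec, dst_spec in entries:  # first matching entry wins
        if matches(s, src_spec) and matches(d, dst_spec):
            return action
    return "implicit deny"  # no entry matched

def static_nat_applies(src, dst):
    """Assumption: the static entry translates only flows the route-map's ACL permits."""
    return evaluate(parse_acl(ACL_150), src, dst) == "permit"

if __name__ == "__main__":
    for s, d in [("10.10.10.95", "10.10.10.170"), ("10.10.10.95", "172.16.9.20"),
                 ("10.10.10.95", "198.51.100.7"), ("10.10.10.30", "198.51.100.7")]:
        print(f"{s} -> {d}: {evaluate(parse_acl(ACL_150), s, d)}, NAT={static_nat_applies(s, d)}")
```

Run against the ACL as posted, the source 10.10.10.30 matches no entry and falls to the implicit deny, so under the stated assumption its `route-map nonat` static entry would not translate any flow.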
