NAT in Cisco IOS 9.1

Good afternoon, I need to publish two mail servers.
Private IPs:
192.168.5.2
192.168.5.3
Public IPs:
190.151.8.2
190.151.8.3
Both servers should send emails with IP 190.151.8.4.
Would the configuration be the following?
nat (Inside, Internet) source static 192.168.5.2 190.151.8.2
nat (Inside, Internet) source static 192.168.5.3 190.151.8.3
Dynamic NAT:
nat (LAN, Internet) source dynamic 192.168.5.2 190.151.8.4
nat (LAN, Internet) source dynamic 192.168.5.3 190.151.8.4

Marco,
You need dynamic for both of them to send emails out and static PAT to receive emails.
Dynamic:
object net obj-email1
  host 192.168.5.2
  nat (inside,outside) dynamic 190.151.8.4
object net obj-email2
  host 192.168.5.3
  nat (inside,outside) dynamic 190.151.8.4
Static PAT:
object net obj-email1-spat
  host 192.168.5.2
  nat (inside,outside) static 190.151.8.2 service tcp 25 25
object net obj-email2-spat
  host 192.168.5.3
  nat (inside,outside) static 190.151.8.3 service tcp 25 25
-Kureli
I will be discussing this problem in my webcast on Tue.
https://supportforums.cisco.com/community/netpro/expert-corner#view=webcasts
Upcoming Live Webcast in English: January 15, 2013
Troubleshooting ASA and Firewall Service Modules
Register today: http://tools.cisco.com/squish/42F25
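
Added example (not part of the original posts, and not ASA code): a small Python model of why the dynamic plus static PAT layout in the reply sends mail from 190.151.8.4 while exposing only tcp/25 inbound, compared with the one-to-one static rules in the question. The `Rule` class, the function names and the "static before dynamic" ordering are assumptions of this model; an outside access-list is still needed to permit the inbound traffic.

```python
# Added illustration: a toy model of ASA 8.3+ NAT rule selection, not ASA code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    kind: str                        # "static" or "dynamic"
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None      # set only for static PAT ("service tcp 25 25")
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


def ordered(rules):
    # Assumption modelled here: static rules are evaluated before dynamic ones
    # (sorted() is stable, so the posted order is kept within each group).
    return sorted(rules, key=lambda r: r.kind != "static")


def outbound_source(rules, src_ip, proto, src_port):
    """Public source IP for a connection opened by an inside host, or None."""
    for r in ordered(rules):
        if r.real_ip != src_ip:
            continue
        # Static PAT only matches traffic whose source port is the real port.
        if r.kind == "static" and r.proto and (proto, src_port) != (r.proto, r.real_port):
            continue
        return r.mapped_ip
    return None


def inbound_destination(rules, dst_ip, proto, dst_port):
    """(real_ip, real_port) for a new connection from outside, or None."""
    for r in ordered(rules):
        if r.kind != "static" or r.mapped_ip != dst_ip:
            continue                  # dynamic PAT never accepts new inbound flows
        if r.proto is None:
            return (r.real_ip, dst_port)      # one-to-one NAT maps every port
        if (proto, dst_port) == (r.proto, r.mapped_port):
            return (r.real_ip, r.real_port)
    return None


# Rule sets transcribed from the thread (addresses are the ones posted).
QUESTION = [
    Rule("static", "192.168.5.2", "190.151.8.2"),
    Rule("static", "192.168.5.3", "190.151.8.3"),
    Rule("dynamic", "192.168.5.2", "190.151.8.4"),
    Rule("dynamic", "192.168.5.3", "190.151.8.4"),
]
ANSWER = [
    Rule("dynamic", "192.168.5.2", "190.151.8.4"),
    Rule("dynamic", "192.168.5.3", "190.151.8.4"),
    Rule("static", "192.168.5.2", "190.151.8.2", "tcp", 25, 25),
    Rule("static", "192.168.5.3", "190.151.8.3", "tcp", 25, 25),
]

if __name__ == "__main__":
    for name, rules in (("question", QUESTION), ("answer", ANSWER)):
        print(name,
              "outbound:", outbound_source(rules, "192.168.5.2", "tcp", 40001),
              "in tcp/25:", inbound_destination(rules, "190.151.8.2", "tcp", 25),
              "in tcp/443:", inbound_destination(rules, "190.151.8.2", "tcp", 443))
```
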

Similar Messages

  • NAT in CISCO 4500x

    Hello,
    We recently bought CISCO4500X switches and are planning to configure them as core switches. Unfortunately, these switches are not supporting NAT.
    Here is the sh version result. Is this because of a hardware limitation or IOS? Will it be resolved if we upgrade the license? If yes, what license? Any suggestions, please!
    CORE-SWITCH32#sh version
    Cisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSALK9-M), Version 03.04.02.SG RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Thu 05-Sep-13 19:06 by prod_rel_team
    Cisco IOS-XE software, Copyright (c) 2005-2010, 2012 by cisco Systems, Inc.
    All rights reserved.  Certain components of Cisco IOS-XE software are
    licensed under the GNU General Public License ("GPL") Version 2.0.  The
    software code licensed under GPL Version 2.0 is free software that comes
    with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
    GPL code under the terms of GPL Version 2.0.  For more details, see the
    documentation or "License Notice" file accompanying the IOS-XE software,
    or the applicable URL provided on the flyer accompanying the IOS-XE
    software.
    ROM: 15.0(1r)SG6
    CORE-SWITCH32 uptime is 5 days, 2 hours, 37 minutes
    Uptime for this control processor is 4 days, 9 hours, 18 minutes
    System returned to ROM by SSO Switchover
    Running default software
    Jawa Revision 2, Winter Revision 0x0.0x1C
    Last reload reason: Stateful Switchover
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    License Information for 'WS-C4500X-32'
        License Level: entservices   Type: Permanent
        Next reboot license Level: entservices
    cisco WS-C4500X-32 (MPC8572) processor (revision 4) with 4194304K/20480K bytes of memory.
    Processor board ID XXXXXXXXX
    MPC8572 CPU at 1.5GHz, Cisco Catalyst 4500X
    Last reset from Reload
    6 Virtual Ethernet interfaces
    80 Ten Gigabit Ethernet interfaces
    511K bytes of non-volatile configuration memory.
    Configuration register is 0x2101
    Tz,
    Tamil

    Hi,
    take a look here for the NAT support on 4500
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a008011c629.shtml
    Regards
    Alain
    Don't forget to rate helpful posts.

  • Cisco IOS Router to PIX VPN Issues

    Hi Everyone,
    I have a small issue here which someone may be able to shed some light on.
    I have a Cisco IOS router which is terminating a site-to-site VPN connection on the dialer interface. The PIX on the other end is behind a NAT router. The tunnel is being established and one subnet is able to see another when the tunnel is up. The thing we are having an issue with is that both networks on each side of the VPN contain multiple subnets and I cannot connect to all the subnets over the same tunnel.
    Any ideas.

    Yes all this is setup.
    I have just found out that Cisco IOS can only make connections from 1 network per crypto map unless multiple connections are made from server to host. This is quite disturbing because I have not seen this in any documentation.
    Does anyone know of IOS to PIX IPsec with multiple subnets on each side of the network?

  • H323 NAT on cisco router

    I have come to know that Cisco routers don't do H.323 NAT properly. Is this correct?
    But D-Link and Planet routers do.
    Actually, it looks to me like a matter of the Cisco IOS version, so is there any Cisco IOS available that does H.323 NAT?

    http://cisco.com/en/US/products/sw/iosswrel/ps1834/products_feature_guide09186a0080080535.html

  • ISE 1.1.3 en Cisco IOS SCEP

    Hi,
    I'm running Cisco ISE 1.1.3.124 and a Cisco IOS 2811 (c2800nm-spservicesk9-mz.150-1.M2.bin) which I configured to be a SCEP server.
    PKI authentication and enrollment of a Cisco switch with this SCEP server is running well, but BYOD client enrollment via EAP-TLS (1024/2048) is giving me the following error on the Cisco IOS SCEP server:
    SCEP#
    .Mar 17 15:21:59.446: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
            Protocol = HTTP/1.1 Method = GET Query = operation=PKIOperation&message=MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgU
    AMIAGCSqGSIb3DQEHAaCAJIAEggPoMIAGCSqGSIb3DQEHA6CAMIACAQAxggEvMIIBKwIBADATMA4xDDAKBgNVBAMTA2lzZQIBA
    TANBgkqhkiG9w0BAQEFAASCAQAmbK6WZ5L6gw+uh7h4Qi53XL76QsBNcY8E6cMxWDp8hWbLvujNOylSvJLF
    .Mar 17 15:21:59.446:
    .Mar 17 15:21:59.454: CRYPTO_CS: received a SCEP request, 3652 bytes
    .Mar 17 15:21:59.454: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_10  
    .Mar 17 15:21:59.482: CRYPTO_CS: scep msg type - 19
    .Mar 17 15:21:59.482: CRYPTO_CS: trans id - 9871e81c65121310b77df8b341c7c887a5392da2
    .Mar 17 15:21:59.486: CRYPTO_CS: failed to open env data
    .Mar 17 15:21:59.486: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_10  
    .Mar 17 15:21:59.486: CRYPTO_CS: failed to read SCEP request
    .Mar 17 15:21:59.502: Sun, 17 Mar 2013 15:21:59 GMT 10.0.0.164 /cgi-bin/pkiclient.exe ok
    SCEP#
    I'm stuck now on the message: failed to open env data. So can anyone explain what the meaning is of this message or maybe know if IOS SCEP with ISE is supported ?
    Thanks in advance.
    greetz Michel
    btw the tracelog of the switch enrollment with IOS SCEP is below:
    SCEP#
    .Mar 17 14:57:10.932: Sun, 17 Mar 2013 14:57:10 GMT 10.0.0.161 /cgi-bin/pkiclient.exe ok
            Protocol = HTTP/1.0 Method = GET Query = operation=PKIOperation&message=MIIGWgYJKoZIhvcNAQcCoIIGSzCCBkcCAQExCzAJBgUrDgMCGgUAMIIDAAYJKoZI
    hvcNAQcBoIIC8QSCAu0wggLpBgkqhkiG9w0BBwOgggLaMIIC1gIBADGBujCBtwIB
    ADAgMBsxGTAXBgNVBAMTEGNhLndlc3R3aWp6ZXIubmwCAQEwDQYJKoZIhvcNAQEB
    BQAEgYAo/LNaINm+tcgzF8V8d7d5x
    .Mar 17 14:57:10.932:
    .Mar 17 14:57:10.936: CRYPTO_CS: received a SCEP request, 2210 bytes
    .Mar 17 14:57:10.940: CRYPTO_CS: read SCEP: registered and bound service SCEP_READ_DB_1   
    .Mar 17 14:57:10.948: CRYPTO_CS: scep msg type - 19
    .Mar 17 14:57:10.948: CRYPTO_CS: trans id - 59D142A6D0F525668626A435229BAAF1
    .Mar 17 14:57:11.040: CRYPTO_CS: read SCEP: unregistered and unbound service SCEP_READ_DB_1   
    .Mar 17 14:57:11.040: CRYPTO_CS: received an enrollment request
    .Mar 17 14:57:11.040: CRYPTO_PKI: creating trustpoint clone ise1
    .Mar 17 14:57:11.040: CRYPTO_CS: checking policy for enrollment request ID=1
    .Mar 17 14:57:11.040: CRYPTO_CS: request has been authorized, transaction id=59D142A6D0F525668626A435229BAAF1
    .Mar 17 14:57:11.040: CRYPTO_CS: locking the CS
    .Mar 17 14:57:11.040: CRYPTO_CS: added CDP extension
    .Mar 17 14:57:11.044: CRYPTO_CS: added key usage extension
    .Mar 17 14:57:11.044: CRYPTO_CS: Validity: 13:57:11 UTC Mar 17 2013-13:57:11 UTC Oct 3 2013
    .Mar 17 14:57:11.128: CRYPTO_CS: writing serial number 0x2.
    .Mar 17 14:57:11.180: CRYPTO_CS: file opened: nvram:ise.ser
    .Mar 17 14:57:11.180: CRYPTO_CS: Writing 32 bytes to ser file
    .Mar 17 14:57:13.864: CRYPTO_CS: reqID=1 granted, fingerprint=2
    .Mar 17 14:57:13.864: CRYPTO_CS: unlocking the CS
    .Mar 17 14:57:13.864: CRYPTO_CS: write SCEP: registered and bound service SCEP_WRTE_DB_1   
    .Mar 17 14:57:13.984: CRYPTO_CS: write SCEP: unregistered and unbound service SCEP_WRTE_DB_1   
    .Mar 17 14:57:13.988: CRYPTO_CS: Certificate generated and sent to requestor
    .Mar 17 14:57:13.988: CRYPTO_CS: removing trustpoint clone ise1

    Michel,
    Officially supported it is not:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCud86973
    Some people mentioned various degrees of "having it working".
    In your case it's the envelope data which appears to be a problem for IOS.
    M.

  • Basic questions about CISCO IOS

    Hi everybody, Jack here,
    I have some basic questions about the Cisco IOS, could someone help me addressing some of them please? Any feedback would be greatly appreciated.
    Basically, I have two IP addresses assigned by our Cable ISP. From what I understood you can configure a Cisco router for multiple IP addresses using the IOS, thereby allowing someone like myself to take advantage of having multiple IP addresses. This may seem unnecessary to some, but I've always wanted to put the 2nd IP address to use, since after all, I've been paying for it.
    I was just wondering if someone could confirm that what I'm hoping to accomplish is indeed within the capability of the Cisco IOS (i.e. Fully utilize my 2 IP addresses). As well, if someone could kindly suggest a decent CISCO router for online gaming home use that would be super awesome!
    Thank you all so much for reading through the wall of text:)
    Jack

    Jack
    Certainly using multiple IP addresses is in the capability of Cisco IOS routers. How they can be used depends on the relationship of the IP addresses. I am assuming that we are talking about IP addresses assigned for the user to use and that the IP address for the ISP connection is not one of these that we are talking about.
    If both of the IP addresses that you have been assigned are within the same subnet then you would assign one of the addresses to the router interface to establish IP communication between the router and the ISP and to enable Internet connectivity for the devices inside your network that will use the router as their gateway to the Internet. The other address that is assigned can be used for address translation and in particular for static address translation which would make one of your devices inside to be reachable for connections initiated from the Internet (if that is something that you might want to do).
    If the addresses that are assigned to you are in different subnets then you could assign one address to the outside router interface and assign the other address to the router inside interface. Or you could use the second address for address translation.
    I do not have much expertise with online gaming, but I would think that either the Cisco 881 router or the 890 router might be appropriate for you. If 100 Mb connection is sufficient then probably the 881 would be the one to look at. If you need Gig connection then look at the 890.
    HTH
    Rick

  • Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring

    Hi all,
    I am implementing Cisco Prime Collaboration to monitor the quality of the VoIP call.
    I am following all the steps that I have to do to accomplish this task at this link:
    http://docwiki.cisco.com/wiki/Setting_up_Devices_for_Prime_Collaboration_Assurance#Configuring_Unified_Contact_Center_Enterprise_Devices
    And now I have arrived at this step:
    Configure Cisco Mediatrace, Cisco IOS IP SLA, and Performance Monitoring
    Not all the Cisco devices that I have on the network have "Mediatrace, IP SLA and Performance Monitoring" capabilities. The core switch is one of them.
    What will happen if some devices are configured with these capabilities and some are not?
    Are the data provided from Cisco Collaboration still reliable?
    Thanks in advance.
    Luigi

    I can't see a reason why the 2 features won't work together. The 2 features will work just fine with each other.
    Unfortunately there is no sample config with both features in the same document, but it will work just fine.

  • Cisco IOS XE is vulnerable to CVE-2014-0160 - aka Heartbleed CSCuo19730 on Cisco 4500E IOS XE?

    Hello Experts,
    I need to find out which exact IOS XE software version on the Catalyst 4507E is affected by Heartbleed.
    Cisco WS-C4507R+E
    WS-X45-SUP7-E
    Thanks in advance.

    @apieper, looking at the bug details, it doesn't look like you are affected.
    Conditions:
    Cisco IOS XE devices running release 3.11.0S, 3.11.1S or 3.12.0S and with the WebUI interface over HTTPs enabled. No other versions of Cisco IOS XE are affected.
    Devices with the WebUI interface enabled and using HTTPs as transport protocol will include the following configuration:
    transport-map type persistent webui http-webui
     secure-server
    ip http secure-server
    transport type persistent webui input http-webui
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S but WITHOUT the WebUI interface enabled, or with the WebUI interface enabled but NOT using HTTPs as transport protocol are NOT AFFECTED by this vulnerability.
    Devices running IOS XE release 3.11.0S, 3.11.1S or 3.12.0S and with the HTTPs server enabled (by including in their configuration the line "ip http secure-server") are NOT affected. Both the HTTPs server and the WebUI interface need to be enabled for a device to be vulnerable.
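
Added example (not part of the original reply or of any Cisco tool): a Python check that applies only the conditions quoted above for CSCuo19730 to a release string and a saved running-config. The function names, the constructed sample config and the mapping of a `show version` style string such as `03.11.00.S` to release `3.11.0S` are assumptions.

```python
import re

# Releases named in the quoted bug conditions.
AFFECTED = {"3.11.0S", "3.11.1S", "3.12.0S"}


def normalize_release(text):
    """Assumption: '03.11.00.S' (show version style) means release '3.11.0S'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.?([A-Za-z]+)", text.strip())
    if not m:
        return text.strip()
    major, minor, patch, train = m.groups()
    return f"{int(major)}.{int(minor)}.{int(patch)}{train.upper()}"


def webui_https_enabled(config):
    """True when the config has 'ip http secure-server' and a webui
    transport-map containing 'secure-server' that is bound as input."""
    secure_maps, bound, https, current = set(), set(), False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw[:1].isspace():                      # sub-command of a block
            if current and line == "secure-server":
                secure_maps.add(current)
            continue
        current = None                             # new top-level command
        m = re.fullmatch(r"transport-map type persistent webui (\S+)", line)
        if m:
            current = m.group(1)
        elif line == "ip http secure-server":      # a "no ..." line does not match
            https = True
        else:
            m = re.fullmatch(r"transport type persistent webui input (\S+)", line)
            if m:
                bound.add(m.group(1))
    return https and bool(secure_maps & bound)


def heartbleed_exposed(release, config):
    """Both conditions from the quoted text must hold."""
    return normalize_release(release) in AFFECTED and webui_https_enabled(config)


# Constructed sample configs, not taken from a real device.
WEBUI_HTTPS = """\
transport-map type persistent webui http-webui
 secure-server
!
ip http secure-server
transport type persistent webui input http-webui
"""
HTTPS_ONLY = "ip http secure-server\n"

if __name__ == "__main__":
    print(heartbleed_exposed("03.11.00.S", WEBUI_HTTPS))   # affected release, WebUI over HTTPS
    print(heartbleed_exposed("03.04.02.SG", WEBUI_HTTPS))  # release not in the list
    print(heartbleed_exposed("3.12.0S", HTTPS_ONLY))       # HTTPS server without WebUI
```
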

  • Cisco IOS SLB or CSM?

    I am trying to inform myself if Cisco IOS supports Server Load Balancing (SLB) without the CSM. It appears this software has been integrated into a hardware module known as a Content Switching Module. (CSM)
    Aside from cost and being a hardware module (faster) in a IOS based Catalyst 6500, Is there a functional advantage / disadvantage of using the Cisco CSM over Cisco IOS Server Load Balancing or vice versa. Any comments would be appreciated. Thanks.
    Mark

    IOS SLB shares the same software code base as Cisco IOS and has all the software features sets of Cisco IOS software. IOS SLB is recommended for customers desiring complete integration of SLB technology into traditional Cisco switches and routers.
    The CSM is specifically designed to meet the demands of large Internet service providers (ISPs), Co-location facilities, Application service providers (ASPs), and Enterprise web server farms.
    These links might help you gain a better understanding:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121limit/121e/121e8/iosslb8e.htm#xtocid32
    http://www.cisco.com/en/US/partner/products/hw/modules/ps2706/products_qanda_item09186a0080092384.shtml
    http://www.cisco.com/warp/customer/cc/pd/si/casi/ca6000/prodlit/ccsm_ds.htm

  • Recovering from "no cisco IOS image file" error

    I have an Aironet 1200 series access point, and attempted to update it to a newer IOS software release. However, it never came back up after the update, and upon reboot the 3 status lights show red, green, red, which apparently means there is 'no cisco IOS image file'. Is there a way to recover from this error? It has an RJ45 style console port; can I use this to recover?

    Got it sorted, managed to find the manual which goes through this in its entirety!

  • Catalyst c3750g Cisco IOS 12.2 (25) SEE2 support SSH

    I need some help configuring SSH on a 48 port Switch Cisco WS-C3750G-48TS that is running Cisco IOS 12.2(25) SEE2.
    I have attempted to set it up, but I had no luck.  If anyone can give me any assistance to this let me know.

    Hi Mike
    Based on your existing IOS level (iP Base/IP services/Adv IP services) you should upgrade your switch to one of the IOS versions given below, to have SSH:
    c3750-ipbasek9-mz.12.2-52.SE - min flash 16, DRAM 128
    c3750-ipservicesk9-mz.12.2-52.SE - min flash 16, DRAM 128
    c3750-advipservicesk9-mz.12.2-46.SE - min flash 16, DRAM 128
    Once you have your IOS upgraded, define hostname, domain name, crypto rsa key, and transport input commands on the switch to have it converted to SSH..
    Hope this helps.. All the best
    Raj

  • I can not install the Cisco IOS on the AP 1200.

    I can not install the Cisco IOS on the AP 1200 series.
    Displays error:
    ap: tar -xtract tftp://192.168.1.11/temp/c1200-k9w7-tar.123-7.JA3.tar flash:
    tftp://192.168.1.11/c1200-k9w7-tar.123-7.JA3.tar: connection timed out
    These procedures were done:
    flash_init
    tftp_init
    ether_init
    set IP_ADDR 192.168.1.21
    set NETMASK 255.255.255.0
    set DEFAULT_ROUTER 192.168.1.11    (PC's IP with FTP).
    Can someone please help?

    Resolved
    Recommendations were made by Mr. Talal Fraij.
    Tftpd32 application was used.
    Image File (C1200-k9w7-tar.123-7.JA3.tar) root directory.
    Antivirus disabled.
    Firewall disabled.
    I want to acknowledge the help of
    Mr. Talal Fraij.
    If not for your help would be without sleep for a long time .. kkkk

  • Is there a Cisco AireOS to Cisco IOS XE conversion tool?

    Hi,
    We're currently migrating some AireOS WLCs networks into 5760 IOS XE.
    Is there a tool or procedure available to convert a Cisco AireOS configuration into Cisco IOS XE?
    I'm currently looking into the "Cisco AireOS to Cisco IOS XE Command Mapping Reference, Cisco IOS XE Release 3SE" document and I was wondering if there is an easy way to do this.
    Kind regards,
    Vasco

    There is no real tool that does this conversion.  It's best to treat this as a Greenfield implementation.
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • Cisco IOS 12.2 (50) SE2 Netflow support

    Hi to everybody,
    I'm trying to understand if the IOS version "Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(50)SE2, RELEASE SOFTWARE (fc2)" supports the netflow feature.
    I'm trying to configure the cisco WS-C3750G-12S for sending netflow datagrams but I don't find the commands like "ip flow-export".
    This cisco official document says that the commands for enabling netflow are not supported.
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_35_se/configuration/guide/swuncli.html#wp1060525
    Is it true or am I missing something?
    Thank you very much!
      giorgio

    No, Netflow is not supported on the Cat2K and Cat3K switches.  See http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps6601/prod_white_paper0900aecd80406232.html .

  • Cisco IOS CA

    Team,
    I am using Cisco IOS XE Software, Version 03.15.00.S - Standard Support Release Cisco IOS Software, CSR1000V Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(2)S, RELEASE SOFTWARE (fc3) to support my Cisco IOS CA.
    In a nutshell, I am trying to support a FlexVPN - Win7 VPN client as per tac document id 115907
    In this document, it states that OpenSSL CA is used but a Cisco IOS CA can also be used. When testing I am at a point where my certificates do not match the example:
    The TAC document example:
    X509v3 extensions:
      X509v3 Key Usage: F0000000
        Digital Signature
        Non Repudiation
        Key Encipherment
        Data Encryption
    My lab version:
    X509v3 extensions:
      X509v3 Key Usage: A0000000
        Digital Signature
        Key Encipherment
    Question - How do I get these alternate extensions using the Cisco IOS CA?
    Chris

    Hi Marcin,
    You have the same as I - I got my lab working - I tripped up on the KeyUsage thinking that my VPN headend Cisco CSR needed these same extensions as my Win7 client did. When I adjusted my Win7 CSR to feature these extra extensions and re-enrolled, everything is working.
    Thanks for your help,
    Chris
