Policy routing and black hole filtering on 6500

I have a 6500 with many SVIs configured and every one with multiple ip addresses. The users are accessing the network through these SVIs. For access control I use the black hole filtering method by dinamically injecting static routes to Null 0 for every user that is not authenticated.
But I need these users to reach one server to authenticate.
Is there a way to do this besides putting the server inside every VLAN ? Something like policy routing all the packets to the server to exit the server interface and the response packets to reach the user bypassing the global routing table ? Maybe using a vrf for the server only ?
Thanx.

Dave Northampton UK here.
We seem to have different consumer laws to US it seems?
Here the RETAILER is wholly responsible for the goods he sells. If such a case as this arose there would be NO time limit of 15 days, if the goods were found not to be of "merchantable quality" the time factor would not matter, certainly up to a year!
Certainly a retailer can take matters up with their supplier/manfctr but the CUSTOMER must get a new, working product PDQ or a total refund..IN CASH or put on a card, no credit notes or any other such swaddling!
Of course! Many shops wriggle and tell people porkies but in the end that is da law!
Dave.

Similar Messages

  • Introduce second default gateway into policy-based routing and optimization

    Questions:
    1) How to get the second PBR_DEFAULT_GATEWAY address 10.20.20.3 into the policy-based routing for redundancy?
    2) Any optimizations as more and more traffic (policy-based routed and otherwise) goes through interface Gi1/0/1?
    Address range A.B.0.0/16 represents assigned Internet-routable addresses.
    Network also uses 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16.
    DEFAULT_GATEWAY router participates in OSPF and injects the default routes 0.0.0.0/0 10.10.10.1 and 0.0.0.0/0 10.20.20.1 into OSPF.
    PBR_DEFAULT_GATEWAY router participates in OSPF but filters out default routes injected by DEFAULT_GATEWAY router.
    ROUTER_A participates in OSPF and receives default routes injected by DEFAULT_GATEWAY router.
    ROUTER_A contains the attached policy-routing configuration that allows the subnet A.B.30.0/24 to route anywhere on the network and uses PBR_DEFAULT_GATEWAY as the way out.

    Ok I will see if I can run out to work and try this today..
    After thinking about this, If I need to get to local ip addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign the 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out the firewall
    for instance
    # Access to one of my local networks
    access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
    # Send Internet traffic to ASA/PIX
    access-list 172 permit ip 172.20.200.0 0.0.0.255 any
    route-map pix-172-20-200 permit 10
    match ip address 101
    set ip next-hop 172.20.200.1
    route-map pix-172-20-200 permit 20
    match ip address 172
    set ip next-hop 172.20.200.2
    and so on?
    I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...
    I wantto make sure I can still get to the local networks I need to get to.
    I appreciate all your help, and I will test this later on today..
    Thanks
    Don Hickey

  • Black hole and BOTNET filter ?

    Hi all,
    I have a query regarding black hole and botnet.
    My customer tends to receive traffic which is not destining to anywhere.  He wants to achieve the following. He wants to capture the traffic per SPAN and then direct them to a firewall on the inside interface and then apply botnet filter. He has a catalyst where some VRF are defined. One of the VRF is named as "SOME-VRF-BHOLE” This VRF will be mirrored to a other port and this traffic will sent so the inside interface of a firewall where Botnet feature is active.
    My first question, is this doable, I mean if the traffic is black holed then the first thing which will happen by the ASA is to drop the traffic as it gets traffic destine to nowhere, if it’s a SYN/ACK then the ASA will drop the packet due to spoofing. So in other words there should be a flowing traffic which goes through the ASA to be able to apply the botnet filter. Or could someone confirm this mothered my customer has explained could be done at all.
    Thanks in advance
    Lance

    Hello Lance,
    I answered a query like this I think 2 days ago...
    So you want to filter traffic via the botnet feature ( you will need to make sure the ASA has access to the internet ofcourse so it can contact the Security Intelligence Servers )
    The ASA will drop the packets if they are spoofed and you have  the RPF check on.
    If the traffic goes to nowhere the ASA ofcourse will drop it ( No route to host x.x.x.x)
    And if we receive a SYN-ACK where there has not been a SYN, traffic will be drop due to the TCP inspection failure (unless u configure a TCP state bypass)
    Julio
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • Native VLAN and the "Black Hole"

    While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN.  At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that.  Can someone confirm or deny this suspicion?
    In addition, I had two further questions regarding the practice of using a black hole VLAN:
    1.  If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN.  Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)?  If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations.  In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both.  So what's the point?
    2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why.  Can someone help me with this?
    Thanks for any information or suggestions that you may have.

    Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are  -
    a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it
    b) any unused ports are shutdown
    if you follow the above then I can't see the danger in using the native vlan but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.
    To  my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).
    The benefit of using a dedicated vlan for unused ports is -
    a)  it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
    The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.
    b) if you don't use an unused vlan you are leaving all the ports in the default vlan which is vlan 1 and this should be avoided as this vlan is overused already eg. switch control plane traffic is sent on this vlan for example and often the switch management interfaces are in this vlan.
    As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.
    In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.
    Neither had an SVI for it.
    If by black hole vlan you meant something else then please clarify.
    Jon

  • Policy Based Routing and IP Helper

    Can anyone help with an issue i am having with PBR and an IP Helper.  I cannot get devices in the VLAN with the associated SVI to get DHCP addresses, there is no DHCP server in the VLAN so an IP Helper is used but whenever i enable PBR on the SVI, DHCP stops working.  The switch is a 6506 Catalyst running Version 12.2(17d)SXB11 of IOS
    The SVI config for the VLAN is as below
    ip address 10.2.60.254 255.255.255.0
    ip helper-address 10.10.80.200
    ip helper-address 10.10.80.201
    ip policy route-map ACPBR
    no ip igmp snooping explicit-tracking
    no ipv6 mld snooping explicit-tracking
    no ipv6 mld snooping
    a route map configured as follows
    route-map ACPBR permit 10
    match ip address ACPBR_ACL
    set ip default next-hop 10.99.1.252
    route-map ACPBR permit 20
    set default interface Null0
    and an access list as follows
    ip access-list extended ACPBR_ACL
    deny udp any any eq bootps log
    permit ip 10.2.60.0 0.0.0.255 any
    So any DHCP traffic should hit the deny command and drop back to the normal routing process, at least thats my understanding.  The logs on the 6506 even show the DENY being hit, see below
    list ACPBR_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
    Can anyone advise why this may be happening, if i add the PBR to the SVI DHCP stops working, if i remove it then it starts working so it is definately PBR doing something.
    Thanks
    Ryan

    Ryan,
    The deny line in your ACL merely causes the DHCP traffic to be not processed in the ACPBR block 10. However, for this traffic, the processing of the route-map continues to block 20 with the set default interface Null0 command. This could be the cause of the drops you are seeing. Remember, the permit/deny in ACL here only select packets to be dealt with in the particular route-map block. However, it is the permit/deny in the route-map block header that determines whether the packet is going to be PBR-ed or normally routed.
    Assuming you want to keep the DHCP traffic to be normally routed, one of ways of doing that would be:
    ip access-list extended ACPBR_ACL deny udp any any eq bootps log permit ip 10.2.60.0 0.0.0.255 any!ip access-list extended ACPBR_DHCP permit udp any any eq bootps!route-map ACPBR permit 10 match ip address ACPBR_ACL set ip default next-hop 10.99.1.252!route-map ACPBR deny 15 match ip address ACPBR_DHCP!route-map ACPBR permit 20 set default interface Null0
    This configuration causes the DHCP traffic to be processed in block 15, and because of the deny action in the block header, the traffic should fall back to normal routing.
    While I am somewhat surprised that the PBR would affect broadcasts (it should not, and perhaps it affects only a part of the DHCP communication that does happen to be unicasted), I believe this modification of your config is worth trying.
    Best regards,
    Peter

  • Multiple routing tables and/or policy routing

    Hey all,
    I'm trying to configure a Mac Mini (10.8) for multiple routing tables and policy routing.  This server runs Ostinato, a freeware traffic generator.  My purpose is to generate traffic on multiple VLANs towards different gateways and different destinations.  To that end, I have VLAN tagged the (only) Ethernet port and configured 5 VLANs on it.  The first one has the default route (I manage this Mac over this VLAN).  The other four have IP addresses in the test range I'm using. 
    The goal is to have traffic sourced from IP-address-X go out vlanX towards gateway-X.  It's counterpart on the far end runs Linux and I have configured it in this way:
    ip route add default via <gateway-X> dev ethX table X
    ip rule add from <network-X> table X priority X
    Researching on OpenBSD forums (since it's the base of MacOS X), provided this:
    route -T X add 0.0.0.0/0 -iface <gateway-X>
    echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
    However, the Mountain Lion "route" command does not support the -T option, so that killed that idea.  Another forum suggested that this would have worked on 10.4:
    ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
    I tried this on 10.8 though the man page says it's deprecated, and (surprise, surprise) it did not work. 
    Any ideas to get this working appreciated!
    Thanks,
    Aaron

    Still doesn't have it in 10.9.4.
    irene:~ cschwartz$ sudo bash
    bash-3.2# route -T add
    route: illegal option -- T
    usage: route [-dnqtv] command [[modifiers] args]
    I'm guessing you want policy-based routing due to VLANs...? If you can get a USB-to-Ethernet adapter, then maybe you can work around this by using multiple physical links instead of VLAN tagging. But if you need source-based routing etc. then no.

  • Policy Routing - Unix and MS (Dare I ask?)

    Guys,
    Need to route out of a dual homed Unix and Windows box based on the source address or source interface as not to follow the default route.
    ie, Packet arrives at host x on interface eth0 but the default route is out of eth1 so I get assemetric packet forwarding on the box.
    I think ipfw is the way to policy route on unix, but anyone got a plan for windows?
    Many thx indeed, and kind regards,
    Ken

    The standard action, as performed by router software (such as Cisco IOS), is to select the next hop address and the output device. I will refer to this action as a "match & set" style of action. However, Linux takes a much more flexible approach. In Linux, there are several actions to choose from. The default action performs a route lookup from a specified destination-based routing table. The match & set action then becomes the simplest case of Linux route selection, which is realized when the specified destination-based routing table contains only a single default route. Linux supports multiple routing tables, containing multiple standard destination routes. Bear in mind that each of these routing tables is the same as the entire routing table for any other OS. Linux effectively provides 255 Ciscos to choose from. (For number freaks, Linux 2.2.12 supports 255 routing tables, 255 aggregate realms, and 232 (4294967296 decimal) policy rule priorities.

  • Mac Address Filtering Issue with DI-624 router and HP D110 Wireless Printer

    Just got the D110 Wireless Printer and cannot connect to the wireless router. 
    I have a D-Link DI-624 Air Plus Xtreme G 2.4GHz Wireless Router.
    The error message that I'm recieving from the printer is that "Mac address filtering may be enabled on your wireless router. This  can prevent your HP printer from connecting to your wireless network during setup....etc."
    The D-Link is setup using WPA-PSK security. If I turn off all security than the wireless printer is able to connect. With WPA-PSK or even WEP enabled I cannot connect the printer to the wireless router. There is no connection to hardwire the printer and the router.
    I've logged on to the router's admin and have confirmed several times that Mac filtering is turned off by going to Advanced > Filters > Mac Filters > and choosing Disabled Mac Filters. Where else is this setting? Why is the printer not able to connect?
    Further, I check the logs on the router and it shows "Wireless PC Connected" and "Authentication Success" with a note that has the Mac Hardware Address matching the printer's mac hardware address on the Wireless Network Test Report. It would appear that the router is letting the Print in but that the printer is not able to communicate for some reason. It even shows under status > wireless that the printer is connected.
    When i spoke to HP, they said to contact the router company and that they could not help. When I called D-Link they said tech support is no longer available for the model. I'm stuck, can anybody help?
    This question was solved.
    View Solution.

    Windows XP, tried both the front of the printer as well as connecting via USB and using the software.
    After a few hours on the phone with both D-Link and HP, the issue has been resolved.
    Apparently eventhough Mac Filtering was disabled (set to Disabled MAC Filters), the Mac address had to be entered into the router to allow it while keeping the setting to Disabled Mac Filters. To me it appeared counter intuitive to enter the Mac address while it's set to Disabled Mac Filters so I did not try that before getting on the phone with HP. Further on this, the problem did not go away right after adding the mac address but rather after restarting the router as the mac address addition did not take effect without a reboot of the device. 
    HP was much more helpful than D-Link on this one though it would be nice for HP to add to their instructions and Wireless Network Test Report to add the Mac address just in case. I would have tried that step if it was stated that it's okay to add the mac address and keep mac filters disabled.

  • PMTU-D Black Hole Detection Missing?  Cause of some conn hangs.

    In looking through the kernel source, it appears that Apple has left out one of the most important parts of Path MTU Discovery (RFC1191) as suggested in RFC2923. Since Path MTU Discovery is enabled by default, this may cause some of you to have 15 minute hangs and ultimate termination of connections when large packets are sent to specific hosts.
    Other than DNS and Wireless network drops, MTU settings appear to be one of the single most problematic things going on with OS X right now.
    For those who are not familiar with MTU, here's a brief rundown.
    10/100 Ethernet networks support a base MTU of around 1514 bytes. This is the max number of bytes that a packet is able to be in order to get put on an Ethernet network (and be within spec). Gigabit Ethernet allows for larger, but we won't go into that.
    You're probably more used to hearing 1500, however, that is the MTU for IP (or the Ethernet payload) as the Ethernet header itself is 14 bytes.
    In that 1500 bytes, you have to fit your IP header, ICMP/TCP/UDP header, and any higher layer protocols and data, each layering on top of the next.
    |<--Ethernet (14 Bytes)--><--IP (20 Bytes)--><--TCP (20 Bytes)--><--Data (1460 Bytes)-->|
    So that is how things look on a local area network.
    Once the WAN comes into play, the Ethernet header is stripped off leaving only the IP packet and another header put in its place to get it over the next link. This process goes on and on and on until the packet finally reaches its destination.
    But here's the problem - what if there is ANOTHER layer between the Ethernet and IP stack?
    This is actually quite common and you're probably using it now. The protocol PPP over Ethernet (PPPoE) fits between the Ethernet header and the IP header and adds another 8 bytes to this packet size.
    So now we end up with:
    |<--Ethernet (14 Bytes)--><--PPPoE (8 Bytes)--><--IP (20 Bytes)--><--TCP (20 Bytes)--><--Data (1452 Bytes)-->|
    Notice that we now can't put as much data in this packet or we'll end up with a packet that is too big to fit on the Ethernet network.
    The PPPoE header will ultimately get taken off once the packet gets where it needs to go at your ISP, but there may be other 'tunnels' between you and your ultimate destination and continue to strip off space of how much data you can put into a packet.
    So how do you know how much data you can put into a packet when you don't own or know anything about the network between you and the destination?
    That's where Path MTU Discovery comes into play.
    It used to be that IP packets would be fragmented (split up) if a packet was too big to get put on the next network. This process of fragmentation causes overhead for both the router having to split up the packets and the receiving device that has to put them all back together again (and make sure they go in the right order).
    So in order to reduce this overhead and also ensure that you are always sending the largest packets possible from end to end, IP stacks started setting the 'Don't Fragment' bit in the IP header. This instructs routers to throw away the packet if it is too big when it gets there.
    When the packet gets thrown away due to it being too large, the router that throws it away also sends an ICMP packet (an IP diagnostics message) back to the sender telling it what the MTU is of the interface that couldn't take the packet. The sender can then re-calculate things based on that value and resend.
    This works great EXCEPT when there are firewalls in the way (or broken routers, which is less likely these days). Many firewalls will not allow these ICMP messages to go back to the sender. Therefore, your host never receives the message that it is supposed to reduce the size of the packet and keeps trying and trying for about 15 minutes until it finally dies.
    This is one reason why you may be seeing long hangs that ultimately end in termination of your connection.
    RFC2923 goes into some options to work past this issue.
    One way that this can be done, Windows Vista for instance does this, is for the system to keep an eye on how many max sized packets get retransmitted. After a certain number (lets say 5), the system assumes that it is not getting this ICMP notification and cuts the size of that packet in half so it can now get the data through - assuming that smaller packets are better than no packets getting sent.
    It may also (and does with Vista) temporarily disable the setting of the 'Don't Fragment' bit and allow the routers to just take care of things. So in Vista, you'll see the page stutter for a second, and then continue to load, where an OS X system will sit there and hang for 15 minutes.
    This is where OS X goes wrong. This behavior is called PMTU-D Black Hole Detection and does not appear to be in the IP stack for Leopard (and probably not previous releases).
    So what can you do.
    You have a few options, some of which I've already provided to a few folks (although without the mathematics so it's just a rough guess value).
    First, you can just disable PMTU-D. The command to do this is:
    sudo sysctl -w net.inet.tcp.pathmtudiscovery=0
    This is a 'quick fix' but does eliminate the benefits that PMTU-D provides.
    Second, you can calculate out what size MTU seems to work for you by working backwards and configure that on something within your control.
    If your home router supports it, that's a good place to reduce the MTU since it only comes into play when you're using your Internet connection and not when hosts within the same network talk to each other. So if you place the MTU of 1472 on your router and your host sends it a 1500 byte packet, it will send back the ICMP message telling you to reduce it down to 1472.
    If your router doesn't support it, you can reduce the MTU on your macs physical interface. This isn't always the best solution since you really should then reduce the MTU on each of your local systems or you could run into issues locally.
    The command to do this is:
    sudo ifconfig en1 mtu 1472
    To make this permanent for Ethernet, set it in the Network settings. For Airport, search the forums. I provided an update you can make to one of the preferences files manually to do this (don't remember what file right now).
    I have found a couple of sites (Washington Mutual's website for instance) that appear to have configuration issues internal to their network in which a device behind a firewall (possibly the web server, load balancer, or IPSec added) that may have an MTU less than 1500 set on it AND a firewall blocking ICMP packets from coming back. These sites will throw off your math since you can no longer assume a max size of 1500 for IP packets. In this specific case, you have to assume 1480.
    Third, you can adjust the MSS setting (Max Segment Size) in the kernel to a value that is 20 bytes smaller than what you would otherwise set the MTU to. This ensures that the TCP stack doesn't put more than that amount of data in any single packet (therefore, eliminating the MTU issue), however, this will not work for UDP.
    Finally, you can submit a bug report to let Apple know that PMTU-D Black Hole detection is something that we need.
    So what kind of impact does this have on performance?
    This will depend on what solution you choose, what the performance of your home router is, and the load on the various servers that have to potentially re-assemble the packets.
    That said, knocking things all the way down to 1400 bytes, I am able to still get at least 15 Mbps up and down stream over the Internet.
    If you have any questions on this post, please post and i'll do my best to respond. Hopefully this will help one more person resolve their performance issues with Leopard.

    Hi Karsten and thanks for the suggestion!
    I have exempted internal networks and can connect them via the VPN connection. I also got connectivity to the outside world with nat (outside,outside) and 'same-security-traffic permit intra-interface'.
    A question remains though. At the moment, all traffic gets out of the network through the 'outside' interface IP (.22). I'd rather use a dedicated address from the /29 on GigabitEthernet0/0. Is this possible to achieve that? To put it differently, I'd like to NAT the VPN range onto an address that is not the 'outside' interface, like I did in this statement, for instance:
    nat (v200,outside) source dynamic v200_private v200_public
    My other question is, whether the single NAT statement [nat (outside,outside) dynamic interface] is sufficient for VPN traffic and whether the original statement can be removed [nat (vpn,outside) source dynamic vpn_pool vpn_public].
    Thanks once again for the tips!
    R.

  • Web filter policy route

    Hello,
    We currently have our gateway / web filter routing setup in this manor:
    lan --- 2921 ---asa(firewall) ---internet
              |
               ------  web filter
    So the traffic destined to the internet that is not supposed to be filtered goes right through the router to the asa.  The traffice that is destined to be filtered gets policy routed to the web filter which then gets routed back to the 2921 and out to the asa.  This is a bad design, I will admit that.
    What I want to do is this:
    lan - 2921 --- asa(firewall) --- internet
              |                    |
              --- web filter ---
    With this change the traffic will not have to go back to the router and then back out to the asa.  This will cut the traffic going through the router in half, which will result in lower cpu usage.
    My question about changing this is as follows.
    The asa has a route to the lan networks that are getting filtered.  Lets say they are 172.16.0.0/16.  The route comes from the lan which is advertiesed to the router which in turn is advertized to the asa.  If I use a route-map to policy route certain networks to the web filter, will the return traffic go back through the web filter or will it go back directly to the router?  I don'th have a spare ASA to test this with.
    Thanks,
    Dan.

    not possible.
    If you want this behavior, you can achieve it by source nating on the next-hop all traffic going to the CSS. This will force the CSS to responds back to the nated ip address on the same interface.
    Gilles.

  • Reactivation Black Hole

    You are now entering the reactivation black hole! Have spent the last 6 weeks trying to get my case resolved with no success.
    Summary
    1. Reactivation for Master Collection CS3 prompted reactivation. Reactivation failed. Called support and still failed with them as well.
    2. Sat on hold for 5 hours again and was told to de-install.
    3. De-install did not work and used cleaner at level 4 which allowed me to re-enter the serial number but also removed Acrobat professional and Director 11.5. Have also Production Premium on a second system as well. New activation only allows me to enter Production Premium serial with a check mark and not Master Collection which shows and X.
    4. Oh wait, where are the download installs for CS3. No longer available depending on when you purchased them.
    5. Running only a few programs with Production preium serial as Master Collection serial is not recognized and does not work even though it is in my registed history with Adobe.
    6. I never asked to go through this reactivation process and was happy with CS3 till software stopped working and was forced to enter the black hole.
    7. From what I can tell there is no resolution possible here.
    8. Guess the only way out is to find a crack that will bypass this mess Adobe has created since they are unable to resolve this after 6 weeks and many hours on my part installing and reinstalling only some of the installs as not all are still available for CS3. I only use fully purchased software, however if this is the only way out is to crack it, well that is it, I give up.

    Hello Lance,
    I answered a query like this I think 2 days ago...
    So you want to filter traffic via the botnet feature ( you will need to make sure the ASA has access to the internet ofcourse so it can contact the Security Intelligence Servers )
    The ASA will drop the packets if they are spoofed and you have  the RPF check on.
    If the traffic goes to nowhere the ASA ofcourse will drop it ( No route to host x.x.x.x)
    And if we receive a SYN-ACK where there has not been a SYN, traffic will be drop due to the TCP inspection failure (unless u configure a TCP state bypass)
    Julio
    Remember to rate all of the helpful posts.
    For this community that's as important as a thanks.

  • HT3180 The internet provider reset my router and now my apple Tv does not work in netflix i get ATV-ui10 error and when i perform a network test it works fine but no movies are coming up on the screen and you cannot select anything.

    The internet provider reset my router and now I cannot use Apple Tv.  I tired restore and reseting the apple tv and the Network test is fine.  Netflix shows error atv-ui10 and you no movies come up it just shoes black tickets at the top of the screen and says i am not connect.  Internet works fine.

    Delete/forget the network connection on the ATV and reconnect to the network.
    Power cycle the router.

  • Site to Site VPN Problems With 2801 Router and ASA 5505

    Hello,
    I am having some issue setting up a site to site ipsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a vpn previously setup with an old hosting provider, but those connections have been servered. Right now I am trying to get the sites to talk to the 2801. Here ere are my current configs, please let me know if you need anything else. Im stumped on this one. Thanks.
    IP scheme at SIte A:
    IP    172.19.3.x
    sub 255.255.255.128
    GW 172.19.3.129
    Site A Ciscso 2801 Router
    Current configuration : 11858 bytes
    version 12.4
    service timestamps debug datetime localtime
    service timestamps log datetime localtime show-timezone
    service password-encryption
    hostname router-2801
    boot-start-marker
    boot-end-marker
    logging message-counter syslog
    logging buffered 4096
    aaa new-model
    aaa authentication login userauthen group radius local
    aaa authorization network groupauthor local
    aaa session-id common
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 172.19.3.129 172.19.3.149
    ip dhcp excluded-address 172.19.10.1 172.19.10.253
    ip dhcp excluded-address 172.19.3.140
    ip dhcp ping timeout 900
    ip dhcp pool DHCP
       network 172.19.3.128 255.255.255.128
       default-router 172.19.3.129
       domain-name domain.local
       netbios-name-server 172.19.3.7
       option 66 ascii 172.19.3.225
       dns-server 172.19.3.140 208.67.220.220 208.67.222.222
    ip dhcp pool VoiceDHCP
       network 172.19.10.0 255.255.255.0
       default-router 172.19.10.1
       dns-server 208.67.220.220 8.8.8.8
       option 66 ascii 172.19.10.2
       lease 2
    ip cef
    ip inspect name SDM_LOW cuseeme
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW ftp
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW netshow
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW sqlnet
    ip inspect name SDM_LOW streamworks
    ip inspect name SDM_LOW tftp
    ip inspect name SDM_LOW tcp
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW vdolive
    no ip domain lookup
    ip domain name domain.local
    multilink bundle-name authenticated
    key chain key1
    key 1
       key-string 7 06040033484B1B484557
    crypto pki trustpoint TP-self-signed-3448656681
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
    revocation-check none
    rsakeypair TP-self-signed-344bbb56681
    crypto pki certificate chain TP-self-signed-3448656681
    certificate self-signed 01
      3082024F
                quit
    username admin privilege 15 password 7 F55
    archive
    log config
      hidekeys
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp key XXXXX address 209.118.0.1
    crypto isakmp key xxxxx address SITE B Public IP
    crypto isakmp keepalive 40 5
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group IISVPN
    key 1nsur3m3
    dns 172.19.3.140
    wins 172.19.3.140
    domain domain.local
    pool VPN_Pool
    acl 198
    crypto isakmp profile IISVPNClient
       description VPN clients profile
       match identity group IISVPN
       client authentication list userauthen
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map Dynamic 5
    set transform-set myset
    set isakmp-profile IISVPNClient
    qos pre-classify
    crypto map VPN 10 ipsec-isakmp
    set peer 209.118.0.1
    set peer SITE B Public IP
    set transform-set myset
    match address 101
    qos pre-classify
    crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
    track 123 ip sla 1 reachability
    delay down 15 up 10
    class-map match-any VoiceTraffic
    match protocol rtp audio
    match protocol h323
    match protocol rtcp
    match access-group name VOIP
    match protocol sip
    class-map match-any RDP
    match access-group 199
    policy-map QOS
    class VoiceTraffic
        bandwidth 512
    class RDP
        bandwidth 768
    policy-map MainQOS
    class class-default
        shape average 1500000
      service-policy QOS
    interface FastEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
    ip address 172.19.3.129 255.255.255.128
    ip access-group 100 in
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface FastEthernet0/0.10
    description $ETH-VoiceVLAN$$
    encapsulation dot1Q 10
    ip address 172.19.10.1 255.255.255.0
    ip inspect SDM_LOW in
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/1
    description "Comcast"
    ip address PUB IP 255.255.255.248
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map VPN
    interface Serial0/1/0
    description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
    bandwidth 1536
    no ip address
    encapsulation frame-relay IETF
    frame-relay lmi-type ansi
    interface Serial0/1/0.1 point-to-point
    bandwidth 1536
    ip address 152.000.000.18 255.255.255.252
    ip access-group 102 in
    ip verify unicast reverse-path
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    frame-relay interface-dlci 500 IETF 
    crypto map VPN
    service-policy output MainQOS
    interface Serial0/2/0
    description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
    ip address 123.252.123.102 255.255.255.252
    ip access-group 102 in
    ip inspect SDM_LOW out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    crypto map VPN
    service-policy output MainQOS
    ip local pool VPN_Pool 172.20.3.130 172.20.3.254
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
    ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
    ip route 122.112.197.20 255.255.255.255 209.252.237.101
    ip route 208.67.220.220 255.255.255.255 50.78.233.110
    no ip http server
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 20
    sort-by bytes
    ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
    ip nat inside source route-map PAETEC interface Serial0/2/0 overload
    ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
    ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
    ip access-list extended VOIP
    permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
    permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
    ip radius source-interface FastEthernet0/0
    ip sla 1
    icmp-echo 000.67.220.220 source-interface FastEthernet0/1
    timeout 10000
    frequency 15
    ip sla schedule 1 life forever start-time now
    access-list 23 permit 172.19.3.0 0.0.0.127
    access-list 23 permit 172.19.3.128 0.0.0.127
    access-list 23 permit 173.189.251.192 0.0.0.63
    access-list 23 permit 107.0.197.0 0.0.0.63
    access-list 23 permit 173.163.157.32 0.0.0.15
    access-list 23 permit 72.55.33.0 0.0.0.255
    access-list 23 permit 172.19.5.0 0.0.0.63
    access-list 100 remark "Outgoing Traffic"
    access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit tcp host 172.19.3.190 any eq smtp
    access-list 100 permit tcp host 172.19.3.137 any eq smtp
    access-list 100 permit tcp any host 66.251.35.131 eq smtp
    access-list 100 permit tcp any host 173.201.193.101 eq smtp
    access-list 100 permit ip any any
    access-list 100 permit tcp any any eq ftp
    access-list 101 remark "Interesting VPN Traffic"
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 101 permit tcp any any eq ftp
    access-list 101 permit tcp any any eq ftp-data
    access-list 102 remark "Inbound Access"
    access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
    access-list 102 permit udp any host 152.179.53.18 eq isakmp
    access-list 102 permit esp any host 152.179.53.18
    access-list 102 permit ahp any host 152.179.53.18
    access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
    access-list 102 permit udp any host 209.000.000.102 eq isakmp
    access-list 102 permit esp any host 209.000.000.102
    access-list 102 permit ahp any host 209.000.000.102
    access-list 102 permit udp any host PUB IP eq non500-isakmp
    access-list 102 permit udp any host PUB IP eq isakmp
    access-list 102 permit esp any host PUB IP
    access-list 102 permit ahp any host PUB IP
    access-list 102 permit ip 72.55.33.0 0.0.0.255 any
    access-list 102 permit ip 107.0.197.0 0.0.0.63 any
    access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
    access-list 102 permit icmp any any echo-reply
    access-list 102 permit icmp any any time-exceeded
    access-list 102 permit icmp any any unreachable
    access-list 102 permit icmp any any
    access-list 102 deny   ip any any log
    access-list 102 permit tcp any host 172.19.3.140 eq ftp
    access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
    access-list 102 permit udp any host SITE B Public IP  eq non500-isakmp
    access-list 102 permit udp any host SITE B Public IP  eq isakmp
    access-list 102 permit esp any host SITE B Public IP
    access-list 102 permit ahp any host SITE B Public IP
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 199 permit tcp any any eq 3389
    route-map PAETEC permit 10
    match ip address 110
    match interface Serial0/2/0
    route-map COMCAST permit 10
    match ip address 110
    match interface FastEthernet0/1
    route-map VERIZON permit 10
    match ip address 110
    match interface Serial0/1/0.1
    snmp-server community 123 RO
    radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp server 128.118.25.3
    ntp server 217.150.242.8
    end
    IP scheme at site B:
    ip     172.19.5.x
    sub  255.255.255.292
    gw   172.19.5.65
    Cisco ASA 5505 at Site B
    ASA Version 8.2(5)
    hostname ASA5505
    domain-name domain.com
    enable password b04DSH2HQqXwS8wi encrypted
    passwd b04DSH2HQqXwS8wi encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.19.5.65 255.255.255.192
    interface Vlan2
    nameif outside
    security-level 0
    ip address SITE B public IP 255.255.255.224
    boot system disk0:/asa825-k8.bin
    ftp mode passive
    clock timezone est -5
    clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
    dns server-group DefaultDNS
    domain-name iis-usa.com
    same-security-traffic permit intra-interface
    object-group network old hosting provider
    network-object 72.55.34.64 255.255.255.192
    network-object 72.55.33.0 255.255.255.0
    network-object 173.189.251.192 255.255.255.192
    network-object 173.163.157.32 255.255.255.240
    network-object 66.11.1.64 255.255.255.192
    network-object 107.0.197.0 255.255.255.192
    object-group network old hosting provider
    network-object host 172.19.250.10
    network-object host 172.19.250.11
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
    access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
    access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
    access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
    access-list 10 extended permit icmp any any echo-reply
    access-list 10 extended permit icmp any any time-exceeded
    access-list 10 extended permit icmp any any unreachable
    access-list 10 extended permit icmp any any traceroute
    access-list 10 extended permit icmp any any source-quench
    access-list 10 extended permit icmp any any
    access-list 10 extended permit tcp object-group old hosting provider any eq 3389
    access-list 10 extended permit tcp any any eq https
    access-list 10 extended permit tcp any any eq www
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
    pager lines 24
    logging enable
    logging timestamp
    logging console emergencies
    logging monitor emergencies
    logging buffered warnings
    logging trap debugging
    logging history debugging
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip verify reverse-path interface inside
    ip verify reverse-path interface outside
    ip audit name jab attack action alarm drop reset
    ip audit name probe info action alarm drop reset
    ip audit interface outside probe
    ip audit interface outside jab
    ip audit info action alarm drop reset
    ip audit attack action alarm drop reset
    ip audit signature 2000 disable
    ip audit signature 2001 disable
    ip audit signature 2004 disable
    ip audit signature 2005 disable
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit 75.150.169.48 255.255.255.240 outside
    icmp permit 72.44.134.16 255.255.255.240 outside
    icmp permit 72.55.33.0 255.255.255.0 outside
    icmp permit any outside
    icmp permit 173.163.157.32 255.255.255.240 outside
    icmp permit 107.0.197.0 255.255.255.192 outside
    icmp permit 66.11.1.64 255.255.255.192 outside
    icmp deny any outside
    asdm image disk0:/asdm-645.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 100
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group 10 in interface outside
    route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
    timeout xlate 3:00:00
    timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    http 107.0.197.0 255.255.255.192 outside
    http 66.11.1.64 255.255.255.192 outside
    snmp-server host outside 107.0.197.29 community *****
    snmp-server host outside 107.0.197.30 community *****
    snmp-server host inside 172.19.250.10 community *****
    snmp-server host outside 172.19.250.10 community *****
    snmp-server host inside 172.19.250.11 community *****
    snmp-server host outside 172.19.250.11 community *****
    snmp-server host outside 68.82.122.239 community *****
    snmp-server host outside 72.55.33.37 community *****
    snmp-server host outside 72.55.33.38 community *****
    snmp-server host outside 75.150.169.50 community *****
    snmp-server host outside 75.150.169.51 community *****
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map VPNMAP 10 match address 110
    crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
    crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto map VPNMAP 10 set security-association lifetime seconds 86400
    crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
    crypto map VPNMAP interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 20
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 172.19.5.64 255.255.255.192 inside
    telnet 172.19.3.0 255.255.255.128 outside
    telnet timeout 60
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0
    management-access inside
    dhcpd dns 172.19.3.140
    dhcpd wins 172.19.3.140
    dhcpd ping_timeout 750
    dhcpd domain iis-usa.com
    dhcpd address 172.19.5.80-172.19.5.111 inside
    dhcpd enable inside
    threat-detection basic-threat
    threat-detection scanning-threat shun except object-group old hosting provider
    threat-detection statistics
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ntp server 128.118.25.3 source outside
    ntp server 217.150.242.8 source outside
    tunnel-group 72.00.00.7 type ipsec-l2l
    tunnel-group 72.00.00.7 ipsec-attributes
    pre-shared-key *****
    tunnel-group old vpn public ip type ipsec-l2l
    tunnel-group old vpn public ip ipsec-attributes
    pre-shared-key *****
    tunnel-group SITE A Public IP  type ipsec-l2l
    tunnel-group SITE A Public IP  ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect tftp
      inspect pptp
      inspect sip 
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:
    : end

    I have removed the old "set peer" and have added:
    IOS router:
    access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
    ASA fw:
    access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
    on the router I have also added;
    access-list 110 deny  ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    Here is my acl :
    access-list 110 remark "Outbound NAT Rule"
    access-list 110 remark "Deny VPN Traffic NAT"
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
    access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
    access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
    access-list 110 permit ip 172.19.3.128 0.0.0.127 any
    access-list 110 permit ip 172.19.10.0 0.0.0.255 any
    access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
    access-list 198 remark "Networks for IISVPN Client"
    access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
    access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
    Still no ping tothe other site.

  • I am unable to browse internet from my cisco 881 router and configuration is below could any one help me in this regard

    HOME#sho run
    Building configuration...
    Current configuration : 5657 bytes
    ! Last configuration change at 10:51:11 UTC Fri May 17 2013 by admin
    version 15.0
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname HOME
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 $1$bgx9$VrtQW3Wg182VyYhKAHLbN.
    no aaa new-model
    memory-size iomem 10
    crypto pki trustpoint TP-self-signed-1190003239
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1190003239
    revocation-check none
    rsakeypair TP-self-signed-1190003239
    crypto pki certificate chain TP-self-signed-1190003239
    certificate self-signed 01
      3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31313930 30303332 3339301E 170D3133 30353137 31303333
      35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393030
      30333233 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100C002 80BBF151 E095E469 AA7DBB18 2A9E3CC2 4AC223F6 ABE0AF49 876C1203
      65D0E246 786F174D E5B7897A 44C5755A 2571E58A 184A6C62 DD992A2A D8A24878
      25A8D3C3 03F5D3C2 522EC8BB 302B0CCD 2945087A 7AF01418 D0056679 6F64DB4A
      BE2D5DA1 106CD03A 83B422A2 3CCBAE88 F2413123 12269390 6949DFE0 411118E7
      8F210203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
      551D1104 16301482 12484F4D 452E7777 772E7961 686F6F2E 636F6D30 1F060355
      1D230418 30168014 3D2D854D 1203F50D 77F4ABC5 B61CEAF6 C922F4DF 301D0603
      551D0E04 1604143D 2D854D12 03F50D77 F4ABC5B6 1CEAF6C9 22F4DF30 0D06092A
      864886F7 0D010104 05000381 8100B24C 48BACACE 87ADEA03 386F2045 CC89624A
      4EB1AD09 062EB2A4 CF4C96CA 0B2CF001 BD2C3804 8DC47FED 6A5B5F0D 3965AC6E
      4FC4682F 707E4132 8F27C083 C7FAE1BD 21D055E6 C79D5DAD 051B6321 D35DB4F2
      044E6BBD DAD08B6A 6ED87C7E 08F4F7E1 4EFDFB6F 867AF6FA 84165CFC D219D56F
      A82EABD4 AD9CFA24 A5088145 E571
            quit
    ip source-route
    ip routing protocol purge interface
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
       import all
       network 10.10.10.0 255.255.255.248
       default-router 10.10.10.1
       domain-name www.google.com
       dns-server 192.168.1.1
       lease 0 2
    ip cef
    ip domain name www.yahoo.com
    ip name-server 84.235.6.55
    ip name-server 84.235.57.230
    no ipv6 cef
    multilink bundle-name authenticated
    license udi pid CISCO881-SEC-K9 sn FCZ1516933C
    username admin privilege 15 password 0 cisco
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    ip address dhcp
    ip access-group 101 in
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.10.10.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip nat enable
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    interface Vlan2
    no ip address
    ip nat inside
    ip virtual-reassembly
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 101 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 FastEthernet4
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 101 permit ip any any
    dialer-list 1 protocol ip permit
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
    PUBLICLY-KNOWN CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
    NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    banner motd ^Cuthorized ^C
    line con 0
    login local
    no modem enable
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    password cisco
    logging synchronous
    login local
    transport input telnet ssh
    scheduler max-task-time 5000
    end

    HOME#ping 4.2.2.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    HOME#sh ip int br
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0              unassigned      YES unset  down                  down
    FastEthernet1              unassigned      YES unset  down                  down
    FastEthernet2              unassigned      YES unset  down                  down
    FastEthernet3              unassigned      YES unset  down                  down
    FastEthernet4              192.168.1.120   YES DHCP   up                    up 
    NVI0                       10.10.10.1      YES unset  up                    up 
    Vlan1                      10.10.10.1      YES NVRAM  down                  down
    Vlan2                      unassigned      YES NVRAM  down                  down
    HOME#
    fast ethernet is connected to my internet connection

  • Safari 5.1 in iMac OS X 10.6.8.Adding Bookmarks to "unsorted Bookmarks" folder puts them in a black hole.  I can't find the "UB" folder.  Where is it? Should I add it to the folder list somewhere on the left pane? OR? Help, please!

    Safari 5.1 in iMac OS X 10.6.8.Adding Bookmarks to "unsorted Bookmarks" folder puts them in a black hole.  I can't find the "UB" folder.  Where is it? Should I add it to the folder list somewhere on the left pane? OR? Help, please!

    It looks like that the installation process of one of the applications have caused some trouble. One of them may have changed or added kext files.
    For that, the Window server crashed if you try to open a non Apple application like Firefox
    Start the system in safe mode by holding the shift key on power on.
    If save mode is reached, perform a permissions repair with the Disk Utility.
    Don't bother about upcoming warnings like "could not repair file xy" as that occur cause you use the tool on a running system and opened files can not get touched by the tool.
    After repair is done reboot system to normal and try to open Firefox.
    If the problem persits, please report back here.
    Lupunus

Maybe you are looking for

  • Can a tabular form be created/used against a GLOBAL TEMP TABLE?

    We are trying to simplify our apex applications. In doing so, we are examing the many collections we use to create tablular forms. These collections currently are tricky to manage and we are considering moving them to either VIEWS or GLOBAL TEMPORARY

  • Flat File reconciliation failing with no error

    Hello, I'm trying to set up flat file reconciliation with OIM 11g. I've followed this guide http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/oim/10.1.4/oim/obe12_using_gtc_for_reconciliation/using_the_gtc.htm and configured the mapping f

  • Multiple text colors in my spry menu

    Can I make multiple text colors in my spry menu? I want to match the text color on one of my spry menu items to the hover color so that you know which link you are currently visiting. I haven't posted the site yet until I work out all the kinks. So,

  • I've got a nested table issue..

    Okay, first off: in Oracle 9i is there an option to nest a table inside a nested table? I got the impression it is an option; & I'd like further info on this. ..& on to the issue I've got: I've got one nested table object that I've identified in the

  • Error in Genral Information Link for only one subordinate

    Dear SAP Guru, I facing 1 issue . when i want to see the General information of one of my subordinate under MSS > Team then i m getting 500 inter server error. But rest of all subordinate i can see it successfully. The 1 thing is that for this employ