Policy routing and black hole filtering on 6500
I have a 6500 with many SVIs configured, each with multiple IP addresses. The users access the network through these SVIs. For access control I use the black hole filtering method by dynamically injecting static routes to Null0 for every user that is not authenticated.
But I need these users to reach one server to authenticate.
Is there a way to do this besides putting the server inside every VLAN? Something like policy routing all the packets to the server to exit the server interface and the response packets to reach the user bypassing the global routing table? Maybe using a VRF for the server only?
Thanx.
Dave Northampton UK here.
We seem to have different consumer laws to the US, it seems?
Here the RETAILER is wholly responsible for the goods he sells. If such a case as this arose there would be NO time limit of 15 days; if the goods were found not to be of "merchantable quality" the time factor would not matter, certainly up to a year!
Certainly a retailer can take matters up with their supplier/manufacturer, but the CUSTOMER must get a new, working product PDQ or a total refund, IN CASH or put on a card, no credit notes or any other such swaddling!
Of course! Many shops wriggle and tell people porkies but in the end that is da law!
Dave.
Similar Messages
Introduce second default gateway into policy-based routing and optimization
Questions:
1) How to get the second PBR_DEFAULT_GATEWAY address 10.20.20.3 into the policy-based routing for redundancy?
2) Any optimizations as more and more traffic (policy-based routed and otherwise) goes through interface Gi1/0/1?
Address range A.B.0.0/16 represents assigned Internet-routable addresses.
Network also uses 10.0.0.0/8, 172.16.0.0/20, 192.168.0.0/16.
DEFAULT_GATEWAY router participates in OSPF and injects the default routes 0.0.0.0/0 10.10.10.1 and 0.0.0.0/0 10.20.20.1 into OSPF.
PBR_DEFAULT_GATEWAY router participates in OSPF but filters out default routes injected by DEFAULT_GATEWAY router.
ROUTER_A participates in OSPF and receives default routes injected by DEFAULT_GATEWAY router.
ROUTER_A contains the attached policy-routing configuration that allows the subnet A.B.30.0/24 to route anywhere on the network and uses PBR_DEFAULT_GATEWAY as the way out.
OK, I will see if I can run out to work and try this today.
After thinking about this, if I need to get to local IP addresses (192.168.1.0 and 192.168.128.0), I might have to change my route map to include those ranges in an ACL, then assign 172.20.200.1 as the gateway to get to those networks, with the last statement being the traffic to be sent out the firewall.
For instance:
# Access to one of my local networks
access-list 101 permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255
# Send Internet traffic to ASA/PIX
access-list 172 permit ip 172.20.200.0 0.0.0.255 any
route-map pix-172-20-200 permit 10
match ip address 101
set ip next-hop 172.20.200.1
route-map pix-172-20-200 permit 20
match ip address 172
set ip next-hop 172.20.200.2
and so on?
I know I need to be in front of my switch to test the change from set ip default next-hop to set ip next-hop...
I want to make sure I can still get to the local networks I need to get to.
I appreciate all your help, and I will test this later on today.
Thanks
Don Hickey
Black hole and BOTNET filter?
Hi all,
I have a query regarding black hole and botnet.
My customer tends to receive traffic which is not destined anywhere. He wants to achieve the following. He wants to capture the traffic via SPAN and then direct it to a firewall on the inside interface and then apply the botnet filter. He has a Catalyst where some VRFs are defined. One of the VRFs is named "SOME-VRF-BHOLE". This VRF will be mirrored to another port and this traffic will be sent to the inside interface of a firewall where the Botnet feature is active.
My first question: is this doable? I mean, if the traffic is black holed then the first thing the ASA will do is drop the traffic, as it gets traffic destined nowhere; if it's a SYN/ACK then the ASA will drop the packet due to spoofing. So in other words there should be flowing traffic which goes through the ASA to be able to apply the botnet filter. Or could someone confirm whether this method my customer has explained could be done at all.
Thanks in advance
Lance
Hello Lance,
I answered a query like this I think 2 days ago...
So you want to filter traffic via the botnet feature (you will need to make sure the ASA has access to the internet of course so it can contact the Security Intelligence Servers).
The ASA will drop the packets if they are spoofed and you have the RPF check on.
If the traffic goes to nowhere the ASA of course will drop it (No route to host x.x.x.x).
And if we receive a SYN-ACK where there has not been a SYN, traffic will be dropped due to the TCP inspection failure (unless you configure a TCP state bypass).
Julio
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
Native VLAN and the "Black Hole"
While reviewing the configuration of a network that I'm supporting, it seems that the original design of the network has the black hole VLAN as the native VLAN. At the least this seems incorrect, and possibly very dangerous, but I'm not exactly sure why or how to articulate that. Can someone confirm or deny this suspicion?
In addition, I had two further questions regarding the practice of using a black hole VLAN:
1. If you have any unused ports, it seems more practical to just admin down these ports instead of creating an unused VLAN. Is there some added advantage to ALSO putting these ports in an unused VLAN (e.g. 999)? If the port was needed, you can simply admin up the port, during which time you could also change any needed VLAN configurations. In other words, you'd have to log into the device and make changes whether you went with the admin down method, the Black Hole VLAN method, or both. So what's the point?
2. Assuming you do use the Black Hole VLAN as an added security method, I feel that including that VLAN in the "switchport trunk allowed vlan" command is counterproductive, but I'm not fully able to articulate why. Can someone help me with this?
Thanks for any information or suggestions that you may have.
Assuming you mean a vlan for unused ports when you refer to a black hole vlan. If so the key things are -
a) that vlan does not have a L3 vlan interface (SVI) for it as there is no need to route it
b) any unused ports are shutdown
If you follow the above then I can't see the danger in using the native vlan, but I wouldn't do it regardless of that. I would have a dedicated native vlan and a separate vlan for unused ports.
To my mind there should be no ports allocated to the native vlan (other than trunk ports obviously).
The benefit of using a dedicated vlan for unused ports is -
a) it provides an additional level of security. People make mistakes and having to do multiple things to enable a port requires more attention than simply doing a "no shut" on the interface.
The more attention someone is paying the more likely they will get it right or at least the less likely they will make a mistake.
b) if you don't use an unused vlan you are leaving all the ports in the default vlan, which is vlan 1, and this should be avoided as this vlan is overused already, e.g. switch control plane traffic is sent on this vlan and often the switch management interfaces are in this vlan.
As far as allowing the unused vlan on trunk links it is totally unnecessary and in fact you really don't want to do that. The idea of the unused vlan is for non communication so it would make no sense to allow it on trunk links.
In my last place of work we used vlan 998 as the unused vlan and vlan 999 as the native vlan.
Neither had an SVI for it.
If by black hole vlan you meant something else then please clarify.
Jon
Policy Based Routing and IP Helper
Can anyone help with an issue I am having with PBR and an IP Helper? I cannot get devices in the VLAN with the associated SVI to get DHCP addresses; there is no DHCP server in the VLAN so an IP Helper is used, but whenever I enable PBR on the SVI, DHCP stops working. The switch is a 6506 Catalyst running IOS version 12.2(17d)SXB11.
The SVI config for the VLAN is as below:
ip address 10.2.60.254 255.255.255.0
ip helper-address 10.10.80.200
ip helper-address 10.10.80.201
ip policy route-map ACPBR
no ip igmp snooping explicit-tracking
no ipv6 mld snooping explicit-tracking
no ipv6 mld snooping
A route map configured as follows:
route-map ACPBR permit 10
match ip address ACPBR_ACL
set ip default next-hop 10.99.1.252
route-map ACPBR permit 20
set default interface Null0
And an access list as follows:
ip access-list extended ACPBR_ACL
deny udp any any eq bootps log
permit ip 10.2.60.0 0.0.0.255 any
So any DHCP traffic should hit the deny command and drop back to the normal routing process, at least that's my understanding. The logs on the 6506 even show the DENY being hit, see below:
list ACPBR_ACL denied udp 0.0.0.0(68) -> 255.255.255.255(67), 1 packet
Can anyone advise why this may be happening? If I add the PBR to the SVI, DHCP stops working; if I remove it then it starts working, so it is definitely PBR doing something.
Thanks
Ryan
Ryan,
The deny line in your ACL merely causes the DHCP traffic not to be processed in the ACPBR block 10. However, for this traffic, the processing of the route-map continues to block 20 with the set default interface Null0 command. This could be the cause of the drops you are seeing. Remember, the permit/deny in the ACL here only selects packets to be dealt with in the particular route-map block. However, it is the permit/deny in the route-map block header that determines whether the packet is going to be PBR-ed or normally routed.
Assuming you want to keep the DHCP traffic normally routed, one of the ways of doing that would be:
ip access-list extended ACPBR_ACL
 deny udp any any eq bootps log
 permit ip 10.2.60.0 0.0.0.255 any
!
ip access-list extended ACPBR_DHCP
 permit udp any any eq bootps
!
route-map ACPBR permit 10
 match ip address ACPBR_ACL
 set ip default next-hop 10.99.1.252
!
route-map ACPBR deny 15
 match ip address ACPBR_DHCP
!
route-map ACPBR permit 20
 set default interface Null0
This configuration causes the DHCP traffic to be processed in block 15, and because of the deny action in the block header, the traffic should fall back to normal routing.
While I am somewhat surprised that the PBR would affect broadcasts (it should not, and perhaps it affects only a part of the DHCP communication that does happen to be unicasted), I believe this modification of your config is worth trying.
Best regards,
Peter
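The two different permit/deny decisions Peter describes (an ACL entry only selects a packet for a route-map block, while the block header decides whether the selected packet is policy-routed or handed back to normal routing), applied to Ryan's original and corrected configurations and to Don Hickey's two-ACL route-map earlier on the page. This is an added Python model, not code from either thread or from Cisco; the sample packets are constructed, and the set clauses are returned as labels only (the real 'set ip default next-hop' additionally checks the routing table, which is not modelled here).

```python
# Constructed model of IOS route-map/ACL evaluation for policy-based routing (PBR).
# Not Cisco code: it reproduces the selection semantics described in the thread only.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

NAMED_PORTS = {"bootps": 67, "bootpc": 68}   # subset of the IOS port keywords

@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip", "udp" or "tcp"
    src: str                 # "any" or "ADDRESS WILDCARD"
    dst: str
    dst_port: Optional[int]  # set only when "eq <port>" follows the destination

def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL entry (subset: any / wildcard, eq <port>, trailing log)."""
    tok = line.split()
    action, proto, i, specs = tok[0], tok[1], 2, []
    for _ in range(2):                     # source spec, then destination spec
        if tok[i] == "any":
            specs.append("any")
            i += 1
        else:
            specs.append(f"{tok[i]} {tok[i + 1]}")
            i += 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
    return Ace(action, proto, specs[0], specs[1], port)

def _in_wildcard(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))   # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def acl_permits(acl: List[Ace], pkt: Dict) -> bool:
    """First matching entry wins; no match hits the implicit deny at the end."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt["proto"]:
            continue
        if not (_in_wildcard(ace.src, pkt["src"]) and _in_wildcard(ace.dst, pkt["dst"])):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.get("dport"):
            continue
        return ace.action == "permit"
    return False

@dataclass
class Block:
    seq: int
    action: str                 # route-map header: "permit" or "deny"
    match: Optional[List[Ace]]  # None = no match clause, selects every packet
    set_clause: str = ""        # set statement applied when the header is permit

def route_map_decide(blocks: List[Block], pkt: Dict) -> str:
    """Return the set clause applied to pkt, or 'normal routing'."""
    for blk in sorted(blocks, key=lambda b: b.seq):
        if blk.match is not None and not acl_permits(blk.match, pkt):
            continue                     # not selected by this block, try the next one
        if blk.action == "deny":
            return "normal routing"      # deny header hands the packet back to the RIB
        return blk.set_clause or "normal routing"
    return "normal routing"              # fell off the end of the route-map

# Ryan's ACL and route-map, and Peter's corrected version, as posted in the thread.
ACPBR_ACL = [parse_ace("deny udp any any eq bootps log"),
             parse_ace("permit ip 10.2.60.0 0.0.0.255 any")]
ACPBR_DHCP = [parse_ace("permit udp any any eq bootps")]
RYAN_ORIGINAL = [Block(10, "permit", ACPBR_ACL, "set ip default next-hop 10.99.1.252"),
                 Block(20, "permit", None, "set default interface Null0")]
PETER_FIXED = [Block(10, "permit", ACPBR_ACL, "set ip default next-hop 10.99.1.252"),
               Block(15, "deny", ACPBR_DHCP),
               Block(20, "permit", None, "set default interface Null0")]
# Don Hickey's two-ACL route-map from earlier on the page.
DON_PIX = [Block(10, "permit", [parse_ace("permit ip 172.20.200.0 0.0.0.255 192.168.1.0 0.0.0.255")],
                 "set ip next-hop 172.20.200.1"),
           Block(20, "permit", [parse_ace("permit ip 172.20.200.0 0.0.0.255 any")],
                 "set ip next-hop 172.20.200.2")]
# Constructed sample packets: the DHCP DISCOVER from Ryan's log line, and ordinary user flows.
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "dst": "255.255.255.255", "dport": 67}
USER_FLOW = {"proto": "tcp", "src": "10.2.60.25", "dst": "198.51.100.10", "dport": 443}
DON_LOCAL = {"proto": "tcp", "src": "172.20.200.5", "dst": "192.168.1.10", "dport": 445}
DON_INTERNET = {"proto": "tcp", "src": "172.20.200.5", "dst": "198.51.100.10", "dport": 443}

def compare() -> Dict[str, str]:
    """Decision for each (route-map, packet) pair; shows why the original config dropped DHCP."""
    return {
        "original/dhcp": route_map_decide(RYAN_ORIGINAL, DHCP_DISCOVER),
        "original/user": route_map_decide(RYAN_ORIGINAL, USER_FLOW),
        "fixed/dhcp": route_map_decide(PETER_FIXED, DHCP_DISCOVER),
        "fixed/user": route_map_decide(PETER_FIXED, USER_FLOW),
        "don/local": route_map_decide(DON_PIX, DON_LOCAL),
        "don/internet": route_map_decide(DON_PIX, DON_INTERNET),
    }
```

In the original route-map the DHCP DISCOVER is not selected by block 10 (ACL deny), falls into the unconditional block 20 and is sent to Null0; with the deny-header block 15 it is returned to normal routing, while user traffic is policy-routed unchanged.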
Multiple routing tables and/or policy routing
Hey all,
I'm trying to configure a Mac Mini (10.8) for multiple routing tables and policy routing. This server runs Ostinato, a freeware traffic generator. My purpose is to generate traffic on multiple VLANs towards different gateways and different destinations. To that end, I have VLAN tagged the (only) Ethernet port and configured 5 VLANs on it. The first one has the default route (I manage this Mac over this VLAN). The other four have IP addresses in the test range I'm using.
The goal is to have traffic sourced from IP-address-X go out vlanX towards gateway-X. Its counterpart on the far end runs Linux and I have configured it in this way:
ip route add default via <gateway-X> dev ethX table X
ip rule add from <network-X> table X priority X
Researching on OpenBSD forums (since it's the base of MacOS X), provided this:
route -T X add 0.0.0.0/0 -iface <gateway-X>
echo pass in from <network-X> to 0.0.0.0/0 rtable X | pfctl -mf -
However, the Mountain Lion "route" command does not support the -T option, so that killed that idea. Another forum suggested that this would have worked on 10.4:
ipfw add X fwd <gateway-X> ip from <IP-address-X> to any
I tried this on 10.8 though the man page says it's deprecated, and (surprise, surprise) it did not work.
Any ideas to get this working appreciated!
Thanks,
Aaron
Still doesn't have it in 10.9.4.
irene:~ cschwartz$ sudo bash
bash-3.2# route -T add
route: illegal option -- T
usage: route [-dnqtv] command [[modifiers] args]
I'm guessing you want policy-based routing due to VLANs...? If you can get a USB-to-Ethernet adapter, then maybe you can work around this by using multiple physical links instead of VLAN tagging. But if you need source-based routing etc. then no.
Policy Routing - Unix and MS (Dare I ask?)
Guys,
Need to route out of a dual-homed Unix and Windows box based on the source address or source interface so as not to follow the default route.
I.e., a packet arrives at host x on interface eth0 but the default route is out of eth1, so I get asymmetric packet forwarding on the box.
I think ipfw is the way to policy route on unix, but anyone got a plan for windows?
Many thx indeed, and kind regards,
Ken
The standard action, as performed by router software (such as Cisco IOS), is to select the next hop address and the output device. I will refer to this action as a "match & set" style of action. However, Linux takes a much more flexible approach. In Linux, there are several actions to choose from. The default action performs a route lookup from a specified destination-based routing table. The match & set action then becomes the simplest case of Linux route selection, which is realized when the specified destination-based routing table contains only a single default route. Linux supports multiple routing tables, containing multiple standard destination routes. Bear in mind that each of these routing tables is the same as the entire routing table for any other OS. Linux effectively provides 255 Ciscos to choose from. (For number freaks, Linux 2.2.12 supports 255 routing tables, 255 aggregate realms, and 2^32 (4294967296 decimal) policy rule priorities.)
Mac Address Filtering Issue with DI-624 router and HP D110 Wireless Printer
Just got the D110 Wireless Printer and cannot connect to the wireless router.
I have a D-Link DI-624 Air Plus Xtreme G 2.4GHz Wireless Router.
The error message that I'm receiving from the printer is that "Mac address filtering may be enabled on your wireless router. This can prevent your HP printer from connecting to your wireless network during setup....etc."
The D-Link is set up using WPA-PSK security. If I turn off all security then the wireless printer is able to connect. With WPA-PSK or even WEP enabled I cannot connect the printer to the wireless router. There is no connection to hardwire the printer and the router.
I've logged on to the router's admin and have confirmed several times that Mac filtering is turned off by going to Advanced > Filters > Mac Filters > and choosing Disabled Mac Filters. Where else is this setting? Why is the printer not able to connect?
Further, I checked the logs on the router and it shows "Wireless PC Connected" and "Authentication Success" with a note that has the Mac Hardware Address matching the printer's mac hardware address on the Wireless Network Test Report. It would appear that the router is letting the printer in but that the printer is not able to communicate for some reason. It even shows under status > wireless that the printer is connected.
When I spoke to HP, they said to contact the router company and that they could not help. When I called D-Link they said tech support is no longer available for the model. I'm stuck, can anybody help?
Windows XP, tried both the front of the printer as well as connecting via USB and using the software.
After a few hours on the phone with both D-Link and HP, the issue has been resolved.
Apparently even though Mac Filtering was disabled (set to Disabled MAC Filters), the Mac address had to be entered into the router to allow it while keeping the setting to Disabled Mac Filters. To me it appeared counter-intuitive to enter the Mac address while it's set to Disabled Mac Filters, so I did not try that before getting on the phone with HP. Further on this, the problem did not go away right after adding the mac address but rather after restarting the router, as the mac address addition did not take effect without a reboot of the device.
HP was much more helpful than D-Link on this one, though it would be nice for HP to add to their instructions and Wireless Network Test Report to add the Mac address just in case. I would have tried that step if it was stated that it's okay to add the mac address and keep mac filters disabled.
PMTU-D Black Hole Detection Missing? Cause of some conn hangs.
In looking through the kernel source, it appears that Apple has left out one of the most important parts of Path MTU Discovery (RFC1191) as suggested in RFC2923. Since Path MTU Discovery is enabled by default, this may cause some of you to have 15 minute hangs and ultimate termination of connections when large packets are sent to specific hosts.
Other than DNS and Wireless network drops, MTU settings appear to be one of the single most problematic things going on with OS X right now.
For those who are not familiar with MTU, here's a brief rundown.
10/100 Ethernet networks support a base MTU of around 1514 bytes. This is the max number of bytes that a packet is able to be in order to get put on an Ethernet network (and be within spec). Gigabit Ethernet allows for larger, but we won't go into that.
You're probably more used to hearing 1500, however, that is the MTU for IP (or the Ethernet payload) as the Ethernet header itself is 14 bytes.
In that 1500 bytes, you have to fit your IP header, ICMP/TCP/UDP header, and any higher layer protocols and data, each layering on top of the next.
|<--Ethernet (14 Bytes)--><--IP (20 Bytes)--><--TCP (20 Bytes)--><--Data (1460 Bytes)-->|
So that is how things look on a local area network.
Once the WAN comes into play, the Ethernet header is stripped off leaving only the IP packet and another header put in its place to get it over the next link. This process goes on and on and on until the packet finally reaches its destination.
But here's the problem - what if there is ANOTHER layer between the Ethernet and IP stack?
This is actually quite common and you're probably using it now. The protocol PPP over Ethernet (PPPoE) fits between the Ethernet header and the IP header and adds another 8 bytes to this packet size.
So now we end up with:
|<--Ethernet (14 Bytes)--><--PPPoE (8 Bytes)--><--IP (20 Bytes)--><--TCP (20 Bytes)--><--Data (1452 Bytes)-->|
Notice that we now can't put as much data in this packet or we'll end up with a packet that is too big to fit on the Ethernet network.
The PPPoE header will ultimately get taken off once the packet gets where it needs to go at your ISP, but there may be other 'tunnels' between you and your ultimate destination and continue to strip off space of how much data you can put into a packet.
So how do you know how much data you can put into a packet when you don't own or know anything about the network between you and the destination?
That's where Path MTU Discovery comes into play.
It used to be that IP packets would be fragmented (split up) if a packet was too big to get put on the next network. This process of fragmentation causes overhead for both the router having to split up the packets and the receiving device that has to put them all back together again (and make sure they go in the right order).
So in order to reduce this overhead and also ensure that you are always sending the largest packets possible from end to end, IP stacks started setting the 'Don't Fragment' bit in the IP header. This instructs routers to throw away the packet if it is too big when it gets there.
When the packet gets thrown away due to it being too large, the router that throws it away also sends an ICMP packet (an IP diagnostics message) back to the sender telling it what the MTU is of the interface that couldn't take the packet. The sender can then re-calculate things based on that value and resend.
This works great EXCEPT when there are firewalls in the way (or broken routers, which is less likely these days). Many firewalls will not allow these ICMP messages to go back to the sender. Therefore, your host never receives the message that it is supposed to reduce the size of the packet and keeps trying and trying for about 15 minutes until it finally dies.
This is one reason why you may be seeing long hangs that ultimately end in termination of your connection.
RFC2923 goes into some options to work past this issue.
One way that this can be done (Windows Vista, for instance, does this) is for the system to keep an eye on how many max-sized packets get retransmitted. After a certain number (let's say 5), the system assumes that it is not getting this ICMP notification and cuts the size of that packet in half so it can now get the data through, assuming that smaller packets are better than no packets getting sent.
It may also (and does with Vista) temporarily disable the setting of the 'Don't Fragment' bit and allow the routers to just take care of things. So in Vista, you'll see the page stutter for a second, and then continue to load, where an OS X system will sit there and hang for 15 minutes.
This is where OS X goes wrong. This behavior is called PMTU-D Black Hole Detection and does not appear to be in the IP stack for Leopard (and probably not previous releases).
So what can you do?
You have a few options, some of which I've already provided to a few folks (although without the mathematics so it's just a rough guess value).
First, you can just disable PMTU-D. The command to do this is:
sudo sysctl -w net.inet.tcp.pathmtudiscovery=0
This is a 'quick fix' but does eliminate the benefits that PMTU-D provides.
Second, you can calculate out what size MTU seems to work for you by working backwards and configure that on something within your control.
If your home router supports it, that's a good place to reduce the MTU since it only comes into play when you're using your Internet connection and not when hosts within the same network talk to each other. So if you place the MTU of 1472 on your router and your host sends it a 1500 byte packet, it will send back the ICMP message telling you to reduce it down to 1472.
If your router doesn't support it, you can reduce the MTU on your Mac's physical interface. This isn't always the best solution since you really should then reduce the MTU on each of your local systems or you could run into issues locally.
The command to do this is:
sudo ifconfig en1 mtu 1472
To make this permanent for Ethernet, set it in the Network settings. For Airport, search the forums. I provided an update you can make to one of the preferences files manually to do this (don't remember what file right now).
I have found a couple of sites (Washington Mutual's website for instance) that appear to have configuration issues internal to their network in which a device behind a firewall (possibly the web server, load balancer, or IPSec added) that may have an MTU less than 1500 set on it AND a firewall blocking ICMP packets from coming back. These sites will throw off your math since you can no longer assume a max size of 1500 for IP packets. In this specific case, you have to assume 1480.
Third, you can adjust the MSS setting (Max Segment Size) in the kernel to a value that is 20 bytes smaller than what you would otherwise set the MTU to. This ensures that the TCP stack doesn't put more than that amount of data in any single packet (therefore, eliminating the MTU issue), however, this will not work for UDP.
Finally, you can submit a bug report to let Apple know that PMTU-D Black Hole detection is something that we need.
So what kind of impact does this have on performance?
This will depend on what solution you choose, what the performance of your home router is, and the load on the various servers that have to potentially re-assemble the packets.
That said, knocking things all the way down to 1400 bytes, I am able to still get at least 15 Mbps up and down stream over the Internet.
If you have any questions on this post, please post and I'll do my best to respond. Hopefully this will help one more person resolve their performance issues with Leopard.
Hi Karsten and thanks for the suggestion!
I have exempted internal networks and can connect them via the VPN connection. I also got connectivity to the outside world with nat (outside,outside) and 'same-security-traffic permit intra-interface'.
A question remains though. At the moment, all traffic gets out of the network through the 'outside' interface IP (.22). I'd rather use a dedicated address from the /29 on GigabitEthernet0/0. Is it possible to achieve that? To put it differently, I'd like to NAT the VPN range onto an address that is not the 'outside' interface, like I did in this statement, for instance:
nat (v200,outside) source dynamic v200_private v200_public
My other question is, whether the single NAT statement [nat (outside,outside) dynamic interface] is sufficient for VPN traffic and whether the original statement can be removed [nat (vpn,outside) source dynamic vpn_pool vpn_public].
Thanks once again for the tips!
R.
Hello,
We currently have our gateway / web filter routing set up in this manner:
lan --- 2921 ---asa(firewall) ---internet
|
------ web filter
So the traffic destined to the internet that is not supposed to be filtered goes right through the router to the ASA. The traffic that is destined to be filtered gets policy routed to the web filter, which then gets routed back to the 2921 and out to the ASA. This is a bad design, I will admit that.
What I want to do is this:
lan - 2921 --- asa(firewall) --- internet
| |
--- web filter ---
With this change the traffic will not have to go back to the router and then back out to the asa. This will cut the traffic going through the router in half, which will result in lower cpu usage.
My question about changing this is as follows.
The ASA has a route to the LAN networks that are getting filtered. Let's say they are 172.16.0.0/16. The route comes from the LAN, which is advertised to the router, which in turn is advertised to the ASA. If I use a route-map to policy route certain networks to the web filter, will the return traffic go back through the web filter or will it go back directly to the router? I don't have a spare ASA to test this with.
Thanks,
Dan.
Not possible.
If you want this behavior, you can achieve it by source NATing on the next-hop all traffic going to the CSS. This will force the CSS to respond back to the NATed IP address on the same interface.
Gilles.
You are now entering the reactivation black hole! Have spent the last 6 weeks trying to get my case resolved with no success.
Summary
1. Reactivation for Master Collection CS3 prompted reactivation. Reactivation failed. Called support and still failed with them as well.
2. Sat on hold for 5 hours again and was told to de-install.
3. De-install did not work and used cleaner at level 4, which allowed me to re-enter the serial number but also removed Acrobat Professional and Director 11.5. Have also Production Premium on a second system as well. New activation only allows me to enter the Production Premium serial with a check mark and not Master Collection, which shows an X.
4. Oh wait, where are the download installs for CS3. No longer available depending on when you purchased them.
5. Running only a few programs with the Production Premium serial as the Master Collection serial is not recognized and does not work even though it is in my registered history with Adobe.
6. I never asked to go through this reactivation process and was happy with CS3 till software stopped working and was forced to enter the black hole.
7. From what I can tell there is no resolution possible here.
8. Guess the only way out is to find a crack that will bypass this mess Adobe has created, since they are unable to resolve this after 6 weeks and many hours on my part installing and reinstalling only some of the installs, as not all are still available for CS3. I only use fully purchased software; however, if the only way out is to crack it, well that is it, I give up.
The internet provider reset my router and now I cannot use Apple TV. I tried restoring and resetting the Apple TV and the Network test is fine. Netflix shows error atv-ui10 and no movies come up; it just shows black tickets at the top of the screen and says I am not connected. Internet works fine.
Delete/forget the network connection on the ATV and reconnect to the network.
Power cycle the router.
Site to Site VPN Problems With 2801 Router and ASA 5505
Hello,
I am having some issues setting up a site-to-site IPsec VPN between a Cisco 2801 router and a Cisco ASA 5505. I was told there was a VPN previously set up with an old hosting provider, but those connections have been severed. Right now I am trying to get the sites to talk to the 2801. Here are my current configs; please let me know if you need anything else. I'm stumped on this one. Thanks.
IP scheme at Site A:
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Site A Cisco 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
!
hostname router-2801
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
!
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
!
ip dhcp pool DHCP
   network 172.19.3.128 255.255.255.128
   default-router 172.19.3.129
   domain-name domain.local
   netbios-name-server 172.19.3.7
   option 66 ascii 172.19.3.225
   dns-server 172.19.3.140 208.67.220.220 208.67.222.222
!
ip dhcp pool VoiceDHCP
   network 172.19.10.0 255.255.255.0
   default-router 172.19.10.1
   dns-server 208.67.220.220 8.8.8.8
   option 66 ascii 172.19.10.2
   lease 2
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
!
key chain key1
 key 1
  key-string 7 06040033484B1B484557
!
crypto pki trustpoint TP-self-signed-3448656681
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
 revocation-check none
 rsakeypair TP-self-signed-344bbb56681
!
crypto pki certificate chain TP-self-signed-3448656681
 certificate self-signed 01
  3082024F
  quit
!
username admin privilege 15 password 7 F55
archive
 log config
  hidekeys
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group IISVPN
 key 1nsur3m3
 dns 172.19.3.140
 wins 172.19.3.140
 domain domain.local
 pool VPN_Pool
 acl 198
crypto isakmp profile IISVPNClient
   description VPN clients profile
   match identity group IISVPN
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map Dynamic 5
 set transform-set myset
 set isakmp-profile IISVPNClient
 qos pre-classify
!
crypto map VPN 10 ipsec-isakmp
 set peer 209.118.0.1
 set peer SITE B Public IP
 set transform-set myset
 match address 101
 qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
!
track 123 ip sla 1 reachability
 delay down 15 up 10
!
class-map match-any VoiceTraffic
 match protocol rtp audio
 match protocol h323
 match protocol rtcp
 match access-group name VOIP
 match protocol sip
class-map match-any RDP
 match access-group 199
!
policy-map QOS
 class VoiceTraffic
  bandwidth 512
 class RDP
  bandwidth 768
policy-map MainQOS
 class class-default
  shape average 1500000
  service-policy QOS
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
 ip address 172.19.3.129 255.255.255.128
 ip access-group 100 in
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.10
 description $ETH-VoiceVLAN$$
 encapsulation dot1Q 10
 ip address 172.19.10.1 255.255.255.0
 ip inspect SDM_LOW in
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 description "Comcast"
 ip address PUB IP 255.255.255.248
 ip access-group 102 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN
!
interface Serial0/1/0
 description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/1/0.1 point-to-point
 bandwidth 1536
 ip address 152.000.000.18 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 frame-relay interface-dlci 500 IETF
 crypto map VPN
 service-policy output MainQOS
!
interface Serial0/2/0
 description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
 ip address 123.252.123.102 255.255.255.252
 ip access-group 102 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 crypto map VPN
 service-policy output MainQOS
!
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
!
ip access-list extended VOIP
 permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
 permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
!
ip radius source-interface FastEthernet0/0
ip sla 1
 icmp-echo 000.67.220.220 source-interface FastEthernet0/1
 timeout 10000
 frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny   ip 67.128.87.156 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny   ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny   ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny   ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny   ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny   ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
!
route-map PAETEC permit 10
 match ip address 110
 match interface Serial0/2/0
!
route-map COMCAST permit 10
 match ip address 110
 match interface FastEthernet0/1
!
route-map VERIZON permit 10
 match ip address 110
 match interface Serial0/1/0.1
!
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
end
IP scheme at site B:
ip  172.19.5.x
sub 255.255.255.192
gw  172.19.5.65
Cisco ASA 5505 at Site B
ASA Version 8.2(5)
!
hostname ASA5505
domain-name domain.com
enable password b04DSH2HQqXwS8wi encrypted
passwd b04DSH2HQqXwS8wi encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.19.5.65 255.255.255.192
!
interface Vlan2
 nameif outside
 security-level 0
 ip address SITE B public IP 255.255.255.224
!
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name iis-usa.com
same-security-traffic permit intra-interface
object-group network old hosting provider
 network-object 72.55.34.64 255.255.255.192
 network-object 72.55.33.0 255.255.255.0
 network-object 173.189.251.192 255.255.255.192
 network-object 173.163.157.32 255.255.255.240
 network-object 66.11.1.64 255.255.255.192
 network-object 107.0.197.0 255.255.255.192
object-group network old hosting provider
 network-object host 172.19.250.10
 network-object host 172.19.250.11
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
access-list 100 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
access-list 10 extended deny ip 0.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 127.0.0.0 255.0.0.0 any
access-list 10 extended deny ip 169.254.0.0 255.255.0.0 any
access-list 10 extended deny ip 172.16.0.0 255.255.0.0 any
access-list 10 extended deny ip 224.0.0.0 224.0.0.0 any
access-list 10 extended permit icmp any any echo-reply
access-list 10 extended permit icmp any any time-exceeded
access-list 10 extended permit icmp any any unreachable
access-list 10 extended permit icmp any any traceroute
access-list 10 extended permit icmp any any source-quench
access-list 10 extended permit icmp any any
access-list 10 extended permit tcp object-group old hosting provider any eq 3389
access-list 10 extended permit tcp any any eq https
access-list 10 extended permit tcp any any eq www
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.0 255.255.255.128
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 object-group old hosting provider
pager lines 24
logging enable
logging timestamp
logging console emergencies
logging monitor emergencies
logging buffered warnings
logging trap debugging
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip verify reverse-path interface inside
ip verify reverse-path interface outside
ip audit name jab attack action alarm drop reset
ip audit name probe info action alarm drop reset
ip audit interface outside probe
ip audit interface outside jab
ip audit info action alarm drop reset
ip audit attack action alarm drop reset
ip audit signature 2000 disable
ip audit signature 2001 disable
ip audit signature 2004 disable
ip audit signature 2005 disable
icmp unreachable rate-limit 1 burst-size 1
icmp permit 75.150.169.48 255.255.255.240 outside
icmp permit 72.44.134.16 255.255.255.240 outside
icmp permit 72.55.33.0 255.255.255.0 outside
icmp permit any outside
icmp permit 173.163.157.32 255.255.255.240 outside
icmp permit 107.0.197.0 255.255.255.192 outside
icmp permit 66.11.1.64 255.255.255.192 outside
icmp deny any outside
asdm image disk0:/asdm-645.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0
access-group 10 in interface outside
route outside 0.0.0.0 0.0.0.0 174.78.151.225 1
timeout xlate 3:00:00
timeout conn 24:00:00 half-closed 0:10:00 udp 0:10:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 24:00:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http 107.0.197.0 255.255.255.192 outside
http 66.11.1.64 255.255.255.192 outside
snmp-server host outside 107.0.197.29 community *****
snmp-server host outside 107.0.197.30 community *****
snmp-server host inside 172.19.250.10 community *****
snmp-server host outside 172.19.250.10 community *****
snmp-server host inside 172.19.250.11 community *****
snmp-server host outside 172.19.250.11 community *****
snmp-server host outside 68.82.122.239 community *****
snmp-server host outside 72.55.33.37 community *****
snmp-server host outside 72.55.33.38 community *****
snmp-server host outside 75.150.169.50 community *****
snmp-server host outside 75.150.169.51 community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 10 match address 110
crypto map VPNMAP 10 set peer 72.00.00.7 old vpn public ip Site B Public IP
crypto map VPNMAP 10 set transform-set ESP-3DES-MD5
crypto map VPNMAP 10 set security-association lifetime seconds 86400
crypto map VPNMAP 10 set security-association lifetime kilobytes 4608000
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet 172.19.5.64 255.255.255.192 inside
telnet 172.19.3.0 255.255.255.128 outside
telnet timeout 60
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 60
console timeout 0
management-access inside
dhcpd dns 172.19.3.140
dhcpd wins 172.19.3.140
dhcpd ping_timeout 750
dhcpd domain iis-usa.com
!
dhcpd address 172.19.5.80-172.19.5.111 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection scanning-threat shun except object-group old hosting provider
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 128.118.25.3 source outside
ntp server 217.150.242.8 source outside
tunnel-group 72.00.00.7 type ipsec-l2l
tunnel-group 72.00.00.7 ipsec-attributes
 pre-shared-key *****
tunnel-group old vpn public ip type ipsec-l2l
tunnel-group old vpn public ip ipsec-attributes
 pre-shared-key *****
tunnel-group SITE A Public IP type ipsec-l2l
tunnel-group SITE A Public IP ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect pptp
  inspect sip
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email [email protected]
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end

I have removed the old "set peer" and have added:
IOS router:
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.65
ASA fw:
access-list 110 extended permit ip 172.19.5.64 255.255.255.192 172.19.3.128 255.255.255.128
on the router I have also added;
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
Here is my acl :
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
Still no ping to the other site.
-
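Two details in the lines added above decide whether site-to-site traffic ever reaches the crypto map, and both come down to how IOS evaluates a numbered ACL: entries are tested top to bottom, the first match wins, and a new `access-list N ...` line is always appended to the end of the list. The `deny ... 172.19.5.64 0.0.0.63` entry in access-list 110 therefore sits below `permit ip 172.19.3.128 0.0.0.127 any` and can never match, so site B traffic is still translated by the NAT route-maps and no longer matches crypto ACL 101 afterwards. Separately, the crypto ACL entry uses wildcard `0.0.0.65` rather than `0.0.0.63`: a wildcard bit set to 1 is "don't care", so `172.19.5.64 0.0.0.65` matches only four addresses, none of them in the DHCP range the ASA hands out. The following script is an added example, not part of the original posts or of any Cisco tool. It implements wildcard matching and first-match evaluation for the `access-list` syntax used in this thread, then runs the posted access-list 110 (copied from the post) against a constructed packet from 172.19.3.130 (site A LAN) to 172.19.5.70 (site B LAN); both hosts are assumed sample endpoints inside the posted subnets. The port-name table and the "reordered" list are this example's own.

```python
"""Added example: IOS-style ACL wildcard matching and first-match evaluation.

Not the poster's code and not a Cisco tool. The access-list 110 text below is
copied from the post; the sample endpoints 172.19.3.130 and 172.19.5.70 are
constructed hosts inside the subnets the thread describes.
"""
import ipaddress
from typing import Optional

# Only the port keywords that appear in the posted ACLs (assumed table)
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ftp": 21, "ftp-data": 20}


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 0 bits must match exactly, 1 bits are don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def wildcard_members(base: str, wildcard: str) -> list:
    """Enumerate every address a base/wildcard pair matches (non-contiguous wildcards included)."""
    wc = _to_int(wildcard)
    free_bits = [1 << i for i in range(32) if (wc >> i) & 1]
    if len(free_bits) > 8:
        raise ValueError("too many don't-care bits to enumerate")
    fixed = _to_int(base) & ~wc & 0xFFFFFFFF
    members = []
    for combo in range(1 << len(free_bits)):
        value = fixed
        for j, bit in enumerate(free_bits):
            if (combo >> j) & 1:
                value |= bit
        members.append(value)
    return [str(ipaddress.IPv4Address(v)) for v in sorted(members)]


def _parse_addr(tokens: list, i: int):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (base, wildcard, next)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_acl(text: str) -> list:
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] ...' lines in config order.
    Remarks are skipped; trailing keywords such as log/established are ignored."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] == "remark":
            continue
        ace = {"action": t[2], "proto": t[3], "dport": None}
        ace["src"], ace["src_wc"], i = _parse_addr(t, 4)
        ace["dst"], ace["dst_wc"], i = _parse_addr(t, i)
        if i + 1 < len(t) and t[i] == "eq":
            ace["dport"] = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(ace)
    return aces


def evaluate(aces: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First match wins; return (action, index). (deny, None) is the implicit deny."""
    for idx, a in enumerate(aces):
        if a["proto"] != "ip" and a["proto"] != proto:
            continue
        if not wildcard_match(src, a["src"], a["src_wc"]):
            continue
        if not wildcard_match(dst, a["dst"], a["dst_wc"]):
            continue
        if a["dport"] is not None and a["dport"] != dport:
            continue
        return a["action"], idx
    return "deny", None


# access-list 110 exactly as posted: the site B deny was appended after 'permit ... any'
ACL_110_AS_POSTED = """
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63
"""

# Same entries, with the site B deny moved ahead of the catch-all permit (example's own ordering)
ACL_110_REORDERED = "access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.5.64 0.0.0.63\n" + \
    "\n".join(ACL_110_AS_POSTED.strip().splitlines()[:-1])


def nat_decision(acl_text: str, src: str = "172.19.3.130", dst: str = "172.19.5.70") -> str:
    """'permit' = the packet is translated by the NAT route-map and so no longer matches
    crypto ACL 101; 'deny' = it is exempt from NAT and can be picked up by the crypto map."""
    return evaluate(parse_acl(acl_text), "ip", src, dst)[0]


if __name__ == "__main__":
    print("NAT ACL as posted  :", nat_decision(ACL_110_AS_POSTED))    # permit (site B traffic gets NATted)
    print("NAT ACL reordered  :", nat_decision(ACL_110_REORDERED))    # deny
    print("0.0.0.65 matches   :", wildcard_members("172.19.5.64", "0.0.0.65"))  # .0, .1, .64, .65 only
    print("0.0.0.63 covers .70:", wildcard_match("172.19.5.70", "172.19.5.64", "0.0.0.63"))  # True
```

The same first-match rule applies to the crypto ACL on the IOS side and to the mirror-image ACL on the ASA: the order you see in `show running-config` is the order the box evaluates, and a line that lands below a broader permit or deny is dead. `wildcard_members` is also a quick way to sanity-check any wildcard that is not a contiguous block of ones before committing it.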
HOME#sho run
Building configuration...
Current configuration : 5657 bytes
! Last configuration change at 10:51:11 UTC Fri May 17 2013 by admin
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname HOME
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$bgx9$VrtQW3Wg182VyYhKAHLbN.
!
no aaa new-model
memory-size iomem 10
crypto pki trustpoint TP-self-signed-1190003239
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1190003239
 revocation-check none
 rsakeypair TP-self-signed-1190003239
!
crypto pki certificate chain TP-self-signed-1190003239
 certificate self-signed 01
  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31313930 30303332 3339301E 170D3133 30353137 31303333
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31393030
  30333233 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C002 80BBF151 E095E469 AA7DBB18 2A9E3CC2 4AC223F6 ABE0AF49 876C1203
  65D0E246 786F174D E5B7897A 44C5755A 2571E58A 184A6C62 DD992A2A D8A24878
  25A8D3C3 03F5D3C2 522EC8BB 302B0CCD 2945087A 7AF01418 D0056679 6F64DB4A
  BE2D5DA1 106CD03A 83B422A2 3CCBAE88 F2413123 12269390 6949DFE0 411118E7
  8F210203 010001A3 72307030 0F060355 1D130101 FF040530 030101FF 301D0603
  551D1104 16301482 12484F4D 452E7777 772E7961 686F6F2E 636F6D30 1F060355
  1D230418 30168014 3D2D854D 1203F50D 77F4ABC5 B61CEAF6 C922F4DF 301D0603
  551D0E04 1604143D 2D854D12 03F50D77 F4ABC5B6 1CEAF6C9 22F4DF30 0D06092A
  864886F7 0D010104 05000381 8100B24C 48BACACE 87ADEA03 386F2045 CC89624A
  4EB1AD09 062EB2A4 CF4C96CA 0B2CF001 BD2C3804 8DC47FED 6A5B5F0D 3965AC6E
  4FC4682F 707E4132 8F27C083 C7FAE1BD 21D055E6 C79D5DAD 051B6321 D35DB4F2
  044E6BBD DAD08B6A 6ED87C7E 08F4F7E1 4EFDFB6F 867AF6FA 84165CFC D219D56F
  A82EABD4 AD9CFA24 A5088145 E571
  quit
ip source-route
ip routing protocol purge interface
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   domain-name www.google.com
   dns-server 192.168.1.1
   lease 0 2
!
ip cef
ip domain name www.yahoo.com
ip name-server 84.235.6.55
ip name-server 84.235.57.230
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid CISCO881-SEC-K9 sn FCZ1516933C
!
username admin privilege 15 password 0 cisco
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan2
 no ip address
 ip nat inside
 ip virtual-reassembly
!
ip default-gateway 192.168.1.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
banner motd ^Cuthorized ^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password cisco
 logging synchronous
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

HOME#ping 4.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Success rate is 0 percent (0/5)
HOME#sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down
FastEthernet1              unassigned      YES unset  down                  down
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  down                  down
FastEthernet4              192.168.1.120   YES DHCP   up                    up
NVI0                       10.10.10.1      YES unset  up                    up
Vlan1                      10.10.10.1      YES NVRAM  down                  down
Vlan2                      unassigned      YES NVRAM  down                  down
HOME#
FastEthernet4 is connected to my internet connection.
-
Safari 5.1 on an iMac running OS X 10.6.8. Adding bookmarks to the "Unsorted Bookmarks" folder puts them in a black hole. I can't find the "UB" folder. Where is it? Should I add it to the folder list somewhere in the left pane? Or? Help, please!
It looks like the installation process of one of the applications has caused some trouble. One of them may have changed or added kext files.
Because of that, the window server crashes if you try to open a non-Apple application like Firefox.
Start the system in safe mode by holding the shift key on power-on.
If safe mode is reached, perform a permissions repair with Disk Utility.
Don't bother about warnings like "could not repair file xy"; they occur because you are using the tool on a running system, and opened files cannot be touched by the tool.
After the repair is done, reboot the system normally and try to open Firefox.
If the problem persists, please report back here.
Lupunus