RPC fails through 881 Point to point Tunnel for VEEAM
Hi I have inherited 2 881's
We are setting up a Veeam server to Replicate a Hyper-V host.
When I try and add the remote hyper-v server through the P2P VPN VEEAM comes back with an error. "Unable to connect via WMI".
WMI is enabled on the target server firewalls are down and AV software removed. If I'm in the same subnet the WMI works. It feels like the VPN is blocking WMI.
Everything else seems to be working through the P2P VPN.
Thanks
Traffic is initiated through device 1
881 Device 1 Config
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
interface Loopback0
no ip address
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.x.x.x255.255.255.240
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.11.1 255.255.255.0
ip access-group 130 in
ip access-group 130 out
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
ip local pool SDM_POOL_1 10.10.21.10 10.10.21.80
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.123.165.1 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.11.5 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.11.5 9091 interface FastEthernet4 9091
ip nat inside source static tcp 10.10.11.9 80 interface FastEthernet4 80
ip nat inside source static tcp 10.10.11.9 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
access-list 23 permit 10.10.21.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 216.123.165.0 0.0.0.15 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.11.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.11.9
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.10.11.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 106 deny ip 10.10.11.0 0.0.0.255 10.10.21.0 0.0.0.255
access-list 106 permit ip 10.10.11.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 120 remark CCP_ACL Category=16
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.11.0 0.0.0.255 any
access-list 120 permit ip 10.10.21.0 0.0.0.255 any
access-list 130 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 130 permit ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
banner exec ^CC
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CC
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
scheduler max-task-time 5000
end
CarePathBackupRouter#
881 Device 2 Config
service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-sll-zone-in-zone source ssl-zone destination in-zone
service-policy type inspect sdm-pol-ssl-vpn-traffic
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
service-policy type inspect sdm-policy-sdm-cls--2
interface Loopback0
ip address 10.10.50.1 255.255.255.0
interface FastEthernet0
switchport access vlan 2
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.x.x.x255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Virtual-Template5
ip unnumbered FastEthernet4
zone-member security ssl-zone
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan2
description $FW_DMZ$
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
ip local pool SDM_POOL_1 10.10.50.2 10.10.50.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.5 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.20.100 80 interface FastEthernet4 80
ip nat inside source list 120 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.20.100 443 interface FastEthernet4 443
ip nat inside source static tcp 10.10.10.5 9091 216.x.x.x9091 extendable
ip access-list extended DMZOutbound
remark CCP_ACL Category=128
permit ip host 10.10.20.4 any
permit ip host 10.10.20.5 any
ip access-list extended LANtoDMZ
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
permit ip any host 10.10.20.4
permit ip any host 10.10.20.100
ip access-list extended SDM_4
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended VPNZtoDMZ
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
permit ip any host 10.10.20.4
ip access-list extended VPNtoDMZ
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
ip access-list extended WANtoOWA
remark CCP_ACL Category=128
permit ip any host 10.10.10.5
ip access-list extended WebsiteViewer
remark CCP_ACL Category=128
permit ip host 10.10.20.5 any
permit ip host 10.10.20.4 any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 10.10.20.1
permit ip any host 10.10.20.2
permit ip any host 10.10.20.3
permit ip any host 10.10.20.4
permit ip any host 10.10.20.5
permit ip any host 10.10.20.6
permit ip any host 10.10.20.7
permit ip any host 10.10.20.8
permit ip any host 10.10.20.9
permit ip any host 10.10.20.10
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.20.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.20.0 0.0.0.255
access-list 23 permit 10.10.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 permit ip 207.164.203.24 0.0.0.7 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit tcp any host 192.168.1.111 eq smtp
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.10.20.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.10.20.100
access-list 105 remark CCP_ACL Category=4
access-list 105 permit ip host 10.10.10.0 any
access-list 105 permit ip host 10.10.20.0 any
access-list 105 permit ip host 10.10.50.0 any
access-list 120 deny ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 120 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.20.0 0.0.0.255 any
access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 150 permit tcp any any eq 8081
access-list 190 permit ip any host 10.10.10.7
access-list 190 permit ip host 10.10.10.7 any
no cdp run
control-plane
banner exec ^CCCCCCCCCC
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CCCCCCCCCC
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
scheduler max-task-time 5000
webvpn gateway gateway_1
ip address 216.x.x.xport 8081
ssl trustpoint TP-self-signed-3840840377
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context WebVPN
title "CarePath WebVPN"
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
url-list "CarePath"
heading "CarePath Websites"
url-text "CPNet" url-value "http://10.10.10.100/CPnet/"
url-text "CarePath External Website" url-value "http://www.carepath.ca"
url-text "Navigator" url-value "http://10.10.10.103"
policy group policy_1
url-list "CarePath"
functions svc-enabled
svc address-pool "SDM_POOL_1"
svc msie-proxy option auto
svc split include 10.10.0.0 255.255.0.0
svc dns-server primary 10.10.10.5
virtual-template 5
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 20
inservice
end
CarePathRouterB#
Ok I think I messed up.
Here's the configs again.
Device 1
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.08 11:11:23 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 14737 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname CarePathBackupRouter
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 10000
no logging console
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
--More-- aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3598019594
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3598019594
revocation-check none
rsakeypair TP-self-signed-3598019594
crypto pki certificate chain TP-self-signed-3598019594
certificate self-signed 01
3082025D 308201C6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33353938 30313935 3934301E 170D3132 30333038 32333235
30395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35393830
31393539 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B290 42576863 0D990847 52965EB6 37067C00 38E8AFDC A2A4352C 5DD36F7A
--More-- 2F5CA25C B586E580 00E7F634 2437B446 DEF48F61 DA8D307C 47157F18 ED555E11
D7AEEF72 6C6CE291 1506D9E3 EF32D956 2E7677D6 710B370E 5A8E5115 33A92F11
44562D62 1452435C 3723126B E279C9DE 217077CF 1320D7C2 CF1BE495 1351B500
7B210203 010001A3 81843081 81300F06 03551D13 0101FF04 05300301 01FF302E
0603551D 11042730 25822343 61726550 61746842 61636B75 70526F75 7465722E
796F7572 646F6D61 696E2E63 6F6D301F 0603551D 23041830 1680142D A4BC83A1
785F6C73 DD8A98F1 8CBFACB1 D1287530 1D060355 1D0E0416 04142DA4 BC83A178
5F6C73DD 8A98F18C BFACB1D1 2875300D 06092A86 4886F70D 01010405 00038181
00B02915 B9C40F05 DC7DE975 67982D89 6C781413 5C2F0F3A 76CEEFD1 45DE776D
6D2B875F 0109EBBA E106BD35 CAE1F188 4D038977 E8FC77AC E8E1FC8A 14C88C3F
8CE98F32 69C1C7A8 E9C6394D 8A285A40 701115EC FBBB092D 23B13FA5 977D82EA
E5090F60 DC0B3480 96BDC5BB C1393AB0 5C135C70 6DA3926E 233E0824 982F6010 FF
quit
ip source-route
ip dhcp excluded-address 10.10.10.1
ip cef
no ip domain lookup
ip domain name yourdomain.com
ip port-map user-protocol--1 port tcp 9091
--More-- ip inspect log drop-pkt
no ipv6 cef
multilink bundle-name authenticated
vtp mode transparent
username vinadmin privilege 15 secret 5 $1$fDR/$CNiqlhaGh1/86.yaksu9J1
username bannayar secret 5 $1$WQH0$lqEvJa6vyCgG8P6ZCKFV30
username kabaines secret 5 $1$qghZ$KIzZ4AvLHuxpxdT8lPXu00
username ecousineau secret 5 $1$0vGF$/hFzdgUsjNy4KhQbBEJXX1
username ddepetrillo secret 5 $1$J.Z.$r2Hvj0wy65KdU2DB8RybI.
username dfulogsi secret 5 $1$mBGJ$pOTWXESj5IrNoHcp4a6Dg1
username whryniuk secret 5 $1$aiXM$V7Ivp7w9WGPfp7ZvNUuxw.
username lhryniuk secret 5 $1$ZMWh$q1TcQiQCnOcOc3386C60./
username dthomson secret 5 $1$oSuN$9iRmSxMzpFiJZ7J./DXwN/
username smoore secret 5 $1$DRy7$yYXbtjMqP6eNVNWf82qit1
username wpowell secret 5 $1$gK57$oUtnIg6xk6tV8xofNCWZj.
username pcarter secret 5 $1$FNOP$kwi.OJx9PTQqYRFFc3Lw11
username mferguson secret 5 $1$JAkk$yZ8gLDfpLjhoBUY2xiKGt0
username kmcdonald secret 5 $1$e6zr$WxiKO0Aqee2mUb3GtcOwK1
username drorovan secret 5 $1$q/bp$qpIgTq2zo3CUZtsMKYB9d/
--More-- username jragaz secret 5 $1$3xZ7$Cvg8Er8k5khygwd.Dg/Xh1
username pmajor secret 5 $1$u7up$X0HemguPY9Ng1vKxcAz.81
username borovan secret 5 $1$4Lje$BYGyz2EhCxE.FVql5tddA0
username jgowing secret 5 $1$YAsY$36ioJChe4Se786FyVOwZO/
username GGarcia secret 5 $1$9QO0$qEaHekjre5tWLc4HNnLhd/
username rbergeron secret 5 $1$8oB6$yk3IoBFJo/ndzRCoQTGPQ1
username rsimpson secret 5 $1$dnSM$KOiCXCpX6jgv/Z/WLt/qM0
username kgodbout secret 5 $1$xDkJ$OoOKh8KtQDy4h2CsnGl1V/
username amcgowan secret 5 $1$e9fw$xByQdweSgJKomCoa42Xhd.
username mstevelic secret 5 $1$dM72$u3W/r5o.WIULnYZMVLx.00
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key CarePathPSKJ0k1r address 63.250.109.214 255.255.255.248
crypto isakmp client configuration group VPNGroup
key Pa$$w0rd
dns 10.10.11.5
domain carepath.local
pool SDM_POOL_1
--More-- acl 103
max-users 70
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPNGroup
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to Carepath HO
set peer 63.250.109.214
--More-- set transform-set ESP-3DES-SHA1
match address 107
archive
log config
hidekeys
vlan 2-3,10,20
vlan 30
name Internal
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 108
class-map type inspect match-all sdm-nat-http-1
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
--More-- match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
match access-group 101
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
--More-- match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
--More-- match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-http-1
--More-- inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class class-default
pass
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
--More-- class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop log
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
--More-- zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
interface Loopback0
no ip address
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 216.123.165.9 255.255.255.240
--More-- ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.11.1 255.255.255.0
ip access-group 130 in
ip access-group 130 out
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
--More-- !
ip local pool SDM_POOL_1 10.10.21.10 10.10.21.80
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 216.123.165.1 permanent
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.11.5 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.11.5 9091 interface FastEthernet4 9091
ip nat inside source static tcp 10.10.11.9 80 interface FastEthernet4 80
ip nat inside source static tcp 10.10.11.9 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
--More-- ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
no logging trap
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
access-list 23 permit 10.10.21.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 216.123.165.0 0.0.0.15 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.11.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.11.9
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 10.10.11.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 105 remark CCP_ACL Category=0
--More-- access-list 105 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 106 deny ip 10.10.11.0 0.0.0.255 10.10.21.0 0.0.0.255
access-list 106 permit ip 10.10.11.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255 log
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 120 remark CCP_ACL Category=16
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.11.0 0.0.0.255 any
access-list 120 permit ip 10.10.21.0 0.0.0.255 any
access-list 130 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 130 permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 130 permit ip any any
no cdp run
--More-- !
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
banner exec ^CC
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
--More-- Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^CC
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
--More-- NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
scheduler max-task-time 5000
end
CarePathBackupRouter#
Device 2
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.10.08 11:05:59 =~=~=~=~=~=~=~=~=~=~=~=
sh run
Building configuration...
Current configuration : 29587 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Router
boot-start-marker
boot system flash c880data-universalk9-mz.124-24.5.T.bin
boot-end-marker
security passwords min-length 1
logging buffered 4096
enable secret 5 $1$tRc6$Pk3N1aDAx4E2rAYAJ90mH1
aaa new-model
aaa authentication login default local
--More-- aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-3840840377
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3840840377
revocation-check none
rsakeypair TP-self-signed-3840840377
crypto pki certificate chain TP-self-signed-3840840377
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383430 38343033 3737301E 170D3134 30393132 31303431
34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
--More-- 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38343038
34303337 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E66E C34A4C46 E413B794 5FB510D3 A306C684 9ED25F03 4B850571 D8E7561B
F66A4AA7 AE9E606C B440A785 3CE4A763 1C1A52FF 112D4CB9 CB755AA5 479F1508
775EED5D EEE09429 6D62FA24 C2B053F8 B8A09A91 3B5EAD10 9B7E2B0A 5AA92137
13DF18C1 4616B18C FD3662C1 A2813A66 2484E2B5 C56B607A 92E21E0F BD0D54CB
01930203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 15526F75 7465722E 63617265 70617468 2E6C6F63 616C301F
0603551D 23041830 168014D4 3B765BFE CE03F36B 9714FB7D 1E31015E 9B5D2830
1D060355 1D0E0416 0414D43B 765BFECE 03F36B97 14FB7D1E 31015E9B 5D28300D
06092A86 4886F70D 01010405 00038181 0081DE27 6994F293 40268BED F231747F
A0FB4FE6 BAD884C8 D9395782 35FD0450 57E74E6E E8E3575E 8F08FC1D 2916A16D
5DDBA88C 1299FF6C D7293908 DE3CFF1E 29B1BC43 48D68718 51ED7651 E032E50C
B6DC8607 56D2E957 46DDC00F BF5B81AC 9AA2CB21 1E566639 10E207E3 21CB0127
61C16AF4 CB1B5AEE 3559D0B2 3AC9603B E5
quit
ip source-route
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp excluded-address 10.10.10.1 10.10.10.19
ip dhcp excluded-address 10.10.10.91 10.10.10.254
--More-- ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.5
lease 0 2
ip dhcp pool sdm-pool1
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
no ip cef
ip domain name carepath.local
ip name-server 10.10.10.5
no ipv6 cef
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
--More--
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
--More-- server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
username forrestja secret 5 $1$0M.C$jSf2s6jBJc.BhOHEQz6Z7/
username Mckyedo secret 5 $1$.oVV$osTs3rwN6PDW1r1ratB/Y/
username kabaines secret 5 $1$05fS$aQmBAn5OPzemwHISAcjA91
username ecousineau secret 5 $1$chbt$y8i/cTvlKaoi7M6IK9XQz0
username danidepetrillo secret 5 $1$ClAB$cL.ISVieN3dtuXKYboyiO/
username ddepetrillo secret 5 $1$/8z2$zo9yhdXX0injN5sR.o.gc.
username dfulogsi secret 5 $1$7kTK$48wgcGO5ne4/p069y6hNX.
username whryniuk secret 5 $1$4K6u$hQkC7ZproSeYzXuF6C9z61
username lhryniuk secret 5 $1$XHHt$MFNNStOiC6dgfY93laFrU1
username amcgowan secret 5 $1$40Fm$O5QuPgLtQU0uq.9KbxW0M1
username dthomson secret 5 $1$CAZB$VF0qQbZ/zECKv3QfIDhuD.
username cshirley secret 5 $1$A395$0hL0DnNysybt51exyXWrN1
username smoore secret 5 $1$YFq4$j7UTBgdbQMikKGyDhAPCP.
username jzemaitis secret 5 $1$KiOv$Y22d.91YFkVaDcHc9JfL90
--More-- username wpowell secret 5 $1$ECmG$dQvMWSXWQqPSM/SWMm6Ja0
username vinadmin privilege 15 secret 5 $1$XJMD$kQLDFx1u5IKBNqtMtg4dL0
username Admin secret 5 $1$O3rB$H003Fl.KI7vNzSxRpsB5t.
username shirleyco secret 5 $1$aTod$A91adrDfFQrKx31aAe3/z0
username mferguson secret 5 $1$XISU$UjnnmGN22rzIf7xnX0CEc.
username kmcdonald secret 5 $1$cv4K$uuotKYnegG6.y4R7YRiyW1
username mstevelic secret 5 $1$.isq$wi/HGo0IkZWmoBY..QEeD/
username drorovan secret 5 $1$L799$Sz04d/XVM/g5Y62z5W.1/0
username jragaz secret 5 $1$hmK5$z/tvrdohCMiEprCW9p9Yq.
username pmajor secret 5 $1$CxxE$9hgS21SbVhVdOmUaRdvgs/
username borovan secret 5 $1$fsw9$ZIIUltJ9Cc7nBpmuswIDs.
username leedo secret 5 $1$xnMk$6IQf2FzK1L5QMgjfRx8.h.
username jgowing secret 5 $1$EVEP$YjxyE5Lw.hcivE.JqbH0Y/
username royst secret 5 $1$/wbP$W3daZVjU3bYAtR9x01nEh.
username rbergeron secret 5 $1$EeAx$ipFbCd0SwjTLUB/8pCMxR0
username rsimpson secret 5 $1$cvh6$0MVp4eSyhij0NCX6NUDGK1
username ssaraydarian secret 5 $1$YJV7$v14qULB7TFYsTEVcvyC8o.
username Leeke secret 5 $1$IH5i$.yJJW7mKF.sD7DIr53AXc0
username hooman secret 5 $1$eJ3J$OKcje0Q.K5o.IOJJ.it0D1
username cmills secret 5 $1$QH8Z$QZqY8kJEvpp/WBQIAl7yn0
username bannayar secret 5 $1$erc7$EhY2OUL2okAuJw6.VFwvW.
username alstiburek secret 5 $1$5FSX$5RJb1h0NBYyH6q93aXT3U.
username pcarter secret 5 $1$dVJI$EnovCDfEe3SakN15Q9kkW.
--More-- username dlinardos password 0 zckNW80240*
username janarthans view root secret 5 $1$A5c8$x/d03.bT3e29fTJ2Iunt/1
username palmerb view root secret 5 $1$MlTf$szxQvyRJBzRnofARAWP0z0
username lrobichaud privilege 0 secret 5 $1$nztN$hieW9P/XYakZ8aDxvc/hc/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key CarePathPSKJ0k1r address 216.x.x.x
crypto isakmp client configuration group VPNGroup
key Pa$$w0rd
dns 10.10.10.5
domain Carepath.local
pool SDM_POOL_1
acl 100
--More-- max-users 28
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VPNGroup
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Apply the crypto map on the peer router's interface having IP address 216.x.x.x that connects to this router.
set peer 216.x.x.x
set transform-set ESP-3DES-SHA1
--More-- match address SDM_4
archive
log config
hidekeys
ip ftp username cisco
ip ftp password <removed>
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 107
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 108
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
--More-- match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group 103
match protocol http
class-map type inspect match-any https
match protocol https
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map https
match access-group name WANtoOWA
class-map type inspect match-all sdm-nat-http-2
match access-group 104
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol tcp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CCP-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
--More-- class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 106
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any http
match protocol dns
match protocol http
match protocol https
match protocol icmp
match protocol smtp
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
--More-- match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-cls--2
match class-map http
match access-group name DMZOutbound
class-map type inspect match-all sdm-cls--1
match access-group name VPNZtoDMZ
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
--More-- match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-all ipsec-class
match protocol isakmp
match protocol ipsec-msft
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
--More-- class-map type inspect match-all webvpn-8081
match access-group 150
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any sdm-ssl-vpn-traffic
match access-group 121
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-any WebsiteViewer
match protocol smtp
match protocol https
match protocol http
match protocol ftp
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
--More-- class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
--More-- match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match protocol http
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
--More-- match text-chat
match search-file-name
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
match req-resp protocol-violation
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect match-all sdm-cls-ccp-permit-dmzservice-2
match access-group name VPNtoDMZ
class-map type inspect match-all sdm-cls-ccp-permit-dmzservice-3
match class-map WebsiteViewer
match access-group name WebsiteViewer
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect match-all sdm-cls-ccp-permit-dmzservice-1
match access-group name LANtoDMZ
class-map type inspect edonkey match-any ccp-app-edonkeychat
--More-- match search-file-name
match text-chat
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class class-default
--More-- drop
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-1
--More-- inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-ssl-vpn-traffic
inspect
class type inspect ccp-icmp-access
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class class-default
drop
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
--More-- log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-imap
--More-- inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
allow
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
--More-- log
allow
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--1
class type inspect sdm-cls--1
inspect
class class-default
drop
policy-map type inspect sdm-pol-Out-to-Self
class type inspect SDM_VPN_PT
pass
class type inspect webvpn-8081
class type inspect SDM_EASY_VPN_SERVER_TRAFFIC
pass
class class-default
drop
policy-map type inspect sdm-pol-ssl-vpn-traffic
class type inspect sdm-ssl-vpn-traffic
inspect
--More-- class class-default
drop
policy-map type inspect sdm-policy-sdm-cls--2
class type inspect sdm-cls--2
inspect
class class-default
drop
policy-map type inspect ccp-permit-dmzservice
class type inspect sdm-cls-ccp-permit-dmzservice-3
inspect
class type inspect sdm-cls-ccp-permit-dmzservice-2
inspect
class type inspect sdm-cls-ccp-permit-dmzservice-1
inspect
class type inspect ccp-dmz-traffic
inspect
class type inspect CCP-Voice-permit
inspect
class type inspect sdm-nat-smtp-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-1
--More-- inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class class-default
pass
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
inspect
class class-default
drop log
zone security dmz-zone
zone security out-zone
zone security in-zone
zone security ezvpn-zone
--More-- zone security ssl-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect sdm-pol-Out-to-Self
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-zone-dmz-zone source ezvpn-zone destination dmz-zone
--More-- service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-sll-zone-in-zone source ssl-zone destination in-zone
service-policy type inspect sdm-pol-ssl-vpn-traffic
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination ssl-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
interface Loopback0
ip address 10.10.50.1 255.255.255.0
interface FastEthernet0
switchport access vlan 2
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
--More-- interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 63.250.109.214 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Virtual-Template5
ip unnumbered FastEthernet4
zone-member security ssl-zone
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
--More-- ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Vlan2
description $FW_DMZ$
ip address 10.10.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security dmz-zone
ip local pool SDM_POOL_1 10.10.50.2 10.10.50.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 63.250.109.209
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.10.10.5 25 interface FastEthernet4 25
--More-- ip nat inside source static tcp 10.10.20.100 80 interface FastEthernet4 80
ip nat inside source static tcp 10.10.20.100 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.5 9091 63.250.109.214 9091 extendable
ip access-list extended DMZOutbound
remark CCP_ACL Category=128
permit ip host 10.10.20.4 any
permit ip host 10.10.20.5 any
ip access-list extended LANtoDMZ
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
permit ip any host 10.10.20.4
permit ip any host 10.10.20.100
ip access-list extended SDM_4
remark CCP_ACL Category=4
remark IPSec Rule
permit ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
--More-- permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended VPNZtoDMZ
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
permit ip any host 10.10.20.4
ip access-list extended VPNtoDMZ
remark CCP_ACL Category=128
permit ip any host 10.10.20.5
ip access-list extended WANtoOWA
remark CCP_ACL Category=128
permit ip any host 10.10.10.5
ip access-list extended WebsiteViewer
remark CCP_ACL Category=128
permit ip host 10.10.20.5 any
permit ip host 10.10.20.4 any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any host 10.10.20.1
permit ip any host 10.10.20.2
permit ip any host 10.10.20.3
--More-- permit ip any host 10.10.20.4
permit ip any host 10.10.20.5
permit ip any host 10.10.20.6
permit ip any host 10.10.20.7
permit ip any host 10.10.20.8
permit ip any host 10.10.20.9
permit ip any host 10.10.20.10
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.20.0 0.0.0.255
access-list 23 remark CCP_ACL Category=17
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.20.0 0.0.0.255
access-list 23 permit 10.10.50.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
--More-- access-list 101 permit ip 10.10.20.0 0.0.0.255 any
access-list 101 permit ip 207.164.203.24 0.0.0.7 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit tcp any host 192.168.1.111 eq smtp
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.10.20.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.10.20.100
access-list 105 remark CCP_ACL Category=4
access-list 105 permit ip host 10.10.10.0 any
access-list 105 permit ip host 10.10.20.0 any
access-list 105 permit ip host 10.10.50.0 any
access-list 106 remark CCP_ACL Category=128
access-list 106 permit ip host 216.x.x.x any
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip 10.10.11.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 120 remark CCP_ACL Category=18
access-list 120 deny ip 10.10.10.0 0.0.0.255 10.10.50.0 0.0.0.255
access-list 120 deny ip 10.10.20.0 0.0.0.255 10.10.50.0 0.0.0.255
--More-- access-list 120 deny ip 10.10.10.0 0.0.0.255 10.10.11.0 0.0.0.255
access-list 120 permit ip 10.10.20.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 any
access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 121 permit ip 10.10.50.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 150 permit tcp any any eq 8081
access-list 190 permit ip any host 10.10.10.7
access-list 190 permit ip host 10.10.10.7 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 120
control-plane
banner exec ^CCCCCCCCCCCCC
--More--
% Password expiration warning.
--More--
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
--More--
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
--More-- this session.
It is strongly suggested that you create a new username with a privilege level
--More--
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
--More--
Replace <myuser> and <mypassword> with the username and password you
want to use.
--More--
^C
banner login ^CCCCCCCCCCCCC
--More--
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
--More--
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
--More--
PUBLICLY-KNOWN CREDENTIALS
--More-- Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
--More--
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
--More--
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
--More--
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
--More--
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
--More-- no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
scheduler max-task-time 5000
webvpn gateway gateway_1
ip address 216.x.x.x port 8081
ssl trustpoint TP-self-signed-3840840377
inservice
webvpn install svc flash:/webvpn/svc_1.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context WebVPN
title "CarePath WebVPN"
secondary-color white
title-color #669999
text-color black
ssl authenticate verify all
--More-- !
url-list "CarePath"
heading "CarePath Websites"
url-text "CPNet" url-value "http://10.10.10.100/CPnet/"
url-text "CarePath External Website" url-value "http://www.carepath.ca"
url-text "Navigator" url-value "http://10.10.10.103"
policy group policy_1
url-list "CarePath"
functions svc-enabled
svc address-pool "SDM_POOL_1"
svc msie-proxy option auto
svc split include 10.10.0.0 255.255.0.0
svc dns-server primary 10.10.10.5
virtual-template 5
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1
max-users 20
inservice
end
--More--
Router#
Similar Messages
-
Hi Everyone,
I have a program that sends information(analog output) to lab windows cvi in the form of a text file or user input.
The program runs on the computers that I have the field point explorer and lab windows cvi installed on. In order to run the program without always installing labwindows/cvi and field point; I wanted to create an executable file that could be load on another computer.
I used the create distribution kit part of labwindows/cvi to do this.After creating the distribution kit, I then installed it
to another computer.
My user interface appears on the screen, when the user clicks on the exe. file, but no data is sent to the field point module. I know that the data is being read from the user and textfile because in it appears in the uir.
The following are some details about the problem:
1. On another computer without labwindows/cvi and field point explorer not installed - no data is sent to field point module
I know this because a current is being read on the current meter connected to field point module.
My questions are the following:
1. What are the possible reasons for the data not being sent to the field point module?
2. Do I still need to create an iak. (Installing Field point Explorer) file stored on any new computer that I install my created distribution kit file too?
Thankyou very much for any help that you can provide. I greatly appreciate it.
Faen9901Re: Hello, I have created a distribution kit for my program.The problem is that the when the program is installed onto another computer, it fails to communicate with field point (Using FP-AO-200 and FP-AO-1000). Help is greatly appreciated, Thanks faen9901Faen9901,
1) If you do not install FieldPoint Explorer, the FieldPoint Server is not installed so there is nothing on the target computer that knows how to talk to the FieldPoint system.
2) Yes, you need an IAK file on the target computer. Assuming the settings (i.e. com port#) are identical you can simply include the iak file as part of the distribution.
3) You also need to include as part of your installer the file "fplwmgr.dll". If this file is not installed, your program will not be able to access the FieldPoint Server. Alternatively, this file is installed automatically if FieldPoint Explorer detects LabWindows/CVI or Measurement Studio Development versions on the target computer or if you choose to do a custom FieldPoint Explorer installation and
choose to provide LabWindows/CVI support.
Regards,
Aaron -
Jmeter fails to test a BPEL with point to point JMS
Hi all,
Do you have any idea to Jmeter testing with Oracle BPEL. I configured my Jmeter with a point to point JMS.Then I send a request to a Oracle JMS queue using BPEL locator API.An MDB listens to that request queue pickup the message payload and initiate the BPEL using that i/p payload.BPEL itself after finishes its task call a ws which sends the result to another JMS queue listened by Jemeter.Now when I run Jmeter with this conf BPEL initiates properly by the request queue listener MDB, Jmeter listening to that receive queue appropriately receives the message from the receiving queue, but unfortunately i can't get any response in Jemeter Result view Tree.Jmeter fails to render the specific result to it's view tree.
I have used following list of jars to send a message payload and receiving it by Jmeter to Jmeter lib.
Apache Specific
activemq-all-5.0.0.jar
Oracle Specific
javax77.jar
jta.jar
jms.jar
oc4j.jar
oc4j-internal.jar
optic.jar
The jars are sufficient and enough to send a request to a Jms queue.I have wriiten an alternative oracle JMS client and used those Jars and did a lot of trial and error and finally reduced to this number of Jars.But why Jmeter can't render the result to its result view tree that I can't understand where it receives the result message successfully from the receive queue.
Any reply or suggestion is most welcome.
Thanks in advance.sorry for the late reply. The problem is that Oracle XDK is not compatible with the junitreport task. I believe there are some post install steps (due to licensing issues) that you need to perform before running the ant task. This is noted in the release notes (copied below):
1. base site for xalan is http://xml.apache.org/xalan-j/ site. to download, go to: http://www.apache.org/dyn/closer.cgi/xml/xalan-j. then from the recommended mirror site download xalan-j_2_7_0-bin.zip.
2. unzip this file.
3. copy unzip_dir\xalan-j_2_7_0\serializer.jar to Oracle_Home\bpel\lib\serializer_2.7.0.jar. copy unzip_dir\xalan-j_2_7_0\xalan.jar to Oracle_Home\bpel\lib\xalan_2.7.0.jar. Note the filename change
4. no change to obsetenv is needed. -
Hi all
In my project, I need to use SSL, however, there is a server at the middle that connects to the Internet and I want to make a point-to-point SSL connection with the Internet client through that middle server. The following is the network configuration of the system.
Server A is the server that proccesses the data and it has no internet connection.
Server B is connected with Server A with a leased line and it has internet connection, so that client with Internet access can connect to it.
Client uses the Internet and connects to Server A through Server B.
Now I want to know if it is possible that Client can make a point-to-point SSL connection to Server A because I don't want my data to be decrypted by Server B.
Thank you !
Edmond(My remarks might be entirely beside the point. Nevertheless.)
Here a Web Service seems appropiate; Sun has its SDK, IBM offers things also, etcetera.
The advantage of a web service, is that inside the message envelope several parts can have different encryption. Just for these kind of indirect tunneling web services are meant. In fact "web" is just a buzz word, communication by email is just an option too.
However I hope, that someone else might have a more direct solution. -
Design Help with MPLS/BGP and Point to Point VPNs using OSPF as backup
I need some advice on the configuration I want to implement. Basically we have a MPLS cloud using BGP. We are using OSPF for internal routing. Everything is working fine. Now we want to add a Point to Point VPN using new Cisco ASA's for a backup path at all of our remote locations. We want it to be on standby. I want to use OSPF for this. Miami and LA are datacenters. I want the VPN's to go into both datacenters if possible running OSPF for backups. I have a feeling this will be very tricky. I also wanted to use floating routes. Now I know I get the VPN's up and running using OSPF with no problem. Here are my questions:
But being that I am using different areas, will OSPF through the VPN work correctly? I have the Cisco PDF on setting this up but it looks like they are using the same, AREA0, in the example.
Can I get both VPN's to work with no problems? Or will it be too much of a pain?
What would you guys suggest?
Thanks.We are implementing the same solution, and was only able to make this work using HSRP one router for the MPLS connection and one for the VPN tunnel. I opened a TAC case and the tech couldn't get it to work either. I was able to establish the Lan-2-lan tunnel but triggering the route update was the problem. We ended up pulling our ASA5505's out and putting in 1841 routers.
-
Can't ping routers across point-to-point frame-relay
'evening,
Really basic setup. Designed with Packet Tracer, trying to ping routers across a point-to-point frame-relay. I've designed this according to three different training sources who all say the same thing. Yet, all pings failed.
The shows:
R1
R1#copy run st
Destination filename [startup-config]?
Building configuration...
[OK]
R1#show run
Building configuration...
Current configuration : 883 bytes
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R1
no ip domain-lookup
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
interface Serial1/0
no ip address
encapsulation frame-relay
interface Serial1/0.12 point-to-point
ip address 192.168.12.1 255.255.255.0
frame-relay interface-dlci 102
interface Serial1/0.13 point-to-point
ip address 192.168.13.1 255.255.255.0
frame-relay interface-dlci 103
ip classless
end
R1#show frame-relay lmi
LMI Statistics for interface Serial1/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 638 Num Status msgs Rcvd 638
Num Update Status Rcvd 0 Num Status Timeouts 16
LMI Statistics for interface Serial1/0.12 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 0 Num Status msgs Rcvd 0
Num Update Status Rcvd 0 Num Status Timeouts 16
LMI Statistics for interface Serial1/0.13 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 0 Num Status msgs Rcvd 0
Num Update Status Rcvd 0 Num Status Timeouts 16
R1#show frame-relay map
Serial1/0.12 (up): point-to-point dlci, dlci 102, broadcast, status defined, active
Serial1/0.13 (up): point-to-point dlci, dlci 103, broadcast, status defined, active
R1#show frame-relay pvc
PVC Statistics for interface Serial1/0 (Frame Relay DCE)
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.12
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.13
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
R2
R2#SHOW RUN
Building configuration...
Current configuration : 772 bytes
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R2
no ip domain-lookup
interface Serial1/0
no ip address
encapsulation frame-relay
interface Serial1/0.12 point-to-point
ip address 192.168.12.2 255.255.255.0
frame-relay interface-dlci 201
ip classless
end
R2#show fr map
Serial1/0.12 (up): point-to-point dlci, dlci 201, broadcast, status defined, active
R2#show fr pvc
PVC Statistics for interface Serial1/0 (Frame Relay DTE)
DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.12
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
R2#show fr lmi
LMI Statistics for interface Serial1/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 679 Num Status msgs Rcvd 678
Num Update Status Rcvd 0 Num Status Timeouts 16
LMI Statistics for interface Serial1/0.12 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 0 Num Status msgs Rcvd 0
Num Update Status Rcvd 0 Num Status Timeouts 16
R3
R3#show run
Building configuration...
Current configuration : 772 bytes
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
hostname R3
interface Serial1/0
no ip address
encapsulation frame-relay
interface Serial1/0.13 point-to-point
ip address 192.168.13.2 255.255.255.0
frame-relay interface-dlci 301
ip classless
end
R3#show fr map
Serial1/0.13 (up): point-to-point dlci, dlci 301, broadcast, status defined, active
R3#show fr lmi
LMI Statistics for interface Serial1/0 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 703 Num Status msgs Rcvd 702
Num Update Status Rcvd 0 Num Status Timeouts 16
LMI Statistics for interface Serial1/0.13 (Frame Relay DTE) LMI TYPE = CISCO
Invalid Unnumbered info 0 Invalid Prot Disc 0
Invalid dummy Call Ref 0 Invalid Msg Type 0
Invalid Status Message 0 Invalid Lock Shift 0
Invalid Information ID 0 Invalid Report IE Len 0
Invalid Report Request 0 Invalid Keep IE Len 0
Num Status Enq. Sent 0 Num Status msgs Rcvd 0
Num Update Status Rcvd 0 Num Status Timeouts 16
R3#show fr pvc
PVC Statistics for interface Serial1/0 (Frame Relay DTE)
DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial1/0.13
input pkts 14055 output pkts 32795 in bytes 1096228
out bytes 6216155 dropped pkts 0 in FECN pkts 0
in BECN pkts 0 out FECN pkts 0 out BECN pkts 0
in DE pkts 0 out DE pkts 0
out bcast pkts 32795 out bcast bytes 6216155
Any input would really be appreciated.
ThanksTurns out the mistake was not adding a mask to the subnet. Ex:
Router_2(config_router)# network 192.168.0.0 0.0.255.255
Router_2(config_router)# network 172.27.0.0 0.0.255.255
Doing that on both routers made the hosts capable of pinging each other.
Thanks for the tips everyone -
I have a tableView displaying a list of contacts from a Cloud Database. After selecting a contact, I push to a programmatically created MKMapView. Then I display the initial region (the view) that includes the users current location (starting point) and their selected destination (end point).
Now I want to display annotations (as described in the Location Awareness Programming Guide) that displays polylines which will represent the turn-by-turn navigation IN MY OWN APPLICATION, and not in the Map App currently used in IOS6.
Due to licensing and its becoming depricated in IOS 6, I do not want to get routing data from the Google Maps API. How do I get routing data from the IOS 6 Map App (powered by TomTom) so I can display the point-to-point annotations (turn-by-turn navigation) without leaving my own application?
I checked out Stack Overflow and other forums which basically left me with the impression that this is not possible. I also checked out the TomTom iPhone Mobile SDK User Guide from the TomTom Developer Portal and am still confused. It must be possible to retrieve routes, since the Map App can display turn-by-turn directions. How can I retrieve turn-by-turn data that I may display as a route within my own application?Thanks Michael. Apologies for the slow reply I was away for a bit (holiday blitz at work and visiting family madness etc.etc.) back now, I set both options you requested to "never " and retried the CMS software with no change.
I do have progress of a sort though, as a test I took a separate test PC and put a clean install of Win7 on and loaded up the CMS software (it worked perfectly) and then took the version of ole32.dll off that machine and put it onto the computer I had built
for her (using Linux) and...
got a new error code. Darn I was so sure I had found a clever solution this time lol.
Anyway now when the CMS fails it gives me a similar error but the offending module is "ntdll.dll" sooo... I tried taking the "working" version of ntdll.dll from the test box and moving it over (making sure to back up the existing ones
first so I could put them back if needed) to her new PC and the PC would not boot.
It seems to want the original versions of a few Dynamic Link Libraries and if I could somehow give it those while not breaking Win7 it should theoretically work seeing as it no longer errors with ole32.dll.
ntdll.dll however seems necessary for Win7 to boot.
So what I am wondering now is:
Is there some way to have both versions of the DLL file in the system32 folder (bypassing the "cannot have two files with the exact same name in the same folder" thing) or rename the original DLL's something else and somehow make the CMS look for
the new named versions so the system has the updated DLL's it needs to boot/run and the CMS has the old ones it wants to run or is there someway to have a self contained install of the CMS, say on a USB flash drive and give it it's own E:/windows/system32/needed
dll's path to the files it needs?
Willing to try any other options or settings you may have come up with as well.
Thanks again for your reply and my apologies for not answering sooner. -
Why does DNS server entry in ipconfig break point-to-point ethernet?
My application uses a panel pc as the user interface for a cRIO controlling a medical device. The panle pc and cRIO communicate using shared variables. During development, both devices (panel pc and cRIO) were on our company network. Curiously, when I connected them point-to-point with a crossover cable, they refused to communicate when running their LabVIEW application code. Pings from the panel pc to cRIO were successful. Much troubleshooting ensued.
Long story short, the fix was to simply delete the DNS server IP entry from both the panel pc and the cRIO ipconfig tables (see attached pic for the WinXP version of this table). If either of them had our company's DNS server IP address fillied in, my LabVIEW application would fail.
This leads me to suspect that there is something in my LabVIEW executables that wants to touch the company network. Apparently, if there is a DNS server entry in the ipconfig table, this something thinks it has a chance to "phone home" and it tries to do so. When this happens on the panel pc end of the crossover cable, the machine acts like it's locked up, but the task manager shows the CPU to be ~98% idle.
If there is no entry for a DNS server, I guess this something realizes that there is no way to "phone home", so it doesn't try and my application works great. Since the application works with no DNS server table entry, I think my crossover cable is working correctly.
Does anyone have any idea what this something might be?
Jeff
Climbing the Labview learning curve!
Sanarus Medical
Pleasanton, CA
Attachments:
IPform.gif 12 KBYou've hit the nail on the head Ben. For point to point communications, the IP addresses should be fixed, therefore there is no need for DNS. If a DNS is configured, the NIC (Network Interface Card) drivers will try to contact it.
In my test system, I need DNS for the test computer, but I am communicating with a dedicated Spectrum Analyzer over TCP/IP. So I added a second NIC. The main NIC is configured for DNS and all that jazz. The second NIC (plugged into PCI slot) is configured with a hard coded address, no DNS, no Gateway, nothing else. I connect that NIC to the spectrum analyzer using a crossover cable. The analyzer is configured with a hard coded address also. Now my computer can get on our company network, and the spectrum analyzer is isolated from the network, so it can't catch any viruses, etc., and it still talks to the computer. When using a configuration such as this, it is best to use a dedicated address for the 2nd NIC and spectrum analyzer in the range of 192.168.100.0 to 254
- tbob
Inventor of the WORM Global -
RV082 DMZ Configuration Question - Point to Point
Hello,
We have 2 offices in different countries both using the RV082 router. Currently both offices have an internet connection on WAN1 and that is working fine.
We are adding a Point to Point circuit between the two offices, and my question is on the RV082 configuration on each side.
I was going to configure WAN2 in DMZ mode on each router, then connect the point to point circuit to the WAN2 port. On the China side, the DMZ IP will have to be a private address (192.168.177.1), while the DMZ port on the San Diego side will be a public IP.
We need internal computers to be able to go to the internet normally through WAN1, but also go through WAN2 if they are trying to reach the other network. I will be adding routes on each RV082 for this.
Is there anything wrong with this configuration? Do I need to change the routers from Gateway to Router mode? Does it matter if the DMZ WAN2 port has a private IP address?
Any advice or tips are greatly appreciated!
Thank you in advance,
EricThanks Tom but that thread is not exactly what I was looking for. Mainly I just want to know if the RV082 can act as a fully functioning router with the two WAN ports going to different networks. So the LAN side would hit the router, look at the routing table and know which WAN port to go out of. Using the DMZ seems like it will work, but I have never tried it so I wanted to throw it out there and see if anyone has done this before.
-
3502p AccessPoint support MESH and Point-to-Point Wireless Bridging with Outdoor Antennas??
I need to know if 3502p with outdoor antennas supports Point-to-Point Wireless Bridging??
The 3502p is only used for arenas and or stadiums. These are different units than the 3500's and 3600's. So no they can't be.
You can use Cisco Aironet 1400 Series Wireless Bridge for a wireless link between two buildings (1km) to extend your LAN. For more detail you can go through the below link.
http://www.cisco.com/en/US/prod/collateral/wireless/ps5679/ps5279/ps5285/product_data_sheet09186a008018495c.html -
Troubleshooting wireless point to point
We have a wireless point to point link using two 1310 bridges between our campus and a remote building about 5 blocks away. Recently the link has started to go down often during the day. The following is what I am seeing in the logs:
Feb 10 04:35:04.171: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating
Station 0014.6a5b.34d0 Reason: Previous authentication no longer valid
Feb 10 04:35:13.989: %DOT11-6-ASSOC: Interface Dot11Radio0, Station HoneyCreek 0
014.6a5b.34d0 Associated KEY_MGMT[NONE]
Feb 10 04:35:42.659: %DOT11-4-MAXRETRIES: Packet to client 0014.6a5b.34d0 reache
d max retries, removing the client
From some of the research I have done this is could be due to excessive noise.
Here are some of the stats from the root bridge.
Signal Strength : -75 dBm Connected for : 8164 seconds
Signal to Noise : 21 dBm Activity Timeout : 30 seconds
Power-save : Off Last Activity : 0 seconds ago
Apsd DE AC(s) : BK VI
Packets Input : 172019 Packets Output : 229451
Bytes Input : 28411002 Bytes Output : 237070515
Duplicates Rcvd : 71 Data Retries : 129610
Decrypt Failed : 0 RTS Retries : 18036
MIC Failed : 0 MIC Missing : 0
Packets Redirected: 0 Redirect Filtered: 0
Is there anything I can tweak on the bridges to stabilize the connection? Also, could someone explain what are good and what are bad readings for both signal strength and signal to noise?
Thanks in advance for your help.
JeffSNR - 25 dBm higher is better.
Signal Strength - -65 dBm and lower is better. -
MPLS vs Point-to-Point over Citrix Performance Difference
We run Citrix at our remote locations. We have two circuits at each location. One is a point to point for backup and the other is an MPLS circuit that is our primary. Both circuits are T-1 speeds.
We have all thin clients at our remote locations. When communication goes through the point to point circuit it utilizes much more bandwidth. Maybe 1.2 Mbps on average but when we communication through the MPLS circuit only 800 Kbps of bandwith is actually being used.
Can anyone explain this? I was thinking that maybe MPLS does a faster job of switching the packets across the WAN and that the Citrix does not need to use as much bandwidth because of this. This analyis was completed across all of our sites and in each case Citrix uses more bandwidth on a point-to-point vs an MPLS circuit. I have not had any users complain when accessing either ciruits.
What do you think is causing this?Hi,
I fully agree with Swaroop. Being an instructor teaching many MPLS classes I was frequently confronted with the opinion MPLS is "faster" as it is "switching". This is not true and I always countered this - provocantly - stating that MPLS is reducing throughput, so it is slower! What I mean writing this: given a certain topology for IP forwarding and turning on MPLS on it will increase the overhead (additional overhead by adding labels) and thus reduce end to end IP throughput. The lookup is done by the same algorithm (CEF) at wire speeds for IPv4 and labeled packets - there is no speed gain for either technology.
Do not get me wrong, this does not mean MPLS is "bad" and in fact the difference between pure IPv4 forwarding and MPLS forwarding is marginal and most likely irrelevant for any real environment. The advantages of MPLS are plenty and thus a marginal throughput difference is not the most important thing to consider.
I guess the idea of "switching is faster than routing" stems from the fact that there were times, when IPv4 forwarding ("routing") was done in CPU, thus was slow, whereas L2 forwarding ("switching") was done in hardware and thus was faster. It dates back to those days where we used AGS+ (an old router, which is EOS, EOL and most likely even EOeBay ;-) and f.e. Cat5000.
Now coming back to the observed behaviour in the original post there might be some reasons to explain it:
1) different L2 overhead as pointed out by Swaroop, especially as I would assume rather small average packetsizes.
2) Additional traffic on the P2P link not sent through the MPLS cloud - check your routing, if it is exactly the same for both links.
3) Measurement artefacts - as Swaroop pointed out. Is the load interval the same for both interfaces? I would rather use a packet analyzer than only go for a "show interface" to get precise values.
Hope this helps!
Regards, Martin -
Point to Point webservice communication
Hi Experts,
Could you please tell me, how to do point to point webservice communcation using Enterprise Portal?
Regards
SaraHi Harini,
I have to call more than 10 RPC encoded webservice from Enterprise Portal for a single scenario(Business Process). Calling many webservices are possible using XI/PI (BPM). But RPC encoded webservices I can't create it from XI, so please let me know the steps to do it using Enterprise portal.
Regards
Sara -
L2 Failover Plan for Point to Point
We have 2 point to point links from 2 different ISP's for the purpose of connecting to our data center from our office. We would like to configure a failover scenario using these two P2P links.
I have been trying with the sTP method but for some reason we could not succeed in this, could be because of the distance.
Please help me to implement a failover P2P conectivity usign this two links.Hello,
Is there a specific reason you are using Layer 2 between sites? If the links are the same bandwidth you could create a port-channel - where both physical links become one logical link, this is ideal because the fail-over is seamless without losing any connectivity and is far superior to spanning-tree.
To configure this:
interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
interface GigabitEthernet1/0/1
description Link to ISP1
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
interface GigabitEthernet1/0/2
description Link to ISP2
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
This could also be accomplished with IP routing. you can can configure the interfaces as layer 3 ports and setup a routing protocol between sites - Like EIGRP. EIGRP can do equal and unequal cost load balancing or simply route all traffic via one link and automatically route via the other if the primary went down.
If you provide more data I could offer more assitance with design and configuration. -
Link Redundancy Mpls primary on ethernet & point to point secoundary leaseline on serial
hi i am having one link mpls with internet (primary) (e0/0)-10.1.1.1 and secound link point to point serial (s0/0) i want to do redundancy between two links
but problem is mpls link never shows down . so if mpls fails then my point to point should be up please Find Attach file.
can i get confuration according to my e.g. drawing
as per my knowledge ip sla track command is thier but i dont know exact command.Hi,
You are right...You should use IP SLA to track the primary link (ISP side IP)....
Try these...
track 125 ip sla 10 reachability
delay down 15 up 10
ip sla 10
icmp-echo 4.2.2.2 (change this with the exact IP) source-interface Dialer1
threshold 40
If it doesn't work, just tewak some parameters..Some the methodilogy remain same..
Good Luck !!!!
Maybe you are looking for
-
How to configure jar files in BAT file
hi to all .I have one doubt. how to configure the no.fo jar files in BAT file. can any one help me thanks
-
hi there, i have a program with ALV tree. is it possible to 'grid' the columns ? i mean to put vertical lines between each field like it is in standard-alv-grid ? reg, Martin
-
Code Olympics , registration problem
hi, I am not able to update the 'Features of Product" textbox on the registration page(GreenField Venture).The changes are not reflected.Copy-paste is also not working properly. Is someone else is also facing the same problem?
-
What additional resources are required to do the TestStand training courses I and II?
I have the TestStand course manuals for courses I and II and am currently trying to refresh what I learned a couple of months ago when I took the courses. I'm at the point where almost every VI required comes up broken because additional libraries a
-
ADFS HttpSamlMessageException: MSIS7015
Hello, We are using ADFS to logon to an external website. That is working fine, except for one user. The following error is logged: - System - Provider [ Name] AD FS 2.0 Tracing [ Guid] {f1aa12b3-dba2-4cab-b909-2c2b7afcf1fd} EventID 67 Version 0 Leve