SFE2000 & ACL to stop VLAN traffic

Hi All,
I have set up a new SFE2000 switch to work in Layer 3 mode using the IP address 192.168.100.254 on VLAN 1.
Additional VLANs are:
VLAN2     192.168.102.x     To be used for guest wireless access
VLAN3     192.168.103.x
VLAN4     192.168.104.x
I would like VLAN 1, 2, 3 and 4 to be able to communicate with each other, while VLAN 2 (Guest) needs to be restricted from everything except web access and DHCP assignment from our server.
I have been playing with various ACLs in an effort to accomplish this, but so far I have drawn a blank in getting this working.
Can anyone shed any light on this for a managed-switch newbie?
Thanks in advance
James

I was able to get this working with ACLs and setting a static route from the router (in my case Sonicwall TZ 180) back to the SG300 network. I have enclosed screen shots of the config from the GUI. You need to bind the ACL to whatever
ports you want to filter the guest traffic, either where they would connect a hard-wired connection or where you would connect your wireless AP. The ACL I have created allows VLAN 13 to get a DHCP address and communicate through DNS but nothing else. 192.168.9.254 is the Sonicwall router, which I wanted on a different VLAN.
Hope this helps others with their setup.

Similar Messages

  • Switch port in dot1x multi-auth mode stops passing traffic

    Dear All,
    I am experiencing a problem on a Catalyst 4510 (cat4500-ipbasek9-mz.122-53.SG.bin) with 802.1x configured. Client PCs are connected via a mini desktop switch to a Cat 4510 switched port in multi-auth mode. The configuration of the port follows:
    interface GigabitEthernet2/34
    switchport mode access
    ip arp inspection limit rate 30
    authentication host-mode multi-auth
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    dot1x pae authenticator
    dot1x timeout tx-period 5
    dot1x max-reauth-req 6
    spanning-tree portfast
    ip verify source vlan dhcp-snooping
    end
    It happens from time to time that the Cat 4510 port stops passing traffic. Reconnecting the mini switch recovers the communication. Client PCs connected to the mini switch seem to be authorized at the moment when the problem occurs. The RADIUS Termination-Action attribute is set to RADIUS-Request. The problem is not present if "authentication periodic" is disabled.
    Did anyone experience a similar problem? Any advice?
    Thanks.
    Mirek

    We have the same issue on a 3750E switch running 12.2(58)SE

  • ACL to allow SNMP traffic

    I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.
    ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
    Additional permit statements omitted.

    HMidkiff wrote:
    I created an ACL to allow SNMP traffic through.  Once I applied it traffic does not pass.  Should be pretty simple.  Below is what I used.  I am using SNMP v2.
    ip access-list extended ABC-ACL
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmp
    permit udp X.X.0.0 0.0.255.255 host SERVER_IP eq snmptrap
    permit icmp X.X.0.0 0.0.255.255 host SERVER_IP
    Additional permit statements omitted.
    Where is it applied: to an L3 switch VLAN interface or a router interface, in which direction, etc.?
    Is the SNMP traffic from a specific device? You could add a permit with log for that specific device to see what ports it is using.
    Also, where is the SNMP coming from in your ACL? If it is the x.x.0.0 network the ACL should be:
    permit udp x.x.0.0 0.0.255.255 eq snmp host SERVER_IP eq snmp
    etc..
    Jon

  • ACL's in VLAN Catalyst 3550

    Hello !!
    We have a Switch Catalyst 3550 - 12G
    IOS : Version 12.2(25)SEA
    I need to implement ACL security in VLANs. But it didn't work.
    VLAN 11 definition:
    interface Vlan11
    description VLAN - RED WAN
    ip address 192.168.21.1 255.255.255.0
    Interface association (g0/7) with VLAN 11 and extended ACL (ip1)
    interface GigabitEthernet0/7
    switchport access vlan 11
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 11
    switchport mode dynamic desirable
    ip access-group ip1 in
    ACL definition:
    ip access-list extended ip1
    permit ip 192.168.70.0 0.0.0.255 any
    deny ip any any
    This configuration must allow IP communication between 192.168.70.0/24 and 192.168.21.0/24. However, it doesn't work.
    Inter-VLAN communication is OK.
    Any suggestions?
    .... Switch config attached.
    Thanks.
    John Nanez E.

    Try putting it on the SVI for vlan 11 (interface vlan 11). I don't think you can put it on an individual interface and have it work. Also, the way you wrote it you'll have to apply it as "out" on the VLAN, because you are permitting an address from another network to the vlan 11 address space, thus it would have to block the traffic "out" to the devices on vlan 11.

  • Wireshark capture on access port displays different vlan traffic

    Hi Guys,
    I have a Nexus 4001i Blade Center switch where I have a server connected in access mode to a particular VLAN.
    When I use Wireshark on this port, I see different traffic conversations of different servers in different VLANs, which seems strange to me.
    Does anybody have an idea why a server in access mode with Wireshark is able to view different VLAN traffic? I also see non-multicast and non-broadcast conversations.
    The port the server is connected to is not a monitor port but only in switchport mode access.
    Thanks in advance for your feedback

    Hi,
    So it looks like you're getting unicast traffic flooded to all ports. There are a couple of reasons I've come across that can cause this.
    Asymmetric routing: See Unicast Flooding in Switched Campus Networks and/or Case Study #8: Asymmetric Routing and HSRP (Excessive Flooding of Unicast Traffic in Network with Routers That Run HSRP) for details of why it happens and how to prevent it.
    Microsoft Network Load Balancing. As per the Microsoft Troubleshooting NLB:
    In unicast mode (the default Forefront TMG cluster operation mode) NLB induces switch flooding, by design, relaying packets sent to the VIP addresses to all cluster hosts. Switch flooding is part of the NLB strategy for obtaining the best throughput for any specific load of client requests. However, if the NLB interfaces share the switch with other (non-cluster) computers, switch flooding can add to the other computers' network overhead by including them in the flooding and consequently have a detrimental effect on network and/or server performance.
    Regards

  • Vlan traffic is not passing through Wireless Bridge

    Hi,
    Recently we have placed a wireless bridge in our network (Cisco AIR-BR1410A-E-K9 model). After installing the bridge we are facing the issue that only the management interface traffic is reachable through the bridge, but we are not able to reach other VLAN traffic.
    The management range is in VLAN 1 (which includes APs, switch and router) and the bridge IPs are also in VLAN 1.
    The switch port is kept in trunk mode at both ends of the bridge. Still, other VLAN traffic is not reachable. Do we have to place any special configuration for this?
    All the business users are in VLAN 3.
    All the sales team users are in VLAN 123.
    Now the problem is that the other end switches are reachable for me through the bridge, as they are in VLAN 1, but VLAN 3 and VLAN 123 are not reachable for me. Users are not getting IPs; when we assigned static IP addresses and tested, it still did not work.
    I am attaching my wireless bridge configuration in the discussion, please help on this issue.
    Root Bridge ---- Non-Root Bridge --- Cisco Switch -- Cisco Switch..
    Now I am able to reach those two switches also, but not able to reach the VLAN 3 users who are connected to those switches.

    Hi,
    infrastructure-ssid has been placed at both ends; still not able to get IPs to the devices.
    I am not able to attach txt files in the reply. Could you please let me know your email ID so that I will send the config files to your ID.

  • Stop DHCP traffic from passing across interfaces

    I'm having an issue with DHCP traffic passing across my Cisco ASA 5510 interfaces.
    Example of setup:
    Company 1 connected to interface 1 has its own DHCP server.
    Company 2 connected to interface 2 has its own DHCP server.
    Some users are getting their IP address from the other company's DHCP server. The 2 companies should pass traffic to each other but not DHCP.
    Is there any way to stop DHCP traffic from crossing interfaces?
    Shane

    usually have to permit DHCP traffic explicitly. Specification of the DHCP client-server protocol describes several cases when packets must have the source address of 0x00000000 or the destination address of 0xffffffff. Anti-spoofing policy rules and tight inclusive firewalls often stop such packets. Multi-homed DHCP servers require special consideration and further complicate configuration.
    To allow DHCP, network administrators need to allow several types of packets through the server-side firewall. All DHCP packets travel as UDP datagrams; all client-sent packets have source port 68 and destination port 67; all server-sent packets have source port 67 and destination port 68. For example, a server-side firewall should allow the following types of packets:
    * Incoming packets from 0.0.0.0 or dhcp-pool to dhcp-ip
    * Incoming packets from any address to 255.255.255.255
    * Outgoing packets from dhcp-ip to dhcp-pool or 255.255.255.255
    where dhcp-ip represents any address configured on a DHCP server host and dhcp-pool stands for the pool from which a DHCP server assigns addresses to clients.
    An example in an ASA would be similar to the following.
    For blocking client traffic:
    access-list TEST extended deny udp any any eq bootpc
    For blocking server traffic:
    access-list TEST extended deny udp any any eq bootps
    Hope that helps.
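The guest-VLAN policy the first thread on this page asks for (VLAN 2 restricted to DHCP, DNS and web), together with the DHCP port pairs the reply just above describes, checked with a small first-match ACL simulator. This is an added example, not code from either thread or from Cisco; it assumes the DHCP/DNS server is 192.168.100.10 (the thread gives no address), that the ACL is bound inbound on the guest-facing ports as the first answer describes, and only a subset of Cisco extended-ACL syntax (permit/deny, any, host, wildcard mask, eq).

```python
"""First-match simulation of a Cisco-style extended ACL for the guest VLAN in the
first thread (VLAN 2 = 192.168.102.0/24; VLANs 1/3/4 = 192.168.100/103/104.0/24).
Added example, not the switch's code: it checks rule order and the DHCP port pairs
(client 68 -> server 67, 0.0.0.0 -> 255.255.255.255) before the ACL is bound."""
from ipaddress import IPv4Address
from typing import NamedTuple, Optional

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src_net: int
    src_wild: int         # Cisco wildcard mask: 1 bits are "don't care"
    sport: Optional[int]  # None = any port
    dst_net: int
    dst_wild: int
    dport: Optional[int]


def _addr(t, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' at t[i] -> (net, wildcard, next i)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(IPv4Address(t[i + 1])), 0, i + 2
    return int(IPv4Address(t[i])), int(IPv4Address(t[i + 1])), i + 2


def _port(t, i):
    """Consume an optional 'eq <number|name>' qualifier; an unknown name raises KeyError."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Parse 'permit|deny <proto> <src> [eq p] <dst> [eq p]' lines; '!' starts a comment."""
    rules = []
    for line in text.splitlines():
        t = line.split("!")[0].split()
        if not t:
            continue
        src_net, src_wild, i = _addr(t, 2)
        sport, i = _port(t, i)
        dst_net, dst_wild, i = _addr(t, i)
        dport, i = _port(t, i)
        rules.append(Rule(t[0], t[1], src_net, src_wild, sport, dst_net, dst_wild, dport))
    return rules


def _in_net(ip, net, wild):
    care = ~wild & 0xFFFFFFFF
    return (int(IPv4Address(ip)) & care) == (net & care)


def evaluate(rules, pkt):
    """First matching rule wins -> (action, index); index -1 is the implicit 'deny ip any any'."""
    for idx, r in enumerate(rules):
        if (r.proto in ("ip", pkt.proto)
                and _in_net(pkt.src, r.src_net, r.src_wild)
                and _in_net(pkt.dst, r.dst_net, r.dst_wild)
                and r.sport in (None, pkt.sport)
                and r.dport in (None, pkt.dport)):
            return r.action, idx
    return "deny", -1


# Assumptions not in the thread: the DHCP/DNS server is 192.168.100.10 and the ACL is bound
# inbound on the guest ports, so only guest-sourced packets are evaluated (the switch ACL is
# stateless; web replies arrive on the uplink and never hit it).
GUEST_ACL = """
permit udp any eq bootpc any eq bootps                            ! DHCP first: src may be 0.0.0.0
permit udp 192.168.102.0 0.0.0.255 host 192.168.100.10 eq domain  ! DNS to the internal server
deny   ip  192.168.102.0 0.0.0.255 192.168.100.0 0.0.0.255        ! nothing else into VLAN 1
deny   ip  192.168.102.0 0.0.0.255 192.168.103.0 0.0.0.255        ! or VLAN 3
deny   ip  192.168.102.0 0.0.0.255 192.168.104.0 0.0.0.255        ! or VLAN 4
permit tcp 192.168.102.0 0.0.0.255 any eq www                     ! web to whatever is left
permit tcp 192.168.102.0 0.0.0.255 any eq 443
"""

# Same rules with the VLAN 1 deny hoisted to the top: the initial DHCP discover still passes
# (src 0.0.0.0 is not in VLAN 2), but unicast lease renewal and DNS are silently lost.
_lines = GUEST_ACL.strip().splitlines()
MISORDERED_ACL = "\n".join([_lines[2]] + _lines[:2] + _lines[3:])

SAMPLE_FLOWS = {  # constructed packets from a guest client at 192.168.102.50
    "dhcp_discover": Packet("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dhcp_renew":    Packet("udp", "192.168.102.50", 68, "192.168.100.10", 67),
    "dns":           Packet("udp", "192.168.102.50", 51000, "192.168.100.10", 53),
    "https_out":     Packet("tcp", "192.168.102.50", 51001, "203.0.113.10", 443),
    "smb_to_vlan1":  Packet("tcp", "192.168.102.50", 51002, "192.168.100.20", 445),
    "web_to_vlan3":  Packet("tcp", "192.168.102.50", 51003, "192.168.103.5", 80),
}


def decide_all(acl_text, flows=SAMPLE_FLOWS):
    """Verdict per flow name, so a whole policy can be checked (or diffed) at once."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in flows.items()}
```

Run decide_all(GUEST_ACL) against decide_all(MISORDERED_ACL) to see why the deny into VLAN 1 must come after the DHCP and DNS permits.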

  • CCE 507 stops forwarding traffic to internet

    Our CE (which is our proxy server) constantly stops forwarding traffic to the internet. The engine does not freeze or lock up, because I can telnet into it and reload, and everything is fine then. This has started happening in the last two weeks. The engine is integrated with Websense filtering. Could I be experiencing hardware issues? I did recently upgrade Websense to the latest version and also upgraded the PIX 515 Firewall IOS to the latest. I am thinking of maybe upgrading the IOS on the engine. Any guidance would be appreciated. Thanks in advance.

    Apparently the version of Websense that I was running was not making the CE very happy. I upgraded to a new version and ever since the problem has not arisen. But I am having one issue with the CE. There is one website that generates errors when going through the CE proxy server, although when bypassing the proxy server (CE) there are no errors generated. It is only when going through the proxy that the error is generated. The error does not reflect a Websense blocking page, so it only leads me to believe that the problem is on the CE. I would like to upgrade the IOS on the CE to the latest software in an effort to resolve this. If I upgrade, should I be aware of any problems with the configuration not working after the upgrade? The device is a CE 507 with software version 2.51. Any history on this type of problem? Any help would be appreciated. I have pasted the exact error generated from the site. Thanks again.
    Network Error
    The server yearbookavenue1.jostens.com returned an invalid response to your request for http://yearbookavenue1.jostens.com/cgi-bin/exe2004/year2004.exe?f_4194e967209

  • Monitoring VLAN traffic

    I moved from 2500 series routers to a switched network using Catalyst 3750 and 3560 switches over the course of the last year. In my routed network I used MRTG to monitor traffic on my interfaces. In my switched network environment I have not been able to find a free or low-cost tool that will monitor VLAN traffic. Any suggestions?

    I have the same problem and found these links that provided answers:
    http://forums.cacti.net/about29656.html&highlight=
    http://www.experts-exchange.com/Hardware/Networking_Hardware/Switches/Q_23738165.html
    VLANs on 3560s, 3750s and 3550s do not show stats.  The packets are forwarded with the ASIC chips and do not cross the CPU for actual processing.  To actually see the traffic you will need to turn off CEF, which decreases the performance significantly (not recommended, see links above).

  • VLAN Traffic Monitoring

    Hi all
    I have 2900XL core switches which are in turn connected to several 2950 switches. All are connected to VLAN 1.
    I have a few questions:
    When people say broadcast traffic should not be more than 20% of the VLAN traffic:
    1. Does it mean the broadcast of a single port in the 2950 switch or the core switch?
    2. How do I know the VLAN traffic?
    Any tools etc. and how is the setup?
    Hope someone can help. :)
    Thanks in Advance.
    Alan

    Hi Narayanan,
    This is Guru Prasad.R from Saksoft Ltd. I have been working as a Network Engineer for the past 1 year here. Also I had worked as a part-time technical assistant in a networking environment for 3 years.
    Since I am a new guy to this networking world I may require your guidance and support for making my career the best one.
    I have finished my CCNA & 2 MCP exams, one for Server 03 & another for Exchange Server 03. Also currently I am doing the CCNP-Switching [BCMSN] exam.
    Kindly help me to make my career the best one. Expecting your kindness on the same.
    I have noted down your contact number in your Cisco profile. Below are my contact details:
    Guru Prasad.R
    Mobile: +91-9840822258
    Mail id: [email protected]
    Expecting your reply mail for the same.
    Thanks & Regards,
    Guru Prasad .R

  • ACLs never apply to traffic generated by the router

    http://www.ciscopress.com/articles/article.asp?p=174313&seqNum=4&rl=1
    "Another special note on Cisco ACLs is that ACLs never apply to traffic generated by the router. So, even if you have an inbound and an outbound ACL on a router denying all traffic, the router will still be able to send any packet it wants; the return packet, however, will be blocked as usual".
    Is it (the return packet, however, will be blocked as usual) the case all the time? If it is the case, could you please explain?

    Thanks Rick. I need some clarification about the below scenario please:
    Suppose I have got R1 (one of many routers) with two interfaces, serial0/0 and e0/0. The IP address for serial0/0 is 192.168.0.1/24,
    the IP address for e0/0 is 172.16.0.1/16.
    R1(config)#access-list 101 deny ip any any
    R1(config)#interface serial 0/0
    R1(config-if)#ip access-group 101 out
    R1(config)#access-list 150 deny ip any any
    R1(config)#interface fastethernet 0/0
    R1(config-if)#ip access-group 150 in
    Now we have satisfied the condition which it says: "where there is an outbound ACL and an inbound ACL and they both deny all traffic".
    1- ((The inbound ACL will deny all traffic)).
    This is obvious because when any packet tries to enter the router R1, the ACL will check both IP addresses, the source (any) and the destination (can be one of the interfaces belonging to R1); because it matches the condition for the ACL, it will be dropped.
    2- ((In this case the outbound ACL can deny transit traffic, but can not deny packets generated by the router which will be transmitted)).
    The first part (In this case the outbound ACL can deny transit traffic) is fine. The second one, which is: "but can not deny packets generated by the router which will be transmitted": my understanding is that when packets are generated by router R1, these packets have got a source IP address and a destination IP address.
    The source and destination IP addresses still match the condition of the ACL, so why shouldn't it be
    denied?

  • 5505 stops passing traffic with 9.1.3

    I have a 5505 setup in my home office.  It generally works well but I noticed when I upgraded it to 9.1.2.8 it would stop passing traffic after a few days.  I figured this was just the interim release blues and waited until 9.1.3 came out.  However, with 9.1.3 the problem is even worse.  I'm actually not exactly sure what's going on.  Here's what I've noticed:
    I get a lot of DNS connections with the "h" flag (H.225 traffic) set.  This seems like it might have some relation to the problem:
    UDP outside  216.218.130.2:53 inside  192.168.234.146:50705, idle 0:00:18, bytes 534, flags h
    I also get these in 9.1.2 (which works fine), but far fewer.  When traffic stops passing on my ASA, I notice that I have tons of these connections in 9.1.3.
    When traffic stops passing, the ASA itself can no longer get to the Internet.  I can't ping my Comcast router (actually in my office, L2 adjacent to ASA).  I also have some SLA probes going to the Internet which fail.  If I do a clear conn all, then everything starts working again for a while.  The BTF (dynamic-filter) feature seems to make it worse.  If I remove it (remove dynamic-filter-snoop part) then it takes a lot longer before it stops passing traffic:
    policy-map global_policy
    class inspection_default
      inspect dns dns-ipm dynamic-filter-snoop
    What's really strange, is even if I remove all service-policy commands, I still get connections with the "h" flag.  I don't believe that should be possible so perhaps a bug?
    Ideas?


  • Routing VLAN traffic

    Is it possible to route VLAN traffic?
    We have two buildings, each with several Catalyst 2950s and a 2651 router hosting several VLANs.
    Can we connect the 2651s together and expand the VLANs into the other building?

    HI
    Can you give info about how these two buildings are connected to each other? As far as routing is concerned, you can configure sub-interfaces under your physical interface on your router. Are these 2950s connected to the 2651? If they are, how are your VLANs spread? Are you using any sort of VTP? If your 2950s are connected to the 2651 then you can go for sub-interfaces per VLAN.
    For example, if you are having 3 VLANs then you can configure the physical interface on your router as:
    interface f0/0.1
    encapsulation dot1q 1
    ip address 192.168.1.1 255.255.255.0
    and so on
    Thanks
    Mahmood

  • Wifi stops passing traffic on original ipad and ipad 2 running ios 5.0.1

    I actually just started having this issue with my original iPad and my iPad 2. From what I'm seeing it is not a loss of signal but a loss of connectivity; they just stop passing traffic. When this is happening it's sometimes to both iPads but not always. And both our iPhones do not experience the issue while the iPads are having the problem (all devices running iOS 5 and connected to the same AP). Wired devices also do not have any issues while this is happening to the iPads.
    What I have tried so far:
    1. Changing channels on the AP to a less congested channel (didn't help)
    2. Shutting Wi-Fi off on the iPad, then turning it back on, solves the issue for a random amount of time, then it happens again
    3. Rebooting the iPad sometimes does not help at all until you turn off the radio on the iPad, then back on
    I was ready to get a new router/AP but after reading some other comments, this may be an issue for other people.

    I have exactly the same issue on my brand new iPad2 running iOS5.
    I have also changed the channel, tried different settings, etc. to no avail.
    It tends to happen when streaming video - Skype, YouTube. Also during movie downloads.
    My pc does not have this problem.
    Were you able to find a reliable solution?
    Thanks!

  • VPN stops forwarding traffic on subsequent connections (Cisco 861)

    Hello everyone,
    I have a very strange problem on 2 (independent) Cisco 861 routers in different places.
    They are both configured as easyVPN servers. One uses UDP, the other TCP. VPN clients connect by using Cisco VPN client software. This cannot be changed because the customer expects it this way. Both routers have the same problem:
    * the first VPN connection after a reset works fine. Traffic passes through and it is perfectly usable. I can ping the internal network interface on the router side from the client without problems.
    * the second connection (and all subsequent ones from different client machines etc.) connects fine, no errors on the client whatsoever (not sure I evaluated all possible debug output on the "server" side). However,  no traffic passes through. Pings do not come back from the 861 anymore through the VPN tunnel.
    I already enabled ICMP debugging and saw that pings are actually answered by the 861, but do not reach the client. The same seems to happen to any and all other packets as well.
    * If I restart the 861 the very same thing happens: the first VPN connection works fine. You disconnect, try another connection from the very same client computer, and it does not work anymore until the next router reset.
    I append the configuration for the sake of completeness. Confidential parts are represented by XXX. Some ACLs are not in use right now; I used them for testing.
    Quite frankly, I am out of ideas (and desperate).
    Any ideas?
    Best Regards
    Mike
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname XXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200
    logging console critical
    enable secret 5 XXX
    enable password 7 XXX
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    memory-size iomem 10
    clock timezone Berlin 1
    crypto pki trustpoint TP-self-signed-2638506017
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2638506017
    revocation-check none
    rsakeypair TP-self-signed-2638506017
    no ip source-route
    ip cef
    no ip bootp server
    ip domain name local
    license udi pid CISCO861-K9 sn XXX
    archive
    log config
      hidekeys
    no spanning-tree vlan 1
    username root privilege 15 secret 5 XXX
    username remote secret 5 XXX
    crypto ctcp port 10000
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group vpn
    key XXX
    pool SDM_POOL_1
    acl 104
    netmask 255.255.255.0
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group vpn
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       client configuration group vpn
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    interface Loopback0
    ip address 192.168.234.1 255.255.255.0
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 192.168.233.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 10.179.232.0 255.255.255.0 192.168.233.2
    ip route 172.16.0.0 255.255.0.0 192.168.233.2
    ip access-list log-update threshold 10
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.233.0 0.0.0.255
    access-list 100 remark XXX
    access-list 100 permit ip 192.168.233.0 0.0.0.255 any
    access-list 100 permit ip 192.168.234.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=4
    access-list 101 permit ip 192.168.233.0 0.0.0.255 any
    access-list 101 permit ip 192.168.234.0 0.0.0.255 any
    access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
    access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
    access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
    access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
    access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
    no cdp run
    control-plane
    banner exec ^CCC
    XXX
    ^C
    banner login ^CCC
    XXX
    ^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Hi,
    I added a dynamic crypto map to the configuration according to the document you sent. However, it does not work yet.
    There must be some stupid mistake or mixup with the old config.
    The router logs:
    000038: *Mar  1 01:19:24.047 Berlin: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at XXX
    000039: *Mar  1 01:19:29.403 Berlin: CTCP: cTCP connection entry not found. Dropping the packet
    Correspondingly, the client retransmits a few times during a connection attempt and then fails.
    The current configuration is:
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname XXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200
    logging console critical
    enable secret XXX
    enable password XXX
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    memory-size iomem 10
    clock timezone Berlin 1
    crypto pki trustpoint TP-self-signed-2638506017
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2638506017
    revocation-check none
    rsakeypair TP-self-signed-2638506017
    no ip source-route
    no ip cef
    no ip bootp server
    ip domain name local
    license udi pid CISCO861-K9 sn XXX
    archive
    log config
      hidekeys
    no spanning-tree vlan 1
    username root privilege 15 secret 5 XXX
    username remote secret 5 XXX
    crypto ctcp keepalive 10
    crypto ctcp port 10000
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp nat keepalive 20
    crypto isakmp client configuration group vpn
    key XXX
    pool SDM_POOL_1
    acl 105
    netmask 255.255.255.0
    crypto isakmp client configuration group testgroup
    key XXX
    pool SDM_POOL_1
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group vpn
       client authentication list ciscocp_vpn_xauth_ml_1
       isakmp authorization list ciscocp_vpn_group_ml_1
       client configuration address respond
       client configuration group vpn
    crypto isakmp profile VPNclient
       description VPN clients profile
       match identity group testgroup
       client authentication list clientauth
       isakmp authorization list groupauthor
       client configuration address respond
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA
    set isakmp-profile ciscocp-ike-profile-1
    crypto dynamic-map dynmap 5
    set transform-set ESP-3DES-SHA
    set isakmp-profile VPNclient
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
    ip address 192.168.234.1 255.255.255.0
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    mtu 1300
    ip address dhcp
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback0
    tunnel mode ipsec ipv4
    crypto map mymap
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 192.168.233.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 192.168.234.2 192.168.234.127
    ip forward-protocol nd
    no ip http server
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 10.179.232.0 255.255.255.0 192.168.233.2
    ip route 172.16.0.0 255.255.0.0 192.168.233.2
    ip access-list log-update threshold 10
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.233.0 0.0.0.255
    access-list 100 remark XXX
    access-list 100 permit ip 192.168.233.0 0.0.0.255 any
    access-list 100 permit ip 192.168.234.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=4
    access-list 101 permit ip 192.168.233.0 0.0.0.255 any
    access-list 101 permit ip 192.168.234.0 0.0.0.255 any
    access-list 102 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
    access-list 103 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255 log
    access-list 103 permit ip 192.168.234.0 0.0.0.255 192.168.233.0 0.0.0.255 log
    access-list 104 permit ip 192.168.233.0 0.0.0.255 any log-input
    access-list 104 permit ip 192.168.234.0 0.0.0.255 any log-input
    access-list 105 permit ip 192.168.233.0 0.0.0.255 192.168.234.0 0.0.0.255
    no cdp run
    control-plane
    banner exec ^CCC
    XXX
    ^C
    banner login ^CCC
    XXX
    ^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
