VRF does not work
Hello!
We have a cat3550 running 12.1(19)EA1a and we want to set up VRF in the following scheme:
cat3550------(inside)PIX(dmz)----r2600
------------tunnel1-------
r2600 is the exit point of all tunnels and is the point of connection between VRF and global routing.
There are two subnets which we want to connect to each other and to the rest of the network.
We are using two tunnels to the 2600 router and VRF.
These are the VRF and EIGRP parts of our config:
ip vrf MMM
rd 1016:247
interface Tunnel1
ip vrf forwarding MMM
ip unnumbered Vlan247
tunnel source Loopback0
tunnel destination 192.168.240.254
interface Vlan247
ip vrf forwarding MMM
ip address 192.168.247.46 255.255.255.240
no ip redirects
router eigrp 1016
network 192.168.0.37 0.0.0.0
network 192.168.37.0 0.0.0.255
network 192.168.40.128 0.0.0.15
network 192.168.252.32 0.0.0.3
network 192.168.252.36 0.0.0.3
no auto-summary
eigrp router-id 192.168.0.37
no eigrp log-neighbor-changes
ip route 0.0.0.0 0.0.0.0 192.168.252.33
ip route 0.0.0.0 0.0.0.0 192.168.252.37 2
ip route vrf MMM 0.0.0.0 0.0.0.0 Tunnel1
ip route vrf MMM 192.168.247.48 255.255.255.248 Tunnel1
where 192.168.247.48 255.255.255.248 is another subnet in the VRF.
All nodes on the cat3550 in vlan247 must reach inside nodes using the VRF and the tunnel; all others use normal routing (EIGRP).
So we want to access the mail server 192.168.7.33, which is located in the inside net (not the VRF), but without success.
As I see it, all packets from a node in VLAN247 go straight to the server (not via the tunnel), and the return packets go via the PIX (because there are no subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 in EIGRP routing, and the PIX is the default routing point),
and I see a PIX log message like this:
Deny tcp src inside:192.168.7.33/110 dst dmz:192.168.247.35/49384 by access-group "acl_inside"
(permit clause is from DMZ to INSIDE zone, not vice versa)
However, when I do
telnet 192.168.7.33 110 /vrf MMM
from cat3550
it works fine!
and I see that packets go correctly via the tunnel and then via the PIX to the server.
Access between subnets 192.168.247.48 255.255.255.248 and 192.168.247.32 255.255.255.240 is fine too! (why???)
I tried setting
ip route vrf MMM 192.168.7.33 255.255.255.255 Tunnel1
but with no effect.
What am I doing wrong? Why does it not work?
I hope I explained clearly.
Thanks!
I found that VRF works correctly when and only when the destination host is not in global routing (EIGRP in my case). But this happens with the IPs of nodes within the VLAN; the IP address of the VLAN on the Cisco is accessible correctly at any time.
Why? Does anybody know?
Help me, please!
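To make the forward and reply paths in the post concrete, here is an added Python example (not code from the post or from Cisco) that performs a longest-prefix lookup in the VRF MMM and global tables built from the static routes shown above, then parses the PIX deny line. The 192.168.7.0/24 entry labelled EIGRP is an assumption standing in for the route the switch learns to the mail server, and the "looks like a reply" test in classify_pix_deny is the example's own heuristic. The lookup shows what the routes themselves describe: a forward path through Tunnel1 and a reply path that can only match the global default, because the global table has no entry for 192.168.247.32/28 or 192.168.247.48/29; that is the asymmetric pattern the PIX deny line records, with the server's port 110 as source and the client's ephemeral port as destination.

```python
"""Per-VRF route lookup and PIX deny-line triage for the post above.

Added example, not code from the post. Route tables are built from the
static routes shown; the 192.168.7.0/24 entry is an assumption standing in
for the EIGRP-learned route to the mail server.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str       # exit interface or gateway address, as a label
    distance: int = 1   # administrative distance (the floating static has 2)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Global table: the two static defaults from the post plus the assumed EIGRP
# route for the mail server's subnet. Nothing here covers 192.168.247.32/28
# or 192.168.247.48/29, so replies to those hosts can only hit a default.
GLOBAL_TABLE: List[Route] = [
    Route(net("0.0.0.0/0"), "192.168.252.33", 1),
    Route(net("0.0.0.0/0"), "192.168.252.37", 2),
    Route(net("192.168.7.0/24"), "EIGRP next hop (assumed)", 90),
]

# VRF MMM: default and the other VRF subnet via Tunnel1, Vlan247 connected.
VRF_MMM_TABLE: List[Route] = [
    Route(net("0.0.0.0/0"), "Tunnel1", 1),
    Route(net("192.168.247.48/29"), "Tunnel1", 1),
    Route(net("192.168.247.32/28"), "Vlan247 (connected)", 0),
]

TABLES: Dict[str, List[Route]] = {"global": GLOBAL_TABLE, "MMM": VRF_MMM_TABLE}

# Which VRF a host belongs to, keyed by its subnet; both /28 and /29 are in MMM.
VRF_MEMBERSHIP = {net("192.168.247.32/28"): "MMM", net("192.168.247.48/29"): "MMM"}


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal length prefer the lower distance."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


def vrf_of(host: str) -> str:
    addr = ipaddress.ip_address(host)
    for subnet, name in VRF_MEMBERSHIP.items():
        if addr in subnet:
            return name
    return "global"


def trace(src: str, dst: str) -> dict:
    """Forward lookup in the source's table, reply lookup in the destination's."""
    fwd_vrf, rev_vrf = vrf_of(src), vrf_of(dst)
    fwd, rev = lookup(TABLES[fwd_vrf], dst), lookup(TABLES[rev_vrf], src)
    return {
        "forward_vrf": fwd_vrf,
        "forward_via": fwd.next_hop if fwd else None,
        "reply_vrf": rev_vrf,
        "reply_via": rev.next_hop if rev else None,
        "reply_prefix": str(rev.prefix) if rev else None,
        # A reply that only matches a default route leaves the VRF path and,
        # in the post's topology, lands on the PIX instead of the tunnel.
        "reply_uses_default": bool(rev and rev.prefix.prefixlen == 0),
    }


DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def classify_pix_deny(line: str) -> Optional[dict]:
    """Parse a PIX access-group deny line and flag it when it looks like the
    reply half of a session: service port as source, ephemeral port as
    destination. That split is this example's heuristic, not PIX semantics."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d: dict = m.groupdict()
    d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
    d["looks_like_reply"] = d["sport"] < 1024 <= d["dport"]
    return d


if __name__ == "__main__":
    print(trace("192.168.247.35", "192.168.7.33"))
    print(trace("192.168.247.35", "192.168.247.50"))
    print(classify_pix_deny('Deny tcp src inside:192.168.7.33/110 dst '
                            'dmz:192.168.247.35/49384 by access-group "acl_inside"'))
```

Running it shows the two cases from the post side by side: VLAN247 to the mail server is forwarded via Tunnel1 but answered via the global default, while VLAN247 to the 192.168.247.48/29 subnet is symmetric because both ends are in VRF MMM, which matches the observation that traffic between the two VRF subnets works.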
Similar Messages
-
Cisco 1841 as PPTP client does not work
Dear All,
I have Cisco 1841 router running the below roles
1) SSL VPN Server
2) PPTP Server
3) Site to Site Connection with Sonicwall router
I want the router to be configured as a PPTP client to an internet VPN server (so that I will get a fixed public IP).
Once I get this IP address I want to use this connection to accept incoming connections and forward ports to an internal host.
I went through the below:
http://www.mreji.eu/content/cisco-router-pptp-client
https://supportforums.cisco.com/thread/2167562
But it does not work as I do not have the option for the below 2 commands in the vpdn-group 2 section. (Please see section in blue)
protocol pptp
rotary-group 4
Please Advise and Help
Regards
Hasan Reza
My Current Config is as below
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.06.09 17:55:23 =~=~=~=~=~=~=~=~=~=~=~=
exit
Gateway#show run |
Building configuration...
Current configuration : 25109 bytes
! Last configuration change at 13:33:57 UTC Sun Jun 9 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname Gateway
boot-start-marker
boot system flash c1841-advsecurityk9-mz.151-2.T1.bin
boot-end-marker
logging buffered 4096
no logging console
enable secret 5 $1$SciF$TlX1tR5qaG9ZE7pdZHcRJ/
no aaa new-model
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.236.5.1 10.236.5.20
ip dhcp excluded-address 10.236.5.21 10.236.5.50
ip dhcp excluded-address 172.21.51.2 172.21.51.50
ip dhcp pool ContosoPool
network 10.236.5.0 255.255.255.0
default-router 10.236.5.254
dns-server 213.42.20.20 195.229.241.222
ip dhcp pool DMZ
network 172.21.51.0 255.255.255.0
dns-server 172.21.51.10
default-router 172.21.51.1
domain-name contoso.local
ip cef
ip domain name contoso.local
ip name-server 213.42.20.20
ip name-server 195.229.241.22
ip name-server 195.229.241.222
ip ddns update method dyndns
HTTP
add http://xxxxxx:[email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://xxxxxx:yyyyy@@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 1 0 0
multilink bundle-name authenticated
vpdn enable
vpdn-group 2
request-dialin
protocol l2tp
initiate-to ip 173.195.0.42
vpdn-group RAS-VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel timeout no-session 15
crypto pki token default removal timeout 0
crypto pki trustpoint TP.StartSSL.CA
enrollment terminal pem
revocation-check none
crypto pki trustpoint TP.StartSSL-vpn
enrollment terminal pem
usage ssl-server
serial-number none
fqdn ssl.spktelecom.com
ip-address none
revocation-check crl
rsakeypair RSA.StartSSL-vpn
crypto pki trustpoint TP-self-signed-1981248591
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1981248591
revocation-check none
rsakeypair TP-self-signed-1981248591
crypto pki trustpoint VMWare
enrollment terminal
revocation-check crl
crypto pki trustpoint OWA
enrollment terminal pem
revocation-check crl
crypto pki certificate chain TP.StartSSL.CA
certificate ca 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP.StartSSL-vpn
certificate 0936E1
(removed the certificate info for clarity)
quit
certificate ca 18
(removed the certificate info for clarity)
quit
crypto pki certificate chain TP-self-signed-1981248591
certificate self-signed 01
(removed the certificate info for clarity)
quit
crypto pki certificate chain VMWare
certificate ca 008EDCE6DBCE6B
(removed the certificate info for clarity)
quit
crypto pki certificate chain OWA
(removed the certificate info for clarity)
license udi pid CISCO1841 sn FCZ122191TW
archive
log config
hidekeys
username admin privilege 15 password 7 1304131F02023B7B7977
username ali password 7 06070328
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 84000
crypto isakmp key admin_123 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
crypto ipsec transform-set strongsha esp-3des esp-sha-hmac
crypto dynamic-map mydyn 10
set transform-set strongsha
crypto map Dxb-Auh 1000 ipsec-isakmp dynamic XXXXXXXXXX
interface FastEthernet0/0
description Internal Network (Protected Interface)
ip address 10.236.5.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
interface Virtual-Template1
ip unnumbered Dialer1
peer default ip address dhcp-pool ContosoPool
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 eap
interface Dialer1
ip ddns update hostname XXXXXXX.dyndns.org
ip ddns update dyndns
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1450
dialer pool 1
ppp pap sent-username vermam password 7 13044E155E0913323B
crypto map Dxb-Auh
interface Dialer2
mtu 1460
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer in-band
dialer idle-timeout 0
dialer string 123
dialer vpdn
dialer-group 2
ppp pfc local request
ppp pfc remote apply
ppp encrypt mppe auto
ppp authentication ms-chap ms-chap-v2 callin
ppp eap refuse
ppp chap hostname hasanreza
ppp chap password 7 070E2541470726544541
interface Dialer995
no ip address
ip local pool webssl 10.236.6.10 10.236.6.30
ip forward-protocol nd
ip http server
ip http secure-server
ip nat inside source list nat interface Dialer1 overload
ip nat inside source static tcp 10.236.5.12 25 interface Dialer1 25
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.21.51.0 255.255.255.0 10.236.5.253
ip access-list extended internal
permit ip any 10.236.5.0 0.0.0.255
ip access-list extended nat
deny ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
deny ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 any
ip access-list extended nonat
permit ip 10.236.5.0 0.0.0.255 172.19.19.0 0.0.0.255
permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
ip access-list extended sslacl
ip access-list extended webvpn
permit tcp any any eq 443
logging esm config
access-list 101 permit ip 10.236.5.0 0.0.0.255 172.31.1.0 0.0.0.255
control-plane
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
line vty 5 15
exec-timeout 0 0
login local
transport preferred ssh
transport input telnet ssh
scheduler allocate 20000 1000
webvpn gateway gateway1
ip interface Dialer1 port 443
ssl encryption rc4-md5
ssl trustpoint TP.StartSSL-vpn
inservice
webvpn install svc flash:/webvpn/anyconnect-win-3.1.00495-k9.pkg sequence 1
webvpn install csd flash:/webvpn/sdesktop.pkg
webvpn context webvpn
ssl authenticate verify all
url-list "Webservers"
heading "SimpleIT Technologies NBNS Servers"
url-text "Google" url-value "www.google.com"
url-text "Mainframe" url-value "10.236.5.2"
url-text "Mainframe2" url-value "https://10.236.5.2"
nbns-list "ContosoServer"
nbns-server 10.236.5.10
nbns-server 10.236.5.11
nbns-server 10.236.5.12
port-forward "PortForwarding"
local-port 3389 remote-server "10.236.5.10" remote-port 3389 description "Server-DC01"
policy group policy1
url-list "Webservers"
port-forward "PortForwarding"
nbns-list "ContosoServer"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
svc address-pool "webssl"
svc default-domain "Contoso.Local"
svc keep-client-installed
svc split include 10.236.5.0 255.255.255.0
svc split include 10.236.6.0 255.255.255.0
svc split include 172.31.1.0 255.255.255.0
svc split include 172.21.51.0 255.255.255.0
svc dns-server primary 172.21.51.10
default-group-policy policy1
gateway gateway1
inservice
end
Gateway#
-
Why does this NAT configuration not work ?
interface FastEthernet0/0
description To Cable Modem
ip address dhcp
ip nat outside
interface FastEthernet0/1
description To LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip nat pool ovrld 72.186.194.72 72.186.194.72 netmask 255.255.192.0
ip nat inside source list NATOUT pool ovrld overload
ip access-list standard NATOUT
permit 192.168.1.0 0.0.0.255 log
'show ip nat translations' shows no translations.
The Stats
Dynamic mappings:
-- Inside Source
[Id: 3] access-list NATOUT pool ovrld refcount 0
pool ovrld: netmask 255.255.192.0
start 72.186.194.72 end 72.186.194.72
type generic, total addresses 1, allocated 0 (0%), misses 0
Queued Packets: 0
I can get one device to translate with a static, but the dynamic does not work.
Hey Rolf. I used the commands like you said, but it will not translate anything unless the entry is static.
ip nat inside source static 192.168.1.2 72.186.*.72 is what I'm using to get my main node translated while I figure out this problem. The configuration worked fine until I upgraded IOS from 12.3 to 12.4. That's when it quit translating. My config follows. Keep in mind that when I tried your commands I removed the static entry for 192.168.1.2.
Building configuration...
[OK]
HEADEND(config)#do sh run
Building configuration...
Current configuration : 3267 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname HEADEND
boot-start-marker
boot-end-marker
enable secret 5 $1$vk5M$eGiHBbhKZrvPdNz0aXhve1
no aaa new-model
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.250 192.168.1.254
ip dhcp pool DEESPOOL
network 192.168.1.0 255.255.255.0
dns-server 65.32.5.111 65.32.5.112
domain-name dbtech.netpros.com
default-router 192.168.1.254
crypto pki trustpoint TP-self-signed-3843280569
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3843280569
revocation-check none
rsakeypair TP-self-signed-3843280569
crypto pki certificate chain TP-self-signed-3843280569
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383433 32383035 3639301E 170D3032 30333031 30333331
30305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38343332
38303536 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD0F 1F06509B 67D1C1F4 C9AEFA31 89A8C059 4B17CDE8 95F23275 CFB9AC41
D784F703 C25B630D A0461FB1 114B3608 B3387518 8F552DD7 41796488 F0C79FC0
103A2C3F FFE388FE 7970D921 C5F754D1 68A15518 F30F91CC 26884284 5C8C3275
B06A584D 96D2D5CB 92068B40 C05C8A4E 80E9CCE0 2DE5883F 9EF405BB 89252921
B03D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17484541 44454E44 2E74616D 70616261 792E7272 2E636F6D
301F0603 551D2304 18301680 14E92E8B 5F671437 6F383CCD 42AD6AE8 4CC47730
F9301D06 03551D0E 04160414 E92E8B5F 6714376F 383CCD42 AD6AE84C C47730F9
300D0609 2A864886 F70D0101 04050003 81810055 7BE1410C C73F83F3 26B30B9A
569ED607 9FDCB6CD 46125795 0A8137EF 930C195B 19E79813 B6DF9B2D 6809F4A2
A5F0BDB0 03DF87D2 81643EC7 5D619E65 132B1C12 61FB212B DAEB02A2 56E63559
D931DF1F A3817AAF F21D8EE0 D0741B96 DBF52051 78964876 5AB7E319 5A051455
4EA9186D 1E9ABC81 00573284 564D6BE7 486681
quit
username derek privilege 15 secret 5 $1$rBZD$NqY/hkTEpcZV4rYqwtKAD.
interface FastEthernet0/0
description To Cable Modem
ip address dhcp
ip nat outside
duplex auto
speed auto
interface FastEthernet0/1
description To LAN
ip address 192.168.1.254 255.255.255.0
ip nat inside
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list NATOUT interface FastEthernet0/0 overload
ip access-list standard NATOUT
permit 192.168.1.0 0.0.0.255 log
control-plane
line con 0
line aux 0
This is very odd; it is like dynamic NAT is just broken.
-
Nexus 1KV TACACS+ Not Working
I have been trying to get my Nexus 1KV working with AAA/TACACS+ and I'm stumped.
The short version is that I see where the issue is, but can't seem to resolve it.
When I try to log in using TACACS, it fails. The ACS server reports InvalidPassword.
The CLI on the Nexus shows:
2011 Sep 9 16:37:13 NY_nexus1000v %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2011 Sep 9 16:37:14 NY_nexus1000v %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user gtopf from 192.168.20.151 - sshd[15675]
2011 Sep 9 16:37:23 NY_nexus1000v %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user gtopf from 192.168.20.151 - sshd[15672]
And an AAA test from the nexus fails.
I have good connectivity between the two boxes, I can ping, and obviously the failed login showing on ACS shows that it's talking, but it's just not working.
My config is below (omitted ethernet port configs)
!Command: show running-config
!Time: Fri Sep 9 16:45:49 2011
version 4.2(1)SV1(4a)
no feature telnet
feature tacacs+
feature lacp
username admin password 5 $1$Q50UpgN/$4eu39QmZHLTf3FAkwwdOF1 role network-admin
banner motd #Nexus 1000v Switch#
ssh key rsa 2048
ip domain-lookup
ip domain-lookup
ip name-server 192.168.20.10
tacacs-server timeout 30
tacacs-server host 192.168.20.30 key 7 "j3gp0"
aaa group server tacacs+ TacServer
server 192.168.20.30
deadtime 15
use-vrf management
source-interface mgmt0
hostname NY_nexus1000v
ntp server 192.168.20.10
aaa authentication login default group TacServer
aaa authentication login console group TacServer
aaa authentication login error-enable
tacacs-server directed-request
vrf context management
ip route 0.0.0.0/0 192.168.240.1
vlan 1,20,40,240
lacp offload
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type ethernet Unused_Or_Quarantine_Uplink
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
vmware port-group
shutdown
description Port-group created for Nexus1000V internal usage. Do not use.
state enabled
port-profile type ethernet system-uplink
vmware port-group
switchport mode trunk
switchport trunk allowed vlan 20,40,240
channel-group auto mode active
no shutdown
system vlan 240
description "System profile for critical ports"
state enabled
port-profile type vethernet data20
vmware port-group
switchport mode access
switchport access vlan 20
no shutdown
description "Data profile for VM traffic 20 VLAN"
state enabled
port-profile type vethernet data40
vmware port-group
switchport mode access
switchport access vlan 40
no shutdown
description "Data profile for VM traffic 40 VLAN"
state enabled
port-profile type vethernet data240
vmware port-group
switchport mode access
switchport access vlan 240
no shutdown
description "Data profile for VM traffic 240 VLAN"
state enabled
port-profile type vethernet system-upilnk
description "Uplink profile for VM traffic"
vdc NY_nexus1000v id 1
limit-resource vlan minimum 16 maximum 2049
limit-resource monitor-session minimum 0 maximum 2
limit-resource vrf minimum 16 maximum 8192
limit-resource port-channel minimum 0 maximum 768
limit-resource u4route-mem minimum 32 maximum 32
limit-resource u6route-mem minimum 16 maximum 16
limit-resource m4route-mem minimum 58 maximum 58
limit-resource m6route-mem minimum 8 maximum 8
interface port-channel1
inherit port-profile system-uplink
vem 3
interface port-channel2
inherit port-profile system-uplink
vem 4
interface port-channel3
inherit port-profile system-uplink
vem 5
interface port-channel4
inherit port-profile system-uplink
vem 6
interface mgmt0
ip address 192.168.240.10/24
interface control0
line console
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-1
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-2
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-2
svs-domain
domain id 500
control vlan 240
packet vlan 240
svs mode L2
svs connection vcenter
protocol vmware-vim
remote ip address 192.168.20.127 port 80
vmware dvs uuid "52 8b 1d 50 44 9d d7 1f-b6 25 76 f1 f7 97 d8 5e" datacenter-name 28th St Datacenter
max-ports 8192
connect
vsn type vsg global
tcp state-checks
vnm-policy-agent
registration-ip 0.0.0.0
shared-secret **********
log-level
FYI...
I was able to get TACACS+ auth working using the commands in the Original Post (without the two additional suggestions) as follows...
1000v# conf t
1000v(config)# feature tacacs+
1000v(config)# tacacs-server host 192.168.1.1 key 0
1000v(config)# aaa group server tacacs+ TacServer
1000v(config-tacacs+)# server 192.168.1.1
1000v(config-tacacs+)# use-vrf management
1000v(config-tacacs+)# source-interface mgmt 0
1000v(config-tacacs+)# aaa authentication login default group TacServer local
1000v(config)# aaa authentication login error-enable
1000v(config)# tacacs-server directed-request
I guess the OP had some other problem (perhaps incorrect shared secret??)
-
TACACS not working - Need help
Hi,
I have implemented TACACS in a VPN VRF environment, but it is not working; I am not able to route the ACS servers' IPs through the VRF-VPN.
Configuration pasted below:
aaa authentication login default group tacacs+ line
aaa authentication login no_tacacs line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
ip tacacs source-interface VLAN1
tacacs-server host X.X.X.X
tacacs-server host 10.10.10.4
tacacs-server key 7 ####################333
tacacs-server administration
aaa group server tacacs+ tacacs1
server-private 10.10.10.4 key ############
ip vrf forwarding LAN
ip tacacs source-interface VLAN1
Hi, sorry for the late reply.
Please find below the logs from the router
Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC
Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f
Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START
Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0
Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1
Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0
Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0
Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'
Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default
Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC
Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'
Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default
Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0
Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2
Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1
Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0
Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled
Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'
Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default
Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3
Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2
Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC
Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP
Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests
Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0
Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued -
Tablet UI does not work on Prestigio 5080 PRO tablet
I read that browser.ui.layout.tablet = "1" can fix this problem, but it does not work. I can only work in the phone interface, which is not good for my 8'' tablet.
Would it be possible for you to share the problematic pdf and OS information with us at [email protected] so that we may investigate?
Thanks,
Adobe Reader Team -
Why do self-defined access sequences for free goods not work?
Hi gurus,
I have maintained self-defined access sequences for free goods, but when I create the SO it does not work!
When I use the standard access sequences, it is OK.
Can anybody tell me why?
Thanks in advance.
Dear Sandy,
Go to transaction V/N1, select your self-defined access sequence, then go into the accesses and fields and check that all fields are activated.
Make sure that these fields are flowing into your sales order.
I hope this will help you,
Regards,
Murali. -
Adobe Bridge raw not working with Windows Vista in Photoshop CC, why?
Adobe Bridge raw is not working in Photoshop CC; is there a fix?
You're sure you're using Photoshop CC on Windows Vista?
I was under the impression that Photoshop CC would not even install on Windows Vista.
What version of camera raw do you have?
In photoshop under Help>About Plugin does it list Camera Raw and if so which version is it?
(click on the words Camera Raw to see the version)
Camera Raw doesn't work if it's a camera raw file, or some other file type such as JPEG or TIF?
What camera are the camera raw files from?
Officially, Camera Raw 8.3 is the latest version of Camera Raw that will work on Windows Vista. -
Adobe Bridge CS5 in Windows 7 not working?
Adobe Bridge CS5 in Windows 7 is not working. I was using Bridge perfectly for the last 2 years. It stopped working 3 days ago. I tried to install updates; it shows an error during install.
Tried to install Creative Cloud; again some error. Error code: 82
Could you please advise how I can fix my Adobe Bridge.
https://www.youtube.com/watch?v=xDYpTOoV81Q&feature=youtu.be
Please check this video I uploaded; this is what happens when I click Adobe Bridge: it just blinks and goes off. Bridge not working in Task Manager. -
ADOBE CLOUD ON MY DESKTOP WILL NOT WORK. IT LOADS UP BUT NOTHING FILLS THE WINDOW
BLANK Cloud Screen http://forums.adobe.com/message/5484303 may help
-and step by step http://forums.adobe.com/thread/1440508?tstart=0
-and http://helpx.adobe.com/creative-cloud/kb/blank-white-screen-ccp.html -
Partner application logoff not working
We have a partner application registered with sso with custom login screen. The login works fine. We use the following code to logoff the partner application in logoff.jsp
response.setHeader("Osso-Return-Url", "http://my.oracle.com" );
response.sendError(470, "Oracle SSO");
session.invalidate();
but the logoff is not working properly. It is not invalidating the session, and the logout HTTP request is not going from the application server to the SSO server.
Are there any additional configurations for SSO logoff? Any help is appreciated.
Thanks
Hi
The WF should also trigger if I add the partner function in the UI. If I change any attribute the WF triggers, but I don't want to change the attribute when I add the partner function.
If I have only one event for the WF, that is Partner Change, the WF will not trigger the first time I save the UI. But when I next come to the same saved doc and add a partner function, then the WF triggers.
So this means that Partner Change is active.
The issue here is that I need to trigger the WF the first time I save the UI, for which I will be using Attribute Change, and the next time when I come back to the saved doc and add only the partner function with no changes made to attributes, the WF should again trigger.
Thanks
Tarmeem -
IPhone 4 Voice Memos not working/saving
Hi there,
I'm having trouble with my voice memos too. Up until yesterday they were working fine and now, even though the record button works, the stop button does not and I can only pause them. Worse again is that the button to go into the menu to view all voice memos is not working, so I can't play them from my iPhone and nothing new is saving to my iTunes. Please help!
I've always had the "Include Voice Memos" option selected. I think that only pertains to syncing voice memos from iTunes to the iPhone after it has been copied to iTunes. It has to be the new OS/iTunes not communicating that new memos have been recorded. For some reason they won't sync when I want them to, and then a few syncs later they magically appear.
By the way, I'm VERY comfortable with the iTunes and iPhone systems. I've been using iTunes for 5 years, and I've been recording class lectures with the iPhone voice memo app (and another app) for a couple years. It's not an error of not seeing that the memos were added; they don't exist in my library or music folders.
JUST OUT OF CURIOSITY, POST WHICH FIRMWARE YOU ARE RUNNING EXACTLY!!!
I'm on an iPhone 4, running firmware 4.0.1 -
Installed Premiere Pro CS4 but video display does not work?
I just got my copy of CS4. After installing Premiere I found two things that seem very wrong:
1) video display does not work, not even the little playback viewer next to imported film clips located on the project / sequence window. Audio works fine.
2) the UI is way too slow for my big beefy system.
My pc is a dual boot Vista-32 and XP system with 4GB of memory installed and nvidia geforce 280 graphics board with plenty of GPU power. The CS4 is installed on the Vista-32 partition. My windows XP partition on the same PC with Premiere CS2 works great and real fast.
Any ideas how to solve this CS4 install issue?
Ron
I would like to thank Dan, Hunt, and Haram:
The problem is now very clear to me. The problem only shows up with video footage imported into PP CS4 encoded with the "MS Video 1" codec. So this seems to be a bug. The codec is very clearly called out and supported within various menus, but video with this codec just will not play in any monitor or preview window. In addition, the entire product looks horrible with respect to performance while PP CS4 tries its best to play the video. Audio will start playing after about 30 seconds. And once in a while part of the video shows up at the wrong magnification before blanking out again.
My suggestion to the Adobe team: fix the bug and add some sample footage to the next release so new installations can test their systems with known footage.
My PC is brand new with the following "beefy" components:
Motherboard
nForce 790i SLI FTW
Features:
3x PCI Express x16 graphics support
PCI Express 2.0
NVIDIA SLI-Ready (requires multiple NVIDIA GeForce GPUs)
DDR3-2000 SLI-Ready memory w/ ERP 2.0 (requires select third party system memory)
Overclocking tools
NVIDIA MediaShield w/ 9 SATA 3 Gb/sec ports
ESA Certified
NVIDIA DualNet and FirstPacket Ethernet technology
Registered
CPU: Intel Core 2 Quad Q9550
S-Spec: SLAWQ
Ver: E36105-001
Product Code: BX80569Q9550
Made in Malaysia
Pack Date: 09/04/08
Features:
Freq.: 2.83 GHz
L2 Cache: 12 MHz Cache
FSB: 1333 MHz (MT/s)
Core: 45nm
Code named: Yorkfield
Power:95W
Socket: LGA775
Cooling: Liquid Cooled
NVIDIA GeForce GTX 280 SC graphics card
Features:
1 GB of onboard memory
Full Microsoft DirectX 10
NVIDIA 2-way and 3-way SLI Ready
NVIDIA PureVideo HD technology
NVIDIA PhysX Ready
NVIDIA CUDA technology
PCI Express 2.0 support
Dual-link HDCP
OpenGL 2.1 Capable
Output: DVI (2 dual-link), HDTV
Western Digital
2 WD VelociRaptor 300 GB SATA Hard Drives configured as Raid 0
Features:
10,000 RPM, 3 Gb/sec transfer rate
RAM Memory , Corsair 4 GB (2 x 2 GB) 1333 MHz DDR3
p/n: TW3X4G1333C9DHX G
product: CM3X2048-1333C9DHX
Features:
XMS3 DHX Dual-Path 'heat xchange'
2048 x 2 MB
1333 MHz
Latency 9-9-9-24-2T
1.6V ver3.2 -
Ideapad A1-07 tablet wifi-bluetooth does not work!
Hello everyone. As you can see from the title, on my tablet wifi and bluetooth are not working. When turning on wifi the tablet resets and continues to go off and on until it forcibly turns off, and when you turn it on again and do not touch wifi, everything is normal and there are no problems with resetting. Can someone help me and give a suggestion to solve this stupid problem? I'm from Croatia and I'm bad at writing English.
Hi
Welcome To Lenovo Community
Please perform a factory reset.
Please ensure you have backed up any important data before doing the factory reset.
Hold the volume down and the power button till the Lenovo logo appears.
The system will boot into recovery mode. Follow the instructions.
Hope This Helps
Cheers!!! -
Polygonal lasso tool not working with stylus on Surface Pro 2
Hi guys,
I'm new here, so please bear with me if I'm posting in the wrong place or don't make immediate sense.
Hardware / software used: Surface Pro 2, and I'm running Photoshop CS5.
Problem is a fairly basic one: I am trying to make basic selections using the polygonal lasso tool (using the stylus that comes with the tablet) but it simply will not work. All I get when I touch the stylus to the screen is the circle that appears then fades. If I attach the keypad and try using that then it works no problem at all.
Does anyone have any ideas as to whether there is a particular setting that I need to switch on or off e.g. something relating to pressure sensitivity (although not sure why this would affect this particular selection tool)?
I've searched the web and come up with nothing so far so any help is greatly appreciated!
Thanks for your time
Scott
Same problem on Surface Pro 3!!!!
And I think quite significant, for a lot of artists who use the polygonal lasso a lot (including me). How come the stupid Surface cannot work properly?