Cisco 6500s in a VSS configuration: port-channel IDs

Hello

I have a pair of 6500s set up with VSS and there is currently only one link between them. However, one end of the link is Po10 and the other end is Po25. If I move Po10 to Po25, will things break? It seems to work fine now. I am about to add a second link and I am concerned about the current configuration. It makes more sense to me to have the two ends of the same link on the same port-channel ID. I have seen documentation that states otherwise, however.

interface Port-channel10
 no switchport
 no ip address
 switch virtual link 1
 mls qos trust cos
 no mls qos channel-consistency
!
interface Port-channel25
 no switchport
 no ip address
 switch virtual link 2
 mls qos trust cos
 no mls qos channel-consistency

DTC_6509s_VSS#sh run int Te1/5/4
Building configuration...

Current configuration : 116 bytes
!
interface TenGigabitEthernet1/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 10 mode on
end

DTC_6509s_VSS#sh run int Te2/5/4
Building configuration...

Current configuration : 116 bytes
!
interface TenGigabitEthernet2/5/4
 no switchport
 no ip address
 mls qos trust cos
 channel-group 25 mode on
end

DTC_6509s_VSS#sh vslp lmp sum

Instance #1:

LMP summary

Link info:    Configured: 1    Operational: 1

                                   Peer   Peer            Peer    Peer       Timer(s) running
Interface  Flag  State        Flag   MAC             Switch  Interface  (Time remaining)
--------------------------------------------------------------------------------
Te1/5/4    VSFP  operational  VSFP   0026.0a26.84c0  2       Te2/5/4    T4(24ms)
                                                                       T5(59.95s)

DTC_6509s_VSS#sh switch virtual link port-channel

Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      N - not in use, no aggregation
        f - failed to allocate aggregator
        M - not in use, no aggregation due to minimum links not met
        m - not in use, port not aggregated due to minimum links not met
        u - unsuitable for bundling
        d - default port
        w - waiting to be aggregated

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------
10     Po10(RU)         -        Te1/5/4(P)
25     Po25(RU)         -        Te2/5/4(P)

Hello

It doesn't make a difference whether you use the same channel ID on both sides or not. The port-channel ID is a logical interface that does not impact the EtherChannel between them at all. So you can leave one side as Po10 and the other as Po25 without problem. Just make sure you have at least one active physical member interface in the port-channel so you don't lose your connection to the VSS.

Kind regards

Mohamed
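As an added check (not code from the thread), the following Python parses the `show switch virtual link port-channel` table shown above and flags any VSL port-channel that is not in use or has fewer bundled members than required, which is the condition the answer warns about. Both sample outputs are constructed; the degraded one assumes Po25 has lost its only member and shows flags (RD) for a down Layer3 port-channel.

```python
import re

# Constructed sample modelled on the thread's output: two VSL port-channels,
# each with exactly one bundled (P) member.
SAMPLE_OUTPUT = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------
10     Po10(RU)         -        Te1/5/4(P)
25     Po25(RU)         -        Te2/5/4(P)
"""

# Constructed degraded sample: Po10 gained a second member, Po25's only
# member went down (D), so the port-channel itself is down (RD).
DEGRADED_OUTPUT = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------
10     Po10(RU)         -        Te1/5/4(P) Te1/5/5(P)
25     Po25(RD)         -        Te2/5/4(D)
"""

# One table row: group, Po name, Po flags, protocol, then the member list.
ROW_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member entry such as Te1/5/4(P): interface name and its flag letters.
PORT_RE = re.compile(r"(\S+?)\((\w+)\)")


def parse_port_channels(text):
    """Map group number -> dict with Po name, Po flags, protocol and members."""
    result = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:  # legend, header and separator lines do not match
            continue
        group, po, flags, proto, ports = m.groups()
        result[int(group)] = {
            "po": po,
            "flags": flags,
            "protocol": proto,
            "ports": PORT_RE.findall(ports),  # list of (name, flags)
        }
    return result


def bundled_members(entry):
    """Interfaces whose flags contain P (bundled in the port-channel)."""
    return [name for name, flags in entry["ports"] if "P" in flags]


def vsl_health(text, min_bundled=1):
    """Return (po, issue) pairs for port-channels that are not in use (no U flag)
    or have fewer than min_bundled bundled members. Empty list means healthy."""
    issues = []
    for _group, entry in sorted(parse_port_channels(text).items()):
        if "U" not in entry["flags"]:
            issues.append((entry["po"], "not in use"))
        n = len(bundled_members(entry))
        if n < min_bundled:
            issues.append((entry["po"], f"only {n} bundled member(s)"))
    return issues


if __name__ == "__main__":
    for label, text in (("current", SAMPLE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(label, vsl_health(text) or "OK")
    # Once the second link is added, require two members per VSL port-channel.
    print("with min_bundled=2:", vsl_health(SAMPLE_OUTPUT, min_bundled=2))
```

Running it with `min_bundled=2` against the current output shows why the poster's single-member VSL port-channels are worth a second link: losing either Te1/5/4 or Te2/5/4 leaves no bundled member at all.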

Tags: Cisco Network

Similar Questions

  • How better to configure ports of ether-channel for use with iSCSI?

    I had a quick glance and find a number of different discussions about the best solution for simlar scenarios but nothing quite close enough to convince me to implement the proposed solution.

    The configuration that I was left with is not ideal, because it is not redundent. So I need to find a quick solution pritty.

    Two cards (each NIC goes to different switch) - Console of Service

    Two network cards (both in the same key) - vMotion

    Two network cards (they both go to the same switch) - Prod (10 discussions)

    Two network cards (they both go to the same switch in an ether channel) - storage (iSCSI)

    The environment is a cluster of three ESXi 4.1 ENT U1 + environment, connected to a vCenter STD.

    Here's what I intend to allocate, but hoped a nice person enough to suggest the best configuration. I realize the number of connections to Prod is excessive and we will reach neaver as bandwidth, but I have free network cards.

    Two cards (each NIC goes to different switch) - Console of Service

    Two cards (each NIC goes to different switch) - vMotion

    Four NICs (two pairs in different switches) - Prod (10 discussions)

    Four (#) - storage (iSCSI) network interface cards

    The part that concerns me is get the configuration for storage network cards just like we use the ether-channel, which seems to complicate things from what I've read.

    So in summary I want to use four NICs for storage and bandwidth is not wasted I currenlty have using the channel of the ether. If I can work it another way without the use of ether-channel I am pleased to see again.

    If I have not provided enough information to evaluate, please let me know and I'll give you more.

    Thanks in advance for any helpful information.

    So in summary I want to use four NICs for storage and bandwidth is not wasted I currenlty have using the channel of the ether. If I can work it another way without the use of ether-channel I am pleased to see again.

    First of all, let me squash the myth an EtherChannel gives you additional bandwidth for iSCSI. Each iSCSI initiator can use an uplink to an iSCSI target vSphere being limited to a hash value "IP". Given that the source and destination IPs are always the same, the hash is always the same.

    I wrote about it here in my post seriously, Stop "Using Port channels for vSphere storage traffic":

    http://wahlnetwork.com/2013/03/05/stop-using-port-channels-to-vSphere-hosts/

    I recommend to use the vmkernel ports link. It is available in 4.1, but not through the GUI.

    http://pubs.VMware.com/vSphere-4-ESX-vCenter/topic/com.VMware.vSphere.config_iscsi.doc_40/esx_san_config/configuring_iscsi/t_connect_software_iscsi_initiators_to_iscsi_vmkernel_ports.html

  • The switch configuration of 6500 catalyst for IPS Inline the METHOD works

    I understand how to configure the switch Catalyst 6500 so that the monitoring of ports are access ports in two VLAN separate operation online.

    However, I don't see any document that describes how the desired VLAN traffic gets forced through the IPS.

    "Promiscuous" mode, you can use copy/capture VACL and forwards traffic wished the METHOD of analysis. I don't see how to get traffic desired through the IPS.

    Note that the 6500 host is running native SXE IOS 12.2 (18).

    Thanks for any help.

    A transparent firewall is a pretty good comparison.

    Say you have vlan 10 with 100 PCs and 1 router for the network.

    If you want to apply a transparent firewall on this vlan you can put not just the Firewall interface on vlan 10. Nothing would go through the firewall.

    Instead, you need to create a new vlan, say 1010. Now you place the Firewall interface on vlan 10 and the other on the vlan 1010. Nothing is still going through the firewall. So now move you that router from vlan 10 to vlan 1010. Everything you do is to change the vlan, IP address and the mask of the router remain the same.

    The firewall transparent bridge vlan 10 and vlan 1010. The SCP on the vlan 10 ae is able to communicate and through the router, but must go through the transparent firewall to do.

    The firewall is transparent because there no IP Route between 2 VLANS, instead, the same IP subnet is on the VLAN and the transparent firewall ensuring the beidges between the 2 VLANS.

    The transparent firewall can do firewall between the SCP on the vlan 10 and the router on vlan 1010. But PC has vlan 10 talks for PC B on vlan 10, then the transparent firewall does not see and cannot block this traffic.

    An InLine sensor is very similar to the transparent firewall and will fill between the 2 VLANS. And similarly an InLine sensor is able to monitor InLine between PCs traffic on vlan 10 and the router on vlan 1010, but will not be able to monitor the traffic between 2 PCs on vlan 10.

    Now the PC on the other vlan and the router on a virtual LAN is a classic deployment for the sensors online, but your VLAN need not be divided in this way. You can choose to place some servers in one vlan and desktop to another vlan. You subdivide them VLAN to whatever the logical method for your deployment.

    Now for the surveillance of several VLANs the same principle still applies. You can't control traffic between machines on the same vlan. So for each the VLAN that you want to analyze, you will need to create a new vlan and divide the machines between the 2 VLANS.

    In your case with Native IOS, you are limited to only 1 pair of VLAN for InLine followed, but your desired deployment would require 20 pairs of vlan.

    The IPS 5.1 software now has the ability to manage the 20 pairs, but the native IOS software doesn't have the ability to send the 40 VLAN (20 pairs) to the JOINT-2.

    Changes in native IOS are in testing right now, but I have not heard a release date for these changes.

    Now cat BONES has already made these changes. So here is a breakdown of basic of what you could do in the BONE of cat and you can use to prepare for a deployment native IOS when it came out.

    For VLAN 10-20 and 300-310, you want monitored, you will need to break each of those VLANs in VLAN 2.

    Let's say that keep us it simple and add 500 to each vlan in order to create the new VLAN for each pair.

    Therefore, the following pairs:

    10/510, 511/11, 12/512, etc...

    300/800, 801/301, 302/802, etc...

    You configure the port to probe trunk all 40 VLAN:

    set the trunk 5/7 10-20 300-310 510-520 800-810

    (And then clear all other vlans off this trunk to clean things up)

    In the configuration of JOINT-2 create the 20 pairs of vlan inline on interface GigabitEthernet0/7

    NW on each of VLAN original 20 leave the default router for each LAN virtual vlan original to the vlan 500 +.

    At this point, you should be good to go. The JOINT-2 will not track traffic that remains inside each of the 20 VLAN original, but would monitor the traffic is routed in and out of each of the 20 VLAN.

    Due to a bug of switch, you may need to have an extra PC moved to the same vlan as the router if the switch/MSFC is used as the router and that you deploy with a JOINT-2.

  • Problem with RADIUS and VRF in Cisco 6500

    Hello

    I have the following config of the radius authentication:

    AAA new-model

    AAA authentication login default local radius group

    AAA authorization exec default local radius group

    AAA - the id of the joint session

    IP source-interface Vlan31 vrf LEGACY RADIUS

    Server RADIUS auth-port host 10.10.4.18 1645 1646 acct-port-key 7 XXXXXXXX

    Server RADIUS auth-port host 10.10.5.15 1812 1813 acct-port-key 7 XXXXXXXX

    RADIUS vsa server send accounting

    RADIUS vsa server send authentication

    The work of Don t of authentication

    The sniffer radius server does not detect the Cisco 6500 packages, but the 6500 icmp packets do very well.

    # Ping vrf LEGACY 10.10.4.18 SOUrce VLAN 31 C6500

    Type to abort escape sequence.

    Send 5, echoes ICMP 100 bytes to 10.10.4.18, wait time is 2 seconds:

    Packet sent with a source address of 10.10.5.254

    !!!!!

    Success rate is 100 per cent (5/5), round-trip min/avg/max = 1/1/1 ms

    interface Vlan31

    XXXX description

    IP vrf forwarding LEGACY

    IP 10.10.5.254 255.255.254.0

    no ip redirection

    no ip proxy-arp

    no ip mroute-cache

    end

    It has fix my configuration?

    Can you help me?

    What IOS version you run on your 6500?

    Try the following:

    AAA new-model

    !

    RADIUS AAA server group RADLegacy

    10.10.4.18 server host

    10.10.5.15 server host

    IP vrf forwarding LEGACY

    !

    Group AAA authentication login default local RADLegacy

    default AAA authorization exec RADLegacy local group

    !

  • Configure the public traffic network IP inside the internal network itself and not to the external network

    A server is now accessible from external network access using the IP and port in browser below http
    http://x.x.x.x:8080

    For the same, we have configured (static NAT) port forwarding in cisco security 1905.

    The application is also accessible via IP and the internal network port internal (ie. http://y.y.y.y:8080)

    Is there a way I can configure my 1905 Cisco as well as internal network (ie. machine B) I can access the application using the IP and the public port and not with the IP address internal? From now on, I'm not able to do the same.

    The current configurations are as follows:
    access-list 1 permit y.y.y.0 0.0.0.255
    IP nat inside source list 1 interface GigabitEthernet0/0 overload
    IP nat inside source tcp static y.y.y.y 8080 interface GigabitEthernet0/0 8080

    Hello

    You can try Domainless Nat.

    no nat ip within the source list 1 interface GigabitEthernet0/0 overload
    no nat inside source tcp ip static y.y.y.y 8080 interface GigabitEthernet0/0 8080

    int gig0/0
    no nat inside ip
    activate nat IP

    int gig0/1
    no nat inside ip
    activate nat IP

    IP nat source list 1 interface GigabitEthernet0/0 overload
    interface IP nat source tcp static y.y.y.y 8080 GigabitEthernet0/0 8080

    RES

    Paul

  • Redirect port on the router Cisco 881 can following the active WAN Interface

    Hello

    Is there a way to make the port Fowarding after the Active Wan Interface?

    In this case the port Fowarding only works when the interface is active is GigabitEthernet0/0

    Bureau3616 (config) # ip nat inside source tcp static 192.168.2.xxx 3389 interface GigabitEthernet0/0 3387

    If our ISP-1 failure on WAN-1 Interface GigabitEthernet0/0 switch to internet access automatically to ISP - 2 WAN-2 on GigabitEthernet0/1 but the port forwarding does not work because it is fixed to the other interface only and I is not the way to port forwarding follow the WAN an actress.

    Let me know please if anyone has an idea.

    It is a part of my config

    ! NAT configuration

    Bureau3616 (config) # ip nat inside source map route NAT-WAN1 interface GigabitEthernet0/0 overload

    Bureau3616 (config) # ip nat inside source map route NAT-WAN2 interface GigabitEthernet0/1 overload

    Bureau3616 (config) # NAT-WAN1 allowed 10 route map

    Ip address of Bureau3616 (config-route-map) # match 100

    Bureau3616 (config-route-map) # match interface GigabitEthernet0/0

    Bureau3616 (config-route-map) #exit

    Bureau3616 (config) # NAT-WAN2 allowed 10 route map

    Ip address of Bureau3616 (config-route-map) # match 100

    Bureau3616 (config-route-map) # match interface GigabitEthernet0/1

    Bureau3616 (config-route-map) #exit

    ! Port Fowarding configuration

    Bureau3616 (config) #ip avant-protocole nd

    Bureau3616 (config) # ip nat inside source tcp static 192.168.2.xxx 3389 interface GigabitEthernet0/1 3387

    Thank you!

    You can, but you can't use transfer based on the interface of the to do. It should be based on the address itself. It's fine if you have static addresses or reserved on your WAN interfaces, but pose a problem if the addresses are dynamic:

    ip nat inside source static tcp 192.168.2.x 3389 1.1.1.1 3389 route-map NAT-WAN1ip nat inside source static tcp 192.168.2.x 3389 2.2.2.2 3389 route-map NAT-WAN2
    Replace the address of your interface WAN1 and 2.2.2.2 with the address of your 1.1.1.1 WAN2 interface. Applying the road maps will work pretty much the same way as it does with your statements of overload. Each transmission NAT rule applies only to the traffic corresponding to rules of the road map.
  • WRT54GL cannot transmit from inside the LAN port?

    Hello

    I have a Server servers running several (HTTP, SVN, FTP,...) inside my network.

    I used to have a SMC router in the past, and of course I had to use port forwarding.

    This is why I realized that when we "talk" to the server, I can 'talk' to the router that will forward requests to the right compurer, based on the NAT table. If, for example, that if I move the SVN server, I don't have to change the path to the repository, change the NAT entry is OK in this case.

    If this is not understandable, here 's another report.

    However, I discovered that even if my new WRT54GL seems to be much more advanced, it cannot do this. Requests made to the router from within the local network are not transferred to the right place.

    Is there a way to accomplish what we need, or at least a road map? It's sad that the SMC products otherwise is not very reliable can do...

    Kind regards

    Matej

    Well, I have it solved.

    I tried to convey the SVN, HTTP, FTP, and SSH.

    However, it was not working when the server IP assigned by DHCP.

    When I set up (the server within the LAN) to use the static IP address, not only that port forwarding began to make sense, but I have seen web pages by typing my public IP address in the browser on a computer inside the LAN.

    What surprised me, is that it only worked when the server had assigned auto private IP address. I know that these addresses change so it would not very long work, but it did not work even before that t has changed...

  • Latitude E7450 processor and controller, E - 2, unstable configuration port of the U2715H - two monitors-

    I have two monitors U2715H connected via a CDM-> DP cable each to a docking station E-Port Plus (in fact an Advanced Port Replicator EURO2) in which sits a laptop Latitude E7450 processor and controller. All items are brand new. E7450 processor and controller is equipped with 16 GB of RAM and two graphics cards: Intel HD 5500 Graphics and NVIDIA GeForce 840 M; selection is automatic, which usually means that the 5500 is running. It runs Windows 7 Enterprise SP1 (64-bit). The docking station has apparently DP 1.2 a capacity (for chaining) but DP 1.2 is disabled in both monitors.

    I have correctly configured the system to have Windows desktop space both monitors at 2560 x 1440 resolution, even with screen internal latitude as a third request for an extension to its full resolution (1920 x 1080). The main screen can be set to one of the two (or three) and I can successfully move the sequence of monitors around (left, middle, right).

    There is therefore no doubt about the ability of the system to support the planned configuration. However, when I dock the Latitude (most with the lid closed) and start, most of the time he is unable to restore the configuration of the two external monitors. Some of the symptoms are: one or two monitors go black, indicating the cable connected but no signal from the docking station. If there is a picture on one of the monitors at startup, it may or may not contain the login screen. (I can still log in because I know which keystrokes to send.) If the login screen is visible, it is usually in low resolution. If I have several active screens, but one is black, I can move the mouse pointer (or an entire window) on the screen black (in the middle or on the side), but it is not visible here.

    Both monitors come right out of the box and the only change I made is to move from the DP to the mDP as input channel. I reinstalled the cables and exchanged the cables between the two DPs on the docking station. I turned the market monitors. I ran the self-test the requirements on both monitors. The connection of the laptop on the docking station is a little wobbly, but I use the spacer provided for the E7450 processor and controller and making sure the connection is correct and stable. I've updated all the drivers and BIOS of processors E7450 and controller. I recently saw a reference to a BIOS for the docking station; I didn't know it existed, but I'm not.

    The installation instructions provided with the monitors were a note on consulting the CD provided for the use of the screen to maximum resolution. E7450 processor and controller is not an optical drive, but I read all of the documentation for the monitor to Support technical without finding what whatsoever to shed light on the situation (in addition to ensure that the graphics card and drivers are up to the task).

    Once I connected, I can manage to make it all in order by randomly (?) lower the resolution of the screen, change the position of the main screen (left-center-right), deselection reselection CDM as entry way and forcing other changes. Once the two or all three screens in operation, I can put them all to maximum resolution and beginning of work. However, it is rather annoying and I would like to have a stable configuration.

    The configuration seems to survive power cycling of the laptop / station but not if I also disconnect the laptop. I should mention that when I detach the E7450 processor and controller, I can use it in other configurations, with or without other external monitors through other ports, before turning it off and later re - anchor as described. However, for the first month I had two old non-moniteurs Dell of any resolution (on DVI and VGA ports) connected to the docking station and the configuration is stable, and for years I used for my older Latitude with a docking station that is older, remembering his device between different hardware configurations.

    Please, someone - and Dell support staff in particular?

    (Editing/updating after transfer of the Forum/devices/Forum/computer laptop and video monitors)

    A brief update of the Denmark...

    We have experienced the issue for several months since the purchase of laptops E7450 processor and controller and docks of Port E II.
    (HDMI screens / black screens with flashing DisplayPort).

    But the new Dock firmware A07 21 v3.10.1. April seems to have solved all our problems.

    Here is the link VMM3320 STD HUB Firmware for E5250/E5450/E5550/E7250/processors E7450 and controller:

    http://www.Dell.com/support/home/us/en/19/drivers/DriversDetails?driverId=FV9KP&FILEID=3535351776&osCode=WT64A&ProductCode=latitude-E7450-Ultrabook&LanguageCode=en&CategoryID=VI

    Best regards
    Martin

  • Configuring the additional server ports

    Hi, if I use 2 ports per chassis of the server and want to add another 2, in addition to plug the cables and the settings, on the interconnection ports to "Set up as a Server Port" y at - it something else which is necessary and there is no interruption of traffic?

    Hello David,.

    If the links between IOM and FI server ports are individual links, then you will recognize the chassis to initialize the new links. This will cause disturbances of the network for a few seconds.

    There is no need to re - recognize the chassis if there is a channel of port of fabric between the IOM and FI.

    http://www.Cisco.com/en/us/docs/unified_computing/UCS/SW/GUI/config/Guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_0101.html#concept_5D3D88341BFB43468B62B5A77876C67B

    HTH

    Padma

  • What is the right configuration of the port for my Photosmart C6180 using 32-bit Windows 8?

    Hi all

    I have a HP Photosmart C6180. I recently changed to Windows 8 32-bit. I downloaded the HP Windows 8 drivers, but I still have problems with the printer. In Control Panel, the printer status says "error".  I think that it could possibly be a problem with the printer port settings. So, my question is, what is the right configuration of the port for my Photosmart C6180 using 32-bit Windows 8?

    I would greatly appreciate any help you can give me. Thanks, JoeRocket

    Hello JoeRocket,

    Welcome to the HP Forums!

    I understand that your Photosmart C6180 enjoys a status of "error". I will do my best to help you! I would start by following this entire document on "Printer is off-line" Message appears on the computer and the printer does not print.

    This document provides steps to check the printer driver and port of your computer. Please post your results, I'll be looking forward to hear from you.

    Have a good night!

  • Put virtual machines inside the VMkernel port group

    Hello

    Network for administrators of VMware SIAS layout:

    "You can not put VMs within that group of port because it is made especially for a VMkernel port."

    However, I use ESXi 5.5 and is able to put normal interface of VM inside the vmk port group. (I only created 1 vmk port group so all virtual machines in the same group with the vmkernel interface)

    May I know if this is a new feature, or something is wrong?

    Thank you!

    This may be possible with distributed switches not with standard switches.

  • Print the best configuration of work - inside edge crosstalk between facing pages?

    I am putting together a 32pp A4 report with InDesign CS3 that will be printed to PDF in China.  I am based in the United Kingdom, and I will pass the file to printing electronically.  I speak some Chinese, but my client has an office in China and a member of their staff (non-expert graphics) will be the man in the middle.

    For now I'll implement my document with facing pages and 5mm of eave.  I remember a recent UK print job by using the same configuration of document that when I got out in PDF format to use the settings from bleed paper is TICKING, the Printing Office has complained that the images that filled one side of the A4 and served outside/top/bottom of the page not to bleed inside.  I asked them how to give them what they need and they said "spreads" face should be 'divided into single pages"before I made the PDF - this would purge on all 4 sides. I didn't know how to do that and maintain the facing pages for me to design in a way spread by spread, so I asked them.  They could not tell me, so I left as it was.  In the end they had to cut the pages a little more inside to get rid of any white paper.

    I'm very keen to avoid any problems at all with this print job, if I want to get the installation program and treat just in my head from the start.

    So my question: How can I configure this document in order to minimize the problems of the printer?  I don't mind if it means another process before exporting it, I don't know what that might be.

    Thank you very much.

    You certainly don't need to split the spreads for binding, but it would be a good idea to include the same value for bleeding from the inside

    as bleeding out.  I think that what you are not understanding is that if you don't have line of purge showing bleeding inside, if you export a purge of 5mm for the inside value, you will get a portion of 5 mm of the opposing page - which is all you need for binding or stitching seat.  If you did another piece of spiral, you need to split the pages and create a bleed around each page, because you don't want the opposing page showing a trimmed of Miss page.  On perfect binding, the inside edge is not noticeable and is right next to the opposing page, so bleeding that doesn't matter as long as you have a bleeding it to avoid a white line is on a miss-plate (if you are printing colors all the way to the gutter).  On the bite on horseback, the pages are actually laidout side by side, so inside gutter will not be used, but it is good to provide for prepress purposes.

    Hope that helps.

  • To customize the center of port of defence

    I have cisco ASA and the defence centre is managed in the virtual machine. I activate the ASA to remote access and using https://x.x.x.x access the ASA. My DC is running on the local network within the interface's IP address 192.168.1.15. It is even possible to port forward and have a DC remote desktop access. I think we could have gained access to the DC using https there had been no ASA by transfer, but now with https://x.x.x.x that I get access to the ASA, what can we do to get access to DC. Is it possible to customize the ports?

    Hello

    You can configure static nat on the SAA with port forwarding enabled

    for example

    If your public ip ASA is 1.1.1.1 and Defence Centre ip private is 2.2.2.2, then configuration will be nat auto with the syntax below:

    1.1.1.1 - DCaccess network object

    host 2.2.2.2

    NAT (Inside, Outside) static 1.1.1.1 service tcp 443-8443

    1.1.1.1 here is the name of the object for the public to the top of the asa

    After that, you can access DC on

    https://1.1.1.1:8443

    Rate if this can help

    Thank you

    Ankita

  • Darkness of 8.4 (1) vpn L2L filter ASA when you specify the Protocol and port

    Hi all - I've spent many hours trying to diagnose this and have read several discussions and the Cisco docs unsuccessfully...

    Situation: two sites running Cisco ASA 5520 on 8.4 (1) with L2L IPsec on the public internet between each of them. The configuration of IPsec and associated routing works as it should and we are able to pass traffic between networks private behind each device as expected. The problem occurs when you try to block sessions using a vpn-filter group policy configuration.

    Each site has 3 private subnets that are able to communicate correctly without the vpn-filter configuration. We want to restrict access to specific protocols, hosts, and ports between each network.

    SITE A: 10.10.0.0/18, 10.10.64.0/18, 10.10.128.0/18

    SITE B: 10.20.0.0/18, 10.20.64.0/18, 10.20.128.0/18

    When we apply a filter-vpn configuration which restricted access only two guests, as follows...

    SITE A: vpn_acl_x_x_x_x list extended access permit ip host 10.20.0.1 host 10.10.0.1

    SITE b: the ip host 10.10.0.1 allowed extended access list vpn_acl_x_x_x_x host 10.20.0.1

    ... the configuration works correctly. However, when we try to lock the configuration more far and specify the protocols and ports, as follows...

    SITE A: vpn_acl_x_x_x_x list extended access permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

    SITE b: vpn_acl_x_x_x_x to the list of access permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

    ... and then try to establish a SSH connection between 10.10.0.1 and 10.20.0.1 or vice versa, the package is stopped on the side of the SOURCE. ..

    Mar 22 11:58:01 x.x.x.x 22 March 2011 14:34:56: % ASA-4-106103: vpn_acl_x_x_x_x of the access list refused tcp to the user "" inside-data/10.10.0.1(59112)-> outside-iptrans/10.20.0.1(22) hit - cnt 1 first success [0xd8d1c1b4, 0 x 0]

    I would really appreciate it if someone could shed some light on what is wrong with this Setup.

    SOLUTION

    The ACE must be implemented on the source and the end of the tunnel destination to facilitate this configuration.

    EXAMPLE 1: allow SSH two-way communication between hosts on each network (SITE A can connect to SITE B, SITE B can connect to SITE A)...

    SITE A:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 host 10.10.0.1 eq 22

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1

    SITE B:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 eq 22 host 10.20.0.1

    EXAMPLE 2: allow communication one-way SSH between hosts on each network (SITE A can connect to SITE B, SITE B is unable to connect to SITE A)...

    SITE A:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.20.0.1 eq 22 host 10.10.0.1

    SITE B:

    access-list vpn_acl_x_x_x_x extended permit tcp host 10.10.0.1 host 10.20.0.1 eq 22

    Very good and thank you for this post. Please kindly marks the message as answered while others may learn from your post. I think that you have started a very good discussion on vpn-filter for tunnel L2L.

  • ASA 5512 Anyconnect VPN cannot connect inside the network 9.1 x

    Hello

    I'm new to ASA, can I please help with this. I managed to connect to the vpn through the mobility cisco anyconnect client, but I am unable to connect to the Internet. the allocated ip address was 172.16.1.60 and it seems OK, I thought my acl and nat is configured to allow and translate the given vpn ip pool but I'm not able to ping anything on the inside.

    If anyone can share some light... There's got to be something escapes me...

    Here's my sh run

    Thank you

    Raul

    -------------------------------------------------------------------------------

    DLSYD-ASA# sh run

    : Saved
    :
    ASA Version 9.1(2)
    !
    hostname DLSYD-ASA
    domain-name delo.local
    enable password UszxwHyGcg.e6o4z encrypted
    names
    ip local pool DLVPN_Pool 172.16.1.60-172.16.1.70 mask 255.255.255.0
    !
    interface GigabitEthernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/1
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/2
     description Ext
     speed 10
     duplex full
     nameif Ext
     security-level 0
     ip address 125.255.160.54 255.255.255.252
    !
    interface GigabitEthernet0/3
     description Int
     speed 10
     duplex full
     nameif Int
     security-level 100
     ip address 192.168.255.2 255.255.255.252
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     management-only
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    !
    boot system disk0:/asa912-smp-k8.bin
    ftp mode passive
    clock timezone EST 10
    clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
    dns domain-lookup inside
    dns domain-lookup Int
    dns server-group DefaultDNS
     name-server 192.168.1.90
     name-server 192.168.1.202
     domain-name delo.local
    same-security-traffic permit intra-interface
    object network dlau40
     host 192.168.1.209
    object network dlausyd02
     host 192.168.1.202
    object network 192.168.1.42
     host 192.168.1.42
    object network dlau-utm
     host 192.168.1.50
    object network dlauxa6
     host 192.168.1.62
    object network 192.168.1.93
     host 192.168.1.93
    object network dlau-ftp01
     host 192.168.1.112
    object network dlau-dlau-ftp01
    object network dlvpn_network
     subnet 172.16.1.0 255.255.255.0
    object-group icmp-type Good-ICMP
     icmp-object echo
     icmp-object echo-reply
     icmp-object time-exceeded
     icmp-object traceroute
     icmp-object unreachable
    access-list DLVPN_STAcl standard permit 192.168.0.0 255.255.0.0
    access-list DLVPN_STAcl standard permit 196.1.1.0 255.255.255.0
    access-list DLVPN_STAcl standard permit 126.0.0.0 255.255.0.0
    access-list Ext_access_in extended permit icmp any any object-group Good-ICMP
    access-list Ext_access_in extended permit tcp any object dlau-ftp01 eq ftp
    access-list Ext_access_in extended permit tcp any object dlausyd02 eq https
    access-list Ext_access_in extended permit tcp any object dlau-utm eq smtp
    access-list Ext_access_in extended permit tcp any object dlauxa6 eq 444
    access-list Ext_access_in extended permit ip object annete-home any
    pager lines 24
    logging enable
    logging asdm informational
    mtu Ext 1500
    mtu Int 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-713.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
    !
    object network dlausyd02
     nat (Int,Ext) static interface service tcp https https
    object network dlau-utm
     nat (Int,Ext) static interface service tcp smtp smtp
    object network dlauxa6
     nat (Int,Ext) static interface service tcp 444 444
    object network dlau-ftp01
     nat (Int,Ext) static interface service tcp ftp ftp
    access-group Ext_access_in in interface Ext
    route Ext 0.0.0.0 0.0.0.0 125.255.160.53 1
    route Int 192.168.0.0 255.255.0.0 192.168.255.1 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication enable console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    http server enable 44310
    http server idle-timeout 30
    http 192.168.0.0 255.255.0.0 Int
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet 192.168.1.0 255.255.255.0 management
    telnet timeout 30
    ssh 192.168.0.0 255.255.0.0 Int
    ssh timeout 30
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    no ipv6-vpn-addr-assign aaa
    no ipv6-vpn-addr-assign local
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ntp server 61.8.0.89 source Ext prefer
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
     port 44320
     enable outside
     enable Ext
     anyconnect-essentials
     anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
     anyconnect enable
     tunnel-group-list enable
    group-policy GroupPolicy_DLVPN internal
    group-policy GroupPolicy_DLVPN attributes
     wins-server none
     dns-server value 192.168.1.90 192.168.1.202
     vpn-tunnel-protocol ssl-client
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value DLVPN_STAcl
     default-domain value delonghi.local
     webvpn
      anyconnect keep-installer installed
      anyconnect ssl rekey time 30
      anyconnect ssl rekey method ssl
      anyconnect ask none default anyconnect
    username vendor_ipfx password pb6/6ZHhaPgDKSHn encrypted
    username vendor_pacnet password mIHuYi1jcf9OqVN9 encrypted
    username admin password tFU2y7Uo15ahFyt4 encrypted
    tunnel-group DLVPN type remote-access
    tunnel-group DLVPN general-attributes
     address-pool DLVPN_Pool
     default-group-policy GroupPolicy_DLVPN
    tunnel-group DLVPN webvpn-attributes
     group-alias DLVPN enable
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect netbios
      inspect ip-options
      inspect ftp
      inspect tftp
    !
    service-policy global_policy global
    smtp-server 192.168.1.50
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:67aa840d5cfff989bc045172b2d06212
    : end
    DLSYD-ASA#

    Hello

    Just to be sure, add the following configuration related to ICMP traffic:

    policy-map global_policy
     class inspection_default
      inspect icmp
      inspect icmp error

    Your NAT0 configuration for traffic between the LAN and VPN users seems fine. Your Split Tunnel ACL seems fine too because it includes 192.168.0.0/16. I don't know what the other networks are.

    I wonder if this is a test installation, since you don't seem to have a dynamic PAT configured for your local network at all, just a few static PATs and the NAT0 configuration for the VPN. If it is a test configuration, then confirm that the device behind the ASA on the internal network has a default route pointing to the ASA's interface, and if so, is it properly configured?

    Can you ICMP the device directly behind the ASA which is the gateway to the LANs?

    If you want to try ICMP to the internal interface of the ASA from the VPN, then you can add this command and then try ICMP to the internal interface of the ASA:

    management-access Int

    Also, the post is a little confusing in the sense that the subject talks about traffic to the internal network not working, while the message mentions traffic to the Internet. I guess you meant only traffic to the local network, because you use Split Tunnel VPN, which means that Internet traffic should use the VPN user's local Internet connection while traffic to the networks specified in the Split Tunnel ACL should be sent over the VPN.

    -Jouni
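
    A small config lint covering the points in the reply above, as an added example that is not part of the thread: it parses a constructed excerpt of the posted "sh run" (only the lines the checks look at, names copied from the posted config) and reports whether the NAT exemption object actually contains the whole VPN pool, whether the split-tunnel list covers the LAN, and whether "inspect icmp", "management-access Int" and a dynamic PAT for the LAN are present. The LAN 192.168.1.0/24 and the inside interface name "Int" are assumptions passed as parameters.

```python
"""Lint an ASA running-config excerpt for AnyConnect reachability.

Added example, not from the original thread.  CONFIG is a constructed
reduction of the posted 'sh run'; FIXED is the same excerpt with the two
lines suggested in the reply appended.
"""
import ipaddress
import re
from typing import Dict

CONFIG = """\
ip local pool DLVPN_Pool 172.16.1.60-172.16.1.70 mask 255.255.255.0
interface GigabitEthernet0/3
 nameif Int
 security-level 100
 ip address 192.168.255.2 255.255.255.252
object network dlvpn_network
 subnet 172.16.1.0 255.255.255.0
access-list DLVPN_STAcl standard permit 192.168.0.0 255.255.0.0
access-list DLVPN_STAcl standard permit 196.1.1.0 255.255.255.0
nat (Int,Ext) source static any any destination static dlvpn_network dlvpn_network no-proxy-arp
route Int 192.168.0.0 255.255.0.0 192.168.255.1 1
group-policy GroupPolicy_DLVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DLVPN_STAcl
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
"""

# The reply's two additions, appended to the excerpt (ASA merges policy-map edits).
FIXED = CONFIG + """\
management-access Int
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
"""


def parse_objects(cfg: str) -> Dict[str, ipaddress.IPv4Network]:
    """Map each 'object network NAME' to its host/subnet."""
    objs, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            cur = m.group(1)
            continue
        m = re.match(r"\s+subnet (\S+) (\S+)", line)
        if m and cur:
            objs[cur] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        m = re.match(r"\s+host (\S+)", line)
        if m and cur:
            objs[cur] = ipaddress.ip_network(m.group(1))
    return objs


def pool_range(cfg: str, name: str):
    m = re.search(rf"ip local pool {name} (\S+)-(\S+)", cfg)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def std_acl_networks(cfg: str, name: str):
    return [ipaddress.ip_network(f"{a}/{m}") for a, m in
            re.findall(rf"access-list {name} standard permit (\S+) (\S+)", cfg)]


def lint(cfg: str, lan: str = "192.168.1.0/24", inside_if: str = "Int") -> Dict[str, bool]:
    lan_net = ipaddress.ip_network(lan)
    objs = parse_objects(cfg)
    lo, hi = pool_range(cfg, "DLVPN_Pool")
    findings = {}
    # 1. identity NAT (NAT0) must name an object that contains the whole VPN pool
    exempt = re.findall(r"nat \(\S+\) source static any any destination static (\S+) \1", cfg)
    findings["nat_exempt_covers_pool"] = any(
        lo in objs.get(o, []) and hi in objs.get(o, []) for o in exempt)
    # 2. the split-tunnel list must include the LAN, or the client never tunnels it
    findings["split_tunnel_covers_lan"] = any(
        lan_net.subnet_of(n) for n in std_acl_networks(cfg, "DLVPN_STAcl"))
    # 3. without ICMP inspection, echo replies are not tied to the outgoing request
    findings["icmp_inspected"] = bool(re.search(r"^\s+inspect icmp\s*$", cfg, re.M))
    # 4. management-access lets VPN clients reach the inside interface itself
    findings["management_access_inside"] = bool(
        re.search(rf"^management-access {inside_if}\s*$", cfg, re.M))
    # 5. a dynamic PAT for the LAN (object or twice-NAT form); not needed for the VPN
    findings["lan_dynamic_pat"] = bool(
        re.search(rf"nat \({inside_if},\S+\)(?: after-auto)?(?: source)? dynamic", cfg))
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", CONFIG), ("with reply's additions", FIXED)):
        print(name)
        for k, v in lint(cfg).items():
            print(f"  {k}: {'ok' if v else 'MISSING'}")
```

    On the posted excerpt the NAT exemption and split-tunnel checks pass, which matches the reply's assessment, while ICMP inspection, management-access and a LAN dynamic PAT are reported missing; the appended lines clear the first two.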
