crypto PKI certificates - small issue

Hey all, just a quick question regarding crypto certificate keys. I noticed that a large hex key appears on our DMVPN routers.

For example:

crypto pki certificate chain TP-self-signed-708137789
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 37303831 33373738 39301E17 0D313231 31313331 39323230
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 38313337
  37383930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  3412D002 B6C79947 025566AB F2C7A830...
  quit

What is the key? Is this related to the star VPN authentication?

The self-signed certificate can be associated with DMVPN, but it can also be associated with other things. For example, if you configure ip http secure-server it will cause a self-signed certificate to be generated.

HTH

Rick

Sent from Cisco Technical Support iPad App
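What the hex under "certificate self-signed 01" actually is can be checked offline: it is the DER encoding of an X.509 certificate (the public half of the trustpoint), not a key. The decoder below is an added example, not part of the original thread and not Cisco code. It walks the DER structure with a stdlib-only TLV parser over the dump from the post above (regrouped into its byte order and cut off at the RSA modulus exactly where the post stops) and reports issuer, subject, validity, signature algorithm and RSA modulus size. The thresholds in review() (2048-bit minimum, MD5/SHA-1 flagged) are this example's own choices.

```python
from datetime import datetime

# Constructed sample: the thread's dump regrouped into DER byte order, cut at the modulus as posted.
IOS_CERT_DUMP = """
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37303831 33373738 39301E17 0D313231 31313331 39323230
375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3730 38313337
37383930 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
3412D002 B6C79947 025566AB F2C7A830...
"""
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "2.5.4.3": "CN",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def read_tlv(buf, pos):
    """(tag, declared_len, content_start, content_end); end is clamped so a truncated dump still walks."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:                                   # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos, min(pos + length, len(buf))

def decode_oid(content):
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def oid_at(buf, pos):                                  # readable name of the OID TLV at pos
    _, _, s, e = read_tlv(buf, pos)
    oid = decode_oid(buf[s:e])
    return OID_NAMES.get(oid, oid)

def parse_name(buf, pos):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    _, _, start, end = read_tlv(buf, pos)
    parts, p = [], start
    while p < end:
        _, _, set_start, set_end = read_tlv(buf, p)
        _, _, atv_start, _ = read_tlv(buf, set_start)
        _, _, _, oid_end = read_tlv(buf, atv_start)
        _, _, vs, ve = read_tlv(buf, oid_end)
        parts.append(f"{oid_at(buf, atv_start)}={buf[vs:ve].decode('ascii')}")
        p = set_end
    return ",".join(parts), end

def parse_time(buf, pos):
    tag, _, s, e = read_tlv(buf, pos)                  # 0x18 GeneralizedTime, else UTCTime
    fmt = "%Y%m%d%H%M%SZ" if tag == 0x18 else "%y%m%d%H%M%SZ"
    return datetime.strptime(buf[s:e].decode("ascii"), fmt), e

def parse_ios_certificate(dump):
    """Walk tbsCertificate up to the RSA modulus and return the fields worth triaging."""
    buf = bytes.fromhex("".join(dump.split()).rstrip("."))   # strip IOS spacing and a pasted '...'
    info = {"version": 1}
    _, _, pos, _ = read_tlv(buf, 0)                    # Certificate SEQUENCE
    _, _, pos, _ = read_tlv(buf, pos)                  # tbsCertificate SEQUENCE
    tag, _, vstart, vend = read_tlv(buf, pos)
    if tag == 0xA0:                                    # [0] EXPLICIT version (absent in v1)
        _, _, s, _ = read_tlv(buf, vstart)
        info["version"], pos = buf[s] + 1, vend
    _, _, s, pos = read_tlv(buf, pos)                  # serialNumber INTEGER
    info["serial"] = int.from_bytes(buf[s:pos], "big")
    _, _, s, pos = read_tlv(buf, pos)                  # signature AlgorithmIdentifier
    info["signature_algorithm"] = oid_at(buf, s)
    info["issuer"], pos = parse_name(buf, pos)
    _, _, s, pos = read_tlv(buf, pos)                  # Validity SEQUENCE
    info["not_before"], s = parse_time(buf, s)
    info["not_after"], _ = parse_time(buf, s)
    info["subject"], pos = parse_name(buf, pos)
    _, _, s, _ = read_tlv(buf, pos)                    # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_s, alg_e = read_tlv(buf, s)              # AlgorithmIdentifier
    info["public_key_algorithm"] = oid_at(buf, alg_s)
    _, _, bs, _ = read_tlv(buf, alg_e)                 # BIT STRING; byte 0 = unused-bit count
    _, _, rs, _ = read_tlv(buf, bs + 1)                # RSAPublicKey SEQUENCE
    _, mod_len, ms, _ = read_tlv(buf, rs)              # modulus INTEGER (content may be cut off)
    info["rsa_modulus_bits"] = (mod_len - (buf[ms] == 0)) * 8  # minus the sign padding byte
    return info

def review(info, min_rsa_bits=2048):
    """Findings a reviewer raises for a management-plane (https/SSH) certificate."""
    findings = []
    if info["signature_algorithm"] in WEAK_SIGNATURES:
        findings.append(f"weak signature algorithm {info['signature_algorithm']}")
    if info["rsa_modulus_bits"] < min_rsa_bits:
        findings.append(f"RSA modulus is only {info['rsa_modulus_bits']} bits")
    if info["subject"] == info["issuer"]:
        findings.append("self-signed: clients have no CA to validate it against")
    return findings
```

Run against the sample, parse_ios_certificate() reports CN=IOS-Self-Signed-Certificate-708137789 as both issuer and subject, a serial of 1, validity from 2012-11-13 to 2020-01-01, md5WithRSAEncryption and a 1024-bit RSA modulus, so the answer to "what is the key?" is: the self-signed certificate the router created for its own trustpoint. The same decoder is a quick way to confirm a freshly enrolled 2048-bit trustpoint really carries a 2048-bit key, which is the question in the 3850 thread further down.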

Tags: Cisco Network

Similar Questions

  • Hey! I recently did the update - I know, I'm behind. But now I can't yet see how to add a glyph to a simple letter in my text. It is driving me crazy because it's a small issue. Help!

    Hey everybody! I appreciate your answers. I ended up understanding what I was doing wrong. I work with a split screen, but it does default to Live view mode - I have never exploited in Live view mode so I assumed it was the update. When I finally realized it and he moved on to design, I could add it without problem!

    Thank you once again (:)

  • Issue of certificate

    Hi Experts,

    I configured a certificate on unsaccountinunsgroup, it sends an email per person and per group can do a groupby on unsgroup about it and send.

    Thank you

    Pradeep Pola

    I think you can provide a value for config parm 'QER\Attestation\MailTemplateIdents\RequestApproverByCollection '.

    D1IM must use this e-mail template for email collection instead of an individual email basis of the certificate. Your e-mail template can then be configured to provide some message is required.

    HTH

    ELSA

  • Issue of certificate IOS content filtering

    Hello

    Regarding the configuration of Cisco IOS content filtering, the certificate that must be downloaded from this page (http://cisco.com/en/US/products/ps5854/products_configuration_example09186a0080816c23.shtml) the router IP address... What happens if it's not a static public IP address but a dynamic one?

    I'll be grateful for any input on this...

    Thank you and best regards,

    The cert install page automatically requests the IP address in order to go to the router and provision it by installing the cert on it.

    If the router has http enabled, this page will give you the IP address and the tool will ask you for the router credentials, connect and install the necessary certificate.

    If the IP address is dynamic it is important because you will need to install the cert only once.

    I hope it helps.

    PK

  • Debug crypto isakmp issue

    When you run the crypto isakmp debug is there a way to limit the output to only a specific piece of information.  Example, I want to see only the debug information for the x.x.x.x ip address and no one else.  Is it possible to do it with the debug command?

    Thank you

    Hello

    On the router, you can use the command "debug crypto condition".

    debug crypto condition peer ?
      group     Filter by Unity group name of the IKE peer
      hostname  Filter by fully qualified hostname of the IKE peer
      ipv4      Filter by IP address of the IKE peer
      subnet    Filter by IP address range of the IKE peer
      username  Filter by fully qualified domain name username of the IKE peer

    In your case, the ipv4 option will limit the debugs to a host.

    There is a similar command that was made available in 8.0(2) on the ASA.

    debug crypto condition peer ?
      hostname    Hostname or A.B.C.D address of the peer
      X:X:X:X::X  IPv6 address or hostname of the peer

    Let me know if it helps.

    Kind regards

    Loren

  • Discover 5.1 upgrade issue SSL certificates

    So I heard that the SSL stuff in 5.1 is different from previous versions and by reading the upgrade guide, I think I'll be ok as I am now however, it is always nice to get confirmation currently we lack 5.0 on all pieces of our environment in mind, we have a Secure Gateway in our DMZ for external access and the main connection inside our LAN Server.  Both servers use a CA signed SSL cert (generic) and both decide the same DNS name (on the outside using the public DNS records inside using internal DNS records).  For example, if on an iPad, the connection to the server is configured as view.mydomain.com with the same DNS name resolved to our external public IP address that points to the gateway secure in the demilitarized zone.  Inside, I have a DNS entry that points "display" then inside of the connection to the server.  Everything works well and we don't get the guests of SSL certificate.  My question is that, if I understand although it for upgrading view must import existing certificates because they are without my intervention, see below:

    NOTE: If your original discovers servers already have SSL certificates signed by a CA, the upgrade.
    View important your signed certificate CA in Windows Server certificate store.
    So in that spirit I'm ok to proceed with the upgrade, as I normally would or do I need to set up an internal CA authority etc.?
    Thank you!

    I think you're ok to continue, but I would go ahead and have the guide ready in case you have problems. Just saw a blog post by Jason Boche on his lab upgrade experience.

    http://www.Boche.net/blog/index.php/2012/08/08/view-5-1-upgrade-experience-composer-permissions-and-SSL-Oh-my/

  • Logins appears not all issuing server certificates

    I try to use the dial-up connections to connect a T60P to our secure WLAN. The appropriate server certificate "Equifax Secure Certificate Authority" is not in the list, but it is on the PC.

    If I use the XP network settings for the wireless, this certificate is in the list and I am able to connect as well use it.  However, I would use instead the dial-up connection software to manage many different places.  Shouldn't the access connections software to use the same certificates found in Windows?

    I use XP SP3 and all available updates Windows and Access Connections 5.02.

    Does anyone know how to add the certificate "Equifax Secure Certificate Authority" to the list?

    Also to note that on an other T61 Vista PC "Equifax Secure Certificate Authority" appears in the dial-up connections and Vista network settings.  For example, this problem may be limited to XP.

    Thanks to robto, this problem has been solved by following the instructions in this thread:

    http://forums.Lenovo.com/LNV/board/message?board.ID=Special_Interest_Utilities&view=by_date_ascendin...

  • Issue of certificate/encryption Adobe

    I have a project that I need some advice on. My company has certain confidential documents that are saved as PDF files. At this moment we are mailing these documents to other offices that need them. Recently, we went paperless, or at least are trying to go paperless. I want to be able to send these documents by e-mail to these offices. I know that I can encrypt & password protect these documents, but I would like to be able to create a type of certificate from Adobe and e-mail the certificate to the remote offices to install on a computer. Then, when the office receives the certificate, the pdf file does not open unless it's on the computer that has the certificate installed, & then there is also the password to view the pdf file... Is this possible? I am running Adobe Pro V9. Thank you

    Again, Adobe password protection is essentially worthless. If it is confidential, personal information on these files you may find yourself in hot water if someone gets ahold of them. Do not rely on this topic.

    You can compress the files and add a password to that. Zipping the files is recommended in any case, as PDF files tend to get damaged when sent by e-mail (which is improving all the time but is still not without flaws).

    The best would be to make them on a secure site which is password protected, so you can send them the link, but which can also be a spendy.

  • Small issue related to Pocket projectors

    I bought a Pocket projector a while for personal meetings, I had to do. I use it once in a while, but I want to get more mileage out of it. I want to buy a rocket (not really a fan of apple products) and I found a great deal on one locally. My question is: what kind of video on the capabilities of the "rocket"? It would be easy to hook up to my projector? From what I can tell, the aaxa p2 a vga Pocket projector, a / v out, headphone jack and a miniusb port. I can't seem to find a cable "sansa fuze" on the site of aaxa so I will try to know what I need to get before I pick up the "rocket".

    http://www.aaxatech.com/products/p2_pico_projector.htm - click on accessories. they have only ipod/psp/zune. Made the "rocket" a / v out as the zune? This might work if she does. Help, please!

    For now, I put just videos and images directly on the device, but there only 1gig of memory onboard. I thought I was doing the "rocket" to double as something that I can use to watch videos and go to the gym with.


  • Several small issues, no doubt easy for you, difficult for me! Help! :) link provided

    * Many thanks to KEN so far!

    Mods: can delete nicely related first post

    So here I am: SITE!
    (DW CC)

    I'm married to this model, if while I appreciate all the advice against it, I need to to its glorious end I go nuts and now a deadline.

    Here's what I messed up with for a week with little success. I really feel I have tried everything. Felt crazy several times.

    -for background images to display in their entirety! Cut, can't scroll to see all this.

    -to be able to move the white translucent content area ("blob")... but it remains right + centered vertically. Also, I'd be happy if I could just move its position on the home page.

    -for the 'blob' to stay put where I want it to be, as well as the menu and other objects

    -want each page to have its own url (/, / author, etc.), but with the sliding content blob still work (if possible)

    -for the menu to stay in place and be centered... I got close enough, but it is not perfect, and it moves also when resizing... want it fixed in one place

    -to add a slideshow on the page of the snippet (there is code for it, but I don't know if you'll be able to see it because it doesn't have its own page) I was playing with it in vain: Slideshow HTML

    I want everything must be static and functional (menu, 'blob', background) to keep a consistent look.

    I thank very you MUCH for your time guys! I need help!

    t

    -Recommendations for adding a coil simple slideshow/photo /.

    Look at jQuery Cycle2, Cycle2 demos.

    on getting the box to slide in and out at the time to choose a new menu item

    I do not recommend your site like this.  I'm not a big fan of page 1 sites.   If JavaScript is disabled, menus will not do anything, the content is not displayed.  About 5% of users have no script for security reasons. This could cause problems of great conviviality.  I think that it is better to build your site with web pages instead of 1 long AJAX/JSON driven page.   You get more traction with search engines if you have several web pages with unique page titles.   And generate traffic to websites in the search engines.

    You PM'd me on different background images.  This is easily possible using the CSS code integrated on your internal site pages and changing the property background for use to a different URL.

    Would like to know how to break the text up into columns within the content boxes
    

    Columns CSS explained:

    http://CSS-tricks.com/Almanac/properties/c/columns/

    Nancy O.

  • Small issue of HFM

    Hello, stupid question about HFM. Can you change a member name in HFM? I was surprised to hear from an HFM person here that you couldn't. He said that we cannot change the alias.

    The amount of effort to rename is minimal.
    The effort will be measured by the amount of data you will have to reconcile after extracting and loading the data from the old to the renamed entities. You should also check if there are special rules and reports associated with these entities; it will affect everything that is not built dynamically.

  • Crypto pki server missing option "info"

    After upgrading to IOS c2800nm-advsecurityk9-mz.151-2.T1.bin, the "crypto pki server CA-SERVER info requests" option no longer exists. The "crypto pki server CA-SERVER" command is available, but only with the following options.

    CA-SERVER#crypto pki server CA-SERVER ?
      grant     Grant enrollment requests
      password  One Time Password for CEP enrollment
      reject    Reject enrollment requests
      remove    Delete enrollment requests from database
      request   Pick up an enrollment request
      revoke    Revoke certificate
      start     Start server
      stop      Stop server
      trim      Trim the CRL based on the expired certificates file.
      unrevoke  Unrevoke certificate

    Is there a new way to look at "pending" spoke or client requests, or am I doing something (or many things) incorrectly?

    I have configured the CA server as:

    hostname CA-SERVER
    ip domain name test.lab
    server 192.168.0.1
    clock timezone EST -5
    clock summer-time
    ntp master 3
    ntp source Loopback0

    ip http server

    crypto key generate rsa general-keys label CA-SERVER modulus 1024 exportable
    crypto key export rsa CA-SERVER pem url usbflash0: 3des
    crypto pki server CA-SERVER
    (ca-server)# database url usbflash0:
    (ca-server)# database level complete
    (ca-server)# issuer-name CN=blah blah blah
    (ca-server)# lifetime ca-certificate 730
    (ca-server)# lifetime certificate 750
    (ca-server)# lifetime crl 336
    (ca-server)# no shutdown
    end

    R1#sh crypto pki server
    Certificate Server CA-SERVER:
        Status: enabled
        State: enabled
        Server's configuration is locked  (enter "shut" to unlock it)
        Issuer name: CN=blah blah blah
        CA cert fingerprint: ####
        Granting mode is: manual
        Last certificate issued serial number (hex): 1
        CA certificate expiration timer: 11:57:05 EST Oct 3 2012
        CRL NextUpdate timer: 11:57:00 GMT Oct 18 2010
        Current primary storage dir: usbflash0:
        Database Level: Complete - all issued certs written as <serialnum>.cer

    TKS for any assistance.

    Frank

    Hi, Frank:

    Yes, this command has been deprecated in the new IOS code. You should be able to use the command "show crypto pki server CA-SERVER requests" to get the same information.

    Thank you

    Wen

  • Using MS CA issued certificate

    Looking for a setup guide to use 2-factor authentication in an MS Windows environment. My setup: MS Windows 2012 domain including MS Certificate Services, MS Windows clients with AnyConnect. VPN device ASA 5515, ASA/ASDM 9.2(2)4/7.3(1). I would like to use the personal certificates issued by the Microsoft CA plus the domain user name and password for authentication of the user's Windows account when establishing the VPN. How can I set up the ASA to validate the user's MS-CA-issued certificate against the MS CA server? All the configuration examples I've seen use the SCEP protocol, where the ASA requests a certificate from the MS CA server on behalf of the user. This is not what I want. I would like the AnyConnect client to present the already issued certificate (in the certificates MMC console: Certificates - Current User -> Personal -> Certificates) to the ASA. The ASA then validates the certificate.
    Likewise the ASA forwards validation of the user name and password to the LDAP server, in my case the Windows domain controllers. How do I configure this?
    Best regards, Henrik

    Take a look at this configuration guide:

    ASA AnyConnect Double authentication with Certificate Validation, mapping and pre-fill Configuration Guide

    It appears to address the use case you want regarding certificates. They use local authentication as the second authentication factor, but you could also just use AD or LDAP or RADIUS as your AAA server.

  • Change the certificate used by a Cisco 3850

    I have a new L3 3850 switch. It had a self-signed certificate installed when I first started the switch. The certificate shows a key length of either 512 or 1024. I would like to create a key of 2048 in length. Can I issue the crypto key generate rsa command, specify the length of 2048 and get a new cert? I just can't understand how to make the new cert the active cert.

    When he started it first, here is the configuration of the switch section:

    crypto pki trustpoint TP-self-signed-127070658
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-127070658
     revocation-check none
     rsakeypair TP-self-signed-127070658
    !
    !
    crypto pki certificate chain TP-self-signed-127070658
     certificate self-signed 01 nvram:IOS-Self-Sig#1.cer

    When I create a new cert and save it with copy running-config startup-config and then reload, it shows that the new cert is stored in nvram:private-config, but it does not show the cert when I cd into nvram: and issue the dir command. What is the right order of commands to get the new cert in use?

    Here are the results of the dir command:

    2049  -rw-  1897  startup-config
    2050  ----  3821  private-config
    2051  -rw-  1897  base-config
       1           0  rf_cold_starts
       2  -rw-  1079  cpu_trap.eci
       4  -rw-  1072  cpu_threshold_trap.eci
       6  -rw-   886  memory_trap.eci
       7  -rw-   858  rf_trap.eci
       8  -rw-  3123  wireless_trap.eci
      11  -rw-   270  ma_trap_keyword
      12  ----    86  persistent-data
      14  -rw-   578  IOS-Self-Sig#1.cer
      15  -rw-     0  ifIndex-table

    William Coats

    I was wondering how to do it myself, so I took it on as a small project on our lab 3650. The documentation leaves something to be desired, but I finally figured it out.

    1. Generate a 2048-bit RSA key pair:

    seclab-3650(config)#crypto key generate rsa label 2048-bit-key modulus 2048

    2. Create a trustpoint specifying self-signed enrollment and tell the TP to use this key pair:

    seclab-3650(config)#cry pki trustpoint 2048-bit-TP
    seclab-3650(ca-trustpoint)#enrollment selfsigned
    seclab-3650(ca-trustpoint)#usage ssl-server
    seclab-3650(ca-trustpoint)#storage nvram:
    seclab-3650(ca-trustpoint)#rsakeypair 2048-bit-key
    seclab-3650(ca-trustpoint)#exit

    3. Enroll the trustpoint; at this point the switch generates the 2048-bit certificate:

    seclab-3650(config)#crypto pki enroll 2048-bit-TP
    % Include the router serial number in the subject name? [yes/no]: yes
    % Include an IP address in the subject name? [no]:
    Generate Self Signed Router Certificate? [yes/no]: yes
    Router Self Signed Certificate successfully created
    seclab-3650(config)#

    4. Tell your ip http secure-server to use this trustpoint:

    seclab-3650(config)#ip http secure-trustpoint 2048-bit-TP

    Once I did this, I can browse to the switch via https and see the 2048-bit key being used in the self-signed certificate.

  • TCP Window Scaling issues

    We have Cisco 2800s at each of our four locations that are managed by our ISP. We have had problems with them, so I got them to send me the configuration file of one of them, but nothing jumps out at me.

    We have to disable TCP Window Scaling/autotuning on all our Windows 7/Server 2012 machines (by running netsh interface tcp set global autotuning=disabled at the command line).

    If we don't, it is very slow to load even a web page and impossible to download a file (even something as small as 2 MB). Mobile devices have no hope of working on our network right now because of this. This isn't an issue on our remaining XP machines, but I think that's because XP does not use Window Scaling.

    Any ideas what could be causing this? I intend to replace them soon with our own routers, because they don't want to configure the secondary interfaces for our VLANs, but in the meantime I need this to work.

    Thanks in advance for any help.

    Here is the config with sensitive information removed:

    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname REMOVED
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 8192 debugging
    no logging console
    enable secret REMOVED
    !
    no aaa new-model
    !
    resource policy
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ip cef
    !
    !
    no ip dhcp use vrf connected
    !
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    no ip ips deny-action ips-interface
    !
    no ftp-server write-enable
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto pki trustpoint TP-self-signed-REMOVED
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-REMOVED
     revocation-check none
     rsakeypair TP-self-signed-REMOVED
    !
    !
    crypto pki certificate chain TP-self-signed-REMOVED
     certificate self-signed 01
      REMOVED
      quit
    !
    class-map match-all VOIP
     match access-group 120
    !
    !
    policy-map VOIP
     class VOIP
      priority 1000
     class class-default
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key REMOVED address 0.0.0.0 0.0.0.0
    no crypto isakmp ccm
    !
    !
    crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set VPN
    !
    crypto ipsec profile SDM_Profile2
     set transform-set VPN
    !
    !
    !
    !
    !
    interface Tunnel0
     description $FW_INSIDE$
     bandwidth 3000
     ip address 10.10.200.1 255.255.255.0
     ip access-group 101 in
     no ip redirects
     ip mtu 1400
     ip nhrp authentication VPN
     ip nhrp map multicast dynamic
     ip nhrp network-id 100000
     ip nhrp holdtime 360
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1360
     ip ospf network broadcast
     ip ospf priority 20
     delay 10
     tunnel source FastEthernet0/1
     tunnel mode gre multipoint
     tunnel key 100000
     tunnel protection ipsec profile SDM_Profile1
    !
    interface Null0
     no ip unreachables
    !
    interface Loopback0
     ip address 192.168.210.1 255.255.255.255
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
    !
    interface FastEthernet0/0
     description $FW_INSIDE$
     ip address 10.10.100.1 255.255.255.0
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip policy route-map server-nat
     duplex auto
     speed auto
     no mop enabled
     service-policy output VOIP
    !
    interface FastEthernet0/1
     description $FW_OUTSIDE$
     ip address IP REMOVED NETMASK REMOVED
     ip access-group 102 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect DEFAULT100 out
     ip virtual-reassembly
     ip route-cache flow
     load-interval 30
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/1/0
     load-interval 30
    !
    interface FastEthernet0/1/1
    !
    interface FastEthernet0/1/2
    !
    interface FastEthernet0/1/3
    !
    router ospf 100
     log-adjacency-changes
     passive-interface FastEthernet0/0
     passive-interface FastEthernet0/1
     passive-interface FastEthernet0/1/0
     network 10.10.100.0 0.0.0.255 area 0
     network 10.10.200.0 0.0.0.255 area 0
     network 10.10.201.0 0.0.0.255 area 0
     network 192.168.210.1 0.0.0.0 area 0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 REMOVED
    ip route REMOVED NETMASK REMOVED
    ip route REMOVED NETMASK REMOVED
    ip route REMOVED NETMASK REMOVED
    !
    ip flow-capture ip-id
    ip flow-capture mac-addresses
    ip flow-top-talkers
     top 10
     sort-by bytes
     cache-timeout 30000
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat pool nat REMOVED netmask REMOVED
    ip nat inside source list 150 interface FastEthernet0/1 overload
    !
    access-list 100 deny   ip 10.10.200.0 0.0.0.255 any
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 100 deny   ip 10.10.201.0 0.0.0.255 any
    access-list 101 remark Tunnel ACL
    access-list 101 deny   ip REMOVED 0.0.0.7 any log
    access-list 101 deny   ip host 255.255.255.255 any log
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 log
    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.120.0 0.0.0.255 log
    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.130.0 0.0.0.255 log
    access-list 101 permit ip host 10.10.100.10 any log
    access-list 101 permit ip host 10.10.100.12 any log
    access-list 101 permit ip host 10.10.100.20 any log
    access-list 101 permit ip host 10.10.100.21 any log
    access-list 101 permit ip host 10.10.100.45 any log
    access-list 101 permit ip any host 10.10.100.10 log
    access-list 101 permit ip any host 10.10.100.12 log
    access-list 101 permit ip any host 10.10.100.20 log
    access-list 101 permit ip any host 10.10.100.21 log
    access-list 101 permit ip any host 10.10.100.45 log
    access-list 101 permit ospf any any
    access-list 101 permit icmp any any
    access-list 101 deny   ip 10.10.100.0 0.0.0.255 any log
    access-list 101 permit ip 10.10.110.0 0.0.0.255 10.10.100.0 0.0.0.255
    access-list 101 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255
    access-list 101 permit ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255
    access-list 102 remark Outside ACL
    access-list 102 permit tcp host REMOVED host REMOVED eq 22
    access-list 102 permit tcp REMOVED 0.0.0.15 host REMOVED eq 22
    access-list 102 permit udp any host REMOVED eq non500-isakmp
    access-list 102 permit udp any host REMOVED eq isakmp
    access-list 102 permit esp any host REMOVED
    access-list 102 permit ahp any host REMOVED
    access-list 102 permit gre any host REMOVED
    access-list 102 permit icmp any host REMOVED echo-reply
    access-list 102 permit icmp any host REMOVED time-exceeded
    access-list 102 permit icmp any host REMOVED unreachable
    access-list 102 permit ip any host 10.10.100.10
    access-list 102 permit ip any host 10.10.100.12
    access-list 102 permit ip any host 10.10.100.20
    access-list 102 permit ip any host 10.10.100.21
    access-list 102 permit ip any host 10.10.100.45
    access-list 102 deny   ip 10.10.100.0 0.0.0.255 any
    access-list 102 deny   ip 10.10.200.0 0.0.0.255 any
    access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 102 deny   ip host 255.255.255.255 any
    access-list 102 deny   ip host 0.0.0.0 any
    access-list 103 permit ip REMOVED 0.0.0.15 any
    access-list 103 permit ip 10.10.200.0 0.0.0.255 any
    access-list 103 permit ip 10.10.100.0 0.0.0.255 any
    access-list 103 permit ip 10.10.110.0 0.0.0.255 any
    access-list 103 permit ip 10.10.120.0 0.0.0.255 any
    access-list 103 permit ip 10.10.130.0 0.0.0.255 any
    access-list 110 deny   ip host 10.10.100.12 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.12 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.10 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.10 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.20 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.20 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.21 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.21 10.10.130.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.45 10.10.110.0 0.0.0.255
    access-list 110 deny   ip host 10.10.100.45 10.10.130.0 0.0.0.255
    access-list 110 permit ip host 10.10.100.12 any
    access-list 110 permit ip host 10.10.100.10 any
    access-list 110 permit ip host 10.10.100.20 any
    access-list 110 permit ip host 10.10.100.21 any
    access-list 110 permit ip host 10.10.100.45 any
    access-list 120 permit udp any any eq 5060
    access-list 150 deny   ip host 10.10.100.10 any
    access-list 150 deny   ip host 10.10.100.12 any
    access-list 150 deny   tcp host 10.10.100.20 any eq 3389
    access-list 150 deny   ip host 10.10.100.21 any
    access-list 150 deny   tcp host 10.10.100.45 any eq 22
    access-list 150 deny   tcp host 10.10.100.45 any eq 443
    access-list 150 deny   udp host 10.10.100.45 any eq 5060
    access-list 150 deny   udp host 10.10.100.45 any range 10000 10500
    access-list 150 deny   ip 10.10.110.0 0.0.0.255 any
    access-list 150 deny   ip 10.10.120.0 0.0.0.255 any
    access-list 150 deny   ip 10.10.130.0 0.0.0.255 any
    access-list 150 permit ip 10.10.100.0 0.0.0.255 any
    !
    route-map server-nat permit 10
     match ip address 110
     set ip next-hop 10.10.200.3
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    banner motd ^CC
    <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
    Authorized access only
    <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>
    Disconnect IMEDIATELY if you are not an authorized user !
    ^C
    !
    line con 0
     login local
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     access-class 103 in
     privilege level 15
     login local
     transport input ssh
    line vty 5 15
     access-class 103 in
     privilege level 15
     login local
     transport input ssh
    !
    end

    Hello Jason,

    you will find articles from May saying that the MS autotuning feature does not work well with some firewalls' stateful inspection and/or VPNs.

    At CSC, I found another interesting thread:

    https://supportforums.Cisco.com/thread/2169557

    Maybe Joseph will join this discussion later with some new or additional information.

    Best regards

    Rolf
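One way to test Rolf's suggestion (stateful inspection or the VPN interfering with autotuning) is to capture the same client SYN on the inside interface and again after it has left the router, then diff the TCP options. The script below is an added example, not from the thread. The two SYN headers are constructed samples: inside, a SYN with MSS 1460, window scale shift 8 and SACK-permitted; outside, the same SYN with only an MSS of 1360 (what the "ip tcp adjust-mss 1360" on Tunnel0 in the config would legitimately produce) and, as the hypothetical fault under investigation, the window scale and SACK options gone. effective_window() shows why a lost scale option matters: the receiver advertises the same 16-bit window value, but without the negotiated shift the sender treats a 16 MB window as 64 KB, which is the "slow even for a web page" symptom.

```python
import struct

# TCP option kinds (RFC 9293 / RFC 7323 / RFC 2018)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK = 0, 1, 2, 3, 4


def build_tcp_segment(src_port, dst_port, window, options=b"", flags=0x02):
    """Build a bare TCP header (no IP header, zero checksum); used only to construct samples."""
    options += b"\x00" * (-len(options) % 4)           # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset << 4, flags, window, 0, 0) + options


def parse_tcp_options(segment):
    """Return {'mss': .., 'wscale': .., 'sack_ok': ..} for the options present in a raw TCP header."""
    header_len = (segment[12] >> 4) * 4
    opts, i = {}, 20
    while i < header_len:
        kind = segment[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = segment[i + 1]
        body = segment[i + 2:i + length]
        if kind == OPT_MSS:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE:
            opts["wscale"] = body[0]
        elif kind == OPT_SACK_OK:
            opts["sack_ok"] = True
        i += length
    return opts


def window_field(segment):
    return struct.unpack("!H", segment[14:16])[0]


def effective_window(window_field_value, shift, both_sides_negotiated):
    """RFC 7323: the shift applies only when BOTH the SYN and the SYN-ACK carried the option."""
    return window_field_value << (shift if both_sides_negotiated else 0)


def compare_syn(inside, outside):
    """Diff one SYN as captured inside and outside the router; returns human-readable findings."""
    oi, oo = parse_tcp_options(inside), parse_tcp_options(outside)
    findings = []
    if "wscale" in oi and "wscale" not in oo:
        findings.append("window scale option stripped in transit")
    elif oi.get("wscale") != oo.get("wscale"):
        findings.append(f"window scale rewritten {oi.get('wscale')} -> {oo.get('wscale')}")
    if oi.get("sack_ok") and not oo.get("sack_ok"):
        findings.append("SACK-permitted option stripped in transit")
    if oi.get("mss") != oo.get("mss"):
        findings.append(f"MSS clamped {oi.get('mss')} -> {oo.get('mss')} (expected with ip tcp adjust-mss)")
    if window_field(inside) != window_field(outside):
        findings.append(f"window field rewritten {window_field(inside)} -> {window_field(outside)}")
    return findings


# Constructed samples: the same client SYN before and after a middlebox that clamps the MSS
# (benign here, Tunnel0 has 'ip tcp adjust-mss 1360') but also drops the WS and SACK options.
SYN_INSIDE = build_tcp_segment(50000, 443, 65535,
                               b"\x02\x04\x05\xb4" + b"\x01" + b"\x03\x03\x08" + b"\x04\x02")
SYN_OUTSIDE = build_tcp_segment(50000, 443, 65535, b"\x02\x04\x05\x50")

if __name__ == "__main__":
    for finding in compare_syn(SYN_INSIDE, SYN_OUTSIDE):
        print(finding)
    # The same 65535 window with scaling negotiated (shift 8) and with the option lost:
    print(effective_window(65535, 8, True), effective_window(65535, 8, False))
```

In a real capture the two headers come from the IP payload of the matching frames (same ports and sequence number) on each side of the router; an MSS change is expected on the tunnel, anything else in the findings list points at the device in between.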
