CSCug34485 - IOS OSPF LSA Type Injection Vulnerability

Hi people,

We are preparing the upgrade of all our routers to fix this bug / close this vulnerability.

We have some devices from the SXJ train which run 12.2(33)SXJ. However, the "known fixed releases" field indicates that 12.2(33)SXJ6 should fix this bug, but I can't find anything about it in the release notes.

How can I verify that it is really fixed? Is this a mistake in the notes?

Regards

Alex

The release notes are now updated. Thank you for bringing this problem to our attention.

Tags: Cisco Tools

Similar Questions

  • OSPF AD

    Hello guys,

    It is my first post here, so be gentle.

    I'm playing with OSPF and I came across something that I can't explain.

    Setup:

    A router receiving a network from two places:

    R5(config-router)#do sh ip route 155.1.67.0
    Routing entry for 155.1.67.0/24
      Known via "ospf 1", distance 110, metric 66, type inter area
      Last update from 155.1.0.3 on Serial0/0, 00:00:16 ago
      Routing Descriptor Blocks:
        155.1.0.3, from 150.1.3.3, 00:00:16 ago, via Serial0/0
          Route metric is 66, traffic share count is 1
      * 155.1.0.1, from 150.1.6.6, 00:00:16 ago, via Serial0/0
          Route metric is 66, traffic share count is 1

    What I'm trying to do is change the AD for the route from 150.1.6.6, so that it doesn't get installed in the routing table:

    router ospf 1
     log-adjacency-changes
     distance 250 150.1.6.6 0.0.0.0 67
    !
    access-list 67 permit 155.1.67.0

    If I look at the routing table after applying the config, I get:

    O IA 155.1.67.0/24 [110/66] via 155.1.0.3, 00:12:24, Serial0/0
                       [110/66] via 155.1.0.1, 00:12:24, Serial0/0

    If I look at the "debug ip routing" output:

    *Mar  1 04:04:16.198: RT: add 155.1.67.0/24 via 155.1.0.1, ospf metric [250/66]
    *Mar  1 04:04:16.198: RT: NET-RED 155.1.67.0/24
    *Mar  1 04:04:16.198: RT: add 155.1.67.0/24 via 155.1.0.3, ospf metric [110/66]
    *Mar  1 04:04:16.198: RT: NET-RED 155.1.67.0/24

    If I change the OSPF config to an AD of 255:

    router ospf 1
     log-adjacency-changes
     distance 255 150.1.6.6 0.0.0.0 67
    !
    access-list 67 permit 155.1.67.0

    The route via 150.1.6.6 does not get installed, and the "debug ip routing" output is:

    *Mar  1 04:20:00.510: RT: add 155.1.67.0/24 via 155.1.0.3, ospf metric [110/66]
    *Mar  1 04:20:00.510: RT: NET-RED 155.1.67.0/24

    Does anyone know what is happening? Why does the AD get changed for the maximum value (255), but not for a smaller one?

    Thank you

    Mihai

    When I try to manipulate the AD it changes it for both routes.

    O IA 4.4.4.0 [200/21] via 13.13.13.3, 00:00:51, FastEthernet0/1
                 [200/21] via 12.12.12.2, 00:00:51, FastEthernet0/0

    If I set the AD to 255, then it is removed, as it was for you as well.

    4.0.0.0/24 is subnetted, 1 subnets
    O IA 4.4.4.0 [110/21] via 13.13.13.3, 00:00:02, FastEthernet0/1

    If I then add another distance command, then it works.

    4.0.0.0/24 is subnetted, 1 subnets
    O IA 4.4.4.0 [200/21] via 13.13.13.3, 00:00:02, FastEthernet0/1

    So if I remove the distance 255 command, it doesn't work at all.

    O IA 4.4.4.0 [110/21] via 13.13.13.3, 00:00:02, FastEthernet0/1
                 [110/21] via 12.12.12.2, 00:00:02, FastEthernet0/0

    So this feature seems not to work reliably. If we look in the LSDB:

    R1#sh ip ospf data sum 4.4.4.0

                OSPF Router with ID (1.1.1.1) (Process ID 1)

                    Summary Net Link States (Area 0)

      Routing Bit Set on this LSA
      LS age: 1392
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000002
      Checksum: 0x29F3
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

      Routing Bit Set on this LSA
      LS age: 1354
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 3.3.3.3
      LS Seq Number: 80000002
      Checksum: 0xB0E
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

    The one via 2.2.2.2 is older. We'll try to make the one from 3.3.3.3 the older one and then set the distance.

    R2#clear ip ospf proc
    Reset ALL OSPF processes? [no]: yes

    R1#sh ip ospf data sum 4.4.4.0

                OSPF Router with ID (1.1.1.1) (Process ID 1)

                    Summary Net Link States (Area 0)

      Routing Bit Set on this LSA
      LS age: 26
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 2.2.2.2
      LS Seq Number: 80000003
      Checksum: 0x27F4
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

      Routing Bit Set on this LSA
      LS age: 1569
      Options: (No TOS-capability, DC, Upward)
      LS Type: Summary Links(Network)
      Link State ID: 4.4.4.0 (summary Network Number)
      Advertising Router: 3.3.3.3
      LS Seq Number: 80000002
      Checksum: 0xB0E
      Length: 28
      Network Mask: /24
            TOS: 0  Metric: 11

    R1(config-router)#do sh run | s router ospf
    router ospf 1
     router-id 1.1.1.1
     log-adjacency-changes
     distance 200 2.2.2.2 0.0.0.0 1
    R1(config-router)#no distance 200 2.2.2.2 0.0.0.0 1
    R1(config-router)#distance 200 3.3.3.3 0.0.0.0 1
    R1(config-router)#^Z

    R1#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is not set

         4.0.0.0/24 is subnetted, 1 subnets
    O IA    4.4.4.0 [200/21] via 13.13.13.3, 00:00:03, FastEthernet0/1
                    [200/21] via 12.12.12.2, 00:00:03, FastEthernet0/0

    So it seems that it only works for the oldest instance of the LSA, but then it changes for both neighbours. So I can't get this functionality to work reliably.

    R1#sh ver | i IOS
    Cisco IOS Software, 3700 Software (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)

    Daniel Dib
    CCIE #37149

    Please rate helpful posts.

  • No OSPF routes in the database, but in the Routing Table (you read that right)

    Hi all

    I have a lab of two routers R1 & R2 (connected with an Ethernet link) like: R1 <------------------> R2

    I can see OSPF-learned routes in the Routing Table, but not in the database (you read that right).

    How can that be possible? I have seen the other direction several times, i.e. routes in the database but not in the routing table (like the remote end of an L3 VPN when we use the VRF-lite capability, or when we try to filter the inter-area route from the LSA, but that is not the concern here).

    I captured a few logs & the running configs of the two routers. Please check and let me know what I am doing wrong.

    I cleared the OSPF neighborship several times but still the same. Tried bouncing e1/1 on R2, but no luck.

    R2#ping 3.3.3.3 source lo3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
    Packet sent with a source address of 2.2.2.2
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 64/76/108 ms
    R2#

    *************  R1  ********************

    R1#show ip ospf int brief
    Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
    Lo0          1     0               9.9.0.1/32         1     LOOP  0/0
    Lo3          1     0               3.3.3.3/32         1     LOOP  0/0
    Et1/0        1     0               9.9.12.1/24        10    DR    1/1
    R1#

    R1#show ip ospf da

                OSPF Router with ID (9.9.12.1) (Process ID 1)

                    Router Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum Link count
    9.9.12.1        9.9.12.1        255         0x80000028 0x00BE86 3
    9.9.12.2        9.9.12.2        256         0x80000032 0x0067F8 2

                    Net Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum
    9.9.12.1        9.9.12.1        255         0x80000003 0x00BDFC
    R1#

    R1#show ip route | b Gate
    Gateway of last resort is not set

          2.0.0.0/32 is subnetted, 1 subnets
    O        2.2.2.2 [110/11] via 9.9.12.2, 00:04:17, Ethernet1/0
          3.0.0.0/32 is subnetted, 1 subnets
    C        3.3.3.3 is directly connected, Loopback3
          9.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    C        9.9.0.1/32 is directly connected, Loopback0
    C        9.9.12.0/24 is directly connected, Ethernet1/0
    L        9.9.12.1/32 is directly connected, Ethernet1/0
    R1#

    R1#show ip os nei

    Neighbor ID     Pri   State           Dead Time   Address         Interface
    9.9.12.2          1   FULL/BDR        00:00:36    9.9.12.2        Ethernet1/0
    R1#

    R1#show run | s r o
    router ospf 1
     log-adjacency-changes
    R1#

    *************  R2  ********************

    R2#show ip ospf int brief
    Interface    PID   Area            IP Address/Mask    Cost  State Nbrs F/C
    Lo3          1     0               2.2.2.2/32         1     LOOP  0/0
    Et1/1        1     0               9.9.12.2/24        10    BDR   1/1
    R2#

    R2#show run | s router o
    router ospf 1
     log-adjacency-changes
     passive-interface Loopback3
     network 2.2.2.2 0.0.0.0 area 0
     network 9.9.12.0 0.0.0.255 area 0
    R2#

    R2#show ip os da

                OSPF Router with ID (9.9.12.2) (Process ID 1)

                    Router Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum Link count
    9.9.12.1        9.9.12.1        326         0x80000028 0x00BE86 3
    9.9.12.2        9.9.12.2        325         0x80000032 0x0067F8 2

                    Net Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum
    9.9.12.1        9.9.12.1        326         0x80000003 0x00BDFC
    R2#

    R2#show ip route | b Gate
    Gateway of last resort is not set

          2.0.0.0/32 is subnetted, 1 subnets
    C        2.2.2.2 is directly connected, Loopback3
          3.0.0.0/32 is subnetted, 1 subnets
    O        3.3.3.3 [110/11] via 9.9.12.1, 00:05:22, Ethernet1/1
          9.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
    O        9.9.0.1/32 [110/11] via 9.9.12.1, 00:05:22, Ethernet1/1
    C        9.9.12.0/24 is directly connected, Ethernet1/1
    L        9.9.12.2/32 is directly connected, Ethernet1/1
    R2#

    R2#show ip os nei

    Neighbor ID     Pri   State           Dead Time   Address         Interface
    9.9.12.1          1   FULL/DR         00:00:30    9.9.12.1        Ethernet1/1
    R2#

    Hello

    An OSPF router generates only one router-LSA (Type 1) per area. This router-LSA contains a list of all the links in that area.

    You can see your LSAs in detail with 'show ip ospf database router' - 'show ip ospf database' is more of an overview:

    Router Link States (Area 0)

    Link ID         ADV Router      Age         Seq#       Checksum Link count
    9.9.12.1        9.9.12.1        326         0x80000028 0x00BE86 3

    Router 9.9.12.1 announces a router-LSA for area 0 and the LSA contains 3 links. Apparently you created the loopback IPs when the adjacency was already formed; if not, the router ID would have been the highest loopback IP (maybe that's the reason for your confusion).

    HTH
    Rolf
  • Architecture of iOS

    Hello guys.

    I have been looking on the web for some time to learn about the architecture used in iOS, such as the file system type, the process management system and the memory management system.

    Can anyone help me find some documents?

    Thank you in advance.

    If I were you, I would ask in the Developer Forums.

  • iOS 9.3.1 replaces 9.3 before updating?

    I've got the 9.3 update message on my iPad 2, which fortunately I have not installed due to its problems. I still use 9.2.1.

    With the new 9.3.1 now released, is anyone able to tell me whether the previous 9.3 update notice is removed by Apple and replaced by the later version? Of course, I don't want to update to 9.3 simply because it is "next in line"; if this can't be done I'll have to jump to 9.3.1 by going through iTunes. Thank you

    Only the most recent iOS will be installed. Since iOS 9.3.1 is more recent than iOS 9.3, 9.3.1 is the iOS that will be installed. You'll have no choice.

    To be sure the most recent update is actually installed (assuming you mean that the iOS 9.3 update is already downloaded on your device), remove this update file under

    Settings / General / Storage & iCloud Usage / Manage Storage. Now find the iOS 9.3 update app, tap on it, and then on Delete Update.

    Now go back to Settings / General / Software Update and the new iOS 9.3.1 will be found and downloaded to your device. Update after the download has finished.

  • ASA - IOS VPN dynamic routing

    I saw the docs that show how to configure an ASA-to-ASA VPN to share OSPF routes, and IOS-to-IOS OSPF route sharing. Is it possible to get ASA to IOS?

    I'm supposed to set up a DMVPN across some remote sites, and there is an ASA at one of the sites. EIGRP routes are expected to be shared across the DMVPN (I suppose I could go to OSPF if necessary). My plan for the ASA site was to set up a regular site-to-site VPN with the DMVPN hub and redistribute the OSPF and EIGRP routes into each other, so the spokes can talk to the ASA branch via the hub.

    Is this possible, or do I have to use static routes to and from the ASA's network?

    Xavier,

    In the route map you must place a match statement matching the prefixes/subnets that you would like to advertise into EIGRP.

    About the ASA, normally you don't have to, but I don't see a problem with adding RRI statements to the crypto map (normally).

    With regard to the commands, I always refer people to self-help ;-)

    http://www.Cisco.com/en/us/products/ps10591/products_product_indices_list.html

    more precisely:

    http://www.Cisco.com/en/us/docs/iOS/MCL/allreleasemcl/all_book.html

    RRI docs:

    http://www.Cisco.com/en/us/docs/iOS/sec_secure_connectivity/configuration/guide/sec_rev_rte_inject_ps10592_TSD_Products_Configuration_Guide_Chapter.html

    EIGRP redistribution:

    http://www.Cisco.com/en/us/docs/iOS-XML/iOS/iproute_eigrp/configuration/15-1mt/Configuring_EIGRP.html#GUID-1D5F3B6E-B89A-497A-BBC4-98C4A4E21CE7

    In any case, take it step by step: start by checking what the situation will be when you insert routes into the routing table on the hub via RRI. Then, if necessary, redistribute the static routes into EIGRP.

    Marcin

  • Highlight text [iOS]

    I updated my Adobe Reader software on my iPad Air yesterday. When I try to highlight text, the highlighted text becomes totally black.

    I hope you can help me

    Hello

    We have received your PDF document by e-mail. Thank you!

    I opened the PDF in Acrobat Reader, the desktop version, and confirmed that your highlight color is set to black and opacity is set to 100%.

    I suspect that you accidentally set the highlight color to black in Acrobat Reader for iOS on your iPad Air. (The default color is yellow.)

    To change the highlight color

    1. Open your PDF document in Acrobat Reader for iOS.
    2. Tap on the black highlight in the document.
    3. Select "Color..." in the context menu that appears.
    4. Tap the color you want in the color palette.

    It can be difficult to see due to the background color of your PDF document. But you can see that the highlight color has changed and the highlighted text is readable now.

    Optionally, you can change its opacity by selecting "Opacity..." in step 3 above.

    Acrobat Reader will remember your highlight color choice next time.

    I hope this helps.

  • iOS TextInput displayAsPassword doesn't displayAsPassword

    I am building an application to launch simultaneously on Android, iOS and desktop. The application includes a login that connects to a vBulletin system, and I have met an important issue (the customer is adamant it must be fixed). On iOS, if you type in a TextInput that has displayAsPassword set to true, it will show plain text as you type. Once you click off the TextInput, it displays correctly.

    Here is the code I use in Flex

    <s:TextInput id="inputField" width="100%" styleName="loginFields" text="Password" focusAlpha="0" focusEnabled="false" autoCorrect="false" />

    I then attach event handlers to the input field that perform these functions.

    private var defaultText:String = 'Password';
    private var passwordDisplay:Boolean = true;

    // On focus in: clear the placeholder text and mask the input
    private function focusIn(e:FocusEvent = null):void {
        if (this.inputField.text == this.defaultText) {
            this.inputField.text = '';
        }
        if (this.passwordDisplay) {
            this.inputField.displayAsPassword = true;
        }
    }

    // On focus out: if nothing was typed, restore the placeholder unmasked
    private function focusOut(e:FocusEvent = null):void {
        if (this.inputField.text == '') {
            this.inputField.text = this.defaultText;
            if (this.passwordDisplay) {
                this.inputField.displayAsPassword = false;
            }
        }
    }

    There is a lot more code in the file, but that's the only relevant part. Fundamentally, on focus in, it checks if the text == the default text. If so, it empties the field. It then sets displayAsPassword to true. On focus out, it checks if the field is empty. If so, it restores the default text and sets displayAsPassword to false. I know there is a built-in prompt text, but I need more features than it offers.

    Now this problem (displaying the password in plaintext while focus is on the field) is present on iOS only and does not occur in the emulator. It works perfectly and as expected on Android and desktop. I tried to manually recreate the feature (possible, but not ideal because caretIndex isn't a TextInput property), and I tried hiding the TextInput and layering a "•" field over it that matches the length of the entry (not possible because TextInput is StageText). I don't know what else I can try here. Any ideas?

    Thanks in advance for any help here.

    Spec sheet:

    • Built and compiled using Flash Builder 4.6
    • Using AIR 3.1
    • Running on OS X Lion
    • Tested on both 1st and 3rd gen iPads
    • Using Flex SDK 4.6.0

    The answer to this question was provided by a user on StackOverflow.

    We got burned by some issues w/ StageText when it first came out; I don't know if they have been addressed. A quick test (change the skin class to spark.skins.mobile.TextInputSkin) can tell if that is the case.

  • What are NSSA and TNSSA areas?

    What is the significance of these?

    What LSA types may be advertised in these OSPF areas?

    The difference between totally stubby and NSSA is that a totally stubby area does not allow summary routes from other areas and no externals. Instead, it receives a default route from the area border router. An NSSA is basically identical to a stub area in that it does not allow summary routes, but in case you need to redistribute connected routes or any other routing protocol, you can use an NSSA, which will allow the external routes as Type 7 LSAs.
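    As an added example (not part of the original question or answer), the four area variants side by side on a hypothetical ABR "R1" (router-id 1.1.1.1, area 0 on 10.0.0.0/24, area 1 on 10.1.0.0/24) and an ASBR "R2" inside area 1; names and addresses are assumed. The comments state which LSA types each variant admits into area 1, and the checks at the end show where to look in the LSDB.

```cisco
! Added example, not from the thread. Pick ONE "area 1 ..." statement per
! router; every router in area 1 must agree on the area type, because the
! E and N option bits in hellos must match or the adjacency never forms.
!
! ABR R1: common part
router ospf 1
 router-id 1.1.1.1
 network 10.0.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 1
!
! Variant 1 - stub: Type 1/2 inside, Type 3 summaries from the ABR plus an
! automatic Type 3 default (0.0.0.0); no Type 4/5, so no ASBR is allowed.
 area 1 stub
!
! Variant 2 - totally stubby: Type 1/2 only; the ABR suppresses the other
! Type 3 summaries and sends just the Type 3 default.
 area 1 stub no-summary
!
! Variant 3 - NSSA: Type 1/2/3 inside; an ASBR in the area may originate
! Type 7 externals, which this ABR translates to Type 5 towards area 0.
! No default is injected automatically; add one explicitly if needed.
 area 1 nssa default-information-originate
!
! Variant 4 - totally NSSA (the "TNSSA" of the question): Type 1/2 plus
! Type 7; Type 3 summaries are suppressed and the ABR injects a Type 7
! default on its own, so no extra keyword is required.
 area 1 nssa no-summary
!
! ASBR R2 inside the (T)NSSA, redistributing connected routes as Type 7
router ospf 1
 router-id 2.2.2.2
 network 10.1.0.0 0.0.0.255 area 1
 area 1 nssa
 redistribute connected subnets
!
! Checks (run on R1):
!   show ip ospf | begin Area 1        - area type, stub/nssa flags, LSA counts
!   show ip ospf database nssa-external - Type 7 LSAs learned inside area 1
!   show ip ospf database external      - Type 5 LSAs (the translated ones
!                                        appear in area 0 with R1 as ADV Router)
!   show ip ospf database summary       - Type 3 LSAs; empty inside area 1 for
!                                        variants 2 and 4 except the default
```

    The translator role for a totally NSSA is elected automatically among the NSSA ABRs; if two ABRs attach area 1, check `show ip ospf | include translator` so you know which one is originating the Type 5 copies.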

  • ASA 8.6 - L2L IPsec tunnel established - not possible to ping

    Hello world

    I have a configuration problem with a Cisco ASA 5512-X (IOS 8.6).

    The IPsec tunnel is established between the ASA and another non-Cisco router (hereinafter "router"). I can send ping packets from the router to the ASA, but the ASA is NOT able to answer these requests. Sending requests from the ASA is also NOT possible.

    I'm trying to interconnect the local network 192.168.2.0/24 (Cisco, DMZ interface) and 192.168.3.0/24 (router).

    The Cisco ASA has a static public IP address. The router has a dynamic IP address, so I use the dynamic-map option...

    Here is the output of "show run":

    ---------------------------------------------------------------------------------------------------------------------------------------------

    ASA Version 8.6(1)2
    !
    hostname ciscoasa
    enable password oBGOJTSctBcCGoTh encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     ip address X.X.X.X 255.255.255.0
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     ip address 192.168.0.1 255.255.255.0
    !
    interface GigabitEthernet0/2
     nameif DMZ
     security-level 50
     ip address 192.168.2.1 255.255.255.0
    !
    interface GigabitEthernet0/3
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/4
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface GigabitEthernet0/5
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Management0/0
     nameif management
     security-level 100
     ip address 192.168.1.1 255.255.255.0
     management-only
    !
    ftp mode passive
    object network inside-subnet
     subnet 192.168.0.0 255.255.255.0
    object network webserver-external-ip
     host Y.Y.Y.Y
    object network webserver
     host 192.168.2.100
    object network vpn-local-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network vpn-remote-192.168.3.0
     subnet 192.168.3.0 255.255.255.0
    access-list outside_acl extended permit tcp any object webserver
    access-list outside_acl extended permit tcp any object webserver eq www
    access-list l2l-list extended permit ip object vpn-local-192.168.2.0 object vpn-remote-192.168.3.0
    access-list dmz_acl extended permit icmp any any echo
    pager lines 24
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu DMZ 1500
    mtu management 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (DMZ,outside) source static vpn-local-192.168.2.0 vpn-local-192.168.2.0 destination static vpn-remote-192.168.3.0 vpn-remote-192.168.3.0
    !
    object network inside-subnet
     nat (inside,outside) dynamic interface
    object network webserver
     nat (DMZ,outside) static webserver-external-ip service tcp www www
    access-group dmz_acl global
    route outside 0.0.0.0 0.0.0.0 Z.Z.Z.Z 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 management
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    crypto ipsec ikev1 transform-set ikev1-trans-set esp-3des esp-md5-hmac
    crypto ipsec ikev2 ipsec-proposal 3des-GNAT
     protocol esp encryption 3des
     protocol esp integrity md5
    crypto dynamic-map dynMidgeMap 1 match address l2l-list
    crypto dynamic-map dynMidgeMap 1 set pfs
    crypto dynamic-map dynMidgeMap 1 set ikev1 transform-set ikev1-trans-set
    crypto dynamic-map dynMidgeMap 1 set ikev2 ipsec-proposal 3des-GNAT
    crypto dynamic-map dynMidgeMap 1 set security-association lifetime seconds 28800
    crypto dynamic-map dynMidgeMap 1 set reverse-route
    crypto map midgeMap 1 ipsec-isakmp dynamic dynMidgeMap
    crypto map midgeMap interface outside
    crypto isakmp identity hostname
    crypto ikev2 policy 1
     encryption 3des
     integrity md5
     group 2
     prf md5
     lifetime seconds 86400
    crypto ikev2 enable outside
    crypto ikev1 enable outside
    crypto ikev1 policy 1
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.1.2-192.168.1.254 management
    dhcpd enable management
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy midgeTrialPol internal
    group-policy midgeTrialPol attributes
     vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
     ipsec-udp enable
    tunnel-group midgeVpn type ipsec-l2l
    tunnel-group midgeVpn general-attributes
     default-group-policy midgeTrialPol
    tunnel-group midgeVpn ipsec-attributes
     ikev1 pre-shared-key *****
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:fa02572f9ff8add7bbfe622a4801e606
    : end

    ------------------------------------------------------------------------------------------------------------------------------

    X.X.X.X - ASA public IP

    Y.Y.Y.Y - a web server

    Z.Z.Z.Z - default gateway

    -------------------------------------------------------------------------------------------------------------------------------

    PING from the ASA:

    ciscoasa# ping DMZ 192.168.3.1
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
    ?????
    Success rate is 0 percent (0/5)

    PING from the router (debug on the Cisco):

    ciscoasa# NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    NAT: untranslation - outside:192.168.2.1/0 to DMZ:192.168.2.1/0
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=0 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=1 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=2 len=40
    ICMP echo request from outside:192.168.3.1 to DMZ:192.168.2.1 ID=3859 seq=3 len=40

    -------------------------------------------------------------------------------------------------------------------------------

    ciscoasa# show route outside

    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
           * - candidate default, U - per-user static route, o - ODR
           P - periodic downloaded static route

    Gateway of last resort is Z.Z.Z.Z to network 0.0.0.0

    C    Z.Z.Z.0 255.255.255.0 is directly connected, outside
    S    192.168.3.0 255.255.255.0 [1/0] via Z.Z.Z.Z, outside
    S*   0.0.0.0 0.0.0.0 [1/0] via Z.Z.Z.Z, outside

    -------------------------------------------------------------------------------------------------------------------------------

    Do you have an idea of what I am doing wrong? Probably some bad NAT/ACL I suppose, but I could only ever find something for ASA 8.4 and not 8.6... Perhaps, and no doubt, I have already messed up the configuration with unwanted commands, but I've tried various things...

    Please, if you have an idea, let me know! Thank you very much!

    Hello

    I've never used the "global" option in ACLs, but it looks to be the origin of the problem. Cisco doc:

    "Global access rules are defined as a special ACL that is processed for each interface on the device for inbound traffic to the interface. Thus, although the ACL is configured once on the device, it acts like a secondary interface-specific ACL defined for the In direction. (Global rules are always in the In direction, never Out.)"

    Your ACL: access-list dmz_acl extended permit icmp any any echo

    So, when you initiate from the ASA, there is an echo-reply from the router arriving on the outside interface --> the global ACL can block it.

    Then when you initiate from the router, the ASA sends the echo-reply, which is blocked again.

    Try adding permit echo-reply as well.

    In addition, you can use "inspect icmp" in the global policy rather than the ACL.

    If none of this works, you can do more troubleshooting with packet-tracer on the ASA.

    THX

    MS
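    The changes the reply suggests, written out as an added example against the object and ACL names from the posted configuration (this is not part of the original thread). The DMZ host 192.168.2.100 from the posted `webserver` object is used as the test endpoint; the router's public IP is a placeholder.

```cisco
! Added example, not from the thread. Uses the names already in the posted
! "show run"; <router-public-ip> is a placeholder.
!
! 1. The global ACL only ever filters inbound; give the echo-reply a match
!    too, otherwise the reply arriving on outside has no permit to hit.
access-list dmz_acl extended permit icmp any any echo
access-list dmz_acl extended permit icmp any any echo-reply
access-group dmz_acl global
!
! 2. Alternatively (or in addition), let ICMP inspection track the
!    request/reply pair statefully so the reply needs no ACL entry at all.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! 3. Prove each direction offline with packet-tracer before a live test.
!    Router LAN -> DMZ host, ICMP type 8 (echo) code 0:
packet-tracer input outside icmp 192.168.3.1 8 0 192.168.2.100 detailed
!    DMZ host -> router LAN:
packet-tracer input DMZ icmp 192.168.2.100 8 0 192.168.3.1 detailed
!    In the output, the NAT phase must hit the twice-NAT identity rule
!    "nat (DMZ,outside) source static vpn-local-192.168.2.0 ..." (so the
!    real addresses survive into the tunnel), the ACCESS-LIST phase must
!    show ALLOW, and the final result must be "allow" towards "outside".
!
! 4. Confirm the SA is carrying traffic: #pkts encaps and #pkts decaps
!    should both increase between two runs.
show crypto ipsec sa peer <router-public-ip>
```

    One caveat for the exact test the post shows: the router pings 192.168.2.1, which is the ASA's own DMZ interface address. Traffic addressed to an ASA interface is governed by the `icmp` interface rules, not by access-groups, and reaching an interface other than the one the VPN terminates on requires `management-access DMZ`. Testing against a host behind the DMZ, as above, removes that variable.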

  • Cisco ipsec Vpn connects but cannot communicate with lan

    I have a version of cisco 1921 15.2 (4) M3 I install vpn ipsec and may have customers to connect but cannot ping anything inside.  A glimpse of what could be wrong with my config would be greatly appreciated.  I posted the configuration as well as running a few outings of ipsec.  I also tried with multiple operating systems using cisco vpn client and shrewsoft.  I am able to connect to the other VPN ipsec running 1921 both of these computers by using a client.

    Thanks for any assistance

sh run

!
aaa new-model
!
aaa authentication login radius_auth group radius local
aaa authentication login VPN_AUTHEN group radius local
aaa authorization network network_vpn_author local
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PST recurring
!
no ip source-route
ip options drop
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name XXX.local
ip inspect max-incomplete high 3000
ip inspect max-incomplete low 2800
ip inspect one-minute low 2800
ip inspect one-minute high 3000
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ssh
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-2909270577
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2909270577
 revocation-check none
 rsakeypair TP-self-signed-2909270577
!
crypto pki certificate chain TP-self-signed-2909270577
 certificate self-signed 01
license udi pid CISCO1921/K9 sn FTX1715818R
!
archive
 log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
object-group network ADMIN_HOSTS
 range 71.X.X.X 71.X.X.X
!
username name1 privilege 15 secret 4 XXXXXXX
!
redundancy
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group roaming_vpn
 key XXXXX
 dns 192.168.10.10 10.1.1.1
 domain XXX.local
 pool VPN_POOL_1
 acl client_vpn_traffic
 netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto dynamic-map VPN_DYNMAP_1 1
 set security-association idle-time 1800
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map SDM_CMAP_1 client authentication list VPN_AUTHEN
crypto map SDM_CMAP_1 isakmp authorization list network_vpn_author
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic VPN_DYNMAP_1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 76.W.E.R 255.255.255.248
 ip access-group ATT_Outside_In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 no ip address
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 1 native
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip accounting access-violations
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.1.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 ip address 10.1.2.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip local pool VPN_POOL_1 192.168.168.193 192.168.168.254
ip forward-protocol nd
!
ip http server
ip http authentication aaa login-authentication ADMIN_AUTHEN
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ATT_NAT_LIST interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 25 76.W.E.R 25 extendable
ip nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extendable
ip nat inside source static tcp 192.168.10.10 443 76.W.E.R 443 extendable
ip nat inside source static tcp 192.168.10.10 987 76.W.E.R 987 extendable
ip route 0.0.0.0 0.0.0.0 76.W.E.F
!
ip access-list extended ATT_Outside_In
 permit tcp object-group ADMIN_HOSTS any eq 22
 permit tcp any host 76.W.E.R eq www
 permit tcp any host 76.W.E.R eq 443
 permit tcp any host 76.W.E.R eq 987
 permit tcp any host 76.W.E.R eq smtp
 permit icmp any any echo-reply
 permit icmp any any
 permit udp any any eq isakmp
 permit esp any any
 permit ahp any any
 permit udp any any eq non500-isakmp
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
ip access-list extended NAT_LIST
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
ip access-list extended client_vpn_traffic
 permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
 permit ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
ip radius source-interface GigabitEthernet0/1.10
logging trap errors
logging origin-id hostname
logging source-interface GigabitEthernet0/1.10
!
route-map ATT_NAT_LIST permit 20
 match ip address NAT_LIST
 match interface GigabitEthernet0/0
!
snmp-server community [email protected] RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps c3g
snmp-server enable traps entity-sensor threshold
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp cbgp2
snmp-server enable traps isis
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps waas
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps firewall serverstatus
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps rf
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
radius-server dead-criteria tries 2
radius-server host 192.168.10.10
radius-server timeout 2
radius-server key XXXXXXX
!
control-plane
!
line con 0
 privilege level 15
 login authentication radius_auth
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login authentication radius_auth
 transport input ssh
line vty 5 15
 privilege level 15
 login authentication radius_auth
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.168.10.10
ntp server 64.250.229.100
!
end

Router#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 76.W.E.R

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.168.213/255.255.255.255/0/0)
   current_peer 75.X.X.X port 2642
     PERMIT, flags={}
    #pkts encaps: 1953, #pkts encrypt: 1953, #pkts digest: 1953
    #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 76.W.E.R, remote crypto endpt.: 75.X.X.X
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x5D423270(1564619376)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2A5177DD(709982173)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2115, flow_id: Onboard VPN:115, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4301748/2809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5D423270(1564619376)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2116, flow_id: Onboard VPN:116, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4301637/2809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
76.W.E.R        75.X.X.X        QM_IDLE           1055 ACTIVE

IPv6 Crypto ISAKMP SA

In your NAT ACL you will need to deny your VPN traffic before you permit the subnet at all. Just put all the deny statements before the permit statements.

Sent from Cisco Technical Support iPhone App
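As an added example (not from the original post or the reply), here is the NAT_LIST from the configuration above rebuilt so that the VPN-pool exemptions come first, together with the commands to apply and check it. It uses only the names and addresses already in the posted configuration; nothing else in the router config is assumed or changed.

```cisco
! Added example, not part of the original post.
! IOS evaluates an ACL top-down and stops at the first match. In the posted
! order "permit ip 192.168.10.0 0.0.0.255 any" matches LAN-to-VPN-client
! traffic before the deny below it is reached, so the route-map translates
! that traffic to the GigabitEthernet0/0 address and it never enters the
! IPsec SA back to the client.
!
! 1. Rebuild the list with the exemptions first. Removing and re-adding it
!    is the simplest way to get the order right; route-map ATT_NAT_LIST
!    references the list by name and picks it up again as soon as it exists.
!    NAT has no matching list for a moment, so paste the whole block at once.
no ip access-list extended NAT_LIST
ip access-list extended NAT_LIST
 remark --- VPN client pool (192.168.168.192/26) must never be translated ---
 deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
 deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
 remark --- everything else from the inside is PAT'd to Gi0/0 ---
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 192.168.10.0 0.0.0.255 any
!
! 2. Drop translations created under the old order. An existing entry for a
!    LAN host talking to a VPN client would otherwise survive until it ages out.
clear ip nat translation *
!
! 3. Checks (exec mode). Once a client is connected and talks to a LAN host,
!    the deny lines should show match counts, no translation for the
!    192.168.168.x pool should exist, and the "#pkts encaps" counter in the
!    client's IPsec SA should rise with the return traffic.
show ip access-lists NAT_LIST
show ip nat translations | include 192.168.168
show crypto ipsec sa | include pkts
```

The client_vpn_traffic split-tunnel list is unchanged: it decides what the client sends into the tunnel, while NAT_LIST decides what the router keeps untranslated on the way back, and both have to agree on the 192.168.168.192/26 pool.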

  • IPsec tunnel and routing protocol support

    Hello all,

    I read that IPsec does not support routing protocols with site-to-site VPNs because both are Layer 4.

    Does this mean that if Site A must reach Site B over a WAN link, we use static routes on the Site A and Site B routers?

    In my home lab I configured site-to-site VPNs and they work correctly using OSPF. Does that mean that IPsec supports routing protocols?

    Can someone explain this, please?

    OSPF config on one side

    router ospf 1
     router-id 3.4.4.4
     log-adjacency-changes
     area 10 virtual-link 10.4.4.1
     passive-interface Vlan10
     passive-interface Vlan20
     network 3.4.4.4 0.0.0.0 area 0
     network 192.168.4.0 0.0.0.255 area 10
     network 192.168.5.0 0.0.0.255 area 0
     network 192.168.10.0 0.0.0.255 area 0
     network 192.168.20.0 0.0.0.255 area 0
     network 192.168.30.0 0.0.0.255 area 0
     network 192.168.98.0 0.0.0.255 area 0
     network 192.168.99.0 0.0.0.255 area 0

    3550SMIA#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 192.168.5.3 to network 0.0.0.0

         192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
         3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C       3.4.4.0/24 is directly connected, Loopback0
    C    192.168.30.0/24 is directly connected, Vlan30
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C    192.168.10.0/24 is directly connected, Vlan10
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
    C    192.168.99.0/24 is directly connected, FastEthernet0/8
    C    192.168.20.0/24 is directly connected, Vlan20
         192.168.5.0/31 is subnetted, 1 subnets
    C       192.168.5.2 is directly connected, FastEthernet0/11
    C    10.0.0.0/8 is directly connected, Tunnel0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
         192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11

    Side B config

    Side A

    router ospf 1
     log-adjacency-changes
     network 192.168.97.0 0.0.0.255 area 0
     network 192.168.98.0 0.0.0.255 area 0
     network 192.168.99.0 0.0.0.255 area 0

    1811w#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route

    Gateway of last resort is 192.168.99.2 to network 0.0.0.0

         192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
         3.0.0.0/32 is subnetted, 2 subnets
    O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
    C    192.168.98.0/24 is directly connected, BVI98
    C    192.168.99.0/24 is directly connected, FastEthernet0
    O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.5.0/31 is subnetted, 1 subnets
    O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
    O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0

    Thank you

    Mahesh

    Mahesh.

    Indeed, purely crypto-map based solutions are not compatible with routing protocols. Crypto maps are, however, the legacy config we support on IOS. The best practice is to use tunnel protection. Any routing protocol will then work.

    e.g.

    https://learningnetwork.Cisco.com/docs/doc-2457

    It's the best solution we currently have.
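As an added example, not the reply author's own configuration, here is what "tunnel protection" looks like on one end of a site-to-site link with OSPF running across it. The peer address 198.51.100.2, the tunnel subnet 10.255.0.0/30, the pre-shared key and OSPF key placeholders, and the AES/SHA-256 cipher choices (IOS 15.x) are assumptions; the router-id and the two LAN prefixes are borrowed from the "one side" OSPF config above only to show where the tunnel fits. The other end mirrors it with the addresses swapped. The point it demonstrates: with a crypto map on the physical interface, OSPF hellos (multicast to 224.0.0.5) never match a unicast crypto ACL and are never sent through IPsec, so no adjacency can form; routing them into a GRE tunnel turns them into unicast GRE packets that the IPsec profile encrypts like any other traffic.

```cisco
! Added example: one end of a GRE-over-IPsec link using tunnel protection.
! Peer address, tunnel subnet, keys and cipher suite are assumptions.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
! Transport mode is enough: the GRE header already carries the outer
! addresses, so tunnel mode would only add 20 bytes per packet.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256-SHA256
 set pfs group14
!
interface Tunnel0
 description GRE/IPsec to Site B
 ip address 10.255.0.1 255.255.255.252
 ! GRE (24 B) plus ESP/AES/SHA overhead has to fit under the 1500-byte WAN MTU
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! OSPF packets on the tunnel are already inside IPsec; the MD5 key is a
 ! second check that only the intended peer can inject LSAs (assumed key)
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile IPSEC-PROF
!
! OSPF treats the tunnel as a point-to-point link. No crypto ACL exists;
! whatever is routed into Tunnel0 is encapsulated, multicast included.
router ospf 1
 router-id 3.4.4.4
 passive-interface default
 no passive-interface Tunnel0
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
! Checks (exec mode): the neighbour should reach FULL over Tunnel0, the
! interface should report "Tunnel protection via IPSec", and the SA packet
! counters should climb even with no user traffic (hellos every 10 s).
! show ip ospf neighbor
! show interfaces Tunnel0 | include protection
! show crypto ipsec sa | include pkts
```

"passive-interface default" with only Tunnel0 re-enabled keeps the router from sending unauthenticated hellos on the WAN and LAN interfaces, which is worth keeping even where the tunnel itself is the only place a neighbour is expected. The 3550's route table above already shows a "Tunnel0" interface, which is consistent with the lab working over a GRE tunnel rather than over a bare crypto map.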

  • Cisco 861 DHCP + public static IPs + NAT/DNAT. Help.

    Hello

    I used to use a self-made CentOS server as the intranet gateway for my small office, but a few days ago I bought a Cisco 861 router to replace the Linux machine.

    My needs:

    1. I have 2 public IP classes from my ISP. 1 class is limited to 80 Mbit upload, the other to 30 Mbit upload. So I need some sort of DNAT to be able to decide exactly which intranet computer uses the big internet and which one uses the limited one.

    2. I need a DHCP server with static IP addresses (a computer must always have the same IP address, etc.)... I have my reasons for this.

    3. Also I need external access to certain servers on the inside (web, ftp, etc.)

    Parameters:

    Intranet (DHCP): 10.11.12.x 255.255.255.0

    Public Internet 1: 89.45.204.118 255.255.255.248 (89.45.204.117 as gateway)

    Public Internet 2: some other class in the same IP range (assume 89.45.204.58/24 for example)

    DNS: 89.45.200.1

    So far so good, everything seems simple and I can do this in 2 hours on a CentOS Linux box (correct routes, ip forwarding enabled and some iptables rules for NAT/SNAT/DNAT).

    But on this new Cisco router... Well, I am not yet able to ping the outside world, nor the inside world. I'm tired of reading the forums, documentation... I want (at the beginning) a simple scenario: vlan + dhcp, Fa4 with 1 public IP address and ACCESS to the real world. I was not even able to get that far.

    OK, first of all, here is a copy of the running configuration:

    Building configuration...

    Current configuration : 5826 bytes
    !
    version 15.1
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco861
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 [out-of-context]
    enable password [out-of-context]
    !
    no aaa new-model
    memory-size iomem 10
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-2459631067
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2459631067
     revocation-check none
     rsakeypair TP-self-signed-2459631067
    !
    crypto pki certificate chain TP-self-signed-2459631067
     certificate self-signed 01
      [out-of-context]
      quit
    ip source-route
    !
    ip dhcp excluded-address 10.11.12.1
    ip dhcp excluded-address 10.11.12.251 10.11.12.254
    !
    ip dhcp pool cisco861-iasi
     import all
     network 10.11.12.0 255.255.255.0
     domain-name cisco861.iasi
     dns-server 10.11.12.1 89.45.200.1
     default-router 10.11.12.1
     netbios-name-server 10.11.12.2 10.11.12.3
    !
    ip dhcp pool testPC
     host 10.11.12.111 255.255.255.0
     client-identifier 0100.c030.1012.09
     client-name testpc-01
    !
    ip cef
    ip domain name cisco861.iasi
    ip name-server 89.45.200.1
    !
    license udi pid CISCO861-K9 sn [out-of-context]
    !
    username admin privilege 15 secret 4 [out-of-context]
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     no ip address
    !
    interface FastEthernet3
     no ip address
    !
    interface FastEthernet4
     description $ETH-WAN$
     ip address 89.45.204.118 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex full
     speed auto
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     ip address 10.11.12.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    !
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    !
    ip nat inside source list 23 interface FastEthernet4 overload
    ip route 0.0.0.0 0.0.0.0 89.45.204.117
    !
    access-list 23 permit 10.11.12.0 0.0.0.255
    dialer-list 1 protocol ip permit
    snmp-server community cisco861.Iasi RO
    !
    line con 0
     login local
    line aux 0
    line vty 0 4
     access-class 23 in
     privilege level 15
     password [out-of-context]
     login local
     transport input telnet ssh
    !
    end

    (I couldn't find any CODE or QUOTE tags like on other forums... so I tried to indent the config for you guys)

    In addition, here are a few troubleshooting commands I used; maybe they can help some of you see what the problem is

    cisco861#show ip interface brief
    Interface                  IP-Address      OK? Method Status                Protocol
    FastEthernet0              unassigned      YES unset  up                    up
    FastEthernet1              unassigned      YES unset  down                  down
    FastEthernet2              unassigned      YES unset  down                  down
    FastEthernet3              unassigned      YES unset  down                  down
    FastEthernet4              89.45.204.118   YES manual up                    up
    NVI0                       89.45.204.118   YES unset  up                    up
    Vlan1                      10.11.12.1      YES manual up                    up

    cisco861#show mac-address-table
              Destination Address  Address Type  VLAN  Destination Port
              -------------------  ------------  ----  --------------------
              xxxx.xxxx.xxxx       Dynamic       1     FastEthernet0
              xxxx.xxxx.xxxx       Self          1     Vlan1

    ODD: there is no MAC address for the connected FastEthernet4. How come? I changed 3 cables. All cables are OK.

    cisco861#show ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
           + - replicated route, % - next hop override

    Gateway of last resort is 89.45.204.117 to network 0.0.0.0

    S*    0.0.0.0/0 [1/0] via 89.45.204.117
          10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        10.11.12.0/24 is directly connected, Vlan1
    L        10.11.12.1/32 is directly connected, Vlan1
          89.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        89.45.204.117/29 is directly connected, FastEthernet4
    L        89.45.204.118/32 is directly connected, FastEthernet4

    router#show interfaces FastEthernet 4
    FastEthernet4 is up, line protocol is up
      Hardware is PQII_PRO_UEC, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
      Description: $ETH-WAN$
      Internet address is 89.45.204.118/29
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:02:54, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         28 packets input, 3909 bytes
         Received 14 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         110 packets output, 25366 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 unknown protocol drops
         0 babbles, 0 late collision, 0 deferred
         1 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out

    router#show interfaces vlan 1
    Vlan1 is up, line protocol is up
      Hardware is EtherSVI, address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
      Description: $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
      Internet address is 10.11.12.1/24
      MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not supported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:06, output never, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         512 packets input, 53381 bytes, 0 no buffer
         Received 185 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         180 packets output, 13248 bytes, 0 underruns
         0 output errors, 1 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out

    Also, I tried other combinations, as follows

    1. ip route static inter-vrf
    2. ip default-gateway 89.45.204.117 (of course combined with no ip routing). I can ping 8.8.8.8 in this scenario, but not other IP addresses. WTF?
    3. ip default-network 89.45.204.117 (the gateway) - nothing
    4. ip default-network 89.45.204.118 - nothing
    5. ip route 0.0.0.0 0.0.0.0 FastEthernet4 (with or without 89.45.204.117, with or without the permanent keyword)

    Please, have mercy and help me.

    P.S. I've also attached the configuration and troubleshooting files if it is easier for you to follow them that way.

    Many thanks and God bless you!

    Hello

    ip nat inside source static 10.11.12.33 89.45.204.120 (host-to-host)

    ip nat inside source static tcp 10.11.12.33 80 89.45.204.120 80 (host-to-host port translation)

    Regards

    Paul

    Please don't forget to rate this post if it has been helpful.
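As an added example (not Paul's reply and not the poster's configuration), here is one way to cover needs 1 and 3 from the question on top of the 861 config above: two PCs are translated to a second public address, the rest of the LAN keeps using the FastEthernet4 address, and one inside web server is published on port 80. The inside hosts 10.11.12.33, 10.11.12.34 and 10.11.12.10 and the second public address 89.45.204.58 are assumptions (the poster offered .58 only as a placeholder), and the example assumes the ISP delivers that second address to the router over the same FastEthernet4 link, either on-link or routed to 89.45.204.118. It does not address the ping problem in the question.

```cisco
! Added example; inside host and second-address values are assumptions.
!
! Hosts that should leave through the second (80 Mbit) public address.
ip access-list extended NAT-FAST
 permit ip host 10.11.12.33 any
 permit ip host 10.11.12.34 any
!
! Everyone else. The denies come first because IOS stops at the first
! matching line: without them the "fast" hosts would also match this list
! and could be translated to the FastEthernet4 address instead.
ip access-list extended NAT-SLOW
 deny   ip host 10.11.12.33 any
 deny   ip host 10.11.12.34 any
 permit ip 10.11.12.0 0.0.0.255 any
!
! A one-address pool. When the address is on-link, IOS answers ARP for it
! (visible with "show ip alias"); when it is not, the ISP must route it
! to 89.45.204.118.
ip nat pool FAST-POOL 89.45.204.58 89.45.204.58 netmask 255.255.255.0
!
route-map NAT-FAST permit 10
 match ip address NAT-FAST
 match interface FastEthernet4
!
! Replace the single "list 23" rule from the posted config with these two.
no ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source route-map NAT-FAST pool FAST-POOL overload
ip nat inside source list NAT-SLOW interface FastEthernet4 overload
!
! Need 3: publish an inside web server on the primary address. "extendable"
! is required because the same public address is also used for PAT above.
ip nat inside source static tcp 10.11.12.10 80 89.45.204.118 80 extendable
!
! Flush translations built under the old rule, then check which public
! address each host gets and that the static entry is present.
clear ip nat translation *
show ip nat translations
show ip nat statistics
```

The static entry captures every inbound connection to 89.45.204.118:80, so the router's own "ip http server" is no longer reachable on that address from outside; the posted "ip http access-class 23" and the vty "access-class 23 in" already restrict management to the LAN, and both should stay in place when forwarding is added. ACL 23 remains in use by those two commands after the NAT rule that referenced it is removed.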

  • DMVPN Phases

    I'm a little confused now, because I realized that I can't understand the DMVPN phases.

    Can someone explain to me what the difference is between a full-mesh and a hub-and-spoke network?

    (1) Hub-and-spoke network - all DMVPN traffic goes through the HUB, doesn't it? And the difference between dynamic and static VPN is that the IPsec tunnels are only created when necessary?

    (2) Full-mesh network - the spokes query the hub's NHRP table and establish direct tunnels (traffic passes from spoke to spoke)?

    If this information is correct, then where can I find a guide to configuring DMVPN in a full-mesh network?

    I found this guide http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml , but it seems to me that this is a hub-and-spoke example!

    Thank you very much in advance!

    Hi Dimitri.

    Question 1:

    All traffic passes through HUB - OK

    The tunnels are only created when needed between rays - correct

    Question 2:

    Fix

    http://Cisco.com/en/us/Tech/tk583/TK372/technologies_white_paper09186a008018983e.shtml

    Please take a look at the link given above.

    Excerpt from the link above

    "PNDH offers the opportunity for the spoke routers learn dynamically outside physical interface other routers address talk network VPN." This means that a router speaks will be enough information to dynamically build an IPsec + tunnel love directly to the other spoke routers.

    The dynamic IP routing protocol running on the hub router can be configured to reflect the routes registered by one spoke back on the same interface for all other rays, but the leap following IP on these roads will usually be the hub router, not the router speaks where the hub has learned this route.

    The dynamic routing protocols (RIP, OSPF and EIGRP) need to be configured on the hub router to announce routes back to the love tunnel interface and define the next IP for the router hop speaks originating for the routes registered by one spoke when the road is called back to the other rays.

    Here are the requirements for Protocol routing configurations.

    RIP

    You should disable split horizon on the interface of tunnel love on the hub, otherwise, RIP will be registered through the love interface routes not regularize this same interface.

    No cutting of the ip horizon

    No other changes are needed. RIP will automatically use the original next IP Hop on the roads it advertises back on the same interface where she learned these routes.

    EIGRP

    You must disable split horizon on the mGRE tunnel interface on the hub; otherwise EIGRP will not advertise routes learned via the mGRE interface back out that same interface.

    no ip split-horizon eigrp

    By default, EIGRP will set the IP next hop to the hub router for the routes it advertises, even when advertising those routes back out the same interface where it learned them. Therefore, in this case you need the following configuration command to tell EIGRP to use the original IP next hop when advertising these routes.

    no ip next-hop-self eigrp

    Note: The no ip next-hop-self eigrp command is available starting in Cisco IOS Release 12.3(2). For Cisco IOS Releases 12.2(13)T to 12.3(2), you must do the following:

    * If spoke-to-spoke dynamic tunnels are not wanted, then the above command is not necessary.

    * If spoke-to-spoke dynamic tunnels are wanted, then you must use process switching on the tunnel interface on the spoke routers.

    * Otherwise, you will need to use another routing protocol on the DMVPN.

    OSPF

    Because OSPF is a link-state routing protocol, there are no split horizon issues. Normally, for multipoint interfaces, you would configure the OSPF network type to be point-to-multipoint, but this would cause OSPF to add host routes to the routing table on the spoke routers. These host routes would cause packets destined to networks behind the other spoke routers to be forwarded via the hub rather than directly to the other spoke. To work around this problem, configure the OSPF network type to be broadcast using the command:

    ip ospf network broadcast

    You must also make sure that the hub router will be the designated router (DR) for the IPsec+mGRE network. This is done by setting the OSPF priority to be greater than 1 on the hub and 0 on the spokes.

    * Hub: ip ospf priority 2

    * Spokes: ip ospf priority 0

    * END OF SNIPPET *

    Hope that explains it.

    Rate this post if it helps.

    Gilbert
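    The snippet above lists per-protocol settings for the hub's mGRE tunnel interface but gives no way to verify them. The following is an added example, not from the Cisco document or Gilbert's post: a small audit that parses an IOS-style running-config into interface blocks, finds the multipoint GRE tunnels, and reports which of the listed requirements (split horizon, EIGRP next-hop-self, OSPF broadcast network type and DR priority) each one fails to meet. The sample config is constructed; its interface names, addresses, NHRP network IDs and IPsec profile name are hypothetical.

```python
"""Audit a DMVPN hub's mGRE tunnel interfaces for the routing-protocol
settings the snippet above requires before spoke-to-spoke tunnels will
carry traffic directly (split horizon, next-hop-self, OSPF network type
and DR priority).

Added example, not from the Cisco document or Gilbert's post. It assumes
IOS-style running-config syntax; the sample config below is constructed,
and its interface names, addresses and profile name are hypothetical.
"""
import re

# Requirements as listed in the snippet: a regex that must match one line
# under the interface, and the reason to report when it does not.
REQUIREMENTS = {
    ("hub", "rip"): [
        (r"^no ip split-horizon$",
         "RIP: split horizon must be disabled on the hub's mGRE interface"),
    ],
    ("hub", "eigrp"): [
        (r"^no ip split-horizon eigrp(?: \d+)?$",
         "EIGRP: split horizon must be disabled on the hub's mGRE interface"),
        (r"^no ip next-hop-self eigrp(?: \d+)?$",
         "EIGRP: hub must keep the originating spoke as next hop"),
    ],
    ("hub", "ospf"): [
        (r"^ip ospf network broadcast$",
         "OSPF: network type must be broadcast, not point-to-multipoint"),
        (r"^ip ospf priority (?:[2-9]|[1-9]\d+)$",
         "OSPF: hub priority must be greater than 1 so it becomes DR"),
    ],
    ("spoke", "ospf"): [
        (r"^ip ospf network broadcast$",
         "OSPF: network type must be broadcast, not point-to-multipoint"),
        (r"^ip ospf priority 0$",
         "OSPF: spoke priority must be 0 so it never becomes DR/BDR"),
    ],
    # The snippet places no interface-level requirement on RIP/EIGRP spokes.
    ("spoke", "rip"): [],
    ("spoke", "eigrp"): [],
}


def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} from a running-config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None          # "!" or a top-level command ends the block
    return interfaces


def mgre_tunnels(interfaces):
    """Names of interfaces configured as multipoint GRE (the DMVPN cloud)."""
    return [name for name, lines in interfaces.items()
            if "tunnel mode gre multipoint" in lines]


def check_tunnel(lines, role, protocol):
    """Return the list of unmet requirements (empty means compliant)."""
    if (role, protocol) not in REQUIREMENTS:
        raise ValueError("unknown role/protocol: %s/%s" % (role, protocol))
    return [why for pattern, why in REQUIREMENTS[(role, protocol)]
            if not any(re.match(pattern, line) for line in lines)]


def audit(config, role, protocol):
    """Map every mGRE tunnel in the config to its list of unmet requirements."""
    interfaces = parse_interfaces(config)
    return {name: check_tunnel(interfaces[name], role, protocol)
            for name in mgre_tunnels(interfaces)}


# Constructed hub config: Tunnel0 follows the OSPF guidance above, Tunnel1
# still uses point-to-multipoint and has no DR priority set.
HUB_CONFIG = """\
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip ospf network broadcast
 ip ospf priority 2
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 100001
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
"""

if __name__ == "__main__":
    for name, problems in audit(HUB_CONFIG, "hub", "ospf").items():
        print(name, "OK" if not problems else problems)
```

    Running it with role "hub" and protocol "ospf" reports Tunnel0 as compliant and flags Tunnel1 for both the point-to-multipoint network type and the missing priority; the same config audited for "eigrp" flags Tunnel0 for both the split-horizon and next-hop-self commands, which is the failure mode that leaves spoke-to-spoke traffic hairpinning through the hub. The EIGRP patterns accept the AS number that IOS appends to those commands, since the snippet shows them without it.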

  • DLR control VM issue

    Hello Experts,

    I'm listening to VMworld 2014 - Networking: NSX for vSphere Logical Routing Deep Dive and came across this slide.

    [image: NSX-DLR.PNG]

    In the above slide the speaker says that the DLR control VM is never in the data path between the NSX Edge and the logical networks behind the DLR. In the case where the DLR forms an OSPF adjacency with the NSX Edge, it must send Type 5 LSAs for the 172.16.10/20/30.0/24 subnets, because the NSX Edge must use 192.168.10.2 as the next hop to bypass the DLR control VM in the data path. That also means the DLR control VM cannot send Type 5 LSAs when OSPF.

    Correct me if I'm wrong.

    NSX supports two types of OSPF areas: normal areas and NSSA.

    If your DLR and ESG are in an NSSA and you redistribute your DLR connected routes, they will be Type 7 LSAs and appear on the ESG as 'N2 - OSPF NSSA external type 2' routes.

    If your DLR and ESG are configured for a normal OSPF area, then you are right, they will be Type 5 LSAs.

    Here is an excerpt from a show ip route and show ip ospf database on an ESG peering with a DLR in an NSSA.

    ESG-nsx-01-0> sh ip route

    Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
    C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
    IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

    O   N2   10.29.15.0/24   [110/1]   via 10.29.2.254
    O   N2   10.29.20.0/24   [110/1]   via 10.29.2.254
    O   N2   10.29.21.0/24   [110/1]   via 10.29.2.254
    O   N2   10.29.22.0/24   [110/1]   via 10.29.2.254
    O   N2   10.29.24.0/24   [110/1]   via 10.29.2.254

    ESG-nsx-01-0> sh ip ospf database

    Type-7 AS External Link States (Area 0.0.0.29)

    Link ID         ADV Router      Age         Seq Num     Checksum
    10.29.15.0      10.29.2.254     1395        0x8000029a  0x00009272
    10.29.20.0      10.29.2.254     1395        0x8000038f  0x00006e9b
    10.29.21.0      10.29.2.254     1395        0x800003e8  0x0000b0fe
    10.29.22.0      10.29.2.254     1395        0x800003e8  0x0000a509
    10.29.24.0      10.29.2.254     1395        0x8000038f  0x000042c3

    And the corresponding routes on the DLR:

    DLR-nsx-01> sh ip route

    Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
    C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
    IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
    N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

    C        10.29.15.0/24   [0/0]     via 10.29.15.254
    C        10.29.20.0/24   [0/0]     via 10.29.20.254
    C        10.29.21.0/24   [0/0]     via 10.29.21.254
    C        10.29.22.0/24   [0/0]     via 10.29.22.254
    C        10.29.24.0/24   [0/0]     via 10.29.24.254

    Cheers

    Dale
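    Dale's answer shows by eye that the DLR's redistributed connected routes arrive on the ESG as N2 routes backed by Type-7 LSAs. The following is an added example, not part of Dale's post or any VMware tooling: it parses ESG-style show ip route and show ip ospf database output, checks that every N1/N2 route has a Type-7 LSA for the same prefix (and every E1/E2 route a Type-5 LSA, the normal-area case), and flags any external route whose installed next hop is the DLR control VM's protocol address rather than its forwarding address, which is the concern raised in the question. Both outputs are constructed to mirror the format above; the Type-5 entry, the 10.29.99.0/24 prefix and the control VM address 10.29.2.253 passed to the check are hypothetical.

```python
"""Cross-check an NSX Edge's OSPF external routes against its link-state
database: an N1/N2 route should be backed by a Type-7 LSA for the same
prefix (NSSA), an E1/E2 route by a Type-5 LSA (normal area), and the
installed next hop should not be the DLR control VM's protocol address.

Added example, not part of Dale's post or any VMware tooling. The two
outputs below are constructed to mirror the ESG format shown above; the
Type-5 entry and the control VM address passed to the check are hypothetical.
"""
import ipaddress
import re

SHOW_IP_ROUTE = """\
Codes: O - OSPF derived, i - IS-IS derived, B - BGP derived,
C - connected, S - static, L1 - IS-IS level-1, L2 - IS-IS level-2,
IA - OSPF inter area, E1 - OSPF external type 1, E2 - OSPF external type 2,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

O   N2   10.29.15.0/24   [110/1]   via 10.29.2.254
O   N2   10.29.20.0/24   [110/1]   via 10.29.2.254
O   N2   10.29.21.0/24   [110/1]   via 10.29.2.254
O   E2   10.29.99.0/24   [110/1]   via 10.29.2.254
C        10.29.2.0/24    [0/0]     via 10.29.2.1
"""

SHOW_IP_OSPF_DATABASE = """\
            Type-7 AS External Link States (Area 0.0.0.29)

Link ID         ADV Router      Age         Seq Num     Checksum
10.29.15.0      10.29.2.254     1395        0x8000029a  0x00009272
10.29.20.0      10.29.2.254     1395        0x8000038f  0x00006e9b
10.29.21.0      10.29.2.254     1395        0x800003e8  0x0000b0fe

            Type-5 AS External Link States

Link ID         ADV Router      Age         Seq Num     Checksum
10.29.99.0      10.29.2.254     1200        0x80000001  0x0000abcd
"""

ROUTE_RE = re.compile(
    r"^O\s+(N1|N2|E1|E2|IA)?\s*(\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"\[(\d+)/(\d+)\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")
SECTION_RE = re.compile(r"Type-(\d+) AS External Link States")
LSA_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+"
    r"(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$")


def parse_ospf_routes(text):
    """{prefix: {type, ad, metric, next_hop}} for the 'O' routes in show ip route."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes[m.group(2)] = {"type": m.group(1) or "intra",
                                  "ad": int(m.group(3)),
                                  "metric": int(m.group(4)),
                                  "next_hop": m.group(5)}
    return routes


def parse_external_lsas(text):
    """{link id: {type, adv_router, age, seq}} for Type-5/Type-7 LSAs only."""
    lsas = {}
    lsa_type = None
    for line in text.splitlines():
        if "Link States" in line:           # section header: reset on every one
            m = SECTION_RE.search(line)
            lsa_type = int(m.group(1)) if m else None
            continue
        m = LSA_RE.match(line.strip())
        if m and lsa_type is not None:
            lsas[m.group(1)] = {"type": lsa_type, "adv_router": m.group(2),
                                "age": int(m.group(3)), "seq": m.group(4)}
    return lsas


def check_external_routes(route_text, db_text, control_vm_addr):
    """One record per external route: is it backed by the LSA type its route
    code implies, and is traffic being sent to the control VM address?"""
    routes = parse_ospf_routes(route_text)
    lsas = parse_external_lsas(db_text)
    report = []
    for prefix in sorted(routes, key=lambda p: ipaddress.ip_network(p)):
        r = routes[prefix]
        if r["type"] not in ("N1", "N2", "E1", "E2"):
            continue
        expected = 7 if r["type"].startswith("N") else 5
        lsa = lsas.get(str(ipaddress.ip_network(prefix).network_address))
        report.append({"prefix": prefix,
                       "route_type": r["type"],
                       "lsa_type": lsa["type"] if lsa else None,
                       "lsa_ok": lsa is not None and lsa["type"] == expected,
                       "next_hop": r["next_hop"],
                       "via_control_vm": r["next_hop"] == control_vm_addr})
    return report


if __name__ == "__main__":
    # 10.29.2.253 stands in for the DLR control VM's protocol address.
    for rec in check_external_routes(SHOW_IP_ROUTE, SHOW_IP_OSPF_DATABASE, "10.29.2.253"):
        print(rec)
```

    With the constructed input every N2 route is matched by a Type-7 LSA and the single E2 route by a Type-5 LSA, and no next hop points at the control VM address. Passing the actual next hop (10.29.2.254) as the control VM address instead flags every external route, which is the condition to investigate if the Edge is ever seen forwarding DLR-bound traffic to the protocol address.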
