Disable SSH CBC encryption on Cisco routers/switches

Hello

Our customer ordered a pentest, and as feedback they got the recommendations "disable SSH CBC mode ciphers and allow only CTR ciphers" and "disable weak SSH MD5 and 96-bit MAC algorithms" on their Cisco 4506-E switches running Cisco IOS 15.0.

I went through all the Cisco documentation I could find and also tried to find commands on the switch itself, but I found no way to manipulate these SSH options. (SSH v2 only is already set up.)

Is it possible to do this on Cisco IOS? If not, what are my options?

You can use an external server for authentication, but that will not change anything about the encryption.

RADIUS will be fine for authentication; if you are also looking for strong authorization, you should look into TACACS+.

Back to your initial problem:

Some time ago there was a similar problem with a client, and it was resolved in the following way:

  1. All routers and switches had an ACL allowing only two Linux servers to access the devices through SSH.
  2. The SSH servers were accessed by the admins and used as jump hosts to reach the routers/switches.
  3. The Linux servers had their ssh-server config updated to allow only strong crypto for the admins, and were also used to audit the administrative work.

With this, there was strong crypto from the admin workstations to the Linux servers and fairly weak crypto from the Linux servers to the routers/switches (which at the time were 3900XL/2950). But since the Linux boxes were placed in the management network, the overall risk was reduced.
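Step 3 of the answer in practice, as an added example that is not part of the original thread: a hardened sshd_config stanza for the Linux jump host, plus a small POSIX shell check that flags the algorithms the pentest report named (CBC ciphers, MD5 MACs and 96-bit MACs). The sample config, the file path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): the jump-host side of the
# answer's step 3. Sample configs and paths below are constructed.

# Hardened stanza for the jump host's sshd_config: CTR/GCM ciphers only,
# SHA-2 MACs only. Assumes a reasonably current OpenSSH; very old releases
# may not know the GCM or -etm names and will refuse to start.
HARDENED_STANZA='Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256'

# Constructed sample of a permissive sshd_config of the kind a pentest flags.
WEAK_SAMPLE='Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1,hmac-md5,hmac-sha1-96'

# weak_algos CONFIG_TEXT
# Prints, one per line, every entry on a Ciphers/MACs line that matches what
# the report objected to: *-cbc ciphers, anything containing md5, and 96-bit
# MACs (*-96, with or without the -etm@openssh.com suffix).
weak_algos() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "ciphers" || tolower($1) == "macs" {
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++) {
                a = tolower(algo[i])
                if (a ~ /-cbc$/ || a ~ /md5/ || a ~ /-96(-etm)?($|@)/) print a
            }
        }'
}

# weak_count CONFIG_TEXT -> number of weak algorithms found (0 means clean)
weak_count() {
    weak_algos "$1" | awk 'END { print NR }'
}

# write_hardened_dropin FILE
# Writes the hardened stanza to FILE. On OpenSSH 8.2+ a file under
# /etc/ssh/sshd_config.d/ is picked up by the default Include directive;
# on older releases append the stanza to /etc/ssh/sshd_config instead and
# run "sshd -t" before restarting the service.
write_hardened_dropin() {
    printf '%s\n' "$HARDENED_STANZA" > "$1"
}

# Demo on the constructed sample: list what would be flagged, then the
# stanza that replaces it.
echo "Weak algorithms in the sample config:"
weak_algos "$WEAK_SAMPLE"
echo "Count: $(weak_count "$WEAK_SAMPLE")"
echo "Hardened stanza:"
printf '%s\n' "$HARDENED_STANZA"
```

This only raises the bar on the admin-to-jump-host leg; the jump host still negotiates whatever the IOS 15.0 switches offer on the far side, which is why the answer keeps those servers inside the management network.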

Tags: Cisco Network

Similar Questions

  • PowerConnect switch and Cisco routers

    I have 4 Cisco routers connected to our Dell PowerConnect 7024. This is a lab environment where I have each pair of routers (2 per site) acting as the WAN gateway for these 2 sites.

    Topology (redrawn from the post's diagram):

    Site 1                                              Site 2
    PC - Dumb_switch - [Router 1 / Router 2] - PowerConnect - [Router 3 / Router 4] - Dumb_switch - Client PC

    There are a few other VLANs on the switch with connected devices. With the current configuration, these two sites can communicate with any other "site" connected to the switch on each router, except with each other.

    The interfaces directly connected to the routers are in trunk mode, as it's the only way I could get the Dell to connect with the Cisco. I've read in other threads that general mode is usually suggested on the PowerConnect switch, but had no luck with that configuration.

    Router 1 ---> interface gi1/0/15 (vlan 10)
    Router 2 ---> interface gi1/0/14 (vlan 11)
    Router 3 ---> interface gi1/0/22 (vlan 16)
    Router 4 ---> interface gi1/0/23 (vlan 14)

    Example: a ping from Site 1 can reach int 22 of the switch without problem, but I can't ping the next hop, R3. As all the other devices on this switch can talk to these sites, I'm not clear whether the problem is my Dell switch config or the routers. Any input would be greatly appreciated. Thank you!

    ! Current Configuration:
    ! System Description "PowerConnect 7024, 5.1.2.3, VxWorks 6.6"
    ! System Software Version 5.1.2.3
    ! System Operation Mode "Normal"
    !
    configure
    gvrp enable
    vlan 2-7,9-14,16
    exit
    vlan 2
    name "BOSTON"
    exit
    vlan 3
    name "MIAMI"
    exit
    vlan 4
    name "THE"
    exit
    vlan 5
    name "SEATTLE"
    exit
    vlan 6
    name "DALLAS"
    exit
    vlan 7
    name "London"
    exit
    vlan 9
    name "Frankfurt"
    exit
    vlan 10
    name "Rome"
    exit
    vlan 11
    name "Sczecin"
    exit
    vlan 12
    name "Budapest"
    exit
    vlan 13
    name "Moscow"
    exit
    vlan 14
    name "Quebec"
    exit
    vlan 16
    name "Winnipeg"
    exit
    hostname "Devlin"
    slot 1/0 2    ! PowerConnect 7024
    clock timezone -5 minutes 0
    stack
    member 1 2    ! PCT7024
    exit
    interface out-of-band
    shutdown
    exit
    no ip domain-lookup
    ip domain-name "local"
    ip routing
    ip route 0.0.0.0 0.0.0.0 172.16.37.3
    ip route 172.16.37.160 255.255.255.240 172.16.37.162
    ip route 172.16.37.112 255.255.255.240 172.16.37.162
    ip route 172.16.37.112 255.255.255.240 172.16.37.147
    ip route 172.16.37.144 255.255.255.240 172.16.37.147
    ip route 172.16.37.240 255.255.255.240 172.16.37.244
    ip route 172.16.37.224 255.255.255.240 172.16.37.244
    ip route 172.16.37.224 255.255.255.240 172.16.37.217
    ip route 172.16.37.208 255.255.255.240 172.16.37.217
    arp 172.16.37.162 0022.9057.7F51
    interface vlan 1
    ip address 172.16.37.4 255.255.255.240
    bandwidth 10000
    ip ospf cost 10
    exit
    interface vlan 2
    ip address 172.16.37.17 255.255.255.240
    exit
    interface vlan 3
    ip address 172.16.37.33 255.255.255.240
    exit
    interface vlan 4
    ip address 172.16.37.49 255.255.255.240
    exit
    interface vlan 5
    ip address 172.16.37.65 255.255.255.240
    exit
    interface vlan 6
    ip address 172.16.37.81 255.255.255.240
    exit
    interface vlan 7
    ip address 172.16.37.97 255.255.255.240
    exit
    interface vlan 9
    ip address 172.16.37.129 255.255.255.240
    bandwidth 10000
    exit
    interface vlan 10
    ip address 172.16.37.145 255.255.255.240
    bandwidth 1000
    ip irdp
    exit
    interface vlan 11
    ip address 172.16.37.161 255.255.255.240
    bandwidth 1000
    ip irdp
    exit
    interface vlan 12
    ip address 172.16.37.177 255.255.255.240
    bandwidth 100000
    exit
    interface vlan 13
    ip address 172.16.37.193 255.255.255.240
    bandwidth 1000
    exit
    interface vlan 14
    ip address 172.16.37.209 255.255.255.240
    bandwidth 1000
    exit
    interface vlan 16
    ip address 172.16.37.241 255.255.255.240
    bandwidth 1000
    ip ospf cost 100
    exit
    no flowcontrol
    !
    interface gi1/0/3
    spanning-tree portfast
    exit
    !
    interface gi1/0/4
    spanning-tree portfast
    exit
    !
    interface gi1/0/5
    spanning-tree portfast
    switchport access vlan 2
    exit
    !
    interface gi1/0/6
    spanning-tree portfast
    switchport access vlan 3
    exit
    !
    interface gi1/0/7
    spanning-tree portfast
    switchport access vlan 4
    exit
    !
    interface gi1/0/8
    spanning-tree portfast
    switchport access vlan 5
    exit
    !
    interface gi1/0/9
    switchport access vlan 6
    exit
    !
    interface gi1/0/10
    switchport access vlan 7
    exit
    !
    interface gi1/0/11
    spanning-tree portfast
    switchport mode trunk
    exit
    !
    interface gi1/0/12
    spanning-tree portfast
    switchport mode trunk
    exit
    !
    interface gi1/0/13
    switchport access vlan 9
    exit
    !
    interface gi1/0/14
    speed 100
    duplex full
    switchport mode trunk
    switchport general allowed vlan add 10 tagged
    switchport access vlan 10
    exit
    !
    interface gi1/0/15
    speed 100
    duplex full
    switchport mode trunk
    switchport general allowed vlan add 11 tagged
    switchport access vlan 11
    exit
    !
    interface gi1/0/16
    switchport access vlan 12
    exit
    !
    interface gi1/0/17
    switchport access vlan 12
    exit
    !
    interface gi1/0/18
    switchport access vlan 13
    exit
    !
    interface gi1/0/19
    switchport access vlan 13
    exit
    !
    interface gi1/0/22
    speed 100
    duplex full
    switchport mode trunk
    switchport general allowed vlan add 16 tagged
    switchport access vlan 16
    exit
    !
    interface gi1/0/23
    speed 100
    duplex full
    switchport mode trunk
    switchport general allowed vlan add 14
    switchport access vlan 14
    exit
    !
    interface gi1/0/24

    You could probably create a static route on Router 1 and Router 4 with a priority better than the other options, so that it is used unless the link is down.

  • Telnet and SSH issue on a Cisco 3750

    I powered on the Cisco 3750 and after that I wasn't able to connect to it. I even changed the source interface and updated the transport input method under the VTY lines, no luck.

    I then chose to disable SSH by removing the corresponding config lines and the RSA keys, and changed the transport input back to telnet. After rebooting the switch, I'm still not able to connect even though the box is reachable.

    Any help?

    Thank you

    Jean-Marie

    Hello

    This should help you verify the configuration and troubleshoot SSH on your device:

    http://www.Cisco.com/c/en/us/support/docs/security-VPN/Secure-Shell-SSH/4145-SSH.html

    I hope this helps.
    Kind regards
    Dinesh Moudgil

    PS: Please rate helpful posts.

  • Problem establishing a GRE/IPsec tunnel between 2 Cisco routers

    Hello world

    I am trying to establish a GRE over IPsec tunnel between two Cisco routers (a 2620XM and an 836).

    I created a tunnel interface on both routers as follows.

    2620XM

    interface Tunnel0
     ip address 10.1.5.2 255.255.255.252
     tunnel source x.x.x.x
     tunnel destination y.y.y.y
    end

    836

    interface Tunnel0
     ip address 10.1.5.1 255.255.255.252
     tunnel source y.y.y.y
     tunnel destination x.x.x.x
    end

    and the isakmp/ipsec configuration as follows:

    2620XM

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key {keys} address y.y.y.y no-xauth
    !
    !
    crypto ipsec transform-set to_melissia esp-... esp-md5-hmac
    !
    crypto map myvpn 9 ipsec-isakmp
     set peer y.y.y.y
     set transform-set to_melissia
     match address 101

    2620XM-router#sh ip access-list 101
    Extended IP access list 101
        10 permit gre host x.x.x.x host y.y.y.y

    836

    crypto isakmp policy 10
     hash md5
     authentication pre-share
    crypto isakmp key {keys} address x.x.x.x no-xauth
    !
    !
    crypto ipsec transform-set to_metamorfosi esp-... esp-md5-hmac
    !
    crypto map myvpn 10 ipsec-isakmp
     set peer x.x.x.x
     set transform-set to_metamorfosi
     match address 101

    836-router#sh access-list 101
    Extended IP access list 101
        10 permit gre host x.x.x.x host y.y.y.y

    Unfortunately I have no ISAKMP security associations at all, and when I enable debugging I get this output:

    CRYPTO: IPSEC (crypto_map_check_encrypt_core): CRYPTO: removed package as currently being created cryptomap.

    Any ideas why I get this result? Any help would be greatly appreciated.

    Thank you!!!

    I think it's possible. It seems to me that you are assuming that the address of the interface where the crypto map is applied is the peering address. While this is the default behaviour, it is possible to configure it differently.

    As you have discovered, the crypto map must be on the physical outgoing interface. If you want the peering address to be different from the address of the outgoing physical interface, then you can add this command to your crypto map:

    crypto map local-address

    So if you put loopback0 as the interface-id, it would use loopback0 as the peering address even if the crypto map is applied on serial0/0 or another physical interface.

    HTH

    Rick

  • How can I upgrade the IOS system images of routers, switches and firewalls

    Hello

    I am very surprised and still don't understand how the licensing program or Cisco IOS upgrades are done. I have several routers, switches and ASAs whose IOS I want to upgrade, but I can't do it. I can download these images from the internet, but I want to know how to do this through Cisco, as I don't trust the IOS images that are available on the internet.

    From my research I found that I need to have a Cisco service contract number for the devices so that I can download updated IOS images for them.

    Could someone kindly explain the best methods for the requirements above.

    Regards

    @Mohammed

    You are right about a service contract. Cisco calls this SMARTnet support. It includes hardware support (i.e. returns for defective equipment), software support (including the right to download and upgrade your software) and technical assistance (through the Cisco TAC). SMARTnet is charged separately for each device covered. Once you have it, your cisco.com username must be associated with your service contract number. This then allows you to download software from cisco.com. (There are a few cases where you don't have to have a support contract, especially when there is a security notice (PSIRT) indicating that the Cisco software was flawed when it was originally released.)

    Each product (or product family) has a product support page on cisco.com. This page includes release notes, setup guides, user guides and links to software downloads for that product. Start by reading the release notes and determine which (if any) update is appropriate for your product. Then you can download and upgrade the software if necessary.

  • Connecting a Cisco L3 switch behind an 871 using EasyVPN

    Hello

    It is our habit to use EasyVPN on 871 routers to connect our remote sites to our ASA 5500 VPN concentrators.

    It works well; we define the VLANs on the 871 and connect Cisco L2 switches behind the VPN routers.

    The problem is that now we have to connect a Cisco L3 switch behind the VPN routers, and we are facing routing problems...

    No way to make it work for all the VLANs defined on the L3 switch!

    I guess we have to use a specific configuration (IRB?).

    Or do we have to use IPsec L2L instead of EasyVPN?

    Thanks for your help.

    Kind regards

    Patrick Lee

    Patrick,

    This should certainly get you started.

    You can google some more for that.

    Someone posted this on the forums, but I think you might want to ask them:

    https://supportforums.Cisco.com/docs/doc-3066;JSESSIONID=444194CDE250004E116705FF0ADAD955. Node0

    I hope this helps.

    Marcin

    Edit: many things depend on whether you use NEM and whether you plan to. If you stumble on any questions, post here.

  • Problems configuring multiple L2L VPNs on Cisco routers

    Hi all, I have two Cisco routers (a 2911 and an 871) that I'm trying to establish an L2L VPN with. Each has a VPN configured to our corporate office that is up and working. I'm now trying to establish a site-to-site VPN between these two remote sites. I have my crypto maps and the no-NAT for the interesting traffic set up, however I don't even see phase 1 coming up.

    I attached each config. Most of my site-to-site experience is with PIX and ASA, so I'm curious whether there is something else I need to do on my external interface to allow several VPNs?

    Can you see where I am going wrong?

    Thank you

    Dan

    Hi Dan,

    You can only have one crypto map on an interface (same as on PIX/ASA). However, this crypto map can have multiple entries.

    So on the Scottsdale router, instead of:

    crypto map Chandler local-address FastEthernet4
    crypto map Chandler 2 ipsec-isakmp
    ...
    !
    crypto map Scottsdale local-address FastEthernet4
    crypto map Scottsdale 1 ipsec-isakmp
    ...

    you must configure:

    crypto map Scottsdale local-address FastEthernet4
    crypto map Scottsdale 1 ipsec-isakmp
    ...
    crypto map Scottsdale 2 ipsec-isakmp
    ...

    And of course there must be a similar change on the other router.

    HTH

    Herbert

  • How to back up router/switch configurations with an automated script

    Hi friends,

    Can someone suggest a script to back up the network devices (routers/switches)? That is, the running configuration, once for all devices.

    Thank you

    Mohammad.

    There are two ways you can do this, but it must be enabled on each device if you don't have something like LMS/Prime to grab all the device configs centrally:

    The archive command, to tftp a device's configuration to a server on your network:

    http://www.Cisco.com/c/en/us/TD/docs/iOS/fundamentals/command/reference/cf_book/cf_a1.html#wp1018716

    or use a scheduled kron job on the device to send it to a storage device:

    http://www.Cisco.com/c/en/us/support/docs/iOS-NX-OS-software/IOS-software-releases-122-mainline/46741-backup-config.html#AB

    Just a few options; there are probably more ways as well.

    Edit

    You can use EEM as well.

  • How to distinguish a physical interface from a logical (subinterface) interface on a Cisco router/switch?

    Hi Expert,

    How do I distinguish a physical interface from a logical (subinterface) interface on a Cisco router/switch? Can you please clarify a formal way to do this?

    A physical interface is numbered with the same name as the interface printed on the physical port. For example, "GigabitEthernet 0/1" corresponds to port 1 of module 0 (or the base unit).

    A logical interface can be a subinterface on a routed port and will have a dot (".") preceding the subinterface number (e.g. GigabitEthernet 0/1.1). It can also be a loopback or a virtual interface (on a router this could also include interfaces like Tunnel and Virtual-Tunnel or VTI types). A switch may also have logical VLAN interfaces (e.g. interface vlan 1), which are used as layer 3 virtual interfaces.

  • Is there an SSH interface for Cisco LMS?

    Hello

    Is there an SSH interface for Cisco LMS? Right now when I try SSHing in I'm just met with a prompt for ciscoworks scp. I am trying to get access so that I can add new devices using the dcrcli command without having to RDP into the machine that LMS is running on.

    In addition, is the LMS SOAP API accessible from the outside? I tried to make it work using soapui but ended up putting it on hold after I read somewhere else that the API is not available externally; I thought I'd check here to see if that's actually true.

    Thank you

    When LMS runs on a virtual machine (the 'soft appliance'), the Linux-based ADE-OS is exposed through ssh.

    When LMS is running on a Windows server, there is no ssh interface to the LMS application.

    In that case, the command line utilities are more or less accessible via a Windows command prompt, which would require native console or RDP access to the server.

    The different CLI functions available are detailed here:

    http://www.Cisco.com/c/en/us/TD/docs/net_mgmt/ciscoworks_lan_management _...

    I've never seen someone try to use LMS via the API, so you are in a very small set of users there. With LMS in its sunset, I wouldn't hold much hope for it being opened up.

  • Time-out for ARP cache on Cisco routers

    Hello

    I was reading a book on Cisco routers in which the author said: "the router resets the ARP age counter to zero whenever it sees valid traffic from the corresponding device. This ensures that the addresses of active devices are never flushed from the cache, regardless of how long they have been known."

    I'm really surprised about this because I always thought the ARP age counter was an absolute counter and not relative to the last time a packet was seen coming from the corresponding IP address. After reading this, I did a few tests that tend to confirm the ARP age counter is absolute and that it does not care whether there is active traffic in the corresponding ARP period or not.

    QUESTION 1: can someone confirm this please?

    I am unable to find clear statements in the Cisco documentation.

    QUESTION 2: when does the router send a new ARP request?

    For example, when the ARP timeout is 4 hours or 240 minutes (the Cisco default), the router sends an ARP request at 239 minutes (1 minute before the expiration time). Is this value fixed (send an ARP request 1 minute before aging out) or is it a relative value (x % of the timeout value)?

    Thanks for your help.

    Sam

    I have some additional information that might help. I found a post by a Cisco engineer which gives some information about the behavior of ARP in Cisco IOS. He says clearly (and gives an example) that if the Cisco receives an ARP request for a host it will use this request to refresh the ARP entry and reset the timer for the entry without making its own ARP request. Maybe that's the behavior they were trying to describe in the IOS Cookbook.

    It also talks about a unicast ARP request 60 seconds before the expiration of the entry so that the entry can be refreshed. It does not specifically say so, but I think this interval is fixed.

    Here is the link if you want to see the details:

    http://puck.nether.NET/pipermail/Cisco-NSP/2005-February/017400.html

    Regarding the error in the book, I have worked as a reviewer on a few books and can tell you that the authors and reviewers work hard to get things right. But sometimes mistakes are not caught and appear in the publication. With the amount of detail covered in a book, some mistakes are bound to creep through.

    HTH

    Rick

  • Cisco Catalyst 4503-> Cisco 3560 L3-> Cisco 2960 L2-> Cisco SMB switch

    Hi Experts,

    I am trying to add a Cisco SMB SF300-24 switch to an infrastructure that has only Cisco Catalyst switches.

    The core layer is a Cisco Catalyst 4503. Distribution is Cisco Catalyst 3560 and the access layer is Cisco 2960 switches.

    There are about 30 VLANs present in the infrastructure, which are advertised to all switches using VTP. Inter-VLAN routing takes place on the core switches by creating an interface VLAN for each L2 VLAN.

    1. A new VLAN 150 must be created on the new Cisco SMB switch. If I create a corresponding interface VLAN 150 on the core switches, will it forward traffic to the other VLANs just as it currently works for the Cisco Catalyst 2960 switches?

    2. While investigating, I could see that VTP is not supported on the Cisco SMB switches and I would need to go with GVRP if I need to advertise VLAN information to other switches. But since GVRP is only supported on CatOS and there is no interoperability between GVRP and VTP, I would need to manually create the VLANs on the new switch. Is this correct?

    Help, please!

    Thank you very much

    ANUP

    Good afternoon Anup Sasikumar,

    Thank you for using our forum.

    My name is Johnnatan, I am part of the small business support community. I saw your post and I understand that you want to configure VTP and GVRP.

    I'm afraid you will have to configure each VLAN manually in each CatOS/GVRP device in order to keep their VLAN databases in sync. As you say, VTP is not supported on CatOS.

    You can try to connect the two protocols, but I encourage you not to follow this procedure.

    On your question about inter-VLAN routing, if you create a corresponding interface VLAN 150 on the core switches it will be routed, if your configuration is correct (access ports, trunk ports, inter-VLAN, etc.).

    I hope you find this answer useful; if it was satisfactory to you, please mark the question as answered.

    Please rate helpful posts.

    Greetings,

    Johnnatan Rodriguez Miranda.

    Cisco Network Support Engineer

  • Cisco Nexus switches

    I'm looking to deploy a Cisco Nexus 5100 series switch at 10 Gbps.

    I know the Nexus is supposed to work with converged network adapters (for 10 Gbps FCoE, etc.), but can it operate without a CNA?

    I want to put some 10 Gbps passthrough modules in my Dell M1000 chassis and cable them directly to the Nexus switch.

    I know the Nexus is perhaps overkill for this solution, but it is a step toward the UCS solution for us.

    Thoughts?

    James

    Hi, you don't need special drivers for "low latency" 10 Gbit Ethernet on a 5K.

    For example, to a non-Nexus 5K switch:

    PING 10.10.10.1 (10.10.10.1) 56(84) bytes of data.
    64 bytes from 10.10.10.1: icmp_seq=1 ttl=255 time=0.530 ms
    64 bytes from 10.10.10.1: icmp_seq=2 ttl=255 time=0.618 ms

    and a Nexus 5000 with a QLogic 8152:

    PING 172.16.78.3 (172.16.78.3) 56(84) bytes of data.
    64 bytes from 172.16.78.3: icmp_seq=1 ttl=128 time=0.150 ms
    64 bytes from 172.16.78.3: icmp_seq=2 ttl=128 time=0.134 ms

    The Oracle RAC cluster will fly!

  • MS NLB multicast mode configuration on Cisco Bladecenter switches

    We are looking at configuring MS NLB in multicast mode on Cisco Bladecenter switches. Do we add the static ARP and CAM entries for each port on the core switches that the Bladecenters are connected to, or just the port on which the virtual machine's traffic arrives? If we add it to a single port, how will vMotion work... because it seems that we would have to manually move the ARP entry from one port to the other.

    We add the static ARP entry on the entire Cisco switch. If you can vMotion the NLB VMs to another host that is physically connected to another switch, then that switch must also have the ARP entry added. We have not tested the configuration on only the specified ports. But if you do, make sure that you include all the ports connected to the physical switch (e.g. if for DS you have four NICs configured in a vSwitch...).

    Here's a guide to how we have configured it several times in our company.

    http://www.VI-tips.com/2009/04/NLB-in-VMware.html

  • Cisco IPsec VPN encrypts but does not decrypt

    Hello

    I have an IPsec VPN problem.

    Packets are encapsulated and decapsulated, but only in one direction. I don't understand why.

    The VPN is already up on another router; I want to change the router but can't get the VPN to come up on the new router.

    Thank you for helping me

    PS: Sorry for my English

    Hello

    I looked at the configuration of your router RT-897VA once again, and I don't know if the static NAT statements in there are supposed to work or not, but they won't, because you have not specified any inside and outside interfaces. The configuration changes below correspond to the configuration of your RT router; check if applying them makes a difference (the changes are indicated in bold):

    RT-897VA#show run
    Building configuration...

    Current configuration : 3933 bytes
    !
    ! Last configuration change at 11:56:34 CET Fri Nov 4 2016
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname RT-897VA
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    clock timezone CET 1 0
    !
    ip domain name XXXXX
    ip name-server 194.2.0.20
    ip name-server 194.2.0.50
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    vpdn enable
    !
    vpdn-group 1
     ! Default L2TP VPDN group
     accept-dialin
      protocol l2tp
      virtual-template 1
     l2tp tunnel timeout no-session 15
    !
    default value for the field
    !
    cts logging verbose
    license udi pid C897VA-K9 sn FCZ2030DL
    !
    username itef privilege 15 password 0 ...
    !
    controller VDSL 0
    !
    ip ssh rsa keypair-name XXX
    ip ssh version 2
    !
    crypto isakmp policy 1
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr aes
     authentication pre-share
     group 2
    crypto isakmp key cleidentique address IP-WAN-B
    !
    crypto ipsec transform-set toto esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto map TUNNEL 1 ipsec-isakmp
     set peer IP-WAN-B
     set transform-set toto
     match address TUNNEL-DATA
    crypto map TUNNEL 2 ipsec-isakmp
     set peer IP-WAN-B
     set transform-set toto
     match address TUNNEL-TOIP
    !
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
     isdn termination multidrop
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface GigabitEthernet0
     description BOX-SWITCH
     switchport trunk native vlan 101
     switchport mode trunk
     no ip address
     spanning-tree portfast
    !
    interface GigabitEthernet1
     no ip address
    !
    interface GigabitEthernet2
     no ip address
    !
    interface GigabitEthernet3
     no ip address
    !
    interface GigabitEthernet4
     no ip address
    !
    interface GigabitEthernet5
     no ip address
    !
    interface GigabitEthernet6
     no ip address
    !
    interface GigabitEthernet7
     no ip address
    !
    interface GigabitEthernet8
     description WAN
     ip address IP-WAN-A 255.255.255.240
     ip virtual-reassembly in
     ip nat outside
     duplex auto
     speed auto
     crypto map TUNNEL
    !
    interface Vlan1
     no ip address
    !
    interface Vlan101
     description VLAN-DATA
     ip address 192.168.101.251 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Vlan111
     description VLAN-TOIP
     ip address 192.168.111.251 255.255.255.0
     ip virtual-reassembly in
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip nat inside source static tcp 192.168.101.2 25 IP 25 extendable
    ip nat inside source static tcp 192.168.101.2 80 IP 80 extendable
    ip nat inside source static tcp 192.168.101.2 443 IP 443 extendable
    ip nat inside source static tcp 192.168.101.31 3201 IP 3201 extendable
    ip nat inside source static tcp 192.168.101.31 80 IP 3280 extendable
    ip nat inside source static tcp 192.168.101.11 443 IP 33443 extendable
    ip nat inside source list NAT interface GigabitEthernet8 overload
    ip route 0.0.0.0 0.0.0.0 XXXX (ADSL router)
    ip route 192.168.100.0 255.255.255.0 IP-WAN-B

    ip access-list extended NAT
     deny   ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit ip 192.168.101.0 0.0.0.255 any
    ip access-list extended TUNNEL-DATA
     permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
    ip access-list extended TUNNEL-TOIP
     permit ip 192.168.110.0 0.0.0.255 192.168.111.0 0.0.0.255
    !
    ip access-list extended TUNNEL-DATA
     permit ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
     permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
    ip access-list extended TUNNEL-TOIP
     permit ip 192.168.111.0 0.0.0.255 192.168.110.0 0.0.0.255
    !
    control-plane
    !
    mgcp behavior rsip-range tgcp-only
    mgcp behavior comedia-role none
    mgcp behavior comedia-check-media-src disable
    mgcp behavior comedia-sdp-force disable
    !
    mgcp profile default
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     password ...
     login
     transport input telnet ssh
    line vty 5 15
     privilege level 15
     password ...
     login
     transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end
