show ip cache flow

Can we find out whether a flow is using TCP or UDP with the command 'sh ip cache flow'? Do 06 and 11 here indicate that?

Routert #sh ip cache flow

Vl52 TE3/4 10.2.1.1 1.1.1.1 06 48 0017 8389

Vl59 192.168.1.1 Te3/4 10.2.2.2 11 b 007 007 b 0

Hello

The values for the upper-layer protocol are in hexadecimal: 6 in hexadecimal is 6 in decimal, and 11 in hex is 17 in decimal.

As you'll see here, 6 = TCP and 17 = UDP:

http://www.IANA.org/assignments/Protocol-numbers/Protocol-numbers.XML

Kind regards.

Alain

Remember to rate useful messages.
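
The hex-to-decimal reading from the answer above, applied to whole flow lines, as an added example that is not part of the original posts. The column order (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts) and the sample lines are assumptions constructed for illustration; the example goes slightly beyond the answer by also decoding the port columns, which are printed in hex as well.

```python
"""Decode the hexadecimal Pr, SrcP and DstP columns of `show ip cache flow`."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Decimal IANA protocol numbers for protocols often seen in a flow cache.
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 89: "OSPF"}

# Constructed sample in the assumed column layout (not output taken from the page).
SAMPLE_OUTPUT = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Vl52          10.2.1.1        Te3/4         1.1.1.1         06 C1A4 0017    48
Vl59          192.168.1.1     Te3/4         10.2.2.2        11 007B 007B     8
Vl59          192.168.1.1     Te3/4         10.2.2.9        32 0000 0000   120
"""

HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
HEX4 = re.compile(r"[0-9A-Fa-f]{4}")


class Flow(NamedTuple):
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    proto_num: int    # decimal protocol number, e.g. 17
    proto_name: str   # e.g. "UDP"
    src_port: int     # decimal
    dst_port: int     # decimal
    pkts: str         # kept exactly as printed


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_flow_line(line: str) -> Optional[Flow]:
    """Return a Flow for a flow-record line, or None for headers and other text."""
    fields = line.split()
    if len(fields) != 8:
        return None
    src_if, src_ip, dst_if, dst_ip, pr, srcp, dstp, pkts = fields
    if not (_is_ip(src_ip) and _is_ip(dst_ip)):
        return None
    if not (HEX2.fullmatch(pr) and HEX4.fullmatch(srcp) and HEX4.fullmatch(dstp)):
        return None
    proto = int(pr, 16)  # "11" is hex: 0x11 == 17 (UDP), not decimal 11
    name = IP_PROTOCOLS.get(proto, "proto-%d" % proto)
    return Flow(src_if, src_ip, dst_if, dst_ip, proto, name,
                int(srcp, 16), int(dstp, 16), pkts)


def parse_show_ip_cache_flow(text: str) -> List[Flow]:
    """Parse every flow-record line found in the command output."""
    flows = []
    for line in text.splitlines():
        flow = parse_flow_line(line)
        if flow is not None:
            flows.append(flow)
    return flows


def protocol_counts(flows: List[Flow]) -> Dict[str, int]:
    """Count flows per decoded protocol name."""
    return dict(Counter(flow.proto_name for flow in flows))


if __name__ == "__main__":
    for f in parse_show_ip_cache_flow(SAMPLE_OUTPUT):
        print("%s:%d -> %s:%d  %s (protocol %d)"
              % (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto_name, f.proto_num))
```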

Tags: Cisco Network

Similar Questions

  • Word 2007 toolbars icons not showing - icon Cache problem?

    Announcement on behalf of my brother, he is using Word 2007 and is having a problem that when it opens, all the toolbars that are normally he presents, however, they have no icons.

    For example, he can click on the white square where the B for "BOLD" should be and it works fine, however the B is not there, the same for every icon on the tool bar, there the dropdown list font size, but not the icon saying size etc. Since he knows not all icons on all toolbars out of heart he has trouble using the program now.

    I was wondering if this could be a problem with the Office/Word icon Cache, but I don't have any idea how to solve this problem, in this case.

    Hello

    Check with the experts here: (re - ask your question in these groups)

    Discussions in Word Application errors
    http://www.Microsoft.com/Office/Community/en-us/default.mspx?DG=Microsoft.public.Word.application.errors&lang=en&CR=us

    Office newsgroups
    http://www.Microsoft.com/Office/Community/en-us/FlyoutOverview.mspx

    and here:

    Microsoft.public.word.application.errors discussions
    http://www.Microsoft.com/communities/newsgroups/list/en-us/default.aspx?DG=Microsoft.public.Word.application.errors&cat=en_us_f09268b3-8479-4cea-8037-d168d96833ac&lang=en&CR=us

    Welcome to Microsoft Discussion groups
    http://www.Microsoft.com/communities/newsgroups/list/en-us/default.aspx?GUID=1A61081E-1F66-5F7F-B5BA-04767E55A63B

    I hope this helps.
    Rob - bicycle - Mark Twain said it is good.

  • after update to camera raw the photodownloader shows a blue flower no nef file

    after update to camera raw, I tried to use photo downloader. No NEF files appear.  They are replaced by a blue chart with a picture of a flower.

    What is the

    PhotoDownloader

  • Shared photos showing the data flow but it is off

    Hello

    My phone keeps telling that storage is almost full and when I went into settings - storage - and camera is that Shared Photo Stream uses 4 KB. I don't even have Shared Photo Stream active... anyone know how to find these photos or how to remove the data used? Thank you

    Hello monkeyface0508,

    Thank you for using Apple Support Communities. It is my understanding that Photo Stream is taking up too much space on your iPhone 6s, even though you do not use it. I know how valuable storage capacity can be on any device. I want to ensure that your data and storage are accurate.

    Given that you have confirmed that the photo stream is turned off, I recommend you to restart the phone. This can solve many unexpected behaviours. Follow the steps below to restart.

    1. Press and hold the sleep/wake button until the Red slider appears.
    2. Drag the slider to turn off your device completely off.
    3. Once the device turns off, press and hold the sleep/wake button again until you see the Apple logo.

    Restart your iPhone, iPad or iPod touch

    In addition, check your Photos app to see if there is an album of Photo Stream shown. Please use the link below for more information on checking your storage space.
    Check the storage on your iPhone, iPad and iPod touch

    Have a great day!

  • Applet JIT does not

    Hi team,

    Okay, so what we have observed in our network is that flow-export sometimes causes high interface utilization and as a workaround, we remove and re-add flow export commands. Now there are short bursts of traffic as well, so I want to add a condition where "burst happens 3 times in 60s, then trigger the event". As I cannot test on a production router, I am testing on a lab switch and there is not much traffic on it. txload/rxload is 1 and hence my applet looks like this:

    sw1-trn-mr3.hyd.shaw.net#sh run | b event manager
    event manager applet test authorization bypass
     event tag 1 interface name GigabitEthernet0/4 parameter txload entry-op ge entry-val 1 entry-type value exit-op lt exit-val 1 exit-type value poll-interval 10
     event tag 2 interface name GigabitEthernet0/4 parameter rxload entry-op ge entry-val 1 entry-type value exit-op lt exit-val 1 exit-type value poll-interval 10
     trigger occurs 3 period 60
      correlate event 1 or event 2
     action 1.1 cli command "enable"
     action 1.2 syslog msg "Interface utilization has risen again. "
     action 1.3 cli command "show proc cpu | append flash:test"
     action 1.4 cli command "show interface GigabitEthernet0/4 | append flash:test"
     action 1.6 cli command "show ip cache flow | append flash:test"
     action 1.7 cli command "show tech | append flash:test"
     action 2.2 cli command "no ip flow-export source GigabitEthernet0/4"
     action 2.3 cli command "no ip flow-export destination 192.168.1.1 2055"
     action 2.5 cli command "ip flow-export source GigabitEthernet0/4"
     action 2.6 cli command "ip flow-export destination 192.168.1.1 2055"
     action 2.9 cli command "end"
    !
    end

    The thing is it does not work. I turned on debugs and I see this.

    Mar  3 15:30:46: fh_send_intf_fd_msg: msg_type=114
    Mar  3 15:30:46: fh_send_intf_fd_msg: sval=0
    Mar  3 15:30:46: fh_send_intf_fd_msg: msg_type=114
    Mar  3 15:30:46: fh_send_intf_fd_msg: sval=0
    Mar  3 15:30:54: fh_fd_intf_process_async
    Mar  3 15:30:54: fh_fd_intf_param_fetch:I/F=GigabitEthernet0/4 txload=1
    Mar  3 15:30:54: intf_value_uint_compare:op1=1 op2=1 ret=TRUE
    Mar  3 15:30:54: intf_entry_value_check:Returning TRUE
    Mar  3 15:30:54: fh_fd_intf_event_match: re = 0x5849AA0, num_matches = 1
    Mar  3 15:30:54: fh_fd_intf_start_poll_timer: start_t=10000
    Mar  3 15:30:54: fh_fd_intf_process_poll_timer: update_t=0
    Mar  3 15:30:54: fh_fd_intf_param_fetch:I/F=GigabitEthernet0/4 rxload=1
    Mar  3 15:30:54: intf_value_uint_compare:op1=1 op2=1 ret=TRUE
    Mar  3 15:30:54: intf_entry_value_check:Returning TRUE
    Mar  3 15:30:54: fh_fd_intf_event_match: re = 0x56D793C, num_matches = 1
    Mar  3 15:30:54: fh_fd_intf_start_poll_timer: start_t=10000
    Mar  3 15:30:54: fh_fd_intf_process_poll_timer: update_t=0
    Mar  3 15:30:54: fh_send_intf_fd_msg: msg_type=64
    Mar  3 15:30:54: fh_send_intf_fd_msg: sval=63
    Mar  3 15:30:54: fh_send_intf_fd_msg: msg_type=64
    Mar  3 15:30:54: fh_send_intf_fd_msg: sval=0
    Mar  3 15:31:04: fh_fd_intf_process_async
    Mar  3 15:31:04: fh_fd_intf_param_fetch:I/F=GigabitEthernet0/4 txload=1
    Mar  3 15:31:04: intf_value_uint_compare:op1=1 op2=1 ret=FALSE
    Mar  3 15:31:04: intf_exit_value_check: re=0x5849AA0, returning=FALSE
    Mar  3 15:31:04: intf_exit_comb_check:Returning FALSE
    Mar  3 15:31:04: fh_fd_intf_event_match: re = 0x5849AA0, num_matches = 0
    Mar  3 15:31:04: fh_fd_intf_start_poll_timer: start_t=10000
    Mar  3 15:31:04: fh_fd_intf_process_poll_timer: update_t=0
    Mar  3 15:31:04: fh_fd_intf_param_fetch:I/F=GigabitEthernet0/4 rxload=1
    Mar  3 15:31:04: intf_value_uint_compare:op1=1 op2=1 ret=FALSE
    Mar  3 15:31:04: intf_exit_value_check: re=0x56D793C, returning=FALSE
    Mar  3 15:31:04: intf_exit_comb_check:Returning FALSE
    Mar  3 15:31:04: fh_fd_intf_event_match: re = 0x56D793C, num_matches = 0

    Only the first time, it returns TRUE. After that, it returns FALSE always and hence the condition "trigger occurs 3 period 60" does not match and hence no event is triggered. Where am I going wrong? Appreciate your help on this.

    Thanks.

    You have an exit condition of 'lt 1'.  This means that the load must fall below 1 for the event to rearm.  In this case, it seems that the load is always 1, so you will not see the three events occur.  You have to push some traffic through this interface to complete your test.

    In addition, you are missing:

    action 2.1 cli command "config t"

    And you will probably need to extend the first event with a maxrun parameter; I am sure that this policy will take more than 20 seconds to run.

  • IOS monitoring packages

    Hi ARSHAD,

    Posted by: albertobrivio - May 19, 2006, 8:11 am PST

    I would like to know whether the IOS environment has commands like "show conn" or "capture", normally available on the PIX firewall, to look at the packets passing through, with source/destination address, port and interface.

    Regards

    Alberto Brivio

    Alberto,

    If you have an IOS Firewall context, then you can get the output with

    show ip inspect session detail (if you have an IOS firewall configured and applied on the interface).

    If you want to monitor all packets going out of the interface, you should look at the "NetFlow" technology.

    Enable "ip flow ingress" on the specific interface and then with 'show ip cache flow' you will be able to see the traffic flows.

    If you are interested in features like a 'tcpdump'-style ability to sniff in IOS, let me know as well.

    Thanks and regards

    Arshad

  • Return VPN traffic flows do not on the tunnel

    Hello.

    I tried to find something on the internet for this problem, but am failing miserably. I guess I don't really understand how the Cisco decides on the route.

    In any case, I have a Cisco 837 which I use for internet access and on which I would like to be able to terminate a VPN. When I VPN in (using vpnc on a Solaris box, as it happens, which is connected to the Cisco's ethernet interface), I can establish a VPN and when I ping a host on the inside, I see the ping packet arrive; however, the Cisco 837 tries to send the return packet via the public internet-facing interface Dialer1 without encryption. I can't work out for the life of me why.

    (Also note: I can also establish a tunnel to the public internet, but again, I cannot get any traffic through the tunnel. I guess I'm having the same problem, i.e. return packets are not going where they should, but I do know that for some, on the host being pinged, I can see the ping packets arriving and the host responds with an ICMP echo reply.)

    Here is the version of cisco:

    version ADSL #show
    Cisco IOS software, software C850 (C850-ADVSECURITYK9-M), Version 12.4 (15) T5, VERSION of the SOFTWARE (fc4)
    Technical support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Updated Friday 1 May 08 02:07 by prod_rel_team

    ROM: System Bootstrap, Version 12.3 (8r) YI4, VERSION of the SOFTWARE

    ADSL availability is 1 day, 19 hours, 27 minutes
    System to regain the power ROM
    System restarted at 17:20:56 CEST Sunday, October 10, 2010
    System image file is "flash: c850-advsecurityk9 - mz.124 - 15.T5.bin".

    Cisco 857 (MPC8272) processor (revision 0 x 300) with 59392K / 6144K bytes of memory.
    Card processor ID FCZ122391F5
    MPC8272 CPU Rev: Part Number 0xC, mask number 0 x 10
    4 interfaces FastEthernet
    1 ATM interface
    128 KB of non-volatile configuration memory.
    20480 bytes K of on board flash system (Intel Strataflash) processor

    Configuration register is 0 x 2102

    And here is the cisco configuration (IP address, etc. changed of course):

    Current configuration: 7782 bytes
    !
    ! Last configuration change at 11:57:21 CEST Monday, October 11, 2010 by bautsche
    ! NVRAM config updated at 11:57:22 CEST Monday, October 11, 2010 by bautsche
    !
    version 12.4
    no service button
    tcp KeepAlive-component snap-in service
    a tcp-KeepAlive-quick service
    horodateurs service debug datetime localtime show-timezone msec
    Log service timestamps datetime localtime show-timezone msec
    encryption password service
    sequence numbers service
    !
    hostname adsl
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096
    enable secret 5
    !
    AAA new-model
    !
    !
    AAA authentication login local_authen local
    AAA authentication login sdm_vpn_xauth_ml_1 local
    AAA authorization exec local local_author
    AAA authorization sdm_vpn_group_ml_1 LAN
    !
    !
    AAA - the id of the joint session
    clock timezone gmt 0
    clock daylight saving time UTC recurring last Sun Mar 01:00 last Sun Oct 01:00
    !
    !
    dot11 syslog
    no ip source route
    dhcp IP database dhcpinternal
    No dhcp use connected vrf ip
    DHCP excluded-address IP 10.10.7.1 10.10.7.99
    DHCP excluded-address IP 10.10.7.151 10.10.7.255
    !
    IP dhcp pool dhcpinternal
    import all
    Network 10.10.7.0 255.255.255.0
    router by default - 10.10.7.1
    Server DNS 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
    !
    !
    IP cef
    property intellectual auth-proxy max-nodata-& 3
    property intellectual admission max-nodata-& 3
    no ip bootp Server
    nfs1 host IP 10.10.140.207
    name of the IP-server 212.159.11.150
    name of the IP-server 212.159.13.150
    !
    !
    !
    username password cable 7
    username password bautsche 7
    vpnuser password username 7
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    BA aes 256
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 3
    BA 3des
    Prior authentication group part 2
    the local address SDM_POOL_1 pool-crypto isakmp client configuration

    !
    ISAKMP crypto client configuration group groupname2
    key
    DNS 10.10.140.201 10.10.140.202
    swangage.co.uk field
    pool SDM_POOL_1
    users of max - 3
    netmask 255.255.255.0
    !
    ISAKMP crypto client configuration group groupname1
    key
    DNS 10.10.140.201 10.10.140.202
    swangage.co.uk field
    pool SDM_POOL_1
    users of max - 3
    netmask 255.255.255.0
    ISAKMP crypto sdm-ike-profile-1 profile
    groupname2 group identity match
    client authentication list sdm_vpn_xauth_ml_1
    ISAKMP authorization list sdm_vpn_group_ml_1
    client configuration address respond
    ISAKMP crypto profile sdm-ike-profile-2
    groupname1 group identity match
    ISAKMP authorization list sdm_vpn_group_ml_1
    client configuration address respond
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    Crypto ipsec transform-set esp-3des esp-md5-hmac ESP_MD5_3DES
    Crypto ipsec transform-set ESP-AES-256-SHA aes - esp esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    Set the security association idle time 3600
    game of transformation-ESP-AES-256-SHA
    market arriere-route
    crypto dynamic-map SDM_DYNMAP_1 2
    Set the security association idle time 3600
    game of transformation-ESP-AES-256-SHA
    market arriere-route
    !
    !
    card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
    map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
    !
    Crypto ctcp port 10000
    Archives
    The config log
    hidekeys
    !
    !
    synwait-time of tcp IP 10
    !
    !
    !
    Null0 interface
    no ip unreachable
    !
    ATM0 interface
    no ip address
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    route IP cache flow
    No atm ilmi-keepalive
    PVC 0/38
    aal5mux encapsulation ppp Dialer
    Dialer pool-member 1
    !
    DSL-automatic operation mode
    waiting-224 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    Description $FW_INSIDE$
    10.10.7.1 IP address 255.255.255.0
    IP access-group 121 to
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    IP nat inside
    IP virtual-reassembly
    route IP cache flow
    map SDM_CMAP_1 crypto
    Hold-queue 100 on
    !
    interface Dialer1
    Description $FW_OUTSIDE$
    the negotiated IP address
    IP access-group 121 to
    no ip redirection
    no ip unreachable
    no ip proxy-arp
    NAT outside IP
    IP virtual-reassembly
    encapsulation ppp
    route IP cache flow
    No cutting of the ip horizon
    Dialer pool 1
    Dialer idle-timeout 0
    persistent Dialer
    Dialer-Group 1
    No cdp enable
    Authentication callin PPP chap Protocol
    PPP chap hostname
    PPP chap password 7
    map SDM_CMAP_1 crypto
    !
    local IP SDM_POOL_1 10.10.148.11 pool 10.10.148.20
    IP local pool public_184 123.12.12.184
    IP local pool public_186 123.12.12.186
    IP local pool public_187 123.12.12.187
    IP local pool internal_9 10.10.7.9
    IP local pool internal_8 10.10.7.8
    IP local pool internal_223 10.10.7.223
    IP local pool internal_47 10.10.7.47
    IP forward-Protocol ND
    IP route 0.0.0.0 0.0.0.0 Dialer1
    IP route 10.10.140.0 255.255.255.0 10.10.7.2
    !
    no ip address of the http server
    no ip http secure server
    IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
    IP nat inside source static 10.10.7.9 123.12.12.184
    IP nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 Expandable
    IP nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 expandable
    IP nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extensible
    IP nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extensible
    IP nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extensible
    IP nat inside source static tcp 10.10.7.8 123.12.12.185 1587 1587 extensible
    IP nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extensible

    IP nat inside source static 10.10.7.223 123.12.12.186
    IP nat inside source static 10.10.7.47 123.12.12.187
    !
    record 10.10.140.213
    access-list 18 allow one
    access-list 23 permit 10.10.140.0 0.0.0.255
    access-list 23 permit 10.10.7.0 0.0.0.255
    Access-list 100 category SDM_ACL = 2 Note
    access-list 100 deny ip any 10.10.148.0 0.0.0.255
    access ip-list 100 permit a whole
    Note access-list 121 SDM_ACL category = 17
    access-list 121 deny udp any eq netbios-dgm all
    access-list 121 deny udp any eq netbios-ns everything
    access-list 121 deny udp any eq netbios-ss all
    access-list 121 tcp refuse any eq 137 everything
    access-list 121 tcp refuse any eq 138 everything
    access-list 121 tcp refuse any eq 139 all
    access ip-list 121 allow a whole
    access-list 125 permit tcp any any eq www
    access-list 125 permit udp any eq isakmp everything
    access-list 125 permit udp any any eq isakmp
    access-list 194 deny udp any eq isakmp everything
    access-list 194 deny udp any any eq isakmp
    access-list 194 allow the host ip 123.12.12.184 all
    IP access-list 194 allow any host 123.12.12.184
    access-list 194 allow the host ip 10.10.7.9 all
    IP access-list 194 allow any host 10.10.7.9
    access-list 195 deny udp any eq isakmp everything
    access-list 195 deny udp any any eq isakmp
    access-list 195 allow the host ip 123.12.12.185 all
    IP access-list 195 allow any host 123.12.12.185
    access-list 195 allow the host ip 10.10.7.8 all
    IP access-list 195 allow any host 10.10.7.8
    not run cdp
    public_185 allowed 10 route map
    corresponds to the IP 195
    !
    public_184 allowed 10 route map
    corresponds to the IP 194
    !
    allowed SDM_RMAP_1 1 route map
    corresponds to the IP 100
    !
    !
    control plan
    !
    !
    Line con 0
    connection of authentication local_authen
    no activation of the modem
    preferred no transport
    telnet output transport
    StopBits 1
    line to 0
    connection of authentication local_authen
    telnet output transport
    StopBits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    authorization exec local_author
    connection of authentication local_authen
    length 0
    preferred no transport
    transport input telnet ssh
    !
    max-task-time 5000 Planner
    Scheduler allocate 4000 1000
    Scheduler interval 500
    130.88.202.49 SNTP server
    130.88.200.98 SNTP server
    130.88.200.6 SNTP server
    130.88.203.64 SNTP server
    end

    Any help would be appreciated.

    Thank you very much.

    Ciao,.

    Eric

    Hi Eric,.

    (Sorry for the late reply - needed some holidays)

    So I see that you are a few steps further now. I think that there are 2 things we can try:

    1)

    I guess you have provided that:

    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

    Since the route-map refers to ACL 100 to define the traffic to be translated, we can exclude traffic that the router initiates:

    access-list 100 remark SDM_ACL Category=2

    access-list 100 deny ip host 123.12.12.185 any
    access-list 100 deny ip any 10.10.148.0 0.0.0.255
    access-list 100 permit ip any any

    This should prevent the source port from changing from UDP 4500 to 1029.

    OR

    2)

    If you prefer to use a different IP address for the VPN,

    then you can use a loopback like this:

    interface Loopback0

    ip address 123.12.12.187 255.255.255.255

    No tap

    crypto map SDM_CMAP_1 local-address Loopback0

    I don't think you should apply the crypto map to the loopback interface, but it's been a while since I have configured something like that, so if you have problems, try that first, and if it still does not work, get new crypto debugs (isakmp + ipsec on the vpn, nat router on the router of the client package).

    HTH

    Herbert

  • problem of traffic flow with tunnel created the network with a tunnel to a VPN concentrator

    Hi, I have worked with Cisco and the seller for 2 weeks on this. I am hoping that what we are witnessing will ring a bell with someone.

    Some basic information:

    I work at a seller who needs from one site to the other tunnel.  There are currently 1 site to another with the seller using a Juniper SSG, which works without incident in my system.  I'm transitioning to routers Cisco 2811 and put in place a new tunnel with the seller for the 2800 uses a different public ip address in my address range.  So my network has 2 tunnels with the provider that uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

    My Cisco router will create a tunnel, but I can't not to hosts on the network of the provider through the Cisco 2811, but I can't get through the tunnel of Juniper.  The seller sees my packages and provider host meets them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

    I'm from the external interface so that my endpoint and the peers are the same IP address.  (note, I tried to do a static NAT and have an address of tunnel and my different host to the same result.)  Cisco has confirmed that I do have 2 addresses different and this configuration was a success with the creation of another successful tunnels toa different network.)

    I tested this configuration on a network of transit area before moving the router to the production network and my Cisco 2811 has managed to create the tunnel and ping the inside host.  Once we moved the router at camp, we can no longer ping on the host behind the seller tunnel.   The seller assured me that the tunnel setting is exactly the same, and he sees his host to send traffic to the tunnel.  The seller seems well versed with the VPN concentrator and manages connections for many customers successfully.

    The seller has a second VPN concentrator on a separate network and I can connect to this VPN concentrator with success of the Cisco 2811 who is having problems with the hub, which has also a tunnel with Gin.

    Here is what we have done so far:

    (1) confirm the config with the help of Cisco 2811.  The tunnel is up.  SH cyrpto ipa wristwatch tunnel upward.
    (2) turn on Nat - T side of the tunnel VPN landscapers
    (3) confirm that the traffic flows properly a tunnel on another network (which would indicate that the Cisco config is ok)
    (4) successfully, tunnel and reach a different configuration hosting
    (5) to confirm all the settings of tunnel with the seller
    (6) the seller confirmed that his side host has no way and that it points to the default gateway
    (7) to rebuild the tunnel from scratch
    8) confirm with our ISP that no way divert traffic elsewhere.  My gateway lSP sees my directly connected external address.
    (9) confirm that the ACL matches with the seller
    (10) I can't get the Juniper because he is in production and in constant use

    Is there a known issue with the help of a VPN concentrator to connect to 2 tunnels on the same 28 network range?

    Options or ideas are welcome.  I had countless sessions with Cisco webex, but do not have access to the hub of the seller.  I can forward suggestions.

    Here's a code

    crypto ISAKMP policy 1
    BA 3des
    md5 hash
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    BA 3des
    preshared authentication
    Group 2

    Crypto ipsec transform-set mytrans aes - esp esp-sha-hmac

    Crypto-map dynamic dynmap 30
    Set transform-set RIGHT

    ISAKMP crypto key address No.-xauth

    interface FastEthernet0/0
    Description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE $ 0/0
    IP 255.255.255.240
    IP access-group 107 to
    IP access-group out 106
    NAT outside IP
    IP virtual-reassembly
    route IP cache flow
    automatic duplex
    automatic speed
    crypto mymap map

    logging of access lists (applied outside to get an idea of what will happen.  No esp traffic happens, he has never hits)

    allowed access list 106 esp host host newspaper
    106 ip access list allow a whole
    allowed access list 107 esp host host Journal
    access-list 107 permit ip host host Journal

    access-list 107 permit ip host host Journal
    107 ip access list allow a whole

    Crypto isa HS her
    IPv4 Crypto ISAKMP Security Association
    status of DST CBC State conn-id slot
      QM_IDLE ASSETS 0 1010

    "Mymap" ipsec-isakmp crypto map 1
    Peer =.
    Extend the 116 IP access list
    access - list 116 permit ip host host (which is a public IP address))
    Current counterpart:
    Life safety association: 4608000 kilobytes / 2800 seconds
    PFS (Y/N): N
    Transform sets = {}
    myTrans,
    }

    OK - so I have messed around in the lab for 20 minutes and came up with the below (the IPs are test IPs :-)

    (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix length 30 <> it comes to the new address of NAT

    !
    (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> it comes to the interface by default NAT

    !
    IP nat inside source map route overload of crypto-nat of crypto-nat pool <> it is the policy of the NAT function

    !

    (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the IP source and destination traffic

    !

    (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

    (3) access-list 102 deny ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> does not re - NAT NAT

    (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the IP Address of the interface for NAT

    !

    (5) crypto-nat route-map permit 5 <> condition for the specific required NAT
    corresponds to the IP 101 <> game of traffic source and destination IP must be NAT'td

    (7) access list 103 permit ip 10.1.1.1 host 172.16.2.0 0.0.0.255 <> crypto acl

    So, how the above works: when a packet with a source IP in 172.16.1.0/24 wants to leave the router to connect to, say, Google, the source will change to the interface IP (1).  When 172.16.1.0/24 wants to talk to 172.16.2.0/24, it does not get translated (2).  When the traffic for the remote end matches the following NAT clause, the already NAT'd IP will not be affected again (3).  When a host in 172.16.1.0/24 wants to communicate with 172.16.2.20/24, a specific NAT pool is required (4).  We must define a way to apply the NAT to specific traffic with a route-map (5), which applies only to the specific traffic (6); then simply define the interesting traffic for the VPN to initiate and enable the corresponding comms (7).

  • Result Cache not used

    Hello

    I'm on Oracle Database 11 g Release 11.2.0.3.0 and Application Express 4.2.2.00.11

    How to use trick cache result?

    How do you get the same result shown in Figure 3 (apex.oracle.com Application Express 4.2.6.00.03)?

    I try to use the result cache but explain plan does not appear to be used (Figure 1)

    Then I tried ' alter table STUDENT result_cache (FORCE mode);  In figure 2, you could see that column in the table of students result_cache was changed to 'force' but explain the plan shows yet cache result being used.

    Figure 1
    result_cache1.jpg

    Figure 2

    result_cache2.jpg

    Figure 3 (from apex.oracle.com workspace)

    result_cache_correct.jpg

    Hello

    Thank you all for your answers.

    According to Oracle Help Center (11 g release 2) this is a feature reserved for Enterprise Edition. And Apex.oracle.com from today using Oracle Database 11 g Enterprise Edition Release 11.2.0.4.0 - 64 bit Production.

    While I'm using Oracle Database 11 g Release 11.2.0.3.0 - 64 bit Production it is why in the screenshots above I could not duplicate the result in apex.oracle.com

    https://docs.Oracle.com/CD/E11882_01/license.112/e47877/editions.htm#DBLIC116

  • vSphere networking performance counters - Teddy bear use of flow compared to its use

    I am responsible for a vSphere 5.1 environment that uses NFS data warehouses and I'm trying to collect metrics on how much bandwidth is used to access NFS data stores.  When I did it first a week ago, I ran esxtop and looked at network and sort by Mbps passed parameters and what he was able to indicate what vmnic NFS vmkernel was linked to.  I then took a look at the usage meter vmnic for a total of send/receive KB/s.  During my research, I ran across another counter: "use of flow rates for NFS Teddy."  Here's the problem, when we look at the use and Teddy flow using the counters from NFS on the same vmnic over the same period of time, the use of flow for meter NFS shows bandwidth much higher than that of the meter use (see image).  What gives?

    What I forgot to mention, is that measures to counter throughput.usage.nfs report a higher flow rate than the physical NETWORK adapter can handle.  The highest Summit on the graph shows about a flow of 13 GB/s on a network card 1 GB.  I spoke with a VMware engineer friend and he said it looks like the meter is mislabeled in vCenter.  I verified this by looking at the use of the NFS in vCenter Operations Manager metric and compared to the metric of its use on the same physical NETWORK adapter and the metric NFS for the NIC I was looking at showed approximately 23.8 MB/s (if I assume that the unit of measure of labelling was supposed to be B/s and not KB/s) and usage was about 24.2 MB / s.  The metric of higher use is due to the fact that the environment is badly designed by my predecessor and the NFS Sharing vmkernel rising with VM networks (something that I am trying to solve).

  • Excessive memory allocation in the cache nodes

    All,

    I'm on Coherence 3.6.1.8 and Java 1.7.0_40.  Heap is -Xms100m -Xmx1280m -XX:+UseParallelOldGC

    I am seeing a problem suddenly in my cache nodes where they are allocating and releasing very large amounts of memory very quickly.  GC happens about every 2-3 seconds, releasing about 400 MB.  GC itself is fast enough.  The volume of operations against the cache (gets, puts, entrySets) seems pretty normal.  I took some thread dumps and see what seem to be cache queries, though each dump is different.  (It is not as if a thread is blocked or anything.)  All queries must be indexed.  Eclipse MAT points to some of my caches as being the largest consumers of memory, which does not surprise me at all.  There have not been any changes in code or configuration in almost 2 months.

    The Coherence logs are mainly just complaining about delays in communication (DEBUG, not WARN) due to remote GC, which I do not doubt.  I don't know how to determine which objects are actually getting allocated and thrown away.

    Sample GC output below:

    2014-01-29T12:46:53.640-0600: [GC [PSYoungGen: 435520K->448K(436224K)] 1237751K->802823K(1257984K), 0.0229380 secs] [Times: user=0.02 sys=0.00, real=0.02 secs]

    2014-01-29T12:46:56.385-0600: [GC [PSYoungGen: 435648K->320K(436224K)] 1238023K->802967K(1257984K), 0.0244490 secs] [Times: user=0.02 sys=0.00, real=0.03 secs]

    2014-01-29T12:46:58.551-0600: [GC [PSYoungGen: 435520K->256K(436224K)] 1238167K->803079K(1257984K), 0.0242600 secs] [Times: user=0.02 sys=0.00, real=0.02 secs]

    2014-01-29T12:47:00.454-0600: [GC [PSYoungGen: 435456K->384K(436224K)] 1238279K->803295K(1257984K), 0.0278340 secs] [Times: user=0.02 sys=0.00, real=0.03 secs]

    2014-01-29T12:47:03.087-0600: [GC [PSYoungGen: 435584K->384K(436224K)] 1238495K->803383K(1257984K), 0.0287130 secs] [Times: user=0.02 sys=0.00, real=0.03 secs]

    2014-01-29T12:47:06.553-0600: [GC [PSYoungGen: 435584K->416K(436224K)] 1238583K->803627K(1257984K), 0.0229790 secs] [Times: user=0.02 sys=0.00, real=0.02 secs]

    2014-01-29T12:47:08.894-0600: [GC [PSYoungGen: 435616K->416K(436224K)] 1238827K->803851K(1257984K), 0.0167050 secs] [Times: user=0.03 sys=0.00, real=0.02 secs]

    2014-01-29T12:47:11.446-0600: [GC [PSYoungGen: 435616K->256K(436224K)] 1239051K->803947K(1257984K), 0.0387630 secs] [Times: user=0.02 sys=0.00, real=0.04 secs]

    Any ideas?

    Thank you

    It seems that the index was not being used.  I have no idea how this could happen.  The clues were:

    1. Some of the thread dumps showed cached objects being deserialized during query evaluation.  This should not happen if the index is used.

    2. There is a preponderance of these same cached objects among the "unreachable objects" (garbage) as reported by Eclipse MAT.

    I suddenly fixed the problem by using the command-line query tool.  I believe the "ensure index on" command did it.  I had hoped that it would at least confirm whether the index exists, but the moment I issued this command the problem magically disappeared.  I did not use the 'create index' command.

  • IE cache on the browser Back button

    Hi all

    I have a form page, an action page and a confirmation page.

    I submit the form page... it takes me to the action page where I validate the fields... the fields are NOT valid... I place the data and the error message in the session and redirect (cflocation) to the form page. In the form page I store the session variables (error message and incorrect data) in local variables, destroy the session variables and use the local variables afterwards.

    Now I enter the correct values and submit the form again... it goes to the action page... valid... and then redirects to the confirmation page.

    Now if I use my browser's Back button from the confirmation page, it takes me to the form page with the validation error message and the incorrect data... I understand that the IE 7 browser uses the cache to get the data... but I tried using cfheader and META tags to avoid caching... it still pulls from the browser cache... This does not happen in Firefox. I use the following code.

    <cfheader name="cache-control" value="no-store, no-cache, must-revalidate">
    <cfheader name="pragma" value="no-cache">
    <cfheader name="expires" value="#getHttpTimeString(now())#">

    <META HTTP-EQUIV="expires" CONTENT="-1">
    <META HTTP-EQUIV="pragma" CONTENT="no-cache">
    <META HTTP-EQUIV="cache-control" CONTENT="no-store, no-cache, must-revalidate">

    Any thoughts on how this can be resolved?

    Hi Madhu,

    I am back. I revisited the thread and my test code. The code that first worked for me is, in fact, not very different from the one I gave above. Only the headers, no meta tags. And my headers are more or less the same as those in your original post, too!  So why does it work for me and not for you?

    The crucial point to note is that if IE's Forward and Back buttons show cached pages, then it may be that these pages were already stored as history. This means that, in your case, IE must have disobeyed the no-cache directive. How?

    My first guess is: the web server. If you're using ColdFusion's built-in JRun web server, for example, then that might be the clue. This web server uses the HTTP/1.0 protocol to respond. Current browsers expect HTTP/1.1. For example, the Cache-Control header was introduced in HTTP/1.1. It could be that HTTP/1.0 is too old for IE and, possibly, that IE is not backward compatible as far as the HTTP protocol is concerned. The next test for us to do is to compare the behavior of the headers for HTTP/1.0 and HTTP/1.1 web servers.

  • New episode does not appear in iTunes

    Hello

    I have a problem: my feed

    http://hypnowords.Podbean.com/feed/

    works, but the new episode I posted recently, this morning, does not appear for Hypnowords https://itunes.apple.com/de/podcast/hypnowords-podcast/id1062592743?l=en in the store.

    Can you help me please?

    Regards

    Daniel

    Episode 2, released today, shows both for subscribers and in the iTunes Store. You were lucky, as it can normally take 1-2 days for a new episode to appear in the Store, since it caches feeds, checking them in some sort of rotation (subscribers see it pretty quickly as their iTunes application reads the feed directly).

  • Cisco 877W DHCP does not automatically fill the Windows/Mac customers with DNS server entries

    I have an 877W which has been operational on Verizon for about 5 years. It has never automatically distributed DNS server info to clients that get a DHCP-issued IP address. I have to manually enter the DNS entries on each client.  This has happened at other sites where I've got it installed on AT&T, as well as 877 unified communications.

    Here is the config. Thanks in advance for the help.

    Building configuration...

    Current configuration: 7987 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname Cod
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 jSwA $1$ $ 3B5lJNqm0ewh
    !
    aaa new-model
    !
    !
    aaa authentication login remote local
    aaa authorization network remote local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone PCTime -6
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.7.1 192.168.7.19
    ip dhcp excluded-address 192.168.7.70 192.168.7.254
    !
    ip dhcp pool sdm-pool1
    import all
    network 192.168.7.0 255.255.255.0
    default-router 192.168.7.1
    dns-server 68.238.96.12 68.238.112.12
    !
    !
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    ip domain name cods.com
    ip name-server 68.238.96.12
    ip name-server 68.238.112.12
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto pki trustpoint TP-self-signed-437228204
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-437228204
    revocation-check none
    rsakeypair TP-self-signed-437228204
    !
    !
    crypto pki certificate chain TP-self-signed-437228204
    certificate self-signed 01
    quit
    username privilege 15 secret $5 1jgO$sGD@#l4yTtLtYoEZbh/Wl steal551.
    !
    !
    crypto keyring vpn_ddaus
    pre-shared-key address 0.0.0.0 0.0.0.0 key stealthfortyfor5
    crypto keyring vpn_rmlfk
    pre-shared-key address 205.30.134.22 key stealthfortyfor5
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp policy 30
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp invalid-spi-recovery
    crypto isakmp keepalive 20
    !
    crypto isakmp client configuration group VPNRemote
    key ConnectNow45
    pool ippool
    crypto isakmp profile vpnclient
    match identity group VPNRemote
    client authentication list remote
    isakmp authorization list remote
    client configuration address respond
    crypto isakmp profile CODS_DDAUS
    keyring vpn_ddaus
    match identity address 0.0.0.0
    crypto isakmp profile CODS_RMLFK
    keyring vpn_rmlfk
    match identity address 205.30.134.22 255.255.255.255
    !
    !
    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set RIGHT
    set isakmp-profile vpnclient
    crypto dynamic-map dynmap 12
    set transform-set RIGHT
    set isakmp-profile CODS_DDAUS
    !
    !
    crypto map MYmap 1 ipsec-isakmp
    set peer 205.30.134.22
    set transform-set RIGHT
    set isakmp-profile CODS_RMLFK
    match address CODS_to_RMFLK
    crypto map mymap 65535 ipsec-isakmp dynamic dynmap
    !
    bridge irb
    !
    !
    interface Loopback10
    ip address 1.1.1.1 255.255.255.0
    !
    interface ATM0
    no ip address
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $FW_OUTSIDE$$ES_WAN$
    ip verify unicast reverse-path
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    pvc 0/35
    encapsulation aal5snap
    !
    bridge-group 2
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
    no ip address
    no ip route-cache cef
    no ip route-cache
    !
    encryption vlan 1 mode ciphers tkip
    !
    ssid tsunami
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 14231A0E01053324363F363B36150E050B08585E
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    !
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    no snmp trap link-status
    no cdp enable
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    bridge-group 1 unicast-flooding
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    ip tcp adjust-mss 1452
    bridge-group 1
    !
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 192.168.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1412
    !
    interface control2
    ip address 70.14.49.134 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    crypto map mymap
    !
    ip local pool ippool 10.10.10.1 10.10.10.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 70.14.49.1
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 133 interface control2 overload
    !
    ip access-list extended CODS_to_RMFLK
    permit ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    !
    logging trap debugging
    access-list 1 permit 192.168.7.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip 70.14.49.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 permit ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 133 deny ip 192.168.7.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 133 deny ip 192.168.7.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 133 deny ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 133 deny ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255
    access-list 133 permit ip 192.168.7.0 0.0.0.255 any
    no cdp run
    route-map mymap permit 10
    match ip address 111
    set ip next-hop 1.1.1.2
    !
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user.^C
    !
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    Hello

    Can you try removing the IMPORT ALL from the dhcp pool?

    RES
    Paul

    Sent from Cisco Technical Support iPad App

  • TCP Window Scaling issues

    We have Cisco 2800s at each of our four locations that are managed by our ISP. We have had problems with them; I got them to send me the configuration file of one of them, but nothing jumps out at me.

    We have to disable TCP Window Scaling/auto-tuning on all our Windows 7/Server 2012 machines (by running netsh interface tcp set global autotuning=disabled at the command line).

    If we don't, it is very slow to load even a web page and we cannot download a file (even something as small as 2 MB). Mobile devices have no hope of working on our network right now because of this. This isn't an issue on our remaining XP machines, but I think the reason is that XP did not use Window Scaling.

    Any ideas what could be causing this? I intend to replace them soon with our own routers, because they do not want to configure the secondary interfaces for our VLANs, but in the meantime I need this to work.

    Thanks in advance for any help.

    Here is the config with sensitive information removed

    version 12.3

    no service pad

    service tcp-keepalives-in

    service tcp-keepalives-out

    service timestamps debug datetime msec localtime show-timezone

    service timestamps log datetime msec localtime show-timezone

    service password-encryption

    service sequence-numbers

    !

    hostname REMOVED

    !

    boot-start-marker

    boot-end-marker

    !

    logging buffered 8192 debugging

    no logging console

    enable secret REMOVED

    !

    no aaa new-model

    !

    resource policy

    !

    mmi polling-interval 60

    no mmi auto-configure

    no mmi pvc

    mmi snmp-timeout 180

    ip subnet-zero

    ip cef

    !

    !

    no ip dhcp use vrf connected

    !

    ip inspect name DEFAULT100 cuseeme

    ip inspect name DEFAULT100 ftp

    ip inspect name DEFAULT100 h323

    ip inspect name DEFAULT100 icmp

    ip inspect name DEFAULT100 netshow

    ip inspect name DEFAULT100 rcmd

    ip inspect name DEFAULT100 realaudio

    ip inspect name DEFAULT100 rtsp

    ip inspect name DEFAULT100 esmtp

    ip inspect name DEFAULT100 sqlnet

    ip inspect name DEFAULT100 streamworks

    ip inspect name DEFAULT100 tftp

    ip inspect name DEFAULT100 tcp

    ip inspect name DEFAULT100 udp

    ip inspect name DEFAULT100 vdolive

    no ip ips deny-action ips-interface

    !

    no ftp-server write-enable

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    !

    crypto pki trustpoint TP-self-signed-REMOVED

    enrollment selfsigned

    subject-name cn=IOS-Self-Signed-Certificate-REMOVED

    revocation-check none

    rsakeypair TP-self-signed-REMOVED

    !

    !

    crypto pki certificate chain TP-self-signed-REMOVED

    certificate self-signed 01

    REMOVED

    quit

    !

    class-map match-all VOIP

    match access-group 120

    !

    !

    policy-map VOIP

    class VOIP

    priority 1000

    class class-default

    !

    !

    !

    crypto isakmp policy 1

    encr 3des

    authentication pre-share

    group 2

    crypto isakmp key REMOVED address 0.0.0.0 0.0.0.0

    no crypto isakmp ccm

    !

    !

    crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac

    !

    crypto ipsec profile SDM_Profile1

    set transform-set VPN

    !

    crypto ipsec profile SDM_Profile2

    set transform-set VPN

    !

    !

    !

    !

    !

    interface Tunnel0

    description $FW_INSIDE$

    bandwidth 3000

    ip address 10.10.200.1 255.255.255.0

    ip access-group 101 in

    no ip redirects

    ip mtu 1400

    ip nhrp authentication VPN

    ip nhrp map multicast dynamic

    ip nhrp network-id 100000

    ip nhrp holdtime 360

    ip virtual-reassembly

    ip route-cache flow

    ip tcp adjust-mss 1360

    ip ospf network broadcast

    ip ospf priority 20

    delay 10

    tunnel source FastEthernet0/1

    tunnel mode gre multipoint

    tunnel key 100000

    tunnel protection ipsec profile SDM_Profile1

    !

    interface Null0

    no ip unreachables

    !

    interface Loopback0

    ip address 192.168.210.1 255.255.255.255

    no ip redirects

    no ip unreachables

    no ip proxy-arp

    ip route-cache flow

    !

    interface FastEthernet0/0

    description $FW_INSIDE$

    ip address 10.10.100.1 255.255.255.0

    ip access-group 100 in

    no ip redirects

    no ip unreachables

    no ip proxy-arp

    ip nat inside

    ip virtual-reassembly

    ip route-cache flow

    ip policy route-map server-nat

    duplex auto

    speed auto

    no mop enabled

    service-policy output VOIP

    !

    interface FastEthernet0/1

    description $FW_OUTSIDE$

    ip address IP REMOVED NETMASK REMOVED

    ip access-group 102 in

    ip verify unicast reverse-path

    no ip redirects

    no ip unreachables

    no ip proxy-arp

    ip nat outside

    ip inspect DEFAULT100 out

    ip virtual-reassembly

    ip route-cache flow

    load-interval 30

    duplex auto

    speed auto

    no mop enabled

    !

    interface FastEthernet0/1/0

    load-interval 30

    !

    interface FastEthernet0/1/1

    !

    interface FastEthernet0/1/2

    !

    interface FastEthernet0/1/3

    !

    router ospf 100

    log-adjacency-changes

    passive-interface FastEthernet0/0

    passive-interface FastEthernet0/1

    passive-interface FastEthernet0/1/0

    network 10.10.100.0 0.0.0.255 area 0

    network 10.10.200.0 0.0.0.255 area 0

    network 10.10.201.0 0.0.0.255 area 0

    network 192.168.210.1 0.0.0.0 area 0

    !

    ip classless

    ip route 0.0.0.0 0.0.0.0 REMOVED

    ip route REMOVED NETMASK REMOVED

    ip route REMOVED NETMASK REMOVED

    ip route REMOVED NETMASK REMOVED

    !

    ip flow-capture ip-id

    ip flow-capture mac-addresses

    ip flow-top-talkers

    top 10

    sort-by bytes

    cache-timeout 30000

    !

    ip http server

    ip http authentication local

    ip http secure-server

    ip nat pool nat REMOVED netmask REMOVED

    ip nat inside source list 150 interface FastEthernet0/1 overload

    !

    access-list 100 deny   ip 10.10.200.0 0.0.0.255 any

    access-list 100 deny   ip host 255.255.255.255 any

    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

    access-list 100 permit ip any any

    access-list 100 deny   ip 10.10.201.0 0.0.0.255 any

    access-list 101 remark Tunnel ACL

    access-list 101 deny   ip REMOVED 0.0.0.7 any log

    access-list 101 deny   ip host 255.255.255.255 any log

    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log

    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.110.0 0.0.0.255 log

    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.120.0 0.0.0.255 log

    access-list 101 permit ip 10.10.100.0 0.0.0.255 10.10.130.0 0.0.0.255 log

    access-list 101 permit ip host 10.10.100.10 any log

    access-list 101 permit ip host 10.10.100.12 any log

    access-list 101 permit ip host 10.10.100.20 any log

    access-list 101 permit ip host 10.10.100.21 any log

    access-list 101 permit ip host 10.10.100.45 any log

    access-list 101 permit ip any host 10.10.100.10 log

    access-list 101 permit ip any host 10.10.100.12 log

    access-list 101 permit ip any host 10.10.100.20 log

    access-list 101 permit ip any host 10.10.100.21 log

    access-list 101 permit ip any host 10.10.100.45 log

    access-list 101 permit ospf any any

    access-list 101 permit icmp any any

    access-list 101 deny   ip 10.10.100.0 0.0.0.255 any log

    access-list 101 permit ip 10.10.110.0 0.0.0.255 10.10.100.0 0.0.0.255

    access-list 101 permit ip 10.10.120.0 0.0.0.255 10.10.100.0 0.0.0.255

    access-list 101 permit ip 10.10.130.0 0.0.0.255 10.10.100.0 0.0.0.255

    access-list 102 remark Outside ACL

    access-list 102 permit tcp host REMOVED host REMOVED eq 22

    access-list 102 permit tcp REMOVED 0.0.0.15 host REMOVED eq 22

    access-list 102 permit udp any host REMOVED eq non500-isakmp

    access-list 102 permit udp any host REMOVED eq isakmp

    access-list 102 permit esp any host REMOVED

    access-list 102 permit ahp any host REMOVED

    access-list 102 permit gre any host REMOVED

    access-list 102 permit icmp any host REMOVED echo-reply

    access-list 102 permit icmp any host REMOVED time-exceeded

    access-list 102 permit icmp any host REMOVED unreachable

    access-list 102 permit ip any host 10.10.100.10

    access-list 102 permit ip any host 10.10.100.12

    access-list 102 permit ip any host 10.10.100.20

    access-list 102 permit ip any host 10.10.100.21

    access-list 102 permit ip any host 10.10.100.45

    access-list 102 deny   ip 10.10.100.0 0.0.0.255 any

    access-list 102 deny   ip 10.10.200.0 0.0.0.255 any

    access-list 102 deny   ip 10.0.0.0 0.255.255.255 any

    access-list 102 deny   ip 172.16.0.0 0.15.255.255 any

    access-list 102 deny   ip 192.168.0.0 0.0.255.255 any

    access-list 102 deny   ip 127.0.0.0 0.255.255.255 any

    access-list 102 deny   ip host 255.255.255.255 any

    access-list 102 deny   ip host 0.0.0.0 any

    access-list 103 permit ip REMOVED 0.0.0.15 any

    access-list 103 permit ip 10.10.200.0 0.0.0.255 any

    access-list 103 permit ip 10.10.100.0 0.0.0.255 any

    access-list 103 permit ip 10.10.110.0 0.0.0.255 any

    access-list 103 permit ip 10.10.120.0 0.0.0.255 any

    access-list 103 permit ip 10.10.130.0 0.0.0.255 any

    access-list 110 deny   ip host 10.10.100.12 10.10.110.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.12 10.10.130.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.10 10.10.110.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.10 10.10.130.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.20 10.10.110.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.20 10.10.130.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.21 10.10.110.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.21 10.10.130.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.45 10.10.110.0 0.0.0.255

    access-list 110 deny   ip host 10.10.100.45 10.10.130.0 0.0.0.255

    access-list 110 permit ip host 10.10.100.12 any

    access-list 110 permit ip host 10.10.100.10 any

    access-list 110 permit ip host 10.10.100.20 any

    access-list 110 permit ip host 10.10.100.21 any

    access-list 110 permit ip host 10.10.100.45 any

    access-list 120 permit udp any any eq 5060

    access-list 150 deny   ip host 10.10.100.10 any

    access-list 150 deny   ip host 10.10.100.12 any

    access-list 150 deny   tcp host 10.10.100.20 any eq 3389

    access-list 150 deny   ip host 10.10.100.21 any

    access-list 150 deny   tcp host 10.10.100.45 any eq 22

    access-list 150 deny   tcp host 10.10.100.45 any eq 443

    access-list 150 deny   udp host 10.10.100.45 any eq 5060

    access-list 150 deny   udp host 10.10.100.45 any range 10000 10500

    access-list 150 deny   ip 10.10.110.0 0.0.0.255 any

    access-list 150 deny   ip 10.10.120.0 0.0.0.255 any

    access-list 150 deny   ip 10.10.130.0 0.0.0.255 any

    access-list 150 permit ip 10.10.100.0 0.0.0.255 any

    !

    route-map server-nat permit 10

    match ip address 110

    set ip next-hop 10.10.200.3

    !

    !

    !

    !

    control-plane

    !

    !

    !

    !

    !

    !

    !

    !

    banner motd ^CC

    <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>

    Authorized access only

    <@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>

    Disconnect IMEDIATELY if you are not an authorized user !

    ^C

    !

    line con 0

    login local

    transport output telnet

    line aux 0

    login local

    transport output telnet

    line vty 0 4

    access-class 103 in

    privilege level 15

    login local

    transport input ssh

    line vty 5 15

    access-class 103 in

    privilege level 15

    login local

    transport input ssh

    !

    end

    Hello Jason,

    you will find many articles saying that the MS autotuning feature does not work well with some firewall stateful inspection and/or VPN.

    At CSC, I found another interesting thread:

    https://supportforums.Cisco.com/thread/2169557

    Maybe Joseph joins this discussion later with some new or additional information.

    Best regards

    Rolf
