Spoke to spoke (VIGOR to CISCO) routing

Hi all

I have a problem with my config; it's a 7-spoke star (hub and spoke) configuration. The address of the network hub is 192.168.6.0.

I would like the spoke sites to communicate with the other spokes through the hub. The spoke sites are Vigor routers and the hub is a Cisco 1842; the routing table is present on the Vigors. I assume it's an ACL problem, but I've spent the last 3 hours trying to figure this one out and got nowhere. Can anyone help?

I also have NAT for ports 80 and 443, which works very well from outside the local network but does not work from inside. Anyone got any suggestions?

Thank you

Mark

192.168.6.0 HUB
192.168.18.0 SPOKE
192.168.23.0 SPOKE
192.168.28.0 SPOKE
192.168.48.0 SPOKE
192.168.78.0 SPOKE
192.168.88.0 SPOKE
192.168.108.0 SPOKE
10.0.0.0 SPOKE

Current configuration : 4558 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BURTON
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip name-server 62.XX.x.2
ip name-server 195.xxx.xxx.10
!
!
crypto pki trustpoint TP-self-signed-692553461
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-692553461
 revocation-check none
 rsakeypair TP-self-signed-692553461
!
!
crypto pki certificate chain TP-self-signed-692553461
 certificate self-signed 01
  308201A 5 A0030201 02020101 3082023C 300 D 0609 2A 864886 F70D0101 04050030
  2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
  69666963 36393235 35333436 31301E17 313031 31323530 39353934 0D 6174652D
  315A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
  532D 5365 6C662D53 69676E65 4365 72746966 69636174 652 3639 32353533 642D
  06092A 86 4886F70D 01010105 34363130 819F300D 0003818D 00308xxx 02818100
  BA51CDF7 D418D270 7DCE516E 1ADE6DF5 82FE4507 CD1EBE0A 4B6E4B15 9A3C20ED
  B1D19FC9 63D0B925 0A4611FF CE8D935C 264FC3FE DF8BFAC2 76EC38ED 68115F43
  20A68D85 C04A564E 8BDE86FE 127F79B4 8E123D9C 8430940C BCD5CDA4 ADAAE387
  FA1E14A6 ECF92197 0CF54E89 B33915E7 A4E01EC7 CE45DDF6 AA60D168 38C92E67
  02030100 01A 36630 03551 D 13 64300F06 0101FF04 05300301 01FF3011 0603551D
  11040A 30 08820642 5552544F 4E301F06 23 04183016 03551D 8014645E 3FDE4E90
  A8773580 81EE4217 F4821238 993A301D 0603551D 0E041604 14645E3F DE4E90A8
  77358081 EE4217F4 3A300D06 01040500 03818100 86F70D01 82123899 092A 8648
  914EE910 C1EFCDB3 2C3B277B 45E4149F B8A78E94 94D6558F 7A1D5B45 D057DC02
  1FCF0C28 5B29728B 9480E807 D7E7DF9E 751DD005 E108D94B 6B3FC03B 8EB1603B
  9AF1E4CA 49067084 5B906C74 4D07217A 13FD0113 B721068A 3EC6C990 54101B4B
  FC9860E4 3xxxB064 586EC91D EF7C5A8F 8BBF33C6 29BCF148 A7E2B987 F2A028F8
  quit
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxx address 77.xxx.xxx.176
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.85
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.9
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.81
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.228
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.153
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.10
crypto isakmp key xxxxxxxxxx address 85.xxx.xxx.61
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-COMPRESSION esp-3des esp-sha-hmac comp-lzs
crypto ipsec transform-set AES-SHA-COMPRESSION esp-aes esp-sha-hmac comp-lzs
crypto ipsec transform-set cm-transformset-1 esp-<cipher garbled in source> esp-sha-hmac
crypto ipsec transform-set this_should_work esp-<cipher garbled in source> esp-sha-hmac
!
crypto map VPN-MAP-1 10 ipsec-isakmp
 set peer 77.xxx.xxx.176
 set transform-set this_should_work
 match address stores
!
crypto map VPN-MAP-1 11 ipsec-isakmp
 set peer 85.xxx.xxx.85
 set transform-set this_should_work
 match address dalby
!
crypto map VPN-MAP-1 12 ipsec-isakmp
 set peer 85.xxx.xxx.9
 set transform-set this_should_work
 match address braintree
!
crypto map VPN-MAP-1 13 ipsec-isakmp
 set peer 85.xxx.xxx.81
 set transform-set this_should_work
 match address corby
!
crypto map VPN-MAP-1 14 ipsec-isakmp
 set peer 85.xxx.xxx.228
 set transform-set this_should_work
 match address glasgow
!
crypto map VPN-MAP-1 15 ipsec-isakmp
 set peer 85.xxx.xxx.153
 set transform-set this_should_work
 match address hadleigh
!
crypto map VPN-MAP-1 16 ipsec-isakmp
 set peer 85.xxx.xxx.10
 set transform-set this_should_work
 match address northwich
!
crypto map VPN-MAP-1 17 ipsec-isakmp
 set peer 85.xxx.xxx.61
 set transform-set this_should_work
 match address wycombe
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$
 ip address 192.168.6.40 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface ATM0/0/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface ATM0/1/0
 no ip address
 no ip mroute-cache
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp reliable-link
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 ppp chap password 0 xxxxxxxx
 ppp ipcp dns request
 ppp link reorders
 ppp multilink
 ppp multilink slippage 16 mru
 ppp multilink fragment delay 10
 ppp multilink interleave
 ppp multilink multiclass
 crypto map VPN-MAP-1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended corby
 permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
 permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
 permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
ip access-list extended hadleigh
 permit ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
ip access-list extended stores
 permit ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
ip access-list extended dalby
 permit ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
ip access-list extended glasgow
 permit ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
ip access-list extended braintree
 permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended Internet-inbound-ACL
 permit udp host 77.xxx.xxx.176 any eq isakmp
 permit esp host 77.xxx.xxx.176 any
 permit udp host 85.xxx.xxx.85 any eq isakmp
 permit esp host 85.xxx.xxx.85 any
 permit udp host 85.xxx.xxx.9 any eq isakmp
 permit esp host 85.xxx.xxx.9 any
 permit udp host 85.xxx.xxx.81 any eq isakmp
 permit esp host 85.xxx.xxx.81 any
 permit udp host 85.xxx.xxx.228 any eq isakmp
 permit esp host 85.xxx.xxx.228 any
 permit udp host 85.xxx.xxx.153 any eq isakmp
 permit esp host 85.xxx.xxx.153 any
 permit udp host 85.xxx.xxx.10 any eq isakmp
 permit esp host 85.xxx.xxx.10 any
 permit udp host 85.xxx.xxx.61 any eq isakmp
 permit esp host 85.xxx.xxx.61 any
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.78.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.88.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.108.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxxxxxxxx
 login
!
scheduler allocate 20000 1000
end

Also check this important information on Vigor IPsec support:

https://supportforums.Cisco.com/thread/257320?decorator=print&displayFullThread=true

Manish
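As an added example (not code from this thread, from Draytek or from Cisco), the following Python script checks the thing the question actually turns on: whether the hub's crypto ACLs and its NAT exemption list would let spoke-to-spoke traffic through the tunnels. It reuses the ACL names and spoke LANs from the posted config, but the sample config is constructed and trimmed to three spokes, with one half-done spoke-to-spoke entry added so the checker has something to report. The check relies on IOS behaviour that is easy to forget: decrypted inbound packets are matched against the crypto ACL with source and destination swapped, so a flow between two spokes needs a matching permit in both peers' crypto ACLs, and it must not be caught by the NAT list first.

```python
"""Check a hub-and-spoke IPsec hub for spoke-to-spoke selector coverage.

Added example, not code from the original thread. It parses IOS-style
crypto ACLs and the NAT exemption list of a hub router and reports, for
every ordered spoke pair, why the hub would not forward that traffic
inside the tunnels. The sample config and the spoke mapping below are
constructed for the demo (three of the seven spokes, ACL names kept).
"""
import ipaddress
import re
from itertools import permutations

# Constructed sample, in plain IOS syntax. Each crypto ACL only selects
# hub-LAN <-> spoke traffic, except that a single spoke-to-spoke entry has
# been added to the wycombe ACL (and not mirrored on the corby side).
SAMPLE_CONFIG = """\
ip access-list extended corby
 permit ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
ip access-list extended northwich
 permit ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
ip access-list extended wycombe
 permit ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
 permit ip 192.168.18.0 0.0.0.255 192.168.28.0 0.0.0.255
!
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.23.0 0.0.0.255
access-list 100 deny ip 192.168.6.0 0.0.0.255 192.168.28.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 any
"""

# Crypto ACL name -> LAN behind that spoke peer (taken from the crypto map
# "match address" lines; hard-coded here for the constructed sample).
SPOKES = {
    "corby": ipaddress.ip_network("192.168.18.0/24"),
    "northwich": ipaddress.ip_network("192.168.23.0/24"),
    "wycombe": ipaddress.ip_network("192.168.28.0/24"),
}

ANY = ipaddress.ip_network("0.0.0.0/0")
ADDR = r"(?:any|host \S+|\S+ \S+)"
ACE_RE = re.compile(rf"^\s*(permit|deny)\s+ip\s+({ADDR})\s+({ADDR})\s*$")
NAMED_RE = re.compile(r"^ip access-list extended (\S+)\s*$")
NUMBERED_RE = re.compile(r"^access-list (\d+)\s+(.*)$")


def parse_prefix(token):
    """Turn an IOS address spec ('any', 'host A', 'A WILDCARD') into a network."""
    if token == "any":
        return ANY
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    addr, wildcard = parts
    # An IOS wildcard mask is the bitwise inverse of a netmask.
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _entry(m):
    return (m.group(1), parse_prefix(m.group(2)), parse_prefix(m.group(3)))


def parse_acls(text):
    """Collect (action, src, dst) entries of named and numbered extended ACLs."""
    acls = {}
    current = None
    for line in text.splitlines():
        if m := NAMED_RE.match(line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif m := NUMBERED_RE.match(line):
            current = None
            if ace := ACE_RE.match(m.group(2)):
                acls.setdefault(m.group(1), []).append(_entry(ace))
        elif current and (ace := ACE_RE.match(line)):
            acls[current].append(_entry(ace))
    return acls


def lookup(entries, src, dst):
    """First-match evaluation for a whole-subnet flow; None means implicit deny."""
    for action, ace_src, ace_dst in entries:
        if ace_src.supernet_of(src) and ace_dst.supernet_of(dst):
            return action
    return None


def check_spoke_to_spoke(config_text, spokes, nat_acl="100"):
    """List every ordered spoke pair the hub would not forward inside IPsec.

    For a flow A -> B relayed by the hub, three things must hold:
      * peer A's crypto ACL must match it mirrored (B -> A), because IOS
        checks decrypted inbound packets against the ACL with src/dst swapped;
      * peer B's crypto ACL must match it as written (A -> B);
      * the NAT list must not permit it, or the source is translated before
        the crypto map ever sees the packet.
    """
    acls = parse_acls(config_text)
    findings = []
    for (a, a_net), (b, b_net) in permutations(spokes.items(), 2):
        flow = f"{a_net} -> {b_net}"
        if lookup(acls.get(a, []), b_net, a_net) != "permit":
            findings.append(f"{flow}: crypto ACL {a} lacks mirrored entry {b_net} -> {a_net}")
        if lookup(acls.get(b, []), a_net, b_net) != "permit":
            findings.append(f"{flow}: crypto ACL {b} lacks entry {a_net} -> {b_net}")
        if lookup(acls.get(nat_acl, []), a_net, b_net) == "permit":
            findings.append(f"{flow}: NAT list {nat_acl} would translate this flow")
    return findings


if __name__ == "__main__":
    for finding in check_spoke_to_spoke(SAMPLE_CONFIG, SPOKES):
        print(finding)
```

Run against the sample, the script reports ten gaps: the corby/wycombe pair is missing only the mirrored entry in the corby ACL, while every other pair is missing both halves. The NAT list 100 never fires for spoke sources because its entries only match 192.168.6.0/24, which is why the NAT check stays quiet here; it would start reporting if someone widened list 100 to `permit ip any any`.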

Tags: Cisco Security

Similar Questions

  • PIX v7 spoke to spoke VPN access via the PIX hub

    Hello

    Does anyone know if the PIX v7 code supports spoke to spoke VPN connectivity?

    For example, 3 sites: a hub, spoke A and spoke B, where spoke A and spoke B connect to the hub (PIX) with VPN.

    With earlier versions of the software, the spokes would not be able to communicate. Is this possible with the new version of the code?

    Thank you

    Hello

    As long as the hub is running v7, you should be able to do it. See

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00804675ac.shtml

    for an example.

    HTH

    Kind regards

    Cathy

  • Domain controller and DNS behind RRAS, without VPN, connected directly to the internet with a Cisco router

    I have a Cisco ME 3400 with a single physical port available for a cable connection.

    The ISP gave me an interface IP address = 89.120.29.89 to act as the gateway for the host IP address, which is 89.120.29.90 as ordered.

    The host computer is a dual Xeon machine with two NICs, for LAN and WAN.

    Scope: to install a Windows 2008 R2 server between the public and private network.

    Even though I know it's not recommended, I have the DNS role and the Active Directory roles installed on the same computer, the one above (I do not have enough computers to place the different roles on different computers).

    The desired configuration:

    To have a WS2008R2 with its roles installed behind RRAS, a) without a VPN,

    b) with VPN,

    and WAN access for the Windows 7 client computers on the private LAN (the LAN address pool is 192.168.0.1 - 255).

    First step: to have internet access in the browser (I use Google Chrome) (without taking DNS and AD into account).

    Network configuration:

    WAN NIC, at the top of the binding order in Control Panel / Network and Sharing Center:

    Host IP: 89.120.29.90
    Mask: 255.255.255.252
    Gateway: 89.120.29.89
    DNS: 193.231.100.130 (my ISP's name server address).

    OK, I can browse the internet.

    Second step (consider DNS and Active Directory):

    DNS role installed on this computer.
    AD installed as a global catalog.

    WAN NIC on the server, directly connected to the Cisco router:

    Local Area Connection 3

    Properties:
    Client for Microsoft Networks: unchecked
    Network Load Balancing: unchecked
    File and Printer Sharing: unchecked
    QoS Packet Scheduler: unchecked
    Microsoft Network Monitor 3 Driver: unchecked
    IPv4: checked
    Link-Layer Topology Discovery Mapper I/O Driver: checked
    Link-Layer Topology Discovery Responder: checked

    IPv4 tab:
    Host IP: 89.120.29.90
    Mask: 255.255.255.252
    Gateway: 89.120.29.89
    DNS: 193.231.100.130 (my ISP's name server address).

    Under the Advanced tab:
    IP settings: the same as the IPv4 tab, with automatic metric checked
    DNS tab:
    Append primary and connection specific DNS suffixes: unchecked
    Append parent suffixes of the primary DNS suffix: unchecked
    Append these DNS suffixes: none
    Register this connection's addresses in DNS: unchecked
    Use this connection's DNS suffix in DNS registration: unchecked
    WINS tab: Enable LMHOSTS lookup: unchecked
    Enable NetBIOS over TCP/IP: unchecked
    Disable NetBIOS over TCP/IP: checked

    Local Area Connection 2

    Properties:
    Client for Microsoft Networks: checked
    Network Load Balancing: unchecked
    File and Printer Sharing: checked
    QoS Packet Scheduler: unchecked
    Microsoft Network Monitor 3 Driver: unchecked
    IPv4: checked
    Link-Layer Topology Discovery Mapper I/O Driver: checked
    Link-Layer Topology Discovery Responder: checked

    IPv4 tab:
    LAN NIC: 192.168.0.101
    Mask: 255.255.255.0
    Gateway: 192.168.0.1

    Under the Advanced tab:
    IP settings: the same as the IPv4 tab, with automatic metric checked
    DNS tab:
    Append primary and connection specific DNS suffixes: checked
    Append parent suffixes of the primary DNS suffix: unchecked
    Append these DNS suffixes: none
    Register this connection's addresses in DNS: checked
    Use this connection's DNS suffix in DNS registration: checked
    WINS tab: Enable LMHOSTS lookup: unchecked
    Enable NetBIOS over TCP/IP: checked
    Disable NetBIOS over TCP/IP: unchecked

    RRAS installed as NAT, with no DHCP requirement (not installed), on the idea that RRAS will hand out the private IP addresses as the DHCP allocator.

    In any case, for the beginning, I have a fixed IP and do not get an IP automatically.

    At this point, the simplest possible configuration for RRAS is as follows:

    Local Area Connection 3, which corresponds to the WAN interface IP:

    "NAT configured for the following Internet interface: Local Area Connection 3.
    The clients on the local network will be assigned IP addresses from the following range:
    network address: 192.168.0.0, netmask 255.255.0.0."

    After Windows RRAS is open:

    The Network Interfaces tab:
    NICs are enabled and connected;

    Remote Access Logging & Policies:
    Launch NPS,
    on the NPS server tab:
    Register server in Active Directory: successful;
    Properties: authentication: ports 1812, 1645
    accounting: ports 1813, 1646;
    on the accounting tab: nothing;
    under NPS policies:
    Grant permission for the RRAS server under the builtin\Administrator accounts;
    On the policy, the server type is unspecified (NAT does not exist as an entry in the server drop-down list)
    under static routes: nothing;
    under the IPv4 tab both are there (with IP) and are up
    under NAT:
    Local Area Connection 3: public interface connected to the internet
    enable NAT on this interface:
    under the address pool: the ISP's public addresses (two addresses)
    under services and ports: Web server: http 80.
    (I have a static IP address for the client computer in mind; I set up a single client.)

    At the client computer:
    configured as a domain client and added to AD Users and AD Computers
    logon to the domain:

    Local Area Connection
    Properties:
    Client for Microsoft Networks: checked
    Network Load Balancing: unchecked
    File and Printer Sharing: checked
    QoS Packet Scheduler: checked
    Microsoft Network Monitor 3 Driver: unchecked
    IPv4: checked
    Link-Layer Topology Discovery Mapper I/O Driver: checked
    Link-Layer Topology Discovery Responder: checked

    IPv4 tab:
    Host IP: 192.168.0.101
    Mask: 255.255.0.0
    Gateway: 192.168.0.1
    DNS: (auto-added, the same as the local machine).

    Under the Advanced tab:
    IP settings: the same as the IPv4 tab, with automatic metric checked
    DNS tab:
    Append primary and connection specific DNS suffixes: checked
    Append parent suffixes of the primary DNS suffix: unchecked
    Append these DNS suffixes: none
    Register this connection's addresses in DNS: checked
    Use this connection's DNS suffix in DNS registration: checked
    WINS tab: Enable LMHOSTS lookup: unchecked
    Enable NetBIOS over TCP/IP: checked
    Disable NetBIOS over TCP/IP: unchecked

    Right now the 192.168.0.101 client cannot connect to the internet through RRAS.

    This issue is beyond the scope of this site and must be posted on TechNet or MSDN:

    http://social.technet.Microsoft.com/forums/en-us/home

    http://social.msdn.Microsoft.com/forums/en-us/home

  • I'd like to find the password for my Cisco router

    I can't connect to my network wirelessly on my e-reader, because I don't know the password when asked.

    Reading the manual for the device (Cisco router) should tell you what the default password is to manage the router (if this does not work... it should tell you how to reset the router to defaults, so you can use the default password to reconfigure it), so you can go and change the wireless access password to something you know.

  • Printer won't talk to newly installed router

    Printer Photosmart B110, Mac OS X 10.7.3, won't talk any more; it needs the router passphrase, what is it?

    Hello high-Legh

    Was your previous router password protected? Sounds like your new one is and it needs to connect to the router. If you do not know the password for the router, I suggest asking the person who set up the new router. Otherwise, you can get it using the HP Network Diagnostic Utility. You can find it at the link below.

    To find your WPA or WEP key, you can run the program and select Tools on the left. Then on the right there should be a button "Recover WPA/WEP". A window should appear and you should see another button labeled "Show wireless password". This should be the password for your network.
    http://h10025.www1.HP.com/ewfrf/wc/softwareDownloadIndex?cc=us&LC=en&softwareitem=MP-96434-1

  • Cisco Linksys E1000 wireless router

    A friend of my sister bought a Cisco router (see the above subject line). Unfortunately, I was not home at the time. Currently, there is a desktop wired to the router and a laptop with a Wi-Fi connection. The person who set up the router forgot the username and the password of the router (didn't even bother to write this info down). I brought my laptop computer home from work, where I had a connection to the internet/router. On my laptop (Dell business class), I can see the two wireless connections (secured and unsecured guest). When I try to connect to the secure connection I do not get any security screen, connection prompt, etc. It said something like 'try to check the security info' - I do not remember the exact verbiage. Anyway, I cannot connect. The signal strength is strong - the bars are green. I can connect to the guest connection; I am never prompted for any connection or security info. Running the ipconfig /all command confirms the connection. I still have no internet access. Don't know why, but the signal strength reads 'poor' - a single green bar (while the secure connection shows all the green signal strength bars). I have installed / configured several wireless routers - never had a problem. I need to recover the router connection info without having to perform a hard reset on the router (I have limited access in my sister's/partner's house where the router is). Is there a way to do it? I spoke twice to Cisco technical support and received two different answers (not consistent with the first call: open Explorer, go to Programs/Cisco for the info. This must be done on the computer that was used to install the Cisco installation disc). Help, please!

    There are a lot of things I want to share with you on your E1000 router installation:

    1. The E1000 comes with an installation CD that has Cisco Connect (the icon looks like a house) to easily manage your wireless network (you can easily get your password from Cisco Connect). Cisco Connect (CCC) is generally accessible on the computer that was first used to install the router (maybe this is why the tech asked you to go to the computer used to install it).

    2. The E1000 broadcasts 2 signals: the main network and the guest network. Once you click on the network name, you can easily connect; the guest network seems to be unsecured, however, when you access a web site you will be asked for a password. Always secure your line.

    3. You can actually access the internet, not wirelessly but by cable to the router.

    4. If you don't have the computer used to install the router, you must reconfigure it, and the first thing to do is to reset the router. You must configure it manually if you do not have the installation CD.

    You can try these links:

    Setting up a Linksys router for a DSL Internet connection

    Setting up a router with cable Internet service

  • PowerConnect 6248 switch to Cisco router

    Hello

    I'm new to this forum and I have a problem at the moment between a Cisco router and a Dell PC6248. The problem is that I lose connectivity in VLAN 1 when I connect the router to a trunk port on the switch; however, I have connectivity to VLAN 2 through this trunk link. The configuration of the switch:

    interface ethernet 1/g48
    switchport mode trunk
    switchport trunk allowed vlan add 1-2
    exit

    interface ethernet 1/g43
    switchport mode access
    switchport access vlan 2
    exit

    On the router:

    interface FastEthernet0/1
    no ip address
    no shutdown

    interface FastEthernet0/1.1
    encapsulation dot1q 1 native
    ip address 192.200.3.1 255.255.255.0

    interface FastEthernet0/1.2
    encapsulation dot1q 2
    ip address 192.168.51.33 255.255.255.248
    exit

    With the above configuration, I lose connectivity with the hosts in VLAN 1 - 192.200.3.x/24, but I gain connectivity to VLAN 2, when I connect the router to trunk port 48 on the switch. This means that the trunk link works for VLAN 2 but not for VLAN 1.

    I read about the general port mode, where I can configure the PVID of the port as 1 (vlan1) and it would be the untagged VLAN (like native in Cisco), and I can configure VLAN 2 as tagged, all on the same port. What do you think about this? Has someone set up something like that?

    Best regards

    Erasmo

    PS: I write from Chile, I apologize for my English.

    I agree with you, I would try the general mode on the PowerConnect switch.

    console# switchport mode general
    console# switchport general allowed vlan add 2 tagged
    console# switchport general pvid 1

    Keep us updated.

  • Cisco router WiFi does not work after the power was turned off

    I have a Cisco router that worked very well until someone turned off the power for a few minutes. I tried unplugging the modem, the router and the laptop and waited a bit. Then I turned on the modem, then the router, then my laptop, but it is still not communicating with the modem. I can use the modem with a wired connection to the laptop but need the WiFi as well so others can use it. Help, please.

    You need to contact support for your Cisco router. It looks like it might have been reset and needs to be set up again.

  • Cisco router 892 IPsec initiator?

    Hi all!

    I have an IPsec tunnel between a Cisco 892 router (c890-universalk9-mz.154-3.M4.bin) and a Cisco PIX 515E (ver. 8.0(4)28) with 5 subnets behind the PIX.

    The PIX is configured with a bidirectional connection type, but the router does not support that =)

    So, when I generate interesting traffic from hosts behind the router, IPsec does not work. When I generate traffic from hosts behind the PIX, everything works, but I need to be the initiator on the router side :-(

    Is there a way to make my Cisco 892 router the IPsec tunnel initiator to work with the Cisco PIX / ASA?

    I'm afraid I should replace the router with another device =(

    Thank you!

    Hi Yura Kazakevich,

    Try to enable PFS on the router:

    crypto map SDM_CMAP_1 1 ipsec-isakmp
    set pfs

    Hope this info helps!

    Rate if it helps!

    -JP-

  • Internal and external clients see the Cisco router certificate, NOT the Exchange SSL certificate

    Cisco 876 Integrated Services Router (ISR)
    Exchange Server 2010 SP1

    Clients: Outlook 2013, OWA, ActiveSync WP7/WP8 (?)

    We put in place a new Cisco ISR. Almost everything works fine, with a few exceptions. Exchange e-mail stopped altogether for several days until I realized that I needed to forward the SMTP, HTTP and HTTPS ports from external to the Exchange Server. Now mail flow is fine, but...

    Every time I start Outlook, I get a certificate error. When I look at the certificate in the error popup, it actually points to the Cisco router's self-signed certificate. When we try to use the Windows phones, they get a "certificate error" and direct the user to the network administrator. Even with OWA: a certificate error, even if it can be "accepted" / overridden.

    Each client can still work, with the exception of the Windows phones. In Outlook and OWA, mail is still sent and received, but the wrong certificate must be accepted manually before the client carries on, and then it takes a little longer to load.

    Any ideas?

    I did port forwarding on ports 25, 80 and 443. Again, I did it yesterday and now mail seems to flow, whereas before, even if we could get into the client with the certificate error, messages were not received. (There was also a problem with mail not passing, but that was due to our mail relay provider and was fixed yesterday as well...)

    Everything worked fine with the previous router (obviously). It was a high-end consumer-level Fritz!Box, commonly used in Germany. I also had to allow ports through that box, not unlike using the ip nat inside static commands on the 876, but I don't know what it could have allowed on its own or why the ISR is hijacking the Exchange Server's SSL certificate request.

    Thanks in advance for any help.

    jeremyNLSO
    CCNA Routing & Switching, CCNA Security
    MCITP, MCTS
    Berlin, Germany

    We actually figured this out today. The internal DHCP server was distributing a public DNS server as well as the internal DNS. The internal DNS timed out, the client got the external IP address from the public DNS, and it received the unexpected cert from the router. Once we removed the public DNS servers from the DHCP server and used only the in-house DNS servers, the issue went away. Logical, after we realized what was going on.

  • How to distinguish the physical interface and the logical (subinterface) interface on a Cisco router/switch?

    Hi Expert,

    How to distinguish the physical interface and the logical (subinterface) interface on a Cisco router/switch? Can you please clarify a formal way to do this?

    A physical interface is numbered with the same interface name that is printed on the physical port. For example "GigabitEthernet 0/1" corresponds to port 1 of module 0 (or the base unit).

    A logical interface can be a subinterface on a routed port and will have a dot (".") preceding the subinterface number (e.g. GigabitEthernet 0/1.1). It can also be a loopback or a virtual interface (on a router this could also include interface types like tunnel and virtual tunnel or VTI). A switch may also have VLAN logical interfaces (e.g. interface vlan 1) which are used as layer 3 virtual interfaces.

  • No network on computer - 2 routers, 1 non-Cisco router.

    Hi guys!

    I hope someone can help me with that.
    First some information about what hardware I have.
    I have a Cisco 860VAE router; I didn't get a console cable (so I'm connected via telnet). I also have a home router (got it from my ISP).

    I use the router I have from my TV service provider, so I can't just remove it... boring...
    I got the Cisco router because I am a Cisco CCNA student at my school (first year) and I thought it might be cool to use NetFlow.

    The router I got from my ISP is quite advanced, so not a lot of options here. In any case, it uses the 10.0.0.0/8 IP range.
    Then my Cisco router uses the IP range 192.168.1.0/24.

    The problem is that I can't connect to the internet from my computer (I know...)

    Let me show you my running config (remember I'm NEW):

    Current configuration : 2500 bytes
    !
    ! Last configuration change at 18:04:48 UTC Wed Jan 15 2014 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    no logging buffered
    enable secret 4 tnhtc92DsfdXBhelxjLWJy3243i4ntXrpb4RdfFmfqY
    !
    no aaa new-model
    wan mode ethernet
    !
    !
    !
    ip dhcp pool ccp_pool
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 8.8.8.8 8.8.4.4
    !
    !
    !
    !
    ip flow-cache timeout active 1
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    no ipv6 cef
    !
    !
    !
    !
    !
    username admin privilege 15 secret 4 lUgFIkgcrt4SYXMq7jZtxq52lwdfgkj238
    !
    !
    controller VDSL 0
     shutdown
    !
    !
    !
    !
    !
    interface Loopback0
     ip address 11.0.0.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Loopback1
     no ip address
    !
    interface ATM0
     no ip address
     shutdown
     no atm ilmi-keepalive
    !
    interface Ethernet0
     no ip address
     ip flow ingress
     ip flow egress
     shutdown
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 2
     no ip address
     spanning-tree portfast
    !
    interface GigabitEthernet0
     description $ETH-WAN$
     ip address 10.0.0.1 255.0.0.0
     ip flow ingress
     ip flow egress
     duplex auto
     speed auto
    !
    interface Vlan1
     ip address 192.168.1.1 255.255.255.0
     ip flow ingress
     ip flow egress
    !
    interface Vlan2
     no ip address
     ip flow ingress
     ip flow egress
    !
    interface Dialer0
     no ip address
     ip flow ingress
     ip flow egress
    !
    router rip
     version 2
     network 10.0.0.0
     network 192.168.1.0
     no auto-summary
    !
    ip default-gateway 10.0.0.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip flow-capture vlan-id
    ip flow-export source Vlan1
    ip flow-export version 9
    ip flow-export destination 192.168.1.3 9991
    !
    ip route 0.0.0.0 0.0.0.0 10.0.0.100
    ip route 10.0.0.0 255.0.0.0 GigabitEthernet0
    ip route 192.168.1.0 255.255.255.0 Vlan1
    !
    mac-address-table aging-time 15
    !
    snmp-server community public RW
    snmp-server community public RO
    snmp-server ifindex persist
    snmp-server enable traps config
    snmp-server host 10.0.0.3 version 2c public
    !
    control-plane
    !
    banner login ^C*CISCO*^C
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 60 0
     password cisco
     logging synchronous
     login local
     transport input telnet
    !
    scheduler allocate 60000 1000
    !
    end

    I haven't CHANGED anything!
    Some of it was just guesswork...

    When I try to PING Google's DNS (IP: 8.8.8.8) from the router I get
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

    When I try to PING Google's DNS from my own computer, I get
    Request timed out.
    Request timed out.
    Request timed out.

    My Cisco router IP: 192.168.1.1 (vlan1), 10.0.0.1 (gigabitethernet/WAN)
    My IP from the ISP router: 10.0.0.100
    My computer IP: 192.168.1.3, gateway: 192.168.1.1

    Trying to draw my topology in text: ISP -> ISP router -> switch -> Cisco router -> workstation

    It's not like I can configure RIP on my ISP router... ? And BTW, my Cisco router only supports RIP as the routing protocol.
    So what should I do?

    You need to configure NAT on the Cisco. I'm assuming that the ISP router connects to G0 on the Cisco. The ISP router probably does not know about your 192.168.1.0/24 subnet, and you can't NAT several subnets on their router anyway. You need to NAT to the 10.0.0.0/8 address on the Cisco.

    access-list 100 permit ip 192.168.1.0 0.0.0.255 any

    ip nat inside source list 100 interface g0 overload

    int g0

    ip nat outside

    int vlan 1

    ip nat inside

    Get rid of these:

    ip route 10.0.0.0 255.0.0.0 GigabitEthernet0

    ip route 192.168.1.0 255.255.255.0 Vlan1

    You don't need them because these two subnets will be seen as connected routes.


    You will also need to add a default router in your DHCP pool:

    ip dhcp pool ccp_pool

    default-router 192.168.1.1

    And you can get rid of this line as well:

    ip default-gateway 10.0.0.100


    HTH,
    John

    Please rate all helpful posts.
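    The NAT overload (PAT) fix described in the reply above, as an added example that is not code from the original thread or from Cisco: a small Python model of what "ip nat inside source list 100 interface g0 overload" does to a packet leaving through G0 and to its reply. The Cisco's addresses (10.0.0.1 on G0, 192.168.1.3 for the workstation) follow the poster's description; the ISP router's routing table (a 10.0.0.0/8 link and a default route, no route for 192.168.1.0/24) is an assumption, constructed to show why the reply is lost without NAT.

```python
# Added illustration of the NAT overload (PAT) fix from the reply above; this is
# not code from the original thread or from Cisco.  Addresses, ports and the
# ISP router's routing table are constructed assumptions.
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatRouter:
    """Models 'ip nat inside source list <acl> interface g0 overload':
    inside sources matched by the ACL share the outside interface address
    and are told apart by the translated source port."""

    def __init__(self, acl_networks, outside_ip, first_port=1024):
        # ACL 100 in the reply is 192.168.1.0 0.0.0.255; ipaddress accepts
        # the IOS wildcard directly as a host mask.
        self.acl = [ipaddress.ip_network(n, strict=False) for n in acl_networks]
        self.outside_ip = outside_ip
        self.next_port = count(first_port)
        self.table = {}    # (inside_src, inside_sport) -> outside_sport
        self.reverse = {}  # outside_sport -> (inside_src, inside_sport)

    def permitted(self, src):
        return any(ipaddress.ip_address(src) in net for net in self.acl)

    def outbound(self, pkt):
        """Inside -> outside: rewrite the source if the ACL permits it,
        reusing an existing translation for the same inside (addr, port)."""
        if not self.permitted(pkt.src):
            return pkt                      # no ACL match: forwarded untranslated
        key = (pkt.src, pkt.sport)
        if key not in self.table:
            port = next(self.next_port)
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.outside_ip, self.table[key], pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Outside -> inside: map the reply back; anything without a
        translation entry is dropped (returned as None)."""
        if pkt.dst != self.outside_ip or pkt.dport not in self.reverse:
            return None
        src, sport = self.reverse[pkt.dport]
        return Packet(pkt.src, pkt.sport, src, sport)


# Constructed ISP router: it has the 10.0.0.0/8 link toward the Cisco's G0 and a
# default route upstream, but no route for 192.168.1.0/24.
ISP_ROUTES = [(ipaddress.ip_network("10.0.0.0/8"), "cisco-g0"),
              (ipaddress.ip_network("0.0.0.0/0"), "upstream")]


def isp_next_hop(dst):
    """Longest-prefix match over the constructed ISP routing table."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in ISP_ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def demo():
    """Walk a DNS query from 192.168.1.3 out through the Cisco and back."""
    router = PatRouter(["192.168.1.0/0.0.0.255"], "10.0.0.1")
    query = Packet("192.168.1.3", 51000, "8.8.8.8", 53)
    on_wire = router.outbound(query)              # src becomes 10.0.0.1:1024
    reply = Packet("8.8.8.8", 53, on_wire.src, on_wire.sport)
    delivered = router.inbound(reply)             # dst restored to 192.168.1.3:51000
    return {
        "translated": on_wire,
        "returned": delivered,
        # Where the ISP sends the reply with PAT (to the Cisco) and without it
        # (toward the Internet, where 192.168.1.3 is unreachable):
        "isp_with_pat": isp_next_hop(reply.dst),
        "isp_without_pat": isp_next_hop(query.src),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    The model keeps the two halves of the translation in separate dictionaries so that the reply lookup is by outside port alone, which is exactly why a packet arriving at 10.0.0.1 on a port nobody translated is dropped rather than forwarded into the LAN. Sources outside ACL 100 pass through untranslated, which is the behaviour the reply relies on when it says the two subnets are connected routes.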

  • L2TP/IPsec passthrough on a Cisco router firewall

    Hello! I have the following problem.

    External users want to connect to the internal network and use the Windows 2012 shared resources (start software, files, etc.).

    So it's time to deploy a VPN server, and as I did not have a free license to run one on my Windows 2012, I decided to use my QNAP for it (because it has this built-in feature). So I chose L2TP/IPsec, tested it in my lab at home with a simple TP-Link router with the UPnP function, and it worked like a charm.

    However, in the real production environment I need to use the Cisco router, and this is how the story begins ;)

    So clients with their machines (say Windows 7, 8.1, 10) must pass the Cisco router (with NAT) firewall and reach the VPN server on the QNAP and the internal network.

    I googled for sample configurations, but most of them relate to configuring the router as a VPN server, and what I want to achieve is to make my router pass VPN traffic. I found a similar sample PPTP config and modified it a bit, but I don't know if it works because I have not tested it yet.

    Anyway, could you check my config and see if it's OK? Should I be doing a static NAT for the VPN server 192.168.5.253 to the external address?

    Also, here is a short diagram:

    VPN client (Win 7, 8, 10) --- cloud --- Cisco 1921 router (xxx.194 outside, 5.254 inside) --- QNAP VPN server (5.253, internal network)

    test#show run
    Building configuration...

    Current configuration : 3611 bytes
    !
    ! Last configuration change at 19:31:01 UTC Wed May 4 2016
    !
    version 15.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname test
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret $5
    !
    no aaa new-model
    !
    ip dhcp excluded-address 192.168.5.200 192.168.5.254
    ip dhcp excluded-address 192.168.5.1 192.168.5.189
    !
    ip dhcp pool network
    network 192.168.5.0 255.255.255.0
    default-router 192.168.5.254
    domain-name network
    dns-server xxx.x.xxx.244
    !
    ip domain name temp
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    cts logging verbose
    !
    license udi pid CISCO1921/K9 sn xxxxxx
    license boot module c1900 technology-package securityk9
    !
    username abc secret 5
    username cisco privilege 15 password 7
    !
    redundancy
    !
    ip ssh version 2
    !
    class-map type inspect match-any cm_helpdek_protocols
    match protocol http
    match protocol https
    match protocol ssh
    class-map type inspect match-all cm_gre_protocols
    match access-group name GRE
    class-map type inspect match-all cm_icmp
    match access-group name icmp
    class-map type inspect match-any cm_helpdesk
    match access-group name helpdesk
    class-map type inspect match-any inside_to_outside
    match protocol h323
    match protocol pptp
    match protocol ftp
    match protocol tcp
    match protocol udp
    match protocol icmp
    !
    policy-map type inspect pm_outside_to_inside
    class type inspect cm_gre_protocols
    pass
    class type inspect cm_icmp
    inspect
    class type inspect cm_helpdesk
    inspect
    class class-default
    drop log
    policy-map type inspect pm_inside_to_outside
    class type inspect inside_to_outside
    inspect
    class type inspect cm_gre_protocols
    pass
    class class-default
    drop log
    !
    zone security inside
    description inside trusted zone
    zone security outside
    description outside untrusted zone
    zone-pair security zonep_insiede_to_outside source inside destination outside
    service-policy type inspect pm_inside_to_outside
    zone-pair security zonep_outside_to_inside source outside destination inside
    service-policy type inspect pm_outside_to_inside
    !
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    !
    interface GigabitEthernet0/0
    description LAN
    ip address 192.168.5.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security inside
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1
    description WAN CID: xxxxx
    ip address xxx.xxx.xxx.194 255.255.255.252
    ip nat outside
    ip virtual-reassembly in
    zone-member security outside
    duplex auto
    speed auto
    !
    ip forward-protocol nd
    !
    ip http server
    ip http authentication local
    no ip http secure-server
    !
    ip nat pool network xxx.xxx.xxx.201 xxx.xxx.xxx.201 netmask 255.255.255.248
    ip nat inside source list 1 pool network overload
    ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
    !
    ip access-list extended GRE
    remark ACL to allow GRE for PPTP OUTBOUND
    permit gre any any
    permit udp any any eq 1701
    permit udp any any eq isakmp
    permit udp any any eq non500-isakmp
    ip access-list extended helpdesk
    permit ip any host 192.168.5.253
    ip access-list extended icmp
    permit icmp any host 192.168.5.253
    !
    access-list 1 permit 192.168.5.0 0.0.0.255
    !
    control-plane
    !
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport output pad telnet rlogin xxxxx
    stopbits 1
    line vty 0 4
    login local
    transport input telnet ssh
    !
    scheduler allocate 20000 1000
    !
    end

    Kind regards

    Andrew

    Once the client has connected to the VPN, you want the return traffic to flow back to the client, which is easily achieved with "inspect".

    And from the firewall's point of view, you do not have ESP traffic (which would be IP/50). You only have UDP traffic (initially UDP/500, which then moves into UDP/4500).

    And you are right about your last ACE. That one is far too permissive and not necessary for this function.

  • Cisco router: access the outside interface from the local network

    Hi all!

    I have a Cisco 892 router (c890-universalk9-mz.154-3.M4.bin) with a zone-based firewall and policy-based routing.

    Everything works fine, but now I need to be able to access the router's external interface IP from LAN addresses.

    For example, I PAT 192.168.4.1 port 8443 to the outside interface IP (93.93.93.2 for example) and I need to be able to check 93.93.93.2:8443 from the LAN.

    ! PAT:

    ip nat inside source static tcp 192.168.4.1 8443 93.93.93.1 8443 route-map SDM_RMAP_1 extendable

    ! Dynamic NAT to the Internet:

    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload

    ! Route map for NAT:

    route-map SDM_RMAP_1 permit 10
    match ip address 101
    match interface GigabitEthernet0

    ! ACL 101 for the route map:

    access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
    access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
    access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
    access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
    access-list 101 permit ip 192.168.3.0 0.0.0.255 any
    access-list 101 permit ip 192.168.4.0 0.0.0.255 any

    ! ACL on the external interface:

    ip access-list extended gi0-in
    permit ip any any
    permit icmp any any

    ! External interface:

    interface GigabitEthernet0
    description $ETH-WAN$
    ip address 93.93.93.1 255.255.255.240
    ip access-group gi0-in in
    ip nat outside
    ip virtual-reassembly in
    zone-member security WAN
    ip tcp adjust-mss 1452
    duplex auto
    speed auto
    crypto map SDM_CMAP_2

    ! Inside DMZ VLAN interface:

    interface Vlan4
    ip address 192.168.4.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    zone-member security DMZ
    ip tcp adjust-mss 1452

    ! Allow outbound traffic from the DMZ to the Internet:

    ip access-list extended Allow_All_ACL-DMZ
    permit esp any any
    permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
    deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
    deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
    permit icmp 192.168.4.0 0.0.0.255 any
    permit ip 192.168.4.0 0.0.0.255 any

    ! Allow incoming traffic from the Internet to the DMZ:

    ip access-list extended WAN_DMZ_ACL
    permit tcp any any established
    permit tcp any any eq ftp
    permit tcp any any eq 990
    permit tcp any any range 51000 53000
    permit tcp any any eq 995
    permit tcp any any eq 465
    permit tcp any any eq www
    permit tcp any any eq 443
    permit icmp any any
    permit esp any any
    permit udp any any eq non500-isakmp
    permit ip host 212.98.162.139 192.168.4.0 0.0.0.255
    permit ip 81.30.80.0 0.0.0.255 any
    permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255
    permit ip host 172.16.194.100 192.168.4.0 0.0.0.255
    permit ip host 172.31.255.1 192.168.4.0 0.0.0.255
    permit ip host 172.31.255.1 host 172.17.193.100
    deny ip any any

    ! Zone-based firewall:

    class-map type inspect match-all DMZ_WAN_CLASS
    match access-group name Allow_All_ACL-DMZ

    class-map type inspect match-all WAN_DMZ_CLASS
    match access-group name WAN_DMZ_ACL

    policy-map type inspect DMZ_WAN_POLICY
    class type inspect DMZ_WAN_CLASS
    inspect
    class class-default
    drop

    policy-map type inspect WAN_DMZ_POLICY
    class type inspect WAN_DMZ_CLASS
    inspect
    class class-default
    drop

    zone security DMZ

    zone security WAN

    zone-pair security WAN_DMZ source WAN destination DMZ
    service-policy type inspect WAN_DMZ_POLICY
    zone-pair security DMZ_WAN source DMZ destination WAN
    service-policy type inspect DMZ_WAN_POLICY

    Maybe someone can help me make the Cisco allow access to the outside ports from the LAN using NAT?

    I did this on Mikrotik easily = |

    It is due to the fact that they do not allow "hairpinning" by default; once this is configured, it will work.

    Martin
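    An added example covering two of the threads above, the GRE access list of the L2TP/IPsec passthrough question and the WAN_DMZ_ACL of the hairpin question; it is not code from the original posts or from Cisco. It is a small Python evaluator for IOS extended ACL syntax (first match wins, implicit deny at the end, wildcard masks, eq/range port operators, the established keyword) that replays constructed flows against both ACLs and lists the entries that permit a whole protocol from anywhere to anywhere, which is what a reviewer checks first. Assumptions: the ACE strings are given in router order, only the keywords used on this page are handled, and the client addresses in the flows are made up. It does not model NAT order or the stateful inspect action of the zone-based firewall; it shows what the ACL alone decides.

```python
# Added illustration for the two threads above (the GRE ACL of the L2TP/IPsec
# pass-through question and the WAN_DMZ_ACL of the hairpin question); not code
# from the original posts or from Cisco.  ACEs are given as strings in router
# order using only the keywords seen on this page; the flows are constructed.
import ipaddress
from collections import namedtuple

PORT_NAMES = {"ftp": 21, "www": 80, "isakmp": 500, "non500-isakmp": 4500}
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "gre"}
ANY = ipaddress.ip_network("0.0.0.0/0")
# established: TCP segment carrying ACK or RST, i.e. part of an existing session
Flow = namedtuple("Flow", "proto src dst sport dport established", defaults=(0, 0, False))
Ace = namedtuple("Ace", "action proto src sports dst dports established text")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _addr(toks):
    """Consume 'any' | 'host A' | 'A WILDCARD'; IOS wildcards are host masks."""
    if toks[0] == "any":
        return ANY, toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    return ipaddress.ip_network(f"{toks[0]}/{toks[1]}", strict=False), toks[2:]

def _ports(toks):
    """Consume an optional 'eq P' or 'range LO HI' operator -> (lo, hi) or None."""
    if toks and toks[0] == "eq":
        return (_port(toks[1]), _port(toks[1])), toks[2:]
    if toks and toks[0] == "range":
        return (_port(toks[1]), _port(toks[2])), toks[3:]
    return None, toks

def parse_acl(lines):
    """Parse extended-ACL lines (remarks skipped) into Ace tuples in router order."""
    aces = []
    for line in lines:
        toks = line.split()
        if not toks or toks[0] == "remark":
            continue
        action, proto, rest = toks[0], toks[1], toks[2:]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError("unsupported ACE: " + line)
        src, rest = _addr(rest)
        sports, rest = _ports(rest)
        dst, rest = _addr(rest)
        dports, rest = _ports(rest)
        aces.append(Ace(action, proto, src, sports, dst, dports, rest[:1] == ["established"], line))
    return aces

def _in_range(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def matches(ace, flow):
    """IOS semantics: protocol 'ip' covers everything; 'established' needs a TCP ACK/RST."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ace.src or ipaddress.ip_address(flow.dst) not in ace.dst:
        return False
    if not (_in_range(ace.sports, flow.sport) and _in_range(ace.dports, flow.dport)):
        return False
    return not ace.established or (flow.proto == "tcp" and flow.established)

def evaluate(aces, flow):
    """First matching ACE decides; nothing matched means the implicit deny."""
    for ace in aces:
        if matches(ace, flow):
            return ace.action, ace.text
    return "deny", "implicit deny"

def wide_open(aces):
    """Permit ACEs for a whole protocol, any to any, with no port or state restriction."""
    return [a.text for a in aces if a.action == "permit" and a.src == ANY and a.dst == ANY
            and a.sports is None and a.dports is None and not a.established]

# The GRE ACL of the pass-through thread and WAN_DMZ_ACL of the hairpin thread, in IOS syntax.
GRE_ACL = parse_acl([
    "remark ACL to allow GRE for PPTP OUTBOUND", "permit gre any any",
    "permit udp any any eq 1701", "permit udp any any eq isakmp", "permit udp any any eq non500-isakmp"])
WAN_DMZ_ACL = parse_acl([
    "permit tcp any any established", "permit tcp any any eq ftp", "permit tcp any any eq 990",
    "permit tcp any any range 51000 53000", "permit tcp any any eq 995", "permit tcp any any eq 465",
    "permit tcp any any eq www", "permit tcp any any eq 443", "permit icmp any any", "permit esp any any",
    "permit udp any any eq non500-isakmp", "permit ip host 212.98.162.139 192.168.4.0 0.0.0.255",
    "permit ip 81.30.80.0 0.0.0.255 any", "permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255",
    "permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255", "permit ip host 172.16.194.100 192.168.4.0 0.0.0.255",
    "permit ip host 172.31.255.1 192.168.4.0 0.0.0.255", "permit ip host 172.31.255.1 host 172.17.193.100",
    "deny ip any any"])

if __name__ == "__main__":
    # Constructed flows: IKE (UDP/500) from a road-warrior to the QNAP, ESP from the same
    # client, and a new TCP connection from the Internet to the DMZ host's 8443 port.
    print(evaluate(GRE_ACL, Flow("udp", "198.51.100.7", "192.168.5.253", 500, 500)))
    print(evaluate(GRE_ACL, Flow("esp", "198.51.100.7", "192.168.5.253")))
    print(evaluate(WAN_DMZ_ACL, Flow("tcp", "203.0.113.5", "192.168.4.1", 40000, 8443)))
    print(wide_open(WAN_DMZ_ACL))
```

    Two things the replay makes visible that the configs alone do not: against the GRE ACL an ESP flow falls through to the implicit deny, which is consistent with the reply that a NAT-T client only ever presents UDP/500 and UDP/4500 to the firewall; and WAN_DMZ_ACL as posted has no entry for tcp/8443, so a fresh connection to that port ends on its final "deny ip any any" whichever way it arrives. The wide_open list is the same check the reply applies to the "far too permissive" ACE.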

  • AAA authentication on a Cisco router

    I want to create usernames and passwords with a privilege level for each user on a Cisco 3640 router. I don't have any authentication server, and I want to use the local database of the Cisco router to do this. Can someone suggest how I should proceed?

    Thanks in advance

    Hello

    If you want to create users in the local database of the router, you must use the following commands:

    username cisco privilege 5 password test

    aaa new-model

    aaa authentication login default local

    aaa authorization exec default local

    http://www.Cisco.com/univercd/CC/TD/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/scfathen.htm#12277

    Thank you

    Sujit
