|
jbiel posted:You are essentially firewall'd off, twice. Once by them and once by your ISA server. Ok, this makes perfect sense to me. Thanks for everyone's comments.
|
# ? Feb 5, 2008 21:08 |
|
|
Campbell posted:I've been advised that I need to get a Cisco 2620 to handle the Ethernet Handoff from our ISP. If your ISP is handing you ethernet, presumably copper ethernet, simply buy a Cisco 871. They're about $400 from CDW. Sure, you could buy a 2621, which has two ethernet ports, but I wouldn't bother- the 871 is newer, has better code, and is much less noisy.
|
# ? Feb 5, 2008 23:06 |
|
The setup this ISP has given me is weird. This router is supposed to route the WAN IP they gave me into a usable IP block on a totally different subnet. Will the 871 accomplish this so that I can have it sit like this: Handoff 65.x.x.1 <-> 65.x.x.2 (Cisco 871) 66.x.x.1 <-> 66.x.x.2 (Nat/Firewall) 192.168.x.x Getting thrown into IT situations totally out of your depth is fun...right?
|
# ? Feb 6, 2008 03:38 |
|
Campbell posted:The setup this ISP has given me is weird. This router is supposed to route the WAN IP they gave me into a usable IP block on a totally different subnet. What they are going to do is build a /30 between you and them, and then also route whatever netblock you have down that /30, common practice with some ISPs. I believe the 871 is set up the same way as the 851 I installed at my wife's church. You can only build one routed interface on it and one single vlan interface.
|
# ? Feb 6, 2008 04:08 |
|
I don't have a question, rather a statement. Upgrading Call Manager is a long and worrisome process and overall a pain in the balls.
|
# ? Feb 6, 2008 04:10 |
|
jbiel posted:What they are going to do is build a /30 between you and them, and then also route whatever netblock you have down that /30, common practice with some ISPs. Yep that sounds totally right. So when you set up your 851, did you set it up like in my little chart and have a firewall sitting after the 851 that NAT'd out your usable netblock to whatever internal ports/IPs you wanted? Also, how difficult is setup on one of these guys?
|
# ? Feb 6, 2008 04:54 |
|
Campbell posted:Yep that sounds totally right. So when you set up your 851, did you set it up like in my little chart and have a firewall sitting after the 851 that NAT'd out your usable netblock to whatever internal ports/IPs you wanted? The 851 I set up, I have doing the ACL/NAT all in one. Setup can be easy via the SDM.
|
# ? Feb 6, 2008 05:52 |
|
Wow, VPNs have been a real pain in my butt lately, especially these two issues: 1) When I change the state of my vpnc connection (connecting or disconnecting), any ssh sessions I have running on my laptop (Kubuntu 7.10) completely freeze; the only thing I can do is close the terminal session tab. Anyone had similar experiences? 2) The Cisco SSL VPN client for Linux seems to work fine with Red Hat and OpenSuse 10.3, but if I use Ubuntu Gutsy, it refuses to work. I can connect to the vpn server just fine, but when I try to go ANYWHERE, website, pinging anything, I get nothing; no receiving traffic, no transmit traffic, beyond what it says I sent (typically ~6kB received) in the connection stats window. Again, anyone else have issues with this?
|
# ? Feb 7, 2008 02:30 |
|
I have a pretty simple question in theory but I'm having some real trouble with it. I have a Cisco ASA 5505 running 7.2(1). It's sitting behind a cable router set up in bridge mode. The issue is that I want to run a public server behind the firewall. I have it set up, however the captures show that all of the packets hit the firewall then drop like they have nowhere to go. They are not dropping due to the acl so I was thinking the NAT but I have a specific NAT tied to the external IP address back into my internal server IP address. I mean this isn't a difficult task at all... in fact it's the most basic and simple of tasks but it just will not work. Now my hunch is that there may be some issue with only having an outside interface ip pool of 1 for static NATing? <Cloud> -> Cable Bridge -> DHCP Outside interface -> NAT to internal IP / ACL allow -> Inside interface -> Server/Switch I mean I've watched the packets and the logs on the firewall and it points me straight at a NAT issue every time but nothing else has a problem traversing the interfaces except for these inbound connections.
|
# ? Feb 7, 2008 03:26 |
|
Have you tried running packet tracer to see what rule (or lack thereof) it points to as the problem? You're going to need a NAT rule, _and_ an incoming access rule on the Outside interface.
|
# ? Feb 7, 2008 03:53 |
|
reborn posted:I have a pretty simple question in theory but I'm having some real trouble with it. I have a Cisco ASA 5505 running 7.2(1). It's sitting behind a cable router set up in bridge mode. The issue is that I want to run a public server behind the firewall. I have it set up, however the captures show that all of the packets hit the firewall then drop like they have nowhere to go. They are not dropping due to the acl so I was thinking the NAT but I have a specific NAT tied to the external IP address back into my internal server IP address. I mean this isn't a difficult task at all... in fact it's the most basic and simple of tasks but it just will not work. You are going to have to allow the port(s) you are NAT'ing to the outside interface acl. I am not sure where your acl is just yet. code:
|
# ? Feb 7, 2008 03:55 |
|
Herv posted:You are going to have to allow the port(s) you are NAT'ing to the outside interface acl. I am not sure where your acl is just yet. code:
|
# ? Feb 7, 2008 05:19 |
|
OK the one x factor is I don't use these things in Bridged mode, just Routed. I was assuming that traffic was working outbound, and that inbound port forwarding wasn't. Looking at the config, I am surprised it is working at all, but this may be due to 'bridged mode'. Having said that (could all be wrong based on that one fact) looking at the config you are NAT'ing the entire outside interface to the 192.168.1.29 host. Normally on single IP interfaces you would do a static tcp map. code:
code:
I don't see a NAT 1 statement to correspond with your GLOBAL 1. poo poo, not sure if that is due to bridged, but there should be a code:
The Global 2 is another weird one, but we can leave that alone for now. I never use outbound access lists, but I am not sure about your local living arrangements and such. Hope this helps a bit.
|
# ? Feb 7, 2008 07:41 |
|
Ignore the router being in bridged mode. Look at it this way. When I take the firewall out of the picture there are no issues. With the firewall in I have trouble but the packets are getting to the firewall. The blanket NAT really is just to cover my bases. I was beating my head against the wall so hard with this that I decided to take out all the random problems that could come up. I've tried a blanket ACL for all ports, I've tried the blanket NAT, and I've tried just about everything. I'll try adding a NAT 1 statement and narrowing my port NAT to the ports I need.
reborn fucked around with this message at 14:18 on Feb 7, 2008 |
# ? Feb 7, 2008 14:15 |
|
reborn posted:Ignore the router being in bridged mode. Look at it this way. When I take the firewall out of the picture there are no issues. With the firewall in I have trouble but the packets are getting to the firewall. The blanket NAT really is just to cover my bases. I was beating my head against the wall so hard with this that I decided to take out all the random problems that could come up. I've tried a blanket ACL for all ports, I've tried the blanket NAT, and I've tried just about everything. I'll try adding a NAT 1 statement and narrowing my port NAT to the ports I need. Oh, router in bridged mode. Once again, I misunderstood. The PIX/ASA can operate as a router or bridge, hehe. But let's keep it simple and not talk about bridging firewalls, they are too loving weird. Ok in a nutshell: NAT 1 statement will allow OUTBOUND connections, and it latches onto its corresponding GLOBAL 1 statement. This means that NAT 1 0.0.0.0 0.0.0.0 0 0 will allow ANY ip address behind the firewall to make an outbound connection, using the outside interface's IP address. Your 'blanket' NAT will actually break things if you only have one public ip address. Bottom line, you do not want to forward all 65535 TCP, UDP, and ALL IP PROTOCOLS from your ASA's outside interface to the inside PC. The ASA actually needs to receive some traffic, not forward it ALL to the inside PC. Hope this is becoming more clear. Having said that, do you see how weird your GLOBAL 2 is just sitting there, with no corresponding NAT statement. In fact, delete that poo poo. Take out the NAT statement you have, put in a nat 1 0.0.0.0 0.0.0.0 for the simplest version of that line. You should immediately be able to surf the web, if not blocked by ACL's. Now for inbound connections, make the TCP nat statements as needed. On both interfaces (just for troubleshooting) put PERMIT IP ANY ANY at the top of the ACL, use the GUI for this.
Once you know you can pass traffic put an ACL on the outside interface, BUT keep in mind it doesn't matter if you are NAT'ing a single IP address. If the port isn't NAT'd it's not going through. With wide open ACL's you are just left with NAT to govern the network traffic which is where your stick in the spokes is. This advice is now guaranteed(tm) seeing how your router is bridged and the firewall is in 'routed' mode. Just forget anything I said about a bridging firewall, they are just too fugggin weird and I was going to ask you what the gently caress you were doing with a bridging firewall on a home network, but nevermind that. Hope this gets yer ASA going, and if all else fails wipe it and use the setup wizard!
|
# ? Feb 7, 2008 14:57 |
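The NAT 1 / GLOBAL 1 pairing plus a single-port static that Herv describes, written out as a constructed ASA 7.2 configuration. This is an added example, not reborn's posted config or Herv's; the inside host 192.168.1.29 is taken from the thread, while the published service (TCP/80), the ACL name and the tracer source address are assumptions.

```cisco
! Constructed ASA 7.2(1) example of the thread's advice. Assumed: a single
! DHCP-assigned outside address, so "interface" stands in for the public IP
! in every translation; the inside host 192.168.1.29 publishes TCP/80 only.
!
! 1. Outbound PAT. The nat id (1) on the inside interface binds to the
!    global id (1) on the outside interface; every inside host leaves
!    through the outside interface address. The orphaned "global (outside) 2"
!    from the original config has no nat partner and is simply omitted.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! 2. Inbound. Map one port, not the whole interface: a blanket
!    "static (inside,outside) interface 192.168.1.29" would also hand the
!    ASA's own management, VPN and DHCP-client traffic to the inside host.
static (inside,outside) tcp interface 80 192.168.1.29 80 netmask 255.255.255.255
!
! 3. The outside ACL. Pre-8.3 code evaluates the ACL against the mapped
!    (public) address, so the rule references the interface, not 192.168.1.29.
!    No "permit ip any any" here: with only NAT left to govern what enters,
!    a wide-open ACL makes step 2 the sole line of defence.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 80
access-group OUTSIDE_IN in interface outside
!
! Existing translations survive a static change; clear them so the new
! mapping is what the next inbound SYN hits.
clear xlate
!
! Verification, as suggested earlier in the thread: replay a synthetic inbound
! SYN through the policy and read which phase (ACL, NAT, route) drops it.
! Replace <outside-ip> with the address the outside interface got from DHCP.
!   packet-tracer input outside tcp 198.51.100.10 40000 <outside-ip> 80
!   show xlate
!   show access-list OUTSIDE_IN
```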
|
I've got a 2801 router with a VWIC-2MFT-T1, two WIC-1DSU-T1-V2 cards, and a WIC-1ADSL card in it. For some reason it won't let me configure the t1 controller on the vwic. Every time I try to assign the timeslots it gives me this error:code:
code:
|
# ? Feb 14, 2008 20:09 |
|
Dumb question, but are all of those interface cards being used? What's the memory usage on the router look like?
|
# ? Feb 14, 2008 21:27 |
|
InferiorWang posted:Dumb question, but are all of those interface cards being used? What's the memory usage on the router look like? It's a 2801 with a stupid amount of ram for what we're doing (simple MLPPP + ADSL backup) code:
|
# ? Feb 14, 2008 23:35 |
|
CrazyLittle posted:How the hell do I get this thing working? http://www.cisco.com/en/US/docs/routers/access/1700/1721/software/feature/guide/t1e11721.html#wp144665 quote:Note When NMSI mode is configured, the controller will support only one channel-group. If you try to configure more than one channel-group, the following error message will occur: how's your clocking? post your config... network-clock-participate ? network-clock-select ?
|
# ? Feb 15, 2008 04:59 |
|
Midnj posted:http://www.cisco.com/en/US/docs/routers/access/1700/1721/software/feature/guide/t1e11721.html#wp144665 There are zero channel-groups created so far, so the link you posted isn't it. Also that's for a 1700 series router. The router I'm working on is a 2801. quote:no aaa new-model
|
# ? Feb 15, 2008 07:09 |
|
jwh posted:If your ISP is handing you ethernet, presumably copper ethernet, simply buy a Cisco 871. They're about $400 from CDW. Sure, you could buy a 2621, which has two ethernet ports, but I wouldn't bother- the 871 is newer, has better code, and is much less noisy. I am supposed to upgrade a customer to a metro ethernet connection to their remote sites and I'm not sure if the hardware/IOS can support it or not. They currently have 2611 routers running IOS 12.0 (28) in each of 7 sites. Each router currently has 1 ethernet LAN port which is connected to the interior. Will this setup support an ethernet WIC?
|
# ? Feb 15, 2008 21:26 |
|
Kreg posted:Each router currently has 1 ethernet LAN port which is connected to the interior. Will this setup support an ethernet WIC? The only WIC ethernet module I know of is the WIC-4ESW (a 4-port ethernet switch, which can do at least some kind of routing), but that would require an IOS upgrade to work. There is the WIC-1ENET 10Mbit one, but I don't think it works in the 2600. Is the NM slot available? If so, get a NM-1FE or NM-2FE2W or something. Can usually be found pretty cheap. I need to do some NAT stuff, and while I could easily have pulled it off on a big firewall, what I have to work with is a 2801 router and my IOS-fu is rather weak when it comes to NAT. Here is my artistic rendition of the situation: Fa0/0 = 192.168.10.17/24 (an internal transit network, where there are more routers with various nets) Fa0/1 = 10.161.17.1/25 (client network, private IP range assigned by partner company) Vlan93 = 10.161.7.3/29 (small handover network to some VPN gateway, which is not under my control). The interface itself is a SVI on a WIC-4ESW, shouldn't matter too much I hope. We have a bunch of clients on a network assigned to us by a partner company (which then leads on to a client, and that's the only network allowed in through their firewalls). I need to access a few of their systems from other parts of our internal network, and therefore need to NAT things to have it allowed in. Some parts of the traffic coming in on Fa0/0 to certain destinations (as specified/allowed by an access list) need to be NAT:ed, and the NAT source needs to be an address inside 10.161.17.0/25. I can steal a small subnet for this. There is another access list already for specifying what stuff between the 10.161.17.0/25 net and the external company is allowed. Traffic between the 10.161.17.0/25 and the rest of the internal network and to some other attached stuff is not to be NAT:ed, only traffic to a few specified destinations (those at the external company).
I guess I should specify a loopback interface with the NAT source address, and some clever access list trickery to specify what is allowed through and NAT:ed, but I'm not sure how it all fits together, or even if it is at all possible. Is it?
|
# ? Feb 17, 2008 21:40 |
|
CrazyLittle posted:I've got a 2801 router with a VWIC-2MFT-T1, two WIC-1DSU-T1-V2 cards, and a WIC-1ADSL card in it. For some reason it won't let me configure the t1 controller on the vwic. Every time I try to assign the timeslots it gives me this error: You can't use Slot0 for non-voice cards. http://www.cisco.com/en/US/docs/routers/access/2800/hardware/installation/guide/01_hw.html#wp1095473
|
# ? Feb 18, 2008 00:37 |
|
Tremblay posted:You can't use Slot0 for non-voice cards. aaaaah gently caress. I had a funny feeling it was this. thanks!
|
# ? Feb 18, 2008 20:00 |
|
What can cause a router to not see any CDP neighbors (and not show up on other routers)? I have a 2801 router, which simply doesn't see anyone else on CDP. I'm pretty sure it used to, but now it plain refuses to. It is actually the 2801 I'm having some NAT questions about. It has a twin brother (they serve the same client networks with HSRP), and that one looks just as it should. HSRP works fine, it seems to have settled down without any further errors. OSPF neighbors show up as they should, but CDP is completely silent. Looks like this: code:
Its counterpart ("router02") sees the CDP neighbors it should see on Fa0/0: code:
|
# ? Feb 18, 2008 21:49 |
|
This is a pretty simple question. I have little cisco knowledge, but I have noticed our AP1231G Aironet router is sending out a lot of bad packets. It currently has 114454 Total Output Errors, and running wifi utilities on our tablets show failed packets coming in. The firmware is 12.3(7)JA and I tried changing the channel, just in case. Should I update the software? Note: Specifically we are getting Header CRC errors. 1282533301 total 890 last 5 seconds
|
# ? Feb 19, 2008 01:04 |
|
ionn posted:What can cause a router to not see any CDP neighbors (and not show up on other routers)? It's a Chinese knock off. They never got CDP right.
|
# ? Feb 19, 2008 02:17 |
|
Is there a way to configure a router, switch, etc. to push the logs to an external server? Or some sort of external log configuration for advanced debugging?
|
# ? Feb 20, 2008 06:39 |
|
Spazz posted:Is there a way to configure a router, switch, etc. to push the logs to an external server? Or some sort of external log configuration for advanced debugging? Syslog? Check out the "logging" command.
|
# ? Feb 20, 2008 06:47 |
|
Spazz posted:Is there a way to configure a router, switch, etc. to push the logs to an external server? Or some sort of external log configuration for advanced debugging? Google syslog.
|
# ? Feb 20, 2008 07:00 |
|
Spazz posted:Is there a way to configure a router, switch, etc. to push the logs to an external server? Or some sort of external log configuration for advanced debugging? Depending on the router you can also export netflow information. I'm not certain how detailed the syslog junk gets, but netflow is fun to walk through if you have a server that can handle your bandwidth. If you want basic command logging, tacacs+ (aaa) lets you log user commands.
|
# ? Feb 20, 2008 16:23 |
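The three answers Spazz got (the "logging" command, NetFlow export, and TACACS+ command accounting) combined into one constructed IOS 12.4 configuration. This is an added example, not any poster's config; the collector 192.168.1.50, the TACACS+ server 192.168.1.60, Loopback0 as the source interface and the placeholder secrets are all assumptions.

```cisco
! Constructed IOS 12.4 example of remote logging for a router or switch.
! Assumed: 192.168.1.50 collects syslog (UDP/514) and NetFlow (UDP/9996),
! 192.168.1.60 is the TACACS+ server, Loopback0 is the stable source address.
!
! --- Syslog ("logging"). Timestamps first: without them remote events
!     from several boxes cannot be correlated.
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
logging buffered 16384 informational
logging trap informational
logging source-interface Loopback0
logging host 192.168.1.50
! Console logging is synchronous and a chatty debug can starve the CPU;
! keep debugs in the buffer and on the collector instead.
no logging console
!
! --- Configuration-change audit trail (who changed what, as syslog).
archive
 log config
  logging enable
  notify syslog
  hidekeys
!
! --- NetFlow export. Syslog tells you what the device did; NetFlow tells
!     you what traffic crossed it. Enable per interface, export globally.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.168.1.50 9996
interface FastEthernet0/0
 ip flow ingress
 ip flow egress
!
! --- TACACS+ (aaa) command accounting. Every exec session and every
!     privilege-1 and privilege-15 command is sent to the server start/stop.
!     "local" fallback plus a local user keeps you out of a lockout when the
!     TACACS+ server is unreachable; replace the placeholder secrets.
aaa new-model
tacacs-server host 192.168.1.60 key TACACS-KEY-PLACEHOLDER
username netadmin privilege 15 secret LOCAL-PASSWORD-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Checks: "show logging" (buffer and trap level, host reachability),
! "show ip flow export" (export counters and datagrams sent),
! "show aaa sessions" (active accounted sessions).
```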
|
Is it possible to have two default routes with different metrics? The situation I'm looking at is where two internet links are being terminated on separate routers and there needs to be some automatic redundancy in the event of one going down. They're both on the same internal subnet, so I was hoping I could get away with assigning a default route pointing down the internet link, and then another default route with a higher metric pointing at the other router. Is there a better solution in this case?
|
# ? Feb 21, 2008 01:36 |
|
Smegmatron posted:Is it possible to have two default routes with different metrics? This is usually done in the case of a backup WAN connection by using a floating static route. Basically the default route is learned via a dynamic routing protocol and a backup static route is put in place with a high metric. That static 'floats' until the dynamic one goes away and then becomes active.
|
# ? Feb 21, 2008 03:47 |
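The floating static route Tremblay describes, written out as a constructed IOS configuration for Smegmatron's topology (this router R1 owns one internet link, R2 owns the other, both on the same inside subnet). This is an added example, not from the thread; the addresses (ISP next hop 203.0.113.1 on Fa0/1, R2 at 192.168.1.254) are assumptions, and the ip sla/track lines go beyond the thread's answer to show why a plain static primary is not always enough.

```cisco
! Constructed IOS 12.4 example of a floating static default route.
! Assumed: R1's ISP next hop is 203.0.113.1 on FastEthernet0/1; R2, which
! owns the second internet link, is 192.168.1.254 on the shared inside LAN.
!
! Primary default route, tracked. Without "track 1" this static only leaves
! the table when Fa0/1 itself goes down; an upstream failure with the link
! still up would black-hole traffic and the backup would never take over.
! (ip sla / track syntax is 12.4(4)T and later; older trains use
! "ip sla monitor" and "track 1 rtr 1 reachability".)
ip sla 1
 icmp-echo 203.0.113.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
!
! Backup default route toward R2. The trailing 250 is the administrative
! distance, not a metric: a static route has no configurable metric, and two
! statics to 0.0.0.0/0 at the default AD of 1 would both be installed and
! load-share, which is not failover. At AD 250 this route "floats" beneath
! the primary and is installed only once the primary is withdrawn.
ip route 0.0.0.0 0.0.0.0 192.168.1.254 250
!
! R2 needs the mirror image (its own tracked primary, and a floating static
! at AD 250 pointing at R1's inside address), or traffic that fails over to
! R2 has no path back when R2's own link is the one that is down.
!
! Checks: "show ip route 0.0.0.0" shows which default is active and its AD;
! "show track 1" shows the reachability state driving the primary.
```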
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Admin distance fuckery like this is what you want. Alternately you can look into this scary looking feature. http://www.cisco.com/en/US/tech/tk1335/tsd_technology_support_sub-protocol_home.html
|
# ? Feb 22, 2008 00:38 |
|
OER is actually really neat. I've never come across a situation where I actually had to use it, but it's in the bag of tricks. I prefer BGP for that sort of stuff but for most people BGP isn't really an option due to hardware limitations etc. I'm sitting the ISCW on next Friday and it looks to have a ton of SDM. I wish Cisco would stop pimping their GUI on their tests. I just love learning stuff which I will never use. Paul Boz_ fucked around with this message at 09:56 on Feb 22, 2008 |
# ? Feb 22, 2008 09:52 |
|
The nice part about the SDM sims in ISCW is that they don't let you go anywhere other than where you need to be, which saves time. This means if you're REALLY lost about where to go, just click around till it actually lets you go somewhere.
|
# ? Feb 22, 2008 15:29 |
|
Question on uRPF loose mode pertaining to the Cisco platform. If I have the command "ip verify unicast source reachable-via any allow-default" on an interface, and I am accepting a default route from that interface, it would seem like (from a quick reading of the documentation) I should never get a verify-drop on that interface. However, my understanding is that if any specific match resolves to a null0 route on the Cisco routers, it will drop that route properly - and this matches what I see in my production routers, as I see verify-drops and suppressed drops quite often on those interfaces. Does anybody know of documentation to back this up, or am I wrong on my presumption on why I am seeing those verify-drops?
|
# ? Feb 22, 2008 16:36 |
|
I currently have lab access to a CCNA lab for the evening through a class I took. Anyone care to hop on AIM and give me some suggestions for things to work on configuring and whatnot? It's really kinda pointless when I have a step by step guide in front of me, yaknow? AIM in profile if so.
|
# ? Feb 23, 2008 03:38 |
|
Walked posted:I currently have lab access to a CCNA lab for the evening through a class I took. Anyone care to hop on AIM and give me some suggestions for things to work on configuring and whatnot? It's really kinda pointless when I have a step by step guide in front of me, yaknow? Just read the subject and not the how-to that follows. See if you can make it work.
|
# ? Feb 23, 2008 06:59 |
|
|
On a similar topic of CrazyLittle's last issue, can I use a voice card in all of the slots of a 1760 router? I've got three fxo cards I need to install in a router. The last two slots are marked for voice only, but I wasn't quite sure if I could use the second slot for the remaining VIC.
|
# ? Feb 25, 2008 16:34 |