CrazyLittle
Sep 11, 2001

Clapping Larry

jwh posted:

I suspect the answer will depend heavily on what kind of features you need- what kind of features do you need? Also, what kind of interfaces are you terminating?

Girdle Wax posted:

Like jwh said, do you need full table BGP or anything like that? If so your step up from the 7206 is probably going to be to a 7600/GSR 12k/ASR1k.

If you only need a bunch of GbE ports, and not a whole lot of prefixes (ie not full table BGP) you can look at stuff like the 3550/3560/3750/4500.

Actually that does kinda cramp things, as we use BGP for our /20

Primarily we have 2-3 GbE peers on two 7206VXRs on our border, plus two more 7206VXRs on the inside with five DS3's for T1 and DSL customers and then ~10 racks of colo space.

The 7206's are huge and old, and falling apart, plus we're looking at moving colos, so getting a new border switch/router is looking very attractive.


conntrack
Aug 8, 2003

by angerbeet
Routemaps and source routing.

I have finally gotten some images that do source routing for my oldish 3750 and newer 4503 switches.

I have been searching around for docs on source routing, but there isn't really a lot of information about it out there.

My question is, will it forward in hardware or software on my devices?

They will be routing about 800-900mbit so software isn't really desired.

conntrack fucked around with this message at 12:09 on Sep 15, 2008

inignot
Sep 1, 2003

WWBCD?
http://www.google.com/search?hl=en&q=source+routing&btnG=Google+Search

Run this by me again, what are you trying to accomplish?

conntrack
Aug 8, 2003

by angerbeet
I suck at the posting today. Policy routing with route maps was what I was getting at.

I have four subnets and would like to try out some policy routing things.

jwh
Jun 12, 2002

Is anyone doing rogue wireless detection with the lightweight equipment? If so, I'd like to hear about it.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
I learned a cool command from another Cisco guy - debug icmp trace. (Well it was cool to me)

I found the L3 3750 doesn't have it, or from what I can tell, an equivalent. Is there? Is it just an ASA command? Does it work on routers?

ate shit on live tv
Feb 15, 2004

by Azathoth
debug ip icmp ?

I'm not familiar with what the trace command does.

Recluse
Mar 5, 2004

Yeah, I did that.
I have a stupid yet infuriating problem: the business that I'm at uses FTP for some scan program they have and way back in June apparently it stopped working. Now they need to use it again. It uses passive FTP, connects and then only sends 4.140KB worth of data exactly before timing out. Active FTP works just fine. They have a Cisco PIX 506E and if I bypass it and plug directly into the modem passive FTP works just fine.

I ran wireshark and found that it connects just fine, the client starts sending data to the server 1.380KB at a time. It sends 6 packets before it craps out, the first two packets have unique sequence numbers and the last 4 are the same. I'm assuming it's missing an ACK or something even though I'm getting other ACKs from the server and is trying to resend the data?

Here is the conf file with the sensitive bits changed:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hMDD1bC3TScc9BU. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname stupidpix
domain-name stupidpix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outin permit icmp any any
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outin in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f5721e9494b342883ab991d28db906da

Anyone have any ideas what could be causing this? Any help at all would be greatly appreciated.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
We need to see the access-list portions.

access-group outin in interface outside

Says to apply access-list "outin" to the inbound direction of the OUTSIDE interface, but the only outin ACL I see is: access-list outin permit icmp any any. Have you removed most of it?

Recluse
Mar 5, 2004

Yeah, I did that.

routenull0 posted:

We need to see the access-list portions.

access-group outin in interface outside

Says to apply access-list "outin" to the inbound direction of the OUTSIDE interface, but the only outin ACL I see is: access-list outin permit icmp any any. Have you removed most of it?

That's actually the complete sh conf, I thought there'd be more sensitive stuff in there but I ended up only changing the hostname. I apologize, I'm unfamiliar with PIX devices, is there another command I should use?

Also, on further inspection it seems as though the server is sending ACKs after it gets the first two packets of data, but Wireshark shows that there's a TCP checksum error. It actually shows this whether I'm behind the Cisco or not. Is it possible the Cisco is blocking it based on that? If so, I know this is a separate problem that needs to be resolved, but is it possible to let that stuff through for the time being?

EDIT - Went on the server and disabled checksum offloading on the network card and the tcp checksum errors went away. Still same problems though.

Recluse fucked around with this message at 19:17 on Sep 17, 2008

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Recluse posted:

That's actually the complete sh conf, I thought there'd be more sensitive stuff in there but I ended up only changing the hostname. I apologize, I'm unfamiliar with PIX devices, is there another command I should use?

Also, on further inspection it seems as though the server is sending ACKs after it gets the first two packets of data, but Wireshark shows that there's a TCP checksum error. It actually shows this whether I'm behind the Cisco or not. Is it possible the Cisco is blocking it based on that? If so, I know this is a separate problem that needs to be resolved, but is it possible to let that stuff through for the time being?

EDIT - Went on the server and disabled checksum offloading on the network card and the tcp checksum errors went away. Still same problems though.

You have other working services behind this firewall? I assume web surfing is working since you are posting? Any hosted devices like webservers etc?

You can try a "show access-list", but I assume you won't get much back if that was the complete "sh conf".

The config is basically only allowing ICMP inbound, denying all other inbound traffic unless the session was created from the inside.

Recluse
Mar 5, 2004

Yeah, I did that.

routenull0 posted:

You have other working services behind this firewall? I assume web surfing is working since you are posting? Any hosted devices like webservers etc?

You can try a "show access-list", but I assume you won't get much back if that was the complete "sh conf".

The config is basically only allowing ICMP inbound, denying all other inbound traffic unless the session was created from the inside.

Yeah show access-list brought the same thing. Shouldn't passive work since the client initiates both connections? I tried permit tcp any any but that didn't work either.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Recluse posted:

Yeah show access-list brought the same thing. Shouldn't passive work since the client initiates both connections? I tried permit tcp any any but that didn't work either.

Yeah, the config would allow it blindly. Do you see in Wireshark the PASV exchange to a higher dynamic port?

Recluse
Mar 5, 2004

Yeah, I did that.

routenull0 posted:

Yeah, the config would allow it blindly. Do you see in Wireshark the PASV exchange to a higher dynamic port?

Yeah, it started addressing it on n+2. Weirdly enough, messing around with it but not changing anything, it actually went a little further and acked once for a total of 8 unique sequence # packets. I'm wondering if this isn't just a flaky pix?

Ninja Rope
Oct 22, 2005

Wee.

Recluse posted:

Also, on further inspection it seems as though the server is sending ACKs after it gets the first two packets of data, but Wireshark shows that there's a TCP checksum error. It actually shows this whether I'm behind the Cisco or not. Is it possible the Cisco is blocking it based on that? If so, I know this is a separate problem that needs to be resolved, but is it possible to let that stuff through for the time being?

EDIT - Went on the server and disabled checksum offloading on the network card and the tcp checksum errors went away. Still same problems though.

If you're sniffing from the box using checksum offloading, you'll always see this, since wireshark captures the data from inside the network stack but the checksum isn't calculated until the packet leaves the physical interface.

You probably know this, but just in case, don't go permanently disabling tcp checksum offloading on your server(s) because of this.

Recluse
Mar 5, 2004

Yeah, I did that.

Ninja Rope posted:

If you're sniffing from the box using checksum offloading, you'll always see this, since wireshark captures the data from inside the network stack but the checksum isn't calculated until the packet leaves the physical interface.

You probably know this, but just in case, don't go permanently disabling tcp checksum offloading on your server(s) because of this.

Thank you for this, I had re-enabled it but I'm glad to know why it was doing that. Also, thank you for your help as well routenull0. I've got another pix same model I'll try copying the config to and seeing what happens. After that one fluke though, it always crapped out after the first 3 data packets. Weird stuff.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
I learned recently that some organizations are moving towards a security setup involving a Mars box, IPS module for the ASA, and the Cisco Security Agent.

Can anyone chime in on how good this setup is for security? Is it all Cisco marketing or the future golden age of security? Thanks

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
One more question. What is everyone using to backup router/switch configs? We have so many at this point, that manually copying them to a tftp server is an administrative nightmare.

I did some checking and found Kiwi Cat tools will do the job, but I'm not sure if management would make the purchase. Is this a good product? Are there any others? Thanks

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ObamaisaTerrist posted:

One more question. What is everyone using to backup router/switch configs? We have so many at this point, that manually copying them to a tftp server is an administrative nightmare.

I did some checking and found Kiwi Cat tools will do the job, but I'm not sure if management would make the purchase. Is this a good product? Are there any others? Thanks

We used: http://shrubbery.net/rancid/ in conjunction with custom scripts that would log in to all the devices and dump the config for us.

With rancid, you can "rebuild" a config from the diffs and non-diff scans.

jwh
Jun 12, 2002

ObamaisaTerrist posted:

One more question. What is everyone using to backup router/switch configs? We have so many at this point, that manually copying them to a tftp server is an administrative nightmare.

I did some checking and found Kiwi Cat tools will do the job, but I'm not sure if management would make the purchase. Is this a good product? Are there any others? Thanks

We use SolarWinds Cirrus, which works pretty well. It's slow to back up 400+ devices (apparently there's no parallelism to the get process), but it works. Plus the reports are pretty to look at.

RANCID is probably the way to go if you have time to set it up correctly.

quote:

I learned recently that some organizations are moving towards a security setup involving a Mars box, IPS module for the ASA, and the Cisco Security Agent.

Can anyone chime in on how good this setup is for security? Is it all Cisco marketing or the future golden age of security? Thanks

The problem with a MARS installation is that you need someone to feed it and brush its hair. MARS is also fantastically expensive. MARS + ASA IPS modules + CSA doesn't strike me as particularly magical. Supposedly Q1 makes a good substitute for MARS, but I've never really spent much time with it.

CrazyDutchie
Aug 5, 2005
We are using Ciscoworks. Not only does it back up configs, it does a whole lot of other things too. May be a bit pricey, but it's worth it.

H110Hawk
Dec 28, 2006

routenull0 posted:

We used: http://shrubbery.net/rancid/ in conjunction with custom scripts that would log in to all the devices and dump the config for us.

Seconding Rancid. We use it, and it's great to just have a CVS store of your files. We also have it set up to email everyone changes. Just make sure you have all of your passwords written down somewhere secure.

jbusbysack
Sep 6, 2002
i heart syd

ObamaisaTerrist posted:

I learned recently that some organizations are moving towards a security setup involving a Mars box, IPS module for the ASA, and the Cisco Security Agent.

Can anyone chime in on how good this setup is for security? Is it all Cisco marketing or the future golden age of security? Thanks

I've seen this setup implemented - mostly in financial settings. Personally speaking I think it is a bit overkill, since MARS does the job of the IDS in the ASA anyway.

The latest version of CSA apparently has horrible problems with heuristic pattern matching (ex: XXX-XX-XXXX aka SSN's). Lots of false positives.

jbusbysack
Sep 6, 2002
i heart syd

ObamaisaTerrist posted:

One more question. What is everyone using to backup router/switch configs? We have so many at this point, that manually copying them to a tftp server is an administrative nightmare.

I did some checking and found Kiwi Cat tools will do the job, but I'm not sure if management would make the purchase. Is this a good product? Are there any others? Thanks

I'm probably in the minority here, but I'm a big fan of Kiwi (Cat Tools and Syslog). It's what, $395? Yes, you can script stuff out yourself, but why bother; that's not much to mess with for the ease and the config comparisons you get emailed to you.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
Thanks for the info. I learned that we have Ciscoworks already. It just hasn't been configured properly.

I spent probably 2 hours googling and going through the menus yesterday in an attempt to schedule a backup of configs. I have to say that the Ciscoworks GUI is one of the most horrible things I've had to maneuver through. Half the time it opens up a new window every time you click on something, and then has to load Java on top of that. The horror....The horror.

I also downloaded an eval copy of Kiwi Cat Tools. Much better, but I had difficulties properly formatting the CSV file to import one campus' list of switches. Once done, it did execute properly and get all the configs.

Midnj
Jul 27, 2002
JUST GET A FREAKIN MAC DURRRRRR
Have you tried Cisco Configuration Professional?

http://www.cisco.com/en/US/products/ps9422/index.html

It's a free tool to smartnet owners and can be used to back up configs (not on schedules though as far as I know). I haven't used it yet but it looks like it could be useful for a UC500 when it will support it. I'd rather configure CME with a GUI, the CLI involves much typing.

kinghado
Mar 22, 2006
Its all good, radgie.

Recluse posted:

I have a stupid yet infuriating problem: the business that I'm at uses FTP for some scan program they have and way back in June apparently it stopped working. Now they need to use it again. It uses passive FTP, connects and then only sends 4.140KB worth of data exactly before timing out. Active FTP works just fine. They have a Cisco PIX 506E and if I bypass it and plug directly into the modem passive FTP works just fine.

I ran wireshark and found that it connects just fine, the client starts sending data to the server 1.380KB at a time. It sends 6 packets before it craps out, the first two packets have unique sequence numbers and the last 4 are the same. I'm assuming it's missing an ACK or something even though I'm getting other ACKs from the server and is trying to resend the data?

Here is the conf file with the sensitive bits changed:
PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password hMDD1bC3TScc9BU. encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname stupidpix
domain-name stupidpix.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
access-list outin permit icmp any any
pager lines 24
interface ethernet0 10full
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 10.1.2.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group outin in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet timeout 5
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
terminal width 80
Cryptochecksum:f5721e9494b342883ab991d28db906da

Anyone have any ideas what could be causing this? Any help at all would be greatly appreciated.

I've had issues with fixup and an SMTP server that did not comply with standards. If I remember correctly, the fixup command implements a kind of deep inspection of the traffic and also opens up any ports required inbound by the protocol.

I would suggest trying, as a test, the command "no fixup ftp 21" and configuring the ACLs to allow traffic from an external client to the ftp server inbound and from the server to client outbound, and see if this sorts out the problem. It would be less secure though.
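The PASV exchange routenull0 asked about earlier and the pinhole kinghado describes fixup opening, as an added example that is not from the thread or from Cisco: a small Python parser for the FTP `227` reply that derives the dynamic data port and applies the checks a stateful inspector would make before permitting the data connection. The addresses, the rejection policy and the helper names are constructed for illustration and are not the PIX's actual rules.

```python
"""Added example: parse an FTP '227 Entering Passive Mode' reply the way a
stateful FTP inspector (PIX 'fixup protocol ftp') has to, so that it can open
the data-channel pinhole for the client.  Sample replies below are constructed;
nothing here is PIX code."""
import re
from typing import Optional, Tuple

# RFC 959 format: 227 <text> (h1,h2,h3,h4,p1,p2)  ->  h1.h2.h3.h4 : p1*256+p2
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) advertised in a 227 reply, or None if it is malformed."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(g) for g in m.groups()]
    if any(f > 255 for f in fields):
        return None                          # octet or port byte out of range
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]       # the "higher dynamic port" seen in the capture
    return host, port


def data_pinhole(reply: str, control_server_ip: str, client_ip: str) -> dict:
    """Decide what an inspector should permit for the PASV data channel.

    Policy modelled here (constructed, not the PIX's exact rules): the advertised
    address must be the server the control session is already talking to, and the
    port must be non-privileged; otherwise no hole is opened."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return {"reject": "malformed 227 reply"}
    host, port = parsed
    if host != control_server_ip:
        # Typical when the server sits behind NAT and advertises its private
        # address; an inspector must rewrite it or the data connection goes nowhere.
        return {"reject": f"advertised {host} != control peer {control_server_ip}"}
    if port < 1024:
        return {"reject": f"port {port} is privileged"}
    return {"permit": {"src": client_ip, "dst": control_server_ip,
                       "dport": port, "proto": "tcp"}}


# Constructed sample replies (RFC 5737 documentation address for the server;
# client address chosen from the 10.1.2.0/24 inside subnet in the posted config).
GOOD_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"
NAT_LEAK_REPLY = "227 Entering Passive Mode (10,1,2,50,195,80)\r\n"
BAD_REPLY = "227 Entering Passive Mode (203,0,113,10,300,1)\r\n"

if __name__ == "__main__":
    for r in (GOOD_REPLY, NAT_LEAK_REPLY, BAD_REPLY):
        print(r.strip(), "->", data_pinhole(r, "203.0.113.10", "10.1.2.20"))
```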

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
Thanks so much for the help - I'm learning quite a bit.

I have an access list now. On a layer 3 3750, if I wanted to deny one host to a server, how do I do this? I tried the following:

code:
3750-MDF(config)#do sh access-l
Extended IP access list 102
    10 deny ip host 10.100.2.16 host 10.100.100.68
3750-MDF(config)#
But it didn't work. What have I missed?

CrazyDutchie
Aug 5, 2005
You need to add a permit any any rule below the current one (implicit deny!) and apply it to an interface.

Minus Pants
Jul 18, 2004
I have two 6509s running HSRP. I recently put a static NAT entry on each of them (for the same address). Now I'm getting duplicate IP errors. After some research, this appears to be caused by NAT not being HSRP-aware. Each address is being bound to the physical MACs and not the HSRP MAC.

The solution appears to be this: http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnthsrp.html
...BUT of course it's not supported by the 6500 series. Are there any other tricks I can use to make this work? I'd like to avoid putting routers in front of these switches just to handle NAT.

Minus Pants
Jul 18, 2004
After some research, I think I can just make static ARP aliases on each switch so they'll respond to the NAT addresses with the HSRP MAC. ARP requests will each get two replies, one from each switch, but that shouldn't hurt anything since the MACs are identical (the HSRP virtual MAC). I'll lose NAT state but that's better than buying a pair of routers.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.

CrazyDutchie posted:

You need to add a permit any any rule below the current one (implicit deny!) and apply it to an interface.


Thanks. So any time you create an access-list with an implicit deny, you have to also add a line to permit any any? It doesn't assume you only want to deny one ip?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

ObamaisaTerrist posted:

Thanks. So any time you create an access-list with an implicit deny, you have to also add a line to permit any any? It doesn't assume you only want to deny one ip?


Always remember that at the end of an ACL there is a "deny ip any any", so if you want to deny one IP but allow all other traffic, you need to do the deny, then "permit ip any any". ACLs are processed top down, line by line until a match is made.
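An added example (not from the thread or from Cisco) that simulates the evaluation routenull0 describes: entries walked top-down, first match wins, and an implicit `deny ip any any` when nothing matches. The parser accepts the `sh access-list` text from the earlier post as-is; the neighbour host 10.100.2.17 and the wildcard-mask entry in the test are constructed.

```python
"""Added example: simulate IOS extended-ACL evaluation (top-down, first match,
implicit 'deny ip any any').  Parses the 'show access-list' text from the post."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AddrMatch:
    addr: int
    wildcard: int   # IOS wildcard mask: 0 bits must match, 1 bits are ignored

    def covers(self, ip: str) -> bool:
        return ((int(IPv4Address(ip)) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches every IP protocol; "tcp", "udp", ... match only themselves
    src: AddrMatch
    dst: AddrMatch


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrMatch, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return AddrMatch(0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return AddrMatch(int(IPv4Address(tokens[i + 1])), 0), i + 2
    return AddrMatch(int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))), i + 2


def parse_acl(show_output: str) -> List[Entry]:
    """Keep only numbered entry lines; the 'Extended IP access list 102' header is skipped."""
    entries = []
    for line in show_output.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].isdigit():
            continue
        src, i = _parse_addr(tokens, 3)
        dst, _ = _parse_addr(tokens, i)      # trailing '(N matches)' etc. is ignored
        entries.append(Entry(int(tokens[0]), tokens[1], tokens[2], src, dst))
    return sorted(entries, key=lambda e: e.seq)


def evaluate(acl: List[Entry], proto: str, src_ip: str, dst_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number); ('deny', None) means the implicit deny fired."""
    for e in acl:
        if e.proto in ("ip", proto) and e.src.covers(src_ip) and e.dst.covers(dst_ip):
            return e.action, e.seq
    return "deny", None


# ACL 102 exactly as posted, and the same list with the permit CrazyDutchie recommends.
ACL_AS_POSTED = """Extended IP access list 102
    10 deny ip host 10.100.2.16 host 10.100.100.68
"""
ACL_FIXED = ACL_AS_POSTED + "    20 permit ip any any\n"

if __name__ == "__main__":
    flows = [("tcp", "10.100.2.16", "10.100.100.68"),   # the host that should be blocked
             ("tcp", "10.100.2.17", "10.100.100.68")]   # constructed: a neighbour that should pass
    for name, text in (("as posted", ACL_AS_POSTED), ("with permit any any", ACL_FIXED)):
        for flow in flows:
            print(name, flow, "->", evaluate(parse_acl(text), *flow))
```

With only the deny line applied, the neighbour's traffic is dropped by the implicit deny, which is what "it didn't work" looks like from the user's side.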

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Recently, I picked up three 2500-series routers formerly owned by the local school board, and so far I've recovered the passwords thanks to Google. However, I can't access any Cisco support stuff like IOS upgrades (the one I'm looking at now is copyright 1997) since I obviously don't have an order number or service contract. Is there a way I can still get upgrades or am I stuck with trying to buy stuff from them directly before I can get anything?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

Luigi Thirty posted:

Recently, I picked up three 2500-series routers formerly owned by the local school board, and so far I've recovered the passwords thanks to Google. However, I can't access any Cisco support stuff like IOS upgrades (the one I'm looking at now is copyright 1997) since I obviously don't have an order number or service contract. Is there a way I can still get upgrades or am I stuck with trying to buy stuff from them directly before I can get anything?

Without an active service contract attached to your CCO, you cannot download the latest releases. Even if you could, not much is going to run on the older 2500 series routers. Your best bet, if you are studying, would be to look at picking up some sort of 2620 off eBay to work with.

H110Hawk
Dec 28, 2006

ObamaisaTerrist posted:

Thanks. So any time you create an access-list with an implicit deny, you have to also add a line to permit any any? It doesn't assume you only want to deny one ip?

Once an access list is in place it assumes "most secure." (Though this is not an excuse, it probably helps to add implicits always regardless of firewall mode so that you remember in the future. ipfw2 for FreeBSD has both modes, so I would add it at the bottom to help myself remember how I had it setup.)

ate shit on live tv
Feb 15, 2004

by Azathoth

Luigi Thirty posted:

Recently, I picked up three 2500-series routers formerly owned by the local school board, and so far I've recovered the passwords thanks to Google. However, I can't access any Cisco support stuff like IOS upgrades (the one I'm looking at now is copyright 1997) since I obviously don't have an order number or service contract. Is there a way I can still get upgrades or am I stuck with trying to buy stuff from them directly before I can get anything?

Even with full CCO and support access you cannot get any IOS for the 2500 series routers. I would suggest looking for an old version depository for old IOS code. I believe the latest that will run on a 2500 series is a 12.2 release, which is nice because 12.0 finally has all the usability features that you take for granted these days.

The file name will be in a format like "c2500-x"

Good luck finding it though.

e:Hmm. Actually now that I check. It seems that engineering access has a backlog of EOL software. Tell me what kind of 2500s you have and I can get you the software if you'd like.

Oh and apparently the latest version is "c2500-is-l.123-26.bin"

So look for that.

ate shit on live tv fucked around with this message at 19:58 on Sep 22, 2008

Luigi Thirty
Apr 30, 2006

Emergency confection port.

Powercrazy posted:

e:Hmm. Actually now that I check. It seems that engineering access has a backlog of EOL software. Tell me what kind of 2500s you have and I can get you the software if you'd like.

Oh and apparently the latest version is "c2500-is-l.123-26.bin"

So look for that.

Thanks. I've got two 2524s and a 2501. I only paid $15 for the set so it's not like it's a big loss.

DarkCow
Apr 26, 2007
Moo.
I'm using a Cisco 837 for ADSL on my home network. I have several IP addresses assigned to me by my ISP, but when I try a DNS lookup on my domain (which should point to one of the external IPs), for some reason I get the corresponding internal IP instead.

From inside my network:
code:
$ host mydomain.net
mydomain.net has address 192.168.0.10
From someone else's network:
code:
$ host mydomain.net
mydomain.net has address 123.123.123.145
Version info: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Here are the parts of my config that I think may be at all relevant:
code:
aaa new-model
aaa session-id common
no ip bootp server
ip multicast-routing
ip audit notify log
!
interface Ethernet0
 description Internal LAN
 ip address 192.168.0.1 255.255.255.0
 ip access-group 1 in
 ip access-group 1 out
 ip nat inside
 ip tcp adjust-mss 1452
 ip igmp helper-address udl Dialer0
 ip igmp proxy-service
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
!
interface Dialer0
 ip address 123.123.123.150 255.255.255.248
 ip access-group 121 in
 ip access-group 122 out
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 ip igmp unidirectional-link
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname blah
 ppp chap password 7 blah
 ppp ipcp dns request
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.50 123.123.123.149
ip nat inside source static 192.168.0.10 123.123.123.145
ip nat inside source static 192.168.0.11 123.123.123.146
ip nat inside source static 192.168.0.12 123.123.123.147
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 1 permit any
dialer-list 1 protocol ip permit
no cdp run
What's going on, and how do I stop it?


H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue

DarkCow posted:

I'm using a Cisco 837 for ADSL on my home network. I have several IP addresses assigned to me by my ISP, but when I try a DNS lookup on my domain (which should point to one of the external IPs), for some reason I get the corresponding internal IP instead.

From inside my network:
code:
$ host mydomain.net
mydomain.net has address 192.168.0.10

What DNS servers is the box you are looking up from using? Do you have a host entry in /etc/hosts (if *nix)?
