|
You'll be looking at the access-lists (sh access-list) and making sure you have allowances for icmp traffic on the inside to get out.
|
#
?
Oct 4, 2008 01:41
|
|
|
|
| # ? May 14, 2024 21:06 |
|
|
Syano posted:In the same vein as the previous post, I had an ASA 5505 preconfiged and shipped out to a remote site by a vendor. The device is responding to pings on its outside interface, the vpn back home is up, I can ssh in, I can talk to hosts on the inside of the ASA, however the ASA itself will not respond to my pings from its inside interface nor can I get into the ASDM. I can ssh into the outside interface but I am worthless once at the console. What should I be looking for? icmp permit any inside http <inside mgmt host> 255.255.255.255 inside
|
|
#
?
Oct 4, 2008 02:11
|
|
|
Fanatastic. I will learn this crap yet. Ok here is another one. I have an 1841 at a branch office with the following interfaces: Serial 0/0 - Private WAN link back to home office Eth 0/0 - Internet connection for this branch office Eth 0/1.1 - VLAN1 for branch office users Eth 0/1.2 - VLAN2 for guest wireless access I need to set up ACLs that allow the VLAN2 users to only route through Eth 0/0 to get to the internet and prevent them from getting to any of the private network segments. I was playing with ACLs Friday afternoon on this device and Im not sure how but in one single click of apply through the SDM I brought the entire building down and locked myself out from fixing it. Had to drive 30 minutes after work to bring it back up.
|
|
#
?
Oct 5, 2008 14:47
|
|
|
Who's the goon who resells used Cisco gear?
|
|
#
?
Oct 6, 2008 20:38
|
|
|
Mierdaan posted:Who's the goon who resells used Cisco gear? M@
|
|
#
?
Oct 6, 2008 21:14
|
|
|
Thanks jwh.
|
|
#
?
Oct 6, 2008 21:17
|
|
|
Syano posted:Fanatastic. I will learn this crap yet. access-lists are dangerous. Don't forget that the moment you configure one, it automatically gives itself an implicit default deny at the end. As to your question, how you build that access-list will depend on where you want to filter the traffic. If this network is for guest wireless access, which presumably means guest Internet access, then life gets a little bit more challenging, because of the "any" assumption that comes with Internet access. You could, for instance, build an access-list applied in the 'in' direction on Fa0/1.2 that denies traffic to each of your production network(s), but ends with 'permit ip any any'. Alternately, you could instead configure an access-list on Fa0/1.1 in the 'out' direction that does a 'deny ip <whatever your guest IP space is> any' followed by a 'permit ip any any'. You could also maybe policy route something when the outgoing interface matches Fa0/1.2, like: route-map test match interface fa0/1.1 set interface null0 conf t int fa0/1.2 ip policy route-map test Although I bet the CPU hit on the PBR is more than doing the acl, maybe. Don't honestly know.
|
|
#
?
Oct 6, 2008 21:39
|
|
|
Criminey. I didnt know about the implicit deny once you build the ACL. That sure explains a ton So does that in turn mean without any ACLs that there is no implicit deny? Syano fucked around with this message at 22:19 on Oct 6, 2008 |
|
#
?
Oct 6, 2008 22:15
|
|
|
Syano posted:Criminey. I didnt know about the implicit deny once you build the ACL. That sure explains a ton Correct. Things get interesting when you have access-lists configured but the access-lists don't actually exist yet- interfaces will continue to move traffic right up until you configure the first line in that access-list, at which point, the default deny will appear unbeknown to you, and your interface will no longer pass traffic. Things get even more interesting when you look at how processor-originated traffic won't trigger outbound acls. This can make for some real confusion, because you can, for instance, do this: conf t int s0/0 ip address 172.29.2.1 255.255.255.252 access-group 100 out ^Z Now, without access-list 100 existing, that interface will move traffic just fine. Now imagine you want to create an access-list to only allow a host, say, 1.1.1.1, out this interface. conf t access-list 100 permit ip host 1.1.1.1 any ^Z And then, to see if it's "working", you do: ping 172.29.2.2 The ping will work, and you most likely won't realize that s0/0 just stopped passing traffic for everybody other than 1.1.1.1. This is counter-intuitive, because the access-list is working, but your local ping just said otherwise. I don't know whether the PIX/ASA has the same kind of behavior with respect to locally originated traffic. But IOS definitely has some very real caveats you need to understand. Unfortunately, even if you do understand them, you don't tend to remember then until they hurt you terribly. edit: rewritten slightly to make things clearer. jwh fucked around with this message at 22:49 on Oct 6, 2008 |
|
#
?
Oct 6, 2008 22:41
|
|
|
Is it possible to make an Ethernet connection participate in a Multilink interface? I currently have 2 T1 lines to a remote office. They're setup using standard WIC-1DSU cards. Each interface has PPP encapsulation and they are members of multilink1 which is where I do all of my routing. We're getting a 10Mb fiber connection now between the 2 offices. It has an Ethernet hand-off. I'm using Cisco1841s with Advanced IP Services. I'd like to build some sort of virtual point-to-point interface on FE0/1 and have it joined to multilink1. The contracts for the T1s will still be active for a few months, not to mention that since the fiber is new it'd be nice to have the T1s to fall back on. Is any of this even possible?
|
|
#
?
Oct 6, 2008 23:28
|
|
|
Wizzle posted:Is it possible to make an Ethernet connection participate in a Multilink interface? Not that easily, you'd need to set up some kind of IGP between the routers at either end (OSPF, EIGRP) and use that to fail over between the 2 separate links.
|
|
#
?
Oct 7, 2008 02:00
|
|
|
jwh posted:access-lists are dangerous. Don't forget that the moment you configure one, it automatically gives itself an implicit default deny at the end. That really is mind boggling. I understand why my network guy took a better offer now. On the other hand I am extremely glad I am learning this stuff. I think I will set up an ACL on the 'in' direction of my guest VLAN to deny traffic to the production networks. Provided this project works fine, my next one is going to be to set up a VPN across the internet connection that production network users can use if the serial connection ever fails.
|
|
#
?
Oct 7, 2008 02:46
|
|
|
Edit: Double post
|
|
#
?
Oct 7, 2008 02:46
|
|
|
Question on redundant supervisor engines. I didn't know a thing about them until earlier today when the network hiccuped and nothing could be reached. It boiled down to being the core L3 switch - a 4507 with redundant sups. Reminded us of that time about 2 weeks ago when the switch rebooted for a still undetermined reason (by abort something or other 0x0 - but I digress). Anyways, the difference is that according to the uptime counter, it hadn't rebooted since that time 2 weeks ago. We grabbed the output of the 'show redund history' command. Can someone give me a brief overview of what it means, particularly why it looks like the second sup wasn't in standby until this morning. Why did the switch become temporarily unavailable this morning? Could it not even be related to the sups whatsoever? Assume no work was being done on the device at that time this morning. 1w5d RF_STATUS_PEER_COMM(401) Redundancy Mode RF(29) op=0 1w5d RF_STATUS_PEER_COMM(401) GALIOS_CONFIG_SYNC(55) op=0 1w5d *my state = STANDBY COLD(4) *peer state = DISABLED(1) 1w5d Reloading peer (communication down) 1w5d *my state = ACTIVE-FAST(9) peer state = DISABLED(1) 1w5d RF_STATUS_MAINTENANCE_ENABLE(403) Redundancy Mode RF(29) op=0 1w5d RF_STATUS_MAINTENANCE_ENABLE(403) GALIOS_CONFIG_SYNC(55) op=0 1w5d RF_PROG_ACTIVE_FAST(200) RF_INTERNAL_MSG(0) op=0 rc=11 1w5d RF_PROG_ACTIVE_FAST(200) Redundancy Mode RF(29) op=0 rc=11 1w5d RF_PROG_ACTIVE_FAST(200) GALIOS_CONFIG_SYNC(55) op=0 rc=11 1w5d RF_PROG_ACTIVE_FAST(200) RF_LAST_CLIENT(65000) op=0 rc=11 1w5d *my state = ACTIVE-DRAIN(10) peer state = DISABLED(1) 1w5d RF_PROG_ACTIVE_DRAIN(201) RF_INTERNAL_MSG(0) op=0 rc=11 1w5d RF_PROG_ACTIVE_DRAIN(201) Redundancy Mode RF(29) op=0 rc=11 1w5d RF_PROG_ACTIVE_DRAIN(201) GALIOS_CONFIG_SYNC(55) op=0 rc=11 1w5d RF_PROG_ACTIVE_DRAIN(201) RF_LAST_CLIENT(65000) op=0 rc=11 1w5d *my state = ACTIVE_PRECONFIG(11) peer state = DISABLED(1) 1w5d RF_PROG_ACTIVE_PRECONFIG(202) RF_INTERNAL_MSG(0) op=0 rc=11 1w5d RF_PROG_ACTIVE_PRECONFIG(202) Redundancy Mode RF(29) op=0 rc=11 1w5d RF_PROG_ACTIVE_PRECONFIG(202) GALIOS_CONFIG_SYNC(55) op=0 rc=11 1w5d RF_PROG_ACTIVE_PRECONFIG(202) RF_LAST_CLIENT(65000) op=0 rc=11 1w5d *my state = ACTIVE_POSTCONFIG(12) peer state = DISABLED(1) 1w5d RF_PROG_ACTIVE_POSTCONFIG(203) RF_INTERNAL_MSG(0) op=0 rc=11 1w5d RF_PROG_ACTIVE_POSTCONFIG(203) Redundancy Mode RF(29) op=0 rc=11 1w5d RF_PROG_ACTIVE_POSTCONFIG(203) GALIOS_CONFIG_SYNC(55) op=0 rc=11 1w5d RF_PROG_ACTIVE_POSTCONFIG(203) RF_LAST_CLIENT(65000) op=0 rc=11 1w5d *my state = ACTIVE(13) peer state = DISABLED(1) 1w5d RF_PROG_ACTIVE(204) RF_INTERNAL_MSG(0) op=0 rc=11 1w5d RF_PROG_ACTIVE(204) Redundancy Mode RF(29) op=0 rc=11 1w5d RF_PROG_ACTIVE(204) GALIOS_CONFIG_SYNC(55) op=0 rc=11 1w5d RF_PROG_ACTIVE(204) RF_LAST_CLIENT(65000) op=0 rc=11 1w5d RF_STATUS_PEER_PRESENCE(400) Redundancy Mode RF(29) op=0 1w5d RF_STATUS_PEER_PRESENCE(400) GALIOS_CONFIG_SYNC(55) op=0 1w5d Reloading peer (peer presence lost) 1w5d RF_EVENT_GO_ACTIVE(511) op=0 1w5d Configuration parsing complete 1w5d System initialization complete Oct 7 08:43:42 Changing to system clock timestamps at uptime 1w5d Oct 7 08:43:42 RF_STATUS_PEER_PRESENCE(400) Redundancy Mode RF(29) op=1 Oct 7 08:43:42 RF_STATUS_PEER_PRESENCE(400) GALIOS_CONFIG_SYNC(55) op=1 Oct 7 08:43:47 *my state = ACTIVE(13) *peer state = UNKNOWN(0) Oct 7 08:43:47 RF_STATUS_PEER_COMM(401) Redundancy Mode RF(29) op=1 Oct 7 08:43:47 RF_STATUS_PEER_COMM(401) GALIOS_CONFIG_SYNC(55) op=1 Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) RF_INTERNAL_MSG(0) op=0 rc=11 Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) Redundancy Mode RF(29) op=0 rc=11 Oct 7 08:43:47 RF_PROG_PLATFORM_SYNC(300) GALIOS_CONFIG_SYNC(55) op=0 rc=0 Oct 7 08:43:47 RF_EVENT_CLIENT_PROGRESSION(503) GALIOS_CONFIG_SYNC(55) op=1 rc=0 Oct 7 08:43:50 RF_EVENT_PEER_PROG_DONE(506) GALIOS_CONFIG_SYNC(55) op=300 Oct 7 08:43:50 RF_PROG_PLATFORM_SYNC(300) RF_LAST_CLIENT(65000) op=0 rc=0 Oct 7 08:43:50 RF_EVENT_CLIENT_PROGRESSION(503) RF_LAST_CLIENT(65000) op=1 rc=0 Oct 7 08:43:50 RF_EVENT_PEER_PROG_DONE(506) RF_LAST_CLIENT(65000) op=300 Oct 7 08:43:56 *my state = ACTIVE(13) *peer state = STANDBY COLD(4)
|
|
#
?
Oct 8, 2008 03:28
|
|
|
J Crewl posted:Question on redundant supervisor engines. What version of code? Assuming the sups are identical, you are running in SSO mode correct? Can you paste the redundancy configuration section? I have handfuls of 6500s, 7600s and these 4500s in the field and from time to time we notice the Hot sup loses connectivity with the Standby for a split second and then eventually recovers, but this shouldn't cause any network issues. Only time you should see a hiccup is when the Hot Sup goes offline and the Standby recovers, and at that point, you might drop a ping or two, nothing more (if properly configured). Cisco's common answer "re-seat the modules" for the first few times, eventually they will replace the Sup if it continues. H.R. Paperstacks fucked around with this message at 12:09 on Oct 8, 2008 |
|
#
?
Oct 8, 2008 12:05
|
|
|
Thanks for your reply, null0. I'm 99% sure it is NOT running SSO mode. I'll check today what it is using - just don't know the command off the top of my head. IOS version is 12.1(12c) lol. Anything else?
|
|
#
?
Oct 8, 2008 14:08
|
|
|
Wizzle posted:Is it possible to make an Ethernet connection participate in a Multilink interface? I'm just talking out of my rear end here, but if you can establish a PPP-like connection over it you may be able to add it to the multilink group. PPPoE and PPTP both appear the same as straight PPP on Linux boxes and I have seen people use MLPPP over PPPoE before. I have no idea whether Cisco treats it the same way or if one can use two different types of PPP links in one multilink bundle.
|
|
#
?
Oct 8, 2008 14:23
|
|
|
J Crewl posted:Thanks for your reply, null0. I'm 99% sure it is NOT running SSO mode. I'll check today what it is using - just don't know the command off the top of my head. IOS version is 12.1(12c) lol. Anything else? Is there a reason why you are not running SSO? Are their routed interfaces on the 4507? If you so a "sh redundancy" you will see: code:code:H.R. Paperstacks fucked around with this message at 16:46 on Oct 8, 2008 |
|
#
?
Oct 8, 2008 16:44
|
|
|
I've got a good one: Does PIX (v8) support stateful inspection for both BEA Weblogic's T3/T3s protocols as well as FTPS (FTP over ssl, not SFTP, all traffic is sent on 21) This is a 5 million dollar question to my company at the moment... Anyone seen T3 work with PIX 8 or ASA?
|
|
#
?
Oct 8, 2008 17:50
|
|
|
routenull0 posted:Is there a reason why you are not running SSO? Are their routed interfaces on the 4507? routenull0 posted:If you do a "sh redundancy" you will see: my state = 13 -ACTIVE peer state = 4 -STANDBY COLD Mode = Duplex Unit = Secondary Unit ID = 2 Redundancy Mode (Operational) = RPR Redundancy Mode (Configured) = RPR Split Mode = Disabled Manual Swact = Enabled Communications = Up client count = 4 client_notification_TMR = 30000 milliseconds keep_alive TMR = 9000 milliseconds keep_alive count = 0 keep_alive threshold = 18 RF debug mask = 0x0 routenull0 posted:Look for this section in the config: redundancy mode rpr main-cpu auto-sync standard Bonus points if someone can lead me in the direction of why this happened two weeks ago: System returned to ROM by abort at PC 0x0 It's sort of a non-issue, except that if this device is starting to have issues or goes down for any period of time we are f'ed. J Crewl fucked around with this message at 02:02 on Oct 9, 2008 |
|
#
?
Oct 9, 2008 01:53
|
|
|
J Crewl posted:Let's go with "a lack of understanding of all the available options." No, no routed interfaces. I'd start by getting off the 12.1 tree, get on to something like 12.2.xx, it is a bit more stable, but it depends on what SUP engines you have, you can list them via "sh module". Once on a newer version of code, if the SUPs are the same hardware (memory, etc), ptu them into SSO mode via the "redundancy" command in global config. Honestly, copy what I pasted and apply it to your config when ready, that keeps all the configs sync'd between the two. SSO will only work if both SUPs are identical though. (Unless you have some reason to not wanting to go to 12.1 that is. The upgrade procedure can be an in depth process requiring some downtime to hardboot the standby on the new code and such, so if you are not comfortable with restarting the entire system, you might want to get a consultant in there.) Here is some basic info on RPR / RPR+ / SSO: http://www.networksystemsdesignline.com/howto/showArticle.jhtml?articleId=192202366&pgno=3 SSO is the newer version of RPR / RPR+. H.R. Paperstacks fucked around with this message at 13:04 on Oct 9, 2008 |
|
#
?
Oct 9, 2008 02:39
|
|
|
wolrah posted:I'm just talking out of my rear end here, but if you can establish a PPP-like connection over it you may be able to add it to the multilink group. PPPoE and PPTP both appear the same as straight PPP on Linux boxes and I have seen people use MLPPP over PPPoE before. I have no idea whether Cisco treats it the same way or if one can use two different types of PPP links in one multilink bundle. This was what I was wondering as well. But my experience with PPPoE is pretty much limited to lovely Linksys devices on lovely DSL connections.
|
|
#
?
Oct 9, 2008 06:29
|
|
|
Wizzle posted:Is any of this even possible? Not that I know of- is the ethernet circuit from the same provider as the T1s?
|
|
#
?
Oct 9, 2008 16:09
|
|
|
Wizzle posted:Is any of this even possible? Possible and advisable are two different things. Take the previous advice about running an IGP; it's less effort and more sane.
|
|
#
?
Oct 9, 2008 18:41
|
|
|
jwh posted:Not that I know of- is the ethernet circuit from the same provider as the T1s? No, thankfully, it's not the same provider. (Customer service is awful). inignot posted:Possible and advisable are two different things. Take the previous advice about running an IGP; it's less effort and more sane. Sounds reasonable enough. I'll plan on doing that. Wizzle fucked around with this message at 04:48 on Oct 10, 2008 |
|
#
?
Oct 10, 2008 04:44
|
|
|
Wizzle posted:No, thankfully, it's not the same provider. (Customer service is awful). In that case, MLPPP is probably not going to work- MLPPP fragments need to be reassembled by the same next-hop to function correctly.
|
|
#
?
Oct 10, 2008 04:49
|
|
|
jwh posted:In that case, MLPPP is probably not going to work- MLPPP fragments need to be reassembled by the same next-hop to function correctly. If I'm interpreting the first post on this topic correctly, the T1s are direct point-to-point, so the next hop is the other side. If the fiber is treated the same way (basically if a broadcast packet would make it to the other side) one could establish PPPoE over it and in theory MLPPP should work. If the fiber is routed, a PPTP link could be used instead of PPPoE. I know MLPPP is supported on "virtual" PPP links like PPPoE and PPTP, the question is whether the devices on each end can support putting different types of PPP links all in the same MLPPP bundle.
|
|
#
?
Oct 10, 2008 16:52
|
|
|
wolrah posted:I know MLPPP is supported on "virtual" PPP links like PPPoE and PPTP, the question is whether the devices on each end can support putting different types of PPP links all in the same MLPPP bundle. No. All the connections in a bundle pretty much need to be the same media because the packets have to arrive in the same order or else you'll get a ton of errors on the line. I tried doing a DSL+T1 MLPPP bundle once and it ran slower than a single T1. Two DSL lines in a bundle is very nice though.
|
|
#
?
Oct 10, 2008 17:02
|
|
|
CrazyLittle posted:No. All the connections in a bundle pretty much need to be the same media because the packets have to arrive in the same order or else you'll get a ton of errors on the line. I tried doing a DSL+T1 MLPPP bundle once and it ran slower than a single T1. Two DSL lines in a bundle is very nice though. Good to know. I've only ever run MLPPP on T1s, so I've never had to dive in to the specifics.
|
|
#
?
Oct 10, 2008 17:33
|
|
|
Can anyone recommend something to monitor bandwidth on Cisco equipment? We have CSME lines from ATT, and they said they have no means of making reports on bandwidth usage. The only thing I know to do is do s sh gi 1/0/1 on a remote port, but that just gives me bytes in/out over a 5 minute interval. *EDIT* On one important switch, we are using MRTG(PRTG?) with SNMP, but to do this for every switch...Sheesh.
|
|
#
?
Oct 13, 2008 12:51
|
|
|
One more thing that is more an irritant. I upgraded the IOS on one switch to one that supported SSHv2. I'm anal retentive and wanted to clean up (delete) the old .BIN. I ended up having to delete what seemed like a ton of files/directories....HTML...Info, etc. Is there a simpler way to delete all those directories without having to CD into the directory and delete each file, then CD out to delete the directory? Thanks
|
|
#
?
Oct 13, 2008 12:58
|
|
|
ObamaisaTerrist posted:One more thing that is more an irritant. delete /all /recursive flash:/foldername
|
|
#
?
Oct 13, 2008 13:34
|
|
|
Is route failover possible using static routes? What I have is an 1841 with a serial connection and also a vpn connection to my home office. If I simply build two static routes, one with higher cost, will route failover occur if the lower cost route becomes unavailable?
|
|
#
?
Oct 13, 2008 14:33
|
|
|
ObamaisaTerrist posted:Can anyone recommend something to monitor bandwidth on Cisco equipment? We have CSME lines from ATT, and they said they have no means of making reports on bandwidth usage. Setup cacti, it isn't very hard and is very useful for the time invested in setting it up. https://www.cacti.net
|
|
#
?
Oct 13, 2008 14:45
|
|
|
Syano posted:Is route failover possible using static routes? What I have is an 1841 with a serial connection and also a vpn connection to my home office. If I simply build two static routes, one with higher cost, will route failover occur if the lower cost route becomes unavailable? Eh...it depends. If you set up two static routes with different admin distances, the one with the lower admin distance will remain in the routing table unless it's outgoing physical interface goes down; then the higher admin distance route comes into the routing table. Under that scenario a physical interface has to go down to trigger the routing change, that may or may not fit your purpose. There's also object tracking: http://www.cisco.com/en/US/docs/ios/12_3/12_3x/12_3xe/feature/guide/dbackupx.html
|
|
#
?
Oct 13, 2008 15:53
|
|
|
inignot posted:
This is.... well, fantastic. I'm astounded more every day how much the SDM sucks. Good grief
|
|
#
?
Oct 13, 2008 17:01
|
|
|
routenull0 posted:Setup cacti, it isn't very hard and is very useful for the time invested in setting it up. I was going to suggest this. We just got this setup on our core routers and it was well worth the time it took to setup and learn.
|
|
#
?
Oct 13, 2008 17:32
|
|
|
I have several cisco IP phones that are registered to a Call Manager (not express) at a remote office. These phones are set to get their DHCP from the 2811 router in the building. The Router is set to get NTP from our main router here, which gets it from the internet. All of the phones at that location display time several hours off (I can't remember if they are showing GMT or not, but they are not showing CST like they should be). Looking at the web interface on any of the phones there show the correct time and date, but the Time Zone field is blank. All the phones in our HQ building get their DHCP from a windows DHCP server, and they show the correct time on their display. Looking at the web interface on any of the phones there show the correct time and date and the Time Zone field correctly shows "Central Standard/Daylight Time" This leads me to believe that the problem is the DHCP server on the router does not tell the phones what time zone they show be in. Does anyone know how to set that on IOS's DHCP server, or have any other explanation for what the problem is?
|
|
#
?
Oct 13, 2008 21:07
|
|
|
Lowen SoDium posted:Does anyone know how to set that on IOS's DHCP server, or have any other explanation for what the problem is? option 2 hex ffff.aba0 That's assuming CST is also correct for this location. Otherwise, look here for the hex code.
|
|
#
?
Oct 13, 2008 21:32
|
|
|
|
| # ? May 14, 2024 21:06 |
|
|
wolrah posted:option 2 hex ffff.aba0 That didn't fix the time, or show the time zone on the web interface.
|
|
#
?
Oct 13, 2008 21:41
|
|