CrazyLittle
Sep 11, 2001
Clapping Larry
Have any of you guys ever worked with a vwic-2mft-t1? I've got one at a customer site where if the T1 in s0/0/0 drops, it also takes down the T1 in the adjacent port s0/0/1. Any ideas why that might happen?


jwh
Jun 12, 2002

CrazyLittle posted:

Have any of you guys ever worked with a vwic-2mft-t1? I've got one at a customer site where if the T1 in s0/0/0 drops, it also takes down the T1 in the adjacent port s0/0/1. Any ideas why that might happen?

Are you only clocking off the first T1? Configure your router to secondary clock the second T1 controller.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I am going crazy with a complete newbie question, I am sure. I had this config working on an ASA 5505, but we decided to build a completely separate segment with our old PIX, and the identical config does not seem to work. Here is the relevant section of code:

code:
access-list Outside_access_in extended permit tcp any any eq ftp
access-list Outside_access_in extended permit tcp any any eq ssh
static (inside,Outside) aaa.bbb.ccc.ddd internal-host netmask 255.255.255.255
access-group Outside_access_in in interface Outside
I have tried to perform a packet trace using asdm, and it drops it on the implied drop directly below the ftp and ssh allows.

CrazyLittle
Sep 11, 2001
Clapping Larry

jwh posted:

Are you only clocking off the first T1? Configure your router to secondary clock the second T1 controller.

Thanks I'll double check that.

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
If these are PRIs another thing to check is where your D channel(s) are. If you only have a D on the first T1 the 2nd can't run without it up.

This doesn't apply if you are using them for data.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

adorai posted:

I am going crazy with a complete newbie question, I am sure. I had this config working on an ASA 5505, but we decided to build a completely separate segment with our old PIX, and the identical config does not seem to work. Here is the relevant section of code:

code:
access-list Outside_access_in extended permit tcp any any eq ftp
access-list Outside_access_in extended permit tcp any any eq ssh
static (inside,Outside) aaa.bbb.ccc.ddd internal-host netmask 255.255.255.255
access-group Outside_access_in in interface Outside
I have tried to perform a packet trace using asdm, and it drops it on the implied drop directly below the ftp and ssh allows.

So what version of code is on the PIX? 6, 7, 8? Is the IP address aaa.bbb.ccc.ddd the same IP as the outside interface?

CrazyLittle
Sep 11, 2001
Clapping Larry

FatCow posted:

If these are PRIs another thing to check is where your D channel(s) are. If you only have a D on the first T1 the 2nd can't run without it up.

This doesn't apply if you are using them for data.

Nah it's a MLPPP bundle of data T1s. (BTW, MLPPP over DSL is fun stuff)

Turns out that the dead T1 was set to line clocking. The good T1 was set to internal. When the dead T1 would flap it would take down the good one. I set both T1s to line clocking and that solved the inter-dependency problems.

Herv
Mar 24, 2005

Soiled Meat
Bumped into this little (forgotten) gem today. It hides in the telco closet passing VoIP traffic all day.

2950-4 uptime is 1 year, 20 weeks, 6 days, 11 hours, 3 minutes

Quality was an issue so I wanted to check things end to end for the first time in forever.

Not one error in just under 1.5 years, well poo poo.

code:
2950-4#sh int fas 0/12
FastEthernet0/12 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000c.ce75.a48c (bia 000c.ce75.a48c)
  Description: TRUNK_TO_SWITCH!
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:03, output hang never
  Last clearing of "show interface" counters 38w6d
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     642395658 packets input, 4379949689 bytes, 0 no buffer
     Received 379798443 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 384324429 multicast, 0 pause input
     0 input packets with dribble condition detected
     382332985 packets output, 4035146017 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Herv posted:

Bumped into this little (forgotten) gem today. It hides in the telco closet passing VoIP traffic all day.

2950-4 uptime is 1 year, 20 weeks, 6 days, 11 hours, 3 minutes

Quality was an issue so I wanted to check things end to end for the first time in forever.

Not one error in just under 1.5 years, well poo poo.

code:
  Last clearing of "show interface" counters 38w6d

But yes, it's nice when poo poo just runs :).

Herv
Mar 24, 2005

Soiled Meat

Tremblay posted:

But yes, it's nice when poo poo just runs :).

I saw that! Tellin yah.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Tremblay posted:

So what version of code is on the PIX? 6, 7, 8? Is the IP address aaa.bbb.ccc.ddd the same IP as the outside interface?
7.2 and yes it is.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

adorai posted:

7.2 and yes it is.

You can't use the actual IP address of the interface in the NAT statement. Use the interface keyword instead.

Herv posted:

I saw that! Tellin yah.

:)

inignot
Sep 1, 2003

WWBCD?
I can't claim credit for this, as I've only been at this place a year:

code:
sw1-msfc1#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) MSFC Software (C6MSFC-JSV-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 18-Apr-02 00:46 by hqluong
Image text-base: 0x60008950, data-base: 0x6184E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)

sw1-msfc1 uptime is 4 years, 31 weeks, 6 days, 17 hours, 15 minutes
System returned to ROM by power-on
System restarted at 16:59:59 EST Mon Jan 10 2005
Running default software

cisco Cat6k-MSFC (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID xxxxxxxx
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
14 Virtual Ethernet/IEEE 802.3  interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

sw1-msfc1#
Of course, this is a hilariously out-of-date switch. Sup1/MSFC1 in hybrid mode.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

inignot posted:

I can't claim credit for this, as I've only been at this place a year:

code:
sw1-msfc1#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) MSFC Software (C6MSFC-JSV-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 18-Apr-02 00:46 by hqluong
Image text-base: 0x60008950, data-base: 0x6184E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)

sw1-msfc1 uptime is 4 years, 31 weeks, 6 days, 17 hours, 15 minutes
System returned to ROM by power-on
System restarted at 16:59:59 EST Mon Jan 10 2005
Running default software

cisco Cat6k-MSFC (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID xxxxxxxx
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
14 Virtual Ethernet/IEEE 802.3  interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

sw1-msfc1#
Of course, this is a hilariously out-of-date switch. Sup1/MSFC1 in hybrid mode.

That right there is VXR levels of rock.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

Tremblay posted:

You can't use the actual IP address of the interface in the NAT statement. Use the interface keyword instead.
This was the solution, thank you very much.

Herv
Mar 24, 2005

Soiled Meat

inignot posted:

I can't claim credit for this, as I've only been at this place a year:

code:
sw1-msfc1#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) MSFC Software (C6MSFC-JSV-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 18-Apr-02 00:46 by hqluong
Image text-base: 0x60008950, data-base: 0x6184E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)

sw1-msfc1 uptime is 4 years, 31 weeks, 6 days, 17 hours, 15 minutes
System returned to ROM by power-on
System restarted at 16:59:59 EST Mon Jan 10 2005
Running default software

cisco Cat6k-MSFC (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID xxxxxxxx
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
14 Virtual Ethernet/IEEE 802.3  interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

sw1-msfc1#
Of course, this is a hilariously out-of-date switch. Sup1/MSFC1 in hybrid mode.

Nice metrics there. Sure it's ancient, but I guess it's still slinging it as per spec at worst. There was an 'uptime' thread around here a few years back. I think some BSD box had the big score, but poo poo, 4+ years has to be a top 3 at least.

Man, someone should bounce it just to be 'that guy'. Not me though.

brent78
Jun 23, 2004

I killed your cat, you druggie bitch.
I'm trying to configure a 3825 that I bought refurb. I throw a console cable on it and boot, but after the following messages I don't get a prompt or anything (I hit return multiple times). Any ideas?

System restarted --
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 25-Feb-09 22:21 by prod_rel_team
*Aug 22 00:03:56.967: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Aug 22 00:03:57.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug 22 00:03:57.731: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down


After these last lines I get no response from the console

Tremblay
Oct 8, 2002
More dog whistles than a Petco

brent78 posted:

I'm trying to configure a 3825 that I bought refurb. I throw a console cable on it and boot, but after the following messages I don't get a prompt or anything (I hit return multiple times). Any ideas?

System restarted --
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 25-Feb-09 22:21 by prod_rel_team
*Aug 22 00:03:56.967: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Aug 22 00:03:57.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug 22 00:03:57.731: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down

How long are you waiting? Have you tried ROMMON? If you pull the flash card is there a crashinfo file?

ragzilla
Sep 9, 2005
don't ask me, i only work here


brent78 posted:

I'm trying to configure a 3825 that I bought refurb. I throw a console cable on it and boot, but after the following messages I don't get a prompt or anything (I hit return multiple times). Any ideas?

System restarted --
Cisco IOS Software, 3800 Software (C3825-ADVIPSERVICESK9-M), Version 12.4(24)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 25-Feb-09 22:21 by prod_rel_team
*Aug 22 00:03:56.967: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
*Aug 22 00:03:57.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Aug 22 00:03:57.515: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Aug 22 00:03:57.731: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down


After these last lines I get no response from the console

Tried setting confreg 0x2142 in rommon to skip config if any? (as well as normalize the console speed etc in case it's doing a late speed change?)

Weissbier
Apr 8, 2007
good for the soul
I have a rather odd question about finding devices plugged into your cisco switches.

We have guys that are setting up Kronos time keeping equipment at a multitude of locations. These Kronos devices have a mac address that begins 0040.

If you happen to be on the right switch, then you can issue a:

sh mac-address-table | incl 0040
13 0040.5801.dd37 STATIC Fa0/20
13 0040.5801.dda7 STATIC Fa0/21

and of course if there's one on that switch, you'll see the Fa port where it is attached.

If I'm not on the correct switch, I'll see the trunked Gi interface where it is:

sh mac-address-table | incl 0040
13 0040.5801.dd37 DYNAMIC Gi1/0/9
13 0040.5801.dda7 DYNAMIC Gi1/0/9

Here's where I'm stuck. I can issue a sh cdp neigh and it will tell me the hostname of gi1/0/9, but I have no means of really knowing what the ip of that switch is so I can connect to it. Is there any way to find these devices without ssh'ing into every switch to find that hostname?

ior
Nov 21, 2003

What's a fuckass?

Weissbier posted:

Is there any way to find these devices without ssh'ing into every switch to find that hostname?

Use the 'detail' parameter to sh cdp nei.

code:
labcore01#sh cdp neighbors gigabitEthernet 1/8 detail
-------------------------
Device ID: sw21-1.core.emelab.net
Entry address(es): 
  IP address: 10.203.204.121
....
....
....
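One way to do the lookup ior describes without hopping switches by hand is to parse the two show commands: the MAC table tells you which port learned the MAC, and if that port is an uplink, the CDP detail for it gives the hostname and IP of the next switch to connect to. This is an added example, not ior's or Cisco's code; the sample show output, the hostname sw-closet-3.example.net and the addresses are constructed, and the uplink test is a heuristic (several MACs on one port, or a CDP neighbour on it).

```python
"""Trace a device by MAC prefix from captured IOS show output (added example,
not from the thread; sample output, hostnames and addresses are constructed)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One row of `show mac address-table`, e.g. "  13    0040.5801.dd37    STATIC      Fa0/20"
MAC_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<kind>STATIC|DYNAMIC)\s+(?P<port>\S+)\s*$", re.IGNORECASE)

@dataclass
class MacEntry:
    vlan: int
    mac: str
    kind: str
    port: str

@dataclass
class CdpNeighbor:
    device_id: str
    ip: Optional[str]          # None if CDP reports no management address

@dataclass
class Hit:
    mac: str
    port: str                  # port the MAC was learned on (short IOS form)
    local: bool                # True: the device is plugged into `port` here
    next_hop: Optional[CdpNeighbor] = None   # switch to hop to when not local

def normalize_port(name: str) -> str:
    """CDP prints 'GigabitEthernet1/0/9'; the MAC table prints 'Gi1/0/9'."""
    m = re.match(r"^([A-Za-z]{2})[A-Za-z]*(\d.*)$", name)
    return m.group(1).capitalize() + m.group(2) if m else name

def parse_mac_table(text: str) -> List[MacEntry]:
    entries = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:   # header and separator rows do not match and are skipped
            entries.append(MacEntry(int(m["vlan"]), m["mac"].lower(),
                                    m["kind"].upper(), normalize_port(m["port"])))
    return entries

def parse_cdp_detail(text: str) -> Dict[str, CdpNeighbor]:
    """Map each local interface to the neighbour CDP reports on it."""
    neighbors: Dict[str, CdpNeighbor] = {}
    for block in re.split(r"^-{5,}\s*$", text, flags=re.MULTILINE):
        dev = re.search(r"^Device ID:\s*(\S+)", block, re.MULTILINE)
        ip = re.search(r"^\s+IP address:\s*(\S+)", block, re.MULTILINE)
        iface = re.search(r"^Interface:\s*([^,\s]+)", block, re.MULTILINE)
        if dev and iface:
            neighbors[normalize_port(iface.group(1))] = CdpNeighbor(
                dev.group(1), ip.group(1) if ip else None)
    return neighbors

def locate(mac_table: str, prefix: str, cdp_detail: str = "") -> List[Hit]:
    """Every MAC starting with `prefix`, flagged local or behind a CDP neighbour."""
    entries = parse_mac_table(mac_table)
    macs_per_port = Counter(e.port for e in entries)
    neighbors = parse_cdp_detail(cdp_detail)
    hits = []
    for e in entries:
        if not e.mac.startswith(prefix.lower()):
            continue
        # Heuristic: a port that learned several MACs, or that CDP shows a
        # neighbour on, is an uplink; the device then sits behind that neighbour.
        uplink = macs_per_port[e.port] > 1 or e.port in neighbors
        hits.append(Hit(e.mac, e.port, not uplink,
                        neighbors.get(e.port) if uplink else None))
    return hits

# Constructed sample output shaped like the two switches in the question.
ACCESS_SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
  13    0040.5801.dd37    STATIC      Fa0/20
  13    0040.5801.dda7    STATIC      Fa0/21
  13    0019.e7aa.0001    DYNAMIC     Gi0/1
"""
CORE_SWITCH_MAC_TABLE = """\
  13    0040.5801.dd37    DYNAMIC     Gi1/0/9
  13    0040.5801.dda7    DYNAMIC     Gi1/0/9
"""
CORE_SWITCH_CDP_DETAIL = """\
-------------------------
Device ID: sw-closet-3.example.net
Entry address(es):
  IP address: 10.203.204.121
Interface: GigabitEthernet1/0/9,  Port ID (outgoing port): GigabitEthernet0/1
"""
```

Feed it the saved output of each switch in turn: a local hit names the access port, a non-local hit names the neighbour whose IP you connect to next.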

ior
Nov 21, 2003

What's a fuckass?

brent78 posted:


After these last lines I get no response from the console

Make sure RTS/CTS is turned off on your serial port. This tends to make it 'read only'.

ior
Nov 21, 2003

What's a fuckass?

inignot posted:

I can't claim credit for this, as I've only been at this place a year:

code:
sw1-msfc1#sh ver
Cisco Internetwork Operating System Software 
IOS (tm) MSFC Software (C6MSFC-JSV-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 18-Apr-02 00:46 by hqluong
Image text-base: 0x60008950, data-base: 0x6184E000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE 
BOOTFLASH: MSFC Software (C6MSFC-BOOT-M), Version 12.1(8b)E10, EARLY DEPLOYMENT RELEASE SOFTWARE (fc3)

sw1-msfc1 uptime is 4 years, 31 weeks, 6 days, 17 hours, 15 minutes
System returned to ROM by power-on
System restarted at 16:59:59 EST Mon Jan 10 2005
Running default software

cisco Cat6k-MSFC (R5000) processor with 114688K/16384K bytes of memory.
Processor board ID xxxxxxxx
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1, 512KB L2 Cache
Last reset from power-on
Bridging software.
X.25 software, Version 3.0.0.
SuperLAT software (copyright 1990 by Meridian Technology Corp).
TN3270 Emulation software.
14 Virtual Ethernet/IEEE 802.3  interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

sw1-msfc1#
Of course, this is a hilariously out-of-date switch. Sup1/MSFC1 in hybrid mode.

Actually I just upgraded a similar box; it had 9 years of uptime when I shut it down. A drat miracle all the linecards booted back up.

Weissbier
Apr 8, 2007
good for the soul

ior posted:

Use the 'detail' parameter to sh cdp nei.

code:
labcore01#sh cdp neighbors gigabitEthernet 1/8 detail
-------------------------
Device ID: sw21-1.core.emelab.net
Entry address(es): 
  IP address: 10.203.204.121
....
....
....

Awesome ior, thank you for that little tip!

M@
Jul 10, 2004
A customer of mine needs help building their DOCSIS 3.0/M-CMTS lab. Does anyone have experience in that realm and want to help out?

Syano
Jul 13, 2005
Wow. Apparently Cisco snuck in support for Active Directory into the latest software release of the TrendMicro CSC SSM. This is like, huge, for me. Is there somewhere I can sign up to a mailing list or RSS feed or something similar to see when these releases come out?

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Syano posted:

Wow. Apparently Cisco snuck in support for Active Directory into the latest software release of the TrendMicro CSC SSM. This is like, huge, for me. Is there somewhere I can sign up to a mailing list or RSS feed or something similar to see when these releases come out?

Check under "My Cisco".

FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
I'm using a 3620 as a terminal server (async cards to IP). Is there any way to see the status of the indicator lights on the back of the async cards through IOS?

[edit]
"sh line summary" I think gets me what I needed.

FatCow fucked around with this message at 19:14 on Aug 27, 2009

Wicaeed
Feb 8, 2005
I'm looking for some help diagnosing a kind of frustrating issue with a Cisco ASA 5505:

I have the router set up to allow VPN access from a restricted set of IPs. Clients who are allowed VPN access can VPN in just fine, but once they are in, the people who are connected through the VPN can only ping two IP addresses: the internal ASA address and its external address. Any other IP you try to ping times out. The strange thing is that (based on what syslog is saying) there is not an ACL denying access to the rest of the hosts. For example, this is what syslog says when I ping from a VPN client to the inside interface:


Built inbound ICMP connection for 10.10.8.240/13836 gaddr 10.10.8.1/0 laddr 10.10.8.1/0 (craig)
Teardown ICMP connection for faddr 10.10.8.240/32779 gaddr 10.10.8.1/0 laddr 10.10.8.1/0
Built inbound ICMP connection for 10.10.8.240/23779 gaddr 1010.8.1/0 laddr 10.10.8.1/0 (craig)
Teardown ICMP connection for faddr 10.10.8.240/32779 gaddr 10.10.8.1/0 laddr 10.10.8.1/0
Built inbound ICMP connection for 10.10.5.1/23779 gaddr 1010.8.1/0 laddr 10.10.8.1/0 (craig)
Teardown ICMP connection for faddr 10.10.5.1/32779 gaddr 10.10.8.1/0 laddr 10.10.8.1/0

for 3 successful pings, but when I try to reach a different ip address (10.10.8.12) it says:

Built inbound ICMP connection for faddr 10.10.8.240/4620 gaddr 10.10.8.12/0 laddr 10.10.8.12/0 (craig)
Teardown UDP connection for 4824 for outside:10.10.8.240/49828 to NP Identity Ifc:255.255.255.25/2223 duration 0:02:01 bytes 72 (craig)
Teardown UDB connection for 4821 for outisde: 10.10.8.240/57060 to inside:10.10.8.12/53 duration 0:02:15 bytes 118 (craig)

It's the same thing when trying to ping any outside IP address. Based on the fact that an ACL isn't actively denying the request, am I correct in assuming the problem is not being caused by an ACL, or is there something else that can deny traffic like this?

J Crewl
Dec 11, 2005
A couple (noob) things I need to vent/ask about..

Let's say provider A hands you the following IP information for a new circuit turn up (1xT1 IP voice/data circuit):

IP LAN Block = 9.9.9.112/28
Usable IP Range = 9.9.9.113 to 9.9.9.127

and

Circuit ID: blahblah.
Wan Link IP Address: 11.11.11.24
AR Serial INT IP Address: 11.11.11.25
CR Serial INT IP Address: 11.11.11.26
WAN Link Subnet Mask: 255.255.255.252

The provider is installing their own managed router (A) to terminate the T1 and split voice/data on different interfaces. You will install your own router (B) on the data side to firewall/tunnel/route/whatever. Given only this information, what IPs do you put on the 1 WAN and 1 LAN interfaces of your router (B)?

The circuit is handed to you as ethernet from router A, not serial. Also you have a public server or two to throw into the mix. What IPs go where?

Note: I now know the answer, just wondering if I could have asked this yesterday and saved myself many hours of frustration and two pissed off bosses today, or if there's room for debate given the info I received.

e: Also, yes, I refused to email provider A for further instruction because I'm an idiot and made too many assumptions.

J Crewl fucked around with this message at 06:02 on Aug 28, 2009

Tremblay
Oct 8, 2002
More dog whistles than a Petco

Wicaeed posted:

I'm looking for some help diagnosing a kind of frustrating issue with a Cisco ASA 5505:

I have the router set up to allow VPN access from a restricted set of IPs. Clients who are allowed VPN access can VPN in just fine, but once they are in, the people who are connected through the VPN can only ping two IP addresses: the internal ASA address and its external address. Any other IP you try to ping times out. The strange thing is that (based on what syslog is saying) there is not an ACL denying access to the rest of the hosts. For example, this is what syslog says when I ping from a VPN client to the inside interface:


Built inbound ICMP connection for 10.10.8.240/13836 gaddr 10.10.8.1/0 laddr 10.10.8.1/0 (craig)
Teardown ICMP connection for faddr 10.10.8.240/32779 gaddr 10.10.8.1/0 laddr 10.10.8.1/0
Built inbound ICMP connection for 10.10.8.240/23779 gaddr 1010.8.1/0 laddr 10.10.8.1/0 (craig)
Teardown ICMP connection for faddr 10.10.8.240/32779 gaddr 10.10.8.1/0 laddr 10.10.8.1/0
Built inbound ICMP connection for 10.10.5.1/23779 gaddr 1010.8.1/0 laddr 10.10.8.1/0 (craig)
Teardown ICMP connection for faddr 10.10.5.1/32779 gaddr 10.10.8.1/0 laddr 10.10.8.1/0

for 3 successful pings, but when I try to reach a different ip address (10.10.8.12) it says:

Built inbound ICMP connection for faddr 10.10.8.240/4620 gaddr 10.10.8.12/0 laddr 10.10.8.12/0 (craig)
Teardown UDP connection for 4824 for outside:10.10.8.240/49828 to NP Identity Ifc:255.255.255.25/2223 duration 0:02:01 bytes 72 (craig)
Teardown UDB connection for 4821 for outisde: 10.10.8.240/57060 to inside:10.10.8.12/53 duration 0:02:15 bytes 118 (craig)

It's the same thing when trying to ping any outside IP address. Based on the fact that an ACL isn't actively denying the request, am I correct in assuming the problem is not being caused by an ACL, or is there something else that can deny traffic like this?

Have you read this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml

Sounds like you don't have the ACL set for allowed subnets. This will cover internal access. Do these VPN users need to access the internet through the ASA or are you allowing split tunneling?

Wicaeed
Feb 8, 2005

Tremblay posted:

Have you read this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml

Sounds like you don't have the ACL set for allowed subnets. This will cover internal access. Do these VPN users need to access the internet through the ASA or are you allowing split tunneling?

Awesome, that pointed me in the right direction :D

I had to clear out all of the existing ACL's that were being used for tunneling, once that was done I could ping hosts on both sides of the network :)

Now to just set it up how I want! Thanks!

E1M6
Aug 24, 2004

I'm helping out with a network overhaul at work. They're looking to get a router/firewall that can handle an average load of 50 users. They also want something that can do dual WAN with load balancing. Does anyone have any recommendations? I've set up Cisco equipment before but I get lost looking through all their offerings.

Tremblay
Oct 8, 2002
More dog whistles than a Petco

E1M6 posted:

I'm helping out with a network overhaul at work. They're looking to get a router/firewall that can handle an average load of 50 users. They also want something that can do dual WAN with load balancing. Does anyone have any recommendations? I've set up Cisco equipment before but I get lost looking through all their offerings.

For Cisco you'll want to look at the ISR line of routers with Firewall feature set. ASA will do multiple ISP connections, but it will not load balance them.

Syano
Jul 13, 2005
Has anyone done much of anything with Cisco's WAN accelerators? Specifically I am interested in any improvements to RDP traffic streams. We are committed to a thin infrastructure from here on out and would really like to reduce, as much as possible, the latency the end user sometimes experiences, especially in graphic-intensive processing, i.e. viewing a flash animation. I know the RDP protocol already significantly compresses the data for transport, but any improvement in latency from some sort of cache, if that is even possible, would be looked at as good.

ate shit on live tv
Feb 15, 2004

by Azathoth
It seems like Cisco WAAS is exactly what you are looking for. I don't have any direct experience with it, but for certain applications it's perfect.

If you are running ISRs at your sites, then all you need is a network module.

Something to look into anyway.

http://www.cisco.com/en/US/products/ps6870/index.html

Syano
Jul 13, 2005

Powercrazy posted:

It seems like Cisco WAAS is exactly what you are looking for. I don't have any direct experience with it, but for certain applications it's perfect.

If you are running ISRs at your sites, then all you need is a network module.

Something to look into anyway.

http://www.cisco.com/en/US/products/ps6870/index.html

Yeah, according to all the documentation it is exactly what I'm looking for. As a bonus, I already have the ISRs in place to support the add-in module. However, my specific hope is a reduction in latency and not necessarily optimization of total bandwidth, although that would certainly be an added bonus. My local vendor has yet to deploy one, so he felt it wasn't appropriate to tell me yes or no it would do what I want.

CrazyDutchie
Aug 5, 2005
Yeah, we're running WAAS for all our sites also. It's great; it does offer a great increase in SMB and print performance. We don't use it for RDP though. Setting it up is quite easy (both inline and WCCP) and it's low maintenance.

Cisco is very happy to loan you a couple of units for testing, so you may check if they can arrange it for you.

citywok
Sep 8, 2003
Born To Surf
We've got a Cisco 48-port PoE gigabit switch, and the thing takes like 6 weeks to enable a port. It causes TFTP/DHCP timeout issues, and makes the switch really irritating to work with. Is there a way to not make it take 90-120 seconds to enable a port?


cptInsane0
Apr 11, 2007

...and a clown with no head
By "enable a port", do you mean after you type no shutdown? Or do you mean when it picks up whatever is attached to it? If you meant after you plug a computer into it, you can use portfast on those ports, but only do it for ports connected to a PC.
