some kinda jackal
Feb 25, 2003

OSPF question. I'm only familiar with OSPF at a CCNA level so I don't have too much background on summarization across ABRs. Purely a thought experiment right now:

If you have an ABR in area 1 responsible for the following subnets:

172.16.0.0 - 172.16.7.0
192.168.0.0 - 192.168.7.0

Both of these can be summarized down to a /21, but since you issue an area 1 range command, am I right in assuming that you can only summarize one of these down, while the other would remain unsummarized? Or can you issue multiple area 1 range commands without them overwriting each other?

Furthermore, is it just bad network design to put two dissimilar subnets which will never have a chance of summarizing down in the same area? I'm guessing it is, unless there's something I'm not seeing.

Edit: Oh wait, never mind, you can have multiple area N range commands in any given area; I'm not sure why I thought otherwise. I just summarized a ton of dissimilar subnets down to two or three.

:love: GNS3

some kinda jackal fucked around with this message at 19:28 on Jun 21, 2010

Bardlebee
Feb 24, 2009

Im Blind.
Hey guys, I have not had the chance to test out my NAT settings yet, unfortunately I have to wait till tomorrow. But here is another question.

With my Cisco 1811 router, can I block websites? I only want to block about five websites and I would really rather not have to buy extra equipment. Not that I don't want to, but management won't.

Is there a way I can re-route a domain name such as facebook.com and shoot it to something useless like 0.0.0.0? Or block it altogether?

Harry Totterbottom
Dec 19, 2008

Bardlebee posted:

Hey guys, I have not had the chance to test out my NAT settings yet, unfortunately I have to wait till tomorrow. But here is another question.

With my Cisco 1811 router, can I block websites? I only want to block about five websites and I would really rather not have to buy extra equipment. Not that I don't want to, but management won't.

Is there a way I can re-route a domain name such as facebook.com and shoot it to something useless like 0.0.0.0? Or block it altogether?

The only thing you can really do is block ip addresses. If you had an ASA you might be able to add in regular expressions to block (haven't played with this so I'm not sure). You might be able to get away with using the free OpenDNS web filtering so you don't have to purchase a new device.

Bardlebee
Feb 24, 2009

Im Blind.

Harry Totterbottom posted:

The only thing you can really do is block ip addresses. If you had an ASA you might be able to add in regular expressions to block (haven't played with this so I'm not sure). You might be able to get away with using the free OpenDNS web filtering so you don't have to purchase a new device.

Doing more research before I found this post, I used OpenDNS and it has worked very well. Beyond what I expected. I only need to block about five, but it allows for a free account with up to 25 blocks/whitelists.

So I think I am good and thanks for the suggestion! Now if only I can convince my employer to have a domain controller in our 100 user company :(

Richard Noggin
Jun 6, 2005
Redneck By Default
Woohoo! It looks like ASA 5505s are starting to be stocked again.

CrazyDutchie
Aug 5, 2005

Pussy Noise posted:


I don't think it's an xlate issue, or at least clearing the relevant xlates doesn't change the situation. So why does my FWSM eat my DHCP packets? Why is there nothing at all in logs about any of this?
Are you NATting the private VLANs to the shared VLAN? If not, you must do this on a FWSM. This is because the FWSM architecture causes some issues relating to MAC addresses, and if you don't NAT the private network to the public network, the FWSM does not know to which context or interface the packet should be forwarded.

ate shit on live tv
Feb 15, 2004

by Azathoth
I don't know if there are any BGP experts here, but I have a question.

We have Qwest for our MPLS connections between our 30 remote sites. Qwest had a snafu and our HUB BGP routers which usually have around 30 networks suddenly got 3000+ routes, which killed connectivity to our remote sites. They were bad routes that went elsewhere in the Qwest cloud and not to our remote offices.

So in order to prevent that in the future, the only solution we can come up with is a route whitelist so that only our remote sites will be in the routing tables. The problem is that we have to apply this map everywhere, and if we add a new site we have to update all of our offices. Obviously this sucks, so does anyone know a better or correct way of doing this?

We can't use community values because Qwest won't support them, we are also in the process of getting another MPLS provider, but that is a slow expensive process.

jwh
Jun 12, 2002

Powercrazy posted:

I don't know if there are any BGP experts here, but I have a question.

We have Qwest for our MPLS connections between our 30 remote sites. Qwest had a snafu and our HUB BGP routers which usually have around 30 networks suddenly got 3000+ routes, which killed connectivity to our remote sites. They were bad routes that went elsewhere in the Qwest cloud and not to our remote offices.

So in order to prevent that in the future, the only solution we can come up with is a route whitelist so that only our remote sites will be in the routing tables. The problem is that we have to apply this map everywhere, and if we add a new site we have to update all of our offices. Obviously this sucks, so does anyone know a better or correct way of doing this?

We can't use community values because Qwest won't support them, we are also in the process of getting another MPLS provider, but that is a slow expensive process.

What was the AS-path on the leaked routes?

ragzilla
Sep 9, 2005
don't ask me, i only work here


Powercrazy posted:

We can't use community values because Qwest won't support them, we are also in the process of getting another MPLS provider, but that is a slow expensive process.

Qwest won't forward your communities if you send them (try sending them, see if they show up)? The only other option would be what jwh is thinking (set up as-path filters), anything else would be an ugly hack.

ate shit on live tv
Feb 15, 2004

by Azathoth
Hmm, as-path filters eh?

Here is a subset of the paths we were getting.

*> 1.0.0.1/32 208.46.155.225 0 209 65002 i
*> 1.0.0.2/32 208.46.155.225 0 209 65003 i
*> 3.3.3.0/30 208.46.155.225 0 209 209 ?
*> 10.0.0.0/24 208.46.155.225 0 209 i
*> 10.0.0.0/23 208.46.155.225 0 209 209 ?
*> 10.0.0.0/16 208.46.155.225 0 209 ?
*> 10.0.0.0/12 208.46.155.225 0 209 209 ?
*> 10.0.0.0 208.46.155.225 0 209 i
*> 10.0.0.1/32 208.46.155.225 0 209 2005 ?
*> 10.0.0.2/32 208.46.155.225 0 209 2005 ?
*> 10.0.0.200/32 208.46.155.225 0 209 209 i
*> 10.0.1.0/24 208.46.155.225 0 209 65000 i
*> 10.0.2.0/24 208.46.155.225 0 209 i
*> 10.0.56.0/24 208.46.155.225 0 209 65000 i
*> 10.0.77.0/24 208.46.155.225 0 209 65065 i
*> 10.1.0.0/24 208.46.155.225 0 209 ?
*> 10.1.0.0/16 208.46.155.225 0 209 ?
*> 10.1.1.0/24 208.46.155.225 0 209 ?
*> 10.1.1.224/27 208.46.155.225 0 209 65200 i
*> 10.1.2.0/28 208.46.155.225 0 209 2006 2009 116 i
*> 10.1.2.0/24 208.46.155.225 0 209 ?
*> 10.1.129.0/24 208.46.155.225 0 209 65024 65004 11158 65007 i

And here is what we normally get....

*> 10.1.41.92/30 208.46.155.225 0 209 4755 ?
*> 10.255.255.0/30 208.46.155.225 0 209 i
*> 10.255.255.4/30 208.46.155.225 0 209 i
*> 63.149.44.72/30 208.46.155.225 0 209 ?
*> 63.226.75.124/30 208.46.155.225 0 209 ?
*> 63.227.224.144/30 208.46.155.225 0 209 ?
*> 63.229.104.184/30 208.46.155.225 0 209 i
*> 63.231.5.100/30 208.46.155.225 0 209 ?
*> 65.100.13.28/30 208.46.155.225 0 209 i
*> 65.115.53.64/30 208.46.155.225 0 209 ?
*> 65.115.53.66/32 208.46.155.225 0 209 ?
*> 67.131.252.240/30 208.46.155.225 0 209 i
*> 67.131.252.244/30 208.46.155.225 0 209 ?
*> 67.131.252.246/32 208.46.155.225 0 209 ?
*> 67.148.31.112/30 208.46.155.225 0 209 ?
*> 67.148.89.248/30 208.46.155.225 0 209 i
*> 67.148.141.176/30 208.46.155.225 0 209 ?
*> 67.148.251.88/30 208.46.155.225 0 209 i
*> 72.164.125.240/30 208.46.155.225 0 0 209 ?
*> 72.164.126.48/30 208.46.155.225 0 0 209 ?
*> 146.198.158.48/30 208.46.155.225 0 209 2006 i

See the problem is the bogus routes we are getting are similar to what we are expecting, so...

ate shit on live tv fucked around with this message at 19:26 on Jun 24, 2010

jwh
Jun 12, 2002

Well, there's not a lot you can do in that case. Particularly because the only decision you can really make is whether to move data into the provider's network, and if they're leaking routes between VRFs accidentally, you're not going to be able to influence forwarding inside their core anyhow.

thiscommercialsucks
Jun 13, 2009

by T. Mascis

Martytoof posted:

OSPF question. I'm only familiar with OSPF at a CCNA level so I don't have too much background on summarization across ABRs. Purely a thought experiment right now:

If you have an ABR in area 1 responsible for the following subnets:

172.16.0.0 - 172.16.7.0
192.168.0.0 - 192.168.7.0

Both of these can be summarized down to a /21, but since you issue an area 1 range command, am I right in assuming that you can only summarize one of these down, while the other would remain unsummarized? Or can you issue multiple area 1 range commands without them overwriting each other?

You can use multiple area range commands; you are not correct in your assumption. The ABR will summarize both ranges of networks.

quote:

Furthermore, is it just bad network design to put two dissimilar subnets which will never have a chance of summarizing down in the same area? I'm guessing it is, unless there's something I'm not seeing.

Bad network design? It depends how much control you have over the design of the network I suppose. If you have multiple discontiguous networks spanning multiple OSPF areas, you might want to reconsider your design, but sometimes things just are what they are.


quote:

Edit: Oh wait, never mind, you can have multiple area N range commands in any given area; I'm not sure why I thought otherwise. I just summarized a ton of dissimilar subnets down to two or three.

Oh cool, I neglected to read this part of your post before replying.
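As an added example (not code from either poster), the summarization discussed above worked out in Python: it collapses the two blocks from the question into their exact aggregates, finds the smallest covering prefix for each group, and emits one `area 1 range` command per group, which is the multiple-range case the reply confirms. It assumes the blocks are /24s (eight /24s is what makes each a /21); the `max_unused` knob goes a step beyond the thread and shows what happens when a block is not a clean power of two.

```python
import ipaddress

# Constructed input: the two blocks from the question, assumed to be /24s.
AREA1_SUBNETS = [f"172.16.{i}.0/24" for i in range(8)] + \
                [f"192.168.{i}.0/24" for i in range(8)]


def summarize(subnets):
    """Collapse adjacent subnets into the exact set of aggregates (sorted, no extra space)."""
    return sorted(ipaddress.collapse_addresses(
        ipaddress.ip_network(s, strict=True) for s in subnets))


def tightest_supernet(nets):
    """Smallest single prefix that covers every network in `nets`."""
    candidate = min(nets)
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def plan_ranges(subnets, max_unused=0):
    """Greedily merge neighbouring aggregates into one summary as long as the
    covering prefix contains at most `max_unused` addresses that no component
    subnet uses.

    Unused space inside a summary matters: the ABR advertises the whole range
    and installs a Null0 discard route for it, so traffic to the unused part
    is dropped at the ABR rather than following a default route elsewhere.
    With max_unused=0 (the default) only exact aggregates are produced.
    """
    blocks = summarize(subnets)
    if not blocks:
        return []
    plan, current = [], [blocks[0]]
    for net in blocks[1:]:
        covering = tightest_supernet(current + [net])
        used = sum(n.num_addresses for n in current) + net.num_addresses
        if covering.num_addresses - used <= max_unused:
            current.append(net)
        else:
            plan.append(tightest_supernet(current))
            current = [net]
    plan.append(tightest_supernet(current))
    return plan


def area_range_commands(area, ranges):
    """One `area <n> range <network> <mask>` line per summary, as typed under `router ospf`."""
    return [f"area {area} range {r.network_address} {r.netmask}" for r in ranges]


if __name__ == "__main__":
    for cmd in area_range_commands(1, plan_ranges(AREA1_SUBNETS)):
        print(cmd)
```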

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

Well, there's not a lot you can do in that case. Particularly because the only decision you can really make is whether to move data into the provider's network, and if they're leaking routes between VRFs accidentally, you're not going to be able to influence forwarding inside their core anyhow.

Yeah, I was afraid of this. I'm going to try to prepend our AS a few times and then see if I can whitelist only those routes which have our AS in them 3 times. It's not an elegant solution, but it's better than using a route whitelist for all our remote sites.

Bardlebee
Feb 24, 2009

Im Blind.
Going back to my NAT issue, I am testing it tonight, but I have some new information that I wanted to give you all in case it's important in my NAT config.

There is a Cisco 2600 attached to the current router (the lovely retail one) that goes from the lovely retail's WAN port to its FastEthernet port; there is a cable going from the Cisco 2600 labeled T1/CSU/DSU, and this goes to a white box which I assume is the modem. My assumption is that the router connects to this Cisco 2600, which is a T1 line, and then connects to the modem.

I don't think this should cause an issue and if it doesn't work I am going to draw a pretty picture with descriptive labels.

Side Note: If I want to have a dhcp pool of 192.168.2.100-199, would I use an exclude command?

reborn
Feb 21, 2007

I'm having issues with multicasting between VLANs on the same stack. I've got a 3750 stack with a bunch of phones on it. The VoIP server which the phones must communicate with is on VLAN100, while the phones are all on VLAN10.

I have multicast routing enabled via ip multicast-routing distributed, as that was all I could do with this IOS revision. I've got ip pim sparse-dense-mode enabled on each of the VLANs, but when I try and page (our paging system uses multicast) and do a show ip mroute, the outgoing interface list only shows VLAN100 and not VLAN10. Also, if I do a debug session and watch the log, nothing ever responds on VLAN10.

The TTL is 3 hops for the multicasts so that isn't it. I'm just lost and put a call in with TAC but they are slow as hell right now.

jwh
Jun 12, 2002

The only advice I have is to go download mcast.exe and start putting some data on the wire, in conjunction with appropriate debugs on the 3750.

thiscommercialsucks
Jun 13, 2009

by T. Mascis

Bardlebee posted:

Going back to my NAT issue, I am testing it tonight, but I have some new information that I wanted to give you all in case it's important in my NAT config.

There is a Cisco 2600 attached to the current router (the lovely retail one) that goes from the lovely retail's WAN port to its FastEthernet port; there is a cable going from the Cisco 2600 labeled T1/CSU/DSU, and this goes to a white box which I assume is the modem. My assumption is that the router connects to this Cisco 2600, which is a T1 line, and then connects to the modem.

I don't think this should cause an issue and if it doesn't work I am going to draw a pretty picture with descriptive labels.

Side Note: If I want to have a dhcp pool of 192.168.2.100-199, would I use an exclude command?

Depends how you have the lovely retail router set up; RIP? Static route? NAT of the WAN port? Which device is going to do NAT?

For DHCP configuration, yeah you'll want to use
ip dhcp excluded-address 192.168.2.1 192.168.2.99 and
ip dhcp excluded-address 192.168.2.200 192.168.2.254 under global config mode

ate shit on live tv
Feb 15, 2004

by Azathoth
So I've found a better solution than per-site filtering for BGP routes.

pre:
m2821a-germany#sh ip bgp
*> 67.148.251.88/30 63.229.104.185 0 209 i
*> 72.164.125.240/30 63.229.104.185 0 209 ?
*> 72.164.126.48/30 63.229.104.185 0 209 ?
*> 146.198.158.48/30  63.229.104.185 0 209 2006 i
*> 172.16.77.0/24  63.229.104.185  0 209 209 209 209 209 209 i
*> 172.16.88.1/32  63.229.104.185  0 209 209 209 209 209 209 i


I created a route filter for our outgoing routes and prepended the transit AS to it 4 or 5 times. So then presumably we can filter based on the number of AS prepends. Kind of a hack job, but there we go. Now all I need to do is whip up an inclusive regex.
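The prepend-based filter described above, modelled in Python as an added example (not the poster's configuration or code): it parses `show ip bgp` lines in the format quoted in this thread, translates an IOS AS-path regex (where `_` stands for any AS separator) into a Python regex, and reports which prefixes a permit-only filter would keep. The table lines are constructed from the output shown above, and the regex `^209_209_209_209_209` is an assumption about the intended filter.

```python
import re
from dataclasses import dataclass

# Sample table lines, constructed from the formats quoted in this thread
# (the real table is much longer). The 172.16.x routes are the ones that
# carry the prepends; the rest look like the leaked and pre-prepend entries.
SAMPLE_TABLE = """\
*> 10.0.0.0/16 208.46.155.225 0 209 ?
*> 10.0.0.0/12 208.46.155.225 0 209 209 ?
*> 10.1.2.0/28 208.46.155.225 0 209 2006 2009 116 i
*> 10.1.129.0/24 208.46.155.225 0 209 65024 65004 11158 65007 i
*> 72.164.125.240/30 63.229.104.185 0 0 209 ?
*> 146.198.158.48/30 63.229.104.185 0 209 2006 i
*> 172.16.77.0/24 63.229.104.185 0 209 209 209 209 209 209 i
*> 172.16.88.1/32 63.229.104.185 0 209 209 209 209 209 209 i
"""

# Assumed filter: keep only paths where the transit AS (209) appears at
# least five times in a row, i.e. the prepended routes from our own sites.
# IOS form would be: ip as-path access-list 10 permit ^209_209_209_209_209
PREPEND_FILTER = "^209_209_209_209_209"

ORIGIN_CODES = {"i", "e", "?"}
STATUS_TOKENS = {"*", "*>", "*i", "*>i"}


@dataclass(frozen=True)
class BgpEntry:
    prefix: str
    next_hop: str
    as_path: tuple  # ASNs as strings, nearest neighbour first
    origin: str     # i, e or ?


def parse_show_ip_bgp_line(line):
    """Parse one whitespace-collapsed `show ip bgp` line, or return None.

    Assumption (true of the output quoted in the thread): entries are
    eBGP-learned and every attribute column present (metric, weight) is 0.
    AS 0 is reserved, so leading zeros can only be attribute columns.
    """
    tokens = line.split()
    if not tokens:
        return None
    if tokens[0] in STATUS_TOKENS:
        tokens = tokens[1:]                      # "*> 10.0.0.0/24 ..."
    elif tokens[0].startswith("*"):
        tokens[0] = tokens[0].lstrip("*>i")      # "*>10.0.0.0/24 ..."
    else:
        return None                              # header or other text
    if len(tokens) < 3 or tokens[-1] not in ORIGIN_CODES:
        return None
    middle = tokens[2:-1]
    while middle and middle[0] == "0":
        middle.pop(0)                            # drop metric/weight columns
    return BgpEntry(tokens[0], tokens[1], tuple(middle), tokens[-1])


def ios_aspath_regex(ios_pattern):
    """Translate an IOS `ip as-path access-list` regex into a compiled Python regex.

    In IOS, `_` matches any AS-path separator: a space, comma, brace, or the
    start or end of the path. Everything else is ordinary regex syntax.
    """
    return re.compile(ios_pattern.replace("_", r"(?:^|$|[ ,{}])"))


def aspath_matches(entry, compiled):
    return compiled.search(" ".join(entry.as_path)) is not None


def filter_table(lines, ios_pattern):
    """Split a table into (accepted, rejected) prefix lists for a permit-only filter."""
    compiled = ios_aspath_regex(ios_pattern)
    accepted, rejected = [], []
    for line in lines:
        entry = parse_show_ip_bgp_line(line)
        if entry is None:
            continue
        (accepted if aspath_matches(entry, compiled) else rejected).append(entry.prefix)
    return accepted, rejected


def demo():
    # Caveat before relying on this: a leaked route that happened to carry the
    # transit AS five or more times would pass too, and any own site that
    # forgets to prepend (like 72.164.125.240/30 here) is dropped.
    return filter_table(SAMPLE_TABLE.splitlines(), PREPEND_FILTER)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("permitted:", accepted)
    print("filtered :", rejected)
```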

some kinda jackal
Feb 25, 2003

I'm finding that if I power on a router which has no startup-config, but has an ethernet link out of the lab rack into my home router, then that router will put the interface into DHCP mode automatically, without any explicit configuration on my part.

This has happened on both my 2620XM 12.4(5) and 3640 12.4(8).

I'm looking for some article on Cisco's site which might document this behaviour, but so far I'm coming up empty. Do any of you guys have any leads?

This might be obvious behaviour to some of you guys, but honestly it just startled me that Cisco would put any interface into auto DHCP and issue a 'no shutdown' without your express request.

Edit: Oh ok I found it: AutoInstall. Seriously didn't know it existed. A little aggravating that I can't disable it out of the box in rommon or something, because this way I have to keep the uplink unplugged until I boot the router or face a mountain of TFTP error messages and a DHCP IP.

some kinda jackal fucked around with this message at 00:04 on Jun 27, 2010

Bardlebee
Feb 24, 2009

Im Blind.
Ok, so I tried using the NAT config recommended and I was half successful. When I do a ping 8.8.8.8 to Google's DNS it works fine on the router. I can even do a traceroute all the way there. However, when I plug a computer into the FastEthernet 9 port I can't get out, although I do get an IP address of 192.168.2.2, so DHCP is working fine. I attempt a ping 8.8.8.8 on the computer and I can't ping anything outside my network.

I am sure it's just one config line I am missing, but I can't figure out what. Is my VLAN1 supposed to have my internal IP? This is what I get from a show run, sh int fastethernet 9, and a sh ip int brief.

I am not sure what I am missing, but I have a feeling it is something to do with the vlan configuration. :(

code:

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0             111.111.111.112  YES NVRAM  up                    up
FastEthernet1              unassigned      YES NVRAM  up                    down
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              unassigned      YES unset  up                    down
FastEthernet5              unassigned      YES unset  up                    down
FastEthernet6              unassigned      YES unset  up                    down
FastEthernet7              unassigned      YES unset  up                    down
FastEthernet8              unassigned      YES unset  up                    down
FastEthernet9              unassigned      YES unset  up                    up
Vlan1                      192.168.2.1     YES NVRAM  up                    up
Async1                     unassigned      YES NVRAM  down                  down
NVI0                       111.111.111.112 YES unset  up                    up
WG-STSC#sh run
Building configuration...

Current configuration : 3773 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname WG-STSC
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3872896560
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3872896560
 revocation-check none
 rsakeypair TP-self-signed-3872896560
!
!
crypto pki certificate chain TP-self-signed-3872896560
 certificate self-signed 01
        quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool 192.168.2.0/24
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 66.196.216.10
!
ip dhcp pool 192.168.2.0\24
   dns-server 192.168.2.113 255.255.255.0
!
!
ip domain name WGSTSC
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 $1$okPG$sSaKRYxgE8z7A/oZYTN9k0
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
 ip address 111.111.111.112 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 speed 100
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 111.111.111.111
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Vlan1 overload
ip nat inside source list 102 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
line vty 16
 privilege level 15
 login local
 transport input all
!
end

WG-STSC#sh int faste9
FastEthernet9 is up, line protocol is up
  Hardware is FastEthernet, address is 0014.a832.8691 (bia 0014.a832.8691)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 10
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 2000 bits/sec, 2 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5235 packets input, 530176 bytes, 0 no buffer
     Received 2093 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     2375 packets output, 189848 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Harry Totterbottom
Dec 19, 2008
sh xlate

This should show if you're getting translations or not.

Also
ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113

That will only translate tcp, ping is icmp.

You might want to kill that line, as well as the one below.
no ip nat inside source list 1 interface Vlan1 overload

Harry Totterbottom fucked around with this message at 15:16 on Jun 28, 2010

Bardlebee
Feb 24, 2009

Im Blind.

Harry Totterbottom posted:

sh xlate

This should show if you're getting translations or not.

Also
ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113

That will only translate tcp, ping is icmp.

I don't think I really need any static; can I kill this line?

EDIT: Killing the Vlan inside line won't stop my NAT? I'll try both and get back to you on this. Thanks!

Harry Totterbottom
Dec 19, 2008

Bardlebee posted:

I don't think I really need any static; can I kill this line?

EDIT: Killing the Vlan inside line won't stop my NAT? I'll try both and get back to you on this. Thanks!

You're not killing the Vlan inside line, you're killing the nat line that says use VLAN1 as your nat IP address.

You're leaving
ip nat inside source list 102 interface FastEthernet0 overload

So that's saying the inside source list 102 will use interface FEth0 as the address that is translated to in overload mode.

The line above it (that you'll remove) says
nat the inside source list 1 and use interface VLAN1 as the address that is translated to in overload. Which is basically saying take IPs in access list 1 (which is the IP range in VLAN1) and NAT them using the IPs in VLAN1.

Harry Totterbottom
Dec 19, 2008

Bardlebee posted:

I don't think I really need any static; can I kill this line?

EDIT: Killing the Vlan inside line won't stop my NAT? I'll try both and get back to you on this. Thanks!

Yes kill that line, you snuck in before my edits.

so

no ip nat inside source list 1 interface Vlan1 overload
no ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113

then attempt to send traffic across the wire

show xlate

You should then see stuff in that table.

Bardlebee
Feb 24, 2009

Im Blind.

Harry Totterbottom posted:

Yes kill that line, you snuck in before my edits.

so

no ip nat inside source list 1 interface Vlan1 overload
no ip nat inside source static tcp 192.168.2.1 6113 interface FastEthernet0 6113

then attempt to send traffic across the wire

show xlate

You should then see stuff in that table.

Oh ok, thanks for clearing that up. Will show xlate only work when it's connected to the wire?

I cannot test it until early morning tomorrow, and it does not recognize show xlate (nor does it have a command for it when I ? it)... the commands I get from x? are: x25, x28, x29, xconnect, and xsm.

I'll let you know what I find.

ior
Nov 21, 2003

What's a fuckass?

Bardlebee posted:

Oh ok, thanks for clearing that up. Will show xlate only work when it's connected to the wire?

I cannot test it until early morning tomorrow, and it does not recognize show xlate (nor does it have a command for it when I ? it)... the commands I get from x? are: x25, x28, x29, xconnect, and xsm.

I'll let you know what I find.

show xlate is for pix / ASA, you want show ip nat trans

Harry Totterbottom
Dec 19, 2008

ior posted:

show xlate is for pix / ASA, you want show ip nat trans

Doh, right here. I'm only doing nat on my firewalls so I forgot to check the syntax difference.

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread
Say I have some internal hosts that need temporary RDP access from outside. I have two spare public IP addresses. Will this snippet work on the ASA?

Does the access-list need to know the port numbers for the public IP addresses I'm using (33891, 33892, 33893), or does it only care about the destination ports?

code:
object-group service rdp-services tcp
 description Temp RDP services
 port-object eq 3389

object-group network rdp-hosts
 description Temp RDP hosts
 network-object host HOST1_PUBLIC_IP
 network-object host HOST2_PUBLIC_IP
  
access-list outside_access_in extended permit tcp any object-group rdp-hosts object-group rdp-services

static (inside,outside) tcp HOST1_PUBLIC_IP 3389 HOST_A_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33891 HOST_B_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33892 HOST_C_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33893 HOST_D_PRIVATE_IP 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

On the router we used to have I would just write a whole bunch of "ip nat inside source static...." statements but the ASA is different.

Bardlebee
Feb 24, 2009

Im Blind.

Harry Totterbottom posted:

Doh, right here. I'm only doing nat on my firewalls so I forgot to check the syntax difference.

Thanks for the help!

Finally got NAT to work and I was able to reach out. Most of all I learned a little in the process! I will be doing the final step which is doing the five VPN's we have, they're pretty basic so I am going to give it a shot.

Harry Totterbottom
Dec 19, 2008

Bardlebee posted:

Thanks for the help!

Finally got NAT to work and I was able to reach out. Most of all I learned a little in the process! I will be doing the final step which is doing the five VPN's we have, they're pretty basic so I am going to give it a shot.

:cool::hf::cool:

Glad it worked.

Richard Noggin
Jun 6, 2005
Redneck By Default

ozmunkeh posted:

Say I have some internal hosts that need temporary RDP access from outside. I have two spare public IP addresses. Will this snippet work on the ASA?

Does the access-list need to know the port numbers for the public IP addresses I'm using (33891, 33892, 33893), or does it only care about the destination ports?

code:
object-group service rdp-services tcp
 description Temp RDP services
 port-object eq 3389

object-group network rdp-hosts
 description Temp RDP hosts
 network-object host HOST1_PUBLIC_IP
 network-object host HOST2_PUBLIC_IP
  
access-list outside_access_in extended permit tcp any object-group rdp-hosts object-group rdp-services

static (inside,outside) tcp HOST1_PUBLIC_IP 3389 HOST_A_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33891 HOST_B_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33892 HOST_C_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33893 HOST_D_PRIVATE_IP 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside

On the router we used to have I would just write a whole bunch of "ip nat inside source static...." statements but the ASA is different.


You'll need to specify all the mapped addresses in the ACL or object-group. NAT is applied only if traffic matches an ACL entry.

code:
object-group service rdp-services tcp
 description Temp RDP services
 port-object eq 3389
 port-object eq 33891
 ...
 port-object eq 33893
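An added config check for the point in this reply (not code from either poster): it reads the posted snippet, works out which mapped address/port pairs the `static` lines create, and reports the ones the ACL's object-groups would not permit, before and after the extra `port-object` lines are added. The config text is a constructed copy of the snippet with the poster's placeholder names kept as written.

```python
import re

# Constructed copy of the snippet posted in this thread; the poster's
# placeholder names are kept as-is. Only tcp statics and object-groups matter.
POSTED_CONFIG = """\
object-group service rdp-services tcp
 description Temp RDP services
 port-object eq 3389

object-group network rdp-hosts
 description Temp RDP hosts
 network-object host HOST1_PUBLIC_IP
 network-object host HOST2_PUBLIC_IP

access-list outside_access_in extended permit tcp any object-group rdp-hosts object-group rdp-services

static (inside,outside) tcp HOST1_PUBLIC_IP 3389 HOST_A_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33891 HOST_B_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33892 HOST_C_PRIVATE_IP 3389 netmask 255.255.255.255
static (inside,outside) tcp HOST2_PUBLIC_IP 33893 HOST_D_PRIVATE_IP 3389 netmask 255.255.255.255

access-group outside_access_in in interface outside
"""

# The same config with the reply's fix applied: the mapped ports join the group.
FIXED_CONFIG = POSTED_CONFIG.replace(
    " port-object eq 3389\n",
    " port-object eq 3389\n port-object eq 33891\n"
    " port-object eq 33892\n port-object eq 33893\n", 1)

STATIC_RE = re.compile(
    r"^static \(\w+,\w+\) tcp (\S+) (\d+) (\S+) (\d+) netmask \S+$")
MEMBER_RE = re.compile(r"^ (?:port-object eq|network-object host) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit tcp any "
                    r"object-group (\S+) object-group (\S+)$")


def parse_statics(config_text):
    """[(mapped_ip, mapped_port, real_ip, real_port)] for every tcp static."""
    statics = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(m.groups())
    return statics


def parse_object_group(config_text, kind, name):
    """Members of `object-group <kind> <name>`: host addresses or `eq` ports (as strings)."""
    members, inside = set(), False
    for line in config_text.splitlines():
        if line.startswith("object-group "):
            parts = line.split()
            inside = parts[1] == kind and parts[2] == name
        elif inside:
            m = MEMBER_RE.match(line)
            if m:
                members.add(m.group(1))
            elif line and not line.startswith(" "):
                inside = False      # next top-level statement ends the group
    return members


def acl_gaps(config_text):
    """Mapped (public_ip, port) pairs that no ACL line's object-groups cover.

    With this (pre-8.3 style) ASA config the outside ACL is evaluated against
    the mapped address and port, so a static whose mapped port is missing from
    the service group is never reached, which is the reply's point.
    """
    rules = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            _, hosts_group, services_group = m.groups()
            rules.append((parse_object_group(config_text, "network", hosts_group),
                          parse_object_group(config_text, "service", services_group)))
    gaps = set()
    for mapped_ip, mapped_port, _, _ in parse_statics(config_text):
        if not any(mapped_ip in hosts and mapped_port in ports for hosts, ports in rules):
            gaps.add((mapped_ip, mapped_port))
    return sorted(gaps)


if __name__ == "__main__":
    print("as posted:", acl_gaps(POSTED_CONFIG))
    print("after fix:", acl_gaps(FIXED_CONFIG))
```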

ozmunkeh
Feb 28, 2008

hey guys what is happening in this thread
Actually, yes, that makes total sense. Thanks!

n0tqu1tesane
May 7, 2003

She was rubbing her ass all over my hands. They don't just do that for everyone.
Grimey Drawer
Is there any way to specify which phones will fall into SRST mode on CallManager or the local router? We've got several sites with 2821s and more than 50 phones, and want to specify which phones will fall into SRST modes, and which phones just won't work.

Any ideas?

EDIT: CallManager 7.1 and Cisco IOS Software, 2800 Software (C2800NM-SPSERVICESK9-M), Version 12.4(13a), RELEASE SOFTWARE (fc1)

n0tqu1tesane fucked around with this message at 22:20 on Jun 29, 2010

Bardlebee
Feb 24, 2009

Im Blind.
So I took a few days to research the topic of setting up a VPN, however I think I might be over my head as I am just a CCENT currently. :(

Here are the images of the two routers currently in place.

Main ROUTER being replaced by my Cisco 1811

[image, 1280x800]

Router I want to VPN to

[image, 1280x800]

I found this site HERE

Which is informative, yet doesn't help in the sense that my setup could be dramatically different. My question is, it seems that I am currently using DES3 encryption. My authentication is Secret and my password is: password (not my real password)

I guess really the part I am confused on is how to setup my crypto commands and how NAT complicates this process.

Router1 LAN: 192.168.2.0
Router1 Outside: 111.111.111.111

Router2 LAN: 192.168.11.0
Router2 Outside: 222.222.222.222 Sorry for the excess :words:


EDIT: Some things I was going to try here:

crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group 3000client
key password
pool ippool

Bardlebee fucked around with this message at 17:52 on Jun 30, 2010

jwh
Jun 12, 2002

I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward.

We may even have some posted in this thread, somewhere.

Bardlebee
Feb 24, 2009

Im Blind.

jwh posted:

I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward.

We may even have some posted in this thread, somewhere.

Looking up info on DMVPN, it's basically what it's named: dynamic VPNs, meaning that I don't have to adjust the 'spoke' router (i.e. the 1811 I am implementing) if I change an IP address in another site? Or is it just when I add a VPN at another site?

This sounds interesting, if not complicated. I would be interested in this, however I do not know where to start. I am having trouble just getting started and learning VPN as it is. :)

I think I will have to watch some videos for it.

EDIT: Also, would it matter that the other five satellite sites are NOT Cisco routers and are indeed lovely retail VPN routers?

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

I think you should consider doing DMVPN. I can get you some skeletal configurations, if you like. Or you can Google them, they're pretty straightforward.

We may even have some posted in this thread, somewhere.

I think I may have even posted them. If not I can post some configs tomorrow.

some kinda jackal
Feb 25, 2003

 
 
As an aside, is VPN done in-depth anywhere in the CCNP or is that more of a CCNA Security thing?

ate shit on live tv
Feb 15, 2004

by Azathoth
The concept of security certificates etc is introduced on the (now defunct) ISCW exam. But not super in depth, I have no idea why it isn't covered in more depth honestly. Even Tunneling is only covered a little on the BSCI.


Harry Totterbottom
Dec 19, 2008

Powercrazy posted:

The concept of security certificates etc is introduced on the (now defunct) ISCW exam. But not super in depth, I have no idea why it isn't covered in more depth honestly. Even Tunneling is only covered a little on the BSCI.

There's a GRE tunnel on the Tshoot topology, but I think the biggest thing that is ever mentioned is just making sure that your crypto maps match.
