- Langolas
- Feb 12, 2011
My mustache makes me sexy, not the hat
BelDin posted:
Are you talking about dual homing the servers, or the FEX?
If you're not planning on pushing more than 10Gb to the core and don't need L3 to the servers, you can try what I'm planning and get a pair of 3560s or better running IP Base and redundant power supplies for an EIGRP stub switch. You can get a good level of IP gateway reliability through HSRP, and your convergence time can be tweaked to acceptable for most use.
Either that, or stack/chassis and portchannel to the core over a couple of switches. Unless you have an obscene amount of ACLs you should be able to push quite a bit of traffic with a smaller switch depending on the traffic levels you need to move. Our big goal was traffic increases in the server room, not out to the client network.
Dual homing servers and FEX. We will be doing both, but the way we want to dual home the servers requires us to have more than 96 etherchannels. From what we read on the configuration of the 2k's plugged into a 5k or 7k, you have to create etherchannels there as well. Pretty much, to make our plan for redundancy work, we need 7ks to be our core and then use 5ks for our 10Gb servers and a few high-priority 1Gb servers.
Oct 27, 2011 07:21
- bad boys for life
- Jun 6, 2003
by sebmojo
Anyone know if there is a way to deploy configurations from a term server over the lines? I have a large lab at work and it would be nice if I could just copy all the various configurations to the term serv and deploy them from there.
I would use a server, but people screw up the configs so badly that it always loses connectivity to it and ftp/tftp fails.
Oct 27, 2011 14:39
- Zuhzuhzombie!!
- Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
Bringing up this old nugget once again.
code:
policy-map police-400mb
 class access-match
  police cir 420000000 bc 1500000 be 3100000 conform-action transmit exceed-action drop violate-action drop
Applying this inbound/outbound on an interface. The CIR notation is in bits and is roughly 400mb. The other two notations are in bytes.
Am I correct in assuming that the first bucket (BC) is their burst rate allowing them X amount of bandwidth as long as the packet is below 1500000, and if it's above that threshold, that packet is dropped into the second bucket, and if it's above THAT threshold, it's dropped completely?
Oct 27, 2011 15:13
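Added example, not from the thread: a simulation of the single-rate three-colour policer (RFC 2697) that the posted `police cir ... bc ... be ...` line with conform/exceed/violate actions expresses. The CIR, Bc and Be values are the ones from the policy-map above; the packet size, line rate and packet counts are assumed. It shows that Bc and Be are bucket depths in bytes, refilled at CIR, not per-packet size thresholds, and that with both exceed-action and violate-action set to drop the Be bucket changes nothing observable. As jwh says below, ASIC platforms such as the 3750 and 6500 implement policing with their own restrictions; this is the reference model, not an emulation of either box.

```python
"""Single-rate three-colour policer (RFC 2697) simulation.

Added example, not from the thread.  Two byte-denominated token buckets,
Bc (conform) and Be (exceed), both refilled at CIR; Be is fed only by
Bc overflow.  Platform ASICs implement this differently; this is the
reference model the MQC syntax describes.
"""
from fractions import Fraction

CIR_BPS = 420_000_000          # values from the posted policy-map
BC_BYTES = 1_500_000
BE_BYTES = 3_100_000
ACTION = {"conform": "transmit", "exceed": "drop", "violate": "drop"}  # as posted


class SrTcmPolicer:
    def __init__(self, cir_bps=CIR_BPS, bc=BC_BYTES, be=BE_BYTES):
        self.cir_bps, self.bc, self.be = cir_bps, bc, be
        self.tc = Fraction(bc)         # buckets start full
        self.te = Fraction(be)
        self.last_ns = 0

    def _refill(self, now_ns):
        # bytes earned since the previous packet, exact arithmetic
        earned = Fraction((now_ns - self.last_ns) * self.cir_bps, 8 * 10**9)
        self.last_ns = now_ns
        self.tc += earned
        if self.tc > self.bc:          # Bc full: overflow feeds Be
            self.te = min(self.be, self.te + (self.tc - self.bc))
            self.tc = Fraction(self.bc)

    def meter(self, now_ns, size):
        self._refill(now_ns)
        if self.tc >= size:
            self.tc -= size
            return "conform"
        if self.te >= size:
            self.te -= size
            return "exceed"
        return "violate"


def run(arrivals_ns, pkt_size=1500, policer=None):
    """Meter one packet of pkt_size bytes per arrival time; return colour counts."""
    p = policer or SrTcmPolicer()
    counts = {"conform": 0, "exceed": 0, "violate": 0}
    for t in arrivals_ns:
        counts[p.meter(t, pkt_size)] += 1
    return counts


def instant_burst(count, pkt_size=1500):
    """All packets at t=0: colours come purely from the bucket depths."""
    return run([0] * count, pkt_size)


def line_rate_burst(count, pkt_size=1500, rate_bps=1_000_000_000):
    """Back-to-back packets at rate_bps (assumed 1 Gb/s line rate).

    Bc drains at (rate - CIR) bytes/s, then conform settles at CIR/rate
    of the packets while Be drains; after that everything else violates.
    """
    gap_ns = pkt_size * 8 * 10**9 // rate_bps
    return run([i * gap_ns for i in range(count)], pkt_size)


def transmitted_bytes(counts, pkt_size=1500, action=ACTION):
    """Bytes that leave the interface under the posted conform/exceed/violate actions."""
    return sum(n * pkt_size for colour, n in counts.items() if action[colour] == "transmit")


if __name__ == "__main__":
    print("instant burst of 5000 x 1500 B:", instant_burst(5000))
    print("10000 x 1500 B at 1 Gb/s:     ", line_rate_burst(10000))
```

A 5000-packet burst at t=0 comes out as 1000 conform (1,500,000 / 1500), 2066 exceed (3,100,000 / 1500, rounded down) and 1934 violate; with exceed-action drop the second number is just more drops, and changing `ACTION["exceed"]` to `"transmit"` is what would make Be matter.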
- H.R. Paperstacks
- May 1, 2006
This is America
My president is black
and my Lambo is blue
workape posted:
If you don't come here a lot and are looking for things to do/eat/see let me know.
FAB2 is getting a good look from me right now, but honestly we are barely scratching the surface of what our 7k's can do today. I've budgeted and included them in my 2012 budget/roadmap, but unless the server/storage teams really step up their requirements I doubt I'll be making that move.
I am going to be up there on and off between now and Feb. standing everything up, so a list of the hot spots would be great, just toss it in a PM if you can.
I don't think we'll push the Juniper EX line we got as hard as they are anticipating, but we will see. We mainly move data via quad-band infiniband anyway, so the 10GbE stuff is mainly for WAN provider and other data applications, but we only tech refresh every 3 years, so I wanted to go big now in case something happened next year and I was ready. I was really impressed by the new Nexus stuff, the timing just wasn't right when it comes to government purchasing. Having two hot-sites completely different vendors at the core would make for a management nightmare for me.
Oct 27, 2011 15:56
- jwh
- Jun 12, 2002
Zuhzuhzombie!! posted:
Bringing up this old nugget once again.
Applying this inbound/outbound on an interface. The CIR notation is in bits and is roughly 400mb. The other two notations are in bytes.
Am I correct in assuming that the first bucket (BC) is their burst rate allowing them X amount of bandwidth as long as the packet is below 1500000, and if it's above that threshold, that packet is dropped into the second bucket, and if it's above THAT threshold, it's dropped completely?
What platform are you policing on? There are often platform specific caveats with respect to policing.
Similarly, the MQC shaping syntax is a little easier to work with (although that may or may not be an option for you).
Oct 27, 2011 16:01
- Zuhzuhzombie!!
- Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
jwh posted:
What platform are you policing on? There are often platform specific caveats with respect to policing.
Similarly, the MQC shaping syntax is a little easier to work with (although that may or may not be an option for you).
This is usually on Cisco 3750s. We also have these setup on two 6500s.
Oct 27, 2011 16:09
- jwh
- Jun 12, 2002
I thought the 3750 and 3750-Es had some real restrictions when egress policing, is that not true?
Oct 27, 2011 16:45
- Zuhzuhzombie!!
- Apr 17, 2008
FACTS ARE A CONSPIRACY BY THE CAPITALIST OPRESSOR
jwh posted:
I thought the 3750 and 3750-Es had some real restrictions when egress policing- is that not true?
That's what I've read and is the reason I'm going back and looking over our policy maps. These were set up by an admin who is long gone.
I found this thread
https://learningnetwork.cisco.com/thread/12837
But there's not much information beyond the OP.
However, I've read that a rate limit provision on the interface itself is what will not work on 3750s, but an overall policing policy map will.
Zuhzuhzombie!! fucked around with this message at 16:59 on Oct 27, 2011
Oct 27, 2011 16:57
- Tremblay
- Oct 8, 2002
More dog whistles than a Petco
ior posted:
Cisco security manager!
Dude!
Oct 27, 2011 17:00
- tortilla_chip
- Jun 13, 2007
k-partite
You can give Capirca a try.
http://code.google.com/p/capirca/
Oct 28, 2011 01:53
- ate shit on live tv
- Feb 15, 2004
by Azathoth
ruro posted:
Haha, seems way too much for what I need. All I need to do is manage ~20 odd ACLs, but the catch is that several of them are on between 500 and 1000 devices and updating them is irritating.
Write a script that automatically updates each device. Also I think Rancid/Cacti can do it too.
Oct 28, 2011 05:46
- H.R. Paperstacks
- May 1, 2006
This is America
My president is black
and my Lambo is blue
Powercrazy posted:
Write a script that automatically updates each device. Also I think Rancid/Cacti can do it too.
RANCID will for sure.
Oct 28, 2011 11:53
- inignot
- Sep 1, 2003
WWBCD?
NetMRI is a good management platform for a lot of things (not free).
There's some bash command line stuff you can do with the config directory in rancid also.
grep -h "access-list 101" * | sort | uniq -c | sort -rn
Something like that will take all the acl 101 lines from all the config files and ultimately output how many occurrences of each line there are. Optimally you would have all lines with the same count if all the configs are the same. More likely than not you'll be able to tell (roughly) what lines aren't conformed across the network or which oddball lines are on a small number of devices based on the counts.
Oct 28, 2011 12:51
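Added example, not from the thread: the same count the grep | sort | uniq -c one-liner above gives, done in Python over a constructed set of RANCID-style configs, plus the thing the one-liner cannot do, an order-sensitive comparison of each device's ACL against the most common version. Device names, hostnames and ACL contents are made up; `101` is the ACL number used in the post.

```python
"""ACL drift across a RANCID config directory.

Added example, not from the thread.  CONFIGS stands in for the files
under rancid's config directory (constructed, four devices).
"""
import re
from collections import Counter

CONFIGS = {
    "core-1": """\
hostname core-1
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 22
access-list 101 permit ip any any
""",
    "core-2": """\
hostname core-2
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 22
access-list 101 permit ip any any
""",
    "edge-7": """\
hostname edge-7
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
""",
    "edge-9": """\
hostname edge-9
access-list 101 permit ip any any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 permit tcp any host 192.0.2.10 eq 22
""",
}

ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+(.+)$")


def acl_entries(config_text, acl_id):
    """Entries of acl_id in config order, whitespace-normalised."""
    out = []
    for line in config_text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and m.group(1) == acl_id:
            out.append(re.sub(r"\s+", " ", m.group(2)).strip())
    return out


def entry_counts(configs, acl_id):
    """Same information as: grep -h 'access-list 101' * | sort | uniq -c"""
    counts = Counter()
    for text in configs.values():
        counts.update(acl_entries(text, acl_id))
    return counts


def drift_report(configs, acl_id):
    """Compare every device's ACL, in order, against the most common version."""
    per_device = {d: tuple(acl_entries(t, acl_id)) for d, t in configs.items()}
    baseline, _ = Counter(per_device.values()).most_common(1)[0]
    report = {}
    for device, acl in per_device.items():
        if acl == baseline:
            continue
        missing = [e for e in baseline if e not in acl]
        extra = [e for e in acl if e not in baseline]
        # same lines in a different order: invisible to sort | uniq
        report[device] = {"missing": missing, "extra": extra,
                          "reordered": not missing and not extra}
    return baseline, report


def unreachable_entries(acl):
    """Entries after a 'permit ip any any' or 'deny ip any any' can never match."""
    for i, entry in enumerate(acl):
        if entry in ("permit ip any any", "deny ip any any"):
            return list(acl[i + 1:])
    return []


if __name__ == "__main__":
    for entry, n in entry_counts(CONFIGS, "101").most_common():
        print(f"{n:4d}  {entry}")
    baseline, report = drift_report(CONFIGS, "101")
    for device, diff in report.items():
        print(device, diff, "dead:", unreachable_entries(acl_entries(CONFIGS[device], "101")))
```

In the constructed data edge-7 is missing a line, which the counts show, and edge-9 has the same three lines with `permit ip any any` moved to the top, which the counts cannot show but which turns its deny into dead configuration.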
- Bardlebee
- Feb 24, 2009
Im Blind.
So I am going to be working on a lot of cool load balancer stuff. Does anyone have any recommendation on books as far as F5 Load Balancers? Or is the O'Reilly book on load balancing sort of the only thing out right now?
Nov 1, 2011 16:45
- workape
- Jul 23, 2002
Bardlebee posted:
So I am going to be working on a lot of cool load balancer stuff. Does anyone have any recommendation on books as far as F5 Load Balancers? Or is the O'Reilly book on load balancing sort of the only thing out right now?
Are you looking for basics of operation or are you looking into some scripting/iRules work?
Nov 1, 2011 17:15
- Bardlebee
- Feb 24, 2009
Im Blind.
workape posted:
Are you looking for basics of operation or are you looking into some scripting/iRules work?
Basics, I am just starting out with it. As in I am in training and I want to get ahead of the curve.
Nov 1, 2011 17:18
- Mierdaan
- Sep 14, 2004
Pillbug
So I'm trying to get a new ESXi host set up correctly for VGT, since we aren't using it at all on our other hosts. AFAIK that means I have to set up a trunk port for the ESXi host and then do the VMware stuff later, which I'm fine with.
My problem right now is that as soon as I set the VLAN ID in the ESXi console for the management network, it drops out. I want the host itself on VLAN 20, but I want it to be able to host VMs that exist on VLANs 5, 10 and 20. Relevant config portions from the 2960G:
code:
version 12.2
!
interface GigabitEthernet0/17
switchport trunk native vlan 20
switchport trunk allowed vlan 5,10,20
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet0/18
switchport trunk native vlan 20
switchport trunk allowed vlan 5,10,20
switchport mode trunk
switchport nonegotiate
<snip>
!
interface Vlan1
no ip address
no ip route-cache
shutdown
!
interface Vlan5
ip address 10.10.2.13 255.255.255.0
no ip route-cache
!
interface Vlan10
no ip address
ip helper-address 10.10.1.150
no ip route-cache
!
Again, if I don't assign a VLAN in the ESXi management console, works fine, so I assume I'm retarded and have done something stupid with the cisco config above.
Nov 1, 2011 18:40
- ate shit on live tv
- Feb 15, 2004
by Azathoth
I assume you are setting the ESXi host VLAN ID to 20? Thus it expects VLAN 20 to be tagged. However you have set 20 as the native (untagged) VLAN and thus the host is receiving an untagged VLAN, but expecting a tagged VLAN 20. Set your native VLAN to 1 and give it a try.
Alternatively make sure that you are forming a dot1q trunk with the switch trunk, sh int tru, and debug that way.
Oh also you have two SVIs on a 2960G, a layer 2 switch. Both of those IPs will not be active at the same time.
Nov 1, 2011 18:45
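Added example, not from the thread: a byte-level model of what the trunk does with the native VLAN and how an ESXi port's VLAN ID (0 = untagged only, 1 to 4094 = one tag, 4095 = VGT pass-through) matches it, using the VLAN numbers from the 2960G config above. The MAC addresses and payload are made up. One caveat a practitioner would add to the "native vlan 1" fix: the native VLAN is the one VLAN the trunk carries untagged, so it is safer to point it at an unused VLAN than at VLAN 1, or to tag it as well with `vlan dot1q tag native` on Catalyst platforms that support it.

```python
"""802.1Q tagging on a trunk versus the ESXi port VLAN ID.

Added example, not from the thread.  Models 'switchport trunk native
vlan N' / 'switchport trunk allowed vlan ...' on the switch side and a
vSwitch port group or vmkernel port with VLAN ID 0, 1-4094 or 4095.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800
DST_MAC = bytes.fromhex("001122334455")   # constructed
SRC_MAC = bytes.fromhex("66778899aabb")   # constructed
PAYLOAD = b"\x45" + b"\x00" * 19          # constructed stand-in for an IPv4 header


def trunk_egress(vlan: int, native_vlan: int, allowed, payload: bytes = PAYLOAD) -> Optional[bytes]:
    """Frame for `vlan` as it leaves a Catalyst trunk port.

    VLANs outside `allowed` are pruned; the native VLAN leaves untagged;
    everything else carries an 802.1Q tag.
    """
    if vlan not in allowed:
        return None
    if vlan == native_vlan:
        return DST_MAC + SRC_MAC + struct.pack("!H", ETH_IPV4) + payload
    tci = (0 << 13) | (0 << 12) | (vlan & 0x0FFF)          # PCP=0, DEI=0, VID
    return DST_MAC + SRC_MAC + struct.pack("!HHH", TPID_8021Q, tci, ETH_IPV4) + payload


def frame_vid(frame: bytes) -> Optional[int]:
    """VID from the 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def esxi_port_accepts(frame: bytes, port_vlan_id: int) -> bool:
    """vSwitch port group / vmkernel VLAN ID semantics."""
    vid = frame_vid(frame)
    if port_vlan_id == 0:          # EST: no tagging, untagged frames only
        return vid is None
    if port_vlan_id == 4095:       # VGT: every frame passed through, tags intact
        return True
    return vid == port_vlan_id     # VST: accept exactly that tag and strip it


def management_reachable(native_vlan: int, mgmt_vlan_id: int, allowed=frozenset({5, 10, 20})) -> bool:
    """Does vmk0 set to VLAN ID mgmt_vlan_id receive the VLAN 20 traffic the trunk sends?"""
    frame = trunk_egress(20, native_vlan, allowed)
    return frame is not None and esxi_port_accepts(frame, mgmt_vlan_id)


if __name__ == "__main__":
    print("native 20, vmk VLAN 20:", management_reachable(20, 20))   # the posted config
    print("native 1,  vmk VLAN 20:", management_reachable(1, 20))    # the suggested fix
    print("native 20, vmk VLAN 0: ", management_reachable(20, 0))    # leave the vmk untagged instead
```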
- Mierdaan
- Sep 14, 2004
Pillbug
Powercrazy posted:
I assume you are setting the ESXi host VLAN ID to 20? Thus it expects VLAN 20 to be tagged. However you have set 20 as the native (untagged) VLAN and thus the host is receiving an untagged VLAN, but expecting a tagged VLAN 20. Set your native VLAN to 1 and give it a try.
Alternatively make sure that you are forming a dot1q trunk with the switch trunk, sh int tru, and debug that way.
Oh also you have two SVIs on a 2960G, a layer 2 switch. Both of those IPs will not be active at the same time.
Thanks, that works great. I guess I was thinking of the ESXi management console's VLAN ID as the native vlan of a trunk.
As far as the SVI, yeah that second one was only created to try and get an ip-helper address onto that vlan for wireless clients, which I think I ended up doing later in our 4402WLC's config, so it can probably just be removed.
Nov 1, 2011 19:51
- Mierdaan
- Sep 14, 2004
Pillbug
Not strictly a Cisco question, but:
For a long time we've just had one VLAN with DHCP clients on it, so we put an ip-helper address in that VLAN and DHCPDISCOVER messages make it to our Microsoft DHCP server just fine.
Now we add another VLAN and want to centralize the DHCP service. So we can use the same ip-helper address in the new VLAN, and the DHCP server should be able to recognize that they came from different relay agents, but I'm not sure how you can associate a DHCP scope with a given relay agent. I must be missing something stupid, this has to be the most common issue ever.
Nov 3, 2011 21:34
- ate shit on live tv
- Feb 15, 2004
by Azathoth
If you have two networks say 10.0.1.0/24 and 10.0.2.0/24 then the DHCP server will have two scopes. The router of the two networks will be the source of the unicasted DHCP request, then based on the source of that request, say 10.0.1.1 vs 10.0.2.1 the DHCP server will know which scope to assign.
Nov 3, 2011 21:42
- Tremblay
- Oct 8, 2002
More dog whistles than a Petco
Mierdaan posted:
Not strictly a Cisco question, but:
For a long time we've just had one VLAN with DHCP clients on it, so we put an ip-helper address in that VLAN and DHCPDISCOVER messages make it to our Microsoft DHCP server just fine.
Now we add another VLAN and want to centralize the DHCP service. So we can use the same ip-helper address in the new VLAN, and the DHCP server should be able to recognize that they came from different relay agents, but I'm not sure how you can associate a DHCP scope with a given relay agent. I must be missing something stupid, this has to be the most common issue ever.
IIRC, the DHCP server will allocate an address out of the scope that contains the IP address located in the giaddr field of the DHCP message. The giaddr field is populated with the IP address of the relay agent. Since DHCP relay agents are configured on a per VLAN basis, that IP should match the IP address of the SVI.
Edit: thats what I get for watching Southpark, cooking lunch and posting at the same time.
Edit2: by contains I mean within the same subnet.
Tremblay fucked around with this message at 22:06 on Nov 3, 2011
Nov 3, 2011 22:03
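Added example, not from the thread: the relay step and the giaddr-based scope selection described above, at the byte level. The scopes are constructed, the server address is assumed to be 10.10.1.150 (the helper address in the 2960G config earlier in the thread) and the client MAC is made up.

```python
"""DHCP relay (giaddr) and scope selection.

Added example, not from the thread.  The relay agent (the SVI carrying
'ip helper-address') writes its own address into giaddr, bytes 24-27
of the BOOTP header, and unicasts the DISCOVER to the server; the
server picks the scope whose subnet contains giaddr.
"""
import ipaddress
import struct
from typing import Optional

MAGIC = b"\x63\x82\x53\x63"

# Constructed scopes: one per client VLAN plus the server's own segment.
SCOPES = {
    ipaddress.ip_network("10.0.1.0/24"): ("10.0.1.50", "10.0.1.250"),
    ipaddress.ip_network("10.0.2.0/24"): ("10.0.2.50", "10.0.2.250"),
    ipaddress.ip_network("10.10.1.0/24"): ("10.10.1.50", "10.10.1.250"),
}
# Assumed: the server sits at the helper address from the 2960G config.
SERVER_IFACE = ipaddress.ip_interface("10.10.1.150/24")


def build_discover(chaddr: bytes, xid: int = 0x3903F326) -> bytes:
    """A minimal DHCPDISCOVER as the client sends it: giaddr 0.0.0.0, hops 0."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                     # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                 # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    return fixed + MAGIC + b"\x35\x01\x01" + b"\xff"   # option 53 = DISCOVER, end option


def relay(pkt: bytes, svi_ip: str) -> bytes:
    """What 'ip helper-address' on the SVI does before unicasting to the server."""
    hops = pkt[3] + 1
    # a relay closer to the client already set giaddr: keep it (RFC 1542)
    giaddr = pkt[24:28] if pkt[24:28] != b"\0\0\0\0" else ipaddress.ip_address(svi_ip).packed
    return pkt[:3] + bytes([hops]) + pkt[4:24] + giaddr + pkt[28:]


def giaddr_of(pkt: bytes) -> str:
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    return str(ipaddress.ip_address(pkt[24:28]))


def select_scope(pkt: bytes, server_iface=SERVER_IFACE) -> Optional[str]:
    """Scope containing giaddr; a directly attached client (giaddr 0) gets the server's own subnet."""
    giaddr = ipaddress.ip_address(giaddr_of(pkt))
    anchor = server_iface.ip if int(giaddr) == 0 else giaddr
    for net in SCOPES:
        if anchor in net:
            return str(net)
    return None


if __name__ == "__main__":
    mac = bytes.fromhex("deadbeef0001")                    # constructed
    relayed = relay(build_discover(mac), "10.0.2.1")       # SVI of the new VLAN
    print(giaddr_of(relayed), "->", select_scope(relayed))
    print("direct ->", select_scope(build_discover(mac)))
```

The server takes giaddr at face value, so anything that can hand it a DHCP packet with a forged giaddr can draw leases from another scope; DHCP snooping on the access ports, which drops client-side DHCP packets carrying a non-zero giaddr, is the usual guard.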
- Mierdaan
- Sep 14, 2004
Pillbug
Oh okay, I thought you had to match up the giaddr and the scope manually. Figures that I would try to make something harder than it is. Thanks dudes.
Nov 3, 2011 22:57
- bizwank
- Oct 4, 2002
We have an ASA5505 that's supposed to be hosting an IPsec point-to-point tunnel but it isn't coming up (trying to connect from a remote Windows server); a consultant set this up Friday but couldn't test it at the time, and I can't get a hold of him. I know nothing about Ciscos except what I've learned over the last 12 hours; does anyone see any obvious issues in our config? aa.aa.aa.aa is the Cisco, bb.bb.bb.bb is the Windows server.
code:
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name foo.com
enable password xxxxxxx encrypted
passwd xxxxxx encrypted
names
name bb.bb.bb.bb Win2008Server
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address aa.aa.aa.aa 255.255.255.0
!
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.5.20
domain-name foo.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RDP tcp
port-object eq 3389
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 host Win2008Server
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 host Win2008Server
access-list outside_access_in extended permit udp any interface outside eq 6114
access-list outside_access_in extended permit udp any interface outside eq 6112
access-list outside_access_in extended permit udp any interface outside eq 6110
access-list outside_access_in extended permit udp any interface outside eq 6108
access-list outside_access_in extended permit udp any interface outside eq 6106
access-list outside_access_in extended permit udp any interface outside eq 6104
access-list outside_access_in extended permit udp any interface outside eq 6102
access-list outside_access_in extended permit udp any interface outside eq 6100
access-list outside_access_in extended permit udp any interface outside eq sip
access-list outside_access_in extended permit tcp any interface outside eq 2222
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 2222 192.168.5.20 2222 netmask 255.255.255.255
static (inside,outside) udp interface sip 192.168.5.10 sip netmask 255.255.255.255
static (inside,outside) udp interface 6100 192.168.5.10 6100 netmask 255.255.255.255
static (inside,outside) udp interface 6102 192.168.5.10 6102 netmask 255.255.255.255
static (inside,outside) udp interface 6104 192.168.5.10 6104 netmask 255.255.255.255
static (inside,outside) udp interface 6106 192.168.5.10 6106 netmask 255.255.255.255
static (inside,outside) udp interface 6108 192.168.5.10 6108 netmask 255.255.255.255
static (inside,outside) udp interface 6110 192.168.5.10 6110 netmask 255.255.255.255
static (inside,outside) udp interface 6112 192.168.5.10 6112 netmask 255.255.255.255
static (inside,outside) udp interface 6114 192.168.5.10 6114 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 aa.aa.aa.aa 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer Win2008Server
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
crl configure
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca
quit
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 192.168.5.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 10
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
group-policy DfltGrpPolicy attributes
tunnel-group bb.bb.bb.bb type ipsec-l2l
tunnel-group bb.bb.bb.bb ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
service call-home
call-home reporting anonymous
call-home
contact-email-addr [email]bizwank@foo.com[/email]
profile CiscoTAC-1
destination address http [url]https://tools.cisco.com/its/service/oddce/services/DDCEService[/url]
destination address email [email]callhome@cisco.com[/email]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:
: end
asdm location Win2008Server 255.255.255.255 inside
no asdm history enable
Nov 5, 2011 21:58
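Added example, not from the post and not Cisco code: a small lint over the security-relevant lines of the posted config. `CONFIG` is an excerpt of the lines above with the aa.aa.aa.aa placeholder kept. It flags management access (http/ssh) permitted from any source on the security-level-0 interface, transform sets actually referenced by a crypto map that contain DES, 3DES or MD5, ISAKMP policies using 3DES or a DH group below 14, and a default route whose next hop is one of the box's own interface addresses. That last one fires on the excerpt only because the post uses the same placeholder for the outside address and the next hop; on a real unit the next hop is the provider's gateway. None of this explains why the tunnel is down; it is what a reviewer would raise before calling it done.

```python
"""Lint a few security-relevant settings in an ASA 8.2 configuration.

Added example, not part of the original post.  CONFIG is excerpted
from the posted config (only the lines these checks read).
"""

CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.5.2 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address aa.aa.aa.aa 255.255.255.0
route outside 0.0.0.0 0.0.0.0 aa.aa.aa.aa 1
http server enable
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
ssh 192.168.5.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
"""

WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_IKE_ENC = {"des", "3des"}
WEAK_IKE_HASH = {"md5"}
WEAK_IKE_GROUP = {"1", "2", "5"}      # DH groups below 2048-bit MODP (group 14)


def parse(text):
    """Pull out interfaces, management lines, default routes, transform sets and ISAKMP policies."""
    cfg = {"ifaces": {}, "ike": {}, "transform_sets": {}, "used_sets": set(),
           "mgmt": [], "default_routes": []}
    ctx = None                       # the interface or isakmp policy whose sub-commands follow
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        line = " ".join(words)
        if words[0] == "interface":
            ctx = cfg["ifaces"].setdefault(words[1], {})
        elif line.startswith("crypto isakmp policy "):
            ctx = cfg["ike"].setdefault(words[3], {})
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transform_sets"][words[3]] = set(words[4:])
        elif line.startswith("crypto map ") and "set transform-set" in line:
            cfg["used_sets"].update(words[words.index("transform-set") + 1:])
        elif words[0] in ("http", "ssh", "telnet") and len(words) == 4:
            cfg["mgmt"].append(tuple(words))              # proto, host, mask, interface
        elif words[0] == "route" and words[2:4] == ["0.0.0.0", "0.0.0.0"]:
            cfg["default_routes"].append((words[1], words[4]))
        elif ctx is not None and words[0] in ("nameif", "security-level",
                                              "authentication", "encryption", "hash", "group"):
            ctx[words[0]] = words[1]
        elif ctx is not None and words[:2] == ["ip", "address"]:
            ctx["ip"] = words[2]
    return cfg


def lint(text):
    """Return finding identifiers; empty list means nothing flagged."""
    cfg = parse(text)
    findings = []
    level = {i["nameif"]: int(i["security-level"]) for i in cfg["ifaces"].values()
             if "nameif" in i and "security-level" in i}
    local_addrs = {i["ip"] for i in cfg["ifaces"].values() if "ip" in i}
    for proto, host, mask, ifname in cfg["mgmt"]:
        if host == "0.0.0.0" and mask == "0.0.0.0" and level.get(ifname) == 0:
            findings.append(f"MGMT-ANY-SOURCE:{proto}:{ifname}")
    for name in sorted(cfg["used_sets"]):                 # only sets a crypto map references
        for alg in sorted(cfg["transform_sets"].get(name, set()) & WEAK_ESP):
            findings.append(f"WEAK-ESP:{name}:{alg}")
    for num, pol in sorted(cfg["ike"].items()):
        if pol.get("encryption") in WEAK_IKE_ENC:
            findings.append(f"WEAK-IKE-ENC:{num}:{pol['encryption']}")
        if pol.get("hash") in WEAK_IKE_HASH:
            findings.append(f"WEAK-IKE-HASH:{num}:{pol['hash']}")
        if pol.get("group") in WEAK_IKE_GROUP:
            findings.append(f"WEAK-IKE-DH:{num}:group{pol['group']}")
    for ifname, nexthop in cfg["default_routes"]:
        if nexthop in local_addrs:
            findings.append(f"DEFAULT-ROUTE-NEXTHOP-IS-LOCAL:{ifname}:{nexthop}")
    return findings


if __name__ == "__main__":
    for f in lint(CONFIG):
        print(f)
```

The unused ESP-DES-MD5 transform set is deliberately not reported: it does nothing until a crypto map selects it, and reporting every defined set would bury the one in use.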
- falz
- Jan 29, 2005
01100110 01100001 01101100 01111010
Believe it or not, there are plenty of 6.3x PIX in production still. I'd use it to learn, then get something that can run 8.x so you can see the config differences. Also I recall reading that you can actually install 8.x on it by ripping some crap out of the image, like ASDM. Don't remember the exact details, sorry.
Nov 6, 2011 17:18
- Tremblay
- Oct 8, 2002
More dog whistles than a Petco
bizwank posted:
We have an ASA5505 that's supposed to be hosting an IPsec point-to-point tunnel but it isn't coming up (trying to connect from a remote Windows server); a consultant set this up Friday but couldn't test it at the time, and I can't get a hold of him. I know nothing about Ciscos except what I've learned over the last 12 hours; does anyone see any obvious issues in our config? aa.aa.aa.aa is the Cisco, bb.bb.bb.bb is the Windows server.
code:
<snip>
Any logs on the windows server? In the log window in ASDM do you see any messages that sound related to VPN? On the ASA if you do a "show isakmp sa" are there any entries?
Nov 6, 2011 18:07
- Harry Totterbottom
- Dec 19, 2008
bizwank posted:
We have an ASA5505 that's supposed to be hosting a ipsec point-to-point tunnel but it isn't coming up (trying to connect from a remote Windows server); a consultant set this up Friday but couldn't test it at the time, and I can't get a hold of him. I know nothing about Ciscos except what I've learned over the last 12 hours; does anyone see any obvious issues in our config? aa.aa.aa.aa is the Cisco, bb.bb.bb.bb is the Windows server.
Go to the CLI and do the following:
code:
ping inside <ip address of windows server>
show isakmp sa
If the tunnel is being established you should see it listed here. If it's not being established the issue is most likely going to be something is messed up with the cryptomap isakmp encryption selection, or the certificate. This would require using debug to further isolate and identify the problem in negotiation.
Are you using the ASDM at all or just CLI? If you're in the ASDM you can pull up the site to site settings and verify them with the settings on the other end pretty easy.
One other thing to also make sure is that the subnet that you're trying to start the tunnel from is listed in your protected tunnels. From glancing at your config it appears that the subnet that the ASA interface is on is included in the crypto map, but if say you've got additional segmentation (i.e. 192.168.15.0/24) that you're trying to run across the tunnel, you're not going to get across because the only protected network is the 192.168.5.0.
If segmentation isn't the issue, and you've got all of your isakmp transform sets configured correctly, I'd double check your certificate to make sure that it's being trusted on both ends.
edit: And follow any advice Tremblay gives you over me, my knowledge is from hacking stuff together until it works, he really knows his poo poo.
Nov 6, 2011 18:21
- bizwank
- Oct 4, 2002
A ping and a show isakmp sa from the CLI got me nothing, but a ping from the Windows side resulted in this:
code:
5 Nov 06 2011 13:27:45 713904 Group = bb.bb.bb.bb, IP = bb.bb.bb.bb, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
4 Nov 06 2011 13:27:45 713903 Group = bb.bb.bb.bb, IP = bb.bb.bb.bb, ERROR, had problems decrypting packet, probably due to mismatched pre-shared key. Aborting
So that's pretty self-explanatory, but I just double-checked the keys and they do match. Here's the log from the Windows side:
code:
During main mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
Local Network Address: bb.bb.bb.bb
Remote Network Address: aa.aa.aa.aa
Keying Module Name: IKEv1
An IPsec main mode negotiation failed.
Local Endpoint:
Local Principal Name: -
Network Address: bb.bb.bb.bb
Keying Module Port: 500
Remote Endpoint:
Principal Name: -
Network Address: aa.aa.aa.aa
Keying Module Port: 500
Additional Information:
Keying Module Name: IKEv1
Authentication Method: Preshared key
Role: Initiator
Impersonation State: Not enabled
Main Mode Filter ID: 145817
Failure Information:
Failure Point: Local computer
Failure Reason: Negotiation timed out
State: Sent third (ID) payload
Initiator Cookie: f854c085317ffc03
Responder Cookie: 827306ad5196ca13
We're only using the one class-c; through poking through the ASDM I think I found most of the VPN settings but it appears there's many different ways to set it up on the Windows side and I have no documentation about what exactly was done there.
Nov 6, 2011 21:55
- Tremblay
- Oct 8, 2002
More dog whistles than a Petco
What version of Windows Server, 2003 or 2008?
If you go to Start -> Run -> MMC <enter>
Add/Remove Snap-in -> IP Security Policies
Click on the policy and then edit
On the Authentication Methods tab is there only Preshared Key or multiple listings?
On the Security Methods tab, what are the methods (in order)?
Is the "Use session key perfect forwarding secrecy (PFS)" box checked?
Nov 6, 2011 22:18
- ate shit on live tv
- Feb 15, 2004
by Azathoth
Is the Windows box being NATted going out from wherever it is, thus the source address/port is different than what you think it is? Also what do the logs on the ASA look like?
Nov 6, 2011 23:29
- bizwank
- Oct 4, 2002
Tremblay posted:
What version of Windows Server, 2003 or 2008?
If you go to Start -> Run -> MMC <enter>
Add/Remove Snap-in -> IP Security Policies
Click on the policy and then edit
On the Authentication Methods tab is there only Preshared Key or multiple listings?
On the Security Methods tab, what are the methods (in order)?
Is the "Use session key perfect forwarding secrecy (PFS)" box checked?
2008 R2, preshared key only, and I don't see a Security Methods tab nor that check box.
Powercrazy posted:
Is the Windows box being NATted going out from wherever it is, thus the source address/port is different than what you think it is? Also what do the logs on the ASA look like?
The Windows box has a single public IP, no NAT or filtering. When I try to ping the LAN side of the Cisco from the Windows box I get the errors in my previous post; is there something else I should be looking for in the ASA logs?
Nov 7, 2011 00:40
- ruro
- Apr 30, 2003
WhatIsLife posted:
I think this would be the place to ask...
I just purchased a Linksys WRT150N wireless router. I set it up and everything is working fine, I can connect to the wireless network from my laptop. However, if I try to connect to the wireless network with my Xbox 360, it instantly disconnects my computer. I've tried unplugging and replugging everything. It's almost like it just doesn't have the power to handle my computer using the internet AND Xbox Live. This isn't the case, is it?
Please help, I'm really hoping I didn't waste forty dollars on this router.
Not really the right place to ask this, this is more a Cisco enterprise thread (Linksys is completely different, Cisco just bought them out and slapped their logo on). Having said that, does the WRT150N have any kind of activity logs that might indicate why your laptop is being disconnected? You didn't clone your laptop's MAC address onto your Xbox 360 or anything out of the ordinary like that did you?
Nov 7, 2011 02:11
- Tremblay
- Oct 8, 2002
More dog whistles than a Petco
bizwank posted:
2008 R2, preshared key only, and I don't see a Security Methods tab nor that check box.
The Windows box has a single public IP, no NAT or filtering. When I try to ping the LAN side of the Cisco from the Windows box I get the errors in my previous post; is there something else I should be looking for in the ASA logs?
I suspect the issue is with phase 1, not the PSK but the diffie or encryption setting. I'm sorry I've never tried to do this with 2k8 and don't have a box handy. Are you east coast or west?
Nov 7, 2011 18:53