karttoon
Apr 11, 2006
Ok so I have my CCNA, making good progress on my CCNP but do not work at all with Cisco gear. I don't even do networking for that matter. So what I want to know is, while I'm on the hunt for a networking job (hopefully where I currently work) what would you guys recommend as the best way to 'practice' to keep the skills and knowledge relatively fresh in my head?

Ideally I'd like to buy a poo poo ton of equipment (right now I have a 2924xl, 2610xm, 1231ga that I have my home network set up with) and just set up random different networks. Would also like to find some kind of Cisco forum where people ask for help and I could try to help/research/figure out real problems. Anyone know of such a forum or have any other suggestions?

Brinx
Aug 1, 2005
Goons,

A shiny plat or archives if anyone can solve this as it's rapidly driving me insane.

I'm trying to set up a PIX 515 to PIX 506e IPSEC VPN. The first PIX (vpn-01) is sat in our colocated data centre (which has access to our entire 10.0.0.0 network) and the second (vpn-02) is in a remote office. The aim of the VPN is to allow the users in the remote office access to 10.0.0.0/255.0.0.0 and vice versa.

Currently it looks like this:

[vpn-02]
attached network 10.160.0.0
inside 10.160.2.8
outside 82.*.*.37

<-- Internet -->

[vpn-01]
attached network 10.0.0.0
inside 10.10.2.90
outside 192.168.10.90 (NATed from 85.*.*.72)


I've been toiling with it on and off for about a week now but am pretty much stuck. I've managed to get phase 1 to complete but phase 2 stops with:

"IPSEC(validate_transform_proposal): proxy identities not supported"

Everything I've found related to this error points to a mismatch in the ACLs between the hub and spoke PIXes. However as it's an EasyVPN setup, as far as I understand from my Cisco book and Cisco website docs, you don't set an ACL on the spoke PIX as it's unnecessary.

The configs that I have are as follows:

vpn-01 (colocation hub):

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GRePyfvSUgEmkwRU encrypted
passwd GRePyfvSUgEmkwRU encrypted
hostname vpn-01
domain-name hoarelea.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list remoteofficeAllowAllInternal permit ip 10.0.0.0 255.0.0.0 10.160.0.0 255.255.0.0
access-list remoteofficeAllowSplitTunnel permit ip 10.0.0.0 255.0.0.0 10.160.0.0 255.255.0.0
pager lines 24
logging on
logging timestamp
logging standby
logging buffered informational
logging trap errors
logging facility 19
logging host inside *.*.*.*
icmp permit any echo outside
icmp permit any echo-reply outside
mtu outside 1500
mtu inside 1500
ip address outside 192.168.10.90 255.255.255.0
ip address inside 10.10.2.90 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.10.8 2
route inside 10.0.0.0 255.0.0.0 10.10.2.8 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 10.0.0.0 255.0.0.0 inside
snmp-server host inside 10.10.2.26
snmp-server location collocation
no snmp-server contact
snmp-server community *******
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set remoteofficetrmset1 esp-aes-256 esp-sha-hmac
crypto map map1 10 ipsec-isakmp
crypto map map1 10 match address remoteofficeAllowSplitTunnel
crypto map map1 10 set peer 82.*.*.37
crypto map map1 10 set transform-set remoteofficetrmset1
crypto map map1 client authentication LOCAL
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup remoteofficegroup dns-server 10.10.2.3
vpngroup remoteofficegroup wins-server 10.10.2.3
vpngroup remoteofficegroup default-domain ******.local
vpngroup remoteofficegroup idle-time 1800
vpngroup remoteofficegroup password ********
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 10
ssh timeout 5
console timeout 15
username remoteoffice password DjuV6qUmVH8HCPlZ encrypted privilege 2
terminal width 80

and the remote office PIX (vpn-02 spoke):

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password GRePyfvSUgEmkwRU encrypted
passwd GRePyfvSUgEmkwRU encrypted
hostname vpn-02
domain-name *******.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside 82.*.*.37 255.255.255.240
ip address inside 10.160.2.8 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
conduit permit icmp any any echo-reply
route outside 0.0.0.0 0.0.0.0 82.*.*.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http 10.160.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 15
ssh timeout 5
console timeout 15
username remoteoffice password DjuV6qUmVH8HCPlZ encrypted privilege 2
vpnclient server 85.*.*.72
vpnclient mode network-extension-mode
vpnclient vpngroup remoteofficegroup password ********
vpnclient username remoteoffice password ********
vpnclient enable
terminal width 80

As mentioned, phase 1 is ok:

vpn-01# sh cry isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.10.90 82.*.*.37 QM_IDLE 0 0


but phase two debug output is this:

IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.168.10.90, src= 82.211.81.37,
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) dest= 192.168.10.90, src= 82.211.81.37,
dest_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes-256 esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x400
IPSEC(validate_transform_proposal): proxy identities not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 2) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 12, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 2, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 11, hmac_alg 1) not supported
IPSEC(validate_proposal): transform proposal (prot 3, trans 11, hmac_alg 2) not supported

Apologies for all the text. I thought it best to include everything. The only thing I can think of that might be causing a problem is the fact that the outside address on vpn-01 is NATed and that the NATed address is shown in the 'sh crypto isakmp sa' output rather than the real public IP. I thought nat-traversal would take care of that though. Or perhaps it's something to do with the hub PIX being on a 10.0.0.0 /8 network which the 10.160.0.0 subnet is essentially part of. I've not been able to find any examples of people doing this - only people creating VPN tunnels between clearly defined /24's but I'd think it would work...

All this is fairly new to me as I've recently been promoted in my job and had to teach myself from a Cisco book in a hurry, so any help would be greatly appreciated. I did try abandoning EasyVPN and following a LAN2LAN example but got even less far with that.

Brinx fucked around with this message at 13:49 on May 29, 2007

jwh
Jun 12, 2002

karttoon posted:

what would you guys recommend as the best way to 'practice' to keep the skills and knowledge relatively fresh in my head?

I would recommend buying a used 3640 with a 12.4 IOS. Then you can steal the IOS image and use it with Dynamips/Dynagen to emulate a handful of 3640's.

atticus
Nov 7, 2002

karttoon posted:

Ok so I have my CCNA, making good progress on my CCNP but do not work at all with Cisco gear. I don't even do networking for that matter. So what I want to know is, while I'm on the hunt for a networking job (hopefully where I currently work) what would you guys recommend as the best way to 'practice' to keep the skills and knowledge relatively fresh in my head?

Ideally I'd like to buy a poo poo ton of equipment (right now I have a 2924xl, 2610xm, 1231ga that I have my home network set up with) and just set up random different networks. Would also like to find some kind of Cisco forum where people ask for help and I could try to help/research/figure out real problems. Anyone know of such a forum or have any other suggestions?

You've probably got a slightly better chance at moving up to a neteng position at your current job than leaving your position and trying to get one of those with just a CCNP and no hands-on experience with production equipment.

groupstudy.com has a lot of CCIEs that are studying for their lab exam - if you want ideas/scenarios to blow your mind, that's probably a decent place to start.

atticus
Nov 7, 2002

Sorry for the double post but I am sad I missed the beginnings of this thread. :(

Herv
Mar 24, 2005

Brinx posted:

IPSEC Stuff with overlapping IP4 subnets.
I didn't post my NAT configs, so I don't know if my VPN traffic is shooting out to the internet instead of my peer fw.

I do not think it would be possible to create a phase 2 SA when network 1 is a subnet of network 2. (e.g. 10.10.1.0/24 to a 10.0.0.0/8)

You want to get more specific on your 10.0.0.0/8 classification at the colo/hq/hub fw.

You also want to exclude any network that will traverse the VPN tunnel from NAT. Or just restrict all of RFC 1918 from NATing.

The reason is that NAT is processed before IPSEC: even if you get the tunnel up by fixing the overlapping subnets, the source IP of all that traffic will be the public IP they are NAT'd behind.

At least that's how it used to work...
Hope this helps.

Herv fucked around with this message at 21:14 on May 29, 2007
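An added example (not from the thread or either poster) that checks the two phase 2 conditions discussed above against the networks from Brinx's configs: whether the hub has a mirror-image crypto ACL entry for what the spoke proposes, and whether one selector lies inside the other. The hub ACL and debug selector lines are taken from the posts; the "fixed" ACL and the spoke proposal used with it are constructed.

```python
"""Added example: IPsec phase 2 proxy-identity checker for PIX 6.3 configs."""
import ipaddress
import re

# PIX 6.3 crypto ACL line:  access-list NAME permit ip SRC MASK DST MASK
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)$")
# 'debug crypto ipsec' selector line:  src_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4)
PROXY_RE = re.compile(r"(src|dest)_proxy=\s*([\d.]+)/([\d.]+)/\d+/\d+")


def net(addr, mask):
    """Build a network object from a PIX-style address and subnet mask."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(config, name):
    """Return the (local, remote) network pairs of the named crypto ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == name:
            pairs.append((net(m.group(2), m.group(3)), net(m.group(4), m.group(5))))
    return pairs


def parse_proposals(debug):
    """Return (src_proxy, dest_proxy) pairs, one per validate_proposal_request block."""
    proposals, current = [], {}
    for m in PROXY_RE.finditer(debug):
        current[m.group(1)] = net(m.group(2), m.group(3))
        if "src" in current and "dest" in current:
            proposals.append((current["src"], current["dest"]))
            current = {}
    return proposals


def check_phase2(hub_pairs, proposals):
    """List the reasons the hub would reject each proposal (empty list = accepted)."""
    findings = []
    for src, dest in proposals:
        # The hub's ACL reads local -> remote, so the peer's src_proxy must equal
        # the hub's remote network and its dest_proxy the hub's local network.
        if not any(local == dest and remote == src for local, remote in hub_pairs):
            findings.append(f"{src} -> {dest}: no mirror-image entry on the hub "
                            "(proxy identities not supported)")
    for local, remote in hub_pairs:
        # One selector nested inside the other is the overlap Herv describes.
        if remote.subnet_of(local):
            findings.append(f"{remote} lies inside {local}: the selectors overlap, narrow the hub's local network")
        elif local.subnet_of(remote):
            findings.append(f"{local} lies inside {remote}: the selectors overlap")
    return findings


# The hub's crypto ACL as posted above.
HUB_ACL = "access-list remoteofficeAllowSplitTunnel permit ip 10.0.0.0 255.0.0.0 10.160.0.0 255.255.0.0"
# Selector lines from the debug output posted above.
DEBUG = """\
dest_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
src_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4),
IPSEC(validate_transform_proposal): proxy identities not supported
dest_proxy= 10.160.0.0/255.255.0.0/0/0 (type=4),
src_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
"""
# Constructed 'after' ACL: the hub side narrowed to the 10.10.0.0/16 it actually sits on.
HUB_ACL_FIXED = "access-list remoteofficeAllowSplitTunnel permit ip 10.10.0.0 255.255.0.0 10.160.0.0 255.255.0.0"

if __name__ == "__main__":
    hub = parse_crypto_acl(HUB_ACL, "remoteofficeAllowSplitTunnel")
    for finding in check_phase2(hub, parse_proposals(DEBUG)):
        print("before:", finding)
    fixed = parse_crypto_acl(HUB_ACL_FIXED, "remoteofficeAllowSplitTunnel")
    # Constructed spoke proposal that mirrors the narrowed hub entry.
    mirrored = [(net("10.160.0.0", "255.255.0.0"), net("10.10.0.0", "255.255.0.0"))]
    print("after:", check_phase2(fixed, mirrored))
```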

atticus
Nov 7, 2002

I've got a question. Here's a short disclaimer:

I recently completed my CCNP, and I should really be punched in the face for not understanding this by now.

Now that that's out the way, here's the question:

So this has ALWAYS confused me, and I can't seem to find a clear answer on my own. I have a 3750 here, which I've added 5 loopbacks to:

int lo0
ip address 10.1.1.1 255.255.255.0
int lo1
ip address 10.1.2.1 255.255.255.0
int lo2
ip address 10.1.3.1 255.255.255.0
int lo3
ip address 10.1.4.1 255.255.255.0
int lo4
ip address 10.1.5.1 255.255.255.0

Each with a /24 mask. Here's the output of "show ip route"

code:
SW1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 5 subnets
C       10.1.3.0 is directly connected, Loopback2
C       10.1.2.0 is directly connected, Loopback1
C       10.1.1.0 is directly connected, Loopback0
C       10.1.5.0 is directly connected, Loopback4
C       10.1.4.0 is directly connected, Loopback3

What I NEVER understood was this line:

code:
10.0.0.0/24 is subnetted, 5 subnets

It just never made sense to me. To me, 10.0.0.0/24 always meant 10.0.0.0 - 10.0.0.255! So from that point of view, how can you get 10.1.1.0 out of a 10.0.0.0/24 subnet?!? Furthermore, if I change the mask on each of the loopbacks to a /32 - I get this for "show ip route" :

code:
SW1#sh ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 5 subnets
C       10.1.2.1 is directly connected, Loopback1
C       10.1.3.1 is directly connected, Loopback2
C       10.1.1.1 is directly connected, Loopback0
C       10.1.4.1 is directly connected, Loopback3
C       10.1.5.1 is directly connected, Loopback4

Now you can clearly see how even further I get confused, using my logic: how can you possibly "subnet" a /32?!? Can you guys shed some light as to WHY Cisco does this? I sure would appreciate it.

Thanks

atticus fucked around with this message at 15:53 on May 30, 2007

jwh
Jun 12, 2002

atticus posted:

Now you can clearly see how even further I get confused, using my logic: how can you possibly "subnet" a /32?!? Can you guys shed some light as to WHY Cisco does this? I sure would appreciate it.

It's a bit of a historical hold-over from the days before VLSM.

For instance:

code:
sanitized#sh ip ro | i sub
     168.173.0.0/16 is variably subnetted, 5 subnets, 3 masks
     66.0.0.0/24 is subnetted, 1 subnets
     192.168.78.0/32 is subnetted, 1 subnets
     172.20.0.0/24 is subnetted, 1 subnets
     172.23.0.0/24 is subnetted, 2 subnets
     10.0.0.0/8 is variably subnetted, 432 subnets, 8 masks

If you subnet into classful space, i.e., 10.0.0.0/8, but all of your subnets are /24's, then IOS likes to report "10.0.0.0/24 is subnetted, X subnets".

If you subnet variably within the same space, i.e., 10.0.1.0/24, 10.1.0.0/16, then IOS reports the natural classful mask, and says "10.0.0.0/8 is variably subnetted, X subnets, Y masks".

You're good to pick up on it in the first place, since most people don't even notice.

I hope that sort of explains what's going on.
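An added example (not from the thread) that reproduces the two header forms jwh describes by grouping routes under their pre-VLSM classful network; it assumes every route is a proper subnet of a class A/B/C network, as in the outputs above, and does not model a route equal to the classful network itself.

```python
"""Added example: how IOS summarises a route table by classful network."""
import ipaddress
from collections import defaultdict


def classful_prefixlen(network):
    """Class A/B/C mask length from the first octet (the pre-VLSM rule)."""
    first = int(network.network_address) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{network} is not in classful unicast space")


def classful_parent(network):
    """The classful network a route is summarised under."""
    return network.supernet(new_prefix=classful_prefixlen(network))


def route_table_section(prefixes):
    """Return the header and entry lines IOS prints for each classful group."""
    groups = defaultdict(list)
    for p in prefixes:
        n = ipaddress.ip_network(p)
        groups[classful_parent(n)].append(n)
    lines = []
    for parent in sorted(groups):
        subs = sorted(groups[parent])
        masks = sorted({s.prefixlen for s in subs})
        if len(masks) == 1:
            # One mask everywhere: the mask moves into the header and the
            # entries below are printed without it (this is atticus's case).
            lines.append(f"{parent.network_address}/{masks[0]} is subnetted, {len(subs)} subnets")
            lines.extend(f"    {s.network_address}" for s in subs)
        else:
            # Mixed masks: the header shows the natural classful mask and
            # each entry keeps its own mask.
            lines.append(f"{parent} is variably subnetted, {len(subs)} subnets, {len(masks)} masks")
            lines.extend(f"    {s}" for s in subs)
    return lines


if __name__ == "__main__":
    # atticus's five /24 loopbacks, then jwh's mixed-mask example.
    for line in route_table_section([f"10.1.{i}.0/24" for i in range(1, 6)]):
        print(line)
    for line in route_table_section(["10.0.1.0/24", "10.1.0.0/16"]):
        print(line)
```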

atticus
Nov 7, 2002

jwh, as always, is welcome to have my cisco babies.

Brinx
Aug 1, 2005

Herv posted:

I do not think it would be possible to create a phase 2 sa when network 1 is a subnet of network 2. (e.g. 10.10.1.0/24 to a 10.0.0.0/8)

Great, thanks. That's set me in the right direction. Phase 2 completes now so hopefully just a bit of fiddling with the routing at the far end and it'll be up and running.

Appreciate the help.

Boner Buffet
Feb 16, 2006
I'm not quite following the difference between SNMP Inform and SNMP Trap in the context of a CAT 2950. What is the difference?

xdice
Feb 15, 2006

InferiorWang posted:

I'm not quite following the difference between SNMP Inform and SNMP Trap in the context of a CAT 2950. What is the difference?

Short answer:

SNMP trap simply sends a trap on an event to the host configured to receive it.

SNMP inform sends an inform to the host configured to receive it, which then sends back an ack with an SNMP response PDU. These are generally more reliable than traps, but are only supported with devices that support SNMP v2c.


Cat 2950 config docs where this is covered: http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea2/configuration/guide/swsnmp.html

Manc Hill
Jul 19, 2001
We came into possession of a new Catalyst 2950 switch and not having anything better to do we decided to use it for our build network to replace a tiny netgear soho switch. We just took it out of the box and plugged it in, not knowing anything about these things particularly.

Anyway, it works ok, the only slight issue I've noticed is that when I network boot a PC with RIS, it takes quite a long time to pick up a DHCP address and boot into RIS, certainly much slower than on the old netgear.

I'm sure this is some simple config issue, since like I say we didn't touch it in any way out of the box apart from plugging it in. Is this a simple fix, or shall I just put up with it? It's not exactly a show stopper, adding like 30 seconds of wait time before I can press enter to set off the ghosting.

inignot
Sep 1, 2003

^^^^

Blah blah blah spanning-tree blah blah enable portfast.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

Manc Hill
Jul 19, 2001

inignot posted:

^^^^

Blah blah blah spanning-tree blah blah enable portfast.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00800b1500.shtml

Tremendous, I'll give that a whirl on Monday.

Recluse
Mar 5, 2004

A client of ours has two computers running some proprietary software connected over an IPSEC VPN using PIX 501s. He claims that every 15 minutes, if someone isn't doing something on the computer, the connection will drop. Using sh isakmp sa shows:

Total : 1
Embryonic : 0
dst src state pending created
xx.xxx.xxx.xxx yy.yyy.yyy.yyy QM_IDLE 0 1

which I believe shows that it's up and running.

This is the configuration file, and while I think it looks like it shouldn't idle out for a day, I was wondering if there was anyone who could tell me what I may be doing wrong? I've had very little experience with these so any help at all would be greatly appreciated. I'm not totally convinced it's the VPN that's disconnecting either.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password notreal encrypted
passwd notreal encrypted
hostname thisisdifferent
domain-name zzzz.zzz
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 90 permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list 50 permit tcp xx.xxx.xxx.x 255.255.255.128 any
access-list 50 permit tcp host xx.xxx.xxx.xxx any
access-list 50 permit tcp any any eq ssh
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
access-list no-nat permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list inmap permit tcp any host yy.yyy.yyy.yyy eq 5613
access-list inmap permit tcp any host yy.yyy.yyy.yyy eq telnet
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside yy.yyy.yyy.yyy 255.255.255.192
ip address inside 10.0.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.0.1.0 255.255.255.0 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location 10.0.2.0 255.255.255.0 outside
pdm location xx.xxx.xxx.xxx 255.255.255.255 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list no-nat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.0.1.10 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 5613 10.0.1.10 5613 netmask 255.255.255.255 0 0
access-group inmap in interface outside
route outside 0.0.0.0 0.0.0.0 gg.ggg.ggg.ggg 1
timeout xlate 1:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 10.0.1.0 255.255.255.0 inside
snmp-server host outside zz.zzz.zzz.zz
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set idaville esp-des esp-md5-hmac
crypto map otherplace 1 ipsec-isakmp
crypto map otherplace 1 match address 90
crypto map otherplace 1 set peer xx.xxx.xxx.xxx
crypto map otherplace 1 set transform-set idaville
crypto map otherplace 1 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map idaville interface outside
isakmp enable outside
isakmp key ******** address xx.xxx.xxx.xxx netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh zz.zz.zzz.z 255.255.255.255 outside
ssh 10.0.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
username admin password VQLdnwypBeKc65uW encrypted privilege 15
terminal width 80
Cryptochecksum:cc6428afd782ea604c007237f38292f9
: end

Herv
Mar 24, 2005

quote:

sh isakmp sa shows:

That just shows the Main Mode/ Phase 1 SA. You want to check the Quick Mode/ Phase 2 SA with a 'sh cry ip sa'. If that is dropping then it will jibe with what they are seeing.

Do the phase 1 and 2 SA lifetimes match up on both firewalls?

Worst case make a startup script that runs silently, pinging across constantly. :shobon:

jwh
Jun 12, 2002

Does "connection drop" mean the client suspects the tunnel is failing, or his application socket is failing? The latter seems more likely.

jwh
Jun 12, 2002

I'm looking for some feedback on a current project.

We're migrating our user vpn to a pair of ASA5540's, and we intend to terminate users into separate pools, which will correspond to separate 802.1q vlan subinterfaces. I think that will work at least.

However, I'm confused about whether the client gateway is the ASA, and if that's set via tunnel-group parameters, or if the client gateway is the next-hop from the ASA on that specific 802.1q subinterface.

I'm trying to figure out if this is going to work at all, because the ASA is sitting on a heavily segregated VRF-lite environment, and the ASA isn't like an IOS device with multiple routing tables. Contexts would maybe solve this, except for the fact that apparently you can't run multiple contexts and terminate remote access VPN on the same ASA. Or run OSPF. Boo.

I can't even just turn up OSPF in single-context mode because there's identical routes in each VRF that would collide, and I don't even want to think about what kind of unlivable hell that would cause.

Long story short, I want per-tunnel group default routes, or something like that I guess.

Weiz
Dec 12, 2003
OK here are 2 questions:

1) Is it somehow possible to enter a question mark into the router and not have it interpret that as me querying what commands are available (let's say for a complex password)?

2) We have this 1811W at the office, I've managed to fumble my way around setting up Wi-Fi with WPA-PSK using TKIP however I didn't manage to find anything referencing the use of AES/CCMP. Am I missing something or is the feature simply not there?

code:
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(9)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Sat 17-Jun-06 01:48 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YH5, RELEASE SOFTWARE (fc1)

HQ-gos uptime is 1 week, 2 days, 8 hours, 41 minutes
System returned to ROM by error - a SIGTRAP exception, PC 0x800C7B2C at 14:44:51 AEST Wed Jun 6 2007
System restarted at 14:45:24 AEST Wed Jun 6 2007
System image file is "flash:c181x-advipservicesk9-mz.124-9.T.bin"

jwh
Jun 12, 2002

Try going to 12.4(11)XJ or newer. It looks like that's when AES CCMP showed up on the 1800s.

inignot
Sep 1, 2003

Weiz posted:

OK here are 2 questions:

2) We have this 1811W at the office, I've managed to fumble my way around setting up Wi-Fi with WPA-PSK using TKIP however I didn't manage to find anything referencing the use of AES/CCMP. Am I missing something or is the feature simply not there?

There's a hardware dependency on support for AES/CCMP. When I messed around with that a year ago it was only supported in the access points. The integrated wireless in the 800/1800 and the wireless WIC didn't support it. Cisco dances around mentioning this in their documentation. If you look on the 1800 data sheet page; WPA2 is mentioned several times, but AES/CCMP isn't listed in the Wireless LAN Security Features table.

http://www.cisco.com/en/US/products/ps5853/products_data_sheet0900aecd8028a95f.html

inignot fucked around with this message at 17:09 on Jun 15, 2007

jwh
Jun 12, 2002

ASA 8.0(2) up on cco as of today.

Looks like lots of SSL VPN enhancements, and the thing I had been waiting for:

Platform Enhancements

VLAN support for remote access VPN connections

Provides support for mapping (tagging) of client traffic at the group or user level. This feature is compatible with clientless as well as IPsec and SSL tunnel-based connections.

Fart.Bleed.Repeat.
Sep 29, 2001

I've got a 1720 Router connected via E0 to a lovely DSL modem. I configured DHCP client on the relevant interface (IP addr dhcp) and it works fine. Problem is when the ISP changes addresses, the cisco just kinda freaks out, unassigns its IP address and then nothing.
"fixing" it is nothing more than going on-site, powercycling the modem, and shut/no shut of E0..

Shouldn't it retry to get a DHCP address after some point? Is there any way to detect this condition (losing its address) and force it to reconnect? Is there any DHCP renew command that I'm just not seeing?


VVVV Will do next time I'm out there. Thanks!

Fart.Bleed.Repeat. fucked around with this message at 20:58 on Jun 19, 2007

Herv
Mar 24, 2005

buspAss posted:

Shouldn't it retry to get a DHCP address after some point? Is there any way to detect this condition (losing its address) and force it to reconnect? Is there any DHCP renew command that I'm just not seeing?

Check out these commands:

show ip dhcp binding

and in global config:

ip dhcp binding cleanup interval <n seconds>

You should be able to glean the lease information in the show command, and perhaps have it check for cleanups and re-binding at that interval.

Might help, might not.

Cheers

Biggz
Dec 27, 2005

Hi goons,

I've recently purchased an 871 router to use with my cable internet. The WAN port is Ethernet and grabs ip via DHCP from the cable modem. I've got a CCNA so I can set it up as far as that knowledge goes.

However I'm wanting to implement QoS, which was not covered in CCNA as far as I remember. I'm wanting to set up a list of ports to prioritise over everything else. Can anyone point me in the right direction? Hell, helping me navigate the cisco documentation website would be a great start as I'm sure the information is buried away in there somewhere :)

If it's relevant I've got fa0 through to fa3 in vlan1 acting as a 4port switch, and fa4 is the WAN port.

thanks for your help.

jwh
Jun 12, 2002

Biggz posted:

However I'm wanting to implement QoS

One of the challenges with shaping on consumer broadband is that your router doesn't generally know what kind of bandwidth is actually available, versus the reported link speed. For instance, I'm willing to bet the 871's wan interface isn't really sitting on 10, or 100mbps upstream.

You could artificially shape to a predetermined rate, and then implement a queuing scheme within that, but my recommendation would be to not bother with QoS unless you feel you really need it.

The 'interface-time' of outbound packets leaving the 871 is really short, so there's little chance of a queue building, as opposed to a T1, for instance. If you really want to do it anyway, I'd look at nested hierarchical policy-maps (CBWFQ inside GTS): http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fqos_c/fqcprt4/qcfcbshp.htm

I'm not even sure if that's supported on an 871, someone correct me if I'm wrong.

Biggz
Dec 27, 2005

Cisco.com posted:

Q. What QoS features are supported on the Cisco 870 platforms?
A. The Cisco 870 Series supports advanced QoS features on the WAN interface to strictly prioritize different types of traffic, especially voice traffic. These advanced QoS features include Class-Based Weighted Fair Queuing (CBWFQ), Low Latency Queuing (LLQ), class-based marking, policing, Class-Based Weighted Random Early Detection (CBWRED), Network-Based Address Recognition (NBAR), QoS preclassify, prefragmentation, Resource Reservation Protocol (RSVP), Priority and Custom queuing, and LFI. Starting with Cisco IOS Software Releases 12.4(9)T2 and 12.4(11)T, DSCP and IP precedence marking are also supported on the LAN using the switched virtual interface (SVI).

Thanks for the suggestion jwh, I'll have a better read of that in the morning when I'm more awake, but from my initial read of your link I can't see how I would classify the traffic for prioritization.

I should have read the router spec before, because I can at least search Cisco documentation on the different types of QoS and specifically your suggestion.

XakEp
Dec 20, 2002
Amor est vitae essentia

Seconding CBWFQ. It'll give you some serious granularity in your control.

StabbinHobo
Oct 18, 2002

by Jeffrey of YOSPOS

jwh posted:

Provides support for mapping (tagging) of client traffic at the group or user level.
ooooooohhhh. Now I have to go re-think my plan. I had talked myself out of needing this, but it was half sour grapes.

edit: this is dot1q tagging right?

jwh
Jun 12, 2002

StabbinHobo posted:

ooooooohhhh. Now I have to go re-think my plan. I had talked myself out of needing this, but it was half sour grapes.

edit: this is dot1q tagging right?

Yeah, dot1q tags, but there's a problem: I was really close to posting on c-nsp about it, but I thought I'd better open a TAC case tomorrow before I go shooting my mouth off.

What I can't figure out is this: 8.0(2) offers support for trapping remote access users in 802.1q vlans, but the ASA still only has one tunnel default gateway / routing table. So, unless I'm seeing this wrong, "vlan mapping" doesn't buy you much at second glance. In other words, you can trap people to vlans on the inside, but the ASA still only knows how to route users with a single routing table. This might be fine if your network lines up right (ie., vlans correspond correctly to customer networks), but I need more routing flexibility. Mostly, I need to drop users in vlans, and then supply them with specific routes.

So I dunno, TAC case tomorrow to find out whether this will work, or if I'm going to instead use IPsec DVTIs with ivrf/fvrf on an IOS based platform.

jwh fucked around with this message at 03:55 on Jun 20, 2007

Godfrey
May 29, 2004

Excellent!

Alright, this is not really a short question but.... I am retarded when it comes to VPNs. I've only set one or two up correctly, but this does not stop me from thinking my boss is doing it completely backasswards. :saddowns:

I was wondering if one of you would give me a good example of a properly set up VPN between two Ciscos and just so you know we run our operations on 7100s and 7200s running Version 12.2

I know this really isn't specifically a Cisco question but the people that watch this thread are the kind of peeps I would like to hear from.

CrazyLittle
Sep 11, 2001

Clapping Larry

jwh posted:

(CBWFQ inside GTS):
I'm not even sure if that's supported on an 871, someone correct me if I'm wrong.

Yeah, CBWFQ is supported on the 87x routers. Just try to apply it to an ADSL interface... you'll run into the multiple dead ends I am right now.

I've got a customer that was provisioned a 1720 (IOS 12.3.9a, 32d+8f) w/ ADSL-WIC with a PIX 501. The key ingredients to this setup are that they want the PIX, and they want to run VoIP over the DSL, and therefore they need QoS on the DSL so that calls don't drop.

The problem? I can't get the loving ADSL connection to work properly. Normally when I configure ADSL WICs, I'm using IRB and bonding the connection to a BVI... except CBWFQ is not supported over IRB.

So how do I configure an ADSL connection without subinterfaces or IRB or a BVI interface? Here's what I've got so far, and the error that trickled up:

quote:

*Mar 1 15:55:04.376: %IP-4-ZERO_ADDR: Zero MAC address for <WAN IP> in ARP cache

code:
class-map match-all voice
  match access-group 101
!
!
policy-map voice
  class voice
   bandwidth percent 30
  class class-default
   fair-queue
!
!
interface ATM0
 ip address <WAN IP> 255.255.255.252
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/35
  protocol ip <WAN GATEWAY>
  cbr 384
  encapsulation aal5snap
  service-policy output voice
 !
!
!
access-list 101 permit ip <VOIP SERVER> 0.0.0.255 any

Any of you guys know what's missing/wrong? Cisco TAC isn't getting back to me, and all Google results are really vague responses about bridging.


Oh, and Biggz - in the example above, here are the parts which configure CBWFQ:

code:
class-map match-all <CLASS-NAME>
  match access-group 101
!
!
policy-map <POLICY-NAME>
  class <CLASS-NAME>
   bandwidth <kbps | percent ##%>
  class <CLASS-NAME-2>
   bandwidth <kbps | percent ##%>
  class class-default
   fair-queue
!
!
interface XYZ
  service-policy output <POLICY-NAME>

CrazyLittle fucked around with this message at 18:10 on Jun 20, 2007

Herv
Mar 24, 2005

Soiled Meat

Well, IRB was superseded by RBE (routed bridge encapsulation) but I still use a sub-interface. Try it on the main interface though.

http://www.cisco.com/warp/public/121/atm_bridging.html

Here's an RBE example. I do not believe I can enter an 'atm route-bridged ip' without being in a sub-interface.

code:
interface ATM0/1
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0/1.1 point-to-point
 ip address 151.204.xxx.xxx 255.255.255.0
 ip nat outside
 atm route-bridged ip
 pvc 0/35
  encapsulation aal5snap

CBWFQ will not work on an ATM interface. Fair Queuing can though, too busy to find the articles though.

The PIX will strip off any qos tags set by the phone, so I hope the voip can be classified by IP if possible (e.g. not going over a vpn with a bunch of other traffic).

Edit: I have done a combo with Priority Queuing on the IOS-FW so the DSL router gets the important traffic first.

PIX 501's suck rear end for voip compared to a 2600 with IOS-FW.

Herv fucked around with this message at 18:29 on Jun 20, 2007

CrazyLittle
Sep 11, 2001

Clapping Larry

Herv posted:

The PIX will strip off any qos tags set by the phone, so I hope the voip can be classified by IP if possible (e.g. not going over a vpn with a bunch of other traffic).

Edit: I have done a combo with Priority Queuing on the IOS-FW so the DSL router gets the important traffic first.

PIX 501's suck rear end for voip compared to a 2600 with IOS-FW.

Believe me, if I could I would have reconfigured the entire package, because the hardware in this is all wrong. These guys don't even need Cisco gear really, as it all could be performed by an Adtran DSL router or even these wacky little "Draytek" ones we have which work surprisingly well. It was a customer demand to supply a PIX.

jwh
Jun 12, 2002

Godfrey posted:

Alright, this is not really a short question but.... I am retarded when it comes to VPNs. I've only set one or two up correctly, but this does not stop me from thinking my boss is doing it completely backasswards. :saddowns:
What do you mean? What is he doing?

I like to use ipsec protected GRE tunnels. It's super easy to configure, and they configure up like actual routed interfaces. None of this dynamic crypto map wacky nonsense.

http://www.cisco.com/univercd/cc/td/doc/solution/p2pgre_x.pdf

Godfrey
May 29, 2004

Excellent!

jwh posted:

What do you mean? What is he doing?

I like to use ipsec protected GRE tunnels. It's super easy to configure, and they configure up like actual routed interfaces. None of this dynamic crypto map wacky nonsense.

http://www.cisco.com/univercd/cc/td/doc/solution/p2pgre_x.pdf

Thank you, I will read this (well, most of it, I also have a Cisco VPN book coming to me in the mail) but he is using crypto maps and it just seems unnecessarily messy, especially with five of them.

Biggz
Dec 27, 2005

Thanks for the help guys, I was reading more in work today, amongst other things, so I couldn't really go through it that well. Here is my scenario.

It's in a house setup with three people total. Ideally, I'd like to be able to set three ACLs, one for each person. I'd reserve IPs for each device and put them in their respective owner's ACL. Then, set each ACL with a minimum of 33% outgoing bandwidth. Would this let each user use all of the upload if it isn't in use, and 33% minimum if everyone is using it?

Then, if it's possible, prioritise by protocol/port. VoIP first, HTTP second etc...

Or if that isn't possible I can just handle QoS based on protocol/port.

Another question which I'm not sure is possible. Is it possible to do UPnP on Cisco routers? Or anything similar which would enable MSN to send files? I've been looking and not found anything apart from this, which was posted back in 2003.

Cisco posted:

We will definitely be implementing "full" support for Messenger (and other popular IMs), however it's not obvious that UPnP is the best way to do it. We are VERY concerned about security aspects, or lack thereof, in UPnP

To tell you the truth I've not tested the 871 with MSN as I just figured it wouldn't work without UPnP.

Biggz
Dec 27, 2005

So in theory, should this prioritize web traffic (or whatever matches in the 102 ACL) above everything else?

code:
class-map match-all TheseGoFirst
 match access-group 102

access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any any eq www

policy-map WAN
  class TheseGoFirst
   priority 512

interface FastEthernet4
 service-policy output WAN

I'm still trying to get my head around this, but in the following example should it "share" the WAN connection, upstream at least, between the three ACLs?

code:
class-map match-all Biggz
 match access-group 102

class-map match-all Housemate1
 match access-group 103

class-map match-all Housemate2
 match access-group 104

access-list 102 permit ip host 192.168.0.2 any

access-list 103 permit ip host 192.168.0.3 any

access-list 104 permit ip host 192.168.0.4 any

policy-map WAN
  class Biggz
   priority percent 33
  class Housemate1
   priority percent 33
  class Housemate2
   priority percent 33

Thanks for looking this over.
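Putting jwh's "CBWFQ inside GTS" suggestion together with the three-housemate split above, as an added example (not a config from any poster in this thread, and not pulled from an 871): the parent policy shapes to an assumed 700 kbps, a little under an assumed 768 kbps ADSL upstream, so that the queue builds on the router rather than in the modem, and inside it a VoIP class gets LLQ while each housemate gets a guaranteed share via `bandwidth remaining percent`, which, unlike `priority percent`, lets an idle user's share be borrowed by the others instead of policing each to a third. The rates, ACL numbers, the VoIP host address and class-based shaping support on the 871's IOS are all assumptions.

```cisco
! Added example, not from the thread: hierarchical shaping on the 871 WAN port.
! Assumed: roughly 768 kbps ADSL upstream, so shape to 700 kbps to keep the
! queue on the router, where the child policy can act on it.
! Assumed hosts: 192.168.0.2/.3/.4 as in the post above; VoIP device at 192.168.0.10.
access-list 101 permit ip host 192.168.0.10 any
access-list 102 permit ip host 192.168.0.2 any
access-list 103 permit ip host 192.168.0.3 any
access-list 104 permit ip host 192.168.0.4 any
!
class-map match-all VOICE
 match access-group 101
class-map match-all Biggz
 match access-group 102
class-map match-all Housemate1
 match access-group 103
class-map match-all Housemate2
 match access-group 104
!
! Child policy: only takes effect once the shaper's queue is congested.
! VOICE is strict priority but capped at 128 kbps under congestion (LLQ);
! each housemate is guaranteed a third of what is left, and may borrow
! another's unused share (CBWFQ with "bandwidth remaining percent").
policy-map UPSTREAM-CHILD
 class VOICE
  priority 128
 class Biggz
  bandwidth remaining percent 33
 class Housemate1
  bandwidth remaining percent 33
 class Housemate2
  bandwidth remaining percent 33
 class class-default
  fair-queue
!
! Parent policy: GTS to the assumed usable upstream, child CBWFQ nested inside.
policy-map UPSTREAM-SHAPE
 class class-default
  shape average 700000
  service-policy UPSTREAM-CHILD
!
interface FastEthernet4
 service-policy output UPSTREAM-SHAPE
```

Check it with `show policy-map interface FastEthernet4`: if the shaper never shows queued or dropped packets while uploads are clearly saturated, the shape rate is above the real upstream and the queue is forming in the modem instead, so lower it.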


ior
Nov 21, 2003

What's a fuckass?

inignot posted:

There's a hardware dependency on support for AES/CCMP. When I messed around with that a year ago it was only supported in the access points. The integrated wireless in the 800/1800 and the wireless WIC didn't support it. Cisco dances around mentioning this in their documentation. If you look on the 1800 data sheet page; WPA2 is mentioned several times, but AES/CCMP isn't listed in the Wireless LAN Security Features table.
It is supported, it's just Cisco that are being assholes when it comes to turning it on / off in different software releases. I'm running 12.4.11XJ3 right now with AES support. However, if I upgrade to latest greatest (12.4.11T2) I'll just have TKIP. (also the oldschool ssid setup).
