|
bort posted: What's to not understand?

Wow, I guess that is one way to put it. e: Meh. Herv fucked around with this message at 20:04 on Feb 12, 2009 |
# ¿ Feb 12, 2009 19:50 |
|
|
# ¿ May 14, 2024 21:55 |
|
Hrm, does this look like a memory misconfiguration, bad system (packet) memory, or one of the interfaces has bad memory? I am voting for bad system memory but does anyone else have an idea here?

Router Burn Victim posted: The unit has 256 MB of memory, with 20 percent to packet memory. Here's the show mem:

Router Burn Victim posted: History of this 3660 was a serious building cooling system failure. Was 130 F in the telco room we were told. I told the boss all bets are off on this unit 6 months ago when it happened. The unit was put together from spare parts 6 years ago and had uptimes of over a year here and there. What a way to die for the old soldier. I already started hoarding the parts for a new one, but hey there might not be anything wrong with the existing router and I am just a dumbass.
|
# ¿ Feb 16, 2009 03:47 |
|
routenull0 posted: I wouldn't hold a door open with a 3660 router. We deployed so many that went bad that Cisco ended up buying them back from us when they admitted the platform was terrible.

It's running a pretty recent version of 12.4:

3660-3#sh ver
Cisco IOS Software, 3600 Software (C3660-JK9O3S-M), Version 12.4(15)T8, RELEASE SOFTWARE (fc3)

Now I really want to dump that sucker. Thanks. Oh, do you have a link to that documentation in case I have to poke around some more?
|
# ¿ Feb 16, 2009 05:08 |
|
routenull0 posted: I just dumped your error output in the tool on Cisco's site, just login with your CCO.

Cool thanks, I am missing a good amount of things like that. Gotta try to get onboard again. Thinking about it, I guess the only way you will get a good 3660 is if you use all known good parts hehe.
|
# ¿ Feb 16, 2009 05:15 |
|
jwh posted: Have you seen similar behavior outside the T train? T train is the pain train.

You know I haven't seen this with another image. I think it's been in for a few months though. The problems have shown up rather recently. I looked in the tftp server and this was up there, looks to be recent. I slapped it into the poor thing, let's see how the week goes!

3660-3#sh ver
Cisco IOS Software, 3600 Software (C3660-JK9O3S-M), Version 12.4(23), RELEASE SOFTWARE (fc1)
Compiled Sun 09-Nov-08 00:28 by prod_rel_team

In the area of memory management here's the split:

Cisco 3660 (R527x) processor (revision 1.0) with 209920K/52224K bytes of memory.
Processor board ID JAB042088J1
R527x CPU at 225MHz, Implementation 40, Rev 10.0, 2048KB L2 Cache

The image calls for 128 MB, and there's just under 52 MB for packet memory so I would think I am not blowing out the router queues. Thanks for the suggestion, I was figuring it was hardware related considering the serious cooking it took, but hey who knows! Stay tuned packet slinging fans.
|
# ¿ Feb 16, 2009 08:41 |
|
jwh posted: Have you seen similar behavior outside the T train? T train is the pain train.

Well, it's been a few days and the error message isn't showing up in the logs. It was quite frequent so it would have shown up by now. What is somewhat confusing is that there are three of these routers, all with the same hardware build and IOS image. Only one is giving the error, and it was the one that got cooked. Oh well, we got our RoI on that sucker. Over 6 years it was only rebooted for new IOS images. Still going to replace all three of the 3660's, maybe snag one for the home study. Thanks for suggesting to zap in another image, I had thought this was all hardware. Cheers
|
# ¿ Feb 18, 2009 15:03 |
|
Haydez posted: I have a bunch of equipment I'd like to stop having to micro-manage login and passwords on. I ended up finding some walkthroughs online getting it to work with the Microsoft IAS (Radius) implementation in my test environment. Unfortunately I can't get this to work with any setting besides PAP which is unencrypted. The bosses won't stand for that even if it is on a secured network.

Did you try to sniff that PAP login? The secret keys you use are to make an MD5 hash of the credentials. Granted it's not AES-256 encryption, but if this is on private LANs I wouldn't (and don't) worry about it.

quote: The RADIUS protocol does not transmit passwords in cleartext between the NAS and RADIUS server (not even with PAP protocol). Rather, a shared secret is used along with the MD5 hashing algorithm to obfuscate passwords. Because MD5 is not considered to be a very strong protection of the user's credentials, additional protection - such as IPsec tunnels - should be used to further encrypt the RADIUS traffic. The user's credentials are the only part protected by RADIUS itself, but other user-specific attributes passed by RADIUS may be considered sensitive or private information as well. Please refer to the references for more details on this subject.
http://en.wikipedia.org/wiki/RADIUS

I use IAS for NAS and network authentication, looks great in audits because they are used to a Windows format. Tac_plus is great for accounting info.

E: Anyone ever experience auth-proxy timers not working when you set them to over 8 hours? Cheers

Herv fucked around with this message at 10:48 on Feb 25, 2009 |
# ¿ Feb 25, 2009 10:37 |
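To make the MD5 point above concrete, here is an added worked example (mine, not Herv's and not from the Wikipedia text) of what RADIUS actually does to a PAP User-Password per RFC 2865 section 5.2, and what someone sniffing that "secured network" can do with it when the shared secret is weak. The secret, password, wordlist and Request Authenticator are constructed values for the demonstration.

```python
"""RFC 2865 section 5.2 User-Password hiding, the thing that protects a PAP
login inside RADIUS.  Added example, not from the thread; all test values
below are constructed.
"""
import hashlib
import secrets
import string
from typing import Iterable, Optional

# Printable bytes (space included, control characters excluded).
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Return the User-Password attribute value carried in an Access-Request.

    Each 16-octet block of the zero-padded password is XORed with
    MD5(secret + chain), where chain is the 16-octet Request Authenticator
    for the first block and the previous hidden block afterwards.  Only the
    shared secret is unknown to an observer; the authenticator is on the wire.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    chain = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + chain).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        chain = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server (or anyone holding the secret) does."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out = bytearray()
    chain = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + chain).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        chain = block
    return bytes(out).rstrip(b"\x00")


def guess_secret(hidden: bytes, authenticator: bytes,
                 candidates: Iterable[bytes],
                 known_password: Optional[bytes] = None) -> Optional[bytes]:
    """Offline dictionary attack against one sniffed Access-Request.

    With a known plaintext (say, the attacker's own account) the check is
    exact; without one, a candidate secret that decodes to an all-printable
    password is a near-certain hit.  Nothing here needs the RADIUS server.
    """
    for candidate in candidates:
        guess = reveal_password(hidden, candidate, authenticator)
        if known_password is not None:
            if guess == known_password:
                return candidate
        elif guess and all(ch in PRINTABLE for ch in guess):
            return candidate
    return None


# Constructed values for the demonstration (not real credentials).
DEMO_SECRET = b"cisco123"
DEMO_PASSWORD = b"Summer2009!"
DEMO_AUTHENTICATOR = bytes(range(16))   # a real NAS sends 16 random octets
DEMO_WORDLIST = [b"radius", b"secret", b"Password1", DEMO_SECRET]


def demo() -> Optional[bytes]:
    """Round-trip the demo password, then recover the weak secret from the wire."""
    auth = secrets.token_bytes(16)      # random, like a real Request Authenticator
    wire = hide_password(DEMO_PASSWORD, DEMO_SECRET, auth)
    assert reveal_password(wire, DEMO_SECRET, auth) == DEMO_PASSWORD
    return guess_secret(wire, auth, DEMO_WORDLIST, DEMO_PASSWORD)


if __name__ == "__main__":
    print("recovered shared secret:", demo())
```

The takeaway lines up with the quoted text: the hiding is exactly as strong as the shared secret, because the authenticator and the hidden value both travel in the clear. A long random secret per NAS, or IPsec around the RADIUS traffic, is what buys real protection; switching away from PAP by itself does not change this part of the protocol.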
|
jwh posted: Be aware of the IOS requirements for dot1q fast ethernet subinterfaces. I have a boatload of 2621s that don't have the RAM to support it, and that came as a big and disappointing surprise. XM is a more capable processor and I think they'll take more RAM, overall, but they're still expensive, as you've noticed.

For what it's worth, I get my memory from this place. $28 plus $7 shipping isn't that much of a crusher. It's hopefully the same shipping charge if you grab a few sets. 3rd Party Memory for 2600's

I have had no issues using the 3rd party with the 2621's, I use them at homes that have racks in the basements for DMVPN, they run like a top. I hope you get the same mileage.

jwh posted: Also, have you considered a 3640? They can run 12.4 code, so they're good bang for the buck, despite the higher cost.

I got one of those from the junk pile. The NVRAM is bad so it has to boot and grab its config from tftp. Still glad to have it.
|
# ¿ Mar 12, 2009 04:02 |
|
inignot posted: I'm currently sitting in a colo cage exploring the dark heart of the sup2. I need a particular IOS version to support the FWSM. I have it on a 64M flash card in the Sup. However there is a minimum rommon version required to boot from the 64M flash card. This is awful.

Does the module support TFTP boot? Just thinking of another way to get at the file on the flash card without directly mounting the file system for a boot.

Edit: This is the closest thing I could find about the internal loopback addresses of the modules in 5 mins before coffee. But it would look more like:

Loading myimage.bin from 127.0.0.7 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! OK

Just in the interest of Cisco product prosperity, of course. This is talking about adding ACLs to deny access to these loopback addresses/devices. Not what address sup-slot0 uses at the moment.
http://www.cisco.com/en/US/products/products_security_response09186a00808ca009.html

In case I read it wrong, and it's just getting a better image on the sup, you will need a boot-image loaded from bootflash to get up enough to do the internal tftp download on the sup2. Pretty sure I used this to get out of a squeeze (not a flash card pun) in the past.

Herv fucked around with this message at 12:48 on Mar 19, 2009 |
# ¿ Mar 19, 2009 06:19 |
|
Powercrazy posted: Is it a CatOS or Hybrid sup? Because if it is, hooboy, are you in for a world of poo poo.

If it's a hybrid, wouldn't the boot sequence be:

Boot COS from sup-bootflash.
Boot skinny IOS from the MSFC's bootflash: (boot bootldr)
Download full-featured IOS from sup-slot0's EOBC address: (boot system tftp)
Or there's 32 MB flash on the MSFC2 so you can skip the skinny boot, I am pretty sure.
Boot full-featured IOS.

I got raked over the coals converting a sup2/msfc2 to native when the sup had a PFC1 processor instead of a PFC2 (surprise!). Pretty sure it worked after it reset the PFC1 and reloaded, been a while and I am prone to forgetting some nightmares, sorry.

If it's native shouldn't it be:

Boot IOS from sup-slot0:
Transfer control to MSFC.
Boot skinny IOS from msfc-bootflash:
Download and boot full IOS from sup-slot0's internal EOBC IP address.

Hybrid is a lot easier if you have 32 MB bootflash on the MSFC2. If the first native boot from the sup-slot0: is where the rommon limitation resides I would try a skinny boot from the bootflash: and see if I could access the sup-slot0: from its loopback address.
|
# ¿ Mar 19, 2009 14:25 |
|
Well, I normally don't put policies inbound on a NAT outside interface, but in the interest of trying to help out here's a quick and dirty policy routing example:

interface FastEthernet1/0.3
 encapsulation dot1Q 3
 ip address 151.xxx.xx.xxx 255.255.255.0
 ip policy route-map foo.bar.com

Apply the policy on the interface (fa4) you want it active on. In the interest of cleanliness I would try to get both policy routes into a class/policy map. To be honest I haven't tried to do this with NAT and whatnot. Try it out and see what you get if you can test safely.

class-map match-all foo.com
 match protocol http url "foo.com"
class-map match-all bar.com
 match protocol http url "bar.com"
policy-map foo.com
 class foo.com
policy-map bar.com
 class bar.com
route-map foo.bar.com permit 10
 match policy-list foo.com
 set ip next-hop 192.168.1.100
!
route-map foo.bar.com permit 20
 match policy-list bar.com
 set ip next-hop 192.168.1.200

Send me beer if it works.
|
# ¿ Mar 27, 2009 00:21 |
|
SqueakovaPeep posted: I have a really quick question. I have looked everywhere, and it has to be something simple.

Hrm, worst case set up a reverse PAT/NAT statement that takes all UDP 53 (clients) and TCP 53 (servers) on the inside interface and forwards them to a public DNS server? I've only seen the inside IP address of the broadband interface listed as the DNS server in home networking products.

edit: wasn't sure if he had DNS resolvers only or some server action

Herv fucked around with this message at 07:03 on Mar 29, 2009 |
# ¿ Mar 29, 2009 06:59 |
|
I definitely used the QoS features on my voice traffic through the PIX when the 7.x OS came out, and since thereafter. I would bet 5 bucks it still exists in the ASAs, if unlocked. I remember it being a class map and policy type of approach. Shouldn't get too nasty especially if you come here with something specific. I only have a couple ASA 5505's that are probably crippled for this feature.
|
# ¿ Apr 2, 2009 21:41 |
|
Oops, missed the part where it was coming down. Sorry for skimming. I normally policy route web traffic off to a cheap broadband circuit these days (Cable, FiOS, DSL worst case). If getting more bandwidth on the primary pipe is too expensive, it's an option at least. Jwh is on with the caching as well.
|
# ¿ Apr 2, 2009 22:07 |
|
Agrikk posted: "Extendable" is added automatically to the end of the statement. I tried removing a line and then readding it without the extendable at the end, but the line appeared in my running config with it added.

Hrm this just doesn't seem to add up. If you can, remove all the NAT configuration and start over with this. I wonder if as soon as one static NAT statement is extendable, all have to be as well.

access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 110 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.1.0.0 0.0.0.255 any
access-list 110 permit ip 10.2.0.0 0.0.0.255 any
ip nat inside source list 110 interface Ethernet0/0 overload
ip nat inside source static tcp 10.1.0.10 22 interface Ethernet0/0 22
ip nat inside source static udp 10.1.0.10 27900 interface Ethernet0/0 27900
ip nat inside source static udp 10.1.0.10 27910 interface Ethernet0/0 27910
ip nat inside source static udp 10.1.0.10 27901 interface Ethernet0/0 27901
ip nat inside source static udp 10.1.0.10 27902 interface Ethernet0/0 27902
ip nat inside source static udp 10.1.0.10 27903 interface Ethernet0/0 27903
ip nat inside source static udp 10.1.0.10 27904 interface Ethernet0/0 27904
ip nat inside source static udp 10.1.0.10 27905 interface Ethernet0/0 27905
ip nat inside source static udp 10.1.0.10 27906 interface Ethernet0/0 27906
ip nat inside source static udp 10.1.0.10 27907 interface Ethernet0/0 27907
ip nat inside source static udp 10.1.0.10 27908 interface Ethernet0/0 27908
ip nat inside source static udp 10.1.0.10 27909 interface Ethernet0/0 27909

Unless you have to have outbound IPs come from the 33 just leave it if it works. The one thing that doesn't look good to me is the inside global and local ports aren't matching up. The first two columns. Although badly named they should show the mapping of ports on the outside interface to the inside host.

Your outside port is wack. Here's some of my active translations, UDP and TCP. Mine are symmetrical, what's on the outside is on the inside. Thank goodness for find and replace. code:
Herv fucked around with this message at 05:35 on Apr 17, 2009 |
# ¿ Apr 17, 2009 04:39 |
|
Agrikk posted: Thanks Herv!

If you are lazy and adventurous, and don't have much to lose just erase your startup config and zap the modified config over using tftp. e.g.

wr net (to a tftp server on your PC)
<modify config for NAT, save file>
erase start
copy tftp start
Reload!
|
# ¿ Apr 20, 2009 20:05 |
|
oversteer posted: My network experience with Cisco consists of managing 3548/2950 etc switches.

Yep, the simple answer is a PIX, ASA or IOS Firewall enabled router. One VPN tunnel capable device must function as an endpoint at each site. (e.g. PIX to IOS FW, or ASA to Checkpoint) At first glance it looks like the 3548XL won't do it. Pretty sure a 3750 would. PIX is end-of-lifed, not sure what that means for your management. I have to get rid of mine at some point in the next year or so.
|
# ¿ May 7, 2009 11:06 |
|
tortilla_chip posted: This sounds more like someone doing ARP spoofing on your management net.

For most places, I can use static ARP entries on the important stuff so this doesn't happen. Worst case, when a gateway has to be replaced due to a failure, you just slap the old MAC on the new gateway interface. Mine is on just a dupe IP assignment, not poison ARP. Comparing the MAC addresses (console cable on the switch I guess) to what's in your ARP table sounds like where the trail will start. I am sure we have all been fooled by less at one time or another. Public Humiliation it is!
|
# ¿ Jun 3, 2009 20:29 |
|
jwh posted: Plug the first 3 bytes into the MAC OUI database lookup: http://standards.ieee.org/regauth/oui/index.shtml

Another on the card is a Broadcom, Intel, or maybe 3com. Oh and the 'the trail will start' part meant checking where that MAC address is connected to your network/switchport.
|
# ¿ Jun 3, 2009 21:04 |
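An added example to go with the last two posts (my code, not something anyone in the thread posted): diff two `show ip arp` snapshots so the IP whose MAC changed jumps out, normalize Cisco's dotted MAC format, pull the OUI that goes into the IEEE lookup, and flag the locally-administered bit, which means there is no vendor to look up at all. The ARP output and the three-entry vendor table are constructed for the example; resolve real prefixes against the IEEE page linked above.

```python
"""Compare two 'show ip arp' snapshots and decode the OUI of any MAC that moved.

Added example, not from the thread.  The ARP output and the OUI table are
constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Constructed vendor table for the example only; this is not the IEEE list.
EXAMPLE_OUI_TABLE: Dict[str, str] = {
    "00:1b:d4": "vendor A (example)",
    "00:10:18": "vendor B (example)",
    "00:1e:c9": "vendor C (example)",
}

# "Internet  10.1.1.1   -   001b.d4aa.0001  ARPA   Vlan10"
_ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<intf>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (001b.d4aa.0001), colon or dash form; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets, the part you feed to the IEEE OUI lookup."""
    return normalize_mac(mac)[:8]


def mac_flags(mac: str) -> Dict[str, bool]:
    """Low bits of the first octet: 0x01 = group/multicast, 0x02 = locally administered.

    A locally administered address carries no vendor OUI: HSRP/VRRP virtual
    MACs, many VMs, and anyone who hand-set a MAC to spoof land here.
    """
    first = int(normalize_mac(mac)[:2], 16)
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def vendor(mac: str, table: Dict[str, str] = EXAMPLE_OUI_TABLE) -> str:
    if mac_flags(mac)["locally_administered"]:
        return "locally administered (no OUI)"
    return table.get(oui(mac), "unknown OUI")


def parse_show_ip_arp(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC.  'Incomplete' entries carry no MAC and are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table


def diff_arp(before: Dict[str, str], after: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """IPs whose MAC changed between snapshots: head of the dupe-IP / ARP-poison trail."""
    return [(ip, before[ip], after[ip])
            for ip in sorted(before) if ip in after and before[ip] != after[ip]]


# Constructed snapshots.  In the second one the gateway IP 10.1.1.1 is
# suddenly answered by the MAC that belongs to the host at 10.1.1.20.
ARP_BEFORE = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                -   001b.d4aa.0001  ARPA   Vlan10
Internet  10.1.1.20               5   0010.18bb.0020  ARPA   Vlan10
Internet  10.1.1.30               7   001e.c9cc.0030  ARPA   Vlan10
"""
ARP_AFTER = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.1                0   0010.18bb.0020  ARPA   Vlan10
Internet  10.1.1.20               9   0010.18bb.0020  ARPA   Vlan10
Internet  10.1.1.30              11   001e.c9cc.0030  ARPA   Vlan10
Internet  10.1.1.40               0   Incomplete      ARPA
"""


def report(before_text: str = ARP_BEFORE, after_text: str = ARP_AFTER) -> List[str]:
    """One line per moved IP, with the next command to run on the switch."""
    lines = []
    for ip, old, new in diff_arp(parse_show_ip_arp(before_text), parse_show_ip_arp(after_text)):
        lines.append(f"{ip}: {old} ({vendor(old)}) -> {new} ({vendor(new)}); "
                     f"now run 'show mac address-table address {new}' to find its port")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Take the first snapshot while things are healthy and keep it; the diff against a fresh `show ip arp` during the incident points straight at the switchport to chase.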
|
falz posted: That's a Linux kernel version, which has nothing to do with FreeBSD. You sure someone didn't just modify the banner to confuse people or be funny?

God that would be a dick move and I would be out my . Here's one that will secure anything, the bats do it. code:
|
# ¿ Jun 4, 2009 04:32 |
|
I would say all bets are off until the config is bypassed, as stated before. Before the xmodem download at least. Someone is definitely a funny guy. No one took my bet, would have PayPal'd it too!
|
# ¿ Jun 4, 2009 19:04 |
|
Hey there. You used to have:

crypto map toCottage interface outside

Now you have:

crypto map raMap interface outside

One crypto map per interface, at least that's how it used to work. What you want to do is make sure the same crypto map is used, but with separate sequence numbers. I always put a higher number than what is in use, to keep my assburgers at bay. Hope this helps.

Edit: a loose example.

crypto dynamic-map raDynMap 30 set transform-set raVPN
crypto map OutsideMap 20 ipsec-isakmp
crypto map OutsideMap 20 match address vpn
crypto map OutsideMap 20 set peer cottage-pix
crypto map OutsideMap 20 set transform-set strong
crypto map OutsideMap 30 ipsec-isakmp dynamic raDynMap

Since crypto maps are applied to interfaces, I name them after the interface, then put descriptions in each of the separate crypto maps themselves. Former 'PIX Classic' survivor here, I can taste the pain and bewilderment!

Herv fucked around with this message at 21:45 on Jul 2, 2009 |
# ¿ Jul 2, 2009 21:42 |
|
GerbilNut posted: Anyone have any clue what I'm doing wrong?

Hrm, on the surface things look good. Someone would have pointed something out by now I would think. Just curious, what source IP addresses are the mail servers using? Is that their only IP? 192.168.111.240 and .250, when they send email to each other (do a telnet SMTP session) what shows up in the server SMTP logs? (You might have to enable logging) I am wondering if the ASA is seeing a different IP address than the one you are listing. I have had that issue plenty of times before if the server/switch has multiple IPs. You can also look at it from the other end and see what the ASA logs say (might have to enable logging for the rules you are setting, check the GUI if you have to and read the logs there). See what is getting denied outbound on 25 when you apply that access list. I think your problem may be with the traffic flow, not the config on the FW. Just a hunch.
|
# ¿ Jul 7, 2009 11:53 |
|
GerbilNut posted: I finally tracked it down and it looks like the mail server was not sending out on the .250 address like it was supposed to. The SMTP server was configured to do so, but it was coming from another address on the nic, .254 which screwed up everything.

Yep, the public IP address will be what the 5505 is NAT'ing the .250 on (not the base outside IP address). To keep things simple, start with a one to one static NAT for the SMTP server. Just get things going with the 250 on SMTP before you PAT stuff out to multiple hosts and whatnot. That may be blowing things up, I haven't tried to PAT out to multiple hosts in a long time, but that's what inbound rotary NAT used to do when you needed a poor man's load balancer so meh, just start with the single NAT 1 to 1 for your .250.
|
# ¿ Jul 7, 2009 14:41 |
|
reborn posted: Completely out of left field but...

RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system. RANCID's Clogin is next to godly.
|
# ¿ Jul 7, 2009 15:50 |
|
jwh posted: Ugh. On-box licensing here we come. What could possibly go wrong?

Looks like 'Party over Wayne'. I wish they left this to their firewalls.
|
# ¿ Jul 7, 2009 21:34 |
|
Tony Montana posted: Am I going to try and leave my current job with my new CCNA and the experience I've got, to find most employers looking at me weird when I say 'oh no, I've never used UNIX/Linux'. Most of the ISP Cisco guys I talk to don't even have Windows workstations if they wanted them, it's all UNIX.

To be honest it does sound a bit weird to me, but not crazy. Especially if you naturally don't like being confused and befuddled and prefer a comfort zone. Even with a woman to keep happy I have lost many a weekend deep diving into something new. One of the main draws for me is the challenge of 'I bet I can get this to do everything that <x> did, it's just a little different'. I have lost many a weekend on a Unix/Linux, SysV/BSD adventure. In truth I lost nothing, gained a lot! Maybe I am a 'dented can' but I will not lie, I love immersing myself in things, and Unix fits the bill sometimes.

http://admin.com/ The LSAH and USAH are probably worth their weight in gold to you right now. Read them like the holy books they are.
|
# ¿ Jul 8, 2009 14:18 |
|
Cisco short question: For those with full routes, how much memory are you currently using? What does your "BGP using <21603220> total bytes of memory" say? Just curious, thanks.

Richard Noggin posted: Thanks for this, it works perfectly now.

The thread never loses. The thread always wins!
|
# ¿ Jul 9, 2009 16:17 |
|
ragzilla posted:
Interesting. If my math is correct (doubtful) ASH is using 82 MB memory and CHI is using just under 81 MB for BGP. I was expecting closer to 256 MB, although I haven't looked at a full table in 9 years or so. Thanks for the numbers.
|
# ¿ Jul 9, 2009 17:42 |
|
jwh posted: Are you confusing the memory size of the BGP RIB with the installed FIB? On hardware forwarding platforms, it's the installed FIB which often teetered on the edge of 256k entries, which was the TCAM limit on a number of platforms such as Sup32 or non XL 720s (I think).

I confuse easily for sure, but yes I was asking about the Active BGP Entries (FIB). In short, how much memory was taken up by the actual routing table. Do you know how to check the size of the RIB? Show ip cef <something?>

When I compare my active BGP routing memory allocation to the global process, the memory overhead is certainly more globally (as you would expect). Just an example: code:

code:

What dark things are going on inside the BGP process? Cheers

e: jwh posted: Eh, I do okay. I'm pretty much right in the middle of the pay-scale bell curve for a tier 3 network engineer living in a tertiary market. If I went and got a CCNA or CCNP I could probably rake more dollars. Or if I moved to a city.

You are not alone on that one, (no certs) my CCNA was based on the Introduction to Cisco Router Configuration curriculum, and my CCNP was based on the ACRC (1998-1999). Your average CCNA today would probably light me up with new facts and information, and remembering stuff I had forgotten from lack of use. One of these days... I might just dust off that horse again. Screw the city though.

Herv fucked around with this message at 20:14 on Jul 9, 2009 |
# ¿ Jul 9, 2009 20:02 |
|
jwh posted: Well, on a hardware forwarding platform (ie. 6500) you can use 'show mls cef summary' to show how many routes and of what type are installed into CEF (ie., FIB).

The show ip route summary is what threw me off the trail actually. I was expecting to see a much larger metric for the RIB. Either that or I am reading this incorrectly. Was going to post it in the last one but the numbers didn't help me. code:
Ragz, if you have a chance could you give us a 'show proc mem | inc BGP' please? Thanks folks.
|
# ¿ Jul 9, 2009 21:07 |
|
TheBoohi posted: Does anyone have a good reference for Cisco ASA configurations? The samples in the Cisco guide are good, but I am going to be setting up a 5520 without using private addressing on the inside. We have a whole class B space and will have 100.100.10.x on the outside with 100.100.x.x on the inside (for example). The routes and NAT statements are all different enough that their examples end up being confusing.

Sorry I don't have anything like config references, but you just want to do a NAT 0 (0 means do NOT NAT, well it used to*). Subnetting should be the same, if you are going to bust out some of your class B for use in front of the FW. Anything specific should get answered here within a workday.

*NAT 0 is way over 10 years old so not sure if something new came along.
|
# ¿ Jul 13, 2009 15:03 |
|
Clogin from the RANCID tool will do it pretty easy. Just need to put the host commands and login info into some easy to make config files. Pretty sure the tool is just a package now for a lotta distros. It was a package in FreeBSD, started getting some really stupid problems compiling the dependencies so just said gently caress it and pkg_add'd my way to a coffee break. Came back, edited the files, and I can clear my auth proxy at the end of the night since the timeouts don't work in my current IOS version. (Upgrading the sups this Friday)

For SNMP I believe it's Net-SNMP. With this thing you can get all sorts of real time bandwidth, CPU, anything, on a color graph. Oh yeah, will send all sorts of SNMP traps too.

Clogin (and expect I'm sure) will be the short path, cron it out if you want or invoke as needed.
|
# ¿ Jul 16, 2009 03:01 |
|
Jwh was very close with the ip nat statement. Everything else was absolutely correct.

ip nat inside source list 100 interface FastEthernet4 overload

Looks like you have an 871w. I am assuming you want the wireless to be on the same LAN as the 4 inside ports and all (10.0.0.1-253). To get that going you will need to bridge the wireless and vlan 1 interfaces.

global config commands:
bridge irb
bridge 1 route ip

interface config commands:
interface Dot11Radio0
 no ip address
 bridge-group 1
interface vlan1
 no ip address
 bridge-group 1

When you get the 2 interfaces bridged you should see a new BVI1 interface pop up (if not just make one by entering the below). That's the Bridge-Group Virtual Interface that will be your 'inside' 10.0.0.254 address.

interface BVI1
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly

I had shipped out an 871w without setting up the wireless, only to find out I had to bridge the backside out once it came up in Boca FL on DMVPN. Luckily the Tunnel and Outside interface didn't have to get mucked with so it wasn't a show stopper. Ahh, mediocre remote victories. Hope this gets you up and running.
|
# ¿ Jul 18, 2009 08:07 |
|
Mackieman posted:
OK for one, you just need the single 'ip nat inside source list <mylist> interface fas4 overload' statement. Once this is up do a 'show ip nat translation' and you will see it working. Second, Falz already got you on. Third, you have it correct. The inside is your private, think of a fort. Outside is public. Good luck, maybe your next post is through your 871. P.S. Powercrazy posted a WPA1-PSK setup for you. ------- On an unrelated note, had some fun with a sup720 not wanting to boot off its disk1 this morning. Invalid magic number, after new SP and RP rommon's still no dice. Then I reformatted... hadn't since the rommon upgrades, and bing! As long as I can work from home now.
|
# ¿ Jul 18, 2009 18:02 |
|
When in doubt, wr erase, reload and start over. I just had to literally do a 'no ip nat inside source static <local> <global>' and then paste 'ip nat inside source static <local> <global>' for my static translations to work. You aren't the only one having nat issues today. My xlates are working though! /snarky
|
# ¿ Jul 18, 2009 22:30 |
|
Try this for a starting point Mackie. code:
Cheers (e: typo) Herv fucked around with this message at 16:29 on Jul 20, 2009 |
# ¿ Jul 20, 2009 15:57 |
|
OK, you want to make a single access-list (e.g. ip access-list extended <MyOutsideList>) and then apply it to an interface (or logic statement, like your 'ip nat inside source list'). Access list entries are processed from top to bottom, within the single access list. The router won't call another access list on inbound public traffic other than the one bound to its outside interface, for this example. If you see the example in the one I gave you, the access-list is applied to your outside interface, on inbound traffic.

Ok so now you want to pass some traffic inside. That's going to require some more static NAT statements:

ip nat inside source static tcp 10.0.0.250 80 interface FastEthernet4 80
ip nat inside source static tcp 10.0.0.250 9500 interface FastEthernet4 9500
ip nat inside source static tcp 10.0.0.250 9501 interface FastEthernet4 9501

If you are running an access-list on your outside interface (like the one I posted) then add the following lines: code:

You can get by without an outside access list, just relying on NAT to govern what gets back inside the router, but I use access lists for good habits.

e: typo like a champ

Herv fucked around with this message at 19:31 on Jul 20, 2009 |
# ¿ Jul 20, 2009 19:01 |
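Added example, not from the thread: a small evaluator for IOS wildcard-mask ACLs that shows the top-to-bottom, first-match, implicit-deny behaviour described in the post above, run against the access-list 110 Herv posted earlier in the thread (the RFC 1918 denies ahead of the permits). It also runs the same five lines with the permits moved to the top, which is the classic mistake: the denies become dead lines and site-to-site traffic gets NATted. Test addresses are constructed; ports, `established` and object-groups are left out on purpose.

```python
"""Evaluate an IOS numbered extended ACL with wildcard masks, first match wins.

Added example, not from the thread.  ACL 110 below is the NAT-eligibility
list posted earlier; the addresses it is tested against are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[str, str]            # (base address, wildcard mask)
ANY: AddrSpec = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Ace:
    number: str          # access-list number
    action: str          # permit | deny
    proto: str           # ip | tcp | udp | icmp ...
    src: AddrSpec
    dst: AddrSpec
    text: str            # the original line, for reporting


def wildcard_match(addr: str, spec: AddrSpec) -> bool:
    """IOS wildcard: a 1 bit means 'don't care', i.e. the inverse of a subnet mask."""
    a = int(ipaddress.IPv4Address(addr))
    base = int(ipaddress.IPv4Address(spec[0]))
    care = ~int(ipaddress.IPv4Address(spec[1])) & 0xFFFFFFFF
    return (a & care) == (base & care)


def _take_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst>' (no port operators)."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line!r}")
    src, i = _take_addr(t, 4)
    dst, _ = _take_addr(t, i)
    return Ace(t[1], t[2], t[3], src, dst, line.strip())


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> Optional[Ace]:
    """Return the first ACE that matches, or None for the implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", proto):      # 'ip' matches every protocol
            continue
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace
    return None


def verdict(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    ace = evaluate(acl, proto, src, dst)
    return ace.action if ace else "deny (implicit)"


ACL_110_TEXT = """
access-list 110 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 110 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 110 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 10.1.0.0 0.0.0.255 any
access-list 110 permit ip 10.2.0.0 0.0.0.255 any
"""
ACL_110 = [parse_ace(line) for line in ACL_110_TEXT.strip().splitlines()]

# Same five ACEs with the permits moved to the top: the RFC 1918 denies
# can never be reached, so 10.1.0.x -> 10.2.0.x would now be NATted.
ACL_110_REORDERED = ACL_110[3:] + ACL_110[:3]

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.2.0.7", "172.31.9.9"):
        print(f"10.1.0.5 -> {dst}: as posted = {verdict(ACL_110, 'ip', '10.1.0.5', dst)}, "
              f"permits first = {verdict(ACL_110_REORDERED, 'ip', '10.1.0.5', dst)}")
```

Feed it the lines from a `show running-config | include access-list 110` and a few source/destination pairs you care about before you commit a change; it is the same check the router makes, minus the hardware, and it makes the "why did that line never hit" conversation short.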
|
Mackieman posted: Only if I was running a DNS server inside my LAN, which I am not. DNS is handled via DHCP on the router for me.

Nope they are correct, you are going to have to pass UDP traffic for DNS and anything else like skype. No static nat statements, this is just to get into the public interface where you are getting nat'd at.
|
# ¿ Jul 21, 2009 00:20 |
|
|
Well if it helps, this is what happens on my home router (3660 from work junk room) when there is no UDP traffic allowed in this ACL: code:

*July 20 18:23:04.578: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 denied udp 4.2.2.1(53) -> 96.235.180.xxx(54437), 1 packet

DNS request timed out.
timeout was 2 seconds.

Sequence number 12 back in and there you go, I can resolve www.cnn.com.

*July 20 18:23:56.138: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 permitted udp 4.2.2.1(53) -> 96.235.180.xxx(54438), 1 packet

Non-authoritative answer:
Name: www.cnn.com
Addresses: 157.166.255.19, 157.166.224.25, 157.166.224.26, 157.166.226.25, 157.166.226.26, 157.166.255.18

Not sure if this is an ISR vs regular router thing or what to be honest. Someone else might be able to shed some light on this little mystery.

Herv fucked around with this message at 03:44 on Jul 21, 2009 |
# ¿ Jul 21, 2009 03:41 |
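Added example, not from the thread: a parser for the `%SEC-6-IPACCESSLOGP` lines quoted above that totals the per-flow packet counts (IOS rate-limits these messages and the trailing "N packets" is a count, not one line per packet) and flags denied UDP replies from source port 53, which is exactly the DNS symptom in this post. The log lines are constructed to the same format, with 203.0.113.10 standing in for the redacted address and one unrelated syslog line mixed in to show it is skipped.

```python
"""Parse IOS %SEC-6-IPACCESSLOGP messages and flag DNS replies dropped by an inbound ACL.

Added example, not from the thread.  SAMPLE_LOG is constructed to match the
format quoted in the post; 'IN-FASTETHERNET0' is the list name used there.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# "... list IN-FASTETHERNET0 denied udp 4.2.2.1(53) -> 203.0.113.10(54437), 1 packet"
_LOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\S+)\((?P<sport>\d+)\) -> (?P<dst>\S+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

Record = Dict[str, object]
FlowKey = Tuple[str, str, str, str, int, str]   # acl, action, proto, src, sport, dst


def parse_line(line: str) -> Record:
    """Fields of one IPACCESSLOGP line, or {} for anything else (other syslog, banners)."""
    m = _LOGP.search(line)
    if not m:
        return {}
    rec: Record = dict(m.groupdict())
    for field in ("sport", "dport", "count"):
        rec[field] = int(rec[field])            # type: ignore[arg-type]
    return rec


def parse_log(text: str) -> List[Record]:
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def summarize(records: List[Record]) -> Dict[FlowKey, int]:
    """Total packets per flow, ignoring the ephemeral destination port so repeated
    queries from one resolver collapse into one row."""
    totals: Dict[FlowKey, int] = defaultdict(int)
    for r in records:
        key = (r["acl"], r["action"], r["proto"], r["src"], r["sport"], r["dst"])  # type: ignore[assignment]
        totals[key] += r["count"]               # type: ignore[operator]
    return dict(totals)


def denied_dns_replies(records: List[Record]) -> List[Tuple[str, str, int]]:
    """Denied UDP from source port 53 to a high port: DNS answers the ACL is eating."""
    hits = {(r["src"], r["dst"], r["dport"]) for r in records
            if r["action"] == "denied" and r["proto"] == "udp"
            and r["sport"] == 53 and r["dport"] >= 1024}   # type: ignore[operator]
    return sorted(hits)                                    # type: ignore[arg-type]


# Constructed sample, same shape as the post's output plus one unrelated line.
SAMPLE_LOG = """
*Jul 20 18:23:04.578: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 denied udp 4.2.2.1(53) -> 203.0.113.10(54437), 1 packet
*Jul 20 18:23:06.582: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 denied udp 4.2.2.1(53) -> 203.0.113.10(54437), 1 packet
*Jul 20 18:23:31.002: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 denied tcp 198.51.100.7(4444) -> 203.0.113.10(22), 1 packet
*Jul 20 18:24:00.000: %SYS-5-CONFIG_I: Configured from console by herv on vty0 (203.0.113.50)
*Jul 20 18:28:04.600: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 denied udp 4.2.2.1(53) -> 203.0.113.10(54437), 6 packets
*Jul 20 18:23:56.138: %SEC-6-IPACCESSLOGP: list IN-FASTETHERNET0 permitted udp 4.2.2.1(53) -> 203.0.113.10(54438), 1 packet
"""


def report(text: str = SAMPLE_LOG) -> List[str]:
    records = parse_log(text)
    lines = [f"{acl} {action} {proto} {src}:{sport} -> {dst}: {n} packets"
             for (acl, action, proto, src, sport, dst), n in sorted(summarize(records).items())]
    for src, dst, dport in denied_dns_replies(records):
        lines.append(f"DNS answers from {src} to {dst}:{dport} are being denied; "
                     f"the inbound ACL needs a 'permit udp host {src} eq 53 any' style line")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The denied TCP/22 line from the unrelated host is what an outside ACL is there for; the denied UDP/53 replies are the self-inflicted part, and the counts tell you how long it went on before anyone noticed.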