Eyecannon
Mar 13, 2003

you are what you excrete

jwh posted:

Okay, so you'll need to add a route to your "real" gateway to route 192.168.1.0/24 towards the 10.0.0.5 IP address of your 1800.

This doesn't make sense to me. It seems to me that my other gateway should have nothing to do with this.

When someone connects to our VPN, they are coming in on x.x.x.217 and given a 192.168.1.0/24 address. The internal interface for the VPN server is at 10.0.0.5, which I can ping. But I should also be able to ping 10.0.0.160, for instance, and anything else on 10.0.0.0/24. My other gateway goes to x.x.x.218, which I'm not interested in doing anything with in this scenario.

Does that clear it up a little? Or am I being retarded in some way?

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
Can you post the router config minus the public IPs and anything else you don't feel comfortable with?

Eyecannon
Mar 13, 2003

you are what you excrete
Hmmm I was doing this and there are hundreds of lines like:

access-list 100 deny ip any host 192.168.1.10

one line for each of the addresses for the entire subnet. There are all these NAT rules, I think from an old setup where we had a server behind the Cisco using it as a gateway, and this server had a bunch of stuff forwarded to it. I'm not sure exactly what the prior sysadmin was doing here, but it seems like rules like this would block traffic to anybody who VPN'd in and got a 192.168.1.0/24 address, right?

NAT is set up and when I look at the Route MAP, it has the ACL corresponding to all those rules.

How can I quickly remove all of these rules, not one by one? I'm guessing I need to get rid of them.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Eyecannon posted:

Hmmm I was doing this and there are hundreds of lines like:

access-list 100 deny ip any host 192.168.1.10

one line for each of the addresses for the entire subnet. There are all these NAT rules, I think from an old setup where we had a server behind the Cisco using it as a gateway, and this server had a bunch of stuff forwarded to it. I'm not sure exactly what the prior sysadmin was doing here, but it seems like rules like this would block traffic to anybody who VPN'd in and got a 192.168.1.0/24 address, right?

NAT is set up and when I look at the Route MAP, it has the ACL corresponding to all those rules.

How can I quickly remove all of these rules, not one by one? I'm guessing I need to get rid of them.

The great part about access lists on Cisco IOS is that, despite the fact you _think_ you can remove one entry, the second it gets the 'no access-list <x> [optional trailing garbage here which tricks you into thinking you can delete one entry]' command it will wipe the whole access list.

Awesome huh?
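For Eyecannon's hundreds of per-host deny lines and ragzilla's point that `no access-list <n>` drops the whole numbered list, here is an added Python script (not from the thread) that parses a saved IOS config, collapses a complete /24 of `deny ip any host` entries into one wildcard entry, and emits the full replacement block to paste in one go. The config text, ACL numbers and route-map name in it are constructed; the block must be pasted as a unit because the list does not exist between the `no access-list` and the re-entry, and a NAT route-map like Eyecannon's still references it during that window.

```python
"""Collapse per-host 'deny ip any host' entries of a numbered IOS ACL.

Added example (not code from the thread). Since 'no access-list <n>'
removes the entire numbered list, the safe change is to regenerate the
whole list and paste it back in one block, which is what this produces.
"""
import ipaddress
import re
from collections import defaultdict

# Matches the exact shape of the lines Eyecannon described.
HOST_ENTRY = re.compile(
    r"^access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+ip\s+any"
    r"\s+host\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_numbered_acls(config_text):
    """Return {acl_number: [entry lines in config order]} for numbered ACLs."""
    acls = defaultdict(list)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("access-list "):
            acls[line.split()[1]].append(line)
    return dict(acls)


def _covering_net(host):
    """The /24 that contains a host address (the granularity in the thread)."""
    return ipaddress.ip_network(f"{host}/24", strict=False)


def collapse_host_denies(entries):
    """Replace per-host deny entries that together cover every host address
    of a /24 with a single wildcard entry at the position of the first one.
    Entries that do not form a complete /24 are left untouched."""
    hosts_by_net = defaultdict(set)
    for line in entries:
        m = HOST_ENTRY.match(line)
        if m and m["action"] == "deny":
            hosts_by_net[_covering_net(m["host"])].add(
                ipaddress.ip_address(m["host"]))
    complete = {net for net, hosts in hosts_by_net.items()
                if hosts >= set(net.hosts())}

    rewritten, emitted = [], set()
    for line in entries:
        m = HOST_ENTRY.match(line)
        if m and m["action"] == "deny":
            net = _covering_net(m["host"])
            if net in complete:
                if net not in emitted:
                    emitted.add(net)
                    rewritten.append(
                        f"access-list {m['num']} deny ip any "
                        f"{net.network_address} {net.hostmask}")
                continue
        rewritten.append(line)
    return rewritten


def rewrite_commands(config_text, acl_number):
    """IOS command block that swaps in the collapsed list, or [] if nothing
    changes. Paste the whole block together: between the 'no access-list'
    and the re-entry the list does not exist."""
    acls = parse_numbered_acls(config_text)
    if acl_number not in acls:
        raise KeyError(f"access-list {acl_number} not in config")
    new_entries = collapse_host_denies(acls[acl_number])
    if new_entries == acls[acl_number]:
        return []
    return (["configure terminal", f"no access-list {acl_number}"]
            + new_entries + ["end"])


# Constructed config in the shape of the thread's problem: one deny line per
# address of 192.168.1.0/24, followed by the entry that does the real work.
SAMPLE_CONFIG = "\n".join(
    ["hostname gw", "!"]
    + [f"access-list 100 deny ip any host 192.168.1.{i}" for i in range(1, 255)]
    + ["access-list 100 permit ip 10.0.0.0 0.0.0.255 any",
       "access-list 101 permit ip any any",
       "!",
       "route-map NAT permit 10",
       " match ip address 100"]
)

if __name__ == "__main__":
    print("\n".join(rewrite_commands(SAMPLE_CONFIG, "100")))
```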

Eyecannon
Mar 13, 2003

you are what you excrete
Sounds annoying!

Here's my log: LOG

There is no host at 10.0.0.200 anymore, so all that poo poo can go!

vvvv Yay for inheriting hosed up poo poo, how can I delete them?

Eyecannon fucked around with this message at 02:10 on Sep 5, 2008

inignot
Sep 1, 2003

WWBCD?
Those acls are retarded.

H.R. Paperstacks
May 1, 2006

This is America
My president is black
and my Lambo is blue
Wow, just wow.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.
It's been a long day, and I hope what I'm about to post is clear, and more importantly, enough information.

We turned up a T1 line from a remote site to our NOC. The T1 goes into a 3745, and the remote site is a 2600. Fa 0/0 of the 2600 goes to Fa 0/1 of a 2960. The 2960 uses a DHCP helper address to obtain an IP from a scope at the NOC.

The PC obtained:

10.212.1.11
255.255.255.0 (sm)
10.212.1.1 (dg)

The PC could ping the default gateway, but not tracert anything for some reason. From the switch or router, it seems like we could ping anything we tried. It's all hazy now. Does anything in the following configs look to be a problem? 2600 router and 2960 switch to follow:

2600:
code:
RTR#wr t
Building configuration...

Current configuration : 1105 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret 5 
!
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.212.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 description T1 to 3745
 ip address 10.12.0.2 255.255.0.0
 service-module t1 timeslots 1-24
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router eigrp 101
 network 10.0.0.0
 no auto-summary
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip http server
ip classless
!
!
snmp-server community publicshkly RO
snmp-server enable traps tty
!
line con 0
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password 7 
 login
 transport preferred all
 transport input all
 transport output all
!
end

RTR#

2960:
code:
SW#wr t
Building configuration...

Current configuration : 1131 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SW
!
enable secret 5 
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
 description uplink to Router 2600
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface GigabitEthernet0/1
!
interface Vlan1
 ip address 10.212.1.1 255.255.255.0
 ip helper-address 10.100.15.19
 no ip route-cache
!
interface Vlan2
 ip address 10.212.2.1 255.255.255.0
 ip helper-address 10.100.15.19
 no ip route-cache
!
interface Vlan250
 description cisco mgmt.
 ip address 10.212.250.1 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.212.1.2
ip http server
!
control-plane
!
!
line con 0
line vty 0 4
 password 7 
 login
line vty 5 15
 login
!
end

SW#

jwh
Jun 12, 2002

Eyecannon posted:

This doesn't make sense to me. It seems to me that my other gateway should have nothing to do with this.

When someone connects to our VPN, they are coming in on x.x.x.217 and given a 192.168.1.0/24 address. The internal interface for the VPN server is at 10.0.0.5, which I can ping. But I should also be able to ping 10.0.0.160, for instance, and anything else on 10.0.0.0/24. My other gateway goes to x.x.x.218, which I'm not interested in doing anything with in this scenario.

Does that clear it up a little? Or am I being retarded in some way?

Well, I could be being retarded here too, so let's not rule that out.

That said, if your users are connected to your internal network with 192.168.1.0/24 IP addresses, your machines on the 10.0.0.0 network will need to know how to reach that network. Barring some sort of proxy-ARP shenanigans, that would normally entail adding a route on the gateway for that 10.0.0.0 network to point the 192.168.1.0/24 route towards the IP address of your 1800.

When a VPN user sources a packet from 192.168.1.0/24, destined for 10.0.0.160, it arrives at 10.0.0.160, and that machine then needs to figure out how to return the packet: it has no more specific route for the 192.168.1.0/24 network, so it'll follow its default to your firewall gateway, which also doesn't know how to return data to the 1800. I suspect this is your problem.

jwh
Jun 12, 2002

ObamaisaTerrist posted:


10.212.1.1 (dg)


This is not the IP address on the 2600's Fa0/0, and I didn't think the 2960 could act as a layer-3 router. I thought the SVI interfaces on the 2960 were mostly for management purposes. I could be wrong about this.

Boner Buffet
Feb 16, 2006

jwh posted:

This is not the IP address on the 2600's Fa0/0, and I didn't think the 2960 could act as a layer-3 router. I thought the SVI interfaces on the 2960 were mostly for management purposes. I could be wrong about this.

I don't think it can either. I might be off with this, but this might be a router on a stick situation. I'd think he wants the gateways to be the router's sub interfaces.

Just a question though, why both RIP and EIGRP?

ObamaisaTerrist
Jul 26, 2008

The truth is out there.

jwh posted:

This is not the IP address on the 2600's Fa0/0, and I didn't think the 2960 could act as a layer-3 router. I thought the SVI interfaces on the 2960 were mostly for management purposes. I could be wrong about this.

I'll try that tomorrow. Me and the other IT guy are so used to the L3 stuff...

InferiorWang posted:

Just a question though, why both RIP and EIGRP?

We're all relatively new due to turnover of the prior IT regime. We jumped in during a major forklift overhaul. All the new stuff uses EIGRP, and some of the legacy used both that and RIPv2, or used RIP and the consultant/vendor threw EIGRP on to make it all communicate; we don't know. We may have thrown that in on this switch at some point and forgot.

All the legacy T1 connections used RIPv2... Takes forever to converge too.

Thanks for all your help.

ate shit on live tv
Feb 15, 2004

by Azathoth

jwh posted:

This is not the IP address on the 2600's Fa0/0, and I didn't think the 2960 could act as a layer-3 router. I thought the SVI interfaces on the 2960 were mostly for management purposes. I could be wrong about this.

You are correct. The 2960 is a simple managed switch, not a layer 3 switch.

Eyecannon
Mar 13, 2003

you are what you excrete
Thanks for the help guys. I realized that I could easily do what I wanted if I just had VPN clients given a sub-subnet of 10.0.0.0/24 that was unused. This way, I am able to speak to (well listen back from) anything on 10.0.0.0/24.

Question though, is it considered bad practice to have it like this? It would be nice to have a few hosts accessible from the VPN, but not necessarily all. I can set up the route on the other gateway I suppose instead.

Syano
Jul 13, 2005
Two small questions:

1) We just put an ASA 5510 with CSC SSM in at our home office. We have an 1841 in place now doing routing and NAT. Does the ASA have the same capabilities as the 1841 and could I replace the 1841 entirely?

2) If I set up an 1841 as a DNS forwarder at a remote site, will it forward dynamic DNS registrations?

bort
Mar 13, 2003

Eyecannon posted:

Thanks for the help guys. I realized that I could easily do what I wanted if I just had VPN clients given a sub-subnet of 10.0.0.0/24 that was unused. This way, I am able to speak to (well listen back from) anything on 10.0.0.0/24.

Question though, is it considered bad practice to have it like this? It would be nice to have a few hosts accessible from the VPN, but not necessarily all. I can set up the route on the other gateway I suppose instead.

It's not ideal from a security perspective -- if I have one of your user's passwords and a VPN certificate, I have your network to play with. If you can lock down specific ports and addresses, that might be better. This might be fine for you; the trick with security is determining the value of what you're protecting and the relative risk vs. the cost/effort of setting it up with more hardened, fine-grained protection.

JHVH-1
Jun 28, 2002
I got a Cisco Catalyst 3548 from work with a faulty GBIC. I figured I would take it home and start learning how to do the stuff the network admin is always doing for us.

I was able to reset the config, and I can now get in the switch. I guess I need to know what I should do next to start learning everything. Is there a specific book that is recommended to start with? Maybe some kind of project setup just to test out things.

I guess I could run Cat5 from my AirPort Extreme or something. I gave the switch a 192.168.0.x address, but I am assuming I have to enable an interface, like Fa0/1, and make it an uplink. I only know so much right now that I have absorbed at work from other people doing things on the network that already has a layout.

ObamaisaTerrist
Jul 26, 2008

The truth is out there.

jwh posted:

This is not the IP address on the 2600's Fa0/0, and I didn't think the 2960 could act as a layer-3 router. I thought the SVI interfaces on the 2960 were mostly for management purposes. I could be wrong about this.

I'm going to head out of town tomorrow, but wanted to drop in this thread again and thank you and InferiorWang.

After changing the dg in the scope, everything is working now.

Thanks for your help.

delslo
Sep 20, 2003

OK, I've tried this a few times before with no luck, and want to resolve this. I've got an ASA5505 running 8.0.3, ASDM 6.1.3. The outside interface is hooked up to a Comcast cable modem that gives my ASA a DHCP address. This address is dynamic but it does not change that often. I am trying to do NAT/port forwarding for various services such as HTTP, BitTorrent, etc. I've just run the device through the ASDM startup wizard for a quick reset to defaults/quick setup and to enable telnet management. I realize that ASDM sucks.

I'm familiar enough with Cisco CLI to get into it, run commands that are given to me and understand basically what they are doing; that's about it. Could someone please help me out (a list of commands to run, etc. would be most helpful) based on the information below?

-----------
Internal IP: 10.0.1.22
ports: 80 (HTTP); 51413; I can figure the rest out from that

running config:
--
: Saved
:
ASA Version 8.0(3)
!
hostname ciscoasa
domain-name coronabeach.local
enable password LOLPASSWORD encrypted
names
!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd LOLPASSWORD encrypted
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name coronabeach.local
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.0.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.0.1.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 10.0.1.2-10.0.1.33 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:
: end
asdm image disk0:/asdm-522.bin
no asdm history enable

----------

Thanks in advance. After I get this working, I'll set up VPN again.

jbusbysack
Sep 6, 2002
i heart syd
delslo posted:

Internal IP: 10.0.1.22
ports: 80 (HTTP); 51413; I can figure the rest out from that

access-list outside_access_in extended permit tcp any host PUBLIC_IP eq 80
access-list outside_access_in extended permit tcp any host PUBLIC_IP eq 51413

access-group outside_access_in in interface outside

static (inside,outside) PUBLIC_IP 10.0.1.22 netmask 255.255.255.255

nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer

Eyecannon posted:

Sounds annoying!

Here's my log: LOG

There is no host at 10.0.0.200 anymore, so all that poo poo can go!

vvvv Yay for inheriting hosed up poo poo, how can I delete them?

lol! those ACLs....

Gucci Loafers
May 20, 2006

Ask yourself, do you really want to talk to pair of really nice gaudy shoes?


What's the best way to go about getting certified? My initial idea is to get a bunch of older Cisco routers, make my own lab, get a few books and take up a bootcamp for a week that'll allow me to play with the newer equipment before I take the test.

I'm assuming this will take 3-4 months of studying? What is the starting salary? I'm assuming 18-20/h for someone with limited IT experience (setting up small Linksys routers, small servers, etc.)

Thanks!

Gucci Loafers fucked around with this message at 07:15 on Sep 8, 2008

ate shit on live tv
Feb 15, 2004

by Azathoth
The CCNA isn't a hard test. If you have access to equipment and you actually focus on studying, you'll be fine. If you just sort of skim over the material and don't actually try to apply what you learn to some routers, then you never will.

If you can get two 2600's that have a serial port and can do ospf/eigrp then that is all you need for the CCNA. Oh and a book of course.

A friend of mine who had zero experience was able to pass the test in a month.

MrMoo
Sep 14, 2000

Multicast & Bonjour routing: I have an HP ProCurve 2848 which I mistakenly thought could allow multicast between VLANs. It does have multicast support, but only with an external multicast router. Can anyone suggest the easiest method to upgrade so that I can do this? Is a Cisco router the only way forward? How much is it going to cost to get one full source port, i.e. 1 Gb/s multicast routing?

Basic routing would be nice for DAAP, mDNS, multicast-NTP, but I'm really after getting PGM working cross-VLAN.

Nukelear v.2
Jun 25, 2004
My optional title text
I had a weird crash with one of our core 3750G-24TS stacks, running 12.2(20)SE4. Wondering if anybody may have some thoughts on this.

The second (slave) switch in the stack stopped passing traffic, all of the interface lights went dark. 'show switch' showed it in a Provisioned state with all 0's for the MAC. Reset the switch and the odd thing is then the problem moved to the third switch in the stack which had previously been working. Same issues the second one had.

Killing the power to the whole stack fixed it, but it's rather unsettling when a major piece of kit fails in a rather odd way. Our Symmetra doesn't show any power hits or oddities, the only thing I can think of is a failing stack cable.

Edit: Logs help things. Looks like memory fragmentation/leaks killed it after 3-4 years uptime.

SYS-2-MALLOCFAIL: Memory allocation of 35856 bytes failed from 0x7DEE38, alignment 8
Pool: Processor Free: 2093976 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool

Nukelear v.2 fucked around with this message at 15:20 on Sep 8, 2008

Syano
Jul 13, 2005
Is it possible to assign two IPs to the same interface on an ASA 5510?

bort
Mar 13, 2003

JHVH-1 posted:

I was able to reset the config, and I can now get in the switch. I guess I need to know what I should do next to start learning everything. Is there a specific book that is recommended to start with? Maybe some kind of project setup just to test out things.

Not a whole lot to a 3548, but here's pretty much everything:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc3/swg/Swgover.html

ate shit on live tv
Feb 15, 2004

by Azathoth

Syano posted:

Is it possible to assign two IPs to the same interface on an ASA 5510?

I'd imagine that you can do sub-interfaces. But I'd have to ask what you are trying to do.

ragzilla
Sep 9, 2005
don't ask me, i only work here


Syano posted:

Is it possible to assign two IPs to the same interface on an ASA 5510?

No you can't do secondary addresses in PIXOS *sigh*

When we have to do that, we usually hang a 3550-24 off the back to do the multiple IP addresses / routing between multiple internal subnets then set up a /30 between the PIX/ASA and the 3550.

SamDabbers
May 26, 2003



I'm having some trouble with a remote access VPN using the Cisco VPN Client to a 3825. When I attempt to connect, the VPN client spits out this in the logs:

code:
Cisco Systems VPN Client Version 5.0.03.0530
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      19:31:35.957  09/09/08  Sev=Warning/3	IKE/0xE3000057
The received HASH payload cannot be verified

2      19:31:35.957  09/09/08  Sev=Warning/2	IKE/0xE300007E
Hash verification failed... may be configured with invalid group password.

3      19:31:35.957  09/09/08  Sev=Warning/2	IKE/0xE300009B
Failed to authenticate peer (Navigator:904)

4      19:31:35.957  09/09/08  Sev=Warning/2	IKE/0xE30000A7
Unexpected SW error occurred while processing Aggressive Mode negotiator:(Navigator:2238)

Now, it looks like the group name and/or password is incorrect, but I've reentered them both by hand and copy/paste on both the client and the router multiple times. There are no spaces or punctuation in either name, just upper case, lower case, and numbers. I've even tried removing ALL the VPN configuration from the router, putting it back in again, and creating a new .pcf on the client side.

Nothing seems to work! I'd appreciate any ideas you guys might have. Here's the router configuration:

code:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname bwsrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa group server radius BWSOD
 server-private 10.168.1.4 auth-port 1812 acct-port 1813 key bws123456
!
aaa authentication login BWS_VPN_users group BWSOD local
aaa authorization network BWS_VPN_auth group BWSOD local 
!
aaa session-id common
!
resource policy
!
clock timezone CST -6
clock summer-time CDT recurring
ip subnet-zero
ip cef
ip tcp selective-ack
ip tcp timestamp
!
!
ip inspect name firewall-out tcp
ip inspect name firewall-out udp
ip inspect name firewall-out cuseeme
ip inspect name firewall-out h323
ip inspect name firewall-out rcmd
ip inspect name firewall-out realaudio
ip inspect name firewall-out streamworks
ip inspect name firewall-out vdolive
ip inspect name firewall-out sqlnet
ip inspect name firewall-out tftp
ip inspect name firewall-out ftp
ip inspect name firewall-out icmp
ip inspect name firewall-out sip
ip inspect name firewall-out fragment maximum 256 timeout 1
ip inspect name firewall-out netshow
ip inspect name firewall-out rtsp
ip inspect name firewall-out pptp
ip inspect name firewall-out skinny
no ip dhcp use vrf connected
ip dhcp excluded-address 10.168.1.1 10.168.1.49
!         
ip dhcp pool inside-pool
   network 10.168.1.0 255.255.255.0
   default-router 10.168.1.1 
   dns-server 10.168.1.4 
   domain-name my.domain
   netbios-node-type b-node
!         
!         
no ip bootp server
no ip domain lookup
ip domain name my.domain
ip ssh version 2
!         
!         
!         
crypto pki trustpoint TP-self-signed-3557539967
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3557539967
 revocation-check none
 rsakeypair TP-self-signed-3557539967
!         
!         
crypto pki certificate chain TP-self-signed-3557539967
 certificate self-signed 01
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH BLAHBLAH
  quit    
username admin privilege 15 secret 5 toomanysecrets
!         
!         
!         
crypto isakmp policy 10
 encr 3des
 hash md5 
 authentication pre-share
 group 2  
!         
crypto isakmp client configuration group bwsvpn
 key cisco123
 dns 10.168.1.4
 domain my.domain
 pool vpnpool
 acl bwsvpnacl
 pfs      
!         
!         
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac 
!         
crypto dynamic-map outside_dyn_map 1
 set transform-set ESP-AES-256-SHA 
 reverse-route
!         
!         
crypto map outside_map client authentication list BWS_VPN_users
crypto map outside_map isakmp authorization list BWS_VPN_auth
crypto map outside_map client configuration address respond
crypto map outside_map 1 ipsec-isakmp dynamic outside_dyn_map 
!         
!         
!         
interface GigabitEthernet0/0
 description Internal LAN
 ip address 10.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
!         
interface GigabitEthernet0/1
 description Internet
 ip address x.x.x.y 255.255.255.248
 ip access-group outside_in in
 no ip redirects
 no ip unreachables
 ip inspect firewall-out out
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 speed auto
 media-type rj45
 negotiation auto
 no cdp enable
 crypto map outside_map
!         
ip local pool vpnpool 10.168.2.1 10.168.2.30
ip classless
ip route 0.0.0.0 0.0.0.0 69.15.195.169
!         
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list NAT_out interface GigabitEthernet0/1 overload
ip nat inside source static 10.168.1.4 x.x.x.x route-map NAT-out-static
!         
ip access-list standard RemoteAdmin
 permit 10.168.1.0 0.0.0.255
!         
ip access-list extended NAT_out
 deny   ip host 10.168.1.4 any
 deny   ip 10.168.1.0 0.0.0.255 10.168.2.0 0.0.0.255
 permit ip 10.168.1.0 0.0.0.255 any
ip access-list extended NAT_out_static
 deny   ip 10.168.1.0 0.0.0.255 10.168.2.0 0.0.0.255
 permit ip 10.168.1.0 0.0.0.255 any
ip access-list extended bwsvpnacl
 permit ip 10.168.1.0 0.0.0.255 10.168.2.0 0.0.0.255
ip access-list extended outside_in
 permit tcp any host x.x.x.x eq www
 permit tcp any host x.x.x.x eq 443
 permit tcp any host x.x.x.x eq 993
 permit tcp any host x.x.x.x eq 995
 permit tcp any host x.x.x.x eq pop3
 permit tcp any host x.x.x.x eq 465
 permit tcp any host x.x.x.x eq 587
 permit tcp any host x.x.x.x eq smtp
 permit tcp any host x.x.x.x eq 143
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit tcp any host x.x.x.x eq 1723
 permit tcp any host x.x.x.y eq 22
 permit gre any host x.x.x.x
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit udp any host x.x.x.x eq ntp
!         
route-map NAT-out-static permit 10
 match ip address NAT_out_static
!         
!         
!         
control-plane
!         
!         
!         
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class RemoteAdmin in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class RemoteAdmin in
 privilege level 15
 transport input ssh
!         
scheduler allocate 20000 1000
ntp clock-period 17179867
ntp server 130.126.24.24
ntp server 129.6.15.29
ntp server 130.126.24.44
!         
end

Syano
Jul 13, 2005

Powercrazy posted:

I'd imagine that you can do sub-interfaces. But I'd have to ask what you are trying to do.

Trying to figure out a way to integrate the device with the least amount of effort. I want the 5510 to become the new default gateway for this network, and it sure would be easy to tag on an additional address to eth0 instead of changing default gateways on tons of statically configured devices.

SamDabbers
May 26, 2003



Syano posted:

Trying to figure out a way to integrate the device with least amount of effort. I want the 5510 to become the new default gateway for this network and it sure would be easy to tag on an additional address to eth0 instead of changing default gateways on tons of statically configured devices

Keep in mind that an ASA is not a router; it's a security device. It'd be much easier to stick a layer 3 switch or a basic router with two FastEthernet ports in between it and your network like Girdle Wax posted above.

Sub-interfaces are really only useful if you have multiple VLANs that need to connect up to the ASA.

CrazyLittle
Sep 11, 2001





Clapping Larry
What kind of device do you guys recommend for routing at gigabit speeds? We're using 7206VXR's right now, and we're looking at their layer 3 switches like the Catalyst 3750 switches.

jwh
Jun 12, 2002

CrazyLittle posted:

What kind of device do you guys recommend for routing at gigabit speeds? We're using 7206VXR's right now, and we're looking at their layer 3 switches like the Catalyst 3750 switches.

I suspect the answer will depend heavily on what kind of features you need: what kind of features do you need? Also, what kind of interfaces are you terminating?

Chuu
Sep 11, 2004

Grimey Drawer
Studying for the CCNA, came across something that is confusing me.

Basically, how do you connect 2 routers using a serial link without assigning IP addresses to either serial interface? There are examples of this everywhere in the Odom book and the sample tests.

I've tried simply using something like "ip route 192.168.0.0 255.255.255.0 ser0" which does not return any sort of error, but the static route isn't appearing in "show ip route".

Reading through Cisco sites I understand how to do this using the "ip unnumbered" command, but that's not covered on the ICND1 exam and not anywhere in the Odom book, so that's not the answer I'm looking for.

Any help?

EDIT : Related Question

The Odom practice exam loves giving you network diagrams that look like this:



I am a little confused what's going on with R1<->R3. What exactly is going on when you have a serial network connection, i.e. literally only 2 devices possible on that network segment, that has a network name assigned, but neither serial interface actually has an ip assigned? Where is that network name used? How does IOS know that this serial link is assigned a network name?

Chuu fucked around with this message at 04:11 on Sep 10, 2008

ionn
Jan 23, 2004

Din morsa.
Grimey Drawer
Both interfaces would need to have an IP address assigned within that subnet for that network to really exist. It seems to me like it just isn't specified in the diagram, probably just to confuse you, since the actual addresses probably aren't needed for the exercise.
The concept of a network name (such as 192.168.6.0/24) in IOS only really comes from the assigned IP/netmask, without which it doesn't have a clue.

No idea about the first question though. I've only ever done stuff like that by using ip unnumbered, and that never outside the course labs...

Chuu
Sep 11, 2004

Grimey Drawer

ionn posted:

It seems to me like it just isn't specified in the diagram, probably just to confuse you, since the actual addresses probably aren't needed for the exercise.

It's doing a really good job at confusing me then.

The question is basically asking how many zero subnets a packet from PC2 to PC3 is going through. In the answer explanation it just says "The R1-R3 serial link is not using subnetting." I just can't really wrap my head around what they're really trying to say here. 196.168.6.0/24, if there were IP addresses assigned to the serial links, would imply subnetting. If they leave out the IP addresses in the diagram then it's still subnetted. If they're not, the fact this segment is named and assigned a subnet mask to me says it's still subnetted, even though that information is useless.

Either the question sucks or I'm missing something. The fact I'm having so much trouble dealing with serial links without IP addresses assigned, which are all over the ICND1 official book, and I just can't get my 2501's to actually do this without using a command that's not on the exam, tells me it's probably the latter.

I might just be making this a lot harder than it really is based on what my routers are actually doing.

Chuu fucked around with this message at 08:45 on Sep 10, 2008

inignot
Sep 1, 2003

WWBCD?

Chuu posted:

In the answer explanation it just says "The R1-R3 serial link is not using subnetting." I just can't really wrap my head around what they're really trying to say here.

It's probably some obtuse way of saying the serial link is using a classful network.
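As an added illustration of inignot's point and Chuu's zero-subnet question (Python, not from the thread), the script below works out the classful default mask of a prefix, whether the prefix subnets that classful network at all, and if so whether it is the zero subnet; the `ip subnet-zero` line in the configs posted earlier is what lets IOS use such a subnet. The networks in SAMPLE_PATH are constructed and are not the book's diagram, apart from 192.168.6.0/24 taken from ionn's reply.

```python
"""Classful network math behind the 'zero subnet' exam question.

Added example, not from the thread: works out the classful (default)
mask of an address, whether a prefix subnets that classful network at
all, and if so whether it is the zero subnet (all subnet-ID bits zero).
"""
import ipaddress


def classful_prefix_len(addr):
    """Default mask length from the first octet: A=/8, B=/16, C=/24."""
    first = int(ipaddress.ip_address(str(addr))) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C address")


def classful_network(addr):
    """The classful network an address belongs to, e.g. 10.0.0.0/8."""
    addr = ipaddress.ip_address(str(addr))
    return ipaddress.ip_network(f"{addr}/{classful_prefix_len(addr)}",
                                strict=False)


def analyse(prefix):
    """Describe one prefix in classful terms.

    A prefix whose length equals the classful default is 'not using
    subnetting' in exam wording, so the zero-subnet question does not
    arise for it (e.g. 192.168.6.0/24 on a class C network)."""
    net = ipaddress.ip_network(prefix, strict=False)
    classful = classful_network(net.network_address)
    subnet_bits = net.prefixlen - classful.prefixlen
    if subnet_bits <= 0:
        return {"classful": str(classful), "subnetted": False,
                "zero_subnet": False}
    # The zero subnet is the one whose subnet-ID bits are all zero, which
    # means it shares its network address with the classful network.
    return {"classful": str(classful), "subnetted": True,
            "zero_subnet": net.network_address == classful.network_address}


def count_zero_subnets(path):
    """Number of zero subnets among the networks a packet crosses."""
    return sum(analyse(p)["zero_subnet"] for p in path)


# Constructed path of networks (not the book's diagram): a subnetted class A
# zero subnet, an unsubnetted class C link, and two class B /20s.
SAMPLE_PATH = ["10.0.0.0/24", "192.168.6.0/24", "172.16.0.0/20", "172.16.16.0/20"]

if __name__ == "__main__":
    for p in SAMPLE_PATH:
        print(p, analyse(p))
    print("zero subnets crossed:", count_zero_subnets(SAMPLE_PATH))
```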

ragzilla
Sep 9, 2005
don't ask me, i only work here


CrazyLittle posted:

What kind of device do you guys recommend for routing at gigabit speeds? We're using 7206VXR's right now, and we're looking at their layer 3 switches like the Catalyst 3750 switches.

Like jwh said, do you need full-table BGP or anything like that? If so, your step up from the 7206 is probably going to be a 7600/GSR 12k/ASR1k.

If you only need a bunch of GbE ports, and not a whole lot of prefixes (i.e. not full-table BGP), you can look at stuff like the 3550/3560/3750/4500.

SamDabbers
May 26, 2003



riske posted:

I'm having some trouble with a remote access VPN using the Cisco VPN Client to a 3825. When I attempt to connect, the VPN client spits out this in the logs:

*SNIP*

Now, it looks like the group name and/or password is incorrect, but I've reentered them both by hand and copy/paste on both the client and the router multiple times. There are no spaces or punctuation in either name, just upper case, lower case, and numbers. I've even tried removing ALL the VPN configuration from the router, putting it back in again, and creating a new .pcf on the client side.

Nothing seems to work! I'd appreciate any ideas you guys might have. Here's the router configuration:

*SNIP*

I figured this out in case anyone was wondering. My RADIUS server wasn't handing out authorization information properly. When I changed this line:
code:
aaa authorization network bwsvpn_users group BWSOD local
to only use the local authorization database:
code:
aaa authorization network bwsvpn_users local
it started working fine!
