Richard Noggin
Jun 6, 2005
Redneck By Default


Note - I am not knowledgeable in Cisco at all, but I need to start learning fast!

Has anyone set up redundant/backup WAN connections using an ASA 5505 or a PIX? According to this config example, it's certainly possible, but this statement bothers me:

Cisco posted:

This configuration provides a relatively inexpensive way to ensure that outbound Internet access remains available to users behind the security appliance. As described in this document, this setup may not be suitable for inbound access to resources behind the security appliance. Advanced networking skills are required to achieve seamless inbound connections. These skills are not covered in this document.

I need to be able to have inbound access during a failover scenario. I don't know what they mean by "advanced networking skills", but in my mind, having the appropriate DNS entries, ACLs, and static NAT maps bound to the backup interface would provide what I'm looking for. Can anyone confirm/deny?

Richard Noggin
Jun 6, 2005
Redneck By Default


dwarftosser posted:

Well that depends, what they mean is when your first connection goes down you need some way to notify the outside world that they need to take a different route to get into your network. To do this seamlessly, you need to have your own ASN and have BGP properly configured.

Assume we just wanted mail - a lower priority MX record pointing to the backup interface would suffice then?

Richard Noggin
Jun 6, 2005
Redneck By Default


EoRaptor posted:

Quick non-cisco interjection. Some systems will send to the lower priority MX record no matter what, so it has to be up and accepting data even if the primary is up. This is probably the case, but if you are paying for a standby connection from a datacenter, this isn't always the case (that, or the standby has crazy data rates that will bite you in the rear end)

There will be three MX entries, and look something like this:

10 primaryWAN
20 secondaryWAN
30 offsiteBackup

My understanding is that the configuration I posted above will leave both interfaces up to outside traffic, but inside traffic is routed through the primary interface as long as it's up. It's going to be used in a small business to provide a T1 backup to the cable modem, after Comcast left them without internet service for 3+ weeks.

Richard Noggin fucked around with this message at Oct 24, 2007 around 15:21

Richard Noggin
Jun 6, 2005
Redneck By Default


To start - I'm loving green when it comes to Cisco stuff.

I have a client with a PIX 515 and a T1. Something is sucking up all the bandwidth on the T1, and I'm having trouble figuring out what. I have a trial of Fireplotter that's showing the culprit is source 111.111.111.111. I have no idea what this address is, but it's got active connections to the outside world on multiple ports.

edit: Looks like Fireplotter displays 111.111.111.111 if it can't find the name. Fuuuuuuck.

Richard Noggin fucked around with this message at Jul 29, 2008 around 16:20

Richard Noggin
Jun 6, 2005
Redneck By Default


The problem was one rogue notebook with some sort of malware - I haven't been able to get my hands on it yet, as the site is about 800 miles away. This is a new site we're in charge of, and I had (have) no Cisco experience whatsoever. I'm getting the hang of it, but have a long, long way to go. Thanks everyone for their help.

Richard Noggin
Jun 6, 2005
Redneck By Default


Next question:

A PIX-PIX VPN as such:

192.168.0.0/24 --PIX--INTERNET--PIX--192.168.10.0/24
Each PIX is at .1 in its respective subnet.

How do I permit snmp polling from 192.168.0.10 to 192.168.10.1?

Here's output of sh run on 192.168.10.1:

code:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password ***** encrypted
passwd ***** encrypted
hostname pix-cottage
domain-name ***.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list 101 permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list acl_out permit tcp host *.*.*.* host 64.65.198.153 eq 8080
access-list split_tunnel permit ip 192.168.1.0 255.255.255.0 192.168.150.0 255.255.255.0
access-list split_tunnel permit ip 192.168.10.0 255.255.255.0 192.168.150.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside *.*.*.* 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.150.1-192.168.150.254
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp *.*.*.* 8080 192.168.10.30 8080 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 64.65.198.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
ntp server 132.236.56.250 source outside
ntp server 128.59.59.127 source outside
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
snmp-server host inside 192.168.0.10 poll
snmp-server location Cottage
snmp-server contact *
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set standard esp-aes esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set standard
crypto map cottage-map 20 ipsec-isakmp dynamic dynmap
crypto map cottage-map 30 ipsec-isakmp
crypto map cottage-map 30 match address 101
crypto map cottage-map 30 set peer *.*.*.*
crypto map cottage-map 30 set transform-set standard
crypto map cottage-map client authentication LOCAL
crypto map cottage-map interface outside
isakmp enable outside
isakmp key ******** address *.*.*.* netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpnadmin address-pool vpnpool
vpngroup vpnadmin dns-server 192.168.0.10
vpngroup vpnadmin wins-server 192.168.0.10
vpngroup vpnadmin default-domain *.lan
vpngroup vpnadmin split-tunnel split_tunnel
vpngroup vpnadmin idle-time 1800
vpngroup vpnadmin password ********
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 5
ssh *.*.*.* 255.255.255.255 outside
ssh *.*.*.* 255.255.255.255 outside
ssh timeout 60
console timeout 0
dhcpd address 192.168.10.2-192.168.10.20 inside
dhcpd dns 192.168.0.10 64.65.196.6
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:585ddf53b40917a9bba26dfc19e206ea
: end

Richard Noggin fucked around with this message at Jul 30, 2008 around 20:44

Richard Noggin
Jun 6, 2005
Redneck By Default


Can anyone tell me about the 2960 switches with the LAN Lite image? We normally use Catalyst Express 500s, but these are comparable in price and at first glance, seem to have a better feature set. Our clients can't afford to shell out for a full blown 2960.

Richard Noggin
Jun 6, 2005
Redneck By Default


Argh. Nobody at Cisco seems to be able to answer this simple question. I have a customer that wants an ASA 5505. They'd like to be able to have VPN access through a software client. They don't want to spend the extra money for the SSL VPN license, but Cisco's site states

quote:

The Cisco VPN Client is included with all models of Cisco ASA 5500 Series Security Appliances (excluding ASA 5505). Customers with Cisco SMARTnet® support contracts and encryption entitlement may download the Cisco VPN Client from the Cisco Software Center at no additional cost. For customers without Cisco SMARTnet support contracts, a media CD containing the client software is available for purchase. This CD does not provide access to the most current patch releases.

What I'm trying to figure out is does 'not included' mean it doesn't come in the box, but is available for download with a SMARTnet contract, or does it mean 'not supported on the 5505'?

Richard Noggin
Jun 6, 2005
Redneck By Default


jbusbysack posted:

Remote access VPN is built into all ASA models. What they mean is that you're not entitled to download the client software.

Connect the dots.

But,

quote:

Customers with Cisco SMARTnet® support contracts and encryption entitlement may download the Cisco VPN Client from the Cisco Software Center at no additional cost.

We have a SMARTnet contract and we have the encryption entitlement. I just got off the phone with Cisco for the third time, and they assured me that I would be able to download and use the VPN client software.

Richard Noggin
Jun 6, 2005
Redneck By Default


For what it's worth, this is an ASA 5505, unlimited users, with the Security Plus license.

Richard Noggin
Jun 6, 2005
Redneck By Default


This is my first time setting up an ASA from scratch. I have a /29 block of WAN addresses, but only want the ASA to deal with one of them (let's say 10.1.1.37). I want to forward all SMTP traffic to an inside host (192.168.1.2). I've set up the ACLs and bound them to the outside interface, but the packet trace always shows that the traffic is dropped. If I try to set up a static NAT map like

static (inside,outside) 10.1.1.37 192.168.1.2 netmask 255.255.255.255 0 0


I get

ERROR: Static PAT using the interface requires the use of the 'interface' keyword instead of the interface IP address


When I replace the IP with the 'interface' keyword

static (inside,outside) interface 192.168.1.2 netmask 255.255.255.255 0 0

I get

WARNING: static redirecting all traffics at outside interface;
WARNING: all services terminating at outside interface are disabled.

edit: figured it out. The ACL entry was wrong. I had:

access-list acl_out extended permit tcp any host 192.168.1.2 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

It should have been:

access-list acl_out extended permit tcp any host 10.1.1.37 eq smtp
access-group acl_out in interface outside
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255

Richard Noggin fucked around with this message at May 22, 2009 around 18:02
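
The fix in the post works because, on ASA releases before 8.3, an inbound ACL on the outside interface is matched against the packet as it arrives, that is, against the mapped (public) address, and only afterwards does the static translate the destination to the real inside host; so an ACE that names 192.168.1.2 never matches anything arriving from the Internet. The release in use is not stated in the post, but that is the behaviour described. Below is an added Python model of that ordering (not code from the thread or from Cisco): it runs an Internet host's SYN to tcp/25 on 10.1.1.37 through the ACL as first written and through the corrected one, using the addresses from the post. The class names and the `compare()` helper are this example's own.

```python
"""Model of pre-8.3 ASA inbound processing for a static PAT.

Added illustration, not code from the thread. Order modelled: the inbound ACL
on the outside interface is checked on the untranslated (mapped) destination,
and only then is the destination un-NATed through the static.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """access-list <name> extended permit <proto> any host <dst_host> eq <dst_port>"""
    proto: str
    dst_host: str       # "any" or one address
    dst_port: int


@dataclass(frozen=True)
class StaticPat:
    """static (inside,outside) <proto> interface <mapped_port> <real_ip> <real_port> netmask 255.255.255.255"""
    proto: str
    mapped_ip: str      # what the 'interface' keyword resolves to: the outside address
    mapped_port: int
    real_ip: str
    real_port: int


def acl_permits(acl, proto, dst_ip, dst_port):
    """First matching permit wins; no match falls to the implicit deny."""
    for ace in acl:
        if ace.proto == proto and ace.dst_port == dst_port and ace.dst_host in ("any", dst_ip):
            return True
    return False


def inbound_packet(acl, statics, proto, dst_ip, dst_port):
    """Return ("allowed", "<real_ip>:<real_port>") or ("dropped", <reason>)."""
    # Step 1: the interface ACL sees the packet before translation, so dst_ip is the mapped address.
    if not acl_permits(acl, proto, dst_ip, dst_port):
        return ("dropped", "acl-drop")
    # Step 2: un-NAT through the matching static PAT.
    for s in statics:
        if (s.proto, s.mapped_ip, s.mapped_port) == (proto, dst_ip, dst_port):
            return ("allowed", f"{s.real_ip}:{s.real_port}")
    return ("dropped", "no-translation")


OUTSIDE_IP = "10.1.1.37"        # addresses from the post
MAIL_HOST = "192.168.1.2"
SMTP = 25
STATICS = [StaticPat("tcp", OUTSIDE_IP, SMTP, MAIL_HOST, SMTP)]

# The ACL as first written names the real inside address ...
ACL_WRONG = [Ace("tcp", MAIL_HOST, SMTP)]
# ... the corrected ACL names the mapped (outside) address.
ACL_RIGHT = [Ace("tcp", OUTSIDE_IP, SMTP)]


def compare():
    """Run the same inbound SYN to tcp/25 on the public address through both ACLs."""
    return {
        "wrong_acl": inbound_packet(ACL_WRONG, STATICS, "tcp", OUTSIDE_IP, SMTP),
        "right_acl": inbound_packet(ACL_RIGHT, STATICS, "tcp", OUTSIDE_IP, SMTP),
        # tcp/80 has neither a permit nor a static: the implicit deny stops it first.
        "right_acl_http": inbound_packet(ACL_RIGHT, STATICS, "tcp", OUTSIDE_IP, 80),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:15s} -> {result}")
```

The useful habit this encodes: when an inbound connection is dropped with an ACL counter incrementing, check whether the ACE names the address the packet actually carries at the point the ACL runs, which on this code train is the public one.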

Richard Noggin
Jun 6, 2005
Redneck By Default


Yup, I just want a simple port forward, but I've been banging my head for several hours. I can't even get the loving thing working through the web GUI.

Richard Noggin
Jun 6, 2005
Redneck By Default


PIX VPN help needed! I have a site-to-site IPSEC VPN set up between 2 PIX 501s running 6.3(3). I wanted to add a remote access VPN so that a user could work from home. I got the remote access VPN working fine, but it broke the site-to-site. Here's what I have:

PIX1 Original Config
code:
: Saved
: Written by enable_15 at 18:03:04.224 UTC Tue Jun 30 2009
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password MbQ4Ka5HFmU/LdDE encrypted
passwd MbQ4Ka5HFmU/LdDE encrypted
hostname depot-pix
domain-name xxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.124.57 cottage-pix
name 192.168.0.10 flash2
access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list vpn permit icmp any any 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.124.65 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 xxx.xxx.124.70 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto map toCottage 20 ipsec-isakmp
crypto map toCottage 20 match address vpn
crypto map toCottage 20 set peer cottage-pix
crypto map toCottage 20 set transform-set strong
crypto map toCottage interface outside
isakmp enable outside
isakmp key secretkey address cottage-pix netmask 255.255.255.255 
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.0.24 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:44b79e3b358335229a265546fc231e01
: end

PIX2 Original Config:
code:
: Saved
: Written by enable_15 at 18:00:00.939 UTC Tue Jun 30 2009
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password MbQ4Ka5HFmU/LdDE encrypted
passwd MbQ4Ka5HFmU/LdDE encrypted
hostname cottage-pix
domain-name xxx.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.124.65 depot-pix
access-list vpn permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0 
access-list vpn permit icmp any any 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.124.57 255.255.255.248
ip address inside 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 75.150.124.62 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto map toDepot 10 ipsec-isakmp
crypto map toDepot 10 match address vpn
crypto map toDepot 10 set peer depot-pix
crypto map toDepot 10 set transform-set strong
crypto map toDepot interface outside
isakmp enable outside
isakmp key secretkey address depot-pix netmask 255.255.255.255 
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd address 192.168.10.2-192.168.10.20 inside
dhcpd dns 192.168.0.10 208.67.222.222
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
Cryptochecksum:fda4cb2bed47b9409ca414ca918bf9f4
: end

PIX1 Config with working RA VPN, but broken site-to-site VPN:

code:
: Saved
: Written by enable_15 at 16:55:04.861 UTC Thu Jul 2 2009
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password MbQ4Ka5HFmU/LdDE encrypted
passwd MbQ4Ka5HFmU/LdDE encrypted
hostname depot-pix
domain-name flashpoint.local
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name xxx.xxx.124.57 cottage-pix
name 192.168.0.10 flash2
access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 
access-list vpn permit icmp any any 
access-list vpn permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0 
access-list split-tunnel permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.124.65 255.255.255.248
ip address inside 192.168.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool raPool 192.168.20.10-192.168.20.20
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list vpn
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 75.150.124.70 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
aaa-server raAuth protocol radius 
aaa-server raAuth (inside) host flash2 secretkey timeout 5
aaa-server local protocol radius 
http server enable
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac 
crypto ipsec transform-set raVPN esp-des esp-md5-hmac 
crypto dynamic-map raDynMap 10 set transform-set raVPN
crypto map toCottage 20 ipsec-isakmp
crypto map toCottage 20 match address vpn
crypto map toCottage 20 set peer cottage-pix
crypto map toCottage 20 set transform-set strong
crypto map raMap 10 ipsec-isakmp dynamic raDynMap
crypto map raMap client authentication raAuth
crypto map raMap interface outside
isakmp enable outside
isakmp key secretkey address cottage-pix netmask 255.255.255.255 
isakmp identity address
isakmp policy 9 authentication pre-share
isakmp policy 9 encryption 3des
isakmp policy 9 hash sha
isakmp policy 9 group 1
isakmp policy 9 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup raGroup address-pool raPool
vpngroup raGroup dns-server flash2
vpngroup raGroup wins-server flash2
vpngroup raGroup default-domain xxx.lan
vpngroup raGroup split-tunnel split-tunnel
vpngroup raGroup idle-time 1800
vpngroup raGroup password secretpassword
telnet 192.168.0.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 192.168.0.24 255.255.255.255 inside
ssh timeout 60
management-access inside
console timeout 0
dhcpd auto_config outside
terminal width 80
Cryptochecksum:2360b6a171f52b936f8277485dd843a4
: end
Output from show debug isakmp
code:
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
ISAKMP (0): retransmitting phase 2 (1/1)... mess_id 0x7fc9c9ce
crypto_isakmp_process_block:src:cottage-pix, dest:xxx.xxx.124.65 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
crypto_isakmp_process_block:src:cottage-pix, dest:xxx.xxx.124.65 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (2/2)... mess_id 0x7fc9c9ce
crypto_isakmp_process_block:src:cottage-pix, dest:xxx.xxx.124.65 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last responseno debug
ISAKMP (0): retransmitting phase 2 (0/3)... mess_id 0x1a0bcc12 cryp
crypto_isakmp_process_block:src:cottage-pix, dest:xxx.xxx.124.65 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1161442472, spi size = 16
ISAKMP (0): deleting SA: src cottage-pix, dst 75.150.124.65
return status is IKMP_NO_ERR_NO_TRANSto isa
ISADB: reaper checking SA 0xb03334, conn_id = 0  DELETE IT!

What did I do wrong here?

Richard Noggin fucked around with this message at Jul 3, 2009 around 14:16

Richard Noggin
Jun 6, 2005
Redneck By Default


Herv posted:

words of wisdom

Awesome, thanks. I'll give it a shot on Monday!

edit: Here's the text from the command reference that deals with the crypto map command:

quote:

A crypto map set is a collection of crypto map entries each with a different seq-num but the same map-name. Therefore, for a given interface, you could have certain traffic forwarded to one peer with specified security applied to that traffic, and other traffic forwarded to the same or a different peer with different IPSec security applied. To accomplish this you would create two crypto map entries, each with the same map-name, but each with a different seq-num.

The number you assign to the seq-num argument should not be arbitrary. This number is used to rank multiple crypto map entries within a crypto map set. Within a crypto map set, a crypto map entry with a lower seq-num is evaluated before a map entry with a higher seq-num; that is, the map entry with the lower number has a higher priority.

Richard Noggin fucked around with this message at Jul 6, 2009 around 13:05
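
The two rules in the quoted reference explain the broken config above: entries that share a map-name form one set and are tried in ascending seq-num order, and `crypto map <name> interface outside` binds exactly one set to the interface, so the later `crypto map raMap interface outside` line replaced the `toCottage` binding. With only `raMap` on the interface there is no entry offering the esp-3des/esp-sha-hmac transform set the cottage PIX proposes, which is consistent with the "atts not acceptable" in the debug output. The following is an added Python model of that evaluation (not the thread's configs, not Cisco code, and not Herv's advice, which the thread does not show): it replays the posted arrangement and then a single set holding both entries, with the dynamic entry given the highest seq-num so the static site-to-site entry is evaluated first, as Cisco's documentation recommends. The remote-client address and the `outsideMap` name are constructed for the example.

```python
"""Model of how a PIX/ASA picks a crypto map entry for a phase-2 proposal.

Added illustration, not code or configuration from the thread. A static entry
matches only a proposal whose proxy identities are covered by its 'match
address' ACL (and whose peer it names); a dynamic entry has no ACL and accepts
any identities. Either kind accepts only a transform set it lists.
"""
from dataclasses import dataclass
from typing import Optional

# Transform sets from the posted depot-pix config.
TRANSFORM_SETS = {
    "strong": ("esp-3des", "esp-sha-hmac"),
    "raVPN": ("esp-des", "esp-md5-hmac"),
}
# 'access-list vpn permit ip 192.168.0.0/24 192.168.10.0/24' as (local, remote) proxy identities.
VPN_ACL = frozenset({("192.168.0.0/24", "192.168.10.0/24")})


@dataclass(frozen=True)
class Proposal:
    """A quick-mode proposal as the responder sees it."""
    peer: str
    local_net: str
    remote_net: str
    transform: tuple


@dataclass(frozen=True)
class Entry:
    """One 'crypto map <name> <seq> ...' entry; match_address=None marks a dynamic entry."""
    seq: int
    transform_sets: frozenset
    match_address: Optional[frozenset] = None
    peer: Optional[str] = None


class Interface:
    def __init__(self):
        self.crypto_map = None          # the single bound map-name

    def bind(self, map_name):
        """'crypto map <map_name> interface outside': replaces any earlier binding."""
        self.crypto_map = map_name


def negotiate(crypto_maps, interface, proposal):
    """Return ("accepted", seq) or ("rejected", reason), reason worded like the debug output."""
    if interface.crypto_map is None:
        return ("rejected", "no crypto map on interface")
    for entry in sorted(crypto_maps[interface.crypto_map], key=lambda e: e.seq):
        if entry.peer is not None and entry.peer != proposal.peer:
            continue                    # static entry for another peer
        if entry.match_address is not None and \
                (proposal.local_net, proposal.remote_net) not in entry.match_address:
            continue                    # proxy identities not covered by 'match address'
        if any(TRANSFORM_SETS[name] == proposal.transform for name in entry.transform_sets):
            return ("accepted", entry.seq)
    return ("rejected", "atts not acceptable")


# Constructed proposals: the cottage PIX offering 'strong', and a remote-access
# client (placeholder address) offering 'raVPN' for its pool address.
SITE_TO_SITE = Proposal("cottage-pix", "192.168.0.0/24", "192.168.10.0/24", TRANSFORM_SETS["strong"])
REMOTE_CLIENT = Proposal("198.51.100.7", "192.168.0.0/24", "192.168.20.10/32", TRANSFORM_SETS["raVPN"])


def compare():
    results = {}

    # As posted: two separate sets, and the later 'interface outside' line wins.
    as_posted = {
        "toCottage": [Entry(20, frozenset({"strong"}), VPN_ACL, peer="cottage-pix")],
        "raMap": [Entry(10, frozenset({"raVPN"}))],
    }
    outside = Interface()
    outside.bind("toCottage")
    outside.bind("raMap")               # toCottage is no longer on the interface
    results["posted/site"] = negotiate(as_posted, outside, SITE_TO_SITE)
    results["posted/client"] = negotiate(as_posted, outside, REMOTE_CLIENT)

    # One set holding both entries; the dynamic entry gets the highest seq-num.
    one_set = {
        "outsideMap": [
            Entry(20, frozenset({"strong"}), VPN_ACL, peer="cottage-pix"),
            Entry(30, frozenset({"raVPN"})),
        ],
    }
    outside = Interface()
    outside.bind("outsideMap")
    results["merged/site"] = negotiate(one_set, outside, SITE_TO_SITE)
    results["merged/client"] = negotiate(one_set, outside, REMOTE_CLIENT)
    return results


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(f"{case:15s} {outcome}")
```

Reading the debug with this model in mind: when a peer's proposal is rejected as "atts not acceptable", the first thing to check is which map-name `show crypto map` reports on the interface, and whether any entry in that one set both covers the peer's proxy identities and lists the proposed transform set.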

Richard Noggin
Jun 6, 2005
Redneck By Default


Herv posted:

RANCID should do what you want. For hand storing multiple copies of documents you can use Visual Source Safe or CVS or some other version control system.

RANCID's Clogin is next to godly.

I just installed this, and it's pretty sweet. Thanks!

Richard Noggin
Jun 6, 2005
Redneck By Default


Herv posted:

crypto map help

Thanks for this, it works perfectly now.

Richard Noggin
Jun 6, 2005
Redneck By Default


Anyone familiar with SLAs on an ASA 5505? My SLA is working (somewhat), but the debug sla monitor trace command does not produce any results whatsoever. I'm waiting on the SmartNET info from the customer so I can call TAC, but wanted to see if anyone else has seen this.

Richard Noggin
Jun 6, 2005
Redneck By Default


jwh posted:

Are you confusing the memory size of the BGP RIB with the installed FIB? On hardware forwarding platforms, it's the installed FIB which often teetered on the edge of 256k entries, which was the TCAM limit on a number of platforms such as Sup32 or non XL 720s (I think).

You know jwh, I hope you make a fuckton of money. Your knowledge of this stuff is insane.

Richard Noggin
Jun 6, 2005
Redneck By Default


Richard Noggin posted:

Anyone familiar with SLAs on an ASA 5505? My SLA is working (somewhat), but the debug sla monitor trace command does not produce any results whatsoever. I'm waiting on the SmartNET info from the customer so I can call TAC, but wanted to see if anyone else has seen this.

Just heard back from TAC - there's a yet-unresolved bug that requires you to first enter 'sh console-output':

Cisco posted:

CSCse57114 Bug Details
'debug sla monitor trace' only outputs data to console port

Symptom:
When enabling the firewall debug 'debug sla monitor trace' the debug output will only be displayed on the console port, and not within a ssh or telnet session.

Conditions:
The command 'debug sla monitor trace' must be entered on the firewall

Workaround:
Observe the debugs with the command 'show console-output'

Figured I'd throw this out there for anyone with the same problem.

Richard Noggin
Jun 6, 2005
Redneck By Default


Anyone have any experience configuring SSH access to an 1130AG? The documentation is pretty confusing. I just want to authenticate locally.

Richard Noggin
Jun 6, 2005
Redneck By Default


Can you elaborate on how to turn on login on vtys? Here's what I have:

code:
Building configuration...

Current configuration : 2492 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ap-guest-1
!
enable secret 5 xxxxxxxxxx
enable password 7 xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local none
!
aaa session-id common
ip domain name domain.name
!
!

dot11 ssid Guest
   vlan 3
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxx
!
power inline negotiation prestandard source
!
!
username Cisco privilege 7 password 7 xxxxxxxxxxxxxxxx
username test privilege 15 password 7 xxxxxxxxxxxxxxxxxx
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 encryption vlan 3 mode ciphers tkip
 !
 ssid Guest
 !
 speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio1
 no ip address
 no ip route-cache
 shutdown
 no dfs band block
 channel dfs
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
!
interface FastEthernet0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.3
 encapsulation dot1Q 3
 no ip route-cache
!
interface BVI1
 ip address 192.168.1.2 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.1.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 rotary 1
 no exec
 transport input all
!
end
I know there's some hosed up stuff in here.

Richard Noggin fucked around with this message at Nov 18, 2009 around 18:54

Richard Noggin
Jun 6, 2005
Redneck By Default


ragzilla posted:

also you may want to turn off 'no exec' on the vtys if you want people to be able to ssh/telnet in.

Ah, removing 'no exec' did the trick. Thanks!

Richard Noggin
Jun 6, 2005
Redneck By Default


Strange. I installed Solarwinds TFTP server on my Win 7 system, put an ASA image in the tftp-root directory and used an XP client to pull the files. Using md5sum, I confirmed that both files were identical. I then tried to transfer the same image to an ASA. It failed very early in the copy process.

What happens if you run verify against that image?

edit: this is the error message I get on the ASA:

WARNING: TFTP download incomplete!
!
%Error reading tftp://x.x.x.x/asa821-k8-1.bin (Unspecified Error)

Richard Noggin fucked around with this message at Dec 7, 2009 around 19:45

Richard Noggin
Jun 6, 2005
Redneck By Default


nex posted:

So my trusty field-laptop is starting to give up its ghost and I need a new one. I've been looking at getting a lightweight netbook with good battery life and it looks like the Asus UL30A is a good choice.

What's troubling me is the lack of native serial ports on new laptops, because USB dongles have been pretty hit and miss for me in the past. Having to fiddle with your USB-serial dongle is not something you want to focus on when a CR has poo poo the bed or you are on the other side of the country installing some new gear.

So tell me, what are your favorite USB-serial kits? Or if USB is crap, favorite laptop with native serial interface? Cost is pretty much a non issue.

I'm running an IOGear GUC232A. Works flawlessly with Win 7 and XP (and presumably Vista as well), although you do need to install the drivers for it. Tested on an ASA 5505 and a 3560G.

Richard Noggin
Jun 6, 2005
Redneck By Default


Doesn't the gigabit standard dictate autonegotiation?

Richard Noggin
Jun 6, 2005
Redneck By Default


Tremblay posted:

You can't set duplex, but hard setting speed is allowed IIRC.

I looked it up to be sure - I was definitely wrong when I thought that using autonegotiation was mandatory in GigE environments. The implementation of autonegotiation is a requirement of being standards-compliant, but I think you have it backwards. According to this (Wiki citation):

quote:

Duplex configuration during 1000BASE-X operation can be handled either through Auto-Negotiation or through manual selection using the defined registers in clause 22. If manual configuration is used by disabling Auto-Negotiation in MII register 0.12, the duplex operation mode would be selected by bit 0.8. If Auto-Negotiation is enabled duplex configuration is controlled by the exchange of /C/ ordered sets. By definition speed selection is not possible through Auto-negotiation in 1000BASE-X operation.
...
This indicates that although operating speed is allowed to be manually selected by disabling Auto-Negotiation in Control Register 0, selecting 1000BASE-T mode of operation still requires that Auto-Negotiation be used. This can be accomplished by continuing to use Auto-Negotiation while limiting the advertising to 1000BASE-T capabilities.

Richard Noggin
Jun 6, 2005
Redneck By Default


Tremblay posted:

The last paragraph in your quote. Hard setting speed is allowed but auto still happens to setup M/S, flow control, etc. Interesting that they mention half duplex Gig. I always thought it was full only. :moreyouknow:

EDIT: sorry for the double, meant to paste this in the above post.

That would be correct for 10/100 speeds, but according to the standard the only way to force negotiation at GigE speed is to use autonegotiation with 1000BASE-T as the only option. Unless I'm really retarded and don't understand what that paragraph is saying, which is entirely possible.

Richard Noggin
Jun 6, 2005
Redneck By Default


I'm having some trouble with ACLs on a 3560. I have the following:

code:
interface Vlan10
 ip address 192.168.16.1 255.255.255.224
 ip access-group server_in in
!
interface Vlan30
 ip address 192.168.17.1 255.255.255.0
!
ip access-list extended server_in
!
My understanding is that the implicit deny in the server_in ACL should block any traffic entering that interface. But, I can ping from the 192.168.17.0/24 network to the SVI at 192.168.16.1. What gives?

Richard Noggin
Jun 6, 2005
Redneck By Default


I put in "deny icmp any any", and can still ping from Vlan30 to Vlan10.

Richard Noggin fucked around with this message at Jan 20, 2010 around 16:08

Richard Noggin
Jun 6, 2005
Redneck By Default


No change. Although I thought the 'out' keyword referred to traffic leaving the interface (inside-->out), and 'in' referred to traffic entering the interface (outside-->in)?

You edited, so will I

Here's how I am visualizing traffic flow - anything coming from Vlan 30 to Vlan 10 is considered "in" traffic by Vlan 10 and "out" traffic by Vlan 30. Yes/No?

edit 2:

Why can't ACLs be standardized between security appliances and routers/switches? Do you know how long it took me to figure out that I had to use inverse masks instead of regular old subnet masks?

Richard Noggin fucked around with this message at Jan 20, 2010 around 16:35

Richard Noggin
Jun 6, 2005
Redneck By Default


jbusbysack posted:

Also since it's device local (the identity of both L3 gateways), it's not technically going in or out the interface and the ACL doesn't apply.

I am obviously no expert, but I see no way that this is true.

Richard Noggin
Jun 6, 2005
Redneck By Default


I am really baffled now. I can't even get the examples listed here to work. I think it's TAC time.

Richard Noggin
Jun 6, 2005
Redneck By Default


jwh posted:

You have ip routing enabled, yes? I'm assuming you have. Otherwise you can create multiple SVIs but they don't work as you might expect.

Yup, ip routing is enabled. Trying a new image now (edit: no luck). And I just found out that we haven't ordered smartnet on this thing yet, so now I've got to wait a couple days. Fuuuuuuck. I really wish I was a lot better at this stuff.

Richard Noggin fucked around with this message at Jan 20, 2010 around 20:42

Richard Noggin
Jun 6, 2005
Redneck By Default


jwh posted:

Can you paste a sanitized version of your config and describe your test procedure again?

http://pastebin.com/m213bdd08

Test procedure - pinging from my laptop (192.168.17.38, VLAN 30) to the configured L3 IP of VLAN 10 (192.168.16.1). You'll see I tried to block ICMP exiting 30 and entering 10.

Richard Noggin
Jun 6, 2005
Redneck By Default


Casimirus posted:

101 doesn't apply because the traffic doesn't originate from that Vlan.
102 doesn't apply because, as jbusbysack said, ACLs don't apply to traffic originating from the switch, and also the source and destination are backwards for the response.

If you were pinging a device on Vlan10 and you applied 101 outbound instead of inbound, it would match.

I hate to sound stupid here, but I just don't get this. Can you explain a bit more in-depth as to why 101 doesn't apply? Is the ACL format not permit|deny protocol source mask destination mask? Also, on 102, the traffic is originating from my laptop. Regarding your third point, to which interface should I apply it as outbound?

Richard Noggin
Jun 6, 2005
Redneck By Default


jwh posted:

Right, you have the flow backwards.

Traffic enters the switch on VLAN 30. It exits the switch on VLAN 10.

Consider the ACL was being written from the point of view of the switch.

And the light goes on. I was thinking in terms of the interface. Thanks

Richard Noggin
Jun 6, 2005
Redneck By Default


Casimirus posted:

Your laptop 192.168.17.38 Vlan30 pinging a hypothetical device 192.168.16.2 on Vlan10. You have four places to stop it:

access-list 103 deny icmp 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.31
access-list 104 deny icmp 192.168.16.0 0.0.0.31 192.168.17.0 0.0.0.255

interface Vlan10
ip address 192.168.16.1 255.255.255.224
ip access-group 104 in <-- #3 this stops the ICMP echo reply as it enters the switch on Vlan10 if #1 and #2 don't exist
ip access-group 103 out <-- #2 this stops the ICMP echo request as it exits the switch on Vlan10 if #1 doesn't exist

interface Vlan30
ip address 192.168.17.1 255.255.255.0
ip access-group 103 in <-- #1 this stops the ICMP echo request as it enters the switch on Vlan30
ip access-group 104 out <-- #4 this stops the ICMP echo reply from exiting the switch on Vlan30 if #1,2,3 don't exist

In your case, you're pinging an SVI on the switch, there's only one way to stop it:

access-list 103 deny icmp 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.31

interface Vlan30
ip address 192.168.17.1 255.255.255.0
ip access-group 103 in

Because the SVI is inside the switch, it never enters Vlan10, and the reply can't be stopped because the ACL doesn't apply to traffic originating from the switch.

This works perfectly, thank you. Thanks also to jwh for clearing up the traffic flow confusion.
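The two points that tripped this thread up, ACL direction being judged from the switch's point of view (jwh's and Casimirus's posts above) and IOS wanting inverse (wildcard) masks rather than subnet masks (the earlier "edit 2" post), can be seen in a small simulation. The following is an added example, not code from the thread or from Cisco: it models a 3560-style switch with the two SVIs from the pastebin config (Vlan10 192.168.16.1/27, Vlan30 192.168.17.1/24), evaluates Cisco-style extended ACEs with wildcard matching, and walks an ICMP echo and its reply through the "in" and "out" hooks. The host 192.168.16.2 is the hypothetical Vlan10 device from Casimirus's post; the laptop address 192.168.17.38 is from the thread. Two IOS behaviours are encoded as assumptions in comments: an applied ACL with no entries permits all traffic, and traffic generated by the switch itself (the echo reply from an SVI) is not subject to interface ACLs.

```python
# Constructed model (not Cisco code) of IOS extended ACLs on an L3 switch with SVIs.
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' spelled as base address + wildcard

def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def netmask_to_wildcard(mask: str) -> str:
    """255.255.255.224 -> 0.0.0.31: IOS ACLs take the inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_int(mask)))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match, bit 1 = don't care (need not be contiguous)."""
    care = 0xFFFFFFFF ^ ip_int(wildcard)
    return (ip_int(addr) & care) == (ip_int(base) & care)

@dataclass
class ACE:
    action: str    # 'permit' or 'deny'
    protocol: str  # 'ip' matches every protocol, otherwise exact ('icmp', ...)
    src: str
    src_wc: str
    dst: str
    dst_wc: str

    def matches(self, proto: str, src: str, dst: str) -> bool:
        return (self.protocol in ("ip", proto) and wildcard_match(src, self.src, self.src_wc)
                and wildcard_match(dst, self.dst, self.dst_wc))

@dataclass
class ACL:
    name: str
    entries: list[ACE]

    def evaluate(self, proto: str, src: str, dst: str) -> str:
        if not self.entries:
            return "permit"  # assumed IOS behaviour: an applied ACL with no entries permits everything
        for ace in self.entries:
            if ace.matches(proto, src, dst):
                return ace.action
        return "deny"  # implicit deny at the end of every non-empty ACL

@dataclass
class SVI:
    name: str
    address: str
    netmask: str
    acl_in: Optional[ACL] = None
    acl_out: Optional[ACL] = None

    def contains(self, addr: str) -> bool:
        return wildcard_match(addr, self.address, netmask_to_wildcard(self.netmask))

class L3Switch:
    def __init__(self, svis: list[SVI]):
        self.svis = svis

    def svi_for(self, addr: str) -> Optional[SVI]:
        return next((s for s in self.svis if s.contains(addr)), None)

    def is_own_address(self, addr: str) -> bool:
        return any(s.address == addr for s in self.svis)

    def forward(self, proto: str, src: str, dst: str) -> str:
        """Route one packet: 'in' is checked on the SVI it ENTERS, 'out' on the SVI it EXITS."""
        ingress = self.svi_for(src)
        if ingress is None:
            return "dropped:no-route"
        if ingress.acl_in and ingress.acl_in.evaluate(proto, src, dst) == "deny":
            return f"dropped:{ingress.acl_in.name} in {ingress.name}"
        if self.is_own_address(dst):
            return "delivered:to-switch"  # terminates inside the switch, so no 'out' ACL is consulted
        egress = self.svi_for(dst)
        if egress is None:
            return "dropped:no-route"
        if egress.acl_out and egress.acl_out.evaluate(proto, src, dst) == "deny":
            return f"dropped:{egress.acl_out.name} out {egress.name}"
        return "delivered:to-host"

    def ping(self, src: str, dst: str) -> tuple[str, str]:
        """(echo request result, echo reply result)."""
        request = self.forward("icmp", src, dst)
        if not request.startswith("delivered"):
            return request, "not-sent"
        if self.is_own_address(dst):
            return request, "delivered:switch-originated"  # assumed: locally generated traffic bypasses ACLs
        return request, self.forward("icmp", dst, src)

def build_switch(v10_in=None, v10_out=None, v30_in=None, v30_out=None) -> L3Switch:
    return L3Switch([SVI("Vlan10", "192.168.16.1", "255.255.255.224", v10_in, v10_out),
                     SVI("Vlan30", "192.168.17.1", "255.255.255.0", v30_in, v30_out)])

LAPTOP, SVI10, HOST10 = "192.168.17.38", "192.168.16.1", "192.168.16.2"  # HOST10 is hypothetical
DENY_30_TO_10 = ACE("deny", "icmp", "192.168.17.0", "0.0.0.255", "192.168.16.0", "0.0.0.31")  # acl 103

def scenario_deny_any_in_on_vlan10() -> tuple[str, str]:
    """'deny icmp any any' in on Vlan10: the request enters on Vlan30, so it is never evaluated."""
    return build_switch(v10_in=ACL("server_in", [ACE("deny", "icmp", *ANY, *ANY)])).ping(LAPTOP, SVI10)

def scenario_deny_in_on_vlan30() -> tuple[str, str]:
    """The fix from the thread: the only hook that sees a ping aimed at the Vlan10 SVI."""
    return build_switch(v30_in=ACL("103", [DENY_30_TO_10])).ping(LAPTOP, SVI10)

def scenario_permit_with_subnet_mask_typo() -> tuple[str, str]:
    """A subnet mask typed where IOS wants a wildcard: only .0 hosts match, the laptop hits the implicit deny."""
    typo = ACE("permit", "icmp", "192.168.17.0", "255.255.255.0", "192.168.16.0", "255.255.255.224")
    return build_switch(v30_in=ACL("103", [typo])).ping(LAPTOP, SVI10)

def scenario_host_reply_caught_by_vlan10_in() -> tuple[str, str]:
    """Pinging a real host on Vlan10: acl 104 'in' on Vlan10 passes the request but drops the reply."""
    deny_10_to_30 = ACE("deny", "icmp", "192.168.16.0", "0.0.0.31", "192.168.17.0", "0.0.0.255")
    return build_switch(v10_in=ACL("104", [deny_10_to_30])).ping(LAPTOP, HOST10)
```

The first scenario reproduces the "deny icmp any any, still pingable" result from earlier in the thread, the second reproduces the working fix, and the third shows why a subnet mask in place of a wildcard silently fails to match the hosts you meant (a permit that matches nothing leaves everything to the implicit deny). The last scenario is Casimirus's hypothetical host case, where the ACL on Vlan10 is consulted, but for the reply rather than the request.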

Richard Noggin
Jun 6, 2005
Redneck By Default


Sojourner posted:

But over twice the cost of a cisco RV042.

I have heard nothing but horror stories about the RV042. In fact, we yanked one out of a customer's site because the VPN client wouldn't work, and Linksys support was unable to resolve the problem.

Richard Noggin fucked around with this message at Jan 21, 2010 around 19:17

Richard Noggin
Jun 6, 2005
Redneck By Default


inignot posted:

Looks like a Linksys toy with "Cisco" written on it, not an IOS based device.

That's exactly what it is.


Richard Noggin
Jun 6, 2005
Redneck By Default


Isn't the FWSM really running the PIX OS? From PIX 6.3:

code:
pix(config)# no access-list ?
Usage:  [no] access-list compiled
[no] access-list deny-flow-max <n>
[no] access-list alert-interval <secs>
[no] access-list <id> compiled
[no] access-list <id> [line <line-num>] remark <text>
[no] access-list <id> [line <line-num>] deny|permit
        <protocol>|object-group <protocol_obj_grp_id>
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<operator> <port> [<port>] | object-group <service_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
[no] access-list <id> [line <line-num>] deny|permit icmp
        <sip> <smask> | interface <if_name> | object-group <network_obj_grp_id>
        <dip> <dmask> | interface <if_name> | object-group <network_obj_grp_id>
        [<icmp_type> | object-group <icmp_type_obj_grp_id>]
        [log [disable|default] | [<level>] [interval <secs>]]
Restricted ACLs for route-map use:
[no] access-list <id> deny|permit {any | <prefix> <mask> | host <address>}
