Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Cisco Short Questions Thread v12.4.9(WTF)
«430 »
 
  • Post
  • Reply
DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

less than three posted:

It doesn't really matter anyways, because the subinterface number is just an arbitrary choice and doesn't have to actually match the VLAN specified in encapsulation dot1q

But generally matching them up seems like a best practice so you don't kill yourself :)

* # ? Jul 8, 2015 13:40
  • Quote
Adbot
ADBOT LOVES YOU

# ? Apr 26, 2024 19:07
  • Quote
Moey
Oct 22, 2010

I LIKE TO MOVE IT

less than three posted:

It doesn't really matter anyways, because the subinterface number is just an arbitrary choice and doesn't have to actually match the VLAN specified in encapsulation dot1q

Why would anyone do that though? Just to make glancing at the config confusing?

* # ? Jul 8, 2015 14:52
  • Quote
psydude
Apr 1, 2008

Dr. Arbitrary posted:

Are there other uses for subinterfaces or some other reason to have such a huge range available?

Subinterfaces are used in a lot of VRF configurations. As mentioned, the subinterface number is arbitrary, so they're generally numbered to make understanding the configuration easier.

* # ? Jul 8, 2015 15:25
  • Quote
Dalrain
Nov 13, 2008

Experience joy,
Experience waffle,
Today.

Barracuda Bang! posted:

for just under $800, h

If you're willing to drop 800 anyway, consider the e-learning course from Cisco themselves: https://learningnetworkstore.cisco....ars-v2-0-015705

It has interactive lessons, and they did a little bit of gamification that's helpful for motivation. Try the demo, see if the format is something you like.

* # ? Jul 8, 2015 15:33
  • Quote
FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
 So how many of y'all had ASAs reboot today?

* # ? Jul 9, 2015 02:21
  • Quote
ragzilla
Sep 9, 2005
don't ask me, i only work here

FatCow posted:

So how many of y'all had ASAs reboot today?

None that I'm aware of, and $JOB[-1] didn't either afaik. Hit a bug?

* # ? Jul 9, 2015 02:42
  • Quote
less than three
Aug 9, 2007



Fallen Rib
Was that why UAL and NYSE went down?

* # ? Jul 9, 2015 02:44
  • Quote
FatCow
Apr 22, 2002
I MAP THE FUCK OUT OF PEOPLE
 There is a rumor that WSJ/UAL/NYSE were hit by the same, but honestly if they have mission critical non-HA ASAs running old code they don't deserve to be in business.

http://mailman.nanog.org/pipermail/nanog/2015-July/077169.html

* # ? Jul 9, 2015 03:56
  • Quote
psydude
Apr 1, 2008

FatCow posted:

There is a rumor that WSJ/UAL/NYSE were hit by the same, but honestly if they have mission critical non-HA ASAs running old code they don't deserve to be in business.

http://mailman.nanog.org/pipermail/nanog/2015-July/077169.html

Hah dude, I routinely see mission critical firewalls running pre-8.4 code. Usually because the owners brought me in to update them to 9.X and migrate their configs in TYOOL 2015.

* # ? Jul 9, 2015 04:09
  • Quote
Slickdrac
Oct 5, 2007

Not allowed to have nice things

psydude posted:

Hah dude, I routinely see mission critical firewalls running pre-8.4 code. Usually because the owners brought me in to update them to 9.X and migrate their configs in TYOOL 2015.

I recently helped a large financial organization everyone is familiar with the name of to migrate off their PIX firewalls at HQ.

* # ? Jul 9, 2015 04:18
  • Quote
Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
What is the most efficient way to roll out firmware updates in bulk, for example multiple 2960s at once? Would it be to upload the firmware to one switch and have the rest of them point there for tftp?

* # ? Jul 9, 2015 08:47
  • Quote
Prescription Combs
Apr 20, 2005
   6
Anyone have any 5506/8-X's running in production yet? If so, how's the performance?

* # ? Jul 9, 2015 16:07
  • Quote
Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY
I'll know in a week, just sold our first one and waiting for it to come in so I can get it on a customer site. I've got a 5506x thats been on my desk for 2 weeks and I've put myself behind it and natted myself into our LAN to test it out, the firepower stuff seems decent but the management gui for firepower is slow as hell on the 5506

* # ? Jul 9, 2015 19:20
  • Quote
pctD
Aug 25, 2009



Pillbug
I'm currently redesigning our data center network into a L3 Clos fabric but I wanted to get something clarified. I'm migrating from a traditional tree network with two MLAG cores handling all of the L2/L3 endpoints. This will be accomplished with mostly Arista L3 switches.

In the new config, the L3 leaves are at each ToR and will be the L3 endpoint for the VLAN in that rack. Those will route to the 4 spines with ECMP. This is a fairly easy conversion because we are already segregating each rack into its own VLAN in the current architecture.

The part I'm stuck on is where to put the external L2 VLAN that houses our public address space, since the spines are not going to be connected to each other. In the previous architecture we would just tag that VLAN down to the TOR switches that needed it, but this won't be possible in the new architecture. Do I need to aggregate up to an edge layer or create another leaf and treat that VLAN as any other?

* # ? Jul 10, 2015 22:21
  • Quote
adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer
I have a 60+ branch network. I am considering installing two internet services at each branch and cancelling my mpls and metro ethernet services. We use voip.

1) am i crazy?
2) if yes, how crazy?

Most of my branches have about 4-8 users and are all in one state. Every remote user accesses their applications via VDI, and have no local apps.

* # ? Jul 11, 2015 00:55
  • Quote
funk_mata
Nov 1, 2005

I'm hot for you and you're hot for me--ooka dooka dicka dee.
Clapping Larry

adorai posted:

I have a 60+ branch network. I am considering installing two internet services at each branch and cancelling my mpls and metro ethernet services. We use voip.

1) am i crazy?
2) if yes, how crazy?

Most of my branches have about 4-8 users and are all in one state. Every remote user accesses their applications via VDI, and have no local apps.

This is the cool thing to do nowadays. I think it's okay as long as VoIP is dedicated to one of the circuits and data to the other, the branches are okay with a "best effort" approach to VoIP quality troubleshooting, and you are okay with the nightmare of working with multiple ISPs for the various outages you experience. If you can't tell, the last point was the pain point when I was part of managing a similar environment.

* # ? Jul 11, 2015 02:15
  • Quote
1000101
May 14, 2003

BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY BIRTHDAY FRUITCAKE!

pctD posted:

I'm currently redesigning our data center network into a L3 Clos fabric but I wanted to get something clarified. I'm migrating from a traditional tree network with two MLAG cores handling all of the L2/L3 endpoints. This will be accomplished with mostly Arista L3 switches.

In the new config, the L3 leaves are at each ToR and will be the L3 endpoint for the VLAN in that rack. Those will route to the 4 spines with ECMP. This is a fairly easy conversion because we are already segregating each rack into its own VLAN in the current architecture.

The part I'm stuck on is where to put the external L2 VLAN that houses our public address space, since the spines are not going to be connected to each other. In the previous architecture we would just tag that VLAN down to the TOR switches that needed it, but this won't be possible in the new architecture. Do I need to aggregate up to an edge layer or create another leaf and treat that VLAN as any other?

You might dedicate a set of leaf nodes to act as your network edge where your outside IP range lives. If your public facing networks are in multiple racks, consider looking at VXLAN to get the traffic to your edge rack.

I believe Arista supports taking VLANs and bridging them into VXLAN for the purposes of making a broadcast domain live "anywhere" regardless of the l3 topology. Basically in the top of rack switch it would be vlan 99; but when the switch needs to forward it it'll wrap it in VXLAN (basically ethernet in UDP) then treat it like any other l3 traffic.

I may not have been clear so feel free to ask clarifying questions.

* # ? Jul 11, 2015 03:11
  • Quote
wolrah
May 8, 2006
what?

funk_mata posted:

This is the cool thing to do nowadays. I think it's okay as long as VoIP is dedicated to one of the circuits and data to the other, the branches are okay with a "best effort" approach to VoIP quality troubleshooting, and you are okay with the nightmare of working with multiple ISPs for the various outages you experience. If you can't tell, the last point was the pain point when I was part of managing a similar environment.

Been doing hosted VoIP via SMB-class internet connections for 10 years now and you pretty much hit the pain points right on the nose. Most of my customers don't even have two connections and it usually works out, but I think they're nuts for doing that if they consider their phones important.

* # ? Jul 11, 2015 03:39
  • Quote
single-mode fiber
Dec 30, 2012

 If call quality is exceedingly important to you, for calls from one office to another, then I would stick with your MPLS VPN for take the sake of getting to maintain your DSCP/CoS tags. However, I'll also say that, even in an MPLS VPN, where troubleshooting call quality can theoretically be done end to end, it can quickly become a total nightmare to try to pull this off, especially if you have centralized border controllers in an offsite data center. If the cost differential between commercial broadband and MPLS is pretty large, then I'd say go for it, especially if you can dump the trouble of maintaining and troubleshooting all those different telco circuits onto a chump-rear end MSP like the one funk_mata is describing. Cell phones, and their attendant call quality, are so ubiquitous now that, as long as your VoIP calls don't sound any worse than a cell phone, users aren't really going to complain.

* # ? Jul 11, 2015 18:33
  • Quote
Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY

adorai posted:

I have a 60+ branch network. I am considering installing two internet services at each branch and cancelling my mpls and metro ethernet services. We use voip.

1) am i crazy?
2) if yes, how crazy?

Most of my branches have about 4-8 users and are all in one state. Every remote user accesses their applications via VDI, and have no local apps.

Done this a few months ago for a 20 branch customer. Each site had MPLS and it was getting silly expensive, and pretty much most places in the UK now at least have FTTC. Had to get an EFM circuit for one site and the rest all have FTTC now. They have a couple of core sites in all one road that are all fibered up, so I bought a three 4451-X's and some nice lines for the sites there and am running virtual templates on them with PKI for the VPN's with the branches. We've had one or two issues with the lines but otherwise its going really well and the customer is happy because its saving them 6 figures a year on MPLS lines.

For another customer we are doing what funk_mata described. Two lines, voice goes on one, anything else on the other

* # ? Jul 13, 2015 13:48
  • Quote
Thanks Ants
May 21, 2004

#essereFerrari


 Do you find the performance of the VPNs over "the Internet" and contended links is acceptable in terms of latency/jitter etc? Or are your FTTC lines generally from the same providers as the other circuits so you don't have to deal with peering congestion?

* # ? Jul 13, 2015 20:56
  • Quote
Richard Noggin
Jun 6, 2005
Redneck By Default
 I have a seemingly simple DMVPN config that just won't work. I've tried making the hub the spoke and the spoke the hub, and it has the same problem - NHRP registration never completes, and sometimes the hub doesn't even see the request. This persists across a 1941, 2 892s, and an 870; as well as five different circuits from several vendors. I've managed to stump TAC so far. Any ideas? 1.2.3.4 is the IP of gi8 on the hub.

code:
Hub:
interface Tunnel0
 description dmvpn
 ip address 172.16.54.1 255.255.255.240
 no ip redirects
 ip nhrp authentication ###
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet8
 tunnel mode gre multipoint

Spoke:
interface Tunnel0
 description dmvpn
 ip address 172.16.54.2 255.255.255.240
 no ip redirects
 ip nhrp authentication ###
 ip nhrp map multicast dynamic
 ip nhrp map 172.16.54.1 1.2.3.4
 ip nhrp map multicast 1.2.3.4
 ip nhrp network-id 1
 ip nhrp nhs 1.2.3.4
 tunnel source Dialer1
 tunnel mode gre multipoint
 
Debug logs - hub

Jul 14 00:18:29.000: NHRP-ERROR: Packet Recved with unsupported Address Family Number.
Jul 14 00:18:29.000: NHRP-ERROR: Incorrect NBMA Network length = 200 on Vlan1
Jul 14 00:18:29.000: NHRP-ERROR: Unable to get fun for protocol 2
Jul 14 00:18:31.000: NHRP-ERROR: Packet Recved with unsupported Address Family Number.
Jul 14 00:18:31.000: NHRP-ERROR: Incorrect NBMA Network length = 59 on Vlan1
Jul 14 00:18:31.000: NHRP-ERROR: Unable to get fun for protocol 2
Jul 14 00:18:31.524: NHRP-ERROR: Packet Recved with unsupported Address Family Number.
Jul 14 00:18:31.524: NHRP-ERROR: Incorrect NBMA Network length = 246 on Vlan1
Jul 14 00:18:31.524: NHRP-ERROR: Unable to get fun for protocol 2

Spoke:

*Aug  8 22:01:18.458: %LINK-5-CHANGED: Interface Tunnel0, changed state to administratively down
*Aug  8 22:01:18.462: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
*Aug  8 22:01:30.877: NHRP: if_up: Tunnel0 proto 0
*Aug  8 22:01:30.881: NHRP: Tunnel0: Cache add for target 172.16.54.1/32 next-hop 172.16.54.1
*Aug  8 22:01:30.881:            1.2.3.4
*Aug  8 22:01:30.881: NHRP: Adding Tunnel Endpoints (VPN: 172.16.54.1, NBMA: 1.2.3.4)
*Aug  8 22:01:30.885: NHRP: Successfully attached NHRP subblock for Tunnel Endpoints         (VPN: 172.16.54.1, NBMA: 1.2.3.4)
*Aug  8 22:01:30.885: NHRP: Inserted subblock node for cache: Target Inserted subblock node for cache: Target 172.16.54.1/32nhop 172.16.54.1
*Aug  8 22:01:30.885: NHRP: Converted internal static cache entry for 172.16.54.1/32 interface Tunnel0 to external
*Aug  8 22:01:30.885: NHRP: Adding multicast map entry to multicast list1.2.3.4
*Aug  8 22:01:32.805: NHRP: Setting retrans delay to 2 for nhs  dst 1.2.3.4
*Aug  8 22:01:32.877: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
*Aug  8 22:01:32.877: NHRP: if_up: Tunnel0 proto 0
*Aug  8 22:01:32.877: NHRP: Tunnel0: Cache update for target 172.16.54.1/32 next-hop 172.16.54.1
*Aug  8 22:01:32.877:            1.2.3.4
*Aug  8 22:01:32.877: NHRP: Adding Tunnel Endpoints (VPN: 172.16.54.1, NBMA: 1.2.3.4)
*Aug  8 22:01:32.877: NHRP: NHRP subblock already exists for Tunnel Endpoints         (VPN: 172.16.54.1, NBMA: 1.2.3.4)
*Aug  8 22:01:32.881: NHRP: Cache already has a subblock node attached for                       Tunnel Endpoints (VPN: 172.16.54.1, NBMA: 1.2.3.4)
*Aug  8 22:01:32.881: NHRP: Adding multicast map entry to multicast list1.2.3.4
*Aug  8 22:01:32.881: NHRP: Resetting retransmit due to hold-timer for 1.2.3.4
*Aug  8 22:01:32.881: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Aug  8 22:01:34.466: NHRP: Setting retrans delay to 4 for nhs  dst 1.2.3.4
*Aug  8 22:01:37.615: NHRP: NHS-DOWN: 1.2.3.4
*Aug  8 22:01:37.615: NHRP: Already pending Registration Request for NHS: 1.2.3.4
*Aug  8 22:01:37.615: NHRP: Setting retrans delay to 8 for nhs  dst 1.2.3.4
*Aug  8 22:01:45.572: NHRP: Setting retrans delay to 16 for nhs  dst 1.2.3.4
*Aug  8 22:01:58.799: NHRP: Setting retrans delay to 32 for nhs  dst 1.2.3.4
*Aug  8 22:02:24.477: NHRP: Setting retrans delay to 64 for nhs  dst 1.2.3.4

* # ? Jul 14, 2015 01:29
  • Quote
DeNofa
Aug 25, 2009

WILL AMOUNT TO NOTHING IN LIFE.

Richard Noggin posted:

I have a seemingly simple DMVPN config that just won't work. I've tried making the hub the spoke and the spoke the hub, and it has the same problem - NHRP registration never completes, and sometimes the hub doesn't even see the request. This persists across a 1941, 2 892s, and an 870; as well as five different circuits from several vendors. I've managed to stump TAC so far. Any ideas? 1.2.3.4 is the IP of gi8 on the hub.

[code]
Hub:
interface Tunnel0
description dmvpn
ip address 172.16.54.1 255.255.255.240
no ip redirects
ip nhrp authentication ###
ip nhrp map multicast dynamic
ip nhrp network-id 1
tunnel source GigabitEthernet8
tunnel mode gre multipoint

Spoke:
interface Tunnel0
description dmvpn
ip address 172.16.54.2 255.255.255.240
no ip redirects
ip nhrp authentication ###
ip nhrp map multicast dynamic
ip nhrp map 172.16.54.1 1.2.3.4
ip nhrp map multicast 1.2.3.4
ip nhrp network-id 1
ip nhrp nhs 1.2.3.4
tunnel source Dialer1
tunnel mode gre multipoint


For your Spoke's NHRP configuration, the NHS should be the protocol (tunnel) address, not the NBMA address. From the Hub debugs it looks like it's decap'ing the GRE packet and throwing the NHRP frame packet on the vlan. Other than that it looks like everything should come right up.

* # ? Jul 14, 2015 01:32
  • Quote
Richard Noggin
Jun 6, 2005
Redneck By Default
 Whoops, sorry - that was my typo while sanitizing the config. The actual config has the correct values. Here's what I see on the spoke:

code:
spoke-rtr(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

Interface: Tunnel0, IPv4 NHRP Details
Type:Spoke, NHRP Peers:1,

 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1    1.2.3.4     172.16.54.1  NHRP 00:00:01     S
and the hub:

code:
hub-rtr(config-if)#do sh dmvpn
Legend: Attrb --> S - Static, D - Dynamic, I - Incomplete
        N - NATed, L - Local, X - No Socket
        # Ent --> Number of NHRP entries with same NBMA peer
        NHS Status: E --> Expecting Replies, R --> Responding, W --> Waiting
        UpDn Time --> Up or Down Time for a Tunnel
==========================================================================

* # ? Jul 14, 2015 01:44
  • Quote
Ahdinko
Oct 27, 2007

WHAT A LOVELY DAY

Thanks Ants posted:

Do you find the performance of the VPNs over "the Internet" and contended links is acceptable in terms of latency/jitter etc? Or are your FTTC lines generally from the same providers as the other circuits so you don't have to deal with peering congestion?

They are all from the same provider except from the EFM, because apparently they bought that office in the rear end end of nowhere. latency and jitter are very good, usually sub 15-20ms latency between any site and HQ.
Keep in mind this is the UK though, and the longest road distance between sites is 340 miles. I guess YMMV for big ol american stuff going all over the place.

* # ? Jul 14, 2015 16:59
  • Quote
Richard Noggin
Jun 6, 2005
Redneck By Default
 Strangeness. I was able to get the DMVPN going today by nuking the tunnel interface config from all routers, then reapplying it first to the hub, and then the spokes. If I didn't remove it from all, the tunnel never comes up.

* # ? Jul 14, 2015 17:32
  • Quote
Methanar
Sep 26, 2013

by the sex ghost
So I've got a new ASA 5506-X to replace an ASA 5505.

I wanted to just copy/paste the running config from old to new, but it turns out that the 5506 doesn't have switching capabilities.

How do I do vlans?

* # ? Jul 14, 2015 22:11
  • Quote
psydude
Apr 1, 2008

Methanar posted:

So I've got a new ASA 5506-X to replace an ASA 5505.

I wanted to just copy/paste the running config from old to new, but it turns out that the 5506 doesn't have switching capabilities.

How do I do vlans?

Are you trying to do router on a stick down to a layer 2 switch? In that case, it's as simple as creating a subinterface and then issuing the vlan configuration command to set the appropriate vlan tag. Make sure you assign an IP address as well and that the port on the L2 switch is configured as a trunk.

* # ? Jul 14, 2015 23:33
  • Quote
Methanar
Sep 26, 2013

by the sex ghost

psydude posted:

Are you trying to do router on a stick down to a layer 2 switch? In that case, it's as simple as creating a subinterface and then issuing the vlan configuration command to set the appropriate vlan tag. Make sure you assign an IP address as well and that the port on the L2 switch is configured as a trunk.

The firewall is doing NAT and traffic filtering. In the configs the interfaces have OSPF costs associated with them, but the firewall doesn't seem to have any real routing going on. We have a 2911 router doing something but nobody knows the password for it and I'm not allowed to recover the password.



I don't know anything about firewalls, routers and switches I'm pretty good at though. I'm ridiculously unqualified for this but I'm trying to be a hero.

The current 5505 has three interfaces and each interface is assigned a vlan. I can't check but I very strongly doubt any of the other devices actually use vlans.

Inside= f0/1 and f0/3 = vlan 1

outside = f0/0 and f0/4 = vlan 2

dmz = f0/2 = vlan 12

I've got something resembling this on the 5505 right now, so whats equivalent of this without switchport functionality?

quote:

interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

I was thinking I could, for example, assign Inside to g1/8 and resuse the current IP address that the 5505 has set for Inside on the 5506 for Inside. I move everything currently plugged into a 5505 vlan 1 port into a switch that's plugged into the 5506's single Inside. To me the picture below makes sense, except the barracuda device is part of the Outside vlan, but it doesn't have an real public IP. I don't remember it having any special ACL rules either. Honestly it might not even be doing anything.
* # ? Jul 15, 2015 01:53
  • Quote
Richard Noggin
Jun 6, 2005
Redneck By Default
 Pretending 10.1.1.1/30 is your outside IP, and 172.16.1.1/24 is your inside...

int gi0/0
nameif outside
security-level 0
ip address 10.1.1.1 255.255.255.252

int gi0/1
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0


You don't need the ospf statements, IIRC they're put there when someone configures the interface with ASDM.

* # ? Jul 15, 2015 02:40
  • Quote
Methanar
Sep 26, 2013

by the sex ghost
Okay I think I've figured that out.


It turns out the way NAT works has changed though. Right now all my live NAT rules are being called exemptions in the ASDM, but in the new one I don't even see the choice to create something called an exemption. Lots of my ACLs have incorrect syntax too. I don't suppose there's an easy way of fixing this, is there?

quote:

global (inside) 13 interface
global (outside) 13 interface
global (dmz) 13 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 13 0.0.0.0 0.0.0.0
nat (dmz) 0 access-list dmz_nat0_outbound
static (inside,outside) MLP_LN2 MLP_LN1 netmask 255.255.255.255
static (inside,dmz) 129.129.30.0 129.129.30.0 netmask 255.255.255.0
static (inside,dmz) 172.16.25.0 172.16.25.0 netmask 255.255.255.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group dmz_access_in_1 in interface dmz
access-list inside_nat0_outbound extended permit ip object-group MeadowNetwork S
erpong_HQ 255.255.0.0
access-list outside_1_cryptomap extended permit ip object-group MeadowNetwork Se
rpong_HQ 255.255.0.0

quote:

mlpasafirewall(config)# global (inside) 13 interface
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
* # ? Jul 15, 2015 18:06
  • Quote
Tremblay
Oct 8, 2002
More dog whistles than a Petco
Read this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/upgrading/migrating.html

You were running super old code on that 5505 I gather.

* # ? Jul 15, 2015 18:16
  • Quote
Methanar
Sep 26, 2013

by the sex ghost


Ultimately all I want to do is replace the 5505 (left) with 5506 and have it still work. I don't have the option to create rule exemptions for the 5506.

I've already gone through that cisco link, but it's pretty far over my head right now.

* # ? Jul 15, 2015 19:43
  • Quote
Sheep
Jul 24, 2003
 Your old NAT configuration is indicative of a really old IOS version so it doesn't surprise me at a glance that just pasting the old config into the new ASA wouldn't work.

For example this is relevant to your migration. If this sort of thing is over your head then I'd suggest getting a local IT support company to come in and help you migrate.

Edit: alternatively you could see if the old IOS image is compatible with the new ASA but that's some kinda wacky territory to be getting into.

Sheep fucked around with this message at 02:24 on Jul 16, 2015

* # ? Jul 16, 2015 02:17
  • Quote
Prescription Combs
Apr 20, 2005
   6

Methanar posted:



Ultimately all I want to do is replace the 5505 (left) with 5506 and have it still work. I don't have the option to create rule exemptions for the 5506.

I've already gone through that cisco link, but it's pretty far over my head right now.

Some interesting NATs you have going on the old firewall.


Based on what tidbits of info you gave:


code:
object-group network DMZ-NAT0-LOCAL-NETS
 network-object X
object-group network DMZ-NAT0-REMOTE-NETS
 network-object X
!
object-group network Serpong_HQ
 network-object X 255.255.0.0
!
nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!
object network MLP_LN1
 host <MLP_LN1 IP>
 nat (inside,outside) static <MLP_LN2 IP>
!
object network obj-129.129.30.0
 subnet 129.129.30.0 255.255.255.0
 nat (inside,dmz) static 129.129.30.0
!
object network obj-172.16.25.0
 subnet 172.16.25.0 255.255.255.0 
 nat (inside,dmz) static 172.16.25.0
!
object network obj-INSIDE
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
Edit: Alternatively you could upgrade the 5505 to a more modern code and let it auto-convert the existing configuration. Just be sure to disable 'nat-control' and add 'no names' to the config before upgrading. Otherwise the auto-convert shits the bed.

:greenangel:

Prescription Combs fucked around with this message at 02:58 on Jul 16, 2015

* # ? Jul 16, 2015 02:47
  • Quote
Contingency
Jun 2, 2007

MURDERER

Sheep posted:

Edit: alternatively you could see if the old IOS image is compatible with the new ASA but that's some kinda wacky territory to be getting into.

Wouldn't be an option--at best, his 5505 is on 8.2 which isn't supported by the -X series. Since the ASA 5505 supports up to 9.2, you could work your way up the upgrades to convert to 9.2 to transplant the config, but that'd leave an awful mess. Better to recreate all the NAT rules. There's only like 20 something of them, most of which are NoNAT rules.

* # ? Jul 16, 2015 02:55
  • Quote
Methanar
Sep 26, 2013

by the sex ghost

Prescription Combs posted:

Based on what tidbits of info you gave:


code:
object-group network DMZ-NAT0-LOCAL-NETS
 network-object X
object-group network DMZ-NAT0-REMOTE-NETS
 network-object X
!
object-group network Serpong_HQ
 network-object X 255.255.0.0
!
nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!
object network MLP_LN1
 host <MLP_LN1 IP>
 nat (inside,outside) static <MLP_LN2 IP>
!
object network obj-129.129.30.0
 subnet 129.129.30.0 255.255.255.0
 nat (inside,dmz) static 129.129.30.0
!
object network obj-172.16.25.0
 subnet 172.16.25.0 255.255.255.0 
 nat (inside,dmz) static 172.16.25.0
!
object network obj-INSIDE
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface
!
:greenangel:

Okay this is very helpful.

quote:

object-group network DMZ-NAT0-LOCAL-NETS
network-object X
object-group network DMZ-NAT0-REMOTE-NETS
network-object X

I don't quite understand these though. Are the capitals and the X placeholders, if so for what?

nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!

Kind of the same thing here, what are the capitals. Why is MeadowNetwork written twice in a row and what exactly is being sent to/from Serpong.

Sheep posted:

a local IT support company


lol

* # ? Jul 16, 2015 03:27
  • Quote
Prescription Combs
Apr 20, 2005
   6

Methanar posted:

Okay this is very helpful.


I don't quite understand these though. Are the capitals and the X placeholders, if so for what?
The X's are placeholders for whatever those networks are as they are defined on your access-list "dmz_nat0_outbound".

'MeadowNetwork' looks to already be defined in an object-group.

'Serpong_HQ' is an unknown from the config snippet you gave since it's a named IP.

Methanar posted:

nat (dmz,outside) source static DMZ-NAT0-LOCAL-NETS DMZ-NAT0-LOCAL-NETS destination static DMZ-NAT0-REMOTE-NETS DMZ-NAT0-REMOTE-NETS
!
nat (inside,outside) source static MeadowNetwork MeadowNetwork destination static Serpong_HQ Serpong_HQ
!

This is how the syntax is to keep the network 'identity' from changing. You can do some serious network masking with it.

nat (real interface,mapped interface) source static <real network or IP> <mapped network or IP> destination static <real remote network or IP> <mapped remote network or IP>

So, you can map your 'real' IP(s) as something else before it is sent to the destination network. Either for VPN or separate interface segment. In your case, you need to keep the network identity of 'dmz local' network when being sent across the VPN? to whatever destination subnet is defined on the NAT0 access-lists.

Methanar posted:

Kind of the same thing here, what are the capitals. Why is MeadowNetwork written twice in a row and what exactly is being sent to/from Serpong.
See previous explanation.

Prescription Combs fucked around with this message at 07:40 on Jul 16, 2015

* # ? Jul 16, 2015 07:35
  • Quote
Bigass Moth
Mar 6, 2004

I joined the #RXT REVOLUTION.
:boom:
he knows...
I've got a uc500 that seems to have been affected by a lightning storm. Users are reporting static on their end of the phone. Would that be a damaged Fxo port and if so is it fixable?

* # ? Jul 16, 2015 21:02
  • Quote
Adbot
ADBOT LOVES YOU

# ? Apr 26, 2024 19:07
  • Quote
Partycat
Oct 25, 2004

 Plug the line into another phone of some sort and be sure if it is the source of the trouble or not.

Lightning storms tend to mean rain, and rain means static.

* # ? Jul 16, 2015 21:16
  • Quote
  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply
The Something Awful Forums > Discussion > Serious Hardware/Software Crap > The Cisco Short Questions Thread v12.4.9(WTF)
«430 »