Re: PAT AFTER NAT...IS IT POSSIBLE??? [7:66672]
I've found that you cannot do this, at least not when you do NAT to a pool of addresses. You have to do static NAT, then overload the rest. I tried adding overload to the end of my existing nat statement with the pool, and it started PATing the addresses from the beginning, instead of using the 1:1 from the pool, then PATing anything beyond that.

Lee Carter wrote in message news:[EMAIL PROTECTED]

Yes, you can just take your nat statement (ip nat inside source list 1...) and add the word overload on the end of the command. You will use a 1:1 NAT for the first set of users. Once your IPs are used up you will use PAT. It is important to note that some issues arise with PAT versus NAT, like IPSEC or DLSW. Just an FYI.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=66708t=66672
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN Client+IOS [7:59283]
The IP address that your VPN Client gets from the router, are you advertising that route through your network?

JM wrote in message news:[EMAIL PROTECTED]...

Hello

I am trying to run VPN between VPN Client 3.6.2.A and Cisco 2651. On the Cisco router I have: Software with 3DES/IP Plus/FW/IDS - Version 12.2(11)T2

The router has 4 interfaces:
serial 0/1 - Internet, here I gave cryptomap
fasteth 0/1 - DMZ
fasteth 0/0 - LAN (here I want to be through VPN)

I have the same configuration as in the TAC help: http://www.cisco.com/warp/customer/471/ipsecrouter_vpn.html

The VPN Client can log in to the router, and I have an IP address from the router, but I don't see anything. I can't ping.

I have a question: where am I inside the router? I am in, but I don't see anything. When I have ip access-list out on fast0/0 (LAN), what should I enable? I have nat inside on fast 0/0 and outside on ser 0/1.

Regards
JM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59315t=59283
Re: All doors are closed.. [7:59233]
Do you have another 1720 router? You can try taking the flash out, putting it in the good 1720, fixing the config and putting it back.

ciscoGo2002 wrote in message news:[EMAIL PROTECTED]...

Hello folks,

A friend of mine has a serious problem with a Cisco 1720 router. This router has the console port broken, it doesn't work. He usually gets into the router using the aux port in order to configure the device. They tried to download a new config using Cisco Config Maker and downloading it by the aux port. The result is that now the aux port is closed and the Ethernet port doesn't respond anymore.

We don't know what happened with Cisco Config Maker; the really important thing is that we need to recover access to the router. We cannot use the console port because it is broken, the aux port is closed (I guess that Cisco Config Maker closed it by default), and the Ethernet is not responding (maybe Cisco Works put it in shut??).

All the doors are closed!!! There is no time, we need to install this box this week!!! Help!

We have read the Cisco CCO and the 1720 has a DIMM memory and a miniflash memory (please correct us if we are wrong). We suppose that the miniflash memory stores the config (it works like NVRAM too?) and if we can open the box and replace this mini-flash with another one maybe it will work again...

We really appreciate your help, and my friend will pay one beer if you can send us any idea...

Very important: Please send your reply with a copy to these addresses: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] because we have a problem with our mail...

Thanks a lot!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59316t=59233
Re: help [7:59112]
You need a default route sending traffic to your ISP's router. If 12.124.201.146 255.255.255.252 is what you are supposed to put on your serial, then you need an ip route 0.0.0.0 0.0.0.0 12.124.201.145, or the ip default-gateway 12.124.201.145. You need to tell your router which next hop to route internet traffic to. The default-gateway you initially had, 12.104.49.161, is invalid as it's the IP of your Ethernet port.

Brian Zeitz wrote in message news:[EMAIL PROTECTED]...

146 was assigned by the ISP

-----Original Message-----
From: Walker, James - Is [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 12, 2002 2:15 PM
To: Brian Zeitz; [EMAIL PROTECTED]
Subject: RE: help [7:59112]

Try:

interface Serial2/0
 ip address 12.124.201.145 255.255.255.252

-----Original Message-----
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 12, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: help [7:59112]

Router Setup

This may be a very simple question, but I set up my router and I cannot access the internet. Here is the configuration file. I tried the command IP Route 0.0.0.0 0.0.0.0 x.x.x.x as well, with no luck. Sigh

Also does anyone have any links for configuration PDF for 3600 routers?

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 _/
enable password
!
ip subnet-zero
!
!
ip name-server 12.127.17.72
!
!
!
!
interface Ethernet0/0
 ip address 12.104.49.161 255.255.255.224
 no ip mroute-cache
 half-duplex
!
interface Ethernet0/1
 no ip address
 no ip mroute-cache
 shutdown
 half-duplex
!
interface Ethernet0/2
 no ip address
 no ip mroute-cache
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 no ip mroute-cache
 shutdown
 half-duplex
!
interface Serial2/0
 bandwidth 1544000
 ip address 12.124.201.146 255.255.255.252
 encapsulation ppp
 no ip mroute-cache
!
ip default-gateway 12.104.49.161
ip classless
ip http server
ip pim bidir-enable
!
!
line con 0
line aux 0
line vty 0 4
 password
 login
!
end

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59127t=59112
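The check this reply describes, as an added example that is not part of the original thread: it parses a constructed excerpt of the posted configuration, flags a default next hop that is one of the router's own addresses, and derives the far end of the /30 serial link. The function names and verdict strings are assumptions made for this example.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the thread above.
CONFIG = """\
interface Ethernet0/0
 ip address 12.104.49.161 255.255.255.224
!
interface Ethernet0/1
 no ip address
!
interface Serial2/0
 ip address 12.124.201.146 255.255.255.252
!
ip default-gateway 12.104.49.161
"""

def parse_interfaces(config):
    """Return {interface name: IPv4Interface} for every addressed interface."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def default_next_hops(config):
    """Collect next hops from 'ip default-gateway' and static default routes."""
    hops = []
    for line in config.splitlines():
        m = (re.match(r"ip default-gateway (\S+)", line)
             or re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)", line))
        if m:
            hops.append((line.strip(), ipaddress.ip_address(m.group(1))))
    return hops

def check_default(config):
    """Return (statement, verdict) for each default next hop in the config."""
    ifaces = parse_interfaces(config).values()
    results = []
    for stmt, hop in default_next_hops(config):
        if any(hop == i.ip for i in ifaces):
            verdict = "own address"            # the router would hand traffic to itself
        elif any(hop in i.network for i in ifaces):
            verdict = "ok"                     # reachable on a connected subnet
        else:
            verdict = "not on a connected subnet"
        results.append((stmt, verdict))
    return results

def p2p_peer(iface):
    """On a /30 the far end is the one usable host that is not our own address."""
    if iface.network.prefixlen != 30:
        return None
    return next(h for h in iface.network.hosts() if h != iface.ip)

if __name__ == "__main__":
    for stmt, verdict in check_default(CONFIG):
        print(f"{stmt}: {verdict}")
    print("serial peer:", p2p_peer(parse_interfaces(CONFIG)["Serial2/0"]))
```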
Re: help [7:59112]
If you do a show interface, is your ethernet port up, up?

Brian Zeitz wrote in message news:[EMAIL PROTECTED]...

Me = dumb :O

OK thanks, I was confused with my default gateway. Another command I forget is dialer-list 1 protocol ip permit

I can ping my ISP's DNS now, but I can't ping any websites and I can't ping my LAN interface from the internet. I tried the name-server command with no luck.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59129t=59112
Re: help [7:59112]
Did you use the ip default-gateway command? I would try using ip route 0.0.0.0 0.0.0.0 12.124.201.145.

Brian Zeitz wrote in message news:[EMAIL PROTECTED]...

Me = dumb :O

OK thanks, I was confused with my default gateway. Another command I forget is dialer-list 1 protocol ip permit

I can ping my ISP's DNS now, but I can't ping any websites and I can't ping my LAN interface from the internet. I tried the name-server command with no luck.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59131t=59112
Re: help [7:59112]
I can't ping your serial interface either, which leads me to believe your route table isn't correct. I can ping your provider's interface though, .146. Try using the ip route 0.0.0.0 0.0.0.0 12.124.201.145 command.

Brian Zeitz wrote in message news:[EMAIL PROTECTED]...

Me = dumb :O

OK thanks, I was confused with my default gateway. Another command I forget is dialer-list 1 protocol ip permit

I can ping my ISP's DNS now, but I can't ping any websites and I can't ping my LAN interface from the internet. I tried the name-server command with no luck.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59132t=59112
Off Topic - Expand Networks [7:56537]
Does anybody have any experience with Expand Networks Accelerator products? Could anybody share with me the results you've seen with them? More specifically, if you've used them over a VPN?

--
Ben Woltz [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56537t=56537
RE: Proper network design? [7:49536]
Can you post the config of the router? Does the Ethernet interface have sub-interfaces? One for each subnet? The answer is probably in the configuration of the interface on the router. What IP and Subnet mask does it have? Could be that the subnet mask of the router Ethernet is 255.255.240.0 or something less than a /24, therefore the router Ethernet network contains both 192.168.0.0/24 and 192.168.2.0/24.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49537t=49536
RE: Proper network design? [7:49536]
192.168.0.100 is what is doing the real routing then for 192.168.2.0/24. If you follow the path, from a 192.168.0.20 machine to 192.168.2.20 say, it goes from 192.168.0.20 to the default gateway, 192.168.0.1, which checks the route table and sends it to 192.168.0.100 (which is on the same network as E0, so you're right about routers routing between networks), then 192.168.0.100 must know where 192.168.2.0/24 is. All the router is doing is routing 192.168.2.0/24 traffic to the Linux box first. It's not that the router knows where 192.168.2.0/24 is, it's just saying 192.168.0.100 knows, so go there first.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49543t=49536
RE: Catalyst Switches and CDP [7:48603]
You tried the show cdp neighbors detail command? It shows you more detailed information about the neighbors and might include the hostname.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48629t=48603
Re: IDS Questions [7:46639]
Shunning refers to the functionality of the IDS sensor to dynamically create an ACL that denies the attacker access and apply it to a specific interface. For example, you would have it set up so that when the sensor sees an attack from 65.65.65.65 it would create an ACL denying 65.65.65.65 access and apply it to the outside interface of a router.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46683t=46639
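A sketch of the shunning logic described above, as an added example that is not part of the original post and not a Cisco sensor's own code: it turns constructed alert records into IOS ACL lines for the outside interface, and refuses to shun protected addresses, because a spoofed source could otherwise make the sensor block a host the network depends on. The alert fields, the ACL number 199, the interface name and the never-shun list are assumptions.

```python
import ipaddress

# Constructed sensor alerts; the field layout is an assumption for this example.
ALERTS = [
    {"sig": "constructed-sig-1", "src": "65.65.65.65"},
    {"sig": "constructed-sig-2", "src": "65.65.65.65"},  # same source, one ACL line
    {"sig": "constructed-sig-3", "src": "192.0.2.53"},   # spoofable: our DNS resolver
    {"sig": "constructed-sig-4", "src": "not-an-ip"},    # malformed record
]

# Addresses that must never be shunned (hypothetical resolver and management net).
NEVER_SHUN = [
    ipaddress.ip_network("192.0.2.53/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]

def shun_targets(alerts, never_shun):
    """Split alert sources into addresses to block and records that were skipped."""
    targets, skipped = [], []
    for alert in alerts:
        try:
            src = ipaddress.ip_address(alert["src"])
        except ValueError:
            skipped.append((alert["src"], "malformed"))
            continue
        if any(src in net for net in never_shun):
            skipped.append((str(src), "protected"))
        elif src not in targets:
            targets.append(src)
    return targets, skipped

def build_shun_acl(targets, acl=199, interface="Serial0/1"):
    """Render the deny entries, the trailing permit, and the interface binding."""
    lines = [f"access-list {acl} deny ip host {t} any" for t in targets]
    # Without an explicit permit the implicit deny would drop all other traffic.
    lines.append(f"access-list {acl} permit ip any any")
    lines += [f"interface {interface}", f" ip access-group {acl} in"]
    return lines

if __name__ == "__main__":
    targets, skipped = shun_targets(ALERTS, NEVER_SHUN)
    print("\n".join(build_shun_acl(targets)))
    for src, reason in skipped:
        print(f"! not shunned: {src} ({reason})")
```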
RE: vpn client [7:46159]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46200t=46159
RE: CSPM for Cisco IDS [7:46206]
You just need to make sure there is a network in the topology for the subnet that your smtp server is on. Then, within that network in the topology you need to add a server there that is the smtp server. Then you point the email notifications to that server. Basically, CSPM needs to know where to send the smtp messages to. So you need to tell it what network and what server on that network it is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46212t=46206
Boson PIX Test [7:45963]
Can anyone recommend one of the Boson PIX tests that is good? I am now scared to get a Boson test because I got one for the IDSPM test and it was horrible. Didn't prepare me at all for the exam. Seems like they are not consistent.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45963t=45963
Re: VPN Design ? [7:45927]
I'm not sure if this is exactly what you are referring to Craig, but it might help. We also have had problems doing VPN Client connections behind PAT. It's only in places where the DSL/Cable router cannot support PAT on unknown ports, like UDP 1 which is default for VPN 3000 connections. Linksys routers are an example. The workaround is in 3000 concentrator version 3.5 where you can do IPSec via TCP. So you can set up PAT on known ports, like TCP port 80.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45960t=45927
Re: Checksum failure [7:45856]
You could also try copying the file via FTP. Since FTP is a TCP protocol it has some reliability built into it. I've copied images via TFTP where it told me it was successful, but when I reloaded it came up in rommon and dir flash: said bad checksum. Command is copy ftp flash:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45862t=45856
RE: Security hazard?? [7:45731]
I've seen some of Cisco's private VLAN setup. The way I've seen it implemented is on a DMZ switch. Say you have 3 servers on your DMZ, web, mail, and ftp. If each of those servers is plugged into a different port on the same switch and on the same network, you can configure each of them to be on a private vlan. Reason being if somebody compromises or hacks into your web server, they will not be able to get access to the other two servers. Because to get there, they'd have to go through the firewall first. If the servers were not on a private vlan, the attacker could access the other 2 servers via the switch.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45776t=45731
RE: passing scores for CCNP [7:45455]
All 4 passing scores are right around 700. Give or take 10. Mine were 690 for Routing, 699 for Switching, 703 for Remote Access, and 692 for Support.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45460t=45455
RE: VTP Concentrator - client to client [7:44276]
I think you can do this with Reverse Route Injection. I haven't done it before but from what I gather you inject a route for the client's network into the concentrator's route table. Therefore other clients would have a route to that client's network. Look into it. You configure it under Configuration - System - IP Routing - Reverse Route Injection

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44301t=44276
RE: VPN help please [7:43746]
I am having a similar problem. We have users with iPaq handhelds connecting to 3000 series with Movian client. Movian client 1.0 works, but the newest Movian does not work. Version 2.0 I believe. But, version 2.0 does work if the username/password is an internal user to the concentrator. We do our authentication via Radius server to NT accounts and if they use their NT accounts, it won't log them in. But if I create a user on the 3030, they connect. I am currently working with Certicom on this issue but nothing yet.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43782t=43746