NAT Config Change [7:57140]

2002-11-08 Thread CTM CTM
Hi all,

Am trying to change a NAT configuration and it doesn't seem to take.

I do a:

no ip nat inside source 192.168.100.20 a.b.c.d

it asks if I want to delete child dependencies and I've gone with no and yes

I do a:

ip nat inside source 172.29.10.23  a.b.c.d

and I get the message:

already mapped: 192.168.100.20 >> a.b.c.d.

I've also tried the wr mem after first "no ip nat."

but can't seem to eliminate that line

Guess I need to read more than "NAT on a stick"


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57140&t=57140
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Two Interfaces = Extremely Slow Ping [7:53266]

2002-09-19 Thread CTM CTM

Daniel Cotts wrote:
> 
> You have a static NAT translation for 192.168.100.20 on both routers. I'd
> suggest removing it from the Mexican router.
> 
> You haven't said whether or not you are doing standard or extended pings.
> Whether you are pinging from a host or the routers.
> Do a traceroute when the pings are fast and when they are slow. See where
> the packets are going. You might want to do a "sh ip route" in each
> condition.
> Some small housekeeping:
> Mexican router:
> I see no need for the "ip nat inside" on the Serial0/0:0.300 subinterface.
> Nothing from that interface meets the conditions of access-list 101.
> You can remove the "ip policy route-map nonat" from subinterfaces 0/0:0.300
> and 0/0:0.301. There is no route-map in the config.
> You have 192.168.100.0 on F0/1 (shutdown) in Mexico. You have 192.168.100.0
> on F0/1 in SC-SAN. You still have a NAT static in Mexico for the
> 192.168.100.20 host. Might be good to remove that static mapping and remove
> the unused address completely from the interface to avoid confusion.
> "ip http server" can be a security hole.
> 
> SC-SAN router:
> VPN connection to 172.29.30.0 uses access list 100 to define allowed
> traffic. I don't understand the first line of that list. Does it refer to
> the NAT pool of addresses? If so, how do they work inside? If not, who are
> they? Who is really allowed access to 172.29.30.0?
> Again the ip policy and route-map statements aren't doing anything. There is
> an issue that could use a route-map. The users in 172.29.30.0 can't reach
> the statically NATed servers 192.168.100.20 & 135 over the VPN. There is a
> way to solve that problem (if it is a problem.)
> Keep us posted on your progress. I would like to know the solution.
> 
> > -Original Message-
> > From: Sammi Dog [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 13, 2002 5:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Two Interfaces = Extremely Slow Ping [7:53266]
> > 
> > I would appreciate any and all comments.
> > 
> > > From: "Chris McNally"
> > > Hi all,
> > > We have one router in the U.S. and one in Mexico. They are connected to
> > > each other via frame relay and they each have their own internet portal.
> > > When the Mexico router is disconnected from its internet interface the
> > > ping returns between U.S. are averaging 70ms but when they plug in their
> > > internet side the ping returns shoot above 500ms and often hit 800.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53626&t=53266




RE: Two Interfaces = Extremely Slow Ping [7:53266]

2002-09-19 Thread CTM CTM

Hi,

I removed the "ip http server" from all routers.
I also removed the "ip nat inside" from the first Mexico router.
So far so good.
But when I did a "no ip route 192.168.100.0 255.255.255.0 Serial0/0:0.300" I
immediately lost connection to the router and am now trying to reach someone
down there to reboot it.
Not good, as it should have been issued for 192.168.100.20.

So still working on clean up for that box.

In Amsterdam:
I could really, really use a VPN connection between 172.29.30.0 and
172.29.10.0 subnets so will look at that while I wait for the Mexico router
to be rebooted.

(yes, somewhat over my head here, but shall persevere)


Daniel Cotts wrote:
> 
> You have a static NAT translation for 192.168.100.20 on both routers. I'd
> suggest removing it from the Mexican router.
> 
> You haven't said whether or not you are doing standard or extended pings.
> Whether you are pinging from a host or the routers.
> Do a traceroute when the pings are fast and when they are slow. See where
> the packets are going. You might want to do a "sh ip route" in each
> condition.
> Some small housekeeping:
> Mexican router:
> I see no need for the "ip nat inside" on the Serial0/0:0.300 subinterface.
> Nothing from that interface meets the conditions of access-list 101.
> You can remove the "ip policy route-map nonat" from subinterfaces 0/0:0.300
> and 0/0:0.301. There is no route-map in the config.
> You have 192.168.100.0 on F0/1 (shutdown) in Mexico. You have 192.168.100.0
> on F0/1 in SC-SAN. You still have a NAT static in Mexico for the
> 192.168.100.20 host. Might be good to remove that static mapping and remove
> the unused address completely from the interface to avoid confusion.
> "ip http server" can be a security hole.
> 
> SC-SAN router:
> VPN connection to 172.29.30.0 uses access list 100 to define allowed
> traffic. I don't understand the first line of that list. Does it refer to
> the NAT pool of addresses? If so, how do they work inside? If not, who are
> they? Who is really allowed access to 172.29.30.0?
> Again the ip policy and route-map statements aren't doing anything. There is
> an issue that could use a route-map. The users in 172.29.30.0 can't reach
> the statically NATed servers 192.168.100.20 & 135 over the VPN. There is a
> way to solve that problem (if it is a problem.)
> Keep us posted on your progress. I would like to know the solution.
> 
> > -Original Message-
> > From: Sammi Dog [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 13, 2002 5:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Two Interfaces = Extremely Slow Ping [7:53266]
> > 
> > I would appreciate any and all comments.
> > 
> > > From: "Chris McNally"
> > > Hi all,
> > > We have one router in the U.S. and one in Mexico. They are connected to
> > > each other via frame relay and they each have their own internet portal.
> > > When the Mexico router is disconnected from its internet interface the
> > > ping returns between U.S. are averaging 70ms but when they plug in their
> > > internet side the ping returns shoot above 500ms and often hit 800.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53628&t=53266



RE: Two Interfaces = Extremely Slow Ping [7:53266]

2002-09-19 Thread CTM CTM

Thank you, moving to the other subnet allowed me to get back in to the
router.
Ok, now for another crack at it ;-)

Very much appreciated!


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53639&t=53266



RE: Two Interfaces = Extremely Slow Ping [7:53266]

2002-09-19 Thread CTM CTM

I have closed the security and done some clean up. I'm investigating the
performance to Mexico but pings have been well today. Coincidence? Probably
but they've never been consistently low as they have been today. Tomorrow I
have some available to pull the suspected trouble connection and I'll log
some performances.
Meanwhile I need to investigate the Europe - U.S. connection. The connection
is terribly slow, and in fact I currently have Europe using VPN through
their outside IP, into our network via our outside IP, then retrieve email
through a Citrix connection. Terribly cumbersome and, seeing as we have a
frame relay connection, shouldn't be necessary. If I could get them talking
reliably through our dedicated connection it would make many people happy.


I have done some housekeeping on the Mexico router thusly:

int S0/0.300 – no ip nat inside

 

#no ip nat inside source static 192.168.100.20 x.x.x.x

Static entry in use, do you want to delete child entries? [no]: y   <-
wasn't sure about this one, was tempted to take default "no"

 

Int f0/1 - #no ip address 192.168.100.21 255.255.255.0

 

ii-nau-rtr-01(config)#int s0/0:0.300

ii-nau-rtr-01(config-subif)#no ip policy route-map nonat

ii-nau-rtr-01(config-subif)#end

ii-nau-rtr-01(config)#int s0/0:0.301

ii-nau-rtr-01(config-subif)#no ip policy route-map nonat

ii-nau-rtr-01(config-subif)#end

ii-nau-rtr-01#wr mem



~~~





Here is the current config:




ii-nau-rtr-01#sh config
Using 2515 out of 29688 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ii-nau-rtr-01
!
boot system flash 1:c2600-ik9o3s-mz.122-2.T.bin
logging rate-limit console 10 except errors
enable password 
!
!
!
memory-size iomem 10
ip subnet-zero
!
!
ip name-server x.x.x.x
ip name-server x.x.x.x
ip name-server x.x.x.x
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
isdn voice-call-failure 0
call rsvp-sync

!
controller E1 0/0
 framing NO-CRC4 
 channel-group 0 timeslots 1-31
!
!
interface FastEthernet0/0
ip address 172.29.20.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
interface Serial0/0:0
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache
 frame-relay lmi-type ansi
!
interface Serial0/0:0.1 point-to-point
 description Connection to Internet
 ip address x.x.x.x x.x.x.x
 ip nat outside
 no ip route-cache
 no arp frame-relay
 frame-relay interface-dlci 500 IETF   
!
interface Serial0/0:0.300 point-to-point
 description Connection to San Diego - DLCI 300
 ip unnumbered FastEthernet0/0
 no ip route-cache
frame-relay interface-dlci 300   
!
interface Serial0/0:0.301 point-to-point
 description connect to lerma ' dlci 301
 ip unnumbered FastEthernet0/0
 ip nat inside
 no ip route-cache
 frame-relay interface-dlci 301   
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip nat pool IINAU-natpool-1 x.x.x.x x.x.x.x netmask 255.255.255.240
ip nat inside source list 101 pool IINAU-natpool-1 overload
ip nat inside source static 172.29.20.20 200.33.155.23
ip nat inside source static 172.29.20.24 200.33.155.24
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0:0.1
ip route 172.29.10.0 255.255.255.0 Serial0/0:0.300
ip route 172.29.30.0 255.255.255.0 Serial0/0:0.300
ip route 172.29.40.0 255.255.255.0 Serial0/0:0.301
ip route 192.168.100.0 255.255.255.0 Serial0/0:0.300
no ip http server
!
access-list 101 permit ip 172.29.20.0 0.0.0.255 any
access-list 101 permit ip 172.29.40.0 0.0.0.255 any
!
!
snmp-server community naucalpan RW
snmp-server community public RO
snmp-server location Industrias Ideal, Naucalpan, Mexico
snmp-server manager
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xx
 login
line vty 5 15
 login
!
!
end


ii-nau-rtr-01#sh int
FastEthernet0/0 is up, line protocol is up 
  Hardware is AmdFE, address is 0007.0e84.f540 (bia 0007.0e84.f540)
  Internet address is 172.29.20.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 215507 drops
  5 minute input rate 26000 bits/sec, 33 packets/sec
  5 minute output rate 172000 bits/sec, 35 packets/sec
 3645866 packets input, 447007005 bytes
 Received 62805 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog
 0 input packets with dribble condition detected
 3626239 packets output, 1487065

Remote Serial # Retrieval [7:54120]

2002-09-25 Thread CTM CTM

Hello all,

Have inherited 4 routers with no documentation as to vendors, maintenance
agreements etc. I have established a maintenance agreement is in place for
at least one router and now need to establish for the other boxes. I only
have physical access to one of the routers, the other three are out of
country. I have full telnet access and am hoping I can retrieve the serial
numbers that way. I tried a "sh ver" (just hoping for dumb luck) but no go.

Is it possible to extract the router's serial from the command line?

Thank you.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54120&t=54120



Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

I've been trying to optimize communications between two distant routers. So
far I've managed to lock myself out of the far router three times, folks
over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter
is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the literature
pulled from Cisco (led to by links provided by you generous folks).
Looks like I also need to look in depth at access lists. I'm taking baby
steps but am slowly making progress.

Would love to solicit comments/advice on the following:

ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
route-map nonat permit 10


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54268&t=54268



RE: Messing up Access Lists [7:54268]

2002-09-26 Thread CTM CTM

Hi,

You did indeed send me comments, and most appreciated. You even bailed me
out when I misapplied the advice, and again much appreciated.
I'm taking baby steps with the wisdom offered, and seem to get deeper than
intended, ultimately confused, then reach out for a breather.

Thanks, as always, for your generous help, I will digest the latest.

Daniel Cotts wrote:
> 
> I sent you some comments on this last Fri.
> First look up the reload in xx min command. There is a way to have the
> router reboot in a given time interval unless you rescind the command. So if
> you lock yourself out of the router it reboots and restores the startup
> config which allows you back in. If your changes are not fatal then cancel
> the reload command. Then do a copy run start.
> My guess is that you are killing your VPN by removing the access list at the
> far end. You are most likely telnetting to that router from your local PC.
> Its traffic traverses the VPN. Instead bring up a console connection on your
> local router and telnet to the remote router. That won't use the VPN. I
> don't see an access list that would block that connection.
> There is an issue if you have statically NATed addresses. People out on the
> Internet can reach your local servers but folks on the far end of the VPN
> cannot. There is a solution on CCO. Last time I looked you had to start on
> the Documentation page and work towards it. The solution is not on the 707?
> page. I don't have time to look it up. Sort of goes like:
> interface Loopback0
>  ip address 2.2.2.1 255.255.255.0
> interface FastEthernet0
> (This is the interface where your servers are located.)
>  ip route-cache policy
>  ip policy route-map StaticNAT
> 
> ip access-list extended StaticNAT
>  remark Allows statically mapped NAT addresses through IPSec tunnel
>  permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
> (USE YOUR OWN IP ADDRESSES)
> 
> route-map StaticNAT permit 10
>  match ip address StaticNAT
>  set ip next-hop 2.2.2.2
> (Note the address is not the address of the loopback.)
> 
> To use a basketball analogy - a direct pass won't work because a blocker is
> in the way. Instead use a bounce pass.
> 
> > -Original Message-
> > From: CTM CTM [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 26, 2002 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Messing up Access Lists [7:54268]
> > 
> > I've been trying to optimize communications between two distant routers. So
> > far I've managed to lock myself out of the far router three times, folks
> > over there are getting weary of my mistakes ;-)
> > 
> > I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter
> > is physically the same devices multihomed as 192.168.100.0/24.
> > 
> > I realize my NAT is messed up and I'm wrapping my head around the literature
> > pulled from Cisco (led to by links provided by you generous folks).
> > Looks like I also need to look in depth at access lists. I'm taking baby
> > steps but am slowly making progress.
> > 
> > Would love to solicit comments/advice on the following:
> > 
> > ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask
> > 255.255.255.224
> > ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> > ip nat inside source static 172.29.10.20 64.172.228.154
> > ip nat inside source static 192.168.100.20 64.172.228.132
> > ip nat inside source static 192.168.100.135 64.172.228.135
> > ip nat inside source static 172.29.20.20 64.172.228.133
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> > ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> > ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> > !
> > logging history size 250
> > logging history errors
> > logging facility syslog
> > access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> > access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> > access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> > access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> > access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> > route-map nonat permit 10




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54277&t=54268



Re: Messing up Access Lists [7:54268]

2002-09-27 Thread CTM CTM

I have 5 subnets:
172.29.10.x/24 in the U.S.
192.168.100.x/24 in the U.S.

I would like to eliminate the 192.x.x.x subnet as it is mostly redundant,
machines multihomed.

172.29.20.x/24 in Mexico
172.29.30.x/24 in Europe
172.29.40.x/24 in Mexico

Europe office has a 1720 router and E1 connection.
U.S. has 2621 and a T1 connection

Europe needs to pull email and files from servers in U.S., but connection is
terribly, terribly slow. At present I have them VPN out to the internet and
into our VPN that way. Would like them to VPN or direct connect directly
through internal subnets. Once that is fixed the learning experience should
allow me to tweak the Mexico routes.

The Europe "sh int" is as follows:

sh int
Ethernet0 is up, line protocol is up 
  Hardware is PQUICC Ethernet, address is 0004.dd0b.dcbf (bia 0004.dd0b.dcbf)
  Description: connected to Internet
  Internet address is 217.117.229.138/29
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10BaseT
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 1000 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
 778610 packets input, 355003767 bytes, 0 no buffer
 Received 2967 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 input packets with dribble condition detected
 676292 packets output, 134749411 bytes, 0 underruns(0/0/0)
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
FastEthernet0 is up, line protocol is up 
  Hardware is PQUICC_FEC, address is 0002.1761.7d8a (bia 0002.1761.7d8a)
  Description: connected to EthernetLAN_1
  Internet address is 172.29.30.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:00, output hang never
  Last clearing of "show interface" counters 1d19h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
 683511 packets input, 104715200 bytes
 Received 10511 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog
 0 input packets with dribble condition detected
 800932 packets output, 317811070 bytes, 0 underruns(63/415/0)
 165 output errors, 478 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
sc-ams-rtr-01>enable
Password: 
sc-ams-rtr-01#sh config
Using 2357 out of 29688 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log datetime localtime
no service password-encryption
!
hostname sc-ams-rtr-01
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable password 
!
memory-size iomem 25
clock timezone MET 1
clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
no ip finger
ip name-server 217.117.224.93
ip name-server 217.117.224.94
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key  address x.171.120.11
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac 
no crypto engine accelerator
!
crypto map cm-cryptomap local-address Ethernet0
crypto map cm-cryptomap 1 ipsec-isakmp   
 set peer x.171.120.11
 set transform-set cm-transformset-1 
 match address 100
!
!
!
!
interface Ethernet0
 description connected to Internet
 ip address  255.255.255.248
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap
!
interface FastEthernet0
 description connected to EthernetLAN_1
 ip address 172.29.30.1 255.255.255.0
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 speed auto
!
router rip
 version 2
 passive-interface Ethernet0
 network 172.29.0.0
 no auto-summary
!
ip nat inside source list 101 interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 217.117.229.137
ip route 172.29.10.0 255.255.

How are they talking? [7:54577]

2002-09-30 Thread CTM CTM

I think if the following situation is explained, it would go a long way to
my sorting out other issues.
Given the config files pasted at the bottom of this message:

NetworkA  = 172.29.10.0
NetworkB  = 192.168.100.0
NetworkC  = 172.29.30.0

RouterA hosts 172.29.10.0 and 192.168.100.0 
RouterB hosts 172.29.30.0

192.168.100.0 can ping 172.29.30.0
172.29.10.0 cannot ping 172.29.30.0
172.29.30.0 cannot ping NetworkA or NetworkB

What configuration is allowing NetworkB to ping NetworkC? And why no
communication back?


NetworkA:

sh config
Using 3589 out of 29688 bytes
!
version 12.1
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SC-SAN-RTR-01
!
logging buffered 4096 informational
logging rate-limit console 10 except errors
enable password 
!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip name-server 207.67.236.5
ip name-server 207.67.247.4
!
no ip bootp server
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key  address xxx
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac 
!
crypto map cm-cryptomap local-address Serial0/0.1
crypto map cm-cryptomap 1 ipsec-isakmp   
 set peer xxx
 set transform-set cm-transformset-1 
 match address 100
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description connected to San Diego Outside
 ip address 172.29.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip policy route-map nonat
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation frame-relay
 no ip route-cache
 no ip mroute-cache
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 16   
 crypto map cm-cryptomap
!
interface FastEthernet0/1
 description connected to EthernetLAN_2
 ip address 192.168.100.15 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip policy route-map nonat
 duplex auto
 speed auto
!
interface Serial0/1
 no ip address
 no ip redirects
 no ip unreachables
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0/1.474 point-to-point
 description Frame-Relay Connection to II-NAU-RTR-01 DLC 474
 ip unnumbered FastEthernet0/1
 no ip redirects
 no ip unreachables
 no ip route-cache
 no ip mroute-cache
 no arp frame-relay
 frame-relay interface-dlci 474   
!
ip nat pool SCISANRTR001-natpool-1 xx netmask 255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.20.20 
ip nat inside source static 192.168.100.135 
ip nat inside source static 192.168.100.20 
ip nat inside source static 172.29.10.20 x
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
ip route 172.29.20.0 255.255.255.0 Serial0/1.474
ip route 172.29.40.0 255.255.255.0 Serial0/1.474
no ip http server
ip http port 7850
!
logging history size 250
logging history errors
logging facility syslog
access-list 100 permit ip x 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny   ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
!
snmp-server engineID local 000902049AEB2DE0
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 password x
 login
 transport input none
line aux 0
line vty 0 4
 password 7 0100070A0959545A294D400A16061C
 login
!
scheduler allocate 4000 1000
end

x
SC-SAN-RTR-01>sh int
FastEthernet0/0 is up, line protocol is up 
  Hardware is AmdFE, address is 0004.9aeb.2de0 (bia 0004.9aeb.2de0)
  Description: connected to  Outside
  Internet address is 172.29.10.1/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, 
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 4d22h
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 1/75, 782 drops
  5 minute input rate 5000 bits/sec, 8 packets/sec
  5 minute output rate 5000 bits/sec, 6

Access List Change [7:54901]

2002-10-04 Thread CTM CTM

Hello all,

Continuing my quest to unravel that which was left behind, I am now at the
following conclusion:

Europe is on subnet 172.29.30.0
U.S. is on subnet 192.168.100.0

Europe office has a 512k portal to the internet, public IP gateway being
1.2.3.4 (made up of course, is in 217.x.x.x range)
U.S. public IP is 6.7.8.9
However, it has been configured for all Europe internet traffic to be routed
through U.S. office (for purposes of going through a firewall, which wasn't
in place anyways). This has left Europe office with effective internet
speeds of <50k.

Now I want them to use their own internet portal and I believe I need to
reconfigure access lists to allow it.

Here are my lists:

ip nat inside source list 101 interface Ethernet0 overload
ip kerberos source-interface any
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip route 172.29.40.0 255.255.255.0 192.168.100.15
ip http server
!
access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.29.30.0 0.0.0.255 any

interface Ethernet0
 description connected to Internet
 ip address 1.2.3.5 255.255.255.248   <--- IP is one number above public gateway
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map cm-cryptomap

And here's what I *think* I need to do:

no ip route 0.0.0.0 0.0.0.0 1.2.3.4
ip route 172.29.30.0 255.255.255.0 1.2.3.4
access-list 100 permit ip 172.29.30.0 0.0.0.255 1.2.3.4

For the last line I would actually need to clear all access lists (no
access-list 100 is the command?) and then reenter them to preserve the
order?

Does it sound like I'm close to what I need to do?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54901&t=54901
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
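Because the question turns on how list 100 and list 101 interact and on whether the order survives re-entering a numbered list, here is an added worked example, written for this page rather than taken from the thread or from Cisco: a small Python model of IOS first-match access-list evaluation with wildcard masks, run over the two lists exactly as posted. The `ip nat inside source list 101` line establishes 101 as the NAT list; that list 100 is the crypto map's interesting-traffic list is an assumption (the page shows `crypto map cm-cryptomap` on Ethernet0 but not which list it references). The sample flows and the 198.51.100.7 destination are constructed.

```python
"""Added example (not from the thread, not Cisco's code): a model of how IOS
evaluates a numbered extended access-list, applied to the two lists posted.
Assumption: list 100 is the crypto-map interesting-traffic list; list 101 is
the NAT list per the page's "ip nat inside source list 101" line."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination with wildcard."""
    action: str        # "permit" or "deny"
    src: int
    src_wild: int
    dst: int
    dst_wild: int


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def parse_ace(line: str) -> tuple[int, Ace]:
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD'.
    Only the 'ip' form used on the page is handled; 'any' and 'host X' are
    the usual IOS shorthands for wildcard 255.255.255.255 and 0.0.0.0."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    number, action = int(tok[1]), tok[2]
    fields = tok[4:]

    def take() -> tuple[int, int]:
        nonlocal fields
        if fields[0] == "any":
            fields = fields[1:]
            return 0, 0xFFFFFFFF
        if fields[0] == "host":
            base, fields = _addr(fields[1]), fields[2:]
            return base, 0
        base, wild, fields = _addr(fields[0]), _addr(fields[1]), fields[2:]
        return base, wild

    src, src_wild = take()
    dst, dst_wild = take()
    return number, Ace(action, src, src_wild, dst, dst_wild)


def wildcard_match(addr: int, base: int, wild: int) -> bool:
    """Wildcard semantics: a 1 bit means 'don't care', so compare only 0 bits."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = _addr(src), _addr(dst)
    for ace in acl:
        if wildcard_match(s, ace.src, ace.src_wild) and \
           wildcard_match(d, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"


# The two lists exactly as posted.
CONFIG = """
access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31
access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.29.30.0 0.0.0.255 any
"""


def load(config: str) -> dict[int, list[Ace]]:
    acls: dict[int, list[Ace]] = {}
    for line in config.strip().splitlines():
        number, ace = parse_ace(line)
        acls.setdefault(number, []).append(ace)
    return acls


def classify(acls: dict[int, list[Ace]], src: str, dst: str) -> dict[str, bool]:
    """What the router does with one flow: send it through the VPN (list 100)
    and/or translate it (list 101).  The deny lines at the top of 101 are what
    keep VPN-bound traffic out of NAT."""
    return {
        "encrypt": evaluate(acls[100], src, dst) == "permit",
        "nat": evaluate(acls[101], src, dst) == "permit",
    }


def nat_decision_if_permit_entered_first(acls: dict[int, list[Ace]],
                                         src: str, dst: str) -> str:
    """Why re-entering a numbered list in its original order matters: if the
    'permit ... any' line lands above the deny lines it shadows them, and
    VPN-bound traffic gets translated."""
    nat = acls[101]
    permit_first = [a for a in nat if a.action == "permit"] + \
                   [a for a in nat if a.action == "deny"]
    return evaluate(permit_first, src, dst)


if __name__ == "__main__":
    table = load(CONFIG)
    # Constructed sample flows (198.51.100.7 is a documentation address).
    for dst in ("192.168.100.10", "6.7.8.20", "198.51.100.7"):
        print(dst, classify(table, "172.29.30.5", dst))
    print("permit-first:", nat_decision_if_permit_entered_first(
        table, "172.29.30.5", "192.168.100.10"))
```

On classic IOS a numbered list cannot be edited line by line: `no access-list 100` removes the whole list, and lines typed afterwards are appended in the order entered, which is exactly the ordering risk the last function models. Note also that a wildcard of 0.0.0.31 on 6.7.8.9 matches 6.7.8.0 through 6.7.8.31, since the mask is applied to the configured base as well.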



Re: Access List Change [7:54901]

2002-10-04 Thread CTM CTM

Hi,

The router was purchased along with the Cisco firewall software license. I
figured to implement that? Otherwise I could put ISA on the server out there.

The security concerns are duly noted, and I won't leave the office on public
until addressed. That being said; to get them to use their own internet
portal direct I would do a:

ip route 172.29.30.0 255.255.255.0 1.2.3.4

and do a:

no ip route  0.0.0.0 0.0.0.0

is that correct?

BTW, and don't laugh, I put in that last route chasing down a CPU
utilization issue. The router was typically at 34% utilization. Doing some
research I found that maybe packets to unclaimed addresses were looping
between the internal network and the ISP, and that line would throw them in the bit
bucket. So that was way out in left field, wasn't it. I did solve the
utilization issue; there was an unused ADSL module, and when I had that pulled
it went down to normal.

Chuck's Long Road wrote:
> 
> just a quick comment or two.
> 
> you are writing as if you need to do something on your routers
> other than
> change the gateway of last resort.
> 
> ip route 0.0.0.0 0.0.0.0 goes where?
> 
> without getting into the intricacies, if you are introducing a
> new firewall
> into the "europe" domain, your router should have a default
> route pointing
> to the inside address of the firewall. no other configuration
> is required.
> the firewall does all the filtering. no access lists. etc. at
> least not as
> related to firewall stuff.
> 
> your router would redistribute the default route information,
> or not, as
> needed.
> 
> your hosts would use the particular router as their default
> gateway.
> 
> if you are using your router as the firewall, then I have to
> ask - what
> happens if that device is compromised - do you really want some
> hacker to
> then be in the middle of your network?
> 
> --
> 
> www.chuckslongroad.info
> like my web site?
> take the survey!
> 
> 
> 
> "CTM CTM"  wrote in message
> news:[EMAIL PROTECTED]...
> > Hello all,
> >
> > Continuing my quest to unravel that which was left behind, I
> am now at the
> > following conclusion:
> >
> > Europe is on subnet 172.29.30.0
> > U.S. is on subnet 192.168.100.0
> >
> > Europe office has a 512k portal to the internet, public IP
> gateway being
> > 1.2.3.4 (made up of course, is in 217.x.x.x range)
> > U.S. public IP is 6.7.8.9
> > However, it has been configured for all Europe internet
> traffic to be
> routed
> > through U.S. office (for purposes of going through a
> firewall, which
> wasn't
> > in place anyways). This has left Europe office with effective
> internet
> > speeds of <50k.
> >
> > Now I want them to use their own internet portal and I
> believe I need to
> > reconfigure access lists to allow it.
> >
> > Here are my lists:
> >
> > ip nat inside source list 101 interface Ethernet0 overload
> > ip kerberos source-interface any
> > ip classless
> > ip route profile
> > ip route 0.0.0.0 0.0.0.0 1.2.3.4
> > ip route 172.29.40.0 255.255.255.0 192.168.100.15
> > ip http server
> > !
> > access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9
> 0.0.0.31
> > access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0
> 0.0.0.255
> > access-list 101 deny   ip 172.29.30.0 0.0.0.255 6.7.8.9
> 0.0.0.31
> > access-list 101 deny   ip 172.29.30.0 0.0.0.255 192.168.100.0
> 0.0.0.255
> > access-list 101 permit ip 172.29.30.0 0.0.0.255 any
> >
> > interface Ethernet0
> >  description connected to Internet
> >  ip address 1.2.3.5 255.255.255.248   <--- IP is one number above public
> > gateway
> >  ip nat outside
> >  no ip route-cache
> >  no ip mroute-cache
> >  half-duplex
> >  crypto map cm-cryptomap
> >
> > And here's what I *think* I need to do:
> >
> > no ip route 0.0.0.0 0.0.0.0 1.2.3.4
> > ip route 172.29.30.0 255.255.255.0 1.2.3.4
> > access-list 100 permit ip 172.29.30.0 0.0.0.255 1.2.3.4
> >
> > For the last line I would actually need to clear all access
> lists ( no
> > access-list 100. is the command?) and then reenter to
> preserve the
> > order?
> >
> > Does it sound like I'm close to what I need to do?
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54914&t=54901



Reverse DNS [7:55627]

2002-10-15 Thread CTM CTM

Is it possible to block reverse DNS queries at the router?
If so, I may have inadvertently done so, but can't seem to find a setting that
would have blocked them.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55627&t=55627