NAT Config Change [7:57140]
Hi all,

Am trying to change a NAT configuration and it doesn't seem to take. I do a:

    no ip nat inside source 192.168.100.20 a.b.c.d

It asks if I want to delete child dependencies and I've gone with no and yes. I do a:

    ip nat inside source 172.29.10.23 a.b.c.d

and I get the message:

    already mapped: 192.168.100.20 >> a.b.c.d

I've also tried the "wr mem" after the first "no ip nat ..." but can't seem to eliminate that line.

Guess I need to read more than "NAT on a stick".

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57140&t=57140
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Two Interfaces = Extremely Slow Ping [7:53266]
Daniel Cotts wrote:

> You have a static NAT translation for 192.168.100.20 on both routers. I'd suggest removing it from the Mexican router.
>
> You haven't said whether or not you are doing standard or extended pings. Whether you are pinging from a host or the routers. Do a traceroute when the pings are fast and when they are slow. See where the packets are going. You might want to do a "sh ip route" in each condition.
>
> Some small housekeeping:
>
> Mexican router:
> I see no need for the "ip nat inside" on the Serial0/0:0.300 subinterface. Nothing from that interface meets the conditions of access-list 101.
> You can remove the "ip policy route-map nonat" from subinterfaces 0/0:0.300 and 0/0:0.301. There is no route-map in the config.
> You have 192.168.100.0 on F0/1 (shutdown) in Mexico. You have 192.168.100.0 on F0/1 in SC-SAN. You still have a NAT static in Mexico for the 192.168.100.20 host. Might be good to remove that static mapping and remove the unused address completely from the interface to avoid confusion.
> "ip http server" can be a security hole.
>
> SC-SAN router:
> VPN connection to 172.29.30.0 uses access list 100 to define allowed traffic. I don't understand the first line of that list. Does it refer to the NAT pool of addresses? If so, how do they work inside? If not, who are they? Who is really allowed access to 172.29.30.0?
> Again the ip policy and route-map statements aren't doing anything. There is an issue that could use a route-map. The users in 172.29.30.0 can't reach the statically NATed servers 192.168.100.20 & 135 over the VPN. There is a way to solve that problem (if it is a problem.)
> Keep us posted on your progress. I would like to know the solution.
>
> > -----Original Message-----
> > From: Sammi Dog [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 13, 2002 5:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Two Interfaces = Extremely Slow Ping [7:53266]
> >
> > I would appreciate any and all comments.
> >
> > > From: "Chris McNally"
> > > Hi all,
> > > We have one router in the U.S. and one in Mexico. They are connected to each other via frame relay and they each have their own internet portal. When the Mexico router is disconnected from its internet interface the ping returns between U.S. are averaging 70ms but when they plug in their internet side the ping returns shoot above 500ms and often hit 800.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53626&t=53266
RE: Two Interfaces = Extremely Slow Ping [7:53266]
Hi,

I removed the "ip http server" from all routers. I also removed the "ip nat inside" from the first Mexico router. So far so good.

But when I did a "no ip route 192.168.100.0 255.255.255.0 Serial0/0:0.300" I immediately lost connection to the router and am now trying to reach someone down there to reboot it. Not good, as it should have been issued for 192.168.100.20. So still working on clean up for that box.

In Amsterdam: I could really, really use a VPN connection between 172.29.30.0 and 172.29.10.0 subnets so will look at that while I wait for the Mexico router to be rebooted. (Yes, somewhat over my head here, but shall persevere.)

Daniel Cotts wrote:

> You have a static NAT translation for 192.168.100.20 on both routers. I'd suggest removing it from the Mexican router.
>
> You haven't said whether or not you are doing standard or extended pings. Whether you are pinging from a host or the routers. Do a traceroute when the pings are fast and when they are slow. See where the packets are going. You might want to do a "sh ip route" in each condition.
>
> Some small housekeeping:
>
> Mexican router:
> I see no need for the "ip nat inside" on the Serial0/0:0.300 subinterface. Nothing from that interface meets the conditions of access-list 101.
> You can remove the "ip policy route-map nonat" from subinterfaces 0/0:0.300 and 0/0:0.301. There is no route-map in the config.
> You have 192.168.100.0 on F0/1 (shutdown) in Mexico. You have 192.168.100.0 on F0/1 in SC-SAN. You still have a NAT static in Mexico for the 192.168.100.20 host. Might be good to remove that static mapping and remove the unused address completely from the interface to avoid confusion.
> "ip http server" can be a security hole.
>
> SC-SAN router:
> VPN connection to 172.29.30.0 uses access list 100 to define allowed traffic. I don't understand the first line of that list. Does it refer to the NAT pool of addresses? If so, how do they work inside? If not, who are they? Who is really allowed access to 172.29.30.0?
> Again the ip policy and route-map statements aren't doing anything. There is an issue that could use a route-map. The users in 172.29.30.0 can't reach the statically NATed servers 192.168.100.20 & 135 over the VPN. There is a way to solve that problem (if it is a problem.)
> Keep us posted on your progress. I would like to know the solution.
>
> > -----Original Message-----
> > From: Sammi Dog [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 13, 2002 5:23 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Two Interfaces = Extremely Slow Ping [7:53266]
> >
> > I would appreciate any and all comments.
> >
> > > From: "Chris McNally"
> > > Hi all,
> > > We have one router in the U.S. and one in Mexico. They are connected to each other via frame relay and they each have their own internet portal. When the Mexico router is disconnected from its internet interface the ping returns between U.S. are averaging 70ms but when they plug in their internet side the ping returns shoot above 500ms and often hit 800.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53628&t=53266
RE: Two Interfaces = Extremely Slow Ping [7:53266]
Thank you, moving to the other subnet allowed me to get back in to the router. Ok, now for another crack at it ;-)

Very much appreciated!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53639&t=53266
RE: Two Interfaces = Extremely Slow Ping [7:53266]
I have closed the security and done some clean up. I'm investigating the performance to Mexico but pings have been well today. Coincidence? Probably, but they've never been consistently low as they have been today. Tomorrow I have some available to pull the suspected trouble connection and I'll log some performances.

Meanwhile I need to investigate the Europe - U.S. connection. The connection is terribly slow, and in fact I currently have Europe using VPN through their outside IP, into our network via our outside IP, then retrieve email through a Citrix connection. Terribly cumbersome and, seeing as we have a frame relay connection, shouldn't be necessary. If I could get them talking reliably through our dedicated connection it would make many people happy.

I have done some housekeeping on the Mexico router thusly:

    int S0/0.300
     no ip nat inside

    #no ip nat inside source static 192.168.100.20 x.x.x.x
    Static entry in use, do you want to delete child entries? [no]: y   <- wasn't sure about this one, was tempted to take default "no"

    Int f0/1 -
    #no ip address 192.168.100.21 255.255.255.0

    ii-nau-rtr-01(config)#int s0/0:0.300
    ii-nau-rtr-01(config-subif)#no ip policy route-map nonat
    ii-nau-rtr-01(config-subif)#end
    ii-nau-rtr-01(config)#int s0/0:0.301
    ii-nau-rtr-01(config-subif)#no ip policy route-map nonat
    ii-nau-rtr-01(config-subif)#end
    ii-nau-rtr-01#wr mem

~~~

Here is the current config:

    ii-nau-rtr-01#sh config
    Using 2515 out of 29688 bytes
    !
    version 12.2
    no parser cache
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname ii-nau-rtr-01
    !
    boot system flash 1:c2600-ik9o3s-mz.122-2.T.bin
    logging rate-limit console 10 except errors
    enable password
    !
    memory-size iomem 10
    ip subnet-zero
    !
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    !
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 120
    ip ssh authentication-retries 3
    no ip dhcp-client network-discovery
    !
    isdn voice-call-failure 0
    call rsvp-sync
    !
    controller E1 0/0
     framing NO-CRC4
     channel-group 0 timeslots 1-31
    !
    interface FastEthernet0/0
     ip address 172.29.20.1 255.255.255.0
     ip nat inside
     duplex auto
     speed auto
    !
    interface Serial0/0:0
     no ip address
     encapsulation frame-relay IETF
     no ip route-cache
     frame-relay lmi-type ansi
    !
    interface Serial0/0:0.1 point-to-point
     description Connection to Internet
     ip address x.x.x.x x.x.x.x
     ip nat outside
     no ip route-cache
     no arp frame-relay
     frame-relay interface-dlci 500 IETF
    !
    interface Serial0/0:0.300 point-to-point
     description Connection to San Diego - DLCI 300
     ip unnumbered FastEthernet0/0
     no ip route-cache
     frame-relay interface-dlci 300
    !
    interface Serial0/0:0.301 point-to-point
     description connect to lerma ' dlci 301
     ip unnumbered FastEthernet0/0
     ip nat inside
     no ip route-cache
     frame-relay interface-dlci 301
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip nat pool IINAU-natpool-1 x.x.x.x x.x.x.x netmask 255.255.255.240
    ip nat inside source list 101 pool IINAU-natpool-1 overload
    ip nat inside source static 172.29.20.20 200.33.155.23
    ip nat inside source static 172.29.20.24 200.33.155.24
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0:0.1
    ip route 172.29.10.0 255.255.255.0 Serial0/0:0.300
    ip route 172.29.30.0 255.255.255.0 Serial0/0:0.300
    ip route 172.29.40.0 255.255.255.0 Serial0/0:0.301
    ip route 192.168.100.0 255.255.255.0 Serial0/0:0.300
    no ip http server
    !
    access-list 101 permit ip 172.29.20.0 0.0.0.255 any
    access-list 101 permit ip 172.29.40.0 0.0.0.255 any
    !
    snmp-server community naucalpan RW
    snmp-server community public RO
    snmp-server location Industrias Ideal, Naucalpan, Mexico
    snmp-server manager
    !
    dial-peer cor custom
    !
    line con 0
     exec-timeout 0 0
    line aux 0
    line vty 0 4
     password xx
     login
    line vty 5 15
     login
    !
    end

    ii-nau-rtr-01#sh int
    FastEthernet0/0 is up, line protocol is up
      Hardware is AmdFE, address is 0007.0e84.f540 (bia 0007.0e84.f540)
      Internet address is 172.29.20.1/24
      MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 215507 drops
      5 minute input rate 26000 bits/sec, 33 packets/sec
      5 minute output rate 172000 bits/sec, 35 packets/sec
         3645866 packets input, 447007005 bytes
         Received 62805 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         3626239 packets output, 1487065
Remote Serial # Retrieval [7:54120]
Hello all,

Have inherited 4 routers with no documentation as to vendors, maintenance agreements etc. I have established a maintenance agreement is in place for at least one router and now need to establish for the other boxes. I only have physical access to one of the routers, the other three are out of country. I have full telnet access and am hoping I can retrieve the serial numbers that way. I tried a "sh ver" (just hoping for dumb luck) but no go.

Is it possible to extract the router's serial from the command line?

Thank you.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54120&t=54120
Messing up Access Lists [7:54268]
I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of the far router three times, folks over there are getting weary of my mistakes ;-)

I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter is physically the same devices multihomed as 192.168.100.0/24.

I realize my NAT is messed up and I'm wrapping my head around the literature pulled from Cisco (led to by links provided by you generous folks). Looks like I also need to look in depth at access lists. I'm taking baby steps but am slowly making progress.

Would love to solicit comments/advice on the following:

    ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
    ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
    ip nat inside source static 172.29.10.20 64.172.228.154
    ip nat inside source static 192.168.100.20 64.172.228.132
    ip nat inside source static 192.168.100.135 64.172.228.135
    ip nat inside source static 172.29.20.20 64.172.228.133
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    ip route 172.29.20.0 255.255.255.0 Serial0/1.474
    ip route 172.29.40.0 255.255.255.0 Serial0/1.474
    !
    logging history size 250
    logging history errors
    logging facility syslog
    access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
    access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
    access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    access-list 101 permit ip 172.29.10.0 0.0.0.255 any
    route-map nonat permit 10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54268&t=54268
RE: Messing up Access Lists [7:54268]
Hi,

You did indeed send me comments, and most appreciated. You even bailed me out when I misapplied the advice, and again much appreciated. I'm taking baby steps with the wisdom offered, and seem to get deeper than intended, ultimately confused, then reach out for a breather. Thanks, as always, for your generous help, I will digest the latest.

Daniel Cotts wrote:

> I sent you some comments on this last Fri.
>
> First look up the "reload in xx min" command. There is a way to have the router reboot in a given time interval unless you rescind the command. So if you lock yourself out of the router it reboots and restores the startup config which allows you back in. If your changes are not fatal then cancel the reload command. Then do a "copy run start".
>
> My guess is that you are killing your VPN by removing the access list at the far end. You are most likely telnetting to that router from your local PC. Its traffic traverses the VPN. Instead bring up a console connection on your local router and telnet to the remote router. That won't use the VPN. I don't see an access list that would block that connection.
>
> There is an issue if you have statically NATed addresses. People out on the Internet can reach your local servers but folks on the far end of the VPN cannot. There is a solution on CCO. Last time I looked you had to start on the Documentation page and work towards it. The solution is not on the 707? page. I don't have time to look it up. Sort of goes like:
>
>     interface Loopback0
>      ip address 2.2.2.1 255.255.255.0
>
>     interface FastEthernet0
>     (This is the interface where your servers are located.)
>      ip route-cache policy
>      ip policy route-map StaticNAT
>
>     ip access-list extended StaticNAT
>      remark Allows statically mapped NAT addresses through IPSec tunnel
>      permit ip host 192.168.250.19 172.16.1.0 0.0.0.255
>     (USE YOUR OWN IP ADDRESSES)
>
>     route-map StaticNAT permit 10
>      match ip address StaticNAT
>      set ip next-hop 2.2.2.2
>     (Note the address is not the address of the loopback.)
>
> To use a basketball analogy - a direct pass won't work because a blocker is in the way. Instead use a bounce pass.
>
> > -----Original Message-----
> > From: CTM CTM [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, September 26, 2002 2:54 PM
> > To: [EMAIL PROTECTED]
> > Subject: Messing up Access Lists [7:54268]
> >
> > I've been trying to optimize communications between two distant routers. So far I've managed to lock myself out of the far router three times, folks over there are getting weary of my mistakes ;-)
> >
> > I have a subnet of 172.29.30.0/24 and a subnet of 172.29.10.0/24, the latter is physically the same devices multihomed as 192.168.100.0/24.
> >
> > I realize my NAT is messed up and I'm wrapping my head around the literature pulled from Cisco (led to by links provided by you generous folks). Looks like I also need to look in depth at access lists. I'm taking baby steps but am slowly making progress.
> >
> > Would love to solicit comments/advice on the following:
> >
> >     ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
> >     ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
> >     ip nat inside source static 172.29.10.20 64.172.228.154
> >     ip nat inside source static 192.168.100.20 64.172.228.132
> >     ip nat inside source static 192.168.100.135 64.172.228.135
> >     ip nat inside source static 172.29.20.20 64.172.228.133
> >     ip classless
> >     ip route 0.0.0.0 0.0.0.0 Serial0/0.1
> >     ip route 172.29.20.0 255.255.255.0 Serial0/1.474
> >     ip route 172.29.40.0 255.255.255.0 Serial0/1.474
> >     !
> >     logging history size 250
> >     logging history errors
> >     logging facility syslog
> >     access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
> >     access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> >     access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
> >     access-list 101 permit ip 192.168.100.0 0.0.0.255 any
> >     access-list 101 permit ip 172.29.10.0 0.0.0.255 any
> >     route-map nonat permit 10

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54277&t=54268
Re: Messing up Access Lists [7:54268]
I have 5 subnets:

    172.29.10.x/24   in the U.S.
    192.168.100.x/24 in the U.S. (I would like to eliminate the 192.x.x.x subnet as it is mostly redundant, machines multihomed.)
    172.29.20.x/24   in Mexico
    172.29.30.x/24   in Europe
    172.29.40.x/24   in Mexico

Europe office has a 1720 router and E1 connection. U.S. has 2621 and a T1 connection.

Europe needs to pull email and files from servers in U.S., but connection is terribly, terribly slow. At present I have them VPN out to the internet and into our VPN that way. Would like them to VPN or direct connect directly through internal subnets. Once that is fixed the learning experience should allow me to tweak the Mexico routes.

The Europe "sh int" is as follows:

    sh int
    Ethernet0 is up, line protocol is up
      Hardware is PQUICC Ethernet, address is 0004.dd0b.dcbf (bia 0004.dd0b.dcbf)
      Description: connected to Internet
      Internet address is 217.117.229.138/29
      MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Half-duplex, 10BaseT
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters 1d19h
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 1000 bits/sec, 1 packets/sec
      5 minute output rate 1000 bits/sec, 1 packets/sec
         778610 packets input, 355003767 bytes, 0 no buffer
         Received 2967 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 input packets with dribble condition detected
         676292 packets output, 134749411 bytes, 0 underruns(0/0/0)
         0 output errors, 0 collisions, 0 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out
    FastEthernet0 is up, line protocol is up
      Hardware is PQUICC_FEC, address is 0002.1761.7d8a (bia 0002.1761.7d8a)
      Description: connected to EthernetLAN_1
      Internet address is 172.29.30.1/24
      MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Auto-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:01, output 00:00:00, output hang never
      Last clearing of "show interface" counters 1d19h
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 0/75, 0 drops
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         683511 packets input, 104715200 bytes
         Received 10511 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog
         0 input packets with dribble condition detected
         800932 packets output, 317811070 bytes, 0 underruns(63/415/0)
         165 output errors, 478 collisions, 0 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier
         0 output buffer failures, 0 output buffers swapped out

    sc-ams-rtr-01>enable
    Password:
    sc-ams-rtr-01#sh config
    Using 2357 out of 29688 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log datetime localtime
    no service password-encryption
    !
    hostname sc-ams-rtr-01
    !
    no logging buffered
    no logging buffered
    logging rate-limit console 10 except errors
    enable password
    !
    memory-size iomem 25
    clock timezone MET 1
    clock summer-time METDST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip subnet-zero
    no ip finger
    ip name-server 217.117.224.93
    ip name-server 217.117.224.94
    !
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key address x.171.120.11
    !
    crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
    no crypto engine accelerator
    !
    crypto map cm-cryptomap local-address Ethernet0
    crypto map cm-cryptomap 1 ipsec-isakmp
     set peer x.171.120.11
     set transform-set cm-transformset-1
     match address 100
    !
    interface Ethernet0
     description connected to Internet
     ip address 255.255.255.248
     ip nat outside
     no ip route-cache
     no ip mroute-cache
     half-duplex
     crypto map cm-cryptomap
    !
    interface FastEthernet0
     description connected to EthernetLAN_1
     ip address 172.29.30.1 255.255.255.0
     ip nat inside
     no ip route-cache
     no ip mroute-cache
     speed auto
    !
    router rip
     version 2
     passive-interface Ethernet0
     network 172.29.0.0
     no auto-summary
    !
    ip nat inside source list 101 interface Ethernet0 overload
    ip kerberos source-interface any
    ip classless
    ip route profile
    ip route 0.0.0.0 0.0.0.0 217.117.229.137
    ip route 172.29.10.0 255.255.
How are they talking? [7:54577]
I think if the following situation is explained, it would go a long way to my sorting out other issues. Given the config files pasted at the bottom of this message:

    NetworkA = 172.29.10.0
    NetworkB = 192.168.100.0
    NetworkC = 172.29.30.0

    RouterA hosts 172.29.10.0 and 192.168.100.0
    RouterB hosts 172.29.30.0

    192.168.100.0 can ping 172.29.30.0
    172.29.10.0 cannot ping 172.29.30.0
    172.29.30.0 cannot ping NetworkA or NetworkB

What configuration is allowing NetworkB to ping NetworkC? And why no communication back?

NetworkA:

    sh config
    Using 3589 out of 29688 bytes
    !
    version 12.1
    no parser cache
    no service single-slot-reload-enable
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname SC-SAN-RTR-01
    !
    logging buffered 4096 informational
    logging rate-limit console 10 except errors
    enable password
    !
    ip subnet-zero
    !
    no ip finger
    no ip domain-lookup
    ip name-server 207.67.236.5
    ip name-server 207.67.247.4
    !
    no ip bootp server
    ip audit notify log
    ip audit po max-events 100
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
    crypto isakmp key address xxx
    !
    crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
    !
    crypto map cm-cryptomap local-address Serial0/0.1
    crypto map cm-cryptomap 1 ipsec-isakmp
     set peer xxx
     set transform-set cm-transformset-1
     match address 100
    !
    call rsvp-sync
    !
    interface FastEthernet0/0
     description connected to San Diego Outside
     ip address 172.29.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     ip nat inside
     ip policy route-map nonat
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     no ip redirects
     no ip unreachables
     encapsulation frame-relay
     no ip route-cache
     no ip mroute-cache
     service-module t1 remote-alarm-enable
     frame-relay lmi-type ansi
    !
    interface Serial0/0.1 point-to-point
     description connected to Internet
     ip address x.x.x.x 255.255.255.0
     no ip redirects
     no ip unreachables
     ip nat outside
     no ip route-cache
     no ip mroute-cache
     no arp frame-relay
     frame-relay interface-dlci 16
     crypto map cm-cryptomap
    !
    interface FastEthernet0/1
     description connected to EthernetLAN_2
     ip address 192.168.100.15 255.255.255.0
     no ip redirects
     no ip unreachables
     ip nat inside
     ip policy route-map nonat
     duplex auto
     speed auto
    !
    interface Serial0/1
     no ip address
     no ip redirects
     no ip unreachables
     encapsulation frame-relay IETF
     no ip route-cache
     no ip mroute-cache
     no fair-queue
     frame-relay traffic-shaping
     frame-relay lmi-type ansi
    !
    interface Serial0/1.474 point-to-point
     description Frame-Relay Connection to II-NAU-RTR-01 DLC 474
     ip unnumbered FastEthernet0/1
     no ip redirects
     no ip unreachables
     no ip route-cache
     no ip mroute-cache
     no arp frame-relay
     frame-relay interface-dlci 474
    !
    ip nat pool SCISANRTR001-natpool-1 xx netmask 255.255.255.224
    ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
    ip nat inside source static 172.29.20.20
    ip nat inside source static 192.168.100.135
    ip nat inside source static 192.168.100.20
    ip nat inside source static 172.29.10.20 x
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    ip route 172.29.20.0 255.255.255.0 Serial0/1.474
    ip route 172.29.40.0 255.255.255.0 Serial0/1.474
    no ip http server
    ip http port 7850
    !
    logging history size 250
    logging history errors
    logging facility syslog
    access-list 100 permit ip x 0.0.0.31 172.29.30.0 0.0.0.255
    access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
    access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
    access-list 101 permit ip 192.168.100.0 0.0.0.255 any
    access-list 101 permit ip 172.29.10.0 0.0.0.255 any
    no cdp run
    route-map nonat permit 10
    !
    snmp-server engineID local 000902049AEB2DE0
    !
    dial-peer cor custom
    !
    line con 0
     exec-timeout 0 0
     password x
     login
     transport input none
    line aux 0
    line vty 0 4
     password 7 0100070A0959545A294D400A16061C
     login
    !
    scheduler allocate 4000 1000
    end

    SC-SAN-RTR-01>sh int
    FastEthernet0/0 is up, line protocol is up
      Hardware is AmdFE, address is 0004.9aeb.2de0 (bia 0004.9aeb.2de0)
      Description: connected to Outside
      Internet address is 172.29.10.1/24
      MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Half-duplex, 100Mb/s, 100BaseTX/FX
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters 4d22h
      Queueing strategy: fifo
      Output queue 0/40, 0 drops; input queue 1/75, 782 drops
      5 minute input rate 5000 bits/sec, 8 packets/sec
      5 minute output rate 5000 bits/sec, 6
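The question above is really a question about classification order on the SC-SAN router: for inside-to-outside traffic IOS performs NAT first and only then evaluates the crypto map, so "match address 100" is checked against the translated source. Static "ip nat inside source static" entries are applied regardless of what list 101 says; the deny line in 101 only exempts hosts from the dynamic pool rule. The script below is an added example (not code from this thread) that models exactly that against the NAT and ACL lines posted for SC-SAN-RTR-01 here and in "Messing up Access Lists". The flow endpoints are constructed test inputs, the pool is simplified to its first address, and only the outbound direction is modelled: it says which traffic leaves untranslated and encrypted, which leaves with a 64.172.228.x source and still matches the first line of ACL 100, and which bypasses the tunnel altogether. It does not diagnose the return path, which the thread leaves open.

```python
"""Added example (not from the original thread): model how the posted SC-SAN
NAT and ACL lines classify inside-to-outside traffic.  IOS applies NAT before
the crypto map, so 'match address 100' sees the translated source address."""

import ipaddress
from dataclasses import dataclass

# Copied from the SC-SAN config posted in this thread ("Messing up Access Lists").
SC_SAN_CONFIG = """
ip nat pool SCISANRTR001-natpool-1 64.172.228.155 64.172.228.158 netmask 255.255.255.224
ip nat inside source list 101 pool SCISANRTR001-natpool-1 overload
ip nat inside source static 172.29.10.20 64.172.228.154
ip nat inside source static 192.168.100.20 64.172.228.132
ip nat inside source static 192.168.100.135 64.172.228.135
ip nat inside source static 172.29.20.20 64.172.228.133
access-list 100 permit ip 64.172.228.128 0.0.0.31 172.29.30.0 0.0.0.255
access-list 100 permit ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 deny ip 192.168.100.0 0.0.0.255 172.29.30.0 0.0.0.255
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit ip 172.29.10.0 0.0.0.255 any
"""


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src: str, dst: str) -> bool:
        # IOS wildcard mask: a 1 bit means "don't care", so only the 0 bits are compared.
        care_src = ~self.src_wild & 0xFFFFFFFF
        care_dst = ~self.dst_wild & 0xFFFFFFFF
        return ((ip_int(src) ^ self.src) & care_src) == 0 and \
               ((ip_int(dst) ^ self.dst) & care_dst) == 0


def parse_addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (addr, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return ip_int(t[i + 1]), 0, i + 2
    return ip_int(t[i]), ip_int(t[i + 1]), i + 2


def parse_config(text):
    """Collect numbered extended ACLs, static NAT entries, the dynamic NAT rule and pools."""
    acls, statics, pools, dynamic = {}, {}, {}, None
    for line in text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list" and t[3] == "ip":
            src, sw, i = parse_addr(t, 4)
            dst, dw, _ = parse_addr(t, i)
            acls.setdefault(t[1], []).append(Ace(t[2], src, sw, dst, dw))
        elif line.startswith("ip nat pool"):
            pools[t[3]] = t[4]          # first pool address; with 'overload' hosts share it
        elif line.startswith("ip nat inside source static"):
            statics[t[5]] = t[6]        # inside local -> inside global
        elif line.startswith("ip nat inside source list"):
            dynamic = (t[5], t[7])      # (ACL number, pool name)
    return acls, statics, pools, dynamic


def acl_permits(aces, src, dst) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in aces:
        if ace.matches(src, dst):
            return ace.action == "permit"
    return False


def classify_outbound(cfg, src, dst):
    """Return (source address as seen on the outside, encrypted by the crypto map?)."""
    acls, statics, pools, dynamic = cfg
    if src in statics:                         # static NAT ignores the dynamic rule's ACL
        translated = statics[src]
    elif dynamic and acl_permits(acls.get(dynamic[0], []), src, dst):
        translated = pools[dynamic[1]]         # simplification: assume the first pool address
    else:
        translated = src                       # not matched by list 101: leaves untranslated
    encrypted = acl_permits(acls.get("100", []), translated, dst)
    return translated, encrypted


if __name__ == "__main__":
    cfg = parse_config(SC_SAN_CONFIG)
    # Constructed flows, one per case raised in the thread.
    for src, dst in [("192.168.100.50", "172.29.30.10"),   # plain 192.168.100.0 host to Europe
                     ("192.168.100.20", "172.29.30.10"),   # statically NATed server to Europe
                     ("172.29.10.50", "172.29.30.10"),     # 172.29.10.0 host to Europe
                     ("172.29.10.50", "8.8.8.8")]:         # ordinary Internet traffic
        print(f"{src:>16} -> {dst:<14} {classify_outbound(cfg, src, dst)}")
```

Running it shows the asymmetry Daniel was asking about: a plain 192.168.100.0 host is exempted from NAT by the deny in list 101 and matches the second line of ACL 100, so it enters the tunnel with its real address, while 192.168.100.20, 192.168.100.135 and every 172.29.10.0 host leave with a 64.172.228.x source and are selected for encryption only because the first line of ACL 100 covers the public /27. The Europe side must then see those public addresses in its own crypto ACL and NAT exemption for the reverse direction to work.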
Access List Change [7:54901]
Hello all, Continuing my quest to unravel that which was left behind, I am now at the following conclusion: Europe is on subnet 172.29.30.0 U.S. is on subnet 192.168.100.0 Europe office has a 512k portal to the internet, public IP gateway being 1.2.3.4 (made up of course, is in 217.x.x.x range) U.S. public IP is 6.7.8.9 However, it has been configured for all Europe internet traffic to be routed through U.S. office (for purposes of going through a firewall, which wasn't in place anyways). This has left Europe office with effective internet speeds of <50k. Now I want them to use their own internet portal and I believe I need to reconfigure access lists to allow it. Here are my lists: ip nat inside source list 101 interface Ethernet0 overload ip kerberos source-interface any ip classless ip route profile ip route 0.0.0.0 0.0.0.0 1.2.3.4 ip route 172.29.40.0 255.255.255.0 192.168.100.15 ip http server ! access-list 100 permit ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31 access-list 100 permit ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255 access-list 101 deny ip 172.29.30.0 0.0.0.255 6.7.8.9 0.0.0.31 access-list 101 deny ip 172.29.30.0 0.0.0.255 192.168.100.0 0.0.0.255 access-list 101 permit ip 172.29.30.0 0.0.0.255 any interface Ethernet0 description connected to Internet ip address 1.2.3.5 255.255.255.248<--- IP is one number above public gateway ip nat outside no ip route-cache no ip mroute-cache half-duplex crypto map cm-cryptomap And here's what I *think* I need to do: no ip route 0.0.0.0 0.0.0.0 1.2.3.4 ip route 172.29.30.0 255.255.255.0 1.2.3.4 access-list 100 permit ip 172.29.30.0 0.0.0.255 1.2.3.4 For the last line I would actually need to clear all access lists ( no access-list 100. is the command?) and then reenter to preserve the order? Does it sound like I'm close to what I need to do? 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54901&t=54901
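The two lists in the post above work as a pair: the deny entries in list 101 keep the VPN-bound traffic out of NAT, while list 100 selects that same traffic for the crypto map. The following Python model is an added example, not from the post or from Cisco; it implements IOS wildcard-mask matching and runs the post's own entries over constructed flows (198.51.100.7 and 10.0.0.5 are made-up test addresses), and it also shows that `6.7.8.9 0.0.0.31` covers the whole 6.7.8.0-6.7.8.31 block rather than one host.

```python
import ipaddress
from dataclasses import dataclass

# Model of Cisco IOS numbered-ACL matching with wildcard (inverse) masks.
# Added example, not from the post or from Cisco; the entries below are
# the post's own access-list 100 and 101, with its placeholder public IPs.

@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # source address from the ACE
    src_wc: str   # source wildcard: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wc: str

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Return True if addr matches base under IOS wildcard-mask semantics."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))  # bits that must match
    return (a & care) == (b & care)

def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action
    return "deny"

# access-list 100: selects traffic for the crypto map (VPN to the U.S. office)
ACL_100 = [
    Ace("permit", "172.29.30.0", "0.0.0.255", "6.7.8.9", "0.0.0.31"),
    Ace("permit", "172.29.30.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
]
# access-list 101: NAT inside source list; the denies keep VPN traffic untranslated
ACL_101 = [
    Ace("deny", "172.29.30.0", "0.0.0.255", "6.7.8.9", "0.0.0.31"),
    Ace("deny", "172.29.30.0", "0.0.0.255", "192.168.100.0", "0.0.0.255"),
    Ace("permit", "172.29.30.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),  # "any"
]

def classify(src, dst):
    """How a flow leaves Ethernet0: 'vpn' (encrypted, private source kept),
    'nat' (overloaded onto the interface address) or 'untranslated'."""
    if evaluate(ACL_100, src, dst) == "permit":
        return "vpn"
    if evaluate(ACL_101, src, dst) == "permit":
        return "nat"
    return "untranslated"   # leaves with a private source, which the ISP will not route

if __name__ == "__main__":
    for dst in ("192.168.100.20", "6.7.8.20", "198.51.100.7"):
        print(dst, classify("172.29.30.10", dst))
```

Because 6.7.8.20 falls inside the wildcard block, it is treated as VPN traffic even though only 6.7.8.9 was intended; a wildcard of 0.0.0.0 (or the `host` keyword) would limit the entry to the single address.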
Re: Access List Change [7:54901]
Hi,

The router was purchased along with the Cisco firewall software license. I figured to implement that? Otherwise I could put ISA on the server out there. The security concerns are duly noted, and I won't leave the office on public until addressed.

That being said; to get them to use their own internet portal direct I would do a:

ip route 172.29.30.0 255.255.255.0 1.2.3.4

and do a:

no ip route 0.0.0.0 0.0.0.0

is that correct?

BTW, and don't laugh, I put in that last route chasing down a CPU utilization issue. The router was typically at 34% utilization. Doing some research I found that maybe packets to unclaimed addresses were looping between internal network and ISP, and that line would throw them in the bit bucket. So that was way out in left field wasn't it. I did solve the utilization issue; there was an unused ADSL module, when I had that pulled it went down to normal.

Chuck's Long Road wrote:
>
> just a quick comment or two.
>
> you are writing as if you need to do something on your routers other than change the gateway of last resort.
>
> ip route 0.0.0.0 0.0.0.0 goes where?
>
> without getting into the intricacies, if you are introducing a new firewall into the "europe" domain, your router should have a default route pointing to the inside address of the firewall. no other configuration is required. the firewall does all the filtering. no access lists. etc. at least not as related to firewall stuff.
>
> your router would redistribute the default route information, or not, as needed.
>
> your hosts would use the particular router as their default gateway.
>
> if you are using your router as the firewall, then I have to ask - what happens if that device is compromised - do you really want some hacker to then be in the middle of your network?
>
> --
>
> www.chuckslongroad.info
> like my web site?
> take the survey!
>
>
> ""CTM CTM"" wrote in message news:[EMAIL PROTECTED]...
Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54914&t=54901
Reverse DNS [7:55627]
Is it possible to block reverse DNS queries at the router? If so, I may have inadvertently done so, but can't seem to find a setting that would have blocked them.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55627&t=55627