AAA Config question

2000-12-22 Thread Robert Yee

Hi all, 
I'm in the process of testing out a AAA config on a router, and if
successful I will be rolling this out to my network. 
The config seems to work very well with CiscoSecure ACS for NT 2.4. However,
there are some quirks that I'm just not sure about. 
The following is the config that I'm using: 
hostname Router1
!
aaa new-model
aaa authentication login list1 local group tacacs+
aaa authentication ppp list1 local group tacacs+
aaa authorization exec list1 local group tacacs+ 
aaa authorization network list1 local group tacacs+ 
aaa accounting exec list1 start-stop group tacacs+
aaa accounting network list1 start-stop group tacacs+
enable password cisco
!
username user1 password 0 cisco
!
tacacs-server host 172.16.1.211
tacacs-server key 12345
!
line con 0
password cisco
transport input none
line aux 0
line vty 0 4
password cisco
login authentication list1 
Questions: 
1. When I try and setup the method list (list1) for authentication with
tacacs+ first then local, it does not allow local authentication, it will
only look to the tacacs+ server for validation. However, if I list local
first, then tacacs+, it'll work as desired. Why is this so? Shouldn't it
work the other way around also? 
2. I've chosen to implement the authentication on vty sessions only by using
the 'login authentication list1' command that I read on CCO. The ACS software
suggested that I use the combination 'aaa authen login no_tacacs enable/line
con 0/ login authen no_tacas' command. However, when I tried this, it
totally bombed. What did I do wrong? 
Thanks! 
Robert 
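The behaviour asked about in question 1 follows from how IOS walks a method list: the next method is consulted only when the current one returns an error (no answer), never when it returns a definite pass or fail. The Python model below is an added example, not code from the list post or from Cisco; it reproduces the poster's two orderings against a constructed local user database and a stand-in TACACS+ server. The class and function names (TacacsServer, evaluate, scenario) and the server user "admin" are assumptions made for the illustration; "user1"/"cisco" come from the posted config.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method granted access; evaluation stops
    FAIL = "fail"    # method definitively rejected the credentials; evaluation stops
    ERROR = "error"  # method could not answer; IOS moves on to the next method


class TacacsServer:
    """Constructed stand-in for a TACACS+ server: a user table plus a reachability flag."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def check(self, username, password):
        # An unreachable server is the only case that yields ERROR; a live server
        # that rejects the credentials yields FAIL, and no later method is tried.
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(username) == password else Result.FAIL


def local_check(local_users, username, password):
    # IOS 'local' method: an unknown username is an ERROR (so the next method is
    # consulted); a wrong password for a known user is a FAIL (evaluation stops).
    if username not in local_users:
        return Result.ERROR
    return Result.PASS if local_users[username] == password else Result.FAIL


def evaluate(method_list, username, password, local_users, tacacs):
    """Walk the method list the way IOS does and return (final_result, trail).

    trail records each method consulted and what it returned, which is what
    you would want to see when auditing why a login was accepted or refused."""
    trail = []
    for method in method_list:
        if method == "local":
            r = local_check(local_users, username, password)
        elif method == "group tacacs+":
            r = tacacs.check(username, password)
        else:
            raise ValueError(f"unknown method {method!r}")
        trail.append((method, r))
        if r is not Result.ERROR:
            return r, trail
    # Every method errored: IOS denies the login.
    return Result.FAIL, trail


def scenario():
    """Reproduce the poster's two orderings. Returns a dict of outcomes."""
    local_users = {"user1": "cisco"}    # from 'username user1 password 0 cisco'
    server_users = {"admin": "s3cret"}  # constructed TACACS+ user database
    up = TacacsServer(server_users, reachable=True)
    down = TacacsServer(server_users, reachable=False)
    tacacs_first = ["group tacacs+", "local"]
    local_first = ["local", "group tacacs+"]
    return {
        # Server up, user known only locally: TACACS+ says FAIL, local is never asked.
        "tacacs_first_up_user1": evaluate(tacacs_first, "user1", "cisco", local_users, up)[0],
        # Server unreachable: TACACS+ returns ERROR, local is asked, user1 passes.
        "tacacs_first_down_user1": evaluate(tacacs_first, "user1", "cisco", local_users, down)[0],
        # Local first: user1 is accepted locally even though the server is up.
        "local_first_user1": evaluate(local_first, "user1", "cisco", local_users, up)[0],
        # Local first, username not in the local database: falls through to TACACS+.
        "local_first_admin": evaluate(local_first, "admin", "s3cret", local_users, up)[0],
        # Local first, known local user with a wrong password: FAIL, TACACS+ not asked.
        "local_first_user1_badpw": evaluate(local_first, "user1", "wrong", local_users, up)[0],
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome.value}")
```

The practical consequence for the posted config: with "local group tacacs+" the local "user1/cisco" account is honoured on every login even while the ACS server is healthy, so local accounts should be treated as privileged credentials and kept strong. With "group tacacs+ local" the local account only comes into play when the server cannot be reached, which is the usual intent of a fallback account.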

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Obligatory I passed BSCN! post

2000-12-07 Thread Robert Yee

Hi All!

I took the Routing 2.0 exam this morning and surprisingly walked away with
908/1000. After completing the exam, I was fairly certain that I would be
back for another shot at it in a week or two, but I guess the network gods
were with me today.

The following is what I used to study from:

1. Courseware from BSCN: Very good. You have to read and understand ALL the
routing concepts. I skimmed through the Cisco Press BSCN book and I believe
that it is comparable to the courseware.

2. Boson test #1: Good. The Boson test is actually much easier than the real
thing. I had about 6 questions on the real test that I saw on Boson. Boson
will test your knowledge of the subject and I think it is a worthwhile
investment. 

3. Routing TCP/IP from Jeff Doyle: Very Good. I didn't read through the
whole book. I used this book to clarify points that I did not understand on
the interior protocols.

4. www.cisco.com: Excellent. But you have to dig a little for the info.

5. Study notes from www.routedpacket.com. Great! These are great to read the
night before the exam or right before you take it.

Overall, I thought the exam was about the hardest one that I've ever taken. I
used educated guesses on a lot of the questions. The answers are all there
in front of you, I just applied the concepts that I knew and used the
process of elimination. It was ALL multiple choice.

WATCH OUT FOR ERRORS! I had a question that had a blatant error on it. Not
that there is anything you can do about it, I chose the 'best' answer that I
could.

Follow the test outline that Cisco has on their website, the test follows it
pretty closely.

KNOW the concepts behind the routing protocols!!! I can't emphasize this
enough. I had more questions that were analytical than memorization kind.

Hope this helps.

Robert




Re: VPN and NAT

2000-07-17 Thread Robert Yee

Denao,

Have you tried the NONAT statement in your access lists? I am by no means an
expert, but here's a link to some Cisco sample configs. There are a bunch near the
bottom about IPsec, NAT and NONAT.

Denao Ruttino wrote:

 I have set up a router that is doing a router-router VPN as well as VPN
 clients coming in.  The problem that I am having is with NAT.  I need to set
 up 3 or 4 machines on the inside with static NAT translations and when I do,
 it translates all traffic.  Is there a way to set this up where the VPN
 traffic does not get translated for these addresses?  I have used the
 following:

 ip nat inside source static 192.8.8.150 192.8.8.150 extendable
 ip nat inside source static 192.8.8.100 200.150.15.22 extendable
   (not real addresses)

 This seems to work except for when I initiate connections from the
 192.6.6.100 box.  That only works 50% of the time.

 I do not have this problem on NAT pools as route map statements allow me to
 deny translations by address.  I only have this problem on the ones I want
 to assign a specific address to.

 Any suggestions would be appreciated.





Re: Boson CCDA Test

2000-07-15 Thread Robert Yee

I took the CCDA exam today. I used the Boson tests as part of my studies.
There were many questions on Boson that were VERY similar to the real test. It
is a good tool to use. The scenarios are a bit easier than the real thing. I
would try and study as many different scenario sources as possible to get the
feel for it.

Robert

"Newton, James A. (AIT)" wrote:

 Has anyone used this test? Is it reflective of what you will really see on
 the actual test?

 Any input would be appreciated.

 Jim Newton
 Data Design Engineer
 CCNA, CCNP
 SBC Ameritech
 Wk. 608-259-2454
 Pager 608-559-3288
 [EMAIL PROTECTED]





Re: Building Scalable Cisco Networks : Exam 640-503

2000-07-15 Thread Robert Yee

I would recommend the Hutnik-Satterlee book, CCIE All-In-One Lab Study
Guide. There are lab examples of BGP, EIGRP and OSPF.

I took the class a few weeks ago and we didn't cover IS-IS except to mention
it. Most of the class was on BGP (2 1/2 days).

Robert

kikpasa wrote:

 Hello Everyone,
   I am looking for a book for the new BSCN exam, the only book in amazon
 is not being published till August, and I can't wait that long, any
 idea. Those that have sat the exam please provide me with the list of
 book/ URL, etc you used

 Cheers
 Kerry





Re: Any comments on using 2620 for VPN?

2000-07-15 Thread Robert Yee

Eric,

We have 2 remote offices that run VPN to our HQ over DSL. The routers that we
use are 2611s with 64 MB DRAM and 16 MB flash. We are using 12.1(2)T. Previous
to 12.1(2)T, we used another version of IOS (I can't remember which one), but
it gave us all sorts of headaches. The SF office has been up for about 1 month
w/out a single problem.

The NY office goes live this Thursday. I've been testing it here at home for
about a week and it has been pretty good.

Robert

Eric Bishop wrote:

 Looking to setup a customer with internet connectivity with the requirement
 of VPN site to site in the scope.  I was thinking about putting the
 IPSEC/3DES IOS on the routers and forgo the use of any additional hardware.

 Suggestions?

 Eric





Reverse Telnet Question

2000-06-12 Thread Robert Yee

I'm in the process of setting up a reverse telnet on my home lab. I
recently got a 2509 and am in the process of hooking it up to my other
routers.

When I try to telnet to the other router from the terminal server, it
either says, "Connection refused by remote host", or it just hangs.

Am I missing something in my config?

***Term_Svr

Current configuration:
!
version 11.2
no service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname TERM_SVR
!
!
no ip domain-lookup
ip host R1 2001 10.1.1.1
!
interface Loopback1
 ip address 10.1.1.1 255.255.255.0
 no logging event subif-link-status
!
interface Ethernet0
 no ip address
 no logging event subif-link-status
 shutdown
!
interface Serial0
 no ip address
 no logging event subif-link-status
 shutdown
!
interface Serial1
 no ip address
 no logging event subif-link-status
 shutdown
!
no ip classless
!
!
line con 0
line 1 8
 no exec
 transport input all
line aux 0
line vty 0 4
 login
!
end

**R1*

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
enable password cisco
!
ip subnet-zero
no ip domain-lookup
!
!
!
interface Serial0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
!
interface Serial1
 no ip address
 no ip directed-broadcast
 shutdown
!
interface TokenRing0
 no ip address
 no ip directed-broadcast
 shutdown
!
interface BRI0
 no ip address
 no ip directed-broadcast
 shutdown
!
ip classless
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password cisco




Re: Exam objectives for BCMSN test

2000-05-19 Thread Robert Yee

Spanning Tree
Trunking
Etherchannel
VLANs
VTP
MLS
Command line (Crescendo and IOS)

Trust me.

Robert Yee

Jeff Walzer wrote:

 Does anyone have or know where to find the exam objectives for the upcoming
 BCMSN test (640-504)?

 Thanks,
 Jeff

