Re: IP unnumbered and CBAC [7:48721]

2002-07-15 Thread Steven A. Ridder

From the config I see, here's what I'm interpreting:

Router instructed to start monitoring packets coming in s0.1 as defined in
the CBAC statement corp.  Then there's an ACL 100 on the e0/0, going in the
router, but if that's for CBAC, then it's on the wrong interface.  CBAC
needs an ACL to block traffic before it can monitor traffic and allow it to
pass back out.

So if you want to monitor the traffic going back out with CBAC, you'd need
an ACL on the s0.1 out. So I'd permit the inside networks to go out, and
block all other traffic, and then CBAC will let the traffic that came in
s0.1 to go back out.



Dennis Cooper wrote in message news:[EMAIL PROTECTED]...
 service timestamps debug datetime msec localtime show-timezone
 service timestamps log datetime msec localtime show-timezone
 service password-encryption
 !
 hostname firewall
 !
 boot system flash c3620-io-mz.120-3.T3.bin
 logging buffered 10 debugging
 enable secret 5 $1$hqZ4$k9Mvt5yfvbpipYmFGbTSS/
 !
 username Brisbane password 7 x
 username Adelaide password 7 
 username Perth password 7 xxx
 clock timezone EST 10
 ip subnet-zero
 ip host Perth 125.1.100.24
 ip domain-name corp.com.au
 ip name-server 125.1.10.3
 !
 ip inspect name corp tcp
 ip inspect name corp udp
 ip inspect name corp http
 ip inspect name corp ftp
 ip inspect name corp smtp
 frame-relay de-list 1 protocol ip
 frame-relay switching
 isdn switch-type basic-net3
 !
 !
 !
 interface BRI0/0
  description 64K ISDN On-Ramp Backup Service to Brisbane  Adelaide
  no ip address
  no ip directed-broadcast
  encapsulation ppp
  dialer pool-member 1
  isdn switch-type basic-net3
  ppp authentication chap
 !
 interface Ethernet0/0
  description Sydney Local Ethernet Segment
  ip address 172.25.201.1 255.255.0.0
  no ip directed-broadcast
  no keepalive
 !
 interface Ethernet1/0
  desc Sydney untrusted segment
  ip address 192.168.3.3 255.255.255.0
  ip access-group 100 in
  no ip directed-broadcast
 !
 interface Serial1/0
  description 192K CIR - 576K ACCESS to Perth
  mtu 800
  no ip address
  no ip directed-broadcast
  encapsulation frame-relay
  no ip mroute-cache
  priority-group 1
  frame-relay lmi-type ansi
  frame-relay route 16 interface Serial1/1 16
  frame-relay route 20 interface Serial1/1 20
  frame-relay route 22 interface Serial1/1 22
 !
 interface Serial1/0.1 point-to-point
  description 192K CIR PVC to Perth
  mtu 800
  bandwidth 192
  ip unnumbered Ethernet0/0
  ip inspect corp in
  no ip directed-broadcast
  backup delay 5 10
  backup interface Dialer0
  frame-relay de-group 1 17
  frame-relay interface-dlci 17
  frame-relay payload-compression packet-by-packet
 !
 interface Serial1/0.2 point-to-point
  description 16K PVC to Adelaide
  mtu 800
  ip unnumbered Ethernet0/0
  no ip directed-broadcast
  backup delay 5 10
  backup interface Dialer1
  frame-relay de-group 1 21
  frame-relay interface-dlci 21
  frame-relay payload-compression packet-by-packet
 !
 interface Serial1/0.3 point-to-point
  description 16K PVC to Brisbane
  mtu 800
  ip unnumbered Ethernet0/0
  no ip directed-broadcast
  backup delay 5 10
  backup interface Dialer2
  frame-relay de-group 1 23
  frame-relay interface-dlci 23
  frame-relay payload-compression packet-by-packet
 !
 interface Serial1/1
  description Frame Relay Voice Service to Micom Marathon
  mtu 800
  no ip address
  no ip directed-broadcast
  encapsulation frame-relay
  shutdown
  clockrate 50
  frame-relay lmi-type ansi
  frame-relay intf-type dce
  frame-relay route 16 interface Serial1/0 16
  frame-relay route 20 interface Serial1/0 20
  frame-relay route 22 interface Serial1/0 22
 !
 interface Dialer0
  description 64K ISDN Backup Service to Perth
  ip unnumbered Ethernet0/0
  no ip directed-broadcast
  encapsulation ppp
  dialer remote-name Perth
  dialer pool 1
  dialer-group 1
  ppp authentication chap
 !
 interface Dialer1
  description 64K ISDN Backup Service to Adelaide
  ip unnumbered Ethernet0/0
  no ip directed-broadcast
  encapsulation ppp
  dialer remote-name Adelaide
  dialer string X
  dialer pool 1
  dialer-group 1
  ppp authentication chap
 !
 interface Dialer2
  description 64K ISDN Backup Service to Brisbane
  ip unnumbered Ethernet0/0
  no ip directed-broadcast
  encapsulation ppp
  dialer remote-name Brisbane
  dialer string 
  dialer pool 1
  dialer-group 1
  ppp authentication chap
 !
 router eigrp 69
  redistribute static route-map static2eigrp
  network 172.25.0.0
  network 192.168.3.0
  default-metric 1000 1000 254 1 1500
  no auto-summary
 !
 ip classless
 ip route 0.0.0.0 0.0.0.0 125.1.100.24
 ip route 172.16.10.0 255.255.255.0 192.168.3.1
 ip route 172.16.15.0 255.255.255.0 192.168.3.1
 ip route 172.16.20.0 255.255.255.0 192.168.3.1
 ip route 192.168.4.0 255.255.255.0 192.168.3.1
 ip route 192.168.7.0 255.255.255.0 192.168.3.1
 ip route 192.168.10.0 255.255.255.0 192.168.3.1
 ip route 192.168.52.0 255.255.255.0 172.25.201.3
 ip 
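
An added example, not part of the original posts: a small Python check that lists, for each `ip inspect` interface binding in an IOS config, whether the inspection rule name is defined and which `ip access-group` ACLs sit on the same interface in the opposite direction or on other interfaces in the same direction, which is the placement question the reply above raises. The function name `audit_cbac` and the sample text are constructed for illustration; the sample keeps only the CBAC-relevant lines of the posted config.

```python
import re

# Constructed sample: the CBAC-relevant lines of the configuration posted in the thread.
SAMPLE = """\
ip inspect name corp tcp
ip inspect name corp udp
!
interface Ethernet0/0
 ip address 172.25.201.1 255.255.0.0
!
interface Ethernet1/0
 ip address 192.168.3.3 255.255.255.0
 ip access-group 100 in
!
interface Serial1/0.1 point-to-point
 ip unnumbered Ethernet0/0
 ip inspect corp in
!
access-list 100 permit icmp any any
"""

def audit_cbac(config):
    """Return one finding per 'ip inspect <rule> in|out' interface binding."""
    rules, acls, inspects, iface = set(), {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a global-mode line ends interface context
            iface = None
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip inspect name (\S+)", line):
            rules.add(m.group(1))            # inspection rule definition
        elif iface and (m := re.match(r"ip access-group (\S+) (in|out)$", line)):
            acls[(iface, m.group(2))] = m.group(1)
        elif iface and (m := re.match(r"ip inspect (\S+) (in|out)$", line)):
            inspects.append((iface, m.group(1), m.group(2)))
    findings = []
    for ifc, rule, direction in inspects:
        back = "out" if direction == "in" else "in"
        findings.append({
            "interface": ifc, "rule": rule, "direction": direction,
            "rule_defined": rule in rules,
            # ACL on the inspected interface itself, facing the return traffic
            "same_if_acl": acls.get((ifc, back)),
            # ACLs on other interfaces that filter the same direction as the inspection
            "other_if_acls": sorted((i, n) for (i, d), n in acls.items()
                                    if i != ifc and d == direction),
        })
    return findings
```

Run against the sample, it reports no outbound ACL on Serial1/0.1 and ACL 100 inbound on Ethernet1/0; a binding such as `ip inspect firewall in` with only `corp` defined comes back with `rule_defined` set to false.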

Re: IP unnumbered and CBAC [7:48721]

2002-07-14 Thread Dennis Cooper

Hi Steve

Here is an extract from the config - access-list 100 controls traffic from
the untrusted section of the company being migrated.

firewall is the name of the ip inspect policy

interface Ethernet0/0
 description Sydney Local Ethernet Segment
 ip address 172.25.201.1 255.255.0.0
 no keepalive
!
interface Ethernet1/0
 ip address 192.168.3.3 255.255.255.0
 ip access-group 100 in
!
interface Serial1/0
 description 192K CIR - 576K ACCESS to Head Office
 mtu 800
 no ip address
 encapsulation frame-relay
 no ip mroute-cache
 priority-group 1
 frame-relay lmi-type ansi
 frame-relay route 16 interface Serial1/1 16
 frame-relay route 20 interface Serial1/1 20
 frame-relay route 22 interface Serial1/1 22
!
interface Serial1/0.1 point-to-point
 description 192K CIR PVC to Head Office
 mtu 800
 backup delay 5 10
 backup interface Dialer0
 ip unnumbered Ethernet0/0
 ip inspect firewall in
 bandwidth 192
 frame-relay de-group 1 17
 frame-relay interface-dlci 17
 frame-relay payload-compression packet-by-packet


Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
 show me the configs

 Dennis Cooper wrote in message news:[EMAIL PROTECTED]...
  Hi guys
 
  The scenario is two customer networks merging in the same building and we
  have a Cisco 3620 in between the two LAN networks. (E0/0 and E1/0)
 
 
  S0/0 ---3620---E0/0 172.25.0.0/16
              ---E1/0 192.168.3.0
 
 
 
  There is a Frame Relay service to head office on interface Serial 0/0 and is
  currently ip unnumbered to the E0/0 interface.
 
  Using CBAC I cannot get the ip inspect stuff to work and I suspect either
  1. the code 12.0(3)T FFS
  2. IP unnumbered
 
  Q.  Anyone done this before?
 
  Regards
 
  Dennis Cooper
  Lab date 13/08/2002 (but who's counting)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48796t=48721
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: IP unnumbered and CBAC [7:48721]

2002-07-14 Thread Steven A. Ridder

not enough info to tell
Need more of the config.


Dennis Cooper wrote in message news:[EMAIL PROTECTED]...
 Hi Steve

 Here is an extract from the config - access-list 100 controls traffic from
 the untrusted section of the company being migrated.

 firewall is the name of the ip inspect policy

 interface Ethernet0/0
  description Sydney Local Ethernet Segment
  ip address 172.25.201.1 255.255.0.0
  no keepalive
 !
 interface Ethernet1/0
  ip address 192.168.3.3 255.255.255.0
  ip access-group 100 in
 !
 interface Serial1/0
  description 192K CIR - 576K ACCESS to Head Office
  mtu 800
  no ip address
  encapsulation frame-relay
  no ip mroute-cache
  priority-group 1
  frame-relay lmi-type ansi
  frame-relay route 16 interface Serial1/1 16
  frame-relay route 20 interface Serial1/1 20
  frame-relay route 22 interface Serial1/1 22
 !
 interface Serial1/0.1 point-to-point
  description 192K CIR PVC to Head Office
  mtu 800
  backup delay 5 10
  backup interface Dialer0
  ip unnumbered Ethernet0/0
  ip inspect firewall in
  bandwidth 192
  frame-relay de-group 1 17
  frame-relay interface-dlci 17
  frame-relay payload-compression packet-by-packet


 Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...
  show me the configs
 
  Dennis Cooper wrote in message news:[EMAIL PROTECTED]...
   Hi guys
  
   The scenario is two customer networks merging in the same building and we
   have a Cisco 3620 in between the two LAN networks. (E0/0 and E1/0)
  
  
   S0/0 ---3620---E0/0 172.25.0.0/16
               ---E1/0 192.168.3.0
  
  
  
   There is a Frame Relay service to head office on interface Serial 0/0 and is
   currently ip unnumbered to the E0/0 interface.
  
   Using CBAC I cannot get the ip inspect stuff to work and I suspect either
   1. the code 12.0(3)T FFS
   2. IP unnumbered
  
   Q.  Anyone done this before?
  
   Regards
  
   Dennis Cooper
   Lab date 13/08/2002 (but who's counting)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48797t=48721



Re: IP unnumbered and CBAC [7:48721]

2002-07-14 Thread Dennis Cooper

service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname firewall
!
boot system flash c3620-io-mz.120-3.T3.bin
logging buffered 10 debugging
enable secret 5 $1$hqZ4$k9Mvt5yfvbpipYmFGbTSS/
!
username Brisbane password 7 x
username Adelaide password 7 
username Perth password 7 xxx
clock timezone EST 10
ip subnet-zero
ip host Perth 125.1.100.24
ip domain-name corp.com.au
ip name-server 125.1.10.3
!
ip inspect name corp tcp
ip inspect name corp udp
ip inspect name corp http
ip inspect name corp ftp
ip inspect name corp smtp
frame-relay de-list 1 protocol ip
frame-relay switching
isdn switch-type basic-net3
!
!
!
interface BRI0/0
 description 64K ISDN On-Ramp Backup Service to Brisbane  Adelaide
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication chap
!
interface Ethernet0/0
 description Sydney Local Ethernet Segment
 ip address 172.25.201.1 255.255.0.0
 no ip directed-broadcast
 no keepalive
!
interface Ethernet1/0
 desc Sydney untrusted segment
 ip address 192.168.3.3 255.255.255.0
 ip access-group 100 in
 no ip directed-broadcast
!
interface Serial1/0
 description 192K CIR - 576K ACCESS to Perth
 mtu 800
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 no ip mroute-cache
 priority-group 1
 frame-relay lmi-type ansi
 frame-relay route 16 interface Serial1/1 16
 frame-relay route 20 interface Serial1/1 20
 frame-relay route 22 interface Serial1/1 22
!
interface Serial1/0.1 point-to-point
 description 192K CIR PVC to Perth
 mtu 800
 bandwidth 192
 ip unnumbered Ethernet0/0
 ip inspect corp in
 no ip directed-broadcast
 backup delay 5 10
 backup interface Dialer0
 frame-relay de-group 1 17
 frame-relay interface-dlci 17
 frame-relay payload-compression packet-by-packet
!
interface Serial1/0.2 point-to-point
 description 16K PVC to Adelaide
 mtu 800
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 backup delay 5 10
 backup interface Dialer1
 frame-relay de-group 1 21
 frame-relay interface-dlci 21
 frame-relay payload-compression packet-by-packet
!
interface Serial1/0.3 point-to-point
 description 16K PVC to Brisbane
 mtu 800
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 backup delay 5 10
 backup interface Dialer2
 frame-relay de-group 1 23
 frame-relay interface-dlci 23
 frame-relay payload-compression packet-by-packet
!
interface Serial1/1
 description Frame Relay Voice Service to Micom Marathon
 mtu 800
 no ip address
 no ip directed-broadcast
 encapsulation frame-relay
 shutdown
 clockrate 50
 frame-relay lmi-type ansi
 frame-relay intf-type dce
 frame-relay route 16 interface Serial1/0 16
 frame-relay route 20 interface Serial1/0 20
 frame-relay route 22 interface Serial1/0 22
!
interface Dialer0
 description 64K ISDN Backup Service to Perth
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer remote-name Perth
 dialer pool 1
 dialer-group 1
 ppp authentication chap
!
interface Dialer1
 description 64K ISDN Backup Service to Adelaide
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer remote-name Adelaide
 dialer string X
 dialer pool 1
 dialer-group 1
 ppp authentication chap
!
interface Dialer2
 description 64K ISDN Backup Service to Brisbane
 ip unnumbered Ethernet0/0
 no ip directed-broadcast
 encapsulation ppp
 dialer remote-name Brisbane
 dialer string 
 dialer pool 1
 dialer-group 1
 ppp authentication chap
!
router eigrp 69
 redistribute static route-map static2eigrp
 network 172.25.0.0
 network 192.168.3.0
 default-metric 1000 1000 254 1 1500
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 125.1.100.24
ip route 172.16.10.0 255.255.255.0 192.168.3.1
ip route 172.16.15.0 255.255.255.0 192.168.3.1
ip route 172.16.20.0 255.255.255.0 192.168.3.1
ip route 192.168.4.0 255.255.255.0 192.168.3.1
ip route 192.168.7.0 255.255.255.0 192.168.3.1
ip route 192.168.10.0 255.255.255.0 192.168.3.1
ip route 192.168.52.0 255.255.255.0 172.25.201.3
ip route 192.168.144.0 255.255.255.0 192.168.3.1
no ip http server
!
!
map-class frame-relay cir64k
 frame-relay traffic-rate 192000 50
 frame-relay adaptive-shaping becn
!
map-class frame-relay cir32k
 frame-relay traffic-rate 32000 4
 frame-relay adaptive-shaping becn
!
map-class frame-relay cir16k
 frame-relay traffic-rate 16000 24000
 frame-relay adaptive-shaping becn
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.144.0 0.0.0.255
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit 172.16.15.0 0.0.0.255
access-list 1 permit 172.16.20.0 0.0.0.255
access-list 100 permit icmp any any
access-list 100 permit ip 192.168.3.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 100 permit tcp any 203.19.170.0 0.0.0.31 eq 3389

IP unnumbered and CBAC [7:48721]

2002-07-13 Thread Dennis Cooper

Hi guys

The scenario is two customer networks merging in the same building and we
have a Cisco 3620 in between the two LAN networks. (E0/0 and E1/0)


S0/0 ---3620---E0/0 172.25.0.0/16
            ---E1/0 192.168.3.0



There is a Frame Relay service to head office on interface Serial 0/0 and is
currently ip unnumbered to the E0/0 interface.

Using CBAC I cannot get the ip inspect stuff to work and I suspect either
1. the code 12.0(3)T FFS
2. IP unnumbered

Q.  Anyone done this before?

Regards

Dennis Cooper
Lab date 13/08/2002 (but who's counting)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48721t=48721



Re: IP unnumbered and CBAC [7:48721]

2002-07-13 Thread Steven A. Ridder

show me the configs

Dennis Cooper wrote in message news:[EMAIL PROTECTED]...
 Hi guys

 The scenario is two customer networks merging in the same building and we
 have a Cisco 3620 in between the two LAN networks. (E0/0 and E1/0)


 S0/0 ---3620---E0/0 172.25.0.0/16
             ---E1/0 192.168.3.0



 There is a Frame Relay service to head office on interface Serial 0/0 and is
 currently ip unnumbered to the E0/0 interface.

 Using CBAC I cannot get the ip inspect stuff to work and I suspect either
 1. the code 12.0(3)T FFS
 2. IP unnumbered

 Q.  Anyone done this before?

 Regards

 Dennis Cooper
 Lab date 13/08/2002 (but who's counting)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=48723t=48721