theterranaut

Forum Replies Created

    in reply to: Broadcast listener #285805

    Re: Broadcast listener

    Jeremy, David-

    of course, quite correct.

    Apologies for any confusion caused, I was thinking of a (very) broad example.

    theterranaut

    in reply to: changing metric in RIP #285804

    Re: changing metric in RIP

    Hello Ahmer;

    any chance you could post your configs and a ‘sh ip route’ from each device?

    If the routers are only one hop from each other then no, I don’t think you can do this. RIP’s only metric value is hop count, and as the routers are only one hop from each other then the metric will be calculated as 1.

    And also: what are you trying to achieve from this? Is it a lab environment with a goal you need to reach? If you give us some more info then we can probably help further.

    theterranaut

    in reply to: Re-route data to another device on the LAN #285803

    Re: Re-route data to another device on the LAN

    Hi JD, David;

    I think (IMHO) putting the 827 in the DMZ would involve unnecessary hassle (I’m thinking about the potential rulebase here) and, if you don’t mind me saying so, is a bit odd: the 827 is already on your local LAN, and, if it was going to be compromised, is in a prime place to be ‘got at’. As long as the 827 is only ‘listening’ for vpn traffic on its WAN side and dropping everything else then it should be safe enough.

    I would seriously consider the following:
    Option 1:
    consider setting up the 827 as default gateway for all devices. It is a router, after all, and will happily route packets all the live long day. The 5510, while it’s a capable device, is a firewall, and every additional load on its CPU diverts it from what it’s designed to do. This could be as easy as setting up static routes to the remote ‘vpn-connected’ LANs via the 827’s next hop, and a default route to the ASA. This should cover your routing needs nicely.

    Option 2:
    Isn’t there the possibility of ditching the 827 completely as a vpn gateway? The ASA can cope with this kind of thing with ease. Admittedly you’ve got what I think from your diagram is point-to-point wireless connecting some of your remote sites (I’m a bit fuzzy on your WAN on that side- does it then come in to you on SDSL??) but a single device with a single public IP terminating on it, such as the ASA, will run any number of tunnels as long as the cryptomap is set up correctly.

    Sorry I’ve not been able to be a bit more positive. The feedback I got for the “same-security-traffic permit intra-interface” command told me that the ASA should reroute traffic back into the LAN when needed. I think this part works okay, but gets borked somewhere else a bit further along. End result is the same: device doesn’t see packet. :(

    David- good shout re: routing protocols. I wonder, though, that with an environment as static as JD’s you would significantly benefit from the overhead in configuring them? I guess if JD needed some redundancy a bit later on then this could definitely help.

    cheers all-

    theterranaut

    in reply to: Re-route data to another device on the LAN #285802

    Re: Re-route data to another device on the LAN

    Hi JD,

    I’ve just checked this out.

    PIX OS 6.x would not allow traffic to enter, then leave the same interface.
    PIX/ASA 7.x can, by issuing the ‘same-security-traffic permit intra-interface’ command.
    I’ve tried this on a chopped-down version of your environment. Unfortunately, it did not work, even after adding the appropriate routes on the ASA. This could be a misconfiguration by me; I’ve posted a message on the Cisco Netpro forum asking for a sense-check on this.

    Anyway:
    This definitely feels like routing. If you think of it, even if the ASA is redirecting traffic to a different gateway on the LAN (your 827), the local device is still using the ASA as gateway and is expecting the traffic to return from it. Unless the ASA somehow ‘proxies’ this traffic back, I can’t get it to return.

    As you’ve noted, adding explicit routes to the LAN device works fine; the host can now see the remote device without problem.

    I’m still thinking about this one, but my gut feeling is that the 827 could be a better bet as gateway.

    Anyone else have any ideas?

    theterranaut

    in reply to: interface resets and CRC errors #285801

    Re: interface resets and CRC errors

    Hi Florin,

    there’s a lot of collisions on this interface. An awful lot. I would expect a few (it is a small collision domain, after all), but not this many. I think this is where your resets are coming from. I’ve seen this where the interface is on the customer’s side and on auto.

    Just make sure that, on your side, the interface is definitely set to 10/half and not auto. Other things to try are (as stated by Lior_S) swapping out the cable for a known good cable.

    I’m not sure what your router is plugged into. I’m assuming a switch of some description, but if not, it’s worthwhile getting your hands on a small, unmanaged workgroup switch (an 8 port model is very cheap these days) and inserting this between your router and whatever device it’s connected to.

    theterranaut

    in reply to: Re-route data to another device on the LAN #285800

    Re: Re-route data to another device on the LAN

    Thanks JD. Interesting. If adding routes to the servers cures the problem then it must be a routing issue (obviously!).
    There is/was a limitation by design on the PIX that I think still pertains to ASA- you cannot send traffic back ‘out’ of an interface it’s just arrived from. I think this applies to all interfaces, regardless of security levels- but I believe there’s a way of overriding this in 7.x.x, which is what your ASA will be running. I’d have to check and see if this is what’s killing things- is the ASA dropping packets coming in from the inside that are re-emerging on the inside?

    (A simple alternative, of course, if the above is the problem, would be to set the 871 as default gateway and add the routes to other destinations in there- a router will definitely not perform any kind of ‘drop’ as a PIX/ASA might.)

    If not, as all the devices on your LAN have the ASA as their gateway, it should just be a case of adding in the correct routes on the ASA to get this to work.

    If this has not been done yet (not totally clear from your answers, sorry) can you find a method of entering CLI commands into the ASA or just do the following: I recommend just connecting a console cable to the device and to a PC in the standard way and running Hyperterminal with the correct settings (if you’re stuck on this let us know and we’ll give you a blow by blow.) Apologies if you know all of this stuff already.

    From the console:
    -enter the login password (if set), then return
    -and then type show route

    The ASA should then spit out the routes it knows about- can you cut, paste and post them here please?

    Thanks

    theterranaut

    in reply to: Re-route data to another device on the LAN #285799

    Re: Re-route data to another device on the LAN

    Hi JD,
    I might be missing something very straightforward here from the descriptions you’ve given- apologies for that.

    Is your topology like this diagram I’ve knocked together?

    If so,

    -can you attach your ASA config? (sanitised please!)
    -is your ‘core’ lan network a private network?
    -are your remote offices also private networks?
    -“When I try to ping 192.168.2.180 in my satellite office, I think the data is going to the 5510 and stopping there.” How have you determined this?
    -can you reach any device in the satellite office on any other protocols, or is it just not being seen at all within your network?

    Thanks-

    theterranaut

    in reply to: Broadcast listener #285798

    Re: Broadcast listener

    I haven’t got Ethereal on this machine, but anything with a destination of 255.255.255.255 (or all FF’s) is what you would be looking for.

    theterranaut

    in reply to: Restrict access to Cisco Aironet 1200 by MAC address #285797

    Re: Restrict access to Cisco Aironet 1200 by MAC address

    Tony, this is easy to do if you have ACS. No other way I know of if you are running disparate access points. I know this means £££ but ACS dovetails so neatly with ACS.

    Alternatively- what about some higher security such as one of the flavours of 802.1x? Even WPA2, using a Windows box as a certificate server? More involved, but easier to centrally manage when it’s all set up. There’s an excellent guide here: http://www.ifm.net.nz/cookbooks/wpa_sbs2003/index.html on running this on SBS, but it easily extrapolates to Win Server 2003.

    theterranaut

    in reply to: Class A IP address with a Class C Mask #285796

    Re: Class A IP address with a Class C Mask

    EDIT
    Hi David,

    Of course, you are right-

    Just labbed this up.

    I changed the config-register from a ‘normal’ one to 0x2100. This put the device into rommon mode. Sure enough, typing ‘boot’ from this took me into an IOS with a prompt of “testname#(boot)”

    Sh ver shows:

    sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1995 by cisco Systems, Inc.
    Compiled Tue 24-Oct-95 15:46 by mkamson
    Image text-base: 0x01020000, data-base: 0x00001000

    ROM: System Bootstrap, Version 5.2(8a), RELEASE SOFTWARE

    testname uptime is 11 minutes
    System restarted by reload
    Running default software

    cisco 2500 (68030) processor (revision N) with 2044K/2048K bytes of memory.
    Processor board serial number 06097177 with hardware revision 00000000
    X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
    1 Ethernet/IEEE 802.3 interface.
    2 Serial network interfaces.
    32K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash partition 1 (Read/Write)
    8192K bytes of processor board System flash partition 2 (Read/Write)

    Configuration register is 0x2100

    This section:

    IOS (tm) 3000 Bootstrap Software (IGS-RXBOOT), Version 10.2(8a), RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-1995 by cisco Systems, Inc.
    Compiled Tue 24-Oct-95 15:46 by mkamson
    Image text-base: 0x01020000, data-base: 0x00001000

    shows I’m in the limited IOS stored in ROM.

    Issuing:
    conf t
    config-register 0x2102
    reload

    and I’m back into a normal IOS: sh ver shows

    testname#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-I-L), Version 12.1(22), RELEASE SOFTWARE (fc4)
    Copyright (c) 1986-2003 by cisco Systems, Inc.

    I’d forgotten that the rom IOS contains enough functionality to be able to read configs, if not make sense of all the commands.

    Thanks!

    theterranaut

    in reply to: DHCP relay #285795

    Re: DHCP relay

    Hiya,

    further to David’s answer:

    -you would also have to set up another DHCP scope to fulfil the requests of the devices on your other subnet. All the Windows flavours can do this easily, as can many routers, if required.

    theterranaut

    in reply to: help vpn #285794

    Re: help vpn

    Hi Mario,
    you say you cannot ping a PC on the protected LAN.

    -is this PC pingable from the ‘inside’?

    And, can you check what IP you get from the VPN? (ipconfig /all if you are on Windows)

    I also see you’ve used part of your internal network as your address pool for the vpn (10.100.100.28 10.100.100.30, from your config). As a quick start, it might be worthwhile changing this for something completely different, such as 10.100.200.0/24. On occasion I’ve had to do this, as routing seems to fail sometimes when you use a portion of your internal net. (I haven’t worked out why yet, but I think it’s to do with gateways).

    cheers,

    theterranaut

    in reply to: Class A IP address with a Class C Mask #285793

    Re: Class A IP address with a Class C Mask

    Hiya,

    I’m not too sure- normally, seeing ‘boot’ anywhere means you are in rommon mode- but as you’ve set a hostname for the device you must be booting into an IOS of some shape.

    I would check a couple of things:

    -have you issued a ‘boot system flash:(your IOS name here)’ command in config mode? This makes sure the router is getting to the right file to boot, rather than into the ROM.

    -your config-register is definitely still at 0x2102? (use sh ver to check)

    -when you write any kind of config and reload, is your config staying put? ie, not going back into setup mode?

    theterranaut

    in reply to: Class A IP address with a Class C Mask #285792

    Re: Class A IP address with a Class C Mask

    Tons- sorry, I led you down the garden path with this one! It was early in the morning and I hadn’t had any coffee! I’ve just noticed my mistake-

    This is, in fact, (at least in the general case anyway) the wrong mask for the IP you are using.

    The IP is given as: 10.0.0.100.

    Because the middle two octets are zero, this can only be a ‘classful’ address; ie, an 8 bit mask, so 255.0.0.0- UNLESS, of course, the router has been issued the command

    ip subnet zero

    in configure mode.

    This allows the use of the specialised 0 address, normally denoting a network, to act as an ordinary address.

    Try that, should work, I think your IOS is modern enough.

    regards,

    theterranaut

    in reply to: Basic Cisco PIX and Catalyst VLAN question #285791

    Re: Basic Cisco PIX and Catalyst VLAN question

    Yes, mostly. Remember that in general (gross oversimplification alert):

    -L2 devices (switches) “switch”- not much decision making there, so they are generally very fast
    -L3 devices (routers) “route”- some more decisions need to be made, so they are generally quite fast BUT slower than switches
    -L3/4/5/6/7 devices (firewalls) need to make complex decisions, so they are slower.

    The 506 has a total of 100Mbps of TCP throughput, so if you are going to do this then design very carefully. Keep things like file servers that need to talk to each other constantly on the same LAN, for example. Think of placement and throughput and how to minimise traffic.

    theterranaut

    in reply to: seeking similar sample pix 501 running config #285790

    Re: seeking similar sample pix 501 running config

    This should work for you. I’ve built a site to site using 3 PIXes:

    One on 172.16.1.0/24
    One on 10.1.1.0/24
    One on 10.1.2.0/24

    172.16.1.0(LAN1) is the ‘hub’- other 2 are spokes.
    LAN1 is also receiving inbound traffic on tcp 25 and forwarding it to 172.16.1.10

    All PIXes are permitting all traffic originating on the inside to the outside, without restriction.

    This is built using the following topology (ASCII, use your imagination):

    LAN1 (hub)
      172.16.1.0/24  (PIX INSIDE = .1)
      80.80.80.0/30  (PIX OUTSIDE = .1)
      80.80.80.0/30  (LOCAL ROUTER = .2) ---> to LANs 2 & 3

    LAN2
      90.90.90.0/24  (REMOTE ROUTER = .2)
      90.90.90.0/24  (PIX OUTSIDE = .1)
      10.1.1.0/24    (PIX INSIDE = .1)

    LAN3
      10.100.100.0/24   (REMOTE ROUTER = .2)
      100.100.100.0/24  (PIX OUTSIDE = .1)
      10.1.2.0/24       (PIX INSIDE = .1)

    CONFIG FOR LAN1 PIX (NB: all PIXen are 6.3(5))

    PIX Version 6.3(3)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password cisco
    passwd cisco
    hostname lan1pix
    domain-name inside.co.uk
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    no fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list lan1_to_lan2_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list outside_access_in permit tcp any interface outside eq smtp
    access-list lan1_to_lan3_vpn permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
    pager lines 100
    mtu outside 1500
    mtu inside 1500
    ip address outside 80.80.80.1 255.255.255.252
    ip address inside 172.16.1.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list lan_to_lan_vpn
    nat (inside) 1 172.16.1.0 255.255.255.0 0 0
    static (inside,outside) tcp interface smtp 172.16.1.10 smtp netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 80.80.80.2 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    http server enable
    http 172.16.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set secure esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
    crypto map lan_to_lan 10 ipsec-isakmp
    crypto map lan_to_lan 10 match address lan1_to_lan2_vpn
    crypto map lan_to_lan 10 set peer 90.90.90.1
    crypto map lan_to_lan 10 set transform-set secure
    crypto map lan_to_lan 20 ipsec-isakmp
    crypto map lan_to_lan 20 match address lan1_to_lan3_vpn
    crypto map lan_to_lan 20 set peer 100.100.100.1
    crypto map lan_to_lan 20 set transform-set secure
    crypto map lan_to_lan interface outside
    isakmp enable outside
    isakmp key asdfghjkl address 90.90.90.1 netmask 255.255.255.255
    isakmp key qwertyuiop address 100.100.100.1 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    terminal width 80


    CONFIG FOR LAN2 PIX (truncated)

    access-list lan1_to_lan2_vpn permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
    ip address outside 90.90.90.1 255.255.255.0
    ip address inside 10.1.1.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list lan1_to_lan2_vpn
    nat (inside) 1 10.1.1.0 255.255.255.0 0 0
    route outside 0.0.0.0 0.0.0.0 90.90.90.2 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set secure esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
    crypto map lan_to_lan 10 ipsec-isakmp
    crypto map lan_to_lan 10 match address lan1_to_lan2_vpn
    crypto map lan_to_lan 10 set peer 80.80.80.1
    crypto map lan_to_lan 10 set transform-set secure
    crypto map lan_to_lan interface outside
    isakmp enable outside
    isakmp key asdfghjkl address 80.80.80.1 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    CONFIG FOR LAN3 PIX (truncated)

    hostname lan3pix
    domain-name lan2.co.uk
    access-list lan3_to_lan1_vpn permit ip 10.1.2.0 255.255.255.0 172.16.1.0 255.255.255.0
    ip address outside 100.100.100.1 255.255.255.0
    ip address inside 10.1.2.1 255.255.255.0
    global (outside) 1 interface
    nat (inside) 0 access-list lan3_to_lan1_vpn
    nat (inside) 1 10.1.2.0 255.255.255.0 0 0
    route outside 0.0.0.0 0.0.0.0 100.100.100.2 1
    sysopt connection permit-ipsec
    crypto ipsec transform-set secure esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
    crypto map lan_to_lan 10 ipsec-isakmp
    crypto map lan_to_lan 10 match address lan3_to_lan1_vpn
    crypto map lan_to_lan 10 set peer 80.80.80.1
    crypto map lan_to_lan 10 set transform-set secure
    crypto map lan_to_lan interface outside
    isakmp enable outside
    isakmp key qwertyuiop address 80.80.80.1 netmask 255.255.255.255
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
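Added example, not part of the post above and not Cisco code: a small consistency checker, run over constructed and abbreviated copies of the hub and LAN2 spoke configs from the post, that tests the two things that most often leave a PIX 6.x LAN-to-LAN tunnel up but passing no traffic: the two crypto ACLs must be exact mirror images, and each side's nat (inside) 0 ACL must exempt every tunnel flow from NAT. SPOKE3_BROKEN is a constructed faulty variant (its ACL names a different remote subnet and it has no nat 0 statement) so the checker has something to flag.

```python
import re
from collections import defaultdict

# Constructed, abbreviated copies of the hub and LAN2 spoke configs from the post.
HUB = """
access-list lan1_to_lan2_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list lan1_to_lan3_vpn permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list lan_to_lan_vpn permit ip 172.16.1.0 255.255.255.0 10.1.2.0 255.255.255.0
ip address outside 80.80.80.1 255.255.255.252
nat (inside) 0 access-list lan_to_lan_vpn
crypto map lan_to_lan 10 match address lan1_to_lan2_vpn
crypto map lan_to_lan 10 set peer 90.90.90.1
crypto map lan_to_lan 20 match address lan1_to_lan3_vpn
crypto map lan_to_lan 20 set peer 100.100.100.1
"""
SPOKE2 = """
access-list lan1_to_lan2_vpn permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.0
ip address outside 90.90.90.1 255.255.255.0
nat (inside) 0 access-list lan1_to_lan2_vpn
crypto map lan_to_lan 10 match address lan1_to_lan2_vpn
crypto map lan_to_lan 10 set peer 80.80.80.1
"""
# Constructed faulty spoke: crypto ACL does not mirror the hub's, and nat 0 is missing.
SPOKE3_BROKEN = """
access-list lan3_to_lan1_vpn permit ip 10.1.2.0 255.255.255.0 172.16.2.0 255.255.255.0
ip address outside 100.100.100.1 255.255.255.0
crypto map lan_to_lan 10 match address lan3_to_lan1_vpn
crypto map lan_to_lan 10 set peer 80.80.80.1
"""

def parse(cfg: str) -> dict:
    """Pull out the handful of PIX 6.x statements a LAN-to-LAN tunnel depends on."""
    d = {"acls": defaultdict(set), "maps": defaultdict(dict), "outside": None, "nat0": None}
    for line in cfg.splitlines():
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line):
            d["acls"][m[1]].add(((m[2], m[3]), (m[4], m[5])))   # one (src, dst) flow
        elif m := re.match(r"ip address outside (\S+) ", line):
            d["outside"] = m[1]
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            d["nat0"] = m[1]
        elif m := re.match(r"crypto map (\S+) (\d+) match address (\S+)", line):
            d["maps"][(m[1], m[2])]["acl"] = m[3]
        elif m := re.match(r"crypto map (\S+) (\d+) set peer (\S+)", line):
            d["maps"][(m[1], m[2])]["peer"] = m[3]
    return d

def entry_for_peer(cfg: dict, peer: str):
    """The crypto map entry (if any) whose 'set peer' names the given address."""
    return next((e for e in cfg["maps"].values() if e.get("peer") == peer), None)

def check_spoke(hub: dict, spoke: dict) -> list:
    """Problems for one hub/spoke pair; an empty list means the pair is consistent."""
    hub_e = entry_for_peer(hub, spoke["outside"])
    if hub_e is None:
        return [f"hub has no crypto map entry for peer {spoke['outside']}"]
    spoke_e = entry_for_peer(spoke, hub["outside"])
    if spoke_e is None:
        return [f"spoke {spoke['outside']} has no crypto map entry for peer {hub['outside']}"]
    problems = []
    hub_flows = hub["acls"].get(hub_e.get("acl"), set())
    spoke_flows = spoke["acls"].get(spoke_e.get("acl"), set())
    # Each side's crypto ACL must be the exact mirror (src/dst swapped) of the other's.
    if {(dst, src) for src, dst in hub_flows} != spoke_flows:
        problems.append("crypto ACLs are not mirror images of each other")
    # Tunnel traffic must be exempted from NAT by the nat (inside) 0 ACL on both sides.
    for side, cfg, flows in (("hub", hub, hub_flows), ("spoke", spoke, spoke_flows)):
        if not flows <= cfg["acls"].get(cfg["nat0"], set()):
            problems.append(f"{side}: nat (inside) 0 ACL does not cover all tunnel flows")
    return problems

if __name__ == "__main__":
    hub = parse(HUB)
    print("LAN2:", check_spoke(hub, parse(SPOKE2)) or "OK")
    print("LAN3:", check_spoke(hub, parse(SPOKE3_BROKEN)) or "OK")
```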

    in reply to: Basic Cisco PIX and Catalyst VLAN question #285789

    Re: Basic Cisco PIX and Catalyst VLAN question

    You are correct: a vlan separates frames at layer 2, a router separates packets at layer 3. So, creating a number of L3 nets means you need to route between them.

    You don’t need another router, though.

    What you can do is use your 506 as an ‘intervlan router’.

    So yes, you could divide up your network into separate logical networks (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, for example)

    Then, you could set the physical interface where they all connect to the PIX as a number of logical interfaces, all on separate vlans. The code depends on what FOS you run. Here’s an example:

    http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113411

    The link to the PIX from the switch now becomes a ‘trunked’ interface. From there, you’ll need to:

    -set up a corresponding trunk on the switch
    -configure the appropriate vlans and ports on the switch
    -set up the right access rules for the various networks on the pix.

    Sounds good eh? This way, you get to really put some control between your internal nets. A big limitation is, of course, the throughput of your pix.

    However, this could definitely work for you.

    theterranaut

    in reply to: Subnet masking #285788

    Re: Subnet masking

    Thanks again Ozgur.
    CCNP 1: Advanced Routing Companion Guide sure is a great book, eh?

    theterranaut

    in reply to: IPv4 Addressing #285787

    Re: IPv4 Addressing

    I can thoroughly recommend the book this quote was taken from:

    CCNP 1: Advanced Routing Companion Guide (Cisco Networking Academy Program), 2nd Edition.

    Here’s an extract from the web-
    http://www.ciscopress.com/articles/article.asp?p=330807&seqNum=2&rl=1

    theterranaut

    in reply to: ACL Problems #285786

    Re: ACL Problems

    Your config looks pretty good- did you use SDM to generate this, btw?

    Have you checked things such as:
    -is the next hop live and responding to pings? (208.165.199.93 in your config)
    -have you got correct dns resolution for the internet host you want to access?

    What exactly do you get or fail to get? Web browser ‘times out’?

    theterranaut

    in reply to: Class A IP address with a Class C Mask #285785

    Re: Class A IP address with a Class C Mask

    Hiya,

    Danny, that’s an acl ip/mask combination: ip address 10.0.0.100 0.255.255.255.

    Tons of fun, you are correct in your syntax for this command, so that’s not the problem here. It could be your version of IOS. Can you do two things please:

    -type ‘show version’ at the console and post the output
    -in configure mode, type ‘ip classless’

    It sounds like either the router has an elderly IOS that can only do classful addressing or it has a later IOS that’s set to only do classful.

    Let us know-

    theterranaut
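Added example, not from any of the posts: Python helpers that make the two "Class A IP address with a Class C Mask" replies above concrete. classful_prefix gives the default mask IOS assumes for an address, subnet_status shows why 10.0.0.100 255.255.255.0 lands in the zero subnet of 10.0.0.0/8 (the case the earlier reply says needs ‘ip subnet zero’ on older IOS), and wildcard_to_prefix converts an ACL-style inverse mask such as 0.255.255.255 so the two notations are not confused. The helpers generalise beyond the single address in the thread to any IPv4 address/mask pair.

```python
import ipaddress

def classful_prefix(ip: str) -> int:
    """Classful default prefix length (8/16/24) that IOS assumes for an address
    when no mask is given: class A < 128, class B < 192, class C < 224."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{ip} is class D/E and has no classful host mask")

def subnet_status(ip: str, prefix: int) -> str:
    """Classify ip/prefix relative to its classful network.
    'classful'    the mask is the classful default, no subnetting involved
    'zero-subnet' all subnet bits are 0: the case the post says older IOS
                  rejects unless 'ip subnet-zero' is configured
    'all-ones'    all subnet bits are 1 (the broadcast subnet)
    'ordinary'    any other subnet
    'supernet'    mask shorter than the classful default"""
    default = classful_prefix(ip)
    if prefix == default:
        return "classful"
    if prefix < default:
        return "supernet"
    width = prefix - default                      # number of subnet bits
    addr = int(ipaddress.IPv4Address(ip))
    subnet_bits = (addr >> (32 - prefix)) & ((1 << width) - 1)
    if subnet_bits == 0:
        return "zero-subnet"
    if subnet_bits == (1 << width) - 1:
        return "all-ones"
    return "ordinary"

def wildcard_to_prefix(wildcard: str) -> int:
    """Convert an IOS ACL wildcard (inverse mask, e.g. 0.255.255.255) to a
    prefix length (8). Non-contiguous wildcards are legal in ACLs but have no
    prefix-length equivalent, so they are rejected here."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not contiguous")
    return prefix

if __name__ == "__main__":
    # The thread's address with the 'class C' mask, written as IOS would take it.
    ip, mask = "10.0.0.100", "255.255.255.0"
    prefix = ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    print(f"{ip}/{prefix}: classful default /{classful_prefix(ip)}, "
          f"status {subnet_status(ip, prefix)}")
    print("ACL wildcard 0.255.255.255 ->", wildcard_to_prefix("0.255.255.255"))
```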
