12-04-2020 11:16 AM - edited 12-04-2020 12:06 PM
Hello Guys,
I have a Cisco C897VAW-E-K9 with 357452K/35763K bytes of memory running c800-universalk9-mz.SPA.155-3.M9.bin (I tried several IOS versions for this issue).
In the last days I moved from ADSL2+ to VDSL. I reconfigured the router and the line is working. Today I tried to reapply the policy map on the external interface and found out that some "match protocol" entries previously configured had vanished, and if I try to apply them back I get the error "% NBAR Error: operation failed, not enough available memory".
Originally (when ADSL2+ was running) I was on c800-universalk9-mz.SPA.157-3.M7.bin and all was fine; I had no issue with memory.
Current memory on the router:
Head        Total(b)    Used(b)     Free(b)     Lowest(b)   Largest(b)
Processor   FA9A69C     149392036   108733236   40658800    37137520    35249944
I/O         15913140    36622016    19204188    17417828    17417828    17417148
Critical    1191EEF8    3368536     52          3368484     3368484     3368484
Critical    169C2840    825772      52          825720      825720      825720
Guys, can you have a look at my conf and see if it is something that I missed (now the policy map is reduced, I cannot add more items), or can you give me some hints?
I cannot understand why the change from ADSL2+ to VDSL caused this issue!?!?!
version 15.5
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname c897
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging buffered 10000 informational
enable secret XXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://192.168.1.1:80
serial-number
subject-name CN=XXXXXXXX
subject-alt-name XXXXXXXX
revocation-check none
rsakeypair TEST
!
crypto pki certificate chain IOS-CA
certificate ca 01
XXXXXXXX
quit
crypto pki certificate chain TEST
certificate 02
XXXXXXXX
quit
certificate ca 01
XXXXXXXX
quit
!
ip port-map user-trurconf_tcp port tcp 4307
ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
ip port-map user-emule_tcp port tcp 85
ip port-map user-emule_udp port udp 90
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.2 192.168.2.4
ip dhcp excluded-address 192.168.1.11
!
ip dhcp pool MAC
host 192.168.1.5 255.255.255.0
client-identifier 01c8.2a14.3214.57
client-name MAC-EHT
!
ip dhcp pool PS3
host 192.168.1.7 255.255.255.0
client-identifier 0100.1fa7.2737.5d
client-name PS3-WIFI
!
ip dhcp pool Master
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.1
!
ip dhcp pool WIIU
host 192.168.1.8 255.255.255.0
client-identifier 0134.af2c.9d7d.c1
client-name WIIU-WIFI
!
ip dhcp pool capsule
host 192.168.1.3 255.255.255.0
client-identifier 0160.334b.2ef8.8b
client-name capsule
!
ip dhcp pool wlan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.2
!
ip dhcp pool Mobile
host 192.168.1.9 255.255.255.0
client-identifier 0140.9c28.ca22.fe
client-name SabryMobile
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
HTTP
add http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C897VAW-E-K9 sn FCZ190494RL
license boot module c800 level advipservices
!
archive
log config
hidekeys
path flash:/archive/
maximum 12
write-memory
memory reserve critical 4096
memory reserve console 4096
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username XXXXXXXX
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
match access-group 114
match access-group 117
match access-group 116
match access-group 119
match access-group 120
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
match access-group 118
match protocol teamviewer
match protocol ssh
match protocol outlook-web-service
class-map match-any voice
match access-group 115
match protocol rtp audio
!
policy-map QoS-Out-child-test
class voice
priority 600
class work
bandwidth percent 30
random-detect
class class-default
bandwidth percent 30
random-detect
fair-queue 1024
queue-limit 128 packets
policy-map QoS-Out-parent-test
class class-default
shape average 30000000
service-policy QoS-Out-child-test
!
crypto ipsec df-bit clear
!
bridge irb
!
interface Loopback1
description ** IP VPN **
ip address 192.168.69.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
load-interval 60
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description ** VDSL2 **
no ip address
no ip route-cache
tx-ring-limit 4
tx-queue-limit 4
!
interface Ethernet0.835
description ** Tag PPPoE (VDSL 0) **
encapsulation dot1Q 835
ip access-group antispoofing in
no ip route-cache
ip igmp unidirectional-link
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet8
description ** WAN GigabitEthernet **
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description ** VPN - Virual Template **
mtu 1406
ip unnumbered Dialer0
!
interface Wlan-GigabitEthernet8
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,10,11,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description ** NOT USED **
no ip address
shutdown
!
interface Vlan10
description ** VLAN - RETE INTERNA **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description Internal switch interface connecting to the embedded AP
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip ddns update hostname XXXXXXXX
ip ddns update ddns host XXXXXXXX
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
no keepalive
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXXX password 7 XXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 5
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 120
ip nat translation icmp-timeout 15
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never
ip nat translation max-entries 600
ip nat translation arp-ping-timeout 15
no ip nat service nbar
ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
ip access-list extended antispoofing
remark *************************************
remark # Regole antispofing - dialer 0 in
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 192.168.1.0 0.0.0.255 any log
deny ip 239.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 255.255.255.255 any log
permit ip any any
remark *************************************
ip access-list extended router-access-web
remark *************************************
permit tcp any any eq www
permit tcp any any eq 443
remark *************************************
!
logging history size 250
logging source-interface Vlan10
!
access-list 80 remark *************************************
access-list 80 remark # traffico accesso ssh - line vty 0 4 in
access-list 80 permit 192.168.1.0 0.0.0.255 log
access-list 80 permit 192.168.2.0 0.0.0.255 log
access-list 80 permit 192.168.69.0 0.0.0.255 log
access-list 80 deny any log
access-list 80 remark *************************************
access-list 81 remark *************************************
access-list 81 remark # traffico accesso WEB
access-list 81 permit 192.168.1.0 0.0.0.255 log
access-list 81 permit 192.168.2.0 0.0.0.255 log
access-list 81 permit 192.168.69.0 0.0.0.255 log
access-list 81 deny any log
access-list 81 remark *************************************
access-list 100 remark *************************************
access-list 100 remark # traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark *************************************
access-list 111 remark *************************************
access-list 111 remark # Esclusione VMEmule Inspect
access-list 111 deny ip host 192.168.1.11 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any
access-list 111 remark *************************************
access-list 112 remark *************************************
access-list 112 remark # Inclusione VMEmule Inspect
access-list 112 permit tcp host 192.168.1.11 any
access-list 112 permit udp host 192.168.1.11 any
access-list 112 permit icmp host 192.168.1.11 any
access-list 112 remark *************************************
access-list 113 remark *************************************
access-list 113 remark # Inclusione PPTP
access-list 113 permit tcp any eq 1723 any
access-list 113 permit gre any any
access-list 113 remark *************************************
access-list 114 remark *************************************
access-list 114 remark # VPN
access-list 114 permit ip any host 147.124.5.159
access-list 114 permit ip any host 147.123.5.159
access-list 114 permit ip any host 147.123.5.69
access-list 114 permit ip any host 147.123.5.62
access-list 114 remark *************************************
access-list 115 remark *************************************
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 115 remark ***********************************
access-list 116 remark *************************************
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 116 remark ***********************************
access-list 117 remark *************************************
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 117 remark ***********************************
access-list 118 remark *************************************
access-list 118 remark # WHATSAPP + FACETIME
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 118 remark ***********************************
access-list 119 remark *************************************
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
access-list 119 remark ***********************************
access-list 120 remark *************************************
access-list 120 remark # WHAZZUP TO CHECK
access-list 120 permit tcp any any eq 4244
access-list 120 permit tcp any any eq 5228
access-list 120 permit tcp any any eq 5242
access-list 120 permit tcp any any eq 59234
access-list 120 permit tcp any any eq 50318
access-list 120 permit udp any any eq 45395
access-list 120 permit udp any any eq 59234
access-list 120 permit udp any any eq 50318
access-list 120 remark ***********************************
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
alias exec bw show interface | include protocol|BW
alias exec natstat show ip nat statistics
alias exec cpu show proc cpu his
alias exec memory show mem stat
alias exec natstatver show ip nat tra ver
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec dot11radio service-module wlan-ap 0 session
alias exec speed show controller vdSL 0
alias exec qos show policy-map interface ethernet 0.835
!
line con 0
no modem enable
stopbits 1
line aux 0
line 2
access-class 80 in
no activation-character
no exec
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 80 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
no scheduler max-task-time
no scheduler max-sched-time
no scheduler allocate
scheduler interval 500
ntp source Dialer0
ntp server 193.204.114.232
ntp server 193.204.114.233
ntp server 193.204.114.105
ntp server pool.ntp.org prefer
!
webvpn gateway XXXXXXXX
ip interface Virtual-Template1 port 443
ssl trustpoint TEST
logging enable
inservice
!
webvpn context XXXXXXXX
title "Private VPN"
color #004080
secondary-color #0062ee
title-color #002f80
!
acl "webvpn-acl"
permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
deny ip any any syslog
login-message "Unauthorized Access Is Prohibited"
virtual-template 1 tunnel
aaa authentication list sslvpn
gateway XXXXXXXX domain XXXXXXXX
logging enable
!
nbns-list "NETBIOS Server"
nbns-server 192.168.1.1
ssl authenticate verify all
inservice
!
policy group XXXXXXXX
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
timeout idle 6000
timeout session 10800
filter tunnel webvpn-acl
svc address-pool "VPN-POOL" netmask 255.255.0.0
svc default-domain XXXXXXXX
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 40
svc keepalive 300
svc rekey method new-tunnel
svc split include 192.168.69.0 255.255.255.0
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.1
nbns-list "NETBIOS Server"
default-group-policy XXXXXXXX
!
end
Thank you for your time
12-04-2020 01:15 PM
Hello,
enable 'ip cef' and remove all 'log' keywords from the access list statements. Also, remove 'bridge irb'.
Lines in question are marked with "-->":
version 15.5
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname c897
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging buffered 10000 informational
enable secret XXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://192.168.1.1:80
serial-number
subject-name CN=XXXXXXXX
subject-alt-name XXXXXXXX
revocation-check none
rsakeypair TEST
!
crypto pki certificate chain IOS-CA
certificate ca 01
XXXXXXXX
quit
crypto pki certificate chain TEST
certificate 02
XXXXXXXX
quit
certificate ca 01
XXXXXXXX
quit
!
ip port-map user-trurconf_tcp port tcp 4307
ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
ip port-map user-emule_tcp port tcp 85
ip port-map user-emule_udp port udp 90
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.2 192.168.2.4
ip dhcp excluded-address 192.168.1.11
!
ip dhcp pool MAC
host 192.168.1.5 255.255.255.0
client-identifier 01c8.2a14.3214.57
client-name MAC-EHT
!
ip dhcp pool PS3
host 192.168.1.7 255.255.255.0
client-identifier 0100.1fa7.2737.5d
client-name PS3-WIFI
!
ip dhcp pool Master
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.1
!
ip dhcp pool WIIU
host 192.168.1.8 255.255.255.0
client-identifier 0134.af2c.9d7d.c1
client-name WIIU-WIFI
!
ip dhcp pool capsule
host 192.168.1.3 255.255.255.0
client-identifier 0160.334b.2ef8.8b
client-name capsule
!
ip dhcp pool wlan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.2
!
ip dhcp pool Mobile
host 192.168.1.9 255.255.255.0
client-identifier 0140.9c28.ca22.fe
client-name SabryMobile
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
HTTP
add http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
--> ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C897VAW-E-K9 sn FCZ190494RL
license boot module c800 level advipservices
!
archive
log config
hidekeys
path flash:/archive/
maximum 12
write-memory
memory reserve critical 4096
memory reserve console 4096
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username XXXXXXXX
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
match access-group 114
match access-group 117
match access-group 116
match access-group 119
match access-group 120
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
match access-group 118
match protocol teamviewer
match protocol ssh
match protocol outlook-web-service
class-map match-any voice
match access-group 115
match protocol rtp audio
!
policy-map QoS-Out-child-test
class voice
priority 600
class work
bandwidth percent 30
random-detect
class class-default
bandwidth percent 30
random-detect
fair-queue 1024
queue-limit 128 packets
policy-map QoS-Out-parent-test
class class-default
shape average 30000000
service-policy QoS-Out-child-test
!
crypto ipsec df-bit clear
!
--> no bridge irb
!
interface Loopback1
description ** IP VPN **
ip address 192.168.69.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
load-interval 60
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description ** VDSL2 **
no ip address
no ip route-cache
tx-ring-limit 4
tx-queue-limit 4
!
interface Ethernet0.835
description ** Tag PPPoE (VDSL 0) **
encapsulation dot1Q 835
ip access-group antispoofing in
no ip route-cache
ip igmp unidirectional-link
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet8
description ** WAN GigabitEthernet **
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description ** VPN - Virual Template **
mtu 1406
ip unnumbered Dialer0
!
interface Wlan-GigabitEthernet8
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,10,11,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description ** NOT USED **
no ip address
shutdown
!
interface Vlan10
description ** VLAN - RETE INTERNA **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description Internal switch interface connecting to the embedded AP
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip ddns update hostname XXXXXXXX
ip ddns update ddns host XXXXXXXX
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
no keepalive
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXXX password 7 XXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 5
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 120
ip nat translation icmp-timeout 15
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never
ip nat translation max-entries 600
ip nat translation arp-ping-timeout 15
no ip nat service nbar
ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
ip access-list extended antispoofing
remark *************************************
remark # Regole antispofing - dialer 0 in
--> deny ip 0.0.0.0 0.255.255.255 any log
--> deny ip 10.0.0.0 0.255.255.255 any log
--> deny ip 127.0.0.0 0.255.255.255 any log
--> deny ip 172.16.0.0 0.15.255.255 any log
--> deny ip 169.254.0.0 0.0.255.255 any log
--> deny ip 192.0.2.0 0.0.0.255 any log
--> deny ip 192.168.1.0 0.0.0.255 any log
--> deny ip 239.0.0.0 0.255.255.255 any log
--> deny ip 224.0.0.0 31.255.255.255 any log
--> deny ip host 255.255.255.255 any log
permit ip any any
remark *************************************
ip access-list extended router-access-web
remark *************************************
permit tcp any any eq www
permit tcp any any eq 443
remark *************************************
!
logging history size 250
logging source-interface Vlan10
!
access-list 80 remark *************************************
access-list 80 remark # traffico accesso ssh - line vty 0 4 in
--> access-list 80 permit 192.168.1.0 0.0.0.255 log
--> access-list 80 permit 192.168.2.0 0.0.0.255 log
--> access-list 80 permit 192.168.69.0 0.0.0.255 log
--> access-list 80 deny any log
access-list 80 remark *************************************
access-list 81 remark *************************************
access-list 81 remark # traffico accesso WEB
--> access-list 81 permit 192.168.1.0 0.0.0.255 log
--> access-list 81 permit 192.168.2.0 0.0.0.255 log
--> access-list 81 permit 192.168.69.0 0.0.0.255 log
--> access-list 81 deny any log
access-list 81 remark *************************************
access-list 100 remark *************************************
access-list 100 remark # traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark *************************************
access-list 111 remark *************************************
access-list 111 remark # Esclusione VMEmule Inspect
access-list 111 deny ip host 192.168.1.11 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any
access-list 111 remark *************************************
access-list 112 remark *************************************
access-list 112 remark # Inclusione VMEmule Inspect
access-list 112 permit tcp host 192.168.1.11 any
access-list 112 permit udp host 192.168.1.11 any
access-list 112 permit icmp host 192.168.1.11 any
access-list 112 remark *************************************
access-list 113 remark *************************************
access-list 113 remark # Inclusione PPTP
access-list 113 permit tcp any eq 1723 any
access-list 113 permit gre any any
access-list 113 remark *************************************
access-list 114 remark *************************************
access-list 114 remark # VPN
access-list 114 permit ip any host 147.124.5.159
access-list 114 permit ip any host 147.123.5.159
access-list 114 permit ip any host 147.123.5.69
access-list 114 permit ip any host 147.123.5.62
access-list 114 remark *************************************
access-list 115 remark *************************************
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 115 remark ***********************************
access-list 116 remark *************************************
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 116 remark ***********************************
access-list 117 remark *************************************
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 117 remark ***********************************
access-list 118 remark *************************************
access-list 118 remark # WHATSAPP + FACETIME
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 118 remark ***********************************
access-list 119 remark *************************************
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
access-list 119 remark ***********************************
access-list 120 remark *************************************
access-list 120 remark # WHAZZUP TO CHECK
access-list 120 permit tcp any any eq 4244
access-list 120 permit tcp any any eq 5228
access-list 120 permit tcp any any eq 5242
access-list 120 permit tcp any any eq 59234
access-list 120 permit tcp any any eq 50318
access-list 120 permit udp any any eq 45395
access-list 120 permit udp any any eq 59234
access-list 120 permit udp any any eq 50318
access-list 120 remark ***********************************
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
alias exec bw show interface | include protocol|BW
alias exec natstat show ip nat statistics
alias exec cpu show proc cpu his
alias exec memory show mem stat
alias exec natstatver show ip nat tra ver
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec dot11radio service-module wlan-ap 0 session
alias exec speed show controller vdSL 0
alias exec qos show policy-map interface ethernet 0.835
!
line con 0
no modem enable
stopbits 1
line aux 0
line 2
access-class 80 in
no activation-character
no exec
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 80 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
no scheduler max-task-time
no scheduler max-sched-time
no scheduler allocate
scheduler interval 500
ntp source Dialer0
ntp server 193.204.114.232
ntp server 193.204.114.233
ntp server 193.204.114.105
ntp server pool.ntp.org prefer
!
!
webvpn gateway XXXXXXXX
ip interface Virtual-Template1 port 443
ssl trustpoint TEST
logging enable
inservice
!
webvpn context XXXXXXXX
title "Private VPN"
color #004080
secondary-color #0062ee
title-color #002f80
!
acl "webvpn-acl"
permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
--> deny ip any any syslog
login-message "Unauthorized Access Is Prohibited"
virtual-template 1 tunnel
aaa authentication list sslvpn
gateway XXXXXXXX domain XXXXXXXX
logging enable
!
nbns-list "NETBIOS Server"
nbns-server 192.168.1.1
ssl authenticate verify all
inservice
!
policy group XXXXXXXX
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
timeout idle 6000
timeout session 10800
filter tunnel webvpn-acl
svc address-pool "VPN-POOL" netmask 255.255.0.0
svc default-domain XXXXXXXX
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 40
svc keepalive 300
svc rekey method new-tunnel
svc split include 192.168.69.0 255.255.255.0
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.1
nbns-list "NETBIOS Server"
default-group-policy XXXXXXXX
!
end
12-04-2020 01:15 PM
Hello,
enable 'ip cef' and remove all 'log' keywords from the access list statements. Also, remove 'bridge irb'.
Lines in question are marked with '-->':
version 15.5
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname c897
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging buffered 10000 informational
enable secret XXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://192.168.1.1:80
serial-number
subject-name CN=XXXXXXXX
subject-alt-name XXXXXXXX
revocation-check none
rsakeypair TEST
!
crypto pki certificate chain IOS-CA
certificate ca 01
XXXXXXXX
quit
crypto pki certificate chain TEST
certificate 02
XXXXXXXX
quit
certificate ca 01
XXXXXXXX
quit
!
ip port-map user-trurconf_tcp port tcp 4307
ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
ip port-map user-emule_tcp port tcp 85
ip port-map user-emule_udp port udp 90
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.2 192.168.2.4
ip dhcp excluded-address 192.168.1.11
!
ip dhcp pool MAC
host 192.168.1.5 255.255.255.0
client-identifier 01c8.2a14.3214.57
client-name MAC-EHT
!
ip dhcp pool PS3
host 192.168.1.7 255.255.255.0
client-identifier 0100.1fa7.2737.5d
client-name PS3-WIFI
!
ip dhcp pool Master
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.1
!
ip dhcp pool WIIU
host 192.168.1.8 255.255.255.0
client-identifier 0134.af2c.9d7d.c1
client-name WIIU-WIFI
!
ip dhcp pool capsule
host 192.168.1.3 255.255.255.0
client-identifier 0160.334b.2ef8.8b
client-name capsule
!
ip dhcp pool wlan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.2
!
ip dhcp pool Mobile
host 192.168.1.9 255.255.255.0
client-identifier 0140.9c28.ca22.fe
client-name SabryMobile
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
HTTP
add http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
--> ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C897VAW-E-K9 sn FCZ190494RL
license boot module c800 level advipservices
!
archive
log config
hidekeys
path flash:/archive/
maximum 12
write-memory
memory reserve critical 4096
memory reserve console 4096
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username XXXXXXXX
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
match access-group 114
match access-group 117
match access-group 116
match access-group 119
match access-group 120
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
match access-group 118
match protocol teamviewer
match protocol ssh
match protocol outlook-web-service
class-map match-any voice
match access-group 115
match protocol rtp audio
!
policy-map QoS-Out-child-test
class voice
priority 600
class work
bandwidth percent 30
random-detect
class class-default
bandwidth percent 30
random-detect
fair-queue 1024
queue-limit 128 packets
policy-map QoS-Out-parent-test
class class-default
shape average 30000000
service-policy QoS-Out-child-test
!
crypto ipsec df-bit clear
!
--> no bridge irb
!
interface Loopback1
description ** IP VPN **
ip address 192.168.69.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
load-interval 60
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description ** VDSL2 **
no ip address
no ip route-cache
tx-ring-limit 4
tx-queue-limit 4
!
interface Ethernet0.835
description ** Tag PPPoE (VDSL 0) **
encapsulation dot1Q 835
ip access-group antispoofing in
no ip route-cache
ip igmp unidirectional-link
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet8
description ** WAN GigabitEthernet **
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description ** VPN - Virual Template **
mtu 1406
ip unnumbered Dialer0
!
interface Wlan-GigabitEthernet8
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,10,11,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description ** NOT USED **
no ip address
shutdown
!
interface Vlan10
description ** VLAN - RETE INTERNA **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description Internal switch interface connecting to the embedded AP
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip ddns update hostname XXXXXXXX
ip ddns update ddns host XXXXXXXX
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
no keepalive
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXXX password 7 XXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 5
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 120
ip nat translation icmp-timeout 15
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never
ip nat translation max-entries 600
ip nat translation arp-ping-timeout 15
no ip nat service nbar
ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
ip access-list extended antispoofing
remark *************************************
remark # Regole antispofing - dialer 0 in
--> deny ip 0.0.0.0 0.255.255.255 any log
--> deny ip 10.0.0.0 0.255.255.255 any log
--> deny ip 127.0.0.0 0.255.255.255 any log
--> deny ip 172.16.0.0 0.15.255.255 any log
--> deny ip 169.254.0.0 0.0.255.255 any log
--> deny ip 192.0.2.0 0.0.0.255 any log
--> deny ip 192.168.1.0 0.0.0.255 any log
--> deny ip 239.0.0.0 0.255.255.255 any log
--> deny ip 224.0.0.0 31.255.255.255 any log
--> deny ip host 255.255.255.255 any log
permit ip any any
remark *************************************
ip access-list extended router-access-web
remark *************************************
permit tcp any any eq www
permit tcp any any eq 443
remark *************************************
!
logging history size 250
logging source-interface Vlan10
!
access-list 80 remark *************************************
access-list 80 remark # traffico accesso ssh - line vty 0 4 in
--> access-list 80 permit 192.168.1.0 0.0.0.255 log
--> access-list 80 permit 192.168.2.0 0.0.0.255 log
--> access-list 80 permit 192.168.69.0 0.0.0.255 log
--> access-list 80 deny any log
access-list 80 remark *************************************
access-list 81 remark *************************************
access-list 81 remark # traffico accesso WEB
--> access-list 81 permit 192.168.1.0 0.0.0.255 log
--> access-list 81 permit 192.168.2.0 0.0.0.255 log
--> access-list 81 permit 192.168.69.0 0.0.0.255 log
--> access-list 81 deny any log
access-list 81 remark *************************************
access-list 100 remark *************************************
access-list 100 remark # traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark *************************************
access-list 111 remark *************************************
access-list 111 remark # Esclusione VMEmule Inspect
access-list 111 deny ip host 192.168.1.11 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any
access-list 111 remark *************************************
access-list 112 remark *************************************
access-list 112 remark # Inclusione VMEmule Inspect
access-list 112 permit tcp host 192.168.1.11 any
access-list 112 permit udp host 192.168.1.11 any
access-list 112 permit icmp host 192.168.1.11 any
access-list 112 remark *************************************
access-list 113 remark *************************************
access-list 113 remark # Inclusione PPTP
access-list 113 permit tcp any eq 1723 any
access-list 113 permit gre any any
access-list 113 remark *************************************
access-list 114 remark *************************************
access-list 114 remark # VPN
access-list 114 permit ip any host 147.124.5.159
access-list 114 permit ip any host 147.123.5.159
access-list 114 permit ip any host 147.123.5.69
access-list 114 permit ip any host 147.123.5.62
access-list 114 remark *************************************
access-list 115 remark *************************************
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 115 remark ***********************************
access-list 116 remark *************************************
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 116 remark ***********************************
access-list 117 remark *************************************
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 117 remark ***********************************
access-list 118 remark *************************************
access-list 118 remark # WHATSAPP + FACETIME
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 118 remark ***********************************
access-list 119 remark *************************************
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
access-list 119 remark ***********************************
access-list 120 remark *************************************
access-list 120 remark # WHAZZUP TO CHECK
access-list 120 permit tcp any any eq 4244
access-list 120 permit tcp any any eq 5228
access-list 120 permit tcp any any eq 5242
access-list 120 permit tcp any any eq 59234
access-list 120 permit tcp any any eq 50318
access-list 120 permit udp any any eq 45395
access-list 120 permit udp any any eq 59234
access-list 120 permit udp any any eq 50318
access-list 120 remark ***********************************
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
alias exec bw show interface | include protocol|BW
alias exec natstat show ip nat statistics
alias exec cpu show proc cpu his
alias exec memory show mem stat
alias exec natstatver show ip nat tra ver
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec dot11radio service-module wlan-ap 0 session
alias exec speed show controller vdSL 0
alias exec qos show policy-map interface ethernet 0.835
!
line con 0
no modem enable
stopbits 1
line aux 0
line 2
access-class 80 in
no activation-character
no exec
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 80 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
no scheduler max-task-time
no scheduler max-sched-time
no scheduler allocate
scheduler interval 500
ntp source Dialer0
ntp server 193.204.114.232
ntp server 193.204.114.233
ntp server 193.204.114.105
ntp server pool.ntp.org prefer
!
!
webvpn gateway XXXXXXXX
ip interface Virtual-Template1 port 443
ssl trustpoint TEST
logging enable
inservice
!
webvpn context XXXXXXXX
title "Private VPN"
color #004080
secondary-color #0062ee
title-color #002f80
!
acl "webvpn-acl"
permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
--> deny ip any any syslog
login-message "Unauthorized Access Is Prohibited"
virtual-template 1 tunnel
aaa authentication list sslvpn
gateway XXXXXXXX domain XXXXXXXX
logging enable
!
nbns-list "NETBIOS Server"
nbns-server 192.168.1.1
ssl authenticate verify all
inservice
!
policy group XXXXXXXX
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
timeout idle 6000
timeout session 10800
filter tunnel webvpn-acl
svc address-pool "VPN-POOL" netmask 255.255.0.0
svc default-domain XXXXXXXX
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 40
svc keepalive 300
svc rekey method new-tunnel
svc split include 192.168.69.0 255.255.255.0
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.1
nbns-list "NETBIOS Server"
default-group-policy XXXXXXXX
!
end
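As an added illustration of the three changes in Georg's reply (this is not part of the thread and not Cisco tooling), a small Python audit that flags the same items in an IOS running-config and rewrites them: CEF must be enabled for NBAR to work, and a 'log' (or, in a webvpn acl, 'syslog') keyword on an ACE sends matching packets to the process-switched path so the router can generate the syslog message. The sample config, the function names and the regex are constructed for this example.

```python
"""Audit an IOS config for the items changed in the thread: CEF disabled,
'log'/'log-input'/'syslog' keywords on ACEs, and 'bridge irb'.
Hypothetical helper written for this example, not Cisco software."""
import re

# Constructed excerpt mirroring the thread's config (addresses are the OP's own).
SAMPLE_CONFIG = """\
no ip cef
no ipv6 cef
!
bridge irb
!
ip access-list extended antispoofing
 remark # Regole antispofing - dialer 0 in
 deny ip 10.0.0.0 0.255.255.255 any log
 permit ip any any
!
access-list 80 permit 192.168.1.0 0.0.0.255 log
access-list 80 deny any log
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
webvpn context VPN
 acl "webvpn-acl"
  permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
  deny ip any any syslog
"""

# An ACE (numbered "access-list N permit/deny ..." or a named-ACL / webvpn-acl
# "permit/deny ..." line) whose last keyword asks the router to log the match.
ACE_LOG_RE = re.compile(
    r"^(?:access-list\s+\S+\s+)?(?:permit|deny)\b.*\s(?:log|log-input|syslog)$")
TRAILING_LOG_RE = re.compile(r"\s+(?:log|log-input|syslog)$")


def audit_ios_config(text):
    """Return findings: cef_disabled, bridge_irb, and the list of logged ACEs."""
    findings = {"cef_disabled": False, "bridge_irb": False, "logged_aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "no ip cef":          # NBAR needs CEF switching
            findings["cef_disabled"] = True
        elif line == "bridge irb":       # unused IRB still costs memory
            findings["bridge_irb"] = True
        elif ACE_LOG_RE.match(line):     # logged ACE: process-switched matches
            findings["logged_aces"].append(line)
    return findings


def remediate(text):
    """Apply the reply's changes and return the rewritten config text.
    Indentation of sub-mode lines is preserved; everything else is untouched."""
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        indent = raw[:len(raw) - len(raw.lstrip())]
        if stripped == "no ip cef":
            out.append(indent + "ip cef")
        elif stripped == "bridge irb":
            out.append(indent + "no bridge irb")
        elif ACE_LOG_RE.match(stripped):
            out.append(indent + TRAILING_LOG_RE.sub("", stripped))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"
```

Run the audit on the remediated text to confirm nothing remains flagged before pasting the result back into the router.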
12-04-2020 02:40 PM
Thank you Georg,
To be sure I erased the NVRAM and applied back the config with your suggestions, and YES the router is fully operative.
Thank you very much!
12-04-2020 11:40 PM
Good stuff, glad that it worked.