12-04-2020 11:16 AM - edited 12-04-2020 12:06 PM
Hello Guys,
I have a Cisco C897VAW-E-K9 with 357452K/35763K bytes of memory running c800-universalk9-mz.SPA.155-3.M9.bin (I tried several IOS versions for this issue).
In the last days I moved from ADSL2+ to VDSL; I reconfigured the router and the line is working. Today I tried to reapply the policy map on the external interface and found out that some "match protocol" statements previously configured had vanished, and if I try to apply them back I get the error "% NBAR Error: operation failed, not enough available memory".
Originally (when ADSL2+ was running) I was on c800-universalk9-mz.SPA.157-3.M7.bin and all was fine; I had no issue with memory.
Actual memory on the router:
Head Total(b) Used(b) Free(b) Lowest(b) Largest(b)
Processor FA9A69C 149392036 108733236 40658800 37137520 35249944
I/O 15913140 36622016 19204188 17417828 17417828 17417148
Critical 1191EEF8 3368536 52 3368484 3368484 3368484
Critical 169C2840 825772 52 825720 825720 825720
Guys, can you have a look at my conf and see if there is something that I missed (now the policy map is reduced, I cannot add more items), or can you give me some hints?
I cannot understand why the change from ADSL2+ to VDSL caused this issue!?!?!
version 15.5
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname c897
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
!
logging buffered 10000 informational
enable secret XXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://192.168.1.1:80
serial-number
subject-name CN=XXXXXXXX
subject-alt-name XXXXXXXX
revocation-check none
rsakeypair TEST
!
!
crypto pki certificate chain IOS-CA
certificate ca 01
XXXXXXXX
quit
crypto pki certificate chain TEST
certificate 02
XXXXXXXX
quit
certificate ca 01
XXXXXXXX
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip port-map user-trurconf_tcp port tcp 4307
ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
ip port-map user-emule_tcp port tcp 85
ip port-map user-emule_udp port udp 90
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.2 192.168.2.4
ip dhcp excluded-address 192.168.1.11
!
ip dhcp pool MAC
host 192.168.1.5 255.255.255.0
client-identifier 01c8.2a14.3214.57
client-name MAC-EHT
!
ip dhcp pool PS3
host 192.168.1.7 255.255.255.0
client-identifier 0100.1fa7.2737.5d
client-name PS3-WIFI
!
ip dhcp pool Master
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.1
!
ip dhcp pool WIIU
host 192.168.1.8 255.255.255.0
client-identifier 0134.af2c.9d7d.c1
client-name WIIU-WIFI
!
ip dhcp pool capsule
host 192.168.1.3 255.255.255.0
client-identifier 0160.334b.2ef8.8b
client-name capsule
!
ip dhcp pool wlan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.2
!
ip dhcp pool Mobile
host 192.168.1.9 255.255.255.0
client-identifier 0140.9c28.ca22.fe
client-name SabryMobile
!
!
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
HTTP
add http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
cts logging verbose
license udi pid C897VAW-E-K9 sn FCZ190494RL
license boot module c800 level advipservices
!
!
archive
log config
hidekeys
path flash:/archive/
maximum 12
write-memory
memory reserve critical 4096
memory reserve console 4096
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username XXXXXXXX
!
!
!
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
match access-group 114
match access-group 117
match access-group 116
match access-group 119
match access-group 120
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
match access-group 118
match protocol teamviewer
match protocol ssh
match protocol outlook-web-service
class-map match-any voice
match access-group 115
match protocol rtp audio
!
policy-map QoS-Out-child-test
class voice
priority 600
class work
bandwidth percent 30
random-detect
class class-default
bandwidth percent 30
random-detect
fair-queue 1024
queue-limit 128 packets
policy-map QoS-Out-parent-test
class class-default
shape average 30000000
service-policy QoS-Out-child-test
!
!
!
!
crypto ipsec df-bit clear
!
!
bridge irb
!
!
!
!
!
interface Loopback1
description ** IP VPN **
ip address 192.168.69.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
load-interval 60
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description ** VDSL2 **
no ip address
no ip route-cache
tx-ring-limit 4
tx-queue-limit 4
!
interface Ethernet0.835
description ** Tag PPPoE (VDSL 0) **
encapsulation dot1Q 835
ip access-group antispoofing in
no ip route-cache
ip igmp unidirectional-link
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet8
description ** WAN GigabitEthernet **
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description ** VPN - Virual Template **
mtu 1406
ip unnumbered Dialer0
!
interface Wlan-GigabitEthernet8
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,10,11,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description ** NOT USED **
no ip address
shutdown
!
interface Vlan10
description ** VLAN - RETE INTERNA **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description Internal switch interface connecting to the embedded AP
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip ddns update hostname XXXXXXXX
ip ddns update ddns host XXXXXXXX
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
no keepalive
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXXX password 7 XXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 5
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 120
ip nat translation icmp-timeout 15
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never
ip nat translation max-entries 600
ip nat translation arp-ping-timeout 15
no ip nat service nbar
ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
ip access-list extended antispoofing
remark *************************************
remark # Regole antispofing - dialer 0 in
deny ip 0.0.0.0 0.255.255.255 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 192.0.2.0 0.0.0.255 any log
deny ip 192.168.1.0 0.0.0.255 any log
deny ip 239.0.0.0 0.255.255.255 any log
deny ip 224.0.0.0 31.255.255.255 any log
deny ip host 255.255.255.255 any log
permit ip any any
remark *************************************
ip access-list extended router-access-web
remark *************************************
permit tcp any any eq www
permit tcp any any eq 443
remark *************************************
!
logging history size 250
logging source-interface Vlan10
!
access-list 80 remark *************************************
access-list 80 remark # traffico accesso ssh - line vty 0 4 in
access-list 80 permit 192.168.1.0 0.0.0.255 log
access-list 80 permit 192.168.2.0 0.0.0.255 log
access-list 80 permit 192.168.69.0 0.0.0.255 log
access-list 80 deny any log
access-list 80 remark *************************************
access-list 81 remark *************************************
access-list 81 remark # traffico accesso WEB
access-list 81 permit 192.168.1.0 0.0.0.255 log
access-list 81 permit 192.168.2.0 0.0.0.255 log
access-list 81 permit 192.168.69.0 0.0.0.255 log
access-list 81 deny any log
access-list 81 remark *************************************
access-list 100 remark *************************************
access-list 100 remark # traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark *************************************
access-list 111 remark *************************************
access-list 111 remark # Esclusione VMEmule Inspect
access-list 111 deny ip host 192.168.1.11 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any
access-list 111 remark *************************************
access-list 112 remark *************************************
access-list 112 remark # Inclusione VMEmule Inspect
access-list 112 permit tcp host 192.168.1.11 any
access-list 112 permit udp host 192.168.1.11 any
access-list 112 permit icmp host 192.168.1.11 any
access-list 112 remark *************************************
access-list 113 remark *************************************
access-list 113 remark # Inclusione PPTP
access-list 113 permit tcp any eq 1723 any
access-list 113 permit gre any any
access-list 113 remark *************************************
access-list 114 remark *************************************
access-list 114 remark # VPN
access-list 114 permit ip any host 147.124.5.159
access-list 114 permit ip any host 147.123.5.159
access-list 114 permit ip any host 147.123.5.69
access-list 114 permit ip any host 147.123.5.62
access-list 114 remark *************************************
access-list 115 remark *************************************
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 115 remark ***********************************
access-list 116 remark *************************************
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 116 remark ***********************************
access-list 117 remark *************************************
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 117 remark ***********************************
access-list 118 remark *************************************
access-list 118 remark # WHATSAPP + FACETIME
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 118 remark ***********************************
access-list 119 remark *************************************
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
access-list 119 remark ***********************************
access-list 120 remark *************************************
access-list 120 remark # WHAZZUP TO CHECK
access-list 120 permit tcp any any eq 4244
access-list 120 permit tcp any any eq 5228
access-list 120 permit tcp any any eq 5242
access-list 120 permit tcp any any eq 59234
access-list 120 permit tcp any any eq 50318
access-list 120 permit udp any any eq 45395
access-list 120 permit udp any any eq 59234
access-list 120 permit udp any any eq 50318
access-list 120 remark ***********************************
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
alias exec bw show interface | include protocol|BW
alias exec natstat show ip nat statistics
alias exec cpu show proc cpu his
alias exec memory show mem stat
alias exec natstatver show ip nat tra ver
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec dot11radio service-module wlan-ap 0 session
alias exec speed show controller vdSL 0
alias exec qos show policy-map interface ethernet 0.835
!
line con 0
no modem enable
stopbits 1
line aux 0
line 2
access-class 80 in
no activation-character
no exec
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 80 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
no scheduler max-task-time
no scheduler max-sched-time
no scheduler allocate
scheduler interval 500
ntp source Dialer0
ntp server 193.204.114.232
ntp server 193.204.114.233
ntp server 193.204.114.105
ntp server pool.ntp.org prefer
!
!
webvpn gateway XXXXXXXX
ip interface Virtual-Template1 port 443
ssl trustpoint TEST
logging enable
inservice
!
webvpn context XXXXXXXX
title "Private VPN"
color #004080
secondary-color #0062ee
title-color #002f80
!
acl "webvpn-acl"
permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
deny ip any any syslog
login-message "Unauthorized Access Is Prohibited"
virtual-template 1 tunnel
aaa authentication list sslvpn
gateway XXXXXXXX domain XXXXXXXX
logging enable
!
nbns-list "NETBIOS Server"
nbns-server 192.168.1.1
ssl authenticate verify all
inservice
!
policy group XXXXXXXX
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
timeout idle 6000
timeout session 10800
filter tunnel webvpn-acl
svc address-pool "VPN-POOL" netmask 255.255.0.0
svc default-domain XXXXXXXX
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 40
svc keepalive 300
svc rekey method new-tunnel
svc split include 192.168.69.0 255.255.255.0
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.1
nbns-list "NETBIOS Server"
default-group-policy XXXXXXXX
!
end
Thank you for your time
12-04-2020 01:15 PM
Hello,
Enable 'ip cef' and remove all 'log' keywords from the access list statements. Also, remove 'bridge irb'.
Lines in question are marked in bold:
version 15.5
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname c897
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging buffered 10000 informational
enable secret XXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://192.168.1.1:80
serial-number
subject-name CN=XXXXXXXX
subject-alt-name XXXXXXXX
revocation-check none
rsakeypair TEST
!
crypto pki certificate chain IOS-CA
certificate ca 01
XXXXXXXX
quit
crypto pki certificate chain TEST
certificate 02
XXXXXXXX
quit
certificate ca 01
XXXXXXXX
quit
!
ip port-map user-trurconf_tcp port tcp 4307
ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
ip port-map user-emule_tcp port tcp 85
ip port-map user-emule_udp port udp 90
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.2 192.168.2.4
ip dhcp excluded-address 192.168.1.11
!
ip dhcp pool MAC
host 192.168.1.5 255.255.255.0
client-identifier 01c8.2a14.3214.57
client-name MAC-EHT
!
ip dhcp pool PS3
host 192.168.1.7 255.255.255.0
client-identifier 0100.1fa7.2737.5d
client-name PS3-WIFI
!
ip dhcp pool Master
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.1
!
ip dhcp pool WIIU
host 192.168.1.8 255.255.255.0
client-identifier 0134.af2c.9d7d.c1
client-name WIIU-WIFI
!
ip dhcp pool capsule
host 192.168.1.3 255.255.255.0
client-identifier 0160.334b.2ef8.8b
client-name capsule
!
ip dhcp pool wlan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.2
!
ip dhcp pool Mobile
host 192.168.1.9 255.255.255.0
client-identifier 0140.9c28.ca22.fe
client-name SabryMobile
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
HTTP
add http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
--> ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C897VAW-E-K9 sn FCZ190494RL
license boot module c800 level advipservices
!
archive
log config
hidekeys
path flash:/archive/
maximum 12
write-memory
memory reserve critical 4096
memory reserve console 4096
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username XXXXXXXX
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
match access-group 114
match access-group 117
match access-group 116
match access-group 119
match access-group 120
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
match access-group 118
match protocol teamviewer
match protocol ssh
match protocol outlook-web-service
class-map match-any voice
match access-group 115
match protocol rtp audio
!
policy-map QoS-Out-child-test
class voice
priority 600
class work
bandwidth percent 30
random-detect
class class-default
bandwidth percent 30
random-detect
fair-queue 1024
queue-limit 128 packets
policy-map QoS-Out-parent-test
class class-default
shape average 30000000
service-policy QoS-Out-child-test
!
crypto ipsec df-bit clear
!
--> no bridge irb
!
interface Loopback1
description ** IP VPN **
ip address 192.168.69.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
load-interval 60
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description ** VDSL2 **
no ip address
no ip route-cache
tx-ring-limit 4
tx-queue-limit 4
!
interface Ethernet0.835
description ** Tag PPPoE (VDSL 0) **
encapsulation dot1Q 835
ip access-group antispoofing in
no ip route-cache
ip igmp unidirectional-link
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet8
description ** WAN GigabitEthernet **
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description ** VPN - Virual Template **
mtu 1406
ip unnumbered Dialer0
!
interface Wlan-GigabitEthernet8
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,10,11,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description ** NOT USED **
no ip address
shutdown
!
interface Vlan10
description ** VLAN - RETE INTERNA **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description Internal switch interface connecting to the embedded AP
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip ddns update hostname XXXXXXXX
ip ddns update ddns host XXXXXXXX
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
no keepalive
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXXX password 7 XXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 5
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 120
ip nat translation icmp-timeout 15
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never
ip nat translation max-entries 600
ip nat translation arp-ping-timeout 15
no ip nat service nbar
ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
ip access-list extended antispoofing
remark *************************************
remark # Regole antispofing - dialer 0 in
--> deny ip 0.0.0.0 0.255.255.255 any log
--> deny ip 10.0.0.0 0.255.255.255 any log
--> deny ip 127.0.0.0 0.255.255.255 any log
--> deny ip 172.16.0.0 0.15.255.255 any log
--> deny ip 169.254.0.0 0.0.255.255 any log
--> deny ip 192.0.2.0 0.0.0.255 any log
--> deny ip 192.168.1.0 0.0.0.255 any log
--> deny ip 239.0.0.0 0.255.255.255 any log
--> deny ip 224.0.0.0 31.255.255.255 any log
--> deny ip host 255.255.255.255 any log
permit ip any any
remark *************************************
ip access-list extended router-access-web
remark *************************************
permit tcp any any eq www
permit tcp any any eq 443
remark *************************************
!
logging history size 250
logging source-interface Vlan10
!
access-list 80 remark *************************************
access-list 80 remark # traffico accesso ssh - line vty 0 4 in
--> access-list 80 permit 192.168.1.0 0.0.0.255 log
--> access-list 80 permit 192.168.2.0 0.0.0.255 log
--> access-list 80 permit 192.168.69.0 0.0.0.255 log
--> access-list 80 deny any log
access-list 80 remark *************************************
access-list 81 remark *************************************
access-list 81 remark # traffico accesso WEB
--> access-list 81 permit 192.168.1.0 0.0.0.255 log
--> access-list 81 permit 192.168.2.0 0.0.0.255 log
--> access-list 81 permit 192.168.69.0 0.0.0.255 log
--> access-list 81 deny any log
access-list 81 remark *************************************
access-list 100 remark *************************************
access-list 100 remark # traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark *************************************
access-list 111 remark *************************************
access-list 111 remark # Esclusione VMEmule Inspect
access-list 111 deny ip host 192.168.1.11 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any
access-list 111 remark *************************************
access-list 112 remark *************************************
access-list 112 remark # Inclusione VMEmule Inspect
access-list 112 permit tcp host 192.168.1.11 any
access-list 112 permit udp host 192.168.1.11 any
access-list 112 permit icmp host 192.168.1.11 any
access-list 112 remark *************************************
access-list 113 remark *************************************
access-list 113 remark # Inclusione PPTP
access-list 113 permit tcp any eq 1723 any
access-list 113 permit gre any any
access-list 113 remark *************************************
access-list 114 remark *************************************
access-list 114 remark # VPN
access-list 114 permit ip any host 147.124.5.159
access-list 114 permit ip any host 147.123.5.159
access-list 114 permit ip any host 147.123.5.69
access-list 114 permit ip any host 147.123.5.62
access-list 114 remark *************************************
access-list 115 remark *************************************
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 115 remark ***********************************
access-list 116 remark *************************************
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 116 remark ***********************************
access-list 117 remark *************************************
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 117 remark ***********************************
access-list 118 remark *************************************
access-list 118 remark # WHATSAPP + FACETIME
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 118 remark ***********************************
access-list 119 remark *************************************
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
access-list 119 remark ***********************************
access-list 120 remark *************************************
access-list 120 remark # WHAZZUP TO CHECK
access-list 120 permit tcp any any eq 4244
access-list 120 permit tcp any any eq 5228
access-list 120 permit tcp any any eq 5242
access-list 120 permit tcp any any eq 59234
access-list 120 permit tcp any any eq 50318
access-list 120 permit udp any any eq 45395
access-list 120 permit udp any any eq 59234
access-list 120 permit udp any any eq 50318
access-list 120 remark ***********************************
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
alias exec bw show interface | include protocol|BW
alias exec natstat show ip nat statistics
alias exec cpu show proc cpu his
alias exec memory show mem stat
alias exec natstatver show ip nat tra ver
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec dot11radio service-module wlan-ap 0 session
alias exec speed show controller vdSL 0
alias exec qos show policy-map interface ethernet 0.835
!
line con 0
no modem enable
stopbits 1
line aux 0
line 2
access-class 80 in
no activation-character
no exec
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 80 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
no scheduler max-task-time
no scheduler max-sched-time
no scheduler allocate
scheduler interval 500
ntp source Dialer0
ntp server 193.204.114.232
ntp server 193.204.114.233
ntp server 193.204.114.105
ntp server pool.ntp.org prefer
!
!
webvpn gateway XXXXXXXX
ip interface Virtual-Template1 port 443
ssl trustpoint TEST
logging enable
inservice
!
webvpn context XXXXXXXX
title "Private VPN"
color #004080
secondary-color #0062ee
title-color #002f80
!
acl "webvpn-acl"
permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
--> deny ip any any syslog
login-message "Unauthorized Access Is Prohibited"
virtual-template 1 tunnel
aaa authentication list sslvpn
gateway XXXXXXXX domain XXXXXXXX
logging enable
!
nbns-list "NETBIOS Server"
nbns-server 192.168.1.1
ssl authenticate verify all
inservice
!
policy group XXXXXXXX
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
timeout idle 6000
timeout session 10800
filter tunnel webvpn-acl
svc address-pool "VPN-POOL" netmask 255.255.0.0
svc default-domain XXXXXXXX
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 40
svc keepalive 300
svc rekey method new-tunnel
svc split include 192.168.69.0 255.255.255.0
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.1
nbns-list "NETBIOS Server"
default-group-policy XXXXXXXX
!
end
12-04-2020 01:15 PM
Hello,
enable 'ip cef' and remove all 'log' keywords from the access list statements. Also, remove 'bridge irb'.
Lines in question are marked in bold:
version 15.5
service nagle
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
service internal
!
hostname c897
!
boot-start-marker
boot system flash:/c800-universalk9-mz.SPA.155-3.M9.bin
boot-end-marker
!
logging buffered 10000 informational
enable secret XXXXXXXX
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sslvpn local
aaa authorization exec default local
!
aaa session-id common
ethernet lmi ce
clock timezone Rome 1 0
clock summer-time DST recurring last Sun Mar 2:00 last Sun Oct 3:00
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server IOS-CA
database level complete
no database archive
grant auto
!
crypto pki trustpoint IOS-CA
revocation-check crl
rsakeypair IOS-CA
!
crypto pki trustpoint TEST
enrollment url http://192.168.1.1:80
serial-number
subject-name CN=XXXXXXXX
subject-alt-name XXXXXXXX
revocation-check none
rsakeypair TEST
!
crypto pki certificate chain IOS-CA
certificate ca 01
XXXXXXXX
quit
crypto pki certificate chain TEST
certificate 02
XXXXXXXX
quit
certificate ca 01
XXXXXXXX
quit
!
ip port-map user-trurconf_tcp port tcp 4307
ip port-map user-teamviewr_udp port udp 5938
ip port-map user-teamviewr_tcp port tcp 5938
ip port-map user-emule_tcp port tcp 85
ip port-map user-emule_udp port udp 90
!
ip dhcp bootp ignore
ip dhcp excluded-address 192.168.2.2 192.168.2.4
ip dhcp excluded-address 192.168.1.11
!
ip dhcp pool MAC
host 192.168.1.5 255.255.255.0
client-identifier 01c8.2a14.3214.57
client-name MAC-EHT
!
ip dhcp pool PS3
host 192.168.1.7 255.255.255.0
client-identifier 0100.1fa7.2737.5d
client-name PS3-WIFI
!
ip dhcp pool Master
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.1
!
ip dhcp pool WIIU
host 192.168.1.8 255.255.255.0
client-identifier 0134.af2c.9d7d.c1
client-name WIIU-WIFI
!
ip dhcp pool capsule
host 192.168.1.3 255.255.255.0
client-identifier 0160.334b.2ef8.8b
client-name capsule
!
ip dhcp pool wlan
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 192.168.1.2
!
ip dhcp pool Mobile
host 192.168.1.9 255.255.255.0
client-identifier 0140.9c28.ca22.fe
client-name SabryMobile
!
no ip bootp server
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 213.205.32.70
ip name-server 213.205.36.70
ip inspect WAAS flush-timeout 10
ip ddns update method ddns
HTTP
add http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://XXXXXXXX/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
--> ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C897VAW-E-K9 sn FCZ190494RL
license boot module c800 level advipservices
!
archive
log config
hidekeys
path flash:/archive/
maximum 12
write-memory
memory reserve critical 4096
memory reserve console 4096
!
no spanning-tree vlan 1
no spanning-tree vlan 10
no spanning-tree vlan 11
username XXXXXXXX
!
controller VDSL 0
operating mode vdsl2
firmware filename flash:VA_A_39d_B_38h3_24h_1.bin
no cdp run
!
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!
class-map match-any work
match access-group 114
match access-group 117
match access-group 116
match access-group 119
match access-group 120
match application user-teamviewr_tcp
match application user-teamviewr_udp
match application user-trurconf_tcp
match access-group 118
match protocol teamviewer
match protocol ssh
match protocol outlook-web-service
class-map match-any voice
match access-group 115
match protocol rtp audio
!
policy-map QoS-Out-child-test
class voice
priority 600
class work
bandwidth percent 30
random-detect
class class-default
bandwidth percent 30
random-detect
fair-queue 1024
queue-limit 128 packets
policy-map QoS-Out-parent-test
class class-default
shape average 30000000
service-policy QoS-Out-child-test
!
crypto ipsec df-bit clear
!
--> no bridge irb
!
interface Loopback1
description ** IP VPN **
ip address 192.168.69.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
load-interval 60
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description ** VDSL2 **
no ip address
no ip route-cache
tx-ring-limit 4
tx-queue-limit 4
!
interface Ethernet0.835
description ** Tag PPPoE (VDSL 0) **
encapsulation dot1Q 835
ip access-group antispoofing in
no ip route-cache
ip igmp unidirectional-link
pppoe enable group global
pppoe-client dial-pool-number 1
service-policy output QoS-Out-parent-test
!
interface GigabitEthernet0
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet1
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet2
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet3
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet4
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet5
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet6
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet7
description ** RETE INTERNA **
switchport access vlan 10
no ip address
!
interface GigabitEthernet8
description ** WAN GigabitEthernet **
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1
description ** VPN - Virtual Template **
mtu 1406
ip unnumbered Dialer0
!
interface Wlan-GigabitEthernet8
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 11
switchport trunk allowed vlan 1,2,10,11,1002-1005
switchport mode trunk
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description ** NOT USED **
no ip address
shutdown
!
interface Vlan10
description ** VLAN - RETE INTERNA **
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan11
description Internal switch interface connecting to the embedded AP
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
mtu 1492
ip ddns update hostname XXXXXXXX
ip ddns update ddns host XXXXXXXX
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
no cdp enable
no keepalive
ppp authentication chap pap callin
ppp chap hostname XXXXXXXX
ppp chap password 7 XXXXXXXX
ppp pap sent-username XXXXXXXX password 7 XXXXXXXX
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip local pool VPN-POOL 192.168.69.10 192.168.69.30
ip forward-protocol nd
ip http server
ip http access-class 81
ip http authentication local
ip http secure-server
ip http secure-port 1443
ip http timeout-policy idle 180 life 86400 requests 10000
!
no ip ftp passive
ip tftp blocksize 8192
ip dns server
ip nat translation timeout 5
ip nat translation tcp-timeout 120
ip nat translation pptp-timeout 420
ip nat translation udp-timeout 60
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 30
ip nat translation dns-timeout 30
ip nat translation routemap-entry-timeout 120
ip nat translation icmp-timeout 15
ip nat translation port-timeout tcp 85 5
ip nat translation port-timeout udp 90 5
ip nat translation port-timeout tcp 5228 never
ip nat translation max-entries 600
ip nat translation arp-ping-timeout 15
no ip nat service nbar
ip nat inside source static tcp 192.168.1.11 85 interface Dialer0 85
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static udp 192.168.1.11 90 interface Dialer0 90
ip route 0.0.0.0 0.0.0.0 Dialer0
ip ssh version 2
!
ip access-list extended antispoofing
remark *************************************
remark # Regole antispofing - dialer 0 in
--> deny ip 0.0.0.0 0.255.255.255 any log
--> deny ip 10.0.0.0 0.255.255.255 any log
--> deny ip 127.0.0.0 0.255.255.255 any log
--> deny ip 172.16.0.0 0.15.255.255 any log
--> deny ip 169.254.0.0 0.0.255.255 any log
--> deny ip 192.0.2.0 0.0.0.255 any log
--> deny ip 192.168.1.0 0.0.0.255 any log
--> deny ip 239.0.0.0 0.255.255.255 any log
--> deny ip 224.0.0.0 31.255.255.255 any log
--> deny ip host 255.255.255.255 any log
permit ip any any
remark *************************************
ip access-list extended router-access-web
remark *************************************
permit tcp any any eq www
permit tcp any any eq 443
remark *************************************
!
logging history size 250
logging source-interface Vlan10
!
access-list 80 remark *************************************
access-list 80 remark # traffico accesso ssh - line vty 0 4 in
--> access-list 80 permit 192.168.1.0 0.0.0.255 log
--> access-list 80 permit 192.168.2.0 0.0.0.255 log
--> access-list 80 permit 192.168.69.0 0.0.0.255 log
--> access-list 80 deny any log
access-list 80 remark *************************************
access-list 81 remark *************************************
access-list 81 remark # traffico accesso WEB
--> access-list 81 permit 192.168.1.0 0.0.0.255 log
--> access-list 81 permit 192.168.2.0 0.0.0.255 log
--> access-list 81 permit 192.168.69.0 0.0.0.255 log
--> access-list 81 deny any log
access-list 81 remark *************************************
access-list 100 remark *************************************
access-list 100 remark # traffico NAPT - NAT overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 remark *************************************
access-list 111 remark *************************************
access-list 111 remark # Esclusione VMEmule Inspect
access-list 111 deny ip host 192.168.1.11 any
access-list 111 permit tcp any any
access-list 111 permit udp any any
access-list 111 permit icmp any any
access-list 111 remark *************************************
access-list 112 remark *************************************
access-list 112 remark # Inclusione VMEmule Inspect
access-list 112 permit tcp host 192.168.1.11 any
access-list 112 permit udp host 192.168.1.11 any
access-list 112 permit icmp host 192.168.1.11 any
access-list 112 remark *************************************
access-list 113 remark *************************************
access-list 113 remark # Inclusione PPTP
access-list 113 permit tcp any eq 1723 any
access-list 113 permit gre any any
access-list 113 remark *************************************
access-list 114 remark *************************************
access-list 114 remark # VPN
access-list 114 permit ip any host 147.124.5.159
access-list 114 permit ip any host 147.123.5.159
access-list 114 permit ip any host 147.123.5.69
access-list 114 permit ip any host 147.123.5.62
access-list 114 remark *************************************
access-list 115 remark *************************************
access-list 115 remark # TEAMS AUDIO
access-list 115 permit tcp any range 50000 50019 any
access-list 115 permit udp any range 50000 50019 any
access-list 115 remark ***********************************
access-list 116 remark *************************************
access-list 116 remark # TEAMS VIDEO
access-list 116 permit tcp any range 50020 50039 any
access-list 116 permit udp any range 50020 50039 any
access-list 116 remark ***********************************
access-list 117 remark *************************************
access-list 117 remark # TEAMS SCREEN SHARING
access-list 117 permit tcp any range 50040 50059 any
access-list 117 permit udp any range 50040 50059 any
access-list 117 remark ***********************************
access-list 118 remark *************************************
access-list 118 remark # WHATSAPP + FACETIME
access-list 118 permit tcp any any eq 5223
access-list 118 permit udp any any range 3478 3947
access-list 118 permit udp any any range 16384 16387
access-list 118 permit udp any any range 16393 16402
access-list 118 remark ***********************************
access-list 119 remark *************************************
access-list 119 remark # WHAZZUP TEXT
access-list 119 permit tcp any any eq 5222
access-list 119 remark ***********************************
access-list 120 remark *************************************
access-list 120 remark # WHAZZUP TO CHECK
access-list 120 permit tcp any any eq 4244
access-list 120 permit tcp any any eq 5228
access-list 120 permit tcp any any eq 5242
access-list 120 permit tcp any any eq 59234
access-list 120 permit tcp any any eq 50318
access-list 120 permit udp any any eq 45395
access-list 120 permit udp any any eq 59234
access-list 120 permit udp any any eq 50318
access-list 120 remark ***********************************
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
alias exec bw show interface | include protocol|BW
alias exec natstat show ip nat statistics
alias exec cpu show proc cpu his
alias exec memory show mem stat
alias exec natstatver show ip nat tra ver
alias exec process show process cpu
alias exec ip show ip int brief
alias exec ntp show ntp associations
alias exec vdsl sh controller vdsl 0
alias exec dot11radio service-module wlan-ap 0 session
alias exec speed show controller vdSL 0
alias exec qos show policy-map interface ethernet 0.835
!
line con 0
no modem enable
stopbits 1
line aux 0
line 2
access-class 80 in
no activation-character
no exec
transport preferred ssh
transport input all
transport output telnet ssh
stopbits 1
line vty 0 4
access-class 80 in
exec-timeout 30 0
transport preferred ssh
transport input ssh
transport output telnet
!
exception memory ignore overflow processor
exception memory ignore overflow io
exception crashinfo maximum files 3
no scheduler max-task-time
no scheduler max-sched-time
no scheduler allocate
scheduler interval 500
ntp source Dialer0
ntp server 193.204.114.232
ntp server 193.204.114.233
ntp server 193.204.114.105
ntp server pool.ntp.org prefer
!
!
webvpn gateway XXXXXXXX
ip interface Virtual-Template1 port 443
ssl trustpoint TEST
logging enable
inservice
!
webvpn context XXXXXXXX
title "Private VPN"
color #004080
secondary-color #0062ee
title-color #002f80
!
acl "webvpn-acl"
permit ip 192.168.69.1 255.255.255.0 192.168.1.0 255.255.255.0
permit ip 192.168.1.0 255.255.255.0 192.168.69.0 255.255.255.0
--> deny ip any any syslog
login-message "Unauthorized Access Is Prohibited"
virtual-template 1 tunnel
aaa authentication list sslvpn
gateway XXXXXXXX domain XXXXXXXX
logging enable
!
nbns-list "NETBIOS Server"
nbns-server 192.168.1.1
ssl authenticate verify all
inservice
!
policy group XXXXXXXX
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
timeout idle 6000
timeout session 10800
filter tunnel webvpn-acl
svc address-pool "VPN-POOL" netmask 255.255.0.0
svc default-domain XXXXXXXX
svc keep-client-installed
svc dpd-interval client 30
svc dpd-interval gateway 40
svc keepalive 300
svc rekey method new-tunnel
svc split include 192.168.69.0 255.255.255.0
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 192.168.1.1
nbns-list "NETBIOS Server"
default-group-policy XXXXXXXX
!
end
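As an added example that is not part of the thread, the following Python audit checks an IOS running-config text for the three items Georg's reply marks (access-list entries carrying a `log` or `syslog` keyword, `ip cef` not enabled, `bridge irb` present) and produces a remediated copy. The config excerpt embedded below is constructed in the style of the thread's configuration and is not the router's real config.

```python
import re

# Constructed excerpt in the style of the thread's config (not the real router).
# It contains all three findings the reply points at.
SAMPLE_CONFIG = """\
version 15.5
hostname c897
!
no ip cef
no ipv6 cef
!
bridge irb
!
ip access-list extended antispoofing
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
access-list 80 permit 192.168.1.0 0.0.0.255 log
access-list 80 deny any log
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
webvpn context VPN
 acl "webvpn-acl"
   permit ip 192.168.69.0 255.255.255.0 192.168.1.0 255.255.255.0
   deny ip any any syslog
!
end
"""

# A permit/deny ACE (numbered or named ACL, or a webvpn acl) ending in a
# logging keyword. Remark lines never match because they do not start with
# permit/deny.
ACE_WITH_LOG = re.compile(
    r"^\s*(access-list\s+\d+\s+)?(permit|deny)\b.*\s(log-input|log|syslog)$")

def audit_ios_config(text):
    """Return CEF state, whether 'bridge irb' is configured, and every ACE
    that logs, as (line number, stripped line) tuples."""
    cef_enabled, bridge_irb, logged = False, False, []
    for n, raw in enumerate(text.splitlines(), 1):
        s = raw.strip()
        if s == "ip cef":
            cef_enabled = True
        elif s == "no ip cef":
            cef_enabled = False
        elif s == "bridge irb":
            bridge_irb = True
        elif ACE_WITH_LOG.match(raw.rstrip()):
            logged.append((n, s))
    return {"cef_enabled": cef_enabled, "bridge_irb": bridge_irb,
            "logged_aces": logged}

def remediated_config(text):
    """Apply the reply's three changes: drop 'bridge irb', turn 'no ip cef'
    into 'ip cef' (adding it before 'end' if absent), strip log keywords."""
    out, saw_cef = [], False
    for raw in text.splitlines():
        s = raw.strip()
        if s == "bridge irb":
            continue
        if s == "no ip cef":
            raw, saw_cef = raw.replace("no ip cef", "ip cef"), True
        elif s == "ip cef":
            saw_cef = True
        elif ACE_WITH_LOG.match(raw.rstrip()):
            raw = re.sub(r"\s+(log-input|log|syslog)\s*$", "", raw)
        out.append(raw)
    if not saw_cef:
        out.insert(len(out) - 1 if out and out[-1].strip() == "end" else len(out), "ip cef")
    return "\n".join(out) + "\n"
```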
12-04-2020 02:40 PM
Thank you Georg,
To be sure I erased the NVRAM and applied back the config with your suggestions, and YES the router is fully operative.
Thank you very much!
12-04-2020 11:40 PM
Good stuff, glad that it worked.