Hi team, I'm quite confused when using NAT. This might seem a cheeky question, but I just want to confirm that I'm getting the functionality of NAT correct. I have the following topology, where PCs on the LAN (on the left) want to reach the WWW server (in this example), so basically it is a communication where on R1 I have to create a dynamic NAT to translate the private hosts and a static NAT on R2 to translate the WWW server. Since I cannot advertise the public IPs on the routing protocol, is it required or valid to use static routes? What confused me is that each LAN has to reach the other, but using public IPs.
Thank you so much Richard, I'm truly glad you had the time to assist me. I gave it a shot on PT after making the changes and it did not work; however, I remade it on EVE-NG, and this time it worked very well. I did the test and both subnets can reach each other after using the proper static routes through the tunnel. For sure, PT is still not stable and has so many limitations, but anyhow, I want to thank you for all your support and the other feedback I got.

R3#ping 10.0.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
R3#ping 172.16.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds:
!!!!!

I tested shutting down one of the uplinks of R3 and the packets always arrive, achieving the objective:

R3(config)#int e0/0
R3(config-if)#shut
R3(config-if)#end
*Jan 13 00:02:49.219: %OSPF-5-ADJCHG: Process 1, Nbr 22.214.171.124 on Ethernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3(config-if)#end
R3#traceroute 10.0.4.1
*Jan 13 00:02:51.195: %SYS-5-CONFIG_I: Configured from console by console
*Jan 13 00:02:51.214: %LINK-5-CHANGED: Interface Ethernet0/0, changed state to administratively down
*Jan 13 00:02:52.219: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
R3#ping 10.0.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.4.1, timeout is 2 seconds:
!!!!!
Thanks for your feedback. I'm still trying to set it up in Packet Tracer; I'm just giving it my last shot before trying GNS3 or another platform. I did what was recommended: the tunnel comes up via the loopbacks, I made the static routes and each LAN is known, but as soon as I shut down Serial0/0/0 on R3 I get this output, as if it does not know how to reach it, despite the fact that the loopback is reachable via OSPF, when trying to ping the LAN of R3 from R4:

R4#ping 10.0.4.129
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.4.129, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)

==========================================
This is the config of R3 so far:

interface Loopback0
 ip address 126.96.36.199 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 172.16.0.4 255.255.255.0
 mtu 1476
 tunnel source Loopback0
 tunnel destination 188.8.131.52
!
!
interface GigabitEthernet0/0
 ip address 10.0.4.1 255.255.255.128
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 184.108.40.206 255.255.255.252
 clock rate 2000000
!
interface Serial0/0/1
 ip address 220.127.116.11 255.255.255.252
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 18.104.22.168 0.0.0.3 area 0
 network 22.214.171.124 0.0.0.3 area 0
!
ip classless
ip route 10.0.4.128 255.255.255.224 126.96.36.199
!

================================BELOW CONFIG OF R3==================================

interface Loopback0
 ip address 188.8.131.52 255.255.255.255
 ip ospf 1 area 0
!
interface Tunnel0
 ip address 172.16.0.3 255.255.255.0
 mtu 1476
 tunnel source Loopback0
 tunnel destination 184.108.40.206
!
!
interface GigabitEthernet0/0
 ip address 10.0.4.129 255.255.255.224
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 220.127.116.11 255.255.255.252
 clock rate 2000000
 shutdown
!
interface Serial0/0/1
 ip address 18.104.22.168 255.255.255.252
 clock rate 2000000
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 22.214.171.124 0.0.0.3 area 0
 network 126.96.36.199 0.0.0.3 area 0
!
ip classless
ip route 10.0.4.0 255.255.255.128 188.8.131.52

============PERSPECTIVE FROM R3 WHEN SERIAL 0/0/0 IS ACTIVE=============

R3#show ip route 10.0.4.0
Routing entry for 10.0.4.0/25
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 184.108.40.206
      Route metric is 0, traffic share count is 1
R3#show ip route 220.127.116.11
Routing entry for 18.104.22.168/32
  Known via "ospf 1", distance 110, metric 65, type intra area
  Last update from 22.214.171.124 on Serial0/0/0, 00:00:20 ago
  Routing Descriptor Blocks:
  * 126.96.36.199, from 188.8.131.52, 00:00:20 ago, via Serial0/0/0
      Route metric is 65, traffic share count is 1
R3#
R3#show ip int brief
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.0.4.129      YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  administratively down down
Serial0/0/0            184.108.40.206  YES manual up                    up
Serial0/0/1            220.127.116.11  YES manual up                    up
Loopback0              18.104.22.168   YES manual up                    up
Tunnel0                172.16.0.3      YES manual up                    up

===================PERSPECTIVE WHEN SERIAL IS SHUTDOWN FROM R3==========================

R3#show ip route 22.214.171.124
Routing entry for 126.96.36.199/32
  Known via "ospf 1", distance 110, metric 193, type intra area
  Last update from 188.8.131.52 on Serial0/0/1, 00:00:06 ago
  Routing Descriptor Blocks:
  * 184.108.40.206, from 220.127.116.11, 00:00:06 ago, via Serial0/0/1
      Route metric is 193, traffic share count is 1
R3#show ip route 10.0.4.0
Routing entry for 10.0.4.0/25
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 18.104.22.168
      Route metric is 0, traffic share count is 1
R3#

But still I cannot reach the other end's LAN:

R3#ping 10.0.4.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.4.1, timeout is 2 seconds:
U.U

Any ideas on what I might be missing as far as the config is concerned? Thanks so much.
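Editor's note, added to this thread and not part of any post in it: the "U" replies above are ICMP unreachables from the hop that received the packet. The model below shows the two ways a static route for a tunnelled LAN can be written and what each does. With the next hop set to the remote loopback (the tunnel destination), the router resolves that next hop through OSPF and forwards the packet with its original header toward the underlay neighbor; that neighbor has no route for the LAN (requirement 3) and returns unreachable. With the next hop set to the remote tunnel address, the packet is GRE-encapsulated with the loopbacks as outer addresses, which the underlay can route over whichever uplink OSPF currently prefers, so shutting one serial link does not matter. The four-router topology, the 10.255.0.x loopbacks, the 192.0.2.x link addresses and the interface names are constructed for this example; only the LAN and tunnel subnets follow the thread.

```python
"""Forwarding model: longest-prefix match, recursive next-hop resolution, GRE encap/decap.

Added example, not from the thread. Topology and addresses are constructed:
R3 LAN 10.0.4.128/27, R4 LAN 10.0.4.0/25, loopbacks 10.255.0.3/.4, tunnel 172.16.0.0/24,
underlay routers R1 and R2 that know only links and loopbacks.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TUNNEL_IFACE = "Tunnel0"

# Constructed: which router owns each address (stands in for ARP / adjacency).
OWNER = {
    "10.255.0.3": "R3", "192.0.2.2": "R3", "192.0.2.10": "R3", "10.0.4.129": "R3", "172.16.0.3": "R3",
    "10.255.0.4": "R4", "192.0.2.6": "R4", "192.0.2.14": "R4", "10.0.4.1": "R4", "172.16.0.4": "R4",
    "192.0.2.1": "R1", "192.0.2.5": "R1",
    "192.0.2.9": "R2", "192.0.2.13": "R2",
}

@dataclass
class Router:
    name: str
    routes: dict                 # "prefix" -> (next_hop or None if connected, interface or None)
    tunnel_remote: str = None    # GRE tunnel destination (remote loopback) for Tunnel0

def lpm(router, dst):
    """Longest-prefix match; returns (next_hop, iface) or None."""
    best = None
    for prefix, entry in router.routes.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return best[1] if best else None

def resolve(router, dst):
    """Recursive lookup: follow next hops until a connected interface is reached.
    Returns (adjacent_next_hop, egress_iface) or None if some step has no route."""
    target = dst
    for _ in range(8):
        entry = lpm(router, target)
        if entry is None:
            return None
        hop, iface = entry
        if hop is None:              # connected route: target is reachable on iface
            return target, iface
        target = hop                 # route via another address: look that one up
    raise RuntimeError("next-hop recursion too deep")

def forward(net, start, dst, max_hops=10):
    """Walk a packet through the routers; returns (path, outcome)."""
    pkt = {"dst": dst, "inner": None}
    here, path = start, [start]
    for _ in range(max_hops):
        r = net[here]
        res = resolve(r, pkt["dst"])
        if res is None:
            return path, f"unreachable at {here}: no route to {pkt['dst']}"
        nh, iface = res
        if iface == TUNNEL_IFACE:    # GRE: wrap the packet, outer destination = remote loopback
            pkt = {"dst": r.tunnel_remote, "inner": pkt}
            continue
        owner = OWNER.get(nh)
        if owner == here:            # destination is one of this router's own addresses
            if pkt["inner"] is None:
                return path, "delivered"
            pkt = pkt["inner"]       # tunnel endpoint: decapsulate, then route the inner packet
            continue
        if owner is None:
            return path, f"unreachable at {here}: no adjacency for {nh}"
        here = owner
        path.append(here)
    return path, "loop: hop limit exceeded"

def build(r3_uplink="R1", static_via_loopback=False):
    """r3_uplink: the underlay neighbor OSPF currently prefers from R3 (R2 once the R1 link is shut).
    static_via_loopback: point the LAN static route at the remote loopback instead of the
    remote tunnel address."""
    r3_ospf = ("192.0.2.1", "Serial0/0/0") if r3_uplink == "R1" else ("192.0.2.9", "Serial0/0/1")
    r3_static = "10.255.0.4" if static_via_loopback else "172.16.0.4"
    r4_static = "10.255.0.3" if static_via_loopback else "172.16.0.3"
    return {
        "R3": Router("R3", {
            "10.255.0.3/32": (None, "Loopback0"), "10.0.4.128/27": (None, "GigabitEthernet0/0"),
            "172.16.0.0/24": (None, TUNNEL_IFACE),
            "192.0.2.0/30": (None, "Serial0/0/0"), "192.0.2.8/30": (None, "Serial0/0/1"),
            "10.255.0.4/32": r3_ospf,                  # remote loopback, learned via OSPF
            "10.0.4.0/25": (r3_static, None),           # ip route 10.0.4.0 255.255.255.128 <nh>
        }, tunnel_remote="10.255.0.4"),
        "R4": Router("R4", {
            "10.255.0.4/32": (None, "Loopback0"), "10.0.4.0/25": (None, "GigabitEthernet0/0"),
            "172.16.0.0/24": (None, TUNNEL_IFACE),
            "192.0.2.4/30": (None, "Serial0/0/0"), "192.0.2.12/30": (None, "Serial0/0/1"),
            "10.255.0.3/32": ("192.0.2.5", "Serial0/0/0"),
            "10.0.4.128/27": (r4_static, None),
        }, tunnel_remote="10.255.0.3"),
        # Underlay routers carry only links and loopbacks (the thread's requirement 3).
        "R1": Router("R1", {"192.0.2.0/30": (None, "S0"), "192.0.2.4/30": (None, "S1"),
                            "10.255.0.3/32": ("192.0.2.2", "S0"), "10.255.0.4/32": ("192.0.2.6", "S1")}),
        "R2": Router("R2", {"192.0.2.8/30": (None, "S0"), "192.0.2.12/30": (None, "S1"),
                            "10.255.0.3/32": ("192.0.2.10", "S0"), "10.255.0.4/32": ("192.0.2.14", "S1")}),
    }
```

Calling forward(build("R1", static_via_loopback=True), "R3", "10.0.4.1") stops at R1 with no route, while forward(build("R2"), "R3", "10.0.4.1") is delivered over R2 after the R1 link is gone, because the outer header carries the loopbacks that OSPF still advertises.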
I see, interesting, let me give it a shot using loopbacks. I did not see the fact that if I shut down Serial0/0/0 no failover will occur, but the requirement confused me when it said to use only static routes for the GRE LAN :/ Super thanks for your feedback.
Hi team, I'm having a hard time making this topology work. The requirement is the following:

1- Use OSPF for the entire topology.
2- Make static routes for the GRE tunnel for LAN31 and LAN41 only.
3- LAN31 and LAN41 should NOT appear in the R1 and R2 routing tables.
4- The GRE tunnel should be active for LAN31 and LAN41 regardless of which of the two interfaces is active on R3 and R4; for instance, if I shut down Serial0/0/0 on R3, the tunnel should be active.

Can someone help me with the Packet Tracer file? I have tried using static routes and each of the tunnels is up, but they can't reach each other. I'm not sure if I'm doing something wrong; any feedback is welcome, since most of the topologies I have seen just involved 3 routers, but in this case, based on the requirement, I have 4 routers. I have attached the files of R3 and R4 and the topology. I will highly appreciate your assistance. Regards,
Hi, I'm trying to set up a site-to-site VPN from a source subnet /24 to be translated (PAT) using a single public IP, so the local subnet can reach the destination subnet. Site B is not using PAT; instead, they are using static NAT. The tunnel is up when I generate traffic from the source LAN, but I cannot ping the other site. Could you please help me identify what the culprit could be, since surely I'm missing something in my access list or NAT statement on the other end? I'm going to put the config of the objects and access lists, because the tunnel is up, so it's irrelevant I think.

SITE A config from ASA:

object-group network PRIVATE-NETWORK
 description Local Networks
 network-object 192.168.10.0 255.255.255.0
 exit
!
object network VPN-PAT
 host 203.0.113.30
 exit
!
object-group network DESTINATION-NETWORK
 description Destination NETWORKS
 network-object 192.168.20.0 255.255.255.0
 exit
!
-=======
nat (INSIDE,OUTSIDE) source dynamic PRIVATE-NETWORK VPN-PAT destination static DESTINATION-NETWORK DESTINATION-NETWORK

CRYPTO ACL ON ASA1:
access-list crypto-acl-lan1 extended permit ip object VPN-PAT object-group DESTINATION-NETWORK

ACCESS-LIST ON ASA1:
access-list INSIDE_access_in_1 line 1 extended permit ip object-group PRIVATE-NETWORK object-group DESTINATION-NETWORK

============================================
SITE B:

object-group network LOCAL-DATA
 description DATA Networks
 network-object 192.168.20.0 255.255.255.0
 exit
!
object network REMOTE-PUBLIC-PAT-IP
 host 203.0.113.30
 exit
!
object-group network DESTINATION_NETWORK
 description Destination NETWORKS
 network-object 192.168.10.0 255.255.255.0
 exit
!
-=======
nat (INSIDE,OUTSIDE) source static LOCAL-DATA LOCAL-DATA destination static DESTINATION_NETWORK REMOTE-PUBLIC-PAT-IP

CRYPTO ACL ON SITE B:
access-list crypto-acl-lan extended permit ip object-group LOCAL-DATA object REMOTE-PUBLIC-PAT-IP

ACCESS-LIST ON SITE B:
access-list INSIDE_access_in_1 line 1 extended permit ip object-group LOCAL-DATA object-group DESTINATION_NETWORK

===============================================================
THE TUNNEL IS UP, AS YOU CAN SEE on site A; the same is true on site B:

ASA1# show crypto isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs

ASA1# show crypto ipsec sa (on site A as well as site B)
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

SITE B:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3

DEBUG ICMP ON ASA1:
ICMP echo request translating INSIDE:192.168.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=6 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=7 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30
ICMP echo request from INSIDE:192.168.10.20 to OUTSIDE:10.238.45.160 ID=1 seq=8 len=32
ICMP echo request translating INSIDE:192.168.10.20 to OUTSIDE:203.0.113.30

PACKET-TRACER INPUT ON ASA1, SITE A:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

PACKET-TRACER INPUT ON SITE B:
Result:
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
ASA2#

Could you please help me understand what is happening and whether I'm missing something on the access list or NAT on site B? What would be the correct statement command? Regards,
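Editor's note, added to this thread and not part of the post above or of Cisco's tooling: when a site-to-site tunnel comes up but only one side encrypts, the first things worth checking mechanically are that the packet, as it looks after the local NAT rule, matches the local crypto ACL, and that the two crypto ACLs are exact mirrors of each other (IPsec phase 2 negotiates proxy identities, and each peer's must be the reverse of the other's). The script below does both for the objects and ACL lines as posted. It assumes a host object is a /32 and a one-member object-group is that member, and it only models the translation kinds present in Site A's rule (dynamic PAT to one address, identity source, identity destination); Site B's destination translation is deliberately left unmodelled. The sample inside host and destination host are constructed.

```python
"""Consistency checks for an ASA site-to-site VPN with manual (twice) NAT.

Added example, not from the thread. It applies the ASA object order for manual NAT
("source <mode> REAL MAPPED destination static MAPPED REAL"), translates a constructed
packet with Site A's rule, tests it against Site A's crypto ACL, and checks that the
two sites' crypto ACLs mirror each other.
"""
from ipaddress import ip_address, ip_network

# Objects as posted, flattened to prefixes (assumption: host object = /32,
# one-member object-group = that member).
OBJECTS = {
    "PRIVATE-NETWORK": "192.168.10.0/24",
    "VPN-PAT": "203.0.113.30/32",
    "DESTINATION-NETWORK": "192.168.20.0/24",
    "LOCAL-DATA": "192.168.20.0/24",
    "REMOTE-PUBLIC-PAT-IP": "203.0.113.30/32",
    "DESTINATION_NETWORK": "192.168.10.0/24",
}

def obj_net(name):
    return ip_network(OBJECTS[name])

def parse_manual_nat(line):
    """Split a manual NAT line into its real/mapped objects.
    Source clause lists the real object first; destination clause lists the mapped object first."""
    tok = line.split()
    i, j = tok.index("source"), tok.index("destination")
    return {"src_mode": tok[i + 1], "src_real": tok[i + 2], "src_mapped": tok[i + 3],
            "dst_mapped": tok[j + 2], "dst_real": tok[j + 3]}

def translate_outbound(rule, src, dst):
    """Packet entering on the real (inside) interface -> (translated_src, translated_dst).
    Returns None when the rule does not match the packet."""
    src, dst = ip_address(src), ip_address(dst)
    if src not in obj_net(rule["src_real"]) or dst not in obj_net(rule["dst_mapped"]):
        return None
    if rule["src_mode"] == "dynamic":
        new_src = obj_net(rule["src_mapped"]).network_address   # PAT: every source shares one address
    elif rule["src_real"] == rule["src_mapped"]:
        new_src = src                                           # identity NAT
    else:
        raise NotImplementedError("one-to-one static source NAT is not modelled here")
    if rule["dst_mapped"] == rule["dst_real"]:
        new_dst = dst                                           # identity destination
    else:
        raise NotImplementedError("destination translation is not modelled here")
    return str(new_src), str(new_dst)

def parse_crypto_acl(line):
    """'access-list NAME extended permit ip object|object-group SRC object|object-group DST'
    -> (src_network, dst_network)."""
    tok = line.split()
    k = tok.index("permit")
    assert tok[k + 1] == "ip", "only 'permit ip' entries are handled"
    return obj_net(tok[k + 3]), obj_net(tok[k + 5])

def acl_matches(entries, src, dst):
    return any(ip_address(src) in s and ip_address(dst) in d for s, d in entries)

def acls_mirror(local, remote):
    """Every local (src, dst) must exist remotely as (dst, src), and vice versa."""
    return all((d, s) in remote for s, d in local) and all((d, s) in local for s, d in remote)

# Lines exactly as posted in the thread.
SITE_A_NAT = ("nat (INSIDE,OUTSIDE) source dynamic PRIVATE-NETWORK VPN-PAT "
              "destination static DESTINATION-NETWORK DESTINATION-NETWORK")
SITE_A_ACL = [parse_crypto_acl(
    "access-list crypto-acl-lan1 extended permit ip object VPN-PAT object-group DESTINATION-NETWORK")]
SITE_B_ACL = [parse_crypto_acl(
    "access-list crypto-acl-lan extended permit ip object-group LOCAL-DATA object REMOTE-PUBLIC-PAT-IP")]

def check_site_a(src="192.168.10.20", dst="192.168.20.5"):
    """Translate a constructed inside host's packet and test it against Site A's crypto ACL.
    Returns (translated_packet_or_None, matches_crypto_acl)."""
    translated = translate_outbound(parse_manual_nat(SITE_A_NAT), src, dst)
    return translated, translated is not None and acl_matches(SITE_A_ACL, *translated)
```

For the posted configuration check_site_a() yields ("203.0.113.30", "192.168.20.5") and True, acls_mirror(SITE_A_ACL, SITE_B_ACL) is True, and the reply 192.168.20.5 -> 203.0.113.30 matches Site B's crypto ACL, so the proxy identities are consistent with the encaps-on-A / decaps-on-B counters. The same function returns None for a destination outside DESTINATION-NETWORK such as the 10.238.45.160 seen in the debug output, because Site A's rule does not match it.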
Hi, I'm probably exaggerating, but I just want to confirm.
We have two 6500 boxes (one SUP each), not in VSS, just independent boxes, with firewall service modules in each box.
We have only upgraded the secondary box and we verified that ASA failover is in place; however, we did not upgrade the primary box due to the lack of time in the window. We will proceed in another rescheduled window.
However, what will happen in case of a failure, either at the hardware level or at the FWSM? Will automatic failover work, given that they have different IOS versions?
They don't share control-plane info such as vPCs in Nexus, and we are not running any VSS, but I just want to confirm: if the primary box fails (with the old IOS version for now), will the secondary box with the newer IOS version take over normally with no problem, assuming all config is the same?
Or is there any consideration I should take into account?
Hi Wireless experts,
I have a question on my WLC 8510. I have seen somewhere in the connection summary a link/option that opens a new window that says "connection score".
I was wondering if anyone can explain, in simple and plain English, what it means if it's in red vs. green.
Obviously, if it's red, it means something wrong is happening, but I want to know whether it's related to the AP itself not being able to handle the client connection, interference, etc.,
or whether it's related to the end client not being compatible with the radio, performance, etc.
We have been having reports of a particular user experiencing random disconnections, and I'm trying to troubleshoot this scenario to find the root cause and check all possible scenarios,
and I have not been able to find any documentation that explains it in detail, other than the fancy words embedded in the pop-up window, which I don't understand (meaning I have to read a lot of Wi-Fi tech for sure).
Under this pop-up there are some blue square dots that say something, but what's with that? I know Cisco is trying to do their best with the GUI, but maybe I'm so silly and the only one who doesn't understand, because it's far beyond my experience in this area, which I admit and accept. If anyone can assist me by explaining in clear text what the purpose of this is, I would really appreciate it.
First, I apologize if this topic has already been answered; I have been doing research and could not find the right way, at least on the Cisco website or in any valid source documentation or tutorial.
ISE: 2.0.306 in the environment.
AD for groups and users.
Is there any official document with the steps, or at least some guidance, on how to set up the following?
External users using the AnyConnect client should be able to log in and authenticate with their credentials from the AD domain.
The ISE is already connected to AD and I have also added the groups.
Are there any extra steps on the ISE that have to be completed, or is it just a regular Cisco AnyConnect VPN config on the ASA?