Community,     I have a NAT situation that I am hoping you can help me resolve. We have an internal File Transfer system with IP 10.110.80.51. This system gets NATed to a static public IP address (64.x.x.113) that we own when it is to hit the internet or hop on a VPN tunnel. We have a situation where we need this same system to communicate with another customer (via S2S VPN), but the customer requires us to use a different internal IP provided by them for this system when communicating with them across the tunnel. That is to say, we cannot use the NAT entry that currently exists for this particular situation.   I was hoping I could NAT this internal system to the IP provided by the customer, but only during instances where the traffic is destined to their systems from us. I want all other traffic to get NATed to the existing 64.x.x.113 address when this system is destined anywhere else.   Will this work?   access-list extended CUST_NAT_ACL1 permit ip host 10.110.80.51 1.1.0.0 255.255.0.0 (first public dest subnet belonging to the customer) permit ip host 10.110.80.51 2.2.0.0 255.255.0.0  (2nd public dest subnet belonging to the customer)     route-map CUST_RP1 match address CUST_NAT_ACL1   ip nat inside source static 10.110.80.51 10.201.103.169 (IP address provided by the customer) route-map CUST_RP1 ip nat inside source static 10.110.80.51 64.x.x113 (existing NAT for use in all other situations)   Also, will this NAT apply only to traffic originating from us to them? or is it bidirectional? Meaning if they send traffic on the tunnel to 10.110.80.51, will the NAT rule NAT the traffic to 10.201.103.169? If so, that would be undesirable behavior.   Thanks. ... View more

Community, For VLAN 134 on our network, the Nexus 9396 is the default gateway on SVI 134 (10.134.193.1). The default route is 0.0.0.0 0.0.0.0 10.100.98.4. I would like the next hop interface for default routing for certain IP's in the 134 VLAN to be 10.100.99.4 instead of 10.100.98.4, but not all IP's in that subnet.  Basically I want to force all default routing for only certain IP addresses to use the 10.100.99.4 interface, while all other traffic will use the default route defined in the switch.   Could I use a route map to accomplish this? If so, what would that config look like?   Thanks.     ... View more

Community, I am noticing a partner (50.x.y.30) is sending multiple Phase 1 Requests to our VPN router (64.w.z.111) but cannot figure out why. Any idea what would cause this or how to fix it? All of our other VPN peers only show 1 Phase 1 setup.   I believe they are using a Sophos UTM on their side, we are using a Cisco 2911 on our side.    IPv4 Crypto ISAKMP SA dst                       src                         state                      conn-id status 50.x.y.30       64.w.z.111      MM_NO_STATE       0 ACTIVE 50.x.y.30       64.w.z.111      MM_NO_STATE       0 ACTIVE (deleted) 64.w.z.111     50.x.y.30        MM_NO_STATE        0 ACTIVE (deleted)   Thanks. ... View more

Community,   We are using ACS 5.1 for TACACS+ (Old I know!) authentication on our Cisco devices. Most of the devices are IOS devices but we do have a few NX-OS devices as well. I am able to successfully authenticate to each device via SSH using TACACS+ but I am not sure how to enforce the use of the enable password after successfully authenticating with TACACS+. When I authenticate to the device using my TACACS+ username and password, it dumps me into Global Config mode. How do I enforce the use of the enable password after authenticating via TACACS+ before being allowed into global config mode? Are there changes I need to make in the ACS? Switches? Both?   Thanks. ... View more

Community,   I have in my crypto map entry 2 peers. I can successfully build tunnels between both peers individually. However, when I set both peers using the "set peer" command in the crypto map, if the "active" peer fails, the router never fails over to the other peer. Are there timers associated with this failover action? Is there a config that I am missing? How does this failover work? Thanks.    crypto isakmp policy 10 encr aes authentication pre-share group 5 crypto isakmp key *************** address 156.x.y.245 crypto isakmp key *************** address 156.x.z.245   crypto ipsec transform-set Test-Trans ah-sha-hmac esp-aes esp-sha-hmac ! crypto map atl2client 10 ipsec-isakmp set peer 156.x.z.245 set peer 156.x.y.245 set security-association idle-time 60 set transform-set Test-Trans match address Test_ACL   ip access-list extended Test_ACL permit ip host 64.x.x.89 host 204.x.x.161 permit ip host 10.110.113.177 host 204.x.x.161   interface FastEthernet0/0 ip address 64.x.x.111 255.255.255.0 duplex auto speed auto crypto map atl2client ... View more

Community, I set up an ASA 5510 and when I connect to the VPN via Anyconnect, it connects, I get an IP (10.100.1.5 from the Mars_VPN pool) but then I cannot access other subnets. All of the subnets live on the firewall (all the arp entries) so I know the FW has routes to each subnet because theyre locally connected. Ive tried everything I can think of to get it to work but am at a loss. I disabled the incoming ACL for the Group Policy im connected to and allowed the traffic in the firewall ACLs. Ive configued the NAT so that any return traffic isnt getting NAT'ed to the outside IP (it remains as an internal IP). the downstream switch is not routing, its only passing layer 2 traffic. Ill post the config. Can anyone see why Im unable to connect to any other subnets when Im connected to VPN? Thanks.   MarsASA# show run : Saved : ASA Version 9.1(2) ! hostname MarsASA enable password 8Ry2YjIyt7RRXU24 encrypted xlate per-session deny tcp any4 any4 xlate per-session deny tcp any4 any6 xlate per-session deny tcp any6 any4 xlate per-session deny tcp any6 any6 xlate per-session deny udp any4 any4 eq domain xlate per-session deny udp any4 any6 eq domain xlate per-session deny udp any6 any4 eq domain xlate per-session deny udp any6 any6 eq domain passwd 2KFQnbNIdI.2KYOU encrypted names ip local pool Mgmt_Pool 10.100.0.10-10.100.0.20 mask 255.255.255.0 ip local pool Mars_Pool 10.100.1.5-10.100.1.10 mask 255.255.255.0 ! interface Ethernet0/0 description Outside nameif Outside security-level 0 ip address dhcp setroute ! interface Ethernet0/1 speed 100 channel-group 1 mode active no nameif no security-level no ip address ! interface Ethernet0/2 speed 100 channel-group 1 mode active no nameif no security-level no ip address ! interface Ethernet0/3 speed 100 channel-group 1 mode active no nameif no security-level no ip address ! interface Management0/0 nameif Management security-level 50 ip address 10.0.0.1 255.255.255.0 ! interface Port-channel1 description Inside speed 100 nameif Inside security-level 100 ip address 10.1.0.1 255.255.255.248 ! interface Port-channel1.11 description Mars Mining Default Gateway vlan 11 nameif MarsMining security-level 50 ip address 10.10.1.1 255.255.255.0 ! interface Port-channel1.999 vlan 999 nameif Wireless security-level 50 ip address 192.168.1.2 255.255.255.0 ! boot system disk0:/asa912-k8.bin ftp mode passive clock timezone PST -8 clock summer-time PDT recurring same-security-traffic permit inter-interface object network net_mars-mining subnet 10.10.1.0 255.255.255.0 object network net_customer2 subnet 10.10.2.0 255.255.255.0 object network net_management subnet 10.0.0.0 255.255.255.0 object network net_mars-vpn subnet 10.100.1.0 255.255.255.0 object network 96.39.182.129 host 96.39.182.129 object network obj_outside host 71.89.218.144 object network net_wireless subnet 192.168.1.0 255.255.255.0 object network net_vpn-nets subnet 10.100.0.0 255.255.0.0 object-group service DM_INLINE_UDP_1 udp port-object eq bootpc port-object eq bootps access-list Inside_access_in extended permit ip any any access-list Management_access_in extended permit ip object net_management object net_management access-list MarsMining_access_in extended permit ip any any access-list MarsMining_access_in extended permit icmp any any access-list Outside_access_in extended permit icmp any any access-list Outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1 access-list DataNetworks standard permit 10.10.1.0 255.255.255.0 access-list DataNetworks standard permit 10.0.0.0 255.255.255.0 access-list MarsVPN_access_in extended permit ip any any access-list MarsVPN_access_in extended permit icmp any any access-list net_mgmt-vpn extended permit ip object net_management object net_management access-list net_mgmt-vpn extended permit icmp any any access-list Wireless_access_in extended deny ip object net_wireless object net_mars-mining access-list Wireless_access_in extended deny ip object net_wireless object net_management access-list Wireless_access_in extended permit ip any any access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 access-list AnyConnect_Client_Local_Print remark Windows' printing port access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns pager lines 24 mtu Outside 1500 mtu Management 1500 mtu Inside 1500 mtu MarsMining 1500 mtu Wireless 1500 no failover icmp unreachable rate-limit 1 burst-size 1 asdm image disk0:/asdm-762-150.bin no asdm history enable arp timeout 14400 no arp permit-nonconnected nat (any,Outside) source dynamic any interface nat (any,Outside) source static any any destination static net_vpn-nets net_vpn-nets unidirectional access-group Outside_access_in in interface Outside access-group Management_access_in in interface Management access-group Inside_access_in in interface Inside access-group MarsMining_access_in in interface MarsMining access-group Wireless_access_in in interface Wireless route Outside 0.0.0.0 0.0.0.0 71.x.x.144 1 timeout xlate 3:00:00 timeout pat-xlate 0:00:30 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy user-identity default-domain LOCAL http server enable http 0.0.0.0 0.0.0.0 Management http 0.0.0.0 0.0.0.0 Inside no snmp-server location no snmp-server contact crypto ipsec ikev2 ipsec-proposal DES protocol esp encryption des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal 3DES protocol esp encryption 3des protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES protocol esp encryption aes protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES192 protocol esp encryption aes-192 protocol esp integrity sha-1 md5 crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 crypto ipsec security-association pmtu-aging infinite crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Inside_map interface Inside crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Outside_map interface Outside crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0 enrollment self fqdn none subject-name CN=10.0.0.1,CN=ciscoasa keypair ASDM_LAUNCHER crl configure crypto ca trustpoint ASDM_TrustPoint0 enrollment self subject-name CN=ciscoasa keypair ASDM_LAUNCHER crl configure crypto ca trustpool policy crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0 certificate ba24ac5a 308201c3 3082012c a0030201 020204ba 24ac5a30 0d06092a 864886f7 0d010105 05003026 3111300f 06035504 03130863 6973636f 61736131 11300f06 03550403 13083130 2e302e30 2e31301e 170d3138 30333136 32313233 33375a17 0d323830 33313332 31323333 375a3026 3111300f 06035504 03130863 6973636f 61736131 11300f06 03550403 13083130 2e302e30 2e313081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100ae d6b59564 6e819149 320f65d2 58efbc9c 930e4373 d239faea 39908a89 b2317a7d 53ac69be 7a742031 3401111a 3b25ca4e 9e9e99e5 332fea41 888d5259 8206aace 3b856a6d 2fafdf75 e8ed36c8 5578af86 4844bdea ff296bdc ebec4b0c f1b4824b 607bd52a 2fa1577b 425af247 4de3d7e7 1ca04f75 b280ae7e 846e404e c43fef02 03010001 300d0609 2a864886 f70d0101 05050003 81810015 0911189e 78323fbd 7936085a 4bd6ae6a 8d964f6e 596441a3 7e7c72fb 5c6b0ef5 0ba82662 16482903 3ec6fbda 19a6d47e f608a027 adea5bf4 1e11ce34 914060d9 bfc8918f 14af7784 cc698c7e 5c3f7a07 4d397bbd 454a0424 ec8b12e0 a24b7186 6f6b033c f7245188 ea34fca4 ee2def0a 6a34c0c3 e64931bd db216859 5e13d8 quit crypto ca certificate chain ASDM_TrustPoint0 certificate bb24ac5a 308201cf 30820138 a0030201 020204bb 24ac5a30 0d06092a 864886f7 0d010105 0500302c 3111300f 06035504 03130863 6973636f 61736131 17301506 092a8648 86f70d01 09021608 63697363 6f617361 301e170d 31383033 31363231 32353033 5a170d32 38303331 33323132 3530335a 302c3111 300f0603 55040313 08636973 636f6173 61311730 1506092a 864886f7 0d010902 16086369 73636f61 73613081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902 818100ae d6b59564 6e819149 320f65d2 58efbc9c 930e4373 d239faea 39908a89 b2317a7d 53ac69be 7a742031 3401111a 3b25ca4e 9e9e99e5 332fea41 888d5259 8206aace 3b856a6d 2fafdf75 e8ed36c8 5578af86 4844bdea ff296bdc ebec4b0c f1b4824b 607bd52a 2fa1577b 425af247 4de3d7e7 1ca04f75 b280ae7e 846e404e c43fef02 03010001 300d0609 2a864886 f70d0101 05050003 8181004a 80dfdb34 a0b7a13d 1128ec50 07902ff2 fee09806 690e2c97 29f4c8fc c1d54b9b f843670f 66ebf841 69179f65 1a3d3ef7 6717f7b3 c16ddb8a 0fb99fe7 d16c6a9e 7e395fe0 061b96bd 75f36d6d ce185241 34c76650 21938e73 6ff8bc57 41fcdfce ab37a792 9d39b521 4c1e0cf7 407644d4 b5aeaa88 2e09be31 d5362144 98d519 quit crypto ikev2 policy 1 encryption aes-256 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 10 encryption aes-192 integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 20 encryption aes integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 30 encryption 3des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 policy 40 encryption des integrity sha group 5 2 prf sha lifetime seconds 86400 crypto ikev2 enable Outside crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0 telnet timeout 5 ssh timeout 5 ssh key-exchange group dh-group1-sha1 console timeout 0 dhcp-client client-id interface Outside dhcpd address 10.10.1.5-10.10.1.250 MarsMining dhcpd dns 8.8.8.8 8.8.4.4 interface MarsMining dhcpd lease 604800 interface MarsMining dhcpd enable MarsMining ! dhcpd address 192.168.1.10-192.168.1.20 Wireless dhcpd dns 8.8.8.8 interface Wireless dhcpd enable Wireless ! threat-detection basic-threat no threat-detection statistics access-list no threat-detection statistics tcp-intercept ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Outside ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management webvpn enable Outside anyconnect image disk0:/anyconnect-win-4.4.02039-webdeploy-k9.pkg 1 anyconnect image disk0:/anyconnect-macos-4.4.02039-webdeploy-k9.pkg 2 anyconnect enable group-policy DfltGrpPolicy attributes dns-server value 8.8.8.8 8.8.4.4 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client group-policy MarsMiningGP internal group-policy MarsMiningGP attributes vpn-filter none vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless split-tunnel-policy tunnelspecified split-tunnel-network-list value DataNetworks address-pools value Mars_Pool group-policy ManagementGP internal group-policy ManagementGP attributes vpn-filter value net_mgmt-vpn vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless split-tunnel-policy excludespecified split-tunnel-network-list value net_mgmt-vpn address-pools value Mgmt_Pool username admin password IidV0SWHsmTMyxaS encrypted privilege 15 username admin attributes vpn-group-policy ManagementGP username MarsAdmin password jlvAqDkai3L/3Zw0 encrypted username MarsAdmin attributes vpn-group-policy MarsMiningGP ! ! prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily Cryptochecksum:71ae3ff739a9932f207acb9894f96a6c : end MarsASA#   ... View more

Community,   I have a pair of 9396PX's running NX OS version 7.0(3)I4(6) that have two port channels between them. Po1 is the vPC peer link that carries most of the traffic between the two switches in vPC domain 1. Po2 is a "routing backbone" links that carries OSPF routing protocol traffic. The issue I am seeing is that when I implement the peer-switch feature on both switches in the "vpc domain 1"sub menu, the Po2 interface on one of the switches (PHX-AGG-1A) goes into a spanning tree Backup interface role and Blocking state. The vPC peer link (Po1) however does not. This obviously is causing the OSPF neighborship to go down.   My assumption is that since both switches are using the same exact Spanning Tree BID (0023.04ee.be01) when the peer-switch feature is implemented , the affected switch believes that it is receiving BPDUs from itself and moves the Po2 interface into a Backup role. Is this normal? I've never seen this before. I've attached a topology and some output to illustrate the issue.    PHX-AGG-1A(config)# vpc domain 1 PHX-AGG-1A(config-vpc-domain)# peer-switch PHX-AGG-1A(config-vpc-domain)# end PHX-AGG-1A# show spanning-tree interface po2 Vlan Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- VLAN0200 Back BLK 250 128.4097 P2p VLAN0201 Back BLK 250 128.4097 P2p VLAN0202 Back BLK 250 128.4097 P2p VLAN0203 Back BLK 250 128.4097 P2p PHX-AGG-1A# conf t Enter configuration commands, one per line. End with CNTL/Z. PHX-AGG-1A(config)# vpc domain 1 PHX-AGG-1A(config-vpc-domain)# no peer-switch PHX-AGG-1A(config-vpc-domain)# end PHX-AGG-1A# show spanning-tree int po2 Vlan Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- VLAN0200 Root FWD 250 128.4097 P2p VLAN0201 Root FWD 250 128.4097 P2p VLAN0202 Root FWD 250 128.4097 P2p VLAN0203 Root FWD 250 128.4097 P2p PHX-AGG-1A#   PHX-AGG-1A# show spanning-tree vlan 200 VLAN0200 Spanning tree enabled protocol rstp Root ID Priority 4296 Address 0023.04ee.be01 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 4296 (priority 4096 sys-id-ext 200) Address 0023.04ee.be01 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Po2 Back BLK 250 128.4097 P2p     PHX-AGG-1B# show spanning-tree vlan 200 VLAN0200 Spanning tree enabled protocol rstp Root ID Priority 4296 Address 0023.04ee.be01 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 4296 (priority 4096 sys-id-ext 200) Address 0023.04ee.be01 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Interface Role Sts Cost Prio.Nbr Type ---------------- ---- --- --------- -------- -------------------------------- Po2 Desg FWD 250 128.4097 P2p   Am I misconfiguring something here? I am not entirely sure as why when these were set up that 2 separate port channels were created to carry different traffic. Is this a design best practice or should I just go ahead and migrate the Po2 traffic onto Po1 and remove Po2?   Thanks. ... View more