Hello @Cristian Matei  As I stated a previously I thought a mixture of nvi and hairpining should work regards the OP request - Anyway since @mustafa.chapal @confirmed the request i have managed to lab this up got a working solution ( in my last post) ... View more

Hello When you perform redistribution between different routing domains the prefixes that are redistributed need to be understood by that routing process own metrics they won’t be accepted ohterwise, In your configuration eigrp is redistribuitng ospf without any eigrp metric value appended and ospf is redistributing only eigrp classful subnets, try the following example: router ospf LAB redistribute eigrp 1 subnets match internal router eigrp 1 address-family ipv4 router-id 6.6.6.6 redistribute ospf LAB metric 1 1 1 1 1 ... View more

Hello Not so sure why you want to access the host via the public natted address and its internal address internally however depending on you ios software i think its applicable. Below is a possible solution using NVI nat, however depending on you IOS version you myabe  able to do this with domain nat  also. Example: no route-map 1 no access-list 1 no access-list 2 access-list 1 permit 10.0.0.0 0.0.0.255 access-list 2 remark CCP_ACL Category=2 access-list 2 permit 192.168.0.0 0.0.0.255 no ip nat source route-map 1 interface GigabitEthernet8 overload int loopback 100 ip address 169.254.1.1 255.255.255.255 ip nat enable interface GigabitEthernet8 ip address 99.80.10.233 255.255.255.248 no ip redirects no ip nat outside ip nat enable interface Vlan10 ip address 10.0.0.1 255.255.255.0 ip redirects ip nat enable interface Vlan20 ip address 192.168.0.1 255.255.255.0 ip redirects ip nat enable   ip access-list extended NAT permit ip 10.0.0.0 0.0.0.255 any permit ip 192.168.0.0 0.0.0.255 any ip access-list extended NAT-PIN permit ip 192.168.1.0 0.0.0.255 host 10.0.0.2   ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22 ip nat source list NAT interface GigabitEthernet8 ip nat source list NAT-PIN interface loopback 100 ip route 0.0.0.0 0.0.0.0 GigabitEthernet8 99.80.10.xxxx ... View more

Hello You can use snmp groups with ver3 also, However with v3 you have option for authentication and encryption to allow specify snmp views to specific OIDs  (create from here) within the SNMP MIB tree. Below is an example of using snmpv3 with read access to the configuration on the device using a snmp view/group/user with md5/3des authentication and encryption ( assumption your device and NMS supports this)   ip access-list extended SNMP_ACL permit ip host 172.168.12.x any snmp-server view CONFIG cisco.5.1.31.2.61 included snmp-server group SNMP-GRP v3 priv read CONFIG access SNMP_ACL snmp-server user Fred SNMP_GRP v3 auth md5 snmppassword priv 3des sharedkey123 ... View more

Hello   @mustafa.chapal wrote: Please tell me a way how can I SSH 99.80.10.233 from IP 192.168.0.10 in Vlan 20 as outside to inside does not seem to work So you wish to access internally, other internal hosts via their natted public address if so then youll need to nat hairpin for those internal subnets- please confirm? ... View more

Hello @Cristian Matei  Thanks for the feedback and I do understand but as I have stated mate if the OP confirmed he wants to access a host via external and internal then NVI/ or domain nat I do think there is a possible way incorporating either domain ( depending of ios version) or NVI nat either with some Hari pining ( I’ll probably need to lab it)  - However if it isn’t then as you stated (domain nat) is the correct solution. ... View more

Hello @ezel14 wrote: Hello Paul, why would it be placed on R2  interface e0/0 inbound? As i have stated you would want to negate that traffic before it leaves rtr2 so not to traverse the network then only be to dropped by the destination rtr/host, applying the filter ingress r2 e0/0 would negate this traffic even reaching its e1/0 interface. ... View more

Hello For standard acl then these only filter of the source address as such these should be place as close to the destination address as possible, on the other hand using an extended acl which can filter on source and destination addressing these can be placed as close to the source as possible, thus it will negate unwarranted router processes and network bandwidth. In relation your topology I would suggest you apply that extended acl on R2  on e0/0 interface inbound. Example: R2 ip access-list extended SEVER-ACCESS deny tcp 192.168.2.0 0.0.0.255 host 192.168.3.2 permit ip any any interface e0/1 no ip access-group SEVER-ACCESS in interface e0/0 ip access-group SEVER-ACCESS in ... View more

Hello Just to confirm you used that extended acl with the route-map running NVI nat and you say you cannot establish an internal host -host communication via ssh? The reason why it works via Domain based nat as suggst by @Cristian Matei  is the original NAT order of preference is performed as however it should work via NVI nat even with its dual route lookup with the above acl applied unless i am missing something fundamental here.   Can you post your configuration as it is now please, also confirm on what you are trying to accomplish, And if that is you wish for a host to be reached via ssh either via its external natted and its internal address.   ... View more

Hello You show a pim rp address of 10.1.1.1 and tha RP host looks like it residing via your egress wan interface, You also show to  have NAT enabled but no nat statements applied so if nat isnt working then your upstream rtr needs to know how to reach your lan subnet and that means via either static or dyanmic routing but so first of all can you reach the RP 10.1.1.1. Does the upstream rtrs have Multicast enabled? ping 10.1.1.1 sh ip pimt interface count sh ip pim interface sh ip pim niegbour Lasty try applying sparse-dense mode pim on your interface instead. int x/x ip pim sparse-dense-mode ... View more

Hello Do those FW's reside locally to each other, Is it applicable to introduce an addtional interconnect between them? ... View more

Hello I dont think you need to change the NAT, you just need to amend the nat access-list to deny nat between the two lan subnets.   Example no access-list 1 ip access-list extended NAT deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255 deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255 permit ip 10.0.0.0 0.0.0.255 any permit ip 192.168.0.0 0.0.0.255  any route-map 1 permit 10 no match ip address 1 2 match ip address NAT   ... View more

Hello Do you have ssh enabled on the switch, make sure you have to allow ssh! At present I can see you have created a tacacs server group but you are not calling upon, Anyway as you have enable AAA authorization the switch won’t allow you access until your authenticated so append the following and you should gain access, providing you have setup an enable password and created a local user account with privilege access. aaa authorization exec default group tacacs+ local if-authenticated ... View more

Hello You could also use groups for snmp which is much granular and can even be used to restrict certain parts of the switch/router mib tree to negate malious access. Example: ip access-list extended SNMP_ACL permit ip host 172.168.12.x any snmp-server group SNMP-GRP v2c access SNMP_ACL snmp-server user Fred SNMP-GRP v2c ... View more