Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About cbkirwan1
Stats
Member since
06-06-2018
20
Posts
0
Helpful
0
Solutions
Certifications
01-14-2020
06:42 AM
Looks like that command is in there. I will be changing routes to finish the configuration tomorrow. I was told by my senior engineer I may run into this problem so we will just see. Thanks for the feedback, I'll message back if it happens.
... View more
01-14-2020
06:25 AM
I'm currently establishing an IPSec VPN between a 2900 router and an ASA 5525. The purpose of this is to be able to get management access to a couple nodes at the remote site which is where the ASA is. The conflict is that I've learned that I can't access the management port of the same firewall where the VPN is terminated. Any suggestions? Trying to get this wrapped up by tomorrow.
... View more
Labels:
10-09-2018
08:30 AM
So you can ignore the alerts by how come the two gateways are showing active? I'm having this same problem. When I do a show hsrp bri on both of them it tells me this:
Interface Grp Prio P State Active addr Standby addr Group addr Vlan3 10 110 P Active local unknown X.X.X.X
It says this for all of my VPC's. I also have those same log messages. Here's the config on my VPC domain:
vpc domain 751 peer-switch role priority 1000 system-priority 4000 peer-keepalive destination X.X.X.X source X.X.X.X no layer3 peer-router syslog peer-gateway ipv6 nd synchronize ip arp synchronize
The other side is the exact same.
... View more
09-21-2018
12:55 PM
I actually just figured it out. I changed the management interfaces of the switches and put them on the vlan for the IPSEC tunnel that matches the ACL. I can ping across and am seeing the ingress and egress packet count go up. Thanks for your help.
... View more
09-21-2018
11:20 AM
So this is where it doesn't make sense to me. From Router A which is 10.2.1.1 I could not ping 10.2.1.3 (the PC). Though from 10.2.2.1 I could ping 10.2.2.2.
_______________________________________________________________________________________________
Router-A#ping 10.2.2.1 source 10.2.1.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds: Packet sent with a source address of 10.2.1.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms Router-A#sh crypto ipsec sa interface: GigabitEthernet0/1 Crypto map tag: mymap, local addr 10.10.1.1 protected vrf: (none) local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) current_peer 10.10.1.6 port 500 PERMIT, flags={origin_is_acl,ipsec_sa_request_sent} #pkts encaps: 111, #pkts encrypt: 111, #pkts digest: 111 #pkts decaps: 262, #pkts decrypt: 262, #pkts verify: 262 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 2, #recv errors 0 local crypto endpt.: 10.10.1.1, remote crypto endpt.: 10.10.1.6 path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0x57197F43(1461288771) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0xE4F3C728(3841181480) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4436291/3594) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0x57197F43(1461288771) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4436291/3594) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas:
__________________________________________________________________________________________
Router-B#sh crypto ipsec sa interface: GigabitEthernet0/1 Crypto map tag: mymap, local addr 10.10.1.6 protected vrf: (none) local ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0) remote ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0) current_peer 10.10.1.1 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262 #pkts decaps: 111, #pkts decrypt: 111, #pkts verify: 111 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 10.10.1.6, remote crypto endpt.: 10.10.1.1 path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xE4F3C728(3841181480) PFS (Y/N): N, DH group: none inbound esp sas: spi: 0x57197F43(1461288771) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2015, flow_id: Onboard VPN:15, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4490813/3557) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xE4F3C728(3841181480) transform: esp-3des esp-md5-hmac , in use settings ={Tunnel, } conn id: 2016, flow_id: Onboard VPN:16, sibling_flags 80000046, crypto map: mymap sa timing: remaining key lifetime (k/sec): (4490813/3557) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: Router-B#
... View more
09-21-2018
10:55 AM
I checked all that, no firewalls on the PC's blocking ping, no acl's not seen in the configs I posted, PC's are getting DHCP addresses with the correct gateways. The PC's can ping across the tunnel to the opposite side DHCP default gateway. For exp 10.2.2.2 can ping 10.2.1.1 no problem, but going a step further and pinging the the PC it doesn't make it. The trace always makes it to the opposite side router but it's like it doesn't know to send the packet down it's local gateway to the switch to the PC. It's really strange.
... View more
09-21-2018
10:26 AM
I would ping from my PC on the other side with the source of 10.2.2.2 going to 10.2.1.3 which is the other host. Attached are the logs I pulled.
... View more
09-21-2018
08:22 AM
Hey guys,
I've not done anything really with IPSEC but am looking to dig into it more. I used three routers and two switches in the lab to create an IPSEC tunnel. The tunnel is up and packets are being sent and received but I cannot ping from one host to the other. Something I noticed on router A is that I cannot even ping the host from the local gateway using the gateway as the source. It does have it's MAC in the arp entry. Here's my three routers, won't post the switches because I know they work. Also my visio drawing is attached. Any advice would be appreciated.
Router-A#
version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router-A ! boot-start-marker boot-end-marker ! no aaa new-model ! no ipv6 cef ip source-route ip cef ! ip dhcp excluded-address 10.2.1.1 ! ip dhcp pool DHCP network 10.2.1.0 255.255.255.0 default-router 10.2.1.1 lease infinite ! multilink bundle-name authenticated ! crypto pki token default removal timeout 0 ! license udi pid CISCO2921/K9 sn FTX1552AJ34 license boot module c2900 technology-package securityk9 ! redundancy ! crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key test address 10.10.1.6 ! crypto ipsec transform-set myset esp-3des esp-md5-hmac ! crypto map mymap 1 ipsec-isakmp set peer 10.10.1.6 set transform-set myset match address 100 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 no ip address shutdown duplex auto speed auto ! interface GigabitEthernet0/1 ip address 10.10.1.1 255.255.255.252 duplex auto speed auto crypto map mymap ! interface GigabitEthernet0/2 no ip address duplex auto speed auto ! interface GigabitEthernet0/2.10 description Management encapsulation dot1Q 10 ip address 10.1.1.10 255.255.255.128 ! interface GigabitEthernet0/2.30 description DHCP encapsulation dot1Q 30 ip address 10.2.1.1 255.255.255.0 ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat log translations syslog ip route 0.0.0.0 0.0.0.0 10.10.1.2 ip route 10.10.1.0 255.255.255.252 10.10.1.2 ! access-list 100 permit ip 10.2.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! control-plane ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input all ! scheduler allocate 20000 1000 end
_______________________________________________________________________________
Router-B#
Current configuration : 2110 bytes ! ! Last configuration change at 13:58:43 UTC Fri Sep 21 2018 ! NVRAM config last updated at 18:08:00 UTC Thu Sep 20 2018 ! NVRAM config last updated at 18:08:00 UTC Thu Sep 20 2018 version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router-B ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! ! no ipv6 cef ip source-route ip cef ! ! ! ip dhcp excluded-address 10.2.2.1 ! ip dhcp pool DHCP network 10.2.2.0 255.255.255.0 default-router 10.2.2.1 ! ! multilink bundle-name authenticated ! ! crypto pki token default removal timeout 0 ! ! license udi pid CISCO2921/K9 sn FTX1722AH7Y license boot module c2900 technology-package securityk9 ! ! ! redundancy ! ! ! ! ! ! crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key test address 10.10.1.1 ! ! crypto ipsec transform-set myset esp-3des esp-md5-hmac ! crypto map mymap 1 ipsec-isakmp set peer 10.10.1.1 set transform-set myset match address 100 ! ! ! ! ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 no ip address shutdown duplex auto speed auto ! interface GigabitEthernet0/1 ip address 10.10.1.6 255.255.255.252 duplex auto speed auto crypto map mymap ! interface GigabitEthernet0/2 no ip address duplex auto speed auto ! interface GigabitEthernet0/2.10 description Management encapsulation dot1Q 10 ip address 10.1.1.220 255.255.255.128 ! interface GigabitEthernet0/2.40 description DHCP encapsulation dot1Q 40 ip address 10.2.2.1 255.255.255.0 ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 0.0.0.0 0.0.0.0 10.10.1.5 ip route 10.10.1.4 255.255.255.252 10.10.1.5 ! access-list 100 permit ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255 ! ! ! ! ! ! control-plane ! ! ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input all ! scheduler allocate 20000 1000 end
Router-B#
______________________________________________________________________________
Router-C#
version 15.2 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Router-C ! boot-start-marker boot-end-marker ! no aaa new-model ! ip cef ! no ipv6 cef ! multilink bundle-name authenticated ! license udi pid CISCO2921/K9 sn FTX1541AHT0 license boot module c2900 technology-package securityk9 ! redundancy ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 no ip address shutdown duplex auto speed auto ! interface GigabitEthernet0/1 ip address 10.10.1.2 255.255.255.252 duplex auto speed auto ! interface GigabitEthernet0/2 ip address 10.10.1.5 255.255.255.252 duplex auto speed auto ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip route 10.1.1.0 255.255.255.128 10.10.1.1 ip route 10.1.1.128 255.255.255.128 10.10.1.6 ip route 10.2.1.0 255.255.255.0 10.10.1.1 ip route 10.2.2.0 255.255.255.0 10.10.1.6 ip route 10.10.1.0 255.255.255.252 10.10.1.1 ! access-list 100 permit ip any any
! control-plane ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login transport input all ! scheduler allocate 20000 1000 ! end
... View more
Labels:
09-11-2018
06:26 AM
dhcprelay server X.X.X.X inside dhcprelay server X.X.X.X inside dhcprelay enable New_Handhelds dhcprelay enable Laptops dhcprelay enable Voice dhcprelay enable Guest dhcprelay enable Imptob-Corp dhcprelay enable PLTHVAC dhcprelay timeout 60
This is straight off the active firewall. I had to back out so I don't have any captures. The WLC is not acting as the DHCP server, we have dhcp for wireless going to windows servers.
... View more
09-11-2018
05:33 AM
Hey guys, so last weekend I had a problem when implementing 2 Cisco 5508X ASA's. I had the routes correct, the VLANs being trunked, mac addresses on the interfaces and even thousands of hit counts on my rule sets. Only problem was that I was not getting an address. This firewall is used to segment our wireless traffic. My wireless network's were not getting addresses and in the packet capture I wasn't seeing any DHCP requests coming through. This firewall is identical to the old 5520's I'm pulling out. The only thing different is now with the 5508's I have this DHCP Relay Interface Servers option. Also there we're not hit's on my ACL rules for the DHCP either. Any suggestions? Places to look?
... View more
- Tags:
- 5508X
- asa
- DHCP relay
Labels:
08-07-2018
10:21 AM
I run a pretty big Solarwinds shop in my infrastructure. We use NPM, UDT, and NCM that poll for configs, port details, and network health etc. Recently I started getting log messages all of the network for SNMP authentication failures. Here's the message: %SNMP-3-AUTHFAIL: Authentication failure for SNMP request from host X.X.X.X. I've looked far and wide on the internet for a similar situation but I've not found one. Solarwinds support has never given me good fixes for any of my problems. Has anyone dealt with anything similar?
... View more
- Tags:
- snmp
- solarwinds
- syslog
Labels:
08-07-2018
10:11 AM
Great feedback guys. Unfortunately we dont come in contact with the company running these audits only my LCON does. I'm going to implement these fixes and also let him know that the servers need some work as well. Thanks everyone.
... View more
08-07-2018
05:57 AM
Very cool, we use straight command line here so there shouldn't be any impact. Then disabling those will clear that security vulnerability?
... View more
01-14-2020
Looks like that command is in there. I will be changing routes to finish
the configuration tomorrow....
01-14-2020
I'm currently establishing an IPSec VPN between a 2900 router and an ASA
5525. The purpose of this i...
10-09-2018
So you can ignore the alerts by how come the two gateways are showing
active? I'm having this same p...
09-21-2018
I actually just figured it out. I changed the management interfaces of
the switches and put them on ...
09-21-2018
So this is where it doesn't make sense to me. From Router A which is
10.2.1.1 I could not ping 10.2....
09-21-2018
I checked all that, no firewalls on the PC's blocking ping, no acl's not
seen in the configs I poste...
09-21-2018
I would ping from my PC on the other side with the source of 10.2.2.2
going to 10.2.1.3 which is the...
09-21-2018
Hey guys, I've not done anything really with IPSEC but am looking to dig
into it more. I used three ...
09-11-2018
dhcprelay server X.X.X.X insidedhcprelay server X.X.X.X insidedhcprelay
enable New_Handheldsdhcprela...
09-11-2018
Hey guys, so last weekend I had a problem when implementing 2 Cisco
5508X ASA's. I had the routes co...
08-07-2018
I run a pretty big Solarwinds shop in my infrastructure. We use NPM,
UDT, and NCM that poll for conf...
08-07-2018
Great feedback guys. Unfortunately we dont come in contact with the
company running these audits onl...
Public Statistics
| Date Registered | 06-06-2018 05:38 AM |
| Date Last Visited | 01-17-2020 12:04 AM |
| Total Messages Posted | 20 |
.jpg "VIP Mentor"){kind=icon}
