CCIE23050.com CCIE Network blog
Category: Cisco

Post-8.3 ASA L2L VPN config

Posted on November 1, 2016 by admin

name 77.77.77.77 farend_Peer
name 10.77.1.1 farend_Host1
name 10.77.1.2 farend_Host2
name 10.77.1.3 farend_Host3

object-group network FAR_END_HOSTS
 description FAR_END_HOSTS
 network-object 10.77.1.1 255.255.255.255
 network-object 10.77.1.2 255.255.255.255
 network-object 10.77.1.3 255.255.255.255
object-group network LOCAL-END_HOSTS
 description LOCAL-END_HOSTS
 network-object 172.16.77.0 255.255.255.0
 network-object 172.20.77.0 255.255.255.0

access-list 105 extended permit ip object-group LOCAL-END_HOSTS object-group FAR_END_HOSTS

Tunnel Group Config

tunnel-group 77.77.77.77 type ipsec-l2l
tunnel-group 77.77.77.77 ipsec-attributes
 ikev1 pre-shared-key xxxxx

Crypto Config

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_map 20 match address 105
crypto map OUTSIDE_map 20 set pfs
crypto map OUTSIDE_map 20 set peer 77.77.77.77
crypto map OUTSIDE_map 20 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map interface outside
crypto ikev1 enable outside
crypto ikev1 policy 3
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

NAT Config

object-group network obj-remote-NAT
 network-object 10.77.1.0 255.255.255.0
object-group network obj-local-NAT
 network-object 172.16.77.0 255.255.255.0
 network-object 172.20.77.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static obj-local-NAT obj-local-NAT destination static obj-remote-NAT obj-remote-NAT
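A check worth running on a config like this, added here and not part of the original post: the crypto ACL and the identity twice-NAT rule must cover the same networks, otherwise a general PAT/NAT rule translates the interesting traffic before the crypto map sees it, so it never matches ACL 105 and leaves the box outside the tunnel. The script parses the object-groups, ACL 105 and the nat line from this post (embedded as a constructed excerpt) and reports any crypto-ACL pair the NAT exemption does not cover.

```python
import ipaddress
import re

# Constructed excerpt of the post's config (same names and addresses as above).
ASA_CONFIG = """
object-group network FAR_END_HOSTS
 network-object 10.77.1.1 255.255.255.255
 network-object 10.77.1.2 255.255.255.255
 network-object 10.77.1.3 255.255.255.255
object-group network LOCAL-END_HOSTS
 network-object 172.16.77.0 255.255.255.0
 network-object 172.20.77.0 255.255.255.0
access-list 105 extended permit ip object-group LOCAL-END_HOSTS object-group FAR_END_HOSTS
object-group network obj-remote-NAT
 network-object 10.77.1.0 255.255.255.0
object-group network obj-local-NAT
 network-object 172.16.77.0 255.255.255.0
 network-object 172.20.77.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static obj-local-NAT obj-local-NAT destination static obj-remote-NAT obj-remote-NAT
"""

def parse_object_groups(cfg):
    """Return {group_name: [IPv4Network, ...]} from the object-group network blocks."""
    groups, current = {}, None
    for line in cfg.splitlines():
        line = line.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups

def covered(needed, available):
    """True when every network in `needed` lies inside some network in `available`."""
    return all(any(n.subnet_of(a) for a in available) for n in needed)

def check_nat_exemption(cfg, acl_id):
    """Crypto-ACL (src, dst) object-group pairs that no identity twice-NAT rule covers.
    Empty list = all interesting traffic keeps its real addresses before encryption."""
    groups = parse_object_groups(cfg)
    acl_re = re.compile(rf"access-list {acl_id} extended permit ip "
                        r"object-group (\S+) object-group (\S+)")
    # 'source static X X destination static Y Y' is the identity (no-translate) form
    nat_re = re.compile(r"nat \(\S+\) source static (\S+) \1 destination static (\S+) \2")
    exempt = [(groups[s], groups[d]) for s, d in nat_re.findall(cfg)]
    return [(src, dst) for src, dst in acl_re.findall(cfg)
            if not any(covered(groups[src], es) and covered(groups[dst], ed)
                       for es, ed in exempt)]
```

The /32 far-end hosts are covered by the /24 in obj-remote-NAT, so the check passes for the config as posted; shrink or retype the NAT object and the offending ACL pair is reported.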

Posted in Cisco, tagged VPN

snmp-server traps for ipsec-isakmp

Posted on November 1, 2016 by admin

snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 1.1.1.1 community1 ipsec isakmp

Posted in Cisco, tagged Cisco

How to see open ports on an IOS router.

Posted on November 1, 2016 by admin

show ip sockets details or show socket detail will give you a list of open ports.

If that command is not supported, find the PID of the process and run show sockets <pid> detail:

Rack01R1#sh processes | i DHCP
42 Mwe 61554938 72 4486 16 5496/6000 0 DHCPD Timer
132 Mwe 61D37488 780188 1074772 72510568/12000 0 DHCPD Receive
151 Msi 6155CC30 464 8975 51 5124/6000 0 DHCPD Database
248 Mwe 6153E90C 93604 537591 174 6424/9000 0 DHCP Client

Rack01R1#show sockets 132 detail
FD LPort FPort Proto Type TransID

0 67 0 UDP DGRAM 0x672F5140
State: SS_ISBOUND
Options: SO_BROADCAST
Total open sockets – TCP:0, UDP:1, SCTP:0

You can also get the same information from the control-plane host view:

Rack01R1#sh control-plane host open-ports
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:68 *:0 BootP client LISTEN
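As an added example (not from the post): a small parser for the 'show control-plane host open-ports' output above that lists the listening sockets and flags the cleartext management services (Telnet on tcp/23, HTTP on tcp/80) a hardening review would want disabled or replaced with SSH/HTTPS. The sample output is the capture above, embedded as a constructed string.

```python
import re

# Constructed sample: the 'show control-plane host open-ports' output from this post.
OPEN_PORTS_OUTPUT = """\
Active internet connections (servers and established)
Prot Local Address Foreign Address Service State
tcp *:23 *:0 Telnet LISTEN
tcp *:80 *:0 HTTP CORE LISTEN
udp *:67 *:0 DHCPD Receive LISTEN
udp *:68 *:0 BootP client LISTEN
"""

# proto, local addr:port, foreign addr:port, service name (may contain spaces), state
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(.+?)\s+(\S+)$")

# Assumption for this example: these two listeners are the cleartext management
# services worth flagging; their SSH/HTTPS equivalents are not in the sample output.
CLEARTEXT_MGMT = {("tcp", 23): "Telnet", ("tcp", 80): "HTTP"}

def parse_open_ports(output):
    """Return one dict {proto, local, port, service, state} per socket line."""
    sockets = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner and header lines
        proto, laddr, lport, _faddr, _fport, service, state = m.groups()
        sockets.append({"proto": proto, "local": laddr, "port": int(lport),
                        "service": service, "state": state})
    return sockets

def cleartext_listeners(output):
    """Listening sockets that should be disabled ('no ip http server') or replaced (SSH for Telnet)."""
    return [s for s in parse_open_ports(output)
            if s["state"] == "LISTEN" and (s["proto"], s["port"]) in CLEARTEXT_MGMT]
```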

Posted in Cisco, tagged Cisco

Generate and test simulated traffic on IOS.

Posted on November 1, 2016 by admin

Generate HTTP traffic

Rack07R1#copy http://33.33.6.3/File1 null:
%Error opening http://33.33.6.3/File1 (No such file or directory)

Generate FTP traffic

Rack07R1#copy ftp://33.33.6.3/File1 null:
Accessing ftp://33.33.6.3/File1…
%Error opening ftp://33.33.6.3/File1 (Undefined error)

Test HTTP, or generate traffic on any port, with telnet

Rack07R1#telnet 33.33.6.3 80
Trying 33.33.6.3, 80 … Open

get
HTTP/1.1 400 Bad Request
Date: Fri, 15 Mar 2002 21:45:45 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 33.33.6.3 closed by foreign host]

ICMP

Rack07R1#debug ip icmp
ICMP packet debugging is on

Rack07R1#ping 33.33.6.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 33.33.6.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/7/16 ms
Rack07R1#
Jan 13 19:51:50.812: ICMP: echo reply sent, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.816: ICMP: echo reply rcvd, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.828: ICMP: echo reply sent, src 33.33.6.3, dst 33.33.6.3
Jan 13 19:51:50.836: ICMP: echo reply rcvd, src 33.33.6.3, dst 33.33.6.3

For other traffic, use debug ip packet detail.

Test RADIUS and TACACS+

Rack07R1#test aaa group tacacs+ cisco cisco new-code
Rack07R1#test aaa group radius cisco cisco new-code

Posted in Cisco, IP, tagged Cisco

ASA Failover

Posted on November 1, 2016 by admin

Using two interfaces (one for the failover LAN link, one for the state link). Configure the primary first.

On the primary

failover
failover lan unit primary
failover lan interface LFAIL GigabitEthernet0/6
failover key cisco1
failover replication http
failover link LSTATE GigabitEthernet0/7
failover interface ip LFAIL 172.20.248.17 255.255.255.252 standby 172.20.248.18
failover interface ip LSTATE 172.20.248.21 255.255.255.252 standby 172.20.248.22
monitor-interface INSIDE   <- needed if INSIDE is not a physical interface (subinterfaces are not monitored by default)

On the secondary

failover lan unit secondary
failover lan interface LFAIL GigabitEthernet0/6
failover key cisco1
failover interface ip LFAIL 172.20.248.17 255.255.255.252 standby 172.20.248.18
failover

Using the management interface with VLANs

interface Management0/0
!
interface Management0/0.303
 description LAN Failover Interface
 vlan 303
!
interface Management0/0.304
 description STATE Failover Interface
 vlan 304

failover
failover lan unit primary
failover lan interface LAN-FO Management0/0.303
failover key cisco1
failover link STATE-FO Management0/0.304
failover interface ip LAN-FO 192.168.2.37 255.255.255.252 standby 192.168.2.38
failover interface ip STATE-FO 192.168.2.41 255.255.255.252 standby 192.168.2.42

On the secondary unit

failover lan unit secondary
failover lan interface LAN-FO Management0/0.303
failover key cisco1
failover interface ip LAN-FO 192.168.2.37 255.255.255.252 standby 192.168.2.38
failover

Posted in Cisco, tagged Cisco

6500 TDR

Posted on November 1, 2016 by admin

6509#test cable-diagnostics tdr interface gi8/26
TDR test started on interface Gi8/26
A TDR test can take a few seconds to run on an interface
Use 'show cable-diagnostics tdr' to read the TDR results.

6509#show cable-diagnostics tdr ?
  interface  Specify an interface for TDR result
  module     Specify module for TDR result

6509#show cable-diagnostics tdr interface gi8/26
TDR test last run on: October 13 10:02:06
Interface Speed Pair Cable length        Distance to fault   Channel Pair status
--------- ----- ---- ------------------- ------------------- ------- ------------
Gi8/26    auto  1-2  N/A                 51  +/- 3  m        Invalid Open
                3-4  N/A                 48  +/- 3  m        Invalid Open
                5-6  N/A                 49  +/- 3  m        Invalid Open
                7-8  N/A                 52  +/- 3  m        Invalid Open

Posted in Cisco, tagged 6500

6500 VSS – ISSU – notes

Posted on November 1, 2016 by admin

Make sure the old version is set in bootvar.

Re: ISSU loadversion on VSS? Make sure that the current image is configured on the switch:

boot system flash sup-bootdisk:s72033-ipbase-mz.122-33.SXI2a.bin

Look at this post:

https://supportforums.cisco.com/message/606688

issu loadversion 1/5 sup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXI4a.bin 2/5 slavesup-bootdisk:s72033-adventerprisek9_wan-mz.122-33.SXI4a.bin

C6506VSS#issu runversion
This command will reload the Active unit. Proceed ? [confirm]

C6506VSS#issu acceptversion
% Rollback timer stopped. Please issue the commitversion command.

C6506VSS#issu commitversion
Building configuration…
[OK]
%issu commitversion executed successfully

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/issu_efsu.html#wp1042706

issu loadversion sup-bootdisk:/newsys/s72033/base/s72033-advipservicesk9_wan-vm

2. copy tftp sup-bootdisk:s72033-advipservicesk9-mz.122-33.SXI2a.bin
   copy tftp slavesup-bootdisk:s72033-advipservicesk9-mz.122-33.SXI2a.bin
3. show version | inc image
   show bootvar
   show redundancy
   show issu state detail
4. issu loadversion sup-bootdisk:s72033-advipservicesk9-mz.122-33.SXI2a.bin
5. show issu outage slot all
6. issu runversion
7. issu acceptversion
8. issu commitversion
9. show redundancy
   show issu state detail

At the end, run redundancy force-switchover to get back onto the right switch.

Posted in Cisco, tagged 6500

IPSEC VPN cert trustpoint notes

Posted on November 1, 2016 by admin

On the router, this makes the ISAKMP identity the certificate DN:

crypto isakmp identity dn

On the ASA:

tunnel-group 200.0.23.3 type ipsec-l2l
tunnel-group 200.0.23.3 ipsec-attributes
 pre-shared-key cisco
 trust-point ROUTER2
 peer-id-validate nocheck

The trustpoint needs to be set in two different places.

In the tunnel-group, for receiving (responding to) the connection:

tunnel-group 200.0.23.3 type ipsec-l2l
tunnel-group 200.0.23.3 ipsec-attributes
 pre-shared-key cisco
 trust-point ROUTER2

In the crypto map, for initiating it:

crypto map CRYPTO 10 set trustpoint ROUTER2

Posted in Cisco, tagged Cisco

ASA EZVPN

Posted on November 1, 2016 by admin

crypto ipsec transform-set FirstSet esp-aes esp-sha-hmac
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map CMAP 1 ipsec-isakmp dynamic dyn1
crypto map CMAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

access-list 100 extended permit ip 10.0.0.0 255.0.0.0 any

group-policy tgroup1gp internal
group-policy tgroup1gp attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value 100

username cisco password cisco

ip local pool TESTPOOL 192.168.0.1-192.168.0.254

tunnel-group tgroup1 type remote-access
tunnel-group tgroup1 general-attributes
 address-pool TESTPOOL
 default-group-policy tgroup1gp
tunnel-group tgroup1 ipsec-attributes
 pre-shared-key cisco

On the client, use group tgroup1 with password cisco, then log in with username cisco, password cisco.

Posted in Cisco, tagged VPN

ping with tos – dscp

Posted on November 1, 2016 by admin

DSCP 1 (000001) occupies the top six bits of the ToS byte, so it equals ToS 00000100 = decimal 4.

Router(config)#access-list 105 deny ip any any dscp 1
Router(config)#access-list 105 permit ip any any
Router(config)#interface ethernet 0/1
Router(config-if)#ip access-group 105 out
Router#show access-list 105

Rack9SW2#ping 200.0.12.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.12.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/58/60 ms
Rack9SW2#ping
Protocol [ip]:
Target IP address: 200.0.12.2
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: Vlan118
Type of service [0]: 4
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.0.12.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.118.8
U.U.U
Success rate is 0 percent (0/5)
Rack9SW2#
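The DSCP/ToS arithmetic above, as an added example that is not part of the original post: it converts between the two representations, names the standard codepoints (CS, AF, EF), and evaluates what ACL 105 would do with a given ToS byte, so the ToS value 4 typed into the extended ping can be checked against the deny ip any any dscp 1 entry.

```python
# DSCP is the top six bits of the IP ToS byte; ECN is the bottom two.
DSCP_EF = 46

def dscp_to_tos(dscp, ecn=0):
    """ToS byte for a DSCP value (0-63) and optional ECN bits (0-3)."""
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("dscp must be 0-63, ecn 0-3")
    return (dscp << 2) | ecn

def tos_to_dscp(tos):
    """DSCP value carried in a ToS byte (0-255); the ECN bits are discarded."""
    if not 0 <= tos <= 255:
        raise ValueError("tos must be 0-255")
    return tos >> 2

def dscp_name(dscp):
    """Standard per-hop-behaviour name for a DSCP value, or 'DSCP<n>' for unnamed codepoints."""
    if dscp == 0:
        return "default"
    if dscp == DSCP_EF:
        return "EF"
    cls, low = divmod(dscp, 8)              # class selector = high three bits
    if low == 0:
        return f"CS{cls}"
    if 1 <= cls <= 4 and low in (2, 4, 6):  # AFxy: x = class, y = drop precedence
        return f"AF{cls}{low // 2}"
    return f"DSCP{dscp}"

def acl_105_action(tos):
    """What ACL 105 from this post does with a packet carrying this ToS byte."""
    return "deny" if tos_to_dscp(tos) == 1 else "permit"
```

DSCP 1 is not a standard codepoint, which is exactly why the post uses it: it marks test traffic that nothing else on the path would set, so the U.U.U unreachables can only come from the ACL.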

Posted in Cisco, IP, tagged IP
