If you’re running Cisco IOS on all you devices then you can use CDP to see what’s directly connected, (unless you are on a Cisco firewall, but I did say IOS devices).
[box]
Petes-Switch#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay
Device ID Local Intrfce Holdtme Capability Platform Port ID
Petes-CPE.petenetlive.com
Gig 1/0/19 148 R S I CISCO2901 Gig 0/0
Petes-Switch#
[/box]
But just about every other vendor uses LLDP (Link Layer Discovery Protocol,) to do the same job. So how do you discover what ports you are plugged into on them, or what they are?
Solution
Well in most cases, (depending on your code) your devices also support LLDP, it’s just disabled by default. You simply turn it on with an ‘lldp run’ command.
[box]
Petes-Switch(config)#lldp run
Petes-Switch(config)#exit
Petes-Switch#show lldp ?
entry Information for specific neighbor entry
errors LLDP computational errors and overflows
interface LLDP interface status and configuration
neighbors LLDP neighbor entries
traffic LLDP statistics
| Output modifiers
[/box]
Now I see my neighbours, (yes that is how it’s spelt I’m English!) In my example below the neighbour is a Dell Switch.
Last week I was having problems getting a VPN up from a client’s Cisco ASA into Azure. This was because the Azure estate was using ‘route-based‘ or a ‘dynamic routing VPN‘. See the following article;
So the firewall was a non-starter, but Cisco ISR routers are supported, and they can handle virtual tunnel interfaces (VTI’s). So I used a Cisco ISR 1921 router, sat that beside the firewall, and gave that a public IP. Note: I did have to route the traffic to Azure, to use this router instead of the firewall but that’s easy.
Now we just need to get the VPN Tunnel up.
Solution
OK, before you get started your router needs to be able to support crypto/VPN’s. That means you should be running a ‘security’ license (show license should say you have a securityk9 licence installed and running, or K8 if you live in North Korea, or 1986). If you don’t, the router will not recognise any of the crypto commands.
To establish ‘Phase 1‘ of the VPN tunnel we need an IKE proposal. Note I’m using IKEv2, that is a requirement for route-based, or dynamic routing from Azure.
[box]
Petes-ISR#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-ISR(config)#crypto ikev2 proposal IKE-PROP-AZURE
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured
Petes-ISR(config-ikev2-proposal)# encryption aes-cbc-256 aes-cbc-128 3des
Petes-ISR(config-ikev2-proposal)# integrity sha1
Petes-ISR(config-ikev2-proposal)# group 2
Petes-ISR(config-ikev2-proposal)# exit
[/box]
Then add the proposal we created above to an IKEv2 Policy, (Note: a policy can have multiple proposals).
[box]
Petes-ISR(config)#crypto ikev2 policy IKE-POLICY-AZURE
IKEv2 policy should have atleast one complete proposal attached
Petes-ISR(config-ikev2-policy)# proposal IKE-PROP-AZURE
Petes-ISR(config-ikev2-policy)# exit
[/box]
Create a keyring, (in IKEv2 you can have multiple keys), and specify your VPN pre shared key, (PSK or shared secret).
Now all the ‘Phase 1‘ settings get tied together in a Phase 1 profile. (Note: GigabitEthernet0/0 is the public facing port, yours may be different).
[box]
Petes-ISR(config)#crypto ikev2 profile PROFILE-PH1-AZURE
% IKEv2 profile MUST have match identity or match certificate statements
Petes-ISR(config-ikev2-profile)# match address local interface GigabitEthernet0/0
Petes-ISR(config-ikev2-profile)# match identity remote address 40.113.16.195 255.255.255.255
Petes-ISR(config-ikev2-profile)# authentication remote pre-share
Petes-ISR(config-ikev2-profile)# authentication local pre-share
Petes-ISR(config-ikev2-profile)# keyring KEYRING-AZURE
Petes-ISR(config-ikev2-profile)# exit
[/box]
For ‘Phase 2‘ (IPSEC) you create a ‘transform set’.
No, (even if you are doing NAT Overload). Unlike an IPSEC VPN on a firewall you do not need to exempt the traffic for the VPN, from NAT translation. That’s because it leaves the router through the tunnel interface and not the public facing interface.
Below are all the commands you can copy and paste and change accordingly;
[box]
Assumptions
192.168.100.0/24 is behind the router
10.0.0.0/16 is the Azure network
40.113.16.195 is the Azure Gateway IP
1234567890asdfg is the pre shared key
GigabitEthernet0/0 is the ‘public facing interface on the router’
!
access-list 101 permit ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto ikev2 proposal IKE-PROP-AZURE
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
exit
!
crypto ikev2 policy IKE-POLICY-AZURE
proposal IKE-PROP-AZURE
exit
!
crypto ikev2 keyring KEYRING-AZURE
peer 40.113.16.195
address 40.113.16.195
pre-shared-key 1234567890asdfg
exit
exit
!
crypto ikev2 profile PROFILE-PH1-AZURE
match address local interface GigabitEthernet0/0
match identity remote address 40.113.16.195 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring KEYRING-AZURE
exit
!
crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
mode tunnel
exit
!
crypto ipsec profile PROFILE-PH2-AZURE
set transform-set TRANSFORM-AZURE
set ikev2-profile PROFILE-PH1-AZURE
exit
!
int tunnel 1
ip address 169.254.0.1 255.255.255.0
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 40.113.16.195
tunnel protection ipsec profile PROFILE-PH2-AZURE
exit
!
ip route 10.0.0.0 255.255.255.0 tunnel 1
[/box]
Related Articles, References, Credits, or External Links
I was asked yesterday, “When you get five minutes, I need split tunneling setup, when I VPN into a network I lose Internet connectivity”. On inspection he was using the Microsoft VPN client, I jumped on the VPN device to discover it was a Cisco IOS router.
What I discovered was, unlike the firewall VPN’s I’m used to, you DONT set split tunneling up on the VPN device, you set it up on the client, (and its a bit clunky – sorry!)
Solution
1. Windows Key + R > ncpa.cpl {Enter} > Locate the VPN connection > Right Click > Properties > Networking > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced.
2. Untick “Use default gateway on remote network” > OK > OK > OK.
BE AWARE: There is a downside to doing this, as site visitor Clayton Webb points out;
“Unchecking that default gateway is a godsend, until end users use their laptops for torrents, malware, etc. If you have the time I’d recommend a direct access setup for company equipment. VPN w/ NPS health validators for non-company equipment.”
I agree, I would only ever see this as a temporary solution for the ‘technically savvy’.
3. WARNING: At this point you may find you can connect to the VPN, and your Internet now works, (hooray!) But you can no longer talk to any servers or systems on the site you are VPN’d into. This is a Windows routing problem, lets take a look at what IP address I’m getting from the VPN Device.
Above you can see Ive got an IP address of 192.168.2.207, and in my case I don’t have a default gateway (this is not unusual, yours may be the same or you may have a default gateway as well).
4. If you open a command window and issue a ‘route print’ command, you can see the reason I don’t have a default gateway is my gateway is may actual IP address (again this is not unusual, In my case I need to remember 192.168.2.207, if you have a different gateway listed thats the one you need to take notice of).
Note: -P Adds the route persistently (will remain after a reboot). The network you are trying to get to will probably be a different network, to the network IP you are being leased to you by the VPN device. If you have multiple networks you will need a ‘route add’ for each one.
6. To demonstrate; below I can’t get to 192.168.1.1, I then enter the ‘route add’ command, and after that I can get to 192.168.1.1.
Note: I’m not adding my route as persistent!
Related Articles, References, Credits, or External Links
While doing a quick lab in GNS3, I tried to add NAT to a router, and it fell over with the following error;
[box]
R3(config-if)#ip nat outside
% NBAR ERROR: parsing stopped
% NBAR Error : Activation failed due to insufficient dynamic memory
% NBAR Error: Stile could not add protocol node
%NAT: Error activating CNBAR on the interface FastEthernet0/0
R3(config-if)#
*Mar 1 00:01:11.655: %SYS-2-MALLOCFAIL: Memory allocation of 10260 bytes failed
from 0x62915CD4, alignment 0
Pool: Processor Free: 28660 Cause: Memory fragmentation
Alternate Pool: None Free: 0 Cause: No Alternate pool
-Process= "Exec", ipl= 0, pid= 93, -Traceback= 0x6148BFF8 0x60016604 0x6001C564 0x6001CBBC 0x636756E4 0x62915CDC 0x628F468C 0x628F9DA0 0x628F5968 0x628FA474 0x628F5968 0x628F8344 0x628F5968 0x628F5B2C 0x62928FBC 0x62933A20
*Mar 1 00:01:11.659: %NBAR-2-NOMEMORY: No memory available for StILE lmalloc, -Traceback= 0x6148BFF8 0x62915CF8 0x628F468C 0x628F9DA0 0x628F5968 0x628FA474 0x628F5968 0x628F8344 0x628F5968 0x628F5B2C 0x62928FBC 0x62933A20 0x62920BD0 0x6293DF70 0x6293E2F0 0x61C77C70
R3(config-if)#
*Mar 1 00:01:12.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
R3(config-if)#
[/box]
A quick Google told me, this was because I didn’t have enough memory assigned to the router, and I was supposed to change this, save the new setting, and reload the router. But as soon as I did that, this happened. (Note: Seen in GNS3, I could not console to the router).
[box]
GNS3 management console. Running GNS3 version 0.8.6.
Copyright (c) 2006-2013GNS3 Project.
=> *** Warning: ghostsize is to small for device R3. Increase it with the ghostsize option.
[/box]
Solution
1. Locate the filename.net file for your project, and open it.
Note: Usually in C:Users{user-name}GNS3Projects
2. Locate the section that contains your router settings, (you should see the IOS image name). Below that change the RAM value, here I changed it from 128 to 256, then save the file and reopen your GNS3 project.
3. To stop this happening again, whilst in GNS3 > Edit > IOS Images and Hypervisors > Locate the router image, and set the default RAM figure here > Save > Click Test settings to make sure.
Related Articles, References, Credits, or External Links
I’ve done thousands of firewall VPN’s but not many that terminate on Cisco Routers. It’s been a few years since I did one, and then I think I was a wuss and used the SDM. So when I was asked to do one last week thankfully I had the configs ready to go.
I’m going to use the IP addresses above, and my tunnel will use the following settings;
3. Create a ‘Crypto map’ that is used to apply the phase 2 settings to an interface.
[box]
R1(config)#crypto map VPN-C-MAP 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
R1(config-crypto-map)#set peer 1.1.1.2
R1(config-crypto-map)#set transform-set VPN-TS
R1(config-crypto-map)#match address VPN-ACL
[/box]
4. Apply that crypto map to an interface, (usually the Internet facing one).
[box]
R1(config-crypto-map)#interface Serial0/1/0
R1(config-if)#crypto map VPN-C-MAP
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R1(config-if)#exit
R1(config)#
[/box]
5. In most cases your router will be doing NAT, if so you will need to change the ACL that is looking after the NAT for you, look in your running config for something that looks like the following;
[box]
R1#show run
Building configuration...
Current configuration : 1249 bytes
------------output removed for the sake of space------------
!
ip nat inside source list 100 interface Serial0/1/0 overload
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
!
------------output removed for the sake of space------------
!
line aux 0
!
[/box]
6. To stop our VPN traffic getting NATTED, we need to put a deny in that ACL, and put it before that permit statement. Remember:
Permit=Perform NAT
Deny=Don’t perform NAT
On this router (unlike the ASA‘s that I’m more used to), there is no option to define an ACL line number. So its easier to remove the existing one, add the new line then put the original one back. Finally save the changes.
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#access-list 100 deny ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
R1(config)#access-list 100 permit ip 10.10.10.0 0.0.0.255 any
R1(config)#exit
R1#
%SYS-5-CONFIG_I: Configured from console by console
R1#write mem
Building configuration...
[OK]
[/box]
7. Now at the other site, the config should be a mirror image. I will post it in its entirety, so you can copy and paste it into the router, I will highlight the bits you need to check and change in red.
[box]
crypto isakmp policy 1
encr aes
hash sha
authentication pre-share
group 2
lifetime 86400
crypto isakmp key SecretK3y address 1.1.1.1
ip access-list extended VPN-ACL
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto map VPN-C-MAP 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set VPN-TS
match address VPN-ACL
interface Serial0/1/0
crypto map VPN-C-MAP
no access-list 100 permit ip 20.20.20.0 0.0.0.255anyaccess-list 100 deny ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255access-list 100 permit ip 10.10.10.0 0.0.0.255 any
[/box]
8. Test your VPN with the following commands. Note: you need to send some traffic over the VPN before it will establish!
[box]
show crypto isakmp sa
show crypto ipsec sa
[/box]
WARNING: If you have an ACL applied to the routers outside interface, you will need to allow in the Peer IP, like so;
[box]
ip access-list extended outside-in
permit esp host 1.1.1.1 any
permit udp host 1.1.1.1 any eq isakmp
permit udp host 1.1.1.1 any eq non500-isakmp
[/box]
If you do not, the other end will fail Phase 1 with a WAIT_MSG_3 Error!
Related Articles, References, Credits, or External Links
Having the ability to remotely administer network devices, means I don’t have to get my lazy carcass out of my chair and start fishing console cables out of my bag, also it saves on shoe leather, and travelling time.
Solution
Cisco Router / Switch – Setup Telnet Access
These days people frown at Telnet. It’s an insecure protocol so your password is sent in clear text over the wire, and can be seen by anyone sniffing traffic. For that reason SSH is preferred, but for completeness I’ll start with Telnet.
1. Log in the the device > Go to enable mode > Go to configuration mode > Enable Telnet and set a password.
[box]
Router0>enable
Router0#conf terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router0(config)#line vty 0 4
Router0(config-line)#transport input telnet
Router0(config-line)# password P@ssword123
[/box]
2. Save the changes and test.
[box]
Router0(config)#exit
Router0#write mem
Building configuration...
[OK]
Router0#
[/box]
Cisco Router / Switch – Setup SSH Access
1. SSH is a little more involved, before you can connect via SSH, you need a certificate, and before you can generate a certificate, you need a host name and a domain name.
[box]
Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#
[/box]
2. Another prerequisite is you need usernames and passwords, these can be managed by a separate AAA solution like RADIUS, TACACS+, or Active Directory. But for this example I’ll simply set them up on the device, and use local authentication.
Note: I set myself up with privilege 15, this means when I log on, I automatically log on at enable mode, the other user account does not, and needs to know the enable password to make any changes.
3. Finally allow remote management via SSH, and save the changes.
[box]
Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input ssh
Petes-Router(config-line)#exit
Petes-Router(config)#exit
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
4.Finally you need to enable AAA Authentication to use the local database;
[box]
Petes-Router(config)#aaa new-model
Petes-Router(config)#aaa authentication login default local
Petes-Router(config)#aaa authorization exec default local
[/box]
WARNING
This also will enable username/password authentication for ‘console‘ (rollover cable) access. I dont like that, so I remove that with the following commands;
Cisco Router – Restricting Telnet and SSH Access via Access List
You can lock down access further to remote management, by allowing or denying access from an ACL.
WARNING: If doing this remotely, and just using SSH remember to generate the key and create users FIRST, or you may lock yourself out. If you are worried schedule a reload in twenty minutes, do the work, if it works cancel the reload, if it all explodes, go have a coffee, when you come back it will have reverted back!
Schedule a Router Reload
[box]
Petes-Router#reload in 20
Reload scheduled in 20 minutes by petelong on vty0 (123.123.123.123)
Reload reason: Reload Command
Proceed with reload? [confirm] {Enter}
Petes-Router#
---CARRY OUT THE CHANGES---
Petes-Router#reload cancel
Petes-Router#
***
*** --- SHUTDOWN ABORTED ---
***
[/box]
1. From the top let’s create a user, and setup the RSA key, (skip this step if you have already done this).
[box]
Router0>enable
Router0#conf terminal
Router0(config)#hostname Petes-Router
Petes-Router(config)#ip domain-name petenetlive.com
Petes-Router(config)#crypto key generate rsa modulus 2048
The name for the keys will be: Petes-Router@petenetlive.com
% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 17 seconds)
Petes-Router(config)#
[/box]
2. Now create an access-list to allow and deny access, (usual ACL rules apply).
Petes-Router(config)#ip access-list extended VTY_ACCESS
Petes-Router(config-ext-nacl)#10 permit tcp 123.123.123.123 0.0.0.0 any eq 23
Petes-Router(config-ext-nacl)#20 permit tcp 123.123.123.123 0.0.0.0 any eq 22
Petes-Router(config-ext-nacl)#30 permit tcp 10.1.1.0 0.0.0.255 any eq 23
Petes-Router(config-ext-nacl)#100 deny ip any any
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#
[/box]
2. In this example I will set the transport input to all (that’s TelnetANDSSH), then lock access down the the ACL we have just created.
[box]
Petes-Router(config)#line vty 0 4
Petes-Router(config-line)#transport input all
Petes-Router(config-line)#login local
Petes-Router(config-line)#access-class VTY_ACCESS in
Petes-Router(config-line)#exit
Petes-Router(config)#exit
[/box]
3. Save your changes and test.
[box]
Petes-Router#write mem
Building configuration...
[OK]
Petes-Router#
[/box]
Related Articles, References, Credits, or External Links
IOS 11.2 gave us CBAC, and IOS 12.4(6)T gave us the Zone Based Firewall. You can still use either, (providing you are running the correct IOS, or in the case of version 15 and upwards, added the correct license, ‘securityK9’). For older IOS versions usually you want the advipservices version of the IOS).
Solution
Run the following command to see if you have the correct license installed.
[box]
Petes-Router#show license features
[/box]
Cisco IOS Setup CBAC (IOS Firewall Classic)
1. Declare the protocols you want to inspect.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#ip inspect name IOS-FW tcp
Petes-Router(config)#ip inspect name IOS-FW udp
Petes-Router(config)#ip inspect name IOS-FW icmp
[/box]
2. Apply that inspection inbound on the inside interface (that’s traffic going out).
[box]
Petes-Router(config)#interface FastEthernet 0/1
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#
[/box]
4. Apply the inspection inbound on the outside interface (for traffic coming in). And then save the changes.
Note: If you have VPN traffic this will NOT break it.
[box]
Petes-Router(config)#interface Dialer0
Petes-Router(config-if)#ip inspect IOS-FW in
Petes-Router(config-if)#exit
Petes-Router(config)#exit
*Mar 1 00:05:29.875: %SYS-5-CONFIG_I: Configured from console by console
Petes-Router#wr mem
Building configuration...
[OK]
Petes-Router#
[/box]
Cisco Zone Based Firewall Setup
The config on ZBF can get quite complicated, I’m simply going to allow traffic out, and block all traffic coming in (apart from traffic that will be coming in over VPN).
Note: CBAC Settings (if used), must be removed before configuring ZBF.
1. The first thing to do is setup the zones, I only have a LAN an WAN to worry about.
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Petes-Router(config)#zone security SZ-INSIDE
Petes-Router(config-sec-zone)#description Local Area Network
Petes-Router(config-sec-zone)#zone security SZ-OUTSIDE
Petes-Router(config-sec-zone)#description Wide Area Network (Internet)
Petes-Router(config-sec-zone)#exit
[/box]
2. Create two ACLs to decide which traffic you want to allow in and out. Note: I’ve also added the subnets for my remote VPN network. I will allow out www (TCP 80), https (TCP 443), and DNS (TCP 53). Inbound everything is blocked apart from my VPN traffic.
Note: I’m not covering setting up the VPN, if you want to know how to do that, see the following article;
Then for each ACL I’m creating a class-map, it’s the class-map that decides what traffic will be inspected, (by inspected, in ZBF terms we mean allowed).
[box]
Petes-Router(config)#ip access-list extended ACL-OUTBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq www
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 443
Petes-Router(config-ext-nacl)#permit tcp 192.168.1.0 0.0.0.255 any eq 53
Petes-Router(config-ext-nacl)#class-map type inspect match-all CM-OUTBOUND
Petes-Router(config-cmap)#match access-group name ACL-OUTBOUND
Petes-Router(config-ext-nacl)#exit
Petes-Router(config)#ip access-list extended ACL-INBOUND
Petes-Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
[/box]
3. Define what to do with the (matched) traffic with a policy-map, this can be set to inspect, log , or drop. We set it to inspect our traffic, and drop, then log everything else.
[box]
Petes-Router(config)#policy-map type inspect PM-OUTBOUND
Petes-Router(config-pmap)#class type inspect CM-OUTBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-OUTBOUND for inspection. All protocols will be inspected
Note: The Above is not really true - we have defined the port in the ACL
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
Petes-Router(config)#policy-map type inspect PM-INBOUND
Petes-Router(config-pmap)#class type inspect CM-INBOUND
Petes-Router(config-pmap-c)#inspect
%No specific protocol configured in class CM-INBOUND for inspection. All protocols will be inspected
Note: The Above is fine, it drops everything that's not VPN traffic anyway.
Petes-Router(config-pmap-c)#class class-default
Petes-Router(config-pmap-c)#drop log
Petes-Router(config-pmap-c)#exit
Petes-Router(config-pmap)#exit
[/box]
4. The last task is to create zone-pairs for the outbound and inbound traffic, then apply our policy-map to them with a service-policy.
NAT is the process of taking one or more IP adresses and tranlsating it/them into differnet IP addreses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload.
Solution
1. Connect to the router, and got to enable mode, then global configuration mode.
[box]
PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#
While setting up a simple site to site to site VPN, I was unable to get ISAKMP phase 1 to establish. When I had a look on the device at the far end. I saw this error logged in the console, every time I tried to bring up the tunnel.
[box]
*Mar 1 00:21:42.811: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.2.3, src_addr= 192.168.1.2, prot= 1
[/box]
Solution
After about 40 minutes of staring at the configs, I realised I’d applied the crypto-map (on the router I was trying to bring the tunnel up from), to the inside interface and not the outside one – Doh!
Related Articles, References, Credits, or External Links
A friend was rolling out some PC’s for a client and wanted me to give him a network with the same subnet etc so he could build everything on the bench.
I grabbed a router and set it up for DHCP, and to NAT all traffic for him, but annoyingly it kept doing this;
%SYS-4-CONFIG_RESOLVE_FAILIURE: System config parse from (tftp://255.255.255.255/cisconet.cfg) failed
Solution
Quite a simple one to fix, whilst connected via console/SSH do the following;
[box]
Petes-Router#configure terminal
Enter configuration commands, one per line.
Petes-Router(config)#no service config
Petes-Router(config)#exit
Petes-Router#copy running-config startup-config [/box]
Related Articles, References, Credits, or External Links