ASA multiple VLAN intercommunication and a Dell managed switch

Discussion in 'Cisco' started by justin_ltg@yahoo.com, Oct 6, 2007.

  1. Guest

    Trying to figure this out, and am stumped.

    I have an ASA 5505 with 3 VLANs configured.

    1 - Outside vlan 1 eth0/0 to internet nat'd
    2 - Inside vlan 2 eth0/1 to 10.0.0.x network (ip 10.0.0.1)
    3 - Sungard vlan 3 port eth0/2 to 10.0.0.x network (ip 10.0.4.100)

    For VLANs 1 and 2 everything is fine as that was the original
    config. I added VLAN3 because I want my clients (PCs) to be able to
    fail over to and access High availability servers. The gateway to
    these servers is 10.0.4.25. So my Cisco ISR and ASA eth0/2 are
    plugged into the same layer 2 switch, ports 1 and 2 (which is managed
    and does support VLAN).

    When I originally set up the ASA to accomplish this task, I was
    sporadically able to ping 10.0.4.25 from the ASA as well as the High
    availability servers in the 10.0.2.x range from the ASA. It would
    ping but packets would drop, and sometimes no replies at all. The
    PCs, however, were not able to do this.

    I called Cisco, the guy looked at my ASA config and said it looked
    good. He said what I needed to do was set up a separate VLAN on my
    switch, and plug Vlan3 from the ASA and the eth0/1 ISR port with ip
    10.0.4.25 into those designated switch VLAN ports, and then the
    traffic would be routed by the ASA to the appropriate spots if traffic
    from my PCs (10.0.0.x) range came to their default gateway of the ASA
    (10.0.0.1) looking for 10.0.4.x traffic.

    So I am like fine, sounds simple enough. So I set up 2 ports on my
    switch in VLAN2 and assigned the VLAN2 an ip of 10.0.4.1.

    My PCs (10.0.0.x) and the ASA (10.0.4.100) and the ISR (10.0.4.25)
    can all ping the VLAN2 IP (10.0.4.1) of the switch.

    I'm like great, progress. Well of course one issue is, my 10.0.0.x
    traffic still can't ping 10.0.4.x interfaces. Okay, so this sounds
    like a trunking problem, I can work on that (either that or the ASA
    isn't routing the traffic whatsoever). I assumed since the Cisco
    engineer said everything was good, that it is good to go.

    HOWEVER, the big question is, and this is the curve ball, my ASA
    (10.0.4.100) cannot ping the ISR (10.0.4.25), which are in the same
    VLAN on the switch! (I know the ISR is set up correctly, because I can
    ping from my servers with static routes set in windowz to the ISR.) I
    also have my access list set up correctly on the ASA.

    pleassseee any insight would be most appreciated, as like we all are,
    on a time schedule.


    Here is the ASA config

    ASA Version 7.2(2)
    !
    hostname rfgasa
    domain-name xxx.com
    enable password gVS2wdA63vY9dM4F encrypted
    names
    !
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    !
    interface Vlan2
    nameif outside
    security-level 0
    ip address 68.x.x.x 255.255.255.224
    !
    interface Vlan3
    description static route to sungard
    nameif sungard
    security-level 99
    ip address 10.0.4.100 255.255.255.0
    !
    interface Ethernet0/0
    switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    description physical sungard static route port
    switchport access vlan 3
    !
    interface Ethernet0/3
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    passwd jtwS04SN/D4dwlvP encrypted
    ftp mode passive
    dns server-group DefaultDNS
    domain-name rfginc.com
    access-list rfg extended permit icmp any any echo-reply
    access-list rfg extended permit icmp any any time-exceeded
    access-list rfg extended permit icmp any any unreachable
    access-list rfg extended permit tcp any host x.x.x.80 eq www
    access-list rfg extended permit tcp any host x.x.x.86 eq www
    access-list rfg extended permit tcp any host x.x.x.88 eq www
    access-list rfg extended permit tcp any host x.x.x.70 eq www
    access-list rfg extended permit tcp any host x.x.x.75 eq www
    access-list rfg extended permit tcp any host x.x.x.69 eq www
    access-list rfg extended permit tcp any host x.x.x.72 eq www
    access-list rfg extended permit tcp any host x.x.x.67 eq https
    access-list rfg extended permit tcp any host x.x.x.80 eq https
    access-list rfg extended permit tcp any host x.x.x.72 eq https
    access-list rfg extended permit tcp any host x.x.x.82 eq https
    access-list rfg extended permit tcp any host x.x.x.68 eq 3389
    access-list rfg extended permit tcp any host x.x.x.71 eq 3389
    access-list rfg extended permit tcp any host x.x.x.77 eq 3389
    access-list rfg extended permit tcp any host x.x.x.78 eq 3389
    access-list rfg extended permit tcp any host x.x.x.76 eq 3389
    access-list rfg extended permit tcp any host x.x.x.81 eq 3389
    access-list rfg extended permit tcp any host x.x.x.67 eq ssh
    access-list rfg extended permit tcp any host x.x.x.79 eq ssh
    access-list rfg extended permit tcp any host x.x.x.73 eq 990
    access-list rfg extended permit tcp any host x.x.x.74 eq 990
    access-list rfg extended permit tcp any host x.x.x.73 eq 10023
    access-list rfg extended permit tcp any host x.x.x.74 eq 10039
    access-list rfg extended permit tcp any host x.x.x.71 eq smtp
    access-list rfg extended permit tcp any host x.x.x.82 eq www
    access-list rfg extended permit tcp any host x.x.x.89 eq 3389
    access-list rfg extended permit tcp any host x.x.x.83 eq 3389
    access-list rfg extended permit tcp any host x.x.x.84 eq 3389
    access-list rfg extended permit tcp any host x.x.x.85 eq 3389
    access-list rfg extended permit tcp host 10.0.4.100 any
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.3.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 192.168.4.0 255.255.255.0
    access-list VPN extended permit ip 10.0.0.0 255.0.0.0 10.0.1.0 255.255.255.0
    access-list sungard extended permit tcp any any
    access-list sungard extended permit icmp any any echo-reply
    access-list sungard extended permit icmp any any time-exceeded
    access-list sungard extended permit icmp any any unreachable
    access-list sungard extended permit icmp any any
    pager lines 24
    logging enable
    logging monitor debugging
    logging trap debugging
    logging asdm informational
    logging host inside 10.0.0.19
    logging debug-trace
    mtu inside 1500
    mtu outside 1500
    mtu sungard 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-522.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 x.x.x.92-x.x.x.94
    global (outside) 1 interface
    global (outside) 1 x.x.x.90
    global (outside) 1 x.x.x.91
    global (sungard) 1 interface
    nat (inside) 0 access-list VPN
    nat (inside) 1 10.0.0.0 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp x.x.x.80 www 10.0.0.5 www netmask
    255.255.255.25
    static (inside,outside) tcp x.x.x.86 www 10.0.0.14 www netmask
    255.255.255.2
    static (inside,outside) tcp x.x.x.88 www 10.0.0.16 www netmask
    255.255.255.2
    static (inside,outside) tcp x.x.x.70 www 10.0.0.18 www netmask
    255.255.255.2
    static (inside,outside) tcp x.x.x.75 www 10.0.0.27 www netmask
    255.255.255.2
    static (inside,outside) tcp x.x.x.69 www 10.0.0.11 www netmask
    255.255.255.2
    static (inside,outside) tcp x.x.x.72 www 10.0.0.6 www netmask
    255.255.255.25
    static (inside,outside) tcp x.x.x.82 https 10.0.0.7 https netmask
    255.255.25
    static (inside,outside) tcp x.x.x.68 3389 10.0.0.9 3389 netmask
    255.255.255.
    static (inside,outside) tcp x.x.x.71 3389 10.0.0.17 3389 netmask
    255.255.255
    static (inside,outside) tcp x.x.x.72 https 10.0.0.6 https netmask
    255.255.25
    static (inside,outside) tcp x.x.x.82 www 10.0.0.7 www netmask
    255.255.255.25
    static (inside,outside) tcp x.x.x.77 3389 10.0.0.36 3389 netmask
    255.255.255
    static (inside,outside) tcp x.x.x.78 3389 10.0.0.7 3389 netmask
    255.255.255.
    static (inside,outside) tcp x.x.x.76 3389 10.0.0.8 3389 netmask
    255.255.255.
    static (inside,outside) tcp x.x.x.81 3389 10.0.0.4 3389 netmask
    255.255.255.
    static (inside,outside) tcp x.x.x.79 ssh 10.0.0.7 ssh netmask
    255.255.255.25
    static (inside,outside) tcp x.x.x.73 990 10.0.0.23 990 netmask
    255.255.255.2
    static (inside,outside) tcp x.x.x.74 990 10.0.0.5 990 netmask
    255.255.255.25
    static (inside,outside) tcp x.x.x.74 10039 10.0.0.5 10039 netmask
    255.255.25
    static (inside,outside) tcp x.x.x.71 smtp 10.0.0.17 smtp netmask
    255.255.255
    static (inside,outside) tcp x.x.x.73 10023 10.0.0.23 10023 netmask
    255.255.2
    static (inside,outside) tcp x.x.x.89 3389 10.0.0.95 3389 netmask
    255.255.255
    static (inside,outside) tcp x.x.x.83 3389 10.0.0.169 3389 netmask
    255.255.25
    static (inside,outside) tcp x.x.x.84 3389 10.0.0.6 3389 netmask
    255.255.255.
    static (inside,outside) tcp x.x.x.85 3389 10.0.0.41 3389 netmask
    255.255.255
    access-group rfg in interface outside
    access-group sungard in interface sungard
    route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
    route sungard 10.0.2.0 255.255.255.0 10.0.4.25 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    aaa authentication ssh console LOCAL
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set dynes esp-des esp-md5-hmac
    crypto ipsec transform-set cbcco esp-des esp-md5-hmac
    crypto ipsec transform-set blair esp-des esp-md5-hmac
    crypto dynamic-map cisco 1 set transform-set dynes
    crypto map dyn-map 20 ipsec-isakmp dynamic cisco
    crypto map dyn-map interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 1
    lifetime 86400
    crypto isakmp nat-traversal 20
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    isakmp keepalive disable
    tunnel-group x.x.x.2 type ipsec-l2l
    tunnel-group x.x.x.2 ipsec-attributes
    pre-shared-key *
    tunnel-group x.x.x.14 type ipsec-l2l
    tunnel-group x.x.x.14 ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultL2Lgroup type ipsec-l2l
    telnet 10.0.0.0 255.255.255.0 inside
    telnet timeout 1440
    ssh x.x.x.140 255.255.255.255 outside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 60
    console timeout 0

    !
    class-map class_sip_tcp
    match port tcp eq sip
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect sunrpc
    inspect xdmcp
    inspect netbios
    class class_sip_tcp
    inspect sip
    !
    service-policy global_policy global
    tftp-server inside 10.0.0.176 TFTP
    prompt hostname context
    Cryptochecksum:ddcf0bb2275e5337b7edca35fad99809
    : end
    rfgasa#

    thank you for any help.
    , Oct 6, 2007
    #1

  2. Guest

    Never mind. I'm a monkey.

    First mistake: um, switchport counts go vertical, top to bottom to
    the right.

    Second mistake: made switchport 1 a trunk port (plugged into ASA),
    made switchport 3!!!!!!!! an access port (plugged into the ISR)!!!

    It's Miller time.
    , Oct 6, 2007
    #2
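The failure in this thread (two devices on ports that both belong to the same switch VLAN, yet unable to reach each other) can be checked mechanically; the following is an added example, not part of either post. It parses the interface lines of the posted ASA config and compares them with a switch port table and cabling that are constructed here, since the thread never shows the Dell configuration; the function names and the assumption that the ISR uses a plain untagged routed port are hypothetical.

```python
import re

# Interface lines copied from the ASA 5505 config in the first post.
ASA_CONFIG = """\
interface Vlan3
nameif sungard
ip address 10.0.4.100 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
description physical sungard static route port
switchport access vlan 3
!
"""

def asa_switchports(config):
    """Map each ASA Ethernet port to its switchport mode and access VLAN."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Ethernet\d+/\d+)$", line)
        if m:
            current = m.group(1)
            ports[current] = {"mode": "access", "vlan": 1}  # 5505 default
        elif line == "!" or line.startswith("interface "):
            current = None  # end of section, or a Vlan (SVI) interface
        elif current and line == "switchport mode trunk":
            ports[current]["mode"] = "trunk"
        elif current and (m := re.match(r"switchport access vlan (\d+)$", line)):
            ports[current]["vlan"] = int(m.group(1))
    return ports

def untagged_vlan(port):
    """VLAN a switch port assigns to untagged frames it receives."""
    return port["vlan"] if port["mode"] == "access" else port["native"]

def l2_findings(switch, cabling, asa_ports):
    """cabling maps switch port -> (device, ASA port name or None for the ISR)."""
    findings, placed = [], {}
    for sw_port, (device, asa_port) in sorted(cabling.items()):
        cfg = switch[sw_port]
        placed[device] = untagged_vlan(cfg)
        # An ASA access port never tags; the ISR is assumed to use a plain
        # routed port (no dot1q subinterfaces), so it does not tag either.
        sends_untagged = asa_port is None or asa_ports[asa_port]["mode"] == "access"
        if cfg["mode"] == "trunk" and sends_untagged:
            findings.append(
                f"switch port {sw_port} is a trunk but {device} sends untagged "
                f"frames: they land in native VLAN {cfg['native']}, and tagged "
                f"VLAN {sorted(cfg['tagged'])} frames are not usable by {device}")
    if len(set(placed.values())) > 1:
        where = ", ".join(f"{d} in VLAN {v}" for d, v in sorted(placed.items()))
        findings.append(f"not one broadcast domain: {where}")
    return findings

# Constructed switch tables (the thread never shows the Dell configuration).
BROKEN = {1: {"mode": "trunk", "native": 1, "tagged": {2}},
          3: {"mode": "access", "vlan": 2}}
FIXED = {1: {"mode": "access", "vlan": 2},
         3: {"mode": "access", "vlan": 2}}
CABLING = {1: ("ASA", "Ethernet0/2"), 3: ("ISR", None)}

if __name__ == "__main__":
    asa = asa_switchports(ASA_CONFIG)
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, l2_findings(table, CABLING, asa) or "ok")
```

The ASA's VLAN number (3) and the switch's VLAN number (2) do not have to match, because an access link carries no tag; what matters is that both switch ports classify untagged frames into the same VLAN.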
