Tekforums

Chat => Entertainment & Technology => Topic started by: Mardoni on November 13, 2006, 12:06:34 PM

Title: More Cisco Config Help Please ??
Post by: Mardoni on November 13, 2006, 12:06:34 PM
Ok, I'm completely lost :(

Everything I had learnt about ip inspect has gone out of the window with the IOS upgrade I have done. It has all been replaced with ip nbar.

I have read loads on ip nbar but I cannot get anything to work correctly :whoops:
Would someone with a little knowledge please post a really basic ip nbar setup for say allowing HTTP traffic on a NAT interface ? I just need to see how a rule set is defined and linked to an interface. It doesn't even need to be a working config just a rough outline !!

Title: More Cisco Config Help Please ??
Post by: Mardoni on November 13, 2006, 15:29:33 PM
Stumbled across this article:
http://www.zdnet.com.au/news/security/soa/Build_a_poor_man_s_firewall_with_the_Cisco_IOS/0,130061744,120263906,00.htm

and now I might be on my way again :)
Title: More Cisco Config Help Please ??
Post by: Porch Monkey on November 14, 2006, 14:28:30 PM
Ah yes...the joys of Cisco IOS upgrades.

Rule number 1 of Cisco IOS upgrades, never update the IOS if everything already works.

Rule number 2 of Cisco IOS upgrades, NEVER update the IOS if everything already works.

Seriously I have a contact in the European TAC and even Cisco have people dedicated to figuring out which version of IOS works with different features/modules/interfaces/power supplies/fishing rods/jam buns.....you get the idea.

Good luck on sorting out the nbar mate, sorry I use proper firewalls as a rule.
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 15, 2006, 11:44:52 AM
"proper firewalls"...
Stupidly I thought upgrading from a SMC router to a Cisco Router was moving to a "proper firewall". Turns out that I was wrong and the name of the device gives it away: router !

Anyway, I'm sure I should be able to get at least as much security out of the 2611 as my consumer SMC Barricade; it's just more difficult to configure :)

I have now got traffic flowing in both directions, with some very simple ACLs limiting the traffic. The only thing that does not feel right about this config is that I am relying on NAT to stop most of the unsolicited traffic from getting on my LAN. I had thought that I would be able to deny everything, except where the traffic was a direct response to a NATed connection.

Therein lies the question. What is wrong with this config and what should I be doing to stop unsolicited traffic whilst allowing NAT responses ?



Title: Re:More Cisco Config Help Please ??
Post by: Porch Monkey on November 15, 2006, 17:11:31 PM
To be fair, "therein lies your problem" is exactly right.

Routers with ACLs do not have stateful inspection as such. So on your external interface, if you want to have it ACL'd you'll block return packets for any traffic. That's the nature of an ACL vs a stateful firewall.

You would need to set-up some sort of dynamic ACL on the ingress traffic on the external interface so that it matched your outbound ACL. This can't be done. That's why Cisco make a packet of cash selling Cisco PIX and ASA boxes.


Change your 103 access list so that it's all established packets only and then add anything else you specifically need, that would be my first step.
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 15, 2006, 17:45:26 PM
I've put a little request in with Mark to see if there is an IOS version newer than 12.2(28a) for this 2611 w/ CBAC and NBAR. If there's not I will have to try working around my previous issues with 12.2(28a).

In all honesty I am quickly reaching the point of "PCWorld are doing uPNP enabled cable routers for £40"...
Title: Re:More Cisco Config Help Please ??
Post by: Mark on November 15, 2006, 22:56:50 PM
Sorry - been away for a bit!

If you get a bit of RAM in that box you can use one of the FW services IOSs - I will see if I have any RAM in any of my old 2600s - remember - it's a multiservice platform so it's a router, firewall and whatever else card you can stuff in it.

I'll also send you a config if you send me exactly your setup?
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 15, 2006, 22:59:18 PM
you're too kind :)

I'll knock out a setup diagram and send you my existing (and sort of working) config so that you can have a giggle ;)

Title: Re:More Cisco Config Help Please ??
Post by: Mark on November 15, 2006, 23:03:42 PM
Here are the feature sets available for the vanilla 2611 - note a lot need more ram than you have currently

Title: More Cisco Config Help Please ??
Post by: Porch Monkey on November 17, 2006, 12:04:43 PM
Quick note boys, if you're going to upgrade to FW services make sure you chat about it in PM as it's illegal to do so without purchasing the necessary license and therefore against forum rules. I've also seen CCO accounts revoked for doing precisely this.

But for the record, yes if you get it onto a FW services version it should act like a cut down PIX.
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 17, 2006, 12:27:11 PM
Cheers for the info :)

The 2611 that I have came with an older IP/FW/IDS IOS installed (and supplied on disk). I have to confess to not realising at the time of purchase that you cannot get updates unless you buy your kit from a certified vendor :/



Title: More Cisco Config Help Please ??
Post by: Porch Monkey on November 17, 2006, 14:00:14 PM
You can only get updates if you have a valid support contract, these you can buy from any vendor.
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 17, 2006, 15:11:00 PM
No wonder Cisco people make so much bloody money ;) :)
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 18, 2006, 19:43:47 PM
Ok, next question :)
Here is my Live config !! I've dropped back to version 12.2 for the time being...

I am having a problem that I cannot resolve...

The router hooks up to NTL fine and allows everything to access the web as required but after n minutes (variable time) the connection drops out :(

Is there anything obvious in my config causing the problem ? Like the bootps/bootpc ACL entry I had to make in order to get an NTL IP ?

Any pointers would be great :)



Title: More Cisco Config Help Please ??
Post by: Mardoni on November 18, 2006, 23:31:15 PM
Hours later and I think I've cracked it :)

my ACL was only permitting bootps/bootpc conversation on the private NTL network; it turns out that whilst the discovery is on that network, the lease server has a "real IP" that the ACL was blocking !
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 21, 2006, 14:46:43 PM
Ok, next question :D

I am getting crappy download throughput on the public interface. I have traced the problem and it is on the public interface, giving large numbers of CRC errors.

I believe this is being caused by a mismatch of the bandwidth and duplex settings on the interface; my problem is that I cannot get them to sync up correctly.

I have an external Cable modem that provides me with around a 4mb link. The CM provides a 10/100mbit Full Duplex CAT5e interface. I am plugging the CM directly into ETH0/0 on the router using a straight through patch cable.

Here are my faults/findings when running the dslguide speedtest through the router:

Eth0/0 Settings: No Bandwidth - full-duplex
Result: 778.2 Kbps download; hundreds of CRC errors

Eth0/0 Settings: Bandwidth = 10240 - full-duplex
Result: ~900kbps download reported; hundreds of CRC errors

Eth0/0 Settings: Bandwidth = 10240 - half-duplex
Result:  1,841.4 Kbps download reported; 0 CRC errors

Eth0/0 Settings: Bandwidth = 4096 - full-duplex
Result:  897.3 Kbps download reported; hundreds of CRC errors

Eth0/0 Settings: Bandwidth = 4096 - half-duplex
Result:  1,772.4 Kbps download reported; 0 CRC errors


Now those results make it look like it has to be half-duplex but if I set to half duplex I lose 50% of my download capacity ?!?! Any ideas ??

I tried running a speedtest with a bandwidth of 8mb / Half-duplex but it came out about the same as 4mb Half-duplex !?

Eth0/0 Settings: Bandwidth = 8192 - half-duplex
Result:  1,608.7 Kbps download reported; 0 CRC errors


If I plug the modem into a SMC router I get speedtest results between 3.8 and 4mb...so it is definitely the router/modem config holding me back.
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 21, 2006, 15:05:40 PM
I've just done a:

no bandwidth / no duplex and run the test:

Eth0/0 Settings: no bandwidth - no duplex (run shows half-duplex)
Result: 1,760.1 Kbps download reported; 0 CRC errors


Eth0/0 Settings: no bandwidth - full-duplex
Result: 820.5 Kbps download reported; hundreds CRC errors


I am really confused; it seems that when I whack the interface into full-duplex I suddenly get loads of CRC errors and the throughput drops. What does this signify ? (Faulty interface ?)


Full-duplex is supported by modem and router but when engaged I get loads of CRC.

Half duplex works fine but I see, at most, 50% of my expected download capacity.


edit: Tried both a Xover and Patch cable, makes no difference...I think the modem auto-detects...
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 21, 2006, 20:35:12 PM
Ok a little bit more...

I am certain that there is an issue of sorts with the router but I am not sure what it is. I hooked an old lappy up to the modem @ 10mbit half-duplex and it still managed consistent download rates of around 4mbit.

I have been *playing* with the bandwidth settings, mtu, mss, queue sizes and timeouts on ip inspect and nat...
All of these things appear to affect the overall throughput of the interface but I have not been able to get the connection to stabilise at anywhere near 100% capacity.

I am still seeing massive fluctuations between 300kbit and 3mbits; not seen 3mbit+ results yet.

I was advised by NTL to use the following speed test as it is the "only one" they will accept results from:

http://homepage.ntlworld.com/robin.d.h.walker/speedtest.html

These are how the tests have been panning out:
Quote:
Tue, 21 Nov 2006 20:33:39 GMT
1st 128K took 461 ms = 284321 Bytes/sec = approx 2366 kbits/sec
2nd 128K took 440 ms = 297891 Bytes/sec = approx 2478 kbits/sec
3rd 128K took 972 ms = 134848 Bytes/sec = approx 1122 kbits/sec
4th 128K took 370 ms = 354249 Bytes/sec = approx 2947 kbits/sec

and then

Quote:
Tue, 21 Nov 2006 20:33:53 GMT
1st 128K took 1612 ms = 81310 Bytes/sec = approx 676 kbits/sec
2nd 128K took 982 ms = 133475 Bytes/sec = approx 1111 kbits/sec
3rd 128K took 400 ms = 327680 Bytes/sec = approx 2726 kbits/sec
4th 128K took 1432 ms = 91531 Bytes/sec = approx 762 kbits/sec

Approx. 2mins later from DSLGuide speedtest: 1,328.1 Kbps
Title: More Cisco Config Help Please ??
Post by: Porch Monkey on November 22, 2006, 08:47:03 AM
Once again, the bandwidth setting does nothing so don't worry about that.

If the modem auto detects then your best bet is going to be to leave the router on auto detect too. When you force the router to a specific duplex it will stop sending the auto negotiate signals and you'll see errors.

CRC errors are typically from a duplex mis-match.

Your router only has a 10 Mbit interface so it's conceivable that the modem is trying to auto detect the speed setting also but can't.

When you plug the laptop in directly what speed do you see on the interface (Reported not actual)?
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 22, 2006, 12:26:11 PM
You're going to like this, not a lot ;)

Your comment on mis-matched duplexes got me checking the reported connections on the switches, where everything tied up as expected. BUT...as I turned around and out of the corner of my eye I thought I saw all of the connection lights on the switch die and relight, so I sat and watched...

...sure enough the switch was dying !
So I replaced it like for like and went back thinking all was solved but no ! Still the connection was slow.

So I started from the beginning...
Laptop into Modem = fine
Laptop into Router via freshly made XOver = FINE !
Laptop into Switch into Router = problems !

But that was a new switch so it makes no sense.
After some exhaustive throughput testing it turns out that all three of the 8 port Netgear switches I have appear to cause a bottleneck, even when they are only hooked up to the router (10mb) and the laptop (100mb) !
Switching the 8port for a 5port Netgear vastly improves the throughput (almost twice the throughput) ! So for now, I have replaced my 2 * 8 ports with 2 * 5port uplinked and even with the laptop at the bottom of the hierarchy (most switching required) I still see much better network throughput.

Now that I know that the network is stable, I am seeing different results from speed tests. i.e. consistent @ around 4mb :)

I have been using NTL's recommended speedtest so that if I could not solve the problem I could bitch at them :D

http://homepage.ntlworld.com/robin.d.h.walker/speedtest.html

Next up is playing with nbar and QoS so prepare yourself for some grief :D :D :)


(thanks for being my muse on this problem) :)
Title: More Cisco Config Help Please ??
Post by: Porch Monkey on November 22, 2006, 12:31:20 PM
No worries, as an aside, if you can, get yourself a manageable switch, you may find it'll be most stable if you hard code the port connected to the router to 10/full and do likewise on the router side.
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 22, 2006, 12:34:30 PM
I still cannot get the router to modem link to go 10 full, it starts spitting CRCs like there's no tomorrow. I am not that worried now though, as I am getting the throughput at half-duplex.

I do have a 24port 10/100 Cisco switch here; I've just not managed to get around to plugging it in yet. I thought I'd get the router up and running first :)
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 24, 2006, 12:43:35 PM
Well, guess what...
Another day and another problem !
This one has me truly stumped and I don't know where (or how) to start...

I have a machine on a static IP address (192.168.1.1) that can access HTTP, MSN etc but it will not connect to my NNTP server !
I have stuck debugging on and also made a temporary ACL entry that allows all IP traffic from that server w/ log but I only receive (and permit) ICMP packets, I don't get any messages for tcp/udp traffic received (or dropped). I've also dumped out the NAT translations for the NNTP service and I can see them being created !

Here is my running config:


!
version 12.2
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 7Six2600
!
no logging buffered
no logging console
enable secret 5
enable password
!
clock timezone GMT 0
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp mss 1460
ip name-server 4.2.2.1
ip name-server 4.2.2.2
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.239 192.168.1.244
!
ip dhcp pool 7sixLAN
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.3
   domain-name 7six
   dns-server 4.2.2.1 4.2.2.2
   netbios-node-type h-node
   lease 5
!
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect udp idle-time 600
ip inspect dns-timeout 30
ip inspect tcp finwait-time 300
ip inspect tcp synwait-time 300
ip inspect name Ethernet0_0 realaudio
ip inspect name Ethernet0_0 sqlnet
ip inspect name Ethernet0_0 ftp
ip inspect name Ethernet0_0 fragment maximum 256 timeout 1
ip inspect name Ethernet0_0 tcp
ip inspect name Ethernet0_0 udp
ip audit notify log
ip audit po max-events 100
!
!
!
interface Ethernet0/0
 description WAN Connection (NTL)
 mac-address 0004.e22a.99f9
 bandwidth 10240
 ip address dhcp
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect Ethernet0_0 out
 half-duplex
 no cdp enable
 hold-queue 16 in
 hold-queue 4 out
!
interface Ethernet0/1
 description LAN Connection
 bandwidth 10240
 ip address 192.168.1.3 255.255.255.0
 ip access-group 102 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 full-duplex
 no cdp enable
 hold-queue 0 in
!
ip nat translation timeout 3600
ip nat translation tcp-timeout 3600
ip nat translation udp-timeout 600
ip nat translation finrst-timeout 300
ip nat translation syn-timeout 300
ip nat translation dns-timeout 30
ip nat translation icmp-timeout 30
ip nat inside source list 1 interface Ethernet0/0 overload
ip nat inside source static udp 192.168.1.10 3074 interface Ethernet0/0 3074
ip nat inside source static tcp 192.168.1.10 3074 interface Ethernet0/0 3074
ip nat inside source static tcp 192.168.1.10 88 interface Ethernet0/0 88
ip classless
no ip http server
!
logging trap debugging
logging source-interface Ethernet0/0
logging 192.168.1.11
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark permit anything from NNTP server and display it
access-list 101 permit ip 216.196.109.144 0.0.0.0 any log
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit icmp host 62.253.96.20 any log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any eq 88
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 3074
access-list 101 permit tcp any eq 88 any
access-list 101 permit tcp any eq 3074 any
access-list 101 permit udp any eq 3074 any
access-list 101 permit ip any 192.168.1.0 0.0.0.255
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   icmp any any information-request log
access-list 101 permit icmp any any
access-list 101 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny   ip 169.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 101 deny   ip any any log
access-list 102 permit tcp any any established
access-list 102 permit ip any 192.168.1.0 0.0.0.255
access-list 102 permit icmp any 192.168.1.0 0.0.0.255
access-list 102 permit gre any 192.168.1.0 0.0.0.255
access-list 102 deny   ip any any log
no cdp run
!
line con 0
line aux 0
line vty 0 4
 session-timeout 15
 access-class 1 in
 password
 login
!
ntp server 207.46.232.189
end


Here is the NAT dump

7Six2600#show ip nat trans | inc 119
tcp 82.19.70.78:2321   192.168.1.1:2321   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2322   192.168.1.1:2322   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2324   192.168.1.1:2324   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2329   192.168.1.1:2329   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2330   192.168.1.1:2330   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2331   192.168.1.1:2331   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2333   192.168.1.1:2333   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2334   192.168.1.1:2334   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2336   192.168.1.1:2336   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2337   192.168.1.1:2337   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2341   192.168.1.1:2341   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2342   192.168.1.1:2342   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2344   192.168.1.1:2344   216.196.109.144:119 216.196.109.144:119
tcp 82.19.70.78:2347   192.168.1.1:2347   216.196.109.144:119 216.196.109.144:119


Here is a dump of the active CBAC rules for the machine with the static IP. There is nothing for port 119 (nntp) ?

7Six2600#show ip inspect sess | inc 192.168.1.1:
 Session 8135B0D8 (192.168.1.1:1964)=>(207.46.110.44:1863) tcp SIS_OPEN
 Session 81246140 (192.168.1.1:2201)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 81302228 (192.168.1.1:2320)=>(66.225.235.36:80) tcp SIS_OPEN
 Session 812334E4 (192.168.1.1:2254)=>(216.196.100.135:80) tcp SIS_OPEN
 Session 81090FF4 (192.168.1.1:2240)=>(216.196.100.135:80) tcp SIS_OPEN
 Session 81291F28 (192.168.1.1:2217)=>(213.220.100.1:80) tcp SIS_CLOSING
 Session 810964BC (192.168.1.1:2218)=>(213.220.100.1:80) tcp SIS_CLOSING



Finally, here are the stats from Eth0/0 (the WAN connection):

7Six2600#show int eth0/0
Ethernet0/0 is up, line protocol is up
  Hardware is AmdP2, address is 0004.e22a.99f9 (bia 0002.b912.fb20)
  Description: WAN Connection (NTL)
  Internet address is 82.19.70.78/22
  MTU 1500 bytes, BW 10240 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:08, output 00:00:01, output hang never
  Last clearing of "show interface" counters 00:10:40
  Input queue: 0/16/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/4 (size/max)
  5 minute input rate 12000 bits/sec, 8 packets/sec
  5 minute output rate 2000 bits/sec, 14 packets/sec
     11526 packets input, 2463125 bytes, 0 no buffer
     Received 13 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     13237 packets output, 1099205 bytes, 0 underruns
     0 output errors, 8 collisions, 0 interface resets
     0 babbles, 0 late collision, 138 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
7Six2600#


Any ideas ??
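As an added illustration (my own Python, not the router's code or anything posted in the thread) of two earlier points: Porch Monkey's remark that an ACL using "established" is not stateful inspection, and the bootps/bootpc fix for the lease server with a "real IP". It models first-match evaluation of the relevant lines of access-list 101 above against constructed packets; the WAN address and the 62.253.96.20 lease server come from the config, while the 10.20.30.1 and 198.51.100.7 sources are made up.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the running config posted above (those the sample traffic
# below can reach); everything else in this block is my own illustration.
ACL_101 = """
access-list 101 permit udp 10.0.0.0 0.255.255.255 eq bootps any eq bootpc log
access-list 101 permit udp host 62.253.96.20 eq bootps any eq bootpc log
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any gt 1023
access-list 101 permit tcp any any eq 3074
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip any any log
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80, "nntp": 119}
ANY = (0, 0xFFFFFFFF)

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flag names present, e.g. {"SYN"}

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (net, wildcard, next i)."""
    if t[i] == "any":
        return ANY + (i + 1,)
    if t[i] == "host":
        return _ip(t[i + 1]), 0, i + 2
    return _ip(t[i]), _ip(t[i + 1]), i + 2

def _port_op(t, i):
    """Optional 'eq|gt|lt PORT' qualifier; return (op, port, next i)."""
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return t[i], PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
    return None, 0, i

def parse_acl(text):
    """Turn numbered extended ACL lines into ordered rule dicts."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] == "remark":
            continue
        snet, swild, i = _addr(t, 4)
        sop, sport, i = _port_op(t, i)
        dnet, dwild, i = _addr(t, i)
        dop, dport, i = _port_op(t, i)
        rules.append({"line": " ".join(t), "action": t[2], "proto": t[3],
                      "src": (snet, swild, sop, sport), "dst": (dnet, dwild, dop, dport),
                      "established": "established" in t[i:]})
    return rules

def _match(spec, addr, port):
    net, wild, op, p = spec
    if (_ip(addr) | wild) != (net | wild):  # wildcard bits are "don't care"
        return False
    return op is None or {"eq": port == p, "gt": port > p, "lt": port < p}[op]

def evaluate(rules, pkt):
    """First-match evaluation, ending in the implicit deny every IOS ACL has.
    'established' only tests the ACK/RST bits; no session table is consulted."""
    for r in rules:
        if r["proto"] not in ("ip", pkt.proto):
            continue
        if not (_match(r["src"], pkt.src, pkt.sport) and _match(r["dst"], pkt.dst, pkt.dport)):
            continue
        if r["established"] and not (pkt.proto == "tcp" and pkt.flags & {"ACK", "RST"}):
            continue
        return r["action"], r["line"]
    return "deny", "implicit deny"

# Constructed sample traffic arriving inbound on Ethernet0/0. An inbound ACL is
# checked before NAT, so the destination is the WAN address from the config.
WAN = "82.19.70.78"
SAMPLES = {
    "dhcp offer from NTL private range": Packet("udp", "10.20.30.1", "255.255.255.255", 67, 68),
    "dhcp offer from lease server": Packet("udp", "62.253.96.20", "255.255.255.255", 67, 68),
    "web reply to open session": Packet("tcp", "66.225.235.36", WAN, 80, 2201, frozenset({"ACK"})),
    "unsolicited SYN to 445": Packet("tcp", "198.51.100.7", WAN, 40000, 445, frozenset({"SYN"})),
    "unsolicited ACK to 445": Packet("tcp", "198.51.100.7", WAN, 40000, 445, frozenset({"ACK"})),
}

def verdicts(acl_text=ACL_101):
    """Map each sample to the action the ACL takes on it."""
    rules = parse_acl(acl_text)
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLES.items()}

def without_lease_server_line(acl_text=ACL_101):
    """The ACL as it stood before the 'real IP' lease server was permitted."""
    return "\n".join(l for l in acl_text.splitlines() if "62.253.96.20" not in l)
```

The "unsolicited ACK" case is the one to notice: a bare ACK from anywhere satisfies "established" even though no session exists, which is why the thread's CBAC (ip inspect) rather than the ACL is what actually tracks connections.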
Title: Re:More Cisco Config Help Please ??
Post by: Mark on November 24, 2006, 14:51:34 PM
Hi,

Would you not get away with

access-list 101 permit tcp host 216.196.109.144 host 192.168.1.1 eq nntp ?

Sorry for the slow reply - am in the midst of setting up a new call centre!

Title: More Cisco Config Help Please ??
Post by: Mardoni on November 24, 2006, 14:58:47 PM
Yeah I think that would be a more secure ACL entry than the one I am using. I've just tried it and it makes no difference...

I've been debugging CBAC and I see loads of segment retransmissions and rejections due to 0byte ack packets. I think CBAC is stopping the traffic passing to the ACL.

I've done some searching and I think I might be suffering from the known CBAC fragmentation bug; fixed later with the introduction of ip virtual fragmentation assembly.

I've ordered some more memory for my router, so I will hopefully be able to get a newer IOS on there at some point ;)


Setting up a call centre !! Certainly makes the problems I  am having setting up my home look stupid !

/me dons n00b hat :D
Title: Re:More Cisco Config Help Please ??
Post by: Serious on November 24, 2006, 15:20:06 PM
We're all noobs when it comes to new toys ;)
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 24, 2006, 15:46:36 PM
indeed ;)

I cannot believe this though...

It was the NNTP client application that was causing the problem; even though it *worked* with my previous router, the Cisco was blocking the conversation as the application was generating malformed / wrong ordered tcp packets !

I've changed client and it's working fine !!

Sometimes debugging networking issues is a bit like shooting in the dark ;)
Title: Re:More Cisco Config Help Please ??
Post by: Mark on November 24, 2006, 16:38:31 PM
At least on my checkpoint cluster I can quickly diagnose issues like that - it's a tad more frustrating in the IOS!

Title: More Cisco Config Help Please ??
Post by: BigSoy on November 24, 2006, 16:38:31 PM
Quote from: Nimrod
indeed ;)

Sometimes debugging networking issues is a bit like shooting in the dark ;)

This is why all the cool kids do apps, not infrastructure :P;)
Title: Re:More Cisco Config Help Please ??
Post by: Mark on November 24, 2006, 17:48:50 PM
The majority of which won't work without a network!
Title: Re:More Cisco Config Help Please ??
Post by: BigSoy on November 24, 2006, 17:58:22 PM
Hey, if my data gets where it's going by carrier pigeon, smoke-signal, super-duper-ninja-lasers, phone, speech, net, whatever, I'm happy :)
Title: More Cisco Config Help Please ??
Post by: Mardoni on November 24, 2006, 18:01:43 PM
lol, doesn't say a lot for people like me who write network based software :o

*mutter*

Still it's a learning curve and maybe one day I'll save someone from the perils of Cisco by saying "No, don't be a tool...get a DG834" :D lol
Title: More Cisco Config Help Please ??
Post by: Porch Monkey on November 28, 2006, 10:20:49 AM
Unfortunately it's one of the problems that the logging on the Ciscos (unless you know the intricacies of the hidden debugs) isn't as helpful as it could be. Still, better than a DG834 (but then you do need to use them more)

Right, I'm off to re-engineer my datacentre for 4Gb internet load balancing...wish me luck.
Title: More Cisco Config Help Please ??
Post by: cornet on December 01, 2006, 11:39:36 AM
Cisco's debugging is fun in general.

* Take 1 Cisco Router
* Make it talk BGP to somewhere else (e.g. tier 1 ISP)
* Stuff a reasonable amount of traffic through it
* Turn on debug

Now your task is to turn off debug in 30 seconds or less ;)

Good luck !

Cornet
Title: More Cisco Config Help Please ??
Post by: Mardoni on December 01, 2006, 11:44:56 AM
tell me about it :)

I had trouble switching off debug on the WAN interface when it was just dealing with a pretty low amount of standard web traffic :o
Title: More Cisco Config Help Please ??
Post by: Porch Monkey on December 01, 2006, 14:40:53 PM
The last command you type in before running any debug is undebug all

That way as soon as you hit enter on your debug you hit ctrl-P then hit enter.

And Robert's your father's brother
Title: More Cisco Config Help Please ??
Post by: Mardoni on December 02, 2006, 12:09:14 PM
That is a quality tip :)
Title: More Cisco Config Help Please ??
Post by: ion on December 07, 2006, 17:21:40 PM
Quote from: Porch Monkey
The last command you type in before running any debug is undebug all

That way as soon as you hit enter on your debug you hit ctrl-P then hit enter.

And Robert's your father's brother

Or use buffered logging and disable terminal/console monitor?

un a is usually sufficient if in a pickle  :)
Title: More Cisco Config Help Please ??
Post by: Mardoni on December 18, 2006, 17:15:25 PM
Anyone up for some advice on setting up QoS policing ?

I cannot determine whether I need to use NBAR or whether a plain ACL will do to identify the traffic. My other problem is that I am not at all sure how to mark the traffic once it is identified so that I can treat it properly.

What I am trying to do (OTT no doubt) is prioritise both in and out (as much as possible with in) so that I get something similar to this:

Xbox Live   [Highest - upto 2mbit if needed]

Skype      [All just below Live!, again upto 1mbit if needed]
PPTP / GRE

Everything else   [Standard, as it happens]

NNTP      [Lowest, takes what it can when it can]


Any pointers ? I think my main problem is that I cannot figure out how to uniquely identify the traffic that falls into the different classes.
Title: More Cisco Config Help Please ??
Post by: Mardoni on December 19, 2006, 18:18:23 PM
Ok, I've come up with this and so far I think it's ok. Is there anything painfully obvious that I could be doing better ?

...updated below...
Title: More Cisco Config Help Please ??
Post by: Mardoni on December 20, 2006, 12:03:51 PM
Ok; I've updated to this but I am getting an error that I don't fully understand:


! Skype Port(s) Maybe ?
ip nbar port-map custom-01 tcp 39183
ip nbar port-map custom-01 udp 39183
! Windows RDP
ip nbar port-map custom-02 tcp 3389
ip nbar port-map custom-02 udp 3389
! Customised PCAnywhere - Remove 5634 from Gnutella range
ip nbar port-map gnutella tcp 6346 6347 6348 6349 6455
ip nbar port-map pcanywhere tcp 5631 5632 5633 5634 5635 5636 65301
ip nbar port-map pcanywhere udp 22 5631 5632 5633 5634 5635 5636 65301
!
!
ip access-list extended VPNout
permit ip any host 81.149.1.165
permit gre any host 81.149.1.165
!
!
ip access-list extended IMSkype
permit tcp any eq 1863 any
permit udp any eq 1863 any
!
!
ip access-list extended gaming
remark Counter-Strike
permit tcp any any range 27030 27039
permit tcp any any range 27015 27020
permit udp any any range 27000 27015
permit udp any any eq 1200
remark Xbox Live
permit tcp any any eq 3074
permit udp any any eq 3074
permit tcp any any eq 88
!
!
class-map match-any vpnconx
match access-group name VPNout
!
!
class-map match-any VIPIM
match access-group name IMSkype
match protocol custom-01
!
!
class-map match-any RDProtocols
match protocol pcanywhere
match protocol custom-02
!
!
class-map match-any onlinegames
match access-group name gaming
!
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol smtp
match protocol pop3
match protocol imap
!
!
no policy-map 7sixQoS
policy-map 7sixQoS
class VIPIM
bandwidth percent 16
set dscp ef
!
class vpnconx
bandwidth percent 32
!
class RDProtocols
bandwidth remaining percent 50
!
class onlinegames
bandwidth remaining percent 70
set dscp ef
!
class WebEmail
bandwidth remaining percent 75
!
class class-default
fair-queue
random-detect
!
!
interface Ethernet0/0
bandwidth 400
ip nbar protocol-discovery
service-policy output 7sixQoS
!
!


Is giving me the error(s):
Quote:
All classes with bandwidth should have consistent units
All classes with bandwidth should have consistent units
All classes with bandwidth should have consistent units

I did want to specify actual kbits values for VIPIM and vpnconx but from that error msg I guessed that everything has to be in % or nothing ??
Title: Re:More Cisco Config Help Please ??
Post by: Mark on December 20, 2006, 14:36:32 PM
 class VIPIM
 bandwidth percent 16
 set dscp ef
 !
 class vpnconx
 bandwidth percent 32
 !
 class RDProtocols
 bandwidth remaining percent 50
 !
 class onlinegames
 bandwidth remaining percent 70
 set dscp ef
 !
 class WebEmail
 bandwidth remaining percent 75
 !
 class class-default
 fair-queue
 random-detect


You are mixing types - explicit percentage with remaining - you can't do that !
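An added check (my own Python, not IOS and not anyone's config from the thread) for the error Mark explains: it parses a policy-map, reports when classes mix "bandwidth percent" with "bandwidth remaining percent", and also totals each kind, since IOS will not accept "remaining percent" values adding up to more than 100% or "percent" values beyond what the interface reserves for queues (75% by default, changed with max-reserved-bandwidth). The corrected percentages in FIXED_POLICY are assumed values I chose, not figures from the thread.

```python
import re

# The policy as posted above, which IOS rejected (indentation is mine).
BROKEN_POLICY = """
policy-map 7sixQoS
 class VIPIM
  bandwidth percent 16
  set dscp ef
 class vpnconx
  bandwidth percent 32
 class RDProtocols
  bandwidth remaining percent 50
 class onlinegames
  bandwidth remaining percent 70
  set dscp ef
 class WebEmail
  bandwidth remaining percent 75
 class class-default
  fair-queue
  random-detect
"""

# Same policy with every class on the same unit. The values for the last three
# classes are assumed, chosen so the total stays under the default 75% that older
# IOS lets you reserve on an interface (max-reserved-bandwidth).
FIXED_POLICY = """
policy-map 7sixQoS
 class VIPIM
  bandwidth percent 16
  set dscp ef
 class vpnconx
  bandwidth percent 32
 class RDProtocols
  bandwidth percent 5
 class onlinegames
  bandwidth percent 7
  set dscp ef
 class WebEmail
  bandwidth percent 10
 class class-default
  fair-queue
  random-detect
"""

# bandwidth <kbps> | bandwidth percent <n> | bandwidth remaining percent <n>
BANDWIDTH_RE = re.compile(r"^\s*bandwidth\s+(?:(remaining)\s+)?(?:(percent)\s+)?(\d+)\s*$")

def parse_policy(text):
    """Return {class name: (unit, value)} for every class carrying a bandwidth line.
    unit is 'kbps' for a bare number, 'percent', or 'remaining'."""
    classes, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("class "):
            current = stripped.split(None, 1)[1]
            continue
        m = BANDWIDTH_RE.match(line)
        if m and current is not None:
            remaining, percent, value = m.groups()
            unit = "remaining" if remaining else ("percent" if percent else "kbps")
            classes[current] = (unit, int(value))
    return classes

def check_policy(text, max_reserved=75):
    """List the reasons IOS would reject the policy; an empty list means it is consistent."""
    classes = parse_policy(text)
    errors = []
    units = {unit for unit, _ in classes.values()}
    if len(units) > 1:
        errors.append("All classes with bandwidth should have consistent units "
                      f"(found: {', '.join(sorted(units))})")
    percent_total = sum(v for u, v in classes.values() if u == "percent")
    if percent_total > max_reserved:
        errors.append(f"bandwidth percent adds up to {percent_total}%, "
                      f"over the {max_reserved}% reservable on the interface")
    remaining_total = sum(v for u, v in classes.values() if u == "remaining")
    if remaining_total > 100:
        errors.append(f"bandwidth remaining percent adds up to {remaining_total}%, over 100%")
    return errors

if __name__ == "__main__":
    for label, policy in (("as posted", BROKEN_POLICY), ("corrected", FIXED_POLICY)):
        print(label, "->", check_policy(policy) or ["ok"])
```

Note the second finding on the posted policy: even with the units made consistent, 50 + 70 + 75 of "remaining percent" is 195%, so the three remaining-percent classes would still have been rejected.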
Title: More Cisco Config Help Please ??
Post by: M3ta7h3ad on December 20, 2006, 15:20:29 PM
Quote from: Nimrod
Ok; I've updated to this but I am getting an error that I don't fully understand:


! Skype Port(s) Maybe ?
ip nbar port-map custom-01 tcp 39183
ip nbar port-map custom-01 udp 39183
! Windows RDP
ip nbar port-map custom-02 tcp 3389
ip nbar port-map custom-02 udp 3389
! Customised PCAnywhere - Remove 5634 from Gnutella range
ip nbar port-map gnutella tcp 6346 6347 6348 6349 6455
ip nbar port-map pcanywhere tcp 5631 5632 5633 5634 5635 5636 65301
ip nbar port-map pcanywhere udp 22 5631 5632 5633 5634 5635 5636 65301
!
!
ip access-list extended VPNout
permit ip any host 81.149.1.165
permit gre any host 81.149.1.165
!
!
ip access-list extended IMSkype
permit tcp any eq 1863 any
permit udp any eq 1863 any
!
!
ip access-list extended gaming
remark Counter-Strike
permit tcp any any range 27030 27039
permit tcp any any range 27015 27020
permit udp any any range 27000 27015
permit udp any any eq 1200
remark Xbox Live
permit tcp any any eq 3074
permit udp any any eq 3074
permit tcp any any eq 88
!
!
class-map match-any vpnconx
match access-group name VPNout
!
!
class-map match-any VIPIM
match access-group name IMSkype
match protocol custom-01
!
!
class-map match-any RDProtocols
match protocol pcanywhere
match protocol custom-02
!
!
class-map match-any onlinegames
match access-group name gaming
!
!
class-map match-any WebEmail
match protocol http
match protocol secure-http
match protocol smtp
match protocol pop3
match protocol imap
!
!
no policy-map 7sixQoS
policy-map 7sixQoS
class VIPIM
bandwidth percent 16
set dscp ef
!
class vpnconx
bandwidth percent 32
!
class RDProtocols
bandwidth remaining percent 50
!
class onlinegames
bandwidth remaining percent 70
set dscp ef
!
class WebEmail
bandwidth remaining percent 75
!
class class-default
fair-queue
random-detect
!
!
interface Ethernet0/0
bandwidth 400
ip nbar protocol-discovery
service-policy output 7sixQoS
!
!


Is giving me the error(s):
Quote: All classes with bandwidth should have consistent units
All classes with bandwidth should have consistent units
All classes with bandwidth should have consistent units

I did want to specify actual kbit/s values for VIPIM and vpnconx, but from that error message I guessed that everything has to be in % or nothing??

You've two different percents...

You're using remaining percent, and percent.

At least that's my guess.
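The fix both replies point at, written out as an added example (this is not config from either post above): the same policy-map with every class using one bandwidth unit. The class names and the interface statement are the thread's own; the percentages I chose, the parent policy name SHAPE-UPSTREAM, and the assumption that this IOS release accepts a nested service-policy under `shape average` are mine.

```cisco
! Added example, not from the thread. Class names are the thread's; the
! percentages are assumptions chosen to fit the limits IOS enforces.
!
! Option A: every class uses "bandwidth percent", an absolute share of the
! interface bandwidth ("bandwidth 400" = 400 kbit/s, so 16% = 64 kbit/s).
! By default IOS only lets bandwidth classes reserve 75% of the interface
! (max-reserved-bandwidth), so these sum to exactly 75.
policy-map 7sixQoS
 class VIPIM
  bandwidth percent 16
  set dscp ef
 class vpnconx
  bandwidth percent 32
 class RDProtocols
  bandwidth percent 10
 class onlinegames
  bandwidth percent 10
  set dscp ef
 class WebEmail
  bandwidth percent 7
 class class-default
  fair-queue
  random-detect
!
! Option B: every class uses "bandwidth remaining percent", a share of what is
! left once guarantees are honoured. The values must sum to 100 or less and
! class-default takes the remainder. Pick A or B for a policy-map, never both;
! mixing them is exactly what produces "All classes with bandwidth should have
! consistent units".
policy-map 7sixQoS-remaining
 class VIPIM
  bandwidth remaining percent 16
  set dscp ef
 class vpnconx
  bandwidth remaining percent 32
 class RDProtocols
  bandwidth remaining percent 12
 class onlinegames
  bandwidth remaining percent 15
  set dscp ef
 class WebEmail
  bandwidth remaining percent 10
 class class-default
  fair-queue
  random-detect
!
! CBWFQ only schedules by class when the interface itself is congested. A
! 10/100 Ethernet port in front of a 400 kbit/s cable modem never congests on
! the router, so the child policy would sit idle; a parent shaper at the real
! upstream rate creates the congestion point locally. (Assumed: an IOS release
! with hierarchical MQC shaping; "shape average" takes bits per second.)
policy-map SHAPE-UPSTREAM
 class class-default
  shape average 400000
  service-policy 7sixQoS
!
interface Ethernet0/0
 bandwidth 400
 ip nbar protocol-discovery
 no service-policy output 7sixQoS
 service-policy output SHAPE-UPSTREAM
```

After applying it, `show policy-map interface Ethernet0/0` shows per-class packet and drop counters; if every counter but class-default stays at zero, the class-maps are not matching the traffic you think they are, which is a separate problem from the units error.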
Title: More Cisco Config Help Please ??
Post by: Mardoni on December 21, 2006, 21:52:29 PM
Cheers Mark and spot on Meta ;)

I am an ass-hat :)
Title: More Cisco Config Help Please ??
Post by: M3ta7h3ad on December 22, 2006, 07:29:10 AM
lol didn't even notice Mark posting :D lol :D
Title: More Cisco Config Help Please ??
Post by: Mardoni on April 27, 2007, 13:22:47 PM
Ok, got a new challenge that I think I might be able to do, but rather than spend hours learning that it's not possible I thought I would ask :)

At present I connect to the main office using an XP Pro initiated PPTP VPN connection. I set up a Linux box that sits in the office (behind a Netgear router) that hosts incoming VPN connections. The Linux box does its job and even supports proxying/forwarding NetBIOS traffic, which is perfect.

Unfortunately the hardware of the Linux box is starting to fail, and I was wondering whether I could replace the PC with a Cisco router that I have sitting around?

I am using a 26xx to connect to the internet and I have a spare 26xx that was going to the dump. Would it be possible to configure the spare to sit at the main site and service incoming VPN connections?
Could I then configure my 26xx rather than my PC to establish the tunnel?
Would I be able to route NetBIOS/broadcasts between the two network segments?

My ideal solution is to use the two routers as end-points so that both my LAN and the office LAN are fully browsable from either side of the network.
Do you need more information?

edit: Looks like I need a different IOS to do VPN (c2600-ik9o3s3-mz), so I might have to go begging again  :whoops:
Title: Re:More Cisco Config Help Please ??
Post by: Mark on April 28, 2007, 00:03:06 AM
Yes, you do indeed need the IOS with the VPN feature set.

Do you have enough RAM? Setting up a Crypto VPN is piss easy.
Title: More Cisco Config Help Please ??
Post by: Mardoni on April 28, 2007, 13:09:58 PM
I've maxed out the RAM in the routers; it was cheap to do from eBay :)

I haven't found any examples online of configuring and bringing up/handling VPN connections from an Ethernet interface. All of the examples I have seen are built around DSL WICs; is there any problem with using eth?
Title: More Cisco Config Help Please ??
Post by: Porch Monkey on May 08, 2007, 15:57:22 PM
Should be fine. I use basic tunnels all over the place in the network here... GRE FTW!
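To make the "GRE with crypto" answer concrete, here is a site-to-site GRE-over-IPsec configuration for a pair of 26xx routers, added here as an example and not taken from any post in this thread. Everything specific is an assumption: the documentation addresses 203.0.113.10 (office) and 198.51.100.20 (home), the LANs 192.168.1.0/24 and 192.168.2.0/24, the object names, the placeholder pre-shared key, and that each router holds its public address directly on Ethernet0/0. The crypto map goes on whichever interface carries the public address, so an Ethernet port works exactly like a DSL WIC here. 3DES is used because that is what a k9 image of that generation is sure to have; use AES if `show crypto ipsec transform-set` offers it.

```cisco
! Added example, not from the thread. Addresses, names and the key are
! placeholders; both routers are assumed to have public IPs on Ethernet0/0.
!
! ---- Office router: public 203.0.113.10, LAN 192.168.1.0/24 ----
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 198.51.100.20
!
! Transport mode is enough: GRE already adds an outer IP header.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two public addresses are encrypted. LAN
! traffic is carried inside GRE and is selected by the tunnel routes below,
! so it must not appear in this ACL.
ip access-list extended CRYPTO-GRE
 permit gre host 203.0.113.10 host 198.51.100.20
!
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set TS-3DES-SHA
 set pfs group2
 match address CRYPTO-GRE
!
interface Tunnel0
 description GRE to home
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Ethernet0/0
 tunnel destination 198.51.100.20
!
interface Ethernet0/0
 description Internet
 ip address 203.0.113.10 255.255.255.0
 crypto map SITE2SITE
!
interface Ethernet0/1
 description Office LAN
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! ---- Home router: identical structure with the two ends swapped ----
! crypto isakmp key REPLACE-WITH-LONG-RANDOM-SECRET address 203.0.113.10
! permit gre host 198.51.100.20 host 203.0.113.10
! set peer 203.0.113.10   and   tunnel destination 203.0.113.10
! interface Tunnel0: ip address 10.255.0.2 255.255.255.252
! interface Ethernet0/1: ip address 192.168.2.1 255.255.255.0
! ip route 192.168.1.0 255.255.255.0 Tunnel0
```

Bring it up with a ping to the far tunnel address (10.255.0.2 from the office); `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters climbing. Three caveats a practitioner wants here: keep `ip nat outside` off Tunnel0 so LAN-to-LAN traffic is never translated; if one end really sits behind a Netgear, that end needs NAT traversal support in IOS plus UDP 500 and 4500 forwarded to it, and the peer must then be addressed by the Netgear's public IP; and routers do not forward broadcasts, so "browsable from either side" needs a WINS server or LMHOSTS entries rather than broadcast forwarding (`ip helper-address` on a LAN interface relays NetBIOS name and datagram broadcasts as unicast to one host, which is the nearest router-side equivalent).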
Title: More Cisco Config Help Please ??
Post by: Mardoni on July 27, 2007, 15:49:04 PM
Ok, next step in the evolution of the overly complicated home network :D

I've finally got my ADSL line activated. The purpose of this line is purely backup/redundancy for when my cable line is down.

Remembering that I got my hands on a PIX 520 at some point ;) ;), I was wondering whether I can replace my router with the PIX and use 2 of the Ethernet NICs on the PIX to provide the redundancy?

If someone could just say yes/no it'd save me spending hours just to find out it's not possible :) I'm not expecting anyone to tell me how to do it (yet).

So basically I want to use a PIX to provide NAT routing, with the PIX determining which one of two connections to route over based on the state of 1 of the connections.
I'd also, ideally, like to be able to provide QoS and VPN functions, but these are secondary.
Title: Re:More Cisco Config Help Please ??
Post by: Porch Monkey on July 31, 2007, 17:12:38 PM
Can't remember what version OS was on that PIX, but this is the link I think you want.  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Have fun...