=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2005.10.13 16:42:52 =~=~=~=~=~=~=~=~=~=~=~=
S6#
S6#
S6#
S6#
S6#
S6#
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4#sh ip int brie
Interface         IP-Address     OK?  Method  Status  Protocol
FastEthernet0/0   180.40.7.98    YES  manual  up      up
ATM1/0            192.10.32.17   YES  manual  up      up
Virtual-Access1   unassigned     YES  unset   up      up
R4#ping 192.10.32.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.32.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4#sh    config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp ser ?
  Hostname or A.B.C.D  IP address of peer
  vrf                  VPN Routing/Forwarding Information
R4(config)#ntp ser 192.10.32.1 254 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R4(config)#ntp ser 192.10.32.254
R4(config)#do sh clock
.23:49:20.076 UTC Thu Oct 13 2005
R4(config)#do sh ntp ass
  address          ref clock     st  when  poll  reach  delay  offset  disp
*~192.10.32.254    172.16.1.20   4   12    64    377    5.1    -0.36   0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#
R4(config)#
R4(config)#
R4(config)#
R4(config)#
R4(config)#
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp au
R4(config)#ntp authenticati
R4(config)#ntp authentication-key ?
  <1-4294967295>  Key number
R4(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
R4(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
R4(config)#ntp authentication-key 1 md5 MyTime ?
  <0-4294967295>  Authentication key encryption type
R4(config)#ntp authentication-key 1 md5 MyTime
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp ser >       mast ?
  <1-15>  Stratum number
R4(config)#ntp mast 5 ?
R4(config)#ntp mast 5
R4(config)#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp auto
R3(config)#ntp auto
R3(config)#ntp authenticati
R3(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
R3(config)#ntp authentication-key 1 md
R3(config)#ntp authentication-key 1 md5 MyTime
R3(config)#ntp ser
R3(config)#ntp server 180.40.7.98
R3(config)#do sh clock
23:52:04.358 UTC Thu Oct 13 2005
R3(config)#do sh ntp ass
  address          ref clock       st  when  poll  reach  delay  offset  disp
*~180.40.7.98      192.10.32.254   5   0     64    377    4.1    0.46    0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3(config)#
R3(config)#
R3(config)#
R3(config)#
R3(config)#
R3(config)#
R3(config)#^Z
R3#sh ru
Oct 13 23:52:37.039: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ruh  un | i ntp
ntp authentication-key 1 md5 12341C231B0609 7
ntp server 180.40.7.98
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#do sh ntp assclock ntp server 180.40.7.98 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp server 180.40.7.98 key ?
  <0-4294967295>  Peer key number
R3(config)#ntp server 180.40.7.98 key 1 ?
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp server 180.40.7.98 key 1
R3(config)#^Z
R3#
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4(config)#do sh run | b i ntp
ntp authentication-key 1 md5 13280E26020101 7
ntp master 5
ntp server 192.10.32.254
R4(config)#
R4(config)#
R4(config)#
R4(config)#do sh run | i ntp ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp mas
RACK17AS>3 4
[Resuming connection 4 to r4 ... ]
R4(config)#ntp serv ?
  Hostname or A.B.C.D  IP address of peer
  vrf                  VPN Routing/Forwarding Information
R4(config)#ntp serv          m n ntp mast ?
  <1-15>  Stratum number
R4(config)#ntp mast 5 ?
R4(config)#ntp mast 5
RACK17AS>3
[Resuming connection 3 to r3 ... ]
Oc
R3#sh ntp ass
  address          ref clock       st  when  poll  reach  delay  offset  disp
*~180.40.7.98      192.10.32.254   5   4     64    377    4.2    6.63    3.4
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#
R3#
R3#
R3#
R3#
R3#
R3#
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4(config)#so    do sh ntp ass
  address          ref clock      st  when  poll  reach  delay  offset  disp
+~127.127.7.1      127.127.7.1    4   34    64    377    0.0    0.00    0.0
*~192.10.32.254    172.16.1.20    4   39    64    377    5.1    -6.49   2.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#
R4(config)#
R4(config)#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp[    authen
R3(config)#ntp authenticate
R3(config)#do sh ntp ass
  address          ref clock       st  when  poll  reach  delay  offset  disp
*~180.40.7.98      192.10.32.254   5   24    64    377    4.2    8.27    3.3
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3(config)#d exit
R3#do
Oct 13 23:56:38.121: %SYS-5-CONFIG_I: Configured from console by console
R3#do deb nt
R3#do deb nt?
% Unrecognized command
R3#do deb nt         deb nt?
ntp
R3#deb nt ?
  adjust          NTP clock adjustments
  authentication  NTP authentication
  events          NTP events
  loopfilter      NTP loop filter
  packets         NTP packets
  params          NTP clock parameters
  refclock        NTP reference clocks
  select          NTP clock selection
  sync            NTP clock synchronization
  validity        NTP peer clock validity
R3#deb nt ev
NTP events debugging is on
R3#deb nt ev  authen
NTP authentication debugging is on
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int fa 0/1
R3(config-if)#
Oct 13 23:57:07.117: Authentication key 1
R3(config-if)#
R3(config-if)#^Z
R3#
R3#
R3#
R3#
R3#
R3#
Oct 13 23:57:12.254: %SYS-5-CONFIG_I: Configured from console by console
R3#do
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4(config)#sh cloc       do sh clock
23:57:27.384 UTC Thu Oct 13 2005
R4(config)#^Z
R4#
Oct 13 23:58:12.128: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
Oct
R3#u all
All possible debugging has been turned off
R3#sh run | i ntp
ntp authentication-key 1 md5 12341C231B0609 7
ntp authenticate
ntp clock-period 17208083
ntp server 180.40.7.98 key 1
R3#
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4#sh run | i ntp
ntp authentication-key 1 md5 13280E26020101 7
ntp master 5
ntp server 192.10.32.254
R4#
R4#confi gt
^
% Invalid input detected at '^' marker.
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp auth
R4(config)#ntp authenticate            ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp     ^Z
R4#
Oct 14 00:01:08.976: %SYS-5-CONFIG_I: Configured from console by console
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip in
R4(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
R4(config)#ip inspect tcp > ?
  finwait-time    Specify timeout for TCP connections after a FIN
  idle-time       Specify idle timeout for tcp connections
  max-incomplete  Specify max half-open connection per host
  synwait-time    Specify timeout for TCP connections after a SYN and no further data
R4(config)#ip inspect tcp     name ?
  WORD  Name of inspection defined
R4(config)#ip inspect name Fred ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  icmp         ICMP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Prodedure Call Protocol
  rtsp         Real Time Streaming Protocol
  sip          SIP Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
R4(config)#ip inspect name Fred h323 ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Fred h323
R4(config)#ip inspect name Fred h323        tcp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Fred tcp
R4(config)#ip inspect name Fred tcp     udp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Fred udp
R4(config)#ip inspect name Fred udp                 ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
R4(config)#ip inspect au
R4(config)#ip inspect audit-trail ?
R4(config)#ip inspect audit-trail
R4(config)#ip inspect audit-trail                        int atm         so r    do sh run
Building configuration...
Current configuration : 1331 bytes
!
! Last configuration change at 00:01:08 UTC Fri Oct 14 2005
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
logging queue-limit 100
!
ip subnet-zero
!
!
no ip domain lookup
!
ip inspect audit-trail
ip inspect name Fred h323
ip inspect name Fred tcp
ip inspect name Fred udp
--More--
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 ip nat inside
--More--
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.17 255.255.255.0
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
--More--
R4(config)#int atm 1/0
R4(config-if)#exit
R4(config)#access-list 100 per ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R4(config)#access-list 100 per udp any any eq n
R4(config)#access-list 100 per udp any any eq ny t
R4(config)#access-list 100 per udp any any eq ntp ?
  dscp        Match packets with given dscp value
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R4(config)#access-list 100 per udp any any eq ntp
R4(config)#access-list 100 per udp any any eq ntp tp                        den ip any any
R4(config)#int atm ip ad       1/0
R4(config-if)#ip acces-g
R4(config-if)#ip acces-g100
R4(config-if)#ip acces-g  s
R4(config-if)#ip access-group ` 100 in
R4(config-if)#kip in
R4(config-if)#kip ins
R4(config-if)#kip insp
R4(config-if)#kip insp kip ins ip ins
R4(config-if)#ip inspect ?
  WORD  Name of inspection defined
R4(config-if)#ip inspect Fred ?
  in   Inbound inspection
  out  Outbound inspection
R4(config-if)#ip inspect Fred out ?
R4(config-if)#ip inspect Fred out
R4(config-if)#^Z
R4#
Oct 14 00:07:35.272: %SYS-5-CONFIG_I: Configured from console by console
R4#telnet        sh nat tran
^
% Invalid input detected at '^' marker.
R4#sh nat tran        ip nat tran
R4#sh run | ip nat
^
% Invalid input detected at '^' marker.
R4#sh run | ip nat nat
no voice hpi capture destination
 ip nat inside
 ip nat outside
ip nat inside source list IPNAT interface ATM1/0 overload
R4#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#telnet 192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4#sh ip insp
R4#sh ip inspect
% Incomplete command.
R4#sh ip inspect ?
  all         Inspection all available information
  config      Inspection configuration
  interfaces  Inspection interfaces
  name        Inspection name
  sessions    Inspection sessions
R4#sh ip inspect all
Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name Fred
  h323 alert is on audit-trail is on timeout 3600
  tcp alert is on audit-trail is on timeout 3600
  udp alert is on audit-trail is on timeout 30
Interface Configuration
 Interface ATM1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is Fred
   h323 alert is on audit-trail is on timeout 3600
   tcp alert is on audit-trail is on timeout 3600
   udp alert is on audit-trail is on timeout 30
  Inbound access list is 100
  Outgoing access list is not set
--More--
Established Sessions
 Session 62D5E618 (180.40.7.129:11000)=>(192.10.32.254:23) tcp SIS_OPEN
R4#
R4#
R4#
R4#
R4#
R4#sh acces-list
^
% Invalid input detected at '^' marker.
R4#sh acces-list s-list
Standard IP access list IPNAT
  10 permit 180.40.7.0, wildcard bits 0.0.0.255 (1 match)
  20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
  permit tcp host 192.10.32.254 eq telnet host 192.10.32.17 eq 11000 (9 matches)
  10 permit udp any any eq ntp (2 matches)
  20 deny ip any any (1 match)
R4#
R4#
R4#
R4#
R4#q sh run | b ip insp
ip inspect audit-trail
ip inspect name Fred h323
ip inspect name Fred tcp
ip inspect name Fred udp
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
--More--
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.17 255.255.255.0
 ip access-group 100 in
 ip nat outside
 ip inspect Fred out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
--More--
R4#sh run | b ip insp
ip inspect audit-trail
ip inspect name Fred h323
ip inspect name Fred tcp
ip inspect name Fred udp
ip audit notify log
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
--More--
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.17 255.255.255.0
 ip access-group 100 in
 ip nat outside
 ip inspect Fred out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
--More--
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
access-list 100 permit udp any any eq ntp
access-list 100 deny ip any any
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
--More--
R4#
RACK17AS>z 1
[Resuming connection 1 to r1 ... ]
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#pri
R1(config)#priv
R1(config)#privilege ?
  aaa-user                 AAA user definition
  accept-dialin            VPDN group accept dialin configuration mode
  accept-dialout           VPDN group accept dialout configuration mode
  address-family           Address Family configuration mode
  aic                      Alarm Interface Card configuration mode
  alps-ascu                ALPS ASCU configuration mode
  alps-circuit             ALPS circuit configuration mode
  bba-group                BBA Group configuration mode
  boomerang                Boomerang configuration mode
  cascustom                Cas custom configuration mode
  cause-code-list          Voice Cause Code List configuration mode
  ces-conn                 CES connection configuration mode
  ces-vc                   CES VC configuration mode
  cgma_agent               CGMA Agent Configuration Mode
  cm-fallback              cm-fallback configuration mode
  cns-connect-intf-config  CNS Connect Intf Info Mode
  config-rtr-http-rr       RTR HTTP raw request Configuration
  configure                Global configuration mode
  congestion               Frame Relay congestion configuration mode
  controller               Controller configuration mode
  dhcp                     DHCP pool configuration mode
  enum_rule                enum configuration mode
--More--
  ephone                   ephone configuration mode
  ephone-dn                ephone-dn configuration mode
  exec                     Exec mode
  filterserver             AAA filter server definitions
  flow-cache               Flow aggregation cache config mode
  fr-fr                    FR/FR connection configuration mode
  frf5                     FR/ATM Network IWF configuration mode
  frf8                     FR/ATM Service IWF configuration mode
  gateway                  Gateway configuration mode
  gw-accounting-aaa        Gateway accounting aaa configuration mode
  interface                Interface configuration mode
  interface                Interface range configuration mode
  interface-dlci           Frame Relay dlci configuration mode
  ip-explicit-path         IP explicit path configuration mode
  ip-vrf                   Configure IP VRF parameters
  ipenacl                  IP named extended access-list configuration mode
  ipsnacl                  IP named simple access-list configuration mode
  ipv6-router              IPv6 router configuration mode
  ipv6acl                  IPv6 access-list configuration mode
  ipx-router               IPX router configuration mode
  ipxenacl                 IPX named extended access-list configuration mode
  ipxsapnacl               IPX named SAP access-list configuration mode
  ipxsnacl                 IPX named standard access-list configuration mode
--More--
  ipxsumnacl               IPX named Summary access-list configuration mode
  line                     Line configuration mode
  map-class                Map class configuration mode
  map-list                 Map list configuration mode
  mgcpprofile              MGCP Profile configuration mode
  mgcpprofile              MGCP Profile configuration mode
  null-interface           Null interface configuration mode
  policy-list              IP Policy List configuration mode
  preauth                  AAA Preauth definitions
  radius-attrl             Radius Attribute-List Definition
  regex-translation-rule   voip translation-rule configuration mode
  request-dialin           VPDN group request dialin configuration mode
  request-dialout          VPDN group request dialout configuration mode
  roles                    Role configuration mode
  route-map                Route map config mode
  router                   Router configuration mode
  rsvp-local-policy        RSVP local policy configuration mode
  rtr                      SAA entry configuration
  saa-dhcp                 SAA dhcp configuration
  saa-dlsw                 SAA dlsw configuration
  saa-dns                  SAA dns configuration
  saa-echo                 SAA echo configuration
  saa-frameRelay           SAA FrameRelay configuration
--More--
R1(config)#privilege con
R1(config)#privilege confi
R1(config)#privilege configure
R1(config)#privilege configure ?
  all    All suboption will be set to the samelevel
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege configure level > ?
  <0-15>  Privilege level
R1(config)#privilege configure level 13 ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege configure level 13 snmp  -server          community
R1(config)#prive
R1(config)#prive il
R1(config)#privilege configure level 12 3 sb nmpo -server community
R1(config)#privi
R1(config)#privilege exec
R1(config)#privilege exec level configuy
R1(config)#privilege exec level config
^
% Invalid input detected at '^' marker.
R1(config)#privilege exec level config      13 config
R1(config)#priviledge   ge exec level 13 show run
R1(config)#privilege exec level 13 show run
R1(config)#privil
R1(config)#privilege exec e level 13 ping
R1(config)#en
R1(config)#ena   user
R1(config)#username JoeUser elvel
R1(config)#username JoeUser elvel     leve
R1(config)#username JoeUser level
R1(config)#username JoeUser level       pri
R1(config)#username JoeUser privilege ?
  <0-15>  User privilege level
R1(config)#username JoeUser privilege 13 ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#username JoeUser privilege 13 no
R1(config)#username JoeUser privilege 13 nop
R1(config)#username JoeUser privilege 13 nopassword ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#username JoeUser privilege 13 nopassword
R1(config)#user ccie pri
R1(config)#user ccie privilege 15
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#
RACK17AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
User Access Verification
Username: JoeUser
R1#
R1#
R1#
R1#ping
Protocol [ip]:
Target IP address:
% Bad IP address
R1#
R1#
R1#
R1#te ra
R1#traceroute
% Incomplete command.
R1#sh run
Building configuration...
Current configuration : 17 bytes
!
!
!
!
!
!
end
R1#config t
^
% Invalid input detected at '^' marker.
R1#config
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#?
Configure commands:
  atm          Enable ATM SLM Statistics
  call         Configure Call parameters
  default      Set a command to its defaults
  end          Exit from configure mode
  exit         Exit from configure mode
  help         Description of the interactive help system
  no           Negate a command or set its defaults
  snmp         Modify non engine SNMP parameters
  snmp-server  Modify SNMP engine parameters
R1(config)#snmp
R1(config)#snmp ?
% Unrecognized command
R1(config)#snmp    mp cu ommunity ?
% Unrecognized command
R1(config)#snmp community
R1(config)#snmp-
R1(config)#snmp-server ?
  community  Enable SNMP; set community string and access privs
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)#snmp-server community test
R1(config)#^Z
R1#sh run
Building configuration...
Current configuration : 47 bytes
!
!
!
!
!
snmp-server community test RO
!
end
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#
S5#
S5#
S5#
RACK17AS>1
[Resuming connection 1 to r1 ... ]
*M
R1(config-line)#^Z
R1#sh run
*Mar 1 04:01:29.063: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b user
username JoeUser privilege 13 nopassword
username ccie privilege 15
memory-size iomem 10
ip subnet-zero
!
!
no ip domain lookup
!
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
--More--
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
--More--
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
ip classless
!
!
!
!
!
snmp-server community test RO
snmp-server enable traps tty
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
--More--
!
!
privilege configure level 13 snmp
privilege configure level 13 snmp-server community
privilege configure level 13 snmp-server
privilege exec level 13 ping
privilege exec level 13 configure
privilege exec level 13 show running-config
privilege exec level 13 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
!
end
R1#q
R1#
RACK17AS>2
[Resuming connection 2 to r2 ... ]
R2#sh clock
*04:01:19.159 UTC Mon Mar 1 1993
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ntp server 180.               access-list 100 per a iu p any any                                tim
R2(config)#time-range ?
  WORD  Time range name
R2(config)#time-range Prob4 ?
R2(config)#time-range Prob4
R2(config-time-range)#?
Time range configuration commands:
  absolute  absolute time and date
  default   Set a command to its defaults
  exit      Exit from time-range configuration mode
  no        Negate a command or set its defaults
  periodic  periodic time and date
R2(config-time-range)#oer
R2(config-time-range)#oer   Per ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
R2(config-time-range)#Per dail
R2(config-time-range)#Per daily ?
  hh:mm  Starting time
R2(config-time-range)#Per daily 07:00 to   ?
  hh:mm  Ending time - stays valid until beginning of next minute
R2(config-time-range)#Per daily 07:00 to 19:00     20; :00 ?
R2(config-time-range)#Per daily 07:00 to 20:00
R2(config-time-range)#i exit
R2(config)#access-list 100 per ip any any tim
R2(config)#access-list 100 per ip any any time-range Prob4 ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  tos         Match packets with given TOS value
R2(config)#access-list 100 per ip any any time-range Prob4 log
R2(config)#line vt 0 4
R2(config-line)#acces
R2(config-line)#access-class 100 in
R2(config-line)#^Z
R2#
RACK17AS>
[Resuming connection 2 to r2 ... ]
*Ma
R2#
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#logg buff
R2(config)#^Z
R2#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
[
R3#180.40.7.2
Trying 180.40.7.2 ...
% Connection refused by remote host
R3#
RACK17AS>2
[Resuming connection 2 to r2 ... ]
*Ma
R2#sh log
Syslog logging: enabled (0 messages dropped, 12 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
  Console logging: level debugging, 39 messages logged, xml disabled
  Monitor logging: level debugging, 0 messages logged, xml disabled
  Buffer logging: level debugging, 1 messages logged, xml disabled
  Logging Exception size (4096 bytes)
  Count and timestamp logging messages: disabled
  Trap logging: level informational, 55 message lines logged
--More--
Log Buffer (4096 bytes):
*Mar 1 04:03:36.292: %SYS-5-CONFIG_I: Configured from console by console
R2#sh access
% Ambiguous command: "sh access"
R2#sh access-l
Extended IP access list 100
  10 permit ip any any log time-range Prob4 (inactive)
R2#
R2#
R2#
R2#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#sh clock
.00:20:26.849 UTC Fri Oct 14 2005
R3#
RACK17AS>2
[Resuming connection 2 to r2 ... ]
R2#clock set ?
  hh:mm:ss  Current Time
R2#clock set 5:00:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year
R2#clock set 5:00:00 13 ?
  MONTH  Month of the year
R2#clock set 5:00:00 13            12:00:00 13 oct 2005
R2#clock set 12:00:00 13 oct 2005sh access-l
Extended IP access list 100
  10 permit ip any any log time-range Prob4 (active)
R2#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#sh clock180.40.7.2
Trying 180.40.7.2 ... Open
R2#exn   lo
[Connection to 180.40.7.2 closed by foreign host]
R3#
RACK17AS>2
[Resuming connection 2 to r2 ... ]
Oct
R2#sh run | b access-
access-list 100 permit ip any any log time-range Prob4
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
--More--
 no login
!
time-range Prob4
 periodic daily 7:00 to 20:00
!
!
end
R2#
R2#
RACK17AS>4
[Resuming connection 4 to r4 ... ]
Oct
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip inspect Fred out access-group 100 innip access-group 100 inoip access-group 100 in ip access-group 100 in
^
% Invalid input detected at '^' marker.
R4(config)#int atm 1/0
R4(config-if)#int atm 1/0no ip access-group 100 in
R4(config-if)#no ip access-group 100 inint atm 1/0 no ip access-group 100 inip inspect Fred out nip inspect Fred out oip inspect Fred out  ip inspect Fred out
R4(config-if)#exit
R4(config)#access-list 101 ?
  deny     Specify packets to reject
  dynamic  Specify a DYNAMIC list of PERMITs or DENYs
  permit   Specify packets to forward
  remark   Access list entry comment
R4(config)#access-list 101 per ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R4(config)#access-list 101 per ip any any
R4(config)#naccess-list 101 per ip any anynaccess-list 101 per ip any anyoaccess-list 101 per ip any any access-list 101 per ip any any
R4(config)#ip access-list ex Prob5 out    Out
R4(config-ext-nacl)#per any a     ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R4(config-ext-nacl)#per ip any any re
R4(config-ext-nacl)#per ip any any reflect ?
  WORD  Access-list name
R4(config-ext-nacl)#per ip any any reflect Prob5 ?
  timeout  Maximum time for Reflexive ACL to live
R4(config-ext-nacl)#per ip any any reflect Prob5
R4(config-ext-nacl)#exit
R4(config)#exitper ip any any reflect Prob5 ip access-list ex Prob5Out    In
R4(config-ext-nacl)#per udp any any eq ntp
R4(config-ext-nacl)#dy
R4(config-ext-nacl)#dynamic ?
  WORD  Name of a Dynamic list
R4(config-ext-nacl)#dynamic Prob5 ?
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  permit   Specify packets to forward
  timeout  Maximum time for dynamic ACL to live
R4(config-ext-nacl)#dynamic Prob5 per ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R4(config-ext-nacl)#dynamic Prob5 per                     ev
R4(config-ext-nacl)#evaluate ?
  WORD  IP reflexive access list name
R4(config-ext-nacl)#evaluate Prob5 ?
R4(config-ext-nacl)#evaluate Prob5
R4(config-ext-nacl)#den ip any any log
R4(config-ext-nacl)#exit
R4(config)#do sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (1 match)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit udp any any eq ntp (10 matches)
    20 deny ip any any (8 matches)
Reflexive IP access list Prob5
Extended IP access list Prob5In
    10 permit udp any any eq ntp
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5Out
    10 permit ip any any reflect Prob5
R4(config)#do sh access-listexit den ip any any logevaluate Prob5 per udp any any eq ntpip access-list ex Prob5Inexit ip access-list ex Prob5In
R4(config-ext-nacl)#no 30
R4(config-ext-nacl)#15 deny ip any any log
R4(config-ext-nacl)#exit
R4(config)#int atm 1/0
R4(config-if)#ip add  ccess
R4(config-if)#ip access-group Prob5Out out
R4(config-if)#ip access-group Prob5Out out       In in
R4(config-if)#^Z
R4#
Oct 14 00:27:04.996: %SYS-5-CONFIG_I: Configured from console by console
R4#
R4#
R4#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#180.40.7.2sh clock 180.40.7.2telnet 192.10.32.254sh run | i ntp telnet 192.10.32.254
Trying 192.10.32.254 ...
RACK17AS>4
[Resuming connection 4 to r4 ... ]
Oct 14
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit udp any any eq ntp (10 matches)
    20 deny ip any any (8 matches)
Reflexive IP access list Prob5
     permit tcp host 192.10.32.254 eq telnet host 192.10.32.17 eq 11003 (4 matches) (time left 291)
Extended IP access list Prob5In
    10 permit udp any any eq ntp
    15 deny ip any any log (4 matches)
    20 evaluate Prob5
Extended IP access list Prob5Out
    10 permit ip any any reflect Prob5
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip access-group Prob5In inOut outnt atm 1/0 exit 15 deny ip any any logno 30 ip access-list ex Prob5In
R4(config-ext-nacl)#no 15
R4(config-ext-nacl)#
Oct 14 00:28:07.884: %SEC-6-IPACCESSLOGP: list Prob5In denied tcp 192.10.32.254(23) -> 192.10.32.17(11003), 3 packets
R4(config-ext-nacl)#30 deny ip any any log
R4(config-ext-nacl)#^Z
R4#
Oct 14 00:28:15.048: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
%
R3#telnet 192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
RACK17AS>4
[Resuming connection 4 to r4 ... ]
R4#sh ip access
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit udp any any eq ntp (10 matches)
    20 deny ip any any (8 matches)
Reflexive IP access list Prob5
     permit tcp host 192.10.32.254 eq telnet host 192.10.32.17 eq 11004 (18 matches) (time left 293)
     permit tcp host 192.10.32.254 eq telnet host 192.10.32.17 eq 11003 (4 matches) (time left 251)
Extended IP access list Prob5In
    10 permit udp any any eq ntp
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5Out
    10 permit ip any any reflect Prob5
R4#
Oct 14 00:28:44.912: %SEC-6-IPACCESSLOGP: list Prob5In denied tcp 192.10.32.254(53120) -> 192.10.32.17(179), 1 packet
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#iop    p 30 deny ip any any log no 15 ip access-list ex Prob5In  Out
R4(config-ext-nacl)#10 permit ip any any reflect Prob5 ?
  timeout  Maximum time for Reflexive ACL to live
R4(config-ext-nacl)#10 permit ip any any reflect Prob5               log ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  precedence  Match packets with given precedence value
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R4(config-ext-nacl)#10 permit ip any any log ref
R4(config-ext-nacl)#10 permit ip any any log reflect ?
  WORD  Access-list name
R4(config-ext-nacl)#10 permit ip any any log reflect Prob5
Duplicate sequence number.
R4(config-ext-nacl)#no 109
R4(config-ext-nacl)#no 1010 permit ip any any log reflect Prob5
R4(config-ext-nacl)#^Z
R4#
Oct 14 00:30:25.368: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK17AS>34
% 34 is not an open connection
RACK17AS>
[Resuming connection 4 to r4 ... ]
R4#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
CR1>
CR1>
CR1>
CR1>
CR1>
CR1>
RACK17AS>4
[Resuming connection 4 to r4 ... ]
Oct
R4#
R4#
R4#sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 28 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: disabled, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 33 message lines logged
R4# config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#logg buf
R4(config)#
R4(config)#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
CR1>
CR1>
CR1>
CR1>
CR1>
CR1>
RACK17AS>4
[Resuming connection 4 to r4 ...
]
Oct 1
R4(config)#do sh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 29 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 1 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 34 message lines logged
--More--
Log Buffer (4096 bytes):
Oct 14 00:30:44.956: %SEC-6-IPACCESSLOGP: list Prob5In denied tcp 192.10.32.254(53129) -> 192.10.32.17(179), 1 packet
R4(config)#exit
R4#c
Oct 14 00:31:01.268: %SYS-5-CONFIG_I: Configured from console by console
R4#clea ip acc
R4#clea ip acc?
access-list  access-template  accounting
R4#clea ip access  -l ?
  counters  Clear access list counters
R4#clea ip access-l            ?
  access-list             Clear access list statistical information
  access-template         Access-template
  accounting              Clear IP accounting database
  arp                     IP ARP table
  audit                   Clear IDS information
  auth-proxy              Clear the auth-proxy info
  bgp                     Clear BGP connections
  cache                   Delete cache table entries
  casa                    Clear casa information
  cef                     Cisco Express Forwarding info
  cgmp                    Cisco Group Management Protocol (CGMP)
  dhcp                    Delete items from the DHCP database
  drp                     Clear director responder counters
  dvmrp                   DVMRP
  eigrp                   Clear IP-EIGRP
  flow                    Clear flow information
  http                    Clear HTTP parameters
  igmp                    IGMP clear commands
  mobile                  IP Mobility
  mrm                     IP Multicast Routing Monitor clear commands
  mroute                  Delete multicast route table entries
  msdp                    Multicast Source Discovery Protocol (MSDP)
--More--
  mtag                    Clear multicast TIB entries
  nat                     Clear NAT
  nbar                    NBAR: Network-Based Application Recognition
  nhrp                    NHRP cache
  ospf                    OSPF clear commands
  pim                     PIM
  prefix-list             Prefix-list
  redirect                Redirect cache
  route                   Delete route table entries
  rsvp                    RSVP
  rtp                     RTP/UDP/IP header-compression statistics
  sap                     Session Announcement Protocol cache
  snat                    Clear SNAT
  tcp                     TCP/UDP/IP header-compression
statistics
  translation             Clear translation
  trigger-authentication  Clear trigger-authentication host table
  urlfilter               Clear the urlfilter info
  wccp                    Reset wccp information
R4#clea ip
RACK17AS>3
[Resuming connection 3 to r3 ... ]
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#telnet 192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
RACK17AS>4
[Resuming connection 4 to r4 ... ]
Oct
R4# config tsh log
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited, 0 flushes, 0 overruns, xml disabled)
    Console logging: level debugging, 31 messages logged, xml disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled
    Buffer logging: level debugging, 3 messages logged, xml disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Trap logging: level informational, 36 message lines logged
--More--
Log Buffer (4096 bytes):
Oct 14 00:30:44.956: %SEC-6-IPACCESSLOGP: list Prob5In denied tcp 192.10.32.254(53129) -> 192.10.32.17(179), 1 packet
Oct 14 00:31:01.268: %SYS-5-CONFIG_I: Configured from console by console
Oct 14 00:31:34.680: %SEC-6-IPACCESSLOGP: list Prob5Out permitted tcp 192.10.32.17(11005) -> 192.10.32.254(23), 1 packet
R4#
R4#
R4#
R4#
R4#
R4#sh ru n  n | b interface ATM
interface ATM1/0
 ip address 192.10.32.17 255.255.255.0
 ip access-group Prob5In in
 ip access-group Prob5Out out
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
--More--
!
ip access-list extended Prob5In
 permit udp any any eq ntp
 evaluate Prob5
 deny ip any any log
ip access-list extended Prob5Out
 permit ip any any log reflect Prob5
!
access-list 100 permit udp any any eq ntp
access-list 100 deny ip any any
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
--More--
R4#
R4#
Oct 14 00:32:45.000: %SEC-6-IPACCESSLOGP: list Prob5In denied tcp 192.10.32.254(53138) -> 192.10.32.17(179), 1 packet
R4#
RACK17AS>1
[Resuming connection 1 to r1 ... ]
R1#
R1#co  config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#tac
R1(config)#tacacs-server ?
  administration      Start tacacs+ deamon handling administrative messages
  directed-request    Allow user to specify tacacs server to use with `@server'
  dns-alias-lookup    Enable IP Domain Name System Alias lookup for TACACS servers
  extended            Enable extended TACACS
  host                Specify a TACACS server
  key                 Set TACACS+ encryption key.
  last-resort         Define TACACS action if no server responds
  optional-passwords  The first TACACS request can be made without password verification
  packet              Modify TACACS+ packet options
  retransmit          Search iterations of the TACACS server list
  timeout             Time to wait for a TACACS server to reply
R1(config)#tacacs-server host ?
  Hostname or A.B.C.D  IP address of TACACS server
R1(config)#tacacs-server host 17.57.100.99 ?
R1(config)#tacacs-server host 17.57.100.99
R1(config)#tac
R1(config)#tacacs-server ky
R1(config)#tacacs-server key ?
  LINE  Encryption key string
R1(config)#tacacs-server key MyKey ?
  LINE
R1(config)#tacacs-server key MyKey
R1(config)#tac
R1(config)#tacacs-server ?
  administration      Start tacacs+ deamon handling administrative messages
  directed-request    Allow user to specify tacacs server to use with `@server'
  dns-alias-lookup    Enable IP Domain Name System Alias lookup for TACACS servers
  extended            Enable extended TACACS
  host                Specify a TACACS server
  key                 Set TACACS+ encryption key.
  last-resort         Define TACACS action if no server responds
  optional-passwords  The first TACACS request can be made without password verification
  packet              Modify TACACS+ packet options
  retransmit          Search iterations of the TACACS server list
  timeout             Time to wait for a TACACS server to reply
R1(config)#tacacs-server               aaa
R1(config)#aaa new
R1(config)#aaa new-model
R1(config)#aaa user    authen
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
R1(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
R1(config)#aaa authentication login Prob6 ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.
R1(config)#aaa authentication login Prob6 grou ?
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
R1(config)#aaa authentication login Prob6 grou tac ?
  enable      Use enable password for authentication.
  group       Use Server-group
  krb5        Use Kerberos 5 authentication.
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
R1(config)#aaa authentication login Prob6 grou tac local ?
  enable  Use enable password for authentication.
  group   Use Server-group
  krb5    Use Kerberos 5 authentication.
  line    Use line password for authentication.
  none    NO authentication.
R1(config)#aaa authentication login Prob6 grou tac local
R1(config)#aaa authen login default none
R1(config)#lio ne    user Bar   bob ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#user bob priv
R1(config)#user bob privilege 15 ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#user bob privilege 15
R1(config)#line vty 0 4
R1(config-line)#log
R1(config-line)#logi
R1(config-line)#login auth
R1(config-line)#login authentication ?
  WORD     Use an authentication list with this name.
  default  Use the default authentication list.
R1(config-line)#login authentication Prob6 ?
R1(config-line)#login authentication Prob6
R1(config-line)#
RACK17AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
Username:
Username: bob
Password:
R1#
R1#
R1#
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK17AS>1
[Resuming connection 1 to r1 ... ]
*Ma
R1(config-line)#end
R1#sh run
*Mar 1 04:21:37.163: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b aaa
aaa new-model
!
!
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
--More--
R1#sh run | b aaa   user
username JoeUser privilege 13 nopassword
username ccie privilege 15
username bob privilege 15
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
--More--
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
--More--
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
ip classless
!
!
!
!
!
tacacs-server host 17.57.100.99
tacacs-server directed-request
--More--
tacacs-server key MyKey
snmp-server community test RO
snmp-server enable traps tty
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
privilege configure level 13 snmp
privilege configure level 13 snmp-server community
privilege configure level 13 snmp-server
privilege exec level 13 ping
privilege exec level 13 configure
privilege exec level 13 show running-config
privilege exec level 13 show
!
line con 0
 exec-timeout 0 0
--More--
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login authentication Prob6
!
!
end
R1#
R1#
RACK17AS>4
[Resuming connection 4 to r4 ... ]
O
R4#sh run | b interface ATM
interface ATM1/0
 ip address 192.10.32.17 255.255.255.0
 ip access-group Prob5In in
 ip access-group Prob5Out out
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
--More--
!
ip access-list extended Prob5In
 permit udp any any eq ntp
 evaluate Prob5
 deny ip any any log
ip access-list extended Prob5Out
 permit ip any any log reflect Prob5
!
access-list 100 permit udp any any eq ntp
access-list 100 deny ip any any
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
--More--
R4#
Oct 14 00:38:45.136: %SEC-6-IPACCESSLOGP: list Prob5In denied tcp 192.10.32.254(53165) -> 192.10.32.17(179), 1 packet
R4#
RACK17AS>1
[Resuming connection 1 to r1 ... ]
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa authen > ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
R1(config)#aaa authen pass
R1(config)#aaa authen password-prompt CCIEpassword" :
R1(config)#aaa authen usefr  r
R1(config)#aaa authen username-prompt yomomma:
R1(config)#^Z
R1#
RACK17AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
yomomma:ccie
CCIEpassword:
R1#
RACK17AS>1
[Resuming connection 1 to r1 ... ]
*Mar
R1#sh run | i aaa
aaa new-model
aaa authentication password-prompt CCIEpassword:
aaa authentication username-prompt yomomma:
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
R1#
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#banner motd 3 #
Enter TEXT message. End with the character '#'.
Leave me alo            go    Goi    q away butt head          #Go away #
R1(config)#^Z
R1#
RACK17AS>5
[Resuming connection 5 to r5 ... ]
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
Go away Go away
yomomma:
yomomma:ccie
CCIEpassword:
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#
RACK17AS>1
[Resuming connection 1 to r1 ... ]
*Ma
R1#sh run | b banner
banner motd ^C Go away Go away
--More--
^C
privilege configure level 13 snmp
privilege configure level 13 snmp-server community
privilege configure level 13 snmp-server
privilege exec level 13 ping
privilege exec level 13 configure
privilege exec level 13 show running-config
privilege exec level 13 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login authentication Prob6
!
!
end
R1#
R1#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
[Connection to 192.10.32.254 closed by foreign host]
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip access-lk ist ex Prob9
R3(config-ext-nacl)#p exit
R3(config)#user George pass bosco
R3(config)#user George pass boscoexit ip access-list ex Prob9
R3(config-ext-nacl)#do sh ip o proto
Routing Protocol is "ospf 1"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Router ID 180.40.7.129
  Number of areas in this router is 1. 1 normal 0 stub 0 nssa
  Maximum path: 4
  Routing for Networks:
    0.0.0.0 255.255.255.255 area 0
  Routing Information Sources:
    Gateway         Distance      Last Update
    180.40.7.130         110      04:26:18
    180.40.7.129         110      04:26:18
    17.57.101.2          110      04:26:18
    180.40.7.35          110      04:26:18
    180.40.7.34          110      04:26:18
    192.10.32.17         110      04:26:18
  Distance: (default is 110)
R3(config-ext-nacl)#per ospf any any
R3(config-ext-nacl)#per udp any any eq ntp
R3(config-ext-nacl)#per tcp 180.40.7.128 0.0.0.31 180.40.7.129 h180.40.7.129180.40.7.129 h180.40.7.129o180.40.7.129s180.40.7.129t180.40.7.129 180.40.7.129180.40.7.129 eq telnet
R3(config-ext-nacl)#du yn
R3(config-ext-nacl)#dynamic ?
  WORD  Name of a Dynamic list
R3(config-ext-nacl)#dynamic prob9 ?
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  permit   Specify packets to forward
  timeout  Maximum time for dynamic ACL to live
R3(config-ext-nacl)#dynamic prob9       Prob9 tim
R3(config-ext-nacl)#dynamic Prob9 timeout ?
  <1-9999>  Maximum time to live
R3(config-ext-nacl)#dynamic Prob9 timeout 60 ?
  deny    Specify packets to reject
  exit    Exit from access-list configuration mode
  permit  Specify packets to forward
R3(config-ext-nacl)#dynamic Prob9 timeout 60 per > ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R3(config-ext-nacl)#dynamic Prob9 timeout 60 per ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R3(config-ext-nacl)#dynamic Prob9 timeout 60 per ip any any
% An access list with this name already exists
R3(config-ext-nacl)#dynamic Prob9 timeout 60 per ip any any a timeout 60 per ip any any
R3(config-ext-nacl)#int atm     fa 0/1
R3(config-if)#ip acces
R3(config-if)#ip access-group P
R3#
.Oct 14 00:51:09.703: %SYS-5-CONFIG_I: Configured from console by console
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int fa 0/1dynamic Prob9a timeout 60 per ip any any  timeout 60 per ip any any a timeout 60 per ip any any int fa 0/1
R3(config-if)#ip access-
R3(config-if)#ip access-group Prob9 in
R3(config-if)#line vty 0 4
R3(config-line)#au
R3(config-line)#autoco
R3(config-line)#autocommand
R3(config-line)#autocommand ?
  LINE                    Appropriate EXEC command
  no-suppress-linenumber  Display service linenumber message
R3(config-line)#autocommand access-enable ?
  LINE
R3(config-line)#autocommand access-enable host ?
  LINE
R3(config-line)#autocommand access-enable host timeout 2
R3(config-line)#^Z
R3#
.Oct 14 00:52:20.815: %SYS-5-CONFIG_I: Configured from console by console
R3#
RACK17AS>6
[Resuming connection 6 to r6 ... ]
S6#pint g 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
S6#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
     17.0.0.0/24 is subnetted, 2 subnets
O       17.57.100.0 [110/792] via 180.40.7.129, 04:34:31, FastEthernet0/3
O       17.57.101.0 [110/783] via 180.40.7.129, 04:34:31, FastEthernet0/3
O    192.10.32.0/24 [110/2] via 180.40.7.98, 04:34:31, FastEthernet0/4
     180.40.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       180.40.7.128/27 is directly connected, FastEthernet0/3
O       180.40.7.0/27 [110/782] via 180.40.7.129, 04:34:31, FastEthernet0/3
O       180.40.7.35/32 [110/782] via 180.40.7.129, 04:34:31, FastEthernet0/3
O       180.40.7.34/32 [110/782] via 180.40.7.129, 04:34:31, FastEthernet0/3
O       180.40.7.33/32 [110/1] via 180.40.7.129, 04:34:31, FastEthernet0/3
C       180.40.7.96/27 is directly connected, FastEthernet0/4
S6#te  18-0  0.40.7.129
Trying 180.40.7.129 ... Open
[Connection to 180.40.7.129 closed by foreign host]
S6#180.40.7.129sh ip route ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
S6#
RACK17AS>1
[Resuming connection 1 to r1 ...
]
R1#ah run        sh run | b interface D Fastethernet                                 sh run int fa 0/1
^
% Invalid input detected at '^' marker.
R1#sh run int fa 0/1/1                 x3
% Incomplete command.
R1#
R1#
RACK17AS>3
[Resuming connection 3 to r3 ... ]
R3#sh run int fa 0/1
Building configuration...
Current configuration : 125 bytes
!
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group Prob9 in
 duplex auto
 speed auto
end
R3#sh run | b interface FastEthernet0/1
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group Prob9 in
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 180.40.7.33 255.255.255.224
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 180.40.7.34 301 broadcast
 frame-relay map ip 180.40.7.35 302 broadcast
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
!
interface Serial1/3
 no ip address
 shutdown
--More--
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
no ip http secure-server
--More--
ip classless
!
!
!
ip access-list extended Prob9
 permit ospf any any
 permit udp any any eq ntp
 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
 dynamic Prob9a timeout 60 permit ip any any
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
!
!
dial-peer cor custom
!
!
!
--More--
R3#sh run | b interface FastEthernet0/1                         lin
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
 autocommand access-enable host timeout 2
!
ntp authentication-key 1 md5 12341C231B0609 7
ntp authenticate
ntp clock-period 17208083
ntp server 180.40.7.98 key 1
!
end
R3#
R3#
RACK17AS>2
[Resuming connection 2 to r2 ...
]
O
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#tcp
R2(config)#tcp?
% Unrecognized command
R2(config)#tcp ?
% Unrecognized command
R2(config)#tcp     ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  intercept           Enable TCP intercepting
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size
R2(config)#ip tcp inty
R2(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode
R2(config)#ip tcp intercept                  do sh access-list
Extended IP access list 100
    10 permit ip any any log time-range Prob4 (active) (2 matches)
R2(config)#access-list 101 tcp any any
^
% Invalid input detected at '^' marker.
R2(config)#access-list 101 tcp any anyptcp any anyetcp any anyrtcp any any tcp any any
R2(config)#t ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  intercept           Enable TCP intercepting
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size
R2(config)#ip tcp in
R2(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode
R2(config)#ip tcp intercept mode ?
  intercept  Intercept connections
  watch      Watch connections
R2(config)#ip tcp intercept mode in
R2(config)#ip tcp intercept mode intercept ?
R2(config)#ip tcp intercept mode intercept
R2(config)#ip tcp intercept mode intercept                lisd s
R2(config)#ip tcp intercept liss
R2(config)#ip tcp intercept list ?
  <100-199>  Extended access list number for intercept
  WORD       Access list name for intercept
R2(config)#ip tcp intercept list 101 ?
R2(config)#ip tcp intercept list 101
R2(config)#no access-list 101
R2(config)#access-li 101 per tcp 17.57.100.0     1.0 0.0.0.255
% Incomplete command.
R2(config)#access-li 101 per tcp 17.57.101.0 0.0.0.255 any~~
R2(config)#in  t e 0/0
^
% Invalid input detected at '^' marker.
R2(config)#fa 0    int fa0 0/0
R2(config-if)#iptcp ?
% Unrecognized command
R2(config-if)#iptcp      tcp ?
  adjust-mss               Adjust the mss of transit packets
  compression-connections  Maximum number of compressed connections
  header-compression       Enable TCP header compression
R2(config-if)#ip tcp
R2#
Oct 13 12:38:36.493: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run |m    i ip tcp
ip tcp intercept list 101
R2#sh run | i ip tcp                 config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int fa0/0e 0/0access-li 101 per tcp 17.57.101.0 0.0.0.255 any no access-list 101 ip tcp intercept list 101 mode intercept
R2(config)#do sh run | i ip tcp
ip tcp intercept list 101
R2(config)#^Z
R2#sh run
Oct 13 12:40:41.794: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run }|      | i access-list 101
access-list 101 permit tcp 17.57.101.0 0.0.0.255 any
R2#
R2#
R2#
[Connection to r2 closed by foreign host]
RACK17AS>