=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2006.04.14 10:04:49 =~=~=~=~=~=~=~=~=~=~=~=

RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#ping 192.10.32.254

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.32.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/8 ms
R4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources

R4(config)#ntp server 192.10.32.254
R4(config)#do sh clock
*02:10:37.707 UTC Mon Mar 1 1993
R4(config)#ntp server 192.10.32.254
R4(config)#do sh clock
.17:09:40.131 UTC Fri Apr 14 2006
R4(config)#do sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.10.32.254    172.16.1.20       4     0    64   377     5.2    0.13     0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources

R4(config)#ntp authentication-key ?
  <1-4294967295>  Key number
R4(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
R4(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
R4(config)#ntp authentication-key 1 md5 MyTime
R4(config)#^Z
R4#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
R3#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#do shclock
                 ^
% Invalid input detected at '^' marker.
R3(config)#do sh clock
*02:09:16.918 UTC Mon Mar 1 1993
R3(config)#ntp authentication-key 1 md MyTime
R3(config)#ntp server 180.40.7.98 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp server 180.40.7.98 key ?
  <0-4294967295>  Peer key number
R3(config)#ntp server 180.40.7.98 key 1 ?
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp server 180.40.7.98 key 1
R3(config)#^Z
R3#
*Mar  1 02:09:44.728: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98       0.0.0.0          16     -    64     0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98       192.10.32.254     5     0    64     0     4.1  414082  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
*~180.40.7.98       192.10.32.254     5     0    64     1     4.1    0.01  15875.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
*~180.40.7.98       192.10.32.254     5     0    64     3     4.1    0.01  7875.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#
R3#sh ntp ass ?
  detail  Show detail
  |       Output modifiers
R3#sh ntp ass detail
180.40.7.98 configured, authenticated, our_master, sane, valid, stratum 5
ref ID 192.10.32.254, time C7EA5622.5B730646 (17:10:58.357 UTC Fri Apr 14 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 157.58 msec, root disp 53.68, reach 377, sync dist 134.613
delay 4.06 msec, offset -0.1074 msec, dispersion 0.12
precision 2**18, version 3
org time C7EA562D.B61652DB (17:11:09.711 UTC Fri Apr 14 2006)
rcv time C7EA562D.B6A2BADA (17:11:09.713 UTC Fri Apr 14 2006)
xmt time C7EA562D.B57AD61C (17:11:09.708 UTC Fri Apr 14 2006)
filtdelay =     4.06    4.06    4.14    5.78    4.17    4.14    4.12    4.07
filtoffset =   -0.11   -0.02    0.02   -0.94    0.01   -0.06    0.04    0.01
filterror =     0.02    0.03    0.05    0.06    0.08    0.09    0.11    0.12
R3#sh run | i ntp
ntp authentication-key 1 md5 1063102D0C1A17 7
ntp server 180.40.7.98 key 1
R3#
RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#sh run | i ntp
ntp authentication-key 1 md5 0722387847041C 7
ntp clock-period 17179870
ntp server 192.10.32.254
R4#
R4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#do sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
R4(config)#access-list 100 permit udp any any eq ntp
R4(config)#access-list 100 deny ip any any log
R4(config)#ip ?
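Added example (not part of this PuTTY log). The two "ntp authentication-key 1 md5 ... 7" lines above store the key in Cisco type-7 encoding, which is a fixed-string XOR rather than encryption; the decoder below recovers MyTime from both strings as printed. The same block converts the NTP timestamp C7EA5622.5B730646 from "sh ntp ass detail" into the clock string IOS printed, and builds and verifies the NTPv3 symmetric-key MAC (4-byte key ID followed by MD5 over key || 48-byte header) that "ntp server 180.40.7.98 key 1" makes R3 add to each request. The client header and the trusted-key table are constructed here; the type-7 XOR string is the long-published IOS constant. One caveat a practitioner would want: neither "sh run | i ntp" above contains "ntp authenticate" or "ntp trusted-key 1", and per the IOS command reference a router only refuses unauthenticated time sources once "ntp authenticate" is configured, so the key alone does not enforce anything on these two routers.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# The fixed XOR string behind Cisco type-7 "encryption": a long-published constant,
# which is why type 7 obfuscates and does not protect a secret.
TYPE7_XOR = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover cleartext from a type-7 string: two decimal salt digits, then hex bytes,
    each XORed with TYPE7_XOR[(salt + i) % len(TYPE7_XOR)]."""
    salt = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(c ^ TYPE7_XOR[(salt + i) % len(TYPE7_XOR)] for i, c in enumerate(data))
    return plain.decode("ascii")


NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)


def ntp_timestamp(seconds: int, fraction: int) -> datetime:
    """64-bit NTP timestamp (32-bit seconds since 1900, 32-bit binary fraction) -> UTC datetime."""
    micros = (fraction * 1_000_000) >> 32
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def ios_clock(dt: datetime) -> str:
    """Format like 'show ntp associations detail', e.g. 17:10:58.357 UTC Fri Apr 14 2006."""
    return dt.strftime("%H:%M:%S") + f".{dt.microsecond // 1000:03d}" + dt.strftime(" UTC %a %b %d %Y")


def ntp_client_header(xmt_seconds: int, xmt_fraction: int, version: int = 3) -> bytes:
    """Constructed 48-byte NTP header: LI=0, VN=version, mode=3 (client), poll 2**6 s,
    precision 2**-18, reference/originate/receive timestamps zero, transmit timestamp as given."""
    li_vn_mode = (version << 3) | 3
    hdr = struct.pack("!BBbb", li_vn_mode, 0, 6, -18)   # LI/VN/mode, stratum, poll, precision
    hdr += struct.pack("!III", 0, 0, 0)                  # root delay, root dispersion, reference ID
    hdr += bytes(24)                                     # reference, originate, receive timestamps
    hdr += struct.pack("!II", xmt_seconds, xmt_fraction)
    assert len(hdr) == 48
    return hdr


def ntp_md5_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Symmetric-key MAC appended after the header (RFC 1305/5905): key ID + MD5(key || header).
    This is what 'ntp server ... key 1' adds to R3's requests and R4 returns in its replies."""
    return struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify_ntp_packet(packet: bytes, trusted_keys: Dict[int, bytes]) -> Optional[int]:
    """Receiver-side check. trusted_keys maps key ID -> key, i.e. the keys that are both
    configured and listed under 'ntp trusted-key'. Returns the accepted key ID or None:
    an unauthenticated packet, an untrusted key ID and a bad digest all fail."""
    if len(packet) != 48 + 4 + 16:
        return None
    header = packet[:48]
    key_id = struct.unpack("!I", packet[48:52])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    return key_id if hmac.compare_digest(expected, packet[52:]) else None
```

Running type7_decode on the page's own strings shows why "sh run" output must be treated as sensitive; the verify function makes the point that a trusted-key table, not the key line by itself, is what rejects unauthenticated or wrong-key packets.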
Global IP configuration subcommands:
  access-list           Named access-list
  accounting-list       Select hosts for which IP accounting information is kept
  accounting-threshold  Sets the maximum number of accounting entries
  accounting-transits   Sets the maximum number of transit entries
  address-pool          Specify default IP address pooling mechanism
  alias                 Alias an IP address to a TCP port
  as-path               BGP autonomous system path filter
  audit                 Intrusion Detection System
  auth-proxy            Authentication Proxy
  bgp-community         format for BGP community
  bootp                 Config BOOTP services
  casa                  configure this router to participate in casa
  cef                   Cisco Express Forwarding
  classless             Follow classless routing forwarding rules
  community-list        Add a community list entry
  default-gateway       Specify default gateway (if not routing IP)
  default-network       Flags networks as candidates for default routes
  dhcp                  Configure DHCP server and relay parameters
  dhcp-client           Configure parameters for DHCP client operation
  dhcp-server           Specify address of DHCP server to use
 --More--
R4(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
R4(config)#ip inspect tcp ?
  block-non-session  Block non-session TCP traffic
  finwait-time       Specify timeout for TCP connections after a FIN
  idle-time          Specify idle timeout for tcp connections
  max-incomplete     Specify max half-open connection per host
  synwait-time       Specify timeout for TCP connections after a SYN and no further data
R4(config)#ip inspect name ?
  WORD  Name of inspection defined
R4(config)#ip inspect name Prob2 ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  icmp         ICMP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Procedure Call Protocol
  rtsp         Real Time Streaming Protocol
  sip          SIP Protocol
  skinny       Skinny Client Control Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
R4(config)#ip inspect name Prob2 h323 ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 h323
R4(config)#ip inspect name Prob2 tcp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 tcp
R4(config)#int atm 1/0
R4(config-if)#ip inspect ?
  WORD  Name of inspection defined
R4(config-if)#ip inspect Prob2 ?
  in   Inbound inspection
  out  Outbound inspection
R4(config-if)#int fa 0/0
R4(config-if)#ip inspect Prob2 in
R4(config-if)#int atm 1/0
R4(config-if)#ip access-group 100 in
R4(config-if)#^Z
R4#
Apr 14 17:22:11.009: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     17.0.0.0/24 is subnetted, 2 subnets
O       17.57.100.0 [110/791] via 180.40.7.34, 02:18:12, Serial1/0
O       17.57.101.0 [110/782] via 180.40.7.2, 02:18:12, Serial1/2
                    [110/782] via 180.40.7.35, 02:18:12, Serial1/0
O    192.10.32.0/24 [110/3] via 180.40.7.130, 02:18:12, FastEthernet0/1
     180.40.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       180.40.7.128/27 is directly connected, FastEthernet0/1
C       180.40.7.0/27 is directly connected, Serial1/2
O       180.40.7.35/32 [110/781] via 180.40.7.2, 02:18:13, Serial1/2
                       [110/781] via 180.40.7.35, 02:18:13, Serial1/0
O       180.40.7.34/32 [110/781] via 180.40.7.34, 02:18:13, Serial1/0
C       180.40.7.32/27 is directly connected, Serial1/0
O       180.40.7.96/27 [110/2] via 180.40.7.130, 02:18:13, FastEthernet0/1
R3#192.10.32.254
Trying 192.10.32.254 ... Open

CR1>
CR1>
RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#sh ip access
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (1 match)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.14 eq 53001 (13 matches)
    10 permit udp any any eq ntp
    20 deny ip any any log
R4#
Apr 14 17:23:21.142: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.10.32.254(39700) -> 192.10.32.14(179), 1 packet
R4#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#192.10.32.254
Trying 192.10.32.254 ... Open

CR1>sh ?
% Unrecognized command
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#
RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#sh run | b ip in
ip inspect name Prob2 h323
ip inspect name Prob2 tcp
ip audit po max-events 100
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 ip nat inside
 ip inspect Prob2 in
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.14 255.255.255.0
 ip access-group 100 in
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
access-list 100 permit udp any any eq ntp
access-list 100 deny   ip any any log
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
ntp authentication-key 1 md5 0722387847041C 7
ntp clock-period 17179881
ntp server 192.10.32.254
 --More--
R4#
Apr 14 17:25:21.148: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.10.32.254(39710) -> 192.10.32.14(179), 1 packet
R4#
RACK14AS>1
[Resuming connection 1 to r1 ... ]
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#username JoeUser ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#username JoeUser privilege ?
  <0-15>  User privilege level
R1(config)#username JoeUser privilege 5 ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#username JoeUser privilege 5
R1(config)#snmp?
snmp  snmp-server
R1(config)#snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  source-interface  Assign an source interface
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
 --More--
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
R1(config)#privilege ?
  aaa-user                 AAA user definition
  accept-dialin            VPDN group accept dialin configuration mode
  accept-dialout           VPDN group accept dialout configuration mode
  address-family           Address Family configuration mode
  aic                      Alarm Interface Card configuration mode
  alps-ascu                ALPS ASCU configuration mode
  alps-circuit             ALPS circuit configuration mode
  bba-group                BBA Group configuration mode
  boomerang                Boomerang configuration mode
  cascustom                Cas custom configuration mode
  cause-code-list          Voice Cause Code List configuration mode
  ces-conn                 CES connection configuration mode
  ces-vc                   CES VC configuration mode
  cgma_agent               CGMA Agent Configuration Mode
  cm-fallback              cm-fallback configuration mode
  cns-connect-config       CNS Connect Info Mode
  cns-connect-intf-config  CNS Connect Intf Info Mode
  cns-tmpl-connect-config  CNS Template Connect Info Mode
  cns_inventory_submode    CNS Inventory SubMode
  config-rtr-http-rr       RTR HTTP raw request Configuration
  configure                Global configuration mode
  congestion               Frame Relay congestion configuration mode
 --More--
R1(config)#privilege exec ?
  all    All suboption will be set to the same level
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege exec level 5 ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege exec level 5 config t
R1(config)#privilege exec level 5 sh run
R1(config)#privilege configure level snmp-server community ?
% Unrecognized command
R1(config)#privilege configure level snmp-server community
                                     ^
% Invalid input detected at '^' marker.
R1(config)#privilege configure level 5 snmp-server community
R1(config)#
RACK14AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open

R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK14AS>1
[Resuming connection 1 to r1 ... ]
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#do sh run | b line
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
end

R1(config-line)#
RACK14AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open

User Access Verification

Username: JoeUser
Password:
R1#sh privi
Current privilege level is 5
R1#sh run
Building configuration...

Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!
end

R1#
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#^Z
R1#configure ?
  terminal  Configure from the terminal
R1#configure t
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#?
Configure commands:
  atm          Enable ATM SLM Statistics
  call         Configure Call parameters
  default      Set a command to its defaults
  end          Exit from configure mode
  exit         Exit from configure mode
  help         Description of the interactive help system
  no           Negate a command or set its defaults
  snmp-server  Modify SNMP engine parameters
R1(config)#snmp-server ?
  community  Enable SNMP; set community string and access privs
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)#^Z
R1#
RACK14AS>5
[Resuming connection 5 to r5 ... ]
R1#
RACK14AS>1
[Resuming connection 1 to r1 ... ]
R1(config-line)#exit
R1(config)#privilege configure level 5 snmp-server community WORD rw
R1(config)#
RACK14AS>5
[Resuming connection 5 to r5 ... ]
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  rw           Read-write access with this community string
R1(config)#^Z
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK14AS>1
[Resuming connection 1 to r1 ... ]
R1(config)#
R1(config)#^Z
R1#sh run | b
*Mar  1 02:31:21.214: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b privi
username JoeUser privilege 5
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
ip classless
!
privilege configure level 5 snmp-server community
privilege configure level 5 snmp-server
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show running-config
privilege exec level 5 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
end

R1#
RACK14AS>2
[Resuming connection 2 to r2 ... ]
R2#sh clock
*02:33:41.663 UTC Mon Mar 1 1993
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#time-range ?
  WORD  Time range name
R2(config)#time-range Prob4
R2(config-time-range)#?
Time range configuration commands:
  absolute  absolute time and date
  default   Set a command to its defaults
  exit      Exit from time-range configuration mode
  no        Negate a command or set its defaults
  periodic  periodic time and date
R2(config-time-range)#per ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
R2(config-time-range)#per daily ?
  hh:mm  Starting time
R2(config-time-range)#per daily 8:00 ?
  to  ending day and time
R2(config-time-range)#per daily 8:00 to ?
  hh:mm  Ending time - stays valid until beginning of next minute
R2(config-time-range)#per daily 8:00 to 20:30 ?

R2(config-time-range)#per daily 8:00 to 20:30
R2(config-time-range)#exit
R2(config)#access-list 100 ip any any time?
% Unrecognized command
R2(config)#access-list 100 permit ip any any time-range Prob4
R2(config)#line vty 0 4
R2(config-line)#access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name
R2(config-line)#access-class 100 in ?
  vrf-also  Same access list is applied for all VRFs
R2(config-line)#access-class 100 in
R2(config-line)#do sh access
% Ambiguous command:  "sh access"
R2(config-line)#do sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (inactive)
R2(config-line)#exit
R2(config)#ntp serv ?
  Hostname or A.B.C.D  IP address of peer
  vrf                  VPN Routing/Forwarding Information
R2(config)#ntp serv 180.40.7.98
R2(config)#clock ?
  summer-time  Configure summer (daylight savings) time
  timezone     Configure time zone
R2(config)#clock timezone ?
  WORD  name of time zone
R2(config)#clock timezone Mine ?
  <-23 - 23>  Hours offset from UTC
R2(config)#clock timezone Mine -5 ?
  <0-59>  Minutes offset from UTC
R2(config)#clock timezone Mine -5
R2(config)#^Z
R2#
Apr 14 17:37:29.228: %SYS-5-CONFIG_I: Configured from console by console
R2#sh clock
12:37:33.383 Mine Fri Apr 14 2006
R2#sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (active)
R2#
RACK14AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.101.1
Trying 17.57.101.1 ... Open

R2#q
[Connection to 17.57.101.1 closed by foreign host]
S5#
RACK14AS>2
[Resuming connection 2 to r2 ... ]
R2#sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (active) (2 matches)
R2#sh run | b access-list
access-list 100 permit ip any any time-range Prob4
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 no login
!
ntp server 180.40.7.98
time-range Prob4
 periodic daily 8:00 to 20:30
!
end

R2#
RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#
Apr 14 17:43:21.200: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.10.32.254(39800) -> 192.10.32.14(179), 1 packet
R4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List
R4(config)#ip access-list ex ?
  <100-199>    Extended IP access-list number
  <2000-2699>  Extended IP access-list number (expanded range)
  WORD         Access-list name
R4(config)#ip access-list ex Prob5out
R4(config-ext-nacl)#?
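Added example (not part of this PuTTY log), covering the R2 time-range section above. ACL 100 showed "(inactive)" while R2's clock still read 02:33 on Mon Mar 1 1993 and "(active)" once NTP had moved it to 17:37 UTC on Apr 14 2006; "clock timezone Mine -5" then changed the displayed time to 12:37 but not the verdict, because both instants fall inside 8:00 to 20:30. The evaluator below models what IOS does: it applies the periodic range to the router's local clock (UTC plus the timezone offset), treats the end minute as inclusive per the help text, and returns the vty verdict for "access-class 100 in" when ACL 100 holds only the time-ranged permit. The spec parser, the function names and the weekday handling are this example's own, not IOS code. The practitioner's caveat from R2's config is that the vty line also carries "no login" and "privilege level 15", so inside the window the clock is the only thing standing between a remote telnet and enable mode, and the clock's source (NTP, unauthenticated here) and timezone decide when that window is open.

```python
from datetime import datetime, timedelta, timezone
from typing import Set, Tuple

WEEKDAY_INDEX = {d: i for i, d in enumerate(
    ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"))}
DAY_GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_periodic(spec: str) -> Tuple[Set[int], int, int]:
    """Parse one 'periodic' line such as 'daily 8:00 to 20:30' or 'Friday 8:00 to 20:30'.
    Returns (weekday set as datetime.weekday() values, start minute, end minute)."""
    days, start, to, end = spec.split()
    if to != "to":
        raise ValueError(f"bad periodic spec: {spec!r}")
    day_set = DAY_GROUPS.get(days.lower()) or {WEEKDAY_INDEX[days.lower()]}
    return day_set, _minutes(start), _minutes(end)


def time_range_active(spec: str, router_utc: datetime, tz_offset_hours: int = 0) -> bool:
    """IOS evaluates a periodic range against the router's local clock: its UTC time
    (NTP-synced or free-running) shifted by 'clock timezone'. The end minute is inclusive,
    matching the help text 'stays valid until beginning of next minute'."""
    day_set, start, end = parse_periodic(spec)
    local = router_utc + timedelta(hours=tz_offset_hours)
    now = local.hour * 60 + local.minute
    return local.weekday() in day_set and start <= now <= end


def vty_decision(spec: str, router_utc: datetime, tz_offset_hours: int = 0) -> str:
    """'access-class 100 in' with ACL 100 = 'permit ip any any time-range Prob4' only:
    an inactive range leaves no live entry, so the implicit deny rejects every vty login."""
    return "permit" if time_range_active(spec, router_utc, tz_offset_hours) else "deny (implicit)"
```

The last two assertions in the test show the timezone effect the log does not reach: the same UTC instant is outside the window on a router left at UTC and inside it on one configured with -5.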
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
R4(config-ext-nacl)#per ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ip       Any Internet Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
R4(config-ext-nacl)#per ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R4(config-ext-nacl)#per ip any any reflect Prob5Reflect
R4(config-ext-nacl)#ip access-list ex Prob5in
R4(config-ext-nacl)#per udp any any eq ntp
R4(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647>  Sequence Number
  default         Set a command to its defaults
  deny            Specify packets to reject
  dynamic         Specify a DYNAMIC list of PERMITs or DENYs
  evaluate        Evaluate an access list
  exit            Exit from access-list configuration mode
  no              Negate a command or set its defaults
  permit          Specify packets to forward
  remark          Access list entry comment
R4(config-ext-nacl)#evaluate Prob5Reflect
R4(config-ext-nacl)#deny ip any any log
R4(config-ext-nacl)#int atm 1/0
R4(config-if)#ip access-group Prob5in in
Apr 14 17:45:21.206: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.10.32.254(39810) -> 192.10.32.14(179), 1 packet
R4(config-if)#ip access-group Prob5in in
R4(config-if)#ip access-group Prob5out in
R4(config-if)#^Z
R4#
Apr 14 17:45:27.998: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
R3#192.10.32.254
Trying 192.10.32.254 ... Open

CR1>
CR1>
RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit udp any any eq ntp (66 matches)
    20 deny ip any any log (12 matches)
Reflexive IP access list Prob5Reflect
Extended IP access list Prob5in
    10 permit udp any any eq ntp
    20 evaluate Prob5Reflect
    30 deny ip any any log
Extended IP access list Prob5out
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.14 eq 15697 (18 matches)
    10 permit ip any any reflect Prob5Reflect
R4#
R4#sh run | b atm
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Prob5in
 permit udp any any eq ntp
 evaluate Prob5Reflect
 --More--
R4#sh run | b ATM
interface ATM1/0
 ip address 192.10.32.14 255.255.255.0
 ip access-group Prob5out in
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Prob5in
 permit udp any any eq ntp
 evaluate Prob5Reflect
 deny   ip any any log
ip access-list extended Prob5out
 permit ip any any reflect Prob5Reflect
access-list 100 permit udp any any eq ntp
access-list 100 deny   ip any any log
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
 --More--
R4#
R4#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R4(config)#int atm 1/0
R4(config-if)#ip access-group Prob5out out
R4(config-if)#ip access-group Prob5in in
R4(config-if)#^Z
R4#
Apr 14 17:48:07.473: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
CR1>
CR1>
RACK14AS>4
[Resuming connection 4 to r4 ... ]
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit udp any any eq ntp (66 matches)
    20 deny ip any any log (12 matches)
Reflexive IP access list Prob5Reflect
     permit tcp host 192.10.32.254 eq telnet host 192.10.32.14 eq 15697 (39 matches) (time left 295)
     permit tcp host 192.10.32.14 eq bgp host 192.10.32.254 eq 39820 (1 match) (time left 245)
     permit udp host 192.10.32.14 eq ntp host 192.10.32.254 eq ntp (4 matches) (time left 238)
Extended IP access list Prob5in
    10 permit udp any any eq ntp
    20 evaluate Prob5Reflect
    30 deny ip any any log
Extended IP access list Prob5out
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.14 eq 15697 (18 matches)
    10 permit ip any any reflect Prob5Reflect (20 matches)
R4#sh run | b ATM
interface ATM1/0
 ip address 192.10.32.14 255.255.255.0
 ip access-group Prob5in in
 ip access-group Prob5out out
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Prob5in
 permit udp any any eq ntp
 evaluate Prob5Reflect
 deny   ip any any log
ip access-list extended Prob5out
 permit ip any any reflect Prob5Reflect
access-list 100 permit udp any any eq ntp
access-list 100 deny   ip any any log
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
 --More--
R4#
Apr 14 17:49:21.214: %SEC-6-IPACCESSLOGP: list Prob5in denied tcp 192.10.32.254(39830) -> 192.10.32.14(179), 1 packet
R4#
RACK14AS>1
[Resuming connection 1 to r1 ... ]
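Added example (not part of this PuTTY log), covering the R4 reflexive ACL section above. The model below reproduces the two lists as finally applied on ATM1/0: Prob5out on the way out installs the mirror image of every TCP/UDP 5-tuple it forwards, and Prob5in on the way in permits NTP statically, then "evaluate Prob5Reflect", then logs and drops the rest. Fed the flows the log shows (R3's NAT-translated telnet to 192.10.32.254, CR1's repeated BGP SYNs to port 179, NTP), it produces the same verdicts, including the "list Prob5in denied tcp 192.10.32.254(39830) -> 192.10.32.14(179)" message. A second function shows the mistake visible in the intermediate "sh run" above, where Prob5out was applied "in": a reflect entry in that direction permits every unsolicited inbound packet and mirrors it, which is how a "192.10.32.14 eq bgp -> 192.10.32.254 eq 39820" entry came to sit in Prob5Reflect. The class, its fixed 300 s expiry and the TCP/UDP-only mirroring are this example's simplifications, not IOS code.

```python
from typing import Dict, List, Tuple

Packet = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport); ports 0 for non-TCP/UDP

OUTSIDE, INSIDE = "192.10.32.254", "192.10.32.14"   # CR1 and R4's ATM1/0 (NAT outside) address


class ReflexiveAcl:
    """Model of R4's ATM1/0 filters: Prob5out ('permit ip any any reflect Prob5Reflect') and
    Prob5in ('permit udp any any eq ntp' / 'evaluate Prob5Reflect' / 'deny ip any any log').
    Assumptions: only TCP and UDP create reflected entries, and an entry lives for the IOS
    default of 300 s, modelled here as a fixed expiry rather than an inactivity timer."""

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.reflect: Dict[Packet, int] = {}   # mirrored 5-tuple -> expiry time (s)
        self.log: List[str] = []

    def reflect_list(self, pkt: Packet, now: int) -> str:
        """Prob5out: permits everything and installs the mirror image of each TCP/UDP
        5-tuple so that the reply matches 'evaluate Prob5Reflect' on the way back."""
        proto, src, sport, dst, dport = pkt
        if proto in ("tcp", "udp"):
            self.reflect[(proto, dst, dport, src, sport)] = now + self.timeout
        return "permit"

    def inbound_list(self, pkt: Packet, now: int) -> str:
        """Prob5in, evaluated top-down like the numbered entries in 'sh access-list'."""
        proto, src, sport, dst, dport = pkt
        if proto == "udp" and dport == 123:             # 10 permit udp any any eq ntp
            return "permit (ntp)"
        expiry = self.reflect.get(pkt)                   # 20 evaluate Prob5Reflect
        if expiry is not None and expiry > now:
            return "permit (reflected)"
        self.log.append(f"list Prob5in denied {proto} {src}({sport}) -> {dst}({dport})")  # 30 deny, log
        return "deny (logged)"


def demo_correct_placement() -> dict:
    """Final state in the log: Prob5out applied 'out', Prob5in applied 'in' on ATM1/0."""
    fw = ReflexiveAcl()
    r = {}
    r["telnet_out"] = fw.reflect_list(("tcp", INSIDE, 15697, OUTSIDE, 23), now=0)      # R3 -> CR1 via NAT
    r["telnet_reply_in"] = fw.inbound_list(("tcp", OUTSIDE, 23, INSIDE, 15697), now=10)
    r["bgp_syn_in"] = fw.inbound_list(("tcp", OUTSIDE, 39830, INSIDE, 179), now=10)    # CR1's BGP probe
    r["ntp_in"] = fw.inbound_list(("udp", OUTSIDE, 123, INSIDE, 123), now=10)
    r["telnet_reply_after_timeout"] = fw.inbound_list(("tcp", OUTSIDE, 23, INSIDE, 15697), now=400)
    r["log"] = fw.log
    return r


def demo_reflect_applied_inbound() -> dict:
    """The intermediate mistake (Prob5out applied 'in'): the reflect entry permits any
    unsolicited inbound packet and mirrors it, producing the bgp -> 39820 entry seen above."""
    fw = ReflexiveAcl()
    decision = fw.reflect_list(("tcp", OUTSIDE, 39820, INSIDE, 179), now=0)
    return {"inbound_syn": decision, "entries": sorted(fw.reflect)}
```

The direction a reflect list is applied in is the whole control: the same entry that protects the inside when placed outbound is a permit-any when placed inbound, and the reflexive table will faithfully record the attacker's flows as if they were yours.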
R1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#tacacs-server ?
  administration      Start tacacs+ daemon handling administrative messages
  directed-request    Allow user to specify tacacs server to use with `@server'
  dns-alias-lookup    Enable IP Domain Name System Alias lookup for TACACS servers
  extended            Enable extended TACACS
  host                Specify a TACACS server
  key                 Set TACACS+ encryption key.
  last-resort         Define TACACS action if no server responds
  optional-passwords  The first TACACS request can be made without password verification
  packet              Modify TACACS+ packet options
  retransmit          Search iterations of the TACACS server list
  timeout             Time to wait for a TACACS server to reply
R1(config)#tacacs-server host ?
  Hostname or A.B.C.D  IP address of TACACS server
R1(config)#tacacs-server host 17.57.100.99 >?
% Unrecognized command
R1(config)#tacacs-server host 17.57.100.99
R1(config)#tacacs-server key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key
R1(config)#tacacs-server key MyKey
R1(config)#aaa new-model
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username
R1(config)#aaa authentication login default ?
  enable       Use enable password for authentication.
group Use Server-group krb5 Use Kerberos 5 authentication. krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. R1(config)#aaa authentication login default local R1(config)#aaa authen login Prob6 ? enable Use enable password for authentication. group Use Server-group krb5 Use Kerberos 5 authentication. krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. R1(config)#aaa authen login Prob6 grou ? WORD Server-group name radius Use list of all Radius hosts. tacacs+ Use list of all Tacacs+ hosts. R1(config)#aaa authen login Prob6 grou ta R1(config)#aaa authen login Prob6 grou tacacs+ ? enable Use enable password for authentication. group Use Server-group krb5 Use Kerberos 5 authentication. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. R1(config)#aaa authen login Prob6 grou tacacs+ local R1(config)#line vty 0 4 R1(config-line)#login authen ? WORD Use an authentication list with this name. default Use the default authentication list. R1(config-line)#login authen Prob6 R1(config-line)# R1(config-line)# R1(config-line)# R1(config-line)#exit R1(config)#exitlogin authen Prob6ine vty 0 4 ogin authen Prob6exit  do sh a run | b   i user username JoeUser privilege 5 R1(config)#username JoeUser privilege 5 ? 
access-class Restrict access by access-class autocommand Automatically issue a command after the user logs in callback-dialstring Callback dialstring callback-line Associate a specific line with this callback callback-rotary Associate a rotary group with this callback dnis Do not require password when obtained via DNIS nocallback-verify Do not require authentication after callback noescape Prevent the user from using an escape character nohangup Do not disconnect after an automatic command nopassword No password is required for the user to log in password Specify the password for the user privilege Set user privilege level secret Specify the secret for the user user-maxlinks Limit the user's number of inbound links R1(config)#username JoeUser privilege 5 pass cisco R1(config)#^Z R1# *Mar 1 02:51:35.809: %SYS-5-CONFIG_I: Configured from c RACK14AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.101.1 Trying 17.57.101.1 ... Open R2#q [Connection to 17.57.101.1 closed by foreign host] S5#17.57.101.10.1 Trying 17.57.100.1 ... Open Username: Jop eUser Password: R1#p sh privi Current privilege level is 15 R1#q [Connection to 17.57.100.1 closed by foreign host] S5# RACK14AS>1 [Resuming connection 1 to r1 ... ] console R1# R1#sh run | i aaa aaa new-model aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common R1# R1# R1# R1# R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#aaa authentication login Prob6 group tacacs+ local R1(config)#aaa authentication login Prob6 group tacacs+ local~     ? enable Use enable password for authentication. group Use Server-group krb5 Use Kerberos 5 authentication. line Use line password for authentication. none NO authentication. 
R1(config)#aaa authentication login Prob6 group tacacs+ loca                                                   ^Z R1#sh *Mar 1 02:53:09.614: %SYS-5-CONFIG_I: Configured from console by console R1#sh ru |    n | b user username JoeUser privilege 5 password 0 cisco ! ! ! ! interface Ethernet0/0 ip address 17.57.100.1 255.255.255.0 half-duplex ! interface Serial0/0 no ip address encapsulation frame-relay ! interface Serial0/0.1 point-to-point ip address 180.40.7.34 255.255.255.224 ip ospf network point-to-multipoint frame-relay interface-dlci 103 ! interface Ethernet0/1 no ip address shutdown half-duplex ! --More--  interface Serial0/1 no ip address shutdown ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! no ip http server ip classless ! ! ! ! tacacs-server host 17.57.100.99 tacacs-server directed-request tacacs-server key MyKey ! ! ! privilege configure level 5 snmp-server community privilege configure level 5 snmp-server privilege exec level 5 configure terminal --More--  privilege exec level 5 configure privilege exec level 5 show running-config privilege exec level 5 show ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 login authentication Prob6 ! ! end R1# R1# R1# RACK14AS>4 [Resuming connection 4 to r4 ... ] Apr R4#sh run | b ATM interface ATM1/0 ip address 192.10.32.14 255.255.255.0 ip access-group Prob5in in ip access-group Prob5out out ip nat outside no atm ilmi-keepalive pvc 0/72 protocol ip 192.10.32.254 broadcast ! ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! ip nat inside source list IPNAT interface ATM1/0 overload no ip http server no ip http secure-server ip classless ! ! ! ip access-list standard IPNAT permit 180.40.7.0 0.0.0.255 --More--   permit 17.0.0.0 0.255.255.255 ! 
ip access-list extended Prob5in permit udp any any eq ntp evaluate Prob5Reflect deny ip any any log ip access-list extended Prob5out permit ip any any reflect Prob5Reflect access-list 100 permit udp any any eq ntp access-list 100 deny ip any any log ! ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 no login --More--   R4# Apr 14 17:55:21.232: %SEC-6-IPACCESSLOGP: list Prob5in denied tcp 192.10.32.254(39860) -> 192.10.32.14(179), 1 packet R4# RACK14AS>1 [Resuming connection 1 to r1 ... ] R1#sh run | b user username JoeUser privilege 5 password 0 cisco ! ! ! ! interface Ethernet0/0 ip address 17.57.100.1 255.255.255.0 half-duplex ! interface Serial0/0 no ip address encapsulation frame-relay ! interface Serial0/0.1 point-to-point ip address 180.40.7.34 255.255.255.224 ip ospf network point-to-multipoint frame-relay interface-dlci 103 ! interface Ethernet0/1 no ip address shutdown half-duplex ! --More--   R1#sh run | b user    aaa aaa new-model ! ! aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ! ! ! ! ! ! ! ! ! ! ! --More--  username JoeUser privilege 5 password 0 cisco ! ! ! ! interface Ethernet0/0 ip address 17.57.100.1 255.255.255.0 half-duplex ! interface Serial0/0 no ip address encapsulation frame-relay ! interface Serial0/0.1 point-to-point ip address 180.40.7.34 255.255.255.224 ip ospf network point-to-multipoint frame-relay interface-dlci 103 ! interface Ethernet0/1 no ip address shutdown half-duplex ! --More--  interface Serial0/1 no ip address shutdown ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! no ip http server ip classless ! ! ! ! tacacs-server host 17.57.100.99 tacacs-server directed-request tacacs-server key MyKey ! ! ! 
privilege configure level 5 snmp-server community privilege configure level 5 snmp-server privilege exec level 5 configure terminal --More--  privilege exec level 5 configure privilege exec level 5 show running-config privilege exec level 5 show ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 login authentication Prob6 ! ! end R1# R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#aaa R1(config)#aaa ? accounting Accounting configurations parameters. authentication Authentication configurations parameters. authorization Authorization configurations parameters. cache AAA cache definitions configuration Authorization configuration parameters. dnis Associate certain AAA parameters to a specific DNIS number group AAA group definitions nas NAS specific configuration new-model Enable NEW access control commands and functions.(Disables OLD commands.) pod POD processing route Static route downloading session-id AAA Session ID session-mib AAA session MIB options traceback Traceback recording user AAA user definitions R1(config)#aaa a authen R1(config)#aaa authentication ? arap Set authentication lists for arap. attempts Set the maximum number of authentication attempts banner Message to use when starting login/authentication. enable Set authentication list for enable. fail-message Message to use for failed login/authentication. login Set authentication lists for logins. password-prompt Text to use when prompting for a password ppp Set authentication lists for ppp. sgbp Set authentication lists for sgbp. username-prompt Text to use when prompting for a username R1(config)#aaa authentication Pass R1(config)#aaa authentication Password-prompt ? 
WORD Text of prompt R1(config)#aaa authentication Password-prompt CCIE_Pasword  _: R1(config)#aaa authentication Password-prompt CCIE_Pasword_:                              us R1(config)#aaa authentication username-prompt CCIE_Usre   sername_: R1(config)#^Z R1# *Mar 1 02:57:30.073: %SYS-5-CONFIG_I: Configured from console by console R1# RACK14AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.100.1 Trying 17.57.100.1 ... Open CCIE_Username_:JoeUser CCIE_Pasword_: R1#q [Connection to 17.57.100.1 closed by foreign host] S5# S5# RACK14AS>1 [Resuming connection 1 to r1 ... ] R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#aaa authentication username-prompt CCIE_Username_:           CIE USer   sername : ^ % Invalid input detected at '^' marker. R1(config)#aaa authentication username-prompt CCIE Username :" "CCIE Username :" R1(config)# RACK14AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.100.1 Trying 17.57.100.1 ... Open CCIE Username : CCIE Username : CCIE Username : RACK14AS>1 [Resuming connection 1 to r1 ... ] R1(config)#aaa authentication username-prompt "CCIE Username :"" " :" " R1(config)#aaa authentication username-prompt "CCIE Username: " :"CCIE Username : _Username_:Password-prompt CCIE_Pasword_: : : "Pasword: "  Pasword: ""CCIE Pasword: " R1(config)#aaa authentication Password-prompt "CCIE Pasword: "sword: " R1(config)# RACK14AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.100.1 Trying 17.57.100.1 ... Open CCIE Username: JoeUser CCIE Password: R1#q~  [Connection to 17.57.100.1 closed by foreign host] S5# S5#^x1 % Unknown command or computer name, or unable to find computer address S5# S5# RACK14AS>1 [Resuming connection 1 to r1 ... ] R1(config)#^Z R1#sh run | *Mar 1 03:00:49.224: %SYS-5-CONFIG_I: Configured from console by console R1#sh run | b aaa aaa new-model ! ! 
aaa authentication password-prompt "CCIE Password: " aaa authentication username-prompt "CCIE Username: " aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ! ! ! ! ! ! ! ! ! --More--   R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#aaa ? accounting Accounting configurations parameters. authentication Authentication configurations parameters. authorization Authorization configurations parameters. cache AAA cache definitions configuration Authorization configuration parameters. dnis Associate certain AAA parameters to a specific DNIS number group AAA group definitions nas NAS specific configuration new-model Enable NEW access control commands and functions.(Disables OLD commands.) pod POD processing route Static route downloading session-id AAA Session ID session-mib AAA session MIB options traceback Traceback recording user AAA user definitions R1(config)#aaa authen R1(config)#aaa authentication ? arap Set authentication lists for arap. attempts Set the maximum number of authentication attempts banner Message to use when starting login/authentication. enable Set authentication list for enable. fail-message Message to use for failed login/authentication. login Set authentication lists for logins. password-prompt Text to use when prompting for a password ppp Set authentication lists for ppp. sgbp Set authentication lists for sgbp. username-prompt Text to use when prompting for a username R1(config)#aaa authentication ban R1(config)#aaa authentication banner ? LINE c message-text c, where 'c' is a delimiting character R1(config)#aaa authentication banner                           banner motd # Enter TEXT message. End with the character '#'. Keep out # R1(config)#end R1# RACK14AS>5 [Resuming connection 5 to r5 ... 
] S5#^x1 % Unknown command or computer name, or unable to find computer address S5#^x117.57.100.1 Trying 17.57.100.1 ... Open Keep out RACK14AS>1 [Resuming connection 1 to r1 ... ] * R1#sh ru n  n | b banner banner motd ^C Keep out ^C privilege configure level 5 snmp-server community privilege configure level 5 snmp-server privilege exec level 5 configure terminal privilege exec level 5 configure privilege exec level 5 show running-config privilege exec level 5 show ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 login authentication Prob6 ! ! --More--   R1# R1# R1# R1# RACK14AS>3 [Resuming connection 3 to r3 ... ] [Connection to 192.10.32.254 closed by foreign host] R3#config t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#user George pass boscop \  R3(config)#line vty 0 4 R3(config-line)#autocom R3(config-line)#autocommand access-enable time 2 R3(config-line)#login local R3(config-line)#login local exit R3(config)#exitlogin localautocommand access-enable time 2 line vty 0 4 user George pass bosco ? LINE R3(config)#user George pass bosco            ? access-class Restrict access by access-class autocommand Automatically issue a command after the user logs in callback-dialstring Callback dialstring callback-line Associate a specific line with this callback callback-rotary Associate a rotary group with this callback dnis Do not require password when obtained via DNIS nocallback-verify Do not require authentication after callback noescape Prevent the user from using an escape character nohangup Do not disconnect after an automatic command nopassword No password is required for the user to log in password Specify the password for the user privilege Set user privilege level secret Specify the secret for the user user-maxlinks Limit the user's number of inbound links R3(config)#user George autoeh   R3(config)#user George autocommand ? 
LINE Command to be automatically issued after the user logs in R3(config)#user George autocommand access-n enable timeout 2 R3(config)#int   line vty 0 4 R3(config-line)#line vty 0 4user George autocommand access-enable timeout 2exit login localautocommand access-enable time 2nautocommand access-enable time 2oautocommand access-enable time 2 autocommand access-enable time 2 R3(config-line)#exit R3(config)#do sh run i | b line line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 login local ! ntp authentication-key 1 md5 1063102D0C1A17 7 ntp clock-period 17208138 ntp server 180.40.7.98 key 1 ! end R3(config)#access-list 100                 do sh run | i access username George autocommand access-enable timeout 2 R3(config)#access-list 100 per tcp any any         180.40.7.0 0.0.0.31 an  180.40.7.2 129 0.0.0.31 180.40.7.129 1 0.0.0.31 180.40.7.1292 0.0.0.31 180.40.7.1298 0.0.0.31 180.40.7.129 0.0.0.31 180.40.7.129 eq teln$ 100 per tcp 180.40.7.128 0.0.0.31 180.40.7.129 eq telne t ^ % Invalid input detected at '^' marker. R3(config)#$ 100 per tcp 180.40.7.128 0.0.0.31 180.40.7.129 eq telnet  ^ % Invalid input detected at '^' marker. R3(config)#$ 100 per tcp 180.40.7.128 0.0.0.31 180.40.7.129 eq telne     ? % Unrecognized command R3(config)#access-list 100 per tcp 180.40.7.128 0.0.0.31 180.40.7.129 eq access-list 100 per tcp 180.40.7.128 0.0.0.31 180.40.7.129 h180.40.7.129 eq o180.40.7.129 eq s180.40.7.129 eq t180.40.7.129 eq  180.40.7.129 eq 180.40.7.129 eq$ 100 per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq tel R3(config)#$ 100 per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq tel                                                  ? 
<0-255> An IP protocol number ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol pim Protocol Independent Multicast tcp Transmission Control Protocol udp User Datagram Protocol R3(config)#access-list 100 per ip ? A.B.C.D Source address any Any source host host A single source host R3(config)#access-list 100 per ip        >? % Unrecognized command R3(config)#access-list 100 > ? deny Specify packets to reject dynamic Specify a DYNAMIC list of PERMITs or DENYs permit Specify packets to forward remark Access list entry comment R3(config)#access-list 100 dyn ? WORD Name of a Dynamic list R3(config)#access-list 100 dyn Prob9 ? deny Specify packets to reject permit Specify packets to forward timeout Maximum time for dynamic ACL to live R3(config)#access-list 100 dyn Prob9 per ? <0-255> An IP protocol number ahp Authentication Header Protocol eigrp Cisco's EIGRP routing protocol esp Encapsulation Security Payload gre Cisco's GRE tunneling icmp Internet Control Message Protocol igmp Internet Gateway Message Protocol ip Any Internet Protocol ipinip IP in IP tunneling nos KA9Q NOS compatible IP over IP tunneling ospf OSPF routing protocol pcp Payload Compression Protocol pim Protocol Independent Multicast tcp Transmission Control Protocol udp User Datagram Protocol R3(config)#access-list 100 dyn Prob9 per any     ip any any R3(config)#access-l;ist      ist 100 den ip any     180.0.  
40.7.128 0.0.0.31 any R3(config)#ip access-list ex 100 R3(config-ext-nacl)#do sh access-list Extended IP access list 100 10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet 20 Dynamic Prob9 permit ip any any 30 deny ip 180.40.7.128 0.0.0.31 any R3(config-ext-nacl)#15 per udp any any eq ntp R3(config-ext-nacl)#^Z R3# Apr 14 18:09:43.004: %SYS-5-CONFIG_I: Configured from console by console R3# RACK14AS>6 [Resuming connection 6 to r6 ... ] S6#pin 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms S6# RACK14AS>3 [Resuming connection 3 to r3 ... ] R3#i config t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#int fa 0/1 R3(config-if)#ip access R3(config-if)#ip access-group 100 in R3(config-if)#^Z R3# RACK14AS>6 [Resuming connection 6 to r6 ... ] pin 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) S6#^x3 % Unknown command or computer name, or unable to find computer address S6# S6# RACK14AS>3 [Resuming connection 3 to r3 ... ] Apr 14 18:10:16.840: R3#config t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#ip access-group 100 innt fa 0/1 15 per udp any any eq ntpdo sh access-list ip access-list ex 100 R3(config-ext-nacl)#do sh ip proto Routing Protocol is "ospf 1" Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Router ID 180.40.7.129 Number of areas in this router is 1. 
1 normal 0 stub 0 nssa Maximum path: 4 Routing for Networks: 0.0.0.0 255.255.255.255 area 0 Routing Information Sources: Gateway Distance Last Update 17.57.101.2 110 03:06:27 180.40.7.35 110 03:06:27 180.40.7.34 110 03:06:27 192.10.32.14 110 03:06:27 Distance: (default is 110) R3(config-ext-nacl)#q 18 per ospf any any R3(config-ext-nacl)#^Z R3# Apr 14 18:10:47.907: %SYS-5-CONFIG_I: Configured from console by console R3# RACK14AS>6 [Resuming connection 6 to r6 ... ] S6#^x3pin 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: U 03:12:52: %OSPF-5-ADJCHG: Process 1, Nbr 180.40.7.129 on FastEthernet0/3 from LOADING to FULL, Loading Done.U.U Success rate is 0 percent (0/5) S6#pin 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) S6#180.40.7.129 Trying 180.40.7.129 ... Open User Access Verification Username: George Password: [Connection to 180.40.7.129 closed by foreign host] S6#180.40.7.129pin 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms S6# RACK14AS>3 [Resuming connection 3 to r3 ... ] Apr R3#sh access-lk o iust ^ % Invalid input detected at '^' marker. 
R3#sh access-liustst
Extended IP access list 100
    10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet (87 matches)
    15 permit udp any any eq ntp (4 matches)
    18 permit ospf any any (7 matches)
    20 Dynamic Prob9 permit ip any any
       permit ip any any (5 matches) (time left 107)
    30 deny ip 180.40.7.128 0.0.0.31 any (36 matches)
R3#sh access-list
Extended IP access list 100
    10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet (87 matches)
    15 permit udp any any eq ntp (5 matches)
    18 permit ospf any any (10 matches)
    20 Dynamic Prob9 permit ip any any
       permit ip any any (5 matches) (time left 80)
    30 deny ip 180.40.7.128 0.0.0.31 any (36 matches)
R3#sh access-list
RACK14AS>6
[Resuming connection 6 to r6 ... ]
S6#pin 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms
S6#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
R3#sh access-list
Extended IP access list 100
    10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet (87 matches)
    15 permit udp any any eq ntp (9 matches)
    18 permit ospf any any (16 matches)
    20 Dynamic Prob9 permit ip any any
       permit ip any any (10 matches) (time left 114)
    30 deny ip 180.40.7.128 0.0.0.31 any (36 matches)
R3#sh run | b 0/1
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group 100 in
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 180.40.7.33 255.255.255.224
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 180.40.7.34 301 broadcast
 frame-relay map ip 180.40.7.35 302 broadcast
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
!
interface Serial1/3
 no ip address
 shutdown
 --More--
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
 --More--
no ip http server
no ip http secure-server
!
access-list 100 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
access-list 100 permit udp any any eq ntp
access-list 100 permit ospf any any
access-list 100 dynamic Prob9 permit ip any any
access-list 100 deny ip 180.40.7.128 0.0.0.31 any
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 --More--
 login local
!
ntp authentication-key 1 md5 1063102D0C1A17 7
ntp clock-period 17208149
ntp server 180.40.7.98 key 1
!
end
R3#
R3#sh run | b user
username George password 0 bosco
username George autocommand access-enable timeout 2
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group 100 in
 --More--
R3#^x2
% Unknown command or computer name, or unable to find computer address
R3#
R3#
RACK14AS>2
[Resuming connection 2 to r2 ... ]
R2#sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (active) (4 matches)
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#access-list 101 per tcp any 17.57.101.0 0.0.0.0 255 ?
ack Match on the ACK bit dscp Match packets with given dscp value eq Match only packets on a given port number established Match established connections fin Match on the FIN bit fragments Check non-initial fragments gt Match only packets with a greater port number log Log matches against this entry log-input Log matches against this entry, including input interface lt Match only packets with a lower port number neq Match only packets not on a given port number precedence Match packets with given precedence value psh Match on the PSH bit range Match only packets in the range of port numbers rst Match on the RST bit syn Match on the SYN bit time-range Specify a time-range tos Match packets with given TOS value urg Match on the URG bit R2(config)#access-list 101 per tcp any 17.57.101.0 0.0.0.255 R2(config)#ip tcp ? async-mobility Configure async-mobility chunk-size TCP chunk size intercept Enable TCP intercepting mss TCP initial maximum segment size path-mtu-discovery Enable path-MTU discovery on new TCP connections queuemax Maximum queue of outgoing TCP packets selective-ack Enable TCP selective-ACK synwait-time Set time to wait on new TCP connections timestamp Enable TCP timestamp option window-size TCP window size R2(config)#ip tcp int R2(config)#ip tcp intercept ? connection-timeout Specify timeout for connection info drop-mode Specify incomplete connection drop mode finrst-timeout Specify timeout for FIN/RST list Specify access-list to use max-incomplete Specify maximum number of incomplete connections before clamping mode Specify intercepting mode one-minute Specify one-minute-sample watermarks for clamping watch-timeout Specify timeout for incomplete connections in watch mode R2(config)#ip tcp intercept list ? <100-199> Extended access list number for intercept WORD Access list name for intercept R2(config)#ip tcp intercept list 101 ? 
R2(config)#ip tcp intercept list 101
R2(config)#^Z
R2#
Apr 14 18:16:40.567: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | b ip tcp
ip tcp intercept list 101
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
 --More--
!
!
interface FastEthernet0/0
 ip address 17.57.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 180.40.7.35 255.255.255.224
 --More--
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 203
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.2 255.255.255.224
 clock rate 64000
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
 --More--
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip any any time-range Prob4
access-list 101 permit tcp any 17.57.101.0 0.0.0.255
!
!
!
!
 --More--
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 no login
!
ntp clock-period 17208133
ntp server 180.40.7.98
time-range Prob4
 periodic daily 8:00 to 20:30
!
!
end
R2#
R2#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#cry
R2(config)#crypto ?
ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#crypto    R2(config)#crypto is R2(config)#crypto isakmp ? aggressive-mode Disable ISAKMP aggressive mode client Set client configuration policy enable Enable ISAKMP identity Set the identity which ISAKMP will use keepalive Set a keepalive interval for use with IOS peers key Set pre-shared key for remote peer nat Set a nat keepalive interval for use with IOS peers peer Set Peer Policy policy Set policy for an ISAKMP protection suite profile Define ISAKMP Profiles xauth Set Extended Authentication values R2(config)#crypto isakmp key R2(config)#crypto isakmp key ? WORD pre-shared key R2(config)#crypto isakmp key cisco ? address define shared key with IP address hostname define shared key with hostname R2(config)#crypto isakmp key cisco h address ? A.B.C.D Peer IP address R2(config)#crypto isakmp key cisco address 180.40.7.3 ? A.B.C.D Peer IP subnet mask no-xauth Bypasses XAuth for this peer R2(config)#crypto isakmp key cisco address 180.40.7.3 R2(config)#cry is R2(config)#cry isakmp ? aggressive-mode Disable ISAKMP aggressive mode client Set client configuration policy enable Enable ISAKMP identity Set the identity which ISAKMP will use keepalive Set a keepalive interval for use with IOS peers key Set pre-shared key for remote peer nat Set a nat keepalive interval for use with IOS peers peer Set Peer Policy policy Set policy for an ISAKMP protection suite profile Define ISAKMP Profiles xauth Set Extended Authentication values R2(config)#cry isakmp pol ? <1-10000> Priority of protection suite R2(config)#cry isakmp pol 10 ? R2(config)#cry isakmp pol 10 R2(config-isakmp)#? 
ISAKMP commands: authentication Set authentication method for protection suite default Set a command to its defaults encryption Set encryption algorithm for protection suite exit Exit from ISAKMP protection suite configuration mode group Set the Diffie-Hellman group hash Set hash algorithm for protection suite lifetime Set lifetime for ISAKMP security association no Negate a command or set its defaults R2(config-isakmp)#authen ? pre-share Pre-Shared Key rsa-encr Rivest-Shamir-Adleman Encryption rsa-sig Rivest-Shamir-Adleman Signature R2(config-isakmp)#authen pre R2(config-isakmp)#authen pre-share ? R2(config-isakmp)#authen pre-share R2(config-isakmp)#exit R2(config)#access-list 150 per icmp any any R2(config)#cry ? ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#cry ip ? client Configure a client df-bit Handling of encapsulated DF bit. fragmentation Handling of fragmentation of near-MTU sized packets nat-transparency IPsec NAT transparency model optional Enable optional encryption for IPSec profile Configure an ipsec policy profile security-association Security association parameters transform-set Define transform and settings R2(config)#cry ip tr R2(config)#cry ip transform-set ? WORD Transform set tag R2(config)#cry ip transform-set prob11 ? 
ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform comp-lzs IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-sha-hmac ESP transform using HMAC-SHA auth R2(config)#cry ip transform-set prob11 ah R2(config)#cry ip transform-set prob11 ah-sh R2(config)#cry ip transform-set prob11 ah-sha-hmac ? comp-lzs IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-sha-hmac ESP transform using HMAC-SHA auth R2(config)#cry ip transform-set prob11 ah-sha-hmac R2(cfg-crypto-trans)#? Crypto transform configuration commands: default Set a command to its defaults exit Exit from crypto transform configuration mode mode encapsulation mode (transport/tunnel) no Negate a command or set its defaults R2(cfg-crypto-trans)#mode ? transport transport (payload encapsulation) mode tunnel tunnel (datagram encapsulation) mode R2(cfg-crypto-trans)#mode      exit R2(config)#cry R2(config)#crypto m R2(config)#crypto map R2(config)#crypto map ? WORD Crypto map tag R2(config)#crypto map Prob11 ? <1-65535> Sequence to insert into crypto map entry client Specify client configuration settings isakmp Specify isakmp configuration settings isakmp-profile Specify isakmp profile to use local-address Interface to use for local address for this crypto map R2(config)#crypto map Prob11 is R2(config)#crypto map Prob11 isakmp ? authorization Authorization parameters. R2(config)#crypto map Prob11 isakmp        10 ? 
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying

R2(config)#crypto map Prob11 10 ipsec-isakmp ?
  dynamic  Enable dynamic crypto map support
  profile  Enable crypto map as a crypto-profile

R2(config)#crypto map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R2(config-crypto-map)#match ?
  address  Match address of packets to encrypt.

R2(config-crypto-map)#match add ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

R2(config-crypto-map)#match add 150
R2(config-crypto-map)#set peer ?
  Hostname or A.B.C.D  IP address/hostname of peer

R2(config-crypto-map)#set peer 180.40.7.3
R2(config-crypto-map)#set transform-set ?
  WORD  Proposal tag

R2(config-crypto-map)#set transform-set prob11
R2(config-crypto-map)#int s 1/2
R2(config-if)#crypto map Prob11
Apr 14 18:21:45.877: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#int s 1/0.1
R2(config-subif)#crypto map Prob11
R2(config-subif)#^Z
R2#
Apr 14 18:21:54.291: %SYS-5-CONFIG_I: Configured from console by console
R2#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
R3#sh run int s 1/2
Building configuration...

Current configuration : 66 bytes
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
end

R3#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#cry isakmp key cisco ?
  address   define shared key with IP address
  hostname  define shared key with hostname

R3(config)#cry isakmp key cisco add 180.40.7.2
R3(config)#cry isakmp policy 10
R3(config-isakmp)#authentication pre
R3(config-isakmp)#exit
R3(config)#access-list 150 per icmp any any
R3(config)#cry ip transform-set Prob11
% Incomplete command.

R3(config)#cry ip transform-set Prob11 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-sha-hmac  ESP transform using HMAC-SHA auth

R3(config)#cry ip transform-set Prob11 ah-sha-hmac
R3(cfg-crypto-trans)#exit
R3(config)#cry map ?
  WORD  Crypto map tag

R3(config)#cry map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
R3(config-crypto-map)#match add 150
R3(config-crypto-map)#do sh run \
                                ^
% Invalid input detected at '^' marker.

R3(config-crypto-map)#do sh run
Building configuration...

Current configuration : 2211 bytes
!
! Last configuration change at 18:10:47 UTC Fri Apr 14 2006
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
username George password 0 bosco
username George autocommand access-enable timeout 2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.2
!
crypto ipsec transform-set Prob11 ah-sha-hmac
!
crypto map Prob11 10 ipsec-isakmp
 ! Incomplete
 match address 150
!
interface FastEthernet0/0
[output interrupted at the --More-- prompt]

R3(config-crypto-map)#set peer 180.40.7.2
R3(config-crypto-map)#set transform-set prob11
ERROR: transform set with tag "prob11" does not exist.

R3(config-crypto-map)#set transform-set Prob11
R3(config-crypto-map)#do sh run | b cry
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
username George password 0 bosco
username George autocommand access-enable timeout 2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.2
!
crypto ipsec transform-set Prob11 ah-sha-hmac
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.2
 set transform-set Prob11
 match address 150
!
interface FastEthernet0/0
[output interrupted at the --More-- prompt]

R3(config-crypto-map)#int s 1/2
R3(config-if)#cry map Prob11
Apr 14 18:24:19.503: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#int s 1/0
R3(config-if)#cry map Prob11
R3(config-if)#^Z
R3#
Apr 14 18:24:25.297: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 180.40.7.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/45/48 ms
R3#ping 180.40.7.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms
R3#sh cry ipsec sa

interface: Serial1/2
    Crypto map tag: Prob11, local addr. 180.40.7.3

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/1/0)
   current_peer: 180.40.7.2:500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 9, #pkts encrypt: 0, #pkts digest 9
    #pkts decaps: 9, #pkts decrypt: 0, #pkts verify 9
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 181BD01D

     inbound esp sas:

     inbound ah sas:
[output interrupted at the --More-- prompt]

R3#config t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#ip domain?
domain  domain-list  domain-lookup  domain-name
R3(config)#ip domain-name ccie.com
R3(config)#cry key ?
  generate      Generate new keys
  pubkey-chain  Peer public key chain management
  zeroize       Remove keys

R3(config)#cry key generate ?
  rsa  Generate RSA keys

R3(config)#cry key generate rsa ?
  general-keys  Generate a general purpose RSA key pair for signing and encryption
  usage-keys    Generate separate RSA key pairs for signing and encryption

R3(config)#cry key generate rsa
The name for the keys will be: R3.ccie.com
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.
How many bits in the modulus [512]:
% Generating 512 bit RSA keys ...[OK]

R3(config)#
Apr 14 18:28:23.391: %SSH-5-ENABLED: SSH 1.5 has been enabled
R3(config)#^Z
R3#
Apr 14 18:28:27.582: %SYS-5-CONFIG_I: Configured from console by console
R3#sh cry ?
  ca           Show certification authority policy
  dynamic-map  Crypto map templates
  engine       Show crypto engine info
  identity     Show crypto identity list
  ipsec        Show IPSEC policy
  isakmp       Show ISAKMP Security Associations
  key          Show long term public keys
  map          Crypto maps
  mib          Show Crypto-related MIB Parameters
  optional     Optional Encryption Status
  sockets      Secure Socket Information

R3#sh cry leu ?
% Unrecognized command
R3#sh cry key ?
  mypubkey      Show public keys associated with this router
  pubkey-chain  Show peer public keys

R3#sh cry key pubkey-chain ?
  rsa  Show peer RSA public keys

R3#sh cry key pubkey-chain rsa ?
  address  Select key by address
  name     Select key by name
  |        Output modifiers

R3#sh cry key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage  IP-Address/VRF  Keyring  Name

R3#sh cry key mypubkey ?
  rsa  Show RSA public keys

R3#sh cry key mypubkey rsa ?
  |  Output modifiers

R3#sh cry key mypubkey rsa
% Key pair was generated at: 18:28:23 UTC Apr 14 2006
Key name: R3.ccie.com
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D2EEB1 65C235DA
  2101EEC9 5DC9D372 58BF1ADD 3FF7911A 2AB3D1A4 FEDF12D2 9E191C38 7D1811F9
  CA5EF85C A4C8A9F9 B07BA640 F3D37A0E 56192604 0A44A69A 37020301 0001
% Key pair was generated at: 18:28:27 UTC Apr 14 2006
Key name: R3.ccie.com.server
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00CB6910 DD16C186
  FEFDCA37 90FC6EC6 4597BDDC E5BC3780 0E7B20A2 9E01DE7E F11CAC53 B69C0616
  E61FF7B5 220A3302 D3F0243E A732B56A 5CBFBEE6 D6952DF6 CBB6E7AB C37C5C29
  E36B5A77 04CAE041 125932BB 48069908 EDA1BFE7 35B28059 85020301 0001
R3#
R3#305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00D2EEB1 65C235DA
           ^
% Invalid input detected at '^' marker.

R3# 2101EEC9 5DC9D372 58BF1ADD 3FF7911A 2AB3D1A4 FEDF12D2 9E191C38 7D1811F9
            ^
% Invalid input detected at '^' marker.

R3# CA5EF85C A4C8A9F9 B07BA640 F3D37A0E 56192604 0A44A69A 37020301 0001
            ^
% Invalid input detected at '^' marker.

R3#
RACK14AS>2
[Resuming connection 2 to r2 ... ]
R2#sh run | b cry
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
memory-size iomem 10
clock timezone Mine -5
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip tcp intercept list 101
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.3
!
crypto ipsec transform-set prob11 ah-sha-hmac
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.3
 set transform-set prob11
 match address 150
!
interface FastEthernet0/0
 ip address 17.57.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 180.40.7.35 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 203
 crypto map Prob11
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.2 255.255.255.224
 clock rate 64000
 crypto map Prob11
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip any any time-range Prob4
access-list 101 permit tcp any 17.57.101.0 0.0.0.255
access-list 150 permit icmp any any
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 no login
!
ntp clock-period 17208154
[output interrupted at the --More-- prompt]

R2#
RACK14AS>3
[Resuming connection 3 to r3 ... ]
R3#sh run | b cypto
R3#sh run | b crypt
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
ip cef
no ip domain lookup
ip domain name ccie.com
ip audit po max-events 100
!
username George password 0 bosco
username George autocommand access-enable timeout 2
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.2
!
crypto ipsec transform-set Prob11 ah-sha-hmac
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.2
 set transform-set Prob11
 match address 150
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group 100 in
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 180.40.7.33 255.255.255.224
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 180.40.7.34 301 broadcast
 frame-relay map ip 180.40.7.35 302 broadcast
 crypto map Prob11
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
 crypto map Prob11
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
access-list 100 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
access-list 100 permit udp any any eq ntp
access-list 100 permit ospf any any
access-list 100 dynamic Prob9 permit ip any any
access-list 100 deny ip 180.40.7.128 0.0.0.31 any
access-list 150 permit icmp any any
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
ntp authentication-key 1 md5 1063102D0C1A17 7
[output interrupted at the --More-- prompt]

R3#
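Read against R3's own show output, the session above leaves the tunnel weaker than it looks. The transform set is ah-sha-hmac alone, so "sh cry ipsec sa" counts 9 packets digested and 0 encrypted: the pings between 180.40.7.3 and 180.40.7.2 cross the link in cleartext with only an integrity check, and the "inbound esp sas:" section is empty. ISAKMP policy 10 sets nothing but "authentication pre-share", so phase 1 negotiates the IOS defaults (DES, SHA-1, Diffie-Hellman group 1, 86400 s lifetime). The pre-shared key is "cisco", the RSA host key was accepted at the 512-bit default (which is what turned on SSH 1.5), and "no service password-encryption" leaves "username George password 0 bosco" readable in the config. The fragment below is an added example, not part of the PuTTY log: it places the R3 settings actually entered next to a hardened version of the same objects. The key and password strings are placeholders; the "modulus" keyword on "crypto key generate rsa", "ip ssh version 2" and "username ... secret" are assumed to be present on this 12.3 image (none of them was exercised in the session), and AES-256 with group 5 assumes the peer R2 is given the matching policy and transform set.

```cisco
! ---------- As entered on R3 in the session above ----------
crypto isakmp policy 10
 authentication pre-share
! nothing else set, so IOS defaults apply: encryption des, hash sha,
! group 1, lifetime 86400
crypto isakmp key cisco address 180.40.7.2
!
crypto ipsec transform-set Prob11 ah-sha-hmac
! AH only: packets are authenticated, never encrypted
! (this is why "#pkts encrypt: 0, #pkts digest 9")
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.2
 set transform-set Prob11
 match address 150
!
access-list 150 permit icmp any any
!
! ---------- Hardened equivalent (added example, placeholders marked) ----------
service password-encryption
! "secret" stores an MD5 hash instead of the reversible type 7 / type 0 form;
! availability of "secret" on this image is an assumption
username George secret <placeholder-password>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 3600
! long random key instead of "cisco"; the string here is a placeholder
crypto isakmp key <placeholder-long-random-psk> address 180.40.7.2
!
! ESP carries a cipher and an HMAC; both were offered in the "?" help
! output of the session (esp-aes, esp-sha-hmac)
crypto ipsec transform-set Prob11 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.2
 set transform-set Prob11
 match address 150
!
! The crypto ACL stays as the lab requires; note that with "any any" every
! ICMP packet leaving Serial1/2 or Serial1/0 is subject to the map, including
! the router's own pings to the peer, which is what the test pings exercised.
access-list 150 permit icmp any any
!
! Replace the 512-bit host key; IOS asks whether to replace existing keys.
! The "modulus" keyword and "ip ssh version 2" are assumptions for 12.3.
crypto key generate rsa general-keys modulus 2048
ip ssh version 2
```

After the change, "sh cry ipsec sa" should show non-zero "#pkts encrypt" and "#pkts decrypt" and a populated "inbound esp sas:" section, and "sh cry isakmp policy" should list the explicit AES/SHA/group 5 proposal ahead of the default policy instead of falling back to it; "sh cry key mypubkey rsa" confirms the new modulus.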