=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2006.11.17 09:07:34 =~=~=~=~=~=~=~=~=~=~=~=
R7 con0 is now available
Press RETURN to get started.
RACK18AS>disc 7
Closing connection to r7 [confirm]
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4#ping 192.10.32.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.32.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4#
R4#
R4#
R4#sh ip nat tra
R4#sh ip nat tra sh run | b nat
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.18 255.255.255.0
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
!
!
 --More--
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp ser ?
  Hostname or A.B.C.D  IP address of peer
  vrf                  VPN Routing/Forwarding Information
R4(config)#ntp ser 192. do sh cla ock
*01:30:22.207 UTC Mon Mar 1 1993
R4(config)#ntt p serv 192.10.32.254
R4(config)#
R4(config)#
R4(config)#
R4(config)#ntp serv 192.10.32.254do sh clock
18:30:31.635 UTC Fri Nov 17 2006
R4(config)#
R4(config)#
R4(config)#
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp auth
R4(config)#ntp authenticatq
R4(config)#ntp authenticati
R4(config)#ntp authentication-key ?
  <1-4294967295>  Key number
R4(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
R4(config)#ntp authentication-key 1 m
R4(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
R4(config)#ntp authentication-key 1 md5 MyTime
R4(config)#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
R3#confi gt
^
% Invalid input detected at '^' marker.
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp authen
R3(config)#ntp authenticati
R3(config)#ntp authentication-key 1 m
R3(config)#ntp authentication-key 1 md5 MyTime
R3(config)#ntp ser 180.40.7.98 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp ser 180.40.7.98 ke
R3(config)#ntp ser 180.40.7.98 key ?
  <0-4294967295>  Peer key number
R3(config)#ntp ser 180.40.7.98 key 1 ?
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp ser 180.40.7.98 key 1
R3(config)#^Z
R3#sh
*Mar 1 01:30:43.234: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ntp ass
  address        ref clock      st  when  poll  reach  delay  offset  disp
 ~180.40.7.98    0.0.0.0        16  -     64    0      0.0    0.00    16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#
R3#
R3#sh clock
*01:30:52.044 UTC Mon Mar 1 1993
R3#sh clockntp ass
  address        ref clock      st  when  poll  reach  delay  offset  disp
*~180.40.7.98    192.10.32.254  4   0     64    1      4.1    -0.00   15875.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#
R3#
R3#
R3#
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp op per er er ?
  Hostname or A.B.C.D  IP address of peer
  vrf                  VPN Routing/Forwarding Information
R3(config)#ntp peer 1 80 1.1.11 .1 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp peer 1.1.1.1 end
R3#sh
Nov 17 18:33:03.016: %SYS-5-CONFIG_I: Configured from console by console
R3#sh config tsh ntp ass
  address        ref clock      st  when  poll  reach  delay  offset  disp
*~180.40.7.98    192.10.32.254  4   12    64    377    4.1    0.15    0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#
R3#
R3#
R3#sh ntp ass ?
  detail  Show detail
  |       Output modifiers
R3#sh ntp ass det
R3#sh ntp ass detail ?
  |  Output modifiers
R3#sh ntp ass detail
180.40.7.98 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 192.10.32.254, time C9087EB2.C1B7B0B9 (18:32:18.756 UTC Fri Nov 17 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 226.50 msec, root disp 47.90, reach 377, sync dist 163.239
delay 4.07 msec, offset 0.1456 msec, dispersion 0.06
precision 2**18, version 3
org time C9087ED5.112BF307 (18:32:53.067 UTC Fri Nov 17 2006)
rcv time C9087ED5.11AB74F6 (18:32:53.069 UTC Fri Nov 17 2006)
xmt time C9087ED5.107D7EE5 (18:32:53.064 UTC Fri Nov 17 2006)
filtdelay = 4.15 4.14 4.07 4.12 4.07 4.03 4.07 4.20
filtoffset = 0.14 0.15 0.15 0.12 0.08 0.08 0.06 0.03
filterror = 0.02 0.03 0.05 0.06 0.08 0.09 0.11 0.12
R3#
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4(config)#z ^Z
R4#sh
Nov 17 18:33:22.967: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ntp ass det
192.10.32.254 configured, our_master, sane, valid, stratum 3
ref ID 172.16.1.20, time C9087EB4.BEC88FCA (18:32:20.745 UTC Fri Nov 17 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 221.37 msec, root disp 43.53, reach 377, sync dist 158.859
delay 5.23 msec, offset 4.1085 msec, dispersion 2.03
precision 2**24, version 3
org time C9087EF2.C2407755 (18:33:22.758 UTC Fri Nov 17 2006)
rcv time C9087EF2.C1DF2356 (18:33:22.757 UTC Fri Nov 17 2006)
xmt time C9087EF2.C083B4C5 (18:33:22.752 UTC Fri Nov 17 2006)
filtdelay = 5.23 5.14 5.20 5.19 5.16 5.22 5.25 5.20
filtoffset = 4.11 3.14 1.68 0.27 0.26 0.23 0.20 0.20
filterror = 0.02 0.99 1.97 2.94 2.96 2.98 2.99 3.01
R4#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
R3#den b b sh ntp ?
  associations  NTP associations
  status        NTP status
R3#sh ntp sta ?
  |  Output modifiers
R3#sh ntp sta
Clock is synchronized, stratum 5, reference is 180.40.7.98
nominal freq is 249.5901 Hz, actual freq is 249.5901 Hz, precision is 2**18
reference time is C9087ED5.11AB74F6 (18:32:53.069 UTC Fri Nov 17 2006)
clock offset is 0.1456 msec, root delay is 230.58 msec
root dispersion is 48.10 msec, peer dispersion is 0.06 msec
R3#sh ntp sta ass detail
180.40.7.98 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 192.10.32.254, time C9087EF2.C1DF2356 (18:33:22.757 UTC Fri Nov 17 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 226.61 msec, root disp 49.68, reach 377, sync dist 165.970
delay 4.14 msec, offset 1.0428 msec, dispersion 0.92
precision 2**18, version 3
org time C9087F15.11A487FC (18:33:57.068 UTC Fri Nov 17 2006)
rcv time C9087F15.11E8187F (18:33:57.069 UTC Fri Nov 17 2006)
xmt time C9087F15.10BB04D2 (18:33:57.065 UTC Fri Nov 17 2006)
filtdelay = 4.14 4.15 4.14 4.07 4.12 4.07 4.03 4.07
filtoffset = 1.04 0.14 0.15 0.15 0.12 0.08 0.08 0.06
filterror = 0.02 0.99 1.01 1.02 1.04 1.05 1.07 1.08
R3#deb ntp ?
  adjust          NTP clock adjustments
  authentication  NTP authentication
  events          NTP events
  loopfilter      NTP loop filter
  packets         NTP packets
  params          NTP clock parameters
  refclock        NTP reference clocks
  select          NTP clock selection
  sync            NTP clock synchronization
  validity        NTP peer clock validity
R3#deb ntp auth
R3#deb ntp authentication
NTP authentication debugging is on
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#
R3(config)#endntp ser 180.40.7.98 key 1 authentication-key 1 md5 MyTimeser 180.40.7.98 key 1 nntp ser 180.40.7.98 key 1 ontp ser 180.40.7.98 key 1 ntp ser 180.40.7.98 key 1
R3(config)#no ntp ser 180.40.7.98 key 1 end ntp ser 180.40.7.98 key 1
R3(config)#^Z
R3#
.Nov 17 18:34:24.746: %SYS-5-CONFIG_I: Configured from console by console
R3#
R3#
.Nov 17 18:34:30.071: Authentication key 1
Nov 17 18:34:31.068: Authentication key 1
R3#
R3#
R3#
R3#
Nov 17 18:34:32.070: Authentication key 1
Nov 17 18:34:33.068: Authentication key 1
R3#u all
All possible debugging has been turned off
R3#
Nov 17 18:34:34.069: Authentication key 1
R3#u all sh run | b ntp
ntp authentication-key 1 md5 112400311E1F0E 7
ntp clock-period 17208080
ntp server 180.40.7.98 key 1
!
end
R3#
R3#
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4#sh run | b ntp
ntp authentication-key 1 md5 112400311E1F0E 7
ntp clock-period 17179876
ntp server 192.10.32.254
!
end
R4#
R4#sh clock
18:39:23.149 UTC Fri Nov 17 2006
R4#
R4#
R4#
R4#
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#tim
R4(config)#time-range cloc
R4(config)#clock ?
  summer-time  Configure summer (daylight savings) time
  timezone     Configure time zone
R4(config)#clock tim
R4(config)#clock timezone ?
  WORD  name of time zone
R4(config)#clock timezone EST ?
  <-23 - 23>  Hours offset from UTC
R4(config)#clock timezone EST -5 ?
  <0-59>  Minutes offset from UTC
R4(config)#clock timezone EST -5
R4(config)#^Z
R4#
Nov 17 18:39:49.305: %SYS-5-CONFIG_I: Configured from console by console
R4#config t config tsh clock
13:39:52.837 EST Fri Nov 17 2006
R4#^Z
R4#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
R3#sh clock
18:39:59.742 UTC Fri Nov 17 2006
R3#i config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#clock tim
R3(config)#clock timezone EST -5
R3(config)#^Z
R3#
Nov 17 18:40:19.010: %SYS-5-CONFIG_I: Configured from console by console
R3#
R3#
R3#
R3#sh run | i clock
clock timezone EST -5
no network-clock-participate slot 1
no network-clock-participate wic 0
ntp clock-period 17208086
R3#
R3#
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4#configt
Translating "configt"
Translating "configt"
% Unknown command or computer name, or unable to find computer address
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#access-list ip access-list ex Prob2
R4(config-ext-nacl)#per udp an y any ?
  dscp        Match packets with given dscp value
  eq          Match only packets on a given port number
  fragments   Check non-initial fragments
  gt          Match only packets with a greater port number
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  lt          Match only packets with a lower port number
  neq         Match only packets not on a given port number
  precedence  Match packets with given precedence value
  range       Match only packets in the range of port numbers
  reflect     Create reflexive access list entry
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R4(config-ext-nacl)#per udp any any eq nt
R4(config-ext-nacl)#per udp any any eq ntp
R4(config-ext-nacl)#per icmp any any
R4(config-ext-nacl)#den ip any any lg
^
% Invalid input detected at '^' marker.
R4(config-ext-nacl)#den ip any any lgog
R4(config-ext-nacl)#den ip any any log no 30
R4(config-ext-nacl)#30 icmp any exit
R4(config)#exitno 30den ip any any logg per icmp any any udp any any eq ntp ip access-list ex Prob2clock timezone EST -5 ip access-list ex Prob2
R4(config-ext-nacl)#ip access-list ex Prob2exit no 30den ip any any log
R4(config-ext-nacl)#no 20
R4(config-ext-nacl)#do sh run | access0 -list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list Prob2
    10 permit udp any any eq ntp
    30 deny ip any any log
R4(config-ext-nacl)#exit
R4(config)#ip acccess esss
R4(config)#ip access-list ex
R4(config)#ip access-list extended Mine
R4(config-ext-nacl)#per ip 180.40.7.0 end
R4#
Nov 17 18:46:02.781: %SYS-5-CONFIG_I: Configured from console by console
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ip in
R4(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
R4(config)#ip inspect name ?
  WORD  Name of inspection defined
R4(config)#ip inspect name Prob2 ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  icmp         ICMP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Prodedure Call Protocol
  rtsp         Real Time Streaming Protocol
  sip          SIP Protocol
  skinny       Skinny Client Control Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
R4(config)#ip inspect name Prob2 tcp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 tcp
R4(config)#ip inspect name Prob2 tcp ip inspect name Prob2 tcp udp
R4(config)#ip inspect name Prob2 udp h
R4(config)#ip inspect name Prob2 h32
R4(config)#ip inspect name Prob2 h323 ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 h323
R4(config)#int atm 1/0
R4(config-if)#ip acc
R4(config-if)#ip acce
R4(config-if)#ip access-group Prob2 in
R4(config-if)#ip in
R4(config-if)#ip ins
R4(config-if)#ip inspect Prob2 ?
  in   Inbound inspection
  out  Outbound inspection
R4(config-if)#ip inspect Prob2 iu out
R4(config-if)#^Z
R4#sh acces
Nov 17 18:47:44.047: %SYS-5-CONFIG_I: Configured from console by console
R4#sh access
R4#sh access-
% Ambiguous command: "sh access-"
R4#lsh access-li
R4#sh access-lists
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list Mine
Extended IP access list Prob2
    10 permit udp any any eq ntp
    30 deny ip any any log
R4#sh access-lists
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list Mine
Extended IP access list Prob2
    10 permit udp any any eq ntp
    30 deny ip any any log
R4#^x3
% Unknown command or computer name, or unable to find computer address
R4#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
R3#192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
CR1>
CR1>
CR1>
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4#^x3sh access-lists
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (1 match)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list Mine
Extended IP access list Prob2
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.18 eq 55528 (14 matches)
    10 permit udp any any eq ntp
    30 deny ip any any log
R4#
R4#
R4#
Nov 17 18:48:15.959: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(17866) -> 192.10.32.18(179), 1 packet
R4#
R4#
R4#sh ip insp
R4#sh ip inspect ?
  all         Inspection all available information
  config      Inspection configuration
  interfaces  Inspection interfaces
  name        Inspection name
  sessions    Inspection sessions
R4#sh ip inspect ses
R4#sh ip inspect sessions
Established Sessions
 Session 62251694 (180.40.7.129:55528)=>(192.10.32.254:23) tcp SIS_OPEN
R4#
R4#
R4#
R4#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#
R3#
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4#sh ip inspect sessions
R4#sh ip inspect sessions access-lists
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (1 match)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list Mine
Extended IP access list Prob2
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.18 eq 55528 (23 matches)
    10 permit udp any any eq ntp (3 matches)
    30 deny ip any any log (1 match)
R4#sh access-lists
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (1 match)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list Mine
Extended IP access list Prob2
    10 permit udp any any eq ntp (3 matches)
    30 deny ip any any log (1 match)
R4#sh run | b ip inst
R4#sh run | b ip insp
ip inspect name Prob2 tcp
ip inspect name Prob2 udp
ip inspect name Prob2 h323
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 --More--
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.18 255.255.255.0
 ip access-group Prob2 in
 ip nat outside
 ip inspect Prob2 out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
 --More--
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Mine
ip access-list extended Prob2
 permit udp any any eq ntp
 deny ip any any log
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
 --More--
Nov 17 18:50:15.966: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(17877) -> 192.10.32.18(179), 1 packet
 --More--
R4#192.10.32.254
Trying 192.10.32.254 ...
Nov 17 18:50:33.150: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(23) -> 192.10.32.18(33842), 1 packet
% Connection reset by user
R4#disc
% No current connection
R4#
R4#
RACK18AS>4
[Resuming connection 4 to r4 ... ]
R4#conf g t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#
R4(config)#no ip access-list Mine eMine xMine Mine
R4(config)#^Z
R4#
Nov 17 18:52:15.973: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(17888) -> 192.10.32.18(179), 1 packet
R4#
Nov 17 18:52:17.729: %SYS-5-CONFIG_I: Configured from console by console
R4#
RACK18AS>1
[Resuming connection 1 to r1 ... ]
R1#confi g t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#
R1(config)#priv
R1(config)#privilege ?
  aaa-user                 AAA user definition
  accept-dialin            VPDN group accept dialin configuration mode
  accept-dialout           VPDN group accept dialout configuration mode
  address-family           Address Family configuration mode
  aic                      Alarm Interface Card configuration mode
  alps-ascu                ALPS ASCU configuration mode
  alps-circuit             ALPS circuit configuration mode
  bba-group                BBA Group configuration mode
  boomerang                Boomerang configuration mode
  cascustom                Cas custom configuration mode
  cause-code-list          Voice Cause Code List configuration mode
  ces-conn                 CES connection configuration mode
  ces-vc                   CES VC configuration mode
  cgma_agent               CGMA Agent Configuration Mode
  cm-fallback              cm-fallback configuration mode
  cns-connect-config       CNS Connect Info Mode
  cns-connect-intf-config  CNS Connect Intf Info Mode
  cns-tmpl-connect-config  CNS Template Connect Info Mode
  cns_inventory_submode    CNS Inventory SubMode
  config-rtr-http-rr       RTR HTTP raw request Configuration
  configure                Global configuration mode
  congestion               Frame Relay congestion configuration mode
 --More--
  controller               Controller configuration mode
  dhcp                     DHCP pool configuration mode
  enum_rule                enum configuration mode
  ephone                   ephone configuration mode
  ephone-dn                ephone-dn configuration mode
  exec                     Exec mode
  filterserver             AAA filter server definitions
  flow-cache               Flow aggregation cache config mode
  fr-fr                    FR/FR connection configuration mode
  frf5                     FR/ATM Network IWF configuration mode
  frf8                     FR/ATM Service IWF configuration mode
  gateway                  Gateway configuration mode
  gw-accounting-aaa        Gateway accounting aaa configuration mode
  interface                Interface configuration mode
  interface-dlci           Frame Relay dlci configuration mode
  interface-range          Interface range configuration mode
  ip-explicit-path         IP explicit path configuration mode
  ip-vrf                   Configure IP VRF parameters
  ipenacl                  IP named extended access-list configuration mode
  ipsnacl                  IP named simple access-list configuration mode
  ipv6-router              IPv6 router configuration mode
  ipv6acl                  IPv6 access-list configuration mode
  ipx-router               IPX router configuration mode
 --More--
R1(config)#privilege exec
R1(config)#privilege exec ?
  all    All suboption will be set to the samelevel
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege exec level ?
  <0-15>  Privilege level
R1(config)#privilege exec level 7 ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege exec level 7 config t
R1(config)#do sh run | b privi
privilege exec level 7 configure terminal
privilege exec level 7 configure
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 no login
!
!
end
R1(config)#snm
R1(config)#snmp?
snmp snmp-server
R1(config)#snmp-
R1(config)#snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  source-interface  Assign an source interface
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
 --More--
R1(config)#snmp-server com
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community psnmp-server community rsnmp-server community isnmp-server community vsnmp-server community isnmp-server community snmp-server community esnmp-server community snmp-server community csnmp-server community osnmp-server community nsnmp-server community fsnmp-server community isnmp-server community gsnmp-server community snmp-server community lsnmp-server community esnmp-server community vsnmp-server community esnmp-server community lsnmp-server community snmp-server community 7snmp-server community snmp-server community
^
% Invalid input detected at '^' marker.
R1(config)#privi config level 7 snmp-server community level 7 snmp-server community level 7 snmp-server community pri
R1(config)#privi
R1(config)#privilege ?
  aaa-user                 AAA user definition
  accept-dialin            VPDN group accept dialin configuration mode
  accept-dialout           VPDN group accept dialout configuration mode
  address-family           Address Family configuration mode
  aic                      Alarm Interface Card configuration mode
  alps-ascu                ALPS ASCU configuration mode
  alps-circuit             ALPS circuit configuration mode
  bba-group                BBA Group configuration mode
  boomerang                Boomerang configuration mode
  cascustom                Cas custom configuration mode
  cause-code-list          Voice Cause Code List configuration mode
  ces-conn                 CES connection configuration mode
  ces-vc                   CES VC configuration mode
  cgma_agent               CGMA Agent Configuration Mode
  cm-fallback              cm-fallback configuration mode
  cns-connect-config       CNS Connect Info Mode
  cns-connect-intf-config  CNS Connect Intf Info Mode
  cns-tmpl-connect-config  CNS Template Connect Info Mode
  cns_inventory_submode    CNS Inventory SubMode
  config-rtr-http-rr       RTR HTTP raw request Configuration
  configure                Global configuration mode
  congestion               Frame Relay congestion configuration mode
 --More--
R1(config)#privilege config u
R1(config)#privilege configure ?
  all    All suboption will be set to the samelevel
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege configure level 7 snmp=servserv -servserv comm
R1(config)#prin v
R1(config)#privilege exec
R1(config)#privilege exec lvel ee vel 7 sho run
R1(config)#user Joee Usewr er leve
R1(config)#user JoeUser leve pre iv
R1(config)#user JoeUser privilege l
R1(config)#user JoeUser privilege l ?
  <0-15>  User privilege level
R1(config)#user JoeUser privilege 7 ?
  access-class         Restrict access by access-class
  autocommand          Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line        Associate a specific line with this callback
  callback-rotary      Associate a rotary group with this callback
  dnis                 Do not require password when obtained via DNIS
  nocallback-verify    Do not require authentication after callback
  noescape             Prevent the user from using an escape character
  nohangup             Do not disconnect after an automatic command
  nopassword           No password is required for the user to log in
  password             Specify the password for the user
  privilege            Set user privilege level
  secret               Specify the secret for the user
  user-maxlinks        Limit the user's number of inbound links
R1(config)#user JoeUser privilege 7
R1(config)#i user jb privi
R1(config)#user jb privilege 15
R1(config)#LINE line vty 0 4
R1(config-line)#loco
R1(config-line)#loc og
R1(config-line)#login
R1(config-line)#login lo
R1(config-line)#login local
R1(config-line)#
RACK18AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
User Access Verification
Username: JoeUser
Password:
R1#
R1#
R1#
R1#
R1#sh leve
^
% Invalid input detected at '^' marker.
R1#sh privi
Current privilege level is 7
R1#
R1#
R1#
R1#con
R1#config ?
  terminal  Configure from the terminal
R1#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#?
Configure commands:
  atm          Enable ATM SLM Statistics
  call         Configure Call parameters
  default      Set a command to its defaults
  end          Exit from configure mode
  exit         Exit from configure mode
  help         Description of the interactive help system
  no           Negate a command or set its defaults
  snmp-server  Modify SNMP engine parameters
R1(config)#snmp-server ?
  community  Enable SNMP; set community string and access privs
R1(config)#snmp-server com
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)#snmp-server community test
R1(config)#end
R1#sh run
Building configuration...
Current configuration : 83 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
snmp-server community test RO
!
end
R1#
R1#
R1#
R1#
R1#
R1#
R1#
RACK18AS>1
[Resuming connection 1 to r1 ... ]
*Mar
R1(config-line)#login local ine vty 0 4user jb privilege 15JoeUser privilege 7 privilege exec level 7 sho runuser JoeUser privilege 7 privilege exec level 7 sho runconfigure level 7 snmp-serv comm WORD wr
R1(config)#
RACK18AS>5
[Resuming connection 5 to r5 ... ]
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#endsnmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)#snmp-server community test
RACK18AS>1
[Resuming connection 1 to r1 ... ]
R1(config)#snm
R1(config)#snmp-
R1(config)#snmp-server com
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  ro           Read-only access with this community string
  rw           Read-write access with this community string
  view         Restrict this community to a named MIB view
R1(config)#snmp-server community test privilege configure level 7 snmp-serv comm WORD wrlogin local privilege configure level 7 snmp-serv comm WORD wr rw
R1(config)#
RACK18AS>5
[Resuming connection 5 to r5 ... ]
R1(config)#~end~ snm
R1(config)#snmp-server com
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  rw           Read-write access with this community string
R1(config)#snmp-server community test e rw ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)#snmp-server community test rw ^Z
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#
RACK18AS>1
[Resuming connection 1 to r1 ... ]
*Ma
R1(config)#^Z
R1#sh run |
*Mar 1 01:57:56.375: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b privi
username JoeUser privilege 7
username jb privilege 15
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
 --More--
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
ip classless
!
!
!
!
snmp-server community test RO
!
!
!
privilege configure level 7 snmp-server community
privilege configure level 7 snmp-server
privilege exec level 7 configure terminal
privilege exec level 7 configure
 --More--
privilege exec level 7 show running-config
privilege exec level 7 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
!
end
R1#
R1#
RACK18AS>2
[Resuming connection 2 to r2 ... ]
R2#sh clock
*01:58:33.199 UTC Mon Mar 1 1993
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#tim
R2(config)#time-range ?
  WORD  Time range name
R2(config)#time-range Prob4
R2(config-time-range)#?
Time range configuration commands:
  absolute  absolute time and date
  default   Set a command to its defaults
  exit      Exit from time-range configuration mode
  no        Negate a command or set its defaults
  periodic  periodic time and date
R2(config-time-range)#per
R2(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
R2(config-time-range)#periodic weeks da
R2(config-time-range)#periodic weekdays ?
  hh:mm  Starting time
R2(config-time-range)#periodic weekdays 9:00 to 14:00 ?
R2(config-time-range)#periodic weekdays 9:00 to 14:00
R2(config-time-range)#exit
R2(config)#ip access line vty 0 4
R2(config-line)#acc
R2(config-line)#access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name
R2(config-line)#access-class exit
R2(config)#ip accces ess-list ex Prob3 4
R2(config-ext-nacl)#per ip any any tim
R2(config-ext-nacl)#per ip any any time-range ?
  WORD  Time-range entry name
R2(config-ext-nacl)#per ip any any time-range Prob4
R2(config-ext-nacl)#do sh access-list
Extended IP access list Prob4
    10 permit ip any any time-range Prob4 (inactive)
R2(config-ext-nacl)#
R2(config-ext-nacl)#
R2(config-ext-nacl)#
R2(config-ext-nacl)#line vty 0 4
R2(config-line)#acc
R2(config-line)#access-class Prob4 in
R2(config-line)#^Z
R2#
*Mar 1 02:00:52.195: %SYS-5-CONFIG_I: Configured from console by console
R2#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
R3#180.40.7.2
Trying 180.40.7.2 ...
% Connection refused by remote host
R3#
RACK18AS>2
[Resuming connection 2 to r2 ... ]
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ntp ser 180.40.7.98 R2(config)#clock tim R2(config)#clock timezone EST -5 R2(config)#^Z R2#sh clock *Mar 1 02:01:25.301: %SYS-5-CONFIG_I: Configured from console by console R2#sh clock .14:03:07.301 EST Fri Nov 17 2006 R2# R2# R2#sh access-list Extended IP access list Prob4 10 permit ip any any time-range Prob4 (inactive) R2# R2# R2#sh access-list Extended IP access list Prob4 10 permit ip any any time-range Prob4 (inactive) R2#sh access-listclock  14:03:17.642 EST Fri Nov 17 2006 R2#config t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#clock timezone EST -5ntp ser 180.40.7.98 access-class Prob4 inline vty 0 4 do sh access-listper ip any any time-range Prob4ip access-list ex Prob4 exit line vty 0 4exit periodic weekdays 9:00 to 14:00 time-range Prob4  R2(config-time-range)#per R2(config-time-range)#periodic weekda R2(config-time-range)#periodic weekdays 9:00 to 17:00 R2(config-time-range)#^Z R2#config tsh clockaccess-list Nov 17 19:03:42.771: %SYS-5-CONFIG_I: Configured from console by console R2#sh access-list Extended IP access list Prob4 10 permit ip any any time-range Prob4 (active) R2# R2# R2# R2# R2# RACK18AS>3 [Resuming connection 3 to r3 ... ] R3#180.40.7.2 Trying 180.40.7.2 ... Open R2#q [Connection to 180.40.7.2 closed by foreign host] R3# R3# RACK18AS>2 [Resuming connection 2 to r2 ... ] R2#sh run | b t access-l R2#sh run | b access-l ip access-list extended Prob4 permit ip any any time-range Prob4 ! ! ! ! ! ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 access-class Prob4 in privilege level 15 no login ! ntp server 180.40.7.98 time-range Prob4 --More--   periodic weekdays 9:00 to 14:00 periodic weekdays 9:00 to 17:00 ! ! end R2# R2#x  RACK18AS>4 [Resuming connection 4 to r4 ... ] N R4#conmfi g        sh    config t Enter configuration commands, one per line. End with CNTL/Z. 
R4(config)# R4(config)#int atm 1/.0  0 R4(config-if)#no ip insp R4(config-if)#no ip inspect Prob1   2 in %Inspect name Prob2 is not defined for interface ATM1/0 for the specified direction R4(config-if)#no ip inspect Prob2 in  out R4(config-if)#no ip access-list                 dpo    o sh run int atm 1/0 Building configuration... Current configuration : 180 bytes ! interface ATM1/0 ip address 192.10.32.18 255.255.255.0 ip access-group Prob2 in ip nat outside no atm ilmi-keepalive pvc 0/72 protocol ip 192.10.32.254 broadcast ! end R4(config-if)#co  no ip access-group Prob2 in R4(config-if)#exit R4(config)#ip acces- s-list ex Prob5out R4(config-ext-nacl)#per tcp     ip any any ref R4(config-ext-nacl)#per ip any any reflect ? WORD Access-list name R4(config-ext-nacl)#per ip any any reflect Prob5 R4(config-ext-nacl)#exit R4(config)#exitper ip any any reflect Prob5ip access-list ex Prob5out    in R4(config-ext-nacl)#per udp any any eq ntp R4(config-ext-nacl)#per ip any          ev R4(config-ext-nacl)#evaluate Prob5 R4(config-ext-nacl)#den ip any any lo R4(config-ext-nacl)#int at, m 1/0 R4(config-if)#ip access R4(config-if)#ip access-group Prob5out out R4(config-if)#ip access-group Prob5out out       in in R4(config-if)#^Z R4# RACK18AS>3 [Resuming connection 3 to r3 ... ] 180.40.7.292.10.32.254 Trying 192.10.32.254 ... Open CR1> CR1> CR1> CR1> RACK18AS>4 [Resuming connection 4 to r4 ... 
] N R4#sh access-list Standard IP access list IPNAT 10 permit 180.40.7.0, wildcard bits 0.0.0.255 (2 matches) 20 permit 17.0.0.0, wildcard bits 0.255.255.255 Extended IP access list Prob2 10 permit udp any any eq ntp (51 matches) 30 deny ip any any log (13 matches) Reflexive IP access list Prob5 permit tcp host 192.10.32.254 eq telnet host 192.10.32.18 eq 19996 (53 matches) (time left 294) Extended IP access list Prob5in 10 permit udp any any eq ntp 20 evaluate Prob5 30 deny ip any any log Extended IP access list Prob5out 10 permit ip any any reflect Prob5 (25 matches) R4# R4# RACK18AS>3 [Resuming connection 3 to r3 ... ] CR1>q [Connection to 192.10.32.254 closed by foreign host] R3# R3# RACK18AS>4 [Resuming connection 4 to r4 ... ] R4#sh run | b 1/0 interface ATM1/0 ip address 192.10.32.18 255.255.255.0 ip access-group Prob5in in ip access-group Prob5out out ip nat outside no atm ilmi-keepalive pvc 0/72 protocol ip 192.10.32.254 broadcast ! ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! ip nat inside source list IPNAT interface ATM1/0 overload no ip http server no ip http secure-server ip classless ! ! ! ip access-list standard IPNAT permit 180.40.7.0 0.0.0.255 --More--   permit 17.0.0.0 0.255.255.255 ! ip access-list extended Prob2 permit udp any any eq ntp deny ip any any log ip access-list extended Prob5in permit udp any any eq ntp evaluate Prob5 deny ip any any log ip access-list extended Prob5out permit ip any any reflect Prob5 ! ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 --More--   R4# Nov 17 19:08:16.019: %SEC-6-IPACCESSLOGP: list Prob5in denied tcp 192.10.32.254(17976) -> 192.10.32.18(179), 1 packet R4# RACK18AS>1 [Resuming connection 1 to r1 ... ] R1#confi t Enter configuration commands, one per line. End with CNTL/Z. R1(config)# R1(config)#tac R1(config)#tacacs-server ? 
administration Start tacacs+ daemon handling administrative messages directed-request Allow user to specify tacacs server to use with `@server' dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS servers extended Enable extended TACACS host Specify a TACACS server key Set TACACS+ encryption key. last-resort Define TACACS action if no server responds optional-passwords The first TACACS request can be made without password verification packet Modify TACACS+ packet options retransmit Search iterations of the TACACS server list timeout Time to wait for a TACACS server to reply R1(config)#tacacs-server he o R1(config)#tacacs-server host 17.57.100.99 ? R1(config)#tacacs-server host 17.57.100.99 R1(config)#tacacs-server host 17.57.100.99                     ke R1(config)#tacacs-server key ? 0 Specifies an UNENCRYPTED key will follow 7 Specifies HIDDEN key will follow LINE The UNENCRYPTED (cleartext) shared key R1(config)#tacacs-server key 1   MyKey ? LINE R1(config)#tacacs-server key MyKey >   R1(config)#aa R1(config)#aaa R1(config)#aaa new R1(config)#aaa new-model R1(config)#aa R1(config)#aaa R1(config)#aaa authen ? arap Set authentication lists for arap. attempts Set the maximum number of authentication attempts banner Message to use when starting login/authentication. enable Set authentication list for enable. fail-message Message to use for failed login/authentication. login Set authentication lists for logins. password-prompt Text to use when prompting for a password ppp Set authentication lists for ppp. sgbp Set authentication lists for sgbp. username-prompt Text to use when prompting for a username R1(config)#aaa authen login ? WORD Named authentication list. default The default authentication list. R1(config)#aaa authen login default local R1(config)#aaa authen login default local             Prob6 ? enable Use enable password for authentication. group Use Server-group krb5 Use Kerberos 5 authentication. 
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. R1(config)#aaa authen login Prob6 grou ? WORD Server-group name radius Use list of all Radius hosts. tacacs+ Use list of all Tacacs+ hosts. R1(config)#aaa authen login Prob6 grou ta R1(config)#aaa authen login Prob6 grou tacacs+ ? enable Use enable password for authentication. group Use Server-group krb5 Use Kerberos 5 authentication. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. R1(config)#aaa authen login Prob6 grou tacacs+ local R1(config)#line vty 0 4 R1(config-line)#no privi l  R1(config-line)#no privi   R1(config-line)#no privilege l R1(config-line)#no privilege level 15 R1(config-line)#login authen  R1(config-line)#login authen   R1(config-line)#login authentication Prob6 R1(config-line)#^Z R1# RACK18AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.100.1en 17.57.100.1 Trying 17.57.100.1 ... Open Username: JoeUser Password: R1> R1> R1> R1>q [Connection to 17.57.100.1 closed by foreign host] S5# S5# RACK18AS>1 [Resuming connection 1 to r1 ... ] *Mar R1#sh run | b aaa aaa new-model ! ! aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ! ! ! ! ! ! ! ! ! ! ! --More--   R1#1sh run | b aaa   user username JoeUser privilege 7 username jb privilege 15 ! ! ! ! interface Ethernet0/0 ip address 17.57.100.1 255.255.255.0 half-duplex ! interface Serial0/0 no ip address encapsulation frame-relay ! interface Serial0/0.1 point-to-point ip address 180.40.7.34 255.255.255.224 ip ospf network point-to-multipoint frame-relay interface-dlci 103 ! 
interface Ethernet0/1 no ip address shutdown half-duplex --More--   R1#sh run | b useraaa  aaa new-model ! ! aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ! ! ! ! ! ! ! ! ! ! ! --More--  username JoeUser privilege 7 username jb privilege 15 ! ! ! ! interface Ethernet0/0 ip address 17.57.100.1 255.255.255.0 half-duplex ! interface Serial0/0 no ip address encapsulation frame-relay ! interface Serial0/0.1 point-to-point ip address 180.40.7.34 255.255.255.224 ip ospf network point-to-multipoint frame-relay interface-dlci 103 ! interface Ethernet0/1 no ip address shutdown half-duplex --More--  ! interface Serial0/1 no ip address shutdown ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! no ip http server ip classless ! ! ! ! tacacs-server host 17.57.100.99 tacacs-server directed-request tacacs-server key MyKey snmp-server community test RO ! ! ! privilege configure level 7 snmp-server community --More--  privilege configure level 7 snmp-server privilege exec level 7 configure terminal privilege exec level 7 configure privilege exec level 7 show running-config privilege exec level 7 show ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 login authentication Prob6 ! ! end R1# R1#config t Enter configuration commands, one per line. End with CNTL/Z. R1(config)# R1(config)#aa R1(config)#aaa R1(config)#aaa authen R1(config)#aaa authentication ? arap Set authentication lists for arap. attempts Set the maximum number of authentication attempts banner Message to use when starting login/authentication. enable Set authentication list for enable. fail-message Message to use for failed login/authentication. login Set authentication lists for logins. password-prompt Text to use when prompting for a password ppp Set authentication lists for ppp. sgbp Set authentication lists for sgbp. 
username-prompt Text to use when prompting for a username R1(config)#aaa authentication pass R1(config)#aaa authentication password-prompt ? WORD Text of prompt R1(config)#aaa authentication password-prompt CCIE    "CCIE Wantabe: " R1(config)#aaa authen   R1(config)#aaa authentication lo R1(config)#aaa authentication login       us R1(config)#aaa authentication username-prompt ? WORD Text of prompt R1(config)#aaa authentication username-prompt "CCIE :  : " R1(config)# RACK18AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.100.1 Trying 17.57.100.1 ... Open CCIE: JoeUser CCIE Wantabe: R1>q [Connection to 17.57.100.1 closed by foreign host] S5# S5# RACK18AS>1 [Resuming connection 1 to r1 ... ] R1(config)#sh  ^Z R1#sh run | *Mar 1 02:14:38.742: %SYS-5-CONFIG_I: Configured from console by console R1#sh run | b   aaa aaa new-model ! ! aaa authentication password-prompt "CCIE Wantabe: " aaa authentication username-prompt "CCIE: " aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ! ! ! ! ! ! ! ! ! --More--   R1#confi t Enter configuration commands, one per line. End with CNTL/Z. R1(config)# R1(config)#banner ? LINE c banner-text c, where 'c' is a delimiting character exec Set EXEC process creation banner incoming Set incoming terminal line banner login Set login banner motd Set Message of the Day banner prompt-timeout Set Message for login authentication timeout slip-ppp Set Message for SLIP/PPP R1(config)#banner        aaa R1(config)#aaa l authen ? arap Set authentication lists for arap. attempts Set the maximum number of authentication attempts banner Message to use when starting login/authentication. enable Set authentication list for enable. fail-message Message to use for failed login/authentication. login Set authentication lists for logins. password-prompt Text to use when prompting for a password ppp Set authentication lists for ppp. 
sgbp Set authentication lists for sgbp. username-prompt Text to use when prompting for a username R1(config)#aaa authen            bann R1(config)#banner login ? LINE c banner-text c, where 'c' is a delimiting character R1(config)#banner login # Enter TEXT message. End with the character '#'. Keep out!!!! What are you new???? Yo momma # R1(config)##Yo mommaWhat are you new????Keep out!!!! banner login #aaa authentication username-prompt "CCIE: "password-prompt "CCIE Wantabe: "username-prompt "CCIE: " banner login #  ^C  R1# *Mar 1 02:16:55.334: %SYS-5-CONFIG_I: Configured from console by console R1#confi t Enter configuration commands, one per line. End with CNTL/Z. R1(config)## BANN    baa nnn login ? ? % Unrecognized command R1(config)#bannn login ? ^C             ^Z R1# RACK18AS>5 [Resuming connection 5 to r5 ... ] S5#17.57.100.1 Trying 17.57.100.1 ... Open Keep out!!!! What are you new???? Yo momma CCIE: CCIE: CCIE: RACK18AS>1 [Resuming connection 1 to r1 ... ] *Ma R1#sh run | vb  b banner banner login ^C Keep out!!!! What are you new???? Yo momma ^C privilege configure level 7 snmp-server community privilege configure level 7 snmp-server privilege exec level 7 configure terminal privilege exec level 7 configure privilege exec level 7 show running-config privilege exec level 7 show ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 --More--   R1#sh run | b bannerconfi t sh run | b aaaconfig t sh run | b aaa aaa new-model ! ! aaa authentication password-prompt "CCIE Wantabe: " aaa authentication username-prompt "CCIE: " aaa authentication login default local aaa authentication login Prob6 group tacacs+ local aaa session-id common ip subnet-zero ! ! no ip domain lookup ! ip cef ! ! ! ! ! ! ! ! ! --More--   R1# RACK18AS>3 [Resuming connection 3 to r3 ... ] R3#config t Enter configuration commands, one per line. End with CNTL/Z. R3(config)#access-list 100 ? 
deny Specify packets to reject dynamic Specify a DYNAMIC list of PERMITs or DENYs permit Specify packets to forward remark Access list entry comment R3(config)#access-list 100 per udp any any ntp ^ % Invalid input detected at '^' marker. R3(config)#access-list 100 per udp any any ntp any any entpqntp ntp R3(config)#access-list 100 per udp any any eq ntp                  ospf nay an      any any R3(config)#access-list 100 per ospf any any              r tcp 180.40.7.128 0.0.0.31 180.40.7.129h180.40.7.129o180.40.7.129s180.40.7.129t180.40.7.129 180.40.7.129180.40.7.129 eq$ 100 per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq tel R3(config)#access-list 100 dyn R3(config)#access-list 100 dynamic ? WORD Name of a Dynamic list R3(config)#access-list 100 dynamic Prob9 ? deny Specify packets to reject permit Specify packets to forward timeout Maximum time for dynamic ACL to live R3(config)#access-list 100 dynamic Prob9 per ip any any R3(config)#access-list 100 deny ip any   180.40.7.128 0.0.0.31 any R3(config)#access-list 100 per ip any any R3(config)#int fa 0/1 R3(config-if)#ip access R3(config-if)#ip access-group 100 in R3(config-if)#exit R3(config)#user Gero  orge pass bosco R3(config)#user George pass bosco   ? LINE R3(config)#user George pass bos          ? 
access-class Restrict access by access-class autocommand Automatically issue a command after the user logs in callback-dialstring Callback dialstring callback-line Associate a specific line with this callback callback-rotary Associate a rotary group with this callback dnis Do not require password when obtained via DNIS nocallback-verify Do not require authentication after callback noescape Prevent the user from using an escape character nohangup Do not disconnect after an automatic command nopassword No password is required for the user to log in password Specify the password for the user privilege Set user privilege level secret Specify the secret for the user user-maxlinks Limit the user's number of inbound links R3(config)#user George autocom R3(config)#user George autocommand ? LINE Command to be automatically issued after the user logs in R3(config)#user George autocommand access-enable timeout 2 2 R3(config)#do ace cess-list access-list ^ % Invalid input detected at '^' marker. R3(config)#do access-listsaccess-listhaccess-list access-list Extended IP access list 100 10 permit udp any any eq ntp (8 matches) 20 permit ospf any any (8 matches) 30 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet 40 Dynamic Prob9 permit ip any any 50 deny ip 180.40.7.128 0.0.0.31 any 60 permit ip any any R3(config)#co  a ip a access-list exec 100 ^ % Invalid input detected at '^' marker. R3(config)#ip access-list exec 100 1 100 100 100 1 100100 R3(config-ext-nacl)#no 40 R3(config-ext-nacl)#40     40 Dynamic Prob9 permit ip any any ? dscp Match packets with given dscp value fragments Check non-initial fragments log Log matches against this entry log-input Log matches against this entry, including input interface precedence Match packets with given precedence value time-range Specify a time-range tos Match packets with given TOS value R3(config-ext-nacl)# 40 Dynamic Prob9 permit ip any any                   ? 
deny Specify packets to reject exit Exit from access-list configuration mode permit Specify packets to forward timeout Maximum time for dynamic ACL to live R3(config-ext-nacl)# 40 Dynamic Prob9 tim R3(config-ext-nacl)# 40 Dynamic Prob9 timeout out     ? <1-9999> Maximum time to live R3(config-ext-nacl)# 40 Dynamic Prob9 timeout 60 ? deny Specify packets to reject exit Exit from access-list configuration mode permit Specify packets to forward R3(config-ext-nacl)# 40 Dynamic Prob9 timeout 60 per ip any any R3(config-ext-nacl)#line vty 0 4 R3(config-line)#login local R3(config-line)#exit R3(config)#user jb privi 14 5 R3(config)#^Z R3# Nov 17 19:25:22.360: %SYS-5-CONFIG_I: Configured from console by console R3# RACK18AS>6 [Resuming connection 6 to r6 ... ] S6#ping 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: U.U.U Success rate is 0 percent (0/5) S6#180.40.7.129 Trying 180.40.7.129 ... Open User Access Verification Username: George Password: [Connection to 180.40.7.129 closed by foreign host] S6#180.40.7.129ping 180.40.7.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms S6# S6# S6# S6# RACK18AS>3 [Resuming connection 3 to r3 ... ] R3#sh run | b user username George password 0 bosco username George autocommand access-enable timeout 2 username jb privilege 15 ! ! ! ! ! ! ! ! interface FastEthernet0/0 no ip address shutdown duplex auto speed auto ! interface BRI0/0 no ip address shutdown ! interface FastEthernet0/1 ip address 180.40.7.129 255.255.255.224 --More--   ip access-group 100 in duplex auto speed auto ! interface Serial1/0 ip address 180.40.7.33 255.255.255.224 encapsulation frame-relay ip ospf network point-to-multipoint frame-relay map ip 180.40.7.34 301 broadcast frame-relay map ip 180.40.7.35 302 broadcast ! interface Serial1/1 no ip address shutdown ! 
interface Serial1/2 ip address 180.40.7.3 255.255.255.224 ! interface Serial1/3 no ip address shutdown ! interface Serial1/4 --More--   no ip address shutdown ! interface Serial1/5 no ip address shutdown ! interface Serial1/6 no ip address shutdown ! interface Serial1/7 no ip address shutdown ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! ip classless ! no ip http server no ip http secure-server --More--  ! access-list 100 permit udp any any eq ntp access-list 100 permit ospf any any access-list 100 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet access-list 100 dynamic Prob9 timeout 60 permit ip any any access-list 100 deny ip 180.40.7.128 0.0.0.31 any access-list 100 permit ip any any ! ! ! ! ! ! ! ! ! line con 0 exec-timeout 0 0 logging synchronous line aux 0 line vty 0 4 privilege level 15 login local --More--  ! ntp authentication-key 1 md5 112400311E1F0E 7 ntp clock-period 17208190 ntp server 180.40.7.98 key 1 ! end R3# R3# RACK18AS>2 [Resuming connection 2 to r2 ... ] R2#c sh access-list Extended IP access list Prob4 10 permit ip any any time-range Prob4 (active) (2 matches) R2#config t Enter configuration commands, one per line. End with CNTL/Z. R2(config)# R2(config)#ip tcp ? async-mobility Configure async-mobility chunk-size TCP chunk size intercept Enable TCP intercepting mss TCP initial maximum segment size path-mtu-discovery Enable path-MTU discovery on new TCP connections queuemax Maximum queue of outgoing TCP packets selective-ack Enable TCP selective-ACK synwait-time Set time to wait on new TCP connections timestamp Enable TCP timestamp option window-size TCP window size R2(config)#ip tcp in R2(config)#ip tcp intercept ? 
connection-timeout Specify timeout for connection info drop-mode Specify incomplete connection drop mode finrst-timeout Specify timeout for FIN/RST list Specify access-list to use max-incomplete Specify maximum number of incomplete connections before clamping mode Specify intercepting mode one-minute Specify one-minute-sample watermarks for clamping watch-timeout Specify timeout for incomplete connections in watch mode R2(config)#ip tcp intercept li ? <100-199> Extended access list number for intercept WORD Access list name for intercept R2(config)#ip tcp intercept li                  access-list ex Prob10 R2(config-ext-nacl)#per ip  tcp any 17.57.101.0 0.0.0.255 R2(config-ext-nacl)#exit R2(config)#ip tcp in R2(config)#ip tcp intercept li R2(config)#ip tcp intercept list Prob10 ? R2(config)#ip tcp intercept list Prob10 R2(config)#do sh ip tcp int sh ip tcp int ^ % Invalid input detected at '^' marker. R2(config)#do sh ip tcp int    sh ip tcp % Incomplete command. R2(config)#^Z R2#sh ip tcp Nov 17 19:28:37.301: %SYS-5-CONFIG_I: Configured from console by console R2#sh ip tcp ? header-compression TCP/IP header-compression statistics R2#sh ip tcp          tcp int R2#sh tcp intercept ? connections Connection information statistics Statistics R2#sh tcp intercept sta R2#sh tcp intercept statistics Intercepting new connections using access-list Prob10 0 incomplete, 0 established connections (total 0) 0 connection requests per minute R2#sh tcp intercept statistics            config t sh access-listconfig t sh tcp intercept statistics  sh tcp intercept statistics ? | Output modifiers R2#sh tcp intercept statistics             con R2#sh tcp intercept connections ? 
| Output modifiers R2#sh tcp intercept connections Incomplete: Client Server State Create Timeout Mode Established: Client Server State Create Timeout Mode R2#sh ip    access-list Extended IP access list Prob10 10 permit tcp any 17.57.101.0 0.0.0.255 Extended IP access list Prob4 10 permit ip any any time-range Prob4 (active) (2 matches) R2#sh run | b ip tcp ip tcp intercept list Prob10 ! ip cef no ip domain lookup ip audit po max-events 100 ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! --More--  ! ! interface FastEthernet0/0 ip address 17.57.101.1 255.255.255.0 duplex auto speed auto ! interface BRI0/0 no ip address shutdown ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! interface Serial1/0 no ip address encapsulation frame-relay ! interface Serial1/0.1 multipoint ip address 180.40.7.35 255.255.255.224 --More--   ip ospf network point-to-multipoint frame-relay interface-dlci 203 ! interface Serial1/1 no ip address shutdown ! interface Serial1/2 ip address 180.40.7.2 255.255.255.224 clock rate 64000 ! interface Serial1/3 no ip address shutdown ! interface Serial1/4 no ip address shutdown ! interface Serial1/5 no ip address shutdown ! --More--  interface Serial1/6 no ip address shutdown ! interface Serial1/7 no ip address shutdown ! router ospf 1 log-adjacency-changes network 0.0.0.0 255.255.255.255 area 0 ! ip classless ! no ip http server no ip http secure-server ! ip access-list extended Prob10 permit tcp any 17.57.101.0 0.0.0.255 ip access-list extended Prob4 permit ip any any time-range Prob4 ! ! --More--   R2#config t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#cry R2(config)#crypto ? 
ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#crypto is R2(config)#crypto isakmp ? aggressive-mode Disable ISAKMP aggressive mode client Set client configuration policy enable Enable ISAKMP identity Set the identity which ISAKMP will use keepalive Set a keepalive interval for use with IOS peers key Set pre-shared key for remote peer nat Set a nat keepalive interval for use with IOS peers peer Set Peer Policy policy Set policy for an ISAKMP protection suite profile Define ISAKMP Profiles xauth Set Extended Authentication values R2(config)#crypto isakmp pol R2(config)#crypto isakmp policy ? <1-10000> Priority of protection suite R2(config)#crypto isakmp policy 10 ? R2(config)#crypto isakmp policy 10 R2(config-isakmp)#? ISAKMP commands: authentication Set authentication method for protection suite default Set a command to its defaults encryption Set encryption algorithm for protection suite exit Exit from ISAKMP protection suite configuration mode group Set the Diffie-Hellman group hash Set hash algorithm for protection suite lifetime Set lifetime for ISAKMP security association no Negate a command or set its defaults R2(config-isakmp)#authen R2(config-isakmp)#authentication ? pre-share Pre-Shared Key rsa-encr Rivest-Shamir-Adleman Encryption rsa-sig Rivest-Shamir-Adleman Signature R2(config-isakmp)#authentication pre R2(config-isakmp)#authentication pre-share ? R2(config-isakmp)#authentication pre-share R2(config-isakmp)#exit R2(config)#cry R2(config)#crypto ? 
ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#crypto ke R2(config)#crypto key? key keyring R2(config)#crypto key    y   ey ? generate Generate new keys pubkey-chain Peer public key chain management zeroize Remove keys R2(config)#crypto key     is R2(config)#crypto isakmp ? aggressive-mode Disable ISAKMP aggressive mode client Set client configuration policy enable Enable ISAKMP identity Set the identity which ISAKMP will use keepalive Set a keepalive interval for use with IOS peers key Set pre-shared key for remote peer nat Set a nat keepalive interval for use with IOS peers peer Set Peer Policy policy Set policy for an ISAKMP protection suite profile Define ISAKMP Profiles xauth Set Extended Authentication values R2(config)#crypto isakmp        ? ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#crypto i key ? generate Generate new keys pubkey-chain Peer public key chain management zeroize Remove keys R2(config)#crypto key     is R2(config)#crypto isakmp ? 
aggressive-mode Disable ISAKMP aggressive mode client Set client configuration policy enable Enable ISAKMP identity Set the identity which ISAKMP will use keepalive Set a keepalive interval for use with IOS peers key Set pre-shared key for remote peer nat Set a nat keepalive interval for use with IOS peers peer Set Peer Policy policy Set policy for an ISAKMP protection suite profile Define ISAKMP Profiles xauth Set Extended Authentication values R2(config)#crypto isakmp key ? WORD pre-shared key R2(config)#crypto isakmp key cisco ? address define shared key with IP address hostname define shared key with hostname R2(config)#crypto isakmp key cisco add ? A.B.C.D Peer IP address R2(config)#crypto isakmp key cisco add 180.40.7.3 ? A.B.C.D Peer IP subnet mask no-xauth Bypasses XAuth for this peer R2(config)#crypto isakmp key cisco add 180.40.7.3 R2(config)#ip access-list ex Prob11 R2(config-ext-nacl)#den tcp any an              den ospf any any R2(config-ext-nacl)#den tcp any any R2(config-ext-nacl)#den udp any any R2(config-ext-nacl)#per ip any nay   any R2(config-ext-nacl)#exit R2(config)#cry R2(config)#crypto ? ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#crypto ip R2(config)#crypto ipsec ? client Configure a client df-bit Handling of encapsulated DF bit. fragmentation Handling of fragmentation of near-MTU sized packets nat-transparency IPsec NAT transparency model optional Enable optional encryption for IPSec profile Configure an ipsec policy profile security-association Security association parameters transform-set Define transform and settings R2(config)#crypto ipsec tra R2(config)#crypto ipsec transform-set ? WORD Transform set tag R2(config)#crypto ipsec transform-set Prob10 ? 
ah-md5-hmac AH-HMAC-MD5 transform ah-sha-hmac AH-HMAC-SHA transform comp-lzs IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-sha-hmac ESP transform using HMAC-SHA auth R2(config)#crypto ipsec transform-set Prob10 as h R2(config)#crypto ipsec transform-set Prob10 ah-sh R2(config)#crypto ipsec transform-set Prob10 ah-sha-hmac ? comp-lzs IP Compression using the LZS compression algorithm esp-3des ESP transform using 3DES(EDE) cipher (168 bits) esp-aes ESP transform using AES cipher esp-des ESP transform using DES cipher (56 bits) esp-md5-hmac ESP transform using HMAC-MD5 auth esp-null ESP transform w/o cipher esp-sha-hmac ESP transform using HMAC-SHA auth R2(config)#crypto ipsec transform-set Prob10 ah-sha-hmac R2(cfg-crypto-trans)#eix  xit R2(config)#cry R2(config)#crypto ? ca Certification authority dynamic-map Specify a dynamic crypto map template identity Enter a crypto identity list ipsec Configure IPSEC policy isakmp Configure ISAKMP policy key Long term key operations keyring Key ring commands map Enter a crypto map mib Configure Crypto-related MIB Parameters xauth X-Auth parameters R2(config)#crypto map ? WORD Crypto map tag R2(config)#crypto map Prob10 ? <1-65535> Sequence to insert into crypto map entry client Specify client configuration settings isakmp Specify isakmp configuration settings isakmp-profile Specify isakmp profile to use local-address Interface to use for local address for this crypto map R2(config)#crypto map Prob10   1 ? 
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
R2(config)#crypto map Prob11 is
R2(config)#crypto map Prob11 isakmp      10 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
R2(config)#crypto map Prob11 10 ip
R2(config)#crypto map Prob11 10 ipsec-i
R2(config)#crypto map Prob11 10 ipsec-isakmp ?
  dynamic  Enable dynamic crypto map support
  profile  Enable crypto map as a crypto-profile
R2(config)#crypto map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#
R2(config-crypto-map)#
R2(config-crypto-map)#
R2(config-crypto-map)#match ?
  address  Match address of packets to encrypt.
R2(config-crypto-map)#match add ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
R2(config-crypto-map)#match add Prob10                do sh run | b access-list
ip access-list extended Prob10
 permit tcp any 17.57.101.0 0.0.0.255
ip access-list extended Prob11
 deny ospf any any
 deny tcp any any
 deny udp any any
 permit ip any any
ip access-list extended Prob4
 permit ip any any time-range Prob4
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
 --More--
R2(config-crypto-map)#match add Prob11
R2(config-crypto-map)#set peer 180.40.7.3
R2(config-crypto-map)#set     do sh ru n|   n | i trans
crypto ipsec transform-set Prob10 ah-sha-hmac
R2(config-crypto-map)#set tra
R2(config-crypto-map)#set transform-set Prob10
R2(config-crypto-map)#int s 1/2
R2(config-if)#cry
R2(config-if)#crypto mp a
R2(config-if)#crypto map Prob11
R2(config-if)#
Nov 17 19:35:24.154: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#^Z
R2#sh run | b
Nov 17 19:35:25.669: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | b cry
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
clock timezone EST -5
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
ip tcp intercept list Prob10
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
!
!
 --More--
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.3
!
!
crypto ipsec transform-set Prob10 ah-sha-hmac
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.3
 --More--
 set transform-set Prob10
 match address Prob11
!
!
!
!
interface FastEthernet0/0
 ip address 17.57.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 --More--
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 180.40.7.35 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 203
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.2 255.255.255.224
 clock rate 64000
 crypto map Prob11
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
 --More--
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
ip access-list extended Prob10
 --More--
 permit tcp any 17.57.101.0 0.0.0.255
ip access-list extended Prob11
 deny ospf any any
 deny tcp any any
 deny udp any any
 permit ip any any
ip access-list extended Prob4
 permit ip any any time-range Prob4
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 --More--
R2#
RACK18AS>3
[Resuming connection 3 to r3 ... ]
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#
R3(config)#
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)#crypto isakmp key cisco address 180.40.7.2
R3(config)#!
R3(config)#!
R3(config)#crypto ipsec transform-set Prob10 ah-sha-hmac
R3(cfg-crypto-trans)#!
R3(cfg-crypto-trans)#!
R3(cfg-crypto-trans)#!
R3(cfg-crypto-trans)#
R3(cfg-crypto-trans)#ip access-list extended Prob11
R3(config-ext-nacl)# deny ospf any any
R3(config-ext-nacl)# deny tcp any any
R3(config-ext-nacl)# deny udp any any
R3(config-ext-nacl)# permit ip any any
R3(config-ext-nacl)#
R3(config-ext-nacl)#crypto map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R3(config-crypto-map)# set peer 180.40.7.2
R3(config-crypto-map)# set transform-set Prob10
R3(config-crypto-map)# match address Prob11
R3(config-crypto-map)#
R3(config-crypto-map)#interface Serial1/2
R3(config-if)# crypto map Prob11
R3(config-if)#!
Nov 17 19:37:17.613: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#!
R3(config-if)#
R3(config-if)#
R3(config-if)#^Z
R3#sh
Nov 17 19:37:23.487: %SYS-5-CONFIG_I: Configured from console by console
R3#sh cry ips
R3#sh cry ipsec      s
R3#sh cry isakmp ?
  key      Show ISAKMP preshared keys
  policy   Show ISAKMP protection suite policy
  profile  Show ISAKMP profiles
  sa       Show ISAKMP Security Associations
R3#sh cry isakmp sa
dst             src             state          conn-id slot
R3#sh cry isakmp sa\   pol
R3#sh cry isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
R3#ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/44/44 ms
R3#
R3#
R3#
R3#ping 180.40.7.2sh cry isakmp policy sa
dst             src             state          conn-id slot
180.40.7.2      180.40.7.3      QM_IDLE              1    0
R3#
R3#
R3#
R3#sh cry isakmp sa        p
R3#sh cry ipsec sa
interface: Serial1/2
    Crypto map tag: Prob11, local addr. 180.40.7.3
   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 180.40.7.2:500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 0, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 0, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 308F0BDD
     inbound esp sas:
     inbound ah sas:
 --More--
      spi: 0xFD574085(4250353797)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: Prob11
        sa timing: remaining key lifetime (k/sec): (4410972/3586)
        replay detection support: Y
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
      spi: 0x308F0BDD(814681053)
        transform: ah-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: Prob11
        sa timing: remaining key lifetime (k/sec): (4410972/3574)
        replay detection support: Y
     outbound pcp sas:
R3#sh cry ipsec sasakmp saping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/49 ms
R3#ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms
R3#ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms
R3#
R3#ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/45/48 ms
R3#ping 180.40.7.2sh cry ipsec sa
interface: Serial1/2
    Crypto map tag: Prob11, local addr. 180.40.7.3
   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 180.40.7.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 24, #pkts encrypt: 0, #pkts digest 24
    #pkts decaps: 24, #pkts decrypt: 0, #pkts verify 24
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 308F0BDD
     inbound esp sas:
     inbound ah sas:
 --More--
R3#sh run | b