=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2006.11.03 13:48:24 =~=~=~=~=~=~=~=~=~=~=~=
R7 con0 is now available
Press RETURN to get started.
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4#sh clock
*01:10:37.191 UTC Mon Mar 1 1993
R4#ping 192.10.32.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.10.32.254, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp ?
  access-group  Control NTP access
  authenticate  Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay  Estimated round-trip delay
  clock-period  Length of hardware clock tick
  master  Act as NTP master clock
  max-associations  Set maximum number of associations
  peer  Configure NTP peer
  server  Configure NTP server
  source  Configure interface for source address
  trusted-key  Key numbers for trusted time sources
R4(config)#ntp serv ?
  Hostname or A.B.C.D  IP address of peer
  vrf  VPN Routing/Forwarding Information
R4(config)#ntp serv 192.10.32.254
R4(config)#do sh clock
*01:18:11.515 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:13.035 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:13.983 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:14.391 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:14.723 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:15.047 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:15.331 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:15.635 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:15.931 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:17.855 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:19.151 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:20.579 UTC Mon Mar 1 1993
R4(config)#do sh clock
*01:18:22.251 UTC Mon Mar 1 1993
R4(config)#ntp authen
R4(config)#ntp authenticatio
R4(config)#ntp authentication-key ?
  <1-4294967295>  Key number
R4(config)#ntp authentication-key 1 ?
  md5  MD5 authentication
R4(config)#ntp authentication-key 1 m
R4(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
R4(config)#ntp authentication-key 1 md5 MyTime
R4(config)#ntp authentication-key 1 md5 MyTimedo sh clock
22:12:52.181 UTC Fri Nov 3 2006
R4(config)#time ?
  WORD  Time range name
R4(config)#time      clo ?
  summer-time  Configure summer (daylight savings) time
  timezone  Configure time zone
R4(config)#clo time ?
  WORD  name of time zone
R4(config)#clo time PST > ?
  <-23 - 23>  Hours offset from UTC
R4(config)#clo time PST -8
R4(config)#clo time PST -8do sh clock
14:13:29.729 PST Fri Nov 3 2006
R4(config)#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#sh clock
*01:17:02.108 UTC Mon Mar 1 1993
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp authe
R3(config)#ntp authenticatii
R3(config)#ntp authentication-key j k
R3(config)#ntp authentication-key k 1 m
R3(config)#ntp authentication-key 1 md5 MyKey
R3(config)#ntp authentication-key 1 md5 MyKey   Time
R3(config)#de  do deb ntp deb ntp
% Incomplete command.
R3(config)#do deb ntp ev
NTP events debugging is on
R3(config)#ntp serv 180.40.7.98 ?
  key  Configure peer authentication key
  prefer  Prefer this peer when possible
  source  Interface for source address
  version  Configure NTP version
R3(config)#ntp serv 180.40.7.98 key ?
  <0-4294967295>  Peer key number
R3(config)#ntp serv 180.40.7.98 key 1
R3(config)#log con
R3(config)#
*Mar 1 01:18:06.040: NTP: 180.40.7.98 reachable
*Nov 3 22:14:45.764: NTP: peer stratum change
*Nov 3 22:14:45.764: NTP: clock reset
.Nov 3 22:14:46.762: NTP: 180.40.7.98 reachable
Nov 3 22:14:46.762: NTP: sync change
Nov 3 22:14:46.762: NTP: peer stratum change
R3(config)#log con ^Z
R3#sh
Nov 3 22:14:58.757: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ntp acc ?
% Unrecognized command
R3#sh ntp acc     ass ?
  detail  Show detail
  |  Output modifiers
R3#sh ntp ass de
180.40.7.98 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 192.10.32.254, time C8F63DE0.7370FC57 (22:14:56.450 UTC Fri Nov 3 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 223.11 msec, root disp 38.89, reach 377, sync dist 152.512
delay 4.03 msec, offset -0.1393 msec, dispersion 0.05
precision 2**18, version 3
org time C8F63DE4.C38E38B7 (22:15:00.763 UTC Fri Nov 3 2006)
rcv time C8F63DE4.C41BBA36 (22:15:00.766 UTC Fri Nov 3 2006)
xmt time C8F63DE4.C2F59462 (22:15:00.761 UTC Fri Nov 3 2006)
filtdelay = 4.03 4.17 4.58 4.17 4.14 4.14 4.20 4.10
filtoffset = -0.14 -0.11 -0.32 -0.06 -0.15 -0.13 -0.03 -0.12
filterror = 0.02 0.03 0.05 0.06 0.08 0.09 0.11 0.12
R3#sh ntp ass de
      address         ref clock     st  when  poll  reach  delay  offset  disp
*~180.40.7.98      192.10.32.254     4    19    64    377    4.0   -0.14   0.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh clock
22:15:25.013 UTC Fri Nov 3 2006
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#tim
R3(config)#time-range            l lc  clokc ?
% Unrecognized command
R3(config)#clokc     ?
  summer-time  Configure summer (daylight savings) time
  timezone  Configure time zone
R3(config)#clo tim
R3(config)#clo timezone PST -8
R3(config)#^Z
R3#config tsh clock
14:15:52.113 PST Fri Nov 3 2006
R3#
Nov 3 22:15:50.442: %SYS-5-CONFIG_I: Configured from console by console
R3#sh clock
14:15:55.643 PST Fri Nov 3 2006
R3#sh run | i ntp
ntp authentication-key 1 md5 062B161545430C 7
ntp server 180.40.7.98 key 1
R3#
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4(config)#^Z
R4#sh
Nov 3 22:17:15.918: %SYS-5-CONFIG_I: Configured from console by console
R4#sh run | i ntp
ntp authentication-key 1 md5 112400311E1F0E 7
ntp clock-period 17179870
ntp server 192.10.32.254
R4#
R4#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#sh clock
14:18:44.479 PST Fri Nov 3 2006
R3#sh ntp ass
      address         ref clock     st  when  poll  reach  delay  offset  disp
*~180.40.7.98      192.10.32.254     4    37    64    377    4.0   -0.07   0.1
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass dat
^
% Invalid input detected at '^' marker.
R3#sh ntp ass dat  et
180.40.7.98 configured, authenticated, our_master, sane, valid, stratum 4
ref ID 192.10.32.254, time C8F63EA0.73B6AD38 (14:18:08.452 PST Fri Nov 3 2006)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 223.16 msec, root disp 43.46, reach 377, sync dist 157.120
delay 4.00 msec, offset -0.0710 msec, dispersion 0.09
precision 2**18, version 3
org time C8F63EA4.C33D9111 (14:18:12.762 PST Fri Nov 3 2006)
rcv time C8F63EA4.C3C5AFCE (14:18:12.764 PST Fri Nov 3 2006)
xmt time C8F63EA4.C29C153D (14:18:12.760 PST Fri Nov 3 2006)
filtdelay = 4.00 4.15 4.07 4.03 4.17 4.58 4.17 4.14
filtoffset = -0.07 -0.15 -0.19 -0.14 -0.11 -0.32 -0.06 -0.15
filterror = 0.02 0.99 1.97 2.94 2.96 2.98 2.99 3.01
R3#
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4#confi gt
^
% Invalid input detected at '^' marker.
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#do sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
R4(config)#access-list             ip access-list ex NoOutsi de  ide
R4(config-ext-nacl)#per udp any any eq ntp
R4(config-ext-nacl)#den any any iany anypany any any anyany any log
R4(config-ext-nacl)#exit
R4(config)#ip access-list st
R4(config)#ip access-list standard Mine
R4(config-std-nacl)#per any a    ny
R4(config-std-nacl)#exit
R4(config)#exitper anyip access-list standard Minenip access-list standard Mineoip access-list standard Mine ip access-list standard Mine
R4(config)#no ip access-list standard Mineexit per anyip access-list standard Mine
R4(config-std-nacl)#per 180.40.0.0 0.0.0 255.255
R4(config-std-nacl)#per 180.40.0.0 0.0.255.255                     7.57.0.0 0.0.255.255.
R4(config-std-nacl)#int fa 0/0
R4(config-if)#ip acc      a ip acc
R4(config-if)#ip access
R4(config-if)#ip access-group Mine in
R4(config-if)#int atm 1/0
R4(config-if)#ip access
R4(config-if)#ip access-group No  Outsi d io se  de in
R4(config-if)#exit
R4(config)#ip in
R4(config)#ip inspect ?
  alert-off  Disable alert
  audit-trail  Enable the logging of session information (addresses and bytes)
  dns-timeout  Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name  Specify an inspection rule
  one-minute  Specify one-minute-sample watermarks for clamping
  tcp  Config timeout values for tcp connections
  udp  Config timeout values for udp flows
R4(config)#ip inspect tf cp ?
  block-non-session  Block non-session TCP traffic
  finwait-time  Specify timeout for TCP connections after a FIN
  idle-time  Specify idle timeout for tcp connections
  max-incomplete  Specify max half-open connection per host
  synwait-time  Specify timeout for TCP connections after a SYN and no further data
R4(config)#ip inspect tcp     name Prob2 ?
  cuseeme  CUSeeMe Protocol
  fragment  IP fragment inspection
  ftp  File Transfer Protocol
  h323  H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http  HTTP Protocol
  icmp  ICMP Protocol
  netshow  Microsoft NetShow Protocol
  rcmd  R commands (r-exec, r-login, r-sh)
  realaudio  Real Audio Protocol
  rpc  Remote Prodedure Call Protocol
  rtsp  Real Time Streaming Protocol
  sip  SIP Protocol
  skinny  Skinny Client Control Protocol
  smtp  Simple Mail Transfer Protocol
  sqlnet  SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp  Transmission Control Protocol
  tftp  TFTP Protocol
  udp  User Datagram Protocol
  vdolive  VDOLive Protocol
R4(config)#ip inspect name Prob2
Nov 3 22:23:21.673: %SEC-6-IPACCESSLOGP: list NoOutside denied tcp 192.10.32.254(28849) -> 192.10.32.1(179), 1 packet
R4(config)#ip inspect name Prob2 tcp ?
  alert  Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout  Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 tcp
R4(config)#ip inspect name Prob2 tcp     udp
R4(config)#ip inspect name Prob2 udp   h2 323
R4(config)#int atm 1/0
R4(config-if)#ip in
R4(config-if)#ip inst
R4(config-if)#ip inst
R4(config-if)#ip inspect Prob2 out
R4(config-if)#^Z
R4#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#192.10.32.254
Trying 192.10.32.254 ... Open
CR1>sh ?
% Unrecognized command
CR1>sh    q
[Connection to 192.10.32.254 closed by foreign host]
R3#
RACK98AS>4
[Resuming connection 4 to r4 ... ]
N
R4#sh ip insp
% Incomplete command.
R4#sh ip insp ?
  all  Inspection all available information
  config  Inspection configuration
  interfaces  Inspection interfaces
  name  Inspection name
  sessions  Inspection sessions
R4#sh ip insp all
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name Prob2
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    h323 alert is on audit-trail is off timeout 3600
Interface Configuration
 Interface ATM1/0
  Inbound inspection rule is not set
  Outgoing inspection rule is Prob2
    tcp alert is on audit-trail is off timeout 3600
    udp alert is on audit-trail is off timeout 30
    h323 alert is on audit-trail is off timeout 3600
  Inbound access list is NoOutside
  Outgoing access list is not set
--More--
R4#sh ip insp all     sess
R4#sh ip insp sessions ?
  detail  Detail display of sessions
  |  Output modifiers
R4#sh ip insp sessions
R4#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4#sh ip insp sessions
Established Sessions
 Session 622548B0 (180.40.7.129:15537)=>(192.10.32.254:23) tcp SIS_OPEN
R4#
R4#
R4#
R4#
R4#
Nov 3 22:25:21.678: %SEC-6-IPACCESSLOGP: list NoOutside denied tcp 192.10.32.254(28851) -> 192.10.32.1(179), 1 packet
R4#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#
R3#
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4#sh run | b ip in
ip inspect name Prob2 tcp
ip inspect name Prob2 udp
ip inspect name Prob2 h323
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
--More--
 ip access-group Mine in
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.1 255.255.255.0
 ip access-group NoOutside in
 ip nat outside
 ip inspect Prob2 out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
--More--
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
ip access-list standard Mine
 permit 180.40.0.0 0.0.255.255
 permit 17.57.0.0 0.0.255.255
!
ip access-list extended NoOutside
 permit udp any any eq ntp
 deny ip any any log
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
--More--
R4#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
R1#CONFI GT
^
% Invalid input detected at '^' marker.
R1#confi gt
^
% Invalid input detected at '^' marker.
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#user j JoeUser pri
R1(config)#user JoeUser privilege 5 ?
  access-class  Restrict access by access-class
  autocommand  Automatically issue a command after the user logs in
  callback-dialstring  Callback dialstring
  callback-line  Associate a specific line with this callback
  callback-rotary  Associate a rotary group with this callback
  dnis  Do not require password when obtained via DNIS
  nocallback-verify  Do not require authentication after callback
  noescape  Prevent the user from using an escape character
  nohangup  Do not disconnect after an automatic command
  nopassword  No password is required for the user to log in
  password  Specify the password for the user
  privilege  Set user privilege level
  secret  Specify the secret for the user
  user-maxlinks  Limit the user's number of inbound links
R1(config)#user JoeUser privilege 5
R1(config)#user jb priv 15
R1(config)#priv
R1(config)#privilege ?
  aaa-user  AAA user definition
  accept-dialin  VPDN group accept dialin configuration mode
  accept-dialout  VPDN group accept dialout configuration mode
  address-family  Address Family configuration mode
  aic  Alarm Interface Card configuration mode
  alps-ascu  ALPS ASCU configuration mode
  alps-circuit  ALPS circuit configuration mode
  bba-group  BBA Group configuration mode
  boomerang  Boomerang configuration mode
  cascustom  Cas custom configuration mode
  cause-code-list  Voice Cause Code List configuration mode
  ces-conn  CES connection configuration mode
  ces-vc  CES VC configuration mode
  cgma_agent  CGMA Agent Configuration Mode
  cm-fallback  cm-fallback configuration mode
  cns-connect-config  CNS Connect Info Mode
  cns-connect-intf-config  CNS Connect Intf Info Mode
  cns-tmpl-connect-config  CNS Template Connect Info Mode
  cns_inventory_submode  CNS Inventory SubMode
  config-rtr-http-rr  RTR HTTP raw request Configuration
  configure  Global configuration mode
  congestion  Frame Relay congestion configuration mode
--More--
  controller  Controller configuration mode
  dhcp  DHCP pool configuration mode
  enum_rule  enum configuration mode
  ephone  ephone configuration mode
  ephone-dn  ephone-dn configuration mode
  exec  Exec mode
  filterserver  AAA filter server definitions
  flow-cache  Flow aggregation cache config mode
  fr-fr  FR/FR connection configuration mode
  frf5  FR/ATM Network IWF configuration mode
  frf8  FR/ATM Service IWF configuration mode
  gateway  Gateway configuration mode
  gw-accounting-aaa  Gateway accounting aaa configuration mode
  interface  Interface configuration mode
  interface-dlci  Frame Relay dlci configuration mode
  interface-range  Interface range configuration mode
  ip-explicit-path  IP explicit path configuration mode
  ip-vrf  Configure IP VRF parameters
  ipenacl  IP named extended access-list configuration mode
  ipsnacl  IP named simple access-list configuration mode
  ipv6-router  IPv6 router configuration mode
  ipv6acl  IPv6 access-list configuration mode
  ipx-router  IPX router configuration mode
--More--
R1(config)#privilege exec
R1(config)#privilege exec ?
  all  All suboption will be set to the samelevel
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege exec le
R1(config)#privilege exec level 5 ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege exec level 5 config t
R1(config)#privilege exec level 5 config t          show run
R1(config)#privilege exec level 5 show run\                      con
R1(config)#privilege confi
R1(config)#privilege configu
R1(config)#privilege configure ?
  all  All suboption will be set to the samelevel
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege configure level 1 5 ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege configure level 5                             sn,
R1(config)#sn,
R1(config)#snm
R1(config)#snmp?
snmp  snmp-server
R1(config)#snmp-s
R1(config)#snmp-server ?
  chassis-id  String to uniquely identify this chassis
  community  Enable SNMP; set community string and access privs
  contact  Text for mib object sysContact
  drop  Silently drop SNMP packets
  enable  Enable SNMP Traps or Informs
  engineID  Configure a local or remote SNMPv3 engineID
  group  Define a User Security Model group
  host  Specify hosts to receive SNMP notifications
  ifindex  Enable ifindex persistence
  inform  Configure SNMP Informs options
  location  Text for mib object sysLocation
  manager  Modify SNMP manager parameters
  packetsize  Largest SNMP packet size
  queue-length  Message queue length for each TRAP host
  source-interface  Assign an source interface
  system-shutdown  Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap  SNMP trap options
  trap-source  Assign an interface for the source address of all traps
  trap-timeout  Set timeout for TRAP message retransmissions
  user  Define a user who can access the SNMP engine
  view  Define an SNMPv2 MIB view
--More--
R1(config)#snmp-server om  com ?
  WORD  SNMP community string
R1(config)#snmp-server com WORD / ?
  <1-99>  Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  ro  Read-only access with this community string
  rw  Read-write access with this community string
  view  Restrict this community to a named MIB view
R1(config)#snmp-server com WORD                      privilege exec level 5 config tuser jb priv 15 privilege exec level 5 config t                     configu level 5 snmp-server com
R1(config)#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
S5#^x
RACK98AS>1
[Resuming connection 1 to r1 ... ]
R1(config)#int     line vty 0 4
R1(config-line)#login local
R1(config-line)#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
User Access Verification
Username: JoeUser
Password:
R1#
R1#
R1#
R1#
R1#sh run
Building configuration...
Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end
R1#
R1#
R1#
R1#conf
R1#configure ?
  terminal  Configure from the terminal
R1#configure
Configuring from terminal, memory, or network [terminal]? n
Invalid privileges
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#sn
R1(config)#snmp-server ?
  community  Enable SNMP; set community string and access privs
R1(config)#snmp-server com ?
  WORD  SNMP community string
R1(config)#snmp-server com test ?
  <1-99>  Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)#snmp-server com test
R1(config)#
[Special telnet escape help]
^^B sends telnet BREAK
^^C sends telnet IP
^^H sends telnet EC
^^O sends telnet AO
^^T sends telnet AYT
^^U sends telnet EL
R1(config)#
R1(config)#
R1(config)#
R1(config)#
RACK98AS>
[Resuming connection 5 to r5 ... ]
R1(config)#
R1(config)#^Z
R1#sh run
Building configuration...
Current configuration : 83 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
snmp-server community test RO
!
end
R1#
R1#
R1#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
*
R1(config-line)#login localine vty 0 4privilege configu level 5 snmp-server com WORD rw  rw ?
% Unrecognized command
R1(config-line)#privilege configu level 5 snmp-server com WORD rw    rw
R1(config)#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
R1#sh run config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#snmp-server com test ?
  <1-99>  Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  rw  Read-write access with this community string
R1(config)#snmp-server com test                      ^Z
R1#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
*Mar 1 01:35:30.204: %SYS-5-CONFIG_I: Configured from console by JoeUser on vty0 (17.57.100.2)
R1(config)#
R1(config)#^Z
R1#sh run | b
*Mar 1 01:35:33.406: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b priv    snmp-ser
snmp-server community test RO
!
!
!
privilege configure level 5 snmp-server community
privilege configure level 5 snmp-server
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show running-config
privilege exec level 5 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
!
end
R1#
R1#sh run| b  | b | b user
username JoeUser privilege 5
username jb privilege 15
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
--More--
R1#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#17.57.100.1
Trying 17.57.100.1 ... Open
User Access Verification
Username: jb
Password:
R1#sh level
^
% Invalid input detected at '^' marker.
R1#sh level     priv
Current privilege level is 15
R1#
R1#
R1#
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK98AS>2
[Resuming connection 2 to r2 ... ]
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#do sh clock
*01:36:49.214 UTC Mon Mar 1 1993
R2(config)#tim
R2(config)#time-range ?
  WORD  Time range name
R2(config)#time-range Prob4
R2(config-time-range)#?
Time range configuration commands:
  absolute  absolute time and date
  default  Set a command to its defaults
  exit  Exit from time-range configuration mode
  no  Negate a command or set its defaults
  periodic  periodic time and date
R2(config-time-range)#per
R2(config-time-range)#periodic ?
  Friday  Friday
  Monday  Monday
  Saturday  Saturday
  Sunday  Sunday
  Thursday  Thursday
  Tuesday  Tuesday
  Wednesday  Wednesday
  daily  Every day of the week
  weekdays  Monday thru Friday
  weekend  Saturday and Sunday
R2(config-time-range)#periodic weekda
R2(config-time-range)#periodic weekdays ?
  hh:mm  Starting time
R2(config-time-range)#periodic weekdays 11:00         7:00 to ?
  hh:mm  Ending time - stays valid until beginning of next minute
R2(config-time-range)#periodic weekdays 7:00 to  22:00
R2(config-time-range)#exit
R2(config)#access-list 100               do sh run | b access-list
R2(config)#access-list 100 per any iany pany  any any any tim
R2(config)#access-list 100 per ip any any time-range Prob2
R2(config)#access-list 100 per ip any any time-range Prob2 4
R2(config)#access-list 100 per ip any any time-range Prob4naccess-list 100 per ip any any time-range Prob4oaccess-list 100 per ip any any time-range Prob4 access-list 100 per ip any any time-range Prob4
R2(config)#no access-list 100 per ip any any time-range Prob4access-list 100 per ip any any time-range Prob4
R2(config)#line vty 0 4
R2(config-line)#access
R2(config-line)#access-class ?
  <1-199>  IP access list
  <1300-2699>  IP expanded access list
  WORD  Access-list name
R2(config-line)#access-class 100 ui  in ?
  vrf-also  Same access list is applied for all VRFs
R2(config-line)#access-class 100 in
R2(config-line)#do sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (inactive)
R2(config-line)#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1.1 1.1
Trying 17.57.101.1 ...
% Connection refused by remote host
S5#
RACK98AS>2
[Resuming connection 2 to r2 ... ]
R2(config-line)#exit
R2(config)#net server 180.40.7.98
^
% Invalid input detected at '^' marker.
R2(config)#net server 180.40.7.98 server 180.40.7.98  server 180.40.7.98 t server 180.40.7.98p server 180.40.7.98
R2(config)#clock tim
R2(config)#clock timezone PST 0 -8
R2(config)#^Z
R2#sh clock
14:36:16.891 PST Fri Nov 3 2006
R2#
Nov 3 22:36:15.213: %SYS-5-CONFIG_I: Configured from console by console
R2#sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (active)
R2#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
17.57.101.1
Trying 17.57.101.1 ... Open
R2#
R2#
R2#
R2#q
[Connection to 17.57.101.1 closed by foreign host]
S5#
S5#
RACK98AS>2
[Resuming connection 2 to r2 ... ]
R2#sh run | b access-l
access-list 100 permit ip any any time-range Prob4
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 no login
!
ntp server 180.40.7.98
time-range Prob4
 periodic weekdays 7:00 to 22:00
!
--More--
R2#
RACK98AS>4
[Resuming connection 4 to r4 ... ]
No
R4#confi gt
^
% Invalid input detected at '^' marker.
R4#config t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int atm 1/0
R4(config-if)#no ip insp
R4(config-if)#no ip inspect Prob2 out
R4(config-if)#no access-l gr
R4(config-if)#no access-gr  iaccess-paccess- access-access-gr 100 in
R4(config-if)#do sh run int atm 1/0/
sh run int atm 1/0/
^
% Invalid input detected at '^' marker.
R4(config-if)#do sh run int atm 1/0/
Building configuration...
Current configuration : 153 bytes
!
interface ATM1/0
 ip address 192.10.32.1 255.255.255.0
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
end
R4(config-if)#exit
R4(config)#ip access-list ex Prob5out
R4(config-ext-nacl)#per ip any any ?
  dscp  Match packets with given dscp value
  fragments  Check non-initial fragments
  log  Log matches against this entry
  log-input  Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  reflect  Create reflexive access list entry
  time-range  Specify a time-range
  tos  Match packets with given TOS value
R4(config-ext-nacl)#per ip any any refl
R4(config-ext-nacl)#per ip any any reflect ?
  WORD  Access-list name
R4(config-ext-nacl)#per ip any any reflect Prob5
R4(config-ext-nacl)#per ip any any reflect Prob5ip access-list ex Prob5out    in
R4(config-ext-nacl)#per udp any any nt  eq ntp
R4(config-ext-nacl)#evl
R4(config-ext-nacl)#evl
R4(config-ext-nacl)#evaluate ?
  WORD  IP reflexive access list name
R4(config-ext-nacl)#evaluate Prob5 ?
R4(config-ext-nacl)#evaluate Prob5
R4(config-ext-nacl)#den ip any any log
R4(config-ext-nacl)#int atm 1/0
R4(config-if)#ip access
R4(config-if)#ip access-group Prob5out out
R4(config-if)#ip access-group Prob5out out       in in
R4(config-if)#^Z
R4#sh acce
Nov 3 22:39:55.029: %SYS-5-CONFIG_I: Configured from console by console
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Standard IP access list Mine
    10 permit 180.40.0.0, wildcard bits 0.0.255.255 (208 matches)
    20 permit 17.57.0.0, wildcard bits 0.0.255.255 (57 matches)
Extended IP access list NoOutside
    10 permit udp any any eq ntp (42 matches)
    20 deny ip any any log (8 matches)
Reflexive IP access list Prob5
Extended IP access list Prob5in
    10 permit udp any any eq ntp
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5out
    10 permit ip any any reflect Prob5
R4#^x3
% Unknown command or computer name, or unable to find computer address
R4#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
CR1>
CR1>
CR1>
CR1>
CR1>
CR1>
CR1>^x
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4#^x3
% Unknown command or computer name, or unable to find computer address
R4#^x3sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Standard IP access list Mine
    10 permit 180.40.0.0, wildcard bits 0.0.255.255 (237 matches)
    20 permit 17.57.0.0, wildcard bits 0.0.255.255 (57 matches)
Extended IP access list NoOutside
    10 permit udp any any eq ntp (42 matches)
    20 deny ip any any log (8 matches)
Reflexive IP access list Prob5
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.1 eq 28400 (101 matches) (time left 296)
Extended IP access list Prob5in
    10 permit udp any any eq ntp
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5out
    10 permit ip any any reflect Prob5 (47 matches)
R4#
R4#
R4#
R4#^x3
RACK98AS>3
[Resuming connection 3 to r3 ... ]
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#
R3#
R3#
RACK98AS>4
[Resuming connection 4 to r4 ... ]
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Standard IP access list Mine
    10 permit 180.40.0.0, wildcard bits 0.0.255.255 (251 matches)
    20 permit 17.57.0.0, wildcard bits 0.0.255.255 (60 matches)
Extended IP access list NoOutside
    10 permit udp any any eq ntp (42 matches)
    20 deny ip any any log (8 matches)
Reflexive IP access list Prob5
    permit tcp host 192.10.32.254 eq telnet host 192.10.32.1 eq 28400 (127 matches) (time left 2)
Extended IP access list Prob5in
    10 permit udp any any eq ntp (3 matches)
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5out
    10 permit ip any any reflect Prob5 (58 matches)
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Standard IP access list Mine
    10 permit 180.40.0.0, wildcard bits 0.0.255.255 (251 matches)
    20 permit 17.57.0.0, wildcard bits 0.0.255.255 (60 matches)
Extended IP access list NoOutside
    10 permit udp any any eq ntp (42 matches)
    20 deny ip any any log (8 matches)
Reflexive IP access list Prob5
Extended IP access list Prob5in
    10 permit udp any any eq ntp (3 matches)
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5out
    10 permit ip any any reflect Prob5 (58 matches)
R4#  ash     sh erun      run | b 1/0
interface ATM1/0
 ip address 192.10.32.1 255.255.255.0
 ip access-group Prob5in in
 ip access-group Prob5out out
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
no ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
--More--
Nov 3 22:41:21.770: %SEC-6-IPACCESSLOGP: list Prob5in denied tcp 192.10.32.254(28867) -> 192.10.32.1(179), 1 packet
--More--
 permit 17.0.0.0 0.255.255.255
ip access-list standard Mine
 permit 180.40.0.0 0.0.255.255
 permit 17.57.0.0 0.0.255.255
!
ip access-list extended NoOutside
 permit udp any any eq ntp
 deny ip any any log
ip access-list extended Prob5in
 permit udp any any eq ntp
 evaluate Prob5
 deny ip any any log
ip access-list extended Prob5out
 permit ip any any reflect Prob5
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
--More--
R4#^x1
% Unknown command or computer name, or unable to find computer address
R4#
R4#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa
R1(config)#aaa new
R1(config)#aaa new-model ?
R1(config)#aaa new-model
R1(config)#aa
R1(config)#aa  tac
R1(config)#tacacs-server ?
  administration Start tacacs+ daemon handling administrative messages
  directed-request Allow user to specify tacacs server to use with `@server'
  dns-alias-lookup Enable IP Domain Name System Alias lookup for TACACS servers
  host Specify a TACACS server
  key Set TACACS+ encryption key.
  packet Modify TACACS+ packet options
  timeout Time to wait for a TACACS server to reply
R1(config)#tacacs-server host ?
  Hostname or A.B.C.D IP address of TACACS server
R1(config)#tacacs-server host 17.57.100.99 ?
  key per-server encryption key (overrides default)
  nat To send client's post NAT address to tacacs+ server
  port TCP port for TACACS+ server (default is 49)
  single-connection Multiplex all packets over a single tcp connection to server (for CiscoSecure)
  timeout Time to wait for this TACACS server to reply (overrides default)
R1(config)#tacacs-server host 17.57.100.99 key ?
  0 Specifies an UNENCRYPTED key will follow
  7 Specifies HIDDEN key will follow
  LINE The UNENCRYPTED (cleartext) shared key
R1(config)#tacacs-server host 17.57.100.99 key MyKey ?
  LINE
R1(config)#tacacs-server host 17.57.100.99 key MyKey
R1(config)#aaa
R1(config)#aaa authen
R1(config)#aaa authentication ?
  arap Set authentication lists for arap.
  attempts Set the maximum number of authentication attempts
  banner Message to use when starting login/authentication.
  enable Set authentication list for enable.
  fail-message Message to use for failed login/authentication.
  login Set authentication lists for logins.
  password-prompt Text to use when prompting for a password
  ppp Set authentication lists for ppp.
  sgbp Set authentication lists for sgbp.
  username-prompt Text to use when prompting for a username
R1(config)#aaa authentication lo
R1(config)#aaa authentication login ?
  WORD Named authentication list.
  default The default authentication list.
R1(config)#aaa authentication login def
R1(config)#aaa authentication login default         prob    Prob5     default ?
  enable Use enable password for authentication.
  group Use Server-group
  krb5 Use Kerberos 5 authentication.
  krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
  line Use line password for authentication.
  local Use local username authentication.
  local-case Use case-sensitive local username authentication.
  none NO authentication.
R1(config)#aaa authentication login default none
R1(config)#aaa ai uthen
R1(config)#aaa authentication logio n Prob6 ?
  enable Use enable password for authentication.
  group Use Server-group
  krb5 Use Kerberos 5 authentication.
  krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
  line Use line password for authentication.
  local Use local username authentication.
  local-case Use case-sensitive local username authentication.
  none NO authentication.
R1(config)#aaa authentication login Prob6 grou > ?
  WORD Server-group name
  radius Use list of all Radius hosts.
  tacacs+ Use list of all Tacacs+ hosts.
R1(config)#aaa authentication login Prob6 grou tac
R1(config)#aaa authentication login Prob6 grou tacacs+ ?
  enable Use enable password for authentication.
  group Use Server-group
  krb5 Use Kerberos 5 authentication.
  line Use line password for authentication.
  local Use local username authentication.
  local-case Use case-sensitive local username authentication.
  none NO authentication.
R1(config)#aaa authentication login Prob6 grou tacacs+ local ?
  enable Use enable password for authentication.
  group Use Server-group
  krb5 Use Kerberos 5 authentication.
  line Use line password for authentication.
  none NO authentication.
R1(config)#aaa authentication login Prob6 grou tacacs+ local
R1(config)#i line vty 0 4
R1(config-line)#login authen Prob6
R1(config-line)#^Z
R1#sh run |
*Mar 1 01:48:13.383: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b aaa
aaa new-model
!
!
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
--More--
R1#[Ash run | b aaa   user
username JoeUser privilege 5
username jb privilege 15
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
--More--
R1#[Ash run | b useraaa
aaa new-model
!
!
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
--More--
username JoeUser privilege 5
username jb privilege 15
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
--More--
!
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
no ip http server
ip classless
!
!
!
!
tacacs-server host 17.57.100.99 key MyKey
tacacs-server directed-request
snmp-server community test RO
!
!
!
privilege configure level 5 snmp-server community
privilege configure level 5 snmp-server
--More--
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show running-config
privilege exec level 5 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login authentication Prob6
!
!
end
R1#
R1#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
17.57.101.10.1
Trying 17.57.100.1 ...
Open
Username: jb
Password:
R1#sh priv
Current privilege level is 15
R1#sh priv sh priv q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#17.57.100.1
Trying 17.57.100.1 ... Open
Username: JoeUser
Password:
R1#sh priv
Current privilege level is 15
R1#
R1#
R1#
R1#
R1#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
R1#sh run | b line
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login authentication Prob6
!
!
end
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int     k line vty 0 4
R1(config-line)#no privilege level 15
R1(config-line)#^Z
R1#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
Username: JoeUser
Password:
R1>q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
*Mar 1 01:50:27.796: %SYS-5-CONFIG_
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa authen
R1(config)#aaa authen ?
  arap Set authentication lists for arap.
  attempts Set the maximum number of authentication attempts
  banner Message to use when starting login/authentication.
  enable Set authentication list for enable.
  fail-message Message to use for failed login/authentication.
  login Set authentication lists for logins.
  password-prompt Text to use when prompting for a password
  ppp Set authentication lists for ppp.
  sgbp Set authentication lists for sgbp.
  username-prompt Text to use when prompting for a username
R1(config)#aaa authen user
R1(config)#aaa authen username-prompt ?
  WORD Text of prompt
R1(config)#aaa authen username-prompt CCIEWantabe: "CCIEWantabe: CCIEWantabe: "
R1(config)#aaa authen pass
R1(config)#aaa authen password-prompt ""CCIEToBe  : "
^
% Invalid input detected at '^' marker.
R1(config)#aaa authen password-prompt ""CCIEToBe: ""CCIEToBe: "
R1(config)#
RACK98AS>5
[Resuming connection 5 to r5 ...
]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
CCIEWantabe: JoeUser
CCIEToBe:
R1>q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK98AS>1
[Resuming connection 1 to r1 ... ]
R1(config)#^Z
R1#sh run
*Mar 1 01:52:18.000: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b aaa
aaa new-model
!
!
aaa authentication password-prompt "CCIEToBe: "
aaa authentication username-prompt "CCIEWantabe: "
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
!
!
!
!
!
!
!
--More--
R1#c onfig t
% Ambiguous command: "c onfig t"
R1#config t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaaq    authen ban
R1(config)#aaa authen banner ?
  LINE c message-text c, where 'c' is a delimiting character
R1(config)#aaa authen banner                   na  bann
R1(config)#banner ?
  LINE c banner-text c, where 'c' is a delimiting character
  exec Set EXEC process creation banner
  incoming Set incoming terminal line banner
  login Set login banner
  motd Set Message of the Day banner
  prompt-timeout Set Message for login authentication timeout
  slip-ppp Set Message for SLIP/PPP
R1(config)#banner motd ?
  LINE c banner-text c, where 'c' is a delimiting character
R1(config)#banner motd             aaa authen ban
R1(config)#aaa authen banner ?
  LINE c message-text c, where 'c' is a delimiting character
R1(config)#aaa authen banner                   ban
R1(config)#banner motd ?
  LINE c banner-text c, where 'c' is a delimiting character
R1(config)#banner motd %
Enter TEXT message. End with the character '%'.
Keep out %
R1(config)#^Z
R1#sh
*Mar 1 01:53:55.781: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b bann
banner motd ^C Keep out ^C
privilege configure level 5 snmp-server community
privilege configure level 5 snmp-server
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show running-config
privilege exec level 5 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login authentication Prob6
!
!
end
R1#
R1#
RACK98AS>5
[Resuming connection 5 to r5 ... ]
17.57.100.1
Trying 17.57.100.1 ... Open
Keep out
CCIEWantabe:
CCIEWantabe:
CCIEWantabe:
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#configt
Translating "configt"
Translating "configt"
% Unknown command or computer name, or unable to find computer address
R3#confi g t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#user Geogre pass boscoe pass bosco e pass bosco re pass boscoge pass boscoe pass bosco
R3(config)#do sh access-list
R3(config)#ip access-list e  x Prob9
R3(config-ext-nacl)#?
Ext Access List configuration commands:
  <1-2147483647> Sequence Number
  default Set a command to its defaults
  deny Specify packets to reject
  dynamic Specify a DYNAMIC list of PERMITs or DENYs
  evaluate Evaluate an access list
  exit Exit from access-list configuration mode
  no Negate a command or set its defaults
  permit Specify packets to forward
  remark Access list entry comment
R3(config-ext-nacl)#ex
R3(config)#access-list 100 ?
  deny Specify packets to reject
  dynamic Specify a DYNAMIC list of PERMITs or DENYs
  permit Specify packets to forward
  remark Access list entry comment
R3(config)#access-list 100 ex ip access-list ex Prob9
R3(config-ext-nacl)#per 180   tcp 180.40.7.128 0.0.0.31 ?
  A.B.C.D Destination address
  any Any destination host
  eq Match only packets on a given port number
  gt Match only packets with a greater port number
  host A single destination host
  lt Match only packets with a lower port number
  neq Match only packets not on a given port number
  range Match only packets in the range of port numbers
R3(config-ext-nacl)#per tcp 180.40.7.128 0.0.0.31 180.    host 180.40.7.129 ?
  ack Match on the ACK bit
  dscp Match packets with given dscp value
  eq Match only packets on a given port number
  established Match established connections
  fin Match on the FIN bit
  fragments Check non-initial fragments
  gt Match only packets with a greater port number
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  lt Match only packets with a lower port number
  neq Match only packets not on a given port number
  precedence Match packets with given precedence value
  psh Match on the PSH bit
  range Match only packets in the range of port numbers
  reflect Create reflexive access list entry
  rst Match on the RST bit
  syn Match on the SYN bit
  time-range Specify a time-range
  tos Match packets with given TOS value
  urg Match on the URG bit
R3(config-ext-nacl)#per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
R3(config-ext-nacl)#den ip        dy
R3(config-ext-nacl)#dynamic ?
  WORD Name of a Dynamic list
R3(config-ext-nacl)#dynamic Prob9 ?
  deny Specify packets to reject
  exit Exit from access-list configuration mode
  permit Specify packets to forward
  timeout Maximum time for dynamic ACL to live
R3(config-ext-nacl)#dynamic Prob9 per ip any any
% An access list with this name already exists
R3(config-ext-nacl)#dynamic Prob9 per ip any any9a per ip any any
R3(config-ext-nacl)#den ip 180.40.7.128 0.0.0.21  31 any
R3(config-ext-nacl)#per ip any any
R3(config-ext-nacl)#exit
R3(config)#exitper ip any anyden ip 180.40.7.128 0.0.0.31 anyynamic Prob9a per ip any any  per ip any any per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnetip access-list ex Prob9 ex ip access-list ex Prob9do sh access-list user George pass bosco ?
  LINE
R3(config)#user George pass bosco            ?
  access-class Restrict access by access-class
  autocommand Automatically issue a command after the user logs in
  callback-dialstring Callback dialstring
  callback-line Associate a specific line with this callback
  callback-rotary Associate a rotary group with this callback
  dnis Do not require password when obtained via DNIS
  nocallback-verify Do not require authentication after callback
  noescape Prevent the user from using an escape character
  nohangup Do not disconnect after an automatic command
  nopassword No password is required for the user to log in
  password Specify the password for the user
  privilege Set user privilege level
  secret Specify the secret for the user
  user-maxlinks Limit the user's number of inbound links
R3(config)#user George auto
R3(config)#user George autocommand ?
  LINE Command to be automatically issued after the user logs in
R3(config)#user George autocommand acess   cess-enable ?
  LINE
R3(config)#user George autocommand access-enable tiom   imeout 2
R3(config)#user George autocommand access-enable timeout 2exit per ip any anyden ip 180.40.7.128 0.0.0.31 anyynamic Prob9a per ip any any  per ip any any per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnetip access-list ex Prob9 ex ip access-list ex Prob9ex ip access-list ex Prob9
R3(config-ext-nacl)#do sh access-list
Extended IP access list Prob9
    10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
    20 Dynamic Prob9a permit ip any any
    30 deny ip 180.40.7.128 0.0.0.31 any
    40 permit ip any any
R3(config-ext-nacl)#no 20
R3(config-ext-nacl)#20 Dynamic Prob9a permit ip any any ?
  dscp Match packets with given dscp value
  fragments Check non-initial fragments
  log Log matches against this entry
  log-input Log matches against this entry, including input interface
  precedence Match packets with given precedence value
  time-range Specify a time-range
  tos Match packets with given TOS value
R3(config-ext-nacl)#20 Dynamic Prob9a permit ip any any                           Prob9a ?
  deny Specify packets to reject
  exit Exit from access-list configuration mode
  permit Specify packets to forward
  timeout Maximum time for dynamic ACL to live
R3(config-ext-nacl)#20 Dynamic Prob9a tim
R3(config-ext-nacl)#20 Dynamic Prob9a timeout ?
  <1-9999> Maximum time to live
R3(config-ext-nacl)#20 Dynamic Prob9a timeout 60 per ip any any
R3(config-ext-nacl)#^Z
R3#
Nov 3 22:56:30.627: %SYS-5-CONFIG_I: Configured from
RACK98AS>2
[Resuming connection 2 to r2 ... ]
R2#
RACK98AS>6
[Resuming connection 6 to r6 ... ]
S6#180.40.7.2
Trying 180.40.7.2 ... Open
R2#q
[Connection to 180.40.7.2 closed by foreign host]
S6#
S6#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int fa 0/1
R3(config-if)#ip access
R3(config-if)#ip access-group Prob9 in
R3(config-if)#^Z
R3#
RACK98AS>6
[Resuming connection 6 to r6 ... ]
S6#180.40.7.2
Trying 180.40.7.2 ...
% Destination unreachable; gateway or host down
S6#180.40.7.2 129
Trying 180.40.7.129 ... Open
R3#
RACK98AS>
[Resuming connection 6 to r6 ... ]
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#exut
^
% Invalid input detected at '^' marker.
R3(config-line)#exit
R3(config)#user jb
R3(config)#^Z
R3#q
[Connection to 180.40.7.129 closed by foreign host]
S6#
S6#180.40.7.129
Trying 180.40.7.129 ... Open
User Access Verification
Username: Ger orge
Password:
[Connection to 180.40.7.129 closed by foreign host]
S6#180.40.7.1292
Trying 180.40.7.2 ...
% Destination unreachable; gateway or host down
S6#180.40.7.2
Trying 180.40.7.2 ...
% Destination unreachable; gateway or host down
S6#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
Nov 3 22:57:04
R3#sh
Nov 3 22:57:54.169: %OSPF-5-ADJCHG: Process 1, Nbr 180.40.7.130 on FastEthernet0/1 from LOADING to FULL, Loading Done
R3#sh run     ip access-list
Extended IP access list Prob9
    10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet (357 matches)
    20 Dynamic Prob9a permit ip any any
       permit ip any any (10 matches) (time left 118)
    30 deny ip 180.40.7.128 0.0.0.31 any (8 matches)
    40 permit ip any any
R3#sh ip access-list
Extended IP access list Prob9
    10 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet (357 matches)
    20 Dynamic Prob9a permit ip any any
       permit ip any any (13 matches) (time left 114)
    30 deny ip 180.40.7.128 0.0.0.31 any (8 matches)
    40 permit ip any any
R3#
RACK98AS>6
[Resuming connection 6 to r6 ... ]
02:0180.40.7.2
Trying 180.40.7.2 ... Open
R2#
R2#
R2#
R2#q
[Connection to 180.40.7.2 closed by foreign host]
S6#
S6#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#sh run | b user
username George password 0 bosco
username George autocommand access-enable timeout 2
username jb
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
--More--
 ip access-group Prob9 in
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 180.40.7.33 255.255.255.224
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 180.40.7.34 301 broadcast
 frame-relay map ip 180.40.7.35 302 broadcast
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
--More--
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
--More--
!
ip access-list extended Prob9
 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
 dynamic Prob9a timeout 60 permit ip any any
 deny ip 180.40.7.128 0.0.0.31 any
 permit ip any any
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
--More--
!
ntp authentication-key 1 md5 062B161545430C 7
ntp clock-period 17208100
ntp server 180.40.7.98 key 1
!
end
R3#
R3#
RACK98AS>2
[Resuming connection 2 to r2 ... ]
R2#conf    sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (active) (6 matches)
R2#configt  t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
R2(config)#access-list 101 tcp     per tcp any 17.57.101.0 0.0.0.255
R2(config)#ip tcp ?
  async-mobility Configure async-mobility
  chunk-size TCP chunk size
  intercept Enable TCP intercepting
  mss TCP initial maximum segment size
  path-mtu-discovery Enable path-MTU discovery on new TCP connections
  queuemax Maximum queue of outgoing TCP packets
  selective-ack Enable TCP selective-ACK
  synwait-time Set time to wait on new TCP connections
  timestamp Enable TCP timestamp option
  window-size TCP window size
R2(config)#ip tcp int
R2(config)#ip tcp intercept ?
  connection-timeout Specify timeout for connection info
  drop-mode Specify incomplete connection drop mode
  finrst-timeout Specify timeout for FIN/RST
  list Specify access-list to use
  max-incomplete Specify maximum number of incomplete connections before clamping
  mode Specify intercepting mode
  one-minute Specify one-minute-sample watermarks for clamping
  watch-timeout Specify timeout for incomplete connections in watch mode
R2(config)#ip tcp intercept list ?
  <100-199> Extended access list number for intercept
  WORD Access list name for intercept
R2(config)#ip tcp intercept list 101 ?
R2(config)#ip tcp intercept list 101
R2(config)#sh run |        ^Z
R2# sh ru
Nov 3 23:01:15.100: %SYS-5-CONFIG_I: Configured from console by console
R2# sh run |           confi g t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#
R2(config)#ip tcp in
R2(config)#ip tcp intercept ?
  connection-timeout Specify timeout for connection info
  drop-mode Specify incomplete connection drop mode
  finrst-timeout Specify timeout for FIN/RST
  list Specify access-list to use
  max-incomplete Specify maximum number of incomplete connections before clamping
  mode Specify intercepting mode
  one-minute Specify one-minute-sample watermarks for clamping
  watch-timeout Specify timeout for incomplete connections in watch mode
R2(config)#ip tcp intercept mode ?
  intercept Intercept connections
  watch Watch connections
R2(config)#ip tcp intercept mode in
R2(config)#ip tcp intercept mode intercept ?
R2(config)#ip tcp intercept mode intercept
R2(config)#^Z
R2#sh
Nov 3 23:02:12.334: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | b   i ip      ip tcp
ip tcp intercept list 101
R2#sh run | b     i access-list 101
access-list 101 permit tcp any 17.57.101.0 0.0.0.255
R2#
R2#confi gt
^
% Invalid input detected at '^' marker.
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#cry
R2(config)#crypto ?
  ca Certification authority
  dynamic-map Specify a dynamic crypto map template
  identity Enter a crypto identity list
  ipsec Configure IPSEC policy
  isakmp Configure ISAKMP policy
  key Long term key operations
  keyring Key ring commands
  map Enter a crypto map
  mib Configure Crypto-related MIB Parameters
  xauth X-Auth parameters
R2(config)#crypto is
R2(config)#crypto isakmp ?
  aggressive-mode Disable ISAKMP aggressive mode
  client Set client configuration policy
  enable Enable ISAKMP
  identity Set the identity which ISAKMP will use
  keepalive Set a keepalive interval for use with IOS peers
  key Set pre-shared key for remote peer
  nat Set a nat keepalive interval for use with IOS peers
  peer Set Peer Policy
  policy Set policy for an ISAKMP protection suite
  profile Define ISAKMP Profiles
  xauth Set Extended Authentication values
R2(config)#crypto isakmp pol
R2(config)#crypto isakmp policy ?
  <1-10000> Priority of protection suite
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#?
ISAKMP commands:
  authentication Set authentication method for protection suite
  default Set a command to its defaults
  encryption Set encryption algorithm for protection suite
  exit Exit from ISAKMP protection suite configuration mode
  group Set the Diffie-Hellman group
  hash Set hash algorithm for protection suite
  lifetime Set lifetime for ISAKMP security association
  no Negate a command or set its defaults
R2(config-isakmp)#authe
R2(config-isakmp)#authentication ?
  pre-share Pre-Shared Key
  rsa-encr Rivest-Shamir-Adleman Encryption
  rsa-sig Rivest-Shamir-Adleman Signature
R2(config-isakmp)#authentication pr
R2(config-isakmp)#authentication pre-share ?
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#eixt
^
% Invalid input detected at '^' marker.
R2(config-isakmp)#exit
R2(config)#cy
R2(config)#cyr
R2(config)#cyr  ry
R2(config)#crypto ?
  ca Certification authority
  dynamic-map Specify a dynamic crypto map template
  identity Enter a crypto identity list
  ipsec Configure IPSEC policy
  isakmp Configure ISAKMP policy
  key Long term key operations
  keyring Key ring commands
  map Enter a crypto map
  mib Configure Crypto-related MIB Parameters
  xauth X-Auth parameters
R2(config)#crypto key ?
  generate Generate new keys
  pubkey-chain Peer public key chain management
  zeroize Remove keys
R2(config)#crypto key     is
R2(config)#crypto isakmp ?
  aggressive-mode Disable ISAKMP aggressive mode
  client Set client configuration policy
  enable Enable ISAKMP
  identity Set the identity which ISAKMP will use
  keepalive Set a keepalive interval for use with IOS peers
  key Set pre-shared key for remote peer
  nat Set a nat keepalive interval for use with IOS peers
  peer Set Peer Policy
  policy Set policy for an ISAKMP protection suite
  profile Define ISAKMP Profiles
  xauth Set Extended Authentication values
R2(config)#crypto isakmp key ?
  WORD pre-shared key
R2(config)#crypto isakmp key cisco ?
  address define shared key with IP address
  hostname define shared key with hostname
R2(config)#crypto isakmp key cisco add ?
  A.B.C.D Peer IP address
R2(config)#crypto isakmp key cisco add 180.40.7.3 ?
  A.B.C.D Peer IP subnet mask
  no-xauth Bypasses XAuth for this peer
R2(config)#crypto isakmp key cisco add 180.40.7.3
R2(config)#exi   do sh access-list
Extended IP access list 100
    10 permit ip any any time-range Prob4 (active) (6 matches)
Extended IP access list 101
    10 permit tcp any 17.57.101.0 0.0.0.255
R2(config)#access-list 1202   02 e den ospf any any
R2(config)#access-list 102 den ospf any any                udp any any eq ne tp
^
% Invalid input detected at '^' marker.
R2(config)#access-list 102 udp any any eq ntpdudp any any eq ntpeudp any any eq ntpnudp any any eq ntp udp any any eq ntp
R2(config)#access-list 102 pwer     er ip any any
R2(config)#cry
R2(config)#crypto ?
  ca Certification authority
  dynamic-map Specify a dynamic crypto map template
  identity Enter a crypto identity list
  ipsec Configure IPSEC policy
  isakmp Configure ISAKMP policy
  key Long term key operations
  keyring Key ring commands
  map Enter a crypto map
  mib Configure Crypto-related MIB Parameters
  xauth X-Auth parameters
R2(config)#crypto ip
R2(config)#crypto ipsec ?
  client Configure a client
  df-bit Handling of encapsulated DF bit.
  fragmentation Handling of fragmentation of near-MTU sized packets
  nat-transparency IPsec NAT transparency model
  optional Enable optional encryption for IPSec
  profile Configure an ipsec policy profile
  security-association Security association parameters
  transform-set Define transform and settings
R2(config)#crypto ipsec tra
R2(config)#crypto ipsec transform-set ?
  WORD Transform set tag
R2(config)#crypto ipsec transform-set Prob11
% Incomplete command.
R2(config)#crypto ipsec transform-set Prob11 ?
  ah-md5-hmac AH-HMAC-MD5 transform
  ah-sha-hmac AH-HMAC-SHA transform
  comp-lzs IP Compression using the LZS compression algorithm
  esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes ESP transform using AES cipher
  esp-des ESP transform using DES cipher (56 bits)
  esp-md5-hmac ESP transform using HMAC-MD5 auth
  esp-null ESP transform w/o cipher
  esp-sha-hmac ESP transform using HMAC-SHA auth
R2(config)#crypto ipsec transform-set Prob11 ah
R2(config)#crypto ipsec transform-set Prob11 ah-m
R2(config)#crypto ipsec transform-set Prob11 ah-md5-hmac
R2(cfg-crypto-trans)#exit
R2(config)#cry map     ?
  ca Certification authority
  dynamic-map Specify a dynamic crypto map template
  identity Enter a crypto identity list
  ipsec Configure IPSEC policy
  isakmp Configure ISAKMP policy
  key Long term key operations
  keyring Key ring commands
  map Enter a crypto map
  mib Configure Crypto-related MIB Parameters
  xauth X-Auth parameters
R2(config)#cry map ?
  WORD Crypto map tag
R2(config)#cry map Prob11
% Incomplete command.
R2(config)#cry map Prob11 ?
  <1-65535> Sequence to insert into crypto map entry
  client Specify client configuration settings
  isakmp Specify isakmp configuration settings
  isakmp-profile Specify isakmp profile to use
  local-address Interface to use for local address for this crypto map
R2(config)#cry map Prob11 is
R2(config)#cry map Prob11 isakmp ?
  authorization Authorization parameters.
R2(config)#cry map Prob11 isakmp        10 ?
  ipsec-isakmp IPSEC w/ISAKMP
  ipsec-manual IPSEC w/manual keying
R2(config)#cry map Prob11 10 ip
R2(config)#cry map Prob11 10 ipsec-i
R2(config)#cry map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#match ?
  address Match address of packets to encrypt.
R2(config-crypto-map)#match add ?
  <100-199> IP access-list number
  <2000-2699> IP access-list number (expanded range)
  WORD Access-list name
R2(config-crypto-map)#match add 102
R2(config-crypto-map)#set peer 180.40.7.3
R2(config-crypto-map)#set ?
  identity Identity restriction.
  isakmp-profile Specify isakmp Profile
  peer Allowed Encryption/Decryption peer.
  pfs Specify pfs settings
  security-association Security association parameters
  transform-set Specify list of transform sets in priority order
R2(config-crypto-map)#set tra
R2(config-crypto-map)#set transform-set Prob11
R2(config-crypto-map)#int s 1/2
R2(config-if)#cr
R2(config-if)#crypto m
R2(config-if)#crypto map Prob11
R2(config-if)#
Nov 3 23:07:16.444: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#^Z
R2#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#confi gt
^
% Invalid input detected at '^' marker.
R3#confi gt
^
% Invalid input detected at '^' marker.
R3#config t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#cry
R3(config)#crypto ?
  ca Certification authority
  dynamic-map Specify a dynamic crypto map template
  identity Enter a crypto identity list
  ipsec Configure IPSEC policy
  isakmp Configure ISAKMP policy
  key Long term key operations
  keyring Key ring commands
  map Enter a crypto map
  mib Configure Crypto-related MIB Parameters
  xauth X-Auth parameters
R3(config)#crypto i
R3(config)#crypto is
R3(config)#crypto isakmp po
R3(config)#crypto isakmp policy 10
R3(config-isakmp)#authe
R3(config-isakmp)#authentication pr
R3(config-isakmp)#authentication pre-share
R3(config-isakmp)#exit
R3(config)#i cry is
R3(config)#cry isakmp ke
R3(config)#cry isakmp ke  ?
  aggressive-mode Disable ISAKMP aggressive mode
  client Set client configuration policy
  enable Enable ISAKMP
  identity Set the identity which ISAKMP will use
  keepalive Set a keepalive interval for use with IOS peers
  key Set pre-shared key for remote peer
  nat Set a nat keepalive interval for use with IOS peers
  peer Set Peer Policy
  policy Set policy for an ISAKMP protection suite
  profile Define ISAKMP Profiles
  xauth Set Extended Authentication values
R3(config)#cry isakmp kee y ?
  WORD pre-shared key
R3(config)#cry isakmp key cisco ?
  address define shared key with IP address
  hostname define shared key with hostname
R3(config)#cry isakmp key cisco add 180.40.7.2
R3(config)#access-list 102 den ospf na  any any
R3(config)#access-list 102 den ospf any any            udp any anby  y eq ntp
R3(config)#access-list 102 den udp any any eq ntp                      per ip any any
R3(config)#cry ips
R3(config)#cry ipsec tr
R3(config)#cry ipsec transform-set ?
  WORD Transform set tag
R3(config)#cry ipsec transform-set Prob9 ?
  ah-md5-hmac AH-HMAC-MD5 transform
  ah-sha-hmac AH-HMAC-SHA transform
  comp-lzs IP Compression using the LZS compression algorithm
  esp-3des ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes ESP transform using AES cipher
  esp-des ESP transform using DES cipher (56 bits)
  esp-md5-hmac ESP transform using HMAC-MD5 auth
  esp-null ESP transform w/o cipher
  esp-sha-hmac ESP transform using HMAC-SHA auth
R3(config)#cry ipsec transform-set Prob9 ah
R3(config)#cry ipsec transform-set Prob9 ah-m
R3(config)#cry ipsec transform-set Prob9 ah-md5-hmac
R3(cfg-crypto-trans)#exit
R3(config)#cry
R3(config)#crypto m
R3(config)#crypto mp ap
R3(config)#crypto map ?
  WORD Crypto map tag
R3(config)#crypto map Prob9 > ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
R3(config)#crypto map Prob9 10 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
R3(config)#crypto map Prob9 10 ip
R3(config)#crypto map Prob9 10 ipsec-s i
R3(config)#crypto map Prob9 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R3(config-crypto-map)#match add 102
R3(config-crypto-map)#set peer 180.40.7.2
R3(config-crypto-map)#set tra
R3(config-crypto-map)#set transform-set Prob9
R3(config-crypto-map)#int s 1/2
R3(config-if)#cry
R3(config-if)#crypto m
R3(config-if)#crypto map Prob9
R3(config-if)#
Nov 3 23:09:37.047: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-if)#crypto map Prob9
R3(config-if)#
R3(config-if)#
R3(config-if)#
R3(config-if)#
R3(config-if)#
R3(config-if)#^Z
R3#
R3#
R3#
R3#
R3#
Nov 3 23:09:40.950: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ip    cry
R3#sh crypto ip
R3#sh crypto ipsec sa
interface: Serial1/2
    Crypto map tag: Prob9, local addr. 180.40.7.3
    protected vrf:
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer: 180.40.7.2:500
      PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
    path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
 --More--
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
R3# ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/44/45 ms
R3#
R3#
R3#
R3#
R3# ping 180.40.7.2sh crypto ipsec sa
interface: Serial1/2
    Crypto map tag: Prob9, local addr. 180.40.7.3
    protected vrf:
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer: 180.40.7.2:500
      PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 0, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 0, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
    local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
    path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
    current outbound spi: BDCE0E5
    inbound esp sas:
    inbound ah sas:
 --More--
R3#sh crypto ipsec sa
interface: Serial1/2
    Crypto map tag: Prob9, local addr. 180.40.7.3
    protected vrf:
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer: 180.40.7.2:500
      PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 0, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 0, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
    local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
    path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
    current outbound spi: BDCE0E5
    inbound esp sas:
    inbound ah sas:
 --More--
R3#[Ash crypto ipsec sa ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/44 ms
R3#^x
RACK98AS>2
[Resuming connection 2 to r2 ... ]
No
R2#sh run | b cry
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
clock timezone PST -8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
ip tcp intercept list 101
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
!
!
 --More--
R2#sh run | b cryp
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
clock timezone PST -8
no network-clock-participate slot 1
no network-clock-participate wic 0
no aaa new-model
ip subnet-zero
!
!
ip tcp intercept list 101
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
!
!
 --More--
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.3
!
!
crypto ipsec transform-set Prob11 ah-md5-hmac
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.3
 --More--
 set transform-set Prob11
 match address 102
!
!
!
!
interface FastEthernet0/0
 ip address 17.57.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 --More--
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 180.40.7.35 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 203
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.2 255.255.255.224
 clock rate 64000
 crypto map Prob11
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
 --More--
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
no ip http server
no ip http secure-server
!
access-list 100 permit ip any any time-range Prob4
 --More--
access-list 101 permit tcp any 17.57.101.0 0.0.0.255
access-list 102 deny ospf any any
access-list 102 deny udp any any eq ntp
access-list 102 permit ip any any
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class 100 in
 privilege level 15
 no login
!
ntp clock-period 17208072
 --More--
R2#^x3
% Unknown command or computer name, or unable to find computer address
R2#
R2#
RACK98AS>3
[Resuming connection 3 to r3 ... ]
R3#sh run | b crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.2
!
!
crypto ipsec transform-set Prob9 ah-md5-hmac
!
crypto map Prob9 10 ipsec-isakmp
 set peer 180.40.7.2
 set transform-set Prob9
 match address 102
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 --More--
 shutdown
!
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group Prob9 in
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 180.40.7.33 255.255.255.224
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 180.40.7.34 301 broadcast
 frame-relay map ip 180.40.7.35 302 broadcast
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
 crypto map Prob9
!
 --More--
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
 --More--
!
ip classless
!
no ip http server
no ip http secure-server
!
ip access-list extended Prob9
 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
 dynamic Prob9a timeout 60 permit ip any any
 deny ip 180.40.7.128 0.0.0.31 any
 permit ip any any
!
access-list 102 deny ospf any any
access-list 102 deny udp any any eq ntp
access-list 102 permit ip any any
!
!
!
!
!
!
!
!
 --More--
R3#