=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2007.02.02 09:08:04 =~=~=~=~=~=~=~=~=~=~=~=
sh clock
.22:35:57.135 UTC Sun Mar 7 1993
R4#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#ntp ser 192.10.32.254
R4(config)#do sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.10.32.254    0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#do sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.10.32.254    0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#do sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~192.10.32.254    0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#do sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.10.32.254    127.127.7.1       4     0    64    1     5.2   -1.45  15875.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R4(config)#
R4(config)#
R4(config)#
R4(config)#do sh clock
22:36:29.055 UTC Sun Mar 7 1993
R4(config)#ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
R4(config)#ntp au
R4(config)#ntp authenticati
R4(config)#ntp authentication-key ?
  <1-4294967295>  Key number
R4(config)#ntp authentication-key 1 > ?
  md5  MD5 authentication
R4(config)#ntp authentication-key 1 m
R4(config)#ntp authentication-key 1 md5 ?
  WORD  Authentication key
R4(config)#ntp authentication-key 1 md5 MyTime
R4(config)#^Z
R4#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ntp auth
R3(config)#ntp authenticatio
R3(config)#ntp authentication-key 1 m
R3(config)#ntp authentication-key 1 md5 MyTime
R3(config)#net    top  p saer   er 180.40.7. \                 do sh clock
*02:19:25.043 UTC Mon Mar 1 1993
R3(config)#ntp ser 180.40.7.98 ?
  key      Configure peer authentication key
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp ser 180.40.7.98 ke
R3(config)#ntp ser 180.40.7.98 key ?
  <0-4294967295>  Peer key number
R3(config)#ntp ser 180.40.7.98 key 1 ?
  prefer   Prefer this peer when possible
  source   Interface for source address
  version  Configure NTP version
R3(config)#ntp ser 180.40.7.98 key 1
R3(config)#^Z
R3#sh
*Mar 1 02:19:43.349: %SYS-5-CONFIG_I: Configured from console by console
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
 ~180.40.7.98      0.0.0.0          16     -    64    0     0.0    0.00  16000.
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#sh ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
*~180.40.7.98      192.10.32.254     5     0    64    7     4.1   -0.01  3875.0
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
R3#
R3#
R3#sh clock
22:38:22.421 UTC Sun Mar 7 1993
R3#
R3#
R3#sh ntp ass
R3#sh ntp associations ?
  detail  Show detail
  |       Output modifiers
R3#sh ntp associations de
R3#sh ntp associations detail
180.40.7.98 configured, authenticated, our_master, sane, valid, stratum 5
ref ID 192.10.32.254, time AF44F7B3.C5B20136 (22:37:39.772 UTC Sun Mar 7 1993)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 5.16 msec, root disp 1.51, reach 377, sync dist 6.271
delay 4.14 msec, offset 0.2511 msec, dispersion 0.12
precision 2**18, version 3
org time AF44F7E0.7F0D3F69 (22:38:24.496 UTC Sun Mar 7 1993)
rcv time AF44F7E0.7F84ADB9 (22:38:24.498 UTC Sun Mar 7 1993)
xmt time AF44F7E0.7E579484 (22:38:24.493 UTC Sun Mar 7 1993)
filtdelay =  4.14 4.15 4.24 4.14 4.04 4.20 4.24 4.23
filtoffset = 0.25 0.12 0.10 0.22 0.14 0.11 -0.06 0.08
filterror =  0.02 0.03 0.05 0.06 0.08 0.09 0.11 0.12
R3#sh ntp associations detail                     ?
  associations  NTP associations
  status        NTP status
R3#sh ntp        sh run | i ntp
ntp authentication-key 1 md5 143A0B3F05092F 7
ntp server 180.40.7.98 key 1
R3#^x4
% Unknown command or computer name, or unable to find computer address
R3#
R3#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
M
R4#sh run | i ntp
ntp authentication-key 1 md5 0961573D100812 7
ntp clock-period 17179867
ntp server 192.10.32.254
R4#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#access-list 10 0  0 per ip 17.0.0.0 0.255.255.255
% Incomplete command.
R4(config)#access-list 100 per ip 17.0.0.0 0.255.255.255  any
R4(config)#access-list 100 per ip 17.0.0.0 0.255.255.255 any55.255 any 55.255 any 5.255 any 5.255 any 55.255 any 055.255 any0.55.255 any255.255 any.0.0.0 0.0.255.255 any 8.0.0.0 0.0.255.255 any0.0.0.0 0.0.255.255 any.040.0.0 0.0.255.255 any
R4(config)#ip in
R4(config)#ip inspect ?
  alert-off       Disable alert
  audit-trail     Enable the logging of session information (addresses and bytes)
  dns-timeout     Specify timeout for DNS
  hashtable-size  Specify size of hashtable
  max-incomplete  Specify maximum number of incomplete connections before clamping
  name            Specify an inspection rule
  one-minute      Specify one-minute-sample watermarks for clamping
  tcp             Config timeout values for tcp connections
  udp             Config timeout values for udp flows
R4(config)#ip inspect name Prob2 ?
  cuseeme      CUSeeMe Protocol
  fragment     IP fragment inspection
  ftp          File Transfer Protocol
  h323         H.323 Protocol (e.g, MS NetMeeting, Intel Video Phone)
  http         HTTP Protocol
  icmp         ICMP Protocol
  netshow      Microsoft NetShow Protocol
  rcmd         R commands (r-exec, r-login, r-sh)
  realaudio    Real Audio Protocol
  rpc          Remote Prodedure Call Protocol
  rtsp         Real Time Streaming Protocol
  sip          SIP Protocol
  skinny       Skinny Client Control Protocol
  smtp         Simple Mail Transfer Protocol
  sqlnet       SQL Net Protocol
  streamworks  StreamWorks Protocol
  tcp          Transmission Control Protocol
  tftp         TFTP Protocol
  udp          User Datagram Protocol
  vdolive      VDOLive Protocol
R4(config)#ip inspect name Prob2 tcp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 tcp
R4(config)#ip inspect name Prob2 tcp     udp ?
  alert        Turn on/off alert
  audit-trail  Turn on/off audit trail
  timeout      Specify the inactivity timeout time
R4(config)#ip inspect name Prob2 udp
R4(config)#ip inspect name Prob2 udp     he 3
R4(config)#ip inspect name Prob2 h323
R4(config)#ip access-list ex Prov  ob2
R4(config-ext-nacl)#per udp any any eq ntp
R4(config-ext-nacl)#den ip any any log
R4(config-ext-nacl)#int at,m   m  m 1/0
R4(config-if)#ip
R4(config-if)#ip acc
R4(config-if)#ip access
R4(config-if)#ip access-group Prob2 in
R4(config-if)#ip access-lit
R4(config-if)#ip access-group 10 ou   0 out
R4(config-if)#ip in
R4(config-if)#ip insp
R4(config-if)#ip inspect Prob2 out
R4(config-if)#^Z
R4#sh run int
Mar 7 22:43:57.137: %SYS-5-CONFIG_I: Configured from console by console
R4#sh run int atm 1/0
Building configuration...
Current configuration : 227 bytes
!
interface ATM1/0
 ip address 192.10.32.11 255.255.255.0
 ip access-group Prob2 in
 ip access-group 100 out
 ip nat outside
 ip inspect Prob2 out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
end
R4#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#18 92.10.32.254
Trying 192.10.32.254 ...
% Destination unreachable; gateway or host down
R3#do sh ip route
   ^
% Invalid input detected at '^' marker.
R3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     17.0.0.0/24 is subnetted, 2 subnets
O       17.57.100.0 [110/791] via 180.40.7.34, 02:24:22, Serial1/0
O       17.57.101.0 [110/782] via 180.40.7.2, 02:24:22, Serial1/2
                    [110/782] via 180.40.7.35, 02:24:22, Serial1/0
O    192.10.32.0/24 [110/3] via 180.40.7.130, 02:24:22, FastEthernet0/1
     180.40.0.0/16 is variably subnetted, 6 subnets, 2 masks
C       180.40.7.128/27 is directly connected, FastEthernet0/1
C       180.40.7.0/27 is directly connected, Serial1/2
O       180.40.7.35/32 [110/781] via 180.40.7.2, 02:24:23, Serial1/2
                       [110/781] via 180.40.7.35, 02:24:23, Serial1/0
O       180.40.7.34/32 [110/781] via 180.40.7.34, 02:24:23, Serial1/0
C       180.40.7.32/27 is directly connected, Serial1/0
O       180.40.7.96/27 [110/2] via 180.40.7.130, 02:24:23, FastEthernet0/1
R3#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
R4#192.10.32.254
Trying 192.10.32.254 ...
Mar 7 22:44:44.901: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(23) -> 192.10.32.11(56585), 1 packet
% Connection reset by user
R4#disc
% No current connection
R4#sh run | ip
Mar 7 22:45:08.249: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(52022) -> 192.10.32.11(179), 1 packet
R4#sh run | ip
             ^
% Invalid input detected at '^' marker.
R4#sh run | ip bip  ip
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip inspect name Prob2 tcp
ip inspect name Prob2 udp
ip inspect name Prob2 h323
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
--More--
!
!
!
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.11 255.255.255.0
 ip access-group Prob2 in
 ip access-group 100 out
 ip nat outside
 ip inspect Prob2 out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
--More--
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Prob2
 permit udp any any eq ntp
 deny ip any any log
access-list 100 permit ip 17.0.0.0 0.255.255.255 any
access-list 100 permit ip 180.40.0.0 0.0.255.255 any
!
!
!
!
!
--More--
R4#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#sh ip routedo sh ip route192.10.32.254
Trying 192.10.32.254 ...
% Destination unreachable; gateway or host down
R3#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
R4#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int atm 1/0
R4(config-if)#no ip acces
R4(config-if)#no ip access-group 100 out
R4(config-if)#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
CR1>
CR1>
CR1>
RACK11AS>4
[Resuming connection 4 to r4 ... ]
Mar
R4(config-if)#int fa 0/0
R4(config-if)#int fa 0/0no ip access-group 100 out   inno ip access-group 100 in ip access-group 100 in ip access-group 100 in
R4(config-if)#^Z
R4#sh
Mar 7 22:46:49.789: %SYS-5-CONFIG_I: Configured from console by console
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (3 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit ip 17.0.0.0 0.255.255.255 any
    20 permit ip 180.40.0.0 0.0.255.255 any
Extended IP access list Prob2
       permit tcp host 192.10.32.254 eq telnet host 192.10.32.11 eq 12656 (14 matches)
    10 permit udp any any eq ntp (9 matches)
    20 deny ip any any log (5 matches)
R4#
Mar 7 22:47:08.257: %SEC-6-IPACCESSLOGP: list Prob2 denied tcp 192.10.32.254(52034) -> 192.10.32.11(179), 1 packet
R4#
R4#
R4#
R4#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
CR1>
CR1>
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#192.10.32.254
Trying 192.10.32.254 ... Open
CR1>
CR1>
CR1>q
[Connection to 192.10.32.254 closed by foreign host]
R3#
R3#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
R4#sh run | b ip
ip subnet-zero
!
!
ip cef
no ip domain lookup
!
ip inspect name Prob2 tcp
ip inspect name Prob2 udp
ip inspect name Prob2 h323
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
--More--
!
!
!
!
interface FastEthernet0/0
 ip address 180.40.7.98 255.255.255.224
 ip access-group 100 in
 ip nat inside
 duplex auto
 speed auto
!
interface ATM1/0
 ip address 192.10.32.11 255.255.255.0
 ip access-group Prob2 in
 ip nat outside
 ip inspect Prob2 out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
--More--
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Prob2
 permit udp any any eq ntp
 deny ip any any log
access-list 100 permit ip 17.0.0.0 0.255.255.255 any
access-list 100 permit ip 180.40.0.0 0.0.255.255 any
!
!
!
!
!
--More--
R4#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
R1#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#privi
R1(config)#privilege ?
  aaa-user                 AAA user definition
  accept-dialin            VPDN group accept dialin configuration mode
  accept-dialout           VPDN group accept dialout configuration mode
  address-family           Address Family configuration mode
  aic                      Alarm Interface Card configuration mode
  alps-ascu                ALPS ASCU configuration mode
  alps-circuit             ALPS circuit configuration mode
  bba-group                BBA Group configuration mode
  boomerang                Boomerang configuration mode
  cascustom                Cas custom configuration mode
  cause-code-list          Voice Cause Code List configuration mode
  ces-conn                 CES connection configuration mode
  ces-vc                   CES VC configuration mode
  cgma_agent               CGMA Agent Configuration Mode
  cm-fallback              cm-fallback configuration mode
  cns-connect-config       CNS Connect Info Mode
  cns-connect-intf-config  CNS Connect Intf Info Mode
  cns-tmpl-connect-config  CNS Template Connect Info Mode
  cns_inventory_submode    CNS Inventory SubMode
  config-rtr-http-rr       RTR HTTP raw request Configuration
  configure                Global configuration mode
  congestion               Frame Relay congestion configuration mode
--More--
R1(config)#privilege exec
R1(config)#privilege exec ?
  all    All suboption will be set to the samelevel
  level  Set privilege level of command
  reset  Reset privilege level of command
R1(config)#privilege exec lvel     evel 1 ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege exec level 1 config t
R1(config)#privilege exec level 1 config t        sh run
R1(config)#privilege exec level 1 sh run      ?
  LINE  Initial keywords of the command to modify
R1(config)#privilege exec level 1                        snm
R1(config)#snmp?
snmp snmp-server
R1(config)#snmp-
R1(config)#snmp-server ?
  chassis-id        String to uniquely identify this chassis
  community         Enable SNMP; set community string and access privs
  contact           Text for mib object sysContact
  drop              Silently drop SNMP packets
  enable            Enable SNMP Traps or Informs
  engineID          Configure a local or remote SNMPv3 engineID
  group             Define a User Security Model group
  host              Specify hosts to receive SNMP notifications
  ifindex           Enable ifindex persistence
  inform            Configure SNMP Informs options
  location          Text for mib object sysLocation
  manager           Modify SNMP manager parameters
  packetsize        Largest SNMP packet size
  queue-length      Message queue length for each TRAP host
  source-interface  Assign an source interface
  system-shutdown   Enable use of the SNMP reload command
  tftp-server-list  Limit TFTP servers used via SNMP
  trap              SNMP trap options
  trap-source       Assign an interface for the source address of all traps
  trap-timeout      Set timeout for TRAP message retransmissions
  user              Define a user who can access the SNMP engine
  view              Define an SNMPv2 MIB view
--More--
R1(config)#snmp-server comm
R1(config)#snmp-server community ?
  WORD  SNMP community string
R1(config)#snmp-server community
% Incomplete command.
R1(config)#snmp-server community                       privi
R1(config)#privilege configure level 1 snmp-server community
R1(config)#user JoeUser pass cisco
R1(config)#line vty 0 4
R1(config-line)#login local
R1(config-line)#
RACK11AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
User Access Verification
Username: JoeUser
Password:
R1>sh run
Building configuration...
Current configuration : 53 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
end
R1>
R1>
R1>
R1>
R1>confi t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)>?
Configure commands:
  atm          Enable ATM SLM Statistics
  call         Configure Call parameters
  default      Set a command to its defaults
  end          Exit from configure mode
  exit         Exit from configure mode
  help         Description of the interactive help system
  no           Negate a command or set its defaults
  snmp-server  Modify SNMP engine parameters
R1(config)>snmp-server ?
  community  Enable SNMP; set community string and access privs
R1(config)>snmp-server com
R1(config)>snmp-server community ?
  WORD  SNMP community string
R1(config)>snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
R1(config)>snmp-server community test
R1(config)>end
R1>sh run
Building configuration...
Current configuration : 83 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
snmp-server community test RO
!
end
R1>q q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
*M
R1(config-line)#login localine vty 0 4user JoeUser pass ciscoprivilege configure level 1 snmp-server community WORD rw
R1(config)#privilege configure level 1 snmp-server community WORD rw
R1(config)#
RACK11AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
User Access Verification
Username: JoeUser
Password:
R1>confi t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)>snm
R1(config)>snmp-server xc  o com
R1(config)>snmp-server community test ?
  <1-99>       Std IP accesslist allowing access with this community string
  <1300-1999>  Expanded IP accesslist allowing access with this community string
  rw           Read-write access with this community string
R1(config)>snmp-server community test rw
R1(config)>end
R1>q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
*Ma
R1(config)#^Z
R1#sh run |
*Mar 1 02:36:33.618: %SYS-5-CONFIG_I: Configured from console by console
R1#sh run | b privi
privilege configure level 1 snmp-server community
privilege configure level 1 snmp-server
privilege exec level 1 configure terminal
privilege exec level 1 configure
privilege exec level 1 show running-config
privilege exec level 1 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
!
end
R1#sh run | b user
username JoeUser password 0 cisco
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
--More--
R1#
RACK11AS>2
[Resuming connection 2 to r2 ... ]
R2#conbfi t
      ^
% Invalid input detected at '^' marker.
R2#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#tim
R2(config)#time-range ?
  WORD  Time range name
R2(config)#time-range Prob4
R2(config-time-range)#per
R2(config-time-range)#periodic ?
  Friday     Friday
  Monday     Monday
  Saturday   Saturday
  Sunday     Sunday
  Thursday   Thursday
  Tuesday    Tuesday
  Wednesday  Wednesday
  daily      Every day of the week
  weekdays   Monday thru Friday
  weekend    Saturday and Sunday
R2(config-time-range)#periodic weekday
% Incomplete command.
R2(config-time-range)#periodic weekday ?
  hh:mm  Starting time
R2(config-time-range)#periodic weekday 8:00 to ?
  hh:mm  Ending time - stays valid until beginning of next minute
R2(config-time-range)#periodic weekday 8:00 to 17:00 ?
R2(config-time-range)#periodic weekday 8:00 to 17:00
R2(config-time-range)#exit
R2(config)#ip access-list ex Prob4
R2(config-ext-nacl)#per ip any any tim
R2(config-ext-nacl)#per ip any any time-range Prob4
R2(config-ext-nacl)#exit
R2(config)#line vty 0 4
R2(config-line)#acc
R2(config-line)#access-class ?
  <1-199>      IP access list
  <1300-2699>  IP expanded access list
  WORD         Access-list name
R2(config-line)#access-class Prob4 in
R2(config-line)#^Z
R2#sh acces
*Mar 1 02:39:40.672: %SYS-5-CONFIG_I: Configured from console by console
R2#sh access-list
Extended IP access list Prob4
    10 permit ip any any time-range Prob4 (inactive)
R2#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#180.40.7.2
Trying 180.40.7.2 ...
% Connection refused by remote host
R3#
RACK11AS>2
[Resuming connection 2 to r2 ... ]
R2#clock set 12 3:24:00 ?
  <1-31>  Day of the month
  MONTH   Month of the year
R2#clock set 13:24:00 2 feb 2007
R2#clock set 13:24:00 2 feb 2007sh access-list
Extended IP access list Prob4
    10 permit ip any any time-range Prob4 (active)
R2#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#180.40.7.2
Trying 180.40.7.2 ... Open
R2#q
[Connection to 180.40.7.2 closed by foreign host]
R3#
R3#
RACK11AS>2
[Resuming connection 2 to r2 ... ]
R2#sg ru n      h run | b ip access
ip access-list extended Prob4
 permit ip any any time-range Prob4
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class Prob4 in
 privilege level 15
 no login
!
time-range Prob4
 periodic weekdays 8:00 to 17:00
--More--
!
!
end
R2#^x4
% Unknown command or computer name, or unable to find computer address
R2#
R2#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
Ma
R4#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int at,   m 1/0
R4(config-if)#do sh run int atm 1/0
Building configuration...
Current configuration : 202 bytes
!
interface ATM1/0
 ip address 192.10.32.11 255.255.255.0
 ip access-group Prob2 in
 ip nat outside
 ip inspect Prob2 out
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
end
R4(config-if)#no ip access-group Prob2 in
R4(config-if)#m no ip inspect Prob2 out
R4(config-if)#exit
R4(config)#ip access-l list ex out
% % Invalid access list name.
R4(config)#ip access-list ex out   Prob5  out
R4(config-ext-nacl)#per ip any any ref
R4(config-ext-nacl)#per ip any any reflect Prob5
R4(config-ext-nacl)#ei xit
R4(config)#exitper ip any any reflect Prob5ip access-list ex Prob5out    in
R4(config-ext-nacl)#per udp n anyt    any eq ntp
R4(config-ext-nacl)#ev
R4(config-ext-nacl)#evaluate ?
  WORD  IP reflexive access list name
R4(config-ext-nacl)#evaluate P Prob5
R4(config-ext-nacl)#den ip any any log
R4(config-ext-nacl)#int atm 1/0
R4(config-if)#ip acces
R4(config-if)#ip access-group Prob5out out
R4(config-if)#ip access-group Prob5out out   in
R4(config-if)#^Z
R4#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#180.40.7.292.10.32.25480.40.7.2 92.10.32.254
Trying 192.10.32.254 ... Open
CR1>
CR1>
CR1>
CR1>
RACK11AS>4
[Resuming connection 4 to r4 ... ]
Ma
R4#sh access-list
Standard IP access list IPNAT
    10 permit 180.40.7.0, wildcard bits 0.0.0.255 (5 matches)
    20 permit 17.0.0.0, wildcard bits 0.255.255.255
Extended IP access list 100
    10 permit ip 17.0.0.0 0.255.255.255 any
    20 permit ip 180.40.0.0 0.0.255.255 any (185 matches)
Extended IP access list Prob2
    10 permit udp any any eq ntp (48 matches)
    20 deny ip any any log (12 matches)
Reflexive IP access list Prob5
     permit udp host 192.10.32.11 eq ntp host 192.10.32.254 eq ntp (1 match) (time left 299)
     permit tcp host 192.10.32.11 eq 44779 host 192.10.32.254 eq telnet (27 matches) (time left 294)
     permit tcp host 192.10.32.254 eq telnet host 192.10.32.11 eq 44779 (25 matches) (time left 294)
Extended IP access list Prob5in
    10 permit udp any any eq ntp
    20 evaluate Prob5
    30 deny ip any any log
Extended IP access list Prob5out
    10 permit ip any any reflect Prob5 (53 matches)
R4#sh run | b 1/0
interface ATM1/0
 ip address 192.10.32.11 255.255.255.0
 ip access-group Prob5out in
 ip access-group Prob5out out
 ip nat outside
 no atm ilmi-keepalive
 pvc 0/72
  protocol ip 192.10.32.254 broadcast
 !
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip nat inside source list IPNAT interface ATM1/0 overload
ip http server
no ip http secure-server
ip classless
!
!
!
ip access-list standard IPNAT
 permit 180.40.7.0 0.0.0.255
--More--
 permit 17.0.0.0 0.255.255.255
!
ip access-list extended Prob2
 permit udp any any eq ntp
 deny ip any any log
ip access-list extended Prob5in
 permit udp any any eq ntp
 evaluate Prob5
 deny ip any any log
ip access-list extended Prob5out
 permit ip any any reflect Prob5
access-list 100 permit ip 17.0.0.0 0.255.255.255 any
access-list 100 permit ip 180.40.0.0 0.0.255.255 any
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
--More--
R4#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
R1#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#tac
R1(config)#tacacs-server ?
  administration      Start tacacs+ daemon handling administrative messages
  directed-request    Allow user to specify tacacs server to use with `@server'
  dns-alias-lookup    Enable IP Domain Name System Alias lookup for TACACS servers
  extended            Enable extended TACACS
  host                Specify a TACACS server
  key                 Set TACACS+ encryption key.
  last-resort         Define TACACS action if no server responds
  optional-passwords  The first TACACS request can be made without password verification
  packet              Modify TACACS+ packet options
  retransmit          Search iterations of the TACACS server list
  timeout             Time to wait for a TACACS server to reply
R1(config)#tacacs-server q host ?
  Hostname or A.B.C.D  IP address of TACACS server
R1(config)#tacacs-server host 17.57.100.99 ?
R1(config)#tacacs-server host 17.57.100.99
R1(config)#tacacs-server host 17.57.100.99                   key ?
  0     Specifies an UNENCRYPTED key will follow
  7     Specifies HIDDEN key will follow
  LINE  The UNENCRYPTED (cleartext) shared key
R1(config)#tacacs-server key MyKey
R1(config)#aa
R1(config)#aaa
R1(config)#aaa n
R1(config)#aaa new-model
R1(config)#aaa authen
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username
R1(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
R1(config)#aaa authentication login default ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.
R1(config)#aaa authentication login default none
R1(config)#aaa
R1(config)#aaa authen
R1(config)#aaa authentication login Prob6 ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.
R1(config)#aaa authentication login Prob6 gr
R1(config)#aaa authentication login Prob6 group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
R1(config)#aaa authentication login Prob6 group ta
R1(config)#aaa authentication login Prob6 group tacacs+ lo
R1(config)#aaa authentication login Prob6 group tacacs+ local?
local local-case
R1(config)#aaa authentication login Prob6 group tacacs+ local ?
  enable  Use enable password for authentication.
  group   Use Server-group
  krb5    Use Kerberos 5 authentication.
  line    Use line password for authentication.
  none    NO authentication.
R1(config)#aaa authentication login Prob6 group tacacs+ local
R1(config)#line vty 0 4
R1(config-line)#login authen
R1(config-line)#login authentication Prob6
R1(config-line)#^Z
R1#
RACK11AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
Username: JoeUser
Password:
R1#
R1#
R1#
R1#sh privi
Current privilege level is 15
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
S5#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
*Ma
R1#sh run | b aaa
aaa new-model
!
!
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
--More--
username JoeUser password 0 cisco
!
!
!
!
interface Ethernet0/0
 ip address 17.57.100.1 255.255.255.0
 half-duplex
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 180.40.7.34 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 103
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
--More--
interface Serial0/1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip http server
ip classless
!
!
!
!
tacacs-server host 17.57.100.99
tacacs-server directed-request
tacacs-server key MyKey
snmp-server community test RW
!
!
!
privilege configure level 1 snmp-server community
privilege configure level 1 snmp-server
--More--
privilege exec level 1 configure terminal
privilege exec level 1 configure
privilege exec level 1 show running-config
privilege exec level 1 show
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login authentication Prob6
!
!
end
R1#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aa  a
R1(config)#aaa authe
R1(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  sgbp             Set authentication lists for sgbp.
  username-prompt  Text to use when prompting for a username
R1(config)#aaa authentication pass
R1(config)#aaa authentication password-prompt CCIE Wantabe: "CCIE Wantabe: CCIE Wantabe: "
R1(config)#aaa authentication password-prompt "CCIE Wantabe: "                                u
R1(config)#aaa authentication username-prompt "CCIE Who?
Warning: Assumed end-quote for quoted string
  WORD
R1(config)#aaa authentication username-prompt "CCIE Who?: "
R1(config)#^C ?
Configure commands:
  aaa                       Authentication, Authorization and Accounting.
  aal2-profile              Configure AAL2 profile
  access-list               Add an access list entry
  alarm-interface           Configure a specific Alarm Interface Card
  alias                     Create command alias
  alps                      Configure Airline Protocol Support
  arp                       Set a static ARP entry
  async-bootp               Modify system bootp parameters
  atm                       Enable ATM SLM Statistics
  backhaul-session-manager  Configure Backhaul Session Manager
  banner                    Define a login banner
  bba-group                 Configure BBA Group
  boot                      Modify system boot parameters
  bridge                    Bridge Group.
  bstun                     BSTUN global configuration commands
  buffers                   Adjust system buffer pool parameters
  busy-message              Display message when connection to host fails
  call                      Configure Call parameters
  call-history-mib          Define call history mib parameters
  call-manager-fallback     support call-manager fallback
  carrier-id                Name of the carrier associated with this trunk
R1(config)#? ^Z
R1#
RACK11AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
CCIE Who?: JoeUser
CCIE Wantabe:
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
R1#sh run | b aaa
aaa new-model
!
!
aaa authentication password-prompt "CCIE Wantabe: "
aaa authentication username-prompt "CCIE Who?: "
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
!
!
!
!
!
!
!
R1#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#aaa authen
R1(config)#aaa authentication b
R1(config)#aaa authentication banner ?
  LINE  c message-text c, where 'c' is a delimiting character
R1(config)#ban
R1(config)#banner motd ?
  LINE  c banner-text c, where 'c' is a delimiting character
R1(config)#banner motd #
Enter TEXT message. End with the character '#'.
Keep out You want what???/ Yo momma!!!! #
R1(config)#^Z
R1#
RACK11AS>5
[Resuming connection 5 to r5 ... ]
S5#17.57.100.1
Trying 17.57.100.1 ... Open
Keep out You want what???/ Yo momma!!!!
CCIE Who?: JoeUser
CCIE Wantabe:
R1#q
[Connection to 17.57.100.1 closed by foreign host]
S5#
RACK11AS>1
[Resuming connection 1 to r1 ... ]
R1#sh run | b banner
banner motd ^C Keep out You want what???/ Yo momma!!!! ^C
privilege configure level 1 snmp-server community
privilege configure level 1 snmp-server
privilege exec level 1 configure terminal
privilege exec level 1 configure
privilege exec level 1 show running-config
privilege exec level 1 show
!
line con 0
 exec-timeout 0 0
R1#sh run | b aaa
aaa new-model
!
!
aaa authentication password-prompt "CCIE Wantabe: "
aaa authentication username-prompt "CCIE Who?: "
aaa authentication login default none
aaa authentication login Prob6 group tacacs+ local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip cef
!
!
!
!
!
!
!
!
!
R1#
R1#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip access-list ex Prob9
R3(config-ext-nacl)#d?
default  deny  dynamic
R3(config-ext-nacl)#per ospf any any
R3(config-ext-nacl)#per udp any any eq ntp
R3(config-ext-nacl)#per tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
R3(config-ext-nacl)#dy
R3(config-ext-nacl)#dynamic ?
  WORD  Name of a Dynamic list
R3(config-ext-nacl)#dynamic Prob9 ?
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  permit   Specify packets to forward
  timeout  Maximum time for dynamic ACL to live
R3(config-ext-nacl)#dynamic Prob9 tim
R3(config-ext-nacl)#dynamic Prob9 timeout ?
  <1-9999>  Maximum time to live
R3(config-ext-nacl)#dynamic Prob9 timeout 2 ?
  deny    Specify packets to reject
  exit    Exit from access-list configuration mode
  permit  Specify packets to forward
R3(config-ext-nacl)#dynamic Prob9 timeout ?
  <1-9999>  Maximum time to live
R3(config-ext-nacl)#dynamic Prob9 timeout 60 ?
  deny    Specify packets to reject
  exit    Exit from access-list configuration mode
  permit  Specify packets to forward
R3(config-ext-nacl)#dynamic Prob9 timeout 60 per ip any any ?
  dscp        Match packets with given dscp value
  fragments   Check non-initial fragments
  log         Log matches against this entry
  log-input   Log matches against this entry, including input interface
  precedence  Match packets with given precedence value
  time-range  Specify a time-range
  tos         Match packets with given TOS value
R3(config-ext-nacl)#dynamic Prob9 timeout 60 per ip any any
% An access list with this name already exists
R3(config-ext-nacl)#dynamic Prob9a timeout 60 per ip any any
R3(config-ext-nacl)#deny ip 180.40.7.128 0.0.0.31 any
R3(config-ext-nacl)#per ip any any
R3(config-ext-nacl)#exit
R3(config)#user George pass bosco
R3(config)#user George auto
R3(config)#user George autocommand ?
  LINE  Command to be automatically issued after the user logs in
R3(config)#user George autocommand access-enable time 2
R3(config)#line vty 0 4
R3(config-line)#login local
R3(config-line)#exut
                  ^
% Invalid input detected at '^' marker.
R3(config-line)#exit
R3(config)#^Z
R3#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
R4#p 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/46/48 ms
R4#
RACK11AS>6
[Resuming connection 6 to r6 ... ]
S6#p 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms
S6#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int fa 0/0
R3(config-if)#int fa 0/1
R3(config-if)#ip access
R3(config-if)#ip access-group Prob9 in
R3(config-if)#^Z
R3#
RACK11AS>4
[Resuming connection 4 to r4 ... ]
R4#p 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/47/48 ms
R4#
RACK11AS>6
[Resuming connection 6 to r6 ... ]
S6#p 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
S6#180.40.7.129
Trying 180.40.7.129 ... Open
User Access Verification
Username: George
Password:
[Connection to 180.40.7.129 closed by foreign host]
S6#p 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/44 ms
S6#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#sh access-list
Extended IP access list Prob9
    10 permit ospf any any (3 matches)
    20 permit udp any any eq ntp (3 matches)
    30 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet (90 matches)
    40 Dynamic Prob9a permit ip any any
       permit ip any any (5 matches) (time left 112)
    50 deny ip 180.40.7.128 0.0.0.31 any (11 matches)
    60 permit ip any any (5 matches)
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip access-li ex Prob9
R3(config-ext-nacl)#no 40
R3(config-ext-nacl)#40 dyan
R3(config-ext-nacl)#40 dyna
R3(config-ext-nacl)#40 dynamic ?
  WORD  Name of a Dynamic list
R3(config-ext-nacl)#40 dynamic Prob9a ?
  deny     Specify packets to reject
  exit     Exit from access-list configuration mode
  permit   Specify packets to forward
  timeout  Maximum time for dynamic ACL to live
R3(config-ext-nacl)#40 dynamic Prob9a tim 60 ?
  deny    Specify packets to reject
  exit    Exit from access-list configuration mode
  permit  Specify packets to forward
R3(config-ext-nacl)#40 dynamic Prob9a tim 60 per ip 180.40.7.128 0.0.0.31 any
R3(config-ext-nacl)#^Z
R3#sh run
Mar 7 23:21:05.154: %SYS-5-CONFIG_I: Configured from console by console
R3#sh run | b user
username George password 0 bosco
username George autocommand access-enable time 2
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address 180.40.7.129 255.255.255.224
 ip access-group Prob9 in
 duplex auto
 speed auto
!
interface Serial1/0
 ip address 180.40.7.33 255.255.255.224
 encapsulation frame-relay
 ip ospf network point-to-multipoint
 frame-relay map ip 180.40.7.34 301 broadcast
 frame-relay map ip 180.40.7.35 302 broadcast
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.3 255.255.255.224
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip http server
no ip http secure-server
!
ip access-list extended Prob9
 permit ospf any any
 permit udp any any eq ntp
 permit tcp 180.40.7.128 0.0.0.31 host 180.40.7.129 eq telnet
 dynamic Prob9a timeout 60 permit ip 180.40.7.128 0.0.0.31 any
 deny ip 180.40.7.128 0.0.0.31 any
 permit ip any any
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 login local
!
ntp authentication-key 1 md5 143A0B3F05092F 7
ntp clock-period 17208153
ntp server 180.40.7.98 key 1
!
end
R3#
RACK11AS>2
[Resuming connection 2 to r2 ... ]
R2#config t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip tcp ?
  async-mobility      Configure async-mobility
  chunk-size          TCP chunk size
  intercept           Enable TCP intercepting
  mss                 TCP initial maximum segment size
  path-mtu-discovery  Enable path-MTU discovery on new TCP connections
  queuemax            Maximum queue of outgoing TCP packets
  selective-ack       Enable TCP selective-ACK
  synwait-time        Set time to wait on new TCP connections
  timestamp           Enable TCP timestamp option
  window-size         TCP window size
R2(config)#ip tcp in
R2(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode
R2(config)#ip tcp intercept l
R2(config)#ip tcp intercept list ?
  <100-199>  Extended access list number for intercept
  WORD       Access list name for intercept
R2(config)#ip access-list ex Prob10
R2(config-ext-nacl)#per tcp any 17.57.101.0 0.0.0.255
R2(config-ext-nacl)#exit
R2(config)#ip tcp in
R2(config)#ip tcp intercept ?
  connection-timeout  Specify timeout for connection info
  drop-mode           Specify incomplete connection drop mode
  finrst-timeout      Specify timeout for FIN/RST
  list                Specify access-list to use
  max-incomplete      Specify maximum number of incomplete connections before clamping
  mode                Specify intercepting mode
  one-minute          Specify one-minute-sample watermarks for clamping
  watch-timeout       Specify timeout for incomplete connections in watch mode
R2(config)#ip tcp intercept li
R2(config)#ip tcp intercept list ?
  <100-199>  Extended access list number for intercept
  WORD       Access list name for intercept
R2(config)#ip tcp intercept list Prob10 ?
R2(config)#ip tcp intercept list Prob10
R2(config)#^Z
R2#
Feb 2 13:48:36.296: %SYS-5-CONFIG_I: Configured from console by console
RACK11AS>3
[Resuming connection 3 to r3 ... ]
R3#17.57.101.2
Trying 17.57.101.2 ... Open
S5#
RACK11AS>2
[Resuming connection 2 to r2 ... ]
R2#sh tcp in
R2#sh tcp intercept com
R2#sh tcp intercept com
R2#sh tcp intercept com
R2#sh tcp intercept connections
Incomplete:
Client                Server                State    Create   Timeout  Mode
Established:
Client                Server                State    Create   Timeout  Mode
180.40.7.3:36941      17.57.101.2:23        ESTAB    00:00:09 23:59:50 I
R2#
R2#
R2#
R2#sh run | b tcp
ip tcp intercept list Prob10
!
ip cef
no ip domain lookup
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 17.57.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 180.40.7.35 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 203
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.2 255.255.255.224
 clock rate 64000
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip http server
no ip http secure-server
!
ip access-list extended Prob10
 permit tcp any 17.57.101.0 0.0.0.255
ip access-list extended Prob4
 permit ip any any time-range Prob4
!
!
!
!
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 access-class Prob4 in
 privilege level 15
 no login
!
time-range Prob4
 periodic weekdays 8:00 to 17:00
!
!
end
R2#
R2#
R2#
R2#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#cry
R2(config)#crypto ?
  ca           Certification authority
  dynamic-map  Specify a dynamic crypto map template
  identity     Enter a crypto identity list
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  xauth        X-Auth parameters
R2(config)#crypto i
R2(config)#crypto isa
R2(config)#crypto isakmp po
R2(config)#crypto isakmp policy 10
R2(config-isakmp)#?
ISAKMP commands:
  authentication  Set authentication method for protection suite
  default         Set a command to its defaults
  encryption      Set encryption algorithm for protection suite
  exit            Exit from ISAKMP protection suite configuration mode
  group           Set the Diffie-Hellman group
  hash            Set hash algorithm for protection suite
  lifetime        Set lifetime for ISAKMP security association
  no              Negate a command or set its defaults
R2(config-isakmp)#aut
R2(config-isakmp)#authentication ?
  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature
R2(config-isakmp)#authentication pre
R2(config-isakmp)#authentication pre-share
R2(config-isakmp)#exit
R2(config)#cry
R2(config)#crypto ?
  ca           Certification authority
  dynamic-map  Specify a dynamic crypto map template
  identity     Enter a crypto identity list
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  xauth        X-Auth parameters
R2(config)#crypto ids
R2(config)#crypto isa
R2(config)#crypto isakmp ?
  aggressive-mode  Disable ISAKMP aggressive mode
  client           Set client configuration policy
  enable           Enable ISAKMP
  identity         Set the identity which ISAKMP will use
  keepalive        Set a keepalive interval for use with IOS peers
  key              Set pre-shared key for remote peer
  nat              Set a nat keepalive interval for use with IOS peers
  peer             Set Peer Policy
  policy           Set policy for an ISAKMP protection suite
  profile          Define ISAKMP Profiles
  xauth            Set Extended Authentication values
R2(config)#crypto isakmp key
R2(config)#crypto isakmp key ?
  WORD  pre-shared key
R2(config)#crypto isakmp key cisco ?
  address   define shared key with IP address
  hostname  define shared key with hostname
R2(config)#crypto isakmp key cisco add
R2(config)#crypto isakmp key cisco add ?
  A.B.C.D  Peer IP address
R2(config)#crypto isakmp key cisco add 180.40.7.3 ?
  A.B.C.D   Peer IP subnet mask
  no-xauth  Bypasses XAuth for this peer
R2(config)#crypto isakmp key cisco add 180.40.7.3
R2(config)#ip access-list ex Prob11
R2(config-ext-nacl)#den tcp any any
R2(config-ext-nacl)#den udp any any
R2(config-ext-nacl)#den ospf any any
R2(config-ext-nacl)#per ip any any
R2(config-ext-nacl)#exit
R2(config)#cry
R2(config)#crypto tr
R2(config)#crypto ip
R2(config)#crypto ipsec ?
  client                Configure a client
  df-bit                Handling of encapsulated DF bit.
  fragmentation         Handling of fragmentation of near-MTU sized packets
  nat-transparency      IPsec NAT transparency model
  optional              Enable optional encryption for IPSec
  profile               Configure an ipsec policy profile
  security-association  Security association parameters
  transform-set         Define transform and settings
R2(config)#crypto ipsec tra
R2(config)#crypto ipsec transform-set ?
  WORD  Transform set tag
R2(config)#crypto ipsec transform-set Prob11 ?
  ah-md5-hmac   AH-HMAC-MD5 transform
  ah-sha-hmac   AH-HMAC-SHA transform
  comp-lzs      IP Compression using the LZS compression algorithm
  esp-3des      ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes       ESP transform using AES cipher
  esp-des       ESP transform using DES cipher (56 bits)
  esp-md5-hmac  ESP transform using HMAC-MD5 auth
  esp-null      ESP transform w/o cipher
  esp-sha-hmac  ESP transform using HMAC-SHA auth
R2(config)#crypto ipsec transform-set Prob11 af
R2(config)#crypto ipsec transform-set Prob11 ah
R2(config)#crypto ipsec transform-set Prob11 ah-sh
R2(config)#crypto ipsec transform-set Prob11 ah-sha-hmac
R2(cfg-crypto-trans)#exit
R2(config)#cry
R2(config)#crypto ?
  ca           Certification authority
  dynamic-map  Specify a dynamic crypto map template
  identity     Enter a crypto identity list
  ipsec        Configure IPSEC policy
  isakmp       Configure ISAKMP policy
  key          Long term key operations
  keyring      Key ring commands
  map          Enter a crypto map
  mib          Configure Crypto-related MIB Parameters
  xauth        X-Auth parameters
R2(config)#crypto map ?
  WORD  Crypto map tag
R2(config)#crypto map Prob11 ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
R2(config)#crypto map Prob11 10 ?
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
R2(config)#crypto map Prob11 10 ip
R2(config)#crypto map Prob11 10 ipsec-i
R2(config)#crypto map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R2(config-crypto-map)#
R2(config-crypto-map)#
R2(config-crypto-map)#match ?
  address  Match address of packets to encrypt.
R2(config-crypto-map)#match add ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name
R2(config-crypto-map)#match add Prob11
R2(config-crypto-map)#set peer 180.40.7.3
R2(config-crypto-map)#set traf
R2(config-crypto-map)#set traf
R2(config-crypto-map)#set transform-set Prob11
R2(config-crypto-map)#int s 1/2
R2(config-if)#cry
R2(config-if)#crypto m
R2(config-if)#crypto map Prob11
R2(config-if)#
Feb 2 13:53:42.097: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R2(config-if)#^Z
R2#sh run |
Feb 2 13:53:43.896: %SYS-5-CONFIG_I: Configured from console by console
R2#sh run | b crypto
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key cisco address 180.40.7.3
!
!
crypto ipsec transform-set Prob11 ah-sha-hmac
!
crypto map Prob11 10 ipsec-isakmp
 set peer 180.40.7.3
 set transform-set Prob11
 match address Prob11
!
!
!
!
interface FastEthernet0/0
 ip address 17.57.101.1 255.255.255.0
 duplex auto
 speed auto
!
interface BRI0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 multipoint
 ip address 180.40.7.35 255.255.255.224
 ip ospf network point-to-multipoint
 frame-relay interface-dlci 203
!
interface Serial1/1
 no ip address
 shutdown
!
interface Serial1/2
 ip address 180.40.7.2 255.255.255.224
 clock rate 64000
 crypto map Prob11
!
interface Serial1/3
 no ip address
 shutdown
!
interface Serial1/4
 no ip address
 shutdown
!
interface Serial1/5
 no ip address
 shutdown
!
interface Serial1/6
 no ip address
 shutdown
!
interface Serial1/7
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 0.0.0.0 255.255.255.255 area 0
!
ip classless
!
ip http server
no ip http secure-server
!
ip access-list extended Prob10
 permit tcp any 17.57.101.0 0.0.0.255
ip access-list extended Prob11
 deny tcp any any
 deny udp any any
 deny ospf any any
 permit ip any any
ip access-list extended Prob4
 permit ip any any time-range Prob4
!
!
!
!
!
!
R2#
RACK11AS>3
[Resuming connection 3 to r3 ... ]
S5#
S5#q
[Connection to 17.57.101.2 closed by foreign host]
R3#
R3#confi t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#crypto isakmp policy 10
R3(config-isakmp)# authentication pre-share
R3(config-isakmp)#crypto isakmp key cisco address 180.40.7.2
R3(config)#!
R3(config)#!
R3(config)#crypto ipsec transform-set Prob11 ah-sha-hmac
R3(cfg-crypto-trans)#!
R3(cfg-crypto-trans)#crypto map Prob11 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer and a valid access list have been configured.
R3(config-crypto-map)# set peer 180.40.7.2
R3(config-crypto-map)# set transform-set Prob11
R3(config-crypto-map)# match address Prob11
R3(config-crypto-map)#!
R3(config-crypto-map)#interface Serial1/2
R3(config-if)# crypto map Prob11
R3(config-if)#!
R3(config-if)#ip access-list extended Prob11
R3(config-ext-nacl)# deny tcp any any
R3(config-ext-nacl)# deny udp any any
R3(config-ext-nacl)# deny ospf any any
R3(config-ext-nacl)# permit ip any any
R3(config-ext-nacl)#
Mar 7 23:29:42.382: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
R3(config-ext-nacl)#end
R3#
Mar 7 23:29:54.911: %SYS-5-CONFIG_I: Configured from console by console
R3#ping 180.40.7.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 180.40.7.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/45/48 ms
R3#
R3#
R3#
R3#
R3#sh cry ip
R3#sh cry ipsec sa
interface: Serial1/2
    Crypto map tag: Prob11, local addr. 180.40.7.3
   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 180.40.7.2:500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 4, #pkts encrypt: 0, #pkts digest 4
    #pkts decaps: 4, #pkts decrypt: 0, #pkts verify 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
     local crypto endpt.: 180.40.7.3, remote crypto endpt.: 180.40.7.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial1/2
     current outbound spi: 509D6D1A
     inbound esp sas:
     inbound ah sas:
R3#
R3#sh run |