Had a small glitch today in a Cisco router config that I had to figure out.  The main router had a couple static translations of public IPs to privates for incoming connections to go directly to internal servers, as well as for outgoing connections from those servers to be translated as well.

Problem was, outgoing connections were also being translated for those servers when the connections were going to Cisco VPN clients.

The fix I ended up with was one we’d used before – apply a route-map to the internal interface, directing all the traffic destined for the VPN client to a loopback interface without the “nat inside” statement, effectively causing the packets to skip the NAT process entirely.

I wonder, though, if there might not be a cleaner solution.  After all the normal NAT overload command allows for a route-map to specify what traffic to translate and what traffic to pass untranslated, why not the static NAT commands?

I’m not sure if I’ll get a chance to research this anytime soon, but if I do, I’ll be sure to post what I find.
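Here is what the loopback workaround described above looks like as a complete fragment. This is an added example, not the config from the post: the addresses (inside LAN 192.168.10.0/24, server 192.168.10.10 mapped to 203.0.113.10, VPN client pool 10.10.10.0/24), the interface names and the ACL/route-map names are all assumptions made for illustration. It relies on the IOS order of operations for inside-to-outside traffic, where policy routing runs before NAT: a packet policy-routed to a loopback that has no "ip nat inside" re-enters routing from a non-NAT interface, so the static translation is never applied.

```cisco
! Added example (not the page's own config). Addresses, interface names,
! the VPN pool and the ACL/route-map names are assumed for illustration.
!
! Static translation: 192.168.10.10 is reachable from the Internet as
! 203.0.113.10, and is sourced as 203.0.113.10 when it connects outbound.
ip nat inside source static 192.168.10.10 203.0.113.10
!
! Address pool handed to Cisco VPN clients (assumed pool name and range).
ip local pool VPNPOOL 10.10.10.1 10.10.10.254
!
! Loopback WITHOUT "ip nat inside": anything policy-routed here re-enters
! the routing path from a non-NAT interface, so the translation is skipped.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
! Only traffic from the inside LAN to the VPN client pool is exempted;
! keep this ACL tight so Internet-bound server traffic is still translated.
ip access-list extended TO-VPN-CLIENTS
 permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
route-map BYPASS-NAT permit 10
 match ip address TO-VPN-CLIENTS
 set interface Loopback0
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip policy route-map BYPASS-NAT
!
interface FastEthernet0/1
 description Internet / VPN termination
 ip address 203.0.113.1 255.255.255.248
 ip nat outside
```

To confirm it is doing what you expect, generate traffic from the server to a connected VPN client and check that the policy-routing match counter in "show route-map BYPASS-NAT" increments while "show ip nat translations" shows no entry with a 10.10.10.x destination. If the ACL is broader than the VPN pool, traffic you intended to translate will also bypass NAT and fail, so the permit line is the part to audit.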

Finally, I took the time to put this together.  This is a quick-and-dirty guide to replicating a project that I did for someone.  It’s not going to tell you every detail of what to type, but it should get you going in the right direction if you’re needing some guidance.

Tomorrow I’ve got to see if I can dig up an ATA PCMCIA memory card to use with a Cisco 7206VXR I/O controller and NPE-400 engine.  Yeah, it’s getting kinda long in the tooth, but it’s a pretty good solution for aggregating data T1s into the network.  Michael and I are part of a data center move, and as we near the end of the move, data T1s are last to go.  I’ve managed to swing replacing the PA-8T serials with PA-MC-8T1/E1 cards, so we’ll be able to get rid of the external CSU/DSU shelf.  Saves rack space, power, and makes things easier to configure and maintain.

Anyway, I was configuring a spare 7206 for the new data center to move the T1s over onto, and realized the ATA PCMCIA flash card was a sad 16MB.  Can’t get a very recent IOS onto a 16MB card.  So, I’ve got to dig around and see if I can find a larger one.  I have plenty of Compact Flash cards from different things, but ATA PCMCIA might be a little hard to come by without just buying a new one.

Found out a surprising limitation today on the Cisco ASA5505.  Apparently you cannot have more than 1 subnet assigned to a VLAN.  For instance, if a company is using 192.168.0.0/24 for their servers and 192.168.1.0/24 for their PCs, and they haven’t graduated to the point of managed VLAN-aware switches, there is no way to put both their subnets onto a single ASA interface and route between them.

On a Cisco router, it would be as simple as:

interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ! second subnet on the same interface; the router routes between the two
 ip address 192.168.1.1 255.255.255.0 secondary

The ASA just doesn’t support it, apparently.  I’m not sure what would happen if I put 192.168.0.1/24 on VLAN2 on Ethernet0/1 and 192.168.1.1/24 on VLAN3 on Ethernet0/2 and plugged both of them into the unmanaged switch network.  Of course, that brings its own challenges due to the 3-VLAN limitation on the base license, etc.

Luckily, in the application I was configuring it for, I found out that the company could easily drop the second subnet and simplify things a lot.

This has come up a few times lately in my line of work – the need to set up and allow Cisco VPN client software to connect to the customer’s router, and pass all Internet traffic through that router and back out.

Sometimes things go right for a change. I finally got my dual-ISP single-hub DMVPN with mGRE, ipsec and EIGRP working.  I may have to do some tuning of the failover to smooth things out, but it’s working, and that’s what’s important.  I can kill the primary ISP connection and after a short delay of 20 [...]

I think I might have found a new Cisco bug!  I found out that the current 12.4(23) Advanced IP Services image will not boot correctly on a new 3845 router.  It dies with a bus error and tries again several times, only to finally end up in rommon mode because it can’t boot. I reverted [...]

Here’s a neat trick that I found. Many Cisco-savvy techs through the years have known that it’s very handy to use a 2511 as a serial terminal server.  Hook up both breakout cables and you can have serial console access to up to 16 other Cisco devices.  For a remote data center, this can come [...]

Well, it’s been a week for Cisco bugs.  A couple ASA5510s that I manage succumbed to a bug that causes a gradual performance decrease until they are no longer usable or accessible remotely.  Luckily it was a known bug that was fixed in a newer firmware version.  A quick upgrade after-hours and things are up [...]

I’m kind of a geek at heart, so years ago when I found out about OpenWRT, I had to use it somewhere, anywhere.  OpenWRT is an open-source third-party operating system built to run on consumer-grade broadband routers like the Linksys WRT54G wireless router.  If you’ve got some tech skills, it’s not too difficult to hack [...]

© 2010 Virtual Adept