The only time I've seen this is when my class-map type inspect is calling an ACL that does NOT exist. Make sure the ACL name you're referring to is correct. In your snippet it seems to be right, but double-check your config.
On Mon, Oct 10, 2011 at 1:46 PM, <[email protected]> wrote:

> Today's Topics:
>
>    1. Re: uRPF. (Mark Senteza)
>    2. Zone Based Firewalls and full network permits. (Garrett Skjelstad)
>    3. Re: Site to site VPN using CA (waleed ')
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 10 Oct 2011 09:44:38 -0700
> From: Mark Senteza <[email protected]>
> To: Adil Pasha <[email protected]>
> Cc: CCIE Security Maillist <[email protected]>
> Subject: Re: [OSL | CCIE_Security] uRPF.
>
> "ip verify unicast source reachable-via rx" gives you further options, such
> as adding an ACL with specified deny or permit and log for packets that
> fail or pass the uRPF check.
>
> I would always opt for using this syntax, instead of the older one that it's
> replacing.
>
> Mark
>
> On Sun, Oct 9, 2011 at 8:23 AM, Adil Pasha <[email protected]> wrote:
>
> > Guys,
> >
> > Is it a correct answer if I use "ip verify unicast reverse-path" instead
> > of "ip verify unicast source reachable-via rx"???
> >
> > I did some search and found out on Cisco's website that the second
> > command is replacing the legacy "reverse-path".
> >
> > Please shed some light on it.
> >
> > Best Regards.
> > ______________________
> > Adil
>
> ------------------------------
>
> Message: 2
> Date: Mon, 10 Oct 2011 10:43:35 -0700
> From: Garrett Skjelstad <[email protected]>
> To: OSL Security <[email protected]>
> Subject: [OSL | CCIE_Security] Zone Based Firewalls and full network permits.
>
> I'm trying to get a zone based firewall that would permit all protocols,
> from a specific network.
>
> However, when I use the inspect statement, I get an error on the reload that
> it's not valid.
>
> <snip>
> %No specific protocol or access-group configured in class TEST-Outbound-CM
> for inspection. All packets will be dropped
> %No specific protocol or access-group configured in class TEST-Inbound-CM
> for inspection. All packets will be dropped
> </snip>
>
> <pertinent code>
> policy-map type inspect Out-2-In-PM
>  class type inspect TEST-Inbound-CM
>   inspect
>  class class-default
>   drop
>
> zone-pair security outzone-to-inzone source out-zone destination in-zone
>  service-policy type inspect Out-2-In-PM
>
> class-map type inspect match-any TEST-Outbound-CM
>  match access-group name TEST-DestNetworks-ACL
>
> ip access-list extended TEST-DestNetworks-ACL
>  permit ip any 172.30.0.0 0.0.255.255
>  permit ip any 172.31.0.0 0.0.255.255
> </pertinent code>
>
> Am I using the wrong type of class map?
>
> Should I change inspect to be "pass", and that would have it work?
>
> Am I totally barking up the wrong tree?
>
> -Garrett
>
> ------------------------------
>
> Message: 3
> Date: Mon, 10 Oct 2011 17:46:35 +0000
> From: waleed ' <[email protected]>
> To: <[email protected]>, <[email protected]>
> Cc: ccie security <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Site to site VPN using CA
>
> Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
> Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
>
> I think the problem is here, u must authenticate with the CA server R2
> and enroll certificate for ur router too
>
> crypto ca trustpoint R2
>  enrollment url http://{R2 IP address}
> crypto ca authenticate R2
> crypto ca enroll R2
>
> Regards
>
> Date: Mon, 10 Oct 2011 12:48:16 +0530
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Site to site VPN using CA
>
> Hi,
>
> I changed static route as suggested by Piotr. Still packets are not
> encrypting and decrypting. Below is the output:
>
> R3#ping 1.1.1.1 source lo3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> Packet sent with a source address of 3.3.3.3
>
> Oct 10 10:20:27.299: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> Oct 10 10:20:27.307: ISAKMP:(0): SA request profile is (NULL)
> Oct 10 10:20:27.307: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
> Oct 10 10:20:27.307: ISAKMP: New peer created peer = 0x66161B68 peer_handle = 0x80000006
> Oct 10 10:20:27.307: ISAKMP: Locking peer struct 0x66161B68, refcount 1 for isakmp_initiator
> Oct 10 10:20:27.311: ISAKMP: local port 500, remote port 500
> Oct 10 10:20:27.311: ISAKMP: set new node 0 to QM_IDLE
> Oct 10 10:20:27.311: insert sa successfully sa = 66BDF730
> Oct 10 10:20:27.311: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> Oct 10 10:20:27.315: ISAKMP:(0):No pre-shared key with 10.1.1.1!
> Oct 10 10:20:27.315: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-07 ID
> Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-03 ID
> Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-02 ID
> Oct 10 10:20:27.319: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
>
> Oct 10 10:20:27.323: ISAKMP:(0): beginning Main Mode exchange
> Oct 10 10:20:27.323: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
> Oct 10 10:20:27.327: ISAKMP:(0):Sending an IKE IPv4 Packet.
> Oct 10 10:20:27.695: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
> Oct 10 10:20:27.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Oct 10 10:20:27.699: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
>
> Oct 10 10:20:27.707: ISAKMP:(0): processing SA payload. message ID = 0
> Oct 10 10:20:27.707: ISAKMP:(0): processing vendor id payload
> Oct 10 10:20:27.707: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
> Oct 10 10:20:27.707: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
> Oct 10 10:20:27.711: ISAKMP : Scanning profiles for xauth ...
> Oct 10 10:20:27.711: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
> Oct 10 10:20:27.711: ISAKMP:      encryption AES-CBC
> Oct 10 10:20:27.711: ISAKMP:      keylength of 128
> Oct 10 10:20:27.711: ISAKMP:      hash SHA
> Oct 10 10:20:27.715: ISAKMP:      default group 2
> Oct 10 10:20:27.715: ISAKMP:      auth RSA sig
> Oct 10 10:20:27.715: ISAKMP:      life type in seconds
> Oct 10 10:20:27.715: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
> Oct 10 10:20:27.719: ISAKMP:(0):atts are acceptable. Next payload is 0
> Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:actual life: 0
> Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:life: 0
> Oct 10 10:20:27.719: ISAKMP:(0):Fill atts in sa vpi_length:4
> Oct 10 10:20:27.723: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
> Oct 10 10:20:27.723: ISAKMP:(0):Returning Actual lifetime: 86400
> Oct 10 10:20:27.723: ISAKMP:(0)::Started lifetime timer: 86400.
> Oct 10 10:20:27.723: ISAKMP:(0): processing vendor id payload
> Oct 10 10:20:27.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
> Oct 10 10:20:27.727: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
> Oct 10 10:20:27.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Oct 10 10:20:27.727: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2
>
> Oct 10 10:20:27.739: ISAKMP (0:0): constructing CERT_REQ for issuer cn=R2 CA Server,l=London,st=MI
> Oct 10 10:20:27.743: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
> Oct 10 10:20:27.743: ISAKMP:(0):Sending an IKE IPv4 Packet.
> Oct 10 10:20:27.747: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Oct 10 10:20:27.747: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3
>
> Oct 10 10:20:28.239: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
> Oct 10 10:20:28.243: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4
>
> Oct 10 10:20:28.247: ISAKMP:(0): processing KE payload. message ID = 0
> Oct 10 10:20:28.335: ISAKMP:(0): processing NONCE payload. message ID = 0
> Oct 10 10:20:28.339: ISAKMP:(1005): processing CERT_REQ payload. message ID = 0
> Oct 10 10:20:28.339: ISAKMP:(1005): peer wants a CT_X509_SIGNATURE cert
> Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
> Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
> Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
> Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is Unity
> Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
> Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is DPD
> Oct 10 10:20:28.351: ISAKMP:(1005): processing vendor id payload
> Oct 10 10:20:28.351: ISAKMP:(1005): speaking to another IOS box!
> Oct 10 10:20:28.351: ISAKMP:received payload type 20
> Oct 10 10:20:28.351: ISAKMP:received payload type 20
> Oct 10 10:20:28.355: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Oct 10 10:20:28.355: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM4
>
> Oct 10 10:20:28.415: ISAKMP:(1005):Send initial contact
> Oct 10 10:20:28.415: ISAKMP:(1005):Unable to get router cert or router does not have a cert: needed to find DN!
> Oct 10 10:20:28.415: ISAKMP(0:1005): Unable to get our DN from cert, using my FQDN as identity
> Oct 10 10:20:28.419: ISAKMP:(1005):SA is doing RSA signature authentication using id type ID_FQDN
> Oct 10 10:20:28.419: ISAKMP (0:1005): ID payload
>         next-payload : 6
>         type         : 2
>         FQDN name    : R3
>         protocol     : 17
>         port         : 500
>         length       : 10
> Oct 10 10:20:28.423: ISAKMP:(1005):Total payload length: 10
> Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
> Oct 10 10:20:28.423: ISAKMP: set new node 645628590 to QM_IDLE
> Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
>         spi 0, message ID = 645628590
> Oct 10 10:20:28.431: ISAKMP:(1005): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
> Oct 10 10:20:28.431: ISAKMP:(1005):Sending an IKE IPv4 Packet.
> Oct 10 10:20:28.431: ISAKMP:(1005):purging node 645628590
> Oct 10 10:20:28.435: ISAKMP (0:1005): FSM action returned error: 2
> Oct 10 10:20:28.435: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4  New State = IKE_I_MM5
> ..
> Success rate is 0 percent (0/5)
> R3#
> Oct 10 10:20:37.744: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:20:38.136: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:20:38.136: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:20:38.136: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:20:38.140: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:20:48.148: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:20:48.148: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:20:48.148: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:20:48.152: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:20:57.300: IPSEC(key_engine): request timer fired: count = 1,
>   (identity) local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
> Oct 10 10:20:57.304: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> Oct 10 10:20:57.308: ISAKMP: set new node 0 to QM_IDLE
> Oct 10 10:20:57.312: ISAKMP:(1005):SA is still budding. Attached new ipsec request to it. (local 20.1.1.1, remote 10.1.1.1)
> Oct 10 10:20:57.312: ISAKMP: Error while processing SA request: Failed to initialize SA
> Oct 10 10:20:57.312: ISAKMP: Error while processing KMI message 0, error 2.
> Oct 10 10:20:58.152: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:20:58.156: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:20:58.156: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:20:58.156: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:21:08.153: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:21:08.157: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:21:08.157: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:21:08.157: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:21:18.138: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:21:18.138: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:21:18.138: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:21:18.142: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:21:27.302: IPSEC(key_engine): request timer fired: count = 2,
>   (identity) local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
> Oct 10 10:21:42.315: ISAKMP: quick mode timer expired.
> Oct 10 10:21:42.315: ISAKMP:(1005):src 20.1.1.1 dst 10.1.1.1, SA is not authenticated
> Oct 10 10:21:42.315: ISAKMP:(1005):peer does not do paranoid keepalives.
>
> Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
> Oct 10 10:21:42.323: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
> Oct 10 10:21:42.323: ISAKMP: Unlocking peer struct 0x66161B68 for isadb_mark_sa_deleted(), count 0
> Oct 10 10:21:42.327: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66161B68
> Oct 10 10:21:42.327: ISAKMP:(1005):deleting node -723389659 error FALSE reason "IKE deleted"
> Oct 10 10:21:42.327: ISAKMP:(1005):deleting node 467977890 error FALSE reason "IKE deleted"
> Oct 10 10:21:42.331: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Oct 10 10:21:42.331: ISAKMP:(1005):Old State = IKE_I_MM5  New State = IKE_DEST_SA
>
> Oct 10 10:21:42.335: IPSEC(key_engine): got a queue event with 1 KMI message(s)^Z
> R3#un all
>
> On Mon, Oct 10, 2011 at 1:12 AM, Piotr Matusiak <[email protected]> wrote:
>
> Hi,
>
> You have wrong static routes configured on R1 and R3. IP address 1.1.1.1 is
> local on R1, there should be static configured for 3.3.3.3. Same on R3.
>
> Regards,
> Piotr
>
> 2011/10/9 parvez ahmad <[email protected]>
>
> Hi All,
>
> Network Diagram,
>
> lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3
>
> loop2 for NTP Server
>
> I am creating site to site tunnel between R1 and R3 by using CA, but it is
> not working.
> where loop1 and loop3 are the interesting traffic with respected routers. R1
> and R3 are authenticated and enrolled with CA server lo2.
>
> ------------------------------- R1 config -------------------------------
>
> crypto pki trustpoint R3
>  enrollment url http://2.2.2.2:80
>  subject-name CN = R3.cisco.com
>  revocation-check crl
>  rsakeypair R3.cisco.com
> crypto pki certificate chain R3
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   quit
> crypto isakmp policy 10
>  encr aes
>  group 2
> crypto isakmp identity dn
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> !
> crypto map MAP 10 ipsec-isakmp
>  set peer 20.1.1.1
>  set transform-set TSET
>  match address ACS
> !
> !
> !
> ip ssh version 1
> !
> !
> !
> !
> interface Loopback1
>  ip address 1.1.1.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 10.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MAP
> !
> router eigrp 1
>  network 10.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 1.1.1.0 255.255.255.0 10.1.1.2
> !
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended ACS
>  permit ip host 1.1.1.1 host 3.3.3.3
> !
> ntp authentication-key 1 md5 13061E010803 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179880
> ntp server 2.2.2.2
>
> ------------------------------- R2 config -------------------------------
>
> crypto pki server R2
>  database level complete
>  database archive pem password 7 060506324F41584B56
>  issuer-name CN = R2 CA Server,L = London,ST = MI
>  cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
>  database url flash:
> !
> crypto pki trustpoint R2
>  revocation-check crl
>  rsakeypair R2.cisco.com
> !
> crypto pki certificate chain R2
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   quit
> !
> interface FastEthernet0/0
>  ip address 10.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 20.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> router eigrp 1
>  network 2.0.0.0
>  network 10.0.0.0
>  network 20.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> !
> !
> ip http server
> no ip http secure-server
> !
> ntp authentication-key 1 md5 14141B180F0B 7
> ntp authenticate
> ntp trusted-key 1
> ntp source Loopback0
> ntp master 2
>
> ------------------------------- R3 config -------------------------------
>
> crypto pki trustpoint R3
>  enrollment url http://2.2.2.2:80
>  subject-name CN = R3.cisco.com
>  revocation-check crl
>  rsakeypair R3.cisco.com
> crypto pki certificate chain R3
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>   4B201CC6 E7
>   quit
> crypto isakmp policy 10
>  encr aes
>  group 2
> crypto isakmp identity dn
> !
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> !
> crypto map MAP 10 ipsec-isakmp
>  set peer 10.1.1.1
>  set transform-set TSET
>  match address ACS
> !
> interface Loopback3
>  ip address 3.3.3.3 255.255.255.0
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 20.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MAP
> !
> router eigrp 1
>  network 20.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 3.3.3.0 255.255.255.0 20.1.1.2
> !
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended ACS
>  permit ip host 3.3.3.3 host 1.1.1.1
> !
> ntp authentication-key 1 md5 00071A150754 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179821
> ntp server 2.2.2.2
> !
>
> ------------------------------
>
> End of CCIE_Security Digest, Vol 64, Issue 24
> *********************************************
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
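Added example, not from the thread or any of its posters: a small Python lint over the class-map/policy-map/ACL fragment Garrett quoted, checking the two dangling references the reply above points at (a class-map that calls an ACL that does not exist, and a policy-map class that names a class-map that was never defined, which is what produces the "No specific protocol or access-group configured" message at reload). The sample config is constructed from the snippet in the thread; the function names are my own.

```python
import re

# Constructed sample: Garrett's class-map/policy-map/ACL fragment, laid out as
# an IOS running-config excerpt (not a dump from a real device).
SAMPLE_CONFIG = """\
policy-map type inspect Out-2-In-PM
 class type inspect TEST-Inbound-CM
  inspect
 class class-default
  drop
!
zone-pair security outzone-to-inzone source out-zone destination in-zone
 service-policy type inspect Out-2-In-PM
!
class-map type inspect match-any TEST-Outbound-CM
 match access-group name TEST-DestNetworks-ACL
!
ip access-list extended TEST-DestNetworks-ACL
 permit ip any 172.30.0.0 0.0.255.255
 permit ip any 172.31.0.0 0.0.255.255
"""


def parse_blocks(text):
    """Split an IOS config into top-level blocks: header line -> child lines.
    Indented lines belong to the preceding header; '!' and blanks are skipped."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def lint_zbf(text):
    """Return human-readable findings for dangling ZBF references."""
    blocks = parse_blocks(text)
    acls = {h.split()[-1] for h in blocks if h.startswith("ip access-list ")}
    class_maps = {}
    for header, body in blocks.items():
        m = re.match(r"class-map type inspect (?:match-(?:any|all) )?(\S+)$", header)
        if m:
            class_maps[m.group(1)] = body
    findings = []
    for name, body in class_maps.items():
        matches = [line for line in body if line.startswith("match ")]
        if not matches:  # IOS: "No specific protocol or access-group configured"
            findings.append(f"class-map {name} has no match statement")
        for line in matches:
            m = re.match(r"match access-group name (\S+)$", line)
            if m and m.group(1) not in acls:
                findings.append(f"class-map {name} references undefined ACL {m.group(1)}")
    for header, body in blocks.items():
        if header.startswith("policy-map type inspect "):
            pmap = header.split()[-1]
            for line in body:
                m = re.match(r"class type inspect (\S+)$", line)
                if m and m.group(1) not in class_maps:
                    findings.append(f"policy-map {pmap} references undefined class-map {m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in lint_zbf(SAMPLE_CONFIG):
        print(finding)
```

On the sample it reports that Out-2-In-PM calls TEST-Inbound-CM while only TEST-Outbound-CM is defined; the same check catches a mistyped ACL name under `match access-group name`.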
