What about router platforms? Will I have a chance to test it with 1841 or 2800 routers? At least the IPExpert lab gives an example of stateful IPsec HA with 2811 routers.
Eugene
Sent from iPhone

On Jun 22, 2012, at 7:57 PM, "Kingsley Charles" <[email protected]> wrote:

Yes, you need a reload for HA to work.

With regards
Kings

On Sat, Jun 23, 2012 at 12:10 AM, Eugene Pefti <[email protected]> wrote:

Bruno and all,
I have a stupid question to ask. The white paper given below says that IPsec HA is supported only by high-end routers. I didn't have any problem adding all the required commands on an 1841 router, but I didn't test it yet because I still don't understand all the nitty-gritty details about it, specifically about the routers having to be reloaded for the configuration to take effect. Moreover, the configs in this white paper miss the "local-port" statement that should go before "local-ip". I don't know who in their sound mind will remember all the commands required to set up inter-device communication to enable stateful IPsec failover. Hoping that the VPN availability guide is accessible during the lab in case of such a task:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/12-4t/sec-state-fail-ipsec.html
Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Bruno Silva
Sent: Thursday, June 21, 2012 11:12 PM
To: <[email protected]>
Subject: Re: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option

Hi Eugene,
Apart from who wrote the solution for this task, which I think is not the case, I have also come across this task, and for some reason this is not the only wrong thing in it. This is an IPsec HA solution that you're trying to configure, and for some reason the solution not only does not work, it is also confusing in some parts. Since I came across a lot of problems with this solution, this is what helped me a lot:
http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80278edf.html
Hopefully you can find the same help I found in this document.

BR,
Bruno Silva
Sent from my iPad

On 22/06/2012, at 00:27, Mike Rojas <[email protected]> wrote:

Yep,
Anyone who thinks differently is very appreciated...
Mike

________________________________
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
Date: Fri, 22 Jun 2012 03:17:55 +0000

Unfortunately it doesn't make sense to me either, because R2 runs in routed mode. I believe it's just a faulty solution in the first place. I'm not going to point fingers at who the solution provider is, but it's not IPExperts ;)

From: Mike Rojas [mailto:[email protected]]
Sent: Thursday, June 21, 2012 8:13 PM
To: Eugene Pefti; [email protected]
Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option

Hi,
Assuming that router 2 is not in transparent mode, taking it out wouldn't make much difference, because the packet will be routed to the next hop (R2), assuming that there is a route on the HSRP routers for the network of the ASA behind router 2. It would make sense if they were all in the same broadcast domain.
Mike.

________________________________
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option
Date: Fri, 22 Jun 2012 03:05:49 +0000

Hi Mike,
Yes, I'm familiar with it. It's the same as when you say "sysopt noproxyarp" on the ASA. My question is about why you would do it. Can someone give me a good example? I'm doing a task and it asks to configure a peer for a pair of HSRP routers.

I'll have to give a sketch of the topology to make it more or less clear:

R1----+--- R2-----(163.1.132.0)-----ASA-----R6
R3----|

So, to be precise, R1 and R3 should have their IPsec peer set to 163.1.132.113, which is the ASA interface. The solution configures static NAT on R2 binding 163.1.132.113 to the R6 loopback:

ip nat inside source static 6.0.0.1 163.1.132.113 no-alias

If R2 stops responding to ARP requests sent to 163.1.132.113, how will the whole thing work?
Eugene

From: Mike Rojas [mailto:[email protected]]
Sent: Thursday, June 21, 2012 7:54 PM
To: Eugene Pefti; [email protected]
Subject: RE: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option

Hey Eugene,
Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is in the range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore.
Mike

________________________________
From: [email protected]
To: [email protected]
Date: Fri, 22 Jun 2012 02:44:22 +0000
Subject: [OSL | CCIE_Security] Need help understanding "no-alias" NAT option

What are the use cases of this "no-alias" NAT option? All references I found in Cisco docs say little to me. Quoting:

• Autoaliasing of Pool Addresses: Many customers want to configure the NAT software to translate their local addresses to global addresses allocated from unused addresses from an attached subnet. This requires that the router answer ARP requests for those addresses so that packets destined for the global addresses are accepted by the router and translated. (Routing takes care of this packet delivery when the global addresses are allocated from a virtual network which isn't connected to anything.)

When a NAT pool used as an inside global or outside local pool consists of addresses on an attached subnet, the software will generate an alias for that address so that the router will answer ARPs for those addresses. This automatic aliasing also occurs for inside global or outside local addresses in static entries. It can be disabled for static entries by using the "no-alias" keyword:

ip nat inside source static <local-ip-address> <global-ip-address> no-alias

Why would the router NOT reply on behalf of those global addresses?
Eugene

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
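The following IOS configuration is an added example for the two points argued in the thread above; it is not part of any message in the thread nor taken from the Cisco white papers linked there. Part 1 puts the aliased and the no-alias form of the R2 static translation side by side with the commands that show the difference. Part 2 is the stateful IPsec failover configuration for the active router of an HSRP pair, with the inter-device SCTP block laid out so that local-port is entered before local-ip, as Eugene notes the white paper omits. All interface names, addresses (10.0.0.0/24 inside, 192.0.2.0/24 outside, peer 198.51.100.1), HSRP group names, the pre-shared key and the crypto map name are assumptions chosen for the example.

```cisco
! ===== Part 1: R2 static NAT, aliased versus no-alias (addresses from the thread) =====
!
! Default form. Because 163.1.132.113 falls inside a subnet that is attached
! to R2, IOS installs an IP alias for it and R2 answers ARP for 163.1.132.113
! on that interface. Frames for the global address therefore land on R2's MAC
! and are translated to 6.0.0.1.
ip nat inside source static 6.0.0.1 163.1.132.113
!
! no-alias form. The translation entry is identical, but no alias is created
! and R2 stays silent to ARP requests for 163.1.132.113. Hosts on the
! 163.1.132.0 segment can then only reach the global address through R2 if
! something else delivers the frame to R2's MAC (a static ARP entry, or a
! route whose next hop is R2 rather than the address itself). The keyword is
! meant for the case where another device on the segment, here the ASA
! interface, legitimately owns 163.1.132.113 and R2 must not compete for it.
ip nat inside source static 6.0.0.1 163.1.132.113 no-alias
!
! Verification on R2:
!   show ip aliases           alias for 163.1.132.113 present only without no-alias
!   show ip nat translations  the static entry is present in both forms
!   debug arp                 shows whether R2 replies for 163.1.132.113
!
! ===== Part 2: active router of an HSRP pair with stateful IPsec failover =====
! (assumed addresses; the standby router uses the same configuration with
! local-ip 10.0.0.2 / remote-ip 10.0.0.1 and its own interface addresses)
!
! Tie redundancy to the inside HSRP group; this is the group whose state
! decides which router owns the IPsec SAs.
redundancy inter-device
 scheme standby HA-in
!
! Inter-device SCTP channel used to replicate IKE and IPsec SA state.
! Note the nesting: local-port comes first and local-ip sits under it,
! the same for remote-port / remote-ip.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.0.0.1
   remote-port 5000
    remote-ip 10.0.0.2
!
interface FastEthernet0/0
 description inside, carries the inter-device channel
 ip address 10.0.0.1 255.255.255.0
 standby 1 ip 10.0.0.254
 standby 1 name HA-in
 standby 1 preempt
!
interface FastEthernet0/1
 description outside, the HSRP VIP is the IPsec peer address
 ip address 192.0.2.1 255.255.255.0
 standby delay minimum 30 reload 120
 standby 2 ip 192.0.2.254
 standby 2 name HA-out
 standby 2 preempt
 ! "stateful" is what makes the crypto map replicate SAs to the standby.
 crypto map VPN redundancy HA-out stateful
!
! Crypto configuration must be identical on both routers.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key cisco123 address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-ACL
```

As Kings states in the thread, the inter-device configuration takes effect only after a reload, so apply Part 2 to both routers, reload them, and then confirm with `show redundancy inter-device`, `show redundancy states` and `show crypto isakmp sa` on the standby that the replicated SAs appear there.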
