Most of the time in a small network, the Layer 3 device is used as both the default gateway and the DHCP server, and most of the time we also exclude the gateway's IP address from the DHCP pool. To save one more configuration line, and for the sake of knowledge: the IP address configured on the router interface is automatically excluded from the DHCP address pool :). You still need to exclude any other addresses that the DHCP server should not allocate.


Scenario:

Using Microsoft Windows built in VPN Client to connect to remote PPTP VPN server through Cisco ASA firewall.

Symptom:

Error 619

Solution:

In the ASA firewall, enter the commands below (replace $Inbound_Interface_ACL and $source_ip/network with your own inbound ACL name and the VPN client's source address or network):
ASA-active#conf t
ASA-active(config)#policy-map global_policy
ASA-active(config-pmap)# class inspection_default
ASA-active(config-pmap-c)#inspect pptp
ASA-active(config-pmap-c)#exit
ASA-active(config)#access-list $Inbound_Interface_ACL permit gre $source_ip/network any
ASA-active(config)#access-list $Inbound_Interface_ACL permit tcp $source_ip/network any eq pptp

Common Troubleshooting in Windows VPN Client

1. Open VPN Properties window, go to Security tab.
2. Change “Type of VPN” to PPTP


object-group network og-rfc1918
10.0.0.0 /8
172.16.0.0 /12
192.168.0.0 /16
!
ip access-list extended acl-nat
permit ip object-group og-rfc1918 any
!
route-map rm-site-a
match ip address acl-nat
match interface FastEthernet0/0
!
route-map rm-site-b
match ip address acl-nat
match interface FastEthernet1/0
!
ip nat inside source route-map rm-site-a interface FastEthernet0/0 overload
ip nat inside source route-map rm-site-b interface FastEthernet1/0 overload

This keeps things a bit simpler because the router can rely on the routing table to figure out which NAT table to use based on the destination rather than hard-coding the destination into the ACLs.

Found this article from Cisco Forum. Credits to original author.

Introduction
Network Address Translation is a very common feature used to address some issues and to meet some network requirements, such as overlapping networks and Internet links.

In this small document we will discuss a business requirement example. The main idea behind this example is to demonstrate how to implement and configure NAT on a dual-homed Internet edge router in conjunction with other Cisco IOS advanced features (Policy Based Routing (PBR) and IP SLA).

We will also see how all of the above-mentioned features work together, and how IP SLA acts like a gear in this implementation: it controls the exit path of the traffic by controlling both the default route in the routing table and the PBR decision.

Requirements:
Company XYZ.com has bought a second Internet connection with 1 Mbps in addition to the existing one with 512 Kbps.

  • the requirement is to load share the traffic over those two links
  • web traffic and telnet traffic must use the new ISP link ISP2, and all other traffic must go through the old ISP link ISP1
  • in case any of the above links goes down, all the traffic should use the remaining link

Note:
this example has been configured in a lab environment, and all the private IP addresses used in this document are just for the purpose of this example

[Figure: NAT.jpg, topology diagram of the dual-homed Internet edge router]

Proposed solution:

  • According to the above requirements we will use the Policy Based Routing feature to control LAN traffic going to the Internet and which path it uses.
  • all traffic from the LAN subnet 10.1.1.0/24 destined to tcp 23, 80 and 443 must be routed to the ISP 2 link with next hop 172.16.1.2
  • all other traffic will go through ISP 1 with a next hop of 192.168.1.2
  • as we do not have any subnet or IP range to use over the Internet, we have to use NAT with the overload option, using the Internet interface IP address of each ISP link. For example, traffic going through ISP 1 will be seen by ISP 1 and the Internet as coming from 192.168.1.1; if it goes through ISP 2 it will be seen as coming from 172.16.1.1
  • in case one of the links goes down, we need all the traffic to use the other, remaining link. This will be achieved here by using IP SLA with ICMP echo sent to each of the ISP next-hop IP addresses, in our example 192.168.1.2 and 172.16.1.2
  • the ICMP echo will be sent every 1 second with a timeout of 500 msec
  • if the ICMP reply is not heard from one of those next hops within 1 second, that link will be considered down, the default route in the Internet router pointing to that hop will be withdrawn from the routing table, and the PBR decision will change based on that as well

Configurations:
interface FastEthernet1/0
description LAN interface
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip policy route-map PBR    ! this applies the policy based routing

interface FastEthernet1/1
description To ISP 1
ip address 192.168.1.1 255.255.255.0
ip nat outside
!
interface FastEthernet2/0
description To ISP 2
ip address 172.16.1.1 255.255.255.0
ip nat outside

  • as we can see above, the LAN interface is configured as the NAT inside interface, and a policy route-map named PBR is applied to that interface; the configuration of this route-map will be described later
  • both of the Internet ISP links are configured as NAT outside interfaces

IP SLA configurations:
ip sla 1
icmp-echo 192.168.1.2
timeout 500
frequency 1
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo 172.16.1.2
timeout 500
frequency 1
ip sla schedule 2 life forever start-time now

  • as we can see, IP SLA 1 sends an ICMP echo to the ISP 1 next-hop IP address every 1 second, and IP SLA 2 does the same to ISP 2

track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
!

  • if IP SLA 1 does not get an ICMP reply within 1 second, track 10 will be considered down (for ISP 1)
  • track 20 does the same for ISP 2

ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10
ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20

We have two default routes, each one pointing to one of the ISPs' next-hop IP addresses, and each static default route is associated with the corresponding IP SLA track created above.

In this case, if the ISP 1 link is down, the first default route will disappear from the routing table (we will see this through some verification commands later in this document).

access-list 10 permit 10.1.1.0 0.0.0.255
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit ip any any

These ACLs will be used with PBR and NAT:
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 172.16.1.2 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 192.168.1.2 2 track 10
!

  • we can see from the above route-map called PBR that we have several checks on traffic coming from the LAN interface towards the Internet

The first check is at the ACL level:

if the traffic is sourced from our LAN subnet 10.1.1.0/24 and goes to any destination using tcp 23, 80 or 443, then this traffic is matched by ACL 100

anything else is matched by ACL 101

In the case of telnet traffic (tcp 23), this is matched by ACL 100 and route-map sequence 10.

But in this sequence we have another check before we send the traffic to the next hop 172.16.1.2: we need to make sure this next hop is up and reachable. This is done by the IP SLA / track 20 created above; if this track is up, the traffic will be routed through ISP2 with a next hop of 172.16.1.2.

If track 20 is down, the static default route pointing to ISP2 will be withdrawn from the routing table, and traffic matched by ACL 100 under sequence 10 of the route-map will be routed according to the normal routing table, which is through ISP1 (because at this stage we have only one static default route left, pointing to ISP1). Any other traffic not matched by ACL 100 will use route-map sequence 30 with the same concept described above.

Now we can see how IP SLA controls both the routing table and the PBR choice!

route-map ISP2 permit 10
match ip address 10
match interface FastEthernet2/0
!
route-map ISP1 permit 10
match ip address 10
match interface FastEthernet1/1

Those two route-maps will be used by the NAT commands.

Please note that each of the route-maps has a match interface clause; this interface represents the exit interface of that NAT statement.

This clause is important: if we do not use it, the router will always use the first NAT statement and all our traffic will be sourced, in our example, from 192.168.1.1!

We will see the effect of removing the match interface clause from the route-maps later in this document.

ip nat inside source route-map ISP1 interface FastEthernet1/1 overload
ip nat inside source route-map ISP2 interface FastEthernet2/0 overload

These are simply our NAT commands, each with its corresponding outside interface and route-map.
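To make the interaction between the PBR route-map, the tracked default routes and the NAT route-maps concrete, here is a small model of the forwarding decision for one LAN packet. This is an added example, not the original author's code or anything from IOS; it assumes the addresses, ACLs, track numbers and interfaces from the configuration above, and it also models the "no match interface" case that the verification section demonstrates later.

```python
import ipaddress

# Values taken from the article's configuration (constructed model, not device output).
LAN_SUBNET = ipaddress.ip_network("10.1.1.0/24")

ISP1 = {"name": "ISP1", "exit_if": "FastEthernet1/1", "if_ip": "192.168.1.1",
        "next_hop": "192.168.1.2", "track": 10}
ISP2 = {"name": "ISP2", "exit_if": "FastEthernet2/0", "if_ip": "172.16.1.1",
        "next_hop": "172.16.1.2", "track": 20}

PBR_PORTS = {23, 80, 443}   # access-list 100: telnet, www, 443


def acl_100_matches(src_ip, proto, dport):
    """access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq telnet|www|443"""
    return (ipaddress.ip_address(src_ip) in LAN_SUBNET
            and proto == "tcp"
            and dport in PBR_PORTS)


def routing_table_default(tracks_up):
    """The tracked static defaults that survive ('ip route 0.0.0.0 0.0.0.0 <hop> track N').
    With one ISP down exactly one candidate is left; with both up, the first
    descriptor block (192.168.1.2) is assumed here so the answer is deterministic."""
    for isp in (ISP1, ISP2):
        if tracks_up.get(isp["track"], False):
            return isp
    return None


def forward(src_ip, proto, dport, tracks_up, nat_match_interface=True):
    """Return (exit interface, next hop, NAT source address) for a packet arriving
    on the LAN interface, or None when both default routes have been withdrawn.

    Mirrors route-map PBR: seq 10 (ACL 100) sets next-hop 172.16.1.2 only if
    track 20 is up, seq 30 (ACL 101, any) sets 192.168.1.2 only if track 10 is
    up; when verify-availability fails the packet is routed by the normal table.
    """
    if acl_100_matches(src_ip, proto, dport):
        chosen = ISP2 if tracks_up.get(20, False) else routing_table_default(tracks_up)
    else:
        chosen = ISP1 if tracks_up.get(10, False) else routing_table_default(tracks_up)
    if chosen is None:
        return None
    # NAT: 'ip nat inside source route-map ISPx interface <exit> overload'.
    # With 'match interface' in the NAT route-maps the statement for the real
    # exit interface wins; without it the first statement (ISP1) matches every
    # packet, so everything is translated to 192.168.1.1 whatever the exit.
    nat_src = chosen["if_ip"] if nat_match_interface else ISP1["if_ip"]
    return chosen["exit_if"], chosen["next_hop"], nat_src


if __name__ == "__main__":
    cases = [
        ("icmp to Internet, both up", "icmp", None, {10: True, 20: True}),
        ("telnet, both up", "tcp", 23, {10: True, 20: True}),
        ("telnet, ISP2 down", "tcp", 23, {10: True, 20: False}),
        ("icmp, ISP1 down", "icmp", None, {10: False, 20: True}),
        ("http, both down", "tcp", 80, {10: False, 20: False}),
    ]
    for label, proto, dport, tracks in cases:
        print(f"{label:28s} -> {forward('10.1.1.10', proto, dport, tracks)}")
```

The last parameter reproduces the experiment from the verification section: with `nat_match_interface=False`, telnet still exits via ISP2 but is translated to 192.168.1.1, which is exactly the asymmetric flow that the ISP2 link would then carry with the wrong source address.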

Verifications:

For verification purposes we will use a loopback interface created on both ISP routers in our example to represent a destination on the Internet,

which is 100.100.100.100/32

show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via “static”, distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
192.168.1.2
      Route metric is 0, traffic share count is 1
172.16.1.2
      Route metric is 0, traffic share count is 1

We have two default routes in our routing table, which means both ISP next-hop IP addresses are reachable by the SLA ICMP echo.

show route-map PBR
route-map PBR, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop verify-availability 172.16.1.2 1 track 20 [up]
  Policy routing matches: 24 packets, 1446 bytes
route-map PBR, permit, sequence 30
Match clauses:
ip address (access-lists): 101
Set clauses:
ip next-hop verify-availability 192.168.1.2 2 track 10  [up]
  Policy routing matches: 60 packets, 6840 bytes

Both SLA tracks 10 and 20 are shown in the UP state in the route-map show command.

Now let's ping 100.100.100.100 from an internal host in subnet 10.1.1.0/24, with NAT debugging enabled on the Internet edge router so we can see the translated traffic.

ping 100.100.100.100

*Dec 19 20:24:44.103: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [80]
*Dec 19 20:24:44.371: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [80]

This shows us that the ICMP traffic was translated to 192.168.1.1.

This means the ICMP traffic was matched by ACL 101 and, because track 10 is up, the traffic was sent via 192.168.1.2 and then translated by NAT to 192.168.1.1.

This is the PBR debug output for the above ping:

*Dec 19 20:25:12.247: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, len 100, FIB policy match
*Dec 19 20:25:12.251: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, g=192.168.1.2, len 100, FIB policy routed
*Dec 19 20:25:12.259: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [81]
*Dec 19 20:25:12.623: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [81]

Now let's see the result when we open a telnet session from the internal network:

telnet 100.100.100.100

*Dec 19 20:26:00.375: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, len 44, FIB policy match
*Dec 19 20:26:00.375: IP: s=10.1.1.10 (FastEthernet1/0), d=100.100.100.100, g=172.16.1.2, len 44, FIB policy routed
*Dec 19 20:26:00.383: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [57504]    <-- the traffic used the 172.16.1.1 link
*Dec 19 20:26:01.159: NAT*: s=100.100.100.100, d=172.16.1.1->10.1.1.10 [25782]

Let's shut down the ISP1 link to simulate a link failure and see how IP SLA behaves in this situation:

ping 100.100.100.100

*Dec 19 20:27:54.139: %TRACKING-5-STATE: 10 rtr 1 reachability Up->Down
*Dec 19 20:27:57.895: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [82]
*Dec 19 20:27:58.099: NAT*: s=100.100.100.100, d=172.16.1.1->10.1.1.10 [82]

Now our ICMP traffic, matched by ACL 101, is using the ISP2 link with 172.16.1.1 as the source IP.

We can see below that the interface connected to ISP 1 is still up, but because the next hop is not reachable via ICMP, IP SLA removed the default route that uses the ISP1 next hop from the routing table.

Interfaces are up/up, but the default route to ISP1 disappeared because of SLA track 10:

Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet1/0            10.1.1.1        YES NVRAM  up                    up
FastEthernet1/1            192.168.1.1     YES NVRAM  up                    up
FastEthernet2/0            172.16.1.1      YES manual up                    up

show ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via “static”, distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
* 172.16.1.2
      Route metric is 0, traffic share count is 1

Let's bring the link back up now:

*Dec 19 20:31:29.143: %TRACKING-5-STATE: 10 rtr 1 reachability Down->Up

Routing entry for 0.0.0.0/0, supernet
Known via “static”, distance 1, metric 0, candidate default path
Routing Descriptor Blocks:
192.168.1.2
      Route metric is 0, traffic share count is 1
172.16.1.2
      Route metric is 0, traffic share count is 1

ping 100.100.100.100

*Dec 19 20:32:15.559: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [183]
*Dec 19 20:32:16.071: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [183]

Now let's remove the match interface clause from each of the NAT route-maps and see the result:

(config)#route-map ISP1
(config-route-map)#no ma
(config-route-map)#no match in
(config-route-map)#no match interface fa1/1
(config-route-map)#route-map ISP2
(config-route-map)#no ma
(config-route-map)#no match int fa2/0
(config-route-map)#

#clear ip nat translation *

Then, when we ping and telnet, we will see that all the traffic is translated to 192.168.1.1 regardless of which exit the traffic is using!

ping 100.100.100.100

*Dec 19 20:33:47.615: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [184]
*Dec 19 20:33:48.067: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [184]

*Dec 19 20:34:51.675: NAT*: i: tcp (10.1.1.10, 21603) -> (100.100.100.100, 23) [64704]
*Dec 19 20:34:51.679: NAT*: i: tcp (10.1.1.10, 21603) -> (100.100.100.100, 23) [64704]
*Dec 19 20:34:51.683: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [64704]
*Dec 19 20:34:51.847: NAT*: o: tcp (100.100.100.100, 23) -> (192.168.1.1, 21603) [52374]
*Dec 19 20:34:51.847: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [52374]
*Dec 19 20:34:52.123: NAT*: i: tcp (10.1.1.10, 21603) -> (100.100.100.100, 23) [64705]

Let's put the match interface clause back into the NAT route-maps and ping again:

*Dec 19 20:36:23.379: NAT*: i: icmp (10.1.1.10, 16) -> (100.100.100.100, 16) [185]
*Dec 19 20:36:23.383: NAT*: i: icmp (10.1.1.10, 16) -> (100.100.100.100, 16) [185]
*Dec 19 20:36:23.387: NAT*: s=10.1.1.10->192.168.1.1, d=100.100.100.100 [185]
*Dec 19 20:36:23.827: NAT*: o: icmp (100.100.100.100, 16) -> (192.168.1.1, 16) [185]
*Dec 19 20:36:23.827: NAT*: s=100.100.100.100, d=192.168.1.1->10.1.1.10 [185]

telnet 100.100.100.100

*Dec 19 20:36:52.099: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46655]
*Dec 19 20:36:52.099: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46655]
*Dec 19 20:36:52.103: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [46655]
*Dec 19 20:36:52.259: NAT*: o: tcp (100.100.100.100, 23) -> (172.16.1.1, 16305) [41145]
*Dec 19 20:36:52.259: NAT*: s=100.100.100.100, d=172.16.1.1->10.1.1.10 [41145]
*Dec 19 20:36:52.355: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46656]
*Dec 19 20:36:52.359: NAT*: s=10.1.1.10->172.16.1.1, d=100.100.100.100 [46656]
*Dec 19 20:36:52.375: NAT*: i: tcp (10.1.1.10, 16305) -> (100.100.100.100, 23) [46657]

Conclusion:
To conclude the above configuration example: by using NAT together with other Cisco IOS features, in particular IP SLA, the network becomes more automated and reliable. We can track next-hop reachability, and we may use other advanced IP SLA features such as link jitter measurement in case we have VoIP traffic. Also, by using PBR we were able to classify our traffic and send it over the two links according to the requirements, avoiding congestion on one link while the other sits passive as backup only.

Thank you
Marwan Alshawi

Some very useful IOS tips from PacketLife

Keyboard shortcuts

These shortcuts can be used to speed up operating with the CLI:

Ctrl+B or Left     Move the cursor one character to the left
Ctrl+F or Right    Move the cursor one character to the right
Esc, B             Move the cursor one word to the left
Esc, F             Move the cursor one word to the right
Ctrl+A             Move cursor to the beginning of the line
Ctrl+E             Move cursor to the end of the line
Ctrl+P or Up       Retrieve last command from history
Ctrl+N or Down     Retrieve next command from history
Ctrl+T             Swap the current character with the one before it
Ctrl+W             Erase one word
Ctrl+U             Erase the entire line
Ctrl+K             Erase all characters from the current cursor position to the end of the line
Ctrl+X             Erase all characters from the current cursor position to the beginning of the line
Ctrl+L             Reprint the line
Ctrl+C             Exit configuration mode
Ctrl+Z             Apply the current command and exit configuration mode

Filter output

Most show commands support filtering with the pipe (|) character, allowing a user to display only the information he’s looking for.

Switch# show interface status | include notconnect
Gi1/0/7                         notconnect   1          auto   auto 10/100/1000BaseTX
Gi1/0/9                         notconnect   1          auto   auto 10/100/1000BaseTX
Gi1/0/22                        notconnect   1          auto   auto 10/100/1000BaseTX

Filter options are include, exclude, and begin. The remaining characters after one of these filter types are processed as a regular expression, which could be a simple string (as in the example above) or something a bit more complex. The example below demonstrates filtering for interface names and any assigned IP addresses.

Switch# show run | include interface|ip address
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
interface FastEthernet1
interface FastEthernet2
 ip address 192.168.1.1 255.255.255.0
 ip address 192.168.2.1 255.255.255.0 secondary
interface FastEthernet3

You can also filter by section. Thanks to Carl Baccus for reminding me to include this.

R1# show run | section bgp
router bgp 100
 no synchronization
 redistribute connected
 neighbor 172.16.0.2 remote-as 200
 neighbor 172.16.0.9 remote-as 300
 no auto-summary

Skip through the configuration

You can begin viewing a configuration with the begin filter:

Router# show run | begin interface
interface FastEthernet0/0
 no ip address
 shutdown
...

You can also skip forward to a certain line once you’ve already begun viewing the configuration by hitting / at the --More-- prompt, followed by the string you want to match:

Router# sh run
Building configuration...

Current configuration : 601 bytes
!
version 12.4
...
!
!
/interface
filtering...
interface FastEthernet0/0
 no ip address
 shutdown
...

Do the do

Exec commands can be issued from within configuration mode via the do command. This can be handy for double-checking the current configuration before applying any changes.

Switch(config-if)# do show run int f0
Building configuration...

Current configuration : 31 bytes
!
interface FastEthernet0
description Internal LAN
ip address 172.16.0.1 255.255.0.0
end

Insert question marks

You can insert question marks into literal strings (such as interface descriptions) by typing CTRL+V immediately before the question mark. This acts as an escape character and prevents the command line from summoning the help menu.

Switch(config-if)# description Where does this go[ctrl+v]?

The interface description will appear as “Where does this go?”

Disable domain lookup on typos

Don’t you hate it when this happens?

Switch# shrun
Translating "shrun"...domain server (255.255.255.255)
% Unknown command or computer name, or unable to find computer address

You can disable automatic DNS lookups with no ip domain-lookup, which will remove the delay before returning a new console prompt. However, this will also prevent you from referencing remote hosts by name, for example when telneting.

Switch(config)# no ip domain-lookup
...
Switch# shrun
Translating "shrun"
% Unknown command or computer name, or unable to find computer address

Another option is to leave DNS enabled, but configure your console ports and vtys to have no preferred transport for logging in to remote devices.

Router(config)# line console 0
Router(config-line)# transport preferred none
...
Router# asdfxyz
              ^
% Invalid input detected at '^' marker.

Router#

You can no longer telnet by typing an IP address on the console, instead use the “telnet” or “ssh” commands for connecting to the desired hostname or ip address.

Synchronous logging

When logging to the console is enabled, a Cisco device will often dump messages directly to the screen. This can become irritating when it interrupts you in the midst of typing a command. (FYI, you can continue typing normally and the command will still take, but this still throws some people off.)

Synchronous logging can be enabled to “clean up” the CLI when this happens, outputting a fresh prompt below the message, along with any partially completed command.

Switch(config)# line con 0
Switch(config-line)# logging synchronous
Switch(config)# line vty 0 15
Switch(config-line)# logging synchronous

Revert a configuration to its default

The default command, called from global configuration, can be used to revert any part of a configuration to its default value (which is often nothing). For example, it can be used to remove all configuration from a particular interface:

Switch(config)# default g1/0/5
Interface GigabitEthernet1/0/5 set to default configuration
Switch(config)# ^Z
Switch# show run int g1/0/5
Building configuration...

Current configuration : 38 bytes
!
interface GigabitEthernet1/0/5
end

Show only applied access lists

For reasons unknown to me, IOS doesn’t include a command to view what interfaces have ACLs applied. The closest we can get is drudging through the entire output of show ip interface. But, with a little ingenuity and the help of regular expressions, we can summon an efficient view of where our ACLs are applied.

Switch# sh ip int | inc line protocol|access list is [^ ]+$
FastEthernet0 is up, line protocol is down
FastEthernet1 is up, line protocol is up
  Inbound  access list is prohibit-web
FastEthernet2 is up, line protocol is up
  Inbound  access list is 42
FastEthernet3 is up, line protocol is down
FastEthernet4 is up, line protocol is up

For those curious, the regex above matches a line which either a) contains the string “line protocol”, or b) contains the string “access list is ” followed by a single word. This matches an ACL number or name (which can’t contain spaces) but not “not set”.
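The same regular expression can be exercised offline against sample output, which is a handy way to check a filter before relying on it during an audit. The following is an added example, not part of the PacketLife post: it runs the post's pattern over a constructed `show ip interface` excerpt (the interface names, addresses and ACL names are made up for this example) and then turns the filtered lines into an interface-to-ACL map, something the IOS pipe alone cannot produce.

```python
import re

# Constructed excerpt of 'show ip interface' (not captured from a real device).
SHOW_IP_INTERFACE = """\
FastEthernet0 is up, line protocol is down
  Internet address is 192.168.0.1/24
  Outgoing access list is not set
  Inbound  access list is not set
FastEthernet1 is up, line protocol is up
  Internet address is 10.0.1.1/24
  Outgoing access list is not set
  Inbound  access list is prohibit-web
FastEthernet2 is up, line protocol is up
  Internet address is 10.0.2.1/24
  Outgoing access list is 42
  Inbound  access list is not set
"""

# The pattern from 'sh ip int | inc line protocol|access list is [^ ]+$'.
# '[^ ]+$' requires a single space-free word up to end of line, so the
# 'not set' lines (two words) are dropped while ACL numbers and names survive.
FILTER = re.compile(r"line protocol|access list is [^ ]+$")

ACL_LINE = re.compile(r"\s*(Inbound|Outgoing)\s+access list is (\S+)$")


def include(output, pattern=FILTER):
    """Emulate IOS '| include': keep each line where the regex matches anywhere."""
    return [line for line in output.splitlines() if pattern.search(line)]


def acl_map(output):
    """Build {interface: {'in': acl, 'out': acl}} from the filtered lines.
    A 'line protocol' line starts a new interface; ACL lines attach to the
    interface most recently seen, which is how the raw output is ordered."""
    result = {}
    current = None
    for line in include(output):
        if "line protocol" in line:
            current = line.split()[0]
            result[current] = {}
            continue
        m = ACL_LINE.match(line)
        if m and current is not None:
            direction = "in" if m.group(1) == "Inbound" else "out"
            result[current][direction] = m.group(2)
    return result


if __name__ == "__main__":
    for line in include(SHOW_IP_INTERFACE):
        print(line)
    print(acl_map(SHOW_IP_INTERFACE))
```

Interfaces that appear in the map with an empty dictionary are the ones with no ACL in either direction, which is often the list an auditor actually wants.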

Speed up running-config display

When the show running-config command is issued, the output has to be assembled from numerous values in memory into the human-friendly display you see on the CLI. Unfortunately, the longer your configuration is, the more time this takes. IOS 12.3T introduced a feature to cache the running configuration text for quicker output:

Router(config)# parser config cache interface

Changing the break character to Ctrl+C

Router(config)# line vty 0 15
Router(config-line)# escape-character 3
Router(config)# line con 0
Router(config-line)# escape-character 3

Show running configuration with all defaults

Append the full command to show running-config to include all the default statements which are normally hidden for brevity.

Reload command

One of the classic mistakes is to incorrectly update an access-list on an interface when you are connected to the device remotely. And suddenly, the Telnet connection is dropped to the router because of a forgotten list entry that would permit your incoming connection.

When you are doing something tricky, you can use the following feature of the reload command, which causes the router to reboot in a certain number of minutes. For example, let’s tell the router to reboot in three minutes.

Router# reload in 3
    Reload scheduled in 3 minutes
Proceed with reload? [confirm]

Now, we have three minutes to do what we need to do. Let’s say we are applying an access-list to serial0.

Router# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# interface serial0
Router(config-if)# ip access-group 110 in
Router(config-if)# ^Z

We made the change and everything still works. (Well, at least our connection wasn’t dropped.) Now all we have to do cancel the impending reload with the following command:

Router# reload cancel

If the reload is not canceled, all the changes made will be discarded since they only exist in the running configuration.

Decrypting type-7 passwords in-house on a device

A good way to catch trailing spaces within passwords:

Router(config)#username user1 password 0 pass1word
Router#sh run | inc username
username user1 password 0 pass1word

Router(config)#service password-encryption
Router#sh run | inc username
username user1 password 7 06160E325F1F1E161713

then

Router(config)# key chain TEST
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string 7 06160E325F1F1E161713

Router(config-keychain-key)#sh key chain TEST
Key-chain TEST:
    key 1 -- text "pass1word"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]

Using command aliases

You can speed up your routine operations in IOS if you create aliases for often-used commands, for example:

Router(config)# alias exec sip show ip interface brief
Router(config)# exit
Router#  sip
Interface           IP-Address            OK? Method Status              Protocol
FastEthernet0/0     192.168.0.1           YES manual up                  up

Basic configuration in IOS

aaa new-model
tacacs-server host 192.168.1.1 timeout 10 key sup36s3c63t
tacacs-server directed-request
aaa authentication login default group tacacs+ local enable
aaa authentication login SSH group tacacs+
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable none
aaa authorization exec default group tacacs+ none
aaa authorization commands 15 default group tacacs+ none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

line con 0
login authentication CONSOLE

line vty 0 4
login authentication SSH

Basic configuration in HP Procurve (as of version WB.15.12.0010)
HP-2920-24G-PoEP(config)# tacacs-server host 192.168.1.1 key sup36s3c63t
HP-2920-24G-PoEP(config)# aaa authentication console login tacacs local
HP-2920-24G-PoEP(config)# aaa authentication console enable tacacs local
HP-2920-24G-PoEP(config)# aaa authentication ssh login tacacs local
HP-2920-24G-PoEP(config)# aaa authentication ssh enable tacacs local


Lab environment/requirements
Ubuntu/Debian server
Tacacs+ software from Shrubbery
Cisco Catalyst switches
User id: advanxer
Password: helloworld
Enable password: ciscoenable

Download and install tacacs+
wget ftp://ftp.shrubbery.net/pub/tac_plus/tacacs+-F4.0.4.27a.tar.gz

Extract it
tar -zxvf tacacs+-F4.0.4.27a.tar.gz

Go into extracted folder
cd tacacs+-F4.0.4.27a

Install dependencies (if needed)
apt-get install build-essential flex bison libwrap0-dev

Install tacacs+
./configure
make install

Check tacacs+ is installed
ls /usr/local/bin/
You should see 2 files:
tac_plus - the tacacs+ executable
tac_pwd - generates the DES or MD5 encrypted form of a password

Create the user id and encrypted password; for example, the username is advanxer and the password is helloworld:
# tac_pwd
Password to be encrypted: helloworld
6Zvw8uD3yX4eI

Create the encrypted form of the enable password:
# tac_pwd
Password to be encrypted: ciscoenable
2mq3JtC3knwQw

Now we have this user info:
username advanxer
cleartext password helloworld, encrypted password 6Zvw8uD3yX4eI
cleartext enable password ciscoenable, encrypted password 2mq3JtC3knwQw

Tacacs+ configuration
Create tacacs folder in /etc & create the tac_plus.conf file
mkdir /etc/tacacs
cd /etc/tacacs
nano tac_plus.conf

# setting the tacacs/NAS shared key
key = "sup36s3c63t"

# Where is the accounting records to go
accounting file = /var/log/tacacs.log

#Enable password setup for all users:
user = $enable$ {
login = des 2mq3JtC3knwQw
}

#user accounts–here user details are defined
user = advanxer {
default service = permit
member = networkadmingroup
login = des 6Zvw8uD3yX4eI
}

#user account for read only access
user = helpdesk {
default service = deny
member = readonly
login = des 6Zvw8uD3yX4eI
}

#group details
# admin group
group = networkadmingroup {
default service = permit
service = exec {
priv-lvl = 15
}
}

# read only group
group = readonly {
default service = deny
service = exec {
priv-lvl = 0
}
cmd=show {
permit .*
}
cmd=enable {
permit .*
}
cmd=exit {
permit .*
}
}
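Before rolling a read-only group like the one above onto switches, it helps to be able to reason about which commands the server will actually authorize. The following added example (my own code, not part of the tutorial or of tac_plus) expresses the two groups from the tac_plus.conf above as Python data and evaluates command authorization against them. The evaluation order is an assumption about tac_plus semantics, stated in the docstring: the first word of the command selects the cmd block, its permit/deny regexes are tried in order against the remaining arguments, and anything with no matching block falls back to default service. It also goes one step beyond the page with a tighter read-only group that denies show running-config, since the running configuration is where the type-7 secrets discussed earlier on this page live.

```python
import re

# Groups from the tac_plus.conf above, written as data for this example.
READONLY_GROUP = {
    "default_service": "deny",
    "cmds": {
        "show":   [("permit", r".*")],
        "enable": [("permit", r".*")],
        "exit":   [("permit", r".*")],
    },
}

ADMIN_GROUP = {"default_service": "permit", "cmds": {}}   # networkadmingroup

# Constructed variant (not on the page): same as readonly, but the helpdesk
# must not read the running or startup configuration.
HARDENED_READONLY = {
    "default_service": "deny",
    "cmds": {
        "show":   [("deny", r"running-config|startup-config"), ("permit", r".*")],
        "enable": [("permit", r".*")],
        "exit":   [("permit", r".*")],
    },
}


def authorize(group, command_line):
    """Return True if the group permits the command line, else False.

    Assumed tac_plus behaviour: the first word picks the 'cmd = <word>' block;
    within it, permit/deny regexes are tested in order against the argument
    string and the first match decides; a block whose regexes match nothing
    denies; a command with no block at all uses 'default service'.
    """
    words = command_line.split()
    if not words:
        return False
    cmd, args = words[0], " ".join(words[1:])
    rules = group["cmds"].get(cmd)
    if rules is None:
        return group["default_service"] == "permit"
    for verdict, regex in rules:
        if re.match(regex, args):
            return verdict == "permit"
    return False


def audit(group, commands):
    """Evaluate a list of commands and return {command: decision}, handy for
    checking a group definition before pushing it to the server."""
    return {c: authorize(group, c) for c in commands}


if __name__ == "__main__":
    sample = ["show ip interface brief", "show running-config",
              "configure terminal", "enable", "exit"]
    for name, grp in [("readonly", READONLY_GROUP), ("hardened", HARDENED_READONLY),
                      ("admin", ADMIN_GROUP)]:
        print(name, audit(grp, sample))
```

Because the regex is applied with re.match (anchored at the start of the argument string), `show ip route` passes the hardened group's deny rule and reaches the permit, while `show running-config` is stopped by the first rule; ordering deny before permit is what makes that work, as it does in the real tac_plus.conf.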

To support Cisco Nexus OS, add the shell:roles attribute to your user groups so they look like this:
# admin group
group = networkadmingroup {
default service = permit
service = exec {
priv-lvl = 15
shell:roles="network-admin"
}
}

Problem Category: Security – Network Firewalls and Intrusion Prevention Systems
Problem Subcategory: Adaptive Security Appliance (ASA) non-VPN problem
Problem Type: Product Feature/Function Question
Problem Details: We suspected there is a memory leak on our ASA 5585-X. Can you guide me where to look for the “fragment size” value from the “show memory detail” output.

TAC reply:
++ I understand that you are looking for the fragment size value in the show mem detail output and then, based on the values, would determine the bin size value to be used in show mem binsize.
++ From the details shared, I see that the total free memory available on the unit is 68%.
++ Also, if you observe the details pertaining to the counters "MAX CONTIGOUS FREE MEM" and "Free MEM", the values are more or less the same, which indicates that the amount of memory being leaked by fragmentation is not high (almost nil).
++ Now coming to the point where you were concerned over the outputs of fragment size across the device: usually the count associated with a block size increases and decreases as blocks are released back. If we observe an abnormal increase in the count value for any block and continue to see that they are not released, this would be indicated by the count value.
++ Depending on the block size for which we see the count abnormally increasing, we can specify that value in the command show mem binsize.

Show Memory Detail
1. Gather the output of "show memory detail".
2. Look in the column "total (bytes)" under "MEMPOOL_GLOBAL_SHARED POOL STATS" to find the 5 largest values.
3. Issue the command "show memory binsize" using the associated value under "fragment size (bytes)".

Memory Tracking
1. Enable the command "memory tracking enable" to turn on memory tracking.
2. Issue the command "show memory tracking" at regular intervals to see the change in memory allocation.
3. Issue the command "show memory tracking address | i " followed by the pc counter (in hex) of the largest growing process from the previous step.
4. Gather the output of "show memory tracking dump" for any of the memory address locations picked at random from the output of the previous step.

Also check  http://itsecworks.wordpress.com/2010/11/23/troubleshooting-asa-high-memory-issues/