
Saturday, December 15, 2012

How to configure burst byte, rate bps and police parameter in cat 3560 QoS

We are trying to implement QoS on our guest VLAN, to limit VLAN bandwidth to 1 Mbps. The Cisco config guide about QoS says that "Policing uses a token-bucket algorithm."
The syntax is "police rate-bps burst-byte [exceed-action {drop | policed-dscp-transmit}]", and it says "For rate-bps, specify average traffic rate in bits per second (b/s). The range is 8000 to 10000000000." and "For burst-byte, specify the normal burst size in bytes. The range is 8000 to 1000000."
 
How does burst-byte impact rate-bps? How do both burst-byte and rate-bps influence the target to limit bandwidth to 1 Mbps?
 
Delivered speed depends on the combination of what the traffic is doing and the policer's settings.
 
Consider you're policing (or shaping) at 1 Mbps on a 10 Mbps Ethernet link.  What's actually happening?  When bits are transmitted, they are always transmitted at actual media speed, in this case 10 Mbps.  So, what a policer (or shaper) does is measure the total transmitted number of bits, over some time period, and drop (or queue) bits (actually packets/frames) that exceed the "rate" for the time period.  However, it doesn't matter when the bits are actually transmitted within the measure time period, but too many bits within a time period matters.
 
For example, if we counted a "rate" of 1 Mbps on a time period of 1 second, 1 million bits will actually be transmitted at 10 Mbps for 1/10 of a second.  If the transmission was continuous, the 1/10 of a second could take place anytime within a second, perhaps the 3rd tenth.  Or, if the bits were transmitted continuously for 1/20 of a second, in two instances, the first transmission could take place during the 4th twentieth of a second, and the second transmission any twentieth thereafter.  Such combinations meet our measured rate, i.e. no more than 1 million bits during a second.
 
However, suppose we now halve our measure period, from 1 second to half a second; i.e. still policing at "1 Mbps".  Now the original transmission of actual 10 Mbps for 1/10 of a second is twice our limit, and if policed, "half" the transmission would be dropped.  If we also again send two transmissions for 1/20 of a second, the first transmission can take place anywhere in the first half second, the second transmission anywhere in the 2nd half second, but if both take place in the same half second, the second transmission would again, if policed, be dropped, although the first transmission would pass.  You can look at the previous 1/10 second transmission as two 1/20 second transmissions back to back.
 
Where this gets involved, and why actual transmission rate depends on measured time periods and actual traffic, for the second example of measuring across a half second, it would seem to always preclude sending one transmission for 1/10 of a second, yet if that transmission started exactly at the last 1/20 second of the first time period, and runs into the first 1/20 second of the second time period, it would be passed.
 
So, without knowing exactly both the actual traffic transmission characteristics and your policing parameters, we can't precisely predict what will happen.  What we can say is that larger measure time periods (set via the burst size) allow for more "bursty" transmission, but the overall rate will be the same.  However, especially when policing, dropping some packets can change the sender's transmission rate, so the impact of using different burst sizes can be very noticeable against some traffic (e.g. TCP).
 
In other words, your second police statement is likely to allow most typical (i.e. TCP) network traffic to actually near 10 Mbps more so than your first police statement; but can't guarantee that.
 
If you think, I'll make the measured time period very large, then remember actual transmission rate is still always at media rate.  If you were enforcing "1 Mbps" on a gig link, and measured time period was 1 minute, this will allow 1 million bits to be sent, at gig rate, anytime during the minute.  Is that okay?  That's something you need to determine.
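
The interaction described above, as an added example (not from the original post and not Cisco's implementation): a simplified single-rate token-bucket policer in Python, fed constructed traffic that averages 1 Mbps on a 10 Mbps link. The 1250-byte frame size, the traffic patterns and all function names are assumptions chosen so the arithmetic stays exact.

```python
US = 1_000_000  # microseconds per second


class Policer:
    """Single-rate token bucket: refills at rate_bps, holds at most burst_bytes."""

    def __init__(self, rate_bps, burst_bytes):
        self.rate_bps = rate_bps
        # Tokens are kept in bit-microseconds so every step is exact integer math.
        self.cap = burst_bytes * 8 * US
        self.tokens = self.cap          # bucket starts full
        self.last_us = 0

    def offer(self, t_us, size_bytes):
        """Return True if the frame conforms (forwarded), False if it is dropped."""
        earned = (t_us - self.last_us) * self.rate_bps
        self.tokens = min(self.cap, self.tokens + earned)
        self.last_us = t_us
        cost = size_bytes * 8 * US
        if cost > self.tokens:
            return False                # exceed-action drop: no tokens are spent
        self.tokens -= cost
        return True


def bursty(seconds, frames=100, frame_bytes=1250, line_bps=10_000_000):
    """Constructed traffic: `frames` back-to-back frames at line rate, once a second.

    With the defaults this is 1 Mbit sent at 10 Mbps for 1/10 of a second.
    frames=1000 makes the sender transmit continuously at line rate.
    """
    gap_us = frame_bytes * 8 * US // line_bps      # 1000 us per frame at 10 Mbps
    return [(s * US + i * gap_us, frame_bytes)
            for s in range(seconds) for i in range(frames)]


def smooth(seconds, frame_bytes=1250, rate_bps=1_000_000):
    """Constructed traffic: the same 1 Mbps average, evenly paced."""
    gap_us = frame_bytes * 8 * US // rate_bps      # one frame every 10 ms
    return [(i * gap_us, frame_bytes) for i in range(seconds * US // gap_us)]


def delivered_kbps(rate_bps, burst_bytes, arrivals, seconds):
    """Average forwarded rate in kbps over `seconds` of the given arrivals."""
    policer = Policer(rate_bps, burst_bytes)
    passed = sum(size for t, size in arrivals if policer.offer(t, size))
    return passed * 8 // (seconds * 1000)


if __name__ == "__main__":
    rate = 1_000_000
    cases = [
        ("1 Mbit burst each second", bursty(3), 3),
        ("evenly paced 1 Mbps", smooth(3), 3),
        ("continuous 10 Mbps", bursty(10, frames=1000), 10),
    ]
    for label, arrivals, seconds in cases:
        for burst in (8000, 125000):
            kbps = delivered_kbps(rate, burst, arrivals, seconds)
            print(f"{label:26} burst-byte {burst:6}: {kbps:5} kbps forwarded")
```

The long-run ceiling is the same for both burst sizes, but a sender that bursts at line rate only gets its full 1 Mbps average through when the bucket is deep enough to hold the whole burst.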
 
 
Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.

Thursday, December 6, 2012

How to configure Radius on 2960 and 2955

We are trying to configure RADIUS on a 2960 and a 2955 switch. We can't see the options to configure RADIUS; do these L2 switches not support RADIUS?

radius-server host 10.1.1.1 auth-port 1645 acct-port 1646 key 123456789
radius-server host 10.1.1.2 auth-port 1645 acct-port 1646 key 123456789
radius-server vsa send accounting
radius-server vsa send authentication

We get this:

Warning: This CLI will be deprecated soon. Please move to radius server CLI.


What is this? Can someone explain?

The warning message just indicates that the new(er) version of IOS will probably not support this feature, e.g. radius-server NAME. The newer version is yet to be available from Cisco. The warning message is allowing you time to migrate to a more supportable configuration (you know, research for a better way to perform your task).

The new command set is indeed like this:

radius server AAAISE1
address ipv4 10.19.250.50 auth-port 1812 acct-port 1813
key 7 01115506555E172F32
!
radius server AAAISE2
address ipv4 10.19.250.51 auth-port 1812 acct-port 1813
key 7 130744101444150A38

Same stuff, different format. You could think of it like the format for extended IP ACLs.

Please click here for Cisco documentation.
When you get to this link, scroll down to the Security, Services and VPN section. Next, click on Cisco IOS Security Command Reference: Commands M to R. From there you can find a link to the radius server command.



Tuesday, November 27, 2012

What are the steps to upgrade IOS for VSS 6509 switches?

We have 2 6509 switches configured with VSS. We would like to enable SSH, but it is not available in the existing IOS, which is "s72033-ipbase-mz.122-33.SXI3.bin". SSH is available in "s72033-ipbasek9-mz.122-33.SXI10".

Please advise a step-by-step procedure for upgrading the IOS on VSS-configured switches.


Here are the steps to upgrade IOS for VSS 6509 
1.  Copy the IOS from the TFTP to the active blade supervisor card:  copy tftp:///IOS.bin sup-bootflash:
2.  Copy the IOS from the TFTP to the secondary blade supervisor card:  copy tftp:///IOS.bin slavesup-bootflash:
3.  Go to enable mode and change the bootstring/boot variable.
NOTE:  In this step, what we've done is specify that the chassis boot the NEW IOS and also specify that the chassis boot the old or existing IOS in case the first one fails.

conf t
no boot system flash sup-bootdisk:OLD_IOS.bin
boot system flash sup-bootdisk:NEW_IOS.bin
boot system flash sup-bootdisk:OLD_IOS.bin
end
copy run start
reload

Please click here for Cisco IOS In-Service Software Upgrade procedures from Cisco. 



Sunday, November 18, 2012

Wake on LAN across a corporate environment


How do you set up WoL in an environment where there are about 8 sites all connected on a private MPLS?
Each site has 20 - 50 PCs on it. We have been asked to configure the Cisco equipment to allow, from a single place, the ability to wake any PC at any office. We have looked at various documents on the Cisco website, but we are still not quite sure.

- start on the router connecting the subnet where the WoL source is located.
- determine what protocol port number is to be used for WoL.
- configure an ip forward-protocol to match that protocol port.
- configure an ip helper-address for every remote subnet which needs to receive WoL. (this is the most tedious of the steps since you need one per remote subnet)
- then on each remote router where WoL will be received configure an ip directed-broadcast on each interface where clients are connected that will receive WoL.

Depending on how concerned you are with security issues you may want to make use of the optional capability to configure an access list to control the directed broadcast to limit it to WoL.

In summary
- you need an ip forward-protocol statement to match the protocol port that will be used for WoL (frequently it is port 6 but depending on the server it might be something different).
- you need an ip helper-address configured on the source subnet for each destination subnet to forward the WoL as a broadcast to the remote subnet.
- you need an ip directed-broadcast on each remote subnet to permit forwarding of the WoL packet onto the subnet as a broadcast.
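
The summary above expressed as generated IOS configuration, as an added example (not from the original post): a Python helper that computes each remote subnet's directed-broadcast address and emits the forward-protocol, helper-address and ACL-restricted directed-broadcast lines. The addresses, interface names, ACL numbers and UDP port are constructed sample values; set the port to whatever your WoL server actually sends to.

```python
import ipaddress

# Constructed sample inventory (assumptions, not values from the original post).
WOL_HOST = "10.0.0.10"      # the single machine allowed to send WoL
SOURCE_IF = "Vlan10"        # router interface facing the WoL host
WOL_UDP_PORT = 9            # assumption: use the port your WoL server sends to
SITES = [                   # (site name, remote subnet, remote LAN interface)
    ("site-a", "10.1.1.0/24", "Vlan20"),
    ("site-b", "10.2.0.0/23", "Vlan30"),
]


def wol_config(wol_host, source_if, udp_port, sites, acl_base=150):
    """Return (source_router_lines, {site: remote_router_lines})."""
    host = ipaddress.ip_address(wol_host)
    if not 1 <= udp_port <= 65535:
        raise ValueError(f"invalid UDP port: {udp_port}")
    # Numbered extended ACLs live in 100-199; one ACL number per site here.
    if acl_base < 100 or acl_base + len(sites) - 1 > 199:
        raise ValueError("ACL numbers must stay within 100-199")

    source = [f"ip forward-protocol udp {udp_port}", f"interface {source_if}"]
    remote = {}
    for index, (name, cidr, lan_if) in enumerate(sites):
        # strict parsing: a typo such as 10.1.1.5/24 raises instead of
        # silently producing a helper for the wrong subnet
        net = ipaddress.ip_network(cidr)
        if net.prefixlen >= net.max_prefixlen - 1:
            raise ValueError(f"{cidr} has no usable broadcast address")
        # One helper per remote subnet, aimed at that subnet's broadcast address.
        source.append(f" ip helper-address {net.broadcast_address}")
        acl = acl_base + index
        remote[name] = [
            # Only the WoL host on the WoL port may be expanded to a broadcast;
            # the ACL's implicit deny drops every other directed broadcast.
            f"access-list {acl} permit udp host {host} any eq {udp_port}",
            f"interface {lan_if}",
            f" ip directed-broadcast {acl}",
        ]
    return source, remote


def render(source, remote):
    """Format both halves as one text report."""
    out = ["! router on the WoL source subnet", *source]
    for name, lines in remote.items():
        out += [f"! remote router at {name}", *lines]
    return "\n".join(out)


if __name__ == "__main__":
    print(render(*wol_config(WOL_HOST, SOURCE_IF, WOL_UDP_PORT, SITES)))
```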



Tuesday, October 23, 2012

How do you install Software via CLI from Junos software copied to SRX?

Refer to the following steps for copying the software to the SRX and then performing the software installation via the CLI:
  1. Copy software to SRX via SCP or FTP to /var/tmp:  
    For example:
    user@srx>  scp  junos-srxsme-11.4R4.4-domestic.tgz  user@srx:/var/tmp/junos-srxsme-11.4R4.4-domestic.tgz

    OR

    user@srx>  ftp   (and login) 
    user@srx>  lcd /var/tmp 
    user@srx>  bin 
    user@srx>  get junos-srxsme-11.4R4.4-domestic.tgz
    user@srx>  bye
  2. Install software with the commands below.  For detailed instructions, refer to Installing the Software.
    For example:
    From the local file in /var/tmp
    user@srx>  request system software add no-copy /var/tmp/junos-srxsme-11.4R4.4-domestic.tgz
    user@srx>  request system reboot



Monday, October 22, 2012

How to set up the Configuration of NetScreen-Remote Side:

Create New Policy by clicking the New Connection icon on upper left corner.  Label this new connection Corporate
  1. On Remote Party Identity and Addressing
    1. ID Type: IP Subnet
    2. Subnet: 172.16.10.0
    3. Netmask: 255.255.255.0
    4. Click Connect using Secure Gateway Tunnel
    5. ID Type: IP Address: 1.1.1.1
  2. Expand the connection Corporate
    1. Click Security Policy
      1. Select Phase 1 Negotiation Mode: Aggressive
      2. De-Select Enable Perfect Forward Secrecy (PFS)
      3. De-select "Enable Replay Detection"
    2. Click My Identity
      1. Select Certificate: None
      2. ID Type: Email address: sales@ns.com
      3. Click Pre-Shared Key
        1. Click Enter Key
          1. Enter the Pre-shared key sharedikeid
          2. Click OK
    3. Expand Security Policy
      1. Expand Authentication (Phase 1)
        1. Select Proposal  1
          1. Authentication Method: Pre-Shared Key;Extended Authentication
          2. Encryption Alg: Triple DES
          3. Hash Alg: SHA
          4. SA Life: Unspecified
          5. Key Group: Diffie-Hellman Group 2
      2. Expand Key Exchange (Phase 2)
        1. Select Proposal 1
          1. Encrypt Alg. Triple DES
          2. Hash Alg. SHA
          3. Encapsulation: Tunnel
    4. Click Save

Please click here for  information on configuring other IPSec VPN clients


Tuesday, October 9, 2012

Do an offline attack update using guiSvrCli.sh when the NSM server does not have internet access?

Attack update can be performed from the CLI using the guiSvrCli.sh script. This tool, by default, uses the HTTP URL https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat for downloading latest attack DB information.

If the NSM server does not have access to the internet, administrators can follow this procedure to perform attack update via CLI:

1) Obtain the two attack update files (the data file and the attack object database file) from the website.   Copy and paste the content from the URL into a file and name the file as NSMFP3-DI-IDPAttackUpdateInfo.dat or NSM-SecurityUpdateInfo.dat for 2006 and higher. Place these two files (dat file and zip file) on the NSM server under /tmp.
To obtain the dat file:

For Older NSM releases prior to NSM 2006.1t2: NSMFP3-DI-IDPAttackUpdateInfo.dat
For NSM 2006.1 and above: NSM-SecurityUpdateInfo.dat
For the .zip file (that consists of the attack object database), copy both files to /tmp directory on the NSM GUI Server.

For Older NSM releases prior to NSM 2006.1r: NSMFP3-DI-IDP.zip
For NSM 2006.1 (r1 & r2) NSMFP6-DI-IDP.zip
For NSM 2007.1 and 2007.2 NSMFP7-DI-IDP.zip
For NSM 2007.3 NSMFP9-DI-IDP.zip
For NSM 2008.1 NSMFP10-DI-IDP.zip
For NSM 2008.2 NSMFP11-DI-IDP.zip
For NSM 2009.1 NSMFP12-DI-IDP.zip
For NSM 2010.1 NSMFP12-DI-IDP.zip
For NSM 2010.2 NSMFP13-DI-IDP.zip
For NSM 2010.3 NSMFP14-DI-IDP.zip
For NSM 2010.4 NSMFP14-DI-IDP.zip

2) Login to the NSM server (GUI Server) via SSH as root.  If you are using an NSMXpress device, log in as admin and run sudo su - and type in the admin password.  Change to location $NSROOT/GuiSvr/var/svrcli. ($NSROOT in most installs is set to /usr/netscreen).

3) Make a copy of the file updateAttacks.vtl, then edit it and replace the https URL found in this file with the directory path as follows:
  For releases prior to 2006.1 as:   file:///tmp/NSMFP3-DI-IDPAttackUpdateInfo.dat
  For 2006.1 and higher as:   file:///tmp/NSM-SecurityUpdateInfo.dat

4) Run the guiSvrCli.sh script to update attack db:

Change to the utils directory: cd /usr/netscreen/GuiSvr/utils

Run one of the following commands for NSM version 2007.1, 2007.2 and 2007.3:
  To perform only the attack update, run the command: ./guiSvrCli.sh --update-attacks --post-action --none
  To perform attack update and device update, run the command: ./guiSvrCli.sh --update-attacks --post-action --update-devices

Run one of the following commands for NSM version 2008.1 and above:
  To perform only the attack update, run the command: ./guiSvrCli.sh --update-attacks --post-action --none
  To perform attack update and device update, run the command: ./guiSvrCli.sh --update-attacks --post-action --update-devices

5) Once run, you will be prompted for the domain/user; enter : global/super as well as the super user's password (super, the admin user for NSM, not root).

Monday, October 8, 2012

Why isn't there a remote-as statement for any neighbors except for those in the global routing process & ipv4 vrf VRF-1 address-family?


The neighbor ... remote-as command is used to declare the BGP AS number used by the neighbor. The configuration of a PE node like the one you have examined is an example of multiprotocol BGP (MP-BGP).

In MP-BGP we define the neighbors with neighbor ... remote-as in the router BGP configuration. The various address families, like ipv4 unicast, ipv4 multicast and vpnv4, represent different areas of interest. Each BGP peer can be interested only in some specific address families and not in all of them.

The key command to tell the router that a specific neighbor is interested in address-family X is the neighbor activate command. With this command we instruct the local node to send and receive updates named NLRI (Network Layer Reachability Information) for the specific address family X.




Wednesday, September 12, 2012

Juniper SSG5 Software Upgrade To or Beyond 6.2.0r4.0 Causes Constant Reboot/Crash

We are trying to upgrade the software on my SSG5.  I started with 6.2.0r2.  We wanted to go to the newest 6.2.0 release (6.2.0r10).  But the SSG keeps crashing after it's been up for about 10 seconds.  So, we started upgrading a release at a time.  We successfully get all the way up to 6.2.0r3.  But if we try 6.2.0r4 or newer (6.2.0r9, 6.2.0r10 or even 6.3.0r7) the SSG crashes. 

We thought maybe it was the bootloader, so we upgraded that to 1.3.3, but we get the same result.


Juniper fixed this issue in Release 6.2.0r12. Here are the release notes that talk about the fix:

"587433-Sometimes after OS upgrade, the firewall did not start up because of a certain condition in flash writing mechanism."

Upgrade your device to 6.2.0r12 or 6.3.0r9 to fix the issue.

If the device is crashing try to update the firmware using boot loader.

If you are still having issues install  the old firmware to the box through console/bootloader and then boot it up. Then take a backup of configuration and then erase  all configuration from the device. Then  upgrade it again to an empty device and check the new firmware. Then  copy/paste the installation of the old configuration and it should work correctly. 




Thursday, September 6, 2012

Choice of right interface encapsulation of VPLS in Juniper switching

We would like to configure the vlan-id below 512, and we know that only the encapsulations "extended-vlan-vpls" and "flexible-ethernet-services" can support it. Our case is without the special function, so we are confused about which encapsulation to use. Can you suggest the best practice?


If you configure "flexible-ethernet-services" encapsulation for a physical interface, then you can configure different encapsulations under the logical sub-interfaces.

xe-3/2/0 {
    flexible-vlan-tagging;
    encapsulation flexible-ethernet-services;
    unit 3401 {
        encapsulation vlan-vpls;
        vlan-id 3400;
    }
    unit 3400 {
        encapsulation vlan-ccc;
        vlan-id 3400;
    }
}


That means you can configure different types of  services  ( VPLS, L2VPN etc ) under a single physical interface. But, this encapsulation is supported by certain types of hardware.

Please click here for documentation from Juniper Networks on encapsulation.


"flexible-ethernet-services—For Gigabit Ethernet IQ interfaces and Gigabit Ethernet PICs with small form-factor pluggable transceivers (SFPs) (except the 10-port Gigabit Ethernet PIC and the built-in Gigabit Ethernet port on the M7i router), use flexible Ethernet services encapsulation when you want to configure multiple per-unit Ethernet encapsulations."

On the other hand, if you configure "extended-vlan-vpls",  you will be able to configure VPLS services only in that interface / logical interfaces.


Also keep in mind that changing the encapsulation on the physical interface is going to bounce all logical interfaces associated with it, so you may want to do that in a maintenance window.




Wednesday, July 4, 2012

VRRP active and backup Router behavior

On VRRP it says that when you configure a timer on the master, the backup router also follows those hello timers. But when we configure the advertise timer on the master, both routers R1 and R2 become master and they show different timers. Can you please let us know why this happens?

The virtual address in vrrp can be assigned as the physical address of a real interface. In other words, if you have 192.168.7.1 as in R1, then you can assign 192.168.7.1 as the vIP unlike with HSRP where it has to be different. When vrrp is assigned a virtual address that's equal to the real address, that router becomes the master. If the router were to go down, preemption is automatically enabled by default in vrrp and causes the router with the next higher priority to take over. The problem that I think you're seeing is that there's no real ip of 192.168.7.3 being used. In that case, neither of these are really being seen as the master of the group. So because of this, since both priorities are the same, the next check is going to be the highest ip address of the group will become the master. If you want to change this behavior, you can set the priority of the one that you want as the primary to something higher than 100 and it will take over as master after your configured time of 60 seconds.

The timers between the routers in the group need to match. The master is the router that controls the timers, so when you change the timer on the master you can learn the timers on the backup or set the timer to the same interval as the other router. The default is 1 second for advertisement. From what I see, if you change the backup's timer, it becomes master. Now with 2 masters, you can't change the other (original master) timer to learn from the original master because it seems that the priority and highest address still come into play. With the original master, you'd have to send the different timer or change your priority to prefer the other router as master before sending the timer from it. On the other router (whichever backup you want) you would need to either learn (vrrp timers learn) or set your timer manually to the timer that's being sent from the master.



Tuesday, July 3, 2012

3560X: recovery without pressing "mode button"


Does anyone know if there's a way for password recovery on 3560X without pressing "mode button"?
A way, for example, to reach ROMMON with some escape sequence as in routers?
  1. Rename the IOS filename extension from BIN to something else.
  2. Reboot the appliance and you'll be guaranteed to go into ROMmon.
  3. Rename the IOS filename extension back to BIN.
  4. Rename the config.text file.
  5. Boot the appliance.
  6. Continue with the password recovery procedure



Thursday, June 28, 2012

How do you enable NetFlow on Catalyst 6506 with WS-SUP720-3B?


What are the steps to enable Netflow on a Supervisor Engine 720 with the following Policy Feature Card:  WS-F6K-PFC3B.
 
Is it better to configure it on the PFC or on the MSFC ? What are the differences?

* Enabling NetFlow on the PFC
To enable NetFlow statistics collection on the PFC, perform this task:

mls netflow       (enables NetFlow on the PFC)
no mls netflow    (disables NetFlow on the PFC)

* Enabling NetFlow on the MSFC

int Vlanxxx
 ip flow ingress
 ip route-cache flow

 
NetFlow and NDE on the MSFC

The NetFlow cache on the MSFC captures statistics for flows routed in software. The MSFC supports NetFlow aggregation for traffic routed in software.

NetFlow and NDE on the PFC

The NetFlow cache on the PFC captures statistics for flows routed in hardware. The PFC supports sampled NetFlow and NetFlow aggregation for traffic routed in hardware.

Having said the above, the Sup720 theoretically should switch all packets in hardware, so having NetFlow on the PFC would be the way to go.  However, there might be some packets that get software switched, which NetFlow and NDE on the PFC will not catch.  The document does not say that configuring NetFlow on both the PFC and the MSFC is unsupported.

Please click here for the Netflow Data Export guide.
Please click here for Netflow Configuration guide. 



Wednesday, June 27, 2012

What are the minimum recommended Cisco NX-OS Releases for Cisco Nexus 7000 Series Switches?


Cisco recommends that customers with new Cisco Nexus 7000 Series deployments choose from the following minimum recommended releases:

• Within the NX-OS Release 5 train, the Cisco Nexus 7000 engineering team recommends running the latest NX-OS Release 5.2 software.

• Within the NX-OS Release 6 train, the Cisco Nexus 7000 engineering team recommends running the latest NX-OS Release 6.0 software.

Cisco recommends that customers with existing Cisco Nexus 7000 Series deployments upgrade to the following minimum recommended releases:

• Within the NX-OS Release 4 train:

–The most recent Cisco NX-OS Release 4.2 software is the recommended release for general features and functions.

–Cisco NX-OS Release 4.2(6) is the minimum recommended release for general features and functions.

• Within the NX-OS Release 5 train:

–The most recent Cisco NX-OS Release 5.2 software is the recommended release for general features and functions.

–Cisco NX-OS Release 5.1(5) is the minimum recommended release. However, future upgrades from Release 5.1(5) will be to the long-lived Release 5.2 train. Cisco strongly recommends that customers begin qualification of Release 5.2.

–For customers currently running Release 5.2 software, the minimum recommended software is 5.2(3a).

–For customers who have deployed OTV or FabricPath, the minimum recommended software is Release 5.2(3a).

• Within the NX-OS Release 6 train, Cisco NX-OS Release 6.0(2) is the minimum recommended release for customers requiring the hardware or software features introduced in the 6.x train.



Tuesday, June 26, 2012

Reaching an IP inside global from the inside network

Is it possible to reach an IP Inside global address from the inside network (or LAN) on a cisco router when doing NAT?

The case is the following:

A client who doesn't have a DMZ told me he was having issues with his web application only from his LAN, meaning that outside the LAN, on the internet, the application runs fine. The issue is that the public IP address is referenced in many links in the web application, and when people are using the application from the LAN they cannot reach the public IP address because it is being nat-ed...

When packets to the public address reach the router's inside interface, I guess it is routing them instead of realizing that the public address is being statically nat-ed...

The configs are as follows:
 
interface FastEthernet4
desc WAN
ip address 190.120.14.2 255.255.255.248
ip nat outside
!
interface Vlan1
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static 192.168.1.27 190.120.14.4
 
There has to be some workaround to make this work... Again, the problem is: clients in the LAN cannot reach the statically nat-ed address defined as inside global, so the clients cannot reach the local web server using the public nat-ed address of the webserver.

You can use the NAT virtual interface by using the ip nat enable command on the interfaces and removing the ip nat outside/inside commands.

You also need to change your NAT statement from:

ip nat inside source list

To:

ip nat source list ......

I have seen many weird things using the NVI interface. It seems buggy with IOS and I feel it may depend on your router and or version of IOS. Currently I have everything configured but my NAT statement doesn't keep the overload portion of the command in the running config even though I entered it.

If you decide to go this route you can confirm you are using the NVI interface by using the command:

Show ip nat nvi translations

If you see entries here things are working correctly. You shouldn't see new entries under:

Show ip nat translations

I would like to work with you and anyone else on here to solve this problem. It sounds like many are still trying to find workarounds to browse to the inside global address to contact their internal server.

