Last week I had 2 of my blackest days in the technical field. The reason seems to be this equipment. I am not a data engineer, however in the last 3 weeks I did my best to learn how to configure the OA. The configuration I did seems to work, however if I reboot the router the forwarding engine fails for several reasons. (I encountered these kinds of problems during tests but I did not take them seriously --> a big mistake).
!
! NVRAM config last updated at 21:45:06 EEST Fri Apr 29 2011 by admin
!
! Statlog Configuration
!
logging on
logging buffered priority 7
logging buffered size 128
logging console 3
logging system 5
service timestamps log
logging rate-limit 1 10 tag SWE subtag DOS
logging rate-limit 1 10 tag PVSTD subtag PKT
logging rate-limit 1 10 tag SWE subtag SESSION
ip domain-name ifblocal
!
line vty exec-timeout 0 0
!
hostname USG
!
!VRF Configuration
!
! MULTICAST Configuration
!NOE port reservation
ip name-server 62.217.x.x
! PVST Global configuration
modem enable
!
http enable
https enable
ssh enable
snmp enable
!
!
! Clock Timezone
!
clock timezone europe bucharest
!
! CWMP Configuration
!
!
! CWMP Configuration (End)
!
!
! CWMP interface configuration
!
!
! CWMP interface configuration (End)
!
!
! SNMP Configurations
!
snmp system location xxxx
snmp agent xcommunity xxxx
!
aaa services
!
username xxxx password xxxx
username recovery password xxxxx
username xxxx password xxxx
!
!
!
!
!
interface GigabitEthernet3/0
description WAN
ip address x.x.151.82/30
ip address x.x.157.22/30 secondary
ip address x.x.157.130/29 secondary
vrrp 1 ip x.x.157.130
vrrp 1 ip x.x.157.131 secondary
vrrp 1 ip x.x.157.132 secondary
vrrp 1 ip x.x.157.133 secondary
vrrp 1 ip x.x.157.134 secondary
no shutdown
top
!
interface GigabitEthernet3/1
shutdown
top
!
interface Vlan10
description LAN-IFB
ip address 10.0.0.250/24
no shutdown
top
!
interface Vlan20
description AP-PUBLIC
ip address 10.0.1.1/24
no shutdown
top
!
interface Vlan100
description VoIP
ip address 10.0.100.1/24
no shutdown
top
!
interface switchport0/0
switchport mode trunk
switchport hybrid native vlan 10
switchport trunk allowed vlan 10
no shutdown
top
!
interface switchport0/1
switchport mode trunk
switchport hybrid native vlan 20
switchport trunk allowed vlan 20
no shutdown
top
!
interface switchport0/2
switchport mode trunk
switchport hybrid native vlan 100
switchport trunk allowed vlan 100
no shutdown
top
!
interface switchport0/3
switchport mode hybrid
switchport hybrid native vlan 123
no shutdown
top
!
interface switchport0/4
shutdown
top
!
interface switchport0/5
shutdown
top
!
interface switchport0/6
shutdown
top
!
interface switchport0/7
switchport mode hybrid
switchport hybrid native vlan 10
no shutdown
top
!
interface Tunnel1
ip address 172.16.0.2/24
tunnel source 192.168.0.220
tunnel destination 192.168.0.80
mode gre
tunnel df-bit clear
no shutdown
top
!
!
ip route 0.0.0.0/0 GigabitEthernet 3/0 x.x.151.81
ip route 10.0.200.0/24 Tunnel 1
!
match-list Internet
1 ip any any
match-list vlan10xxxx
1 ip prefix 10.0.0.0/24 prefix 10.0.200.0/24
match-list WAN-IN-Carthame
1 tcp any host x.x.157.130 service eq 443
2 tcp any host x.x.157.130 service eq 8180
3 tcp any host x.x.157.130 service eq 8443
4 tcp any host x.x.157.130 service eq 3389
match-list WAN-IN-CarthameWEB
1 tcp any host x.x.157.131 service eq 80
2 tcp any host x.x.157.131 service eq 3389
match-list WAN-IN-S01
1 tcp any host x.x.157.132 service eq 3389
match-list WAN-IN-S02
1 tcp any host x.x.151.82 service eq 3389
match-list PetreIN
1 tcp any host x.x.151.82 service eq 50007
match-list Carthame-SNAT
1 ip host 10.0.0.2 any
match-list CarthameWEB-SNAT
1 ip host 10.0.0.4 any
match-list AP-Public-SNAT
1 ip prefix 10.0.1.0/24 any
match-list WAN-IN-Mail
1 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 22
2 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 25
3 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 995
match-list S01-SNAT
1 ip host 10.0.0.1 any
match-list forbid25
1 tcp any any service eq 25
match-list allow25
1 tcp host 10.0.0.6 any service eq 25
match-list forbidvlan
1 ip prefix 10.0.0.0/24 prefix 10.0.1.0/24
2 ip prefix 10.0.100.0/24 prefix 10.0.1.0/24
!
!
! Filter Policy configuration
!
ip filter Port25
1 match any allow25 permit log
2 match any forbid25 deny log
default permit
top
!
interface GigabitEthernet3/0
ip filter out Port25
top
!
ip filter vlan10-100deny
1 match any forbidvlan deny log
default permit
top
!
interface Vlan20
ip filter out vlan10-100deny
top
!
!
!
! NAT Policy configuration
!
ip nat WAN-IN
110 match any WAN-IN-S02 destination-nat host 10.0.0.5
140 match any PetreIN destination-nat host 10.0.0.86
150 match any WAN-IN-Carthame destination-nat host 10.0.0.2
160 match any WAN-IN-CarthameWEB destination-nat host 10.0.0.4
170 match any WAN-IN-Mail destination-nat host 10.0.0.6
190 match any WAN-IN-S01 destination-nat host 10.0.0.1
top
!
interface GigabitEthernet3/0
ip nat in WAN-IN
top
!
ip nat Internet
40 match any Carthame-SNAT source-nat host x.x.157.130
50 match any CarthameWEB-SNAT source-nat host x.x.157.131
60 match any AP-Public-SNAT source-nat host x.x.157.22
70 match any S01-SNAT source-nat host x.x.157.132
210 match any Internet source-nat host x.x.151.82
top
!
interface GigabitEthernet3/0
ip nat out Internet
top
!
!
!
! Dos attack configuration
!
!
!
! System doesn't have IDS License
! IDS configuration may not be effective
!
!Snort configuration
firewall
intrusion snort
top
!
!
! Firewall configuration
!
!
! IPSEC License installed
!
! IPSEC Policy configuration
!
crypto ike key xxx peer 192.168.0.80
crypto ike dpd interval 300 timeout 1500
crypto ipsec transform-set myset esp-md5-3des
crypto map xxxx ipsec-ike default
peer 192.168.0.80
match vlan10xxxx
transform-set default
pfs group2
! Applied to : GigabitEthernet3/0
interface GigabitEthernet3/0
crypto map xxxx
top
crypto ipsec profile pv
pfs group5
lifetime seconds 28800
lifetime kilobytes 28800
! Applied to:
interface Tunnel1
ipsec-profile pv
top
! No client object Defined
! No client profile Defined!
!
!QoS Configuration
!
!
!
!DDNS configurations
!
!
!
top
top
!
!
! IP-Policy configuration
!
ip-policy PBR-IFB
10 match any S01-SNAT next-hop x.x.157.129
20 match any Carthame-SNAT next-hop x.x.157.129
30 match any CarthameWEB-SNAT next-hop x.x.157.129
40 match any AP-Public-SNAT next-hop x.x.157.21
exit
!
interface GigabitEthernet3/0
ip-policy PBR-IFB
exit
!
!
!Customized-Services
!
!
!
!
!
!
!
top
!
!
!
!
! DHCP Server Configuration
!
service dhcp enable
!
ip dhcp pool p20
network 10.0.1.0 255.255.255.0
range 10.0.1.100 10.0.1.200
!
option routers 10.0.1.1
option dns-server x.x.193.1 primary
top
!
!
!
! DHCP CLIENT Configuration
!
!
ip dhcp client default_client
vendor-class-identifier FDC broadband-forum.org
parameter-req-list vendor-specific
top
!
interface GigabitEthernet3/0
dhcp client default_client
top
!
!
!
top
top
!
!
!OAM Configuration
!
oam
top
!
!
!
!NHRP configurations
!
top
!
!
! DHCP Relay configuration
!
!
end
The reason for using vrrp is that we cannot add that range of external IPs in any other way (as secondary addresses, for example), or at least we didn't figure out a way to do it.
Errors on reboot:
2011 Apr 29 20:50:08: %SWE-3-ARPD: VRF ADD Notification with vrfid 0
2011 Apr 29 20:50:10: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:10: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:11: %CE-2-LOG: Setting gre for_us node 32 default to 7
2011 Apr 29 20:50:11: %SWE-2-GRE: For us node 32 default 7
2011 Apr 29 20:50:11: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:12: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:20: %CE-2-LOG: Setting gre for_us node 32 default to 7
2011 Apr 29 20:50:20: %SWE-2-GRE: For us node 32 default 7
2011 Apr 29 20:50:20: %SWE-3-ARPD: VRF ADD Notification with vrfid 0
2011 Apr 29 20:50:24: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:24: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:26: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:27: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
At this point I have to detach all policies from the Giga interface, reboot, and reattach the policies one by one.....
Is this a configuration problem? A bug? Both?
Any help on this guys?
(Murray, Benny?)
Any help is appreciated. Other comments regarding overall experience with the OA5510 and 5740 are also appreciated.
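The %NAT-3-NAT-FS / %NAT-2-LOG messages in the log point at source-nat rules whose external address is also the target of a destination-nat match-list (for instance Carthame-SNAT and WAN-IN-Carthame both on x.x.157.130, and the catch-all Internet rule on x.x.151.82 against WAN-IN-S02, PetreIN and WAN-IN-Mail). The checker below is an added example, not code from the poster or the vendor: it parses the match-list and ip nat sections in the same syntax as the posted config and reports every SNAT external address that a DNAT list also claims, so the clash can be found offline before a reboot does it. The excerpt is constructed, with 203.0.113.x standing in for the redacted x.x. addresses, and it assumes DNAT match-list entries place the external host after an "any" or "interface" source, as the posted lists do.

```python
import re
# Constructed excerpt in the posted config's syntax; 203.0.113.x stands in for the redacted x.x. addresses.
SAMPLE_CONFIG = """\
match-list WAN-IN-Carthame
1 tcp any host 203.0.113.130 service eq 443
match-list WAN-IN-Mail
1 tcp interface GigabitEthernet 3/0 host 203.0.113.82 service eq 25
match-list Carthame-SNAT
1 ip host 10.0.0.2 any
match-list AP-Public-SNAT
1 ip prefix 10.0.1.0/24 any
match-list Internet
1 ip any any
ip nat WAN-IN
150 match any WAN-IN-Carthame destination-nat host 10.0.0.2
170 match any WAN-IN-Mail destination-nat host 10.0.0.6
top
ip nat Internet
40 match any Carthame-SNAT source-nat host 203.0.113.130
60 match any AP-Public-SNAT source-nat host 203.0.113.22
210 match any Internet source-nat host 203.0.113.82
top
"""

def parse(config):
    """Return ({match_list: {(host, port)}}, [(match_list, kind, nat_host)]); port 0 = any.
    Assumes DNAT lists put the external host after an 'any'/'interface' source, as posted."""
    hosts, rules, section = {}, [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith(("match-list ", "ip nat ")):
            section = line.split()[-1]          # name of the list or NAT policy being defined
        elif m := re.match(r"\d+ match any (\S+) (source-nat|destination-nat) host (\S+)", line):
            rules.append((m.group(1), m.group(2), m.group(3)))
        elif section and line[:1].isdigit():    # numbered match-list entry
            host = re.search(r"\bhost (\S+)", line)
            port = re.search(r"service eq (\d+)", line)
            if host:
                hosts.setdefault(section, set()).add((host.group(1), int(port.group(1)) if port else 0))
    return hosts, rules

def find_overlaps(hosts, rules):
    """(snat_list, dnat_list, ip, ports) for each SNAT address a DNAT list also claims: the %NAT-3-NAT-FS case."""
    dnats = [(ml, hosts.get(ml, set())) for ml, kind, _ in rules if kind == "destination-nat"]
    found = []
    for ml, kind, ext_ip in rules:
        for dnat_ml, pairs in (dnats if kind == "source-nat" else []):
            ports = tuple(sorted(p for ip, p in pairs if ip == ext_ip))
            if ports:
                found.append((ml, dnat_ml, ext_ip, ports))
    return found
```

Calling find_overlaps(*parse(SAMPLE_CONFIG)) on the excerpt reports Carthame-SNAT clashing with WAN-IN-Carthame on 203.0.113.130 port 443 and Internet clashing with WAN-IN-Mail on 203.0.113.82 port 25, while AP-Public-SNAT (its own address, no DNAT list) is clean.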