Section 6 PDF

The document contains configuration for implementing stateful packet inspection (SPI) or firewall capabilities on a Cisco router. It defines IPv4 and IPv6 inspect rules for protocols like UDP, TCP and ICMP. Access control lists are used to apply the inspect rules and filter traffic at interfaces in both inbound and outbound directions. Timeouts are also set for reflexive access lists and dynamic ACL entries to automatically remove entries after a period of time.

Uploaded by

vijaymuttevi

show ip port-map
log-input
ip access-list log-update threshold <HIT-COUNT>
ipv6 access-list log-update threshold <HIT-COUNT>
ip access-list logging interval <TIME-INTERVAL>
deny ip any any log
show running-config access-list
show access-list

R1:

time-range HTTP
periodic weekdays 08:00 to 17:00
!
object-group network VLAN128
136.1.128.0 /24
!
object-group service TCP_VLAN128
tcp eq 25
tcp eq 110
tcp eq 995
tcp eq 143
tcp eq 220
tcp eq 993
!
ip access-list extended EGRESS_VLAN123
permit tcp 136.1.128.0 0.0.0.255 any eq 80 time-range HTTP
permit tcp 136.1.128.0 0.0.0.255 any eq 443 time-range HTTP
permit tcp 136.1.128.0 0.0.0.255 any range 22 23
permit tcp 136.1.128.0 0.0.0.255 any range 20 21
permit icmp 136.1.128.0 0.0.0.255 any echo
permit udp 136.1.128.0 0.0.0.255 any range 33434 33464
!
permit udp 136.1.128.0 0.0.0.255 eq 53 any
permit tcp 136.1.128.0 0.0.0.255 eq 25 any
permit tcp 136.1.128.0 0.0.0.255 eq 110 any
permit tcp 136.1.128.0 0.0.0.255 eq 995 any
permit tcp 136.1.128.0 0.0.0.255 eq 143 any
permit tcp 136.1.128.0 0.0.0.255 eq 220 any
permit tcp 136.1.128.0 0.0.0.255 eq 993 any
!
permit icmp any any packet-too-big
deny ip 136.1.128.0 0.0.0.255 any
permit ip any any
!
!
ip access-list extended INGRESS_VLAN123
permit eigrp any any
permit udp any 136.1.128.0 0.0.0.255 eq 53
permit tcp any 136.1.128.0 0.0.0.255 eq 53
permit object-group TCP_VLAN128 any object-group VLAN128
!
permit tcp any eq 80 136.1.128.0 0.0.0.255 time-range HTTP
permit tcp any eq 443 136.1.128.0 0.0.0.255 time-range HTTP
permit tcp any range 22 23 136.1.128.0 0.0.0.255
permit tcp any range 20 21 136.1.128.0 0.0.0.255
permit icmp any 136.1.128.0 0.0.0.255 echo-reply
permit icmp any 136.1.128.0 0.0.0.255 time-exceeded
permit icmp any 136.1.128.0 0.0.0.255 port-unreachable
!
permit icmp any any packet-too-big
deny ip any 136.1.128.0 0.0.0.255
permit ip any any
!
!
ipv6 access-list DENY_TELNET
deny tcp ::/0 ::/0 eq 23
deny tcp ::/0 eq 23 ::/0
deny ipv6 any any hbh
permit ipv6 ::/0 ::/0
!
!
interface GigabitEthernet0/1.123
ip access-group INGRESS_VLAN123 in
ip access-group EGRESS_VLAN123 out
ipv6 traffic-filter DENY_TELNET in

R1#show object-group
Service object group TCP_VLAN128
tcp eq smtp
tcp eq pop3
tcp eq 995
tcp eq 143
tcp eq 220
tcp eq 993

Network object group VLAN128
136.1.128.0 255.255.255.0
!
R1#show ip interface gigabitEthernet0/1.123 | i VLAN
Outgoing access list is EGRESS_VLAN123
Inbound access list is INGRESS_VLAN123
!
R1#show ipv6 interface gigabitEthernet 0/1.123 | i TELNET
Inbound access list DENY_TELNET

R2#show ip port-map | i smtp|imap|pop3
Default mapping: imap tcp port 143 system defined
Default mapping: smtp tcp port 25 system defined
Default mapping: imap3 tcp port 220 system defined
Default mapping: pop3s tcp port 995 system defined
Default mapping: pop3 tcp port 110 system defined
Default mapping: imaps tcp port 993 system defined

SW1#ping 150.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
!
SW1#telnet 150.1.3.3
Trying 150.1.3.3 ... Open

User Access Verification

Password:
R3>
!
SW1#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
  1 136.1.128.1 0 msec 0 msec 0 msec
  2 136.1.99.3 9 msec * 0 msec


R1#show time-range
time-range entry: HTTP (inactive)
   periodic weekdays 8:00 to 17:00
   used in: IP ACL entry
   used in: IP ACL entry
   used in: IP ACL entry
   used in: IP ACL entry
!
SW1#telnet 150.1.3.3 80
Trying 150.1.3.3, 80 ... % Destination unreachable; gateway or host down
!
SW1#telnet 150.1.3.3 80 /source-interface loopback0
Trying 150.1.3.3, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Sat, 12 Oct 2013 08:00:19 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 150.1.3.3 closed by foreign host]
R4#ping 136.1.128.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.128.9, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
!
R4#ping 150.1.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
!
R4#telnet 136.1.128.9 25
Trying 136.1.128.9, 25 ... % Connection refused by remote host
!
R4#telnet 136.1.128.9 110
Trying 136.1.128.9, 110 ... % Connection refused by remote host
!
R4#telnet 136.1.128.9 21
Trying 136.1.128.9, 21 ... % Destination unreachable; gateway or host down
!
R4#telnet 150::1:1:1
Trying 150::1:1:1 ... % Destination unreachable; gateway or host down
!
R1#telnet 150::1:4:4
Trying 150::1:4:4 ... % Connection timed out; remote host not responding

access-enable [host] [timeout <minutes>]
access-list dynamic-extended

R1:

aaa new-model
aaa authentication login VTY local
aaa authorization exec VTY local
!
username CISCO password CISCO
username CISCO autocommand access-enable host timeout 1
!
ip access-list extended INBOUND_VLAN128
dynamic DACL timeout 5 permit tcp any any
permit tcp any host 150.1.1.1 eq 23
deny tcp any any
permit ip any any
!
interface GigabitEthernet0/1.128
ip access-group INBOUND_VLAN128 in
!
line vty 0 15
login authentication VTY
authorization exec VTY
!
access-list dynamic-extended

SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... % Destination unreachable; gateway or host down
!
SW1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
!
SW1#telnet 150.1.1.1
Trying 150.1.1.1 ... Open

User Access Verification

Username: CISCO
Password:
[Connection to 150.1.1.1 closed by foreign host]
!
SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
R1#show ip access-lists
Extended IP access list INBOUND_VLAN128
    10 Dynamic DACL permit tcp any any
       permit tcp host 136.1.128.9 any (17 matches) (time left 50)
    20 permit tcp any host 150.1.1.1 eq telnet (79 matches)
    30 deny tcp any any (3 matches)
    40 permit ip any any (218 matches)
ip reflexive-list timeout <seconds>
timeout <seconds>

R1:

ip access-list extended IPV4_OUTBOUND_VLAN123
permit tcp 136.1.128.0 0.0.0.255 any reflect IPV4_MIRROR
permit udp 136.1.128.0 0.0.0.255 any reflect IPV4_MIRROR
permit icmp 136.1.128.0 0.0.0.255 any reflect IPV4_MIRROR timeout 10
!
ipv6 access-list IPV6_OUTBOUND_VLAN123
permit tcp ::/0 ::/0 reflect IPV6_MIRROR
permit icmp ::/0 ::/0 reflect IPV6_MIRROR timeout 10
!
ip access-list extended IPV4_INBOUND_VLAN123
permit eigrp any any
evaluate IPV4_MIRROR
!
ipv6 access-list IPV6_INBOUND_VLAN123
permit 88 any any
permit icmp any any nd-ns
permit icmp any any nd-na
evaluate IPV6_MIRROR
!
interface GigabitEthernet0/1.123
ip access-group IPV4_OUTBOUND_VLAN123 out
ip access-group IPV4_INBOUND_VLAN123 in
ipv6 traffic-filter IPV6_OUTBOUND_VLAN123 out
ipv6 traffic-filter IPV6_INBOUND_VLAN123 in
!
ip reflexive-list timeout 600

R1:

ip access-list extended IPV4_INBOUND_VLAN128
permit eigrp any any
permit tcp 136.1.128.0 0.0.0.255 any reflect IPV4_MIRROR
permit udp 136.1.128.0 0.0.0.255 any reflect IPV4_MIRROR
permit icmp 136.1.128.0 0.0.0.255 any reflect IPV4_MIRROR timeout 10
!
ip access-list extended IPV4_INBOUND_VLAN123
permit eigrp any any
evaluate IPV4_MIRROR
!
ipv6 access-list IPV6_INBOUND_VLAN128
permit 88 any any
permit icmp any any nd-ns
permit icmp any any nd-na
permit tcp ::/0 ::/0 reflect IPV6_MIRROR
permit icmp ::/0 ::/0 reflect IPV6_MIRROR timeout 10
!
ipv6 access-list IPV6_INBOUND_VLAN123
permit 88 any any
permit icmp any any nd-ns
permit icmp any any nd-na
evaluate IPV6_MIRROR
!
interface GigabitEthernet0/1.123
ip access-group IPV4_INBOUND_VLAN123 in
ipv6 traffic-filter IPV6_INBOUND_VLAN123 in
!
interface GigabitEthernet0/1.128
ip access-group IPV4_INBOUND_VLAN128 in
ipv6 traffic-filter IPV6_INBOUND_VLAN128 in
!
ip reflexive-list timeout 600

SW1#ping 150.1.4.4 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
U.U.U
Success rate is 0 percent (0/5)
!
SW1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
!
SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
R1#show ip access-lists IPV4_MIRROR
Reflexive IP access list IPV4_MIRROR
     permit icmp host 150.1.4.4 host 136.1.128.9 (10 matches) (time left 8)
     permit tcp host 150.1.4.4 eq telnet host 136.1.128.9 eq 11625 (30 matches) (time left 592)

sdm prefer dual-ipv4-and-ipv6 routing
ip inspect name <RULE-NAME> <protocol> <options>
ipv6 inspect name <RULE-NAME> <protocol> <options>
ip inspect <RULE-NAME> [in|out]
ipv6 inspect <RULE-NAME> [in|out]
ip inspect dns-timeout <TIMEOUT>

R1:

ip inspect name IPV4_CBAC udp router-traffic
ip inspect name IPV4_CBAC tcp router-traffic
ip inspect name IPV4_CBAC icmp router-traffic
ip inspect name IPV4_CBAC ftp
!
ipv6 inspect name IPV6_CBAC udp
ipv6 inspect name IPV6_CBAC tcp
ipv6 inspect name IPV6_CBAC icmp
ipv6 inspect name IPV6_CBAC ftp
!
ip access-list extended IPV4_INBOUND
permit eigrp any any
deny ip any any
!
ipv6 access-list IPV6_INBOUND
permit 88 any any
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any
!
interface GigabitEthernet0/1.123
ip inspect IPV4_CBAC out
ipv6 inspect IPV6_CBAC out
ip access-group IPV4_INBOUND in
ipv6 traffic-filter IPV6_INBOUND in

SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
SW1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
!
R1#show ip inspect sessions detail
Established Sessions
 Session 2C86649C (136.1.128.9:8)=>(150.1.4.4:0) icmp SIS_OPEN
  Created 00:00:08, Last heard 00:00:08
  ECHO request
  Bytes sent (initiator:responder) [360:360]
  In SID 150.1.4.4[0:0]=>136.1.128.9[0:0] on ACL IPV4_INBOUND (5 matches)
  In SID 0.0.0.0[0:0]=>136.1.128.9[3:3] on ACL IPV4_INBOUND
  In SID 0.0.0.0[0:0]=>136.1.128.9[11:11] on ACL IPV4_INBOUND
 Session 2C866274 (136.1.128.9:54646)=>(150.1.4.4:23) tcp SIS_OPEN
  Created 00:00:28, Last heard 00:00:12
  Bytes sent (initiator:responder) [40:75]
  In SID 150.1.4.4[23:23]=>136.1.128.9[54646:54646] on ACL IPV4_INBOUND (15 matches)

R1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
R1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
R1#show ip inspect sessions detail
Established Sessions
 Session 2C86649C (136.1.99.1:37446)=>(150.1.4.4:23) tcp SIS_OPEN
  Created 00:00:15, Last heard 00:00:11
  Bytes sent (initiator:responder) [31:71]
  In SID 150.1.4.4[23:23]=>136.1.99.1[37446:37446] on ACL IPV4_INBOUND (24 matches)
 Session 2C866274 (136.1.99.1:8)=>(150.1.4.4:0) icmp SIS_OPEN
  Created 00:00:03, Last heard 00:00:03
  ECHO request
  Bytes sent (initiator:responder) [360:360]
  In SID 150.1.4.4[0:0]=>136.1.99.1[0:0] on ACL IPV4_INBOUND (10 matches)
  In SID 0.0.0.0[0:0]=>136.1.99.1[3:3] on ACL IPV4_INBOUND
  In SID 0.0.0.0[0:0]=>136.1.99.1[11:11] on ACL IPV4_INBOUND

sdm prefer dual-ipv4-and-ipv6 routing

SW1:

ipv6 unicast-routing
!
interface Vlan128
ipv6 enable
ipv6 eigrp 111
!
interface Loopback0
ipv6 address 150::1:9:9/128
ipv6 eigrp 111
!
ipv6 router eigrp 111
no shutdown

SW1#telnet 150::1:4:4
Trying 150::1:4:4 ... Open

User Access Verification

Password:
R4>
!
SW1#ping 150::1:4:4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150::1:4:4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
!
R1#show ipv6 inspect sessions detail
Established Sessions
 Session 30058214 (150::1:9:9:21872)=>(150::1:4:4:23) tcp SIS_OPEN
  Created 00:00:27, Last heard 00:00:21
  Bytes sent (initiator:responder) [45:80]
  In SID 150::1:4:4[23:23]=>150::1:9:9[21872:21872] on ACL IPV6_INBOUND (18 matches)
 Session 30058594 (150::1:9:9:0)=>(150::1:4:4:0) icmp SIS_OPEN
  Created 00:00:02, Last heard 00:00:02
  Destinations: 1
  Dest addr [150::1:4:4]
  Bytes sent (initiator:responder) [260:260]
  In SID 150::1:4:4[0:0]=>150::1:9:9[129:129] on ACL IPV6_INBOUND (5 matches)
  In SID 150::1:4:4[0:0]=>150::1:9:9[2:2] on ACL IPV6_INBOUND
  In SID 150::1:4:4[0:0]=>150::1:9:9[1:1] on ACL IPV6_INBOUND
  In SID 150::1:4:4[0:0]=>150::1:9:9[3:3] on ACL IPV6_INBOUND

bridge crb
bridge irb
bridge <number> route ip
bridge-group <number>
bridge <number> protocol ieee

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
ip access-list extended OUTSIDE_IN
deny ip any any log
!
interface FastEthernet0/0
bridge-group 1
ip access-group OUTSIDE_IN in
!
interface FastEthernet0/1
bridge-group 1
ip inspect CBAC in

access-list 201 permit 0x800
access-list 201 permit 0x806
access-list 201 deny 0x8137
access-list 201 permit 0x0 0xFFFF
bridge-group <number> input-type-list <ACL-NUMBER>
ip inspect l2-transparent dhcp-passthrough

R3:

ip inspect name CBAC_VLAN123 tcp
ip inspect name CBAC_VLAN123 icmp
!
ip access-list extended INBOUND_VLAN34
permit eigrp any any
deny ip any any
!
interface FastEthernet0/1.123
ip inspect CBAC_VLAN123 in
!
interface FastEthernet0/1.34
ip access-group INBOUND_VLAN34 in
!
!
ip inspect name CBAC_VLAN34 tcp
ip inspect name CBAC_VLAN34 icmp
!
ip access-list extended INBOUND_VLAN27
deny ip any any
!
interface BVI99
ip inspect CBAC_VLAN34 in
!
interface FastEthernet0/0
ip access-group INBOUND_VLAN27 in

R1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
R1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
R3#show ip inspect sessions
Established Sessions
 Session 4A0FFA10 (136.1.99.1:29347)=>(150.1.4.4:23) tcp SIS_OPEN
 Session 4A0FF7F0 (136.1.99.1:8)=>(150.1.4.4:0) icmp SIS_OPEN

R3#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address       Client-ID/              Lease expiration        Type
                 Hardware address/
                 User name
136.1.27.54      0148.f8b3.2e24.23       Oct 13 2013 10:37 PM    Automatic
!
R4#ping 136.1.27.54
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.27.54, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/12 ms
!
R3#show ip inspect sessions
Established Sessions
 Session 4A0FF7F0 (136.1.99.4:8)=>(136.1.27.54:0) icmp SIS_OPEN

permit any

show ip port-map

R1:

access-list 80 permit host 150.1.4.4
access-list 80 permit host 150.1.10.10
!
access-list 99 permit host 150.1.4.4
access-list 99 permit host 150.1.10.10
access-list 99 deny any
!
ip urlfilter server vendor websense 136.1.27.100
ip urlfilter exclusive-domain permit cisco.com
ip urlfilter source-interface Loopback0
ip urlfilter allow-mode on
!
ip port-map http port tcp 8080 list 80
ip inspect name CBAC http java-list 99 urlfilter
!
ip access-list extended INBOUND_VLAN19
permit eigrp any any
deny ip any any
!
ip access-list extended INBOUND_VLAN123
permit eigrp any any
permit tcp host 136.1.27.100 eq 15868 host 150.1.1.1
deny ip any any
!
interface GigabitEthernet0/1.128
ip inspect CBAC in
!
interface GigabitEthernet0/0
ip access-group INBOUND_VLAN19 in
!
interface GigabitEthernet0/1.123
ip access-group INBOUND_VLAN123 in

ip http port 8080

SW1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
!
SW1#telnet 150.1.4.4 8080
Trying 150.1.4.4, 8080 ... Open
?
HTTP/1.1 400 Bad Request
Date: Sat, 12 Oct 2013 23:28:01 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 150.1.4.4 closed by foreign host]
!
R1#show ip inspect sessions
Established Sessions
 Session 2C86649C (136.1.128.9:60458)=>(150.1.4.4:8080) http SIS_OPEN

R1#show ip port-map | i http
Default mapping: http tcp port 80 system defined
Host specific: http tcp port 8080 in list 80 user defined
Default mapping: https tcp port 443 system defined
!
R1#show ip inspect config
Session audit trail is disabled
Session alert is enabled
one-minute (sampling period) thresholds are [unlimited : unlimited] connections
max-incomplete sessions thresholds are [unlimited : unlimited]
max-incomplete tcp connections per host is unlimited. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    http java-list 99 url-filter is on alert is on audit-trail is off timeout 3600
!
R1#show ip inspect interfaces
Interface Configuration
 Interface GigabitEthernet0/1.128
  Inbound inspection rule is CBAC
    http java-list 99 url-filter is on alert is on audit-trail is off timeout 3600
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

R1#show ip urlfilter config
Websense URL Filtering is DISABLED

Primary Websense server configurations
=========================================
Websense server IP address Or Host Name: 136.1.27.100
Websense server port: 15868
Websense retransmission time out: 6 (in seconds)
Websense number of retransmission: 2

Secondary Websense servers configurations
============================================

Other configurations
=====================
Allow Mode: ON
System Alert: ENABLED
Audit Trail: DISABLED
Log message on Websense server: DISABLED
Truncate Hostname: DISABLED
Truncate Script-parameters: DISABLED
Maximum number of cache entries: 5000
Maximum number of packet buffers: 200
Maximum outstanding requests: 1000
ip inspect tcp synwait-time <seconds>
ip inspect tcp max-incomplete host <number> block-time <minutes>
ip inspect hashtable-size
ip inspect alert-off
ip inspect log drop-pkt

R1:

ip inspect hashtable-size 2048
no ip inspect audit-trail
ip inspect alert-off
!
ip inspect name CBAC tcp
ip inspect name CBAC icmp audit-trail on
ip inspect name CBAC icmp alert on
!
ip inspect max-incomplete low 900
ip inspect max-incomplete high 1000
ip inspect one-minute low 90
ip inspect one-minute high 100
ip inspect tcp synwait-time 15
ip inspect tcp max-incomplete host 50 block-time 5
!
ip access-list extended INBOUND
permit eigrp any any
deny ip any any
!
interface GigabitEthernet0/1.128
ip inspect CBAC in
!
interface range GigabitEthernet0/0 , GigabitEthernet0/1.123
ip access-group INBOUND in

R1:

ipv6 inspect hashtable-size 2048
no ip inspect audit-trail
ipv6 inspect alert-off
!
ipv6 inspect name CBAC tcp
ipv6 inspect name CBAC icmp audit-trail on
ipv6 inspect name CBAC icmp alert on
!
ipv6 inspect max-incomplete low 900
ipv6 inspect max-incomplete high 1000
ipv6 inspect one-minute low 90
ipv6 inspect one-minute high 100
ipv6 inspect tcp synwait-time 15
ipv6 inspect tcp max-incomplete host 50 block-time 5
!
ipv6 access-list INBOUND
permit 88 any any
permit icmp any any nd-ns
permit icmp any any nd-na
deny ipv6 any any
!
interface GigabitEthernet0/1.128
ipv6 inspect CBAC in
!
interface range GigabitEthernet0/0 , GigabitEthernet0/1.123
ipv6 traffic-filter INBOUND in

R1#show ip inspect all
Session audit trail is disabled
Session alert is disabled
one-minute (sampling period) thresholds are [90 : 100] connections
max-incomplete sessions thresholds are [900 : 1000]
max-incomplete tcp connections per host is 50. Block-time 5 minutes.
tcp synwait-time is 15 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
tcp reassembly queue length 16; timeout 5 sec; memory-limit 1024 kilo bytes
dns-timeout is 5 sec
Inspection Rule Configuration
 Inspection name CBAC
    tcp alert is off audit-trail is off timeout 3600
    icmp alert is on audit-trail is on timeout 10
Interface Configuration
 Interface GigabitEthernet0/1.128
  Inbound inspection rule is CBAC
    tcp alert is off audit-trail is off timeout 3600
    icmp alert is on audit-trail is on timeout 10
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

SW1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
!
SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
R1:
%FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (136.1.128.9:8) -- responder (150.1.4.4:0)
%FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (136.1.128.9:8) sent 360 bytes -- responder (150.1.4.4:0) sent

R1#debug ip inspect events
INSPECT special events debugging is on
!
SW1#telnet 136.1.27.100
Trying 136.1.27.100 ... % Connection timed out; remote host not responding
!
R1:
FIREWALL sent a TCP pkt (136.1.27.100:23) tcp flag:0x4 -> 136.1.128.9:33590 seq 0 ack 0 wnd 4128, GigabitEthernet0/1
FIREWALL sent a TCP pkt (136.1.128.9:33590) tcp flag:0x4 -> 136.1.27.100:23 seq 2541624063 ack 0 wnd 0, GigabitEther

R1:
interface GigabitEthernet0/1.128
standby ip 136.1.128.12
standby priority 150
standby preempt
standby name CBAC
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 136.1.128.1
remote-port 5000
remote-ip 136.1.128.2
!
redundancy inter-device
scheme standby CBAC

R2:

interface GigabitEthernet0/1.128
standby ip 136.1.128.12
standby preempt
standby name CBAC
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 136.1.128.2
remote-port 5000
remote-ip 136.1.128.1
!
redundancy inter-device
scheme standby CBAC

R1#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
  Pending Scheme: Standby (Will not take effect until next reload)
  Pending Groupname: CBAC
  Scheme: <NOT CONFIGURED>
  Peer present: UNKNOWN
  Security: Not configured
!
R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_INIT
  Pending Scheme: Standby (Will not take effect until next reload)
  Pending Groupname: CBAC
  Scheme: <NOT CONFIGURED>
  Peer present: UNKNOWN
  Security: Not configured

R1 and R2:

ip inspect name CBAC tcp
ip inspect name CBAC udp
!
ip access-list extended INBOUND
permit eigrp any any
deny ip any any
!
interface GigabitEthernet0/1.128
ip inspect CBAC in redundancy stateful CBAC
!
interface GigabitEthernet0/1.123
ip access-group INBOUND in

R1#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_ACT
  Scheme: Standby Groupname: CBAC Group State: Active
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
!
R1#show redundancy states
       my state = 13 -ACTIVE
     peer state = 8  -STANDBY HOT
           Mode = Duplex
        Unit ID = 0

Maintenance Mode = Disabled
   Manual Swact = enabled
 Communications = Up

   client count = 13
 client_notification_TMR = 60000 milliseconds
           RF debug mask = 0x0
!
R2#show redundancy inter-device
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby Groupname: CBAC Group State: Standby
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
!
R2#show redundancy states
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
        Unit ID = 0

Maintenance Mode = Disabled
   Manual Swact = cannot be initiated from this the standby unit
 Communications = Up

   client count = 13
 client_notification_TMR = 60000 milliseconds
           RF debug mask = 0x0

SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password:
R4>
!
R1#show ip inspect sessions detail
Established Sessions
 Session 31B1E238 (136.1.128.9:27243)=>(150.1.4.4:23) tcp SIS_OPEN
  Created 00:00:16, Last heard 00:00:14
  Bytes sent (initiator:responder) [37:74]
  In SID 150.1.4.4[23:23]=>136.1.128.9[27243:27243] on ACL INBOUND (14 matches)
  HA state: HA_ACTIVE
!
R2#show ip inspect sessions detail
Established Sessions
 Session 2D125CF4 (136.1.128.9:27243)=>(150.1.4.4:23) tcp SIS_OPEN
  Created 00:00:19, Last heard never
  Bytes sent (initiator:responder) [0:0]
  In SID 150.1.4.4[23:23]=>136.1.128.9[27243:27243] on ACL INBOUND
  HA state: HA_STANDBY

R1 and R2:

ip inspect name CBAC http

SW1#telnet 150.1.4.4 80
Trying 150.1.4.4, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Sun, 13 Oct 2013 07:16:45 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 150.1.4.4 closed by foreign host]
!
R1#show ip inspect sessions detail
Established Sessions
 Session 31B1E238 (136.1.128.9:36430)=>(150.1.4.4:80) http SIS_OPEN
  Created 00:00:08, Last heard 00:00:08
  Bytes sent (initiator:responder) [0:0]
  In SID 150.1.4.4[80:80]=>136.1.128.9[36430:36430] on ACL INBOUND (2 matches)
!
R2#show ip inspect sessions detail
R2#

R1:

appfw policy-name IM_POLICY
application im yahoo
server permit ip 136.1.27.101
service text-chat action allow
service default action reset
audit-trail on
!
application im msn
server deny ip 136.1.27.102
audit-trail on
!
application http
port-misuse im action reset
!
ip inspect name CBAC appfw IM_POLICY
ip inspect log drop-pkt
!
interface GigabitEthernet0/1.128
ip inspect CBAC in

R1#show ip port-map | i msgr
Default mapping: ymsgr tcp port 5050 system defined
Default mapping: msnmsgr tcp port 1863 system defined
!
R1#show ip inspect interfaces
Interface Configuration
 Interface GigabitEthernet0/1.128
  Inbound inspection rule is CBAC
    Application Policy name IM_POLICY
      Application: im yahoo
        service default action: reset
        service text-chat action: allow
        server: permit ip 136.1.27.101
        audit-trail: on
      Application: im msn
        server: deny ip 136.1.27.102
        audit-trail: on
      Application http
        port-misuse im action reset
  Outgoing inspection rule is not set
  Inbound access list is not set
  Outgoing access list is not set

SW1#telnet 136.1.27.11 5050
Trying 136.1.27.11, 5050 ... % Connection timed out; remote host not responding
!
R1:
%FW-6-SESS_AUDIT_TRAIL_START: Start im-yahoo session: initiator (136.1.128.9:47145) -- responder (136.1.27.11:5050)
!
R1#show ip inspect sessions
Half-open Sessions
 Session 315F71E0 (136.1.128.9:47145)=>(136.1.27.11:5050) im-yahoo SIS_OPENING
!
%FW-6-SESS_AUDIT_TRAIL: Stop im-yahoo session: initiator (136.1.128.9:47145) sent 0 bytes -- responder (136.1.27.11:

SW1#telnet 136.1.27.101 57171
Trying 136.1.27.101, 57171 ... % Connection timed out; remote host not responding
!
R1:
%FW-6-SESS_AUDIT_TRAIL_START: Start im-yahoo session: initiator (136.1.128.9:33326) -- responder (136.1.27.101:57171
!
R1#show ip inspect sessions
Half-open Sessions
 Session 315F71E0 (136.1.128.9:33326)=>(136.1.27.101:57171) im-yahoo SIS_OPENING
!
%FW-6-SESS_AUDIT_TRAIL: Stop im-yahoo session: initiator (136.1.128.9:33326) sent 0 bytes -- responder (136.1.27.101

SW1#telnet 136.1.27.102 1863
Trying 136.1.27.102, 1863 ... % Connection timed out; remote host not responding
!
R1:
%FW-6-DROP_PKT: Dropping im-msn session 136.1.128.9:57749 136.1.27.102:1863 with ip ident 7786 tcpflags 0x6002 se

SW1#telnet 136.1.27.55 1863
Trying 136.1.27.55, 1863 ... % Connection timed out; remote host not responding
!
R1:
%FW-6-SESS_AUDIT_TRAIL_START: Start im-msn session: initiator (136.1.128.9:13058) -- responder (136.1.27.55:1863)
!
R1#show ip inspect sessions
Half-open Sessions
 Session 315F71E0 (136.1.128.9:13058)=>(136.1.27.55:1863) im-msn SIS_OPENING
!
%FW-6-SESS_AUDIT_TRAIL: Stop im-msn session: initiator (136.1.128.9:13058) sent 0 bytes -- responder (136.1.27.55:18

zone security <NAME>
zone-pair security <NAME> source <NAME> destination <NAME>
service-policy type inspect <POLICY-NAME>
zone-member security <ZONE>
match access-group [number|name <NAME>]


class-map type inspect match-all CMAP_HTTP
match access-group name ACL_INSIDE
match protocol http

show ip port-map
match class-map

class-map match-any CMAP_PROTOCOLS
match protocol http
match protocol ftp
match protocol dns
match protocol icmp
!
ip access-list extended ACL_INSIDE
permit ip 192.168.0.0 0.0.0.255 any
!
class-map match-all CMAP_INSIDE
match class-map CMAP_PROTOCOLS
match access-group name ACL_INSIDE

ipv6 access-list <NAME>

R1:

ip access-list extended INSIDE_TO_OUTSIDE
permit ip 150.1.0.0 0.0.255.255 150.1.0.0 0.0.255.255
!
ip access-list extended OUTSIDE_TO_OUTSIDE
deny icmp 150.1.0.0 0.0.255.255 150.1.0.0 0.0.255.255
permit icmp any any
!
ip access-list extended INSIDE_TO_SELF
permit tcp 136.1.19.0 0.0.0.255 any eq 23
permit tcp 136.1.19.0 0.0.0.255 any eq 80
!
ip access-list extended EIGRP
permit eigrp any any
!
ip access-list extended ICMP
permit icmp any any echo
!
!
class-map type inspect match-any INSIDE_TO_OUTSIDE_PROTOCOLS
match protocol ftp
match protocol tftp
match protocol http
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_TELNET
match protocol telnet
match access-group name INSIDE_TO_OUTSIDE
!
class-map type inspect match-any OUTSIDE_TO_OUTSIDE_PROTOCOLS
match protocol http
match protocol ssh
!
class-map type inspect match-all OUTSIDE_TO_OUTSIDE_ICMP
match protocol icmp
match access-group name OUTSIDE_TO_OUTSIDE
!
class-map type inspect match-any INSIDE_TO_SELF
match access-group name INSIDE_TO_SELF
!
class-map type inspect match-any EIGRP
match access-group name EIGRP
!
class-map type inspect match-any ICMP
match access-group name ICMP
!
!
policy-map type inspect INSIDE_TO_OUTSIDE
class INSIDE_TO_OUTSIDE_PROTOCOLS
inspect
class INSIDE_TO_OUTSIDE_TELNET
inspect
!
policy-map type inspect OUTSIDE_TO_OUTSIDE
class OUTSIDE_TO_OUTSIDE_PROTOCOLS
inspect
class OUTSIDE_TO_OUTSIDE_ICMP
inspect
!
policy-map type inspect INSIDE_TO_SELF
class INSIDE_TO_SELF
inspect
class EIGRP
pass
!
policy-map type inspect SELF_TO_INSIDE
class ICMP
inspect
class EIGRP
pass
!
policy-map type inspect OUTSIDE_TO_SELF
class EIGRP
pass
!
policy-map type inspect SELF_TO_OUTSIDE
class ICMP
inspect
class EIGRP
pass
!
!
zone security INSIDE
zone security OUTSIDE
!
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_OUTSIDE source OUTSIDE destination OUTSIDE
service-policy type inspect OUTSIDE_TO_OUTSIDE
!
zone-pair security SELF_TO_INSIDE source self destination INSIDE
service-policy type inspect SELF_TO_INSIDE
!
zone-pair security SELF_TO_OUTSIDE source self destination OUTSIDE
service-policy type inspect SELF_TO_OUTSIDE
!
zone-pair security INSIDE_TO_SELF source INSIDE destination self
service-policy type inspect INSIDE_TO_SELF
!
zone-pair security OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect OUTSIDE_TO_SELF
!
!
interface GigabitEthernet0/0
zone-member security INSIDE
!
interface GigabitEthernet0/1.123
zone-member security OUTSIDE
!
interface GigabitEthernet0/1.128
zone-member security OUTSIDE

R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(111)
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
5   136.1.19.10             Gi0/0             10 00:38:14    7   100  0  59
4   136.1.99.4              Gi0/1.123         11 00:38:23    3   100  0  151
3   136.1.99.3              Gi0/1.123         11 00:38:23    5   100  0  130
2   136.1.99.2              Gi0/1.123         13 00:38:23    1   100  0  40
1   136.1.128.9             Gi0/1.128         11 00:38:23    4   100  0  56
0   136.1.128.2             Gi0/1.128         11 00:38:23    1   100  0  41

SW1#telnet 150.1.1.1
Trying 150.1.1.1 ... % Connection timed out; remote host not responding
!
!SW2#telnet 150.1.1.1
Trying 150.1.1.1 ... Open

User Access Verification

Password: R1>
!
!R1#show policy-firewall session zone-pair INSIDE_TO_SELF
Zone-pair: INSIDE_TO_SELF
Service-policy inspect : INSIDE_TO_SELF
Class-map : INSIDE_TO_SELF(match-any)
Established Sessions = 1
Session 31733FA0 (136.1.19.10:38250)=>(150.1.1.1:23) tcp SIS_OPEN/TCP_ESTAB
Created 00:00:24, Last heard 00:00:22
Bytes sent (initiator:responder) [37:74]
Class-map : EIGRP(match-any)
Class-map : class-default(match-any)

R1#telnet 150.1.9.9
Trying 150.1.9.9 ... % Connection timed out; remote host not responding
!
!R1#ping 150.1.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
!R1#ping 150.1.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.10.10, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
!R1#show policy-firewall session zone-pair SELF_TO_INSIDE
Zone-pair: SELF_TO_INSIDE
Service-policy inspect : SELF_TO_INSIDE
Class-map : ICMP(match-any)
Established Sessions = 1
Session 31734DA0 (136.1.19.1:8)=>(150.1.10.10:0) icmp SIS_OPEN
Created 00:00:01, Last heard 00:00:01
ECHO request
Bytes sent (initiator:responder) [360:360]
Class-map : EIGRP(match-any)
Class-map : class-default(match-any)
SW2#telnet 150.1.9.9
Trying 150.1.9.9 ... % Connection timed out; remote host not responding
!
!SW2#telnet 150.1.9.9 /source-interface loopback0
Trying 150.1.9.9 ... Open

User Access Verification

Password: SW1>
!
!R1#show policy-firewall session zone-pair INSIDE_TO_OUTSIDE
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
Class-map : INSIDE_TO_OUTSIDE_PROTOCOLS(match-any)
Class-map : INSIDE_TO_OUTSIDE_TELNET(match-all)
Established Sessions = 1
Session 31735120 (150.1.10.10:53022)=>(150.1.9.9:23) telnet:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:13, Last heard 00:00:10
Bytes sent (initiator:responder) [40:69]
Class-map : class-default(match-any)
!
!SW1#telnet 150.1.10.10 /source-interface loopback0
Trying 150.1.10.10 ... % Connection timed out; remote host not responding

SW1#telnet 150.1.10.10 80
Trying 150.1.10.10, 80 ... % Connection timed out; remote host not responding
!
!SW2#telnet 150.1.9.9 80
Trying 150.1.9.9, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Sun, 13 Oct 2013 18:48:06 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request


[Connection to 150.1.9.9 closed by foreign host]
!
!R1#show policy-firewall session zone-pair INSIDE_TO_OUTSIDE
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
Class-map : INSIDE_TO_OUTSIDE_PROTOCOLS(match-any)
Established Sessions = 1
Session 317354A0 (136.1.19.10:48839)=>(150.1.9.9:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:03, Last heard 00:00:03
Bytes sent (initiator:responder) [0:0]
Class-map : INSIDE_TO_OUTSIDE_TELNET(match-all)
Class-map : class-default(match-any)

SW1#ping 150.1.3.3 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
.....
Success rate is 0 percent (0/5)
!
!SW1#ping 150.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
!
!R1#show policy-firewall session zone-pair OUTSIDE_TO_OUTSIDE
Zone-pair: OUTSIDE_TO_OUTSIDE
Service-policy inspect : OUTSIDE_TO_OUTSIDE
Class-map : OUTSIDE_TO_OUTSIDE_PROTOCOLS(match-any)
Class-map : OUTSIDE_TO_OUTSIDE_ICMP(match-all)
Established Sessions = 1
Session 31735820 (136.1.128.9:8)=>(150.1.3.3:0) icmp SIS_OPEN
Created 00:00:02, Last heard 00:00:02
ECHO request
Bytes sent (initiator:responder) [360:360]
Class-map : class-default(match-any)

SW1#telnet 150.1.3.3 /source-interface loopback0
Trying 150.1.3.3 ... % Connection timed out; remote host not responding
!
!SW1#telnet 150.1.3.3 80 /source-interface loopback0
Trying 150.1.3.3, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Sun, 13 Oct 2013 18:59:06 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request


[Connection to 150.1.3.3 closed by foreign host]
!
!R1#show policy-firewall session zone-pair OUTSIDE_TO_OUTSIDE
Zone-pair: OUTSIDE_TO_OUTSIDE
Service-policy inspect : OUTSIDE_TO_OUTSIDE
Class-map : OUTSIDE_TO_OUTSIDE_PROTOCOLS(match-any)
Established Sessions = 1
Session 31735BA0 (150.1.9.9:48082)=>(150.1.3.3:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:03, Last heard 00:00:03
Bytes sent (initiator:responder) [0:0]
Class-map : OUTSIDE_TO_OUTSIDE_ICMP(match-all)
Class-map : class-default(match-any)

sdm prefer dual-ipv4-and-ipv6 routing

SW1:

ipv6 unicast-routing
!
interface Vlan128
ipv6 enable
ipv6 eigrp 111
!
interface Loopback0
ipv6 address 150::1:9:9/128
ipv6 eigrp 111
!
ipv6 router eigrp 111
no shutdown

SW1#telnet 150::1:3:3 80
Trying 150::1:3:3, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Sun, 13 Oct 2013 21:06:36 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request


[Connection to 150::1:3:3 closed by foreign host]
!
!R1#show policy-firewall session zone-pair OUTSIDE_TO_OUTSIDE
Zone-pair: OUTSIDE_TO_OUTSIDE
Service-policy inspect : OUTSIDE_TO_OUTSIDE
Class-map : OUTSIDE_TO_OUTSIDE_PROTOCOLS(match-any)
Established Sessions = 1
Session 317362A0 [150::1:9:9]:26548=>[150::1:3:3]:80 tcp SIS_OPEN/TCP_ESTAB
Created 00:00:07, Last heard 00:00:07
Bytes sent (initiator:responder) [0:0]
Class-map : OUTSIDE_TO_OUTSIDE_ICMP(match-all)
Class-map : class-default(match-any)

%FW-6-PASS_PKT: (target:class)-(VLAN123_TO_VLAN34:ICMP) Passing icmp pkt 136.1.99.1:0 => 150.1.4.4:0 with ip ident 0
bridge irb
bridge <number> route ip

bridge-group <number>

bridge <number> protocol ieee

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0/0
bridge-group 1
zone-member security INSIDE
!
interface FastEthernet0/1
bridge-group 1
zone-member security OUTSIDE

show ip port-map
show ipv6 port-map

ip port-map <protocol>
ipv6 port-map <protocol>

ip port-map telnet port <PORT> list <ACL>
ipv6 port-map telnet port <PORT> list <ACL>
access-list 1 permit 136.1.27.0 0.0.0.255
!
ip port-map telnet port tcp 80 list 1

R3:

ip access-list extended ICMP
permit icmp any any
!
ip access-list extended HTTP
permit tcp any host 150.1.4.4 eq 80
permit tcp any host 150.1.4.4 eq 21
!
access-list 1 permit host 150.1.4.4
!
!
ip port-map http port tcp 21 list 1
!
!
class-map type inspect match-all ICMP
match protocol icmp
match access-group name ICMP
!
class-map type inspect match-all HTTP
match access-group name HTTP
match protocol http
!
!
policy-map type inspect VLAN123_TO_VLAN34
class ICMP
pass log
class HTTP
inspect
class class-default
drop log
!
policy-map type inspect VLAN34_TO_VLAN123
class ICMP
pass log
class class-default
drop log
!
!
zone security VLAN123
zone security VLAN34
!
!
zone-pair security VLAN123_TO_VLAN34 source VLAN123 destination VLAN34
service-policy type inspect VLAN123_TO_VLAN34
!
zone-pair security VLAN34_TO_VLAN123 source VLAN34 destination VLAN123
service-policy type inspect VLAN34_TO_VLAN123
!
!
interface FastEthernet0/1.123
zone-member security VLAN123
!
interface FastEthernet0/1.34
zone-member security VLAN34

R3#show policy-firewall config zone
Zone: self
Description: System defined zone
Zone: VLAN123
Member Interfaces:
FastEthernet0/1.123
Member of Zone-pairs:
Zone VLAN123 is source of Zone-pair VLAN123_TO_VLAN34
Zone VLAN123 is destination of Zone-pair VLAN34_TO_VLAN123
Zone: VLAN34
Member Interfaces:
FastEthernet0/1.34
Member of Zone-pairs:
Zone VLAN34 is destination of Zone-pair VLAN123_TO_VLAN34
Zone VLAN34 is source of Zone-pair VLAN34_TO_VLAN123
!
!R3#show policy-firewall config policy-map
Policy Map type inspect VLAN123_TO_VLAN34
Class ICMP
Pass log
Class HTTP
Inspect
Class class-default
Drop log

Policy Map type inspect VLAN34_TO_VLAN123
Class ICMP
Pass log
Class class-default
Drop log
!
!R3#show policy-firewall config class-map
Class Map type inspect match-all ICMP (id 1)
Match access-group name ICMP
Match protocol icmp
Class Map type inspect match-all HTTP (id 2)
Match access-group name HTTP
Match protocol http

R1#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
!R3:
%FW-6-PASS_PKT: (target:class)-(VLAN123_TO_VLAN34:ICMP) Passing icmp pkt 136.1.99.1:0 => 150.1.4.4:0 with ip ident 0
!
!R4#ping 150.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
!R3:
%FW-6-PASS_PKT: (target:class)-(VLAN34_TO_VLAN123:ICMP) Passing icmp pkt 136.1.99.4:0 => 150.1.1.1:0 with ip ident 0
!
!R3#show policy-firewall session zone-pair VLAN123_TO_VLAN34
Zone-pair: VLAN123_TO_VLAN34
Service-policy inspect : VLAN123_TO_VLAN34
Class-map : ICMP(match-all)
Class-map : HTTP(match-all)
Class-map : class-default(match-any)
!
!R3#show policy-firewall stats zone-pair VLAN123_TO_VLAN34
policy exists on zp VLAN123_TO_VLAN34
Zone-pair: VLAN123_TO_VLAN34
Service-policy inspect : VLAN123_TO_VLAN34
Class-map: ICMP (match-all)
Match: access-group name ICMP
Match: protocol icmp
Pass
10 packets, 800 bytes
Class-map: HTTP (match-all)
Match: access-group name HTTP
Match: protocol http
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created 00:06:21
Last statistic reset 00:00:14
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

R1#telnet 150.1.4.4 80
Trying 150.1.4.4, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Tue, 15 Oct 2013 05:21:24 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 150.1.4.4 closed by foreign host]
!
!R3#show policy-firewall session zone-pair VLAN123_TO_VLAN34
Zone-pair: VLAN123_TO_VLAN34
Service-policy inspect : VLAN123_TO_VLAN34
Class-map : ICMP(match-all)
Class-map : HTTP(match-all)
Established Sessions = 1
Session 49E62320 (136.1.99.1:49957)=>(150.1.4.4:80) http:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:16, Last heard 00:00:16
Bytes sent (initiator:responder) [0:0]
Class-map : class-default(match-any)
SW2:
interface range fastEthernet 1/0/1 - 2
switchport trunk allowed vlan add 1

R1:
interface GigabitEthernet0/1
ip address 136.1.1.1 255.255.255.0
!
parameter-map type inspect global
redundancy
exit
!
redundancy
application redundancy
group 1
name ZBPF
preempt
priority 150
control GigabitEthernet0/1 protocol 1
data GigabitEthernet0/1
asymmetric-routing interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.123
redundancy rii 10 decrement 60
redundancy asymmetric-routing enable
!
interface GigabitEthernet0/1.128
redundancy rii 20 decrement 60
redundancy group 1 ip 136.1.128.12 exclusive

R2:

interface GigabitEthernet0/1
ip address 136.1.1.2 255.255.255.0
!
parameter-map type inspect global
redundancy
exit
!
redundancy
application redundancy
group 1
name ZBPF
preempt
priority 100
control GigabitEthernet0/1 protocol 1
data GigabitEthernet0/1
asymmetric-routing interface GigabitEthernet0/1
!
interface GigabitEthernet0/1.123
redundancy rii 10
redundancy asymmetric-routing enable
!
interface GigabitEthernet0/1.128
redundancy rii 20
redundancy group 1 ip 136.1.128.12 exclusive
R1 and R2:

class-map type inspect match-any TELNET
match protocol telnet
!
class-map type inspect match-any HTTP
match protocol http
!
policy-map type inspect INSIDE_TO_OUTSIDE
class TELNET
inspect
class HTTP
pass
class class-default
pass
!
policy-map type inspect OUTSIDE_TO_INSIDE
class TELNET
inspect
class HTTP
pass
class class-default
pass
!
!
zone security INSIDE
zone security OUTSIDE
!
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE
!
!
interface GigabitEthernet0/1.128
zone-member security INSIDE
!
interface GigabitEthernet0/1.123
zone-member security OUTSIDE
R1:

interface GigabitEthernet0/1.128
bandwidth 10000

SW1#show ip route 150.1.3.3
Routing entry for 150.1.3.3/32
Known via "eigrp 111", distance 90, metric 156416, type internal
Redistributing via eigrp 111
Last update from 136.1.128.1 on Vlan128, 00:04:14 ago
Routing Descriptor Blocks:
* 136.1.128.1, from 136.1.128.1, 00:04:14 ago, via Vlan128
Route metric is 156416, traffic share count is 1
Total delay is 5110 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2
!
!R3#show ip route 150.1.9.9
Routing entry for 150.1.9.9/32
Known via "eigrp 111", distance 90, metric 307200, type internal
Redistributing via eigrp 111
Last update from 136.1.99.2 on BVI99, 00:02:01 ago
Routing Descriptor Blocks:
* 136.1.99.2, from 136.1.99.2, 00:02:01 ago, via BVI99
Route metric is 307200, traffic share count is 1
Total delay is 11000 microseconds, minimum bandwidth is 100000 Kbit
Reliability 255/255, minimum MTU 1500 bytes
Loading 1/255, Hops 2

R1#show redundancy application asymmetric-routing interface group 1
AR Group ID:1 interface GigabitEthernet0/1 neighbor 136.1.1.2,
transport context:
my ip 136.1.1.1, my port 53000
peer ip 136.1.1.2, peer port 53000
!
!R1#show redundancy application asymmetric-routing tunnel group 1
Group ID:1
rii 10, idb GigabitEthernet0/1.123 packet sent: 0, packet received: 0
byte sent: 0, byte recv: 0
encap: length 32
IP :45 00 00 00 00 00 00 00 FF 11 00 00 88 01 01 01 88 01 01 02
UDP:CF 08 CF 08 00 00 00 00
AR :00 01 00 0A
!
!R2#show redundancy application asymmetric-routing interface group 1
AR Group ID:1 interface GigabitEthernet0/1 neighbor 136.1.1.1,
transport context:
my ip 136.1.1.2, my port 53000
peer ip 136.1.1.1, peer port 53000
!
!R2#show redundancy application asymmetric-routing tunnel group 1
Group ID:1
rii 10, idb GigabitEthernet0/1.123 packet sent: 0, packet received: 0
byte sent: 0, byte recv: 0

encap: length 32
IP :45 00 00 00 00 00 00 00 FF 11 00 00 88 01 01 02 88 01 01 01
UDP:CF 08 CF 08 00 00 00 00
AR :00 01 00 0A

SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password: R4>
!
!R1#show policy-firewall session ha
Session 318AEFA0 (136.1.128.9:40390)=>(150.1.4.4:23) telnet:tcp SIS_OPEN/TCP_ESTAB
Created 00:01:15, Last heard 00:01:13
Bytes sent (initiator:responder) [37:74] HA State: ACTIVE, RG ID: 1
Established Sessions = 1
!
!R1#show redundancy application asymmetric-routing tunnel group 1
Group ID:1
rii 10, idb GigabitEthernet0/1.123 packet sent: 0, packet received: 14
byte sent: 0, byte recv: 1134
encap: length 32
IP :45 00 00 00 00 00 00 00 FF 11 00 00 88 01 01 01 88 01 01 02
UDP:CF 08 CF 08 00 00 00 00
AR :00 01 00 0A
!
!R2#show policy-firewall session ha
Session 3144E7C0 (136.1.128.9:40390)=>(150.1.4.4:23) telnet:tcp SIS_OPEN/TCP_ESTAB
Created 00:01:27, Last heard never
Bytes sent (initiator:responder) [0:0] HA State: STANDBY, RG ID: 1
Established Sessions = 1
!
!R2#show redundancy application asymmetric-routing tunnel group 1
Group ID:1
rii 10, idb GigabitEthernet0/1.123 packet sent: 14, packet received: 0
byte sent: 1134, byte recv: 0
encap: length 32
IP :45 00 00 00 00 00 00 00 FF 11 00 00 88 01 01 02 88 01 01 01
UDP:CF 08 CF 08 00 00 00 00
AR :00 01 00 0A

R3#telnet 150.1.9.9
Trying 150.1.9.9 ... % Connection timed out; remote host not responding

SW1#telnet 150.1.3.3 80
Trying 150.1.3.3, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Tue, 15 Oct 2013 21:46:29 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 150.1.3.3 closed by foreign host]
!
!R1#show redundancy application asymmetric-routing tunnel group 1
Group ID:1
rii 10, idb GigabitEthernet0/1.123 packet sent: 0, packet received: 414
byte sent: 0, byte recv: 32334
encap: length 32
IP :45 00 00 00 00 00 00 00 FF 11 00 00 88 01 01 01 88 01 01 02
UDP:CF 08 CF 08 00 00 00 00
AR :00 01 00 0A
!
!R2#show redundancy application asymmetric-routing tunnel group 1
Group ID:1
rii 10, idb GigabitEthernet0/1.123 packet sent: 414, packet received: 0
byte sent: 32334, byte recv: 0
encap: length 32
IP :45 00 00 00 00 00 00 00 FF 11 00 00 88 01 01 02 88 01 01 01
UDP:CF 08 CF 08 00 00 00 00
AR :00 01 00 0A

R3#telnet 150.1.9.9 80
Trying 150.1.9.9, 80 ... Open
?
HTTP/1.1 400 Bad Request
Date: Tue, 15 Oct 2013 21:51:31 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request


[Connection to 150.1.9.9 closed by foreign host]
class-map type inspect http
policy-map type inspect http

class-map type inspect http match-any HTTP_APPLICATION
match req-resp protocol-violation
!
policy-map type inspect http HTTP_APPLICATION
class type inspect http HTTP_APPLICATION
reset
!
class-map type inspect match-any HTTP_TRAFFIC
match protocol http
!
policy-map type inspect INSIDE_TO_OUTSIDE
class type inspect HTTP_TRAFFIC
inspect
service-policy http HTTP_APPLICATION
match protocol ftp

parameter-map type regex REGEX_CISCO
pattern [cC][iI][sS][cC][oO]
!
class-map type inspect http CMAP_CISCO
match request header host regex REGEX_CISCO

R1:

parameter-map type regex REGEX_IMAGES
pattern .*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])
!
parameter-map type regex REGEX_DIGG
pattern .*[dD][iI][gG][gG]\.[cC][oO][mM]
!
class-map type inspect http match-all CMAP_HTTP_AIC
match request header host regex REGEX_DIGG
match request uri regex REGEX_IMAGES
!
class-map type inspect pop3 match-any CMAP_POP3_AIC
match login clear-text
match invalid-command
!
class-map type inspect imap match-any CMAP_IMAP_AIC
match login clear-text
match invalid-command
!
class-map type inspect aol match-any CMAP_AOL_AIC
match no service text-chat
!
policy-map type inspect http PMAP_HTTP_AIC
class CMAP_HTTP_AIC
reset
log
!
policy-map type inspect pop3 PMAP_POP3_AIC
class CMAP_POP3_AIC
reset
log
!
policy-map type inspect imap PMAP_IMAP_AIC
class CMAP_IMAP_AIC
reset
log
!
policy-map type inspect im PMAP_AOL_AIC
class CMAP_AOL_AIC
log
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_HTTP
match protocol http
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_POP3
match protocol pop3
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_IMAP
match protocol imap
!
!
class-map type inspect match-all INSIDE_TO_OUTSIDE_AOL
match protocol aol
!
policy-map type inspect INSIDE_TO_OUTSIDE
class INSIDE_TO_OUTSIDE_HTTP
inspect
service-policy http PMAP_HTTP_AIC
class INSIDE_TO_OUTSIDE_POP3
inspect
service-policy pop3 PMAP_POP3_AIC
class INSIDE_TO_OUTSIDE_IMAP
inspect
service-policy imap PMAP_IMAP_AIC
class INSIDE_TO_OUTSIDE_AOL
inspect
service-policy im PMAP_AOL_AIC
!
!
zone security INSIDE
zone security OUTSIDE
!
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
!
!
interface GigabitEthernet0/0
zone-member security INSIDE
!
interface GigabitEthernet0/1.128
zone-member security OUTSIDE

SW2#telnet 150.1.9.9 80
Trying 150.1.9.9, 80 ... Open
GET /image.jpg HTTP/1.1
Host: digg.com
[Connection to 150.1.9.9 closed by foreign host]
!
!R1:
%APPFW-4-HTTP_HDR_FIELD_REGEX_MATCHED: Header field (^[Hh][Oo][Ss][Tt]:.*[dD][iI][gG][gG]\.[cC][oO][mM]) matched - r
%APPFW-4-HTTP_URI_REGEX_MATCHED: URI regex (.*\.([jJ][pP][gG]|[pP][nN][gG]|[gG][iI][fF])) matched - resetting sessio

R1:
access-list 1 permit 150.1.9.9
ip port-map pop3 port tcp 7 list 1
!
!SW1:
service tcp-small-servers
!
!SW2#telnet 150.1.9.9 7
Trying 150.1.9.9, 7 ... Open
WWHOHO
[Connection to 150.1.9.9 closed by foreign host]
!
!R1:
%FW-5-POP3_INVALID_COMMAND: (target:class)-(INSIDE_TO_OUTSIDE:INSIDE_TO_OUTSIDE_POP3):Invalid POP3 command from init
police rate <Bps> burst <Bytes>

policy-map type inspect OUTSIDE_TO_INSIDE
class ICMP
inspect
police rate 256000 burst 8000

parameter-map type inspect parameter-map-name
alert {on|off}
audit-trail {on|off}
dns-timeout <seconds>
icmp idle-timeout <seconds>
ipv6 routing-header-enforcement
max-incomplete {low <num-of-conn> | high <num-of-conn>}
one-minute {low <num-of-conn> | high <num-of-conn>}
tcp max-incomplete host <threshold> [block-time <minutes>]
sessions maximum <sessions>
tcp finwait-time <seconds>
tcp idle-time <seconds>
tcp synwait-time <seconds>
udp idle-time <seconds>

show parameter-map type inspect default

parameter-map type inspect INSIDE
sessions maximum 100
!
policy-map type inspect INSIDE_TO_OUTSIDE
class INSIDE_TRAFFIC
inspect INSIDE
parameter-map type inspect global
waas {enable|disable}
l2-transparent dhcp-passthrough
tcp reset-PSH
log {dropped-packets|summary}

l2-transparent dhcp-passthrough

log dropped-packets enable

log dropped-packets enable

%FW-6-DROP_PKT: Dropping Unknown-l4 session 0.0.0.0:0 0.0.0.0:0 due to policy match failure with ip ident 0
%FW-6-DROP_PKT: Dropping Unknown-l4 session 0.0.0.0:0 0.0.0.0:0 due to One of the interfaces not being cfged for z
!
!
%FW-6-DROP_PKT: Dropping tcp session 150.1.10.10:58776 150.1.9.9:23 due to Policy not present on zone-pair with ip
%FW-6-DROP_PKT: Dropping tcp session 150.1.10.10:45826 150.1.9.9:23 due to One of the interfaces not being cfged f
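Turning the %FW-6-DROP_PKT and %FW-6-PASS_PKT messages above (and the `pass log` output from the VLAN123/VLAN34 task) into per-zone-pair counts, as an added Python example that is not part of the workbook: the sample lines are constructed from the message formats shown here, and the reason text on the policed-drop line is a stand-in because the workbook line is cut off before the reason.

```python
"""Parse Cisco IOS zone-based firewall (ZBPF) drop/pass syslog lines."""
import re
from collections import Counter
from typing import Optional

# Constructed sample log, modelled on the %FW-6-DROP_PKT and %FW-6-PASS_PKT
# formats shown in this section (addresses are from the lab topology). The
# last line reuses the policed-drop prefix from the workbook; its reason text
# is a stand-in, because the workbook line is cut off before the reason.
SAMPLE_LOG = """\
%FW-6-DROP_PKT: Dropping Unknown-l4 session 0.0.0.0:0 0.0.0.0:0 due to policy match failure with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 150.1.10.10:58776 150.1.9.9:23 due to Policy not present on zone-pair with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 150.1.10.10:45826 150.1.9.9:23 due to One of the interfaces not being cfged for zone with ip ident 0
%FW-6-PASS_PKT: (target:class)-(VLAN123_TO_VLAN34:ICMP) Passing icmp pkt 136.1.99.1:0 => 150.1.4.4:0 with ip ident 0
*Oct 15 05:21:30.123: %FW-6-PASS_PKT: (target:class)-(VLAN34_TO_VLAN123:ICMP) Passing icmp pkt 136.1.99.4:0 => 150.1.1.1:0 with ip ident 0
%FW-6-DROP_PKT: Dropping icmp session 136.1.19.10:0 150.1.9.9:0 on zone-pair INSIDE_TO_OUTSIDE class PROTOCOLS due to policy match failure with ip ident 0
"""

# "on zone-pair X class Y" is only present on drops taken inside a class
# (the policed ICMP drop); the plain drops carry no zone-pair at all.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: on zone-pair (?P<zp>\S+) class (?P<cls>\S+))?"
    r" due to (?P<reason>.+?)(?: with ip ident \d+)?\s*$"
)
PASS_RE = re.compile(
    r"%FW-6-PASS_PKT: \(target:class\)-\((?P<zp>[^:)]+):(?P<cls>[^)]+)\) "
    r"Passing (?P<proto>\S+) pkt (?P<src>[\d.]+):(?P<sport>\d+) => "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Reasons that point at a configuration gap rather than at the policy
# working as intended: a zone-pair with no service-policy, or an interface
# that is in no zone while its peer interface is.
CONFIG_GAP_PREFIXES = (
    "Policy not present on zone-pair",
    "One of the interfaces not being cfged for zone",
)


def categorize(reason: str) -> str:
    """Map a drop reason to what an operator should do with it."""
    if reason.startswith(CONFIG_GAP_PREFIXES):
        return "config-gap"      # fix the zone/zone-pair configuration
    if reason == "policy match failure":
        return "policy-deny"     # class-default drop: expected behaviour
    return "other"


def parse_line(line: str) -> Optional[dict]:
    """Return a record for a ZBPF drop/pass line, or None for any other line.

    re.search (not match) is used so a leading syslog timestamp is ignored.
    """
    m = DROP_RE.search(line)
    if m:
        g = m.groupdict()
        return {
            "action": "drop", "proto": g["proto"],
            "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]),
            "zone_pair": g["zp"] or "-", "class": g["cls"] or "-",
            "reason": g["reason"], "category": categorize(g["reason"]),
        }
    m = PASS_RE.search(line)
    if m:
        g = m.groupdict()
        return {
            "action": "pass", "proto": g["proto"],
            "src": g["src"], "sport": int(g["sport"]),
            "dst": g["dst"], "dport": int(g["dport"]),
            "zone_pair": g["zp"], "class": g["cls"],
            "reason": "", "category": "pass",
        }
    return None


def parse_log(text: str) -> list:
    """Parse every recognised line of a syslog capture, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records: list) -> Counter:
    """Count records by (action, category, zone-pair)."""
    return Counter((r["action"], r["category"], r["zone_pair"]) for r in records)


def config_gap_flows(records: list) -> list:
    """Distinct (src, dst, dport) flows dropped because of a config gap."""
    flows = {(r["src"], r["dst"], r["dport"])
             for r in records if r["category"] == "config-gap"}
    return sorted(flows)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:4d}  {' / '.join(key)}")
    print("flows to investigate:", config_gap_flows(recs))
```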
R1:

parameter-map type inspect PARAMETER
max-incomplete low 1000
max-incomplete high 2000
one-minute low 10
one-minute high 100
!
parameter-map type inspect global
log dropped-packets enable
!
class-map type inspect match-any PROTOCOLS
match protocol icmp
match protocol telnet
!
policy-map type inspect INSIDE_TO_OUTSIDE
class PROTOCOLS
inspect PARAMETER
police rate 256000 burst 16000
!
policy-map type inspect OUTSIDE_TO_INSIDE
class PROTOCOLS
inspect
!
!
zone security INSIDE
zone security OUTSIDE
!
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE
!
!
interface GigabitEthernet0/0
zone-member security INSIDE
!
interface GigabitEthernet0/1.128
zone-member security OUTSIDE
R1#show parameter-map type inspect
parameter-map type inspect default
audit-trail off
alert on
max-incomplete low 2147483647
max-incomplete high 2147483647
one-minute low 2147483647
one-minute high 2147483647
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 4294967295 block-time 0
sessions maximum 2147483647
parameter-map type inspect PARAMETER
audit-trail off
alert on
max-incomplete low 1000
max-incomplete high 2000
one-minute low 10
one-minute high 100
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp max-incomplete host 4294967295 block-time 0
sessions maximum 2147483647
parameter-map type inspect global
alert on
sessions maximum 2147483647
waas disabled
l2-transparent dhcp-passthrough disabled
log dropped-packets enabled
log summary disabled
max-incomplete low 18000
max-incomplete high 20000
one-minute low 2147483647
one-minute high 2147483647
tcp reset-PSH disabled

R1#show policy-firewall config zone-pair INSIDE_TO_OUTSIDE
Zone-pair : INSIDE_TO_OUTSIDE
Source Zone : INSIDE
Destination Zone : OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
Class-map : PROTOCOLS(match-any)
Match protocol icmp
Match protocol telnet
Action : inspect
Parameter-map : PARAMETER
Action : Police rate 256000 burst 16000
Class-map : class-default(match-any)
Match any
Action : drop log
Parameter-map : Default

SW2#ping 150.1.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds: !!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
!
!SW2#ping 150.1.9.9 size 1400 timeout 0 repeat 1000
Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 150.1.9.9, timeout is 0 seconds:
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
....................
Success rate is 0 percent (0/1000)
!
!R1:
%FW-6-DROP_PKT: Dropping icmp session 136.1.19.10:0 150.1.9.9:0 on zone-pair INSIDE_TO_OUTSIDE class PROTOCOLS due t
!
!R1#show policy-firewall stats zone-pair INSIDE_TO_OUTSIDE
policy exists on zp INSIDE_TO_OUTSIDE
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
Class-map: PROTOCOLS (match-any)
Match: protocol icmp
2 packets, 1460 bytes
30 second rate 0 bps
Match: protocol telnet
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Packet inspection statistics [process switch:fast switch]
icmp packets: [0:40]
Session creations since subsystem startup or last reset 2
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [1:1:0]
Last session created 00:01:43
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 2
Last half-open session total 0
TCP reassembly statistics
received 0 packets out-of-order; dropped 0
peak memory usage 0 KB; current usage: 0 KB
peak queue length 0
Police
rate 256000 bps,16000 limit
conformed 40 packets, 43592 bytes; actions: transmit
exceeded 997 packets, 1409854 bytes; actions: drop
conformed 0 bps, exceed 20000 bps
Class-map: class-default (match-any)
Match: any
Drop
SW2:
interface range fastEthernet1/0/1 - 2
switchport trunk allowed vlan add 1

R1:
interface GigabitEthernet0/1
ip address 136.1.1.1 255.255.255.0
!
parameter-map type inspect global
redundancy
exit
!
redundancy
application redundancy
group 1
name ZBPF
preempt
priority 150
control GigabitEthernet0/1 protocol 1
data GigabitEthernet0/1
!
interface GigabitEthernet0/1.123
redundancy rii 10 decrement 60
!
interface GigabitEthernet0/1.128
redundancy rii 20 decrement 60
redundancy group 1 ip 136.1.128.12 exclusive
R2:

interface GigabitEthernet0/1
ip address 136.1.1.2 255.255.255.0
!
parameter-map type inspect global
redundancy
exit
!
redundancy
application redundancy
group 1
name ZBPF
preempt
priority 100
control GigabitEthernet0/1 protocol 1
data GigabitEthernet0/1
!
interface GigabitEthernet0/1.123
redundancy rii 10
!
interface GigabitEthernet0/1.128
redundancy rii 20
redundancy group 1 ip 136.1.128.12 exclusive

R1 and R2:

class-map type inspect match-any ZBPF
match protocol telnet
match protocol http
!
policy-map type inspect INSIDE_TO_OUTSIDE
class ZBPF
inspect
!
policy-map type inspect OUTSIDE_TO_INSIDE
class ZBPF
inspect
!
!
zone security INSIDE
zone security OUTSIDE
!
!
zone-pair security INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE_TO_OUTSIDE
!
zone-pair security OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect OUTSIDE_TO_INSIDE
!
!
interface GigabitEthernet0/1.128
zone-member security INSIDE
!
interface GigabitEthernet0/1.123
zone-member security OUTSIDE

R1#show redundancy application group 1
Group ID:1
Group Name:ZBPF

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: ACTIVE
Peer Role: STANDBY
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
RF state: ACTIVE
Peer RF state: STANDBY HOT
!
!R2#show redundancy application group 1
Group ID:1
Group Name:ZBPF

Administrative State: No Shutdown
Aggregate operational state : Up
My Role: STANDBY
Peer Role: ACTIVE
Peer Presence: Yes
Peer Comm: Yes
Peer Progression Started: Yes

RF Domain: btob-one
RF state: STANDBY HOT
Peer RF state: ACTIVE

R1#show redundancy application control-interface group 1
The control interface for rg[1] is GigabitEthernet0/1
Interface is Control interface associated with the following protocols: 1
BFD Enabled
Interface Neighbors:
Peer: 136.1.1.2 Standby RGs: 1 BFD handle: 0
!
!R2#show redundancy application control-interface group 1
The control interface for rg[1] is GigabitEthernet0/1
Interface is Control interface associated with the following protocols: 1
BFD Enabled
Interface Neighbors:
Peer: 136.1.1.1 Active RGs: 1 BFD handle: 0

R1#show redundancy application protocol group 1
RG Protocol  RG 1
------------------
Role: Active
Negotiation: Enabled
Priority: 150
Protocol state: Active
Ctrl Intf(s) state: Up
Active Peer: Local
Standby Peer: address 136.1.1.2, priority 100, intf Gi0/1
Log counters:
role change to active: 4
role change to standby: 5
disable events: rg down state 1, rg shut 0
ctrl intf events: up 5, down 4, admin_down 1
reload events: local request 0, peer request 3

RG Media Context for RG 1
--------------------------
Ctx State: Active
Protocol ID: 1
Media type: Default
Control Interface: GigabitEthernet0/1
Current Hello timer: 3000
Configured Hello timer: 3000, Hold timer: 10000
Peer Hello timer: 3000, Peer Hold timer: 10000
Stats:
Pkts 453, Bytes 28086, HA Seq 0, Seq Number 453, Pkt Loss 0
Authentication not configured
Authentication Failure: 0
Reload Peer: TX 0, RX 0
Resign: TX 1, RX 1
Standby Peer: Present. Hold Timer: 10000
Pkts 208, Bytes 7072, HA Seq 0, Seq Number 552, Pkt Loss 0

R1#show redundancy rii
No. of RIIs in database: 2
Interface                 RII Id  decrement
GigabitEthernet0/1.123 :  10      60
GigabitEthernet0/1.128 :  20      60
!
!R2#show redundancy rii
No. of RIIs in database: 2
Interface                 RII Id  decrement
GigabitEthernet0/1.123 :  10      0
GigabitEthernet0/1.128 :  20      0

SW1#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password: R4>
!
!R1#show policy-firewall session zone-pair INSIDE_TO_OUTSIDE
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
Class-map : ZBPF(match-any)
Established Sessions = 1
Session 2CF740A0 (136.1.128.9:18976)=>(150.1.4.4:23) telnet:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:14, Last heard 00:00:12
Bytes sent (initiator:responder) [37:74] HA State: ACTIVE, RG ID: 1
Class-map : class-default(match-any)
!
!R2#show policy-firewall session zone-pair INSIDE_TO_OUTSIDE
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
Class-map : ZBPF(match-any)
Established Sessions = 1
Session 312B9DC0 (136.1.128.9:18976)=>(150.1.4.4:23) telnet:tcp SIS_OPEN/TCP_ESTAB
Created 00:00:31, Last heard never
Bytes sent (initiator:responder) [0:0] HA State: STANDBY, RG ID: 1
Class-map : class-default(match-any)
R4#telnet 150.1.9.9

Trying 150.1.9.9 ... Open

User Access Verification

Password: SW1>

!
!R1#show policy-firewall session Zone-pair OUTSIDE_TO_INSIDE
Zone-pair: OUTSIDE_TO_INSIDE
Service-policy inspect : OUTSIDE_TO_INSIDE
  Class-map : ZBPF(match-any)
    Established Sessions = 1
      Session 2CF74420 (136.1.99.4:58486)=>(150.1.9.9:23) telnet:tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:18, Last heard 00:00:17
        Bytes sent (initiator:responder) [40:69]
        HA State: ACTIVE, RG ID: 1
  Class-map : class-default(match-any)
!
!R2#show policy-firewall session zone-pair OUTSIDE_TO_INSIDE
Zone-pair: OUTSIDE_TO_INSIDE
Service-policy inspect : OUTSIDE_TO_INSIDE
  Class-map : ZBPF(match-any)
    Established Sessions = 1
      Session 312BA140 (136.1.99.4:58486)=>(150.1.9.9:23) telnet:tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:32, Last heard never
        Bytes sent (initiator:responder) [0:0]
        HA State: STANDBY, RG ID: 1
  Class-map : class-default(match-any)
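Added example (not from the workbook): a Python check that parses the active and standby session tables shown above and confirms that every session the active router owns is mirrored on the standby with `HA State: STANDBY` and the same RG ID. Session IDs differ between the two members (2CF740A0 on R1 versus 312B9DC0 on R2), so flows are matched on zone-pair, initiator, responder and protocol rather than on the ID. The two outputs embedded in the block are constructed to follow the format of `show policy-firewall session zone-pair`; `parse_sessions` and `check_parity` are this example's own names.

```python
"""Check that ZBFW sessions are mirrored between the active and standby
members of an IOS redundancy group.

Added example, not part of the workbook.  The two outputs below are
constructed to follow the format of 'show policy-firewall session
zone-pair <name>' on R1 (active) and R2 (standby)."""
import re

SESSION_RE = re.compile(
    r"Session\s+([0-9A-Fa-f]+)\s+\((\S+)\)=>\((\S+)\)\s+(\S+)\s+(\S+)")
HA_RE = re.compile(r"HA State:\s*([A-Z]+),\s*RG ID:\s*(\d+)")

# Constructed sample: the active router owns both flows.
ACTIVE_OUTPUT = """\
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
  Class-map : ZBPF(match-any)
    Established Sessions = 1
      Session 2CF740A0 (136.1.128.9:18976)=>(150.1.4.4:23) telnet:tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:14, Last heard 00:00:12
        Bytes sent (initiator:responder) [37:74]
        HA State: ACTIVE, RG ID: 1
  Class-map : class-default(match-any)
Zone-pair: OUTSIDE_TO_INSIDE
Service-policy inspect : OUTSIDE_TO_INSIDE
  Class-map : ZBPF(match-any)
    Established Sessions = 1
      Session 2CF74420 (136.1.99.4:58486)=>(150.1.9.9:23) telnet:tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:18, Last heard 00:00:17
        Bytes sent (initiator:responder) [40:69]
        HA State: ACTIVE, RG ID: 1
  Class-map : class-default(match-any)
"""

# Constructed sample: the standby holds the same flows under different
# session IDs, with zero counters and HA State: STANDBY.
STANDBY_OUTPUT = """\
Zone-pair: INSIDE_TO_OUTSIDE
Service-policy inspect : INSIDE_TO_OUTSIDE
  Class-map : ZBPF(match-any)
    Established Sessions = 1
      Session 312B9DC0 (136.1.128.9:18976)=>(150.1.4.4:23) telnet:tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:31, Last heard never
        Bytes sent (initiator:responder) [0:0]
        HA State: STANDBY, RG ID: 1
  Class-map : class-default(match-any)
Zone-pair: OUTSIDE_TO_INSIDE
Service-policy inspect : OUTSIDE_TO_INSIDE
  Class-map : ZBPF(match-any)
    Established Sessions = 1
      Session 312BA140 (136.1.99.4:58486)=>(150.1.9.9:23) telnet:tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:32, Last heard never
        Bytes sent (initiator:responder) [0:0]
        HA State: STANDBY, RG ID: 1
  Class-map : class-default(match-any)
"""


def parse_sessions(text):
    """Map (zone_pair, initiator, responder, protocol) -> session details.

    The session ID is kept as a value, not in the key, because each RG
    member assigns its own ID to the same flow."""
    sessions, zone_pair, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Zone-pair:"):
            zone_pair = line.split(":", 1)[1].strip()
            continue
        m = SESSION_RE.search(line)
        if m:
            sid, initiator, responder, proto, state = m.groups()
            current = {"id": sid, "state": state, "ha_state": None, "rg": None}
            sessions[(zone_pair, initiator, responder, proto)] = current
            continue
        m = HA_RE.search(line)
        if m and current is not None:
            current["ha_state"], current["rg"] = m.group(1), int(m.group(2))
    return sessions


def check_parity(active_text, standby_text):
    """Return a list of findings; an empty list means every session is mirrored."""
    active, standby = parse_sessions(active_text), parse_sessions(standby_text)
    findings = []
    for key, info in active.items():
        if info["ha_state"] != "ACTIVE":
            findings.append(f"{key}: active router reports HA state {info['ha_state']}")
        peer = standby.get(key)
        if peer is None:
            findings.append(f"{key}: not present on standby; would be lost on failover")
        elif peer["ha_state"] != "STANDBY" or peer["rg"] != info["rg"]:
            findings.append(f"{key}: standby state/RG mismatch ({peer['ha_state']}, RG {peer['rg']})")
    for key in standby.keys() - active.keys():
        findings.append(f"{key}: stale session present on standby only")
    return findings


if __name__ == "__main__":
    for finding in check_parity(ACTIVE_OUTPUT, STANDBY_OUTPUT) or ["all sessions mirrored"]:
        print(finding)
```

Run it against the two captures of both zone-pairs; a session that is missing on the standby, or that the standby reports with the wrong HA state or RG ID, is exactly the one that will be dropped when the roles switch.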
supplicant-group=<group_name>

match user-group <group_name>

R3:

aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group ACS
aaa authorization auth-proxy default group ACS
!
line console 0
login authentication CONSOLE
!
aaa group server radius ACS
server-private 172.16.1.100 key cisco
ip radius source-interface Loopback0
!
ip admission name RADIUS_ACS proxy telnet
!
zone security TRUSTED
zone security UNTRUSTED
!
class-map type inspect match-any PROTOCOLS
match protocol tcp
match protocol udp
match protocol icmp
!
class-map type inspect match-all USER_GROUP
match user-group CCIE_GROUP
!
class-map type inspect match-all PROTOCOLS_AUTHENTICATED
match class-map PROTOCOLS
match class-map USER_GROUP
!
policy-map type inspect TRUSTED_TO_UNTRUSTED
class type inspect PROTOCOLS
inspect
!
policy-map type inspect UNTRUSTED_TO_TRUSTED
class type inspect PROTOCOLS_AUTHENTICATED
inspect
!
zone-pair security TRUSTED_TO_UNTRUSTED source TRUSTED destination UNTRUSTED
service-policy type inspect TRUSTED_TO_UNTRUSTED
!
zone-pair security UNTRUSTED_TO_TRUSTED source UNTRUSTED destination TRUSTED
service-policy type inspect UNTRUSTED_TO_TRUSTED
!
interface FastEthernet0/0
zone-member security UNTRUSTED
ip admission RADIUS_ACS
!
interface FastEthernet0/1.34
zone-member security TRUSTED
!
interface FastEthernet0/1.123
zone-member security TRUSTED
!
interface BVI99
zone-member security TRUSTED
R2#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password: R4>
!
!R2#ping 136.1.27.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.27.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/8 ms
!
!R3#show policy-firewall session
Established Sessions = 1
  Session 49F14DE0 (136.1.99.2:8)=>(136.1.27.51:0) icmp SIS_OPEN
    Created 00:00:02, Last heard 00:00:02
    ECHO request
    Bytes sent (initiator:responder) [360:360]

R3#show policy-firewall session zone-pair UNTRUSTED_TO_TRUSTED
Zone-pair: UNTRUSTED_TO_TRUSTED
Service-policy inspect : UNTRUSTED_TO_TRUSTED
  Class-map : PROTOCOLS_AUTHENTICATED(match-all)
    Established Sessions = 1
      Session 49F15860 (136.1.27.51:1272)=>(150.1.4.4:23) tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:05, Last heard 00:00:03
        Bytes sent (initiator:responder) [38:65]
  Class-map : class-default(match-any)

R3#show ip auth-proxy cache username CCIE_USER
Authentication Proxy Cache
 User Name : CCIE_USER
 Client IP : 136.1.27.51
 Client Port : 1271
 Timeout : 60
 Time Remaining : 59
 Connection state : INTERCEPT

EPM information : Authproxy
 Admission feature : Authproxy
 AAA Policies :
  Supplicant-Group : CCIE_GROUP

EOU information
-------------------------------------------------------------------------
Address         Interface       AuthType        Posture-Token   Age(min)
-------------------------------------------------------------------------

EPM information : EOU

Existing Firewall Sessions Information:
 Session 49F15160 (136.1.27.51:1272)=>(150.1.4.4:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:01:15, Last heard 00:01:12
  Bytes sent (initiator:responder) [32:65]

R3#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
136.1.27.51         0148.f8b3.2e24.23       Nov 25 2013 12:00 AM    Automatic
!
!R3#show epm session ip 136.1.27.51
Admission feature : Authproxy
AAA Policies :
 Supplicant-Group : CCIE_GROUP
!
!R3#show user-group
Usergroup : CCIE_GROUP
------------------------------------------------------------------------
User Name           Type    Interface           Learn     Age (min)
------------------------------------------------------------------------
136.1.27.51         IPv4    FastEthernet0/0     Dynamic   2
R3:

aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group ISE
aaa authorization auth-proxy default group ISE
!
line console 0
login authentication CONSOLE
!
aaa group server radius ISE
server-private 172.16.3.100 key cisco
ip radius source-interface Loopback0
!
ip admission name RADIUS_ISE proxy http
ip http server
!
zone security TRUSTED
zone security UNTRUSTED
!
class-map type inspect match-any PROTOCOLS
match protocol tcp
match protocol udp
match protocol icmp
!
class-map type inspect match-all USER_GROUP
match user-group CCIE_GROUP
!
class-map type inspect match-all PROTOCOLS_AUTHENTICATED
match class-map PROTOCOLS
match class-map USER_GROUP
!
policy-map type inspect TRUSTED_TO_UNTRUSTED
class type inspect PROTOCOLS
inspect
!
policy-map type inspect UNTRUSTED_TO_TRUSTED
class type inspect PROTOCOLS_AUTHENTICATED
inspect
!
zone-pair security TRUSTED_TO_UNTRUSTED source TRUSTED destination UNTRUSTED
service-policy type inspect TRUSTED_TO_UNTRUSTED
!
zone-pair security UNTRUSTED_TO_TRUSTED source UNTRUSTED destination TRUSTED
service-policy type inspect UNTRUSTED_TO_TRUSTED
!
interface FastEthernet0/0
zone-member security UNTRUSTED
ip admission RADIUS_ISE
!
interface FastEthernet0/1.34
zone-member security TRUSTED
!
interface FastEthernet0/1.123
zone-member security TRUSTED
!
interface BVI99
zone-member security TRUSTED
R2#telnet 150.1.4.4
Trying 150.1.4.4 ... Open

User Access Verification

Password: R4>
!
!R2#ping 136.1.27.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.27.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/8 ms
!
!R3#show policy-firewall session
Established Sessions = 1
  Session 49F14DE0 (136.1.99.2:8)=>(136.1.27.51:0) icmp SIS_OPEN
    Created 00:00:02, Last heard 00:00:02
    ECHO request
    Bytes sent (initiator:responder) [360:360]

R3#show policy-firewall session zone-pair UNTRUSTED_TO_TRUSTED
Zone-pair: UNTRUSTED_TO_TRUSTED
Service-policy inspect : UNTRUSTED_TO_TRUSTED
  Class-map : PROTOCOLS_AUTHENTICATED(match-all)
    Established Sessions = 2
      Session 49F1A1E0 (136.1.27.51:1566)=>(150.1.4.4:80) tcp SIS_OPEN/TCP_CLOSEWAIT
        Created 00:00:34, Last heard 00:00:34
        Bytes sent (initiator:responder) [307:192]
      Session 49F1A560 (136.1.27.51:1567)=>(150.1.4.4:80) tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:34, Last heard 00:00:34
        Bytes sent (initiator:responder) [0:0]
  Class-map : class-default(match-any)

R3#show ip auth-proxy cache username CCIE_USER
Authentication Proxy Cache
 User Name : CCIE_USER
 Client IP : 136.1.27.51
 Client Port : 1562
 Timeout : 60
 Time Remaining : 60
 Connection state : ESTAB

EPM information : Authproxy
 Admission feature : Authproxy
 AAA Policies :
  Supplicant-Group : CCIE_GROUP

EOU information
-------------------------------------------------------------------------
Address         Interface       AuthType        Posture-Token   Age(min)
-------------------------------------------------------------------------

EPM information : EOU

Existing Firewall Sessions Information:
 Session 49F1A1E0 (136.1.27.51:1566)=>(150.1.4.4:80) tcp SIS_OPEN/TCP_CLOSEWAIT
  Created 00:01:59, Last heard 00:00:59
  Bytes sent (initiator:responder) [307:192]
 Session 49F1A560 (136.1.27.51:1567)=>(150.1.4.4:80) tcp SIS_OPEN/TCP_ESTAB
  Created 00:01:59, Last heard 00:00:59
  Bytes sent (initiator:responder) [0:0]

R3#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
136.1.27.51         0148.f8b3.2e24.23       Nov 25 2013 12:00 AM    Automatic
!
!R3#show epm session ip 136.1.27.51
Admission feature : Authproxy
AAA Policies :
 Supplicant-Group : CCIE_GROUP
match security-group source tag <value>

R1:

aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group ISE
aaa authorization auth-proxy default group ISE
!
line console 0
login authentication CONSOLE
!
aaa group server radius ISE
server-private 172.16.3.100 key cisco
ip radius source-interface Loopback0
!
ip admission name RADIUS_ISE proxy telnet
!
cts role-based sgt-map host 150.1.3.3 sgt 10
!
zone security TRUSTED
zone security UNTRUSTED
!
class-map type inspect match-any PROTOCOLS
match protocol tcp
match protocol udp
match protocol icmp
!
class-map type inspect match-any SECURE_GROUP
match security-group source tag 2
match security-group source tag 10
!
class-map type inspect match-all PROTOCOLS_AUTHENTICATED
match class-map PROTOCOLS
match class-map SECURE_GROUP
!
policy-map type inspect TRUSTED_TO_UNTRUSTED
class type inspect PROTOCOLS
inspect
!
policy-map type inspect UNTRUSTED_TO_TRUSTED
class type inspect PROTOCOLS_AUTHENTICATED
inspect
!
zone-pair security TRUSTED_TO_UNTRUSTED source TRUSTED destination UNTRUSTED
service-policy type inspect TRUSTED_TO_UNTRUSTED
!
zone-pair security UNTRUSTED_TO_TRUSTED source UNTRUSTED destination TRUSTED
service-policy type inspect UNTRUSTED_TO_TRUSTED
!
interface GigabitEthernet0/1.123
zone-member security UNTRUSTED
ip admission RADIUS_ISE
!
interface GigabitEthernet0/1.128
zone-member security TRUSTED
!
interface GigabitEthernet0/0
zone-member security TRUSTED
SW1#ping 136.1.27.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.27.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
!
!R1#show policy-firewall session zone-pair TRUSTED_TO_UNTRUSTED
Zone-pair: TRUSTED_TO_UNTRUSTED
Service-policy inspect : TRUSTED_TO_UNTRUSTED
  Class-map : PROTOCOLS(match-any)
    Established Sessions = 1
      Session 316DD620 (136.1.128.9:8)=>(136.1.27.51:0) icmp SIS_OPEN
        Created 00:00:03, Last heard 00:00:03
        ECHO request
        Bytes sent (initiator:responder) [360:360]
  Class-map : class-default(match-any)

R3#ping 136.1.128.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.128.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
!
!R3#ping 136.1.128.9 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.128.9, timeout is 2 seconds:
Packet sent with a source address of 150.1.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms
!
!R1#show policy-firewall session zone-pair UNTRUSTED_TO_TRUSTED
Zone-pair: UNTRUSTED_TO_TRUSTED
Service-policy inspect : UNTRUSTED_TO_TRUSTED
  Class-map : PROTOCOLS_AUTHENTICATED(match-all)
    Established Sessions = 1
      Session 316DE420 (150.1.3.3:8)=>(136.1.128.9:0) icmp SIS_OPEN
        Created 00:00:02, Last heard 00:00:02
        ECHO request
        Bytes sent (initiator:responder) [360:360]
  Class-map : class-default(match-any)
R3#telnet 136.1.128.9
Trying 136.1.128.9 ... Open
Firewall authentication
Username:CCIE_USER
Password:
Firewall authentication Success.
Connection will be closed if remote server does not respond
Connecting to remote server...

[Connection to 136.1.128.9 closed by foreign host]


!
!R3#telnet 136.1.128.9
Trying 136.1.128.9 ... Open

User Access Verification

Password: SW1>
!
!R1#show policy-firewall session zone-pair UNTRUSTED_TO_TRUSTED
Zone-pair: UNTRUSTED_TO_TRUSTED
Service-policy inspect : UNTRUSTED_TO_TRUSTED
  Class-map : PROTOCOLS_AUTHENTICATED(match-all)
    Established Sessions = 1
      Session 316DDD20 (136.1.99.3:31411)=>(136.1.128.9:23) tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:26, Last heard 00:00:24
        Bytes sent (initiator:responder) [40:69]
  Class-map : class-default(match-any)
!
!R3#ping 136.1.128.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.128.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

R1#show ip auth-proxy cache username CCIE_USER
Authentication Proxy Cache
 Authentication Method : Unknown
 User Name : CCIE_USER
 Client IP : 136.1.99.3
 Client Port : 20352
 Timeout : 60
 Time Remaining : 60
 Connection state : ESTAB

EPM information : Authproxy
 Admission feature: AUTHPROXY
 AAA Policies:
  SGT: 0002-0

EOU information
-------------------------------------------------------------------------
Address         Interface       AuthType        Posture-Token   Age(min)
-------------------------------------------------------------------------

EPM information : EOU

Existing Firewall Sessions Information:

!
!R1#show epm session ip 136.1.99.3
Admission feature: AUTHPROXY
AAA Policies:
 SGT: 0002-0
!
!R1#show cts role-based sgt-map all
Active IP-SGT Bindings Information

IP Address              SGT     Source
============================================
136.1.99.3              2       LOCAL
150.1.3.3               10      CLI

IP-SGT Active Bindings Summary
============================================
Total number of CLI bindings = 1
Total number of LOCAL bindings = 1
Total number of active bindings = 2
tag-name=<tag_value>

class-map type control tag match-all <class_name>
 match tag <tag_value>

policy-map type control tag <policy_name>
 identity policy <identity_name>

identity policy <identity_name>
 access-group <acl_name>
 user-group <group_name>
R3:

aaa new-model
aaa authentication login CONSOLE none
aaa authentication login default group ACS
aaa authorization auth-proxy default group ACS
!
line console 0
login authentication CONSOLE
!
aaa group server radius ACS
server-private 172.16.1.100 key cisco
ip radius source-interface Loopback0
!
ip access-list extended DEFAULT_ACL
permit tcp any any eq 23
!
ip access-list extended CCIE_USER_ACL
permit ip any any
!
identity policy CCIE_USER_IDENTITY
access-group CCIE_USER_ACL
user-group CCIE_GROUP
!
class-map type control tag match-all CCIE_USER_CLASS
match tag CCIE_USER_TAG
!
policy-map type control tag ADMISSION
class type control tag CCIE_USER_CLASS
identity policy CCIE_USER_IDENTITY
!
ip admission name RADIUS_ACS proxy telnet service-policy type tag ADMISSION
!
zone security TRUSTED
zone security UNTRUSTED
!
class-map type inspect match-any PROTOCOLS
match protocol tcp
match protocol udp
match protocol icmp
!
class-map type inspect match-all USER_GROUP
match user-group CCIE_GROUP
!
class-map type inspect match-all PROTOCOLS_AUTHENTICATED
match class-map PROTOCOLS
match class-map USER_GROUP
!
policy-map type inspect TRUSTED_TO_UNTRUSTED
class type inspect PROTOCOLS
inspect
!
policy-map type inspect UNTRUSTED_TO_TRUSTED
class type inspect PROTOCOLS_AUTHENTICATED
inspect
!
zone-pair security TRUSTED_TO_UNTRUSTED source TRUSTED destination UNTRUSTED
service-policy type inspect TRUSTED_TO_UNTRUSTED
!
zone-pair security UNTRUSTED_TO_TRUSTED source UNTRUSTED destination TRUSTED
service-policy type inspect UNTRUSTED_TO_TRUSTED
!
interface FastEthernet0/0
zone-member security UNTRUSTED
ip admission RADIUS_ACS
ip access-group DEFAULT_ACL in
!
interface FastEthernet0/1.34
zone-member security TRUSTED
!
interface FastEthernet0/1.123
zone-member security TRUSTED
!
interface BVI99
zone-member security TRUSTED
R2#telnet 150.1.4.4
Trying 150.1.4.4 ... Open
User Access Verification

Password: R4>
!
!R2#ping 136.1.27.51
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.27.51, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/8 ms
!
!R3#show policy-firewall session
Established Sessions = 1
  Session 49F14DE0 (136.1.99.2:8)=>(136.1.27.51:0) icmp SIS_OPEN
    Created 00:00:02, Last heard 00:00:02
    ECHO request
    Bytes sent (initiator:responder) [360:360]
R3#show ip access-lists DEFAULT_ACL
Extended IP access list DEFAULT_ACL
    10 permit tcp any any eq telnet
    20 permit ip any any (100 matches)
!
!R3#show ip access-lists interface fastEthernet0/0
Extended IP access list DEFAULT_ACL in
    10 permit tcp any any eq telnet
    20 permit ip any any (118 matches)

R3#show policy-firewall session zone-pair UNTRUSTED_TO_TRUSTED
Zone-pair: UNTRUSTED_TO_TRUSTED
Service-policy inspect : UNTRUSTED_TO_TRUSTED
  Class-map : PROTOCOLS_AUTHENTICATED(match-all)
    Established Sessions = 1
      Session 49F15860 (136.1.27.51:1272)=>(150.1.4.4:23) tcp SIS_OPEN/TCP_ESTAB
        Created 00:00:05, Last heard 00:00:03
        Bytes sent (initiator:responder) [38:65]
  Class-map : class-default(match-any)

R3#show ip access-lists DEFAULT_ACL
Extended IP access list DEFAULT_ACL
    permit ip host 136.1.27.51 any (61 matches)
    10 permit tcp any any eq telnet
    20 permit ip any any (130 matches)
!
!R3#show ip access-lists interface fastEthernet0/0
Extended IP access list DEFAULT_ACL in
    permit ip host 136.1.27.51 any (66 matches)
    10 permit tcp any any eq telnet
    20 permit ip any any (130 matches)
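Added example (not from the workbook): a Python parser for `show ip access-lists` output that separates the entry auth-proxy installs for the authenticated host (it carries no sequence number) from the static ACEs, so the policy in force for a given host can be read off the command output and checked for ordering. The before/after samples in the block are constructed from the two captures above; `parse_access_list`, `authorized_hosts` and `dynamic_precedes_static` are this example's own names.

```python
"""Identify the per-host entries that auth-proxy inserts into an interface ACL.

Added example, not part of the workbook.  The two outputs are constructed
to follow 'show ip access-lists interface fastEthernet0/0' before and after
CCIE_USER authenticates; the ACE without a sequence number is the dynamic
one installed from the identity policy."""
import re

HEADER_RE = re.compile(r"^Extended IP access list (\S+)(?:\s+(in|out))?$")
# Optional sequence number, action, body, optional "(N matches)" suffix.
ACE_RE = re.compile(
    r"^(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<body>.+?)"
    r"(?:\s+\((?P<matches>\d+) matches?\))?$")

BEFORE_AUTH = """\
Extended IP access list DEFAULT_ACL in
    10 permit tcp any any eq telnet
    20 permit ip any any (118 matches)
"""

AFTER_AUTH = """\
Extended IP access list DEFAULT_ACL in
    permit ip host 136.1.27.51 any (66 matches)
    10 permit tcp any any eq telnet
    20 permit ip any any (130 matches)
"""


def parse_access_list(text):
    """Return (name, direction, entries); entries are dicts, and 'dynamic'
    is True for ACEs that carry no sequence number."""
    name = direction = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            name, direction = m.group(1), m.group(2)
            continue
        m = ACE_RE.match(line)
        if m and name is not None:
            entries.append({
                "seq": int(m["seq"]) if m["seq"] else None,
                "dynamic": m["seq"] is None,
                "action": m["action"],
                "body": m["body"],
                "matches": int(m["matches"] or 0),
            })
    return name, direction, entries


def authorized_hosts(text):
    """Hosts that currently hold a dynamic 'permit ip host <addr> any' ACE."""
    _, _, entries = parse_access_list(text)
    hosts = []
    for entry in entries:
        m = re.fullmatch(r"ip host (\S+) any", entry["body"])
        if entry["dynamic"] and entry["action"] == "permit" and m:
            hosts.append(m.group(1))
    return hosts


def dynamic_precedes_static(text):
    """True when every dynamic ACE sits above the first numbered ACE, i.e.
    the per-user permit is evaluated before the static default policy."""
    _, _, entries = parse_access_list(text)
    seen_static = False
    for entry in entries:
        if entry["dynamic"] and seen_static:
            return False
        seen_static = seen_static or not entry["dynamic"]
    return True


if __name__ == "__main__":
    for label, capture in (("before", BEFORE_AUTH), ("after", AFTER_AUTH)):
        name, direction, entries = parse_access_list(capture)
        print(label, name, direction, "dynamic hosts:", authorized_hosts(capture),
              "dynamic first:", dynamic_precedes_static(capture))
```

The same parser applied to a capture taken after the auth-proxy entry times out (see the `Timeout : 60` value in the cache output) should return an empty host list again; a host that still appears there has a stale authorization.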

R3#show ip auth-proxy cache username CCIE_USER
Authentication Proxy Cache
 User Name : CCIE_USER
 Client IP : 136.1.27.51
 Client Port : 3842
 Timeout : 60
 Time Remaining : 60
 Connection state : INTERCEPT

EPM information : Authproxy
 Admission feature : Authproxy
 Tag Received : CCIE_USER_TAG
 Policy map used : ADMISSION
 Class map matched : CCIE_USER_CLASS

EOU information
-------------------------------------------------------------------------
Address         Interface       AuthType        Posture-Token   Age(min)
-------------------------------------------------------------------------

EPM information : EOU

Existing Firewall Sessions Information:
 Session 49BEF700 (136.1.27.51:3842)=>(150.1.4.4:23) tcp SIS_OPEN/TCP_ESTAB
  Created 00:04:33, Last heard 00:04:30
  Bytes sent (initiator:responder) [32:65]

R3#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
136.1.27.51         0148.f8b3.2e24.23       Nov 26 2013 12:00 AM    Automatic
!
!R3#show epm session ip 136.1.27.51
Admission feature : Authproxy
Tag Received : CCIE_USER_TAG
Policy map used : ADMISSION
Class map matched : CCIE_USER_CLASS
!
!R3#show user-group
Usergroup : CCIE_GROUP
------------------------------------------------------------------------
User Name           Type    Interface           Learn     Age (min)
------------------------------------------------------------------------
136.1.27.51         IPv4    FastEthernet0/0     Dynamic   6
ip nat inside source static [tcp|udp|esp] <inside_local> [port] [<inside_global>|interface <interface>] [port]
extendable
reversible

ip nat inside source static 150.1.9.9 136.1.99.100 route-map VLAN19_SUBNET
ip nat inside source static 150.1.9.9 136.1.99.150 route-map ALL_SUBNET

ip nat inside source static 150.1.9.9 136.1.99.100 route-map VLAN19_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.150 route-map ALL_SUBNET reversible

match interface
match ip next-hop


R1:

interface GigabitEthernet0/1.128
ip nat inside
!
interface GigabitEthernet0/1.123
ip nat outside
!
interface GigabitEthernet0/0
ip nat outside
!
access-list 100 permit ip any 136.1.19.0 0.0.0.255
access-list 150 deny ip any 136.1.19.0 0.0.0.255
access-list 150 permit ip any 136.1.0.0 0.0.255.255
access-list 190 permit ip any 150.1.0.0 0.0.255.255
!
route-map VLAN19_SUBNET permit 10
match ip address 100
!
route-map ALL_SUBNET permit 10
match ip address 150
!
route-map LOOPBACK_SUBNET permit 10
match ip address 190
!
ip nat inside source static 150.1.9.9 136.1.99.100 route-map VLAN19_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.150 route-map ALL_SUBNET reversible
ip nat inside source static 150.1.9.9 136.1.99.190 route-map LOOPBACK_SUBNET reversible
!
ip nat inside source static 136.1.128.9 136.1.19.250 extendable
ip nat inside source static 136.1.128.9 136.1.99.250 extendable
ip nat inside source static tcp 136.1.128.9 80 interface GigabitEthernet0/1.123 8080
!
ip nat log translations syslog

R1#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 136.1.99.1:8080    136.1.128.9:80     ---                ---
--- 136.1.19.250       136.1.128.9        ---                ---
--- 136.1.99.100       150.1.9.9          ---                ---
--- 136.1.99.150       150.1.9.9          ---                ---
--- 136.1.99.190       150.1.9.9          ---                ---
--- 136.1.99.250       136.1.128.9        ---                ---
!
!R1#show ip nat statistics
Total active translations: 7 (5 static, 2 dynamic; 2 extended)
Peak translations: 7, occurred 00:00:08 ago
Outside interfaces:
  GigabitEthernet0/0, GigabitEthernet0/1.123
Inside interfaces:
  GigabitEthernet0/1.128
Hits: 5  Misses: 0
CEF Translated packets: 5, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 0] route-map ALL_SUBNET
[Id: 0] route-map LOOPBACK_SUBNET
[Id: 0] route-map VLAN19_SUBNET

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

SW1#ping 150.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
!
!R1#show ip nat translations icmp
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.19.250:2     136.1.128.9:2      150.1.3.3:2        150.1.3.3:2

SW1#ping 150.1.10.10 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.10.10, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
!
!R1#show ip nat translations icmp
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.190:3     150.1.9.9:3        150.1.10.10:3      150.1.10.10:3

SW1#ping 136.1.27.3 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.27.3, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
!
!R1#show ip nat translations icmp
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.150:4     150.1.9.9:4        136.1.27.3:4       136.1.27.3:4

SW1#ping 136.1.19.10 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.19.10, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
!
!R1#show ip nat translations icmp
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.100:8     150.1.9.9:8        136.1.19.10:8      136.1.19.10:8

R3#telnet 136.1.99.1 8080
Trying 136.1.99.1, 8080 ... Open
HELO
HTTP/1.1 400 Bad Request
Date: Mon, 25 Nov 2013 23:20:53 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 136.1.99.1 closed by foreign host]
!
!R1#show ip nat translations tcp
Pro Inside global      Inside local       Outside local      Outside global
tcp 136.1.99.1:8080    136.1.128.9:80     136.1.99.3:60423   136.1.99.3:60423
tcp 136.1.99.1:8080    136.1.128.9:80     ---                ---

R3#ping 136.1.19.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.19.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
!R3#ping 136.1.99.250
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.99.250, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
!R1#show ip nat translations icmp
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.19.250:47    136.1.128.9:47     136.1.99.3:47      136.1.99.3:47
icmp 136.1.99.250:48    136.1.128.9:48     136.1.99.3:48      136.1.99.3:48

R3#telnet 136.1.99.100
Trying 136.1.99.100 ... % Connection refused by remote host
!
!R3#telnet 136.1.99.190
Trying 136.1.99.190 ... % Connection refused by remote host
!
!R3#telnet 136.1.99.150
Trying 136.1.99.150 ... Open

User Access Verification

Password: SW1>
!
!R1#show ip nat translations tcp
Pro Inside global      Inside local       Outside local      Outside global
tcp 136.1.99.150:23    150.1.9.9:23       136.1.99.3:41706   136.1.99.3:41706
tcp 136.1.99.1:8080    136.1.128.9:80     ---                ---

R3#telnet 136.1.99.100 /source-interface loopback0
Trying 136.1.99.100 ... % Connection refused by remote host
!
!R3#telnet 136.1.99.150 /source-interface loopback0
Trying 136.1.99.150 ... % Connection refused by remote host
!
!R3#telnet 136.1.99.190 /source-interface loopback0
Trying 136.1.99.190 ... Open

User Access Verification

Password: SW1>
!
!R1#show ip nat translations tcp
Pro Inside global      Inside local       Outside local      Outside global
tcp 136.1.99.190:23    150.1.9.9:23       150.1.3.3:33044    150.1.3.3:33044
tcp 136.1.99.1:8080    136.1.128.9:80     ---                ---

ip nat translation timeout <seconds>

reversible

R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.200:29    136.1.128.9:29     150.1.3.3:29       150.1.3.3:29
---  136.1.99.200       136.1.128.9        ---                ---
!
!R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.200:31    136.1.128.9:31     150.1.3.3:31       150.1.3.3:31

reversible

type match-host

R1:

interface GigabitEthernet0/1.128
ip nat inside
!
interface GigabitEthernet0/1.123
ip nat outside
!
interface GigabitEthernet0/0
ip nat outside
!
access-list 10 permit host 136.1.128.9
access-list 100 permit ip 150.1.9.0 0.0.0.255 136.1.0.0 0.0.255.255
access-list 190 permit ip 150.1.9.0 0.0.0.255 150.1.0.0 0.0.255.255
!
ip nat pool ACL10_POOL 136.1.99.10 136.1.99.10 prefix-length 24
ip nat pool ACL100_POOL 136.1.99.100 136.1.99.105 prefix-length 24
ip nat pool ACL190_POOL 136.1.99.200 136.1.99.205 netmask 255.255.255.0
!
route-map ACL100_RMAP permit 10
match ip address 100
!
route-map ACL190_RMAP permit 10
match ip address 190
!
ip nat inside source list 10 pool ACL10_POOL
ip nat inside source route-map ACL100_RMAP pool ACL100_POOL reversible
ip nat inside source route-map ACL190_RMAP pool ACL190_POOL
!
ip nat translation timeout 3600
ip nat translation max-entries host 136.1.128.9 3

R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 9, occurred 03:27:17 ago
Outside interfaces:
  GigabitEthernet0/0, GigabitEthernet0/1.123
Inside interfaces:
  GigabitEthernet0/1.128
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 16] access-list 10 pool ACL10_POOL refcount 0
 pool ACL10_POOL: netmask 255.255.255.0
        start 136.1.99.10 end 136.1.99.10
        type generic, total addresses 1, allocated 0 (0%), misses 0
[Id: 17] route-map ACL100_RMAP pool ACL100_POOL refcount 0
 pool ACL100_POOL: netmask 255.255.255.0
        start 136.1.99.100 end 136.1.99.105
        type generic, total addresses 6, allocated 0 (0%), misses 0
[Id: 18] route-map ACL190_RMAP pool ACL190_POOL refcount 0
 pool ACL190_POOL: netmask 255.255.255.0
        start 136.1.99.200 end 136.1.99.205
        type generic, total addresses 6, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
nat-limit statistics:
 host 136.1.128.9: max allowed 2, used 0, missed 0
Queued Packets: 0

SW1#ping 150.1.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms
!
!SW1#ping 136.1.19.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.19.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
!
!SW1#ping 136.1.99.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.99.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
!
!R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.10:41     136.1.128.9:41     150.1.3.3:41       150.1.3.3:41
icmp 136.1.99.10:42     136.1.128.9:42     136.1.19.10:42     136.1.19.10:42
---  136.1.99.10        136.1.128.9        ---                ---
!
!R1#show ip nat statistics | section nat-limit
nat-limit statistics:
 host 136.1.128.9: max allowed 3, used 3, missed 10

R1#show ip nat translations verbose
Pro  Inside global      Inside local       Outside local      Outside global
---  136.1.99.10        136.1.128.9        ---                ---
    create 00:07:47, use 00:01:04 timeout:3600000, left 00:58:55, Map-Id(In): 16,
    flags:
limited, use_count: 0, entry-id: 148, lc_entries: 0

SW1#ping 136.1.19.10 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.19.10, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
!
!SW1#ping 136.1.99.3 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.99.3, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/8 ms
!
!R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.100:49    150.1.9.9:49       136.1.19.10:49     136.1.19.10:49
icmp 136.1.99.100:50    150.1.9.9:50       136.1.99.3:50      136.1.99.3:50
---  136.1.99.100       150.1.9.9          ---                ---
R3#telnet 136.1.99.100
Trying 136.1.99.100 ... Open

User Access Verification

Password: SW1>show tcp brief
TCB       Local Address           Foreign Address         (state)
05F79E84  150.1.9.9.23            136.1.99.3.29369        FINWAIT2
05F7BD68  150.1.9.9.23            136.1.99.3.36625        ESTAB
05F7B8AC  136.1.128.9.23          136.1.99.3.59401        FINWAIT2
05C3D2AC  136.1.128.9.23          136.1.99.3.56711        FINWAIT2
05F7A340  136.1.128.9.23          136.1.99.3.45257        FINWAIT2
!
!R1#show ip nat translations tcp
Pro Inside global      Inside local       Outside local      Outside global
tcp 136.1.99.100:23    150.1.9.9:23       136.1.99.3:36625   136.1.99.3:36625

SW1#ping 150.1.3.3 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.3.3, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
!
!SW1#ping 150.1.10.10 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.10.10, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
!
!R1#show ip nat translations
Pro  Inside global      Inside local       Outside local      Outside global
icmp 136.1.99.200:52    150.1.9.9:52       150.1.3.3:52       150.1.3.3:52
icmp 136.1.99.200:53    150.1.9.9:53       150.1.10.10:53     150.1.10.10:53
!
!R3#telnet 136.1.99.200
Trying 136.1.99.200 ... % Connection refused by remote host
overload

reversible

interface
R1:

interface GigabitEthernet0/1.128
ip nat inside
!
interface GigabitEthernet0/1.123
ip nat outside
!
interface GigabitEthernet0/0
ip nat outside
!
access-list 10 permit 136.1.128.0 0.0.0.255
access-list 20 permit 150.1.9.0 0.0.0.255
!
ip nat pool ACL10_POOL 136.1.99.10 136.1.99.15 prefix-length 24
!
route-map ACL10_RMAP permit 10
match ip address 10
!
ip nat inside source route-map ACL10_RMAP pool ACL10_POOL overload reversible
ip nat inside source list 20 interface Loopback0 overload
!
ip nat translation port-timeout tcp 23 120
ip nat translation finrst-timeout 30

R1#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
  GigabitEthernet0/0, GigabitEthernet0/1.123
Inside interfaces:
  GigabitEthernet0/1.128
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 34] access-list 20 interface Loopback0 refcount 0
[Id: 33] route-map ACL10_RMAP pool ACL10_POOL refcount 0
 pool ACL10_POOL: netmask 255.255.255.0
        start 136.1.99.10 end 136.1.99.15
        type generic, total addresses 6, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
nat-limit statistics:
Queued Packets: 0

SW1#telnet 150.1.3.3
Trying 150.1.3.3 ... Open

User Access Verification

Password: R3>
!
!R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.10:50708 136.1.128.9:50708 150.1.3.3:23 150.1.3.3:23
tcp 136.1.99.10:0 136.1.128.9:0 --- ---
!
!R3#telnet 136.1.99.10
Trying 136.1.99.10 ... Open

User Access Verification

Password: SW1>
!
!R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.10:23 136.1.128.9:23 136.1.99.3:47864 136.1.99.3:47864
tcp 136.1.99.10:50708 136.1.128.9:50708 150.1.3.3:23 150.1.3.3:23
tcp 136.1.99.10:0 136.1.128.9:0 --- ---

R1#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.10:50708 136.1.128.9:50708 150.1.3.3:23 150.1.3.3:23
create 00:00:20, use 00:00:18 timeout:120000, left 00:01:41, Map-Id(In): 33,
flags:
extended, use_count: 0, entry-id: 254, lc_entries: 0
tcp 136.1.99.10:0 136.1.128.9:0 --- ---
create 00:00:20, use 00:00:20 timeout:3600000, left 00:59:39, Map-Id(In): 33,
flags:
extended, extendable, global-only-entry, routemap-out2in, use_count: 1, entry-id: 253, lc_entries: 0

R1#show ip nat translations verbose
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.10:50708 136.1.128.9:50708 150.1.3.3:23 150.1.3.3:23
create 00:00:06, use 00:00:04 timeout:120000, left 00:00:25, Map-Id(In): 33,
flags:
extended, timing-out, use_count: 0, entry-id: 254, lc_entries: 0
tcp 136.1.99.10:0 136.1.128.9:0 --- ---
create 00:00:06, use 00:00:06 timeout:3600000, left 00:59:53, Map-Id(In): 33,
flags:
extended, extendable, global-only-entry, routemap-out2in, use_count: 1, entry-id: 258, lc_entries: 0

SW1#telnet 150.1.3.3 /source-interface loopback0
Trying 150.1.3.3 ... Open

User Access Verification

Password: R3>
!
!R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 150.1.1.1:54949 150.1.9.9:54949 150.1.3.3:23 150.1.3.3:23

interface
reversible
add-route

R1:
interface GigabitEthernet0/1.128
ip nat inside
!
interface GigabitEthernet0/1.123
ip nat outside
!
access-list 10 permit 136.1.27.0 0.0.0.255
!
ip nat pool ACL10_POOL 136.1.128.100 136.1.128.102 prefix-length 30
ip nat outside source list 10 pool ACL10_POOL add-route
ip nat outside source static 150.1.3.3 136.1.128.3 add-route

R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 136.1.128.3 150.1.3.3
!
!R1#show ip nat statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
GigabitEthernet0/1.123
Inside interfaces:
GigabitEthernet0/1.128

Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Outside Source
[Id: 5] access-list 10 pool ACL10_POOL refcount 0
pool ACL10_POOL: netmask 255.255.255.0
start 136.1.128.100 end 136.1.128.102
type generic, total addresses 3, allocated 0 (0%), misses 0

Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0

R1#show ip route static | b Gateway
Gateway of last resort is not set

136.1.0.0/16 is variably subnetted, 10 subnets, 2 masks
S 136.1.128.3/32 [1/0] via 150.1.3.3

SW1#telnet 136.1.128.3
Trying 136.1.128.3 ... Open

User Access Verification

Password: R3>
!
!R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 136.1.128.3 150.1.3.3
tcp 136.1.128.9:26078 136.1.128.9:26078 136.1.128.3:23 150.1.3.3:23

R3#telnet 150.1.9.9 /source-interface fastEthernet0/0
Trying 150.1.9.9 ... Open

User Access Verification

Password: SW1>
!
!R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- --- 136.1.128.101 136.1.27.3
tcp 150.1.9.9:23 150.1.9.9:23 136.1.128.101:41824 136.1.27.3:41824
!
!R1#show ip route static | b Gateway
Gateway of last resort is not set

136.1.0.0/16 is variably subnetted, 9 subnets, 2 masks
S 136.1.128.3/32 [1/0] via 150.1.3.3
S 136.1.128.101/32 [1/0] via 136.1.27.3

ip nat enable
reversible
interface

R1:
interface GigabitEthernet0/1.128
ip nat enable
!
interface GigabitEthernet0/1.123
ip nat enable
!
interface Loopback0
ip nat enable
!
access-list 100 permit ip 136.1.99.0 0.0.0.255 any
access-list 150 permit ip 136.1.27.0 0.0.0.255 any
!
route-map ACL150_RMAP permit 10
match ip address 150
!
ip nat source static 150.1.3.3 136.1.128.3
ip nat source list 100 interface Loopback0 overload
!
ip nat pool ACL150_POOL 136.1.128.150 136.1.128.155 prefix-length 24
ip nat source route-map ACL150_RMAP pool ACL150_POOL overload
R1#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
--- 136.1.128.3 150.1.3.3 --- ---
!
!R1#show ip nat nvi statistics
Total active translations: 1 (1 static, 0 dynamic; 0 extended)
NAT Enabled interfaces:
GigabitEthernet0/1.123, GigabitEthernet0/1.128, Loopback0

Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Source
[Id: 6] access-list 100 interface Loopback0 refcount 0
[Id: 3] route-map ACL150_RMAP pool ACL150_POOL refco
pool ACL150_POOL: netmask 255.255.255.0
start 136.1.128.150 end 136.1.128.155
type generic, total addresses 6, allocated 0 (0%), misses 0

R3#telnet 150.1.9.9 /source-interface loopback0

Trying 150.1.9.9 ... Open

User Access Verification

Password: SW1>

!
!SW1#telnet 136.1.128.3 /source-interface loopback0

Trying 136.1.128.3 ... Open

User Access Verification

Password: R3>

!
!R1#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
tcp 136.1.128.3:50851 150.1.3.3:50851 150.1.9.9:23 150.1.9.9:23
--- 136.1.128.3 150.1.3.3 --- ---
tcp 150.1.9.9:60103 150.1.9.9:60103 136.1.128.3:23 150.1.3.3:23

R3#telnet 150.1.9.9

Trying 150.1.9.9 ... Open

User Access Verification

Password: SW1>

!
!R1#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
tcp 150.1.1.1:27128 136.1.99.3:27128 150.1.9.9:23 150.1.9.9:23
--- 136.1.128.3 150.1.3.3 --- ---

R3#telnet 150.1.9.9 /source-interface fastEthernet0/0
Trying 150.1.9.9 ... Open

User Access Verification

Password: SW1>
!
!R1#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
tcp 136.1.128.150:48870 136.1.27.3:48870 150.1.9.9:23 150.1.9.9:23
--- 136.1.128.3 150.1.3.3 --- ---
!
!SW1#telnet 136.1.128.150
Trying 136.1.128.150 ... % Connection refused by remote host
R1:
ip nat stateful id 11
primary 136.1.128.1
peer 136.1.128.2
mapping-id 10

R2:

ip nat stateful id 22
backup 136.1.128.2
peer 136.1.128.1
mapping-id 10

ip nat stateful id <nr>
redundancy <hsrp_group_name>
mapping-id <nr>
interface

R1:
interface GigabitEthernet0/1.128
ip nat inside
standby 10 ip 136.1.128.12
standby 10 priority 150
standby 10 preempt
standby 10 name HSRPNAT
!
interface GigabitEthernet0/1.123
ip nat outside
!
ip nat stateful id 11
redundancy HSRPNAT
mapping-id 30
!
access-list 100 permit ip 136.1.128.0 0.0.0.255 any
!
ip nat pool ACL100_POOL 136.1.99.100 136.1.99.105 prefix-length 24
ip nat inside source static 150.1.9.9 136.1.99.9 redundancy HSRPNAT mapping-id 30
ip nat inside source list 100 pool ACL100_POOL mapping-id 30 overload

R2:

interface GigabitEthernet0/1.128
ip nat inside
standby 10 ip 136.1.128.12
standby 10 preempt
standby 10 name HSRPNAT
!
interface GigabitEthernet0/1.123
ip nat outside
!
ip nat stateful id 22
redundancy HSRPNAT
mapping-id 30
!
access-list 100 permit ip 136.1.128.0 0.0.0.255 any
!
ip nat pool ACL100_POOL 136.1.99.100 136.1.99.105 prefix-length 24
ip nat inside source static 150.1.9.9 136.1.99.9 redundancy HSRPNAT mapping-id 30
ip nat inside source list 100 pool ACL100_POOL mapping-id 30 overload

R1#show ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 136.1.128.1 : Local NAT id 11
: Peer Address 136.1.128.2 : Peer NAT id 22
: Mapping List 30
!
!R2#show ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 136.1.128.2 : Local NAT id 22
: Peer Address 136.1.128.1 : Peer NAT id 11
: Mapping List 30

created-by-remote

R4#telnet 136.1.99.9
Trying 136.1.99.9 ... Open

User Access Verification

Password: SW1>
!
!R1#show ip nat translations tcp verbose
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.9:23 150.1.9.9:23 136.1.99.4:31153 136.1.99.4:31153
create 00:00:13, use 00:00:11 timeout:86400000, left 23:59:48,
flags: extended, use_count: 0 nat_id: 11 nat_entry_num: 28 nat_mapping_id[in]: 30
nat_mapping_id[out]: 0, entry-id: 37, lc_entries: 0
!
!R2#show ip nat translations tcp verbose
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.9:23 150.1.9.9:23 136.1.99.4:31153 136.1.99.4:31153
create 00:00:44, use 00:00:44 timeout:86400000, timing-out,
flags: extended, created-by-remote , use_count: 0 nat_id: 11 nat_entry_num: 28 nat_mapping_id[in]: 30
nat_mapping_id[out]: 0, entry-id: 13, lc_entries: 0

created-by-remote

SW1#telnet 150.1.3.3
Trying 150.1.3.3 ... Open

User Access Verification

Password: R3>
!
!R1#show ip nat translations tcp verbose
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.100:62149 136.1.128.9:62149 150.1.3.3:23 150.1.3.3:23
create 00:00:55, use 00:00:51 timeout:86400000, left 23:59:08, Map-Id(In): 9,
flags: extended, use_count: 0 nat_id: 11 nat_entry_num: 29 nat_mapping_id[in]: 30
nat_mapping_id[out]: 0, entry-id: 38, lc_entries: 0
!
!R2#show ip nat translations tcp verbose
Pro Inside global Inside local Outside local Outside global
tcp 136.1.99.100:62149 136.1.128.9:62149 150.1.3.3:23 150.1.3.3:23
create 00:01:30, use 00:01:30 timeout:86400000, timing-out, Map-Id(In): 3,
flags: extended, created-by-remote , use_count: 0 nat_id: 11 nat_entry_num: 29 nat_mapping_id[in]: 30
nat_mapping_id[out]: 0, entry-id: 14, lc_entries: 0
set ip next-hop <IP_address>
ip policy route-map <rmap_name>
set ip default next-hop <IP_address>

R1:
access-list 100 permit ip any 136.1.0.0 0.0.255.255
access-list 150 permit ip any 150.1.0.0 0.0.255.255
!
route-map POLICY_ROUTING permit 10
match ip address 100
set ip next-hop 136.1.128.2
!
route-map POLICY_ROUTING permit 20
match ip address 150
set ip next-hop 136.1.99.2
!
route-map POLICY_ROUTING permit 30
set ip default next-hop 136.1.99.3
!
interface GigabitEthernet0/0
ip policy route-map POLICY_ROUTING

R1#show ip policy
Interface Route map
Gi0/0 POLICY_ROUTING
!
!R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 0 packets, 0 bytes
route-map POLICY_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.99.2
Policy routing matches: 0 packets, 0 bytes
route-map POLICY_ROUTING, permit, sequence 30
Match clauses:
Set clauses:
ip default next-hop 136.1.99.3
Policy routing matches: 0 packets, 0 bytes

SW2#traceroute 136.1.27.3
Type escape sequence to abort.
Tracing the route to 136.1.27.3
1 136.1.19.1 8 msec 0 msec 0 msec
2 136.1.128.2 0 msec 0 msec 0 msec
3 136.1.99.3 8 msec * 0 msec
!
!R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 9 packets, 540 bytes
route-map POLICY_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.99.2
Policy routing matches: 0 packets, 0 bytes
route-map POLICY_ROUTING, permit, sequence 30
Match clauses:
Set clauses:
ip default next-hop 136.1.99.3
Policy routing matches: 0 packets, 0 bytes

SW2#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
1 136.1.19.1 0 msec 0 msec 0 msec
2 136.1.99.2 0 msec 0 msec 0 msec
3 136.1.99.3 9 msec * 0 msec
!
!R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 9 packets, 540 bytes
route-map POLICY_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.99.2
Policy routing matches: 6 packets, 360 bytes
route-map POLICY_ROUTING, permit, sequence 30
Match clauses:
Set clauses:
ip default next-hop 136.1.99.3
Policy routing matches: 0 packets, 0 bytes

R3:
interface Loopback1
ip address 160.1.33.33 255.255.255.255

SW2:

ip route 160.1.33.33 255.255.255.255 136.1.19.1

R1#show ip route 160.1.33.33 255.255.255.255
% Subnet not in table
!
!SW2#traceroute 160.1.33.33
Type escape sequence to abort.
Tracing the route to 160.1.33.33
1 136.1.19.1 0 msec 8 msec 0 msec
2 136.1.99.3 0 msec * 0 msec
!
!R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 9 packets, 540 bytes
route-map POLICY_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.99.2
Policy routing matches: 6 packets, 360 bytes
route-map POLICY_ROUTING, permit, sequence 30
Match clauses:
Set clauses:
ip default next-hop 136.1.99.3
Policy routing matches: 6 packets, 360 bytes

debug ip policy
IP: s=136.1.19.10 (GigabitEthernet0/0), d=160.1.33.33, len 28, policy rejected -- normal forwarding

R1:
ip route 160.1.33.33 255.255.255.255 136.1.99.2
!
!SW2#traceroute 160.1.33.33
Type escape sequence to abort.
Tracing the route to 160.1.33.33
1 136.1.19.1 0 msec 0 msec 8 msec
2 136.1.99.2 0 msec 0 msec 0 msec
3 136.1.99.2 !H * !H
!
!R1#show route-map
route-map POLICY_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 9 packets, 540 bytes
route-map POLICY_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.99.2
Policy routing matches: 6 packets, 360 bytes
route-map POLICY_ROUTING, permit, sequence 30
Match clauses:
Set clauses:
ip default next-hop 136.1.99.3
Policy routing matches: 15 packets, 900 bytes

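To make the three clauses concrete, here is an added Python model (not part of the workbook) of R1's POLICY_ROUTING route-map: clauses 10 and 20 use `set ip next-hop`, which is honoured whenever the ACL matches, while clause 30 uses `set ip default next-hop`, which IOS honours only when the routing table holds no specific route for the destination. The routing-table contents are assumed from the show output above (136.1.0.0/16 and 150.1.0.0/16 known; 160.1.33.33/32 absent until the static route is added), and the model reports which prefix wins rather than inventing next hops the page does not show.

```python
"""Model of R1's POLICY_ROUTING route-map (added example, not workbook code)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple


def wildcard_to_net(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS 'address wildcard' pair (136.1.0.0 0.0.255.255) into a prefix.
    Only contiguous wildcards are accepted; 0.0.0.0 means a single host."""
    wc = int(ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


@dataclass(frozen=True)
class Clause:
    seq: int
    dst_match: Optional[IPv4Network]  # destination side of the matched ACL; None = match all
    next_hop: str
    default_only: bool = False        # True models 'set ip default next-hop'


# The route-map exactly as configured on R1 (ACLs 100 and 150 are 'permit ip any <dst>').
POLICY_ROUTING = (
    Clause(10, wildcard_to_net("136.1.0.0", "0.0.255.255"), "136.1.128.2"),
    Clause(20, wildcard_to_net("150.1.0.0", "0.0.255.255"), "136.1.99.2"),
    Clause(30, None, "136.1.99.3", default_only=True),
)

# Constructed RIB: prefixes R1 knows before and after 'ip route 160.1.33.33 ... 136.1.99.2'.
RIB_BEFORE: FrozenSet[IPv4Network] = frozenset({ip_network("136.1.0.0/16"),
                                                ip_network("150.1.0.0/16")})
RIB_AFTER = RIB_BEFORE | {ip_network("160.1.33.33/32")}


def longest_match(rib, dst) -> Optional[IPv4Network]:
    hits = [net for net in rib if dst in net]
    return max(hits, key=lambda net: net.prefixlen) if hits else None


def policy_route(dst_str: str, rib) -> Tuple[Optional[int], str, str]:
    """Return (matched sequence, 'next-hop' | 'normal', value).

    'set ip next-hop' wins whenever the clause matches.  'set ip default next-hop'
    wins only when the RIB has no route more specific than a default route for the
    destination; otherwise IOS logs 'policy rejected -- normal forwarding' and the
    RIB entry is used (the clause still counts as a match, as the counters show)."""
    dst = ip_address(dst_str)
    for clause in POLICY_ROUTING:
        if clause.dst_match is not None and dst not in clause.dst_match:
            continue
        if clause.default_only:
            route = longest_match(rib, dst)
            if route is not None and route.prefixlen > 0:
                return clause.seq, "normal", str(route)
        return clause.seq, "next-hop", clause.next_hop
    route = longest_match(rib, dst)            # no clause matched: plain routing
    return None, "normal", str(route) if route else "no route"


if __name__ == "__main__":
    for dst, rib in (("136.1.27.3", RIB_BEFORE), ("150.1.3.3", RIB_BEFORE),
                     ("160.1.33.33", RIB_BEFORE), ("160.1.33.33", RIB_AFTER)):
        print(dst, policy_route(dst, rib))
```

The four calls reproduce the traceroutes above: 136.1.27.3 via 136.1.128.2, 150.1.3.3 via 136.1.99.2, 160.1.33.33 via the default next hop 136.1.99.3 until the static route exists, after which normal forwarding takes over.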
ip local policy route-map <rmap_name>

R1:
access-list 100 permit ip any host 150.1.9.9
access-list 150 permit ip any host 150.1.3.3
!
route-map LOCAL_ROUTING permit 10
match ip address 100
set ip next-hop 136.1.99.2
!
route-map LOCAL_ROUTING permit 20
match ip address 150
set ip next-hop 136.1.128.2
!
ip local policy route-map LOCAL_ROUTING

R1#show ip policy
Interface Route map
local LOCAL_ROUTING
!
!R1#show route-map
route-map LOCAL_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.123.2
Policy routing matches: 0 packets, 0 bytes
route-map LOCAL_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 0 packets, 0 bytes

R1#traceroute 150.1.3.3
Type escape sequence to abort.
Tracing the route to 150.1.3.3
VRF info: (vrf in name/id, vrf out name/id)
1 136.1.128.2 0 msec 0 msec 0 msec
2 136.1.99.3 4 msec * 0 msec
!
!R1#show route-map
route-map LOCAL_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.123.2
Policy routing matches: 0 packets, 0 bytes
route-map LOCAL_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 6 packets, 492 bytes

R1#traceroute 150.1.9.9
Type escape sequence to abort.
Tracing the route to 150.1.9.9
VRF info: (vrf in name/id, vrf out name/id)
1 136.1.99.2 0 msec 0 msec 0 msec
2 136.1.128.9 4 msec * 4 msec
!
!R1#show route-map
route-map LOCAL_ROUTING, permit, sequence 10
Match clauses:
ip address (access-lists): 100
Set clauses:
ip next-hop 136.1.99.2
Policy routing matches: 6 packets, 474 bytes
route-map LOCAL_ROUTING, permit, sequence 20
Match clauses:
ip address (access-lists): 150
Set clauses:
ip next-hop 136.1.128.2
Policy routing matches: 6 packets, 492 bytes

R1:
ip access-list extended TELNET
permit tcp 136.1.27.0 0.0.0.255 eq 23 any
!
ip access-list extended VOICE
permit udp any any range 16384 32767
!
class-map match-any TELNET
match access-group name TELNET
!
class-map match-all ICMP
match protocol icmp
match packet length min 1201
!
class-map match-all VOICE
match access-group name VOICE
match packet length min 64 max 64
!
class-map match-all OTHER
match input-interface GigabitEthernet0/1
match ip precedence 0
!
policy-map MARKING
class TELNET
set ip precedence 2
class ICMP
drop
class VOICE
set ip dscp ef
class OTHER
set ip precedence 1
!
interface GigabitEthernet0/0
service-policy output MARKING

R1#show policy-map interface gigabitEthernet0/0 output
GigabitEthernet0/0

Service-policy output: MARKING

Class-map: TELNET (match-any)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name TELNET
0 packets, 0 bytes
5 minute rate 0 bps
QoS Set
precedence 2
Packets marked 0
Class-map: ICMP (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: protocol icmp
Match: packet length min 1201
drop
Class-map: VOICE (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name VOICE
Match: packet length min 64 max 64
QoS Set
dscp ef
Packets marked 0
Class-map: OTHER (match-all)
0 packets, 0 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: input-interface GigabitEthernet0/1
Match: ip precedence 0
QoS Set
precedence 1
Packets marked 0
Class-map: class-default (match-any)
11 packets, 1122 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: any

SW2#telnet 136.1.27.3
Trying 136.1.27.3 ... Open

User Access Verification

Password: R3>
!
!R1#show policy-map interface gigabitEthernet0/0 output | section TELNET
Class-map: TELNET (match-any)
22 packets, 1278 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: access-group name TELNET
22 packets, 1278 bytes
5 minute rate 0 bps
QoS Set
precedence 2
Packets marked 22

R3#ping 150.1.10.10 size 1200
Type escape sequence to abort.
Sending 5, 1200-byte ICMP Echos to 150.1.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
!
!R3#ping 150.1.10.10 size 1201
Type escape sequence to abort.
Sending 5, 1201-byte ICMP Echos to 150.1.10.10, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
!
!R1#show policy-map interface gigabitEthernet0/0 output | section ICMP
Class-map: ICMP (match-all)
5 packets, 6075 bytes
5 minute offered rate 2000 bps, drop rate 2000 bps
Match: protocol icmp
Match: packet length min 1201
drop

R1#show policy-map interface gigabitEthernet0/0 output | section OTHER
Class-map: OTHER (match-all)
5 packets, 6070 bytes
5 minute offered rate 0000 bps, drop rate 0000 bps
Match: input-interface GigabitEthernet0/1
Match: ip precedence 0
QoS Set
precedence 1
Packets marked 5

configure replace nvram:startup-config

R1:
time-range WEEKENDS
periodic weekend 0:00 to 23:59
!
time-range WEEKDAYS
periodic weekdays 16:00 to 23:59
periodic weekdays 0:00 to 9:59
!
ip access-list extended TIME_BASED_ACL
deny ip 136.1.128.0 0.0.0.255 150.1.0.0 0.0.255.255 time-range WEEKENDS
deny ip 136.1.128.0 0.0.0.255 136.1.19.0 0.0.0.255 time-range WEEKDAYS
permit ip any any
!
interface GigabitEthernet0/1.128
ip access-group TIME_BASED_ACL in

R1#show time-range
time-range entry: WEEKDAYS (active)
periodic weekdays 16:00 to 23:59
periodic weekdays 0:00 to 9:59
used in: IP ACL entry
time-range entry: WEEKENDS (inactive)
periodic weekend 0:00 to 23:59
used in: IP ACL entry
!
!R1#show clock
06:44:43.155 UTC Tue Dec 3 2013

SW1#ping 136.1.19.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.19.10, timeout is 2 seconds:
U.U.U
Success rate is 0 percent (0/5)
!
!SW1#ping 136.1.19.10 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 136.1.19.10, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/9 ms
!
!R1#show ip access-lists
Extended IP access list TIME_BASED_ACL
10 deny ip 136.1.128.0 0.0.0.255 150.1.0.0 0.0.255.255 time-range WEEKENDS (inactive)
20 deny ip 136.1.128.0 0.0.0.255 136.1.19.0 0.0.0.255 time-range WEEKDAYS (active) (5 matches)
30 permit ip any any (93 matches)

SW1#ping 150.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
!
!SW1#ping 150.1.1.1 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 150.1.9.9
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
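An added Python evaluator (not from the workbook) that applies R1's two time-ranges and TIME_BASED_ACL to constructed packets at the clock shown above (06:44:43 UTC, Tuesday). It reproduces why SW1's ping from 136.1.128.9 to 136.1.19.10 fails on a weekday morning while the same ping sourced from Loopback0 (150.1.9.9) succeeds, and it also covers the weekend case and the weekday mid-day gap that the page does not test. The addresses 136.1.128.9 and 136.1.19.10 are taken from the NAT and debug output earlier on the page.

```python
"""Evaluate R1's TIME_BASED_ACL against its time-ranges (added example, not workbook code)."""
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple, Union

# 'periodic' day keywords expressed as datetime.weekday() values (Monday = 0).
DAY_KEYWORDS = {
    "daily": frozenset(range(7)),
    "weekdays": frozenset(range(5)),
    "weekend": frozenset({5, 6}),
}


def periodic(days: str, start: str, end: str):
    """One 'periodic <days> H:MM to H:MM' line; the end minute is inclusive."""
    h1, m1 = (int(x) for x in start.split(":"))
    h2, m2 = (int(x) for x in end.split(":"))
    return DAY_KEYWORDS[days], time(h1, m1), time(h2, m2, 59)


# time-range definitions exactly as configured on R1.
TIME_RANGES = {
    "WEEKENDS": [periodic("weekend", "0:00", "23:59")],
    "WEEKDAYS": [periodic("weekdays", "16:00", "23:59"),
                 periodic("weekdays", "0:00", "9:59")],
}

# TIME_BASED_ACL as configured on R1: (seq, action, source, destination, time-range).
TIME_BASED_ACL = [
    (10, "deny", ip_network("136.1.128.0/24"), ip_network("150.1.0.0/16"), "WEEKENDS"),
    (20, "deny", ip_network("136.1.128.0/24"), ip_network("136.1.19.0/24"), "WEEKDAYS"),
    (30, "permit", ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), None),
]

# Router clock from 'show clock' on the page: 06:44:43 UTC Tue Dec 3 2013.
CLOCK = "2013-12-03T06:44:43"


def _as_datetime(now: Union[str, datetime]) -> datetime:
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def time_range_active(name: str, now: Union[str, datetime]) -> bool:
    """True if any periodic line of the named time-range covers 'now'."""
    now = _as_datetime(now)
    return any(now.weekday() in days and start <= now.time() <= end
               for days, start, end in TIME_RANGES[name])


def active_ranges(now: Union[str, datetime]) -> Dict[str, bool]:
    """What 'show time-range' would report as (active) / (inactive)."""
    return {name: time_range_active(name, now) for name in TIME_RANGES}


def evaluate(src: str, dst: str, now: Union[str, datetime]) -> Tuple[Optional[int], str]:
    """Return (matched sequence, action) for one packet.

    An entry bound to an inactive time-range is skipped as if it were absent;
    falling off the end hits the implicit deny, reported as (None, 'deny')."""
    s, d = ip_address(src), ip_address(dst)
    for seq, action, src_net, dst_net, tr in TIME_BASED_ACL:
        if tr is not None and not time_range_active(tr, now):
            continue
        if s in src_net and d in dst_net:
            return seq, action
    return None, "deny"


if __name__ == "__main__":
    print(active_ranges(CLOCK))                                     # WEEKDAYS active only
    print(evaluate("136.1.128.9", "136.1.19.10", CLOCK))           # SW1 ping: (20, 'deny')
    print(evaluate("150.1.9.9", "136.1.19.10", CLOCK))             # from Loopback0: permit
    print(evaluate("136.1.128.9", "150.1.1.1", CLOCK))             # WEEKENDS inactive: permit
    print(evaluate("136.1.128.9", "150.1.1.1", "2013-12-07T10:00:00"))  # Saturday: (10, 'deny')
```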

clear config reset system

User: admin
Password:*********
(Cisco Controller) >clear config
Are you sure you want to clear the configuration? (y/n) y

Configuration Cleared!
(Cisco Controller) >reset system

The system has unsaved changes. Would you like to save them now? (y/N) n

Configuration Not Saved! Are you sure you would like to reset the system? (y/N) y

System will now restart!
Restarting system.

Welcome to the Cisco Wizard Configuration Tool
Use the '-' character to backup
Would you like to terminate autoinstall? [yes]: yes
AUTO-INSTALL: process terminated -- no configuration loaded
System Name [Cisco_37:b2:c4] (31 characters max): WLC
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (3 to 24 characters): *********
Re-enter Administrative Password : *********
Management Interface IP Address: 172.16.5.100
Management Interface Netmask: 255.255.255.0
Management Interface Default Router: 172.16.5.1
Management Interface VLAN Identifier (0 = untagged):
Management Interface Port Num [1 to 4]: 1
Management Interface DHCP Server IP Address: 172.16.5.1
Virtual Gateway IP Address: 1.1.1.1
Mobility/RF Group Name: CCIE-SECURITY
Network Name (SSID): CCIELAB
Configure DHCP Bridging Mode [yes][NO]:
Allow Static IP Addresses [YES][no]:
Configure a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Enter Country Code list (enter 'help' for a list of countries) [US]:
Enable 802.11b Network [YES][no]:
Enable 802.11a Network [YES][no]:
Enable 802.11g Network [YES][no]:
Enable Auto-RF [YES][no]:
Configure a NTP server now? [YES][no]: no
Configure the system time now? [YES][no]: no
Warning! No AP will come up unless the time is set.
Please see documentation for more details.
Configuration correct? If yes, system will save it and reset. [yes][NO]: yes
Configuration saved! Resetting system with new configuration...

(Cisco Controller) >show port summary

STP Admin Physical Physical Link Link
Pr Type Stat Mode Mode Status Status Trap POE
-- ------- ---- ------- ---------- ---------- ------ ------- -------
1 Normal Forw Enable Auto 100 Full Up Enable N/A
2 Normal Disa Enable Auto Auto Down Enable N/A
3 Normal Disa Enable Auto Auto Down Enable Enable (Power Off)
4 Normal Disa Enable Auto Auto Down Enable Enable (Power Off)
!
!(Cisco Controller) >show interface summary

Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management 1 untagged 172.16.5.100 Static Yes No
virtual N/A N/A 1.1.1.1 Static No No

(Cisco Controller) >show wlan summary

Number of WLANs.................................. 1

WLAN ID WLAN Profile Name / SSID Status Interface Name
------- ------------------------------------- -------- --------------------
1 CCIELAB / CCIELAB Enabled management

(Cisco Controller) >show ap summary

Number of APs.................................... 1
Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name Slots AP Model Ethernet MAC Location Port Country Priority
------------------ ----- -------------------- ----------------- ---------------- ---- ------- ------
AP0006.f63b.9ada 2 AIR-LAP1262N-A-K9 00:06:f6:3b:9a:da default location 1 US 1
!
!(Cisco Controller) >show ap join stats summary all

Number of APs.............................................. 1

Base Mac AP EthernetMac AP Name IP Address Status
f0:29:29:04:21:f0 00:06:f6:3b:9a:da AP0006.f63b.9ada 136.1.47.100 Joined
!
!(Cisco Controller) >show dtls connections

AP Name Local Port Peer IP Peer Port Ciphersuite
-------------------- ------------- ---------------- ------------- ------------------------------
AP0006.f63b.9ada Capwap_Ctrl 136.1.47.100 47534 TLS_RSA_WITH_AES_128_CBC_SHA

(Cisco Controller) >show ap data-plane all

Min Data Data Max Data Last
AP Name Round Trip Round Trip Round Trip Update
------------------ -------------- -------------- -------------- ------
AP0006.f63b.9ada 0.000s 0.000s 0.000s 23:18:20
!
!(Cisco Controller) >show ap link-encryption all

Encryption Dnstream Upstream Last
AP Name State Count Count Update
------------------ --- -------- -------- ------
AP0006.f63b.9ada Dis 0 0 23:18
