Sadikhov IT Certification forums


Community Reputation

0 Neutral

About ejeangilles

  1. ACS 4.2 group settings and AAA help

    I solved it. Now I just need to know if there's any way to configure the enable password for a group instead of user by user.
  2. I've been trying to figure this out for a few days and maybe you guys can help me out. I'm trying to get more familiar with AAA and this is what I'm trying to accomplish.

    - I have a Cisco switch and I also have ACS 4.2 running on Windows 2003, and that's authenticating with a 2003 Active Directory server, which is working OK.
    - Level 1 group that can only run those user-level commands; they should not go into enable or configuration terminal.
    - Level 15 group has access to everything.
    - Level 1 and Level 15 groups are expected to log in with the AD credentials at first, which drops them into user mode.
    - Only the Level 15 group should be able to go into enable mode.
    - I want to specify the "Enable" password within TACACS and not use the "enable password" command in the IOS.
    - I don't want to use local usernames and passwords except for a back way to get in.

    I tried to configure the "Max privilege for any client" to level 1 or 15 per group but that doesn't seem to work. This is basically what I have so far.

    aaa new-model
    aaa authentication login default group tacacs+ local
    username admin privilege 15 password 0 xxxx

    Can you guys tell me what I'm missing?
  3. Man. I feel so stupid. The DHCP monitoring service wasn't even turned on. My advice is to learn to take a break after long hours of labs.
  4. I have a problem with my Cisco 7961 phones not registering on my CUCM 8.6 install on ESXi 5. Weird, because I have Cisco IP Communicator phones that register with no problem. Do you guys know what I can be missing? I have restarted the CUCM and services multiple times. The phone log on my phones says it can't find DHCP and "DNS unknown host", but my CUCM is configured by IP address. I also attached some screenshots. Help me out here guys...
  5. I have a home network set up with a PIX 515 and a 3550 L3 switch. My PIX 515 (unrestricted) is set up with subinterfaces. Everything works fine as far as DHCP, internet, and ASDM. The only thing is I can't seem to ping my internal clients from my ASA. I can ping my L3 switch VLAN IP but not my internal client IP. My client PCs can ping both the L3 switch IP and the ASA inside interface. Is there an ACL that's blocking? I did a packet tracer and it tells me it dropped due to an access list, but I have them in place. I feel I'm missing something simple. Information below.

    Internet <----> Pix515 <----> L3switch <----> PC's

    MYFIREWALL# sh run
    : Saved
    :
    PIX Version 8.0(4)28
    !
    hostname MYFIREWALL
    enable password 8Ry2YjIyt7RRXU24 encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0
     speed 100
     duplex full
     nameif outside
     security-level 0
     ip address 173.x.x.114
    !
    interface Ethernet1
     speed 100
     duplex full
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet1.10
     vlan 10
     nameif inside
     security-level 100
     ip address
    !
    interface Ethernet1.20
     vlan 20
     no nameif
     no security-level
     no ip address
    !
    ftp mode passive
    clock timezone EST -5
    clock summer-time EDT recurring
    access-list 101 extended permit icmp any any echo
    access-list 101 extended permit icmp any any echo-reply
    access-list 101 extended permit icmp any any source-quench
    access-list 101 extended permit icmp any any unreachable
    access-list 101 extended permit icmp any any time-exceeded
    pager lines 24
    logging enable
    logging timestamp
    logging buffer-size 20000
    logging buffered debugging
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-603.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 1
    access-group 101 in interface outside
    route outside 173.x.x.118 1
    timeout xlate 3:00:00
    timeout conn 9:09:09 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http outside
    http inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet outside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd dns
    dhcpd domain aejg.net
    !
    dhcpd address inside
    dhcpd enable inside
    !
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
    !
    !
    prompt hostname context
    Cryptochecksum:ed3a9e8e32f486f73ad65f0ce7a95b3f
    : end
    ------------------------
    MYFIREWALL# packet-tracer input inside icmp 8 0 detail$

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4392f78, priority=1, domain=permit, deny=false
    hits=130328, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in inside

    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
    Forward Flow based lookup yields rule:
    in id=0x4397fb8, priority=500, domain=permit, deny=true
    hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip=, mask=, port=0
    dst ip=, mask=, port=0, dscp=0x0

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: inside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    --------------------------------
    MYFIREWALL# ping
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
    ?????
    -------------------------------
    MYSWITCH#sh run
    Building configuration...

    Current configuration : 2518 bytes
    !
    version 12.2
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname MYSWITCH
    !
    !
    no aaa new-model
    ip subnet-zero
    ip routing
    !
    !
    no file verify auto
    spanning-tree mode pvst
    spanning-tree extend system-id
    !
    !
    !
    vlan internal allocation policy ascending
    !
    !
    interface FastEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     switchport nonegotiate
     duplex full
     speed 100
    !
    interface FastEthernet0/2
     switchport mode dynamic desirable
    !
    interface FastEthernet0/3
     switchport mode dynamic desirable
    !
    interface FastEthernet0/4
     switchport mode dynamic desirable
    !
    interface FastEthernet0/5
     switchport access vlan 10
     switchport mode access
     duplex full
     speed 100
     spanning-tree portfast
    !
    interface FastEthernet0/6
     switchport mode dynamic desirable
    !
    interface FastEthernet0/7
     switchport mode dynamic desirable
    !
    interface FastEthernet0/8
     switchport mode dynamic desirable
    !
    interface FastEthernet0/9
     switchport mode dynamic desirable
    !
    interface FastEthernet0/10
     switchport mode dynamic desirable
    !
    interface FastEthernet0/11
     switchport mode dynamic desirable
    !
    interface FastEthernet0/12
     switchport mode dynamic desirable
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     ip address
     ip directed-broadcast
    !
    ip classless
    ip route
    ip http server
  6. I have 2 Cisco ASA 5505s; one has a Security Plus license and the other one doesn't. My Cisco ASA 5505 with the Security Plus license is going bad and I would like to transfer the Security Plus license to my other ASA. Is this possible? Of course, with Cisco's approval.
  7. Internetwork Expert

    I am very interested. Please email me at ejgilles@gmail.com