Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Hi, Experts

We have one modular core switch (6500) and one IPS/IDS module; they cannot work with each other.

We did lots of searches and we found that we need IOS 12.2(17a)SX10 or 12.2(14)SX1.

But when we referred to the Cisco site, we understood that this version had a bug and Cisco removed it. Does anyone have any guidance about it?

Software version IPS/IDS= 6.2, IOS version core switch=12.2(33)SXj10


PAT through ASA 5506 doesn't load GUI of destination

Client has a single static public IP. They have a camera system and door controller system that they need to manage remotely. Using PAT for the cameras on http works fine, however trying to access the door controller does not work on port 90. I have a PAT and ACL for the door controller which passes packet tracer and not seeing any blocks, but alas the web interface of the door controller does not load, just sits there white screen until timeout. I have tried everything I can think of and running out of options. This used to work with the old firewall and for some reason I have been able to get it to work in the past with this ASA but it was hit or miss so I started over, now it doesn't work at all. What is wrong here? I noticed that in the PAT settings there is a "real" and "mapped" port option and in the past it started working when removing the "Real" port. I see the requests coming in from random ports so I wasn't sure if this could be part of the problem. Obviously routing all requests on the outside interface to the door controller is not ideal and breaks my remote access to the firewall.

FYI loading the GUI internally from a web browser on port 90 of the inside IP works fine. It just doesn't seem to pass the data through the firewall. The logs just show connection built and then tear down.

Config is attached, I appreciate any input as to how to get this to work!
Wireless Access in my Home Office

For background read my question:
with Solution by my friend David Johnson.

I had for a long time worked on my kitchen table (we have a large enough kitchen) but I get involved in hour long Skype (MVP) and Adobe Connect (Volunteer work) conversations that get in the way of household activities.

So I went up to Staples (Office Depot) and got a desk and office chair. The desk is compact, glass top, two legs (one at each end) and is very decent quality. The chair is standard office, cushy leather and nice to sit at. This is all in my upstairs Den with a small TV and DVD player.

So at David's suggestion, I got a Ubiquiti Access Point. This has to be the best thing since sliced bread. Connect the LAN side of the POE injector into my Cisco RV325 VPN router and the POE side to the Ethernet cable that goes to the Den. Plug in the Ubiquiti and configure it and now I have a dual radio Access Point (2.4 GHz N and 5 GHz AC) upstairs and same downstairs with my Cisco RV134 wireless router.

Devices (ThinkPad and two iPhones) are absolutely transparent as they move around. Just one SSID for each band and the Ubiquiti looks after everything.

This is a very nice way to support another office in a residence.

Upstairs Office

Great day,
I hope all are doing very well. I was wondering what people's views are on
1. pass4sure
I am hearing so much about them. Has anyone tried them? I am wondering because I am feeling a little lazy to study again for certs I have but thinking about upgrading them. I am already working with the product and have for years around 20.
If you do not want to reveal your honest opinion you can email at and still get the point.
Yes the e is missing in the email
Hi Experts,

This week I got a Panasonic ToughBook CF-33 and switched my ISP from Bell to Rogers.

Over Ethernet, using, download with Bell was 300Mbps, with Rogers is 500Mbps.

Over WiFi, the ToughBook was 80Mbps and now <20Mbps. On my iPhone, Rogers is getting 300Mbps.

Why is my ToughBook now under 20Mbps?

One thing that I noticed now is that with Rogers my router is now Hitron CODA-4582U, and the SSID for 2.4GHz and 5GHz can't be the same, where on Bell (Cisco) they were. The ToughBook now cannot detect the 5GHz SSID. Does the ToughBook CF-33 not support 5GHz?

To make matters even more interesting, my printer only has a WiFi interface, which makes it on a different network because of the mismatched SSIDs.

As I am typing this I am wondering should I purchase another Cisco router and make the Hitron only as modem?

Any help will be appreciated.

I have a Cisco network running 10/100/1000Mbps. Should I plan on upgrading it to 10Gbps, 40Gbps, or 100Gbps? What would be involved? New switches, cabling? I would appreciate input from anyone who's also doing the same or planning on doing the same. I would like to know what devices, cables etc. you are thinking of, your plan of attack and approximate costs.

Thank you so much in advance.
I'm looking for opinions about setting up DMZ VLANs on switches that are also used for internal networking vs. using separate physical switches for DMZs and internal networks.  Any concerns or benefits you can think of for one over the other.  Assume Cisco equipment.
Hi guys,
Does anyone know, how to check the serial number of the Power Supplies on a Cisco Wireless Controller 5508, either via CLI or GUI?

P.S. Show inventory will only show the chassis serial number
Hello experts,
I have a Cisco 1852 AP, configured as the controller. Several Cisco 1832s have no problem joining it, but I have two AIR-CAP1702I-D-K9 and I can't get them joined. I already updated the software to the same version as the controller. From the console I got the following message; not sure why it is trying to load the c3700... file.
Please advise.

*Jul 20 05:58:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
*Jul 20 05:58:01.255: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: peer_port: 5246
*Jul 20 05:58:01.255: %CAPWAP-5-SENDJOIN: sending Join Request to archive download capwap:/c3700 tar file
*Jul 20 05:58:01.327: %CAPWAP-6-AP_IMG_DWNLD: Required image not found on AP. Downloading image from Controller.
*Jul 20 05:58:01.331: Loading file /c3700...
Hello looking for some help on this. My ISP did an update that made it necessary for us to update our outside IP address config setting from static to DHCP. I change it and give them the Mac address of the ASA and it usually after they update the table it pulls the correct IP address. That part seems to be fine but for some reason, after the change, my site to site VPN will not come back up. Nothing else has changed. Any ideas on this? 

ciscoasa# sho run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
domain-name 111.com
enable password w3iW.W8jLtqmhFnt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
boot system disk0:/asa825-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name 111.com
object-group network obj_any
access-list NONATACL extended permit ip VPNACL extended permit ip OUTSIDEACL extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout


I do tech work for small businesses and I barely dabble in VPN connections. I'm using a Cisco VPN firewall. At this one site I have a VPN tunnel that is live, but for whatever reason when I use one-to-one NAT the device on that IP loses internet connection.
I need the one-to-one NAT for them to be able to ping the device. Any advice as to what I can do to avoid losing internet on this device? Is there another way? Remember I'm a bit of a noobie when it comes to this stuff.
Thanks in advance.
We have a legacy XP machine that has custom software that it uses for data collection of devices. The software upgrade is out of budget so we decided to put a firewall in the mix.

If we have 1 ASA and need to retain the IP address of the legacy XP machine with ports 400, 900, and 950 what would that config look like?
Can I load an image onto a Cisco 3850 switch which has no IOS by attaching an external DVD player to the USB port and using the command prompt to access the burned image on the DVD player disc?
We have Cisco Callmanagers and Unity Connections for voicemail.  Our problem is this:
We have a number, say 1234.  It is set so that when a user dials it and it is busy or not answered, it rolls to 5678, which if not answered or busy, forwards to voicemail.  

The problem is, if you dial 5678 it works properly, eventually going to the mailbox.  However, if you dial 1234, it does eventually roll to 5678, but if not picked up, it then goes to the system general message instead of the vm for 5678.
Does the Cisco 1900 serial router have an HA function?
Hi Experts,

I am having a problem with my Cisco 897VA router and allowing access to internal servers from internal devices.

Any attempted access gets a not authorised response. We can access it via IP or if placed in the host file on the user PC. There are no issues accessing from external devices.

This however is a pain to do.  I do not wish to modify my internal DNS server at this stage or run a separate one for just one zone as this was working fine under a previous router, this has just happened since switching to the 897va.

Server we want to access has internal IP of :
External IP is:

This is my current sanitized running config:

Current configuration : 10024 bytes
! Last configuration change at 08:08:17 NZST Thu Jul 19 2018 by mike
! NVRAM config last updated at 21:35:34 NZST Wed Jul 18 2018 by mike
! NVRAM config last updated at 21:35:34 NZST Wed Jul 18 2018 by mike
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
hostname Gateway
logging buffered 65535
logging console critical
enable secret 9 $9$3JnjQpR9JT50Sn$JLsMVFipNYhVK/xdt6uahIPXx87ZfnOiS8Yd36old6E
aaa new-model
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp …
I have created 26 new VLANs on a Cisco switch. But when I checked the spanning tree instances for those VLANs, I see a spanning tree instance for only 4 VLANs; for the rest of the VLANs I did not see any instance.

Below is the message:

INND-S-D-01-AUS#sh spanning-tree vlan 626

Spanning tree instance(s) for vlan 626 does not exist

Note: All VLANs are up. At present no ports are assigned to these VLANs.
Hi All,

I am facing an issue while configuring soft zoning for host and 3 par.
When I activate the zoneset on Switch1, the Switch2 zones deactivate and show 0 active paths on storage, and vice versa,
only for 3 par. Other zones for other storage are still intact on those switches.

I've got an HP MSA 1050 which has two controllers on the rear which have fibre connections (see image). I want to connect this to my network switch which is a CISCO 3560G Network Switch. What exactly do I need to connect it to the network switch so I can then attach it to my VM Host via the network?


Dear Experts, we are moving our Data Center in the next 2 months. What should we consider and take note in order to move DC smoothly?

Our environment:
- 4 x Server ESXi6.5 (HP Gen9)
- 2 x Routers Cisco 3925
- 2 x Core Switch Cisco 3750/3560
- 1 x Firewall Sophos XG
- 10 x Access Switch Cisco CE500
- 5 x WAP Cisco Meraki MR18
- 5 x Physical Server IBM x3650

Many thanks!
Hi All,

Have an existing Cisco stack of 7 switches, all POE. The power for POE on one of the switches failed, data still works. We're replacing that switch with a new switch and just want some basic steps to do so. We downgraded the new switch to match the IOS of the stack. Below is the current stack. Please let me know if there is anything else I need to be aware of when adding and removing a switch. Thanks,

Existing stack see stack properties below.
The priority of the master is 5 and all other switches are set lower
The new switch is set to 1 same as some of the existing switches, does that matter? or do I need to set the priority higher for master and assign a lower priority it for all other switches. If so, will I have to reload the stack?

Remove the switch
Power off and disconnect the stacking cables
 - commands -  no switch stack-member-number provision type. Is this step necessary?

Add new switch
Ensure IOS is same as stack
Ensure priority is lower than the master on the stack
 - command - switch stack-member-number provision type. Is this step necessary?

 1       Slave     0017.94b1.1780     1         Ready
 2       Slave     0017.94b5.c700     2         Ready
 3       Slave     0017.94b5.fa80     3         Ready
 4       Slave     0017.94b5.bd00     4         Ready
*5       Master    0017.94b5.d000     5         Ready
 7       Slave     fcfb.fbd5.ca80     1         Ready
 8       Slave     001b.2b65.0500     1         Ready
I would like to know if I am on the right track.

I have a webserver directly connected to a DMZ interface on the active ASA5525X of the active standby failover pair. The failover is configured via another interface.

Right now, if the active ASA fails, the secondary will kick in but this webserver will not be accessible from the outside. What I plan to do is create a VLAN on a switch and plug in the webserver and the DMZ interfaces from both the active and standby ASAs into ports configured for that VLAN.

What am I missing? I do not plan on configuring an IP address for that VLAN or setup any sort of special routing. The only route on that switch is the ip route 0 0 gateway. The ASA DMZ interfaces are configured as ip address standby The webserver is The webserver uses the as the gateway.

When the active ASA is active, the webserver sees it as What happens when the ASA fails over to the secondary? Will the webserver still see the ASA as Or is there routing to be configured on the switch?

Thank you.
Scenario 9
This article is about building Dynamic Multipoint VPN tunnels in Cisco CSR1000V router with IOS XE. There are two CSR1000V hub routers configured with single tier Phase 3 DMVPN Cloud.
Dear Experts
We have a hosted application on-premises which is behind the firewall. The application runs on Ubuntu 16.4 server OS with the components apache2, mysql5.7, php7.x. This application has to be accessed from the external network (through the internet) which is located in other county from their office where the users will be behind the firewall. We have to allow access to them, hence I have asked them to share their gateway IP so that I can enable access only to this IP. Our hosted application by itself has authentication; however, we would like to add one more layer of authentication, but the remote users will not accept any client software installed on their local systems like a VPN client or OTP SMS, or pass code call back. They only prefer web based access to the hosted application and they are okay if we send the second level security pass-code to their official email so that finally we can achieve 2 levels of authentication, which is in addition to allowing only their IP to connect to our network. Following were my recommendations:
1.      Over internet (leased line circuit) Site to Site VPN between their firewall to our firewall so that end users will not have any additional efforts or vpn client not needed, this they denied as their IT policy does not permit to configure their side firewall
2.      Suggested MPLS VPN between their work location to our network but this also been rejected.
Now I am thinking of some solution like placing the Cisco ASA SSL VPN…





