Cisco

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

I had this question after viewing Cisco SG300-28p inter vlan routing.
0

I am new to VLANs; I have a single Cisco SG300-10. How do I configure 3 VLANs to create 3 separate networks which can communicate on the one SG300-10 switch? It would be nice to provide internet access as well. I cannot tell step by step how to do this. I have read the posts, but none match up point for point with the SG300-10 interface. Not sure whether to use General or Trunk, Tagged or Untagged.

I am creating 3 VLANs on the SG300-10
VLAN 1 = default 192.168.1.254 on GE1
VLAN 10 = 192.168.0.250 =GE3-GE5
VLAN 20 =172.16.20.250 = GE7-GE9
VLAN 30 = 192.168.77.250=GE10

How should the ports be configured so the hosts on the VLANs can communicate with each other? I keep reading the inter-VLAN routing should happen automagically, but it is not happening.
0
Hi all,

I have a very large network at my work and I need a tool that I can run in order to build a full diagram of my network,
and to show me all the firewalls, switches, endpoints, etc.
0
So we have an ASA5506 that is currently co-managed by two internal departments (long story).  Because of this we're currently using Duo two-factor auth with AAA for SSH access/management (user authenticates with username/password and then must accept an SMS push on their cellular device as well).  Normally we use Solarwinds NCM to automate backup device configs daily via SSH with a specialized service account, but because of the mandatory two-factor we can't use this method on the shared ASA.

I might be able to push our SecOps team for the ability to create a single non two-factor SSH login specifically for config backups, but what other secure options are there that I'm not thinking of?
0
I placed a simple extended named ACL on my Cisco 3825.  Everything works except our alarm system.  It keeps beeping which indicates it can't communicate properly.  Here's the ACL I applied to the WAN interface IN:
Extended IP access list OurFirewall
    10 permit icmp any any echo-reply (1 match)
    20 permit tcp any any established (69546 matches)
    30 permit udp any any eq domain
    40 permit udp any eq domain any (2127 matches)

Really simple.  The only thing I have outbound is the numbered ACL that allows our internal IPs overload on external IP.  

According to the alarm company, the only thing it needs is a specific outgoing port, but as I said, there's no restriction on outbound traffic. Can someone see something I'm missing?

As a second question, could someone provide instructions on how I'd implement rules to prevent inbound and outbound torrent traffic?
0
I'm running older Cisco switches, 2960, 3750, etc.
I configured ntp via:
ntp server 192.5.41.40
Type: clock timezone PST -7 0

But I was thinking, I should use hostname instead, so I tried to use time.google.com, but I keep on getting a "translating" error.

Any ideas how to fix that?
0
Hi
I have new Cisco AP1852E APs trying to join an existing setup done by the previous vendor.
The new APs are joined to the controller, but after they are joined I'm not able to access the AP via SSH using its IP and also not able to set the time (via console).

I have 20 other APs (set up by the previous vendor) and I can SSH to all of them except the newly joined AP.

I understand that I may ignore this since the APs are joined, but why am I not able to SSH to those newly joined APs? How do I enable SSH?
And how do I set the time correctly on those APs? I tried the clock set .... command but it says unrecognized.
Please suggest.
AP image version is 8.3.122
0
When you use Microsoft PSTN calling - can you use your old Cisco 7945 phones provided you load them with the SIP firmware instead of the SCCP?
0
Aug 15 16:57:58 2017 router608d14 kernel: #warn<4> ACCESS_RULE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:be:d9:c1:2e:42:08:00 SRC=10.128.144.149 DST=10.128.144.255 LEN=247 TOS=0x00 PREC=0x00 TTL=128 ID=18415 PROTO=UDP SPT=138 DPT=138 LEN=227

Aug 15 16:57:58 2017 router608d14 kernel: #warn<4> ACCESS_RULE: IN=eth0 OUT= MAC=88:5a:92:60:8d:14:e8:50:8b:36:23:67:08:00 SRC=10.128.144.101 DST=199.193.204.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43496 DF PROTO=TCP SPT=50297 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
0
We are planning on standing up 2 Exchange 2016 servers. One in the Americas and one in Asia that would also act as failovers.
How can I set up the 2 IronPorts to differentiate between the two locations? Both would be serving the same domain.
0

Is there a Cisco fanless 12 port or 24 port POE switch, gigabit?
I installed a 3750G-24 port switch in my office and the thing is loud, starting to get annoying.

I need at least 9 ports with the uplink, hence the 12 port minimum.
0
We had a Cisco Catalyst 1900 switch die this morning and need to replace it. My concern is getting the right fibre connections. What will I need to do if I want to replace the 1900 with a Cisco Catalyst 2960?

Thank you!

Robert
0
My church has a C2851 that has 3 vlans.  It provides DHCP to 2 of those.  The other dhcp is provided by a windows server.  The server vlan never loses connection to the internet but the other 2 access the internet for a day or two then stop until I reboot the router. Below is the interface setup & dhcp pool.  Am I doing something wrong?

ip dhcp pool guests
   network 10.10.0.0 255.255.252.0
   default-router 10.10.0.1
   dns-server 8.8.8.8
   lease 0 12
!
ip dhcp pool Employees
   network 172.28.0.0 255.255.252.0
   default-router 172.28.0.1
   dns-server 8.8.8.8
   lease 0 12
!
!
interface GigabitEthernet0/1.100
 description Admin vlan 100
 encapsulation dot1Q 100
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.110
 description Employees vlan 110
 encapsulation dot1Q 110
 ip address 172.28.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
 description Guest vlan 200
 encapsulation dot1Q 200
 ip address 10.10.0.1 255.255.252.0
 ip nat inside
 ip virtual-reassembly in
0
I had an ASA 5510 and I copied the configs to a new ASA 5512, with some changes to the NAT. Everything works as on the ASA 5510; however, my LAN is very unstable. User connections time out to my LAN servers, and even remote users on the remote access VPN also experience network timeouts.

Please see below the changes on the NAT. Can anyone check if there is a problem with this statement that might cause my network instability?
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.17.0_25 NETWORK_OBJ_192.168.17.0_25 no-proxy-arp route-lookup
!
object network asy_server
nat (outside,dmz) static 192.168.32.199
object network HRIS
nat (outside,inside) static 192.168.0.100
object network ASY
nat (outside,dmz) static 192.168.32.199
object network BANKSRM
nat (outside,dmz) static 192.168.32.15
object network Hris
nat (outside,inside) static 192.168.0.100 service tcp 3040 https
object network Mails
nat (outside,inside) static 192.168.0.99 service tcp 3000 https
object network mails
nat (inside,outside) static 192.168.0.99 service tcp 3000 https
object network ob32-192.168.32.0
nat (dmz,vpns) static 192.168.32.0
object network obj-192.168.20.0…
0
I've been asked to turn on logging for code ASA-6-302014.  According to Cisco it's the Teardown TCP connection.
I have logging enabled and have set notifications for syslog ID 302014. I can't seem to get ASA-6-302014 to show in my log files, but I get ASA-5-302014. Is this the same thing?

Our ASA is a 5520 8.2(1) 

Thanks,

Eric
0
I have a Cisco ASA 5505 firewall. I allow RDP through to an inside address server.
Is there a log I can view to see which IP came in with the proper username and password?
0
Hello again!

I'm trying to find some sort of tutorial, or other information on the proper syntax and such for Nessus .audit files, specifically for Cisco products.

The "Nessus Compliance Reference" on Tenable's website doesn't explain nearly well enough the different meta-characters and their uses (i.e. ^, $, bracketing), nor does it explain how Nessus looks at IF/OR/AND statements.

Any help would be greatly appreciated!

EDIT: To explain better.

I understand the basic syntax:
<check_type: "Cisco"> 
  <item>
    type       : CONFIG_CHECK
    description: "Enable password is set and encrypted"
    info       : "Check to see if the enable password is encrypted"
    item       : "enable secret [^ ]+"
    required   : YES
    severity   : HIGH
  </item>
</check_type>



But the part on line 6 after ENABLE SECRET is part of what I don't understand (I am having to rewrite an .audit file to suit my organization's needs).

Another example of stuff that I'm attempting to do, but not understanding how:
<if>
  <condition type:"OR">
    <item>
      type        : CONFIG_CHECK
      description : "Check for aaa auth login default"
      info        : "The network element must have DNS servers defined if it is configured as a client resolver."
      item        : "ip domain-lookup"
      item        : "ip name-server [^ ]+"
      severity    : MEDIUM
    </item>
    <item>
      type        : CONFIG_CHECK
      description : "Check for aaa auth login default"
      info        : "The network element must have DNS servers defined if it is configured as a client resolver."
      item        : "no ip domain-lookup"
      severity    : MEDIUM
    </item>
  </condition>
  # The <then>/<else> branches close the <if> block: if either item above matches, the
  # OR condition is true and the PASSED report fires; otherwise the FAILED report fires.
  <then>
    <report type:"PASSED">
      description : "DNS resolver configuration check"
    </report>
  </then>
  <else>
    <report type:"FAILED">
      description : "DNS resolver configuration check"
    </report>
  </else>
</if>



What I'm aiming for is that if either one of those checks is positive, then the system has passed that particular audit, as both of those will meet the requirements.
0
Hello,

I got a "new to me" Cisco 3825 to try to fix some capacity issues our old router is having.  It's a consumer grade Linksys router.  I've tried to duplicate the connection settings, but I cannot make it out to the internet.  From a host on the connected switch I can ping various LAN points.  However, I cannot even ping an external IP, such as 8.8.8.8.  

Following is the show run:

Router1#show run
Building configuration...

Current configuration : 1625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$fi/i$a3lQyNfFM/KRdVN7KFGuy/
enable password <password>
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool DHCP
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1
   dns-server 8.8.8.8 8.8.4.4
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
voice-card 0
 no dspfarm
!
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description WAN
 ip address <external IP> 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
!
interface …
0
Hi Sir,

I would like to ask for your help with the problem listed below:

[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

Hoping that you can help me resolve this matter.


Thank you in advance.
0

Hi All

I have had the Cisco ASA5505 set up as the firewall for my company for about 3 years. Without issue, I have been able to use Cisco AnyConnect to connect remotely to my network, etc. For some reason, I now get a message stating "anyconnect not enabled on the vpn server". My sh run webvpn is below.

Free memory:        71697768 bytes (27%)
Used memory:       196737688 bytes (73%)
-------------     ----------------
Total memory:      268435456 bytes (100%)
5505ASA# sh run webvpn
webvpn
 enable outside
 anyconnect-essentials
 svc enable
 tunnel-group-list enable
5505ASA#
If I go through the ASDM wizard and attempt to install the SSL VPN via AnyConnect, I get an error as shown in the screenshot below (File write error, check disk space), which I am not understanding, as the cache-fs they say to use does not exist.

It's a small office, with only the anyconnect, asdm, and asa.bin files on it and a small running config, so I am lost as to why I cannot add AnyConnect, especially when it's always worked.

sh disk 0 is also shown below.

5505ASA# sh disk
--#--  --length--  -----date/time------  path
    3  4096        May 17 2013 13:51:48  log
   13  4096        Aug 13 2017 15:29:23  coredumpinfo
   12  4096        Aug 29 2009 07:33:22  crypto_archive
   97  16459776    May 17 2013 13:47:00  asa822-k8.bin
   98  11869456    May 17 2013 13:49:32  asdm-625-53.bin
   99  35167466    Mar 03 2014 10:04:32  anyconnect-win-3.1.05152-k9.pkg

127111168 bytes total …
0
Hi again everyone -

So sorry to be a pest. Now that I have my ASA 5505 up and running with successful Internet access by devices on my LAN, I can't seem to get my DMZ to gain internet access. Nor can I get a simple IPSec site-to-site VPN to work.  This is really frustrating as the ASA on the other side already participates in another separate site-to-site VPN (setup by me) which works just fine.

I have looked at NAT rules and access rules and can't seem to find the difference. The only thing I did differently on this VPN was try Diffie-Hellman Group 1, as the Group 2 settings didn't work.

Below is the sanitized config of the ASA that has a working DMZ and a working VPN as well as the non-working VPN.  I have replaced my static public IP with xx.xx.xx.xx and the peer IPs in the VPNs are vv.vv.vv.vv for the one that works and ng.ng.ng.ng for the one that doesn't work.

I will return to this post momentarily and add a comment with the running configuration of the ASA at the other site.

Thanks in advance for any help.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password /zzzzzzzzz encrypted
passwd zzzzzzz.zzzz encrypted
names
name 192.168.1.0 dmz_outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 
0
Hi
Someone must be using "route based on physical NIC load". I wonder how the uplink physical ports should be configured? LACP/LAG, or whatever the Cisco term is.
We have Cisco 3850.
0
Dear Experts,
I have had an issue lately after upgrading the email security appliance. All outbound mail is using my Cisco firewall interface IP and often bounces, as my email server's public IP is different. The email appliance is a Sophos EA.
My email server public IP is 86.xxx.xxx.197
Cisco FW ASA interface public IP is 86.xxx.xxx.196
There is no option on Sophos to change the outbound IP address; it takes the primary (internal) IP.
On the Cisco I have all SMTP traffic going out via 86.xxx.xxx.197, but traffic from the Sophos EA still goes out via .196.
What should I do on the Cisco ASA to make Sophos (internal IP 192.168.1.88) use 86.xxx.xxx.197 for all outbound traffic?
0
I have an ASA with FireSIGHT installed, and it appears that streaming out is being blocked. We use a BoxCaster device. I was wondering how I can allow the IP or MAC outside unrestricted.
0
For a few years, I've been running Cisco AnyConnect 3.1 because their latest version, 4.2, causes blue screen of death (BSOD) driver corrupted expool errors whenever I use it.

This page on their site talks about this being a known bug.
https://quickview.cloudapps.cisco.com/quickview/bug/CSCuy01698

However, as of this morning, they have decided to auto-update me to 4.2 and now the nightmare has started all over again.

I've uninstalled and reinstalled twice now, hoping to figure out how to stop the auto update. There are messages about using the anyconnectlocalpolicy.xml file to turn off auto updates:
<BypassDownloader>true</BypassDownloader>

However, that does not exist in my directory, so that must be applicable to an older version.

I find NOWHERE that this bug is fixed. And since it is auto updating, I would think it would go all the way to the fix if one existed.

Can anyone tell me how to stop this nightmare? Either stop it from auto updating? Anything in my control panel area that allows me to stop apps from updating? Or anything?

thanks!
0
