Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

I'm working on a solution as a vendor for a deployment model for Cisco NGFW with the following interests:

• east-west traffic inside the server farm for stopping malware lateral movement
• user (access layer) to server farm for policy control, e.g. AV, IPS etc.

Constraints / Concerns:
• Currently there is no L4 policy control or firewall in place; the network topology is flat.
• Don't want to buy a layer 3 switch for inter-VLAN routing.
• Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.

Concerns from the vendor integrator perspective:

• Between application-to-application or app-to-DB server, such traffic can be best addressed with an ACL defined at ACL; no botnet, malware exploits or spread from server to server per se. The use of IPS and AV inspection will be counter-effective.
• Further, the connection between app and DB is heavy traffic; the firewall will be kept looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
• Terminate access to the server farm ONLY at a layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).

I'm looking for your assistance on whether there exists a Cisco validated design either for or against the above solution. Thanks.
I have a user that is trying to connect to my VPN device using AnyConnect with his Windows 10 Surface. He used to be able to do it a month ago but now he gets this error every time (attachment). He has connected to his wifi at home and even to a McDonald's wifi and still gotten the same error. I turned off his firewall to see if that was causing an issue but that didn't help. Does anyone have anything I can try to fix his VPN connection?
I'm trying to replace a Cisco 887 with an ASA to connect our CoLo Cisco 4321 router via a VTI tunnel. It looks like I have everything configured properly but my Tunnel interface on the ASA will not turn up. Line and protocol are both down. When I debug you can see they are trying to establish a connection:

  Initiator COOKIE: e7 4e 84 d4 08 39 37 d1
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 204
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 96
    DOI: IPsec
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 84
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 2
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 2
Using a Cisco ASA 5555 with the AnyConnect SSL client and split-tunneling enabled, how do I force an inside tunneled route to an FQDN so that the AnyConnect client tunnels through the ASA and presents the egress IP of the ASA to the destination? I've read conflicting results when adding an FQDN to an ACL as a secured route. It would be easier if the host had a single static IP address, but it's behind an AWS load balancer so the IPs change. Am I even making sense? On a scale of 1-10 representing my knowledge of ASAs (where 1 = WTF is an ASA, 10 = I configure ASAs in my sleep) I'd say I'm at about a 4.
Main office A and office B have a VPN tunnel between the two locations via a Cisco RV325 at both locations. The VPN stays connected other than occasional drops. We recently configured VPN clients using Netgear VPN client software. When the clients connect to the VPN, the tunnel between Office A and B is dropped. The client that is connected via the VPN software can open the tunnel but can't access any of the network resources. If the 325 is rebooted the connection is restored between office A and B. Cisco is updated with the latest firmware on both units.
I am not an expert in Cisco. I am just configuring VLANs in my network.
I have created 2 more VLANs other than the native VLAN: VLAN 9 with IP, VLAN 10 with IP and VLAN1 (default) with
Now VLAN9 can reach VLAN10 and VLAN10 can reach VLAN9. But VLAN9 and 10 cannot reach VLAN1 IPs. Now I would like to have communication between all these VLANs.
I would like to route all traffic to the Fortinet firewall except internal IP traffic. Attached configuration.
Is there anyone who can guide me on how to have inter-VLAN communication as per best practice?
I am not an expert in Cisco. I am just configuring VLANs in my network.
I have created 2 more VLANs other than the native VLAN: VLAN 9 with IP and VLAN 10 with IP
Now VLAN9 can reach VLAN10 but VLAN10 cannot reach VLAN9. Is there anyone who can guide me on how to have inter-VLAN communication as per best practice? Attached configuration. Once I am done I need to configure traffic to the firewall for internet access.
Hi everyone

Hope you can help

I have a parent/child domain test environment - I'm trying to block specific ports between the parent/child clients

So parent domain clients are on child on

My ACL looks like below:

ip access-list extended DENY_FILE_AND_LDAP
deny tcp any 139 ace-priority 20
deny tcp any 389 ace-priority 40
deny tcp any 445 ace-priority 60
permit ip any any ace-priority 80

This is bound to the child domain VLAN:

interface vlan 20
ip address
service-acl input DENY_FILE_AND_LDAP

I'm trying to block those ports from being open on the child domain clients but it doesn't seem to be working

Port 389 is LDAP

Ports 139 and 445 are Windows file share

It's not working

Any thoughts?

Dear Experts, I saw this error in the logging of a Cisco Router C3925. Could you please suggest and explain?

The Src address is the public IP address of this router (and it was hidden); the Dest address is the access point's private IP address. This is a diagram:

ISP --------- Router C3925 ------------ Core switch 3750 -------------- Access switch 2960 ------------- Access point Meraki

Many thanks as always!
I have a Cisco 3845 running 15.1(4)M12a.

It is consistently running at 85%+ CPU utilization. Here is an image of what we see:

I do not see anything over 1%. Any ideas what else can be causing such a huge tax on the CPU and how I can track it down?
We have a Cisco CISCO2921/K9 VG router in the office. It is unable to synchronize with NTP. Below are the outputs. Any help will be much appreciated.

INBUPPVG501#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 249.9984 Hz, precision is 2**24
reference time is 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 21.24 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000006402 s/s
system poll interval is 64, never updated.

INBUPPVG501#sh run | sec ntp
ntp authentication-key 10 md5 097A1F5C292928300A02032624362D 7
ntp authenticate
ntp trusted-key 10
ntp access-group peer 10
ntp update-calendar
ntp server key 10

INBUPPVG501#sh ntp associations detail configured, authenticated, insane, invalid, unsynced, stratum 16
ref ID .INIT., time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 1024
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15940.24
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50
precision 2**24, version 4
org time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
rec time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
xmt time DE520F2F.5A63DFE1 (14:19:51.353 IST Tue Mar 13 2018)
filtdelay =     0.00    0.00    0.00    0.00    0.00    …
I have a client who's got a Cisco 1921 and they are upgrading the internet to a fibre connection with a static IP.
Is there an easy way to configure it? Is there a GUI setup for this model?
May I have the steps to change this?
By the way, they are going to connect to Fibre 400, which could give them up to 400 Mbps. Can this router handle this? The spec seems to be OK but a friend of mine said this model is good up to 100 Mbps only. Is that the case?

Our Cisco guy is on holiday for two weeks and I personally have no experience with this Cisco, so I'm struggling...

Any help is much appreciated.

Hi Community.

We are deploying a 10Gbps connection between two of our locations.

To establish the connectivity we are using a C3850-24XS with IP Services either side of the circuit.

We need to establish multiple routing domains (distinct routing tables) to separate trusted and untrusted traffic. With this in mind we were thinking that it would be best to establish a trunk between the sites and use Vlan SVIs between the two sites, using /30 IP addresses either end.

I need to restrict the amount of bandwidth for each routing domain and was wondering if I could enable shaping for traffic egressing the Vlan from either side of the connection?

I can't find a lot of information regarding this in the design guides or forums. There is lots of information related to physical interfaces and sub-interfaces but not a lot relating to SVIs.

Is this even possible?

I have a Cisco router RV016 with two WANs configured and working fine. My problem is that some sites, like banks, block access when the connection changes from the WAN1 IP to the WAN2 IP. How can I configure the router to use either WAN, but stay on that WAN without changing until another connection?

I am moving 15 voice/data lines from a Netgear switch to a Cisco SG200 managed switch. The voice is web based. I have only 1 VLAN on the Cisco switch, which is the default VLAN1. I can connect the Cisco switch to the Comcast router and can log in to both.
When I move an Ethernet connection from the Netgear port to a Cisco port, the router sees the move, as does the Cisco switch when I log in to both. My problem is correctly configuring the voice on the VLAN. I have tried Auto Voice VLAN with the Smartport; however, I'm not getting anywhere, so I'm missing some things, I'm sure.
I have been in IT for quite a while but the majority of my experience is in hardware repair, desktop support, some Windows server management and basic network configuration and setup. I've never worked with a managed switch before or VoIP, and while it's over my head I'm confident that I can get this with some assistance. (It took me quite a while to get as far as I am.)
Any help would be greatly appreciated as always.
Will this work for a Cisco Expressway install using an IOS router as firewall?

interface GigabitEthernet0/0
 description Internal LAN
 ip address
 ip access-group OutboundInternet in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description Fiber Internet Connection (Primary internet access)
 ip address
 ip access-group Internet in
 ip nat outside
 ip nat enable
 ip inspect HQ-INPECT-OUT out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex full
 speed 1000
 ntp broadcast client
 crypto map VPN
interface GigabitEthernet0/2
 description EXPRESSWAY
 ip address
 ip nat outside
 ip nat enable
object-group network LocalEXPRESSWAY
object-group network RFC1918Private

object-group service VOIP_DMZ
tcp 80
tcp 443
tcp 22
tcp 161
udp 123
tcp range 3000-35999
tcp 389
tcp 636
udp 514
udp range 3000-35999
udp 1024
udp 53
tcp 6970
tcp 8443
tcp 7400
tcp 2222
tcp 7001
udp range 36000-36001
udp 3478
udp 1024
udp range 36002-59999
tcp range 25000-29999

ip access-list extended Guest_2_WAN
 permit tcp object-group LocalEXPRESSWAY any

ip access-list extended privateToPublic
 permit object-group VOIP_DMZ …
Here’s the design in bullet form:

• The existing core switching is 1-Gbps (a couple of Cisco Catalyst 3650 48-port stacked switches, almost at full density), and the new 10-Gbps switches are Cisco Catalyst 3850 SFP+.
• The 3850s have UCS servers (as well as Veeam backup, etc.) connected at 10-Gbps, but are connected to the core switching at 1-Gbps.
• The 3850 SFP+ interfaces connecting to the core 3650s are configured for 1-Gbps operation.
• The core 3650s are connected to ASA firewalls at 1-Gbps, which provide a DMZ for externally-facing applications.

It turns out that a majority of server-to-server traffic is between internal SQL instances and public resources (web & application tiers) in the DMZ, so the traffic goes 10-Gbps from ESXi to the 3850s, then has to be sent over 1-Gbps to the core 3650s towards the DMZ. When we first tried to cut over to this deployment, all server access pretty much stopped. Troubleshooting revealed that the outgoing interfaces on the 3850s were exhibiting an extremely high number of interface drops/discards. Since then, the customer is only extending very limited backup traffic (a couple of small applications) over these connections, and the interface discards are still outrageously high. (Not sure if related, but the 3850 switches are also running unexpectedly high CPU utilization of 70%, and again, aren't handling most of the server traffic yet.) As you can see in the design diagram below, the ESXi environment still has multiple 1-Gbps …
I am using a Cisco ASA 5505 Sec Plus Version 8.2(5). My ISP has provided me with two subnets. The first is a WAN /30 which provides the peering between my ISP and the outside interface attached to the ISP handoff. The second IP subnet is a LAN subnet, a publicly routed /28. I have assigned the single usable IP from the /30 to the outside interface of my ASA to access the internet. I am able to route the /28 as needed through ACLs and NATs. I am installing a hosted VoIP system that needs to assign one of the IPs from my /28 to its WAN interface. Normally I would just use a layer 2 switch and set this device up parallel to my ASA. Since everything is behind the /30, however, this is not possible. I must place the VoIP device behind my ASA. So I need to route incoming traffic being sent to a specific IP in my /28 block to the VoIP device behind my ASA. Let me know if additional details are needed. Thanks.
Two Cisco switches are connected via a trunk port. I can ping all VLAN gateways from the core switch, which has got the route defined. On the second switch I cannot ping any of the VLAN IP addresses. This happened after a cable rearrangement. On the second switch I have clients connected via IP phones and they are working OK, however.

Any advice?

vlan 10 - 192.168.10.x
vlan 30 - 192.168.30.x
vlan 20 -192.168.20.x
vlan 80 -19.168.80.x

The gateway of last resort is set up on the main switch so it can see all VLANs allowed via the trunk port. I can't see any problem with the cabling either.

Both are Cisco switches.
Hi Everyone,

I was wondering if anyone can help or advise? Unfortunately I feel I'm running out of ideas at the moment, so if anyone can help it would be very much appreciated.

Recently I've set up a 365 hybrid deployment with Exchange 2013 to use AD SSO for our VLE and to gradually move over our organisation's users and decommission the Exchange server.

Unfortunately I'm having difficulties getting the Exchange Online connectors to communicate correctly with our on-premise. After using the Hybrid Deployment wizard the connectors are set up automatically but point to our council/ISP TMG server. As the connectors require a direct connection, I have asked them to set up a public IP/address for our on-premise Exchange server for the connector to use. When trying to validate this connector I receive the error log:

450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=*server*] [LastAttemptedIP=*ip*] [**]

There are Cisco routers but I have been advised that no SMTP inspection is taking place between any of the routers. Using telnet on my desktop to our on-premise shows that STARTTLS is there, but when trying it from our offsite backup server it shows the following:

250 - *on-premise exchange* hello [IP]
250 - SIZE 104857600
250 - DSN
250 - 8BITMIME

We have a Sonicwall NSA3600 …
I have a Cisco 3650 running 16.3.5b LAN Base. I want to disable the login but prompt for the enable password when connecting via the console cable. I am using AAA for SSH access. The "no login local" command isn't an option.

aaa group server tacacs+ Clear_Pass
 server-private XXX.XXX.XXX.XXX timeout 3 key 7 PASSWORD
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface Loopback1
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

username cisco privilege 15 password 7 CISCO

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 privilege level 15
 logging synchronous
 transport input ssh
Cisco Site to Site VPN Authentication

I would like to know, for instance, I have 2 separate companies ... CompanyA and CompanyB linked by a Site-to-Site VPN. Users from CompanyB are supposed to remote in and use applications in CompanyA.

In this case how do you make a user from CompanyB authenticate to CompanyA and use their resources? Do they need the Cisco VPN Client? If so, is CompanyA able to add additional factor authentication, like an RSA token, or is it not necessary? Worth mentioning that CompanyA uses Active Directory.

Any clarification will be very much appreciated.

Thank you
Need assistance in getting into this switch that someone before me attempted to configure.
Cisco ASA 5505 and 5506-X Multiple Site-to-Site VPN Question -

I am trying to figure out how to do this, config-wise.

I have multiple sites and am trying to accomplish the following for ease of use and licensing.

We have our main office (MAIN -

We have branch office (B -

We have branch office (C -

Looking to get hub and spoke configured so that only branch offices have to VPN connect to the main office rather than mesh VPN (we have a lot more offices).

Currently we have some set up as MESH and I am trying to change over to hub and spoke so that BRANCH B and BRANCH C can talk to each other without having to be connected directly to each other.

Anyone have a config example? I have tried setting this up but I am at a loss -

I have added the IP networks to the access-list and added them to the VPN as well.

NO traffic getting through for branch to branch.
I have configured RADIUS authentication using IOS 12.4. I'm very new to the RADIUS configuration using IOS 15.3. I have a Cisco Catalyst 6807-XL switch which I need to configure to authenticate using RADIUS but it doesn't seem to work. The authentication using local database works fine though.