






Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I work in a hospital. We use the Stratus iPad app for interpretation.  We have a guest internet circuit that these iPads are on.  The circuit was recently upgraded from 35 Mbps to 100 Mbps. No other changes that I know of. Around that time the Stratus app stopped connecting. There is an ASA 5505 on this circuit, but only default config is enabled.

I took the iPad home and the app worked fine on my home wifi.  I have contacted the vendor and our ISP. Both claim it must be a firewall issue, but nothing has changed.  Any ideas?

The problem occurs when the computer is restarted or turned on, causing loss of IP. It is reviewed and there is an IP that starts with "169. ..." or that is duplicated.

This problem occurs with both static and dynamic IP addresses (dhcp).

It is solved by disabling and re-enabling the network or reconnecting the network cable.

The problem occurs in different computers, especially in win7.

The DHCP server is a Cisco 3650x

We await your help, thanks.

We have a cisco2701 router.
A few days ago our monitoring system showed the following message:

Channel      Last Value
Fan 1 State      Shutdown
Fan 2 State      Shutdown
Fan 3 State      Normal
Fan 4 State      Normal

01/16/2018 11:44:16 Down, Error by lookup value 'Shutdown' in channel 'Fan 1 State' - Error by lookup value 'Shutdown' in channel 'Fan 2 State'
01/13/2018 01:45:15 Up, Normal
01/13/2018 01:44:15 Down, Error by lookup value 'Shutdown' in channel 'Fan 3 State'
01/13/2018 00:20:15 Up, Normal
01/13/2018 00:19:15 Down, Error by lookup value 'Shutdown' in channel 'Fan 4 State'
01/11/2018 12:56:31 Up, Normal

If I check the environment status in the router I get the following:
        Fan 1 is believed to be working
        Fan 1 RPM is 11660
        Fan 2 is believed to be working
        Fan 2 RPM is 11660
        Fan 3 is believed to be working
        Fan 3 RPM is 11660
        Fan 4 is believed to be working
        Fan 4 RPM is 11660

Is there a known issue related to the fans?
Since the 4 fans have failed randomly and all of them are connected to the motherboard... could this be a motherboard issue?

I appreciate your assistance.

I'm looking for some advice on my network up-link configuration.

I have a single Cisco 6500 series acting as a core/distribution switch in my network. It's equipped with dual Supervisors and multiple 1gig line cards.

My access switches are primarily Cisco 2900 Series in a stacked configuration.  Each switch stack has 2 up-links back to the 6500 Core and I am curious what the best approach to configuring these up-links is.

Should I port-group these trunk links and create a cross-stack Etherchannel? Does this have any implications / downsides?
Or should I simply leave them as independent up-links and allow Spanning-Tree to control them?

Hi Support

Previously we were able to access the Cisco ASDM in the wireless segment, and due to the cut-off of the MPLS the wifi broke down.

Now we are trying to access the Cisco ASDM in the client VLAN, which means we are able to ping from the client desktop to the firewall.

How do we allow the traffic from the client VLAN to reach the Cisco firewall? Correct me, I believe it needs to be allowed in the Cisco firewall for the client VLAN to reach the Cisco ASDM.

I have a network with many VLANs configured and one of them is my WLAN for Guest network that has no access to any of the other VLANs.  I need to allow for a couple of URLs (public IP) to allow to connect back in.

I am not sure if this is something on the VLAN or at the ASA.  

I am not sure what information you will need to assist so please let me know and I will supply.

NOTE: I am very green when it comes to Cisco cli so please be patient
We currently have a fairly simple set up, we have ONE public Web Server IP.   Our In/Out path is ISP line to our Cisco ASA/Firewall to our Host Server.    We use Static IPs from the ISP.   Our objective is to achieve highly reliable access to our Web server.  

We are looking at a solution such as DNSMadeEasy + DNS Failover.

Would the following plan work?
1) We'll acquire a new ISP #2 service as backup for our ISP #1 service.
2) We'll acquire a new Switch. On site at our location we'll plug the two lines from ISP #1 and ISP #2 into the new Switch.
3) Run a single line from this new switch into our existing CISCO ASA router, and add configuration rules to Cisco for the new source IP addresses to mirror the rules already there for NAT, port forwarding, etc.

Any recommendations would be appreciated!
So here's the setup

I have a new open mesh POE switch I'm trying to plug into an existing 2960 so that we can plug in some OM APs to it.  I can plug in the OMS8 switch into the Cisco with the Cisco switchport in access mode for the VLAN we want it on. I can run an IP scan and see that the switch indeed gets a DHCP lease, I can go to that IP in a browser and get the admin interface (not allowed to log in). But the switch never checks in with cloudtrax.  I have 4 other APs on the same subnet that check in fine, so I don't think content filtering (as suggested by their support) is the issue, though they say the switches check into different servers than APs.  So here's the setup


Is there a way I can search for that MAC on either the 3650 or the ASA to see if it's getting filtered?

Dear Experts,

I went to the cisco website to find the latest firmware for my client's router.

Currently the firmware is isr4300-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin

In the downloads, I found:

- 3.13.8S(MD)
- 3.13.7S(MD)
- 3.13.6aS(MD)
- 3.13.6S(MD)
- 3.13.5S(MD)
- 3.13.4S(MD)
- 3.13.3S(ED)
- 3.13.2S(ED)

I deduce that my client is using 3.13.4S(MD)

My account does not allow me to download 3.13.8s(MD) but I can download 3.13.7S(MD). However, I am not able to review the version's release note: I clicked on the release note link and it brought me to https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-3s/products-release-notes-list.html where I do not know which document to look at, as I cannot find the release note for 03.13.7S.

Can anyone please help me on this?
I am putting together some phone equipment and servers in a datacenter cabinet.  The datacenter is providing us a redundant router connection using HSRP.  The cabinet has two Ethernet cables: primary, secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch then patch that switch into an external interface on the firewall.  After so many attempts I am trying to remember but I think the path to the internet was broken when BOTH router cables were plugged into that switch.  I am going back to the datacenter tomorrow to try more things but I wanted to get some input from you guys first.  I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site.  Basically they gave me a \29 subnet and …

Hey Experts, we have a Digium Switchvox VoIP Server. This past weekend our local power company had to upgrade our facilities power. We gracefully shut down everything Friday night, power was restored yesterday afternoon. This morning we have half of our phones not working as they cannot get an IP now. Our LAN and VoIP LAN are attached to our SonicWALL NSA2600, we have 3 Cisco SG500-28-p Stacked switches. What we have found so far is that any phone connected to the Master switch will not get an IP for the phone. Each desk has 1 Ethernet drop, that goes into the phone and the workstation plugs into the phone. The workstations all work fine to phones that don't work. We have rebooted the switches for good measure and nothing changes. Hoping someone can help shed some light on what the problem is.

Here is how the config on the sonicwall looks for the interfaces
Interfaces on SonicWALL NSA2600
Here is the Stack.
SG500-28P Stack
Hi all,

I have requested an additional IP address block from my ISP so that I can assign a public IP directly to my VOIP server. I have received and added a nat statement to my router as follows

ip nat inside source static XXX.XXX.XXX.XXX (being one of the static IPs assigned by our ISP)

I can establish a SIP session with my server from outside however still get no audio either way. I ordered the additional IP so I could NAT everything from the external ip to the server to avoid this exact issue however it hasn't worked. To me it looks like no traffic is going back out the nat statement as the debug always shows 0 packets going out but plenty going in

*Jan 15 15:32:53.900: NAT*: s=, d=58.XX.XX.X-> [46336]
*Jan 15 15:32:53.960: NAT*: s=, d=58.XX.XX.XX-> [28621]
*Jan 15 15:32:54.208: NAT*: s=>58.XX.XX.XX, d= [0]
*Jan 15 15:32:54.212: NAT*: s=>58.XX.XX.XX, d= [0] is my handphone on 4G  
58.XX.XX.XX public IP
Any help appreciated

I currently have 1 PRI configured on my voice gateway router.  We have had a few instances where we have had 20-21 simultaneous calls at a time, and as you know a single PRI only allows for 23 simultaneous calls.   I am looking to get another PRI from the same telco.  How does this work?  I have another T1(PRI) port on my router, which will be used to connect to the 2nd PRI, but how does it work on the telco side?  Do they trunk the two PRIs together, so I can now have 46 simultaneous calls?  We are going to order another block of DIDs with this new PRI as well.  So right now there are 39 numbers associated with the first T1, and I'm not sure yet how many we are going to get with the second block.    Does the telco tie these two PRIs together somehow, so both PRIs can share all the numbers?

Hi there, we have started using Meraki devices. While we are very happy with the switching and the wireless solution we are struggling a little with the firewall part of the solution.
Among the many problems we are facing there is one which is more urgent than the others, the Active Directory integration with group policy.

I have successfully followed the documentation found here:

The AD servers have been added, I've got a green tick on the status and I'm able to query LDAP getting the required security groups to be added to the policies (See AD Authentication Screenshot).

What I have done is put one AD user in a specific Security Group in AD and build a single rule to block a website, and it doesn't work; also on the policy list I cannot see any client added (see Policy Screenshot).
If I manually assign the client to a policy (selecting the clients from Network-wide -> Clients) it works.
This makes me think that although I have followed the documentation and the diagnostic page for AD integration says green light, the AD based authentication is the problem. Also, I don't use the splash screen to authenticate the users; I don't know if it is a requirement but I'm not willing to use any splash screen.

Can someone help me?  

Both my Cisco Virtual Wireless Controller and Windows Server 2012 serving as the RADIUS server were rebooted after another admin updated the VMware tools on them. I started getting calls that users (laptops and mobile phones) could not connect to the wireless.

Checking logs on my vWLC console I saw a lot of: AAA Authentication Failure for Client MAC: 54:7c:69:49:ca:1e UserName:<USERNAME> User Type: WLAN USER Reason: Authentication failed

Checking NPS logs on the RADIUS server I started seeing information entries like this: 'The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.' and 'Reason The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.'

Application logs showed similar 'information' entries: Negotiation failed. No available EAP methods

I'll paste the full log entries below as well as screen shots of my Radius Client settings as well as Network Policies as well as Remote Connection Policies. After extensive Googling, most fixes point to a cert error; my cert doesn't expire until 2019 so I don't think that is the problem, but I'm not an expert at this.

I have a mail server on the inside of my network, I have established all of the ACLs and NAT Statements on the ASA and traffic is flowing correctly inbound. However when the mail server sends traffic outbound (to external networks) it uses the ASA Primary IP on the outside interface. I would like to force the outbound traffic to external networks to use a particular IP Address (the one that is NAT'ed) for SMTP. As the NAT Statements are already in place and functioning is this a matter of using an extended ACL? If so how should it be constructed? Thank you in advance for the assistance.

When I try to log in to VPN through Cisco Anyconnect VPN Client from a Windows XP machine, it says the following message: Connection attempt failed. Please try later. Even though I have enabled 3DES-SHA1 or RC4-SHA1 algorithm on my firewall.


I'm helping a small school with limited resources set up some Cisco APs in their network. We want to keep the wireless devices outside of our internal network via a separate VLAN. I've had difficulty setting up this environment and could use some help.

- Some older Cisco 720i APs
- A handful of old Cisco Catalyst 2960 Switches
- An APU2C4 appliance running pfSense acting as our Router/Firewall

What I tried:
I don't have much experience with the Cisco CLI, so I've been trying to set up as much as possible on the APs themselves via their web interface. APs have VLANs set up with an open SSID. I tried associating the ports these APs are connected to on the Catalyst 2960 switches with the VLAN we want to use. Also tried to use DHCP Relay (or "IP Helpers" in Cisco-speak) on the pfSense appliance and setup IP helpers on the APs, but I really have no idea what I'm doing at that point.

Any advice on how to actually get this done? Commands and step by step guidance would be greatly appreciated.
Hi there,

I have a 2504 WLC at a remote site overseas currently on code  I need to update the code on it due to the KRACK vulnerability, but wasn't sure what the best route was to go on this. Cisco's suggested release is (ED), but I'm hesitant to downgrade the code as I've heard some horror stories (losing configs, etc.) and I don't have an onsite resource there in case things go to hell.  Cisco TAC's recommended 8.3 release is would I be better off just upgrading to that version instead?  Would that be safer for a remote update?

Any input is appreciated, thanks!

We have a small network in the office with a Cisco router and switch,
and we want to set up a VPN and allow 5 directors' homes to directly access our network.

Can you share with me some suggestions so I can start?

OK don't laugh. I have a 9 year old Cisco call manager which has run flawlessly for the last 9 years.

Recently it has developed a problem, since it has been end of life'd by Cisco they will not help me with this issue.

Here is the problem.

When a user goes to listen to their voice mail, everything works properly it will tell them they have "X" amount of messages, To listen to your messages press 1...

Once they press one again it works as normal... Saying a message from.... sent on....

Then right when it would normally play that message,

a message will play that says.

"This message contains no recording."  
Then it will go on with the normal  to save it press 2 to delete it press 3

No matter what option you select the next message played is.

"This system is temporarily unable to complete your call, call again later, good bye."

On the previous step If you press 2, to save the message. And go into saved messages it is there.

Since I have 90 mailboxes and get over 200 messages a day this is becoming a huge issue.

I'm hoping someone here may have enough knowledge or could at minimum refer me to someone who can help me band aid this until I can work on a replacement plan...


Here are some version screen shots.

Show Hardware

Show System

We have a single catalyst 4500 in our datacenter. It's a WS-C4507R+E with an ipbase license. It has
2x48 10/100/1000BaseT Premium POE blades,
2x4 Supervisor 10GE (SFP+), 1000BaseX (SFP) blades in active & standby hot,
1x12 1000BaseX (SFP) blade and
1x12 10GE (SFP+) blade.

In the interest of replacing this EOL switch, I am looking for a replacement which will last 10-15 years which can easily handle this environment with the possibility of growth and scalability to accommodate modern servers coming with 10GE NICs. I'm also interested in having it in HA mode.

We also have 2960S in stacked and unstacked modes connected to this 4500 via fiber. What can be a good replacement for them also?

Thank you.

Hi, I have set up a test lab and wanted to download a version of CCP admin so I can configure the network just for testing. Is there a copy I can download to do this, as all I can find are WinRAR downloads for just the instructions on how to configure?

An interface on a Cisco switch shows Total Output drops is 776, txload 4/255. What does it indicate? Does it tell of something wrong with the cable or the device connecting to the switch? How to improve this situation?


GigabitEthernet1/0/14 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 381c.xxxx.xxxx (bia 381c.xxxx.xxxx)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 4/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 776
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 44000 bits/sec, 73 packets/sec
  5 minute output rate 1821000 bits/sec, 152 packets/sec
     3457773 packets input, 964760961 bytes, 0 no buffer
     Received 31107 broadcasts (19813 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 19814 multicast, 0 pause input
     0 input packets with dribble condition detected
     4206341 packets output, 4232934589 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 …
Hey guys,
I am dealing with a client that has been down all yesterday as well as today with conflicting IP addresses.  I worked with Microsoft and they were able to find the MAC address of another device that was giving out DHCP.  I have tried arp on various servers and could not find that MAC even after pinging the broadcast address.  I have tried this command: show ip arp vlan (vlan number) | include (mac address) and all that it can really tell me is what the originating port is.  This led me to two HP switches which also have the MAC address but that list the trunk port as the originating source. I am getting absolutely nowhere with finding this.  Please help!!!!





