Cisco

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

I am trying to set up port forwarding with a Cisco ASA 1500. I'm trying to set up https://website:3443 to a local address.

Things set up:

Access rule
outside
permit
Source: Any (for now)
Service: 3443
Destination: local address object for host

NAT rule
Source interface: outside
Source: Any
Destination interface: inside
Destination address: local address object for host
Service: Service 3443
Source NAT type: Static
Source address: Original
Destination address: Original
Service: Original
0

We have the following devices:

9 Host Servers (Dell R620)

Host 1-5 Connected to the Dell S5148F-ON
Host 6-9 Connected to the Cisco 4500

2 SAN (Unity 400) (MD3600i)
2 Dell S5148F-ON Switches
1 Cisco 4500
1 Cisco 4900

We connected the 2 Dell switches together using 2 100G links, and they're both connected to Hosts 1-5 and to the SAN Unity 400. Also, we have a 10G connection from one of the Dell S5148F-ON switches to the Cisco 4500. The Cisco 4500 connects to the Cisco 4900 downstream, which gets out to the internet.

Can someone please recommend whether this is good practice? If not, what are your recommendations? :)
0
We have a Cisco 4500 connected to a Cisco Nexus 3172. There is a port channel set up as an access port to allow only VLAN 500, which is the internet VLAN. There is a management VLAN 2422, set up with netblock 10.5.0.0/24, which we are trying to access and have no access to. Would we configure the port channel between the Cisco 4500 and the Cisco Nexus 3172 as a trunk port and allow VLAN 2422 to have management access to 10.5.0.0/24?
0
I have a client with a LAN, using a Cisco router, and then, in another area of the building I have a D-Link router set up as a wireless access point only (no wired connection to D-Link WAN port, DHCP off).

They want to add a guest network that is isolated from the private LAN.  If I enable the guest network on the D-Link it doesn't work, presumably because the Guest network is trying to go out through the WAN port directly, which isn't used because I've got it configured as an AP only.

If I add another router to handle Guest, in order to get the isolation I need from the company's private LAN, I've had to use 2 additional routers to get the isolation.  Is this the way to go, or is there something better that I can do?

Thanks.
Dave
0
Hi Experts,

On my Cisco switch I have connected 3 access points.
I just know the IP and MAC, but I need to know the switchport.

How do I find out what is connected on each switchport?
0
Dear Experts,

I have a set of FortiGate firewall policies which I need to duplicate on a Cisco router.

I have done most of the point A to point B.

The issue I have now is the NAT, and there is an IP pool. Is there a guide on how I can translate the rules from the firewall to a Cisco router?

Any help is appreciated.
0
Hey guys. Hope you might be able to help me out with this sort of...unique situation.

We have two facilities. I'm trying to set up some VLANs, but there's a catch: we have a fiber connection between the two buildings that is causing some problems. Let me give you an outline of our layout.

Internet comes in from ISP to a Cisco RVS4000 router/switch, plugged into WAN. Port one has a cable connecting to the main switch (Cisco) of Facility 1 (F1), which has a DHCP server running Windows Server 2008 (unfortunately. I have a new server to setup when I'm done with this project to fix that). Port three has a cat cable connected to a fiber converter going to single mode fiber running to Facility 2 (F2) about 10 miles away. (That connection is working flawlessly. I can plug into the main switch and be on the same IP range and domain as though it's just a long cat cable, because essentially it is.) At that facility, it's plugged into port 8 of a Netgear (I know) GS510TLP and running to a TP-Link (I know) T1600G-52PS. Port 2 on the Netgear is going to a TP-Link T2600G-28MPS for VoIP and port 3 is going to a T2600-28MPS for cameras.

I created some DHCP scopes and VLANs (VLAN 2 and 3) between all this mess and got it sort of working. By sort of, I mean I can plug into the switch at F1, and VLAN3 will give me a DHCP address from the server. VLAN2 will not. In order to do so, I had to use two other NICs in the DHCP server on the ranges (4.x and 5.x) I'm needing for those …
0
Cisco 5520 Wireless LAN Controller: unable to connect an access point over a wired connection using a PoE injector. Using CDP I can see the access point, but I am unable to have it show up in the access point list. The access point is directly connected to the WLC, with no switch or router, but both the AP and the WLC are using IPs in the same /24 subnet.
0
I have a network diagram where we have replaced the Cisco switches with Aruba switches. We got the current Cisco config so we can configure the new Aruba switches accordingly. Can someone help me by sharing a project plan template or something similar for the implementation? All the cabling will be in place on site, and all the devices and SFP modules will be there.
0
I have established two VPN connections in AWS from an environment to a third party Cisco VPN firewall.  Everything is set up as it should be, but we are unable to bring the tunnel up.

In a nutshell, we have established two independent VPN connections, with each one going to a different datacentre. The configuration has been supplied to the 3rd-party agency who are managing an external service that connects through the tunnel to another agency. The two tunnels are set up as Active and DR tunnels, but will carry the same traffic in the event of failure, and then our traffic is NATted twice to reach the destination.

We have tried a number of things but are still unable to get the tunnels up from either the main or the DR datacentre firewalls.

The problem seems to lie in the tunnel configuration; apparently there is an issue with using SLA monitors to keep the tunnel up from the Cisco side; obviously without this the VPN connection will drop. The information I have seen seems to imply we need to set up a "route all" tunnel at the customer side and then employ static routes to get the right traffic down the tunnel to the firewall, which will cause major issues as our VPC supernet overlaps their networks; also, we only want to allow 3 machines on two subnets through the tunnel.

Our other problem is how the VPN failover will work for the DR tunnel.  They are monitoring and will automatically fail over to the secondary VPN tunnel should an issue occur with the primary datacentre …
0

On my W7 machine I have a problem connecting through Cisco AnyConnect VPN ver 4.4 and my IE11.

When I first log in to AnyConnect it goes through; then I go to my Remote Desktop connection to connect to the site and I am stuck. IE is not showing the login screen; I am getting a white screen and an error, not able to connect.

When I turn off AnyConnect my IE11 is working.
Any idea how to solve this?
0
CISCO 4321
I have connected to the Cisco via PuTTY and configured passwords, interface GigabitEthernet 0, and also 0/0/0. I can ping it on the management port and on 0/0/0, but I cannot access the GUI via https://192.168.1.1.

The guide does not tell much at all, and I have not found much on Google either. Can someone please point me in the right direction? This router is not in production.

Current configuration : 1429 bytes
!
! Last configuration change at 20:54:05 UTC Thu Sep 13 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname cisco4321
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family

!
no aaa new-model
no process cpu autoprofile hog
!
!
!
!
!
!
!
!
!
!
!



!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FDO21062QE7
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
!
!
!
vlan internal allocation policy ascending
no cdp run
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip 

0
Block/Deny all IPv6 traffic on all ports for a layer 2 device for Cisco 2960S

I've recently discovered there is a LOT of IPv6 traffic generated and passed along, within subnets, on our network. But one subnet usually has 1700 clients, so a little from each client can get pretty overwhelming. I'd like to set a deny ACL on all the ports of these Layer 2 devices, so they won't pass the traffic, even within the subnet. Most of it is mDNSv6 from Apple devices, and all of it appears to be multicast/broadcast.

I have the commands that they say to use, but they aren't working. On the Cisco they are:

ipv6 access-list <name>
 deny ipv6 any any

interface g<x/y/z>
 ipv6 traffic-filter <name> in

This works on a Catalyst 3850, which is Layer 3. But on the 2960S the ipv6 command only has "mld" and "nd" as options. Cisco's documentation says it should work on a Layer 2 port, inbound only, but was less clear on how to make it work, and all the examples they give, across all documentation, set it up on a Layer 3 port.

I've also got this to work on ProCurve 2530 switches, which are also Layer 2 only. It definitely blocks all the IPv6 traffic on the ProCurves and on the 3850.
0
Hi,

Cisco ACI (SDN) API for integration with cloud management platform, google cloud, AWS or etc for my coming project?

My explanation, for your kind clarification:

1. Uses the Cisco CloudCenter Manager user interface or REST API or OpenDaylight APIs (REST) on the northbound side. Below is the simple diagram and full explanation from Cisco.

2. OpenFlow 1.0 / 1.3, Open vSwitch Database (OVSDB), NETCONF/YANG, BGP-LS, PCEP to programmatically change the configuration of a network device to enable communication on the southbound side (plug-ins).

3. Network services APIs: Java


Tks.
0
Hi,

What Cisco ACI (SDN) API for integration with cloud management platform? Tks.
0
Cisco ASA 5510 and Cisco 2921
Currently we have a Cisco 2921 ISR that we connect directly to the internet. We have a 16-address block of IPs routed to internal servers, use AnyConnect to VPN into the office, and have an office-to-office VPN with a remote office. We use ACLs to manage all the traffic. This is then connected to a 6509 and we have 4 VLANs.
The throughput on the 2921 seems really slow for our remote users.

I'm looking into an ASA 5510 to replace the 2921. Is this a good idea, or do I run them in line? I'm looking for better performance on the VPN side. The 2921 is slow.
Or do I look at something else altogether?
0
Is it possible to use the Cisco AnyConnect VPN client to make VPN connections instead of the old Cisco VPN client v5.0.07.0440?
Here is a screenshot of the old VPN client connection settings (image: Old Cisco VPN connection properties).
If yes, what would the AnyConnect XML profile be?
0
On a Cisco switch, what is the best way to tell if a port or interface has been enabled or disabled using no shut or shutdown?

Thanks
0
I am trying to set up a port channel between 2 Cisco 2960s.

I am using the following:
Switch2(config)# int port-channel 1
Switch2(config-if)# switchport mode trunk
Switch2(config-if)# switchport trunk encapsulation dot1q
Switch2(config-if)# !
Switch2(config)# int range gig 0/45-48
Switch2(config-if-range)# channel-group 1 mode active
Switch2(config-if-range)# !

The problem is  I get Invalid input detected at

 #switchport trunk  encapsulation dot1q
                                   ^
 % Invalid input detected at '^' marker


Could someone tell me what I am doing wrong?
0

I have a Cisco ASA 5520 and a 500MB internet/bandwidth line. The problem is that the throughput on the FW is low and it throttles the bandwidth. Execs don't want me to upgrade now, so I was wondering if there is some kind of add-on I can use.


ASA 5520
1: ASA5520, 512 MB RAM, CPU Pentium 4 Celeron 2000 MHz
2: Up to 2048MB RAM
3: Intel Celeron M Processor 450 2.0GHz
4: Cavium Nitrox Lite CN1010
0
Hi,

There is a web server hosted on the internet that nobody can access from the internet except allowed IPs,
so we can access it from our premises but not from the internet.
We created an SSL VPN on the Cisco ASA and added the URL of the web server as a bookmark, but it doesn't work.
We found that the ASA sends the traffic to the internet directly, not through the proxy.
How can we make the ASA send the traffic for this URL to the proxy?

Regards
0
I am facing the issue below.

Please suggest why this is happening.

24-Dec-2015 16:14:00 %LINK-I-Up:  gi28
24-Dec-2015 16:14:01 %LINK-W-Down:  gi38
24-Dec-2015 16:14:03 %LINK-I-Up:  gi38
24-Dec-2015 16:14:05 %STP-W-PORTSTATUS: gi28: STP status Forwarding
24-Dec-2015 16:14:06 %LINK-W-Down:  gi48
24-Dec-2015 16:14:07 %STP-W-PORTSTATUS: gi38: STP status Forwarding
24-Dec-2015 16:14:08 %LINK-I-Up:  gi48
24-Dec-2015 16:14:10 %LINK-W-Down:  gi17
24-Dec-2015 16:14:12 %STP-W-PORTSTATUS: gi48: STP status Forwarding
24-Dec-2015 16:14:13 %LINK-I-Up:  gi17
24-Dec-2015 16:14:13 %LINK-W-Down:  gi22
24-Dec-2015 16:14:14 %LINK-W-Down:  gi11
24-Dec-2015 16:14:14 %LINK-W-Down:  gi36
24-Dec-2015 16:14:14 %LINK-I-Up:  gi22
24-Dec-2015 16:14:15 %LINK-I-Up:  gi11
24-Dec-2015 16:14:16 %LINK-I-Up:  gi36
24-Dec-2015 16:14:17 %LINK-W-Down:  gi40
24-Dec-2015 16:14:17 %STP-W-PORTSTATUS: gi17: STP status Forwarding
24-Dec-2015 16:14:19 %LINK-I-Up:  gi40
24-Dec-2015 16:14:19 %STP-W-PORTSTATUS: gi22: STP status Forwarding
24-Dec-2015 16:14:20 %STP-W-PORTSTATUS: gi11: STP status Forwarding
24-Dec-2015 16:14:20 %STP-W-PORTSTATUS: gi36: STP status Forwarding
0
Long story short, at the bottom of my Cisco 2960 switch config I want to:

1) add the line: logging esm config

2) delete the line: transport input none

Can someone show me how to do this?

I want to do this to exactly match a config I copied from.
0
I am going to trunk 2 Cisco 2960s via Cat 5. I already copied the config from switch 1 to switch 2. Trunks and ports are set up.

My question is, the crypto key on switch 2 now looks a little different from switch 1 (since I copied it, I thought it should be the same?). The first few lines are the same, but then it changes. Is this OK? Do I need to generate another crypto key for the second switch? Or since the first switch already has a crypto key, do I even need another one?
0
This is using 2 VMware ESXi 6.5 hosts. There are 5 VMs per host. We intend to have 1 VLAN for management, 1 for the backup segment, and 1 for the production segment. We intend to configure NIC teaming on 2 physical network ports (vmnic0 & 1) per host. Respective port groups for each VLAN ID were created: 101 for production, 121 for mgmt, and 122 for backup. All 3 port groups are joined to the same vSwitch0. The load-balancing mode is "Route based on IP hash".

These ESXi hosts are connected to a Cisco Catalyst 2960 48-port switch. The EtherChannels were configured as follows:

int port-channel 1
  switchport trunk allowed vlan 101,121,122
  switchport mode trunk

int gigabitethernet1/15
  switchport trunk native vlan 101
  switchport trunk encap dot1q
  switchport trunk allowed vlan 101,121,122
  switchport mode trunk
  channel-group 1 mode on

int gigabitethernet1/16
  switchport trunk native vlan 101
  switchport trunk encap dot1q
  switchport trunk allowed vlan 101,121,122
  switchport mode trunk
  channel-group 1 mode on

Do these configurations work?

Thanks in advance.
0
