We help IT Professionals succeed at work.






Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Does anyone by chance have a step by step install documentation created for a Cisco ASA 5508 for anyconnect?  We had a firewall die and installed this one as new.   They were IPSEC now on SSL.  We need to deploy anyconnect to everyone and just need to tweak the document to fit our clients config.  Any help would be greatly appreciated.   No one can tunnel in without setting this up.   This is pretty high priority.
Mobile VPN to Cisco ASA 55xx-
I'm not as Cisco user until recently and I have a question that I think a Cisco admin can answer- Where do I configure the policies for accessing local LAN resources via mobile device connected to the ASA 55xx VPN ?  Any help would be greatly appreciated.  Thanks!
We have two Cisco 4500's running IOS 3.06 and using VSS. On one of the interfaces of the port channel that connects to our Core switch, we are setting a high output drop rate. The switch hosts 95% of our VMware Server and VDI environment. Cisco support stated the drops are mostly like caused by one of the interfaces is getting overwhelmed. Since the Load Balancing policy is set to Source IP, and support suggested we change it. Which is the best LB policy to use?
I am looking for Anyconnect 4.8+ version for Mac. Catalina is making my life miserable. I understand if I had a CISCO SmartNet this wouldn't be a question but anyone know anywhere else to obtain? ***insert laughing here
Hi, I have a Cisco RV340, I enabled the PPTP server like I have with the old RV042's setup the users and passwords and from the client I get the following error.

The remote connection was denied because the user name and password combination you provided is not recognized or the selected authentication protocol is not permitted on the remote access server

I have checked MSChap v2 and all.

Thanks all.
Running into an issue where there are perhaps 100 hosts all trying to ping HSRP address for keepalives for active directory. Is there a way to determine if the switch is being overwhelmed with ping requests? What would I be looking for?
How do I setup a user so they can connect using SSH to a firewall. I can do it but I don't know how to assign that person permissions.  The firewall is a Cisco ASA 5525.
Hi peoples - my scenario is this: I want to setup my router to forward rdp traffic across my router to my server.
1. All incoming traffic from ISP going to G 0/0.
2. Want RDP traffic from 10.1.x.x: 3389 to be forwarded to the server.

What commands would I have to set up on the router to achieve this?

Thanks in advance for any help!!
I have been trying to SSH to my ASA 5525 and get a list of users that are currently connected to Remote Access VPN.  I run show vpn-sessiondb remote and I get an error that states, "Info: There are presently no active sessions of the type specified".  According to ASDM Monitoring > VPN > VPN Statistics > Sessions it shows that I have a number of Active sessions.  This makes sense because I have one of them.  

Any ideas?
When I add a new blade to a UCS chassis the server profile from a template has it create six vNICs - two for mgt, two for iSCSI, two for data. They are numbered 0 through 5. And so it is also on the VMWare side where VMNICs are numbered 0 to 5. But the last time I turned the newly registered server over to the VMWare admins the VMNICs 0 through 5 had the mac addresses all jumbled up. What was 1 in UCS might be 4 in VMWare, 2 might align with  3 and so on. My question is - what mechanism determines which NIC as defined by its mac address is associated with what sequence number in VMWare. Is it just a matter of how the VMW engineer selects the NICs for attachment to the VM? Do they all come in at once and VMW just decides the sequence number of each? Inquiring minds want to know!

Hi all,

We have squid proxy server on Ubuntu 16.04 in our company and use Cisco ASA redirects the Internet traffic through wccp tunnel. We planed to upgrade the Ubuntu to 18.04 recently.

I setup the new proxy server on Ubuntu 18.04 in a test environment, but the wccp didn't work.

Here are the configurations and some troubleshooting steps I have taken:

### Squid config
acl localnet src  # RFC 1122 "this" network (LAN)
acl localnet src             # RFC 1918 local private network (LAN)
acl localnet src          # RFC 6598 shared address space (CGN)
acl localnet src         # RFC 3927 link-local (directly plugged) machines
acl localnet src          # RFC 1918 local private network (LAN)
acl localnet src         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # …
I was hoping that you can point me in the right direction, and provide some instructions on how to complete switch port mapping.
I would like to discover MAC and possibly IP addresses of all devices connected, and match each with a specific switch port.

- Cisco SNMP configuration
- Recommended network tool (paid version is fine)

We are dealing with multiple Cisco network switches, mostly SG-500s and SG-250s.
Simple flat network for now, two VLANs default and voice.

Please let me know, your help is much appreciated.

Thank you,
If I wanted to just add a PAN firewall to a DMVPN spoke site with an ISR, would it be fine for the ISR to sit NATted behind the firewall?

{INTERNET}-----[public IP]{PAN}[private IP}------[private IP]{ISR DMVPN}{private site IPs}-----{switch}

Currently the ISR has the public IP at its outside interface. The idea would be to give the public IP to the PAN and NAT to a new private IP on the outside of the DMVPN router. Would DMVPN work in that scenario?

Or would I be better off to configure the PAN as a virtual wire and retain the public IP address at the router?
Hello I'm using CUCM 11.5 and using SIP phones. I have my DID's and looks like I have what I need to have setup so that I can connect to my ISTP. but when they dial in, they cannot establish a connection to download their config files.

I wanted to know what else do I need to setup in CUCM? For SIP phones?

We have CUCM V12.5 installed. I have users in London, Paris and Singapore and I am having issues with Call Forwarding.

I am based in London and if I put my 8851 on call forward to my mobile anyone in the London office can call my number and it will forward to my mobile fine.

If someone in my Paris or Singapore offices calls my number they get "Fast Busy". If I turn call forwarding off they can call me fine.

If I forward my number to another internal number it also works fine. The issue just seems to be forwarding to external numbers.

Each location uses its own Device Pools, Partitions and CSS's etc...

My guess is the call is coming to london and then trying to break out of the London Voice Gateway but the format is incorrect. The London Voice Gateway is a Cisco ISR4321 andis attached to a SIP line.

Thanks in advance
I have 8gigs installed on a VMware ESXI 6.0.0 and I want to increase the memory of a Cisco Defense Center VM from 4gigs to 8gigs.   How do I do this?


On one of my DMVPN Cisco 3945 routers, show licenses revealed that HSECK9 was enabled. But the column to the right to it said "RightToUse" was No. How can a feature like hsecK9 be enabled but Right To Use be set to no? Is the feature enabled and available to the system or not??

VPN01#sho license feature
Feature name             Enforcement  Evaluation  Subscription   Enabled  RightToUse
ipbasek9                 no           no          no             yes      no
securityk9               yes          yes         no             yes      yes
uck9                     yes          yes         no             no       yes
datak9                   yes          yes         no             no       yes
FoundationSuiteK9        yes          yes         no             no       yes
AdvUCSuiteK9             yes          yes         no             no       yes
LI                       yes          no          no             no       no
ios-ips-update           yes          yes         yes            no       yes
SNASw                    yes          yes         no             no       yes
hseck9                   yes          no          no             yes      no
cme-srst                 yes          yes         no             no       yes
mgmt-plug-and-play       yes          no          no             no       no
mgmt-lifecycle           yes          no          no             no       no
mgmt-assurance           yes          no          no             no       no
Have you ever fat fingered a command into a Cisco device - and then you're blocked
from entering anything further as the device attempts to resolve the "host" you've
typed. Is there any way to have the Cisco router or switch just tell you they don't
recognize the command you typed rather than assuming you want it to go on a hunt
 to resolve your mistake?

% Bad IP address or host name
Translating "sholog"...domain server (
Translating "sholog"...domain server (
Below is a snippet of sho crypto session on a DMVPN router. Altho the status of the session is down I can't get these entries to disappear from the router. I've tried "clear crypto session" and "clear crypto sa peer". Yet these keep showing up like a zombie. What's going on with this?

Interface: GigabitEthernet0/0
Session status: DOWN
Peer: port 500
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip
        Active SAs: 0, origin: crypto map
I'm looking for help determining the best solution for our environment for wireless.  We currently have an 8 year old Cisco 5508 Wireless LAN Controller, and 94 Aironet access points split between really 3 buildings.  We are due for a refresh and have a bid in from a vendor who is recommending using Meraki WiFi6 with licensed cloud controller, and did not suggest using a locally managed WLC with Aironet APs.

We are a school district and need feedback as this is a vendor I have not dealt with before so I have trust issues.  I like the idea of not having a physical piece of hardware on site that if fails my wireless is down, but I don't like paying costly yearly licensing fees either.  Any insight?
I have an ASA adjacent to a router with the following redistribution into the EIGRP AS shared with the Cisco ASA:

redistribute eigrp 100 metric 100000 0    255    1      1500 route-map EIGRP100-TO-EIGRP10

When I look on the ASA route table it's showing an AD of 170 and a metric of 25856 for the routes in EIGRP 10 that were redistributed from EIGRP 100.

EIGRP Metric = 256 * ( (K1*Bw) + ( (K2*Bw) / (256-Load) ) + (K3*Delay) ) * (K5 / (Reliability + K4) ) )    {I'm assuming default K values 1 0 1 0 0 }

256*((1*100,000)+((0*bw/256-load))+(1*0)   *    (0/255+0) => 25,600,000
           K`1*BW            K2*Bw                    K3*dely    K5/Rel+K4

Anyhow the ASA is seeing traffic taking this route as 25856. I can not figure out where that number is coming from. The actual bandwidth between the ASA and router is 1Gbps.

Any insight appreciated!
Dear Experts,

I would like to find out what would be the best suited network certification to obtain for myself.
I have a mish-mash background, after getting M.S. in computer science with software engineering emphasis, I was working as a software/field engineer, then software project manager.
After taking time off to raise children, I started my own business as an IT consultant, where I did everything from hardware/software installation, infrastructure management, training, and troubleshooting for small businesses.  All of my knowledge came from basically learning as I needed from vendors and other sources.
A few more jobs later, I am now bouncing back and forth between Sr. System/Network Admin roles at my current employer.
My problem is, besides my degree, I do not have any certification, but I can administer Cisco/Fortinet Firewalls, switches, Windows servers, Exchange servers, and am versed in PowerShell scripts as well as Java, VBA.  I feel very non-standardized, and would like to have some type of certification.  Since I really don't need to learn more about Windows servers or Azure AD, I was leaning towards some type of network certification.  Cisco, CompTIA Network+, etc.  I do have basic theoretic knowledge on networking from my graduate courses, however I have a feeling some of those are outdated at this point.
Please advise.
I am needing extra server ports to my Cisco UCS 6248UP fabric interconnect. I already have the
expansion module but I need still more ports. The Cisco config limits doc notes

There is a limit of twenty FEX for each UCS domain. For example, you can either have ten 2232 FEX for each FI or a combination of ten chassis and ten FEX.
Does that refer to the 2232PP FEX in the second URL below? So long as I purchase the license would that allow me to add more chassis?


I am trying to determine the root cause of slow file transfers to the internet from our backup appliance. We are seeing data transfer rates in the 3Mb/sec range, while performing a speed test on the same switch/VLAN/subnet yields a 300Mb/sec throughput.

Looking at the stats on the switch port connected to the appliance it would appear that the output rate (542Kbps) is way below that entering the port (20Mbs). Can anyone explain why the input/output appears to be so different and what might be done (if needed) to speed this up?

MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, medium is broadcast
  Port mode is access
  full-duplex, 10 Gb/s
  Beacon is turned off
  Auto-Negotiation is turned on, FEC mode is Auto
  Input flow-control is off, output flow-control is off
  Auto-mdix is turned off
  Switchport monitor is off
  EtherType is 0x8100
  EEE (efficient-ethernet) : n/a
  Last link flapped 6d00h
  Last clearing of "show interface" counters never
  3 interface resets
  30 seconds input rate 20774480 bits/sec, 1810 packets/sec
  30 seconds output rate 538656 bits/sec, 919 packets/sec
  Load-Interval #2: 5 minute (300 seconds)
    input rate 20.78 Mbps, 1.77 Kpps; output rate 542.22 Kbps, 899 pps
    159749599463 unicast packets  17391 multicast packets  146958 broadcast pack
    159749763812 input packets  95785989605583 bytes
    0 jumbo packets  0 …
I have DMVPN with two hubs and an EIGRP relationship to a firewall (as well as to the spokes.)
The problem I am running into is that all of the DMVPN traffic is trying to egress Via one of the two VPN  hubs - HUB 1 - it's at capacity for passing encrypted traffic.

SPOKE----HUB 1----FW
SPOKE----HUB 2----FW

HUB1 is assigning a metric to the routes it learns from the spokes which is preferable to HUB2.
So that's why the FW is sending all the traffic to HUB1.

 redistribute eigrp 300 metric 100000 0 255 1 1500 route-map EIGRP300-TO-EIGRP100

 redistribute eigrp 300 metric 100000 10 255 1 1500 route-map EIGRP300-TO-EIGRP100

The firewall and the HUB DMVPN routers speak via EIGRP100. Hub to spokes via 300.

What I want to do is for the firewall to prefer one hub for half of the sites roughly. I could put in some static routes as a quick fix out of the traffic jam. I could remove HUB 1 from half of the spokes and that would make the HUB 2 the best path for half of the spokes. But surely there's a more elegant approach using route maps.

Something to the effect of..

If you match ACL SAVE-MY-DMVPN, you have a better metric than HUB 1. Otherwise you keep the same metric you have now and let HUB 1 keep doing its thing.







Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).