Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Hi Guys,

Certain users are reporting that they are unable to route to public internet when they are connected to VPN. We have a split tunnel. Some users are able to, others aren't. I have no idea where to look. Any help will be appreciated.
I had this question after viewing Cisco ASA 5505 and Microsoft DHCP superscope.

Hello everyone, I am new to this forum and I have a question similar to this one.

I have a Microsoft Server 2008 R2 which is the DNS and DHCP. IP scope is -
It's connected to a switch and then to an ASA5505 that goes outside to the internet. It's all working and fine. But then the users using WiFi and cable to connect, and the IP range is all but used up, so I want to extend. I created a superscope in Microsoft Server 2008 R2 and its range is - . Also on the ASA I created an interface named inside1 and assigned it an IP of /24.

How can I get this to work using the ASA?

I work in a hospital. We use the Stratus iPad app for interpretation. We have a guest internet circuit that these iPads are on. The circuit was recently upgraded from 35 Mbps to 100 Mbps. No other changes that I know of. Around that time the Stratus app stopped connecting. There is an ASA 5505 on this circuit, but only the default config is enabled.

I took the iPad home and the app worked fine on my home WiFi. I have contacted the vendor and our ISP. Both claim it must be a firewall issue, but nothing has changed. Any ideas?
The problem occurs when the computer is restarted or turned on, causing loss of IP. It is reviewed and there is an IP that starts with "169. ..." or that is duplicated.

This problem occurs with both static and dynamic IP addresses (dhcp).

It is solved by disabling and re-enabling the network or reconnecting the network cable.

The problem occurs in different computers, especially in win7.

The DHCP server is a Cisco 3650x

We await your help, thanks.

We have a cisco2701 router.
A few days ago our monitoring system showed the following message:

Channel      Last Value
Fan 1 State      Shutdown
Fan 2 State      Shutdown
Fan 3 State      Normal
Fan 4 State      Normal

01/16/2018 11:44:16 Down, Error by lookup value 'Shutdown' in channel 'Fan 1 State' - Error by lookup value 'Shutdown' in channel 'Fan 2 State'
01/13/2018 01:45:15 Up, Normal
01/13/2018 01:44:15 Down, Error by lookup value 'Shutdown' in channel 'Fan 3 State'
01/13/2018 00:20:15 Up, Normal
01/13/2018 00:19:15 Down, Error by lookup value 'Shutdown' in channel 'Fan 4 State'
01/11/2018 12:56:31 Up, Normal

If I check the environment status in the router I get the following:
        Fan 1 is believed to be working
        Fan 1 RPM is 11660
        Fan 2 is believed to be working
        Fan 2 RPM is 11660
        Fan 3 is believed to be working
        Fan 3 RPM is 11660
        Fan 4 is believed to be working
        Fan 4 RPM is 11660

Is there a known issue related to the fans?
Since the 4 fans have failed randomly and all of them are connected to the motherboard, could this be a motherboard issue?

I appreciate your assistance.

I'm looking for some advice on my network up-link configuration.

I have a single Cisco 6500 series acting as a core/distribution switch in my network. It's equipped with dual Supervisors and multiple 1gig line cards.

My access switches are primarily Cisco 2900 Series in a stacked configuration. Each switch stack has 2 up-links back to the 6500 Core, and I am curious what the best approach to configuring these up-links is.

Should I port-group these trunk links and create a cross-stack Etherchannel? Does this have any implications / downsides?
Or should I simply leave them as independent up-links and allow Spanning-Tree to control them?
Hi Support

Previously we were able to access the Cisco ASDM in the wireless segment, and due to the cut-off of the MPLS the WiFi broke down.

Now we are trying to access the Cisco ASDM in the client VLAN, which means we are able to ping from the client desktop to the firewall.

How do we allow the traffic from the client VLAN to reach the Cisco firewall? Correct me if I'm wrong; I believe it needs to be allowed in the Cisco firewall for the client VLAN to reach the Cisco ASDM.

Currently we are having issues making outbound and inbound calls.

We suspect the firewall is blocking; how do we resolve the issue with Cisco IP phones?
We currently have a fairly simple set up, we have ONE public Web Server IP. Our In/Out path is ISP line to our Cisco ASA/Firewall to our Host Server. We use Static IPs from the ISP. Our objective is to achieve highly reliable access to our Web server.

We are looking at solution such as DNSMadeEasy + DNS Failover.  

Would the following plan work?
1) We'll acquire a new ISP #2 service as backup for our ISP #1 service.
2) We'll acquire a new Switch. On site our location we'll plug the two lines from ISP #1 and ISP #2 into the new Switch.
3) Run a single line from this new switch into our existing CISCO ASA router, and add configuration rules to Cisco for the new source IP addresses to mirror the rules already there for NAT, port forwarding, etc.

Any recommendations would be appreciated!
Hi, I am trying to determine the best way to configure a WAP4410N, with our ASA5505, so that the WAP will have 3 SSIDs. 1, "Wireless-Inside" will allow internal users to connect to the internal network, 2 "Guest-DMZ" will allow guests access to the internet and not the internal network, and 3 "TimeClock-DMZ", which will only allow our timeclock to connect over the internet to its web instance.

interface Ethernet0/7
 switchport access vlan 30
 switchport trunk allowed vlan 1,15,30
 switchport mode trunk

*Inside: This network has Static IP Addresses
interface Vlan1
 nameif inside
 security-level 100
 ip address
access-list Inside-to-any extended permit ip any
nat (inside) 2

interface Vlan15
 description Internal Wireless
 nameif Wireless-Inside
 security-level 100
 ip address
access-list Wireless-Inside_access_in extended permit ip any
access-list Wireless-Inside_access_in extended permit icmp any
nat (Wireless-Inside) 2
access-group Wireless-Inside_access_in in interface Wireless-Inside
dhcpd address Wireless-Inside
dhcpd dns interface Wireless-Inside
dhcpd enable Wireless-Inside

interface Vlan30
 description Guest
 no forward interface Vlan1
 nameif Guest-DMZ
So here's the setup.

I have a new Open Mesh PoE switch I'm trying to plug into an existing 2960 so that we can plug some OM APs into it. I can plug the OMS8 switch into the Cisco with the Cisco switchport in access mode for the VLAN we want it on. I can run an IP scan and see that the switch indeed gets a DHCP lease; I can go to that IP in a browser and get the admin interface (not allowed to log in). But the switch never checks in with CloudTrax. I have 4 other APs on the same subnet that check in fine, so I don't think content filtering (as suggested by their support) is the issue, though they say the switches check into different servers than APs.

Is there a way I can search for that MAC on either the 3650 or the ASA to see if it's getting filtered?
Dear Experts,

I went to the cisco website to find the latest firmware for my client's router.

Currently the firmware is isr4300-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin

In the downloads, I found:

- 3.13.8S(MD)
- 3.13.7S(MD)
- 3.13.6aS(MD)
- 3.13.6S(MD)
- 3.13.5S(MD)
- 3.13.4S(MD)
- 3.13.3S(ED)
- 3.13.2S(ED)

I deduce that my client is using 3.13.4S(MD)

My account does not allow me to download 3.13.8S(MD), but I can download 3.13.7S(MD). However, I am not able to review the version's release notes: I clicked on the release note link and it brought me to a page where I do not know which document to look at, as I cannot find the release notes for 03.13.7S.

Can anyone please help me on this?
I am putting together some phone equipment and servers in a datacenter cabinet.  The datacenter is providing us a redundant router connection using HSRP.  The cabinet has two Ethernet cables: primary, secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard Layer 2 switch, then patch that switch into an external interface on the firewall. After so many attempts I am trying to remember, but I think the path to the internet was broken when BOTH router cables were plugged into that switch. I am going back to the datacenter tomorrow to try more things, but I wanted to get some input from you guys first. I have the datacenter IP sheet where they provide me the configuration info but didn't want to post live addresses on this site. Basically they gave me a /29 subnet and …
Hey Experts, we have a Digium Switchvox VoIP Server. This past weekend our local power company had to upgrade our facilities power. We gracefully shut down everything Friday night, power was restored yesterday afternoon. This morning we have half of our phones not working as they cannot get an IP now. Our LAN and VoIP LAN are attached to our SonicWALL NSA2600, we have 3 Cisco SG500-28-p Stacked switches. What we have found so far is that any phone connected to the Master switch will not get an IP for the phone. Each desk has 1 Ethernet drop, that goes into the phone and the workstation plugs into the phone. The workstations all work fine to phones that don't work. We have rebooted the switches for good measure and nothing changes. Hoping someone can help shed some light on what the problem is.

Here is how the config on the sonicwall looks for the interfaces
Interfaces on SonicWALL NSA2600
Here is the Stack.
SG500-28P Stack
Hi all,

I have requested an additional IP address block from my ISP so that I can assign a public IP directly to my VOIP server. I have received and added a nat statement to my router as follows

ip nat inside source static XXX.XXX.XXX.XXX (being one of the static ip's assigned by our ISP)

I can establish a SIP session with my server from outside however still get no audio either way. I ordered the additional IP so I could NAT everything from the external ip to the server to avoid this exact issue however it hasn't worked. To me it looks like no traffic is going back out the nat statement as the debug always shows 0 packets going out but plenty going in

*Jan 15 15:32:53.900: NAT*: s=, d=58.XX.XX.X-> [46336]
*Jan 15 15:32:53.960: NAT*: s=, d=58.XX.XX.XX-> [28621]
*Jan 15 15:32:54.208: NAT*: s=>58.XX.XX.XX, d= [0]
*Jan 15 15:32:54.212: NAT*: s=>58.XX.XX.XX, d= [0] is my handphone on 4G  
58.XX.XX.XX public IP
Any help Appreciated
I currently have 1 PRI configured on my voice gateway router. We have had a few instances where we have had 20-21 simultaneous calls at a time, and as you know a single PRI only allows for 23 simultaneous calls. I am looking to get another PRI from the same telco. How does this work? I have another T1 (PRI) port on my router, which will be used to connect to the 2nd PRI, but how does it work on the telco side? Do they trunk the two PRIs together, so I can now have 46 simultaneous calls? We are going to order another block of DIDs with this new PRI as well. So right now there are 39 numbers associated with the first T1, and I'm not sure yet how many we are going to get with the second block. Does the telco tie these two PRIs together somehow, so both PRIs can share all the numbers?
Both my Cisco Virtual Wireless Controller and the Windows Server 2012 serving as the RADIUS server were rebooted after another admin updated the VMware tools on them, and I started getting calls that users (laptops and mobile phones) could not connect to the wireless.

Checking logs on my vWLC console I saw a lot of: AAA Authentication Failure for Client MAC: 54:7c:69:49:ca:1e UserName:<USERNAME> User Type: WLAN USER Reason: Authentication failed

Checking NPS logs on the RADIUS server I started seeing information entries like this: 'The client could not be authenticated  because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.' and 'Reason The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.'

Application logs showed similar 'information' entries: Negotiation failed. No available EAP methods

I'll paste the full log entries below as well as screenshots of my RADIUS Client settings, Network Policies and Remote Connection Policies. After extensive Googling, most fixes point to a cert error; my cert doesn't expire until 2019 so I don't think that is the problem, but I'm not an expert at this.
I have a mail server on the inside of my network, I have established all of the ACL's and NAT Statements on the ASA and traffic is flowing correctly inbound. However when the mail server sends traffic outbound ( to external networks) it uses the ASA Primary IP on the outside interface. I would like to force the outbound traffic to external networks to use a particular IP Address (the one that is NAT'ed) for SMTP. As the NAT Statements are already in place and functioning is this a matter of using an extended ACL? If so how should it be constructed? Thank you in advance for the assistance.
When I try to log in to VPN through the Cisco AnyConnect VPN Client from a Windows XP machine, it says the following message: "Connection attempt failed. Please try later." Even though I have enabled the 3DES-SHA1 or RC4-SHA1 algorithm on my firewall.


I'm helping a small school with limited resources set up some Cisco APs in their network. We want to keep the wireless devices outside of our internal network via a separate VLAN. I've had difficulty setting up this environment and could use some help.

- Some older Cisco 720i APs
- A handful of old Cisco Catalyst 2960 Switches
- An APU2C4 appliance running pfSense acting as our Router/Firewall

What I tried:
I don't have much experience with the Cisco CLI, so I've been trying to set up as much as possible on the APs themselves via their web interface. The APs have VLANs set up with an open SSID. I tried associating the ports these APs are connected to on the Catalyst 2960 switches with the VLAN we want to use. I also tried to use DHCP Relay (or "IP Helpers" in Cisco-speak) on the pfSense appliance and set up IP helpers on the APs, but I really have no idea what I'm doing at that point.

Any advice on how to actually get this done? Commands and step by step guidance would be greatly appreciated.
Hi there,

I have a 2504 WLC at a remote site overseas currently on code  I need to update the code on it due to the KRACK vulnerability, but wasn't sure what the best route was to go on this. Cisco's suggested release is (ED), but I'm hesitant to downgrade the code as I've heard some horror stories (losing configs, etc.) and I don't have an onsite resource there in case things go to hell. Cisco TAC's recommended 8.3 release is ; would I be better off just upgrading to that version instead? Would that be safer for a remote update?

Any input is appreciated, thanks!
We have a small network in the office with a Cisco router and switch,
and we want to set up a VPN and allow 5 directors' homes to directly access our network.

Can you share with me some suggestions on how I can start?
OK don't laugh. I have a 9 year old Cisco call manager which has run flawlessly for the last 9 years.

Recently it has developed a problem; since it has been end-of-lifed by Cisco, they will not help me with this issue.

Here is the problem.

When a user goes to listen to their voice mail, everything works properly it will tell them they have "X" amount of messages, To listen to your messages press 1...

Once they press one again it works as normal... Saying a message from.... sent on....

Then right when it would normally play that message,

a message will play that says.

"This message contains no recording."
Then it will go on with the normal "to save it press 2, to delete it press 3".

No matter what option you select, the next message played is:

"This system is temporarily unable to complete your call, call again later, good bye."

On the previous step If you press 2, to save the message. And go into saved messages it is there.

Since I have 90 mailboxes and get over 200 messages a day this is becoming a huge issue.

I'm hoping someone here may have enough knowledge or could at minimum refer me to someone who can help me band aid this until I can work on a replacement plan...


Here are some version screen shots.

Show Hardware 

Show System

We have a single Catalyst 4500 in our datacenter. It's a WS-C4507R+E with an ipbase license. It has:
- 2x48 10/100/1000BaseT Premium PoE blades,
- 2x4 Supervisor 10GE (SFP+), 1000BaseX (SFP) blades in active & standby hot,
- 1x12 1000BaseX (SFP) blade and
- 1x12 10GE (SFP+) blade.

In the interest of replacing this EOL switch, I am looking for a replacement which will last 10-15 years which can easily handle this environment with the possibility of growth and scalability to accommodate modern servers coming with 10GE NICs. I'm also interested in having it in HA mode.

We also have 2960S in stacked and unstacked modes connected to this 4500 via fiber. What can be a good replacement for them also?

Thank you.
Hi, I have set up a test lab and wanted to download a version of CCP admin so I can configure the network just for testing. Is there a copy I can download to do this? All I can find are WinRAR downloads for just the instructions on how to configure.