Cisco: 23K Solutions, 14K Contributors
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Hello Experts,
I need help setting up my Hyper-V networking side.
I have 3 Dell servers running Windows Server 2016,
2 Cisco C3750X switches on Advanced IP Services
and 1 WatchGuard firewall.

I want physical connectivity as in the attached picture so that I can have failover and load balancing.

On the servers I am doing NIC teaming with LACP in dynamic mode.
On the WatchGuard firewall I have 2 ports in link aggregation, dynamic mode.
I need help with the Cisco switches. What exactly do I need to do in the config to enable failover and load balancing for traffic to/from the server VMs? (VMs running on Hyper-V will be using different VLANs, so on the switches I need multiple VLANs.)

I am not a Cisco expert, so I tried EtherChannel/LACP etc. but without any luck getting it working.
So yeah, if someone can share some config, that would be helpful.

Thanks,
Harry
IMG_3001.JPG
0
My main office ASA 5520 runs an EZVPN site-to-site with an ASA 5506. Up until the storms the other night the VPN was up; after the storms the VPN won't reconnect. I've tried rebooting the remote ASA, ran clear crypto ips sa peer <ASA IP> from both sides, and even pulled out the EZVPN config from the remote side and put it back in. No luck.

sh crypto isa sa from the 5520 shows:
Company-Firewall# sh crypto isa sa

4   IKE Peer: <Remote FW IP>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3

Then:

Company-Firewall# sh crypto isa sa

4   IKE Peer: <Remote FW IP>
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_TM_INIT_XAUTH_V6H

sh crypto isa sa on the 5506 shows the same thing only AM_WAIT_MSG2 instead of MSG3.

Debugging the connection from the 5520:
debug crypto isa 5
---===---
Jun 11 16:22:21 [IKEv1 DEBUG]Group = <EZVPN Group>, IP = <Remote FW IP>, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
Jun 11 16:22:21 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end is NOT behind a NAT device
Jun 11 16:22:21 [IKEv1]Group = <EZVPN Group>, IP = <Remote FW IP>, Floating NAT-T from <Remote FW IP> port 500 to <Remote FW IP> port 4500
Jun 11 16:22:22 [IKEv1]Group = <EZVPN Group>, Username = <EZVPN User>, IP = <Remote FW 

0
After installing the Cisco AnyConnect VPN client we can no longer ping servers/PCs by DNS name, only by IP address, when connected with a standard Windows VPN.

To give more background, we have this issue on 2 computers, both on a domain. PCs without the Cisco AnyConnect client work fine on any VPN; the ones with it do not work on any VPN.

We have removed the Cisco VPN client; same issues. PCs outside of the domain are also fine without the client installed.
0
I have a MikroTik CCR 1009-8G 1S-1S+ and 5 Cisco WS-C2960-24TC-L switches that were provided by the customer for our use in this network. I have a question on how to set up the VLANs so no tenant in the building can access any other tenant's network. There is a mix of static IP tenants and DHCP tenants. I have the MikroTik set up with all the needed VLANs for each DHCP tenant. I have also assigned each port for VLAN access to only one tenant. My issue is how to secure the VLANs.

I know this is a vague description of what I have to work with so I have attached a PDF of the network. If any other information is needed please message me and I will attempt to comply.

Thanks in advance for any and all help.

Seven-Floor-Multi-Tenant-Building-De.pdf
0
I need to configure a Cisco 891. Our provider is giving us a P2P /30 plus a /29 for our use. In the past I have used 2 routers for this. The outside router has the /30 on the outside and the /29 on the inside. Then the inside router would have a default route to the inside interface of the outside router. I would like to be able to do this with one router if possible. I found a configuration example on Comcast's web site which I am attaching. They are using the /29 for NAT. This all seems good, but what I don't get is: since there are no IP addresses assigned from the /29 on any interfaces, what do I use for a default route for clients using IP addresses in the /29 range?
Comcast-Example-Configuration.txt
0
Hi Team,

I am facing an issue with temperature monitoring in Nagios Core 4.1.1 for a Cisco device (ERROR: Problem retrieving OID 1.3.6.1.4.1.9.9.13.1.3.1.2 table: The requested table is empty or does not exist.).

It is working for some Cisco devices, like the 12.4 version, but I get an error for the 15.+ version (ERROR: Problem retrieving OID 1.3.6.1.4.1.9.9.13.1.3.1.2 table: The requested table is empty or does not exist.)

[root@phi-nagios ~]# /usr/local/nagios/libexec/check_snmp_temperature.pl -f  -H 172.29.223.177 --type cisco1 -o F -C 247monitor  -a'.' -o C -w 70 -c 80
OK - . Temperature is 32C | .=32;70;80
[root@phi-nagios ~]# /usr/local/nagios/libexec/check_snmp_temperature.pl -f  -H 172.29.222.162 --type cisco1 -o F -C 247monitor  -a'.' -o C -w 70 -c 80
ERROR: Problem retrieving OID 1.3.6.1.4.1.9.9.13.1.3.1.2 table: The requested table is empty or does not exist.
[root@phi-nagios ~]#


Working for the Cisco version below:
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 3800 Software (C3825-ADVSECURITYK9-M), Version 12.4(11)XJ3, RELEASE SOFTWARE (fc1)
Synched to technology version 12.4(11)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled

Not working for the version below:

SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S6b, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2017 by Cisco Systems, …
0
Hello Experts

I have an issue and I count on you to help me. I am working for a client to configure Exchange Hybrid and Lync Hybrid.
The client has a Cisco ASA where some services are NATed, like OWA etc.
But before, he was using only on-premises services.

I want to know what I should configure in the Cisco ASA to communicate effectively with O365.

I was not concerned about this ASA issue until I experienced some problems with certain services like Free/Busy, or a migrated Lync Online user not being able to speak to an on-premises user.

And the configuration seems to be OK.

Rgds
0
Hi
Cisco ASA 5506-X. I mistakenly deleted the boot file; I meant to delete the ASDM version :-). So I can only boot into ROMMON. I have seen many articles about using TFTP in ROMMON to copy an image, but the problem I have is that the ASA interfaces are down. No link light. My Ethernet cable shows as not connected, so my TFTP server is not listening. I have tried using a normal patch cable directly between my PC and the ASA, and also plugging both interfaces into a switch.

Does anyone know how to fix this?

Thanks very much.

Alasdair
0
Cisco ASA 5520 with AnyConnect VPN authenticated via LDAP. I'm trying to tighten my security down by limiting which users are allowed. I've taken a test user out of the two groups defined by my dynamic access policy and the user is still allowed to connect in. Why?

I have four pictures attached explaining my situation as I understand it:
1) My LDAP Attribute map shows "Users" or the "<Location> Users" OUs/Containers are mapped attributes.
2) My Dynamic Access Policy shows users that are a member of the "Administrators" OR "<Company Name> Company" group are allowed to continue.
3) A test admin user that's been removed from the "Administrators" group & has never been a part of the "<Company Name> Company" group.
4) A normal-level test user that's been removed from the "<Company Name> Company" group & has never been a part of the "Administrators" group.

Both of these users can VPN in fine. Why? Any help is appreciated.
AnyConnect_LDAP-Attribute.JPG
AnyConnect_Dynamic-Access-Policy.JPG
Anyconnect_Admin-Groups.JPG
Anyconnect_Test-Groups.JPG
1
Hello,

My question is angled from a purchasing perspective.
Cisco brand SFP & SFP+ modules are priced at more than a hundred times the price of 3rd-party SFP/SFP+ modules.
I'm also aware that even Cisco brand SFP/SFP+ modules don't work in just any Cisco brand switch.
My question is: how picky are Cisco switches such as the IE4000 and IE5000 series with 3rd-party SFP/SFP+ modules (such as FS, Axiom, SmartOptics)?
These 3rd-party vendors like to use the same model number as the Cisco brands, so they are assumedly close in operation to the Cisco brand SFPs. They've been 'tested' and work interchangeably in some models of switches. How safe is it to assume that they will work?
At the relative price points, it's worth a buy-and-try approach, but I'm looking for some insight or experience from others as a benchmark.
Thank you,
0
Hi
We are having issues with pushing out applications (using PDQ by Admin Arsenal) to remote VPN clients (Win10).

Overview:
Currently we have three sites, two using on-premise Cisco ASA firewalls that provide VPN access via the old Cisco VPN client, and another site that is an MPLS core (which the other two sites will link to in the coming months). The MPLS core is a Cisco 5512 and that's using Cisco AnyConnect VPN.

All three sites are on the 10.255.255.0, 10.255.254.0 and 10.255.253.0 ranges.
On-prem DNS has reverse lookup zones added for the three 10. ranges.

I think the issue has arisen since migrating one of the sites from on premise configuration to MPLS, but this could just be coincidence.

The remote VPN clients can browse the PDQ servers by UNC, but the server cannot connect the other way.

We can nslookup, tracert and ping fine from the server.

If the remote machines connect to either of the corporate LANs (some are connected over site to site VPN) PDQ can deploy fine (we can UNC to the client also).

We suspect this is firewall related, but the management company cannot find a fix.

Ideas?
0
Hi,

I need to add Cisco 2960 and 3560 switches in GNS3 for practice; kindly suggest how this can be done.
0
My office has many Cisco switches and routers. What is the best centralized tool/software to monitor/control the Cisco routers and switches?
0
Hello, I have a WS-C2960S-48FPS-L that is not turning on at all. Someone told me that it costs around $5,000; how true is this? And how?
0
I currently have a WatchGuard Firebox in place and have recently purchased a Cisco Catalyst 2960 to serve as our primary switch. Our WatchGuard currently manages our WAPs (also WatchGuard), which have a private and a public Wi-Fi network segmented through the use of VLANs.

I'm extremely new to Cisco and I'm trying to determine how I would go about configuring the ports on the switch to pass along all VLAN traffic, which should allow the WAPs to continue functioning.
0
How can you determine what is causing noise at a Cisco 3700 Wireless Access Point? We are running into issues where clients will drop when the SNR decreases due to a spike in noise. How can one troubleshoot?
0
I asked this question concerning Cisco Wireless and restricting Wi-Fi users to specific OUs within my Active Directory. The response I got was: "Set your base OU to the "main" OU, set deny read permissions to the OUs you do not want for the account the WLC is using to connect, and problem is solved." I've created a test OU, placed a test user in this OU, denied the account I've set up for my WLC full control on this OU, and yet the user can still connect to the Wi-Fi. What am I doing wrong?

I've attached two sanitized screenshots showing my LDAP config on my vWLC and the Security properties on my test OU. Any help is appreciated.
CiscoWifi.JPG
CiscoWifi_2.JPG
0
Dear Experts,

I need to edit an external ASA 5506W interface using VLAN 50 so it can work with AT&T.

I am not able to use SSH, please don't ask. I can only use the ASDM from a Windows laptop with no internet access.

Does anyone know the steps on how to get this? AT&T will not see the ASA until the interface is VLAN tagging with VLAN 50.

I created VLAN 50, yet the actual interface still does not manage to ping the AT&T gateway. I have it as a subinterface...

My Linux laptop does not manage to SSH to the ASA. That way it is hard to paste some configuration for your review.

Interface GigabitEthernet1/1 "", is up, line protocol is up
  Hardware is Accelerator rev01, BW 1000 Mbps, DLY 10 usec
      Full-Duplex(Full-duplex), 100 Mbps(100 Mbps)
      Input flow control is unsupported, output flow control is off
      Available but not configured via nameif
      MAC address b4de.31cb.8bb2, MTU not set
      IP address unassigned
      3 packets input, 764 bytes, 0 no buffer
      Received 0 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 pause input, 0 resume input
      0 L2 decode drops
      4224 packets output, 377294 bytes, 0 underruns
      0 pause output, 0 resume output
      0 output errors, 0 collisions, 0 interface resets
      0 late collisions, 0 deferred
      0 input reset drops, 19 output reset drops
      input queue (blocks free curr/low): hardware (1020/1020)
      output queue (blocks free curr/low): hardware (1023/1017)
Interface GigabitEthernet1/1.50…
0
Hello,

A client has a single location network spread across several floors. The tech they had earlier configured their network with a class A 10.0.0.0/8. They've run this for a decade and are now looking to make it more efficient. They only have 300 users, a couple of hundred other devices like printers, scanners, UPSes etc on a single VLAN. They do have a DMZ VLAN with its own class C 192.168.0.0/16. They are planning on bringing in VOIP on its own VLAN (IP scheme undecided yet). It's a Cisco shop with ASAs and catalysts running the network.

What would be your suggestion/plan please?

Thank you.
0
RDS - encryption error...

Getting this on a laptop frequently this morning, connected over remote VPN.  

Also get it a few occasions when the user worked on a different machine over site to site VPN tunnel.

Server 2016.
Clients Win10 1803.
Site to site VPN - Cisco ASA 5505
Remote VPN: Cisco client and more recently Cisco AnyConnect.

Ideas?
0
Need help changing WAN side on Cisco 2900 series.
0
We have a newly purchased switch which needs to have its current firmware backed up and also to upgrade the firmware.

Before I plug in the RJ45, I realized that we don't have the copper SFP. I have not tried the management port yet.

Am I right to say that other than adding an SFP... I tried to insert a USB flash drive, but it says removed usbflash0.

What do I need to do to the USB, or what other options are there to back up the IOS software and upgrade its IOS software?
0
Is there a method other than individually copying out the files from the switch?

I know downloading from Cisco can also be done, but is there no other way to Toto the files as a package into a bin tar file?
0
Hello experts,

I wanted to start out by saying I am not a Cisco ASDM expert.

Now that I have that out of the way, I have a question.

When I connect to our ASDM either directly, or when I make a VPN connection, there is a certificate warning.  It warns that the connection may not be safe and asks if we want to download a temporary certificate.  It has always been like this since I have been here (4 years), I did not set this up.

Currently and for over a year I have a proposal to management to get our new ASDM installed to replace our out of date one.  It is still not approved.

I found this article here:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107956-renew-ssl.html

to look into what I need to do to either renew our certificate or install a new one, or to at least present to management to see if we want to, since we are moving to the other one. In going through this article, I am not seeing ANY CERTIFICATES installed on our ASDM.

So are we not secure?

I am so confused about how to go about either getting us secure and getting us a new certificate, and/or also proving to them they never purchased one. I can confirm that among the certificates I have managed since I have been here, there isn't one for our ASDM.

Thank you,

Karen
0
There is a Cisco WLC 2504, firmware 8.5.103.0. With external web authentication there was an error:
*webauthRedirect: Jun 03 14:23:13.832: %EMWEB-6-PARSE_ERROR: webauth_redirect.c:1477 parser exited. client mac= e0:2c:b2:3d:42:45 bytes parsed = 0 and bytes read = 216
*webauthRedirect: Jun 03 14:23:13.832: %EMWEB-6-HTTP_REQ_BEGIN_ERR: http_parser.c:579 http request should begin with a character
*webauthRedirect: Jun 03 14:22:09.084: %EMWEB-6-PARSE_ERROR: webauth_redirect.c:1477 parser exited. client mac= e0:2c:b2:3d:42:45 bytes parsed = 0 and bytes read = 216
*webauthRedirect: Jun 03 14:22:09.084: %EMWEB-6-HTTP_REQ_BEGIN_ERR: http_parser.c:579 http request should begin with a character
*webauthRedirect: Jun 03 14:21:39.053: %EMWEB-6-PARSE_ERROR: webauth_redirect.c:1477 parser exited. client mac= e0:2c:b2:3d:42:45 bytes parsed = 0 and bytes read = 216
*webauthRedirect: Jun 03 14:21:39.053: %EMWEB-6-HTTP_REQ_BEGIN_ERR: http_parser.c:579 http request should begin with a character1770264

While loading:
*nmspRxServerTask: Jun 03 23:45:54.311: %NMSP-6-SOCK_BIND_SUCC: locp_task.c:2495 NMSP Socket bind . socket: 68. bind success  trying 0
*osapiReaper: Jun 03 23:45:47.734: %OSAPI-5-CLEAN_TASK: osapi_task.c:3581 Reaper cleaning up exited task 'autoInstallTask' (0x1b78e210)
*nmspTxServerTask: Jun 03 23:45:47.717: %NMSP-6-NMSP_CONNECTION_START: locp_https_conn.c:2426 NMSP Init. Received CMX service Config Init Request
*spamApTask1: Jun 03 23:45:32.770: …
0