
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Main office A and office B have a VPN tunnel between the two locations via a Cisco RV325 at both locations. The VPN stays connected other than occasionally dropping. We recently configured VPN clients using Netgear VPN client software. When the clients connect to the VPN, the tunnel between Office A and B is dropped. The client that is connected via the VPN software can open the tunnel but can't access any of the network resources. If the 325 is rebooted the connection is restored between office A and B. Cisco is updated with the latest firmware on both units.
0
I am not an expert in Cisco. I am just configuring VLANs in my network.
I have created 2 more VLANs other than the native VLAN: VLAN 9 with IP 192.168.9.1, VLAN 10 with IP 192.168.10.1 and VLAN 1 (default) with 192.168.0.254.
Now VLAN 9 can reach VLAN 10 and VLAN 10 can reach VLAN 9. But VLAN 9 and 10 cannot reach VLAN 1 IPs. Now I would like to have communication between all these VLANs.
I would like to route all traffic to the Fortinet firewall except internal IP traffic. Attached configuration.
Is there anyone who can guide me on how to have inter-VLAN communication as per best practice?
GTSwitch.txt
0
I am not an expert in Cisco. I am just configuring VLANs in my network.
I have created 2 more VLANs other than the native VLAN: VLAN 9 with IP 192.168.9.1 and VLAN 10 with IP 192.168.10.1.
Now VLAN 9 can reach VLAN 10 but VLAN 10 cannot reach VLAN 9. Is there anyone who can guide me on how to have inter-VLAN communication as per best practice? Attached configuration. Once I am done I need to configure traffic to the firewall for internet access.
GTSwitch.txt
0
Hi everyone

Hope you can help

I have a parent/child domain test environment. I'm trying to block specific ports between the parent/child clients.

So parent domain clients are on 10.10.10.0/24, child on 10.10.11.0/24.

My ACL looks like below:

ip access-list extended DENY_FILE_AND_LDAP
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 139 ace-priority 20
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 389 ace-priority 40
deny tcp 10.10.10.0 0.0.0.255 any 10.10.11.0 0.0.0.0 445 ace-priority 60
permit ip any any ace-priority 80

This is bound to the child domain VLAN:

interface vlan 20
name CHILD.DOMAIN_TEST
ip address 10.10.11.254 255.255.255.0
service-acl input DENY_FILE_AND_LDAP

I'm trying to block those ports from being open on the child domain clients but it doesn't seem to be working.

Port 389 is LDAP.

Ports 139 and 445 are Windows file share.

It's not working.

Any thoughts?

Thanks

Jason
0
Dear Experts, I saw this error in the logging of a Cisco Router C3925. Could you please suggest and explain?

The Src address is the public IP address of this router (and it was hidden), and the Dest address is the access point's private IP address. This is a diagram:

ISP --------- Router C3925 ------------ Core switch 3750 -------------- Access switch 2960 ------------- Access point Meraki

Many thanks as always!
0
I have a Cisco 3845 running 15.1(4)M12a.

It is consistently running at +85% cpu utilization.  Here is an image of what we see:

GW1.PNG
I do not see anything over 1%. Any ideas what else can be causing such a huge tax on the CPU and how I can track it down?
0
Hi,

We have a Cisco CISCO2921/K9 VG router in the office. It's unable to synchronize with NTP. Below are the outputs. Any help will be much appreciated.

INBUPPVG501#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 249.9984 Hz, precision is 2**24
reference time is 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 21.24 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000006402 s/s
system poll interval is 64, never updated.

INBUPPVG501#sh run | sec ntp
ntp authentication-key 10 md5 097A1F5C292928300A02032624362D 7
ntp authenticate
ntp trusted-key 10
ntp access-group peer 10
ntp update-calendar
ntp server 10.85.91.5 key 10

INBUPPVG501#sh ntp associations detail
10.85.91.5 configured, authenticated, insane, invalid, unsynced, stratum 16
ref ID .INIT., time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 1024
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15940.24
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50
precision 2**24, version 4
org time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
rec time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
xmt time DE520F2F.5A63DFE1 (14:19:51.353 IST Tue Mar 13 2018)
filtdelay =     0.00    0.00    0.00    0.00    0.00    …
0
Hi,
I have a client who's got a Cisco 1921 and they are upgrading the internet to a fibre connection with a static IP.
Is there an easy way to configure it? GUI setup for this model?
May I have the steps to change this?
By the way, they are going to connect to the Fibre 400 which could give them up to 400mbps. Can this router handle this? The spec seems to be ok but a friend of mine said this model is good up to 100mbps only. Is that the case?

Our Cisco guy is on holiday for two weeks and I personally have no experience with this Cisco, so I'm struggling...

Any help is much appreciated.

Thanks
Jason
0
Hi Community.

We are deploying a 10Gbps connection between two of our locations.

To establish the connectivity we are using a C3850-24XS with IP Services either side of the circuit.

We need to establish multiple routing domains (distinct routing tables) to separate trusted and untrusted traffic. With this in mind we were thinking that it would be best to establish a trunk between the sites and use Vlan SVIs between the two sites, using /30 IP addresses either end.

I need to restrict the amount of bandwidth for each routing domain and was wondering if I could enable shaping for traffic egressing the Vlan from either side of the connection?

I can't find a lot of information regarding this in the design guides or forums. There is lots of information related to physical interfaces and sub-interfaces but not a lot relating to SVIs.

Is this even possible?
Topology.JPG
0
Hi,

I have a Cisco router RV016 with two WANs configured and working fine. My problem is that some sites like banks block access when the connection changes from the IP of WAN1 to the IP of WAN2. How can I configure the router to use any WAN, but stay on that WAN, without changing until another connection?

Thanks
0
I am moving 15 voice/data lines from a Netgear switch to a Cisco SG200 managed switch.  The voice is web based.  I have only 1 vlan on the cisco switch which is the default vlan1.  I can connect the Cisco switch to the Comcast router and can log in to both.
When I move an Ethernet connection from the Netgear port to a Cisco port the router sees the move as does the Cisco switch when I log in to both. My problem is correctly configuring the voice on the vlan. I have tried Auto Voice Vlan with the Smartport however I'm not getting anywhere so I'm missing some things I'm sure.
I have been in IT for quite a while but the majority of my experience is in hardware repair, desktop support, some windows server mgmt and basic network configuration and setup. I've never worked with a managed switch before or voip and while it's over my head I'm confident that I can get this with some assistance. (It took me quite a while to get as far as I am)
Any help would be greatly appreciated as always.
0
Will this work for a Cisco Expressway install using an IOS router as the firewall?

interface GigabitEthernet0/0
 description Internal LAN
 ip address 192.168.0.250 255.255.255.0
 ip access-group OutboundInternet in
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Fiber Internet Connection (Primary internet access)
 ip address 50.206.31.130 255.255.255.248
 ip access-group Internet in
 ip nat outside
 ip nat enable
 ip inspect HQ-INPECT-OUT out
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex full
 speed 1000
 ntp broadcast client
 crypto map VPN
!
interface GigabitEthernet0/2
 description EXPRESSWAY
 ip address 172.29.2.24 255.255.255.0
 ip nat outside
 ip nat enable
!
!
object-group network LocalEXPRESSWAY
 172.29.2.0 255.255.255.0
object-group network RFC1918Private
 10.0.0.0 255.0.0.0
 172.16.0.0 255.240.0.0
 192.168.0.0 255.255.0.0

object-group service VOIP_DMZ
tcp 80
tcp 443
tcp 22
tcp 161
udp 123
tcp range 3000-35999
tcp 389
tcp 636
udp 514
udp range 3000-35999
udp 1024
udp 53
tcp 6970
tcp 8443
tcp 7400
tcp 2222
tcp 7001
udp range 36000-36001
udp 3478
udp 1024
udp range 36002-59999
tcp range 25000-29999


ip access-list extended Guest_2_WAN
 permit tcp object-group LocalEXPRESSWAY any

ip access-list extended privateToPublic
 permit object-group VOIP_DMZ …
0
Here's the design in bullet form:

• The existing core switching is 1-Gbps (a couple of Cisco Catalyst 3650 48-port stacked switches, almost at full density), and the new 10-Gbps switches are Cisco Catalyst 3850 SFP+.
• The 3850s have UCS servers (as well as Veeam backup, etc.) connected at 10-Gbps, but are connected to the core switching at 1-Gbps.
• The 3850 SFP+ interfaces connecting to the core 3650s are configured for 1-Gbps operation.
• The core 3650s are connected to ASA firewalls at 1-Gbps, which provides a DMZ for externally-facing applications.

It turns out that a majority of server-to-server traffic is between internal SQL instances and public resources (web & application tiers) in the DMZ, so the traffic goes 10-Gbps from ESXi to the 3850s, then has to be sent over 1-Gbps to the core 3650s towards the DMZ. When we first tried to cutover to this deployment, all server access pretty much stopped. Troubleshooting revealed that the outgoing interfaces on the 3850s were exhibiting an extremely high number of interface drops/discards. Since then, the customer is only extending very limited backup traffic (a couple small applications) over these connections, and the interface discards are still outrageously high. (Not sure if related, but the 3850 switches are also running unexpectedly high CPU utilization of 70%, and again, aren't handling most of the server traffic yet.)  As you can see in the design diagram below, the ESXi environment still has multiple 1-Gbps …
0
I am using a Cisco ASA 5505 Sec Plus Version 8.2(5). My ISP has provided me with two subnets. The first is a WAN /30 which provides the peering between my ISP and the outside interface attached to the ISP handoff. The second IP subnet is a LAN subnet, a publicly routed /28. I have assigned the single usable IP from the /30 to the outside interface of my ASA to access the internet. I am able to route the /28 as needed through ACLs and NATs. I am installing a hosted VoIP system that needs to assign one of the IPs from my /28 to its WAN interface. Normally I would just use a layer 2 switch and set this device up parallel to my ASA. Since everything is behind the /30, however, this is not possible. I must place the VoIP device behind my ASA. So I need to route incoming traffic being sent to a specific IP in my /28 block to the VoIP device behind my ASA. Let me know if additional details are needed. Thanks.
0
Two Cisco switches connected via a trunk port. I can ping all VLAN gateways from the core switch which has got the route defined. On the second switch I cannot ping any of the VLAN IP addresses. This happened after a cable rearrangement. On the second switch I have clients connected via IP phones and they are working ok, however.

Any advice?

vlan 10 - 192.168.10.x
vlan 30 - 192.168.30.x
vlan 20 -192.168.20.x
vlan 80 -19.168.80.x

The gateway of last resort is set up on the main switch to 0.0.0.0 192.168.80.1. I can see all VLANs allowed via the trunk port. I can't see any problem with cabling either.

Both are Cisco switches.
0
Hi Everyone,

I was wondering if anyone can help or advise? Unfortunately I feel I'm running out of ideas at the moment, and so if anyone can help it would be very much appreciated.

Recently I've set up a 365 hybrid deployment with Exchange 2013 to use AD SSO for our VLE and to gradually move over our organisation's users and decommission the Exchange server.

Unfortunately I'm having difficulties getting the Exchange Online connectors to communicate correctly with our on-premise. After using the Hybrid Deployment wizard the connectors are set up automatically but point to our council/ISP TMG server. As the connectors require a direct connection I have asked them to set up a public IP/address for our on-premise Exchange server for the connector to use. When trying to validate this connector I receive the error log:

450 4.4.317 Cannot connect to remote server [Message=451 5.7.3 STARTTLS is required to send mail] [LastAttemptedServerName=*server*] [LastAttemptedIP=*ip*] [*EUR02.prod.protection.outlook.com*]

There are Cisco routers but I have been advised that no SMTP inspection is taking place between any of the routers. Using telnet on my desktop to our on-premise shows that STARTTLS is there but when trying it from our Offsite backup server it shows the following:

250 - *on-premise exchange* hello [IP]
250 - SIZE 104857600
250 - PIPELINING
250 - DSN
250 - ENHANCEDSTATUSCODES
250 - 8BITMIME
250 - BINARYMIME
250 - CHUNKING

We have a Sonicwall NSA3600 …
0
I have a Cisco 3650 running 16.3.5b LAN Base. I want to disable the login but prompt for the enable password when connecting via the console cable. I am using AAA for SSH access. The "no login local" command isn't an option.

aaa group server tacacs+ Clear_Pass
 server XXX.XXX.XXX.XXX
 server XXX.XXX.XXX.XXX
 server-private XXX.XXX.XXX.XXX timeout 3 key 7 PASSWORD
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface Loopback1
!
aaa authentication login default group tacacs+ local enable
aaa authorization exec default if-authenticated
aaa authorization network default if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+

username cisco privilege 15 password 7 CISCO

line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 privilege level 15
 logging synchronous
 transport input ssh
line vty 5 15
 privilege level 15
 logging synchronous
 transport input ssh
0
Cisco Site to Site VPN Authentication

I would like to know, for instance: I have 2 separate companies, CompanyA and CompanyB, linked by a Site to Site VPN. Users from CompanyB are supposed to remote in and use applications in CompanyA.

In this case how do you make a user from CompanyB authenticate to CompanyA and use their resources? Do they need the Cisco VPN Client? If so, is CompanyA able to add additional factor authentication, like an RSA token, or is it not necessary? Worth mentioning that CompanyA uses Active Directory.

Any clarification will be very much appreciated.

Thank you
0
Need assistance in getting into this switch that someone before me attempted to configure.
0
Cisco ASA 5505 and 5506-X Multiple Site-to-Site VPN Question

I am trying to figure out how to do this, config-wise.

I have multiple sites and am trying to accomplish the following for ease of use and licensing.

We have our main office (MAIN - 1.2.3.4)

We have branch office (B - 2.3.4.5)

We have branch office (C - 3.4.5.6)

Looking to get hub and spoke configured so that only branch offices have to VPN connect to the main office rather than mesh VPN (we have a lot more offices).

Currently we have some set up as MESH and I am trying to change over to hub and spoke so that BRANCH B and BRANCH C can talk to each other without having to be connected directly to each other.

Anyone have a config example? I have tried setting this up but I am at a loss.

I have added the IP networks to the access-list and added them to the VPN as well.

NO traffic getting through for branch to branch.
0
I have configured RADIUS authentication using IOS 12.4. I'm very new to the RADIUS configuration using IOS 15.3. I have a Cisco Catalyst 6807-XL switch which I need to configure to authenticate using RADIUS but it doesn't seem to work. The authentication using local database works fine though.
0
In our data center I currently have Dell Force 10 core switches and a Cisco 4506e chassis with 4 48 port modules in it.  I am using 161 ports in the 4506 chassis.  While no EOL has been determined on the 4506 chassis I am looking to replace it since it is approaching ten years old.  This used to be a core switch until the Force 10 switches were installed two years ago.  The core switch is also the VTP server for the environment.   If it helps, I am considering the 4506e to be a hybrid switch (distribution and access) since it has trunk ports to other smaller access switches in the building plus regular ports on various VLANs for hosts.   Looking for some suggestions for a Cisco switch setup that can handle 192 connections (leaves me wiggle room) and possibly budget friendly.  All of our other access switches in the building are Cisco 2960 48 port with a couple of locations being a stacked pair.
0
Hi, I wish to know which 1841 Cisco router I should purchase so I can use it with the SDM or ASDM software?

I've been viewing the following:

https://m.ebay.co.uk/sch/i.html?_from=R40&_trksid=m4084.l1313&_nkw=1841+cisco+router
0
Hi, I wish to use the SDM or ASDM or CCP software and have been looking at the following 2841 Cisco routers as they should be compatible.

I wish to know which one would be the best to purchase?
0
Hi Experts,

We currently have inherited a Cisco 891F router/firewall that we need to allow a certain group of inbound IPs over SMTP (port 25) into our mail server.  The router is currently configured for allowing the existing spam filter service to a certain IP range through an object group and is currently functional.

object-group network Spam-Filtering
 description Spam-Filtering
 208.xx.xx.0 255.255.248.0

The object-group is defined later in the config under the following command for allowing it through to the WAN IP address.

permit tcp object-group Spam-Filtering host 71.xx.xx.179 eq smtp

Trying to use the existing configured object group, I've tried adding the following command (in config mode), followed by each IP address that needed to be added to the group. I ran the 'show run' command to confirm the host addresses have been added into the object-group.

object-group network Spam-Filtering
92.xx.xx.74 255.255.255.255
69.xx.xx.226 255.255.255.255

However, traffic was still not coming through from our spam filter provider. Eventually, I ended up trying to allow all inbound IPs to pass through with the following command, but was still unable to get traffic to come through into our mail server. I attempted to use 'telnet 71.xx.xx.179 25' to test but would not get a response externally.

permit tcp any host 71.xx.xx.179 eq smtp

Are there any steps or commands I may be applying incorrectly to allow the external IPs to pass through the router?    …
0