Cisco
Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I'm adding VOIP on an existing site that uses either Cisco SRW20xx or SG300-xx switches.  I'd like you to comment on my plan for doing this:

The VOIP will be coming in from the internet on its own connection / firewall and will be using a separate local area subnet.
It will generally be distributed through all the switches unless there's no phone at all, just computers or network devices.

There is a central LAN switch that feeds into other switches in cascade.  I will refer to this as the TOP switch here.

My plan for the downstream switches is this:
Assign VOIP VLAN 100 to all the switch ports along with the Default VLAN 1.
Trunk all the switch ports.
Tag VOIP VLAN 100.

My plan for the TOP switch is this (there being only Default VLAN 1 and VOIP VLAN 100):
Trunk all the switch ports that feed downstream switches.
Trunk any switch ports that directly feed a VOIP phone.
Leave any other ports on Default VLAN 1 in Access Mode.
Assign VOIP VLAN 100 to a single switch port that goes to the firewall.  
Make this a General Mode port joined to VOIP VLAN 100.
Manually tag this port <<< is that right?
Internet Port Setting / Tagged
The VOIP firewall won't have any VLANs set up, just a generic LAN.

Since I've never done this before, I'm a bit unclear as to whether the VOIP firewall port needs to be tagged or not BUT the port sure needs to be part of the VOIP VLAN 100 ONLY with no interVLAN routing / connection.  I want the traffic on the two VLANs to be completely …
0
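One way to lay this out on the SG300 CLI, added here as an example and not part of the original post (the SRW models are web-managed, but the same three port modes apply there). Interface numbers are assumptions, as is leaving the switch in its default layer 2 system mode so it has no SVI in VLAN 100 and cannot route between the two VLANs. The same trunk settings go on every port of the downstream switches.

```cisco
! SG300 TOP switch, layer 2 system mode (the default): no IP interface in
! VLAN 100, so the switch itself never routes between VLAN 1 and VLAN 100.
vlan database
 vlan 100
exit
!
! Uplinks to downstream switches: VLAN 1 untagged (native), VLAN 100 tagged.
interface range gi1-4
 description DOWNSTREAM-SWITCHES
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 100
!
! Ports that feed a phone directly: the same trunk. The phone tags its own
! frames with VLAN 100 and passes the PC's untagged frames through on VLAN 1.
interface range gi5-20
 description PHONE-AND-PC
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan add 100
!
! Port to the VoIP firewall: the firewall has no VLAN configuration, so it
! must send and receive untagged frames. An access port puts every untagged
! frame into VLAN 100 and drops tagged frames, so VLAN 1 never reaches it
! and no "general" mode or manual tagging is needed on this port.
interface gi24
 description VOIP-FIREWALL
 switchport mode access
 switchport access vlan 100
!
! Ports with only PCs or other data devices stay access ports in VLAN 1.
interface range gi21-23
 switchport mode access
 switchport access vlan 1
!
! Verification: gi24 should be listed under VLAN 100 as untagged, the trunk
! ports under VLAN 100 as tagged and under VLAN 1 as untagged.
! show vlan
! show interfaces switchport gi24
```

The isolation comes from two facts: the switch has no routed interface in VLAN 100, and the only path between the VLANs is whatever device is plugged into a port that belongs to both, which in this design is none. If the switch is ever moved to layer 3 system mode, check that no IP interface is created for VLAN 100, or the switch will route between them.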
TLDR: after a period of time, ARP from devices in a layer 2 connected VLAN quits registering on our SD-WAN edge device, stopping them from traversing that edge or being routed by that edge.

Hardware:
SD-WAN edge:  Velocloud Edge 540 (problem has persisted through numerous firmware revisions)
Cisco Stack:  1 Cisco SG500X-48 and 5 Cisco SG500X-48P’s connected loop/chain stack configuration using SFP+ fiber connectors. (also firmware updated more than once).

Configuration:
VC is the router/firewall SD-WAN with redundant internet connections that establishes edge to edge IPSEC tunnels and tunnel to our internet gateway.
The Cisco stack connects 10 VLANs to the VC but is not doing any routing or firewall activities.  The Cisco has 2 management IP interfaces in those VLANs (1 and 318); the rest are purely layer 2 connected.
Cisco interface to VC is set:
interface gigabitethernet1/1/8
 description VC-StackConnection
 switchport trunk allowed vlan add (necessary vlans)
 switchport default-vlan tagged (default-vlan being 1)


The VC is set:
Mode: Trunk
Drop Untagged


Symptoms:
After an unspecified amount of time (2 weeks to 6 weeks) at our HQ location where the equipment is located, most or all of the devices in some of the layer 2 connected VLANs cannot communicate externally.   Internal communication works as expected (same broadcast domain) for the most part.   Sometimes…
0
I want to configure a port on a cisco catalyst 2960 to use a particular vlan without a role.

When I try to do this in the GUI I cannot configure the port VLAN without assigning it a role.   When I try to de-select a role in the Smartports section, it clears my VLAN assignment and checks "assign selected role to all ports". Can someone give me the command line for configuring the port in a PuTTY session, or tell me how to configure it in the GUI?
0
I work in a corporate environment and recently we ran into some issues that raised some questions.

We are a huge international company with millions of end point devices. We are tiered with the central office controlling satellite offices and then the satellites feed the local sites of 250+ devices. We recently had a failure of the main offices double-failover which caused most satellites to have failover failures as well.

I had noticed for the past few months that the end points were behaving erratically, startup signal without any signal issued which I suspected was software corruption or bad cables both are recurring nightmares.

The main question, is it possible for nexus and catalyst devices to store and forward and fail to erase the successfully transmitted packets and days later on a 80% utilized gigabit network start to retransmit those packets. The switches are old and most have flash failures and have to be chain loaded when started up.

I did notice after the site restart that the endpoints worked as designed. I also heard that the switches were out of memory during the network outage and the voip phones worked with some issues during the outage.
0
Hi Experts,

I keep getting the following messages on the Kiwi syslog server from the Cisco ASA firewall. I am trying to figure out why these are being generated and how I can get more clarity on them.

11-30-2017      10:42:42      Local4.Warning      10.x.x.x      Nov 30 2017 15:42:42 ciscoasa : %ASA-4-733100: [ Scanning] drop rate-2 exceeded. Current burst rate is 2 per second, max configured rate is 8; Current average rate is 20 per second, max configured rate is 4; Cumulative total count is 74899


This is my current config

FW# show run | i log
logging enable
logging timestamp
logging buffer-size 500000
logging buffered debugging
logging trap notifications
logging asdm informational
logging device-id hostname
logging host inside 10.x.x.2
logging host inside 10.x.x.26
logging permit-hostdown
logging class config buffered debugging

FW# show run all threat-detection
threat-detection rate dos-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate bad-packet-drop rate-interval 600 average-rate 100 burst-rate 400
threat-detection rate bad-packet-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate acl-drop rate-interval 600 average-rate 400 burst-rate 800
threat-detection rate acl-drop rate-interval 3600 average-rate 320 burst-rate 640
threat-detection rate conn-limit-drop rate-interval 600 average-rate 100 burst-rate 400
0
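An added example, not taken from the poster's config, showing where that message comes from and how to run it down. %ASA-4-733100 is basic threat detection reporting that the drop rate in the named category (Scanning) exceeded a configured threshold. "rate-2" is the second, 3600-second interval; its ASA defaults are average 4 and burst 8 per second, which are exactly the "max configured" numbers in the message, and the reported average of 20/s over an hour (about 72,000 drops) agrees with the cumulative count of 74,899. The rate values below are the ASA defaults for that category; the host-statistics, shun and 198.51.100.0/24 exception lines are mine to illustrate the options:

```cisco
! Both scanning-threat intervals with current vs configured rates
show threat-detection rate scanning-threat
!
! What is actually being classified as a scan: the ASP drop reasons and the
! busiest sources. Per-host statistics cost CPU and memory, so enable them
! only while investigating on a busy unit and remove them afterwards.
show asp drop
threat-detection statistics host number-of-rate 1
show threat-detection statistics top host
show threat-detection statistics top access-list
!
! Option 1: the drops are from a host you know about (a vulnerability scanner,
! a monitoring system): raise the interval-2 thresholds above its average.
threat-detection rate scanning-threat rate-interval 3600 average-rate 25 burst-rate 50
!
! Option 2: treat the sources as hostile and shun them automatically, with
! your own scanner/monitoring subnet excluded so a false positive cannot
! lock out your own tooling.
threat-detection scanning-threat shun except ip-address 198.51.100.0 255.255.255.0
threat-detection scanning-threat shun duration 600
show threat-detection shun
!
! If the drops prove harmless and you only want them out of the Kiwi feed,
! lower the message below the syslog host level (trap notifications = 5);
! it still lands in the local buffer, which is at debugging.
logging message 733100 level informational
```

The order matters: look at the drop reasons and top hosts before touching thresholds or shun, because a steady 20 drops per second from the outside is exactly what a slow scan looks like and raising the threshold would hide it.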
I have a small office with one VLAN.  There are 15 IP phones and 15 PC's that plug into a Cisco 3560G switch.  The phones and PC's are on the same VLAN.  The phones are provided via a hosted VOIP provider.  Lately we have been experiencing voice quality issues.  The hosted VOIP provider has asked us to prioritize the voice traffic so it has priority over all other traffic out to the WAN.  My network is very simple and looks as follows:

Cable Modem----------Cisco 2911 Router-----------Cisco 3560G switch (phones and PC's plug into this switch.)

Could someone please send me a sample config on how to accomplish this?  Thank You!
0
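A starting configuration for the topology in the post, added here as an example rather than the poster's or the provider's config. Interface names, a 5 Mbit/s cable upstream rate, and the assumption that the hosted phones mark media DSCP EF (46) and signalling CS3 or AF31 are mine; confirm the provider's markings before relying on them. The security point to keep in mind: with phones and PCs in one VLAN, trusting DSCP on every port means any PC can mark its own traffic EF and claim the priority queue, so the priority class is capped (priority percent does that) and, if the provider publishes its media address range, matching on that range is stricter than trusting the mark.

```cisco
! ---- Catalyst 3560G: keep the phones' DSCP marks ----
! "mls qos" turns QoS on. Once it is on, ports are untrusted by default and
! rewrite DSCP to 0 on ingress, so the ports carrying phones must trust.
mls qos
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 1
 mls qos trust dscp
!
! ---- Cisco 2911: priority for voice toward the cable modem ----
class-map match-any VOICE-MEDIA
 match dscp ef
class-map match-any VOICE-SIGNALLING
 match dscp cs3
 match dscp af31
!
! Child policy: a strict-priority queue for media, limited to 30% of the
! shaped rate so a host marking its bulk traffic EF cannot starve the rest.
policy-map WAN-QUEUES
 class VOICE-MEDIA
  priority percent 30
 class VOICE-SIGNALLING
  bandwidth percent 5
 class class-default
  fair-queue
!
! Parent policy: shape to the ISP upstream rate so the queueing happens on
! the router, where the priority queue exists, and not inside the cable
! modem's buffer, where it does not.
policy-map SHAPE-TO-ISP
 class class-default
  shape average 5000000
  service-policy WAN-QUEUES
!
interface GigabitEthernet0/0
 description TO-CABLE-MODEM
 service-policy output SHAPE-TO-ISP
!
! Verify during a call: VOICE-MEDIA packet counters climb and class-default
! shows drops only under load.
! show policy-map interface GigabitEthernet0/0
```

The shape rate should be a little below the measured upstream rate; if it is set above what the modem can send, the modem's own buffer fills first and the router's priority queue never engages.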
Hi Experts,

Looking to see what I am missing. We have a new location and have one Cisco switch connected to a Cisco router. I have assigned an IP, subnet mask and default gateway to Vlan 1.

From the desktop we can ping out to all subnets(5) including remote desktop to workstations. From a remote subnet back to the new location we can ping the switch and router and access them, but can not access any computers or any devices that are attached to the switch. There are no host firewalls enabled on the computers.

Thanks
0
hello experts
I just set up a WLC to manage my APs; the WLAN authenticates via RADIUS (Windows NPS) and all works well, but I need only one session per user. In other words, one user could only connect one device to my WLAN with the same username/password.
While reading some documents I saw that a previous version (7.3) looks to support this function (see the picture below), but I can't find any related setting in the current version (8.3). Please advise.

thank you

WLC.png
0
Dear Experts, we have this diagrams:

Internet ------ Router ------- Core Switch -------- Catalyst switch 500 ------- users

We have suffered from the slow Internet problem since yesterday, and in the Catalyst log we saw these things:

1.JPG
On the Core switch at that time, the "show processes cpu" show 20% where as normally it is just 8-10%, nothing special in the Router. So can you please suggest? Is it a DoS attack? How can we avoid it on Core switch Cisco 3560?
0
I had this question after viewing PIX 515, Dual ISPs, and dual global NAT statements.  

I have read that the ASA can't support dual ISPs except for failover from one to the other. However, the Cisco ASA 5506-X has new firmware starting at v9.4.1 that states PBR (Policy Based Routing) is a new feature; however, I also read that it doesn't work.

My lab 5506-X died so I can't test, and I don't want to test on a production unit.   What I want to do is very common.   I have two VLANs and I want to route one VLAN through ISP1 and the other through ISP2.   I have attached a network topology.  Has anyone had any success? If so, can you please share your config settings and commands.

Vlan 1     =  Inside     (192.168.1.0 /24 ) - Eth 0/2
Vlan 100 = Phones  (10.1.1.0 /24)          - Eth 0/3
ISP1 = outside    –   (85.85.85.0 /24)      - Eth 0/1
ISP2 =  outside2 –  (75.75.75.160 /29)  - Eth 0/8

Thank you for any help on this, the ASA 5506-x with Licenses is not cheap so this a bummer.

-Vanya
Temp-RHDC-solution.JPG
0
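A policy-based routing configuration for the layout in the post, added as an example; it is not a config from the poster and I have not run it on this model. On the 5506-X the interfaces are named GigabitEthernet1/1 to 1/8, so the post's Eth 0/1, 0/2, 0/3 and 0/8 are mapped to those names. The ISP gateway addresses 85.85.85.1 and 75.75.75.161, the ASA's own outside addresses, and the 203.0.113.10 test destination are assumptions.

```cisco
! Interfaces (post's Eth 0/x labels mapped to 5506-X GigabitEthernet1/x)
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 85.85.85.2 255.255.255.0
interface GigabitEthernet1/8
 nameif outside2
 security-level 0
 ip address 75.75.75.162 255.255.255.248
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet1/3
 nameif phones
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Default route for everything that is not policy-routed (VLAN 1 -> ISP1),
! plus a floating default via ISP2 that only takes over if the ISP1 route
! disappears (add "sla monitor" and "track" to make that happen on loss).
route outside 0.0.0.0 0.0.0.0 85.85.85.1 1
route outside2 0.0.0.0 0.0.0.0 75.75.75.161 254
!
! PBR applies to traffic entering "phones". The deny keeps phone-to-inside
! traffic on the normal routing table; without it "any" would push that
! traffic out to ISP2 too. Whatever the permit matches leaves via ISP2 and
! gets ISP2's NAT, so keep it tight.
access-list PBR-PHONES extended deny ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list PBR-PHONES extended permit ip 10.1.1.0 255.255.255.0 any
route-map PHONES-VIA-ISP2 permit 10
 match ip address PBR-PHONES
 set ip next-hop 75.75.75.161
interface GigabitEthernet1/3
 policy-route route-map PHONES-VIA-ISP2
!
! A NAT rule must exist for each egress interface the routing decision can
! choose, otherwise the phones would leave ISP2 with private source addresses.
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network PHONES-NET
 subnet 10.1.1.0 255.255.255.0
 nat (phones,outside2) dynamic interface
!
! Verify the decision without sending real traffic; the output should show
! the PBR phase selecting outside2 and the (phones,outside2) NAT rule.
! packet-tracer input phones udp 10.1.1.50 5060 203.0.113.10 5060
```

If the phones also need inbound sessions from the provider, they will arrive on outside2 and the ASA answers from the connection table, so no reverse PBR is needed; only new outbound sessions consult the route-map.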
Hello EE,

I have a cisco wireless controller and cisco APs , I was checking interference devices on APs and I see the AP reported interference and provided a device type with RSSI -81.

What can I do to mitigate this type of situation.

Thank you.
0
We have two buildings across the street from one another, one has our network and the other has our customers network.  However we have to put one of our time clocks in the customer building.  I am looking for a cheap solution to connect the two buildings via wireless so I can put our time clock on our network.  They are approximately 70 yards apart.  We use Cisco gear but I do not necessarily need Cisco.  In the past we've done this with Netgear WG302 access points but I'm looking for something more modern and easy to setup.  Thank you.
0
Hello - can a single port be set to jumbo frames on a Catalyst 3850 switch? If not, will setting it globally affect other ports where the client is not capable of Jumbo frames and needs a 1500 MTU?
0
Hello,

My question is, what would be the best way to have Cisco AnyConnect users fail over to a DR site?

Currently working on a project to bring up a DR site, trying to see what the best way to have users roll over to the DR site.

is there a way to do this without buying a new domain or would the best case scenario be to buy a new domain for users to connect to?

Thank you and best regards.
0
Hi, we have DHCP snooping enabled, and ASA doing DHCP-Relay. Between 2960-L and ASA is another switch doing snooping.

Anyway we have this 2960-L as access switch trunked at 4500. When not using dhcp snooping on access, all is working fine.
DHCP-Discover, DHCP-Offer from DHCP Server and PXE-Server, DHCP-Request from Client to PXE-Server for more information regarding PXE and the DHCP-ACK from PXE-Server with all the needed information(boot file name).

However, when using ip dhcp snooping on the 2960-L, the important last DHCP-ACK packets from the PXE server are not showing up at the client interface anymore, so the client misses the PXE boot information for TFTP, times out and does a DHCP-Release to restart the operation...

As I said, all is working fine with only disabling DHCP snooping on the access switch.
IOS already changed from 15.2-5 to 15.2-6
0
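An added access-switch configuration to check against, not the poster's config; interface numbers and VLAN IDs are assumptions. Two things commonly break only when snooping is enabled: the uplink that carries the server-side replies (OFFER and ACK, including the PXE server's ACK) is not trusted, so they are dropped as coming from an untrusted port, or the access switch inserts option 82 with giaddr 0.0.0.0 and the upstream snooping switch or relay discards the packet. The debug output names the drop reason and is the first thing to run.

```cisco
! --- 2960-L access switch ---
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
! An access switch that is not the relay should not insert option 82: with
! giaddr 0.0.0.0 the upstream snooping switch drops option-82 packets arriving
! on an untrusted port, and some servers ignore the request entirely.
! (If option 82 is wanted, the upstream switch instead needs
!  "ip dhcp snooping information option allow-untrusted".)
no ip dhcp snooping information option
!
! Replies enter on the trunk to the 4500. DHCP server messages from any
! untrusted port are dropped, so the uplink must be trusted.
interface GigabitEthernet0/48
 description UPLINK-TO-4500
 switchport mode trunk
 ip dhcp snooping trust
!
! Client ports stay untrusted; rate-limit DISCOVERs so a rogue host cannot
! flood the snooping process and take the whole switch's DHCP down.
interface range GigabitEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
! --- Verification, run while one client PXE-boots ---
! show ip dhcp snooping                    (trusted ports, option 82 state)
! show ip dhcp snooping statistics detail  (per-reason drop counters)
! debug ip dhcp snooping packet
! debug ip dhcp snooping event
```

Run the same two show commands on the switch between the 2960-L and the ASA: its trust settings apply to the 2960-L's uplink as an untrusted port from its point of view, and if option 82 is still being inserted somewhere along the path that is where the packets disappear.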
I have a 14-office MPLS link that was working with a Mitel phone system.   We had an emergency need to move the offices, so I came up with a solution to use a Cisco ASA to create an IPsec VPN tunnel from the new location to the firewall.

Currently, I only get one-way audio when making calls.  
Additionally, my Mitel Controller is showing a SIP LINK Failure alarm.
I got the tunnel up and running and everything can be pinged.

I am so confused.

Maybe this is a problem with my Access-Control List?  

Here is the top part of my Cisco Config:

ASA Version 8.4(2)8
!
hostname dartmouth-asa
domain-name test.com
enable password OzKLyBY8hcexbQv8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 description INTERNET/OUTSIDE
 switchport access vlan 2
!
interface Ethernet0/1
 description VOICE
!
interface Ethernet0/2
 description DATA
 switchport access vlan 3
!
interface Ethernet0/3
 description DATA
 switchport access vlan 3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif voice
 security-level 100
 ip address 192.168.171.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 nameif data
 security-level 100
 ip address 192.168.172.1 255.255.255.0
!
boot system disk0:/asa842-8-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name test.com
same-security-traffic…
0
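One-way audio across an IPsec tunnel is more often a NAT problem than an ACL problem: the voice subnet gets translated on its way into the tunnel, so the far end sends RTP back to an address that does not exist, or SIP inspection rewrites the SDP addresses inside a tunnel where nothing needs rewriting. An added example for the voice and data side of the 8.4 config above, not taken from the post; the remote Mitel subnet 192.168.170.0/24, the controller at 192.168.170.10 and the peer address 198.51.100.1 are assumptions.

```cisco
! Local subnets (from the post) and the remote Mitel subnet (assumed)
object network VOICE-NET
 subnet 192.168.171.0 255.255.255.0
 nat (voice,outside) dynamic interface
object network DATA-NET
 subnet 192.168.172.0 255.255.255.0
 nat (data,outside) dynamic interface
object network REMOTE-MITEL-NET
 subnet 192.168.170.0 255.255.255.0
!
! NAT exemption: identity twice NAT for traffic to the remote subnet. Manual
! NAT is evaluated before the object (auto) NAT PAT rules above regardless of
! config order, so tunnel traffic keeps its real addresses both ways.
nat (voice,outside) source static VOICE-NET VOICE-NET destination static REMOTE-MITEL-NET REMOTE-MITEL-NET no-proxy-arp route-lookup
nat (data,outside) source static DATA-NET DATA-NET destination static REMOTE-MITEL-NET REMOTE-MITEL-NET no-proxy-arp route-lookup
!
! The crypto ACL must mirror the exemption exactly (local -> remote).
access-list VPN-TO-MITEL extended permit ip 192.168.171.0 255.255.255.0 192.168.170.0 255.255.255.0
access-list VPN-TO-MITEL extended permit ip 192.168.172.0 255.255.255.0 192.168.170.0 255.255.255.0
!
! SIP inspection rewrites SDP and opens pinholes for NATed calls. Inside a
! tunnel with no NAT it only interferes, so take it out for the test.
policy-map global_policy
 class inspection_default
  no inspect sip
!
! Prove the path: an RTP-sized packet from a phone to the controller should
! show the identity NAT rule in the NAT phase, the VPN encrypt phase, and no
! drop. Then confirm encaps and decaps counters both increase during a call.
! packet-tracer input voice udp 192.168.171.20 20000 192.168.170.10 20000 detailed
! show crypto ipsec sa peer 198.51.100.1
```

If the trace shows the (voice,outside) dynamic rule instead of the identity rule, the exemption is not matching and the far end is seeing the ASA's outside address as the phone, which produces exactly the one-way audio and the SIP link alarm described.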
I have just purchased a used cisco 1941 router. I have tried several key combinations while I am connected through putty console. I have tried ctrl + shift + x + 6 and ctrl + pause/insert and ctrl + shift. I rebooted the router while still being connected to the console/session and keep getting the  below screen.

System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2012 by cisco Systems, Inc.

Total memory size = 512 MB - On-board = 512 MB, DIMM0 = 0 MB
CISCO1941W-A/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64/-1(On-board/DIMM0) bit mode with ECC disabled


Readonly ROMMON initialized
program load complete, entry point: 0x80803000, size: 0x1b340
program load complete, entry point: 0x80803000, size: 0x1b340


IOS Image Load Test
___________________
Digitally Signed Release Software
program load complete, entry point: 0x81000000, size: 0x41b22a8
Self decompressing the image : #################################################################################################################################################################################################################################################################################################################################################################################################### [OK]

Smart Init is disabled. IOMEM set to: 25

Using iomem percentage: 25
Configured …
0
Cisco has advised BT of an issue relating to a component manufactured by one of their suppliers that affects some Cisco Optical Networking, Routing, Security & Switching products. In some hardware units, the clock signal component degrades over time. Cisco expects product failures to increase over time, beginning after the unit has been in operation for approximately 18 months.

Can anyone advise how to spot the issue and what symptom to look for if the unit has suffered such a defect?
0
Hello Experts,

I have a few DCs (Server 2008 and 2016) in my environment. Three of them are on the 192.168.0.0/24 network and one is located at a remote site (192.168.1.0/24) which is accessible over a site to site VPN. I can join any Windows client to the domain when the client is on 192.168.0.0/24 subnet. If I am at the remote site I can join any Win client to the domain that is part of the 192.168.1.0/24 subnet.

The problem I have is when I attempt to join a Win client that is not part of the DCs' subnets. I believe this is true for both locations. Please see the attached file to review the error message I get when I attempt to join a Win client to the domain. My client is on the 10.0.0.0/24 network. There are no ACLs on the def. GW  (Cisco ASR) between 192.168.0.0/24 and 10.0.0.0/24. Also, I am not filtering any traffic on VPN.

So far I was able to confirm the DCs are reachable from 10.0.0.0/24 (ping and RDP). As far as I can tell the SRV records look good, however I do not see the _msdcs folder in the Forward Lookup Zone. Also, I noticed that the domain name is GPS instead of GPS.local or GPS.net for example.

GPS-AD-2.GPS was decommissioned some time ago and AD-1 is to follow shortly. All DCs are multi-homed but I only have one NIC active at the moment for troubleshooting purposes.

Any help is greatly appreciated.

Thank You in advance.
Error.txt
0
Not my first rodeo, but trying to update the image on a 5508-x. I put it in Rommon mode, set everything and nothing happens. The interesting part is from the ASA I can ping my laptop, from my laptop I can only ping the ASA while it is pinging me. Never seen this type of issue before. Below is some screen output, I honestly don't think it has anything to do with file size, tried 2 TFTP servers.

Success rate is 100 percent (10/10)
rommon 11 > ping 192.168.5.132
Sending 10, 32-byte ICMP Echoes to 192.168.5.132 timeout is 4 seconds
!!!!!!!!!!
Success rate is 100 percent (10/10)
rommon 12 > tftpdnld
             ADDRESS: 192.168.5.99
             NETMASK: 255.255.255.0
             GATEWAY: 192.168.5.1
              SERVER: 192.168.5.132
               IMAGE: ftd-boot-9.7.1.4.lfbff
             MACADDR: 00:27:e3:c1:96:11
           VERBOSITY: Progress
               RETRY: 40
          PKTTIMEOUT: 7200
             BLKSIZE: 1460
            CHECKSUM: Yes
                PORT: GbE/1
             PHYMODE: Auto Detect

TFTP: Received error number 0, <file is too big (107035120 bytes) and will take 73312 blocks to be sent with block size of 1460 bytes>.
TFTP: Operation terminated.
rommon 13 >
0
Dear Experts, I setup a static NAT entry on Cisco Router 3925, write memory after that, but when I hit: "show run | in ip nat", I could not find that entry but we can use that public IP address. Can you please suggest?
0
hello experts
Please check the screenshots below; I am a little confused because I have not actually purchased any license.
vWLC_License1.png
vWLC_License2.png
vWLC_License3.png
0
Please excuse me, as I know this might be a really basic question, but I could sure use some assistance. I have 4 subnets set up on my router and am trying to connect them to my 3 switches. I have the following Cisco switches. They are connected to a SOHO gigabit switch and that goes to a Cisco 1841 router. I am doing router-on-a-stick / inter-VLAN routing.

1) 3560 uplink port 15
2) 2960 uplink port 15
3) 3750 uplink port 23

I was able to set up vlan1 and map an IP to this port on the 2960 switch. When I tried to set up the other VLANs and map them to IP addresses they are down, and even with no shutdown I cannot get the protocol to come up. Do I need to have this mapped to an uplink for every VLAN I have?


Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  172.16.23.9     YES manual up                    up
Vlan20                 172.16.23.52    YES manual up                    down
Vlan96                 172.16.23.98    YES manual up                    down

My end goal is to get these vlans setup and working on the others

FastEthernet0              unassigned      YES manual up                    up  
FastEthernet0.32           172.16.23.33    YES manual up                    up  
FastEthernet0.96           172.16.23.97    YES manual up                    up  
FastEthernet0.128          172.16.23.129   YES manual up                    up  
FastEthernet0.160          172.16.23.161   YES manual up                    up  …
0
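An added example, not the poster's config, of the pieces that bring a Catalyst SVI to up/up and line it up with the router's subinterfaces. An SVI's line protocol stays down until the VLAN exists in the VLAN database and at least one up port carries that VLAN, and a trunk that allows the VLAN counts. Port numbers and the router's FastEthernet0 naming are taken from the post; the /27 masks, the choice of VLAN 96 for the access ports and the VLAN IDs following the router subinterfaces (32, 96, 128, 160) are assumptions. The SOHO switch in the middle has to pass 802.1Q-tagged frames unchanged, which unmanaged gigabit switches normally do.

```cisco
! --- Catalyst 2960 (3560 and 3750 are the same, except they need
!     "switchport trunk encapsulation dot1q" before "switchport mode trunk") ---
! 1. The VLANs must exist before their SVIs can come up.
vlan 32
 name NET-32
vlan 96
 name NET-96
vlan 128
 name NET-128
vlan 160
 name NET-160
!
! 2. The uplink toward the router carries every VLAN tagged, VLAN 1 untagged
!    as native. Once this trunk is up, each allowed VLAN has an active port
!    and its SVI goes up/up.
interface FastEthernet0/15
 description UPLINK-TO-1841
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,32,96,128,160
!
! 3. Access ports in the VLAN the attached hosts belong to.
interface range FastEthernet0/1 - 8
 switchport mode access
 switchport access vlan 96
!
! 4. A layer 2 switch needs one management SVI and a default gateway, not an
!    SVI in every VLAN; the 1841 does the inter-VLAN routing.
interface Vlan96
 ip address 172.16.23.98 255.255.255.224
 no shutdown
ip default-gateway 172.16.23.97
!
! --- Cisco 1841: router-on-a-stick; the dot1Q ID must equal the VLAN ID ---
interface FastEthernet0
 no ip address
 no shutdown
interface FastEthernet0.96
 encapsulation dot1Q 96
 ip address 172.16.23.97 255.255.255.224
!
! Checks
! show vlan brief           (each VLAN exists; Fa0/15 is not listed because
!                            trunk ports appear under "show interfaces trunk")
! show interfaces trunk     (VLANs "allowed and active in management domain")
! show ip interface brief   (Vlan96 up/up once the trunk is up)
```

A VLAN that exists on the switch but has no matching subinterface on the router (the post's Vlan20 against the router's .32, .96, .128 and .160) will still come up once a port carries it, but nothing will route it.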
Trying to configure a Cisco 1941 router in order to distribute Internet service to hotel guests. The scenario is as follows:
40 d-link wi-fi access point
access switch d-link
Cisco 1941 with interfaces (gig0/0 gig0/1)
technicolor TG670s with two DSL line connected

and the ISP provide me one ip to access the internet

What is the configuration required for the Cisco 1941?
0
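A minimal working configuration for the 1941 in that scenario, added here as an example and not from the post. It assumes Gig0/0 faces the Technicolor (taking either the lease the gateway hands out or the single ISP address, shown with placeholder values 203.0.113.10/24 and gateway 203.0.113.1) and Gig0/1 faces the D-Link switch and access points on 10.10.0.0/22. The router hands out guest addresses and translates all of them to its one outside address (PAT); the resolver addresses and lease time are example choices.

```cisco
hostname HOTEL-GW
!
! Outside: toward the Technicolor / ISP. Use the lease from the gateway, or
! uncomment the static line if the ISP address is configured on the router.
interface GigabitEthernet0/0
 description TO-TECHNICOLOR-TG670
 ip address dhcp
 ! ip address 203.0.113.10 255.255.255.0
 ip nat outside
 no shutdown
!
! Inside: toward the D-Link switch and the 40 access points.
interface GigabitEthernet0/1
 description TO-GUEST-SWITCH
 ip address 10.10.0.1 255.255.252.0
 ip nat inside
 no shutdown
!
! Default route, only needed with the static address (DHCP installs its own).
! ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Guest DHCP: about 1,000 addresses, router as gateway, 8-hour leases so
! addresses come back quickly as guests leave.
ip dhcp excluded-address 10.10.0.1 10.10.0.20
ip dhcp pool GUESTS
 network 10.10.0.0 255.255.252.0
 default-router 10.10.0.1
 dns-server 9.9.9.9 1.1.1.1
 lease 0 8
!
! PAT: every guest address shares the one outside address.
ip access-list standard GUEST-NAT
 permit 10.10.0.0 0.0.3.255
ip nat inside source list GUEST-NAT interface GigabitEthernet0/0 overload
!
! Guests get DHCP and the Internet, and nothing on the router itself:
! the deny covers the router's own 10.10.0.1 (SSH, HTTP, SNMP) before the
! general permit.
ip access-list extended GUEST-IN
 permit udp any any eq bootps
 deny   ip any 10.10.0.0 0.0.3.255
 permit ip 10.10.0.0 0.0.3.255 any
interface GigabitEthernet0/1
 ip access-group GUEST-IN in
!
! show ip nat translations
! show ip dhcp binding
```

Guest-to-guest traffic inside the /22 never crosses the router, so isolation between guests has to come from the D-Link switch and access points (client isolation), not from this ACL. If the Technicolor keeps its own NAT, the router's outside address is a private one and the result is double NAT, which works for browsing but breaks anything that needs inbound connections.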
Hi,

My ASA has 1 public IP, 203.162.5.8, which is used for VPN.
Now I want to add 1 more public IP, 203.162.5.9, and forward all port requests to a local server, 192.168.1.5.
My local LAN: 192.168.1.0/24
My network: Internet -> ASA5525 -> LAN

Please help guide me on how to configure my ASA.

Thanks a lot.
0
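An added example for an ASA 5525 on the 8.3+ NAT syntax, not the poster's config. The second public address is not configured on any interface, so the ASA has to answer ARP for it; object NAT with a static translation does that automatically as long as 203.162.5.9 sits in the outside interface's subnet. "Forward all ports" is a one-to-one static, and the interface ACL then decides which of those ports are actually reachable from the Internet, so open only what the server serves. Interface names "inside" and "outside", the server's services (TCP 443 and 22) and the 198.51.100.7 test source are assumptions.

```cisco
! The internal server and its one-to-one public address. The translation is
! bidirectional: inbound to .9 reaches 192.168.1.5, and the server's own
! outbound traffic leaves as .9 rather than the interface address.
object network SRV-192-168-1-5
 host 192.168.1.5
 nat (inside,outside) static 203.162.5.9
!
! A static for "all ports" only becomes exposure where the outside ACL
! permits it. List the services, leave the rest closed.
object-group service SRV-PORTS tcp
 port-object eq https
 port-object eq ssh
!
! In 8.3+ the ACL is evaluated after untranslation, so it names the object
! (the real inside address), never the public 203.162.5.9.
access-list OUTSIDE-IN extended permit tcp any object SRV-192-168-1-5 object-group SRV-PORTS
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! Checks: the translation exists, and a simulated inbound connection passes
! NAT and the ACL while a port not in SRV-PORTS is dropped by the ACL.
! show nat detail
! packet-tracer input outside tcp 198.51.100.7 40000 203.162.5.9 443
! packet-tracer input outside tcp 198.51.100.7 40000 203.162.5.9 3389
```

If the existing VPN terminates on the outside interface address (203.162.5.8) it is unaffected; the static only claims .9. Restricting SSH further to a named source range in the ACL, rather than "any", is the usual next step.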
