
Cisco topic: 23K Solutions, 14K Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


How do I set up MAC filtering? I want to give access only to certain MAC addresses.

Current configuration : 2000 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DHCP-Server
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$K0OI$7rFPJ32VUIm4QXxC6xflE0
enable password sakhizada
!
aaa new-model
!
!
aaa group server tacacs+ sakhizada
 server 192.168.1.4
!
aaa authentication login default local
aaa authorization exec default group tacacs+ local
!
!
aaa session-id common
clock timezone Kabul 4 30
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.40
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool ITCKPUPool
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.2 192.168.0.3
   domain-name ITCKPU.EDU.AF
   lease 0 1
!
ip dhcp pool ITPool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.0.2 192.168.0.3
   domain-name ITCKPU.EDU.AF
!
!
ip domain name ITCKPU.EDU.AF
multilink bundle-name authenticated
!
!
!
username admin privilege 15 password 0
archive
 log config
  hidekeys
!
!
!
class-map match-any UNWANTED-PCs
 match source-address mac 0024.D687.343C
 match source-address mac B452.7E75.B48D
 match source-address mac CC20.E883.25A4
!
!
policy-map block
 class UNWANTED-PCs
   drop
!…
0
Hi,

Scenario -- Cisco 3550

1) Guest Network  --- 10.2.3.0 /24
2) LAN Users --- 10.41.0.0/16

I want users with IP addresses in 10.2.3.0/24 to be unable to access the 10.41.0.0/16 network, but at the same time I want 10.41.0.0/16 to have access to the 10.2.3.0 network.

Is it possible to achieve this on a Cisco 3550?

Thanks
Mahesh
0
I have a Cisco SG220-50 smart switch that I'm trying to configure. I'm able to log in using PuTTY via its console port. My question is, the CLI commands are different. For example, I can't do show ip interface brief. When I type show ip ? it only shows dhcp, http, https and igmp as options. Whatever happened to show ip interface brief? Another example: when I try to configure line vty it tells me unknown command, and when I do line ? the only options are console, ssh and telnet. Is this the new CLI, or do I need to update the firmware?
0
Hi folks,

I am wondering if anyone has ever used the Cisco WRVS4400N's port mirroring feature to monitor the traffic of a given port?

I have tried any individual port, or even all ports together, as the source, but I still cannot see any mirrored traffic when listening on the specific port (Port 4), as shown below.

[Screenshot: Screen-Shot-2017-09-13-at-13.29.04.png]
I have no idea why the device doesn't work as expected. Do you have any suggestions, please?

regards,
bbao
0
I have a Cisco ASA 5506 going into a new location with a main internet connection and a secondary, failover internet connection. I'd like to do two or three ICMP checks to make sure the main internet connection is down (say one of your ICMP targets goes down for unrelated reasons) before failing over to the secondary.

I think I've found it with this forum post: https://supportforums.cisco.com/t5/firewalling/asa-sla-tracking-w-multiple-icmp-checks/m-p/1368376/highlight/true#M46524

The answer part being the following:
I've tried all of these options and haven't gotten any of them to work. But here is what I came up with that does seem to work really well. You can ping two, four, or even more Internet hosts and only when all of them fail does the ASA fail over to the backup ISP:

route outside 0.0.0.0 128.0.0.0 <primary gateway> 1 track 100
route outside 128.0.0.0 128.0.0.0 <primary gateway> 1 track 100
route outside 0.0.0.0 0.0.0.0 <primary gateway> 2 track 101
route outside-failover 0.0.0.0 0.0.0.0 <backup gateway> 254

track 100 rtr 100 reachability
track 101 rtr 101 reachability

sla monitor 100
  type echo protocol ipIcmpEcho 208.67.222.222 interface outside
  num-packets 3
  frequency 10
sla monitor 101
  type echo protocol ipIcmpEcho 8.8.8.8 interface outside
  num-packets 3
  frequency 9

sla monitor schedule 100 life forever start-time now
sla monitor schedule 101 life forever start-time now

   This way both 208.67.222.222 (OpenDNS) and 


0
I am trying to connect two Cisco switches, a 3550 switch to a port on the 4503. I have my 3550 port 0/2 connected to my 4503 on the blade 3/25 port.

I have both ports on both switches configured as follows:

switchport trunk encapsulation dot1q
switchport mode trunk

Both ports are enabled but I am not getting any link lights between the two ports. I have tried standard and crossover cables. I am sure I am missing something simple. We are not running multiple VLANs, just the default. Any help would be appreciated.


John
0
Hi Experts,

I just found out that one of our Cisco 3750G switches has seven VLAN interfaces, each of which is assigned an IP address (see below). I want to know if assigning every VLAN interface an IP is necessary. And what is the purpose of assigning an IP to a VLAN? Thank you.

-----------------------------------------
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.2.1.1 255.255.255.0
!
interface Vlan20
 ip address 10.2.2.1 255.255.255.0
!
interface Vlan30
 ip address 10.2.3.1 255.255.255.0
!
interface Vlan40
 ip address 10.2.4.1 255.255.255.0
!
interface Vlan50
 ip address 10.2.5.1 255.255.255.0
!
interface Vlan60
 ip address 10.2.6.1 255.255.255.0
!
interface Vlan100
 ip address 10.2.0.1 255.255.255.0
------------------------------------------
0
Hi,

I'm having some issues getting communication flowing between the ASA and the L3 switch.  The goal is to have multiple VLANs behind the L3 switch, assigned by groups of ports where hosts or L2 switches will connect from there.  I can't figure out what I am doing incorrectly.

ASA port GE1/0 is directly connected to L3 switch port GI0/25.

VLANS on Switch:
VLAN81:  10.10.81.1 /24
VLAN103:  10.10.103.1/24


ASA Info:
Interface:  Outside (public IP Address, we'll say 2.2.2.2)
Interface:  GE1/0 TRUNK
Interface:  GE1/0.200 172.16.103.254 255.255.255.0

route trunk 10.10.81.0 > 172.16.103.1
route trunk 10.10.103.0 > 172.16.103.1


L3 Switch Info
int gi0/25:  ip address 172.16.103.1 255.255.255.0 (no switchport)

vlan81 10.10.81.1 255.255.255.0
vlan103 10.10.103.1 255.255.255.0

route 0.0.0.0 0.0.0.0 172.16.103.254



I can ping the switch IP (172.16.103.1) from the ASA, but I cannot ping the ASA (.254) from the switch.  I can post full configs if that helps but I can't seem to get this right.  Any help is greatly appreciated.
0
I am testing a wireless controller. I have installed the virtual wireless LAN controller from Cisco, running version 8.5.103.0. The management interface is up and I am logged into the web admin console. The wireless network is set up using layer 2, WPA2 with a passcode. The controller sees the access point. I am getting no errors. The issue is that I don't see the SSID to connect to it from a client. It has to be a small configuration issue I am missing. I have never set up this vWLC before. The wireless network is in the AP group called 'default-group' and the AIR-CAP2602I-A-K9 AP is also associated with this group. What am I missing?

1. Why can't I see the SSID to connect?
2. Do I need to create a virtual interface for the wireless access point? (Only the 'management' interface is active and up.)
3. If possible, I'd like to keep the wireless on the same subnet as the rest of the LAN. It's small and I don't want to overcomplicate things by introducing routing.
0
Why am I not able to receive incoming calls?
0
When accessing or logging in via SSH to a Nexus 5672UP, it is too slow, taking 5 minutes to execute basic show commands. I verified CPU is under 20% utilization, and no process has more than 1.05% utilization. In the logs I found "% VPC-2-KEEP_ALIVE_RECV_FAIL:In domain 1"; nothing other than this was found in the logs. Running image: n6000-uk9.7.3.2.N1.1.bin.
We have another Nexus switch with the same specs that has no issues with response time, and I also find no "VPC-2-KEEP_ALIVE_RECV_FAIL:In domain 1" logs on that switch. How do I resolve the slowness issue?
0
I am trying to add a non-Cisco SFP between two Catalysts, and am getting the error %PHY-4-SFP_NOT_SUPPORTED: The SFP in (PortNo#) is not Supported.

I have tried running the commands:

Switch(config)#service internal
Switch(config)#no errdisable detect cause gbic-invalid
Switch(config)#service unsupported-transceiver
Switch(config)#int gi0/49
Switch(config-if)#no shutdown
Switch(config-if)#do copy run start

However, the issue is still occurring. I have rebooted the switch after the above with no joy. Cable being used is a StarTech 3m SFP+ 10-Gigabit Ethernet (10Gbe) Twinax Cable. I will be upgrading the firmware to 15.2.6 while waiting for a reply.

Any help will be appreciated.

Switch Ports Model                     SW Version            SW Image            
------ ----- -----                     ----------            ----------          
*    1 50    WS-C2960X-48TS-LL         15.2(2)E6             C2960X-UNIVERSALK9-M
0
I'm having issues with streaming media abuse on company iPhones while on our corporate LAN and need to find a solution to block them from that. However, they all use O365 on their iPhones so I can't just block them from Internet access completely.

My thought is to create a separate SSID on our Cisco WLC for their iPhones and configure our Cisco ASA 5512X to point only that particular subnet to our hosted Cisco Web Security service and let them get our General Users Block policy, which blocks streaming media.

Does anyone know if this is possible and, if so, how to set this up on the ASA?

Or any other ideas?
0
Hi guys,

I'm on a network and realised that our Outlook was a little slow. So when I did a ping to the default gateway, I had some 1ms pings but then I had quite a lot of 27ms and 14ms times.

The network is all gigabit and on SG500X Cisco switches.

How would one find out if something was occurring that caused spikes like that?

If not on the switch itself, what tools would you use? SolarWinds? WhatsUp Gold? Wireshark?

I'm tired of applications having problems, high-millisecond pings etc. and never being able to absolutely pinpoint the exact issue when asked by senior management.

Thanks for helping
Yashy
0
Hello,

I am facing an issue where my Cisco ASR 1002-X keeps rebooting itself at random times. When I run show version, I can see the reason for reload is: critical process fault, fman_fp_image, fp_0_0, rc=139

On my syslog server, I keep getting this error: %IOSXE-3-PLATFORM: SIP0: cpp_cp: QFP:0.0 Thread:171 TS:00000041045846946120 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error,

I don't know if that could be the reason for my router reload or if it's an IOS bug. I am running asr1002x-universalk9.03.16.04b.S.155-3.S4b-ext.SPA.bin.

Your help will be highly appreciated.
0
I hope you're the right person. Here is an outline of my problem: I have configured a Cisco 5510 ASA and would like to tighten the rulebase to make the firewall more secure.

Please can you help?
0
I have a Cisco 5510 ASA and would like to tighten up the firewall rules.
0
Hi,
I am preparing for my CCNP Switch certification. While I was reviewing the Spanning Tree chapter questions, I came across Question 6, whose answer was not in the list, so please check with me whether I am right or not.
Book: CCNP Routing and Switching SWITCH 300-115 by David Hucaby

6. Which of the following commands is most likely to make a switch become the root
bridge for VLAN 5, assuming that all switches have the default STP parameters?
a. spanning-tree root
b. spanning-tree root vlan 5
c. spanning-tree vlan 5 priority 100
d. spanning-tree vlan 5 root
0
Newly created VLAN on Cisco Catalyst switches and a Meraki MX100 firewall. Download speed is about half of what it should be; upload speed is fine. Put the PC on the primary VLAN and the speed issue is gone. There is no bandwidth throttling set on the MX100. I created the VLAN new and didn't set any throttling or shaping on the switches. I have looked at the switch configs but I'm not entirely sure where/what to look for.
0
Hi,

Has anyone come across a PBR and access list conflict on an 1841/1941 router configuration?

We have an access list to allow specific IP addresses on one subnet to browse the Internet.

For some hosts (one specific host at the moment) we've created Policy Based Routing to route all its traffic via a different gateway on another router.

It's only working if I do not have the allow-Internet access list applied to that LAN interface.

Hoping for some ideas.

Thanks
0
Hello there experts,

While I'm no stranger to VPN, I'm a little stumped on this one: I can't get our site-to-site VPN working from our US office to the corporate office in Switzerland. Maybe I'm missing something on my side? I'm running an ASA 5510 and on their side they are running a Check Point firewall. Just a little background here:

[Corporate: Networks 10.100.1.0/24, 10.1.1.0/24] Gateway IP 195.141.x.x ----> [US Office: Networks 192.168.16.0/24, 192.168.17.0/24, 10.103.0.0/16] Gateway 65.244.x.x

Here is the VPN config:

Crypto Map:

crypto map outside_map 1 match address outside_1_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 195.141.x.x
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside

ACL: access-list outside_1_cryptomap_1 line 1 extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_11 0xf153cc6d
  access-list outside_1_cryptomap_1 line 1 extended permit ip 10.103.0.0 255.255.0.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x29b89420
  access-list outside_1_cryptomap_1 line 1 extended permit ip 10.103.0.0 255.255.0.0 10.100.1.0 255.255.255.0 (hitcnt=0) 0x42025e5a
  access-list outside_1_cryptomap_1 line 1 extended permit ip 192.168.16.0 255.255.255.0 10.1.1.0 255.255.255.0 (hitcnt=0) 0x060f09d1
  access-list outside_1_cryptomap_1 line 1 extended permit ip 192.168.16.0 255.255.255.0 10.100.1.0 255.255.255.0 (hitcnt=0) 0x422b3aec
  access-list …
0
New Leadership at Webroot

Dick Williams has decided to retire after 8 years at Webroot, and more than five decades in the business world. Webroot has named a new CEO, Mike Potts, who will start September 25. Dick will remain on Webroot’s Board of Directors.
 
Mike brings more than 25 years of experience as a seasoned technology industry veteran spanning the application and security sectors. He most recently served as an integration executive in the security business group at Cisco after the acquisition of Lancope, where he served as president and CEO. Prior to Lancope, Mike was president and CEO of Air Defense, which was acquired by Motorola in 2008. He has a long history of driving innovation and growth and is the right person to continue our path to success at Webroot.

Dick expresses his sincere thanks and appreciation to all of our customers and advocates for helping Webroot achieve its current success, and for being incredible partners over the years.

Check out Dick's blog and our press release for more information on this announcement.
5
How can I pass my CCNA Routing and Switching 200-125?
0
I need to create a user login for a company VPN. The VPN is set up on a Cisco router (I don't know the model number) and I need to access it via SSH (done) and then add a new user to it that can then connect to the VPN. What is the SSH command to see what users are already created, and then to add the new user via SSH commands? Or alternatively, can I install some sort of web GUI control panel that I can administer the router from?
0
If a user has a VPN connection on my ASA device, then potentially he can use those credentials to connect from any computer. Whilst I can restrict the connection to certain IP addresses and ranges, can I restrict the connection to an individual computer NAT'd behind that public IP address or range?

The risk comes in that I may not know the patch or AV state of a computer that connects to my internal network.
0