Cisco (23K Solutions, 14K Contributors)

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I have a Cisco 890 Router that is connected to a broadband connection. Internet is up, all services appear to be operational. There is a VPN tunnel to a smaller office in town that shares the internet with the device. We have a scale that just got installed. This scale is on the IP address 192.168.35.115.
I can ping it from the router, and I can telnet to it on port 4660 on the internal LAN. When I go to set up a rule that would allow any IP to telnet to the port from the internet, it doesn't appear to be routing.

ip nat inside source static tcp 192.168.35.115 4660 interface Dialer1 4660
access-list 106 permit tcp any any eq 4660

Those are the commands I typed in to allow the traffic on port 4660 through the WAN interface.
Are there any other commands I need to type to allow the traffic to route?
0

I had this question after viewing LDAP assigned VPN policies in ASA firewalls with multiple user groups.

I had this set up via LDAP and wanted to move to RADIUS

Without trying to return a class as per the solution in the last question it works fine. But as soon as I return a class it fails?

The class is returned as part of the response

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 175 (0xAF)
Radius: Length = 139 (0x008B)
Radius: Vector: 01A2231F0C2570CD254908D9560CFE4B
Radius: Type = 25 (0x19) Class
Radius: Length = 18 (0x12)
Radius: Value (String) =
6f 75 3d 49 54 2d 56 50 4e 2d 50 6f 6c 69 63 79    |  ou=<policy name>
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x2
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
e0 4b 0b 66 00 00 01 37 00 01 02 00 c0 a8 b9 64    |  .K.f...7.......d
00 00 00 00 80 a3 32 b4 9c 4f c2 44 01 d4 91 f9    |  ......2..O.D....
24 e5 bd 7b 00 00 00 00 00 00 09 02                |  $..{........
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 25 (0x19)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 19 (0x13)
Radius: Value (String) =
73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 31    |  shell:priv-lvl=1
35


0
I need to check the status of my Cisco SmartNet. A third party firm procured the SmartNet with 4 switches. How do I confirm from Cisco the status of the SmartNet paid for?
0
I have two 3750 switches that are connected and working, but here is my only issue. By the way, I am very new to networking, so please excuse me being naïve.

My issue is when I have a machine on a different subnet other than the main one, 10.46.72.x, DNS does not resolve even though I manually add it, and with a DHCP scope that I removed it will not work. Can someone please tell me what I am doing wrong? Here is a copy of the config.


User Access Verification

Password:
Base-sw1>show running
Base-sw1>en
Base-sw1>enable
Password:
Base-sw1#sh ru
Base-sw1#sh running-config
Building configuration...

Current configuration : 3753 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Base-sw1
!
enable secret 5 $1$lwLf$CJoNDGBl4Ck6AAm/woBVM0
enable password secret cisco
!
no aaa new-model
switch 6 provision ws-c3750g-24ts
system mtu routing 1500
ip subnet-zero
ip routing
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet6/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet6/0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet6/0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet6/0/4
 switchport trunk encapsulation dot1q…
0
I am comparing the Cisco ISR 4331 and RV 345 models and came up with a question:

ISR 4331 costs more than $1000:

https://www.cdw.com/product/cisco-isr-4331-rack-mountable-router/3518189

but only comes with very limited performance:

    Aggregate throughput:  100 Mbps

With an extra, unknown cost for upgrading from the base package to the performance package, it can reach 300 Mbps.

RV 345 costs about $300,

https://www.cdw.com/product/cisco-small-business-rv345-router-rack-mountable/4557214

but comes with excellent performance:

    Firewall throughput (TCP)    900 Mbps
    VPN throughput (IPSec)       650 Mbps
    VPN throughput (PPTP)        100 Mbps

It would be a no-brainer that everyone should buy the RV 345 instead of the ISR 4331? Then who is going to buy the ISR 4331 instead of the RV 345?
0
Hi,

I am using ASA 5520 version 7.2 and using the CLI to configure the ASA. I have two ASAs in two buildings, and they are connected through interface GigabitEthernet0/2 and routing as shown in the configuration below.

IP range for building 1 is 10.20.20.0  mask 255.255.255.0
IP range for building 2 is 192.168.0.0 mask 255.255.255.0

I have two devices in building 2 with IP addresses 192.168.0.160 and 192.168.0.161 that use port 4370. I need to connect to these devices using interface GigabitEthernet0/2. How can I open port 4370 in the ASA so I can connect to those devices?


interface GigabitEthernet0/2
 nameif LOOP
 security-level 100
 ip address 200.200.200.2 255.255.255.0
route LOOP 10.20.20.0 255.255.255.0 200.200.200.1 1

interface GigabitEthernet0/2
 nameif LOOP
 security-level 100
 ip address 200.200.200.1 255.255.255.0
route LOOP 192.168.0.0 255.255.255.0 200.200.200.2 1



Thanks
0
I have over 200 wireless machines that are currently WPA2 and TKIP. My old Cisco controller didn't allow WPA2 and AES, so we used TKIP. My new controller, a Cisco 5520, doesn't allow WPA2 and TKIP. I'm stuck in a Catch-22. Is there any way to change TKIP on the machines remotely? My users have no rights on the machines, and I'd have to take off all the autologin settings and one by one change the encryption. I don't want to have to create a group policy. I'd rather use a script if possible.
0
Can an x86 appliance running ESXi from Dell work on the Cisco Viptela or Nuage SD-WAN platform? Aaron Tomosky is most qualified to answer and he is my local EE Guru.

Thanks;
1
Hi Experts,

I attempted to change a password for a Cisco ASA 5515. I am pretty sure I reset the whole thing; it's OK if I did, I needed to start over anyway.

The problem is I cannot get out of Rommon mode.

I did this tutorial
https://www.youtube.com/watch?v=JnatwN9YNUs

and the suggestion towards the end of this page:
https://community.cisco.com/t5/other-security-subjects/asa-keeps-booting-to-rommon/td-p/604628

I am currently at a rommon #0> prompt.

Getting it back to default to set up again would be ideal, but I'm pretty sure I messed it up.

Please help.  Thank you
0
I need to make sure this is proper connection for what I need:

I'm currently running a GLC-LH-SM in a 3560.

I'm wanting to switch it to a 10G connector, and I believe SFP-10G-LR is the correct SFP module.

It's a Single Mode Fiber with an LC connector. Is that correct?
0

Dear Expert,

I have client computers connecting at 1 Gb speed to access switches (3750/3850).

These access switches connect to a pair of 6500 core switches. These go out to the SD WAN ISP, and they mark the Skype traffic, both voice and video.

I would like to prioritise Skype traffic on the LAN segment from desktop SfB client to the edge. We use SfB online only.

Would a class map suffice? Any recommendations would be highly appreciated.

Many Thanks in advance
0
I have an unlabeled Cisco Access Point blinking green and red. Alas, it's also at a remote site. I don't see any ports flapping on the switches, and if I show cdp neighbors on the switches the resulting APs match what I'm seeing in the Wireless LAN controller.

My understanding of red/green flashing is that it means the AP is trying to register to a WLC unsuccessfully. Where would I see logging evidence of an AP unsuccessfully trying to register? Any other thoughts on how I might be able to get more info on this flashing AP? It is an AIR-CAP35 (Aironet 3500 series AP).

Users in the vicinity of the flashing AP have been reporting bad performance. This could be a red herring or perhaps related. Thank you.
0
Any fiber experts out there? I need to know that I am about to purchase the correct SFP modules for the following scenario: 2 Cisco 2960S-48LPS-L switches need to communicate over a 1000' link of OM1 single-mode fiber. The switches are running IOS ver 12.2(55)SE8. What SFP part number do you come up with?
0
Hi All,

I recently upgraded our Cisco ASA 5545 to version 9.9(2)36. Since the upgrade we are not able to transfer files to/from our Azure tenants via the site-to-site VPN we have set up. Here is an example:

Local Server: 10.1.1.151
Azure server: 10.211.20.100

We can ping both ways fine, but file transfers are failing. It just hangs when I try a transfer. In the monitoring I am seeing "TCP Reset-I from inside". Could this be the reason the file transfers are failing? If so, does anybody have any idea how to remedy that reset?

Jan 08 2019      08:25:33      302014      10.211.20.100      445      10.1.1.151      51178      Teardown TCP connection 38499637 for outside:10.211.20.100/445 to inside:10.1.1.151/51178 duration 0:05:53 bytes 5384 TCP Reset-I from inside

Thanks in advance.
0
I had this question after viewing Cisco ASA 5505 host license limit workaround and dhcp lease time.

In my office network some end users can't access the internet even though they are connected to the LAN.

Is there a workaround? I am using a Cisco ASA 5505 with a 50-host license limit.
0
Getting errors from my Cisco 2504 Wireless LAN controller syslog:

MYWLC: *Dot1x_NW_MsgTask_2: 1x_ptsm.c:730 Client MAC Address may be using an incorrect PSK

I have been noticing some dropped connections lately, so I decided to set up syslog and am seeing hundreds of these errors.
0
Cisco site-to-site bridge.

I have a remote site that has a Cisco 867VAE on ADSL, and I can telnet to it. They use it for internet access.

I have a Cisco 2851 at my site (and a shelf full of other Ethernet and DSL routers in case this one is not adequate) providing Ethernet access for my site.

I need to access a device at the remote site (preferably without taking down internet access for more than a few minutes). This device does not have a gateway configured, so I can't simply port-forward to it or configure a site-to-site GRE tunnel (as either would require a gateway or route on the device in question).

So I decided to do a transparent bridge.

All the examples I can find say that a router can either route or bridge, but not both. I don't believe that this is a real limitation. After thinking about it, I want to set up a sub-interface on the destination router that will bridge to a router at my site. Presumably, this will involve creating a site-to-site VPN and attaching it to a bridge group.

Can someone please help me achieve my goal, either using the method I have described or a totally different method?

I have remote access to configure the remote router. I have no access to the device in question. Physical access to the device or remote site is not possible. There are no computers at the remote site that I can, say, TeamViewer to and then connect locally to the device.

thanks

John
0
Hello Experts,

We have an external client that we need to be able to reach from our internal network. We are not able to reach this IP address from our internal network. We can traceroute and ping the IP needed from outside our network successfully. We are not able to do a traceroute or ping from inside our network. We looked at our Cisco ASA and discovered that there is a rule in the ACL that is denying us the ability to do this.

We need to be able to reach this IP but are not sure how to go about changing or adjusting this rule, or if or why we even need to block this. We didn't set this up.

Thank you for your help.

Karen
0
Need some ESXi commands to get the adapter info and IP for the Cisco CIMC (Out Of Band Management) port!

We have a Cisco UCSC-C220-M3BE running ESXi 5.1.0, 1065491.

We do not know the IP for the CIMC (Out Of Band Management) port, and we need to remotely manage the physical server to troubleshoot a local disk issue! We are trying to avoid having to go down to the datacenter and physically connect to the server.

I was wondering if there are any ESXi commands we can run from an SSH session into the ESXi host that will give us any info on the NIC adapter for that specific port and possibly discover what the IP is?

This port is not used by ESXi for management. It is the Out Of Band Management NIC specifically for remote management of the physical server itself.

Any help would be appreciated
0

Hi,
I have a Cisco BE6000 CUCM in my office, and I am looking to enable the personal and corporate directory. I have made some attempts but it does not work.
I need your help please experts.

Best Regards,

Aristide
0
Hi,
I have a big problem with Cisco VoIP configuration. I have two CME routers which are connected by an IPsec over GRE tunnel VPN. The flow between router Irak and router CI is correct, but we cannot make any calls; we hear a busy tone. However, the calls between Router CI and Router Irak work well.
I don't know how to fix this issue. I need your help please.

Best Regards,
puttyrouterci.log
puttyirak.log
0
I have a Cisco ASA for regular use: internet, VPN, etc. We are moving an application to the cloud, and the company sent us another firewall (ASA) just for VPN purposes. I gave them a public and private address for the VPN device. I set this up with the LAN portion of the VPN device connected to the switch, where the switch port is trunked. The WAN portion is connected to a port on the company ASA. I set up a NAT from the public IP I gave them to the private IP. I then set up an access list a number of different ways. Most notably I opened everything up to see if I could access the VPN ASA but couldn't. Couldn't ping it either. Is there something I'm missing? Do I need to add a global command allowing same-security traffic, because the internal interface of the VPN device and the company ASA have the same security level, as does the WAN portion?
0
Can Cisco WiFi prioritize Skype for Business online real time ports? These would be UDP 50,000-59,999 and UDP 3478, 3479, 3480, 3481.
How would the access point be able to classify and prioritize that traffic relative to the other traffic received on the radio?
0
I'm wanting to set up QoS for Skype for Business Online. When I do a packet capture I see that the real-time ports that come into play are UDP 50,000-59,999. The article below calls 50,000-59,999 optional. Is there any way through group policy to tell Skype to use UDP 3478, 3479, 3480, 3481 only, or at least to prefer them? Marking all TCP/UDP 50,000-59,999 for EF classification seems pretty broad.


https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Simplified-port-requirements-for-Skype-for-Business-Online/ba-p/77094
0
I cannot telnet to the IDrive server 148.66.224.40 on port 443. As a result the remote backup quit working. I can telnet to it on other client networks. We have a Cisco ASA 5506. I'm using ASDM to try and figure this out. I have uninstalled antivirus, disabled the PC firewall, etc. Below is a screenshot of the rule I created to try and fix this.

I have another network that has no firewall and is wide open for testing, and I cannot telnet to it on that one either. ISP says they are not blocking that address.

Windows Server 2012
0