Cisco

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I have a network with many VLANs configured, and one of them is my WLAN for the guest network, which has no access to any of the other VLANs. I need to allow a couple of URLs (public IPs) to connect back in.

I am not sure if this is something on the VLAN or at the ASA.

I am not sure what information you will need to assist, so please let me know and I will supply it.

NOTE: I am very green when it comes to Cisco cli so please be patient
0

We currently have a fairly simple setup: we have ONE public web server IP. Our in/out path is ISP line to our Cisco ASA firewall to our host server. We use static IPs from the ISP. Our objective is to achieve highly reliable access to our web server.

We are looking at solutions such as DNSMadeEasy + DNS Failover.

Would the following plan work?
1) We'll acquire a new ISP #2 service as backup for our ISP #1 service.
2) We'll acquire a new switch. On site at our location we'll plug the two lines from ISP #1 and ISP #2 into the new switch.
3) Run a single line from this new switch into our existing Cisco ASA, and add configuration rules to the Cisco for the new source IP addresses to mirror the rules already there for NAT, port forwarding, etc.

Any recommendations would be appreciated!
0
So here's the setup.

I have a new Open Mesh PoE switch I'm trying to plug into an existing 2960 so that we can plug some OM APs into it. I can plug the OMS8 switch into the Cisco with the Cisco switchport in access mode for the VLAN we want it on. I can run an IP scan and see that the switch indeed gets a DHCP lease, and I can go to that IP in a browser and get the admin interface (not allowed to log in). But the switch never checks in with CloudTrax. I have 4 other APs on the same subnet that check in fine, so I don't think content filtering (as suggested by their support) is the issue, though they say the switches check in to different servers than the APs. So here's the setup:

OMS8------>2960----->3650------->5515ASA

Is there a way I can search for that MAC on either the 3650 or the ASA to see if it's getting filtered?
0
Dear Experts,

I went to the Cisco website to find the latest firmware for my client's router.

Currently the firmware is isr4300-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin

In the downloads, I found:

3.13S
- 3.13.8S(MD)
- 3.13.7S(MD)
- 3.13.6aS(MD)
- 3.13.6S(MD)
- 3.13.5S(MD)
- 3.13.4S(MD)
- 3.13.3S(ED)
- 3.13.2S(ED)

I deduce that my client is using 3.13.4S(MD)

My account does not allow me to download 3.13.8S(MD), but I can download 3.13.7S(MD). However, I am not able to review that version's release notes: I clicked on the release note link and it brought me to https://www.cisco.com/c/en/us/support/ios-nx-os-software/ios-xe-3s/products-release-notes-list.html, and I do not know which document to look at, as I cannot find the release notes for 03.13.7S.

Can anyone please help me on this?
0
I am putting together some phone equipment and servers in a datacenter cabinet.  The datacenter is providing us a redundant router connection using HSRP.  The cabinet has two Ethernet cables: primary, secondary.

We need external routable addresses for each of the two border controllers for the phone system.  They have a WAN port and a LAN port so they can have an external (outside the firewall) connection and also have a local IP address in the same subnet as the servers in the cabinet.

We are trying not to purchase another $2000 Cisco switch for the setup to accept the 2 Ethernet connections.

We have a WatchGuard M370 firewall device with several ports that can be configured in many ways.

We have two layer 2 switches available in the cabinet for use outside and/or inside the firewall. It is a layer 3 device.

I need help in the configuration of this system.

One suggestion was to take the two datacenter network cables and plug them into a standard layer 2 switch, then patch that switch into an external interface on the firewall. After so many attempts I am trying to remember, but I think the path to the internet was broken when BOTH router cables were plugged into that switch. I am going back to the datacenter tomorrow to try more things, but I wanted to get some input from you guys first. I have the datacenter IP sheet where they provide me the configuration info, but I didn't want to post live addresses on this site. Basically they gave me a /29 subnet and …
0
Hey Experts, we have a Digium Switchvox VoIP server. This past weekend our local power company had to upgrade our facility's power. We gracefully shut down everything Friday night; power was restored yesterday afternoon. This morning we have half of our phones not working, as they cannot get an IP now. Our LAN and VoIP LAN are attached to our SonicWALL NSA2600, and we have 3 Cisco SG500-28P stacked switches. What we have found so far is that any phone connected to the master switch will not get an IP for the phone. Each desk has 1 Ethernet drop that goes into the phone, and the workstation plugs into the phone. The workstations all work fine, even behind phones that don't work. We have rebooted the switches for good measure and nothing changes. Hoping someone can help shed some light on what the problem is.

Here is how the config on the SonicWALL looks for the interfaces:
Interfaces on SonicWALL NSA2600
Here is the stack:
SG500-28P Stack
0
Hi all,

I have requested an additional IP address block from my ISP so that I can assign a public IP directly to my VoIP server. I have received it and added a NAT statement to my router as follows:

ip nat inside source static 10.121.50.1 XXX.XXX.XXX.XXX (being one of the static IPs assigned by our ISP)

I can establish a SIP session with my server from outside; however, I still get no audio either way. I ordered the additional IP so I could NAT everything from the external IP to the server to avoid this exact issue, but it hasn't worked. To me it looks like no traffic is going back out through the NAT statement, as the debug always shows 0 packets going out but plenty going in:

*Jan 15 15:32:53.900: NAT*: s=183.171.81.177, d=58.XX.XX.X->10.121.50.1 [46336]
*Jan 15 15:32:53.960: NAT*: s=183.171.81.177, d=58.XX.XX.XX->10.121.50.1 [28621]
*Jan 15 15:32:54.208: NAT*: s=10.121.50.1->58.XX.XX.XX, d=183.171.81.177 [0]
*Jan 15 15:32:54.212: NAT*: s=10.121.50.1->58.XX.XX.XX, d=183.171.81.177 [0]

183.171.81.177 is my handphone on 4G.
58.XX.XX.XX is the public IP.
Any help Appreciated
0
I currently have 1 PRI configured on my voice gateway router. We have had a few instances where we have had 20-21 simultaneous calls at a time, and as you know a single PRI only allows for 23 simultaneous calls. I am looking to get another PRI from the same telco. How does this work? I have another T1 (PRI) port on my router, which will be used to connect to the 2nd PRI, but how does it work on the telco side? Do they trunk the two PRIs together, so I can now have 46 simultaneous calls? We are going to order another block of DIDs with this new PRI as well. So right now there are 39 numbers associated with the first T1, and I'm not sure yet how many we are going to get with the second block. Does the telco tie these two PRIs together somehow, so both PRIs can share all the numbers?
0
Hi there, we have started using Meraki devices. While we are very happy with the switching and the wireless solution, we are struggling a little with the firewall part of the solution.
Among the many problems we are facing, there is one which is more urgent than the others: the Active Directory integration with group policy.

I have successfully followed the documentation found here:
https://documentation.meraki.com/MX-Z/Group_Policies_and_Blacklisting/Integrating_Active_Directory_with_Group_Policies#Create_LDAP_Group_to_Group_Policy_Mappings_in_Dashboard

The AD servers have been added, I've got a green tick on the status, and I'm able to query LDAP, getting the required security groups to be added to the policies (see AD Authentication screenshot).

What I have done is put one AD user in a specific security group in AD and build a single rule to block a website, and it doesn't work; also, on the policy list I cannot see any client added (see Policy screenshot).
If I manually assign the client to a policy (selecting the client from Network-wide -> Clients), it works.
This makes me think that, despite my having followed the documentation and the diagnostic page for AD integration showing a green light, the AD-based authentication is the problem. Also, I don't use the splash screen to authenticate the users; I don't know if it is a requirement, but I'm not willing to use any splash screen.

Can someone help me?  


Thanks
-Daniele
ad-auth.png
Policy.png
0
I have a mail server on the inside of my network. I have established all of the ACLs and NAT statements on the ASA, and traffic is flowing correctly inbound. However, when the mail server sends traffic outbound (to external networks) it uses the ASA primary IP on the outside interface. I would like to force the outbound traffic to external networks to use a particular IP address (the one that is NAT'ed) for SMTP. As the NAT statements are already in place and functioning, is this a matter of using an extended ACL? If so, how should it be constructed? Thank you in advance for the assistance.
0

Background:
I'm helping a small school with limited resources set up some Cisco APs in their network. We want to keep the wireless devices outside of our internal network via a separate VLAN. I've had difficulty setting up this environment and could use some help.

Equipment:
- Some older Cisco 720i APs
- A handful of old Cisco Catalyst 2960 switches
- An APU2C4 appliance running pfSense acting as our router/firewall

What I tried:
I don't have much experience with the Cisco CLI, so I've been trying to set up as much as possible on the APs themselves via their web interface. The APs have VLANs set up with an open SSID. I tried associating the ports these APs are connected to on the Catalyst 2960 switches with the VLAN we want to use. I also tried to use DHCP relay (or "IP helpers" in Cisco-speak) on the pfSense appliance and set up IP helpers on the APs, but I really have no idea what I'm doing at that point.

Any advice on how to actually get this done? Commands and step-by-step guidance would be greatly appreciated.
0
Hi there,

I have a 2504 WLC at a remote site overseas, currently on code 8.3.121.4. I need to update the code on it due to the KRACK vulnerability, but wasn't sure what the best route was to go on this. Cisco's suggested release is 8.2.166.0 (ED), but I'm hesitant to downgrade the code as I've heard some horror stories (losing configs, etc.) and I don't have an onsite resource there in case things go to hell. Cisco TAC's recommended 8.3 release is 8.3.133.0... would I be better off just upgrading to that version instead? Would that be safer for a remote update?

Any input is appreciated, thanks!
0
We have a small network in the office with a Cisco router and switch,
and we want to set up a VPN and allow 5 directors' homes to access our network directly.

Can you share with me some suggestions I can start with?
0
OK, don't laugh. I have a 9-year-old Cisco Call Manager which has run flawlessly for the last 9 years.

Recently it has developed a problem, and since it has been end-of-lifed by Cisco they will not help me with this issue.

Here is the problem.

When a user goes to listen to their voice mail, everything works properly: it will tell them they have "X" messages, "To listen to your messages press 1..."

Once they press one, again it works as normal, saying "a message from.... sent on...."

Then, right when it would normally play that message,

a message will play that says:

"This message contains no recording."
Then it will go on with the normal "to save it press 2, to delete it press 3".

No matter what option you select, the next message played is:

"This system is temporarily unable to complete your call, call again later, goodbye."

In the previous step, if you press 2 to save the message and go into saved messages, it is there.

Since I have 90 mailboxes and get over 200 messages a day, this is becoming a huge issue.

I'm hoping someone here may have enough knowledge, or could at minimum refer me to someone who can help me band-aid this until I can work on a replacement plan...

Thanks

Here are some version screen shots.

Show Hardware
https://www.screencast.com/t/WWcVu2wO 

Show System
https://www.screencast.com/t/rgFoIOWBb7
0
Hello,

We have a single Catalyst 4500 in our datacenter. It's a WS-C4507R+E with an ipbase license. It has
2x48 10/100/1000BaseT Premium PoE blades,
2x4 Supervisor 10GE (SFP+), 1000BaseX (SFP) blades in active & standby hot,
1x12 1000BaseX (SFP) blade and
1x12 10GE (SFP+) blade.

In the interest of replacing this EOL switch, I am looking for a replacement which will last 10-15 years and which can easily handle this environment, with the possibility of growth and scalability to accommodate modern servers coming with 10GE NICs. I'm also interested in having it in HA mode.

We also have 2960S switches in stacked and unstacked modes connected to this 4500 via fiber. What can be a good replacement for them as well?

Thank you.
0
Hi, I have set up a test lab and wanted to download a version of CCP admin so I can configure the network just for testing. Is there a copy I can download to do this? All I can find are WinRAR downloads of just the instructions on how to configure.
0
Hey guys,
I am dealing with a client that has been down all yesterday as well as today with conflicting IP addresses. I worked with Microsoft, and they were able to find the MAC address of another device that was giving out DHCP. I have tried arp on various servers and could not find that MAC, even after pinging the broadcast address. I have tried this command: show ip arp vlan (vlan number) | include (mac address), and all that it can really tell me is what the originating port is. This led me to two HP switches which also have the MAC address but list the trunk port as the originating source. I am getting absolutely nowhere with finding this. Please help!!!!
0
I need to update a bunch of Catalyst switches from TLSv1.1 to TLSv1.2. I also need to disable older ciphers. Has anyone implemented this before?

Please share the steps, as I can't seem to find any documentation online for this.

Thank you.
0
hello experts
I am using the PowerShell script below to telnet to my network devices and do some automated tasks, for example changing the WiFi password and sending an email out daily. When I test it connecting to network devices such as routers and switches it works, but when I try to use this script to connect to a Cisco WLC it fails, because the WLC does not support raw telnet mode any more and drops the telnet connection coming from my script. As I am new to PowerShell, could you help me modify my script so that it does not use raw telnet mode when connecting to the network device?
thank you

Function Get-Telnet
{   Param (
        [Parameter(ValueFromPipeline=$true)]
        [String[]]$Commands = @("username","password","disable clipaging","sh config"),
        [string]$RemoteHost = "HostnameOrIPAddress",
        [string]$Port = "23",
        [int]$WaitTime = 1000,
        [string]$OutputPath = "\\server\share\switchbackup.txt"
    )
    #Attach to the remote device, setup streaming requirements
    $Socket = New-Object System.Net.Sockets.TcpClient($RemoteHost, $Port)
    If ($Socket)
    {   $Stream = $Socket.GetStream()
        $Writer = New-Object System.IO.StreamWriter($Stream)
        $Buffer = New-Object System.Byte[] 1024
        $Encoding = New-Object System.Text.AsciiEncoding

        #Now start issuing the commands, one line at a time, pausing after each
        ForEach ($Command in $Commands)
        {   $Writer.WriteLine($Command)
            $Writer.Flush()
            Start-Sleep -Milliseconds $WaitTime
        }

        #Give the last command (usually the longest, e.g. "sh config") extra time to finish
        Start-Sleep -Milliseconds ($WaitTime * 4)
        $Result = ""
        #Read everything the device sent back into a single string
        While ($Stream.DataAvailable)
        {   $Read = $Stream.Read($Buffer, 0, 1024)
            $Result += ($Encoding.GetString($Buffer, 0, $Read))
        }
        #Release the socket
        $Writer.Dispose()
        $Socket.Close()
    }
    Else
    {   $Result = "Unable to connect to host: $($RemoteHost):$Port"
    }
    #Done, now save the results to a file
    $Result | Out-File $OutputPath
}


0

Dear Sirs, I have configured an ASA 5510 with 4 interfaces (Outside, DMZ, Inside, Branch_Offices). On my DMZ I have 3 servers: DNS, Mail and Web, but I don't know how to do that (now I have traffic from outside to a single server in the DMZ). I need people from outside to be able to get to the website and send emails to people on the inside. I have traffic from inside and DMZ to outside.

Here's the configuration:

: Saved
:
ASA Version 8.2(1)
!
hostname ASAFCHFW
domain-name MYDOMAIN.COM
enable password kFJzUkFi3silH1Ye encrypted
passwd PVSASRJovmamnVkD encrypted
names
name A.B.c.d BCP description BCP
name A.B.0.0 Linkser description Linkser
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address x.y.z.131 255.255.255.240
!
interface Ethernet0/1
 nameif Branch_Office
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ
 security-level 10
 ip address 172.16.31.1 255.255.255.0
!
interface Ethernet0/3
 nameif Inside
 security-level 100
 ip address 192.168.0.2 255.255.255.0
!
interface Ethernet0/3.1
 description Inside
 vlan 1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.2
 description ServerFarm
 vlan 2
 nameif SvrFarm
 security-level 100
 no ip address
!
interface Management0/0
 nameif LinkserNet
 security-level 100
 ip address 172.16.6.2 255.255.255.252
!
!
time-range ilimitado
 periodic daily 0:00 to 23:59
!
banner exec # WARNING!! Unauthorized …
0
We have a C3750-48PS. The switch works fine for the computers, but the access point doesn't come up: it lights up, but it doesn't see the wireless controller. The access point is a 2802I.

Any ideas?
0
Hey,

I am super new to phone systems and am only asking in the absence of my usual go-to phone engineer. We have a client with a FreePBX phone system and Cisco SPA525G handsets. They would like to use the Line Key 5 button (bottom button to the right of the screen) on their reception phone to pick up any internal or external calls for when other staff are away from their desk.
I've tried a few things in the config of the phone, but have not been able to get this working yet.
I don't think we should need to adjust the config in FreePBX (could be wrong), as apparently this used to be working and the PBX config hasn't changed in quite some time.

This is as far as I've been able to get with the research and reading I've done (which doesn't work):
fnc=blf+cp;nme=Call Pickup

Any assistance would be appreciated!
linekey5.png
0
Does anybody know how to create a wireless network and tag it on a VLAN? Can someone also tell me how to tag a VLAN on an existing SSID? I poked around myself and was able to find where the WLANs are and how to create them, but nowhere can I find an option to tag them on a VLAN.
0
Hey guys,
We have just acquired a client that uses Cisco stuff. I am looking at the show run file for one of their devices. I see non-default VLANs added to the ports, but I don't see any list of VLANs. Somewhere at the top of the file I see "vlan internal allocation policy." The stuff that I am reading about it is confusing, but it seems that what this is doing is importing VLANs from another device. Is this correct?
0
We are still attempting to resolve random VoIP issues (dropped calls, 1/2 ring then straight to voicemail, etc.). We have implemented a new Meraki MR320 switch and placed all desktops/phones (daisy-chained) on this new switch. We have this Meraki switch uplinked to a physical port on our firewall. There are no other switches connected to the Meraki. The physical port on the firewall that the Meraki is connected to is part of a bridge to another port on the firewall which contains the rest of our network switches. We have 2 VLANs, voice and data, set up on the Meraki. I am seeing the messages in the Meraki log below over and over randomly during the day. Is this an issue? I have done some research on RSTP and port settings for the Meraki but am still not sure I have the full grasp, and whether what I am seeing is actually an issue. FYI, we do not have devices being unplugged when seeing the issues. We have newer cabling to all ports.

STP Log
0
