Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


This C3560 switch used to be working well. Its port 25 uplinks to the core switch and allows VLANs 2, 3, 5 - 7 and 100, as shown in the config attached. While one of our guys was working on updating each port description, all of a sudden only the ports in VLAN 7 and 100 were working while all others were not. "Not working" means unable to ping the servers via those ports. So we restored the config from a good backup, but still to no avail -- what a bummer!

After we picked one port and issued 'switchport access vlan x' one by one for all non-working VLANs, all became working in the beginning. But minutes later we noticed VLAN 2 and 3 are NOT working again while the others remain working. What could be wrong? How do we resolve this issue? Please help. (Please refer to the config attached.)

What is the Cisco term of the DX80 telepresence bridge point? Cisco Spark connect point?
This may be a stupid question, however I want to make sure.

If I run a port scan utility, say from SolarWinds for example, against a Cisco ASA, will this trigger any kind of threat response from the ASA? I.e. will it blacklist the IP that is running the port scan for a short time? Are there other ramifications for doing this?

I am thinking it will just drop the traffic or perhaps do nothing, but I am not well versed on what it will do.

Thanks for the feedback.
Is it possible to get a report of Internet usage and/or web sites visited from Sourcefire and an ASA 5512?

Any add on reporting tool that would be useful ?

Snort ? Splunk ?
Dear Experts, we noticed some abnormal traffic on my Cisco 3925 router when we issued the commands "show processes cpu", "show ip flow top-talkers" and "show ip nat translations", and blocked some IPs which were strange, but the others keep coming to attack us on port 389.

Is there any way to configure the router so that it can react automatically? For example: block an IP when the connection count is higher than a pre-defined threshold? My router's CPU is at 17-25%; is that too high? Normally at off-peak time it's just about 10%.

Please suggest. Many thanks as always!
Hi Experts,

I have to create a new link from my fibre box to my switch.
This is single mode and the cable is an LC-E2000 cable.

I am not able to bring the link up.

I am using the switch C2960X with Singlemode transceiver. But this is not the original transceiver it is a cheaper one.
But in the config the transceiver is visible.

Gi1/0/41                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/42                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/43                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/44                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/45                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/46                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/47                     disabled     1            auto   auto 10/100/1000BaseTX
Gi1/0/48                     connected    1          a-full a-1000 10/100/1000BaseTX
Te1/0/1                      disabled     1            full    10G Not Present
Te1/0/2   "VPLS Internet Upl notconnect   1            full    10G SFP-10GBase-LR
Fa0                          disabled     routed       auto   auto 10/100BaseTX


Do you have any ideas ?
We can't seem to use ASDM to change the inside interface on new two Cisco ASA 5506x devices.

We have experience with ASDM before the bridged group config was added in V9.8. However, in these new devices, we can't seem to change the default config from the subnet to what we want to use them on. Using Step 4/12 in the startup wizard the Edit button when selecting GigabitEthernet1/2 does nothing? If I try to change the BVI1 bridged group IP ASDM will either return an ERROR when applying or hang?  

I have even dabbled with the cmd line to try to do this but always get an error.

I have spent two days trying to get either of these devices working properly to no avail. I need help, the cisco forums are rubbish imho and there seem to be very few 9.8+ links on how to do this. I am not sure where this is going wrong?
Cisco Call Manager Express with Cisco 7970 IP Phones. All phones are displaying the message "3:Forwarded to 046" in the lower left hand corner of the display. This happened all of a sudden. This does not match the display message configured in the CME. I have tried changing the message and a hard reset of the phones, CME and IADD.
Hi, I was running my SDM software on one of my Win 7 PCs with no problems and was previously with ISP: - successfully.

I have ping connectivity from my router, switch and PC and vice versa.

I have now changed to ISP: Vodaphone - and installed SDM on my 2nd Win 7 PC, but for some reason now SDM will not open a browser and instead it prompts to download:


It also throws a notepad file on my desktop showing an error on my 1st Win 7 PC that was originally running SDM successfully.
My 2nd Win 7 PC that I installed SDM on after the ISP change does not throw the below error on my desktop:

exception_access_violation (0xc0000005) at pc=0x04f439a6, pid=1124, tid=2628

When I connected to my Vodaphone router a browser did show, saying that it could take a few weeks to fully sync everything, or words to that effect, but I assumed it meant the connection speed.

I have also uninstalled IE 11 and re-installed it, and done the same with Google Chrome, but still cannot get SDM to open the software.

Any help?

I then decided to open my SDM already installed on my 1st Win 7 PC that has been working, and got the exact same issue, so it makes me believe that since the change to another ISP something has not quite updated or I need to download a specific update!!

Or is it as the above URL describes, that I may have a bug on both PCs or some software I have installed has caused…
Hello all, my company has 3 branches. All branches connect to the Internet by PPPoE with dynamic IP addresses. I would like to configure DMVPN and IPsec; do you have any solution for this?

Hello Experts

I want some help with object naming on Cisco ASA. What is the best method you use for better management?
For example, I have the below requirement; what will be the efficient way to do it?

/24	TCP	10.10000.136.33	20,21,1234,5660,5900,9044,9903,443
/24	TCP		20,21,22,80,5660,9055,443
/24	TCP		80,3389,5900,443
/24	TCP		3389,5631,443
/24	TCP		22,443,8080
/24	TCP		22,5800,5900,443
/24	TCP		20,21,22,23,5660,9055,443
/24	TCP		22,5800,5900,443,8000
/24	TCP		443
/24	TCP		22,5900,443
/24	TCP		20,21,443

Appreciating any help and suggestions
Please could you help me? I am a newbie to managed switches and would like to enable the Web Console (manage the switch through the web interface) for my CISCO 3650G. I would like this so that I can visualise a little better while I am learning to use the command line.

Currently, if I visit the management IP using Internet Explorer I see the attached, but I'm unable to see the CISCO 3650G web interface; IE says the page can't be displayed.
Hi, so we have about 20 Cisco 10/100 switches at 1 location that we are looking to upgrade to gigabit. The models we have currently are 3750-24PS-S and 2960-24PC-S, and we haven't decided which ones we are going to upgrade to yet (if anyone has suggestions, I'll take them). About 15 years ago I used to manage some switches at an office where I worked, but I've totally forgotten since then. When we upgrade, I'm assuming we can copy the running config from each old switch, copy it to the new switch, and everything should work? All help and suggestions are greatly appreciated.
I have a question regarding Cisco ASA 5505.
I have a business requirement where I need to adjust the configuration of my asa5505 router.
Current Environment
Currently users use a cisco any connect client installed and configured on their laptops (Windows 7/10) to connect to the business office network remotely for file access.
Remote Users authenticate to the business office network through the router with their asa user credentials.  

Once the end user is connected to the business VPN, their network traffic/data packets show that their source public IP address is their local ISP's, not the business office public IP address. So if there are 20 remote users connected from 20 different locations, each remote user would have a unique public IP address in their data packet source address.

What is required
For a host of business reasons that are not important here, we need to adjust the current router config so that when a remote user is connected to the office VPN, they transmit data showing their source public IP address to be the office router public IP address.

We want to change the router so that every user connecting to the VPN will send data packets such that their source address is the business office public IP address. 20 connected users would all have the same exact public IP source address.

What do I need to change in my current configuration to make this happen?
I'm working on a solution as a vendor on a deployment model for Cisco NGFW with the following interests:

•      east-west traffic inside the server farm, for stopping malware lateral movement
•      user (access layer) to server farm, for policy control e.g. AV, IPS etc.

Constraints / Concerns:
•      Currently there is no L4 policy control or firewall in place; the network topology is flat.
•      Don't want to buy a layer 3 switch for inter-VLAN routing.
•      Internet traffic is managed by another segment and is not to be passed through the proposed NGFW.

Concerns from the vendor integrator perspective:

•      Between application-to-application or app-to-DB server, such traffic can be best addressed with an ACL; no botnet, malware exploits or spread from server to server per se. The use of IPS and AV inspection will be counter-effective.
•      Further, the connection between app and DB is heavy traffic; the firewall will be kept looking at those connections for a long time, holding down memory and CPU and affecting throughput as well.
•      Terminate access to the server farm ONLY at the layer 3 device (NGFW) for policy control and NGFW compliance features (IPS, AV).

I'm looking for your assistance on whether there exists a Cisco validated design either for or against the above solution. Thanks.
I'm trying to replace a Cisco 887 with an ASA to connect to our CoLo Cisco 4321 router via a VTI tunnel. It looks like I have everything configured properly, but my tunnel interface on the ASA will not come up. Line and protocol are both down. When I debug you can see they are trying to establish a connection:

  Initiator COOKIE: e7 4e 84 d4 08 39 37 d1
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 204
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 96
    DOI: IPsec
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 84
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 2
      Payload Transform
        Next Payload: Transform
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: MD5
        Group Description: Group 2
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 40
        Transform #: 2
Using a Cisco ASA 5555 with the AnyConnect SSL client and split-tunneling enabled, how do I force an inside tunneled route to a FQDN so that the AnyConnect client tunnels through the ASA and presents the egress IP of the ASA to the destination? I've read conflicting results when adding a FQDN to an ACL as a secured route. It would be easier if the host had a single static IP address, but it's behind an AWS load balancer so the IPs change. Am I even making sense? On a scale of 1-10 representing my knowledge of ASAs (where 1 = WTF is an ASA, 10 = I configure ASAs in my sleep) I'd say I'm at about a 4.
Main office A and office B have a VPN tunnel between the two locations via a Cisco RV325 at both locations. The VPN stays connected other than occasional drops. We recently configured VPN clients using NETGEAR VPN client software. When the clients connect to the VPN, the tunnel between office A and B is dropped. The client that is connected via the VPN software can open the tunnel but can't access any of the network resources. If the 325 is rebooted, the connection is restored between office A and B. Cisco is updated with the latest firmware on both units.
I am not an expert in Cisco. I am just configuring VLANs in my network.
I have created 2 more VLANs other than the native VLAN: VLAN 9 with IP, VLAN 10 with IP and VLAN 1 (default) with
Now VLAN 9 can reach VLAN 10 and VLAN 10 can reach VLAN 9. But VLAN 9 and 10 cannot reach VLAN 1 IPs. Now I would like to have communication between all these VLANs.
I would like to route all traffic to the Fortinet firewall except internal IP traffic. Configuration attached.
Is there anyone who can guide me on how to have inter-VLAN communication as per best practice?

Hi everyone

Hope you can help

I have a parent/child domain test environment. I'm trying to block specific ports between the parent/child clients.

So parent domain clients are on child on

My ACL looks like below:

ip access-list extended DENY_FILE_AND_LDAP
deny tcp any 139 ace-priority 20
deny tcp any 389 ace-priority 40
deny tcp any 445 ace-priority 60
permit ip any any ace-priority 80

This is bound to the child domain VLAN:

interface vlan 20
ip address
service-acl input DENY_FILE_AND_LDAP

I'm trying to block those ports from being open on the child domain clients, but it doesn't seem to be working.

Port 389 is LDAP.

Ports 139 and 445 are Windows file share.

It's not working.

Any thoughts?

Dear Experts, I saw this error in logging of Cisco Router C3925. Could you please suggest and explain?

The Src address is the public IP address of this router (and it was hidden); the Dest address is the access point's private IP address. This is a diagram:

ISP --------- Router C3925 ------------ Core switch 3750 -------------- Access switch 2960 ------------- Access point Meraki

Many thanks as always!
I have a Cisco 3845 running 15.1(4)M12a.

It is consistently running at 85%+ CPU utilization. Here is an image of what we see:

I do not see anything over 1%. Any ideas what else can be causing such a huge tax on the CPU and how I can track it down?

We have a Cisco CISCO2921/K9 VG router in the office. It's unable to synchronize with NTP. Below are the outputs. Any help will be much appreciated.

INBUPPVG501#sh ntp status
Clock is unsynchronized, stratum 16, no reference clock
nominal freq is 250.0000 Hz, actual freq is 249.9984 Hz, precision is 2**24
reference time is 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
clock offset is 0.0000 msec, root delay is 0.00 msec
root dispersion is 21.24 msec, peer dispersion is 0.00 msec
loopfilter state is 'FSET' (Drift set from file), drift is 0.000006402 s/s
system poll interval is 64, never updated.

INBUPPVG501#sh run | sec ntp
ntp authentication-key 10 md5 097A1F5C292928300A02032624362D 7
ntp authenticate
ntp trusted-key 10
ntp access-group peer 10
ntp update-calendar
ntp server key 10

INBUPPVG501#sh ntp associations detail configured, authenticated, insane, invalid, unsynced, stratum 16
ref ID .INIT., time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
our mode client, peer mode unspec, our poll intvl 64, peer poll intvl 1024
root delay 0.00 msec, root disp 0.00, reach 0, sync dist 15940.24
delay 0.00 msec, offset 0.0000 msec, dispersion 15937.50
precision 2**24, version 4
org time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
rec time 00000000.00000000 (05:30:00.000 IST Mon Jan 1 1900)
xmt time DE520F2F.5A63DFE1 (14:19:51.353 IST Tue Mar 13 2018)
filtdelay =     0.00    0.00    0.00    0.00    0.00    …
I have a client who's got a Cisco 1921 and they are upgrading the Internet to a fibre connection with a static IP.
Is there an easy way to configure it? Is there a GUI setup for this model?
May I have the steps to change this?
By the way, they are going to connect to Fibre 400, which could give them up to 400 Mbps. Can this router handle this? The spec seems to be OK, but a friend of mine said this model is good up to 100 Mbps only; is that the case?

Our Cisco guy is on holiday for two weeks and I personally have no experience with this Cisco, so I'm struggling...

Any help is much appreciated.

Hi Community.

We are deploying a 10Gbps connection between two of our locations.

To establish the connectivity we are using a C3850-24XS with IP Services either side of the circuit.

We need to establish multiple routing domains (distinct routing tables) to separate trusted and untrusted traffic. With this in mind we were thinking that it would be best to establish a trunk between the sites and use Vlan SVIs between the two sites, using /30 IP addresses either end.

I need to restrict the amount of bandwidth for each routing domain and was wondering if I could enable shaping for traffic egressing the Vlan from either side of the connection?

I can't find a lot of information regarding this in the design guides or forums. There is lots of information related to physical interfaces and sub-interfaces but not a lot relating to SVIs.

Is this even possible?