Cisco

22K

Solutions

14K

Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


I'm running older Cisco switches, 2960, 3750, etc...
I configured ntp via:
ntp server 192.5.41.40
Type: clock timezone PST -7 0

But I was thinking, I should use hostname instead, so I tried to use time.google.com, but I keep on getting a "translating" error.

Any ideas how to fix that?
0

Aug 15 16:57:58 2017 router608d14 kernel: #warn<4> ACCESS_RULE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:be:d9:c1:2e:42:08:00 SRC=10.128.144.149 DST=10.128.144.255 LEN=247 TOS=0x00 PREC=0x00 TTL=128 ID=18415 PROTO=UDP SPT=138 DPT=138 LEN=227

Aug 15 16:57:58 2017 router608d14 kernel: #warn<4> ACCESS_RULE: IN=eth0 OUT= MAC=88:5a:92:60:8d:14:e8:50:8b:36:23:67:08:00 SRC=10.128.144.101 DST=199.193.204.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43496 DF PROTO=TCP SPT=50297 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
0
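The two kernel log lines above are in the usual netfilter key=value format: a syslog header, then `IN=`/`OUT=` interfaces, a 14-byte `MAC=` field (destination MAC, source MAC, EtherType), the IP header fields, and then the transport-layer fields, where `LEN=` appears a second time as the UDP length and bare tokens such as `DF` and `SYN` are flags with no value. The parser below is an added example written for this page, not code from the post or from Cisco; it reads the two lines quoted above (embedded inline as sample input) and produces a one-line summary per entry that a reviewer can scan, for instance to tell a NetBIOS broadcast from an outbound HTTPS connection attempt.

```python
import re

# The two lines quoted in the post, embedded here as sample input.
SAMPLE_LOG = """\
Aug 15 16:57:58 2017 router608d14 kernel: #warn<4> ACCESS_RULE: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:d4:be:d9:c1:2e:42:08:00 SRC=10.128.144.149 DST=10.128.144.255 LEN=247 TOS=0x00 PREC=0x00 TTL=128 ID=18415 PROTO=UDP SPT=138 DPT=138 LEN=227
Aug 15 16:57:58 2017 router608d14 kernel: #warn<4> ACCESS_RULE: IN=eth0 OUT= MAC=88:5a:92:60:8d:14:e8:50:8b:36:23:67:08:00 SRC=10.128.144.101 DST=199.193.204.134 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=43496 DF PROTO=TCP SPT=50297 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Syslog header: "<Mon dd HH:MM:SS yyyy> <host> kernel: [#warn<4>] <RULE>: <rest>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<host>\S+) kernel: "
    r"(?:#\w+<\d+> )?(?P<rule>[A-Z_]+): (?P<rest>.*)$"
)

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def split_mac(mac):
    """MAC= holds dst MAC (6 bytes), src MAC (6 bytes) and EtherType (2 bytes)."""
    parts = mac.split(":")
    return ":".join(parts[:6]), ":".join(parts[6:12]), "".join(parts[12:14])


def parse_line(line):
    """Parse one netfilter-style log line into a dict, or return None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            # LEN= is logged once for the IP header and again for UDP; keep the
            # second occurrence under its own name instead of overwriting.
            if key in fields:
                key = f"{key}_{fields.get('PROTO', '2').lower()}"
            fields[key] = value
        else:
            flags.append(tok)  # valueless tokens: DF, SYN, ACK, ...
    dst_mac, src_mac, ethertype = split_mac(fields.get("MAC", ""))
    return {
        "ts": m.group("ts"), "host": m.group("host"), "rule": m.group("rule"),
        "fields": fields, "flags": flags,
        "dst_mac": dst_mac, "src_mac": src_mac, "ethertype": ethertype,
    }


def parse_log(text):
    """Parse every recognisable line; silently skip lines in another format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entry):
    """One-line description: proto, 5-tuple, TCP flags, L2 broadcast marker."""
    f = entry["fields"]
    text = (f"{f.get('PROTO', '?')} {f.get('SRC')}:{f.get('SPT', '-')} "
            f"-> {f.get('DST')}:{f.get('DPT', '-')}")
    tcp = [x for x in entry["flags"] if x in TCP_FLAGS]
    if tcp:
        text += " " + "/".join(tcp)
    if entry["dst_mac"] == "ff:ff:ff:ff:ff:ff":
        text += " (L2 broadcast)"
    return text


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["ts"], e["host"], e["rule"], "in=" + e["fields"].get("IN", ""),
              "out=" + (e["fields"].get("OUT") or "-"), "|", summarize(e))
```

The first line summarises as a UDP 138 to 138 datagram sent to the subnet broadcast address with an all-ones destination MAC (NetBIOS datagram service traffic), the second as a TCP SYN from an inside host to port 443; both have `OUT=` empty, so the rule that logged them saw no egress interface. The EtherType `0800` (IPv4) is kept so that a non-IPv4 frame hitting the same rule would stand out.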
We are planning on standing up 2 Exchange 2016 servers. One in the Americas and one in Asia that would also act as failovers.
How can I setup the 2 IronPorts to differentiate between the two locations? Both would be serving the same domain.
0
Is there a Cisco fanless 12 port or 24 port POE switch, gigabit?
I installed a 3750G-24 port switch in my office and the thing is loud, starting to get annoying.

I need at least 9 ports with the uplink, hence the 12 port minimum.
0
I've been asked to turn on logging for code ASA-6-302014.  According to Cisco it's the Teardown TCP connection.
I have logging enabled and have set notifications  for syslog ID 302014.  I can't seem to get ASA-6-302014 to show in my log files, but I get ASA-5-302014.  Is this the same thing?

Our ASA is a 5520 8.2(1) 

Thanks,

Eric
0
I have a cisco ASA 5505 firewall.  I allow RDP thru to an inside address server.
Is there a log I can view to see what ip came in through with proper user and pw.
0
Hello again!

I'm trying to find some sort of tutorial, or other information on the proper syntax and such for Nessus .audit files, specifically for Cisco products.

The "Nessus Compliance Reference" on Tenable's website doesn't explain nearly well enough the different meta-characters and their uses (i.e. ^, $, bracketing), nor does it explain how Nessus looks at IF/OR/AND statements.

Any help would be greatly appreciated!

EDIT: To explain better.

I understand the basic syntax:
<check_type: "Cisco"> 
  <item>
    type       : CONFIG_CHECK
    description: "Enable password is set and encrypted"
    info       : "Check to see if the enable password is encrypted"
    item       : "enable secret [^ ]+"
    required   : YES
    severity   : HIGH
  </item>
</check_type>



But the part on line 6 after ENABLE SECRET is part of what I don't understand (I am having to rewrite an .audit file to suit my organization's needs).

Another example of stuff that I'm attempting to do, but not understanding how:
<if>
  <condition type:"OR">
    <item>
      type        : CONFIG_CHECK
      description : "Check for aaa auth login default"
      info        : "The network element must have DNS servers defined if it is configured as a client resolver."
      item        : "ip domain-lookup"
      item        : "ip name-server [^ ]+"
      severity    : MEDIUM
    </item>
    <item>
      type        : CONFIG_CHECK
      description : "Check for aaa auth login default"
      info        : "The network element must have DNS servers defined if it is configured as a client resolver."
      item        : "no ip domain-lookup"
      severity    : MEDIUM
    </item>
  </condition>



What I'm aiming for is that if either one of those checks is positive, then the system has passed that particular audit, as both of those will meet the requirements.
0
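The `item` strings in a Cisco CONFIG_CHECK are regular expressions, so `enable secret [^ ]+` reads as "the literal text `enable secret `, then one or more characters that are not a space", which is satisfied by any non-empty value after `enable secret`. The script below is an added example written for this page, not code from the post, from Tenable or from Nessus; it assumes, as a simplification, that each `item` regex is searched against every line of the running configuration and that a check passes when all of its `item` regexes match somewhere, and it evaluates the OR condition from the second snippet over three constructed sample configs. It also shows the pitfall an unanchored `ip domain-lookup` has: as a substring search it also matches `no ip domain-lookup`, so the pattern needs a `^` anchor to mean what the check intends.

```python
import re

# Constructed sample configs (not from the post); the enable secret hash is a placeholder.
CONFIG_GOOD = """\
hostname edge1
enable secret 5 $1$abcd$PLACEHOLDERHASH
ip domain-lookup
ip name-server 192.0.2.53
"""
CONFIG_NO_LOOKUP = """\
hostname edge2
enable secret 5 $1$abcd$PLACEHOLDERHASH
no ip domain-lookup
"""
CONFIG_BAD = """\
hostname edge3
enable password plaintext
ip domain-lookup
"""


def config_check(config, patterns):
    """Assumed CONFIG_CHECK semantics: every regex in `patterns` must match
    (re.search, so a pattern is a substring match unless it uses ^ or $)."""
    lines = config.splitlines()
    return all(any(re.search(p, line) for line in lines) for p in patterns)


def or_condition(config, branches):
    """Assumed <condition type:"OR"> semantics: pass if any branch passes."""
    return any(config_check(config, patterns) for patterns in branches)


# The first snippet from the post: enable secret followed by a non-empty value.
ENABLE_SECRET = [r"^enable secret [^ ]+"]

# The OR condition from the second snippet. IOS prints the command both as
# "ip domain-lookup" and "ip domain lookup" depending on release, so the
# character class [- ] accepts either, and ^ keeps the first branch from
# matching inside "no ip domain-lookup".
DNS_BRANCHES = [
    [r"^ip domain[- ]lookup$", r"^ip name-server [^ ]+"],  # resolver configured with servers
    [r"^no ip domain[- ]lookup$"],                         # resolver disabled
]


def audit(config):
    """Return a dict of check name -> PASSED/FAILED for one config."""
    return {
        "enable_secret": "PASSED" if config_check(config, ENABLE_SECRET) else "FAILED",
        "dns_resolver": "PASSED" if or_condition(config, DNS_BRANCHES) else "FAILED",
    }


if __name__ == "__main__":
    for name, cfg in (("edge1", CONFIG_GOOD), ("edge2", CONFIG_NO_LOOKUP), ("edge3", CONFIG_BAD)):
        print(name, audit(cfg))
```

One caveat worth knowing before relying on the first branch: IOS omits commands that are at their default value from `show running-config`, and DNS lookup is enabled by default, so a device that resolves names typically shows no `ip domain-lookup` line at all (only `no ip domain lookup` appears, as in the 12.4 config quoted elsewhere on this page). A check that requires the positive form to be present may therefore fail on a compliant device, which is exactly the kind of thing to test against a real config dump before deploying the audit file.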
Hello,

I got a "new to me" Cisco 3825 to try to fix some capacity issues our old router is having.  It's a consumer grade Linksys router.  I've tried to duplicate the connection settings, but I cannot make it out to the internet.  From a host on the connected switch I can ping various LAN points.  However, I cannot even ping an external IP, such as 8.8.8.8.  

Following is the show run:

Router1#show run
Building configuration...

Current configuration : 1625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$fi/i$a3lQyNfFM/KRdVN7KFGuy/
enable password <password>
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool DHCP
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1
   dns-server 8.8.8.8 8.8.4.4
!
!
no ip domain lookup
ip name-server 8.8.8.8
ip name-server 8.8.4.4
voice-card 0
 no dspfarm
!
!
interface Loopback0
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet0/1
 description WAN
 ip address <external IP> 255.255.255.248
 ip nat outside
 duplex auto
 speed auto
 media-type rj45
!
interface …
0
Hi Sir,

Would like to ask for your help about the problem listed below,

[Tunnel Authorize Fail] ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xccb797a8) not found (maybe expired)

Hoping that you can help me resolve this matter.


Thank you in advance.
0
Hi All

 I have had the Cisco ASA5505 setup as the firewall for my company for about 3 Years, without issue I have been able to use CISCO ANYCONNECT to connect remotely to my network etc.. For some reason, I now get a message stating " anyconnect not enabled on the vpn server".. my sh run webvpn is below

Free memory:        71697768 bytes (27%)
Used memory:       196737688 bytes (73%)
-------------     ----------------
Total memory:      268435456 bytes (100%)
5505ASA# sh run webvpn
webvpn
 enable outside
 anyconnect-essentials
 svc enable
 tunnel-group-list enable
5505ASA#
If I go through the ASDM wizard and attempt to install the SSL VPN via anyconnect, I get an error as shown in screenshot below. ( File write error check disk space)  which I am not understanding as the cache-fs they say to use does not exist.

It's a small office, with only anyconnect, asdm, and asa.bin files on it, small running config, so I am lost as to why I cannot add Anyconnect especially when it's always worked.

sh disk 0 is also shown below.

5505ASA# sh disk
--#--  --length--  -----date/time------  path
    3  4096        May 17 2013 13:51:48  log
   13  4096        Aug 13 2017 15:29:23  coredumpinfo
   12  4096        Aug 29 2009 07:33:22  crypto_archive
   97  16459776    May 17 2013 13:47:00  asa822-k8.bin
   98  11869456    May 17 2013 13:49:32  asdm-625-53.bin
   99  35167466    Mar 03 2014 10:04:32  anyconnect-win-3.1.05152-k9.pkg

127111168 bytes total …
0

Hi again everyone -

So sorry to be a pest. Now that I have my ASA 5505 up and running with successful Internet access by devices on my LAN, I can't seem to get my DMZ to gain internet access. Nor can I get a simple IPSec site-to-site VPN to work.  This is really frustrating as the ASA on the other side already participates in another separate site-to-site VPN (setup by me) which works just fine.

I have looked at NAT rules and access rules and can't seem to find the difference. The only thing I did differently on this VPN was try Diffie-Hellman Group 1 as group 2 settings didn't work.

Below is the sanitized config of the ASA that has a working DMZ and a working VPN as well as the non-working VPN.  I have replaced my static public IP with xx.xx.xx.xx and the peer IPs in the VPNs are vv.vv.vv.vv for the one that works and ng.ng.ng.ng for the one that doesn't work.

I will return to this post momentarily and add a comment with the running configuration of the ASA at the other site.

Thanks in advance for any help.

Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password /zzzzzzzzz encrypted
passwd zzzzzzz.zzzz encrypted
names
name 192.168.1.0 dmz_outside
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.0.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.252
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 
0
Have an ASA with firesight installed, it appears that streaming out is being blocked.  We use a boxcaster device. I was wondering how I can allow the IP or MAC outside unrestricted.
0
I'm not sure why, but can someone tell me what I'm doing wrong? I'm trying to set up a cert so I can SSH into the switch, but I keep on getting this invalid input.


Enter configuration commands, one per line.  End with CNTL/Z.
dan_3750G_.40(config)#ip domain-name dan_3750G_.40.com
dan_3750G_.40(config)#crypto key generate rsa
                       ^
% Invalid input detected at '^' marker.

dan_3750G_.40(config)#crypto key generate rsa
                       ^
% Invalid input detected at '^' marker.

dan_3750G_.40(config)#crypto ?
% Unrecognized command
dan_3750G_.40(config)#crypto
                       ^
% Invalid input detected at '^' marker.

dan_3750G_.40(config)#
dan_3750G_.40(config)#


dan_3750G_.40(config)#end
dan_3750G_.40#show ver
Aug 10 20:05:22.226 pst: %SYS-5-CONFIG_I: Configured from console by console
dan_3750G_.40#show ver
Cisco IOS Software, C3750 Software (C3750-IPSERVICES-M), Version 12.2(50)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 28-Sep-10 12:56 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02C00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

dan_3750G_.40 uptime is 20 minutes
System returned to ROM by power-on
System restarted at 19:44:45 pst Thu Aug 10 2017
System image file is …
0
Hello -

I presently have a Cisco ASA 5505 (running ASA version 8.2(1) ) sitting behind my Comcast Business gateway. I have a static public IP through Comcast. The Comcast gateway is in pass-through mode (i.e. its LAN DHCP, WiFi, and MoCa are turned off).

I have configured my Cisco with the necessary VLANs and interfaces such that I have an inside network of 10.0.10.xxx and a DMZ of 192.168.10.xxx.

I am fairly certain that I have the correct NAT and ACL settings done.

From the ASA, I can successfully ping my Comcast static IP and the Comcast gateway address - but nothing else. And, of course, any client devices connected to either the ASA's inside interfaces or DMZ cannot access the Internet.

FWIW, I have also checked with Comcast to make sure there are no compatibility issues with their device and Cisco ASAs (because I'm only getting an orange LED on the Comcast gateway's Ethernet port - no green link light). The ASA is set to auto duplex and speed.

If I configure a laptop with the static IP and plug it directly into the Comcast gateway, it works fine.

I have attached a text file with my ASA configuration.

Can anyone suggest a possible fix?

Thanks much.
ASA5505_Config.txt
0
Hi, I've got a cisco aironet AP AIR-AP2892E that has 4 ports for antenna to be connected to. Till now this has all been individual antenna so it was nice and straightforward. However I now have a directional antenna which I need to get installed.

The antenna is an AIR-ant2566P4W-R which has 4 cable runs from it. What I'm not sure about is does it matter which port these are connected to on the AP, or can any cable go to any port? There is no guidance within the product on this.

regards
0
What's to prevent someone from spanning ports on say a Cisco switch and capturing NSX SDN traffic and recreating the traffic it discovers? How is the NSX traffic kept secure from the L2/L3 switches it rides on?

Thanks.
0
I have two Windows 2012 R2 servers with internal static 192.168.20.x IPs and want to be able to place a switch between them so they can PING to each other, allowing me to plug my static Windows 10 Pro 192.168.20.x IP laptop into the switch so it can also PING these servers

 1. Do I need a managed switch with a static IP in the same 192.168.20.x range and have the switch act as the  192.168.20.1 Gateway ?
 2. If not, what unmanaged switch do you recommend since I was thinking I needed a switch to act as my gateway ?
0
Not sure what I'm doing wrong here as I've done this countless times on older versions.  Have new 2960-x running 15.2, wanting to use ethernet 1/0/48 as my trunk.   So I do this

switchport mode trunk
switchport trunk allowed vlan 10,19,20,30

but when i sh vlan, none of the vlans show associated with port
0
I have multiple cisco switches, from 2960 to 3750, and we are using voip phones that use the same ports as the computers.
So I'm thinking to leave the computers on the default vlan, which is vlan 1, and have the voip phones on vlan 200 or some other vlan.  As far as I know, to have each port in two separate vlans, I would have to make all ports trunk ports; is there a better or another way than doing that?
0

I've been trying to configure my new toy and getting nowhere. When I put in "https://192.168.1.1/admin" I get the "This page can't be displayed".

I've searched various boards and have been unable to find a solution.

http server  is enabled

zombie(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.2(4)
Device Manager Version 7.6(1)

Compiled on Tue 14-Jul-15 22:19 by builders
System image file is "disk0:/asa924-k8.bin"
Config file at boot was "startup-config"

zombie up 17 hours 14 mins

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.06
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.09
                             Number of accelerators: 1

 0: Int: Internal-Data0/0    : address is 2c54.2d0f.88b0, irq 11
 1: Ext: Ethernet0/0         : address is 2c54.2d0f.88a8, irq 255
 2: Ext: Ethernet0/1         : address is 2c54.2d0f.88a9, irq 255
 3: Ext: Ethernet0/2         : address is 2c54.2d0f.88aa, irq 255
 4: Ext: Ethernet0/3         : address is 2c54.2d0f.88ab, irq 255
 5: Ext: Ethernet0/4         : address is 2c54.2d0f.88ac, irq 255
 6: Ext: Ethernet0/5         : address is 2c54.2d0f.88ad, irq …
0
I have exhausted my public IPs and want to utilize one of them to serve two purposes.  I'm having a block on the best way to accomplish this allowing traffic in on the same public IP but the private destination is dictated by service/port to two different IPs.    
Public - 9.9.9.9 on interface INET-2
Private - 1.1.1.1 (tcp port 577) on interface DMZ
              - 2.2.2.2 (tcp ports 8530-8531) on interface INSIDE

If I do them individually I know I get the warning for overlap and the one higher seeded in the rules will work but the lower seeded will not.  Much appreciated!
0
Hello - we recently installed a new ASA5516 firewall, and have been having our US users access the ASA's public address in order to install the new AnyConnect software - which has been working.  We have a user in France, however, who is being blocked apparently due to the server not being trusted and a missing security certificate.  We do not have a security certificate for the ASA yet, so we're wondering if there's a way around this without having to install a certificate - like we do with the other US users?
0
I'm looking online to buy some SFPs for my cisco 3750G and 2960G switches, does anyone know if these will work?

http://www.prolabs.com/products/datasheets/brocade/E1MG-TX-C.pdf
0
I am using an older Cisco ISA500 router, and a SF200-48 Smart Switch and an SG110-24 dumb switch.

I have GE3 on the ISA router configured as 192.168.3.0/24 (VLAN ID 3, PCI network) which is uplinked to the SG110-24.
I have GE6 on the ISA router configured as 192.168.2.0/24 (VLAN ID 1, non PCI network) which is uplinked to the SF200-48.

The scenario is that this is a grocery store, and all of their POS equipment is plugged into the SG110-24 24 port dumb switch uplinked GE3 on the router which is configured for VLAN ID 3 for PCI compliance.
 
We have two UniFi APs that are plugged into ports 24 and 48 on the SF200-48. I have ports 24 and 48 on this switch untagged for VLAN ID 1 and tagged for VLAN 3.

I have two SSIDs configured on these UniFi APs: one for the store network that issues out DHCP addresses from the default VLAN 1 network which works fine, and one for the PCI network that should issue out DHCP addresses on the 192.168.3.0/24 subnet; however, I am not receiving an IP address via DHCP when connecting to my SSID tagged to VLAN 3 on my access points.
 
Can someone tell me where I'm going wrong? I don't really have any experience implementing VLANs.
If I plug directly into the SF110-24, I am getting an IP via DHCP on the 192.168.3.0/24 subnet so DHCP is working for that VLAN.
0
What is the earliest wireless controller code which will support the new Cisco 3800 series access points?
0