Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).

Share tech news, updates, or what's on your mind.

Sign up to Post

I would like to know if I am on the right track.

I have a webserver directly connected to a DMZ interface on the active ASA5525X of the active standby failover pair. The failover is configured via another interface.

Right now, if the active ASA fails, the secondary will kick in but this webserver will not be accessible from the outside. What I plan to do is create a VLAN on a switch and plug in the webserver and the DMZ interfaces from both the active and standby ASAs into ports configured for that VLAN.

What am I missing? I do not plan on configuring an IP address for that VLAN or setup any sort of special routing. The only route on that switch is the ip route 0 0 gateway. The ASA DMZ interfaces are configured as ip address standby The webserver is The webserver uses the as the gateway.

When the active ASA is active, the webserver sees it as What happens when the ASA fails over to the secondary? Will the webserver still see the ASA as Or is there routing to be configured on the switch?

Thank you.
Ultimate Tool Kit for Technology Solution Provider
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

Dear Experts
We have hosted application on-premises which is behind the firewall.  the application runs on Ubuntu 16.4 server OS and with the components of apache2, mysql5.7, php7.x. This application has to be accessed from the external network( though the internet) which is located in other county from their office where the users will be behind the firewall.  we have to allow the access to them hence I have asked to share their gateway ip so that I can enable access only to this IP.  our hosted application by itself has authentication however we would like to add one more layer of authentication but the remote users will not accept any client software installing on to their local systems like vpn client or OTP SMS, or pass code call back.  They only prefer web based access to the hosted application and they are okay if we send the second level security pass-code to their official email so that finally we can achieve 2 level of authentication which is in additional to allowing their IP only to connect to our network.  Following were my recommendations
1.      Over internet (leased line circuit) Site to Site VPN between their firewall to our firewall so that end users will not have any additional efforts or vpn client not needed, this they denied as their IT policy does not permit to configure their side firewall
2.      Suggested MPLS VPN between their work location to our network but this also been rejected.
Now I am thinking of some solution like placing the Cisco ASA SSL VPN…
I'm trying to setup another SSID on a Cisco 2504 WLC. I've mirrored (I believe) the settings of an already existing SSID/network with the difference of subnet, etc. The traffic is routed through a Cisco 2811 and various switches. The switch that identifies the VLANs, has also been configured accordingly. Could be problems in multiple places since I've done this a number of times, but never came across this issue.

To start, I can't ping the interface IP of that newly created SSID from any device, including the switch that the controller is connected to.

This is the config of the switch that the controller is connected to where the other networks work:

I figure if I can get to the interface IP (as usual), I'll be able to get to my DHCP server, get an address, and get to the internet.

Any assistance is greatly appreciated.
I have a potentially stupid question.

I have only worked with Cisco ASA 5505 appliances and SG/SF 300  series Cisco switches.  Recently I picked up a Catalyst 3560CX 8 TC model switch, and have been having nothing but trouble trying to configure it.

On my bench I was able to assign ports 1-8 a basic 'switch' management IP of  Seemed to work fine.  The PC I plugged into port 1 had no issues pinging it, connecting to it, allowing me to configure it.

I then took the unit onsite and plugged port 1 into a Cisco SG300 series switch.
The port light on the C3560CX went green, switched immediately to amber, and stayed solid amber.  The switch port on the SG300 went dead as though nothing was connected.  I disconnected the cable but the C3560CX still showed a solid amber light for that port.  Just for fun I plugged the cable into port 3.  Exactly the same outcome.

I checked the port on the SG300.  I ensured it was set to Trunk.  I turned off Auto SmartPort for the SG300 interface (GE30).  No change.  
Rebooted C3560CX and waited the 5 minutes for it to come backup - did exactly the same thing = dead amber port.

I disconnected the C3560CX, moved it to a PC, static assigned an IP to the PC, and hooked it up a switch port.  Now I can ping no problem. I can log into the web console no problem.  Everything seems fine.

Everything is VLAN1 - default.  Ports set to trunk.  

Hook it back up to the network by uplinking to SG300 - dead port.

I’m preparing to add a second ASA 5516X to be a failover and am looking for a simple network diagram for 2 ASAs so I can understand how it needs to be connected.
If you have the SNMP v3 r/w password - can you create an enable level user account or modify the password of an existing user account
on a Cisco ISR router? I have a device that I realized is not authenticating with radius and the local admin password is lost. But I see
that snmp v3 is working correctly.
I have a Cisco RV134 Wireless Router in my basement near the back wall of my house. It is 3 feet from the basement ceiling under the family room.

My main office desk is in the kitchen (beside the family room) and I often (as now) use the kitchen table for my Laptop (which is Wireless and only Wired if I bring out my adapter dongle - no RJ45 jack as the laptop is too thin for that).

Using inSSider V4 (MetaGeek) I see 5 GHz signal strength from -59 to about -68 dBm.  2.4 GHz is a bit higher but nothing to be concerned about. Overall wireless performance in my office location is excellent and very (very) good most anywhere on the main floor.

My desktop computer is wired Ethernet and is on the office desk along with my printer which is networked.

I trust you have the picture here.

I want to put a small office (desk and chair) in my second floor Den for those times when I must engage in a telephone meeting and using the Kitchen office is inconvenient.  I have ordered a desk and chair from Staples and should have it next week. The Den office is at the front of the house .

Wi-Fi performance in the Den Office location is -66 dBm to -73 or so dBm or lower strength by a bar or two in my W-Fi Icon.  Sometimes I notice some lag in page load but nothing terrible.

It happens I have an CAT 5e Ethernet connection in the Den attached to my Cisco RV325 VPN main router. The Rogers Hitron Modem, the Cisco RV325 router, and the Cisco RV134 AC router are all on the same …
Cisco IP Phone 7941 still trying to upgrade.

Physically took phone to TFTP Server and uploaded current OS software to the phone.

Everthing in Call Manager looks good.

Cleared port security on the switch.

Phone daisy chained to PC.

PC has good Internet/Network connectivity.
Hi All,

Trying to copy a config from a Production switch to Backup switch that will act as a backup hot spare. I matched the ios correctly and was able to back up the config from Production, however when I restore the config to the backup switch it gives some errors because I am connecting via tftp on port 1 of the backup switch and assigned an address to connect.

Do I have to fix manually or is there a clean way of connecting via tftp and restoring. There is no usb or other connection ports in that back such as using a cross-over. Thanks in advance for you assistance
We currently have 13 Access Points controlled by a Cisco WLC 2504.  We have two WLans - one for Guest and one for employees.  Our employees use WLan 1 which accesses the DHCP server on my domain.  The Guest uses WLAN 2 which access the DHCP on my router.  On my DHCP server we have two separate subnets with plenty of IP's available.  Due to some routing issues, I needed to use most of the available IP's for phones.  Once that was cleared up, those IP's are now free again.  My problem is that we are now unable to get an IPV4 address from the employee access point.   We have two subnets, so there are plenty.  What do I need to do to fix this issue.  Interesting enough when I create a separate vlan pn my router, any device connected to the employee access points gives me the error message - no internet access
Cloud Class® Course: SQL Server Core 2016
LVL 12
Cloud Class® Course: SQL Server Core 2016

This course will introduce you to SQL Server Core 2016, as well as teach you about SSMS, data tools, installation, server configuration, using Management Studio, and writing and executing queries.

Set up CCIE LAB on GNS 3

Setting up CCIE LAB  in GNS3 is possible for routers but not switches.
I would like to know if I can use Physical Switches and connect them to the Laptop where GNS3 is running and get the Lab Setup ?
if so , What are the components needed to get this Lab Setup ?

Thank you

We configured a SPAN port in a Cisco switch to be used for an upcoming network analysis solution but we need to make sure that it is functioning before implementation date.
What is best method to test a SPAN port ?

hello experts
i am configure wired 802.1x via Cisco 2950 switch which authenticate against Cisco ACS 5.7, but i can't get it works.
for 2950 switch, version is : (C2950-I6K2L2Q4-M), Version 12.1(22)EA13
configs on 2950:
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
dot1x guest-vlan supplicant
interface FastEthernet0/8
 switchport access vlan 15
 switchport mode access
 switchport nonegotiate
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x guest-vlan 88
 dot1x reauthentication
 dot1x auth-fail vlan 88
 spanning-tree portfast
 ip dhcp snooping trust
radius-server host ACS_IP auth-port 1812 acct-port 1813 key 7 08221C5C591725
radius-server retransmit 3
radius-server key 7 110A4917471C2B
ip radius source-interface Vlan22

for ACS policy i configured to authenticate "domain users" group, for the testing client computer i can sure i should configure it correctly.

so i need your help to identify where the problem is.

thank you
hello experts
i have two sites, which there is a IPSEC VPN tunnel via two Cisco ASA firewall, i have no problem to access from site A to site B or B to A, but i can't access the inside interface for the other site, for example from site A can't ping to ASA-B inside interface and the same from site B can't ping to ASA-A inside interface, so how can i configure a policy so that such access available.

thank you
Can anyone tell me if there are any security vulnerability with the Cisco 3650? If so please explain and or direct me to a security advisor.
Can multiple Cisco access points be managed by one Cisco wireless lan controller that is remotely connected I.e New York, to California?

Why or why not?
I am using the TP-Link USB adapter on Window 10 machines connected to Cisco 3500 series WLC system. (TP-Link Archer T2U)

I am having issue with dropped packets and client performance and I appreciated the network, WLan deployment etc must be considered in this scenario but I am getting the below System event on the Windows 10 machines and I cannot determine how to resolve it, has anyone come across and overcome this issue.
System Event
Event ID: 5013
Source: netr28ux
"The adapter is configured such that the receive space is smaller than the maximum packet size. Some packets may be lost."
Note that this also an Informational event not an error

I cant be sure if this is affecting the network performance or if I am losing packets as a result, there are no options to change the receive buffer size on this wifi adapter withing device properties either

Any help on this issue much appreciated
Would it be beneficial mixing up different switches models in the same office.  For example we're using C3850 access switches and need to add few more to cover the entire office.
Cisco recommends going with new C9300 for the access layer.  Would it create some operational issues?  I like to keep a consistency but like to evaluate a potential upgrade.
I am unable to access our Cisco ASA 5505 via ASDM because we don't know IP address. We were setting up the ASA to act as a DHCP server and made a mistake and changed the IP address. We have the credentials to access it via the ASDM but without the password it won't work. I've tried to access it using Putty but it's asking for a password we don't have.  Is there a way to figure out what IP it is set for?
Get Cisco Certified in IT Security
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.


Our company has installed a few Layer 2 Cisco 2960x switch (Stackable). Currently the switches has been configured with a few VLANs to separate the network traffic from one department to another. There is a Routing with Firewall function device (Not managed by our team) which major function is to route traffic between our VLANs. Whenever we need to open certain ports (e.g. tcp, upd or ICMP), we need to send a request to the team who take care of the firewall function device and the lead time takes almost 2 weeks. I am not sure the model of the routing/firewall devices but seems to be Cisco nexus as well as Fortigate firewall.  Our management would like us to take back the firewall security setting control by our own team. Based on just a few Cisco 2960x (Layer 2 switch), may I know is it possible to use ACL (Standard or Extend) to control the routing between VLAN based on Host IP Address and port from one Vlan to another. Do we have to purchase new equipment in order to accomplish our goal or just make use of the Cisco 2960x switches. Our plan is that the routing function is still leave it to the other team and allowing traffic of any-to-any. We can then make use of the Cisco 2960x ACL (Access List) to deploy a more restricted security control and not sure if it is technical possible.  As we are a bit new to the Cisco Technical implementation and your kind advice is very much appreciated.

Thanks & Regards
Can someone explain me on high level Cisco licensing differences?  I understand there are lanbase, ipbase, and ip services.
For some reason Cisco sold me core switches 3850 with lanbase, but access switches with ip base licensing.  Not a production impact but Cisco TAC  raised a concern.
I need to buy more access switches.  What licenses should I get for those?  And is there a pricing difference?

Thanks in advance.
I have one switch that is giving me a problem, randomly, once or twice a week, the trunk ports just shuts down.  I noticed all the ports have lights on them, except the trunk port.
I have restarted the switch and the port still doesn't come up.  If I unplug the cable and plug it into another port, then plug it back into the trunk port, then it comes back up.

I reviewed the config and as far as I can see, it's all the same except one switch is using the: spanning-tree portfast default  command.
I wonder if I should even be using that command, as I noticed some switches have the command and some do not.  
Besides that, the config is the same, so I wonder what is causing port 28 on switch .38 to shut down.  So port 28 on switch .38 is connect on port 50 switch .39.

I have attached the configs, if anyone has an idea's, I'm all open to hear them.
Can't access GUI on Cisco 2960S. Any ideas?

This is what I get when I try to use the GUI.
VoIPSwitch#sh flash

Directory of flash:/

    2  -rwx    10893632   Jan 1 1970 00:01:22 +00:00  c2960s-universalk9-mz.122-55.SE2.bin
    3  -rwx         676   Mar 1 1993 00:42:04 +00:00  vlan.dat
    4  drwx         512   Mar 1 1993 00:03:02 +00:00  online_diag
    5  -rwx        3096   Mar 1 1993 00:18:29 +00:00  multiple-fs
    6  -rwx        1915   Mar 1 1993 00:18:29 +00:00  private-config.text
    8  -rwx        7582   Mar 1 1993 00:18:29 +00:00  config.text

System image file is "flash:/c2960s-universalk9-mz.122-55.SE2.bin"

cisco WS-C2960S-48LPS-L

Switch Ports Model              SW Version            SW Image
------ ----- -----              ----------            ----------
*    1 52    WS-C2960S-48LPS-L  12.2(55)SE2           C2960S-UNIVERSALK9-M

Configuration register is 0xF

Here is the running config
VoIPSwitch#sh run
Building configuration...

Current configuration : 7582 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname VoIPSwitch
enable secret 5 $1$7zA0
enable password 7 0000GqN8z/tU
username admin password 7 104359121112104359121112104359121112104359121112

no aaa new-model
switch 1 provision ws-c2960s-48lps-l
no ip …
On a cisco Nexus 3172 Chassis - if I enable flow control in and then out on an existing up/up port, will there be
an interruption in traffic flowing over the port? Generally these ports are part of an Etherchannel group. TY
I have a couple Cisco 3650's in a stack that act as my core switching in datacenter.  They do both L2/L3 for remote locations connected by a muni ring fiber deployment.  We also have several IDF is the same building but due to all the SFP slots in the core stack being populated, there isn't any room to run 10gb uplinks back to the core stack from all the other 3650's in the IDFs.. There also isn't enough available ports to do port channel back to the 3650, so what i was thinking was adding something else to the core stack that would accomodate the additional 8-10 SFP's we would need.  Looking for recommendations..obviously don't need another 48 port switch, was wondering if there was something specialized that could stack with the 3650s that could give me the additional capacity?






Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).