Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Hi All,


I am having an issue with my Azure subnets (10.210.0.0/16, 10.211.0.0/16) being able to access my on-prem subnets over a S2S VPN tunnel. So currently everything is working fine from my inside internal range (10.1.1.0/24). As an example, when I try to access say ports 88, 53, 389 etc. from the Azure controllers (10.211.20.10, 10.211.20.11) to the Prem Controller (10.1.1.159) it is fine, but when I try to access them from the same Azure controllers to say another local controller 10.1.90.14 I get the following error in the log:


FILTER:srcIP=10.211.20.10;dstIP=10.1.90.14;

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse
flows; Connection protocol src interface_name:source_address/source_port [(idfw_user)] dst interface_name:dst_address/dst_port [(idfw_user)] denied due to
NAT reverse path failure.


When not on the same interface as the host using NAT, use the mapped address instead of the actual address to connect to the host. In addition, enable the inspect command if the application embeds the IP address.


Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.211.20.10/57160 dst ED:10.1.90.14/53 denied due to NAT reverse path failure


Now this is the current NAT:


nat (inside,outside) source static OnPremisesNetworks OnPremisesNetworks destination static Azure-Networks Azure-Networks no-proxy-arp route-lookup


The OnPremisesNetworks group object has the inside networks …
0
hi guys

I was looking into cloud switching, such as the tools being offered by Cisco Meraki. They keep saying that you can have your switches in the cloud. But I'm trying to understand how that would work.

Would that mean that in my organisation, which consists of two stacks of 7 switches, totalling 14 switches, I would suddenly no longer need those anymore if I implemented Meraki's?

We have around 300 people in our office. All of those people have to be connected/patched to a port on the wall and those need to be patched into a switch.  I can't exactly get rid of those physical switches can I? So I'm not really understanding the whole cloud switching situation with Meraki's?

Or have I totally misunderstood the cloud switching scenario?

thanks for helping
Yash
0
I have a new Cisco ASA 5506x and am having difficulty setting up remote management.

SSH on the outside address will work, and is set to accept connections from only specific IPs. However, I would like to be able to use ASDM from outside as well. (My IOS skills suck.) Using the same IPs as the ssh command does not work, and the client gets an "unable to launch device manager from ..."

I have Anyconnect VPN working as well, and when connected, I can ping all addresses on the inside network, including the management IP. (same as gateway address) Device is configured to use inside address 10.0.12.0/24, and VPN pool is 10.0.13.0/24.  

I have ' management-access inside'  entered in the configuration, and yes when a PC is connected to the inside ports, the ASDM will come up and run as expected.

I think what is killing this is that the default configuration now comes with all the ports on the device (less 'outside') joined to a bridged network that is by default BVI1. All remaining interfaces are given the nameif of 'inside-1' through 'inside-7'. To make http work on the inside ports requires adding lines 'http 10.0.12.0 255.255.255.0 inside-1' through ...inside-7. If I add 'http 10.0.12.0 255.255.255.0 inside' or 'http 10.0.13.0 255.255.255.0 inside' it barks at me that this is an 'ambiguous command'. (Same thing if trying to add BVI1.) So clearly it wants to reference something that is a physical connection instead of a virtual object. Problem is that the only other options …
0
Our company has installed a couple of Cisco 2960X switches stacked up with FlexStack Plus. Our security team is concerned about illegal administrative logons. We need to identify those failed logons, either through the vty console or an SSH session.

We have done some research and will try to use the following commands, "login on-failure log every 1" and "login on-success log every 1", to identify and monitor those unsuccessful and successful logons for review.

In order to achieve such a requirement, we would like to know whether it is mandatory or a must to use the "logging <ip address>" command to export the logging result to a remote syslog server. We do not have a remote syslog server on our infrastructure at the moment. Is it technically possible to use a local buffered logging repository on the switch to store such login failure/success audit log records instead for the time being?

Thank you so much for your kind advice in advance.


Regards
Patrick
0
I got the following error while trying to install Cisco AnyConnect Secure Mobility Client Version 4.7.00136 predeploy: "There is a problem with this Windows Installer package. A program run as a part of the setup did not finish as expected. Contact your support personnel or package vendor".

I am trying to install this on Windows 10 Version 1803, OS build 17134.441.

Your help is greatly appreciated.
0
Dear Experts,

I am at a client location today and they have a local server that will be accessing different sites with various ports. The client has an ASA firewall and Cisco Firepower. My question is: do I add the access rules in Firepower or directly in the ASA?

I am always not sure and the client has no preference.

Please let me know from your experience how to tackle this.

Thanks,
0
Problem with MPLS VPNv4 setup. IGP is visible to Customers. BGP session seems to be up. What am I doing wrong? Cisco IOU setup using GNS3. IOS 15
PE1_startup-config.cfg
PE2_startup-config.cfg
P1_startup-config.cfg
0
Hi,
I would like to understand this process a bit more and the authentication flow.  Using ClearPass (similar to ISE) as a RADIUS server.

The PC authenticates successfully via dot1x (EAP-TLS) when plugged into the jack. However, when plugged in via the VoIP phone, it fails. Discovered that the PC is not able to auth via MAB because the MAC is not in the MAC address table. Once the MAC was added to the MAC address table, the PC successfully authenticates via dot1x and MAB.

What is the relation to VoIP here? If the PC can auth successfully via dot1x (EAP-TLS) on its own, what triggers the PC to roll over to MAB and fail?
1
I have two Cisco ASAs.

Both in the same office.

1. Cisco ASA 5508-x
2. Cisco ASA 5506-x

Each ASA has a different ISP connected to the Outside interface.

Each ASA has multiple internal vLans.

I need to physically connect the devices to one another and setup routes between vLans on each device.

I have assigned two of the interfaces the following IP addresses:

5508 Interface 8 - 10.10.111.1/24
5506 Interface 4 - 10.10.111.2/24

I have directly connected the interfaces with an ethernet cable. I can ping across from interface to interface successfully, but the other vLans on either ASA cannot ping each other.

Can I accomplish my goal with this physical setup? If so, what am I missing?
0
I have an L2 connection set up via Comcast ENS service. It is supposed to resemble a large L2 full mesh network.

I have inherited several sites working via this service and am pretty green insofar as R&S goes.

I am trying to bring up a new site using an SFP port on a 3560 but I'm unsure how to configure the port. It's connected via the ENS but does not see any of the other connected devices.

I can get to the switch via SSH without issue.

Current configuration : 4017 bytes
!
! Last configuration change at 22:40:39 UTC Wed Nov 28 2018 by jadmin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname datacenter-CORESW1
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 
!
no aaa new-model
system mtu routing 1500
!
!
!
ip domain-name xxx.org
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
crypto pki trustpoint TP-self-signed-1543620224
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1543620224
 revocation-check none
 rsakeypair TP-self-signed-1543620224
!
!
crypto pki certificate chain TP-self-signed-1543620224
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
!
!
!
!
!
vlan internal allocation policy ascending
!
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!


0
Packets can't flow between VLAN 12 and 34 on a Cisco switch/router

I have a device on VLAN 12 (10.12.14.100), and it needs to communicate with a server on VLAN 34 (10.34.14.20). A traceroute to VLAN 34 from 12 gets one hop to the gateway and then stops. How can I check why the router isn't routing to VLAN 34?

Thanks,
0
I have a voicemail server that is not communicating with the outside world, meaning it is not sending voicemail to email.  

I believe it is an issue with the router, but I am not sure what the actual problem is.  I used to have everything running through a Cisco router with this static route:
ip route 10.10.0.0 255.255.255.0 192.168.100.254

I now just use pfSense and I have a static route set up that says:

Network        Gateway                       Interface
10.10.0.0/24   ShoreTel - 192.168.100.254    LAN




Is there something else I need to do?  

If I ping from a host at 10.10.0.10 I can ping to 10.10.0.254 and 192.168.100.254, but not any further (for instance, the pfSense box at 192.168.100.1 is not reachable).  If I ping from 10.10.0.254 I can get anywhere (my network gateway, inside the 192.168.100.0 network, the next hop on the network, the internet).
0
Hello Experts,
I have two Cisco 2960 switches; they both look the same in physical appearance. One of them is normal and can be upgraded with a newer IOS version, but the other one is very strange: it shows it is somehow a 2918 switch, and if I try to upgrade it via a 2960 image it cannot start up. Could you let me know what exactly it is? Does it need some other upgrade, such as firmware?
The show version output is below. Let me know if you need more info, and please advise.
Thanks

GZHQ-L2SW-01(config)#do sh ver
Cisco IOS Software, C2918 Software (C2918-LANLITEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 09-Mar-09 20:16 by gereddy
Image text-base: 0x00003000, data-base: 0x01000000

ROM: Bootstrap program is C2918 boot loader
BOOTLDR: C2918 Boot Loader (C2918-HBOOT-M) Version 12.2(44r)SE, RELEASE SOFTWARE (fc1)

GZHQ-L2SW-01 uptime is 20 minutes
System returned to ROM by power-on
System image file is "flash:/c2918-lanlitek9-mz.122-44.SE6/c2918-lanlitek9-mz.122-44.SE6.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable …
0
I am setting up a switch. Completed all the configs, and can ping all the switches in the rack to and from the new switch.

Can also ping the TACACS+ server from all the other switches.

But when I add the AAA configs below, I cannot ping the TACACS+ server from the new switch.

AAA Setup Steps

!!! Create Local User !!!
!!! Insert Commands Below !!!
aaa new-model
!
tacacs server PRI-ACS
address ipv4 xxx.xxx.xxx.xxx
key 7 1449248SCK50382F
!
tacacs server SEC-ACS
address ipv4 xxx.xxx.xxx.xxx
key 7 1449248SCK50382F
!
radius server PRI-ACS
address ipv4 xxx.xxx.xxx.xxx auth-port 12345 acct-port 12345
key 7 1449248SCK50382F
!
radius server SEC-ACS
address ipv4 xxx.xxx.xxx.xxx auth-port 12345 acct-port 12345
key 7 1449248SCK50382F
!
aaa group server tacacs+ ACSTACACS
server name PRI-ACS
server name SEC-ACS
!
aaa group server radius ACSRADIUS
server name PRI-ACS
server name SEC-ACS
!
aaa authentication login default group ACSTACACS local
aaa authentication enable default group ACSTACACS enable
aaa authorization exec default group ACSTACACS if-authenticated
aaa authorization network default group ACSRADIUS
aaa authorization auth-proxy default group ACSRADIUS
aaa accounting update newinfo periodic 1440
aaa accounting dot1x default start-stop group ACSRADIUS
!
!!! LOG OUT !!!
!!! LOGIN WITH LOCAL !!!
!!! INSERT COMMANDS BELOW !!!
!
aaa authorization commands 1 default group ACSTACACS if-authenticated
aaa authorization commands 15 …
0
Hi everyone. Strange VMware problem we are having here and looking for ideas.

vSAN running two hosts and a witness. For the vSAN portion, each node is connected to a Cisco 3850 via a pair of twinax cables. On one node there are no lights on the switch where the twinax connect. This was working before. I have tried the cables elsewhere and they work. I have tried other ports on the 3850 and it doesn't work there either. Dell just replaced the network card and it didn't help. On the switch, "sh int status" shows the twinax is plugged in, but not connected. Same for the server.

VMware shows nothing unusual other than the connection is down.

Again, this was working. Problem is only one node. The other one is fine as is the witness.

Anything else?
1
I just set up a site to site VPN between an ASA 5510 and a Meraki MX64. The sites are connected and up but can't communicate across them. I'm sure it's a routing issue. Here is an image of my setup: [image: Network]

I can't ping anything on the inside of either.

Here is what I have for routing:

nat (inside,outside) source static NETWORK_OBJ_10.110.100.0_24 NETWORK_OBJ_10.110.100.0_24 destination static NETWORK_OBJ_10.5.0.0_24 NETWORK_OBJ_10.5.0.0_24 no-proxy-arp route-lookup
0
Parsing every line of a Cisco 3850 switch.

When I was in Seminary, we had to parse Greek verbs.

For example, luei – present active indicative.

By way of analogy, in order to better understand the 3850 switch, I want to be able to parse every line of the running config.

Honestly do not understand most of config.

For example,

class-map match-any CM-BRDCST-VIDEO

I understand the words, but the meaning eludes me, as well as which command placed this line in the config.
0
Does anyone know why we're only seeing a little performance increase in the download and upload speed after migrating from a Cisco ASA 5520 to a Cisco ASA FirePower 2130 Bundle? We're only seeing less than 1% increase in download and about 5% increase in download. See the attached speedtest taken before and after the migration from outside the ASA.

We're not using the FirePower feature of the ASA FP 2130, except just terminating VPN connections on the ASA for remote users.

We're expecting to see a lot better performance, especially having had to spend quite a bit of money on the new appliance, and management is asking for an explanation. The Cisco ASA FP2130 is two hops below the ISP. Right above it is a CheckPoint firewall and then the edge gateway.

Thank you in advance,
LN
0
Hi All,

I've got a situation where our network, which is a flat one-VLAN network with 2 Cisco switches (one PoE dedicated to phones, the other dedicated to data), is getting MAC flaps; we found this after looking over the data switch logs.

After more in-depth digging it seems it's the Ubiquiti UniFi access points that are causing the flapping (probably when a MAC roams between APs).

However, we're experiencing network problems, probably when this happens: it causes a "freeze" on the whole VLAN, not enough for the PCs to notice, but the phone calls drop.

My question is, would the above be feasible? And would a quick fix be to turn off spanning tree on the AP ports?

My long-term fix would be to put the APs in their own VLAN, which would stop things like this affecting the native VLAN.

Cheers
Shaun
0
hi guys

We have a load of WatchGuard access points and they are connected to a DrayTek 1100 PoE switch. This switch is then connected to our backbone switch, which is a Cisco 3750.

We have set DHCP on the WiFi network that the access points are on to hand out addresses from 10.0.5.20 onwards, and the management IP of this DrayTek PoE switch is 10.0.5.6. Every single day, people complain about not being able to access the internet properly and then it fixes itself again. Then it happens again.

When they do complain, I end up not being able to access the management IP page of the DrayTek on 10.0.5.6. This makes me believe that it is in fact this particular PoE switch causing the issues we are having.

Could that be the underlying problem?

Thanks for helping
Yash
0
Cisco Nexus 7K: Can you create a policy map that NATs the source address of specified traffic
AND sets the ip next hop?

Current:
route-map gohere-or-pbr deny 10
  match ip address bypass-pbr
route-map gohere-or-pbr permit 20
  match ip address send-to-pbr
  set ip next-hop 10.10.3.244

Imagined:
route-map gohere-or-pbr deny 10
  match ip address bypass-pbr
route-map gohere-or-pbr permit 20
  match ip address send-to-pbr
  set source-ip-address 74.55.166.77
  set ip next-hop 10.10.3.244

Or would that not be possible?
0
So I have an issue with a new Comcast install. They state the customer is responsible for providing a Layer 3 device to route traffic between the 2 Comcast networks. Basically Comcast provides 2 networks: a Layer 3 network for the point-to-point connection for the circuit, and the customer usable IP network. There needs to be a device installed that will route traffic between the 2. Per their conditions: "You are responsible for securing and providing a Layer 3 router capable of routing traffic between Comcast Business and your LAN. We do not consult or configure Customer Premise Equipment (CPE). The Layer 3 router should have at least two Layer 3 WAN network interfaces. One interface should face Comcast P2P (/30) and the other interface should face your LAN (/29 - /24)."

Could I get this done with an ASA, or is there something else that would be better suited and cheaper?
0
How to convert a Cisco Access Point AIR-AP2802E to standalone/autonomous mode?
I have downloaded the firmware from the Cisco site but don't know how to do that.
Is there anyone who can assist me to convert this?

Thanks
0
For popular devices like Cisco switches, there are centralized tools like TACACS & RADIUS that can be used for password policy (e.g. complex passwords, password expiry every 60 days, which CatOS/IOS can't enforce) and patch management.

However, for IoT devices like SCADA PCs, Moxa switches, security CCTVs & Mitsubishi PLCs, is there any central management tool that could do password policy management and centrally deploy patches?


In particular, there's a strong user requirement to connect these IoT devices to the enterprise network, and the enterprise network is connected to the Internet.
0
I have router on a stick: fa0/0.10 10.10.10.1/30 on R1 and an IP address assigned to R2 f0/0 10.10.10.2/30. I am trying to understand why I cannot ping R2 from R1?

R1 config:
interface FastEthernet0/0
 no ip address
 duplex full
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.252
!



R2 config:
interface FastEthernet0/0
 ip address 10.10.10.2 255.255.255.252

0