
Cisco

23K Solutions, 14K Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Hi, I am trying to determine the best way to configure a WAP4410N with our ASA5505 so that the WAP will have 3 SSIDs: 1, "Wireless-Inside", will allow internal users to connect to the internal network; 2, "Guest-DMZ", will allow guests access to the internet and not the internal network; and 3, "TimeClock-DMZ", which will only allow our timeclock to connect over the internet to its web instance.

interface Ethernet0/7
 switchport access vlan 30
 switchport trunk allowed vlan 1,15,30
 switchport mode trunk
!

*Inside: This network has Static IP Addresses
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.50.140 255.255.255.0
!
access-list Inside-to-any extended permit ip 192.168.50.0 255.255.255.0 any
nat (inside) 2 192.168.50.0 255.255.255.0

interface Vlan15
 description Internal Wireless
 nameif Wireless-Inside
 security-level 100
 ip address 192.168.60.254 255.255.255.0
!
access-list Wireless-Inside_access_in extended permit ip 192.168.60.0 255.255.255.0 any
access-list Wireless-Inside_access_in extended permit icmp 192.168.60.0 255.255.255.0 any
nat (Wireless-Inside) 2 0.0.0.0 0.0.0.0
access-group Wireless-Inside_access_in in interface Wireless-Inside

dhcpd address 192.168.60.100-192.168.60.200 Wireless-Inside
dhcpd dns 192.168.50.50 interface Wireless-Inside
dhcpd enable Wireless-Inside

interface Vlan30
 description Guest
 no forward interface Vlan1
 nameif Guest-DMZ
 …

So here's the setup.

I have a new Open Mesh PoE switch I'm trying to plug into an existing 2960 so that we can plug some OM APs into it. I can plug the OMS8 switch into the Cisco with the Cisco switchport in access mode for the VLAN we want it on. I can run an IP scan and see that the switch indeed gets a DHCP lease, and I can go to that IP in a browser and get the admin interface (not allowed to log in). But the switch never checks in with CloudTrax. I have 4 other APs on the same subnet that check in fine, so I don't think content filtering (as suggested by their support) is the issue, though they say the switches check into different servers than APs. So here's the setup:

OMS8------>2960----->3650------->5515ASA

Is there a way I can search for that MAC on either the 3650 or the ASA to see if it's getting filtered?

Both my Cisco Virtual Wireless Controller and the Windows Server 2012 serving as the RADIUS server were rebooted after another admin updated the VMware Tools on them, and I started getting calls that users (laptops and mobile phones) could not connect to the wireless.

Checking logs on my vWLC console I saw a lot of: AAA Authentication Failure for Client MAC: 54:7c:69:49:ca:1e UserName:<USERNAME> User Type: WLAN USER Reason: Authentication failed

Checking NPS logs on the RADIUS server I started seeing information entries like this: 'The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.' and 'Reason The client could not be authenticated because the Extensible Authentication Protocol (EAP) Type cannot be processed by the server.'

Application logs showed similar 'information' entries: Negotiation failed. No available EAP methods

I'll paste the full log entries below as well as screenshots of my RADIUS Client settings, Network Policies and Remote Connection Policies. After extensive Googling, most fixes point to a cert error; my cert doesn't expire until 2019 so I don't think that is the problem, but I'm not an expert at this.

When I try to log in to VPN through the Cisco AnyConnect VPN Client from a Windows XP machine, it says the following message: Connection attempt failed. Please try later. Even though I have enabled the 3DES-SHA1 or RC4-SHA1 algorithm on my firewall.

Thanks

Ananth

An interface on a Cisco switch shows Total Output drops is 776, txload 4/255. What does it indicate? Does it tell that something is wrong with the cable or the device connecting to the switch? How to improve this situation?

Thx

---
GigabitEthernet1/0/14 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 381c.xxxx.xxxx (bia 381c.xxxx.xxxx)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 4/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 776
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 44000 bits/sec, 73 packets/sec
  5 minute output rate 1821000 bits/sec, 152 packets/sec
     3457773 packets input, 964760961 bytes, 0 no buffer
     Received 31107 broadcasts (19813 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 19814 multicast, 0 pause input
     0 input packets with dribble condition detected
     4206341 packets output, 4232934589 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 …

Hey guys,
I am dealing with a client that has been down all yesterday as well as today with conflicting IP addresses. I worked with Microsoft and they were able to find the MAC address of another device that was giving out DHCP. I have tried arp on various servers and could not find that MAC even after pinging the broadcast address. I have tried this command: show ip arp vlan (vlan number) | include (mac address) and all that it can really tell me is what the originating port is. This led me to two HP switches which also have the MAC address but that list the trunk port as the originating source. I am getting absolutely nowhere with finding this. Please help!!!!

I had to rebuild my Cisco Prime machine. Since then it's only seeing the APs on one controller. I have about 250 APs currently that I can see on each controller. The tricky part of this is one controller has Software Version 8.0.133.0 and the 2nd controller has 8.2.141.0. I had to do this because we purchased new APs and we haven't upgraded switches to support the newer APs, so I've split them. Is there a way for the controller (Prime) to see both controllers' APs?

One of the APs connecting to a Cisco PoE switch always loses heartbeat and resumes later automatically.

I have checked the interface of the switch connecting to this AP, and it shows high values on the interface. Does it indicate an issue in the switch physical interface or a problem with the AP itself? How can I further identify the problem?

Thx

I had a weird scenario.
After installing some updates and restarting the VMs on Hyper-V,
I noticed that ALL workstations on a VLAN were able to ping each other, and all servers on the same VLAN were able to ping each other.
All servers and workstations were able to ping each other except TWO.
Two servers couldn't ping any workstations, nor the opposite.
Not sure why those two servers only.
We restarted everything; that did not fix the problem.
We restarted the switch; the problem was fixed.
While looking at the logs on the switch, I noticed some duplicate MAC addresses of the same host.
The switch is a Cisco switch. I don't have much more to share, and it seems pretty odd; I don't know where to start in my troubleshooting. Any ideas? Brainstorming with me can be helpful.
Thank you

I have an ASA 5505 running an old OS:

ASA 8.2(5)
ASDM 6.2(5)53

I have downloaded:

ASA 9.24
ASDM 7.82

Which I believe are the newest supported OS versions for the ASA 5505. Is there an upgrade path, or can I just upload the bin files, assign them to be used and reboot?

Thanks in Advance

Hi all Experts!

About 3 weeks ago we installed 3 new Cisco servers and Exchange 2016 CU7. C: is a local disk and the rest, where the databases are, are on SAN. OS is Windows Server 2016.

After the SAN disk was configured/connected to the servers they started to BSOD. So far I have seen ntoskrnl.exe and msexchangeworker in the dump files.

Have googled around for some days now but can't find any good answers.

Anybody here that can advise?

Regards
Krister

Which two configurations can a PPPoE client support? (Choose two)

a. 8 clients are configured on a single CPE.
b. The client is connected to multiple hosts over DMVPN
c. The client is installed on the same network device as the server
d. The client is connecting over an ATM PVC.
e. The client is installed on a native IPv6 network.

Hello Experts

I recently installed a Cisco 1921 router as the default gateway for my network. I also have a Cisco ASA5505 9.2 on the LAN behind the router. My goal is to allow AnyConnect Client SSL, Clientless SSL and site-to-site VPN passthrough on the router. So far I had a chance to test Client SSL and Clientless SSL and my router configuration does not seem to be working. From the LAN I can establish a VPN session to the outside interface of the ASA. Can you please review my configuration and point me in the right direction?

C1921 Config:
Int G0/0
ip add x.x.x.99 255.255.255.252
ip nat outside
ip virtual-reassebly
!
Int Gi0/0.17
des ASA UPLINK - OUTSIDE
enc dot.1Q 17
ip add 172.17.0.2 255.255.255.252
!
Int Gi0/0.100
desc LAN
enc dot1Q17
ip add 192.168.1.2 255.255.255.0
!
ip access-list standard ACL-NAT
permit 192.168.1.0 0.0.0.255
permit 172.16.0.0 0.0.0.255
!
ip nat inside source static list ACL-NAT int gi0/0 overload
ip nat inside source static udp 192.168.0.1 500 x.x.x.99 500 extendable
ip nat inside source static udp 192.168.0.1 4500 x.x.x.99 4500 extendable
ip nat inside source static udp 192.168.0.1 1701 x.x.x.99 1701 extendable
ip nat inside source static tcp 192.168.0.1 1723 x.x.x.99 1723 extendable
ip nat inside source static tcp 192.168.0.1 443 x.x.x.99 443 extendable

ASA Config
int vlan 17
nameif outside
ip add 172.17.0.1 255.255.255.252
!
int vlan 100
nameif inside
ip add 192.168.1.1 255.255.255.0
!
route outside 0.0.0.0…

The 3750G (v12) is issuing DHCP to a bunch of VoIP phones.

When I connect another segment into the switch (for a maintenance workstation), that segment's DHCP server is in competition when a DHCP request comes in. Oddly enough it replies faster than the one on the switch, which itself seems odd, but that's yet another subject.

The question is how can I block DHCP activity both ways on a single port of this switch?

I have a 3750G issuing DHCP to a bunch of VoIP phones and it mostly seems to work.
I have option 66 configured
ip dhcp pool Phones
   network 192.168.200.0 255.255.255.0
   default-router 192.168.200.254
   option 66 ip 192.168.200.200


But when I look at the phone's GUI I see this odd value:
	DHCP Option Server Path	@(HH


I'm not even sure what question to ask other than: is there a different way I'm supposed to set option 66?

I am trying to understand the effect of configuring ip summary-address rip 0.0.0.0 0.0.0.0 on the Hub router in a DMVPN network.
Per the book, spokes should see the RIP default route 0.0.0.0 in their routing tables, but that is not the case in my lab.

Hub#sh run
Building configuration...

Current configuration : 1636 bytes
!
! Last configuration change at 12:59:12 UTC Sat Dec 30 2017
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Hub
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
ip source-route
no ip icmp rate-limit unreachable
ip cef
!
no ip domain lookup
no ipv6 cef
!
multilink bundle-name authenticated
!
redundancy
!
ip tcp synwait-time 5
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
 ip address 172.16.123.1 255.255.255.0
 no ip redirects
 ip nhrp authentication DMVPN
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip summary-address rip 0.0.0.0 0.0.0.0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.123.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!

Still learning...
Some time ago I added web logon creds to this 3750G and I can't remember them. How can I clear those creds so they aren't needed, or reset them to something I will write on the darn thing?
Switch>enable
Switch#show run
Building configuration...

Current configuration : 1486 bytes
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Switch
boot-start-marker
boot-end-marker
no aaa new-model
switch 1 provision ws-c3750g-24ps
system mtu routing 1500
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/2
interface GigabitEthernet1/0/3
interface GigabitEthernet1/0/4
interface GigabitEthernet1/0/5
interface GigabitEthernet1/0/6
interface GigabitEthernet1/0/7
!...
interface GigabitEthernet1/0/28
!
interface Vlan1
 ip address 192.168.200.254 255.255.255.0
ip classless
ip http server
ip http secure-server
line con 0
line vty 5 15
end


Found a post that suggested a "Skinny" install, meaning no GUI installed. If true, why a prompt? Can I add it?
Switch#dir
Directory of flash:/

    3  drwx         192   Mar 1 1993 00:19:54 +00:00  c3750-ipbasek9-mz.122-55.SE11
  510  -rwx        1486  Mar 24 1993 20:55:35 +00:00  config.text
  511  -rwx          24  Mar 24 1993 20:55:35 +00:00  private-config.text
  512  -rwx        2072  Mar 24 1993 20:55:35 +00:00  multiple-fs

32514048 bytes total (16817152 bytes free)
Switch#


In addition, can this switch become a DHCP server? I don't believe so, as the docs mention considerations when the switch receives DHCP config but nothing on creating them. But I need to ask. I will need a simple DHCP server for this assembly (SIP phones using FreePBX) and using the switch would be ideal if it did work like that.

If a router runs BGP with neighbors, will it use the BGP path attributes and best-path algorithm to determine the best route to a particular network and then put it into the routing table? Or does the router only check its BGP routing table and decide which path to take for a particular network?

Thx

Hi,

I use a syslog server to collect the logs from Cisco devices, which includes the Cisco VPN. But I get too many events from syslog event ID 419002.

I would like to set my Cisco VPN not to forward syslog event 419002 to my syslog server. Can you help me by letting me know the configuration I will have to make at my device end?

Thank you,

If the laptop (Dell 7470 Win 10) negotiates with the switch to become 100F, does that mean
that the laptop NIC is likely configured for 100/Full and the autonegotiation at the switch port just matches that? Or could there be something else getting this to 100F with no collisions, no errors?

There are incrementing Total Output Drops (see below) and I'm suspecting that perhaps failing to get to 1000F is playing a part in having more drops than we should.

Catalyst 4500 L3 Switch Software (cat4500es8-UNIVERSALK9-M), Version 03.03.02.XO

#show int gig 3/12
GigabitEthernet3/12 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet Port, address is 588d.0985.7a9b (bia 588d.0985.7a9b)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000-TX
  input flow-control is on, output flow-control is on
  Auto-MDIX on (operational: on)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:19, output never, output hang never
  Last clearing of "show interface" counters 22:42:29
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 72056
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 55000 bits/sec, 50 packets/sec
     4661 packets input, 3011441 bytes, 0 no …

We manage a network of devices and would like to maintain a library of configs that are automatically backed up when they are changed on the end devices.

We are happy with the config on the remote and core devices and that they will trigger a config snapshot to be exported to a server running Server 2012.

The question is whether we use FTP; we have tried this but it is very problematic and intermittent with usernames and passwords.

We have also tried TFTP but again, a little problematic.

I would be very grateful for any advice or pointers.

Intro

I would like to set up my personal firewall directly on the Netgear DM200 ADSL modem (in modem mode).

This would allow me to connect directly through VPN to my work ASA5510.

Setup

ADSL Phone line <-> ADSL filter/splitter <-> Netgear DM200 <-> ASA5505 <->BT HomeHub5

I have set the DM200 in modem mode with the username "bthomehub@btbroadband.com"; I don't know the password or the authentication method (PAP, CHAP or MSCHAP).

The ASA is also asking for a VPDN group which I have no details for....

The DM200 is working because I can access the internet when connected to the LAN port when in modem mode.

Issue

Ultimately I just want to securely VPN into my work ASA, but it would be useful to implement the firewall for all outgoing internet traffic instead of placing it behind the BT Home Hub 5 that I'm replacing.

I would really appreciate it if anybody could offer any advice or help.

Is my matching below correct or not?

CHAP
  Generates a unique authentication string for each transaction
  Supports mid-session re-authentication

PAP
  Requires a username and password only
  Provides minimal security

Hello Community,
I need your help. I have a Cisco ASR 5500 which we are using for VPN client for iOS devices, and I need to activate split tunneling.
Can someone who has already done this operation help?
Thank you in advance for your help.

I've deployed a CentOS 7 server, installed TACACS+ and I'm trying to configure it to work with a set of managed Cisco Catalyst 2960X switches that I have deployed in our production network (I'm only attempting this on an unused switch at present, purely for testing).

I have the following:-

1.) Connectivity between TACACS+ server and switch (can ping between both and telnet from switch to TACACS+ on TCP 49)
2.) TACACS+ config file (attached), syntax validated
3.) Cisco IOS config (attached)
4.) TACACS+ IOS debug output (attached)

When I try to SSH to the Cisco switch, I keep receiving "Access Denied". I get a brief delay whereby there's chatter between TACACS+ and the switch, then come the debug output errors.

I have read many articles regarding adding an ip tacacs source-interface; unfortunately I still receive the same error.

Any help would be appreciated.
cisco_debug_output.txt
cisco_shrun_output.txt
tacacs_config.txt