
Cisco

22K

Solutions

14K

Contributors

Cisco PIX is a dedicated hardware firewall appliance; the Cisco Adaptive Security Appliance (ASA) is a firewall and anti-malware security appliance that provides unified threat management and protection the PIX does not. Other Cisco devices and systems include routers, switches, storage networking, wireless and the software and hardware for PIX Firewall Manager (PFM), PIX Device Manager (PDM) and Adaptive Security Device Manager (ASDM).


Can someone please explain the difference between port forwarding to 3389 and creating an access rule to 3389 on a Linksys Cisco router?

Specifically:
Set a port forward to 3389 to a LAN PC 192.168.0.x
Set an access rule from "Any" source or a defined source to the same IP address on the LAN

What is the difference, and which has priority?
Please can you define the differences clearly.
0

After I've configured the device I can't get out to the internet via any of the PCs. I can access the 5505 from an outside computer and can configure it via the ASDM, so I'm not sure what the problem is. Can someone verify my config below?

ASA Version 8.3(1)
!
hostname ciscoasa
enable password OlOxQ1nyrZ49h6MK encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.2.0_24
 subnet 192.168.2.0 255.255.255.0
object network SCETI
 subnet 172.172.128.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 object SCETI
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list outside_access_in extended permit tcp any host 192.168.2.100 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source …
0
I've got a 5545-X that I'm configuring for remote access VPN. I've done a few 5506s but this is my first 5545.

I initially started with AnyConnect. I could get the client connected, but I couldn't get a ping response. The client statistics showed control data was being exchanged. Client data was being sent, but not received.

I wiped and reconfigured and got the exact same results. Then I tried configuring IPsec for the legacy VPN Client because I can always get that to work. :-)

Exact same results. Client connects fine but no data. "show cry ipsec sa" shows pkts decap are increasing but pkts encaps are not.

I figure that I'm just missing something and I've been looking at it for so long that I'm just not seeing it. Hoping someone can look at this and see a typo or a missing statement that I'm missing.

I've stripped out all the non-essentials and sanitized the output.  If I got overzealous with the stripping and cleaning, let me know and I'll repost.

Thanks.

Don

P.S.  I've added a bunch of... junk that I don't usually have while throwing things at this to see if something sticks.


ip local pool RA_VPN_POOL 192.168.255.1-192.168.255.62 mask 255.255.255.192
ip local pool AnyConnect_VPN_Pool 192.168.255.129-192.168.255.254 mask 255.255.255.192
!
object network VPN-Nets
 subnet 192.168.255.0 255.255.255.0
!
object-group network Inside-Networks
 network-object 10.10.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
!


0
I have a Cisco SG220-50 smart switch that I'm trying to configure. I'm able to log in using PuTTY via its console port. My question is, the CLI commands are different. For example, I can't do show ip interface brief. When I type in show ip ? it only shows dhcp, http, https and igmp as its options. Whatever happened to show ip interface brief? Another example: when I try to configure line vty it's telling me unknown command. And when I do line ? the only options are console, ssh and telnet. Is this the new CLI, or do I need to update the firmware?
0
I am testing a wireless controller. I have installed the virtual wireless LAN controller from Cisco, running version 8.5.103.0. The management interface is up and I am logged into the web admin console. The wireless network is set up using layer 2, WPA2 with a passcode. The controller sees the access point. I am getting no errors. The issue is that I don't see the SSID to connect to it from a client. It has to be a small configuration issue I am missing. I have never set up this vWLC before. The wireless network is in the AP group called 'default-group' and the AIR-CAP2602I-A-K9 AP is also associated with this group. What am I missing?

1. Why can't I see the SSID to connect?
2. Do I need to create a virtual interface for the wireless access point? (Only the 'management' interface is active and up.)
3. If possible, I'd like to keep the wireless on the same subnet as the rest of the LAN. It's small and I don't want to overcomplicate things by introducing routing.
0
Hi guys,

I'm on a network and realised that our Outlook was a little slow. So when I did a ping to the default gateway, I had some 1 ms pings but then I had quite a lot of 27 ms and 14 ms times.

The network is all gigabit and on SG500X Cisco switches.

How would one find out if something was occurring that caused spikes like that?

If not on the switch itself, what tools would you use? SolarWinds? WhatsUp Gold? Wireshark?

I'm tired of applications having problems, high-millisecond pings etc. and never being able to absolutely pinpoint the exact issue when asked by senior management.

Thanks for helping
Yashy
0
Newly created VLAN on Cisco Catalyst switches and a Meraki MX100 firewall. Download speed is about half of what it should be; upload speed is fine. Put the PC on the primary VLAN and the speed issue is gone. There is no bandwidth throttling set on the MX100. I created the VLAN new and didn't set any throttling or shaping on the switches. I have looked at the switch configs but I'm not entirely sure where/what to look for.
0
I need to create a user login to a company VPN. The VPN is set up on a Cisco router (I don't know the model number) and I need to access it via SSH (done) and then add a new user to it that can then connect to the VPN. What is the SSH command to see what users are already created, and then to add the new user via SSH commands? Or, alternatively to all that, can I install some sort of web GUI control panel type thing that I can administer the router from?
0
If a user has a VPN connection on my ASA device then potentially he can use those credentials to connect on any computer. Whilst I can restrict the connection to certain IP addresses and ranges, can I restrict the connection to an individual computer NAT'd behind that public IP address or range?

The risk comes in that I may not know the patch or AV state of a computer that connects to my internal network.
0
I know sh ver gives uptime of 2 days, 4 hours, etc.,
but I need to know the reason it went down: whether it was a power issue or it was reloaded administratively.
Thanks
0

Hi,

As far as I know, in an Exchange infrastructure (2013 and 2016), incoming SMTP connections coming from the Internet go through the firewall and are then NATed to the Exchange e-mail server in the internal network. If all mail servers are members of a DAG, then I think it is forwarded to the virtual IP of the load balancer of the DAG.

My question is about putting a Cisco E-mail Security Appliance (IronPort) in between.

Should I direct incoming SMTP connections from the firewall (Internet) to the IP address of the Cisco appliance, and from the appliance to the virtual IP of the DAG?

Please advise

F.
0
I am new to PA firewalls and wonder what others' opinions are compared to Cisco's, please. I heard they are user-friendly but security guys hate them. They can be very pricey as well.
Thanks in advance!
0
I have installed a valid certificate on my 5505 and used the wizard to create an AnyConnect solution. Everything works until the connection is established. At that point the connecting machine cannot reach the local network or the VPN'd network. I have compared the code to other AnyConnect ASAs and they look the same, but I must be missing something I'm looking right at (I hope).
Group policy is set.
Local IP pool is set (different from all networks involved) and no IP conflicts.
Local database is set and user(s) assigned.
Users connect and immediately have no Internet. You can ping the IP assigned to the VPN adapter, but nothing else. Please advise any thoughts.
dave

inside is 192.168.16.0/24
IP Pool for VPN 192.168.17.10-25 /24
ssl trust-point TrustPoint inside
ssl trust-point TrustPoint outside
webvpn
 port 444
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.05170-k9.pkg 1
 anyconnect profiles MyAnyconnect_client_profile disk0:/MyAnyconnect_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
group-policy GroupPolicy_MyAnyconnect internal
group-policy GroupPolicy_MyAnyconnect attributes
 wins-server none
 dns-server value 192.168.16.x 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client ssl-clientless
 split-tunnel-policy excludespecified
 split-tunnel-network-list value Split-ACL
 default-domain value MyDomain.com
 webvpn
  anyconnect profiles value MyAnyconnect_client_profile type user
tunnel-group MyAnyconnect type remote-access
0
I'm having a problem with Cisco VPN. I tried QuickVPN and the Cisco VPN client, both on Windows 10 and Windows 7. But still nothing.
Sometimes getting DEL_REASON_PEER_NOT_RESPONDING and Error 412.
0
Hello Experts,

I am moving my isolated lab to a 'managed' facility. My current setup includes a Cisco ASA 5525X in Transparent mode, that has one 'exposed' subnet with a public IP that is connected through DTAP to a provider. All other subnets are internal private, not exposed nor advertised, by design. The interfaces are grouped together in a bridge group, and then multiple bridge groups are configured, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA.


The new 'managed' facility's network deployment team is requiring me to enable BGP on my ASA in order to peer with them.
Considering I do not run BGP now and have no need to advertise routes (or receive advertised outside routes), I disagree with them. I don't think they understand my network design.

My ASA in Transparent mode is basically a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
Also, I do not have any routers on the 'inside' private subnets, so there will be no router internally for the BGP session to form an adjacency. Please correct me if I'm wrong.

I am basically asking for confirmation from the experts before I pass this higher up the management chain.

Thank you in advance for your expertise!

Jerry
0
Dear Experts, this interface VLAN 7 suddenly went DOWN this afternoon without any change. I tried to delete the interface and recreate it, and shut and no shut, but it did not help. It shows like the screenshot. Could you please suggest and explain? Many thanks in advance!

Core switch is Cisco C3750, Access switch is Cisco SG500
vlan7.PNG
0
I can't display any logs. I can't enable logging. The logging enable and logging console x commands are not available.

The show logging command shows only: syslog logging: enable. The other loggings are all disabled.
0
Hello,

I have a basic Cisco route question. I got the following output from sh ip route.

Does it mean all those 4 IPs' traffic will be forwarded to 192.168.0.1?

      65.0.0.0/32 is subnetted, 4 subnets
S        65.110.1.47 [5/0] via 192.168.0.1, FastEthernet4
S        65.110.1.48 [5/0] via 192.168.0.1, FastEthernet4
S        65.110.1.58 [5/0] via 192.168.0.1, FastEthernet4
S        65.110.1.62 [5/0] via 192.168.0.1, FastEthernet4
0
My company uses an MPLS tunnel between site offices and HO. One switch (Cisco CAT 3560 8 port) in our site office is connected to the service provider's MPLS device (it uses IP/MPLS microwave solutions) to connect to HO through the service provider's MPLS network.

The issue is that the switch (Cat 3560) port LED connected to the MPLS device is blinking green and amber, and the tunnel is also down.

So what might be the cause of this issue?
0

Hi All,
We have a Cisco WS-C3850-24XU switch with plenty of free 10 GbE ports. All the ESXi servers are on the same rack and connect their virtual network to this switch. We have some spare 10 GbE ports left. We are thinking of running the iSCSI network on this switch to connect to our SAN. It might save some money buying a switch for iSCSI. Are we looking for trouble even though we run it in a separate VLAN? Is there any KB article/white paper with which I can make a case to buy a separate switch?
1
Hello,

Our users launch an in-house app from their iPad that connects to the IIS 7.5 web server in Europe from the US.

In the app, the user can submit their signature from their iPad.

The issue is that when the user hits submit, the upload of the signature is not happening.

This is an intermittent issue. Our developers think it is the file size being submitted from the iPad that might cause the issue. They have already changed the IIS settings and web config ini file but it does not seem to help.

They want us to start checking some network logs.

I am just wondering if anyone has some idea of how to troubleshoot this...

Thanks.
0
Dear wizards, does anyone know the impact of the Cisco commands we type on devices' performance (resources, CPU, etc.)? Will it slow down the connection between users and the Internet?

For example: if I type "ip access-list extended ETC" and then define lots of policies in it, how many resources should they take from the router?
0
Let's say I want to permit PING. If I specify PING in the Application tab, in the next tab over, "Service", should I set that to "application default"? If I set that service to ANY, is that the equivalent of permit ip any any in Cisco?
0
I'm running CUCM 9 and Unity Connection 9. All screens on my Cisco IP phones go dim (black) at 5pm. I know this has to be a global setting in CUCM, as all phones do this, but I can't figure out where to go to change this. We have recently extended the hours the office is open, so I need to change this. Does anyone know where this setting is? Thanks!
0
Hi all,

We have a Cisco ISR 4431 that we want to block the internet for, so firstly can I simply enter a new access list such as:
access-list 101 deny tcp host 192.168.0.8 any eq 80    (as we currently only have access-list 100 on the router)
and then attach it to the outbound (or inbound) interface for the router?
The second part of this is that there is a LAN-to-LAN VPN from the router to a Paris datacentre that I still need it to access, so this won't affect that, will it? Or will I need to put in an exception to allow 80 to that certain IP range?
Thanks
0