Cisco :: 4507 - Filtering Outbound Sys Log Messages
Apr 10, 2013
How can I filter outbound sys log messages, so they include only configuration changes messages..
On Cisco 2900 I used:
logging discriminator CFG LOG msg- body includes "PARSER" | "CONFIG"
logging host x.x.x.x discriminator CFG LOG
logging x.x.x.x
How can I do the same on 4507? This feature on Cisco routers is called "Reliable Delivery and Filtering for Sys log" and is available for 12.4(11)T and 12.2(33)SRB (7600) . I am running Version 12.2(25)EWA6 on my Catalyst, so it is not available.
The software I am using is a simple solar winds sys log server.
View 2 Replies
ADVERTISEMENT
May 5, 2013
We are redistributing routes from BGP to OSPF and we want to filter out some of this routes from the OSPF proccess to be announced to neightbours.We want to announce some networks from ASR#1 to Catalyst. We are redistributing them from BGP to OSPF Area 0. Then, to prevent loops in the topology, these routes have to be filtered out from been redistributed from Area 0 to Area 1 in the Catalyst, so Enterasys appliances don't install those routes through OSPF but to point them out through default route to ASR#2.Is it possible with only one OSPF proccess or we have to separate OSPF in two proccess to redistribute between them?
View 8 Replies
View Related
Feb 7, 2012
I have come across articles mentioning that URL Filtering can be implemented by using ASA 5505 with URL Filtering Servers. But Websense and other Web Filtering Servers are paid ones ? Are there any free solutions available ? What exactly is N2H2 ? The reason is I don 't want to increase the CPU utilization of ASA by implementing URL filtering within the device. If I have around 30 nodes which connects to the internet via a 2Mbps line through ASA 5505 and if I want to block around say 10 or 15 URLs , will it increase CU utilization beyond permissible limits ? Currently the CPU Utilization is around 10 - 15 . Here's the infrastructure setup .
------------------------------------------------------------
Nodes -->Switches-->ASA 5505-->Internet
-------------------------------------------------------------
View 4 Replies
View Related
Dec 6, 2012
I have two ISP, I want to divide Inbound to ISP1 and Outbound to ISP2.
View 3 Replies
View Related
Feb 28, 2011
We're running 8.3(2) in the ASA5540. Users all over our enterprise connect to a business partner's application through the ASA/VPN. We have a class-b address space, and since the users are spread out all over the place, I have the entire class-b space as the local object in the ACL that allows traffic through the VPN tunnel.
The business partner has concerns that our entire address space is available to access the VPN tunnel. So I thought, to alleviate their concerns, to PAT all of our connections outbound to a single IP address.
How is this done in 8.3(2)? We use ASDM to configure the 5540. For example, say our class-b is 159.12.0.0 and the PAT'd IP address will be 199.30.36.6.
View 5 Replies
View Related
May 27, 2013
I've got an 887M router which will be configured with two linke - one ADSL, one 3G - both of which will have (obviously) a separately suppplied IP address from the different ISP's being used. The 3G is a backup - plain and simple - for use only when the DSL service flakes out (which it does often)
Routing is pretty simple - I'll either do soemthing with a bit of PBR, or a simple weighted static, but the NAT has me scratching my head a little.
Can I have two outbound NAT pools (ip nat outside) for each interface which will be used ONLY for traffic going out the interface concerned?
For example, I have one for the primary link
ip nat inside source list 2 interface Dialer1 overload
Can I do the same for the second dialer interface like this
ip nat inside source list 2 interface Dialer2 overload
and have them automatically switch to using the dialer 2 IP for the outbound NAT if the dialer 1 link fails?
I don't think I've ever come across this before, so I'm not sure if it can even be done.
View 1 Replies
View Related
Aug 10, 2011
For about the past 2 or 3 months, I have been experiencing outbound packet loss at about the same time every evening. That timeframe is about 7 PM - 10 PM. This is most noticeable on Teamspeak 3 because of the voice disruption that other users report to me.
View 1 Replies
View Related
Oct 21, 2011
Both of these ISDNs are up, this gives us 4 channels. Someone said they recieved a busy tone when they attempted to dial out. I looked over the system and seen there are two outbound pots dial-peers. Each dial-peer references one of the BRI ports. The preferences are the same on each dial-peer. I think what is happening is that the system is randomly selecting one of the dial-peers due to the preference, even if both channels of the BRI are in use. How does the system know if that port has both channels in use? I've not used ISDN before, so tried to enter the B-channel sub interface and the system (UC500) tells me I cannot do this. I was thinking about adding each channel into a trunk group and then referencing the trunk group in the dial-peer. I can obviously add both BRI's into one trunk group.
View 2 Replies
View Related
Jan 9, 2012
I just migrated our office network router to a RV082. While configuring it, I came across three problems:
(1) From our ISP we have four public IP addresses which I want to make use of for outbound traffic. With the previous router we used we could configure LAN IPs(ranges) to map to static public IPs. Does RV082 support this? I could not find an option for that at the web-interface. From what I understand the 1-1 NATing only goes both incoming and outgoign ways and actually is 1-1 and not the many-to-one I am looking for.
(2) How is it possible to configure incoming port forwards to use a specific WAN interface? Will it always be the primary WAN interface?
(3) Does the telnet access provide more configuration options? I could not log in to it with the same user credentials as with the web-interface.
Serial Number : NKS1532xxxxFirmware Version : v4.0.4.02-tm (Jul 4 2011 13:30:56)PID VID : RV082 V03Firmware MD5 Checksum : 1f84d8d0a2a8b99f9bfa4409e64547aaLANWorking Mode : Gateway
View 0 Replies
View Related
Sep 20, 2012
I multi homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from wash ISP and marking one with a higher local pref. most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables isn't an option. I could receive partials from each ISP. Is there any other method to detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
View 3 Replies
View Related
Mar 31, 2011
I have a Cisco 877 on an ADSL connection. QoS isn't doing the trick -- I need to reserve 200 meg or so of my outbound (upstream) bandwidth for VoIP to end complaints about voice quality. Any example of how to classify SIP, RTP, IAX, and Skype traffic and put a rate limit on anything that doesn't fall into that category? The VoIP phones also are in their own IP range on the LAN side if that would make things easier...or I could even connect them into a specific port on the internal switch in the router.
View 9 Replies
View Related
Mar 4, 2013
I multi homed to dual ISPs using a single 6509e. Currently, I am only receiving a default from wash ISP and marking one with a higher local pref. most of my traffic flow is inbound, so this config meets my need. The issue I have: if either ISP has has an outage upstream from my directly connected peer, my router does not detect that and continues to send traffic out thru that provider only to be black holed. My 6509 will only support 256k routes, so full route tables isn't an option. I could receive partials from each ISP. Is there any other method to detecting this upstream ISP issue and then adjusting my local pref on my default to use the alternate provider path?
View 3 Replies
View Related
Jan 12, 2011
I need to attach a QOS policy to a layer 2 WAN interface between two sites. This is actually an extended LAN circuit with 500Mb/s of allocated bandwidth. The interfaces are Gigabit so I want to make sure I don't attempt to transmit traffic faster than 500Mb/s. What is the best way to implement an outbound QOS policy that sets the minimum and maximum speed to be the same? This policy will be implemented on a 4900M with the 20 port GigE module
View 3 Replies
View Related
Oct 5, 2011
I'm having some issues getting ActiveFTP to pass through an ASA 5505, I finally found out when I tested the FTP via cmd on windows(after the major hassle of getting credentials out of the software co) that it does open the connection on the control port, but whenever I try to send/recieve data the connection is dropped, for troubleshooting purposes I've even gone as far as opening up all ports 1-65535 with an acl to no avail, I believe the FTP traffic is encrypted with SSL(can't get a solid Y/N from the company).
View 1 Replies
View Related
Mar 30, 2011
Below is the interesting part of my config. I have static NAT configured and working inbound for the Exchange Server and the Barracuda, however outbound traffic from those hosts comes out as the interface IP. Thoughts? I've tried a number of things (outside, inside), etc.
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network DSN-EXCH01
host 10.250.231.51
object network MAIL-IN
host 10.250.231.50(code)
View 3 Replies
View Related
Jan 30, 2012
I know I can use the RTR statement to determine when the primary ISP circuit goes down via this technote: url...My question can I assign static Nats on the backup ISP connection to the same inside servers in the dmz.?Example 10.1.1.11 is mapped to ISP1 ExternaIP of 65.217.77.11. Can it 10.1.1.11 also be mapped to ISP2's 208.217.77.11?This way I can get my DNS changed and my inbound traffic to servers in my DMZ on the asa 5510 running 8.0.3 code can continue to receive Inbound traffic.
View 1 Replies
View Related
May 7, 2012
How can I achieve this. I am obviously a novice cisco user and really fight my way around. I just want to grant access to a vendor to connect to his vpn. What ports need opened and what else do I need to do?
View 1 Replies
View Related
Sep 18, 2011
I've tried a few different ways unsuccessfully so thought I'd ask here.I'm trying to forward an outgoing port on a Cisco 800 series router. ie. When a user inside the network connects to the router on port 1234, it opens up the same port on a server on the Internet.
View 2 Replies
View Related
Aug 1, 2012
How to set the default outbound policy as block in access rules of rv220w? I configure my company router RV220W to block all outbound service traffic, just allow outbound service as : http, https, smtp, dns_tcp / udp. it works fine for some hours, the next day, the rules like expired, the https / smtp / DNS service fail to outgoing, only the http is still ok? What happen? Now I just set the default outbound policy as allow, all traffic can go out, but that is meaningless for a firewall device.
View 1 Replies
View Related
Jan 30, 2013
I'm trying to configure a simple ACL to block smtp traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that smtp server. i want my Exchange server only to send smtp traffic. here's what i have:
-access-list 102 extended permit tcp host 10.10.1.29 eq smtp any eq smtp <===10.10.1.29 is Exchange
-access-list 102 extended deny tcp any eq smtp any eq smtp
-access-list 102 extended permit ip any any
-access-group 102 in interface inside
after i apply this ACL to the ASA, i am still able to send from my internet email address setup in Outlook using my "foreign" smtp server.
View 1 Replies
View Related
Oct 14, 2012
I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits), as well a a WInXP box. All of these are connected to the same switch, which is connected to the inside port of my PIX 515.
For a few sites (mozilla.org happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that matter - will not go through the PIX (from inside to wan). I have verified this by first, using wireshark to watch the packets being sent out from the client box, then by using the trace function in the PIX to see that the packets ARE arriving at the inside interface, but ARE NOT sent out of the wan interface.
This is for the linux boxes ONLY. When I do the same thing with my WinXP box, all works: in the PIX trace, I see the packets arrive at the inside interface, and leave the wan interace. And access to these sites are okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
Some background:
I have been using this PIX for about 10 years now, with the same configuration (except IP addresses). Only in the last several months has this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something else. I don't have any support license, and have not been able to get any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by (code)
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60
PS: Since this PIX is at its end of life, I was wondering if any of the software upgrades would be now available without a license?
View 2 Replies
View Related
Apr 4, 2013
We've got a proyect that requires a few thin clients to connect to a remote PCoIP server.
Looking to the documentation, the only port required to be open through Firewalls is TCP/UDP 4172, however, we've seen (making interface captures) that it somehow also uses ESP (IP protocol 50).
We've got a static NAT translation translating those thin clients to a public IP address, we've created ACLs to allow inbound (shouldn't be necessary as our user is connecting to a remote server) and outbound traffic for TCP/UDP 4172 and ESP and I cannot make it work.
I've also enabled IPSec pass-through Inspection to no avail.
how should we configure our ASA to enable this kind of traffic?
View 4 Replies
View Related
Oct 2, 2012
I need to open some outbound ports in order for our CCTV company to receive alarms from our internal CCTV Machine.
The ip addresses of the company who access the CCTV are as follows:
213.130.134.56
81.130.198.97
The above are fixed IP addresses. The internal machine is on 192.168.204.170
The outbound ports that I need to open are the following:
TCP
21
23
80
5201
UDP
1025
2074
2075
I have access to the current config if needs be.
View 8 Replies
View Related
Mar 26, 2013
What I'm trying to do seems pretty basic, but I cannot get it working on the RV180?I have 5 Fixed IPs. Using Access Rules I have configured a few inbound rules with specified WAN Destination addresses and these are correctly port forwarding these inbound ports on the specified Public IP addresses. Perfect!
However, for outbound, I need to do the equivalent for one public IP for outgoing SMTP so that our mail servers public facing address is not the standard WAN address and therefore will not fail a reverse DNS lookup. At the moment I have emails bouncing all over the place and panic has set in. I thought the SNAT option was the soltuion, but that just seems to break traffic flow completely on the specified port. I had this working no problem on my old Netgear, but I had to replace it due to throughput limitations.
View 3 Replies
View Related
Sep 12, 2012
Cisco Router 2900.My setup pppoe dsl 8mbps and i read on other website kinda sound of MTU.. but i dont know what is this or exact number of MTU. [code]
View 2 Replies
View Related
Jan 24, 2012
I have the need to do an outbound NAT redirection. So what I mean is this. I have a custom program that uses SSH to port 22 from a server inside the ASA firewall. This goes out to a server on the Internet over port 22. The ISP of the SSH server told me that they changed their SSH port from 22 to 2102. So instead of changing the custom code on the developed application on the server... I thought it would be easier to do a OUTBOUND NAT redirection for the ASA to see port 22 from the server and redirect it OUTBOUND to port 2102.
so for example:
The server is at 192.168.0.2 and it uses a program to initiate SSH traffic to 205.246.1.1. The server sends to port 22 but I need it automatically changed on the firewall to port 2201 at 205.246.1.1.
It is a Cisco ASA 5510. The server at 192.168.0.2 does have a fixed IP address on the outside with INBOUND NAT for things like port 25 (mail) traffic etc. Lets pretend that was at 64.18.23.60.
View 1 Replies
View Related
Nov 20, 2011
I'm running a Cisco ASA 5510 with version 7.2(3) and I've been tasked with permitting some inbound & outbound TCP & UDP ports to/from a specified address space on the internet.
In looking at my current ASA config I see other access lists already configured so I'm assuming I can just set up a new access list in similar fashion, but I wanted to verify here first.
View 6 Replies
View Related
Feb 29, 2012
I have hooked up to the Cisco 2821 router a T1 on Serial and Cable Modem to GigEth0/1 and I want to split outbound traffic so that all regular users will use G0/1 interface for web traffic and the rest of the traffic stays with the T1. I am having an issue where the users on the network are not able to use the internet when using the following config:
!
interface GigabitEthernet0/0.10
description Data
encapsulation dot1Q 50
[Code].....
View 11 Replies
View Related
Jun 10, 2012
We have a main office and 4 remote offices (only showing 1 remote office in the diagram). We are using GRE over IPSec VPNs to the remote offices which terminate on the 2811 router in the main office. We are using the 2811 as it is the only device that we have that can terminate GRE. The 2811 router is connected to the outside switch and is configured with a public IP address. We also have a ASA5510 in the main office which is connected in the same manner and is used for Web, e-mail traffic etc.Both the main office and remote offices have a 10Mbps Internet connection.
We have an issue with voice quality between sites as we are finding it difficult to control bandwidth utilization in the main office. When users in the main office download web content it can saturate the 10Mbps Internet connection causing voice quality issues. We have configured outbound shaping on the branch routers to make sure that aggregate inbound traffic from all branches to the main office does not saturate the link but we cannot control traffic from the Internet.I understand that controlling inbound traffic from the Internet is difficult without controlling QoS on the ISPs side. Is there any way that can reserve inbound bandwidth to ensure that web traffic does not impact voice? Also in this design, which is the best place to configure outbound QoS from the main office?
View 4 Replies
View Related
Jun 9, 2013
How to rate limit a 3560 inbound and outbound using different QoS methods. I've read about vlan class maps/policy maps, using the rate limit command on the physical interface, using the srr-queue bandwidth command(it's a gig switch so not sure that would work) and marking all packets and then applying QoS. I'm just learning QoS so trying to figure all of this out and find the best way to do things.
Also, I was told to do this because it's not advisable to have a connection to your ISP that is not 10mb or 100mb on a switch, since they are not divisible by 10 and it can cause issues?
View 2 Replies
View Related
Dec 13, 2012
I have a 521 with 1.01.24 The fxs port is registered and inbound calls work. When the customer picks up the phone to make a call they get a busy tone.
View 1 Replies
View Related
May 9, 2013
How to migrate the following config from a CSM to and ACE20 module.
Currently we have a CSM configured as below:- 452 Client and 453 Server sharing the same Public vlan.
We require outbound access from groups of internal individual servers to external addresses.
CSM config
module ContentSwitchingModule 8
vlan 452 client
ip address 10.206.135.252 255.255.252.0
[Code].....
View 7 Replies
View Related
Dec 6, 2012
We have a ASA5510 and I need to open port 22 for a speacific IP in our LAN outbound only.
View 15 Replies
View Related