Cisco :: Can't Get CBAC To Work?

Jul 3, 2012

I'm playing around with CBAC, trying to get a feel for it so I can manage it on some of our routers. I think I have the basics down, but for some reason I'm still having these issues with a 2801 running the attached config:

- I had to add the "router-traffic" option to my ICMP inspect line to be able to ping anything at all on the 10.10.2.0 side from the router. We have a router doing firewall duty which is using CBAC but does not have the "router-traffic" option on its ICMP inspect line, but pings from it still work. What gives? I've read that by default (without the "router-traffic" option) traffic originating from within a router will not be inspected by CBAC, so it looks like my lab router is working as expected; I just can't figure out why pings work from the production firewall router.

- I cannot copy a config via TFTP to 10.10.2.97. Other network devices can access the TFTP server on .97, so it's my lab router that has the problem. I can ping .97, and it can ping this router (.5). It looks to me like I have TFTP allowed through this router, but it doesn't work. When I do a copy command, my TFTP server on .97 sees PUTs coming in, but then says it's not getting responses from the router, so it looks like traffic is only flowing out from the router but not back in. I thought the TFTP inspect would fix that. There doesn't seem to be a "router-traffic" option for the TFTP inspect. [CODE]


Cisco :: CBAC Stuck In SIS _ OPENING

Jan 3, 2011

I have an 851 that I'm trying to apply CBAC on. However, it seems that new sessions are stuck in SIS_OPENING. I'm guessing maybe because packets are not returned; I can't understand why. Everything works just fine up until I add 'ip inspect INBOUND out' on the WAN interface.


Cisco WAN :: 881 / Inspect SIP Packet Using CBAC?

Apr 28, 2013

I'm in the process of configuring a Cisco 881 router for a branch office. Behind this router they have a PBX. Is it possible to inspect SIP packets using CBAC, and thereby open RSTP pinholes? I only have 1 public IP address, and I'm not fond of configuring thousands of PAT entries to the PBX. I have successfully accomplished this with global inspection on ASA firewalls, but I don't know if this can be done with IOS as well.


Cisco Firewall :: ACL To Allow NAT Traffic On 857 Router Without CBAC?

Jun 20, 2011

I have an 857 doing NAT for the traffic attached to the internal vlan1 interface (192.168.20.0/24):

ip nat inside source static tcp 192.168.20.5 3389 interface dialer0 3389
ip nat inside source list aclAllowNAT interface dialer0 overload

I would like to turn CBAC (packet inspection) off, but still maintain an ACL on the ingress to Dialer0 (traffic in from the Web) to protect access to some sensitive material (doctor's surgery) and only allow RDP from designated sites. I realise there are other ways to publish the access to the terminal servers, but this way has advantages we need, and is in place.

ip access-list extended aclAllowNAT
permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended aclIngressFromInternet
permit tcp host xx.xx.xx.xx any eq 3389
...

But of course when I do this and apply the access list to dialer0, all NAT traffic stops, as it doesn't have CBAC there telling it to allow the inspected traffic.

What do I need to put in the aclIngressFromInternet ACL to allow the NAT traffic with CBAC off?


Cisco WAN :: 2921 - CBAC Firewall Access List

Jul 1, 2011

I need to configure the access list on the outbound internet port to accept the following:
 
ip access list 10
access-list 10 permit PPTP vpn any xxx.xxx.xxx.xxx
access-list 10 permit RDP any xxx.xxx.xxx.xxx
access-list 10 permit FTP any xxx.xxx.xxx.xxx
access-list 10 permit Postgresql any xxx.xxx.xxx.xxx
access-list 10 permit MacARD any xxx.xxx.xxx.xxx
 
This method does not work on the Cisco 2921 router with the firewall feature set.


Cisco Firewall :: 1811 CBAC And Self-generated Traffic

Oct 27, 2012

I am running CBAC on an 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? [code]

The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp", but that didn't work either.


Cisco Firewall :: 1711 Router - CBAC Blocking Windows 7 Upload

Jan 13, 2012

Since upgrading some of the computers in my LAN to Windows 7, they all experience upload issues. I have narrowed it down to CBAC inspection on my Cisco 1711 router; I am running IOS 12.3. I have a simple CBAC inspection set for TCP/UDP only, without any application-specific inspects. Download works fine; however, upload does not seem to work at all, unless I disable the IP inspection. It is all working fine for any Windows XP machines but not for Windows 7 machines. Is this a known issue? I am not sure how to go about this. I don't want to build ACLs now for the outside interface and disable the stateful inspection mechanisms, because CBAC has been working fine for me until recently.


Cisco Firewall :: 3745 / 1811 - Slow Web Connections With IP Inspect (CBAC) Turned On

Jul 7, 2009

I have seen this a couple of times on two different routers. One is a 3745 and the other an 1811, running 12.4(15)T4 and 12.4(6)T11, respectively.
 
When we have IOS firewall running (either IP inspect or ZFW), we will experience intermittent slow HTTP connections.
 
Symptoms include page timeouts, CSS not loading and just overall slow performance. Disabling the inspection cures the issues.


Cisco Switching/Routing :: 2811 Disable Audit-trail For Icmp Packets In CBAC Logging

Mar 23, 2013

I have a Cisco 2811 router set up as a NAT/firewall gateway for my network. I've configured it for CBAC using ip inspect and an access list. What I want is to use audit-trail to record network traffic (which means sending syslog messages to a server) concerning established sessions from my own network to locations on the outside. If I configure this using ip inspect audit-trail and no ip inspect alert-off, the configuration looks like this: [code] which works just fine, but there is the matter of ICMP packets.

Since I use polling software that needs to check some machines in the outside part of the network, it is only natural that several ICMP sessions are established through the inspection rule per minute. The problem is that since these sessions are recorded along with everything else, my syslogs are flooded with these (since I am using logging trap informational) to the point that more messages are generated about ICMP than all other traffic combined, especially in non-working hours. What I am asking for is a way for the audit-trail to be selectively disabled for ICMP, so that the outgoing (echo) & incoming (echo reply) sessions can be established without generating syslog messages.


Linksys Access Point :: To Work The Wireless Repeater Mode Work With WPA2-AES

Sep 6, 2011

Is there any chance the Wireless Repeater mode works with WPA2-AES? If not, which model of AP should I buy to connect it with my WAP54G as a Wireless Repeater?


D-Link DIR-655 :: VPN To Work Network Won't Work

Sep 2, 2011

I'm trying to set up my DIR-655 so I can use VPN to access my work PC. How can I set this up?


D-Link DIR-655 :: DSi Itself Does Work With WPA / But Games Only Work With WEP

Nov 19, 2011

I have a DIR-655 B1 router. The firmware is 2.00 NA. Just to clarify, the DSi itself does work with WPA, but the games only work with WEP. I made a guest account and set it to WEP and it still does not work. I have tried making the main connection WEP as well, but when I go on the game and try it, it says it is WPA and not WEP. My friend has a DIR-655 as well, but the hardware and firmware version are different. Her games work flawlessly.


Cisco :: Certificates For SSL Work On The ASA?

Aug 8, 2011

I am delving into the world of certificates and the ASA. I am having the HARDEST time grasping this, though. I've pored over Cisco whitepapers and been reading through books, and things just aren't solidifying in my head. So my question is, how do certificates for SSL work on the ASA? Where does the data transmit, and how does an ASA talk to a CA and user for things?

Let's use this basic topology for the discussion:

End User------SSL VPN---> ASA--->Internal CA

So in theory we are supposed to create a certificate and install it on the ASA and then set the outside interface to trust that cert?

How do identity certs and root certs also work out on the ASA? I have instructions that pretty much say

Create RSA key
Create new trustpoint
cry ca auth newtrustpoint
cry ca enroll newtrustpoint
cry ca import ?

So what are all of these steps specifically doing? Also in ASDM it shows a normal Certificate and an Identity Certificate. I can't really figure out the difference between the two. Does one cert talk to the CA and the other identify the ASA to the CA?


Cisco :: Can`t Seem To Get EIGRP To Work

Jun 15, 2012

I have a test on EIGRP next week and have been doing it in Packet Tracer so I'm ready, but I can't seem to get EIGRP to work! I have 3 routers, and the loopback interfaces are configured because there aren't enough PCs to actually connect up to the kit. [code]


Cisco VPN :: 5520 Get RRI To Work On

Jun 25, 2012

I have an L2L VPN tunnel on a Cisco ASA 5520 that I'm trying to get RRI to work on. On my crypto map ACL I have defined a local object-group and a remote object-group, and I'm performing one-to-one NAT on the local group. I also have a route map configured that will take the static routes and redistribute them into my EIGRP AS. Two things I've noticed: 1) I'm not seeing any static routes on my ASA that point to the remote subnets, and 2) the ACL that I've used in my route map definition is not getting any hits on it.


Cisco VPN :: Getting AnyConnect 3.0.2 To Work With Mac OS X 10.7?

Jul 5, 2011

I'm having trouble getting this to work. After my upgrade to Mac OS X Lion, the AnyConnect client can no longer log in. Reinstalling didn't work for me.


Cisco Security :: Will NAC 4.7.1 Work On V4.1.2

May 22, 2011

I was running V4.1.2 up until recently for my NAC install. This needed to be upgraded to support Windows 7, so the CAM and CAS were upgraded to version 4.7.1. The CAS is running a trusted certificate from Entrust and the CAM is running a self-signed cert (perfigo).

First question is: will this work with version 4.7.1? I have read a lot of threads about SSL being used between the CAM and CAS.

I have gone through the steps to export the CAM cert and import it into the CAS Trusted Certificate Authorities and vice versa, but I still get the following error message on the CAS:

"Warning: The current Trusted Certificate Authority URL is suited for lab environments only. Cisco recommends importing a third-party Certificate Authority. Please check your Clean Access Manager(s) and standby Clean Access Server for similar messages."

Is this purely because I am using the self-signed cert on the CAM? If I purchase a cert from Entrust for the CAM, will this correct the problem?


Cisco WAN :: Can't Get IPv6 To Work On 877

Feb 23, 2010

I can't get IPv6 to work on my Cisco 877. Do I need to do something to enable it? I have a /56 from our ISP that I would need to configure.


Cisco Switches :: SF 300-24P Could Not Get Any Communication To Work

Nov 30, 2011

I have a stack of SGE2010P switches with 3 VLANs (1, 10 and 255) on it. Connected to it via a trunk port, I have an SF300-24P. On the trunk ports, I have VLAN 1 untagged and VLANs 10 and 255 tagged (on both sides, obviously). On the SGE2010 stack, I can set a port's primary VLAN ID to VLAN 10, and workstations work correctly. On the SF300, if I set a port to type general and the port's default VLAN to 10 (on the port-to-VLAN page), I cannot get any communication to work. This is my first time with a non-CLI switch, and I am having real problems figuring out how to troubleshoot this problem.


Cisco Wireless :: 1040 APs Work With WCS

Oct 18, 2011

Do 1040 APs work with WCS?


Cisco Wireless :: WAP200 Does Not Work Out Of Box

Apr 22, 2013

I purchased 3 of these Wireless-G access points and none of them are plug and play. I am here because I have spent the last three hours trying to go through every step they suggest in the Quick Start Guide.

I tried entering the default IP address in a web browser and waited for a login prompt that does not appear.


Cisco VPN :: 5510 Not Work From Both Sides

Nov 8, 2011

I have a problem regarding a VPN setup between a 5510 ASA and a 5520 ASA on the other side. Previously we created the VPN, but it works only when the other side starts pinging our side. I have to mention here that we created bi-directional traffic for both sides. We have to configure the tunnel to come up from both sides.


Cisco VPN :: 1841 Does Not Work In Some Network

Mar 11, 2011

Why can I not switch on my VPN in some places? The strange thing is, when I use the VPN server of my office, this works OK, and it is the same VPN client. So this means that I am doing something wrong in my private Cisco 1841 router. Here below is what does not work, and at the bottom the same computer on the same network.


Cisco :: How Well Does LMS 4.0 -300 Work On Virtual Machine

Apr 25, 2012

We have purchased LMS 4.0 -300 and were wondering how well the software will perform in a virtual environment.


Cisco WAN :: 877w SDM Express Does Not Work

Nov 7, 2011

I had the Cisco 877W router working in my old company. The old company was closed and I brought all of the network equipment to the new company. I am trying to set up this router at the new company but have lost the manual, console cable and software CD.


Cisco Routers :: RV180 VPN Does Not Work

Oct 18, 2012

I have an RV180 VPN router. I try to enable VPN users with PPTP or QuickVPN, but it is not working. For PPTP, sometimes my Windows 7 machine connects to the router, and sometimes it doesn't connect, with a random error message. When it connects, the Windows 7 machine from outside the LAN can see the computers inside the LAN, but the computers inside the LAN cannot see the Windows 7 one. This is random also. When I succeed in connecting, from that computer the internet is not working anymore. I tried to set the VPN in the same subnet as the LAN, and I tried a different subnet. It is not working. I updated to the latest firmware. The same. Restored factory settings a couple of times, the same.


Cisco VPN :: ASA 5510 - Does Client Work With ACS

Oct 30, 2011

I would like to ask all of you: I have an ASA 5510 and I want to do VPN client authentication with LDAP. After verifying the username and password with AD, can it use a policy from ACS?


Cisco VPN :: Does This Topo Will Work (ASA 5520)

May 8, 2011

I see a topology and I wonder if this topo can work: two ASAs configured active/standby (the ASA is the VPN server), and two FortiGate firewalls configured active/passive. Normally I see the ASA must be configured with inside, outside, ... and the VPN config. But in this topo, the ASA may not have inside and outside.


Cisco Wireless :: 881G - Cannot Get 3G To Work

Sep 20, 2012

I've been asked to configure an 881 with a Verizon 3G backup connection as a backup to the FE4 primary WAN connection. I've been unable to get any connectivity through 3G, and in most cases, as soon as I try to configure 3G, I lose connectivity through FE4. Currently, I don't even have FE4 connected. I'm just trying to get the 3G connection working, so then I can take it back to the office and have a functional 3G backup connection. [code]


Cisco :: Ntp Does Not Work On Two Routers 2811

Oct 7, 2011

I have two 2811 routers set up as NTP clients. They run different IOS versions; other devices are working properly. My routers take time via NTP from another router, which takes time from the NTP server.


Cisco WAN :: Configure 878 To Work With PPPoE

Feb 19, 2011

Is it possible to configure a Cisco 878 router to act as a device (router) between a DSL modem and the LAN?

There is the following scenario: "Deutsche Telekom DSL Modem -> Cisco Router 878 -> LAN"
 
DSL is an SDSL Connection with a static IP address.


Cisco Routers :: RVS4000 - QOS Does Not Work

Mar 19, 2012

I have problem with bandwidth management on my RVS4000.

This is how I did it:

All traffic (TCP & UDP on all ports)
IP range 192.168.0.2 - 192.168.0.2 (my IP address)
Guaranteed download speed 1kbps
Maximum download speed 5000kbps

After saving the settings and rebooting the router, I have a maximum download speed on my PC of 12000kbps. Why doesn't QoS work?


Cisco Routers :: Cannot Get Vpn To Work Using RV120W

Sep 12, 2011

Recently I purchased 2 RV120W routers, thinking that it must be very easy to set up a site-to-site VPN. I cannot get my remote office to link to my main office and vice versa.

Scenario
 
- I'm using 2 RV120W routers for each site.
- Site A using a subnet of 192.168.10.0 mask 255.255.255.0
- Site B using a subnet of 192.168.11.0 mask 255.255.255.0
 
I have set up the VPN using the wizard, and I got site-to-site tunnels connected, showing as 1/1 Connected (1 user) in the status. The IPsec connection status shows:

--Policy Name: VPNA
--Endpoint : public IP address from my ISP 203.117.222.221
--Packets Tx:145  Rx:0 and Kbytes shows Tx: 29.55 Rx:0
 
Q1. Why can I not use dynamic DNS naming in the policy setting (e.g. aaa.dyndns.org)? I have to use the IP address instead (e.g. 203.117.222.221).

Q2. I cannot connect from Site A to Site B. I can't even ping 192.168.11.1 from Site A, even though it shows the site-to-site tunnel is connected.

Copyrights 2005-15 www.BigResource.com, All rights reserved