Since upgrading some of the computers in my LAN to Windows 7 they all experience upload issues. I have narrowed it down to CBAC inspection on my Cisco 1711 router; I am running IOS 12.3. I have a simple CBAC inspection set for TCP/UDP only, without any application-specific inspects. Download works fine, however upload does not seem to work at all, unless I disable the IP inspection. It is all working fine for any Windows XP machine but not for Windows 7 machines. Is this a known issue? I am not sure how I can go about this - I don't want to build ACLs now for the outside interface and disable the stateful inspection mechanism, because CBAC has been working fine for me until recently.
I have an 857 doing NAT for the internal vlan1 interface (192.168.20.0/24) attached traffic:

ip nat inside source static tcp 192.168.20.5 3389 interface Dialer0 3389
ip nat inside source list aclAllowNAT interface Dialer0 overload

I would like to turn CBAC (packet inspection) off, but still maintain an ACL on the ingress to Dialer0 (traffic in from the Web) to protect access to some sensitive material (doctor's surgery) and only allow RDP from designated sites. I realise there are other ways to publish the access to the terminal servers, but this way has advantages we need, and is in place.

ip access-list extended aclAllowNAT
 permit ip 192.168.20.0 0.0.0.255 any
ip access-list extended aclIngressFromInternet
 permit tcp host xx.xx.xx.xx any eq 3389
 ...
But of course when I do this and apply the access list to Dialer0, all NAT traffic stops, as it doesn't have CBAC there telling it to allow the inspected traffic.
What do I need to put in the aclIngressFromInternet ACL to allow the NAT traffic with CBAC off?
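Added example (the editor's, not configuration from the post above) of the two ways the return traffic can keep flowing once a deny-by-default list sits inbound on Dialer0. The interface, the ACL names and the 192.168.20.0/24 subnet are the post's; the RDP source stays as the xx.xx.xx.xx placeholder; the inspection rule name, the reflexive ACL names and the timeouts are assumptions.

```cisco
! Option 1 (smaller change): keep CBAC and put the static RDP permit in the
! same inbound list. CBAC's dynamic entries are consulted before the static
! lines, so sessions opened from 192.168.20.0/24 still get their replies.
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC icmp
!
ip access-list extended aclIngressFromInternet
 permit tcp host xx.xx.xx.xx any eq 3389
 deny   ip any any log
!
interface Dialer0
 ip nat outside
 ip inspect CBAC out
 ip access-group aclIngressFromInternet in
!
! Option 2: CBAC really off. A reflexive ACL builds the return entries from
! the outbound sessions instead. Both lists are matched with the post-NAT
! (public) addresses because they sit on the outside interface.
ip access-list extended aclEgressNoCBAC
 permit tcp  any any reflect REFLECTED timeout 300
 permit udp  any any reflect REFLECTED timeout 60
 permit icmp any any reflect REFLECTED timeout 30
!
ip access-list extended aclIngressNoCBAC
 permit tcp host xx.xx.xx.xx any eq 3389
 evaluate REFLECTED
 deny   ip any any log
!
interface Dialer0
 ip nat outside
 no ip inspect CBAC out
 ip access-group aclEgressNoCBAC out
 ip access-group aclIngressNoCBAC in
```

Without CBAC the router keeps no session state, so something has to stand in for it. The `established` keyword is the only purely static alternative and it passes any TCP segment with ACK or RST set, which is not a real substitute. Reflexive ACLs track TCP, UDP and ICMP sessions, but unlike CBAC they do not follow multi-channel protocols such as active FTP, and the `evaluate` line must sit above the final deny. `show ip access-lists` shows the reflexive entries as they are created.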
I need to configure the access list on the outbound internet port to accept the following:
! extended list (standard list 10 cannot match ports): PPTP+GRE, RDP, FTP, PostgreSQL, ARD default ports
access-list 110 permit tcp any host xxx.xxx.xxx.xxx eq 1723
access-list 110 permit gre any host xxx.xxx.xxx.xxx
access-list 110 permit tcp any host xxx.xxx.xxx.xxx eq 3389
access-list 110 permit tcp any host xxx.xxx.xxx.xxx eq ftp
access-list 110 permit tcp any host xxx.xxx.xxx.xxx eq 5432
access-list 110 permit tcp any host xxx.xxx.xxx.xxx eq 3283
access-list 110 permit udp any host xxx.xxx.xxx.xxx eq 3283
access-list 110 permit tcp any host xxx.xxx.xxx.xxx eq 5900
This method does not work on the Cisco 2921 router with FW
I am running CBAC on an 1811 running IOS 15.1 and can't figure out how to configure it so that I can perform TFTP upgrades with CBAC enabled. It appears that CBAC doesn't catch self-generated traffic and put a reverse rule in the ACL. I am trying to upgrade the image on this router using a public-addressed TFTP server on the F0 interface. If I drop the ACL the traffic will work, so why isn't CBAC catching the TFTP outbound? [code]
The tftp rule above is for TFTP upgrades on other equipment, using a server behind this router. I tried defining an outbound ACL as well on F0 to get the traffic to be "caught" by CBAC, but that didn't work. I also tried adding "ip inspect name trust tftp", but that didn't work.
I found a Cisco 1711 router in our storage room and I want to factory restore it so we can mess around with it or use it as a backup.
I connected a console cable to it and in Hyperterminal on a Windows XP box I want to try the CTRL+BREAK sequence to clear it out. I'm not concerned with the current config or finding the password, I just want to wipe it like it's never been used before.
This is what I get:
System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)
TAC Support: [URL]
Copyright (c) 2003 by cisco Systems, Inc.
C1700 platform with 131072 Kbytes of main memory
I have a 1711 Catalyst router hooked up behind a cable modem. I configured the router, copied running-config to startup-config, then wrote it to memory with "write mem". I unplugged the router to move it and when I plugged it back in, I had to start from scratch.
Is this normal, or should router be able to save configuration if powered down?
BTW, I'm using Putty to access router console. Is that the hot setup for Windows 7 or is there something better?
I just picked up the E4200 to replace a router, I can remote desktop into a computer that is physically connected to this router, but cannot remote desktop into other computers on the network that are connected via another switch.
I cannot connect via PPTP VPN (normal setup in Windows XP). I have managed to connect over VPN when directly connected to the internet, and through the router (WRVS4400N) if I turn off the firewall, but I cannot connect with the firewall enabled. One more thing: the device is on and I have enabled the passthrough (and 'Multicast Passthrough' in firewall basic settings) for all available options, one of which is PPTP.
Windows 8: So I am trying to transfer files over to a friend. I used to get upwards of 2MB/s but now I am getting 255kB/s upload - both tested using Hamachi network transfer and BitTorrent with private trackers and direct connect; also tried with public trackers.
I'm new to Cisco routers; I'm trying to configure a 1711 router with a 2Wire DSL router. My problem is that I am able to ping anywhere from the router, but when I'm on my computer I can only ping the interfaces on the router, not the 2Wire router that gives me access to the internet.
My computer is getting IP address 192.168.200.100. When I ping 192.168.1.76 it is fine, but when I try to ping 192.168.1.254 it does not work. I'm assuming the Cisco has activated a dynamic route from .76 to .254, but it is not working. Why?
Here is the router configuration
Router#show run
Building configuration...

Current configuration : 1183 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
ip subnet-zero
!
!
no ip dhcp [Code]....
I need to access a shared folder over a VPN connection. Very simple host network: no Microsoft server, no AD. Just a WRVS4400N router and a peer-to-peer network.
Purchased a second WRVS4400N router to create VPN from SOHO and configured via VPN Setup Wizard.
When at the office, I can map a drive letter to a share on the other computer, as follows
net use f: \\192.168.1.111\MyShare /User:MYSELF mypass
However, when try same command over VPN, I receive the response:
System error 53 has occurred. The network path was not found.
I also cannot net view the other computer -- same error. However, I can successfully ping 192.168.1.111.
More info:
Routers have latest firmware.
Over VPN I cannot browse network via Windows Explorer (Win7 Network Neighborhood shows only my own PC. In the office I can see the other computer and the NAS appliance "NAS01").
I also cannot connect by entering \\192.168.1.111\MyShare into Windows Explorer's address bar (although I can do that successfully when at the office), or by choosing Map Network Drive from "Computer".
However, over VPN, I can get into NAS administration via https://192.168.1.3 and I can print to the office TCPIP printer (192.168.1.222)
I'm playing around with CBAC, trying to get a feel for it so I can manage it on some of our routers. I think I have the basics down, but for some reason I'm still having these issues with a 2801 running the attached config:- I had to add the "router-traffic" option to my ICMP inspect line to be able to ping anything at all on the 10.10.2.0 side from the router. We have a router doing firewall duty which is using CBAC but does not have the "router-traffic" option on its ICMP inspect line, but pings from it still work. What gives? I've read that by default (without the "router-traffic" option) traffic originating from within a router will not be inspected by CBAC, so it looks like my lab router is working as expected, I just can't figure out why pings work from the production firewall router.
- I cannot copy a config via TFTP to 10.10.2.97. Other network devices can access the TFTP server on .97, so it's my lab router that has the problem. I can ping .97, it can ping this router (.5). It looks to me like I have TFTP allowed through this router, but it doesn't work. When I do a copy command, my TFTP server on .97 sees PUTs coming in, but then says it's not getting responses from the router, so it looks like traffic is only flowing out from the router but not back in. I thought the TFTP inspect would fix that. There doesn't seem to be a "router-traffic" option for the TFTP inspect. [CODE]
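The 1811 post (TFTP image upgrade) and the 2801 post above hit the same CBAC behaviour: CBAC only creates dynamic openings for sessions that pass through the router, and the `router-traffic` keyword, available on the tcp, udp, icmp and h323 inspectors, extends that to sessions the router itself originates. TFTP is the awkward case even then: the server answers from a fresh source port, so the generic udp entry does not match the reply, and the tftp application inspector has no `router-traffic` form. What follows is an added example (the editor's, not either poster's configuration) of an inspection rule plus a temporary static opening for a router-sourced TFTP copy. The rule name is arbitrary, the interface name is taken from the 1811 post, and the 10.10.2.97 server / 10.10.2.5 router pair is borrowed from the 2801 post as placeholders.

```cisco
! Generic inspectors with router-traffic: sessions the router originates
! (ping from the router, copy over TCP, etc.) now get dynamic return entries.
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
! Application inspector for TFTP passing *through* the router (clients behind
! it). It has no router-traffic keyword, so it does nothing for the router's own copy.
ip inspect name FW tftp
!
ip access-list extended OUTSIDE_IN
 remark Temporary, for the upgrade window only: replies to a TFTP copy started
 remark on the router itself. The server picks a new source port per transfer,
 remark so only the address pair and a port range can be matched statically.
 permit udp host 10.10.2.97 gt 1023 host 10.10.2.5 gt 1023
 deny   ip any any log
!
interface FastEthernet0
 ip inspect FW out
 ip access-group OUTSIDE_IN in
!
! Check which dynamic entries CBAC actually built before blaming the ACL:
! show ip inspect sessions
! show ip access-lists OUTSIDE_IN
```

Remove the static line once the image is on the flash; it leaves a permanent hole from that server to every high port on the router. For the 2801 post's other question (pings from the production router working without `router-traffic`), the first thing to look at is whether that router's inbound ACL carries a static `permit icmp` entry: `show ip access-lists` with its hit counters shows which line is matching.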
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (63.223.117.170).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2)
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"
I have an 851 that I'm trying to apply CBAC on. However, it seems that new sessions are stuck in SIS_OPENING. I'm guessing maybe because packets are not returned; I can't understand why - everything works just fine up until I add 'ip inspect INBOUND out' on the WAN interface.
I'm in the process of configuring a Cisco 881 router for a branch office. Behind this router they have a PBX. Is it possible to inspect SIP packets using CBAC, and thereby open RTP pinholes? I only have 1 public IP address, and I'm not fond of configuring thousands of PATs to the PBX. I have successfully accomplished this with global inspection on ASA firewalls, but I don't know if this can be done with IOS as well.
We've got 5 remote offices with Cisco 881 routers, Windows clients behind them, and all routers connected via site-to-site VPN to a central software router.
Mostly all clients receive IP addresses from the routers in their subnets 192.168.x.0/24. We have a Windows DHCP server in subnet 192.168.181.0/24.
The problem is that some of the clients, physically situated in the 192.168.10.0/24 subnet, receive IP addresses from the Windows DHCP server from the 192.168.181.0/24 subnet.
Here's part of cisco cfg:
interface FastEthernet0
 no ip address
!
interface FastEthernet1
I have a pair of ASA 5520s in active/standby configuration. I plan on upgrading the ASA/ASDM images to 8.4 shortly (currently on 8.0) and would like to do this with zero downtime. Specifically, I would like to upload the new software to the standby unit, upgrade it, swap standby/active units and then upgrade what will become the standby after the swap. The problem I'm having is getting the new images uploaded onto the standby unit. I've read that the routing table is not shared from the primary and the USB ports are "for future use". I have no problem uploading the new images to the active unit via TFTP, but can't do the same to the standby.
They have an ASA 5510 with version 8.2(5). They just upgraded their Internet bandwidth to 30 Mb both ways. If we do a speed test in front of the ASA, we get 28 Mb/s upload and download, with a ping of about 5 to 10 ms. If we go behind the ASA, the download is about the same, the upload is decreased to about 12 Mb/s and the ping goes to 260 ms. The license is base; there are no additional functions added to the firewall (no IPS). I've checked the speed and duplex and everything is fine. There are no drops on the interfaces or rules of the firewall, and no drops on the interface of the ISP router either. All interfaces are configured at 100Mb full duplex. I saw a couple of discussions on this in the forums, but they don't seem to come up with anything and they look like they end in the middle of the whole story, like once the problem is solved, they don't update their discussion.
Our internet connection is connected to an ASA. The download speed is ok but the upload is very slow. we have been running some speed test from our LAN, and have been also trying to upload/download file.
Our ASA also have the IPS module. I turned this off but we've got the same result.
I send here, attached, the configuration file of the ASA.
I'm running a couple of 5520s (with failover configuration) and firmware 8.3.1. Everything worked fine until I tried to upgrade the firewall to the new firmware version: 8.4.1. [code]
When I try to upload a new firmware or ASDM image, the ASA appliance reboots during the TFTP session. I've already tried to upload the new images on both appliances, using either the CLI or ASDM, but the result is always the same: the ASA reboots.
From my point of view, the problem isn't the image but could be the firmware I'm running, because using firmware 8.0.1 I was able to upload ASDM 8.3.1, but using firmware 8.3.1 I can't upload the same image.
As of right now, I don't have access to the PIX itself but can get access to it later today. In the meantime, I wanted to get everyone's opinions on a very peculiar issue I'm seeing with Internet download speeds.
Prior to last week, my company was utilizing a Sprint T1 connection for all visitor traffic. Attached to the Sprint T1 was a Cisco router -> C3524 Switch -> PIX-506E device.
Last week, a decision was made to upgrade our bandwidth for our visitor traffic and we replaced the T1 with a Comcast Business Class cable solution. The bandwidth we ordered was 22Mbit down/5Mbit up. From the cable modem that was provided, we connected it in the same manner -> C3524 Switch -> PIX-506E device.
Since the change, I noticed that our visitor VLAN hasn't really had much of a change in Internet speeds. Doing some quick speed tests, it shows that our download caps at around 5Mbit but our uploads are in the 22Mbit range. Thinking Comcast messed up and accidentally flipped our download/upload speeds, I was on the phone with them for almost an hour as we investigated the issue. They finally had me connect directly to the Comcast cable modem to test on my laptop. The results are that from the cable modem, the speeds are correct (I get 22Mbit down, 5Mbit up).
I'm not really sure how to troubleshoot this or where to even begin. At first I thought maybe our PIX couldn't handle the speeds, but it's handling the upload rate just fine. All I know this has to be equipment on our side since Comcast had me test directly from the cable modem.
I have a Cisco ASA 5510 with version 7.0(7) and all users are browsing the internet via PAT through the ASA. I want to block some sites/URLs like Facebook, Yahoo etc.
I set up a Cisco 2811 to replace a Netgear router at the office. I have NAT set up and with CCP I added a firewall on the router using the basic firewall wizard. Just about everything works: internet, receiving and sending emails on Exchange from the PC. The issue I'm having is no one can access the company email on their phone. Also there's a camera system that should be accessible to view the live feed from outside the office, and my boss can't access the camera. I port mapped all the custom applications and added a new traffic rule from self -> out-zone. It didn't work; I tried to add one from out-zone -> self or in-zone but I get a prompt stating it only accepts the protocols tcp, udp, sip, h323, icmp and a few others I can't think of. I'm pulling out my hair trying to get this to work; everything worked seamlessly on the Netgear router and nothing was really defined, just the inbound IP address of the applications and the protocols that are allowed.
Let's say for reference purposes my IP addresses are:
internet 55.34.23.43 /24
email server 192.168.10.252 /24
web cam application 192.168.10.10 /24, 8000 in, 8001 out
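An added example (the editor's, not the poster's CCP-generated configuration) of the piece the basic firewall wizard does not write: a separate out-zone to in-zone policy for the published services. The self zone only covers traffic to and from the router itself, which is why rules added there never match forwarded ports. The zone names out-zone and in-zone are the ones the post (and CCP) use; the addresses are the post's placeholders; TCP 443 for the phones' Exchange access (ActiveSync/OWA) and TCP 8000/8001 inbound for the camera are assumptions.

```cisco
! Static port forwards for the published services (extendable is required
! when one public address carries several port-level translations).
ip nat inside source static tcp 192.168.10.252 443 55.34.23.43 443 extendable
ip nat inside source static tcp 192.168.10.10 8000 55.34.23.43 8000 extendable
ip nat inside source static tcp 192.168.10.10 8001 55.34.23.43 8001 extendable
!
! For outside-to-inside traffic NAT runs before the zone policy, so the
! class ACL must name the private (already translated) addresses.
ip access-list extended PUBLISHED_SERVICES
 permit tcp any host 192.168.10.252 eq 443
 permit tcp any host 192.168.10.10 eq 8000
 permit tcp any host 192.168.10.10 eq 8001
!
class-map type inspect match-all PUBLISHED_SERVICES_CLASS
 match access-group name PUBLISHED_SERVICES
!
policy-map type inspect OUT_TO_IN
 class type inspect PUBLISHED_SERVICES_CLASS
  inspect
 class class-default
  drop log
!
zone-pair security out-in source out-zone destination in-zone
 service-policy type inspect OUT_TO_IN
```

If Exchange receives mail directly from the Internet, TCP 25 to 192.168.10.252 belongs in the same ACL; it is left out here because the post says mail already flows, which suggests a relay. `show policy-map type inspect zone-pair out-in` shows per-class session and drop counters, and `show ip nat translations` confirms the static entries are in place while testing from outside.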
I have ASA 5505 running 7.2.4, I want to prevent users accessing some web sites such as facebook , youtube and hotmail etc.
Which ASA 5505 IOS version should I use to block web access?
I don't want to install a dedicated filtering server (Websense etc.), I just want to block web sites statically on the ASA 5505 via ASDM, as I only have a few sites to block.
know if the ASA 5505 can do URL filtering, and what IOS is required?
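Both ASA posts above ask the same thing, and the ASA can do it itself from release 7.2 onward, where the `regex` command and `class-map type inspect http` appeared; the 7.2(4) unit qualifies as is, the 7.0(7) unit needs an upgrade first. The following is an added example, the editor's rather than either poster's configuration, that drops cleartext HTTP connections whose Host header matches the named domains. The regex, class and policy names are arbitrary; `global_policy` is the ASA's default policy-map name.

```cisco
regex DOMAIN_FACEBOOK "facebook\.com"
regex DOMAIN_YOUTUBE  "youtube\.com"
regex DOMAIN_HOTMAIL  "hotmail\.com"
!
class-map type regex match-any BLOCKED_HOSTS
 match regex DOMAIN_FACEBOOK
 match regex DOMAIN_YOUTUBE
 match regex DOMAIN_HOTMAIL
!
! Match HTTP requests whose Host header hits one of the regexes
class-map type inspect http match-all BLOCKED_HTTP
 match request header host regex class BLOCKED_HOSTS
!
policy-map type inspect http HTTP_FILTER
 parameters
 class BLOCKED_HTTP
  drop-connection log
!
! Hook the HTTP inspection map into the global policy for port 80 traffic
class-map HTTP_TRAFFIC
 match port tcp eq www
policy-map global_policy
 class HTTP_TRAFFIC
  inspect http HTTP_FILTER
service-policy global_policy global
```

ASDM exposes the same objects under Configuration > Firewall > Objects > Regular Expressions and the HTTP inspect map. The caveat to state up front: the Host header is only visible in cleartext HTTP, so anything reached over HTTPS bypasses this filter entirely, which makes it a stop-gap for a handful of sites rather than a replacement for a URL filter or DNS-based blocking. `show service-policy inspect http` shows the drop counters.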
I have a Cisco ASA 5510. I have detected an infected workstation on my internal LAN which has caused my IP to be blacklisted by Barracuda Networks and other RBL. I have scanned and cleaned the workstation removing the spambot. I want to prevent all my internal workstations from sending SMTP traffic on Port 25 through my ASA 5510 device. I only need to allow my Exchange Server access to send out traffic on port 25. configure this setup using ASDM 5.0? I know it may be easier using CLI, but using the ASDM would really be preferred.
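The egress rule the post describes, as an added example (the editor's, not the poster's configuration). ASDM 5.0 builds exactly this under Security Policy > Access Rules; the CLI form is shown because it is unambiguous. 192.168.1.25 is a placeholder for the Exchange server's address and `inside` for the LAN interface name.

```cisco
! Only the Exchange server may open outbound SMTP. Anything else on the LAN
! that tries port 25 is dropped and logged; the log line is what tells you
! a workstation has started spamming again.
access-list INSIDE_IN extended permit tcp host 192.168.1.25 any eq smtp
access-list INSIDE_IN extended deny   tcp any any eq smtp log
access-list INSIDE_IN extended permit ip any any
!
access-group INSIDE_IN in interface inside
```

Only one ACL can be bound inbound per interface, so if one already exists on `inside`, put the two SMTP lines at the top of that list instead of creating a new one. A port-25-only rule does not catch bots that relay through the submission ports (587, 465); add those if no internal client legitimately needs them, and watch `show logging` for the deny hits.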
I am working on an ASA5505 and am trying to open the ftp port. I have a server (192.168.10.202) on the local LAN which is attempting to download antivirus updates from the net via ftp.
: Saved
:
ASA Version 8.3(2)
!
hostname SITE
enable password XXXXXX
passwd XXXXXX
names
I purchased an SA520W for my company, and I have some problems configuring the firewall. I want to deny access to Facebook, YouTube and Twitter, but not for 4 hosts which need these websites for work. I tried to configure Content Filtering > Blocking URLs, but with this solution I deny access for all users. So, I tried to make IPv4 rules:
The 4 hosts which may access these websites are 192.168.50.124 to 127.
Example: FROM Zone: LAN, TO: WAN, Service: Any, Action: Block always, Source hosts: 192.168.50.32 to 192.168.50.123, Destination hosts: 66.220.158.11 (one of Facebook's IPs)
but it does not work. So, I am looking for another solution, or maybe my rule is not correctly configured?
networking but can understand with a bit of explanation. I own a restaurant and provide free WiFi for my customers with a Cisco E2500. I am getting bills that are through the roof; I contacted my ISP and was told users were accessing P2P downloads (uTorrent, etc.). How can I block these applications?