Cisco Firewall :: 2800 / Implement Backup Between Two Sites

Sep 13, 2011

I need to implement the backup between two sites I have router 2800 which is having a point to point connectivity with the far end.At the far end there is no router ,only one firewall is there on that firewall one access-list is there to allow the traffic .To implement the back up link i have created a site to site vpn  .But the problem is as soon as the tunnel is establised .For the time being i have removed by site to site config from both firewall.

View 7 Replies


Cisco WAN :: 2800 Implement IPSec VPN Between Two Routers

Aug 20, 2009

We want to implement an IPSec VPN between two routers cisco 2800 IOS version of what we need.

View 4 Replies View Related

Cisco Infrastructure :: 1921 / Implement Dynamic QoS Between Two Sites Across Low Speed WAN Link (512k)?

Jan 15, 2013

I have a trouble to implement dynamic QoS between two sites (Site A, and site B) across low speed WAN link (512k). On each site I have Cisco 1921 router. Most important app is Oracle. Because of slow speed WAN links, I want to avoid exact bandwith reservation for Oracle. I only reserve 5% bandwith for network control(icmp, ssh, telnet...) and want configure next Qos scenario:
1. If Oracle traffic exist on a network, it must have 70% of link speed guaranteed, all other apps (e.g mail, file share, ftp) use rest of the bandwith.

2. If there isn't Oracle traffic on a network, all other apps can use all available bandwith.
Issue descrtption:I used all Cisco guides, but when I implemented this on production it simply didn't work. There is no any significant improvement after implementing this (when I start network file sharing accross wan link, Oracle becomes etremly slow.).Here is configuration wich I trying to implement:
ACL-s and class-maps used to mark traffic:
access-list 119 remark ###QoS-MGMT###
access-list 119 permit tcp any any eq 22
access-list 119 permit tcp any any eq telnet
access-list 119 permit icmp any any
access-list 120 remark ###QoS-DB_ORA###


View 5 Replies View Related

Cisco VPN :: 2800 VPN Tunnels For Multiple Sites

Feb 19, 2012

i am building new vpn tunnels for multple sites using 2 ASR 1004, and 100 remote devices cisco 2800 routers.I am thinking of using getvpn to do it, am i thinking correct ? can i use DMVPN

View 3 Replies View Related

Cisco Switching/Routing :: How To Block Sites In 2800

Nov 23, 2012

I have a cisco 2800 router.. (flash:/c2800nm-advsecurityk9-mz.151-4.M4.bin, Version 12.4(13r)T11) configured DHCP, DNS, NATING and Bandwidth restriction...And to stop some social network [URL] i configured ip route Null0 (rang of facebook address) But still i am able to open in my network...
ADMIN-II_2811#sh run
Building configuration... 
Current configuration : 1812 bytes
! Last configuration change at 17:26:33 UTC Sat Nov 24 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec


View 1 Replies View Related

Cisco WAN :: Configure Backup Links On 2800?

Oct 16, 2011

I currently admin a WAN link between two international sites.  I have a 2800 at each end. The primary connection between the two sites is 20MB Ethernet PIP MPLS BGP circuit.  I also have a pair of T1's in a PPP multilink that I switch over to in the event the primary circuit goes down.  I currently am doing the switch over manually.  It takes me about 15 minutes to complete it, but I know there must be a way to make this an automatic process.
So a couple questions:
1) Is there a way to create an "enhanced multilink" with the 2 T1's and the Ethernet circuit in the same bundle, in effect giving me 23MBps bandwidth while still being able to maintain connectivity if one of the 3 links goes down?  This is my preferred solution
and if 1 is not possible then
2) Is there a way to configure the router so if the Ethernet circuit goes down, all traffic will be automatically directed over the T1's, and then come back to the Ethernet when it's back online?

View 5 Replies View Related

Cisco WAN :: 877 / 2800 - Use Static ADSL As Backup Connection

May 3, 2011

We have a few WAN connecting sites to ISP using BGP. we are looking at getting backup link for 1 site.

We have decide to use an IP WAN ADS L link. we will have 877 and 2800 for each link. from understanding, we have a static routing on IPWAN service. means when both BGP WAN and IP WAN connected to the ISP. ISP will use ADSL as primary ignore the BGP link. so other sites will see a BGP route coming from ISP via the ADSL link for this location.
So we have find a manuel solution, leave ADSL unplugged of power but setup same LAN ip address and connect the cable towards the core switch. when WAN link fail, switch on ADSL. So the static route will advertise to the rest of sites. 
just want to know is there any auto solution can disable the ADSL link/ ppp link when the 2800/WAN route is up. and enable the ADSL port when the WAN is down. not sure if HSRP/backup interface/tracking will work? and how?
site office switch - > 2800  - >  ISP  - > ADSL ->  ISP 
(need this link to be backup and protocol down, so the ISP will not able to connect to this link and advertise as next hop)

View 5 Replies View Related

Cisco WAN :: 1800 / 2800 / 2900 - Using ADSL As Backup Line

Aug 1, 2011

Site A, site B, site C, site D is connected using leased line each other. We are using Cisco 1800, 2800 and 2900. Each site also have Internet connection using ADSL connected to firewall, we are using pix 501 and ASA 5510.My question is, can i use the existing ADSL line to be use as a backup line if the leased line is down on any of the site??And i want it to trigger itself, once the leased line is down, the firewall UP the backup line? something like that..

View 1 Replies View Related

Cisco WAN :: Reliable Static Routing Backup Using Object Tracking On 2800

Jan 29, 2012

I was configuring route tracking at a client with several sites to route across GRE tunnels and being able to detect a failure of the main site. To my surprise when configuring a 2800 series router (after sucessfully configuring a 1800 series on the same infrastructure), a 2821 with  IOS 12.4(24)T2 IPbase, the commands for ip sla object tracking don't show up.The feature navigator says the router supports this, but it just won't take the commands (also tried older versions of the commands such as "ip sla monitor.." and "rtr .." to no avail).

View 5 Replies View Related

Cisco WAN :: 2800 / Error Opening Flash - Config-backup-1 (No More Root Directory Entries Available)

Oct 7, 2012

I have Cisco 2800 series router.  When I am trying to write memory getting error message  " Error opening flash:config-backup-1 (No more root directory entries available)" When there is simultaneous access to a router's NVRAM, we might encounter these errors. In order to clear the line the other user(s) is (are) connected on and free the NVRAM, issue the clear line command. But still getting the same error message.

View 1 Replies View Related

Cisco Firewall :: Implement Secondary ISP To ASA 5510?

Aug 27, 2012

We are in the process of implementing secondary ISP to our ASA firewall and We would like to run both ISPs in parallel so we can test until we finally cutover?

View 2 Replies View Related

Cisco Firewall :: ASR1002 - Implement ZBF On Router?

Jun 3, 2012

We are trying to implement the ZBF on our router to assist us in limiting the intial impact of DDOS attacks.We have configured the below and it appears that it's not working, as when un der attack the statistics don't increae.


View 2 Replies View Related

Cisco Firewall :: Can ASA 5505 In Router Mode Implement MAC ACL

Oct 21, 2012

My client is asking can the Cisco ASA 5505 implement MAC ACL in Cisco ASA 5505 which is now running in Router Mode.I have tried to search the document and also tried the ASDM in the Cisco ASA 5505 but could not see any way to do the ACL by MAC address.At the same time how to find out that by using command line the ASA 5505 able to run MAC ACL in router mode?

View 2 Replies View Related

Cisco Firewall :: Implement A NAT Configuration After Having Upgraded ASA5510

Aug 17, 2011

I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
The upgraded NAT rule and access list works fine at allowing external access to a web server.
However we now need to NAT the SOURCE address (either to a pool or single address) of incoming http requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the severs default gateway does not return to the ASA, so "tagging" the source address of external requests to an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way but we can't see any alternative.
Having read a huge amount of examples we can access the server with the above config (or Object NAT), and we can NAT incoming traffic,however we can't combine the two by having all external http requests Source Natted before forwarding to the server.

View 8 Replies View Related

Cisco :: 2900 - Implement Zone-Based Firewall?

Dec 25, 2012

I am looking to implement Zone-Based Firewall on some 2900 series routers (2911 and 2921.)  Based on some research I've done it looks like the cisco2911-sec/k9 and cisco2921-sec/k9 bundles should be all I need.  Is this correct, or is there some other licensing component that needs to be enabled for me to implement Zone-Based Firewall?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - How To Implement NAT On Multiple Internal VLANs (DMZ)

Apr 4, 2011

I've got a cisco asa 5520 and setting up the NAT for multiple DMZs on it. 

 I want to use PAT on the outside interface.
internally ive created subinterfaces for the VLANs and connected to a trunk port on a switch.
configure NAT for this scenario. I've got only 1 external public IP address.

View 1 Replies View Related

Cisco Firewall :: Firewall Alert In Log Buffer 2800 Isr

Aug 3, 2012

I'm getting this in my log buffer off my Cisco 2800 ISR. Seems like a firewall alert and  I've looked it up but, having a hard time really understanding what this really means.Should I be worried about this? Aug  2 18:27:56.380: %FW-4-ALERT_ON: getting aggressive, count (3/500) current 1-min rate: 501,Aug  2 18:28:29.792: %FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 84.

View 1 Replies View Related

Cisco Firewall :: 2800 - Blocking Url Access?

Jan 30, 2012

I wish to block some url that users have access through my LAN
Thats  i wish to block icmp,access towards such sites, i wish to block icmp  because dns will resolve the domain and they can access through ip  address.
what i have in place is a cisco 2800 series routers

View 2 Replies View Related

Cisco WAN :: Router 2800 Install Firewall IOS

Jul 27, 2011

I have Cisco router 2800 IOS and Version is (c2800nm-spservicek9-mz.124-6T5.bin)  (IOS Version 12.4(6)T5).I wnt to install firewall.

View 1 Replies View Related

Cisco Firewall :: ASA 5510 And 2800 VPN Router Connectivity?

Apr 23, 2013

I have been tasked to connect a 2800 router to our ASA 5510 firewall.  The router will be used as a VPN router.  It will terminate two different VPN connections to two different networks.  I can setup the 2800 VPN config but what would I need to do to setup the firewall.  I am using an extra Ethernet port(it has 4) to directly connect the router. The FW has our outside internet connection, the DMZ, and our inside LAN connection.  I do not have a lot of experience with Firewalls and I do not want to create a security breach while trying to set this up!!

View 5 Replies View Related

Protocols / Routing :: Unable To Access Any Sites Except Google Sites

Jul 8, 2012

MY ISP installed one router in my lab.for internet connectivity they mail me steps :connect your Laptop directly to gi0/3 port to check internet connectivity with public ip 1.1.1.x and Gateway with subnet mask after connection I surprised because I am able to access only google sites like gmail,google search etc. but I am able to ping/traceroute all sites.from browser I am able to access only google sites only.In Router no firewall no such access list.

View 2 Replies View Related

Cisco Firewall :: 2800 - Can't Getting Layer 7 App Filtering In ZoneBased Policy FW

Jan 8, 2012

I am trying to get layer 7 application protocol to work in a simple test setup, I need to get this working to filter roommate traffric . Simple configuration with two interface(inside and outside). With layer application configured, everything works fine, but when applied layer 7 it does not block the web site i want... URL filter  and parameter map don't work either...
Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
parameter-map type urlfilter URL-FILTERaudit-trail onparameter-map type regex humoronpattern [Hh][Uu][Mm][Oo][Rr][Oo][Nn][.][Cc][Oo][Mm]
parameter-map type regex LAPOSTE1pattern LAPOSTE.NET(code)

View 1 Replies View Related

Cisco Firewall :: ASA5550 - Implement Traffic Shaping / Policing Primarily For P2P Traffic?

Mar 10, 2011

We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.

View 1 Replies View Related

Cisco Firewall :: 2800 Routers / ASA 5510 Cannot Ping Via Route Inside?

Mar 3, 2013

I recently added a business cable modem to relieve some of the congestion I was getting on my T1 for our MPLS network.  There was an ASA 5510 collecting dust in a closet here and I thought it would be the perfect device for firewalling the traffic coming in from the Cable modem, and handling the routing of our internal MPLS traffic as well.  Internet setup was cake.  The test laptop I have using the ASA as it's gateway has great internet service but it cannot ping across either of our MPLS networks.  I have one MPLS with AT&T and one MPLS with EarthLink.  My hope was to use the cable modem as the Default route for all unspecified internet traffic and route our internal MPLS traffic to the cisco 2800 routers that are currently in place for the MPLS.  I can ping across the MPLS when I telnet to the ASA, but I cannot ping across the MPLS from the client that is connected to the ASA.
Here's the topology I'm working with
Cable Modem
ASA 5510


View 8 Replies View Related

Sites Blocked By Netgear Firewall

Aug 26, 2012

i've had my netgear wireless router for about a year now.i went to facebook and i recieved a message on a red and black screen t hat said this site has been blocked by netgear fire wall. i've never changed any of my setting since i got this router so i'm not sure why all of a sudden certain sites have been blocked.. i've tried logging into my account to try to change my settings using my default username and password but it keeps saying that i dont have access.

View 5 Replies View Related

Cisco Firewall :: How To Access Folder Between Two Sites - ASA5505

Oct 27, 2011

I manage to configure the firewall 5505 so that it can ping between outside and DMZ and also between DMZ and inside.
Outside and Inside are not accessible to each other because Outside No Forward to Inside.
My purpose now wants to access the shared folder by Windows Explorer ( under Network ) between for example DMZ and inside. I tried to do it but cannnot even see the Host of the other party network. For example, if I open Windows explorer at DMZ, I can't see the Host at Inside Network. Same as I open Windows Exploere at Inside, I can't see also the Host at DMZ network.
How am I configure so that I can access the hsot as well as shared folder of two sites which already can ping each other?

View 12 Replies View Related

Cisco Firewall :: 5505 / Can't Connect To All Sites Outside From Inside

Dec 20, 2012

For some reason there are some sites that I cannot access websites from inside interface.One such example is where I am receiving this message in the browser:The connection has timed out   The server at is taking too long to respond.This has "suddenly" happened, and so I am wondering what others have done when such things has happened. My outside has a dhcp-IP, and I have noticed that this address had changed, so I corrected this in my router settings.ASA version is 5505
These are my settings:

: Saved
ASA Version 8.4(2)
hostname ciscoasa
enable password 123412321 encrypted
passwd 1231231 encrypted


View 4 Replies View Related

Cisco Firewall :: PIX 515 Blocking Outbound Traffic To Certain Sites

Oct 14, 2012

I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits),  as well a a WInXP box. All of these are connected to the same switch,  which is connected to the inside port of my PIX 515.
For a few sites ( happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that  matter - will not go through the PIX (from inside to wan). I have  verified this by first, using wireshark to watch the packets being sent  out from the client box, then by using the trace function in the PIX to  see that the packets ARE arriving at the inside interface, but ARE NOT  sent out of the wan interface.
This is for the linux boxes ONLY. When I do the same thing with my WinXP  box, all works: in the PIX trace, I see the packets arrive at the  inside interface, and leave the wan interace. And access to these sites  are okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
Some background:
I have been using this PIX for about 10 years now, with the same  configuration (except IP addresses). Only in the last several months has  this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something  else. I don't have any support license, and have not been able to get  any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by (code)
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

PS: Since this PIX is at its end of life, I was wondering if any of the  software upgrades would be now available without a license?

View 2 Replies View Related

Cisco Firewall :: Accessing Internal Sites Via External IP 5505

Jun 4, 2012

I have a Cisco 5505, 2 sites that are internal, 1 external IP (dhcp from cable modem).   While on my laptop, ipad, iphone, I cannot access the server via it's external IP address.  I MUST use the internal IP in order to access this site. I have heard of hairpinning, internal dns server(don't really want this).

View 8 Replies View Related

Cisco Firewall :: 5520 Connect Two Overlapping IP Address Sites

Dec 13, 2012

I am trying to connect two overlaping IP address sites ( see attached diagram). Site A LAN address will dynamic NAT to at ASA5520.All the users from site A need to get services from site B ( DHCP, DNS, Mailbox,Print Servers, AD loggin etc). All the connections will be initiating from site A to B.
1-will all these services will run over NATed address.( dynamic) or I have to change to static NAT?

2- Any sample config for ASA 5520 for this type of network?

View 3 Replies View Related

Cisco Firewall :: ASA 5505 With Backup ISP?

May 8, 2012

I am working with a client that currently has an ASA 5505 with two ISPs for failover using a tracked interface.  I would like to configure logging so that the ASA will email us when the Primary ISP goes down and fails over to the backup.  Here is what I have so far...
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 12


The primary interface is Outside and the backup is obviously Backup

View 2 Replies View Related

Cisco Firewall :: ASA 5505 Backup ISP Configuration

Jun 13, 2011

I'm having problems configuring an asa 8.2(1) with a backup isp.  I followed the asdm instructions in this document: [URL]
I have my backup interface configured as DHCP and the static routes set. Pinging the gateway and other external IP address from the backup interfaces works normally. I have also tried configuring the backup interface as a static address but got the same results.
When removing the primary wan link, all traffic stops. When I ping a external DNS, I get these errors in the log: portmap translation creation failed for udp src inside: dst backup: 8, code0)
I though this type of error is related to a NAT problem, not sure where to look though.

View 4 Replies View Related

Cisco Firewall :: ASA5510 Dual ISP And VPN On Backup

Dec 19, 2012

ASA5510 ios v8.4.I've setup dual ISPs and I'm trying to get ipsec VPN client access to work on the backup interface (outside-backup). The goal is to have outbound traffic on the inside subnet NAT'd through the main interface (outside) while inbound ipsec VPN clients connect and operate off of outside-backup.crypto map is applied to 'interface outside-backup,' however clients are unable to connect. If I switch the default route to go through outside-backup everything starts to work again.

View 1 Replies View Related

Copyrights 2005-15, All rights reserved