I have a a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic on the opposite direction and a few essential traffic generated externally (such as Outlook web access and E-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.
policy-map type inspect FWPol_Out-In
class type inspect CCP_PPTP
class type inspect FCMAP_In-Email
class type inspect FCMAP_In-OutlookWebAccess
%FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic wasn't generated internally as all InZone>OutZone is inspected.
Our Local Network is behind the CISCO ASA Firewall.Whenever we are accessing to Client VPN server,it is getting connected but after few Minutes (May be 5/10/30 Min),the sessions are terminating. The same traffic through PIX is no issue , only with ASA Firewall. See the following Error and request you give the possible root cause for this.
2011-04-09 16:15:09 Local4.Info 172.16.1.68 %ASA-6-302016: Tear down UDP connection 87447908 for OUTSIDE:220.127.116.11/4500 to inside:172.16.9.10/4410 duration 0:27:49 bytes 18653
We have two ASA5510s, each with outside interfaces to the same two ISPs (different IP addresses within the same subnet, of course). Both ASAs allow ICMP on all (inside and outside) interfaces. One ASA's default route is to ISP-1 and the other is to ISP-2. We can ping the default gateways for both ISPs from only one ASA. From the other ASA, we can only ping the default gateway for the default route but not the other. The pings originate from an inside client, first configured with the default gateway for ASA-1, then for ASA-2. Why does this happen, how do I troubleshoot something like this and how do I fix it?
Switching out a 5510 as our primary firewall with a 5520. I've essentially copied the working config from the 5510, and put it on to the 5520, making small changes where necessary. Plug everything. I cannot get out to the internet.
-All interfaces have no shut on them -No machine can ping out to the internet gateway -All machines can ping out to the inside interface of the firewall -It's not a problem with the internet because I can take a laptop, enter in our outside interface information, plug it into the internet gateway, and I can get out to the internet just fine.
I have newly deployed network. I have two ASA5520-AIP20-k9. both connected to ISP and configured as Active/standby failover. the ASAs were working fine at first but later on, the internet connection becomes very slow. the ping reply i am getting from my next hop(ISP router) varies during the peak hour is some times in 2000 msec or above but during off hours, the ping reply time is 1 and 2 msec. when I directly connect my laptop to the link that comes from the ISP its ping reply is 1msec and 2msec. I thought the ping reply of the ASA5520 to the ISP gateway should be constant and should be 1 and 2 msec regardsless of the traffic passing through the firewall.
We have a VPN setup between two Cisco RV082 routers, the VPN status shows as connected however I can't ping the other network. I am unable to ping between routers, let alone ping computers behind those routers.
We have 2 branches, branch 1 is on a static IP and branch 2 is Dynamic. I am able to connect via QuickVPN from Branch 2 to Branch 1 and remote desktop to computers, however have yet to VPN/remote desktop in the opposite direction.
To me it seems like a firewall issue at branch 2, but what's causing this. Also they are currently running 2 differnet firmware version not sure if this would cause a problem.
I have, what I believe to be, a simple issue - I must be missing something. Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209). There is a PC (10.51.253.210) plugged into e0/1.
I know the PC is configured correctly with Windows firewall tuned off. The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue. Basically, the VPN is up and running but PC 10.51.253.210 cannot get out
I set this up and I can ping all the gateways but never the hosts. I was hoping I could make these links between 6500's a mix of L2 and L3. Check it out. They are connected in a linear fashion R1--->R2--->R3. I can ping from R1 to R3's SVI4 gateway but I can never ping a host on that SVI4. I was hoping that I could use the port-channels between 6500's as routed links or as trunk links depending on the type of traffic....thought it would ease the migration. I suppose I could always get rid of the port-channels and just make separate L2 and L3 links between the 6500's.
So I have an asa 5505 running ipsec and anyconnect and it has been working great for months. I have not made any changes to the config, but suddenly all of my anyconnect traffic is being dropped. The vpn uses the same subnet as the LAN. I tried putting a rule in to allow all traffic from the LAN subnet on the outside interface. Now I just get the WEBVPN-SVC Action-Drop in packet tracer.
I have a SG300-10 in layer 3 mode attached to a Fortinet firewall (FG). The Fortinet syslog is reporting repeated traffic violations with the following info:
src: << IP of the interface that the SG is attached to >> dst: << IP of system connected to another interface within the same VLAN on the FG >> src port: 0 dst port: 1281 service: 5/1/icmp
The traffic is dropped as it is not authorized traffic but I'm wondering what this is....Googling the dst port came up with "healthd" but not sure how that plays into this connection - does the SG use healthd? I have not found any system behind the SG that can be pinned as the source and the ACL/ACEs on the SG are very strict (only allows tcp port 443 from systems behind the SG)
I have a 2911 router that I am trying to use a h.323 gateway for faxing purposes.Right now I can 4 digit dial and 10 digit the number and my analog phone answers, but when I try to place a call I get a fast busy immediately (as soon as I pick up the receiver)
I have a Cisco 2911 Router and I need to split the traffic from my Lan (Gi0 / 0) by ISP1 (fa0 / 0) and that of my servers (Gi/0/0) by ISP2 (fa0 / 1). [code]My problem comes when wanting to communicate with my remote networks that reach the int Gi 0/1, because when my network to match the policy- route internet sends me all the way.
I cannot ping and end node on my system from my Cisco 2911. I've tried to configure my computer to ping the device and I am able to. It seems the difference between using my computer and the 2911 is that with my computer I am able to set the default gateway as the end node's ip.
Recently bring up a new Router connected to ISP A and the Netflow collector/server is located in different location and they are connected to ISP B. I have enabled snmp and netflow config on my router(2911) but not receiving the netflow packets are not reaching the server for due to some strange reason whereas other packets like ICMP for snmp are reaching the netflow collector.Finally,I created GRE tunnel between the two locations routers and set the route for the netflow collector/server to the tunnel other end IP. In this way the netflow traffic are reaching successfully to the server.
I have following scenario - router 2911 connected to 2950 switches with about 80 vlans. How can I limit speed on each of the 79 vlans (to equal % acros all of them) and give vlan 80 lets say 30% of total bandtwith. Since I am new to QOS, can you point me to the right website or give me example.
I have some issues with router configuration. I cannot open any external web pages, but ping or telnet is just fine. Im using router-on-a-stick scenario. Router connected to LAN trough EtherSwitch module. Config attached.
last week I installed a new router (2911) in my network.We had to create two different VLANs for the new setup to work as wanted.I have a Windows 2008 R2 which is a Domain Controller for Active Directory on the ip address 192.168.0.195.That server (HP DL180 G6) has two NICs. One has the above IP address and the other one has 192.168.0.199.
On the other VLAN, I have a server, running the same OS, that I want to re-join, as it formerly was, the AD on the first server (192.168.0.195). This server has the new IP address 192.168.10.194.All these are connected to a Cisco switch SG 200-50 Gigabit Smart Switch. That one is connected to a Cisco 2911 router.
The problem is that, once the old 192.168.0.194 got to be 192.168.10.194, the 192.168.0.195 can't ping it anymore... At least not all the time... Sometime it works, sometimes not... Neither can't the 10.194 ping the 0.195 all the time. When one way works the other one doesn't... When one pings the other one successfully, the other one can't...
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
We have a 2911 Router running 15.0(1)M4. G 0/0 is our LAN interface, and it has three subinterfacesG0/0.1 is our data LAN, and the gateway for our Windows machines. This is the interface this question concerns.G0/0.23 is a separate LAN for various equipmentG0/0.192 is another LAN for equipmentG 0/1 is connected to the internet, and has a public address.S 0/0/0 is a T1 PPP, connected to our core data centerS 0/1/0 is a backup T1 PPP, again, connected to our core data center.There are three static routes entered:ip route 0.0.0.0 0.0.0.0 10.12.1.1 100 This is the first PPPip route 0.0.0.0 0.0.0.0 10.13.1.1 200 This is the secondary PPPip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx 255 It currently has a cost of 255 while i figure this one out. xxx.xxx.xxx.xxx represents the cable company gateway, which I can ping properly. I've also used "gigabitethernet 0/1" in place of the next hop ip with the same results. The public interface is properly connected, and can ping it's next hop (the cable company gateway). When I change the static route for gigabitethernet 0/1 to a cost of "0", the router can properly ping DNS names, such as google.com through the public interface.
However, devices on the data LAN cannot reach any public addresses except for the router's public interface, let alone DNS names (I am using 18.104.22.168 as my test IP). If I revert the cost back to 255, making the PPP the gateway of last resort, these devices can again connect. (they travel through the PPP to our Data center's internet)
This confuses me. If our server, on the same LAN as the router can ping the public interface (it's definitley not leaving the 2911, as latency is less than 1ms), and the router itself can ping outside addresses, what is preventing the router's public interface from passing traffic to the internet from any source other than itself? I have attached our running config in the hopes that there is something obvious I'm missing (the public ip addresses have been changed so they are not exposed). I simply want clients on our 10.23.0.0 LAN to get to the internet via the public interface of the local router, and still connect to corporate resources using the PPP links. MAS_2911#sho run
Current configuration : 5666 bytes ! ! Last configuration change at 01:47:50 eastern Sat Sep 24 2011 by redacted
I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external ip, but if I change that rule to "inspect" i can connect fine (i dont want that rule set up permanently, was just using it to test the firewall).
If I set the allow rule to log, I see the following line in the application security log:
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 22.214.171.124:58141 => 126.96.36.199:23 with ip ident 0 (where 188.8.131.52 is the external laptop and 184.108.40.206 is my WAN IP address of the 2921)
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
Is this the expected behavior of "Allow" action? Is there something I can do to make sure "allow" traffic actually gets through?
’m somewhat new to Cisco routers this is my first attempt at getting one to work. I work in an environment with multiple locations, most are using the Cisco Model: 2911/K9 or the Model: 2921/K9 routers running IOS Version 15.0.We just added a new small office and all I had in the way of a router was a Cisco C1841-IPBASE-M router, running IOS Version 12.4.When setting up the C1841 I kept the configuration pretty much the same as the others allowing for the differences in the OS. I can remote into the 0/0 (outside port) from over the network, I can ping to that port without fail, but I can’t send or receive traffic from the 0/1 (inside port).
i'm having problem to ping succesfully default gateway on Router1 from Router2. Basically i can: - ping from R1 the serial interface on R2 and default gateway on R2 - telnet from R1 to R2 - ping from R2 to serial link on R1, BUT I CANNOT ping default gateway from R2 to R1 Below is the photo showing topology and running configuration on both routers
Since last week we started noticing this problem that the branch users started to complain of slow application response.. After verifying it with the ISP and middle network we noticed that if i ping from my machine (ie usernetwork) to the WAN Router interface (facing the ASA) , i get time outs.. which is strange cause this is directly connected to it via ethernet cable.
I have a VM server, whose IP is in customer VLAN600 ( 220.127.116.11/24 ) and Peer end is switch then Firewall.Switch is configured with same VLAN600 and learning mac-address of Server on VLAN 600, Firewall is also having VLAN600 and IP is 18.104.22.168/24.Server is not able to Ping/reach Firewall and vice versa.
Have been given a Dell computer for my daughter, it is only just over a year old and cant get it to connect to internet. It keeps saying that the router is not working, when I know it is ok because my other computers work on the internet ok. When I was looking to see if I could find problem I managed to access something which let me check computer connection and it came up that the Gateway IP Ping failed so I would not be able to connect to internet