I have an 887, I'm having trouble wrapping my head around the ZBF. I would like to change it to the old style firewall, but using the CCP it says I must delete the ZBF policys first - fair enough, I deleted all the rules so the firewall looks blank, but it still doesn't want to let me change the firewall mode - saying I must remove all the policies first.
View 5 RepliesAnyway to get the EA6500 back to Classic Style Firmware? I know they offered the roll back on the EA4500.
View 1 Replies View RelatedI need to know if I can pull Netflow style data (Top Talkers, Top Sessions, etc) from ASA 5505s? We are looking at buying some but I need to be able to export this kind of data to my managment station which is also a collector. I have read on this forum that 8.2 and above should support Netflow but I have read conflicting information.
View 2 Replies View RelatedI have a Cisco 8510msr that is connected back to back with a 7206vxr across a 155Meg connection.I receive lots of Output drops on the 7206vxr interface facing the atm switch. When I do the following command:-
kwdair9#sh atm int atm 1/0Interface ATM1/0:AAL enabled: AAL5 , Maximum VCs: 4096, Current VCCs: 27 Maximum Transmit Channels: 0Max. Datagram Size: 4528PLIM Type: SONET - 155000Kbps, TX clocking: LINECell-payload scrambling: ONsts-stream scrambling: ON797522 input, 881483 output, 203946630 IN fast, 223768062 OUT fast, 0 out dropVBR-NRT : 110288 Avail bw = 44712 <====
I only have 44megConfig. is ACTIVEkwdair9# I only get 44Meg of the available 155Meg.There is no QOS on the router and the only commands I can find that vaguely see that refer to QOS are on the ATM switch:-
atm address 47.0091.8100.0000.0007.0d87.b201.0007.0d87.b201.00atm router pnnino aesa embedded-number left-justifiednode 1 level 56 lowest redistribute atm-static?why this is acting like a DS3 link and not a 155Meg link?
What cable I need to connect two 2951 back to back through a HWIC-4T1/E1 card ?
View 1 Replies View RelatedI have two site that has a copper wire ( 2 wire) connection between each router ( No Telco in between ). Now I want to use 1921 router with HWIC-4SHDSL-E card to connect these two site together. Can I use attach configuration to make the connection reference from the diagram ?
View 1 Replies View RelatedI have 2650XM router and 2620 Router Both routers have built in WIC T1 CSU/DSU cards
2620Router --
2620Router#sh int se0/0
Serial0/0 is down, line protocol is down
Hardware is PQUICC with Fractional T1 CSU/DSU
Description: DTE side
MTU 1500 bytes, BW 1544 Kbit, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation HDLC, loopback not set
[code]....
My question is that cisco website says there are two type of cable connections for this type of config --which are --T1 CSU/DSU ConfigurationSet one CSU/DSU to clock source internal, and the other CSU/DSU to clock source line. The linecode, framing, data-coding, and timeslots must be set the same on both CSU/DSUs.Four-Wire 56k CSU/DSU Configuration For my network connection which type of config i should use??Secondly i try to connect these ports by normal crossover cable it did not work.So for this type of connection i know i need T1 cross over cable-- which has RJ 48 connections at both sides.I check cable from ebay which is RJ45 RJ48 cross over -- will this cable work in my router to router connection.
I have 1 2611xm router and 1 2801 router. For my own lab purpose, i want to configure them back to back to support voice services. I don't know what configuration will be required at each end. in 2611xm, i have NM-2V and its also detecting the card, so i hope it will work ? also what commands i need to run on both ends .
View 1 Replies View RelatedI would like configure two router (e.g. 1921) back to back via a 2 pin copper wire. Can I use HWIC-4SHDSL-E card to do it? What is the configuration I can use?
View 7 Replies View RelatedI have two site that has a copper wire (2 wire) connection between each router ( No Telco in between )Now I want to use 1921 router with HWIC-4SH DSL-E card to connect these two ste together.Can I use attach configuration to make the connection reference from the diagram?
View 2 Replies View RelatedJust to get this clear as having issues with a E1 link with CRC's at one.Router A,Network-Clock-Participate WIC 1,Should router B have clock participate for WIC 1? We currently have controllers set as UNFRAMED but guess we can set to NO-CRC4 both ends and telco will pass this.
View 1 Replies View RelatedI'm looking for instructions on how to setup and connect two RV082 routers together with a crossover cable between their WAN ports. This is to connect two separate LANS together via an ethernet connection. For staging we are setting everything up with a crossover cable in our shop. Ultimately the crossover cable will be replaced by a microwave link between the two LANS several miles apart. There will be no internet connection.
View 7 Replies View Relatedsecuring a back-toback connection using E1.The connection is between two cities, using 2x CISCO 1841 router + VWIC-1MFT-E1 interface at each city.
The E1 connections has been provided by our local telco, and they are completely private. The customer is a bank, and they asking me if this is a secure connection or not. If possible, we need to guarantee that no body can get access to the bank network even if they brought E1 modem at one of the ends (telco PoP).
I searched a lot but couldnt find a clear document about connecting 2 G.SHDSL routers back to back.First of all I am not sure which type of cable (RJ11) is used for connecting two 878 routers. Does it have to be cross or straight cable.
Which RJ11 pairs will be connected each other [code]
According the configuration samples One router must be CPE and the other must be CO for simulating DSLAM.
I'm having some trouble getting two Cisco 888's to work correctly back to back.. The two routers will ultimately be used in conjunction with a BT EPS8 circuit which is effectively four wires short distance between customer sites. We have configured lots of these using the older Cisco 878's.
Anyway, as i've been struggling to get line sync on site I've gone back to basics and connected the two 888's back to back. However, I've found that no matter what I do I can only get the routers to sync at 384kbps!? And that's with a one meter RJ11-RJ11 cable.. Very strange. When we've used the 878's we get much more bandwidth. I have tried statically assigning the line rate at both ends but it still only works at 384kbps.
I have an old Pix(on ASA 8.0) having a lot VPNs with pre-share keys setup. And it has been too old to find out what those pre-share keys are on any documents. Now I need to replace this PIX with a new ASA. My question is how can I find out those pre-share keys, so I can setup same VPNs on the new firewall and make it plug-and-play. Any way I can export then import those VPN pre-share keys from the old PIX to the new ASA? Or export and import whole configuration, but hardware are different.
How can I setup same VPN pre-share keys as the that of the old Pix on the new ASA?
I downloaded a new image to my ASA 5510 and found out up on reboot that the ASA doesn't have enough memory so I am booting to the "ciscoasa" prompt with no config. I still have my old image in disk0:. How do I roll back to this old image?
View 1 Replies View RelatedI have asa 5505 with security plus license, I configured dual ISP with two different ISP provider. I followed below cisco document to configure dual ISP [URL] The Configuration works during the testing, while removing the primary ISP cable from firewall. The problem i am facing is my primary ISP is down but the gateway is still up and it not switch over to backup ISP. For SLA which IP should i monitor so once my primary ISP is down it will fallback to Secondary.
View 5 Replies View RelatedI have a sending application that it is establishing a TCPIP socket connection to a vlient that has a receiving application on another server (completely separate networks) The receiving end has a Cisco Router 1605R and has allowed my connection using this firewall rule
access-list 101 permit tcp host xx.xxx.xx.xx any eq 5600 log
(where the x are actually numbers corresponding to the senders IP address)
I can establish an outbound connection to the receiver and the connection shows up on the machine. After the connection is established I can send data and it is received by the receiving application (I observed this using a socket test application, data actually gets through the firewall) However I need to send an acknowledgment back on the same session to the sender. This cannot be transmitted and shortly after I try sending the connection is closed with error 10060.
I am looking to change my Failover Int IPs on my PIX 515E Bundle, Cisco PIX Firewall Version 6.3(5)123 with the least impact on the network.
For example:
interface ethernet5 "state"
IP address 172.18.0.245, subnet mask 255.255.255.252
ip address state 172.18.0.245 255.255.255.252
failover ip address state 172.18.0.246
I want to change these lines to .....
interface ethernet5 "state"
IP address 172.18.0.185, subnet mask 255.255.255.252
ip address state 172.18.0.185 255.255.255.252
failover ip address state 172.18.0.186
I added a new server and created a new static NAT assignment on the ASA 5510 to the server's IP. When I browse to the web to check what public IP it's reporting, it shows the wrong IP. I disabled the network interface on the server, ran "clear xslate", reenabled the network interface, ran "sho xlate" and while the correct translation was in the table, the server still reported the wrong IP address.I even ran a packet trace and it showed the IP address being correctly translated to the proper public IP, but when I browse to the web I get the same erroneous public IP. [code]
View 8 Replies View RelatedI have 2 cisco asa 5540's configured in active/standby mode. I need to change the hostname and domain name as per our standards. Does changing the hostname has any impact on the traffic flow?
View 1 Replies View RelatedWe have 2 x ASA 5520s in active/standby and we have a block of 30 public IP's that NAT to many servers etc and we use it for our Corp VPN. We are changing ISPs soon and we will be getting a new block of public IPs where do I even start to plan the migration and how? Can I overlap somehow and do a slow migration or must I do it in one big swoop?
View 1 Replies View RelatedI need to NAT a port range spanning from TCP and UDP 50,000 to 59,999 from inside global address 58.96.x.x on loopback2 to an inside local address of 192.168.5.5.Currently all the existing NAT translations are 1-to-1 that map inside global addresses on a wide span of Loopbacks and a Dialer Interface to inside local addresses on few subnets which are fine.I'm using an 1811 with an ADVIPSERVICESK9-M image, version 12.4(6)TS
View 1 Replies View RelatedI am setting up my lab using two 2901 routers which is running on 15.2 IOS.I am trying to simulate a back to back BRI.BRI Module: WIC-1B-S/T-V3 (x2) one of each router.
I followed this amazing document to understand the concept of BRI and configuration. url..but it never says if i can use the module that i have mentioned.
Q1. What cabling i need to use to setup back to back BRI using 2x 2901 routers with these modules?
Q2. What cabling do i need to use.
Q3. Is it actually possible to use these 2 modules alone to simulate a back to back BRI..?
We have an ASA 5520, working fine.One of the interfaces is connected to users PCs and printers mainly. Last months the number of devices has grown rapidly, and we would like to make some changes in it in order for it to be able to host new devices.We thought on change subnet mask of actual subnet (10.0.2.0/24) to 10.0.2.0/23, so it can hold as many devices.I understand I have to make some changes in the ASA, but my question is:What will happend to the acces rules I have created?Will I need to create them again? There are some objects which carry information about subnet mask, so I suppose I will need to redefine them, but for those without any subnet mask information, will I have to redefine them?
View 2 Replies View RelatedI bought a 5500 series ASA and SecPlus license for example. Suddenly my ASA hardware got broken and changed for a new one. What about my old license? How i could activate this license on new ASA?
View 2 Replies View RelatedWe have 2 firewall (ASA5510) pairs. Each pari configured for Active/Stdby mode.
Pair1 : Internet browising, Remote access VPN, Citirx access & L2L VPN access
For this pair , I need to move the 'outside' interface to Gig 1/3 and change the IP addresses. (minimize the downtime)[code] Remove the ip from outside interface and add the new IP and enable to monitor interface outside?
I had a working active/passive pair of ASA5510's, and then I had to do a rush firmware upgrade, but didn't have time to do it on the secondary at the same time. Now I have made config changes and upgraded the secondary firmware to be the same, and wish to know if I plug it back in if it will think the secondary has the "correct" config or if it will know that the primary is newer. I disconnected the failover cable because it was complaining about version mismatches constantly.
Is it safe to add the secondary back in or is it possible it will be declared newer and overwrite the config?
I am setting up a network that will use the 1941 router with a cellular card (HWIC) to connect to the Internet for communication with remote stations in the field. The 1941 has a static IP address (166.142.xxx.yyy) on the Internet provided by the ISP (Verizon). The 1941 is connected via ethernet to the ASA5510. The end goal is to have the field cell routers (Digi Transport WR-44-R, also static IP) connect to the ASA5510 via VPN tunnels for communication back to the servers behind the firewall. I'm not sure exactly how to configure the 1941 so that the remote router can connect to the ASA using the public IP of the 1941 router. I have the 1941 working stand alone and can connect to the Internet and pass traffic, but I tried a static NAT to translate the public IP to the private IP of the ASA and cannot pass traffic. below is part of the 1941 configuration: [code]
Do I need to use VLAN bridging to accomplish the task or am I missing something with the NAT?
I have an ASA 5510, one public IP address on my outside interface, an internal email server and a private network.I would like...
1: Users on my private network to be able to access the internet (PAT them to external outside address)
2: Email to be delivered to my MX (my single public IP address translated back to my internal email server.
i.e. can I share my single public IP address to serve translation in both directions (private users surfing the Internet (in-to-out) and an outside to inside NAT for email) ?
Email (MX) = 1.2.3.4
Public (outside) address = 1.2.3.4
Email server internal = 10.1.2.3
Internal private subnet for users = 10.0.0.0/8
I'm fine tuning some of our ASA logging config, and am having an issue with one particular syslog ID.The message is: syslog 106100: default-level informational (enabled)and the log settings are:
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Debug-trace logging: disabled
[code]....
This ACE log entry is generated by explicit deny any any statements at the end of all the ACLs, e.g.access-list inside_access_in extended deny ip any any log interval 600 Based on the config, I would expect to see this being logged to the syslog server, but not to the local buffer, but am still seeing them locally in the buffer:
Feb 22 2012 10:58:20: %ASA-4-106100: access-list inside_access_in denied udp INSIDE/HOSTABC(52629) -> OUTSIDE/HOSTXXX(162) hit-cnt 5 300-second interval [0x3baecf1e, 0x0]
It also still shows these as level "warning", %ASA-4-106100, instead of the default %ASA-6-106100 I've tried removing and re-applying the config at different levels but it still reports in the buffer log as level "warning", %ASA-4-106100 This also doesnt affect every 106100 log that is generated. Most messages are generated at the correct level 6 severity but some seem to randomly log at level 4. There doesn't seem to be any pattern to this. The same access-list line can produce severity level 4 and 6 106100 messages.
I'm able to build my tunnel but unable to RDP nor ICMP back to the internal network.
VPN Client IP: 192.168.200.200
INTERNAL IP: 172.17.130.200
my configuration is below:
HOME-ASAFW02(config)# wr t: Saved:ASA Version 8.4(4)!hostname HOME-ASAFW02domain-name hsd1.nj.comcast.netenable password ViPq56cvd3SGvB08 encryptedpasswd 8bcozHCAwCqA5BmN encryptednames!interface Ethernet0/0description OUTSIDE-Connectionswitchport access vlan 2switchport protected!interface Ethernet0/1description INSIDE-Connectionswitchport protectedspeed 100duplex full!interface Ethernet0/2description WiFi-LinkSYSswitchport access vlan 3switchport protected!interface Ethernet0/3shutdown!interface Ethernet0/4shutdown!interface Ethernet0/5shutdown!interface Ethernet0/6shutdown!interface Ethernet0/7shutdown!interface Vlan1description INTERNAL-Networknameif insidesecurity-level 100ip address 172.17.130.129 255.255.255.128!interface Vlan2description OUTSIDE-Link-to-ISPnameif
[code]....