Cisco Firewall :: ASR1002 - Implement ZBF On Router?

Jun 3, 2012

We are trying to implement the ZBF on our router to assist us in limiting the intial impact of DDOS attacks.We have configured the below and it appears that it's not working, as when un der attack the statistics don't increae.


View 2 Replies


Cisco Firewall :: Can ASA 5505 In Router Mode Implement MAC ACL

Oct 21, 2012

My client is asking can the Cisco ASA 5505 implement MAC ACL in Cisco ASA 5505 which is now running in Router Mode.I have tried to search the document and also tried the ASDM in the Cisco ASA 5505 but could not see any way to do the ACL by MAC address.At the same time how to find out that by using command line the ASA 5505 able to run MAC ACL in router mode?

View 2 Replies View Related

Cisco Firewall :: Implement Secondary ISP To ASA 5510?

Aug 27, 2012

We are in the process of implementing secondary ISP to our ASA firewall and We would like to run both ISPs in parallel so we can test until we finally cutover?

View 2 Replies View Related

Cisco WAN :: Zone Based Firewall On ASR1002 With Xconnect Encapsulation Mpls

Apr 3, 2013

we have an ASR1002 running zone-based-firewall with 2 zones:

I have a common ZFW-configuration on that interfaces, e.g.
class-map type inspect match-any pass_cmap_in
match access-group name pass-ipv4-in
class-map type inspect match-any ph_cmap_in
match access-group name ph-ipv4-in

There is some basic stuff in the Access-Lists; direction ph-ipv4-in contains basically "permit ip any any" and ph-ipv4-out contains some permits for certain services, but nothing else. The pass-ipv4-in/out ACL contains particularly the udp-500/4500-stuff as well as gre/esp/ah.
Here are the zone-pairs:

zone-pair security zone_ph-zone_outside source zone_ph destination zone_outside
service-policy type inspect ph_pmap_in
zone-pair security zone_outside-zone_ph source zone_outside destination zone_ph
service-policy type inspect ph_pmap_out

The xconnect is only built up correctly when I configure the interface in the zone_outside. The destination for the xconnect is an ASR9k. If I do not configure the zone on the L2VPN-Interface, only arp-packet are allowed to tgo through the tunnel.
The L2VPN connects a branch office to the network of "PH". Now the trouble starts: when they are putting a host in the branch office, DHCP via the L2VPn works fine, they can ping anything from the branch office-PC in their local network and reach all internal servers etc.
BUT if they want to go to a destination outside their network, it will not work properly. For example, the branch-office-PC can ping fine, but when they try to connect to a website, e.g., they run into a timeout. Netstat says, that the http-syn is sent, but no ack is received.

On the router, I see:

Session 1178BAE8 (x.y.225.250:2370)=>( http SIS_OPENING
whereas x.y.225.250 is the PC connected via L2VPN in the branch office to their local lan. When they put the same machine in their local lan directly behind the router (without l2vpn) everything works fine. When I switch off the firewall on the Gi0/0/0-Interface, the PC from the branch office also reaches its destination, so for me it looks like the firewall inspects the traffic going via Gi0/0/1 and L2VPN, what in my opinion, it should not do....

View 1 Replies View Related

Cisco Firewall :: 2800 / Implement Backup Between Two Sites

Sep 13, 2011

I need to implement the backup between two sites I have router 2800 which is having a point to point connectivity with the far end.At the far end there is no router ,only one firewall is there on that firewall one access-list is there to allow the traffic .To implement the back up link i have created a site to site vpn  .But the problem is as soon as the tunnel is establised .For the time being i have removed by site to site config from both firewall.

View 7 Replies View Related

Cisco Firewall :: Implement A NAT Configuration After Having Upgraded ASA5510

Aug 17, 2011

I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
The upgraded NAT rule and access list works fine at allowing external access to a web server.
However we now need to NAT the SOURCE address (either to a pool or single address) of incoming http requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the severs default gateway does not return to the ASA, so "tagging" the source address of external requests to an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way but we can't see any alternative.
Having read a huge amount of examples we can access the server with the above config (or Object NAT), and we can NAT incoming traffic,however we can't combine the two by having all external http requests Source Natted before forwarding to the server.

View 8 Replies View Related

Cisco :: 2900 - Implement Zone-Based Firewall?

Dec 25, 2012

I am looking to implement Zone-Based Firewall on some 2900 series routers (2911 and 2921.)  Based on some research I've done it looks like the cisco2911-sec/k9 and cisco2921-sec/k9 bundles should be all I need.  Is this correct, or is there some other licensing component that needs to be enabled for me to implement Zone-Based Firewall?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - How To Implement NAT On Multiple Internal VLANs (DMZ)

Apr 4, 2011

I've got a cisco asa 5520 and setting up the NAT for multiple DMZs on it. 

 I want to use PAT on the outside interface.
internally ive created subinterfaces for the VLANs and connected to a trunk port on a switch.
configure NAT for this scenario. I've got only 1 external public IP address.

View 1 Replies View Related

Cisco WAN :: BVI Configuration On ASR1002 Router

Oct 14, 2012

We have a cisco7206 router which is going to be replaced with an ASR1002 router. The 7206 has some interfaces in a BVI-group - the config of which i am trying to translate over into IOS XE (which runs on the ASR1002). How to translate this config from IOS to IOS XE.

View 3 Replies View Related

Cisco Firewall :: ASA5550 - Implement Traffic Shaping / Policing Primarily For P2P Traffic?

Mar 10, 2011

We are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.

View 1 Replies View Related

Cisco WAN :: Implement MPLS On 2651 Router?

May 18, 2012

I have some Cisco 2651 routers, I was trying to implement MPLS on those routers, Can i accomplish this upgrading newer IOS version? link to download the supported IOS.

View 2 Replies View Related

Cisco WAN :: How To Implement Bandwidth Distribution In 1841 Router

Mar 7, 2012

I got a 5MBps Lease Line Connection via FAST ETHERNET PORT. i got a Cisco 1841 Router.
 I want to distribute bandwidth in this ratio 2MBps/2MBps/1MBps
2MBps = Office Connection
2MBps = Computer Laboratory Connection
1MBps = WIFI Connection 
1841 has only 2 Fast Ethernet ports
so im planning to add up a 2modules of 2-Port Fast Ethernet High-Speed WIC for Cisco Integrated Services Routers

View 18 Replies View Related

Cisco WAN :: How To Configure NAT On ASR1002

Aug 25, 2012

I am going to configure the NATing on ASR1002 and expecing to have near about 1Million nat translation. Will ASR1002 support 1million nat translations ? how many NAT translations are supportable on the ASR1002 ?I am going to configure NAT on ASR1002-5G/K9 U& have FLASR1-FWNAT-RED.

View 1 Replies View Related

Cisco WAN :: ASR1002 IOS Upgrade From 2.x To 3.x?

May 29, 2013

Right now I have a ASR1002 running a very old IOS version.Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVENTERPRISEK9-M), Version 12.2(33)XNE, RELEASE SOFTWARE (fc1) asr1000rp1-ipbasek9. – 25-NOV-2009?
I am looking to upgrade to a newer version.I was wondering if there are any tricks when upgradeing this IOS. Is it as easy as loading the IOS onto the ASR and then changing the bootpath or is there an upgrade path I must follow? Also would there any need for a licence between 2.x and 3.x.

View 2 Replies View Related

Cisco WAN :: ASR1002 Web Logon

Jan 27, 2011

The loopback of the ASR1002 is When I use a browser to access it, I got the authentication dialog box asking for username/password. I input the information and submit. But authentication box comes back again and ask for the username/password.
The username/password is test okay. But somehow, the web GUI just does not use it.

View 2 Replies View Related

Cisco WAN :: ASR1002 - How Does It Differ From SFP-GE-L Adapter

Feb 5, 2009

Is the GLC-LH-SM SFP compatible with the ASR1002 and how does it differ from the SFP-GE-L adapter?

View 4 Replies View Related

Cisco WAN :: ASR1002 How To Attach L2 Interface

Mar 11, 2012

We have an ASR1002 with asr1000rp1-adventerprisek9.03.05.01.S.152-1.S1.bin software.I couldn't find any documentation on how to attach an L2 interface, in my case a subinterface with a single dot1q vlan, to a BDI interface.I'm able to create a bridge-domain interface but it's down down.The command bridge-domain on the subinterface url...

View 2 Replies View Related

Cisco WAN :: ASR1002 - Inspection Of ACL Hits

Aug 17, 2011

I'm aware ACL's are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR, I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.

View 2 Replies View Related

Cisco WAN :: Load Balancing On ASR1002?

Jun 25, 2012

One of our customer just purchased ASR1002 router, they have three internet links from different ISPs and they dont have any remote site, they have three different public IP pool as their respective ISPs. So, is it possible to load balance the internet traffic using all three link on Cisco ASR router ( IOS - Advance Enterprise Services)

View 3 Replies View Related

Cisco WAN :: BGP Flapping Peer With ASR1002

Oct 18, 2011

We are having an issue with BGP flapping peer. We have a ASR1002 as Route Reflector and it work fine with all peers except with 2 peers.

View 3 Replies View Related

Cisco VPN :: Create VPN Between ASA5510 And ASR1002

Apr 6, 2013

im trying to create a VPN between a Cisco ASA5510 and an ASR1002 when my Loopback interface is The Source IP . [code]

View 1 Replies View Related

Cisco WAN :: Configuring IP Accounting On ASR1002?

Oct 23, 2011

what command is required to configure ip accounting on an interface?
I would have thought to what is required is on the interface, turn on Ip accounting i.e.
int gi0/0/0
ip accounting
However, there is no ip accounting command within the interface.  We are running version Version 15.1(1)S2.

View 6 Replies View Related

Cisco WAN :: Error During Boot IOS On ASR1002?

Dec 27, 2011

During the boot ios we found the error messages below. How can i clear this messages?
Missing or illegal ip address for variable DEFAULT_GATEWAY Using midplane macaddr
Missing or illegal ip address for variable IP_ADDRESS
Missing or illegal ip address for variable IP_SUBNET_MASK

View 2 Replies View Related

Cisco WAN :: ASR1002 With Full Bgp Table(s)

Jun 19, 2011

I've inherited a project building an internet connectivity solution for a large corporate. It has its own AS and its own PI space. They are putting in 100Mbit connections from 5 different Tier1's , taking full internet routing from each. Cisco ASR1002's have already been specified and purchased for the job. I'm not familiar with the ASR platform at all - is it up to the job with full routing tables? multiple instances of full tables ? (not likely to put all 5 into one box!)

View 2 Replies View Related

Cisco WAN :: ASR1002 Dynamic NAT Entries Are Not Released

May 31, 2012

we are using an ASR 1002 for dynamic NAT (with route maps). I do have a Problem with the usage of the NAT pool it self.The total NAT Translations for the pool are:

#sh ip nat stat
[Id: 1] route-map natted-host-01 pool nat-pool-01 refcount 136
pool nat-pool-01: netmask
start XX.XX.202.0 end XX.XX.203.255
type generic, total addresses 512, allocated 88 (17%), missee 0
If i now look into the NAT translation Table i do get less entries:
#sh ip nat translations filter map-id dynamic 1 total Total number of translations: 43
Only a deeper look into the QFP gives here the right values:
# sh platform hardware qfp active feature nat data The ouput count matches the values I get if i isue a sh ip nat stat
My question is how is it handled internally.
We do have a problem too, with raising usage of the pool over the time.Once allocated Pool entries are not released after a period of time. And no NAT translation occur for that used IP NAT pool Addresses.
The timer on the device are set:
ip nat translation timeout 300
ip nat translation tcp-timeout 900
ip nat translation pptp-timeout 900
ip nat translation udp-timeout 120
ip nat translation routemap-entry-timeout 900
ip nat translation max-entries 750000

View 1 Replies View Related

Cisco WAN :: ASR1002 / 1006 SFP Compatibility With SPA Module?

Aug 15, 2011

I am trying  to bring up a couple of ASR's. They are fitted with SPA modules (SPA-8X1GE-V2). These have SFP modules GLC-T fitted into them. For the life of me I cannot get these ports to come up. If I have a look at the inv the SFP's show as GE-T's (physically they are GLC-T's)
Is there a compatability problem with these GLC-T's on ASR 100x?

View 3 Replies View Related

Cisco WAN :: ASR1002-X L2TP Tunnels Up But No Ping

Jun 13, 2013

we are testing an ASR1002-X which acts as LNS for L2TP tunnels.
- All tunnels are UP (sh vpdn all return list of tunnels)
- VirtualAccess interfaces are UP
- C routes are added in routing table
but ping remote IPs  don't work !!! [code]

View 1 Replies View Related

Cisco WAN :: Configure NetFlow Top Talkers On ASR1002?

Sep 5, 2012

I am trying to configure the NetFlow Top Talkers function on an ASR1002 with ADVENTERPRISEK9-M, Version 15.2(4)S.  With this new Hardware and Software I am surprised to see that the command:
ip flow-top-talkers
top 50
sort-by packets
cannot be found on the CLI - it's just not there.  

View 1 Replies View Related

Cisco WAN :: ASR1002 - Licensing Not Supporting Any Device

Jun 30, 2011

I have recently purchased ASR1002-RP1-ESP5 with 2 x 4K Broadband licenses to be used as LNS. Cisco have sent me PAK files for the licenses however when I try to enter the licenses into the device I get an error message saying that Licensing is not supported on this platform.
Any experience with this platform and installation of the broadband licenses?
When I spoke to Cisco TAC they told me that for this particular model the licensing is on "trust" basis where you buy license and do not install it on the actual router - similar to what 7200 used to do.

View 1 Replies View Related

Cisco WAN :: Management And BITS Ports On ASR1002

Aug 30, 2011

We recently purchased a Cisco ASR1002 router with four on-board Gigabit SFP-style Ethernet ports. However, when I do a "show ip interface brief", I see that there's an extra Gigabit Ethernet port. See the last interface in the following output:
ASR_1002_router#sh ip int b
Interface                         IP-Address       OK?     Method Status          Protocol
GigabitEthernet0/0/0       unassigned      YES  manual     down                down

On the router itself, in addition to the four Ethernet SFP ports, there are four additional RJ-45 ports. They're labeled "BITS", "MGMT", "CON", and "AUX". I know what the Con and Aux ports are, but what are the Bits and Mgmt ports? And is one of them the Gigabit Ethernet interface that I see listed at the bottom of the output? And if it is, is there anything special about it, or is it just another routed Ethernet port? Can I do something special with it, like out-of-line managment?

View 1 Replies View Related

Cisco WAN :: ASR1002 Running SubPackages And IOS Vulnerability?

Apr 19, 2012

We have ASR1002 routers configured to run individual SubPackages, at this point everything is operating without problems.We just received a Cisco Security Advisory informing us SSHv2 is vulnerable in our version of router code.We have to upgrade to the recommended stable release, so we downloaded, installed and expanded the IOS to expose the SubPackages on the ASR routers bootflash.

Since we are running SubPackages, do we need to upgrade all SubPackages (I.E. complete IOS upgrade) of can we just upgrade the vulnerable SubPackage? How do you determine which SubPackage contains the SSHv2 application?

View 2 Replies View Related

Cisco WAN :: ASR1002-X - L2TP Tunnels Up But No Ping?

Jun 13, 2013

We are testing an ASR1002-X which acts as LNS for L2TP tunnels.
- All tunnels are UP (sh vpdn all return list of tunnels)

- VirtualAccess interfaces are UP

- C routes are added in routing table
but ping remote IPs  don't work !

LNS1# sh ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSAL-M), Version 15.3(2)S1, RELEASE SOFTWARE (fc1)
Technical Support: [URL]


View 1 Replies View Related

Cisco :: Can Implement BGP Without IGP Protocol

Feb 9, 2013

Can we implement BGP without IGP Protocol ? If yes, then how can we do it ? If no, why ?

View 11 Replies View Related

Copyrights 2005-15, All rights reserved