Cisco Firewall :: Blocking DHCP On 1921 K9

Apr 19, 2012

I have a 1921 k9 router that has several DHCP pools configured. Before implementing the firewall they were all working. After implementing it they stopped working. I messed around and got the routed port GE0/1 handing out IP addresses and left it alone. Somehow it quit handing out IP addresses yesterday.I dont know if its a quick fix or not (getting DHCP working on the interfaces) but if any article that will walk me through getting DHCP working on all of the interfaces. [code]

View 10 Replies


Cisco Switching/Routing :: Firewall On 1921 K9 Blocking UDP Traffic?

Apr 18, 2012

I have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.

Interface 0/1 =
I have Active Directory setup on the network. When I attempt to join the domain from it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
Building configuration... 
Current configuration : 18833 bytes
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave


View 2 Replies View Related

Cisco :: 1921 - DHCP Configuration / Assign Fixed IP To One Device While Assigning Others?

Jun 19, 2012

This is IOS 15.1(4)M3 on a 1921 router. The LAN is (DHCP config is further down.) We have a small range that we want to assign via DHCP to devices; .200 through .220 . At the same time, we have a handful of Macintosh systems to which we want to assign a specific address that is not in that 200-220 range. I don't want to configure the assignment based on the Ethernet MAC addresses because these systems might connect via UTP or wireless; that is to say, they have more than one MAC address. They only ever connect using one interface/MAC address at a time, but it's their choice; in some areas wi-fi is available, and in some areas they have to cable-up.
The Mac OSX network settings has a field for "DHCP Client ID". It would be much easier to tell the users of these systems to put their Mac's name in the Client ID field for both their wired and wireless DHCP configs. (As opposed to having them all lookup, and then give me their Ethernet MAC addresses for both of their interfaces.) I tried this with my Mac's (named "shrike") wi-fi interface, but I don't get the address that I expected. I get an address from the .200 to .220 range.
Here's the DHCP-related config from the router:
router#sh run | s dhcp
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool OurOffice

Is "client-name" the wrong place to configure the DHCP Client ID?

View 3 Replies View Related

Cisco Switching/Routing :: 881 - Blocking DHCP Requests Of Windows Clients?

Nov 18, 2012

We've got 5 remote offices with cisco 881 routers, Win Clients behind them and all routers connected via vpn site-to-site to central software router.

Mostly all clients recieve ip addresses from routers in their subnets 192.168.x.024
We have Win DHCP Server in subnet
The problem is that some of clients,physically sutuated in subnet, recieve ip addresses from Win DHCP server from subnet.
Here's part of cisco cfg:
interface FastEthernet0
no ip address
interface FastEthernet1


View 3 Replies View Related

Cisco Firewall :: 1921 - IOS Firewall (ZBF) Limit SMTP Connections From Same IP

Mar 14, 2013

IOS Firewall (ZBF) Limit SMTP connections from same IP
we are running a Postfix MTA behind a IOS Firewall (ZBF) on a CISCO1921. Sometimes we get more than 2000 smtp login attemps like
postfix/smtpd[123456]: connect from (...) (...) postfix/smtpd[123456]: lost connection after AUTH from (...)
in one second. May be bruteforce or DoS ... nevertheless - we like to protect the Postfix MTA from this stuff.
Can we inspect the smtp and limit connections in a time period from the the same IP? Something like "not more than 10 smtp connections during 60 seconds from the same ip" .

View 8 Replies View Related

Cisco Firewall :: ASA5505 Firewall Rule Not Blocking

Apr 1, 2013

I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver 
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2) 
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"


View 4 Replies View Related

Cisco Switching/Routing :: IP SLA Support On 1921/K9 Or 1921-SEC/K9?

Oct 5, 2012

We want to puchase new Cisco ISR 1921/K9 .   i want to know does it support the following sample IP-SLA commands
ip sla 2icmp-echo 500frequency 1ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
track 20 rtr 2 reachability
delay down 1 up 1 
ip route track 10ip route track 20
Im asking above question because we will need to enable ip-sla  on  the mentioned router.   as i read on the cisco webside, it says Cisco-ISR-1921/K9-IP Base  support only  IP-SLA RESPONDER  feature nothing else. If  Cisco-921/K9  does not support the above commands , should i go for ordering Cisco-1921-SEC/K9 ? 

View 4 Replies View Related

Cisco Firewall :: URL Blocking Through ASA 5510 Without ISA

May 10, 2011

I have cisco ASA 5510 with ios version 7.07 & all users are browsing the internet via PAT through ASA. i want to block some sites/URLs like facebook, yahoo etc.

View 2 Replies View Related

Cisco :: Firewall Blocking Users From Connecting From Outside?

Oct 5, 2012

I set up a cisco 2811 to replace a netgear router at the office. I have nat set up and with ccp I added a firewall on the router using the basic firewall wizard. Just about everything works internet, receiving and sending emails on exchange from the pc. Issue I'm having noone can access the company email on their phone.Also theres a camera system that would be accessible to view from the live feed from outside the office and my boss can't access the camera. I port mapped all the custom applications and added new traffic rule from self -> outzone. It didn't work tried to add one from outzone -> self or inzone but i get a prompt stating it only accepts protocols tcp,udp, sip, h323, icmp and a few other I can't think of. I'm pulling out my hair trying to get this to work everything worked seamlessly on the netgear router and nothing was really defined just the inbound ip address of the applications and protocols that are allowed.

Lets say for reference purposes my ip addresses for internet is

internet /24
email server /24
web cam application /24
8000 in
8001 out

View 1 Replies View Related

Cisco Firewall :: ASA5505 URL Filtering / Blocking?

Jul 7, 2012

I have ASA 5505 running 7.2.4, I want to prevent users accessing some web sites such as facebook , youtube and hotmail etc.

Which ASA 5505 IOS version should I use to block web access?
I don't want to isntall a dedicated filtering server ( websense etc) , I just want to block web sites statically on ASA 5505 via ASDM as I only have few sites to block.
know if ASA 5505 can do URL filtering, and what IOS is required ?

View 1 Replies View Related

Cisco Firewall :: ASA 5510 Blocking Port 25?

Dec 13, 2010

I have a Cisco ASA 5510. I have detected an infected workstation on my internal LAN which has caused my IP to be blacklisted by Barracuda Networks and other RBL. I have scanned and cleaned the workstation removing the spambot. I want to prevent all my internal workstations from sending SMTP traffic on Port 25 through my ASA 5510 device. I only need to allow my Exchange Server access to send out traffic on port 25. configure this setup using ASDM 5.0?  I know it may be easier using CLI, but using the ASDM would really be preferred.

View 4 Replies View Related

Cisco Firewall :: ASA 5505 Blocking FTP Port

Nov 28, 2011

I am working on an ASA5505 and am trying to open the ftp port. I have a server ( on the local LAN which is attempting to download antivirus updates from the net via ftp.  
ASA Version 8.3(2)
hostname SITE
enable password XXXXXX
passwd XXXXXX


View 4 Replies View Related

Cisco Firewall :: SA520W - Blocking URLs

Mar 17, 2011

I purchased a SA520W for my company, and i have some probles for configuring firewall. I want to deny access to facebook, youtube and twitter but not for 4 hosts which needs this websites for work. I tried to configure content filtering > blocking URLs but with this solution, I deny acces for all users, So, I tried to make IP v4 rules :

The 4 hosts who may access to these websites are to 127
Example :
Service : Any
Action: block always
Source hosts : to
destination hosts : (one of the facebook's ip)
but it does not work. So, I am looking for an other solution, or maybe my rule is not correctly configured ?

View 5 Replies View Related

Cisco Firewall :: Blocking P2P Traffic On E2500?

Feb 15, 2013

networking but can understand with a bit of explanation.. I own a restaurant and provide free WiFi for my customers with a Cisco E2500, I am gettign bills that are through the roof, I contacted my ISP and was told users were accessing P2P downloads(uTorrent, etc.). How can I block these applications?

View 1 Replies View Related

Cisco Firewall :: 5510 Blocking All Websites Except Few

Nov 16, 2011

How to block a single website, but I want to do the opposite. I would like to block all website except for a handful of them. Any example configs?

View 3 Replies View Related

Cisco Firewall :: Blocking Countries On ASA 5505?

Sep 8, 2011

I am required to block the IP neworks used by approx 10 coutries.  The issue is if using an ACL this works out to be about 18,000 lines, I have done all the summarization possible.. are there any other options? as the ASA 5505 crashes when implementing this many lines.

View 3 Replies View Related

Cisco Firewall :: 2800 - Blocking Url Access?

Jan 30, 2012

I wish to block some url that users have access through my LAN
Thats  i wish to block icmp,access towards such sites, i wish to block icmp  because dns will resolve the domain and they can access through ip  address.
what i have in place is a cisco 2800 series routers

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - Blocking In / Out Emails

Feb 26, 2013

I've configured a Cisco ASA5520, i can access to internet and other applications in my office but when i sent an email from inside to outside and vis-versa, i can't receive emails in both side

View 3 Replies View Related

Cisco Firewall :: ASA 5505 Port Blocking?

Jun 24, 2012

I have an ASA 5505 running 8.4.I am only letting ICMP traffic in from the outside.As a test, I opened a couple of ports I need on the ASA.I cannot access these ports and I do not get a denied error in the log.
I contacted the ISP and they are not blocking these ports.I ran an online port scanner to check ports 1-100 as a test.  They all came up as blocked on the port scanner.  The only deny error I got on the ASA was for port 80.Is this normal behavior?  If so, how do I get it to show all of the deny errors so I know the traffic is at least hitting the firewall?

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - CSC Blocking Using IP / Users

Jan 17, 2012

I am new at ASA 5520 and CSC module (version 6.3). I would like to know what configurations are possible for my network users if i use the CSC trend micro blocking using IP address or AD users, I know that i could select users/groups from the windows  AD or select the IP addresses that i want to use for blocking or permit HTTP traffic (URL, etc).

My question is on the client side, how the CSC knows what AD users is the one that is requesting certain HTTP pages, or if i user a proxy server, i lose the IP/users options on the CSC??..or i could use authentication options on the proxy for example?.

I have been looking information about this but the manuals only explain the configuration options that i could configure on the CSC Trend Micro page, but it doesn't say which network environment i could use or need.

View 2 Replies View Related

Cisco Switching/Routing :: 1921 To Replace A Software Firewall

Feb 26, 2013

We purchased a cisco 1921 router to replace a software firwall not long ago. The router was sold as a firewall with the suggestion that an ASA would be unnecessary.Unfortunately a router does not replace/do the jobs a firewall does, so I looked online and noticed that Cisco do offer firweall security features in one of their IOS.How do I tell if this is implemented on my router?If not, does my IOS support this, or do I need to buy an extension/another version of the IOS?,The version of the IOS I have is: c1900-universalk9-mz.SPA.151-4.M4.bin.

View 3 Replies View Related

Cisco Firewall :: ASA 5520 For Blocking LogMeIn And GoToMyPC

Sep 1, 2010

How to block LogMeIn and GoToMyPC?  We are using an ASA 5520.  We mainly want to prevent people coming into our network using those applications.  Also, our helpdesk uses LogMeIn Rescue and would need to allow that for them. 

View 6 Replies View Related

Cisco Firewall :: ASA5505 Blocking LAN Domain Queries

Dec 6, 2012

data centre hosted system with 4 servers connected to a CISCO ASA5505, everything was working fine with 4x windows server 2003 machines but since pulling 2 out and replacing them with windows server 2008 machines i get a flood of the error below and it blocks communications back to the IP listed which is the domain controller so naturally this makes the 2 new servers unusable.
1: they are all connected to the inside VLAN directly via the ASA's switch ports.
2: the are all in the same subnet including the ASA inside interface
3: removing the gateway on the affected machines makes no difference the ASA continues to block it which indicates whether or not the machines use the asa as a gateway its inspecting the traffic and blocking. [code]

View 3 Replies View Related

Cisco Firewall :: SA520 Blocking Incoming Calls?

Nov 8, 2012

I have an SA520 that is being used as a front end firewall.  Behind it I have an IP PBX.  The VOIP provides are registered and I can make outgoing calls.  However It appears that the SA520 is either blocking or not routing the calls.  I have opened the ports recommended by both the IP PBX and the VOIP provider.  What do I need to do to make incoming calls through the SA520?                 

View 1 Replies View Related

Cisco Firewall :: 5520 - Blocking URL And Instant Messenger

May 11, 2011

Can  we block websites and messenger on Cisco ASA 5520 running code 8.2 ,  we are looking to block , , , msn messenger, yahoo messenger, google talk and messenger. All Internet traffic from users are passing via the firewall and for 20 users on this site we do not have microsoft ISA or bluecoat.

View 6 Replies View Related

Cisco Firewall :: 5510 CSC SSM Blocking Valid Site

Sep 10, 2012

We have a Cisco ASA 5510 with a CSC SSM 20 module installed. As of this morning a valid site (Public School System) is being blocked at my site. It says the site is of High risk. I have tried entering the site in the block list exceptions but it still comes up as a high risk site.

View 2 Replies View Related

Cisco Firewall :: ASA5520 Allowing / Blocking Skype

Sep 17, 2012

I have the following: redundant ASA5520s on v8.2(1)proxy server/web filter for blocking access to websites for staff/studentsusers who want to use SkypeCisco Catalyst 4507 corea dozen VLANs for staff/student/WiFi etcCisco core policy that routes 80/443 to transparent proxy on a WiFi VLAN Windows desktops have direct proxy settings in IE .Pretty much all outbound ports are closed with 80/443 and a handful of specifics for various things open. Because of this Skype attempts to use 80/443 which are sent to the proxy server but bnecause they're not HTTP/HTTPS they cannot be understood. Skype attitude is to open 1024-65535 which is just plain stupid!
There's no way to specify which port(s) Skype uses for outbound. I tried opening 33000-33099 which worked perfectly for 2-3 devices (Win laptop, iPad) but others failed all the time.I've seen people mention using an AIP-SSM module in the ASA for blocking Skype (and other things eg torrents). Is it possible to use this module to allow Skype eg on ports 1024-65535 whilst blocking any other application from using those ports?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 ACL For Blocking Outbound SMTP

Jan 30, 2013

I'm trying to configure a simple ACL to block smtp traffic from leaving my LAN -- basically prevent internal users from setting up internet email accounts in their email clients and sending through that smtp server. i want my Exchange server only to send smtp traffic. here's what i have:
-access-list 102 extended permit tcp host eq smtp any eq smtp <=== is Exchange
-access-list 102 extended deny tcp any eq smtp any eq smtp
-access-list 102 extended permit ip any any
-access-group 102 in interface inside
after i apply this ACL to the ASA, i am still able to send from my internet email address setup in Outlook using my "foreign" smtp server.

View 1 Replies View Related

Cisco Firewall :: PIX 515 Blocking Outbound Traffic To Certain Sites

Oct 14, 2012

I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits),  as well a a WInXP box. All of these are connected to the same switch,  which is connected to the inside port of my PIX 515.
For a few sites ( happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that  matter - will not go through the PIX (from inside to wan). I have  verified this by first, using wireshark to watch the packets being sent  out from the client box, then by using the trace function in the PIX to  see that the packets ARE arriving at the inside interface, but ARE NOT  sent out of the wan interface.
This is for the linux boxes ONLY. When I do the same thing with my WinXP  box, all works: in the PIX trace, I see the packets arrive at the  inside interface, and leave the wan interace. And access to these sites  are okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
Some background:
I have been using this PIX for about 10 years now, with the same  configuration (except IP addresses). Only in the last several months has  this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something  else. I don't have any support license, and have not been able to get  any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by (code)
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60

PS: Since this PIX is at its end of life, I was wondering if any of the  software upgrades would be now available without a license?

View 2 Replies View Related

Cisco Firewall :: 2851 HTTPS URL Blocking Using Class Map

Aug 3, 2011

I have a request for blocking urls using a class map. I have made this work with HTTP, however it does not work for https. This is a 2851 router with IOS Version 12.4(15)T7. I see i could use the command "match protocol secure-https" however this does not let me specify any specific urls.
Does a new IOS version will support what I'm trying to do? Or if there is another way?

View 2 Replies View Related

Cisco Firewall :: ASA 5510 - CSC SSM Blocking Valid Site

Jul 8, 2012

We have a Cisco ASA 5510 with a CSC SSM 20 module installed. As of this morning a valid site (Public School System) is being blocked at my site. It says the site is of High risk. I have tried entering the site in the block list exceptions but it still comes up as a high risk site...      

View 1 Replies View Related

Cisco Firewall :: 2921 - ZBFW Not Blocking Traffic From DMZ

Apr 22, 2013

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.

View 5 Replies View Related

Cisco Firewall :: 1921-SEC / Terminate Each IPSec Connection In Separated Zone

Apr 26, 2011

We are using a CISCO1921-SEC Router. On the "WAN" side we have 1 public IP Adress assigned by DHCP. At the moment we are using the WAN Interface with a crypto-map as endpoint of some IPSec connections. We set up a zone-based-firewall with "WAN" and "LAN" zone. In this setup all IPSec Endpoints are on one Interface - connections to the "LAN" zone can be managed by rulesets. What about connections between IPSec connections and the zone "self".We like to terminate each IPSec connection in a separated zone. How can this be configured ?Each one on a "tunnel inetface" with "tunnel source ..." binding ?

View 4 Replies View Related

Copyrights 2005-15, All rights reserved