Cisco Firewall :: EIGRP Metrics On ASA 2911

Aug 4, 2011

I have two 2911 routers running 15.0(1)M4 in a redundant topology connected to an ASA 5520 firewall running 8.4 version. All gears are running EIGRP. In order to distribute the incoming traffic between the two 2911 routers, I am using 'offset-list out' on them, but in the ASA's routing table I see updates from both 2911 with the same metric, i.e. the offset-list is not working. What are the default metric weights on ASA? How can I change them? I couldn't find any known bug.



Cisco Firewall :: ASDM V6.4 / Enabling History Metrics

Mar 5, 2013

I am currently using ASDM v6.4 and would like to enable the historic metrics feature to view/produce graphs/tables for interface using the Last 5 days, every 2 hours option. How will this impact performance and storage space on the device?


Cisco VPN :: 3945E-SEC/K9 And 2911-SEC/K9 Contains Advance IP Services Features (like Eigrp / OSPF)

Sep 11, 2011

I am wondering if the IOS bundled by default with CISCO3945E-SEC/K9 and CISCO2911-SEC/K9 contains adv. IP services features (like EIGRP, OSPF etc.).


Cisco Firewall :: ASA 5500 / ASDM - View Historical Metrics In Graph Form For Traffic Overview

Sep 25, 2011

Running an ASA 5500, and using ASDM to connect. I need to view the historical metrics in graph form for traffic overview, that is shown on the firewall dashboard. I have enabled historical data, but all I see is the 5 minute intervals.


Cisco :: 3750 How To Monitor CWDM SFPs Metrics Using SNMP

Apr 25, 2010

We are currently monitoring approximately 50 locations, each having one or more Cisco devices, Catalyst 3750 and 3560. Locations are connected via CWDM. We would like to monitor interface errors, signal loss and power on CWDM SFP transceivers on Catalyst 3560 and Catalyst 3750 switches. We tried to get these values (as shown using the "sh interface transceiver" command) using SNMP but we didn't get any SNMP result. What MIB or other functions/modules/features need to be used/activated on the switch? Do we need any additional piece of hardware?


Cisco WAN :: 6500 Traceroute Command Output For Routes With Equal Metrics

Aug 31, 2010

=>Routing Protocol in Question EIGRP.
=>Two equal metric routes for destination A(through R1 and R2-SVIs on two upstream 6500s)

Traceroute Output, is the output that alternates between 1.1=>10.1=>1.1 normal granted the two routes are "equal metric routes for the same routing protocol in use" or is that "round robin behavior" indicative of a routing problem?


Cisco Firewall :: K-value Mismatch With EIGRP On ASA5540

Mar 7, 2011

I have an ASA-5585X (v.8.2.4) directly connected to an upstream 6509, which is running EIGRP. I configured the ASA for EIGRP with same AS# and network numbers and no auto-summary. Here are the log messages I got:
Mar  8 15:11:08: %PIM-5-NBRCHG: neighbor UP on interface Vlan150 (vrf default)
Mar  8 15:11:08: %PIM-5-DRCHG: DR change from neighbor to on interface Vlan150 (vrf default)
Mar  8 15:11:11: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Vlan150) is up: new adjacency
Mar  8 16:16:08: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Vlan150) is up: new adjacency
Mar  8 16:18:54: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor (Vlan150) is down: K-value mismatch
I lost my SSH connection to the upstream 6509 and couldn't get it back. Luckily I didn't lose my ASDM connection to the ASA, so I disabled EIGRP and went to look at the logs on the 6509.
What causes a K-value mismatch, and how do I rectify the situation?


Cisco Firewall :: EIGRP And DMZ Distribution - ASA 5520

Dec 12, 2012

I have been able to get EIGRP working successfully in the lab like I want.
Attached is the network overview:
We have a Data Center and Corporate office connected via Point to Point Fiber link, eventually we will have two of these
Two 4948E switches in the Data center acting as cores setup with GLBP
Corporate Office has a 3750X acting as a core
Currently two 4948E's are connected to each other via Port Channel and a L2 trunk
Two sets of ASA 5520's, one acting as a firewall and for Cisco Any Connect and second for site to site VPN
What is the best way/practice that I can distribute this DMZ via EIGRP? Should I just leave it static on the core like this?


Cisco Firewall :: ASA 5510 EIGRP Not Working

Sep 24, 2012

We have 2 ASA5510 and 2 ASA5525. Got a very weird error; up to release 8.4 EIGRP works fine, after upgrading to 8.6 EIGRP stops working. Can't see any neighbors; but same command from another ASA on same network but with release 8.4: [code] I want to put the 5525 on production but would like to do it with latest release; could this be a bug on 8.6?


Cisco Firewall :: ASA 5540 Load-balancing Over EIGRP Not Working

Nov 15, 2011

We have an ASA 5540 running 8.4(1) on the inside of dual Internet-facing border routers. The routers run BGP facing out and EIGRP facing in, with the ASA also running EIGRP for the same AS. Both routers redistribute a default route into EIGRP. It was my understanding and expectation that the ASA would learn both of these, as they are equal cost, and load-balance the outbound traffic over the two links. This does not appear to be the case.
The routers both have:
router eigrp 100
network nn.nn.nn.nn
redistribute static



Cisco Firewall :: 2911 Router Zone Firewall And IP NAT Enable

Mar 20, 2013

I have a simple setup where I have a 2911 router with three interfaces, Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP so I have designed NAT to use IP Nat Enable commands. This is now working for me fine. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather they are matching the outside-to-SELF policy. The router seems to detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]


Cisco Firewall :: 2911 Difference Between The Firewall Areas

Oct 4, 2011

I recently inherited a Cisco 2911 that appears to have had Firewall rules imported into Externally Defined Rules. ACL's are currently allowing/disallowing traffic. However, there are no firewall rules configured. To meet compliance we need to have Packet Level Inspection (Firewalled) rules. There are two areas in the router, under ACL area, and under Security. What is the difference between these two Firewall areas? Are both areas providing packet level inspection? Can I build Firewall rules (within the Security area) to replace the ACL's?


Cisco Firewall :: NAT For A Private IP 2911

Dec 20, 2012

We have some Cisco 2911's on which we are configuring 2 VPN's (second is for redundancy). We are pretty confident on the failover VPN setup using SLA monitoring.
One thing we are stuck on is the redundant VPN will be set up over a 3G connection provided by Verizon. Verizon issues a Private IP (192.168.100.X); the far end device terminating the VPN has a public IP of 183.172.22.XX. What kind of NAT translation do I need to make this work? Also, does Cisco have any good configuration examples for VPN Failover setups for Cisco 2911's?


Cisco Firewall :: Enabling IPS On 2911 Router?

Sep 20, 2012

I enabled the IPS on the 2911 router. I am using the Basic IPS signatures that are inbuilt on the routers. But still it is showing that no signature is active.
ip ips signature-category
  category all
      retired true 
ip ips signature-category
   category ios_ips basic
      retired false



Cisco Firewall :: 2911 - NAT Any Source Address From Internet

Mar 21, 2011

I'm using a 2911 as our Public Internet Edge Router. I have 2 public subnet blocks from Sprint, and we are in the process of migrating. What I need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Source Address ==> Destination (nat this to inbound.
So if from the internet tries to hit we want to nat that to both of which sit on our public space.


Cisco Firewall :: ASA 5520 / 2911 - TCP Reset-O Message

Oct 30, 2011

Here's the current scenario:
[LAN] <---> ASA 5520 <---> Cisco 2911 <---> [Internet] <---> Server A
Whenever I access a website running in "server A" (only HTTP traffic) everything works fine. The problem is that when I try to access a different service on the same server but listening on port 2000/tcp I get the TCP Reset-O message on the ASA and the workstation's browser says that "Internet Explorer cannot display the webpage".
A weird thing: if I access this service from a machine on the DMZ, it works fine. From the LAN (Inside) it does not work. The main difference is that from the LAN to OUTSIDE the ASA does NAT. From the DMZ to OUTSIDE it's just routed. I did another test from the LAN and the captured traffic is attached. I've been messing around with protocol inspects and firewall + NAT rules on the ASA but no luck at all.


Cisco Firewall :: ASA 8.4(2) / EIGRP / Redistribution And Site To Site VPN?

Aug 18, 2011

We are looking at adding our ASA's to our EIGRP autonomous system. Is it possible to redistribute "routes" which are accessible only from a site to site VPN? I put "routes" in quote marks because the remote networks do not appear in the routing table. BTW the firewalls are running ASA 8.4(2).


Cisco Firewall :: 2911 - Immediate Gateway Dropped Ping Traffic

Jun 13, 2011

I have a firewall policy on a Cisco 2911 - the zone policy from OutZone>InZone basically drops everything apart from inspected traffic on the opposite direction and a few essential traffic generated externally (such as Outlook web access and E-mail exchanging). However, I seem to be getting a lot of firewall drops coming from the immediate gateway of the ADSL WAN address to the internal IP range on port 3. I get about 10 hits every 5 seconds.

policy-map type inspect FWPol_Out-In
class type inspect CCP_PPTP
class type inspect FCMAP_In-Email
class type inspect FCMAP_In-OutlookWebAccess

%FW-6-LOG_SUMMARY: 1 packet were dropped from IMMEDIATE WAN GATEWAY:0 => INTERNAL IP ADDRESS:3 (target:class)-(FWPair_Out-In:class-default), the immediate gateway would ping an internal IP address? Keepalive? Could this be stemming from another problem? The traffic wasn't generated internally as all InZone>OutZone is inspected.


Cisco Firewall :: 2911 - IOS Content Filtering Using Trend Micro

Apr 26, 2012

I have IOS content filtering using the Trend Micro subscription service working on a 2911 running 15.1.(3)T3 with the security license option and a 30 day demo Trend subscription. Once I figured out that the content filtering for Trend appears to be completely broken in 15.2 (even using docs for 15.2) I went back to 15.1 and it works great.
Everything seems great so far except I would like to have a more 'fancy' or custom blocked page where a user can have a couple links to either go to the trend micro reporting page [URL] or some other page, and maybe some branding so they know the page is coming from our network and is not some fake security thing or phishing attempt or whatever.
I know I can use the 'parameter-map type urlfpolicy trend' section to do a tiny bit of customization of the text that appears on the default blocked page display and there is an option for it to go to a simple redirect instead ('block-page redirect-url') but how to do more with either the built in page or the redirect-url to keep the information of what page the user was trying to access and why it was blocked (category etc.) while adding more features.
Oh, one last thing, this doesn't support any kind of 'user override' or anything like that does it? So that a network can have a filter applied but an admin could override the filtering to allow temporary access to something?


Cisco Firewall :: Block Gtalk On New 2911 Security Enabled Router?

May 8, 2010

I want to block gtalk on my new cisco 2911 security enabled router.


Cisco WAN :: 2911/K9 And 2911-Sec/K9 - BOM For Upgrade?

Dec 25, 2011

I have one router, CISCO2911/K9 (Cisco 2911 w/3 GE,4 EHWIC,2 DSP,1 SM,256MB CF,512MB DRAM,IPB). But now my management is asking me to upgrade this router to CISCO2911-SEC/K9.
What will be the BOM for this upgrade?


Cisco Firewall :: 2911 - Control Link In Zone-Based Policy High Availability

Jun 26, 2012

I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemption works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:

application redundancy
group 1
control <interface> protocol 1

only one control interface is allowed. Other manufacturers with similar functionality provide for the possibility of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?


Cisco Firewall :: Configure 2911 ISR To Block Peer-to-peer Traffic?

Jul 25, 2011

I see that Application protection - blocking peer-to-peer file sharing traffic is a capability of Cisco IOS Firewall. How do I configure my Cisco 2911 ISR to block peer-to-peer file sharing traffic?


Cisco :: CISCO Advanced Firewall On 2911 Router Using CCP?

Dec 29, 2012

Guys, I am using a Cisco 2911 router with three interfaces: Gi0/0 connected through a switch to all my servers and Gi0/2 which will connect to another server, and Gi0/1 is my outside interface connecting through a switch to two ISP's. I have webservers and Terminal servers/File Servers with network address connected through my Gi0/0 interface. Now I want to implement a Cisco Advanced firewall for security on my router using CCP. I want the firewall to work such that it allows external users to access the servers on Gi0/0 through ports 0,23,25,20,21,53,110,3389, and to access the SIP server on Gi0/2. My issue is, can I just create two DMZ's for both interface Gi0/0 and Gi0/2 without creating an inside zone, and Gi0/1 as outside zone, as my internal traffic is mostly server based and the users connect remotely through terminal server to access resources using RDP? Secondly, how do I open the relevant ports? I have checked a lot and all I have seen is just the basic process on using the wizard. I have no idea how to go about this issue.


Cisco Firewall :: 2911 / Site To Site VPN Using 3G USB Modem?

Sep 26, 2011

Using 3G USB modem on a Cisco router 2911 can you establish site to site VPN?


Cisco :: Can't Seem To Get EIGRP To Work

Jun 15, 2012

I have a test on EIGRP next week and have been doing it in Packet Tracer so I'm ready, but I can't seem to get EIGRP to work! I have 3 routers and the loopback interfaces are configured because there's not enough PCs to actually connect up to the kit. [code]


Cisco WAN :: Does 861 Have EIGRP Support

Aug 11, 2012

Does Cisco 861 have EIGRP support?


Cisco WAN :: 881 EIGRP Missing?

Aug 25, 2011

We use all Cisco routers in our business, mostly 1841 and 871. But now I'm currently working with a new router:
Just purchased last week - Cisco 881
The Cisco IOS is:

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.0(1)M6, RELEASE SOFTWARE (fc1)

->System image file is "flash:c880data-universalk9-mz.150-1.M6.bin"
As all our routers are Cisco we use EIGRP as our routing protocol. But with this router all I see is:
#router ?
odr  On Demand stub Routes
rip  Routing Information Protocol (RIP)
Where is my EIGRP? I can't configure EIGRP, so my router won't be doing much routing.


Cisco WAN :: 5000 RTO EIGRP

Jul 5, 2012

I have an issue in my network. I have 2 data connections with 2 different ISPs (Principal & Backup connection). With ISP "X" the RTO is stable (RTO 240), but with ISP "Y" the RTO is 5000 and the connection is always flapping.


Cisco WAN :: No EIGRP In 861 Wireless Router?

Feb 13, 2011

My Cisco 861 wireless router (CISCO861W-GN-E-K9) doesn't support EIGRP. What will I do to enable it?


Cisco WAN :: 6509 - 10 Gig EIGRP Metric

Oct 3, 2006

I have recently connected a 10 Gig connection from the local telco between two sites on 6509's. These two sites also have 1 Gig links between them. When I connected the 10 Gig link I expected the 10 Gig link to be the preferred route, but after looking at the routes I noticed that both links have the same EIGRP path cost. Also the minimum BW for both links is 1000000Kb or 1Gb. Why?


Cisco WAN :: EIGRP On L3 3750G Is Not Working

Feb 23, 2011

We have 2x 3750G L3 switches and I am trying to set them up to use EIGRP but for some reason it's not working. I created 2 routed ports on each switch and I want to route vlan10 traffic to vlan20 to S2. I also enabled EIGRP as the routing protocol but I still cannot ping between VLAN 10 and VLAN20. Here are the configs for both switches. What am I doing wrong?
Current configuration : 1943 bytes
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption


Cisco WAN :: EIGRP Variance In 6500

Jul 19, 2011

Our customer wants to load-balance across unequal circuits due to the primary link being saturated. Primary link is 10Mb and backup is 4Mb (multilink 2 x 2Mb).

I have tried implementing this using ‘variance’ under EIGRP on the 6500 switch but can’t seem to get both WAN routes in the routing table - unless I use the same metric on the route-maps we use for redistribution – e.g. set metric 10000 100 255 1 1500
If I do this the 6500 sees both routes but I’m concerned too much traffic will go via the lower speed link causing more problems. I have adjusted the delay under redistribution to make the 4Mb less preferred and I see this under ‘show ip eigrp top’ and thought the ‘variance’ command on the 6500 switch would work. But no matter what I set variance to it still doesn’t enter the less preferred route in the routing table.

Topology is as follows:
       |----2800---WAN (10Mb)
____|----3640---WAN (4Mb)
We use BGP on the WAN and redistribute into EIGRP on the LAN using route maps as follows:
2800 (10Mb)
router eigrp 5555
redistribute bgp 888 metric 10000 200 255 1 1500 route-map bgp-eigrp
no auto-summary
router bgp 888

