I put a QoS in a WS-C3560CG-8TC-S version 12.2(55)EX2. in our lab file upload or download speed much reduced and drop the packets with QoS everyting is fine without QoS
Here is the config: My question is why I speed reduced a lot and packets to be dropped with QoS.everything is fine WITHOUT QoS.
class-map match-any VoIP description Voice IP Phone RTPmatch access-group 157 class-map match-any WEB description Internal Web, SSL Web, DNS query, Pinnaclematch access-group 153 ! policy-map QOSMARK class VoIP set dscp ef class WEB set dscp cs3
I've got a 1760 router which uses port forwarding (25, 80 and 443) for my internal network services. If, let's say, I try to open a FTP connection on the router, of course the connection will be refused. Is there a way to make the router DROP the packets instead of rejecting them? My Linux iptables configurations drop packets who fail the firewall test, so I would like the router to perform that behavior.Commands for port forwarding:ip nat inside source static tcp 10.10.0.1 80 int f0/0 80 (these work fine)
My operations manager says "Could you go on-site and configure a new clients new internet connection?" I make the arrangements and go on-site. As I'm working with the providers tech he says "Do you have a sub-interface confgured for a dot1q VLAN id of 1057?", I say "What?". Anyway my firewall is not capable of dot1q VLAN, so he says "Do you have a Cisco router that can provide the trunking?", I say "Yes, I tink so but not with me". The question is can I use an SR520 between my firewall and the provider demarc to route the VLAN he is talking about? My initial discovery says yes but I am not quite sure of the details on how to achieve this on the SR520.
I am trying to finish a project and i now have a very un-natural networking question, but i figure that this is the correct place to ask it.
Tools: Routing Device = Router. Test App = Creates and Sends Packets through my machine's NIC via NDIS Driver. WAN = Internet. VPN = Connected over WAN.
I am trying to route/forward/nat promiscuous packets "TO" the Internet to finish my project. The packets are not addressed to my routing device, but it must take them and forward them on to a VPN connected over the WAN. The packets are actually created by my NDIS test app. This means that the packets will be generated on my local LAN, but will not contain the MAC or IP of the routing device. So they will only enter my routing device while it is running in a promiscuous mode.. how would you try to route promiscuous packets out to the internet?
Is it possible to configure DHCP option 150 on the RV220? I have a Cisco 7940 IP phone that is trying to connect back to my office. The VPN is up and I can ping the relevant server but I can't see any way to configure the DHCP option.
I have a RV042 VPN Router with the latest firmware v4.2.1.02.This Router is connected to the main site by a VPN Tunnel.
Now, I like to configure some DHCP Option so I can put a IP Phone behind the RV042. The IP Phone should receive a IP by DHCP from the RV042 and of course, the IP of the Call Manager with the Option 150.
I can configure DHCP and it works fine but I can't find where I have or can configure Option 150.
I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.
I'm trying to configure QoS on my 877 router to give priority to voice packets. However, when I do a show policy-map for WAN interface, all the classes show 0 bps. When I do a show int for the WAN interface, I get the correct bandwidth util.
This 877 is meant for a home network. I'm running a Cisco 7970 phone using phone-proxy back to my HQ. I'm also shaping the traffic.
Here is my config
Class Map match-any EF (id 1) Match ip precedence 5 Class Map match-any class-default (id 0) Match any
ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and no are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server. Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me.
Working as a consultant I find it annoying I cannot see a drop-down list in the AnyConnect client as you can with the traditional IPSEC VPN client with multiple profiles. How to modify the default profile to list multiple entries?
Is there any option available in any of the Cisco ASA55xx series model to install both csc-ssm and aip-ssm ips modules ? If, so is it advisable to install both ? Is the throughput of ips module has any dependency with the asa chassis throughput ?
configuring policy based route for my cisco router?Basically, I have a 2811 cisco router with 2 ADSL ports. 1 port is for iiNet line and another port is for Telstra line.I want to configure a policy based route on the router so that:Any traffic coming from 1 internal IP (i.e. 172.16.x.1) will go through iinet line (i.e. Dialer 0) interface.Any traffic from rest of the office will go through the Telstra line (i.e. Dialer 1) interface. Is there any easy way to configure this policy based route?
configuring a working route between two subnets (172.28.0.0/16 and 192.168.0.0/24) on a Cisco Catalyst 2960-S.
Problem: The subnet 172.28.0.0/16 is on VLAN 40 and the clients on this subnet have to access a preconfigured device with an ip in 192.168.0.0/24 subnet. The configuration of this device cannot be changed.
I have an Cisco 2960-S Lan Base (c2960s-universalk9-tar.150-1.SE3) switch [URL] that I would like to use to solve this problem.
I plan to configure Static route load-balancing, which just assign different administraive distance to static routes.The route with lower distance is preferred. For example, if ISP A is our primary Internet provider the default route may be configured with a distance of 1 (all static routes are assigned this administrative distance) and the default route through ISP B may be configured with a distance of 100. In that case the default route through ISP B will be used if only the route through ISP A becomes unavailable.
But when I trying to configureWith Enhanced Object Tracking to do the route failover (a generic track object can monitor presence of an ip route, state of an SLA), I found my IOS not support such Track command. [code]
Basically I have an internet router (1841ISR) with 1 internal (LAN) connection and 2 internet connections. What I want to do is route specific traffic for 3 of my internally hosted services (smtp, https, etc) through one internet connection (fa0/0) and then route all other traffic through the unmanaged/dynamic IP ADSL connection (Dialer 0).
I have an 887VA-w connected at home. I am using ip virtual-reassembly an all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I recieve: [code] I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.
I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface recieves its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
Outside users with certain public ip addresses are not able to access our website. Below is a log from our ASA 5550 8.2(5) on one of the clients that's being dropped. Packet trace result shows that the outside public addresses are allowed. We do have a TAC case open.
how to configure a backup route to the internet. My client has 2 ISP and basically they want to use 1 ISP and in case the ISP fails, use the other one as backup route to the internet.
The problem I’m facing is that each ISP is plugged to a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other. Both ASA are plugged to an internal network in a dedicated VLAN with a L3 switch and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and in case the ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2? It would be great if I can send traffic to the internet thru both connections at the same time. Also, I know the ASA has High Availability configuration, but that applies only if both licenses in the devices are the same and I have a mismatch with the SVPN license, and also I don't know if with my current topology I can use the High Availability model, so I think I can’t use that option and the solution must be applied in the L3 switch, but I don’t know how to tell it to use ASA1 and if failure of the device or the outside interface plugged to ISP 1, then use ASA2. Besides, I would like to know how to optimize this config to do the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls).
I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason. See output below (ASA 5510 with 8.0(5)23 code):asa5510-8.0# show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]
I have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.I was wondering if the support contract that I curently have for the two ASAs is still valid or do I have to buy any support upgrade?
I am having an issue where the ASA is dropping packets on the vlan interfaces. I have it as a dedicated router/firewall for a 100mb connection .
Vlan1 is the internal networkVlan2 is the network to cable modem
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full Duplex at each end, this is the inside interface. Eth 0/0 is the connection to the cable modem, this is the outside interface, set at auto at both ends.
Im getting on the vlans eg. 51253 packets dropped however network traffic isnt impacted and everything runs fine, as well as 46532 switch ingress policy drops.
ciscoasa# sh int vlan1Interface Vlan1 "inside", is up, line protocol is up Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec MAC address 70ca.9b36.ab80, MTU 1500 IP address 10.x.x.x, subnet mask 255.255.255.0 Traffic Statistics for "inside": 43250588
We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB. We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG inbetween), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.We opened a case with Microsoft and they told us that not all tcp-syn packets are received by the Exchange server which were sent by the TMG.Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router.This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
Maybe it's dropped in the ASP, or is the capture maybe not valid?Here the show asp drop:
ASA01-Internet# sh asp drop Frame drop: Invalid TCP Length (invalid-tcp-hdr-length) 1 Reverse-path verify failed (rpf-violated) 319 Flow is denied by configured rule (acl-drop) 477077 First TCP packet not SYN (tcp-not-syn) 10212 TCP data send after FIN (tcp-data-past-fin) 41 TCP failed 3 way handshake (tcp-3whs-failed) 824 TCP RST/FIN out of order (tcp-rstfin-ooo) 1419 TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff) 6 TCP SYNACK on established conn (tcp-synack-ooo) 1 TCP packet SEQ past window (tcp-seq-past-win) 821 TCP invalid ACK
I am trying to configure my ASA 5545 firewall in area 0 but when I do so, the neighbor relationship never establishes. A debug on OSPF gives only one response: [code] Why the ASA is ignoring the input packets?
I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run
Current configuration : 8005 bytes ! version 12.4 no service pad