Cisco Firewall :: How To Configure ASA 8.2(4) Not To Drop Packets With IP Option 7 (record Route)

Oct 21, 2012

How to configure ASA not to drop packets with ip option 7 (record route)?  According to the docs, ip inspect ip option will drop all ip option packets except 0,1,and 20 (EOOL, NOP, or RTRALT):
"If an IP header contains additional options other than EOOL, NOP, or RTRALT, regardless of whether the ASA is configured to allow these options, the ASA will drop the packet. "
Also, policy-map type inspect ip-options treats only these 3.

View 1 Replies


Cisco Switching/Routing :: WS-C3560CG-8TC-S / Speed Reduced And Drop Packets With QoS?

Apr 11, 2012

I put a QoS in a  WS-C3560CG-8TC-S  version 12.2(55)EX2.  in our lab file upload or download speed much reduced and drop the packets with QoS everyting is fine without QoS
Here is the config: My question is why I speed reduced a lot and packets to be dropped with QoS.everything is fine WITHOUT QoS.

class-map match-any VoIP  description Voice IP Phone RTPmatch access-group 157
class-map match-any WEB  description Internal Web, SSL Web, DNS query, Pinnaclematch access-group 153
policy-map QOSMARK
class VoIP  set dscp ef
 class WEB  set dscp cs3


View 4 Replies View Related

Cisco Switching/Routing :: 1760 / Make Router To Drop Packets Instead Of Rejecting Them?

Mar 31, 2012

I've got a 1760 router which uses port forwarding (25, 80 and 443) for my internal network services. If, let's say, I try to open a FTP connection on the router, of course the connection will be refused. Is there a way to make the router DROP the packets instead of rejecting them? My Linux iptables configurations drop packets who fail the firewall test, so I would like the router to perform that behavior.Commands for port forwarding:ip nat inside source static tcp 80 int f0/0 80 (these work fine)

View 4 Replies View Related

Cisco Routers :: Configure SR520 To Route Internet VLAN To Firewall

Jan 20, 2012

My operations manager says "Could you go on-site and configure a new clients new internet connection?" I make the arrangements and go on-site. As I'm working with the providers tech he says "Do you have a sub-interface confgured for a dot1q VLAN id of 1057?", I say "What?". Anyway my firewall is not capable of dot1q VLAN, so he says "Do you have a Cisco router that can provide the trunking?", I say "Yes, I tink so but not with me". The question is can I use an SR520 between my firewall and the provider demarc to route the VLAN he is talking about? My initial discovery says yes but I am not quite sure of the details on how to achieve this on the SR520.

View 2 Replies View Related

Protocols / Routing :: How To Route Promiscuous Packets

Mar 21, 2011

I am trying to finish a project and i now have a very un-natural networking question, but i figure that this is the correct place to ask it.

Routing Device = Router.
Test App = Creates and Sends Packets through my machine's NIC via NDIS Driver.
WAN = Internet.
VPN = Connected over WAN.

I am trying to route/forward/nat promiscuous packets "TO" the Internet to finish my project. The packets are not addressed to my routing device, but it must take them and forward them on to a VPN connected over the WAN. The packets are actually created by my NDIS test app. This means that the packets will be generated on my local LAN, but will not contain the MAC or IP of the routing device. So they will only enter my routing device while it is running in a promiscuous mode.. how would you try to route promiscuous packets out to the internet?

View 6 Replies View Related

Cisco Routers :: Configure DHCP Option 150 On RV220?

May 3, 2012

Is it possible to configure DHCP option 150 on the RV220?  I have a Cisco 7940 IP phone that is trying to connect back to my office. The VPN is up and I can ping the relevant server but I can't see any way to configure the DHCP option.

View 5 Replies View Related

Cisco Routers :: RV042 / How To Configure Some DHCP Option

Jun 19, 2012

I have a RV042 VPN Router with the latest firmware v4.2.1.02.This Router is connected to the main site by a VPN Tunnel.
Now, I like to configure some DHCP Option so I can put a IP Phone behind the RV042. The IP Phone should receive a IP by DHCP from the RV042 and of course, the IP of the Call Manager with the Option 150.
I can configure DHCP and it works fine but I can't find where I have or can configure Option 150.

View 3 Replies View Related

Cisco Firewall :: 5510 Trace-route / Antispoofing On Not Default Route

Jun 24, 2011

I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.

View 1 Replies View Related

Cisco WAN :: Configure QoS On 877 Router To Give Priority To Voice Packets?

Dec 6, 2010

I'm trying to configure QoS on my 877 router to give priority to voice packets.  However, when I do a show policy-map for WAN interface, all the classes show 0 bps.  When I do a show int for the WAN interface, I get the correct bandwidth util.
This 877 is meant for a home network.  I'm running a Cisco 7970 phone using phone-proxy back to my HQ. I'm also shaping the traffic.
Here is my config
Class Map match-any EF (id 1)
   Match ip  precedence 5
  Class Map match-any class-default (id 0)
   Match any

View 5 Replies View Related

Cisco Firewall :: CGR2010 - Using Zone Firewall Option?

May 25, 2011

I will be using a cgr2010 and want to use the zone firewall option. Can i configure sub interfaces on the same main interface to be in different zones

View 1 Replies View Related

Cisco Firewall :: ASA 5510 / 4GE SSM - FP L2 Rule Drop

Nov 10, 2011

ASA 5510 running without issues for a while but we needed extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future.  So we upgraded the firmware and no are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port, we can't even connect to an external DNS server.  Running a packet trace I get an immediate error on the first step '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me. 

View 28 Replies View Related

Cisco Firewall :: AnyConnect 3.0 Profile Drop-down List

May 2, 2012

Working as a consultant I find it annoying I cannot see a drop-down list in the AnyConnect client as you can with the traditional IPSEC VPN client with multiple profiles. How to modify the default profile to list multiple entries?

View 5 Replies View Related

Cisco Firewall :: Option For ASA55xx - To Install Csc-ssm And Aip-ssm IPs Modules

Jul 19, 2012

Is there any option available in any of the Cisco ASA55xx series model to install both csc-ssm and aip-ssm ips modules ? If, so is it advisable to install both ? Is the throughput of ips module has any dependency with the asa chassis throughput ?

View 1 Replies View Related

Cisco WAN :: Configure Policy Based Route On 2811 Router?

Jan 19, 2013

configuring policy based route for my cisco router?Basically, I have a 2811 cisco router with 2 ADSL ports. 1 port is for iiNet line and another port is for Telstra line.I want to configure a policy based route on the router so that:Any traffic coming from 1 internal IP (i.e. 172.16.x.1) will go through iinet line (i.e. Dialer 0) interface.Any traffic from rest of the office will go through the Telstra line (i.e. Dialer 1) interface. Is there any easy way to configure this policy based route?

View 8 Replies View Related

Cisco Switching/Routing :: How To Configure Route Between Two Subnets On 2960-S

Jun 21, 2012

configuring a working route between two subnets ( and on a Cisco Catalyst 2960-S.
Problem: The subnet is on VLAN 40 and the clients on this subnet have to access a preconfigured device with an ip in subnet. The configuration of this device cannot be changed.
I have an Cisco 2960-S Lan Base (c2960s-universalk9-tar.150-1.SE3) switch [URL] that I would like to use to solve this problem.

View 17 Replies View Related

Cisco WAN :: 12416 Configure Static Route Load Balancing

May 14, 2011

I got an issue when configure my 12416 router.
I plan to configure Static route load-balancing, which just assign different administraive distance to static routes.The route with lower distance is preferred. For example, if ISP A is our primary Internet provider the default  route may be configured with a distance of 1 (all static routes are assigned this administrative distance) and the default route through ISP B may be configured with a distance of 100. In that case the default route through ISP B will be used if only the route through ISP A becomes unavailable.

But when I trying to configureWith Enhanced Object Tracking  to do the route failover (a generic track object can monitor presence of an ip route, state of an SLA), I found my IOS not support such Track command. [code]

View 2 Replies View Related

Cisco LAN :: 1841 - Configure Dynamic / Static Nat With Route-Maps

Aug 4, 2009

Basically I have an internet router (1841ISR) with 1 internal (LAN) connection and 2 internet connections. What I want to do is route specific traffic for 3 of my internally hosted services (smtp, https, etc) through one internet connection (fa0/0) and then route all other traffic through the unmanaged/dynamic IP ADSL connection (Dialer 0).

View 9 Replies View Related

Cisco Firewall :: 887VA-W Keep Getting Drop Packet Error Message

Jul 13, 2012

I have an 887VA-w connected at home. I am using ip virtual-reassembly an all interfaces (dialer and all internal VLANs), I am also using CBAC (currently setting up ZBF). The issue I am having is that I keep getting drop packet error messages and the reasons can differ. Below are some of the outputs I recieve: [code] I have done a show ip virtual-reassembly on all the interfaces and the counter is shown as 0.

View 6 Replies View Related

Cisco Firewall :: Drop Rate-1 ASA 5505 Web Server Not Accessible

May 8, 2012

My web server was down for the day now it's back on but the ASA not accessible with error drop rate-1 exceed

View 3 Replies View Related

Cisco Firewall :: Resolving Drop During Port Forwarding On ASA5500

Jan 10, 2012

I am attempting to port-forward on an ASA 5500 to internal host .100. The outside interface recieves its IP via DHCP. Packets are being denied so I ran packet-tracer and get the following error from outside to ssh port on internal host.
#packet-tracer input outside tcp 79.x.x.x 1025 71.x.x.x ssh
 Phase: 1
Result: ALLOW

View 7 Replies View Related

Cisco Firewall :: ASA 5550 Proxy Inspector Drop Reset

Dec 19, 2012

Outside users with certain public ip addresses are not able to access our website.  Below is a log from our ASA 5550 8.2(5)  on one of the clients that's being dropped.  Packet trace result shows that the outside public addresses are allowed.  We do have a TAC case open.

View 1 Replies View Related

Cisco Firewall :: Disable Telnet Option Completely In ASA 5510?

Dec 12, 2012

I want to disable the telnet option/feature on ASA 5510
i tried no telnet  alone it wont work as i didnt configured any telnet at all.

View 1 Replies View Related

Cisco Switching/Routing :: How To Configure Sm-es2-16-p Service Module To Route Over 2911

Jun 17, 2012

Any example of how to configure an sm-es2-16-p service module to route over an Cisco 2911?

View 2 Replies View Related

Cisco Switching/Routing :: 5510 How To Configure A Backup Route To Internet

Jul 24, 2012

how to configure a backup route to the internet.  My client has 2 ISP and basically they want to use 1 ISP and in case the ISP fails, use the other one as backup route to the internet.
The problem I’m facing is that each ISP is plugged to a dedicated ASA 5510, so 1 ISP in one firewall and 1 in the other.  Both ASA are plugged to an internal network in a dedicated VLAN with a L3 switch and that L3 switch manages the internal network.
My question is, how can I tell my switch to use ASA1 to go out to the internet and in case the ASA 1 OR THE LINK TO INTERNET used by ASA 1 fails, use ASA 2?  It would be great if I can send traffic to the internet thru both connections at the same time.  Also, I know the ASA has High Availability configuration, but that applies only if both licenses in the devices are the same and I have a mismatch with the SVPN license, and also I don't know if with my current topology I can use the High Availability model, so I think I can’t use that option and the solution must be applied in the L3 switch, but I don’t know how to tell it to use ASA1 and if failure of the device or the outside interface plugged to ISP 1, then use ASA2.  Besides, I would like to know how to optimize this config to do the switch between internet connections seamless to the users if possible (there are VoIP calls on this floor, so I don't want to drop the calls). 

View 5 Replies View Related

Cisco Firewall :: ASA 5510 / 8.0 - Capture Type ASP Drop Entries With No Reason?

Dec 4, 2011

I have a capture set up of type "asp-drop all", and I am capturing certain packets with no indicated ASP drop reason.  See output below (ASA 5510 with 8.0(5)23 code):asa5510-8.0#  show capture, capture ASP type asp-drop all buffer 15000 circular-buffer [Capturing - 14912 bytes]

View 2 Replies View Related

Cisco Firewall :: ASA 5510 High Drop Count On Management Interface

Sep 4, 2012

I have a 5510 FW in multi-context mode that is showing a high drop count on the Management interface in the Admin context.

View 1 Replies View Related

Cisco Firewall :: ASA5510-BUN-K9 / Find Out Rate-limit Drop Source Ip?

Nov 22, 2011

I have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.I was wondering if the support contract that I curently have for the two ASAs is still valid or do I have to buy any support upgrade?

View 1 Replies View Related

Configure Netgear Router Dgn1000 To Route Time Warner Road Runner Ethernet?

Mar 1, 2012

In order to feed my netgear dgn1000 adsl modem/router with a rca roadrunner modem with ethernet single jack do I enable NAT or not on Netgear router and do I use router as DHCP or not?

View 2 Replies View Related

Cisco Firewall :: ASA5505 Dropping Packets

Apr 30, 2013

I am  having an issue where the ASA is dropping packets on the vlan  interfaces. I have it as a dedicated router/firewall for a 100mb connection .
Vlan1 is the internal networkVlan2 is the network to cable modem
Eth 0/1 is connected to a 2960G switch with hard coded 100mb Full  Duplex at each end, this is the inside interface. Eth 0/0 is the  connection to the cable modem, this is the outside interface, set at  auto at both ends.
Im getting on the vlans eg. 51253 packets dropped however network  traffic isnt impacted and everything runs fine, as well as 46532 switch  ingress policy drops.
ciscoasa# sh int vlan1Interface Vlan1 "inside", is up, line protocol is up Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec MAC address 70ca.9b36.ab80, MTU 1500 IP address 10.x.x.x, subnet mask Traffic Statistics for "inside": 43250588


View 1 Replies View Related

Cisco Firewall :: ASA 8.2.4(4) Seems To Be Dropping Valid TCP SYN Packets?

Feb 28, 2012

We have a setup with a MS-TMG - ASA (8.2.4(4) in routing mode) - (internal) Router - FWSM - Router - Exchange with NLB.  We have now the problem that IMAPS is not really working through this setup. It works from internal (without ASA and TMG inbetween), but not reliably through the internet. There is a rule on the ASA which permits the ports from the TMG to the Exchange NLB address.We opened a case with Microsoft and they told us that not all tcp-syn packets are received by the Exchange server which were sent by the TMG.Thus I sniffed on the ASA with a packet capture and indeed, a lot of syn packets were on the interface to the TMG, but not anymore on the interface to the internal router.This ASA also filters all other internet<->company traffic, so there's a lot of stuff running.
Maybe it's dropped in the ASP, or is the capture maybe not valid?Here the show asp drop:

ASA01-Internet# sh asp drop
Frame drop:  Invalid TCP Length (invalid-tcp-hdr-length)                                  1  Reverse-path verify failed (rpf-violated)                                  319  Flow is denied by configured rule (acl-drop)                            477077  First TCP packet not SYN (tcp-not-syn)                                   10212  TCP data send after FIN (tcp-data-past-fin)                                 41  TCP failed 3 way handshake (tcp-3whs-failed)                               824  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 1419  TCP SEQ in SYN/SYNACK invalid (tcp-seq-syn-diff)                             6  TCP SYNACK on established conn (tcp-synack-ooo)                              1  TCP packet SEQ past window (tcp-seq-past-win)                              821  TCP invalid ACK


View 9 Replies View Related

Cisco Firewall :: Route To Internet Through Old PIX515 Firewall

Jun 10, 2012

We have a wifi network for guests, that we route to internet through an old PIX515 Firewall. We recently tuned the timers to lower values in order to "save" on resources and publix address usage.
The timers we use are:
-timeout xlate 0:30:00
-timeout conn 0:30:00 half-closed 0:05:00 udp 0:02:00 icmp 0:00:02
Through verifying the new timers, we noticed at some xlate connections (TCP PAT) that are idle for ever!!In the connection table, I cannot find an idle connection for longer than 1h....

View 1 Replies View Related

Cisco Firewall :: 5545 OSPF Input Packets Ignored

Sep 26, 2012

I am trying to configure my ASA 5545 firewall in area 0 but when I do so, the neighbor relationship never establishes.  A debug on OSPF gives only one response: [code] Why the ASA is ignoring the input packets?

View 4 Replies View Related

Cisco Firewall :: 871 - Default Class Map Is Dropping All Packets

Aug 21, 2012

I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time.  I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part.
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing. Cisco871#sh run

Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad


View 1 Replies View Related

Copyrights 2005-15, All rights reserved