I had a problem with an IP address conflict from a Cisco 2911 router. All the time the router responds with an ARP reply (duplicate use of IP: x.y.z.t with the same MAC address), and the IP that is the subject of the conflict doesn't appear in any of the router's interface configurations (basic configuration without DHCP). The problem was solved when I deactivated proxy ARP, but I can't understand this behavior: why does proxy ARP respond to all IP addresses with the same MAC even if the IP doesn't exist in the router?
I am trying to connect to a security-enabled wireless network. I have the key. My problem is that I can't seem to figure out how to enter it. When I try to connect I open the "view available networks" window. I see the network name and it shows a strong signal (all 5 green bars).
We are experiencing bridge storms and network slowdowns and we believe we have traced the issue down to users plugging a cat 5/6 cable between 2 ports on the wall, both wired back to an SGE2010 switch.
So we did a test - we plugged a single short cat 6 cable between 2 ports on an SGE2010, our access switch. Surprisingly, even with STP enabled, the switch DID NOT block one of the ports and in a few minutes the ENTIRE NETWORK was down, as CDP, STP, and ARP traffic became a multi-gigabit storm throughout the network.
Why on earth does this switch not block a port that is obviously looped?
Every other Cisco switch since I started on 1900XL's did this in 1999.
We have purchased a number of 2911 routers. We got the Base & Security license as we wanted to enable encryption. However, we probably won't use the security. We are replacing 2811 routers. Unfortunately the 2811 routers have FXS ports with 2 - 4 POTS handsets - I completely forgot about these ports when I was ordering. Now I have VIC3-FXS cards which are OK in the 2911 but unfortunately I can't get them to work. I am missing PVDMs (well, adapters anyway), and even if I got them the router won't take any commands relating to voice due to the license. Is it possible to 'rehost' the security and turn it into a UC? I am new to these 2911s and licensing.
I went through all the discussions regarding how to block access to some web sites, and I was trying to implement them but it didn't work. I've used an 887G-3G-K9 router and a UC540, and I'm not sure if it's possible to do that on them or whether I need to get a license for that or buy an ASA. How can I check that URL blocking is an available feature on those devices?
I've used 2 methods:
2) class-map and policy-map
class-map match-any http
 match protocol http url "*facebook.com*"
 match protocol http url "*www.facebook.com*"
I am trying to connect a Control network that cannot have access to the Internet, or any other network for that matter, to my Admin network so that I can retrieve trend data about the plant that goes into a database. Right now the process is print information, hand jam into an Excel spreadsheet, print again, and hand jam into another Excel spreadsheet on the other network. Reports are printed automatically once a day, but I would like a simplified way of getting data from one network to the other without having to re-enter data several times. Current policies stipulate no USB drives connected to Control systems. Even if we could loosen that, the personnel needed to transfer data are not available and going to each individual machine would take more time than the current system. Now that the background is laid, I have two 2911 ISR routers with EIGRP configured, each with a 4-port EHWIC card. The 3 L3 ports on the router are set up as follows: interface G0/1 to the internet, interface G0/2 to a wireless backhaul, and interface G0/0 for the IT network. I then have 3 VLANs set up on the EHWICs for our Admin network. We will move the IT network to a VLAN on the remaining EHWIC port and connect the two 2911s through the G0/0 interface. I am going to have one computer on my Administration network dedicated to receiving the information and have a program that will take that data and import it to a database. I need to allow only that computer to receive traffic from the Control network and I need no traffic to flow back into the Control network. In other words, I will transmit data from the Control network to the admin computer using one protocol (TFTP more than likely) and block any other traffic coming out of and going into the Control network.
We have a standard modem/wireless setup that has worked fine for years. Last month, my sister brought her laptop over and, for some unknown reason, chose "set up a connection or network" and unknowingly changed the setup to a security-enabled network. I have no idea why she couldn't just log on without any problem. She has the same modem at her house, and I have no problem logging on at her house. Anyway, it now asks for a password, and she swears she never entered one. I can go online if I plug in an Ethernet cord but that means my laptop can only go online at my desk. And I cannot use the internet features on my iPod touch. Is there a way to reset the modem back to a regular unsecured setup?
I have a simple setup where I have a 2911 router with three interfaces: Inside, Outside and a second "Inside" interface which is labelled as a DMZ. The Zone Firewall applied to the "DMZ" is actually Inside (until I can work through problems). I need to be able to access a device on the DMZ via its external IP, so I have designed NAT to use IP Nat Enable commands. This is now working fine for me. However, since utilising IP Nat Enable, my zone firewall now denies return TCP / UDP traffic and consequently I no longer have any internet access. Looking at the syslog messages, the reason for this is that the router is denying these return flows not because they are matching the outside-to-inside policy, but rather because they are matching the outside-to-SELF policy. The router seems to detect that the internet traffic is being returned to SELF, when in reality the NAT rule should pick this up and forward it to inside. I can understand why this is happening, because I am NATting all private / inside traffic behind the external IP of the router, which is assigned to the Gi0/0 interface. [code]
My Toshiba laptop running Vista as an operating system connects just fine to the wireless network at my house. However, I will soon be house-sitting at a house that also has security-enabled wireless available. I connect just fine at my house, but whenever I put in the password at their house it says that it cannot connect because of a timeout. I can't figure out what the problem is, because I recently went to the public library that has wifi and got on just fine. Why in the world will it not connect to this specific wireless router?
My wife and I security-enabled our wireless network several months ago. We recently moved, and after transferring Internet service, we realized we'd lost our passkey. My wife's laptop has, after one failed attempt to connect to the network, refused to even show the network as an available connection. We currently have the router set to broadcast SSID. We have restored factory settings on the router and completely revamped the security setup. We've removed all other networks in the area as optional connections on her computer. We also replaced the Ethernet cord to my desktop because the old one started erratically disconnecting. Nothing's worked. My wife's computer is a Dell laptop using Windows Vista.
We are designing a solution for our customer. They plan to connect 5 sites to their main office. At the main office they use a CISCO2911 and the branches use a CISCO1921, so my questions are:
1. If I want to use IPSec VPN to connect the branches and the main office, apart from the router, I only need to buy the Security pack, like SL-19-SEC-K9/SL-29-SEC-K9, with no need to buy SL-19-DATA-K9/SL-29-DATA-K9, am I right?
2. If I want to use SSL VPN to connect the branches and the main office, apart from the router and SL-19-SEC-K9/SL-29-SEC-K9, I only need to buy L-FL-SSLVPN10-K9 for the CISCO2911 in the main office, with no need to buy L-FL-SSLVPN10-K9 for the branches, as each CISCO1921 has two default SSL licenses?
I have installed CSA on Windows 7 with a rule to block RPC port 135. But when I am scanning this host, this port is still open. I changed the OS to Win Vista and Win7 x86, but there are no changes. Is it possible to block port 135 using CSA on Windows 7?
I want to block 10.0.0.1 and 192.168.1.1 but my router says invalid domain, so will the guest network be able to go to pages 10.0.0.1 and 192.168.1.1 even though I don't block them? I have a bypass account but don't want anyone else to access 10.0.0.1 and 192.168.1.1. Also, can you tell me some proxy sites I can block?
When I run the netstat -b command, I always see a LAN IP sending TCP traffic to my computer with state syn_received:
Proto >> Lan Address >> Foreign Address >> state >> Process id
TCP >> (my ip) >> 192.168.2.222(lan ip) >> syn_received >> 4
My brother's computer has been trying to block numerous websites recently, most notably Google/YouTube and Apple. It doesn't seem to be a problem directly with his firewall, but it's causing many issues. I read another forum post stating to [CODE]
I found an interesting manual at this forum for blocking websites with local content filtering. After I modified the variables to get more details, I stopped at one question. My current problem is "zone-pair".
zone security Z-SECRUTIY-SOURCE
zone security Z-SECRUTIY-DESTINATION
zone-pair security ZP-SECURITY source Z-SECRUTIY-SOURCE destination Z-SECRUTIY-DESTINATION
 service-policy type inspect CM-INSPECT-TRAFFIC
I am currently running Windows 2003 Server Edition and I have an issue. We run a small piece of software for controlling the night's takings, which connects to the tills database on the network. This piece of software is not password protected and is held in a safe; however, it has come to our attention that an employee may have taken possession of a copy of this application and we need to block the application being run on the network. Now this is where it gets difficult. I know that to stop the application I could just use the Software Restriction Policy with Hash Rules, which would solve that. However, the problem is that sometimes people WILL need to run this software on the network and not get blocked. These people may not have their own accounts etc., so I am trying to work out a way that we can allow someone to bypass the software restriction policy with a password prompt. Is this possible or is there another way around this issue?
On connecting the VPN, I am getting this warning: Enabling VPN connection will block all traffic that doesn't get sent to this peer. After Yes, it stops all browsing. I want to access the internet plus the VPN connection.
In my curiosity, when I typed one of my family members, I was so shocked to find that his personal information is right on the websites, as if he gave 'permission' to see his privacy, i.e., his age, marital status, even his home address. When I typed all of my family members, their personal information is also on websites as if they all gave 'permission' to see their privacy.
It's 'privacy invasion' to see all of our family's personal information.
My question is: how do I block websites from viewing all of my family members' personal information?
I am doing a security assessment of an organization that uses 871/881 routers with the firewall features enabled. I see the following commands defining packet inspection done by the firewall software.
-ip inspect name inet-users tcp
-ip inspect name inet-users udp
-ip inspect name inet-users icmp
What I am trying to define is the inspect name "inet-users". It is obviously a constant defined by IOS as it is not defined anywhere in the configuration file like any other "variable" and does not generate an error. What does "inet-users" define? I'm assuming it is all users using the interface(s) where the inspect commands are used, but is that correct? The Cisco IOS manuals do not contain a reference to "inet-users", hence why I'm here asking.
How do I verify if CG-NMS is enabled on an ASA5520? I just need to know if it's enabled/installed to be enabled and used.
Cisco Adaptive Security Appliance Software Version 8.0(5)28
Device Manager Version 6.1(5)51
This is regarding my RV042. Its firmware version is v4.1.1.01-sp (Dec 6 2011 20:03:18), unchanged from how I received it. I purchased it less than a month ago. I have a problem wherein the firewall behavior is not what I expect it to be: I expect only allowed ports/services to be open to a given private IP from the outside but am finding that all are open to that private IP!
Let me describe the current configuration. I am going to blank out all digits of the public IP addresses when discussing them except for the final digits for security reasons. The router's WAN1 is set up as static, X.X.X.189. This is part of my public IP block. WAN2 is disabled. One-to-One NAT is enabled. Three instances of it are set up. One, for example, is 192.0.2.89 (a private IP) mapped to X.X.X.180, a public IP, part of our public block. Forwarding is not enabled. There is no DMZ Host. That is set to 192.0.2.0. Firewall and SPI are Enabled. Access Rules for the firewall are set up in addition to the default rules which are present to Deny all traffic with WAN1 and WAN2 as the source from any source to any destination. This to me means that unless I set up Allow actions, there should be no access from the outside, WAN1. As an example of one of my Allow rules, I have this:
Action: Allow
Service: HTTP
Log: Not log
Source interface: WAN1
Source IP: ANY
Destination IP: Single, 192.0.2.89
Time: Always
My problem: My expectation is that based on the One-to-One NAT setting, the public IP X.X.X.180 is now associated with the private IP 192.0.2.89, but nothing from public to private is allowed unless allowed by the firewall, which is only set to allow HTTP / port 80 to 192.0.2.89. But the behavior is that 192.0.2.89 is, as presently configured, open to everything from the associated public IP, not just port 80, but all ports! It is as if my firewall rules have no impact whatsoever.