Cisco LAN :: 2651XM Command To Disable Packet Inspection?
Oct 3, 2012
-cisco 2651XM
-IOS: c2600-ipbasek9-mz.124-23.bin
I need to disable RDP packet inspection on this router but I can't find where I do that. I'm having trouble with audio on a sip line and I read here (bottom of page) url...that turning off RDP packet solved the problem. I've looked through the config and searched on google but couldn't find the answer. What is the command to turn off RDP packet inspection?
Jun 13, 2012
I am using the Cisco ASA5510 for my Telepresent infrastructure. I have a problem with Encrypted SIP calling for call in/out.
Is there a way to disable the TLS inspection for Cisco ASA5510?
Jan 18, 2012
I am having issues with PXE boot images for PCs cannot be loaded from remotely. The diagnosis revealed that SunRPC & TFTP were being inspected by ASA causing drop of packets. So I excluded these two inspections for the particular server behind the firewall. It seemed to resolve the issue for instance but it crawled back again.
Is there a way that the inspection can be turned off for that particular server at the IP level?
Oct 4, 2011
I have two RV 120W routers with an IPSec VPN. I have problems with VoIP traffic inside the VPN. In PIX and ASA systems I know the solution is to disable h323 inspection. Is it possible to disable h323 inspection in a RV 120W Router?
Oct 31, 2011
Cisco 2651xm router
IOS: c2600-ipvoicek9-mz.124-15.T7.bin
Can a 2651XM router be configured as a PPTP VPN endpoint (client)? I ask because I want to connect this router to a professional vpn (privacy) service such as proxpn or mullvad or similar. If it can't, any vpn privacy services that cater for cisco-based vpn connection?
Feb 21, 2012
We have a number of 2651XM with WIC-1ADSL. These are supplied by another company and we do not have access to the configs. We are told that the maximum throughput from the ADSL WIC to the FastEthernet 0/1 is 2.5Mbps ("it's a backplane issue"), even though the ADSL speed reported by the router on the external interface is 8MbpsT
Oct 2, 2012
cisco 2651XM router
IOS: c2600-adventerprisek9-mz.124-15.T8.bin
If I do #sh arp in the terminal with this router I see a rogue entry thus:
Internet 192.168.0.4 0 Incomplete ARPA
My whole LAN operates on 172.16.x.x/16, there are no 192.168.x.x devices connected. In the past I've had 192.x.x.x devices running but for a long time and the router has been restarted since then. I've tried several clear commands in the terminal but this entry is stuck there and I've also seen it in a wireshark scroll on a pc when monitoring the router's adsl traffic - it shows up as an SNMP entry and I do use SNMP on my router, but that data goes to a 172.16.x.x machine. How can I clean this entry out?
Apr 17, 2012
I have Cisco 2651XM and currently running old IOS c2600-is-mz.123-26.bin (IP PLUS) which I used the NAT protocol. I was wondering can I use IP-BASE on this router and I am not sure if this feature set has NAT protocol.
Aug 4, 2012
We have a Cisco 2651XM at the edge of our network, which routes our public IP block. This sits on a 100 Mbit/s ethernet pipe (full duplex) up in the datacenter. We are also running 100mb full duplex on our side of the network. We have several public servers behind the router.
We have recently set up a new Apple OS X Lion Server to serve a few websites. However, when downloading some files from the server from a remote location, I noticed I can only get a maximum of 15 Mbit/s out of the connection.
When downloading a large file over HTTP (Apache) from this OS X Lion server from another server on the same internal network (behind the router), we get a full 100 Mbit/s transfer speed.
However, when we download the same file from anywhere on the internet (external side of the router), we can only manage to get 15 Mbit/s out of the transfer.
However, we also have other Linux & Windows servers that we can achieve a full 50 Mbit/s (our office connection speed) externally under the same network conditions.
So it also appears it's only for a single connection - not a limitation for the whole server. If I open two HTTP connections, I can get say 15 Mbit/s out of each transfer - totalling 30 Mbit/s... if that makes sense.
Update: I also notice slower ping latency when pinging from outside the network. Most of the servers reply in 15ms while the new OS X server usually takes over 40ms on average.
Router show ver:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(11)YT2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
[Code].....
Jul 10, 2012
cisco 2651xm router with WIC1-adsl card and NM-16ESW switch
IOS: c2600-ipbasek9-mz.124-23.bin
I recently had to temporarily disconnect my above router for a few days and replace it with a cheap plastic home router and was embarrassed to discover my adsl broadband speed shot up 45% with the cheap router. With the cisco 2651XM I always got a max download of 400kb/sec but with the cheap router I was getting 580kb/sec. Clearly something is wrong with my cisco config. I put this down to the mtu setting, which in the cheap router wasn't shown but set to auto. I've tried different mtu settings in the cisco router (including 'no mtu') but never get more than 400Kb/sec. My isp indicates optimum mtu is 1500 but that doesn't produce any speed increase. What can I do here to get the cisco router working to maximum speed?
Oct 12, 2012
cisco 2651XM router with WIC1 adsl card and NM-16ESW switch
IOS: c2600-ipbasek9-mz.124-23.bin
I use the following config to export traffic from the adsl card to a fastethernet port so I can look at the adsl traffic in wireshark on a pc:
router(config)#ip traffic-export profile my_rite
router(conf-rite)#int FastEthernet 0/0
router(conf-rite)#bidirectional
router(conf-rite)#mac-address abcd.efgh.ijkl (mac address of PC)
router(conf-rite)#exit
router(config)#int dialer0
router(config-if)#ip traffic-export apply my_rite
This config works and I can see stuff going on in wireshark but it's only one way. This config only shows traffic going out from my adsl card, but no incoming. There is definitely traffic going both ways because everything about my adsl connection is working perfectly. I've tried using a different fastethernet port, even tried exporting to a different pc but all I see is outgoing, i.e. source is my public ip address but never as destination. I have bidirectional in the config but it still only shows outgoing. I even tried a different IOS (c2600-adventerprisek9-mz.124-15.T8.bin) but still it doesn't show incoming traffic. Could it be my ISP in some way hiding incoming traffic from view?
Feb 19, 2012
Our WAN is connected via L2WAN and using EIGRP to connect the sites. Currently there are 35 EIGRP neighbors over L2WAN and we are to install 15 more sites and will be connected to the same L2WAN. Some sites are still using Cisco 2651XM and we would like to know if it can still handle another 15 EIGRP neighbors. Some sites are 2800 and 2900 routers. And are there any other things to consider for EIGRP over L2WAN?
Sep 23, 2012
I'm trying to set up a home lab with a couple of 28XX and 2651XM series routers. I would like to simulate a frame-relay connection between HQ, Branch1 and Branch2. All of them are connected to a PSTN switch (2811 router) via T1 cross over cables. The connectivity is like this. [code] I have configured all the routers and FR switch with necessary configuration. However the link between HQ and Branch1 is not coming up. On both the routers I could see the line protocol is down. I have pasted the configuration below.[code]
Feb 27, 2011
I'm unable to create pri-group under T1 controllers in 2651xm. I have 3 T1 VWIC controller cards [dual port], tried using different IOS [advance enterprise/IPVoice/SPservices], I can only see channel-group under the controllers.
network-clock-participate slot 1
network-clock-participate wic 0
I haven't added "isdn switch type", does adding this command enable the pri-group? Also when I do sh inv, I see 3 pvdms, but no serial number,
Apr 13, 2013
-cisco 2651xm router
-cisco 1760 router
I have a cisco 2651xm router here at home, and at another remote location I have a cisco 1760 router, both are connected to the internet via adsl (WIC1-ADSL card). The problem is that from home I can't connect to the snmp-service on the 1760 router. I'm using a PC that's on the LAN of the 2651XM router, the blockage is in the 2651XM router, because if I swap it for a cheap plastic domestic router I can get snmp data from the 1760 router, and this is without any port forwarding in the domestic router. What config do I need on the 2651XM router so it will pass this traffic?
Feb 20, 2013
cisco 2651xm router
IOS: c2600-ipbasek9-mz.124-15.T14.bin
I have a 16 port hub (NM-16ESW) installed in this router. Is there a way to lock down this hub so that only whitelisted machines will be allowed to connect to its ports? ie: by mac address or some other type of permission method? How to be able to plug their computer into the hub and join the network unless their device has been ok'd first.
Nov 22, 2011
I was wondering if I can enable url filtering on my 2691 or 2651XM routers so that if someone visits any website I can see that under router logs. Right now I am using kiwi syslog that logs the router activities.
Jan 31, 2012
More and more recently I'm seeing that inspect ICMP and ICMP error do not allow trace route to work through the firewall from inside to outside. I used to go in, enable the inspections and subsequent trace routes worked. Now when this is enabled, the firewall still blocks return trace route.
Jul 8, 2011
We have ASA 5580 with multiple contexts in our company. On one of the contexts (where the DNS servers are located) I can see a lot of DNS drops.
Sep 22, 2011
I am aware there is a feature request but don't see any updates. Taking the chance here that it's fallen through the cracks and someone has figured out another way to monitor inspection load on ASA-SSM-20 IPS. We are currently running 7.0(5a)E4. I want to be able to use Solarwinds Orion to monitor Inspection Load on our IPS devices.
Aug 17, 2011
I'm aware ACLs are handled in hardware on the ASR platform but wondered if there was any way to inspect how many hits we get on each line of an ACL on the ASR. I can't seem to find a command to do this.
Using LOG is not possible due to the large number of hits.
May 25, 2011
I have multiple customers and servers behind my ASA5510s. After moving a new customer with an FTP server behind the firewalls, they immediately had issues with customers connecting to their FTP server. I had the default inspection rules running regarding FTP. After removing the "inspect ftp" from the global policy their issues went away. Since this is a larger customer I can't force them to change their server, I need to accommodate and fix this on the firewall. I left the "inspect ftp" command out and there have been sporadic issues from other customers, unable to connect to outside FTP servers from the terminal servers and timeouts and disconnects to our own FTP servers.
This is what I "think" is the solution.. I added a second inspection policy after the default one and only added "inspect ftp" to it. Then I used the "exclude" option to exclude the new customer. That new customer is fine and things are better, but still not working right. Does the following config accomplish what I want?? Does the exclude ACL get what I need or do I need an "include" or permit statement in that ACL?
object-group network DM_INLINE_NETWORK_10
 network-object 172.24.X.0 255.255.255.0
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
access-list global_mpc extended deny tcp any object-group DM_INLINE_TCP_1 object-group DM_INLINE_NETWORK_10
(code)
Jan 12, 2011
I'm trying to configure HTTP Inspection with regex matching on a ASA 5505 (8.2) so that I can deny all websites apart from google and yahoo. And also exclude host 192.168.1.2 from this inspection. I have been through a number of examples and the syntax below appears correct but appears not to work. The logs report only that traffic has been dropped by the inspection policy.
Jan 29, 2013
ASA 5520 running 8.4.5: We had an issue with a remote SMTP connection getting screwed up as a result of ESMTP inspect. It took me 3 hours of troubleshooting the SMTP connection before finally figuring out that the firewall was the culprit. What really threw me off was that I saw nothing in the ASA logs (warning and above) that showed packets were being dropped. I'm probably crazy but I thought I remembered seeing entries in the log when packets were dropped due to a type of inspection (specifically, I remember entries in the log saying something to the effect of packet dropped due to ESMTP inspect, packet too big). My question to Cisco TAC was: Is there a simple way to have the log give a warning every time a packet is dropped due to any inspection rule, just like we can see any drops due to ACLs? So far the only answer has been a complex list of log changes to allow debugging and notifications of certain events. This isn't something I want to roll out to all my ASAs.
Aug 20, 2012
I have an SF-300-24 port switch and am having an issue. When a device says "Who has 192.168.0.1" (which is the default gateway) two devices are replying in the affirmative, and therefore the MAC address table is getting screwed up. I know the correct MAC address of 192.168.0.1 is 00:1b:21:95:02:b0, so how do I tell the router to discard any packets that say otherwise? I tried to figure out DHCP snooping and IP source guard, and ARP Inspection, but I am not getting anywhere and keep losing connectivity to the switch.
Obviously a device on the network is misconfigured, unfortunately it is a large wireless network and the misconfigured device is 30 miles away on the top of a mountain. I am hoping to bandaid it locally and then eventually go out and fix the offending equipment.
Aug 9, 2012
We have several customers running ASA 8.4x code and all seem to be plagued with the ESMTP inspection bug CSCtr92976. I have tested this in the lab with an ASA 5505 running 8.4(1), 8.4(2) and 8.4(4)1 & 8.4(4)3 and the behaviour is always the same. I have an Exchange 2007 server and I can see in the logs the following messages:
2012-08-10T13:04:37.331Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,3,192.168.102.28:25,192.168.250.26:52756,<,XXXX XXXXXXXXXXXXXXX,
2012-08-10T13:04:42.345Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,4,192.168.102.28:25,192.168.250.26:52756,>,500 5.3.3 Unrecognizedcommand,
2012-08-10T13:05:20.506Z,EXCHANGEDefault EXCHANGE,08CF3610468A42D7,5,192.168.102.28:25,192.168.250.26:52756,<,XXX,
This is with the default ESMTP inspection enabled. I have also created a custom ESMTP inspection policy that does nothing but log and the behaviour is still the same. Sometimes traffic will pass but most of the time it won't. The workaround is to just disable the ESMTP inspection.
Sep 21, 2011
By default ASA applies DNS packet inspection with a default (maximum) packet size of 512 bytes as recommended by RFC 1035, anything above is dropped.
I have a customer that is trying to use larger packet sizes due to extension mechanisms for DNS defined in RFC2671.
My question is, is it safe to increase the default packet size in the DNS inspection thus applied globally for all DNS traffic, or should / can we apply a policy that applies only to this specific customer?
May 3, 2011
Let me know how to enable HTTP inspection in ASA 5505 through ASDM.
Mar 6, 2013
How do I configure dynamic alp inspection for 300 or 500 series? I find in the admin guide it's not simple to do.
May 9, 2012
I was under the impression that all Cisco ASA firewalls shipped with a default inspection policy.
Example
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
[Code]......
Can I build this myself? Why is it missing (I have two other ASA 5505s here that also do not have it)? What would I do to rebuild it?
Mar 2, 2011
I have a network of 3750's configured for DAI with DHCP Snooping implanted and working with windows XP for around a year. Now we've changed a couple machines for windows 7. I have a floor with around 200 workstations on XP and about 4 on Seven. Two of these WIN7 are triggering the err-disable for arp inspection (configured by default to block interfaces sending over 15 arp pps). I noticed that when I go on windows -> network and I do a refresh, sometimes (most of the time after boot up or idle time) it will trigger the massive arp response on the network. I noticed that all hosts on the network updated their arp entry for that computer (win7) at the same time, for some reason I don't know. The windows 7 tries to reply over fifty arp requests for its IP which caused the port to be put on err-disable. There were no applications running on the windows7 computer at the time of the tests, only wireshark and its default services. This computer has configured: DHCP with WINS. It's on a windows domain, has netbios over TCP.
Jan 10, 2011
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
class-map inspection_default
 match default-inspection-traffic
What does "default-inspection-traffic" include? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
Jul 16, 2009
I have an issue with Cisco ASA 5520. The summary is below!
Packet # 1 on inside capture the Call-ID was: Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1
Packet # 1 on outside interface the Call-ID was: Call-ID: 2a54f680-a5d1de2a-160c-164070a@149.5.33.44 --- this is because of the inspection.
Packet # 2 on outside capture the Call-ID was: Call-ID: 2a54f680-a5d1de2a-160c-164070a@149.5.33.44
Packet # 2 on inside capture the Call-ID stays: Call-ID: 2a54f680-a5d1de2a-160c-164070a@149.5.33.44 --- this is the problem.
(This is supposed to be Call-ID: 2a54f680-a5d1de2a-160c-164070a@10.7.100.1)
The inspection should change the Call-ID for the incoming packet as it did with the outgoing packet. Whenever the CM receives the trying message with a different Call-ID, it considers it a new session and it keeps sending invitation messages for the SIP provider. NAT is enabled.