I have a network behind an 861 and users are unable to access e-mail from the local exchange server from their iPads using the 802.11wireless network. The wilrelss network is working fine and the iPad users connect fine.I was told that that i need to configure "hairpin DNS".
View 2 RepliesI am position to migrate from CatOS 6509 switch to native IOS 6509 switch. long time ago, there was some site to convert automatically based on copy and paste onto the tool, but i can not find.
Does anybody know how to convert CatOS configuration to Native IOS configuration ? It is not IOS change, but it is configuration convert.
I have been searching for days trying to find out what could be wrong with the configuration of an ASA5505 running Firmware version 7.2(2). I am trying to set up a hairpin connection between my laptop on the VPN tunnel (192.168.25.12) to access the server across the L2L VPN (192.168.1.10) on the diagram below.
The remote VPN function is working, as I can RDP to the 192.168.25.10 server from my laptop, and the L2L VPN is working since I can RDP from server 192.168.25.10 to server 192.168.1.10. I am trying specifically to run RDP from my laptop without having to log into the .25 network.
I have tried multiple changes to my NAT tables and my ACL configurations to no avail.[code]
We have a corporate site with a Cisco ASA 5580 (8.1), a remote office with a Cisco ASA 5510 (8.2) with a L2L VPN to corporate. A vendor has a L2L VPN to the corporate ASA with access to the remote office across the VPNs (hairpinning). The corporate office accesses an application at the vendor on port 23. Everything is working with regards to the vendor accessing resources to the remote office and the corporate office accessing the application at the vendor. Our goal now is to restrict the vendor to port 23 from the corporate network and port 9100 to the remote office. On the corporate ASA I setup a VPN filter and applied to the vendor's L2L vpn but when I apply the filter (see below) all traffic stops to the vendor such as telnet.
View 6 Replies View RelatedI have several machines behind this firewall. Each machine has it's own outside static IP and i've setup a NAT for each machine to their outside IP.Everything is working great, EXCEPT, from behind the firewall, I can't browse my own websites that I am hosting from behind the firewall. From a command prompt, the machines can resolve the url to the correct outside IP of our web server. Our DNS is externally hosted. I just can't get a website to open from behind the firewall. IE won't connect.
I did some logging, and I see from the firewall logs, the inside machine trying to hit the external ip. The log shows an INTERNAL IP on a random port trying to hit the external IP of our webserver on port 80. It says success! If I use packet tracer entering the same ips and ports, it also says success. And yet the site won't load on the inside machine?
The client machine I am testing from behind the firewall does also have it's own natted external ip. I'm not a command line/scripts guy. Looking at my ASDM Device Setup Interface GUI pagae, I see at the bottom both boxes are checked, one for enable traffic between different interfaces at the same security level, and the other enable traffic between hosts on same interface. My outside interface is security 0, my internal network interface security is 100.
Need configuring Client to Site IP Sec VPN with Hairpin on Cisco ASA5510 - 8.2(1).
The following is the Layout:
There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
I have been able to configure Client to Site IP Sec VPN
1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
2) With Split tunnel with simultaneous assess to internal LAN and Outside Internet.
But I have not been able to make traditional Hairpin model work in this scenario.
Following is the Running-Cong with Normal Client to Site IP Sec VPN configured with No internal Access:
LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
running-conf --- Working normal Client to Site VPN without internet access/split tunnel:
ASA Version 8.2(1)
!
hostname ciscoasa
[ code ].......
Neither Adding dynamic NAT for 192.168.150.0/24 on outside interface works, nor does the sysopt connection permit-vpn works
What needs to be done here, to hairpin all the traffic to internet coming from VPN Clients. That is I need clients connected via VPN tunnel, when connected to internet, should have their IP's Nattered against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16).
Is It possible to hairpin clientless SSLVPN connections (ASA5510)? I'd like to create a portal that allows a user to log into the central clientless webpage and access RDP/VNC resources at remote sites connected via site-to-site VPN. Initial testing shows the user can access resources at the hub site, but not the spokes. I have the standard:
same-security-traffic permit inter-interfacesame-security-traffic permit intra-interface
...entered on the ASA.
In 3750 switch,I have configured intervlan routing.I have three vlans Vlan 10,vlan 20,Vlan 30 and I have assigned IP address for that Vlan.In vlan 10,I have connected one systen gigabitethernet 0/1 interface.From my system I am able to ping vlan 10 ip address but I can't able to ping other vlan ip address (vlan 20,vlan 30).Is it possible to up the protocol for all that time.
View 2 Replies View RelatedI've one Cisco 3750G-12S with ip routing enable, the swtich is with IP Service firmware, with PRR support.Currently set my default static route 0.0.0.0 0.0.0.0 10.1.18.71 to my Firewall A Currently all of the VLAN for will be routed to 10.1.18.71
I've created a new VLAN 2 for my 10.1.2.0/24 network with the VLAN interface 2 ip address 10.1.2.10, my intention is to route 10.1.2.0/24 traffic to my 10.1.2.1 by creating the access list and route-map.
I've configure my test pc with a static ip and my gateway pointing to 10.1.2.10 (VLAN 2 gateway) , i'm not able to route to 10.1.2.1.
Why does mine show this and NOT all 4 ports and 1 wan port?
Manases#sh verCisco Internetwork Operating System SoftwareIOS (tm) C831 Software (C831-K9O3SY6-M), Version 12.3(2)XA7 [code]...
How do I make it show all my ports? when I plug in something to port 1-4 it shows me on the log that I plug in to e0. I got port1-4 and 1 wan port.
I was recently given a PIX 501 router. I am very new to the world of Cisco, but want to learn. I got a few things setup on the router but, am not sure how to get it to use my DSL connection. My DSL modem IP is 192.168.2.1. Below is my router config. What more do I need to do? Also, is the outside IP not the IP of the DSL modem?
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
[Code]...
i have the asa5505. the configuration of asa 5505 is:
: Saved
Code...
i analyzed this traffic i see problem with the nat- Asymmetric NAT rules matched for forward and reverse flows. where i made error?
how to backup the configuration of ACS 5.3 then restore it on the secondary ACS 5.3 Appliance in order to save time without configure the 2nd Appliance?
View 1 Replies View Relatedi have linksys modem which already running for differents vlans i cerated another different vlans 10 amd 20 for 10 and 20 i need internet how should i configure internet on another core switch3750
View 0 Replies View RelatedI have been using a Cisco 877 to connect to BT broadband and it was working fantastically with no issues. For reasons outwith my control we have moved to 02 and I cannot get the cisco router to connect (the supplied router works fine). O2 support is limited as they say they will not assist in the config of third party routers but they have supplied the below (the line has a static IP). I have also included my current config which was working fine with BT. I have attempted to write in the updated info but have been unable to get the line to connect. [code]
View 6 Replies View Relatedi have a router 2921 with the aproprieted voice card for E1 and licenses. I would like to know how to configure it for incoming and outgoing calls. I already configured the ephone and SIP phones for internal calls. now i just need to configure it for send and receive external calls.
Router:
IOS: c2900-universalk9-mz.SPA.153-1.T
CME: 9.1
ISP from Brazil:
type: E1
signal: R2 Digital
Channels: 32
Phone Number Iniital: XXXX-9250 (main)
ephones-dn numbers: 9250 to 9280
Any configuration example to build a vpc b/w 5ks and 7ks? i have total 4 links between them . If not, I am assuming to have the following config for the port-channels:- (Provided the vpc domain is configured).
N5k1 and 2:
int eth1/10-11
channel-group 10 mode active
switchport mode trunk
int po10
switchport mode trunk
switchport trunk allowed vlan a-d
[code]....
So, its basically vpc 10 that has 4 physical links b/w the vpc domain of 7ks and vpc domain of 5ks.
I'm currently trying to get up to speed on a 1941W ISR. I belive i have most of the configuration correct based on reading the documents on this site. However, i'm noticing that my lan to lan network performance is very slow. Peaking out about 3mbs. I was reading some documentation that suggested MGF (MultiGigabit Fabric) might resolve this problem.
I have a basic setup in my test environment trying to emulate a branch deployment. 1941W connected to a access switch (3400).
- I'm getting slow perfomance (thoughput) between the vlans 66,30,10. Will MGF fix this problem? How do i configure it?
Building configuration...
Current configuration : 7474 bytes
!
! Last configuration change at 09:26:04 PCTime Fri Dec 28 2012 by xxx
! NVRAM config last updated at 09:26:05 PCTime Fri Dec 28 2012 by xxx
[Code]......
We recently switched a faulty N5548UP with a replacement and everything went fine, with the exception of one minor thing.
We're currently unable to authenticate using tacacs+.
When trying to enter the command 'aaa authentication login default group [groupname]', the following msg appears: too big pss key or value size could not update aaa configuration
We're running 5.0(3)N2(2b).
I currently work in the IT field part-time as a end-user support technician while I am finishing my Bachelor's Degree in Network Administration. I'm not completely new to networking at this point, but I am by no means a master of it either. The basics of small networks (less than 10 PCs) and the lower-end of small business grade Cisco equipment are not unfamiliar to me. Up until this point however, I have had very little experience with any higher-end Cisco networking equipment.
Now on to the questions, which may seem like the answers should be obvious, but let's face it, I do not have the resources to own much equipment myself at this time for experimentation purposes, nor does the school I am attending have a lot of financial resources to provide us with recent hardware to learn on. What I want to know are a few things about PoE as implemented on Cisco devices, specifically the SG200-50P small business series switch. According to the technical documentation, the switch supports PoE on 24 of its 48 ports, specifically 1 - 12 and 24 - 36; simple enough. The switch is currently installed in an office that has less than 24 connected devices, but that is currently expanding. None of the PoE ports are utilized as of yet, but going forward, there will be more than 24 connected devices. Will another switch need to be installed if the additional connected devices (PCs and printers) are not using PoE, or is the PoE an auto-sensing feature that will simply remain disabled if a device that does not require power over the network cable is connected? Is there some setting that needs to be changed through the management interface to keep devices that should not be drawing power from doing so?
There will likely be some additional questions generated by my inquiry, and I fully understand if these are completely novice questions, but I admittedly do not know the answer. When I Googled it, I was greeted by a few hundred thousand results, the first dozen or so pages of results all being for places to purchase this particular type of switch, so I thought I would try my luck on the forums of the place that made it.
On a recommendation from a network engineer, I got a used Cisco 891. Having worked with small business routers most of my working life, I thought this should not be a problem. However, I had no clue these things used a console and command line to initialize. I have the console cable, am able to console into the device, but am haphazardly issuing command lines straight out of the PDF manual but cannot get Cisco CP to discover the device.
From what I can tell, I am stuck at the point where the manual tells me to enable http server. I ran the command lines several times, executed write mem where available, but when I run the show services command, http is not enabled.
And if you do refere to command lines, I was reading some other forums and they were speaking of "run this command, run that command" but I could not make out the correct syntax, in what mode, whether it be config or config t, etc. So I might need a wee bit of handholding.
I'm hoping that once I can get Cisco CP or CPE to discover the device, I can make my way through the GUI to configure since those usually do make sense to me. As of now, I'm in the thick of it ...
I am trying to configure a 891 W to basically provide DNS from my ISP to my internal clients on the 891 W. Currently when I am on a PC I can see that I receive my IP information along with the correct ISP DNS IPs. However when I try to connect or resolve a URL it fails. Nor can I perform an ns lookup from the cli of the 891 W. I seem to be having a translation issue with DNS.
View 2 Replies View RelatedI am trying to configure Cisco SG300-52 switch for the first time and stuck without CLI configuration option. The configuration can be done using GUI, however, configuring using CLI would be more comfortable (as I am used to work with CLI of other Cisco switches)..
I was able to lo gin to switch using SSH, but the CLI appears in MENU format and was not able to find any way to go to CLI mode.
As per some blogs, in SG300 switches CLI mode can be accessed using Ctrl + Z in Menu, which did not work either in my case.
Switch is running with latest firmware version Sx300 Firmware Version 1.2.7.76.
I have a headquarters office that has recently bought a new voice system.
We have a site to site connection from the head office to 3 remote offices. All have ASA5505 firewall.
I have created 2 interface on the ASA5505: 1: inside with vlan1 and switch port port12: voice with vlan100 and switch port port2
Port1 on the asa goes to port 23 on the switch for vlan data
Port2 on the asa goes to port 24 on the switch for vlan voice
Port23 is member of vlan1 data
I added vlan100 to port 24 but by default vlan1 is member and i can't remove it. Its greyed out
All ports on the switch are member of vlan1 and vlan 100 because the port on the switch goes to the phone and from the phone there is a port that goes to the PC. Phones are getting addresses, and PC as well.
I am having a kind of loop because there is 2 exit for vlan1 (port 23 and 24) and that's slowing down my system and sometime i loose the connectivity to my servers.
When i do a show arp on my asa, i do see that some IP are beeing learned on the wrong interface. some PC addresses 192... are on the voice and some voice IP 10.10... are on the inside.
I am pretty sure that the problem comes from my switch configuration.
I've goggled and searched here, and I can't seem to find what I'm looking for. I need to make a couple changes to a clients Cisco 800 series router, enable ping replies add ip addresses to the ssh ACL.I can't seem to find any basic commands for CLI anywhere.
View 2 Replies View RelatedI have a Cisco 850 router that whas having problems getting an ip address via DHCP. I did some stuff on it but that didn't work, so I rebooted the router to go back to my last saved startup config. When I turned it back on and connected t othe CLI console I got the "Would you like to enter the initial configuration dialogue?" message. Thinikng I just forgot to save anything to the startup config I went through the initial set up again and made sure to save everything to the startup config. After going through the intial config and setting up a vlan to assign DHCP to clients I saved the config and rebooted, upon reboot and connecting to the CLI console I got the same "Would you like to enter the initial configuration dialogue?" message. Tryign the setup once more and making sure everything was saved to startup config I rebooted again just to make sure the changes would stick, and sure enough they didn't. Whay is the config not saving to the startup config?
View 3 Replies View RelatedI'm looking to do a basic QOS configuration which states that VOIP traffic has priority over anything else.
View 3 Replies View Related.If the fex is physically disconnected from 5K, Should the fex config be retained or lost?I have a 2148t fex which was single homed to a 5K.The Fex was physically disconnected from 5K, but its logical configuration is still present on port channel and physical interface.when I do show fex XXX , it says not found and no fex information is available I have not tried connecting the fex back to 5K to see if the fex config is retained.
View 1 Replies View RelatedI am just going to deploy some new 4900Ms for a customer. Want to know if configuring management for 4900 (everything like NTP, AAA, SNMP , DNS ) is doable through management interface in management VRF and there are no caveats to be aware of.
View 1 Replies View RelatedI have one switch 3750G12S I joined the company new, I found that they want to replace it with Alcatel stack switches. I didnt configure this Cisco switch before. how to configure it. I have 4 other new cisco switches in the topology which is not created yet. the 4 switches are all 2960.
View 17 Replies View RelatedAt a college we have Ciscos 2960 and are trying to setup VLAN tagging and also using RST or MST. The traffic on the jack should get tagged vlan 248.We were told by the college that Ciscos in the labs will not work with the Alcatel switch that provides access to the lab. That Alcatel is in Bridge 1x1 mode. The college will not change the configuration on the Alcatel.We got the Ciscos to do VLAN tagging and can get network access. However the spanning- tree is not read properly. Cisco does not properly read the Alcatel's RSTP (since the Alcatel is doing tagging on the BPDUs). It places the root of the spanning tree under vlan1 instead of vlan248.
The college strongly recommends HP Procurves and we are using that as test.The following is the configuration on the HP and it works with no effort (it reads the spanning-tree information as MST)We will end up getting HPs instead, if the Cisco cannot work with the Alcatels.
Recently I'm working with my client to setup their network and he want me to limit user access internet bandwidth to 2 Mbps and the topology show below.Users ---> Switch ---> NAT Router ---> (int gi1/0/24 - qos apply) Edge Switch ---> INTERNET ROUTER (12Mbps) --->> INTERNET,This is my configuration, but it doesn't work, the end user still able to get more than 2Mbps internet speed.Access-list 100 permit ip any any dscp default,class-map match-all QoS_Floor_Limit, match access-group 100.
View 1 Replies View Relatedtry to configure QoS on a Cisco Small Business SG300 Switch. I followed the instruction on [URL] and configured one Port for tagging my Traffic from a Aastra IP Phone. Tagging works fine (i verified with wireshark).The problem is, that all traffic to a PC connected directly to the Aastra IP Phone is blocked. Is there a possibility to tag any other traffic to the port as a default?
View 1 Replies View Related