I've just started a CCNA course and my lack of knowledge has me a bit stuck. My network is comprised of Cisco components and I'm semi familiar with them just from reading and looking through options. I currently am using a Cisco ASA 5520 on my network and I am trying to join another network via one of the interfaces. My network is 192.168.0.0 255.255.0.0 and my inside interface is 192.168.1.1 255.255.0.0. I enabled a second interface using a static ip of 10.0.0.1 with a subnet of 255.255.255.128. Connected to that interface, I have a Fortigate firewall at 10.0.0.2 255.255.255.128. I can ping just fine from the Fortigate network to the 10.0.0.1 interface on the Cisco ASA 5520 network, but I can not ping the 10.0.0.1 interface (or anything past it) on the ASA 5520 from any computer on the Cisco network. I've read that ACL's and NAT have to be done as well as enabling traffic between interfaces with the same security levels. (both interfaces have security levels of 100 and the option is checked to allow traffic).
Note: each network has it's own internet connection. The connection is to share information on servers on both networks with each other.
I have installed asa 5520 , software ver is 8.4,I have SSM-20 installed in asa 5520. How to pass traffic through this ssm-20 ,how to create sensors,how to update signatures of this IPS module ,is there any procedure to automatically update the signatures .
Just setup a site to site vpn between 2 ASA 5520 Firewalls in two locations but vpn doesn't work even though i see phase 2 completed on the logs. I can't ping across the LANs.
Our ASA 5520 firewall is running 8.0(4) IOS.I have an internal L2L VPN terminating on my firewall (from an internal remote site) on ENG interface.With the default "sysopt connection permit-vpn" command enabled, VPN traffic is allowed to bypass the ENG interface acl.The security level on the ENG interface is set at 50.The security level on the destination interface PRODUCTION is set at 40.Inbound VPN traffic bypasses ENG interface acl and since higher-to-lower security level allows VPN traffic to flow freely from ENG to PRODUCTION, it seems the only place to check/filter VPN traffic is an ACL placed on the PRODCTTION interface and set at INBOUND (outbound VPN traffic).
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
I'm having some trouble getting my head round the following but I think it's routing related?
I have a Cisco 3750 switch with the following configured:
interface Vlan1 ip address 192.168.0.223 255.255.254.0 no ip route-cache
[Code].....
The 3750 is connected to a firewall which handles the routing. From the 3750 I can only ping remote networks from the vlan1 interface not from vlan6,8 or 10 i.e ping 10.34.37.101 (remote network) source 192.168.0.223 (vlan1) works but ping 10.34.37.101 source 10.74.10.1 (vlan10) does not? I can ping 10.34.37.101 from computers on the various vlans but not from the 3750 it self.
I looked at setting a default gateway for the various vlan interfaces
I have an ASA that houses 11 VLANs, and I am trying to add a 12th.One of the VLANs is for PCs that have internet only access.The new VLAN will be similar, but for multifunction printers only.VLAN 99 is for internet only and works fine, I can ping the gateway of 10.99.3.33 from any PC in that VLAN.I am creating VLAN 98, modeling it after VLAN 99, and I cannot get a PC in the vlan to ping the gateway of10.98.3.17.Both switch and ASA show the new VLAN 98 as UP, switchport is UP/UP.I have deleted and recreated VLAN 98 a few times, but I cannot get a PC VLAN 98 connectivity.Once it is working on the core switch, I will add it to the trunk to the IDS switches. VTP is not in use, everything is manual. [code]
We have an ASA 5520 which is in multiple context mode. We are trying to pass traffic from the outside interface to the dmz interface. We have a /27 public ip range. We need a small amount of those addresses to be in the DMZ for SIP servers specifically. The rest of the addresses are NAT'd to the inside interface.So i created the outside interface GigabitEthernet0/0 with 1.2.3.192/28 Inside Interface GigabitEthernet0/2 with 192.168.20.0/24 DMZ interface on GigabitEthernet0/2.1 with 1.2.3.208/29 So all i want to do is route traffic that comes in the outside interface and out to the DMZ interface for the 1.2.3.208/29 subnet. I set the gateway address as 1.2.3.214 which is the DMZ interface address on the ASA.
I have the security levels for both set to 50 and in the ASDM I have checked off "Enable traffic between two or more interfaces which are configured with same security levels"
But now the need has arisen that we allow each subnet to be routable to each other for SMTP traffic, how can I accomplish this?
How to configure traffic flow between computers inside VLANs and a routed port? Here is the setup details:
1. Switch 3750-X 2. VLAN 100 - ( SVI IP address 192.168.100.1 /24) 3. VLAN 200 - ( SVI IP address 192.168.200.1 /24) 4. routed port gi1/0/48 (IP address 192.168.150.1 /24). Note: this port is directly connected to a firewall ASA 5520 port IP 192.168.150.100 /24
Ip routing is enabled on the switch and inter vlan traffic is flowing ok. I can ping the routed port gi1/0/48 from any computer connected in the VLAN 100 or 200. For example computer with IP 192.168.100.25 can ping the routed port 192.168.150.1. Switch can ping firewall port 192.168.150.100 and the 'sh ip route' command shows the network 192.168.150.0 /24 as directly connected network.
any computer in the two VLANs CANNOT ping firewall ASA port 192.168.150.100 Is it because inter VLAN routing does not work with a routed port on L3 switch? I looked up fallback bridging, but it is meant for non IP traffic.The goal is I am trying to set the ASA port as an internet gateway for VLANs.
I would like to ask a question about the setup that I'm trying to implement.I've got two WICs, 3G and LTE, in the router, one has its static IP address using 3G network, and another one has negotiated IP address using LTE network.There is no physical circuit/connection coming in to this place.Let say 3G network is (A.A.A.A|Cellular 0/0/0), and LTE network is (Negotiated IP|Cellular 0/1/0).There are two different network coming to the router. Let say they are 10.1.1.0/24, and 10.1.2.0/24,I want to route 10.1.1.0/24 traffic using 3G Network A.A.A.A Cell0/0/0,and route 10.1.2.0/24 traffic using LTE network, Negotiated IP Cell0/1/0. We're talking about only the default routes here.
We currently installed a 100Mbps fiber line with Ethernet hand-off. I purchased a Cisco 3925 ISR to be the gateway for this connection. I am not going to use it for any security purposes. I have an ASA5520 that will do that work. Right now I am currently just trying to get the router online.
I know the following
Laptop <--->GB 0/1((()))GB0/0<---->Ethern et handoff from ISP.
I can ping and SSH to the outside interface of the router from outside the network. I can also ping and SSH to the router from the laptop that is directly attached to the routers GB0/1 port. From the Router's CLI I can ping IP addresses on the internet. From the laptop I can not. I can not access the internet through the router though. Here is my config.Building configuration...
Current configuration : 3724 bytes!! Last configuration change at 02:17:03 UTC Tue Jan 15 2013 by ggsis! NVRAM config last updated at 02:09:33 UTC Tue Jan 15 2013 by ggsis! NVRAM config last updated at 02:09:33 UTC Tue Jan 15 2013 by ggsisversion 15.1service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname XXXNAMEXXX!boot-start-markerboot-end-marker!!logging buffered 51200 warningsenable secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX!no aaa new-modelmemory-size iomem 20!no ipv6 cefip source-routeip cef!!!!!no ip domain lookupip domain name XXXXXXXXXXXXXXDomainXXXXXXXXXXXmultilink bundle-name authenticated!!crypto pki token default removal timeout 0!crypto pki trustpoint TP-self-signed-XXXXXXXXXXXXXXXXenrollment selfsignedsubject-name cn=IOS-Self-Signed-Certificate-XXXXXXXXXXXXXrevocation-check nonersakeypair TP-self-signed-XXXXXXXXXXXXXX!!crypto pki certificate chain TP-self-signed-XXXXXXXXXXXXXXcertificate self-signed
I would like to passthrough ICMP 8 (ping) requests through the DIR-655 to my server. I found where to allow the router to respond to ICMP 8 requests, however, I do not want the router to responder, rather the server itself. Is there a way to pass these requests through to the server?
A former coworker of mine setup VPN capabilities to our office network shortly before he left. It is no longer working. We can connect to VPN but I'm not able to ping any devices on the remote network or Remote Desktop to any of the server. After 30 minutes, the VPN connection drops. I have attached our ASA 5505 config to assist in troubleshooting.
I can telnet to the router and ping places on the inside and outside. However when I connect a laptop to the inside interface I can ping to the outside for a bit but can't open a web page and then connectivity is gone all together. At first I thought it was a NAT issue but I know I am good on that front. I have attempted to change the speeds and duplex settings on the outside interface but it does not seem to work. Again if I take the cable from the outside interface and plug it into a laptop it works fine. The thing that makes me wonder is why can I connect to the outside interface and configure it just fine?
I used the GUI configuration tool for this ASA 5505. When I install it no traffic passes. I am wondering to verify my config. I have masked the usernames for VPN with xxxxxx and yyyyyy. [code]
A PC connected to a Cisco 877 router and 877 router is connected to another router (7301) via GRE tunnel,Cisco 7301 router is a NAS server and is being used as a PPPOE server.If user create a PPPOE connection on his computer and dial with a username/pass we want to send the PPPOE traffic to 7301 router, so 877 router should pass the PPPOE traffic to 7301 and user will be able to connect,User -> 877 -> 7301(PPPOE server).
I am trying to setup my very first ASA5505 and I cannot get it to pass traffic from the inside to the outside. I am not using NAT/PAT. Here is what I have done so far.
ASA5505(config)# interface Vlan 1ASA5505(config-if)# nameif insideASA5505(config-if)# security-level 100ASA5505(config-if)# ip address 33.46.132.34 255.255.255.248ASA5505(config-if)# no shut
[Code]....
Then from the asdm I permited everything from inside to go out but I cannot get any traffic through. I can ping the outside if I source the outside interface but not if I source the inside. The logs would not show me anything.
I did a packet tracer and it indicates the implicit deny rule at the end of the access-list is stopping my traffic eventhough I have allow rules above it?
I also checked the box in the asdm to allow traffic to pass without NAT
i read cisco document:[URL] pptp client is in inside,pptp server is in outside.when i donot use firewall, the pptp connection can establish successfully.but use pix 525 7.0(7) i config:
inspect pptp. pptp connection cannot setup. show connection in pix: pptp tcp 1723 is ok.
gre connection only one "E" flag, E means 'outside back connection'.i try second method:delete 'inspect pptp',permit tcp 1723 and gre traffic from outside to inside, and i have config static nat,but the pptp connection cannot work too.so i think there is a pptp bug exist in pix 7.0(7).
WAN1 <-> LAN traffic WAN2 <-> LAN traffic WAN1 <-> WAN2 traffic?
Say, it is set DISABLED, what is / isn't blocked?
It reads: Multicast Pass Through IP Multicasting occurs when a single data transmission is sent to multiple recipients at the same time. Using this feature, the Router allows IP multicast packets to be forwarded to the appropriate computers.
I am trying to use a ASA 5510 with AnyConnect as an in-line SSL VPN device. I have a separate firewall that NAT's 443 to the inside IP of the ASA, which is the only configured interface on the ASA. I can connect to the ASA from the WAN just fine and the AnyConnect client connects just fine, I get an IP lease across the VPN on my LAN, all looks well. The problem is that I cannot pass any traffic. The only device on my LAN that I can ping is the ASA, nothing else including the default gateway is accessibe. I have setup a static route on the ASA pointing 0.0.0.0 0.0.0.0 to the LAN gateway, but no dice.
We have an issue where by we connect to various customers and the Cisco IPSEC remote access works fine from our LAN through an ASA5505 to a customer site.We have 1 customer that we have some issues with. We can connect from the LAN through to the customers VPN, authenticate and establish a tunnel but in we cannot pass traffic. When we try from outside of the office on a public internet connection the VPN works fine. What could cause this issue?
I have a 7206 VXR router between a several Mikrotik routers on our backbone. We have the Mikrotiks on both sides of the CIsco 7206VXR setup for MPLS/VPLS. I need to simply setup the 7206 to pass the MPLS/VPLS tagged packets to the next router on the link. We are using OSPF as the routing protocol. I am told by our Mikrotik guy that I just need to enable LDP and VPLS tunnels 4:0 on the 2 gig interfaces on the 7206VXR to let it pass the MPLS/VPLS traffic. It sounds simple but I'm not sure how to do this.
Any commands I need to imput to allow this router to pass this MPLS/VPLS traffic.
we have a Cisco 3825 router which does not work well with a DSL modem(ISP provided). I have configured the Gi0/0 port of the router to plug into this DSL modem but it does not ping to the ISP gateway. If we do a shut/no shut on the interface then it work fine for about 30 secs. Sometimes even for 1 hr. Then the packets drop and we cannot pass any traffic through this interface.
Now, if the ISP connection is terminated on a computer it works fine. It works fine without dropping any packet.I have tried various options like using a straight/cross cable. I have tried to configure the interface negotiation for 100/full, 100/half, auto/auto and almost all the options.I have also tried to interconnect the devices using a L2 device like a HUB. Nothing works.
I recently upgraded from a Cisco 3900 series router to a Cisco ASR1k router. Since the upgrade, I have internal clients who claim they cannot connect to external VPNs. These internal clients are behind a NAT that routes a public IP address to a group of clients with private IP addresses.
How can I ensure that all VPN traffic is able to pass through the NAT?
[OK] Site to Site IPSec + GRE = success, no problems. [OK] IPSec remote access = success, no problems. [NO] SSL VPN = remote users can successfully connect to all internal systems. Cannot pass traffic to the Internet.
Hardware: Cisco 2811, Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(22)T5, RELEASE SOFTWARE (fc3) . Software: Cisco Any Connect Secure Mobility Version 3.1.01065
Single hub router terminating IPSec+GRE site to site, IPSec remote access, and SSLVPN remote access VPN services. All services currently configured and running successfully with the exception of the SSLVPN service. Remote users can initiate and successfully establish SSL VPN sessions. While established, connectivity to all internal systems/resources are successful. Only when the remote access client tries to connect to "Outside" Internet resources does traffic not pass successfully. Troubleshooting has pointed to a NAT related issue (I believe).
When connecting from a remote access workstation, utilizing IPSec remote access client (built-in Cisco IPSec client from Mac OS), the session establishes and the client works flawlessly. Examining the Cisco 2811 router, you see the /32 host route from the remote access session get installed, and you see the corresponding NAT translation entries created when the client accesses outside (Internet) resources. Appropriate configuration to implement "hair pinning" have been included to handle the in and right back out (with NAT translation) needed for remote clients to access the Internet.
Configured the 2811 for SSL VPN, and remote access clients can successfully connect and access all internal network resources. Examining the Cisco 2811, the /32 host route for the remote access client is installed, pointing to SSLVPN-VIF0 interface with a next hop of 0.0.0.0 When checking the NAT translation table, there are NO entries for the remote access client address created which leads me to believe the hair pinning/NAT function is not being invoked for SSLVPN clients.
Originally, the IPSec remote access VPN local pool was 10.0.100.0 /24. To keep from having to adjust the existing NAT translation, PBR Route-MAP for the hair pinning function - I took the 10.0.100./24 and broke it into a pair of /25 networks. Bottom half for the IPSec remote access VPN pool (10.0.100.0 /25); upper half for the SSL VPN pool (10.0.100.128 /25). By utilizing SSL VPN, is the traffic somehow bypassing the DIALER1 interface where both the crypto map (and more importantly: IP NAT OUTSIDE, and PBR configuration for the hair pinning function)? I cant explain why NAT translation entries are not being created for SSLVPN client sessions.
Cisco 2811 Configuration has been included. IPSec & SSL VPN Remote Access Sessions Captures (performed from same remote client) have been included.
We are attempting to setup RRAS on Windows 2008R2 using L2TP. Server is on the inside of the network at 10.10.10.20 our ASA is 10.10.10.1 its outside interface is 68.0.0.0.3/28.
I set a static NAT rule to allow all traffic pointed at 68.0.0.4 to be directed to 10.10.10.20 and have ACLs allowing the following. esp, ah, udp/500, udp/4500, udp/1701
Mac Clients have no issues with but windows clients seem to hang and never connect. I know the ASA configuration is somehow to blame, if I attempt to connect to LAN IP (10.10.10.20) from withn the same network every thing works fine (making sure all the Windows Issues are covered).We have 2 other IPSEC tunnels established to teh ASA from our COLO and a Satalite office, not sure if this makes it any harder.
due to upcoming changes to our network I'd like to be able to pass vlans across the FE ports of a Cisco 1841 router.1 port would go to a managed switch and then to local devices on different VLANs.the 2nd port would go upstream to a Cisco 3825 at a different location which would then connect to the internet.due to monitoring behind the Cisco3825 we would like all NAT to occur on the 3825.
what I would like to happen is this example device connected to port 7 on managed switch gets an IP (10.0.7.10) from the Cisco 1841 in VLAN 7 (10.0.7.0/24).traffic from that device goes to the switch, then in f0/1 on the 1841 and out f0/0 still with the same IP info, no NAT occuring.traffic is received on the 3825 port 0/1 and then NAT occurs and out port 0/0 to the internet.
|_voip PBX___|-----|__3650___|------fiber-------------|__3650_____|------|_voipphone__| I have a case where voipphone is registered on the voippbx but peaple on both end can't hear each other . No ACL on both 3650 , no firewalls between them , distance is about 2 miles . I tried to make telnet x.x.x.x 1720 or 1719 or 1721 (h323 ports) to opposite switch -connection refused . How can test if ports are open on the 3650 ? Is it coorect If I create allowing acl and apply it on both 3650 on the interfaces connected one switch to voippbx "IN" , second switch on the interf connected to voipphone "IN" ?
I have a new 3560G to set up a small network for a remote site. I configured the vlan and an SVI as the gateway. The switch is also the DHCP server for the LAN. I configured Gi0/2 as L3 port, connecting to the nearest neighbor. My network runs EIGRP so i advertised the routes into the EIGRP process. The switch forms EIGRP neighbors and learns all routes in the enterprise network. The problems I'm having now are: 1. The switch learns all routes in my enterprise LAN and can ping devices in the enterprise LAN, but I can’t ping any interface on the switch from the enterprise LAN. 2.
