Cisco Switching/Routing :: Firewall On 1921 K9 Blocking UDP Traffic?
Apr 18, 2012
I have a 1921 K9 with a 4 port 10/100/1000 EHWIC switch.
Interface 0/1 = 192.168.1.0
EHWIC = 192.168.5.0
I have Active Directory setup on the 192.168.1.0 network. When I attempt to join the domain from 192.168.5.0 it joins but I get errors. After some troubleshooting using portqry I have found that the services related to class map DomainTrafficUDP are being reported by portqry as being filtered regardless of policy map settings (currently set to allow).
Building configuration...
Current configuration : 18833 bytes
!
! Last configuration change at 11:20:25 NewYork Thu Apr 19 2012 by dave
! NVRAM config last updated at 13:56:45 NewYork Wed Apr 18 2012 by dave
!
[Code].....
View 2 Replies
ADVERTISEMENT
Apr 19, 2012
I have a 1921 k9 router that has several DHCP pools configured. Before implementing the firewall they were all working. After implementing it they stopped working. I messed around and got the routed port GE0/1 handing out IP addresses and left it alone. Somehow it quit handing out IP addresses yesterday.I dont know if its a quick fix or not (getting DHCP working on the interfaces) but if any article that will walk me through getting DHCP working on all of the interfaces. [code]
View 10 Replies
View Related
Sep 24, 2012
I inherited a Cisco ASA 5505 and am trying to piggy back the device off of an established Network. Here is the basic layout:
192.168.10.1 (Core Router - Handles DHCP/DNS)
192.168.10.9 (ASA 5505 - Piggy backing off of Network)
192.168.40.x (ASA 5505 - VLAN)
I'm able to get onto the Internet without any problems. Devices from the 192.168.10x Network can not ping the inside VLAN1 (192.168.40.x). However, I would like traffic going from the inside VLAN to the Outside VLAN to be blocked, except for 192.168.10.1 and 192.168.10.9. I've tried using ACL's but end up killing my Internet connection. 192.168.10.1 is the default route and is how I get out to the Internet. Is this possible? Essentially, I'm trying to set up a small Network that guests can connect to. The idea is that they can get to the Internet, but that is it. They can't get to internal resources on the 192.168.10.x Network
Here is the config:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password EeCsulrpu.9LalEE encrypted
[Code].....
View 5 Replies
View Related
Oct 5, 2012
We want to puchase new Cisco ISR 1921/K9 . i want to know does it support the following sample IP-SLA commands
ip sla 2icmp-echo 172.16.1.2timeout 500frequency 1ip sla schedule 2 life forever start-time now
track 10 rtr 1 reachability
delay down 1 up 1
!
track 20 rtr 2 reachability
delay down 1 up 1
ip route 0.0.0.0 0.0.0.0 192.168.1.2 track 10ip route 0.0.0.0 0.0.0.0 172.16.1.2 track 20
Im asking above question because we will need to enable ip-sla on the mentioned router. as i read on the cisco webside, it says Cisco-ISR-1921/K9-IP Base support only IP-SLA RESPONDER feature nothing else. If Cisco-921/K9 does not support the above commands , should i go for ordering Cisco-1921-SEC/K9 ?
View 4 Replies
View Related
Feb 26, 2013
We purchased a cisco 1921 router to replace a software firwall not long ago. The router was sold as a firewall with the suggestion that an ASA would be unnecessary.Unfortunately a router does not replace/do the jobs a firewall does, so I looked online and noticed that Cisco do offer firweall security features in one of their IOS.How do I tell if this is implemented on my router?If not, does my IOS support this, or do I need to buy an extension/another version of the IOS?,The version of the IOS I have is: c1900-universalk9-mz.SPA.151-4.M4.bin.
View 3 Replies
View Related
Feb 15, 2013
networking but can understand with a bit of explanation.. I own a restaurant and provide free WiFi for my customers with a Cisco E2500, I am gettign bills that are through the roof, I contacted my ISP and was told users were accessing P2P downloads(uTorrent, etc.). How can I block these applications?
View 1 Replies
View Related
Oct 14, 2012
I have a LAN with several linux boxes (Fedora 17, both 32 and 64 bits), as well a a WInXP box. All of these are connected to the same switch, which is connected to the inside port of my PIX 515.
For a few sites (mozilla.org happens to be one of them), for http access, the tcp connection is established, but the "GET" request - or anything else for that matter - will not go through the PIX (from inside to wan). I have verified this by first, using wireshark to watch the packets being sent out from the client box, then by using the trace function in the PIX to see that the packets ARE arriving at the inside interface, but ARE NOT sent out of the wan interface.
This is for the linux boxes ONLY. When I do the same thing with my WinXP box, all works: in the PIX trace, I see the packets arrive at the inside interface, and leave the wan interace. And access to these sites are okay.
(What's a bit weird, although somewhat expected, when I connect my android phone to my LAN via WiFi, it too is unable to reach those sites - but then again, android is linux, right?)
In addition to the tracing, I have narrowed this problem down by connecting a linux box directly to my DSL router, then replacing the PIX with a simple router/gateway. Both of those solutions work.
Some background:
I have been using this PIX for about 10 years now, with the same configuration (except IP addresses). Only in the last several months has this problem started to show up.
I got this pix from a dead company at a really great price (free), so I'd like to keep it, and not have to spend money on something else. I don't have any support license, and have not been able to get any software upgrades. Here is its version info:
taz(config)# sho ver
Cisco PIX Firewall Version 6.2(2)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Fri 07-Jun-02 17:49 by (code)
Serial Number: 405200362 (0x1826ddea)
Running Activation Key: 0x38ac31f3 0x0630df47 0x9a77b805 0x8bc39a60
PS: Since this PIX is at its end of life, I was wondering if any of the software upgrades would be now available without a license?
View 2 Replies
View Related
Apr 22, 2013
OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.
View 5 Replies
View Related
Oct 25, 2012
I have a cisco ASA5505, it runs a wide site to site VPN network and has 4 servers connected to it
10.50.15.4 > fileserver
10.50.15.5 > domain controller (exchange)
10.50.15.6 > terminal server
10.50.15.7 > terminal server
Now yesterday i removed 10.50.15.6 and replaced it with a new terminal server with the same ip address, ever since the ASA is blocking traffic between it and the domain controller (example)
2Oct 27 201214:51:0510600710.50.15.655978DNSDeny inbound UDP from 10.50.15.6/55978 to 10.50.15.5/53 due to DNS Query What has me baffled is the only thing different between today and yesterday is the new server is windows server 2008 and the old one was windows server 2003. The new server has the same LAN ip address as the old one to make the changeover seamless for the users.
why all the sudden my ASA has decided to block the traffic between those machines? all the other machines can talk to it fine just not the domain controller, and seeing that this is a terminal server naturally you can see the problem i face!
this router has worked flawlessly for 2 years now without any config changes and i cant work out why its blocking traffic between those 2 machines.
View 15 Replies
View Related
Aug 21, 2011
I just made a move from a PIX 506 to an ASA 5540. I have a user that currently logs into a web portal and runs a job. It is now erroring out. When I run the test it gives me the following message:
Testing ports...
Port 1433: Failed
Port 1150: Success
Port 80: Success
Port 443: Success
One or more tests have failed
The computer we access this site from is on the inside network and the ACL says permit ip any any from the inside out so I am not sure why it is failing. Under the ASA Home screen I see the Top 10 Protected Servers under SYN Attack and it appears that the ASA thinks this is some sort of attack.
View 1 Replies
View Related
Apr 5, 2013
I have a RV110W that's been in service since Dec 2012. All Everything is working fine except every month or so the firewall starts blocking all inbound traffic. It does not respond to remote management access. If I reboot the firewall (pwr off/on) everything works correctly for the next month or so and then it begins blocking all inbound traffic again. Local access to the Internet and VPN tunneling are not affected. When it's working, all my rules and port forwarding work correctly.
View 2 Replies
View Related
Jan 7, 2012
Previous attempts to set up these NAT rules has been met with minimal success. We have been able to get the NAT rules created, and able to ping our inside servers and receivers from a different outside network, but every time we get that far our internal network crashes. Running the Packet Trace utility via the ASDM shows that internal traffic from the servers to the workstations is being blocked by the default implicit rule under the access rule heading that states "any to any, service being ip, action= deny". Reverse traffic from the workstations to the servers is being allowed though. In an effort to start over again, the Cisco ASA has been Factory Defaulted via the CLI, and has had it's Inside network, and Outside IP address set back up. DHCP pool has been setup for a minimal amount of addresses on the inside network, since most of our equipment will always be assigned statics. We reset our static NAT policies, and seem to be having the same problem. My partner and I have been working on this for some time now, and have ourselves so frustrated that I know we are missing something simple. [code]
View 10 Replies
View Related
Apr 2, 2012
My internet link is connected on Internet Router & below downwards Cisco ASA 5520 is connected.ASA is connected with core switch cisco 4510 on downwards. our web based mail [URL] is hosted outside.
Lets suppose ISP pool is 4.4.4.0/28.suppose owa server is Static natted on ASA with 4.4.4.4. my machine traffic is going to internet with same ISP with PAT on Cisco ASA & internet is working on my machine. if i want to access {URL} or ip base for mail access, its not working & also it is not pinging. i suppose to ASA is blocking for returning traffic.
is there any way to traffic will go via same Firewall & comeback on same firewall port?
View 1 Replies
View Related
Nov 26, 2012
I am attempting to block outbound traffic for a specific PC on my LAN using the ASDM.
View 2 Replies
View Related
Jan 23, 2013
I have the following config using a Cisco 1921. I am trying to get devices on the the native VLAN to get internet access via the gateway x.x.x.73.Any thing being routed from the other Vlans 15/20/30 can get access, but nothing from an internal IP address. Is there something I am missing.
The Xs replace the same 3 octets for each interface.I am trying to route from VLANs 15/20/30 to see VLAN 5. I have tried a few things, in terms of adding extra ip routes, but can't get anything to work. Each of those Vlans have another router on the other side of them, which I have also tried adding ip routes too, but nothing. One of the routers (Vlan15 is a Draytek 2830). [code]
View 5 Replies
View Related
Aug 1, 2012
I will be installing two Cisco 1921 Routers to connnect a T1 between two offices. We are changing out our current AdTran routers as we would like to bridge three VLAN's across the T1 link. I followed the instructions at (URL) shtml to the best of my ability and my two Gigabit Ethernet ports are tied into a bridged virtual interface (BVI1). I then assigned a IP to BVI1 and another to my Serial0/0/0 then made a route to get to the other side of the T1 and a defualt route out our proxy. What I want to do now is setup QoS to make sure my voice data gets priority.
I setup a QoS ACL called "Voice" with the TCP and UDP source and destination ports that our phone system uses. I then setup a QoS policy on the Serial0/0/0 outgoing interface called "VoiceTraffic" and under the "match" list I match DSCP 46 or my "Voice" access rule. For the action I turned on "Queuing" and set it up for LLQ at 50%. Does this sound about right? Is there anything els eI can setup? I tried ot setup something else on the ethernet side but because they have the BVI I can't. I read some article sin this forum that said I could still apply QoS to the GigabitEthernet ports even if they are in the bridge group but it doens't let me do that.
View 10 Replies
View Related
Jan 24, 2013
How do I set a password? new Cisco 2911 router, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4 ?
View 6 Replies
View Related
Apr 30, 2012
I am setting up a new 1921 for a public library and I am running into a problem and I bet I am missing something simple. All the internal stuff works and I can ping the outside IP on the 1921 but can't go any further to the internet. The 1921 has the 2 gig ethernet ports, 0/0 is connected to a DSL getting DHCP settings fine from the DSL modem. The other gig ethernet port 0/1 is running the inside network and its function fine, I have a server on it and other clients and they can ping and get dhcp settings etc.I've pasted the config output below and IP addresses of the main actors. [code]
View 1 Replies
View Related
Dec 18, 2012
How I can upgrade the iOS from CISCO 1921 ISR? Without losing my configurations.
View 3 Replies
View Related
Oct 5, 2012
I have already ordered a Cisco ISR 1921/K9. but as i read on Cisco website, it is written that Cisco 1921/K9 only support (IP SLA Responder) feature.
I don't know actually what is sla- responder. but our requirement is we will connect that Router 1921/K9 into 2-ISP links and i want to enable IP- SLA probes on that router so that it can track both the routes into those isp links. so my question is does CISCO 1921/K9 have the support for what i need ?How about Cisco 1921-SEC/K9 ?
View 1 Replies
View Related
Feb 23, 2011
I'm attempting to set up a Cisco 1921 router running IOS15, and am having trouble with the NAT - it might be that what I am attempting is not possible. The only traffic going across the router is UDP, and the outside of the network canot be changed.
View 1 Replies
View Related
Jul 9, 2011
I can telnet to the router and ping places on the inside and outside. However when I connect a laptop to the inside interface I can ping to the outside for a bit but can't open a web page and then connectivity is gone all together. At first I thought it was a NAT issue but I know I am good on that front. I have attempted to change the speeds and duplex settings on the outside interface but it does not seem to work. Again if I take the cable from the outside interface and plug it into a laptop it works fine. The thing that makes me wonder is why can I connect to the outside interface and configure it just fine?
View 4 Replies
View Related
Nov 20, 2012
I need to set up a L2 llink between my LAN and this 1921 router. I though IRB would do it but its not working yet. Here is the topology- I dont want to see another hop on this 1921 rtr so I hope I can just trunk it or something with IRB. Not working.
View 6 Replies
View Related
Mar 27, 2012
I have recently configured a cisco 1921 router for internal routing on my network. Here is what i am trying to accomplish:
Main network 10.65.1.0 mask 255.255.255.0- all office devies and computers.
Second network 10.65.2.0 mask 255.255.255.0 - All plant equipment machinery and production lines
i have configure gig 0/0 for my company network and gig 0/1 for my plant network. I can ping the router from both networks but am unable to route traffic betwenn them. what am i missing?
View 8 Replies
View Related
Dec 6, 2012
Im having some major issues with my new setup. I have a Cisco Router (1921ISR) that is connected to the internet through a t1. In addition to that is another cable modem. Each of these are connected to my firebox through an external interface.My router is on the 10.1.10.X network. My internal network is 192.168.1.X I have several NAT statements on my router pointing to 10.1.10.X addresses. These addresses are defined on my firebox as seconday external addresses and I am SNAT'ing them to 192.168.1.X addresses on my local LAN.This is mostly working well for everything. However, there is an FTP I am connecting to through the a VPN on the cisco that will not connect. The source is a 192.168.1.X address.
View 1 Replies
View Related
Feb 18, 2012
The router passes the Interface test for the WAN port in CCP but it still we cannot access the internet. Here is my configuration:
Building configuration...
Current configuration : 3663 bytes
!
! Last configuration change at 09:29:52 Chicago Mon Feb 20 2012 by fbcpekin
version 15.1
[Code].......
View 5 Replies
View Related
May 30, 2011
I am facing a problem with transmitting of VoIP traffic through VPN.
I have a 1921 router in my end where two ISP's terminate and load balancing is done over the ISP'S. I also have a site-to-site IPSEC VPN connection to remote location. Also I am having to analog phones connected to the network through an ATA. My Call manager is in the peer end and has public IP assigned to it. The IP phones get registered when coonected to general inernet connection.
The loadbalancing and VPN is working fine. Now I need to transmit the VoIP traffic over the VPN. I have configured the same but seems not working. [code]
View 5 Replies
View Related
Apr 2, 2012
The Cisco 1921 router has two routed adapters. One is GE0/0 which I am using for my WAN interface. It is working properly. The 2nd interface is GE0/1 which is being used as my internal adapter. It is running NAT. When I attempt to reach the internet it fails while checking the exit interface. Here is the report.
AttributeValueRouter ModelCISCO1921/K9Image Namec1900-universalk9-mz.SPA.151-3.T.binIOS Version15.1(3)THostnameBulldog
Interface Details
AttributeValueInterfaceGigabitEthernet0/1IP address192.168.1.1DescriptionNOC Link Test Activity Summary
[Code].....
View 1 Replies
View Related
Nov 29, 2012
I have a brand new 1921 router that I can't login to using cisco/cisco. Is there a new password?
[URL]
I don't have physical access so I can't reboot it until Monday. Just wanted to get it working today.
View 8 Replies
View Related
Mar 7, 2013
I am trying to decipher the differences between the two models of the 1921 router. One has an IP Base IOS and the other has a Security IOS. I have an ASA so I don't think I need all the Security IOS bells and whistles on an internal router. Although, does the IP Base IOS allow for trunking and sub interfaces? I definitely need that and on CDW's website it says that the 1921-Sec/K9 w/ Security IOS includes 802.1Q and that spec is not listed on the 1921/K9 IP Base IOS model.
View 3 Replies
View Related
Feb 29, 2012
How can I implement this with Zone-based Firewall on my 1921?
I'm looking for something as simple as the port triggering function on a Linksys or Netgear router.
View 4 Replies
View Related
Nov 28, 2012
We recently got a 1921 for our main office and we have a dedicated 15/15 connection. We're running on an 1871 right now that is not under my control so I can't even see it's running config. OK! So when I set my gateway to be the 1871, we can get our upload to over 6mbit (we have 8 branches, so won't ever get full 15 since they're using it too). With the gateway set as the 1921, it seems like we're stuck at 1.5. I haven't seen it go higher than that. I've looked over the config but can't see anything that would imply some kind of bandwidth limit but I have copied the config here.
Building configuration...
Current configuration : 6688 bytes
!
! Last configuration change at 10:59:47 PCTime Thu Nov 29 2012 by admin
! NVRAM config last updated at 10:04:31 PCTime Thu Nov 29 2012 by admin
! NVRAM config last updated at 10:04:31 PCTime Thu Nov 29 2012 by admin
version 15.1
[code]....
View 3 Replies
View Related
Apr 17, 2013
I bought a cisco router last week. The reseller said it is a brand new one. However, when I try to set it with console cable connecting to PC, the default password does not work. I tried to use control+break to get access to rommon for password recovery. The tera term pro displayed nothing at all! In thin case, what should I do to setup the router? Dose the reset button in the back work to restore the router to factory setting(which means i can use default username and password)?
View 1 Replies
View Related
