Cisco Switching/Routing :: Internet Traffic Not Routing Through VPN 891w?
Feb 21, 2013
I have an 891w as my edge device for my home office. I have a VLAN for family use (wired and wireless) that routes out to the internet just fine. I have a second VLAN assigned to a VPN tunnel that backhauls traffic to my corporate network (wired and wireless) and all of the traffic gets to the corporate network fine when I am on that VLAN.
However, while I am on the VPN VLAN, no traffic gets to the internet. I believe it is because I have the gateway of last resort (0.0.0.0) set to the WAN IP address provided by my ISP, so DNS is resolving against corporate, but because there is no specific route, it is trying to dump the traffic back out the WAN without traversing the VPN tunnel.
View 4 Replies
ADVERTISEMENT
Feb 26, 2012
I have a client that that is installing a new network. They have requested the use of an CISCO891W-AGN-A-K9 mostly to be consistent with upgrades perfomed at other sites. I agree with the use of this router, so that's OK. The issue is that they have requested that I use the integrated PoE available on this model. I'm also OK with this as it will make a much neater installation. However, I can't seem to find much information on how to get the integrated PoE. I need clarification as to whether I can get a kit to upgrade this router. I generally purchase from sites like newegg or cdw (I'm an independent contractor) and I can't seem to find one with it. I have found some information on 800-IL-PM-4 and 800-ILPM-4 (who could confuse those ). Are they the same or different? Which one is the correct one and does it include the AC power adapter and can if be retro'ed into a router without the PoE?
View 2 Replies
View Related
Mar 22, 2012
I believe I have the steps done at the IOS to config the WAN port for SSH, but I still can't connect to it. I have "logging console 7" on so I am able to see that the router is dropping my TCP session requests. I figure this is just the built-in zone-based firewall at work.
Is there a very straightforward process, via the IOS, to allow SSH inbound on the WAN port? I'm not very familiar with the IOS other than basics so while I know how to do things like "transport input ssh" and "login local" and such on the vty 0 4 line, I have no idea whatsoever on what I should do with the firewall stuff. I believce the WAN interface is already a member of the outside zone though so I imagine one just has to somehow include ssh (preferably on a non-standard port) in the exceptions on the firewall somehow.
I have been poking around for a step-by-step IOS guide for this but only find info on configuring SSH itself but not how to open the firewall to allow the connection for it through.
View 11 Replies
View Related
Sep 24, 2012
I am trying to allow RDP through my 891w.I have tried a few different yjing to no avail. [code]
View 23 Replies
View Related
Nov 6, 2011
I'm new to using Cisco Config Professional Express but a lot of things are just "off" with this utility. But my problem for this post is specifically the 891W's internal access point, or initial access to it.
My situation is that I have some 891W's. It's my first time working with them, as well as with CCP Express (2.5). After isolating the router and my PC to their own network, using the IP my PC got via DHCP frmo the router I opened a web broswer and connected to the router. The initiial configuration wizard came up and I went through the various screens. One of those screens had basic config info for the internal wireless AP which I provided. Somewhere in that screen it asked for a Hostname for the AP, and a password. It doesn't askfor a username though. To ensure I wouldn't run into confision, I made sure to set every password I ever get asked to configure as the same thing so the AP's password was also the same.
However after I finish with the wizard, the java-based CCP Express begins prompting me for first the main router credentials which I provide and it gets the router config, then it prompts mefor the username/password for the Access Point. First of all, the initial config wizard had never asked me for the username for the access point, only the hostname, and the password. I had assumed it was just going to use the main router username, or perhaps a blank username.
In any case, nothing I type ever works. I've used cisco/cisco, or a blank username with my new password, or the same username as the main router with the password ---- nothing. This is now the 4th time I have completely Reset the router to factory defaults and while I am learning the use of CCP Express through repetition, I'd also like to get this thing configured and out the door so my customer can use it.
View 3 Replies
View Related
Feb 9, 2012
I am trying to configure the FE8 (WAN port) to connect to the Internet. We're swtiching ISP'ssoon so this router was set up at my office and has since been deployed at the client site. So far it is just plugged in and powered, with a console cable attached but no LAN cabling since this router will replace an existing one using the same addressing (except the WAN settings of course). So for now I am just focused on working on the WAN side since I have the ISP's cable modem attached . I had intiially used CP Express to config the wan port with an IP and mask and the various port forwarding options I intend to use. Now, connected via console cable, I tried pinging the IP of the wan port, which works. Beyond that, can't ping anyting (8.8.8.8 - a Google IP), also can't resovle any DNS names which makes sense with no apparent connectivity. Likely my config is just imcomplete. Nowhere in sh run do I see a Default Gateway, yet this ISP did specify one so I assume I need to enter it. Not sure what's the right way - I get confusing results on searches telling me either to use ip default-gateway or ip default-network. I want to think that it's as simple as entering in the IP but so far I've learned with the IOS that you never do anythign without knowing all the possible implications, which I don't. Also while I am at it, I don't know what I should have for DNS entries. This router will not be a DNS server for any internal systems that function will be managed by the two Windows 2008 R2 DNS machines. The ISP has also provided two IP's for their DNS servers. I thought it would be a simple matter of just adding two entrires via ip name-server command, which I did. So now I have four entries, first the two internal servers (inaccessible currently due to no LAN cabing to this router), and the two ISP servers. Can't ping those either, but again there's no default gateway.
View 39 Replies
View Related
May 27, 2012
I'm working with some 891W's that have the internal 800-series AP. I have this router set up initially using Cisco Config Express, then, using Cisco Config Professional 2.5 I set up the firewall and other featuress that CCE doesn't do. Overall this is a very simple router, meant to be a small business Internet gateway device but is currently in my lab.
The intended WLAN setup is very simple. One SSID, with broadcast enabled, using WPA2-Personal. Auth: open Encryption is both TKIP and AES-CCM.
However no matter what I do I cannot get thhis thing to broadcast . In the past I had sometimes run into issues where if I had more than one AP running independently it would cause a channel conflict and one or both would cancel each other's radio, so I disabled all other AP's in my vicinity.
Also I've had issues in the past where f I enabled both TKIP and AES, sometimes clients can't find the AP as a result. My solution had been to disable one of them leaving just the other - no change here however.
Via the IOS, ssid config shows mbssid guest-mode which I believce is default.
Interestingly, if I do the following:
ap# Config t
ap(config)# dot11 ssid <myssid>
ap(config - ssid)#guest-mode
end
I end up with both "guest-mode" and "mbssid guest-mode" in the sh run for the AP, and voila, my AP broadcasts the SSID. However clients end up joining without any security at all, no prompts for pre-shared key or anything.
View 7 Replies
View Related
Jan 26, 2012
I have an 891W router that requires a firmware update to fix a bug wth the internal AP where all you get when accessing it via the CP Express ("Launch Wireless Application", which is just opening another web browser to your AP) is an Enter button. This issue seems to be common so I found a thread, though for the 881W (but same process) where the fix is to update the AP's firmware.
So I downloaded ap801-rcvk9w8-tar.124-21a.JY.tar from cisco.com, set it up in my tftp server, and at the console ran the following from the router:
Router#service-module wlan-ap 0 session <enter>
This brings me to the AP.
I then type in:
InternalAP#archive download-sw /force-reload /overwrite tftp://192.168.0.71/filename.tar <enter>
It seems to go through the process of re-imaging the fw but the end result now after it is done is that I cannot access the ap at all and the hostname has been screwed up. So now when I go to the AP (via Router#service-module wlan-ap 0 session <enter>), this is what I see:
AP6400.f177.d0ee>
If I type "enable", I get no username prompt but I do get a password prompt, however my pw no longer works. Also the IP address of the AP (192.168.0.2=) is no longe rpingable.
I did save the log of the console session for the (failed??) firmware upgrade process - the only odd thing I recall was that it seemed like it was trying to enter part of the update process commands but instead the router was interpreting them as a DNS lookup or something. Kind of stupid process it seems but anyway I am quite lost. Don't know what it'ssuch a challenge to update firmware.
View 9 Replies
View Related
Oct 12, 2012
I have had trouble to verify the support wireless speed and band that CISCO891W-AGN-A-K9 supports. I saw on a vendor website that it supports a max wireless transmission speed of 54Mbps but this seems low for what is supposed to be the current model wireless router which is supports 802.11n. What the maximum supported wireless speed and whether 5Ghz is supported? Plus I am thinking about purchasing it for my home wireless network (upgrading from an 871W).
View 1 Replies
View Related
Jan 6, 2013
I have an 891w that started acting up recently. Radio dot11 0 is reporting its a b radio. When it is actually an n 2.4 radio. Of course that radio is not allowing any clients to connect to it at this time. I have tried updating the firmware to the latest, tried a hardware reset but still a nogo.
sh interface output.
Dot11Radio0 is up, line protocol is down
Hardware is 802.11B Radio, address is 0000.0000.0000 (bia 0000.0000.0000)
MTU 1500 bytes, BW 11000 Kbit/sec, DLY 1000 usec,
[Code].....
View 6 Replies
View Related
Mar 15, 2011
I have an 891W that I initially configured using CCP Express (2.5). So it has a WAN IP set, and through CCP Express I had enabled via the checkboxes the various default settings for security. This includes zone-based firewall. I then added a number of NAT entries in the setup wizard.
What never occured to me at the time was that I should have added entries that allow for remote access. So it seems I've locked myself out of accessing the router via the WAN interface even though I know it's IP. I'm sure it's just a matter of adding port exceptions for SSH and/or whatever port(s) CCP uses.
So I"m wondering what the proces woudl be. In the IOS while showing the running config., I see pages and pages of class-map stuff which at present I don't know enough about to risk editing anything directly. But maybe I don't have to? What would be the best way to, for example, enable SSH access through the firewall? I already have transport input ssh set on the interface itself so I believe it's ready to allow the connection, just that I can't get to it via WAN int. so I assume it's the firewall.
View 3 Replies
View Related
Nov 24, 2011
At one of my field offices I want to redirect internet traffic down a separate DSL connection instead of having it ride the T1 back to the main office then going out. At this office I have a 2600 router, 3560 switch, with a Fortigate firewall in between DSL connection and LAN, Fa0/0 on router and firewall are both plugged in to switch. I have seen posts that mention PBR or static routes which is the reccomended method for dealing with this?
View 6 Replies
View Related
Nov 5, 2012
We run a workers camp here and we currently have around 2500-3000 people using our 100MB internet pipe. We are upgrading the pipe to 200MB soon but I still would like to limit how much bandwidth everyone is using.
We allow streaming media such as Netflix, youtube, apple TV and of course .So it gets full pretty fast. We have QOS implemented although I wasn't here when it was done so I don't know a lot about it. I would like to limit IPs to a certain amount of bandwidth. [code]
View 1 Replies
View Related
Aug 3, 2012
I have a Cisco C3560CG which is running C3560c405ex-UNIVERSALK9-M), Version 12.2(55)EX2.The switch has vlan 1 and vlan 50 configured, vlan 50 should have access to a limited number of host in vlan 1.The following acl has been applied on the inbound to vlan 50:
10 permit tcp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq 137 138 139 445
20 permit udp 10.16.30.0 0.0.0.255 host 192.168.15.243 eq netbios-ns netbios-dgm netbios-ss 445
25 permit icmp 10.16.30.0 0.0.0.255 host 192.168.1.243
26 permit ip 10.16.30.0 0.0.0.255 host 10.16.30.254
30 permit ip 10.16.30.0 0.0.0.255 host 192.168.15.254
[code]....
I sure the above would work, but for some reason some of the packet counter are not incrementing but the traffic is being blocked. But I would like to see the counter increment.Also I have that I may beed to use VACL wouls this be the case?
View 26 Replies
View Related
Jan 14, 2012
i have a strange issue with an HSRP Setup. I have two (S1+S2) 3560 as Core/Distribution Layer. Inter-vlan routing are enabled on both Switches. S1 and S2 are connected with an ether channel over four fibre ports. S3 -S5 are the (L2) access layer.
Gi0/1 on S1 and S2 are L3 ports, connect to a Linux Firewall.
HSRP is enabled, S1 is the active router and the STP root bridge.
But, my monitoring via cacti show me, that the Gi0/1 on S2 is active, too! But it should not be active? Only if S1 fails, should S2 the active switch.A client from the access ports on S3 - 5 gets traffic from the Internet via Gi0/1 from S2. Gi0/1 on S1 is active too, but will send mostly traffic to the Internet. Why is S2 active and why route it traffic from the Internet to the client?
View 15 Replies
View Related
Nov 7, 2012
I have an ASA 5510, with Ethernet0 connected to Internet via a T1 line, Ethernet1 connected to LAN1, and Ethernet2 connected to LAN2. LAN1 & LAN2 are independant, but share the Internet connection, via the T1 line. On LAN2, I have another router that connects to the Internet, via a Comcast line. I wish to route some of the traffic on LAN2 (10.38.77.0) to the other Router, on LAN2 (10.38.77.12) (connected to the Comcast line). I have entered the following lines:
route inside2 10.11.0.0 255.255.0.0 10.38.77.12 1
route inside2 10.252.0.0 255.255.0.0 10.38.77.12 1
route inside2 172.22.6.0 255.255.255.0 10.38.77.12 1
I can trace the routes from the ASA 5510 (1st hop is to 10.38.77.12), but not from anything else on LAN2.
View 7 Replies
View Related
Apr 2, 2012
We're in the process of swapping in a new pair of ASA5520s and Catalyst 3750s to support two separate business units. We want Firewall A and Switch A to handle traffic for Org A (VLAN 100). Similarly, firewall B and Switch B should handle traffic for Org B (VLAN200). But we want to be able to fail traffic over in case of firewall or switch failure. Traffic between the two Orgs is being routed at the switch level. [code]
The uplink interface on each switch is currently a routed port with a static address on the uplink subnet. This works fine in a normal state. However, when we fail over one of the firewall contexts to the other chassis, this results in the inability to route internal traffic because the internal interface is now physically connected to a different switch with a different IP port address (obvious in hindsight). The question is, rather than a routed port, what would be the proper way to handle traffic between the switches and firewalls in a failover scenario? If I make the uplink ports into trunks, won't this cause all packets destined for either firewall to hit both both? Seems like that's not the way to go either? [code]
View 0 Replies
View Related
Oct 3, 2010
We've got a cisco 2821 router which periodically stops routing all traffic. It seems to happen about once every 2 weeks, and I can't find anything that could be causing it. There are no entries in the log and the router stays up and running but requires a restart to begin processing traffic again. We're running 12.4(13r)T11.Any thoughts, or troubleshooting steps to track this down?
View 7 Replies
View Related
May 29, 2012
We have a Catalyst 6509 switch, and we hope to use policy based routing to redirect http traffic to my proxy server, where I can find the configuration example?
View 11 Replies
View Related
Sep 2, 2012
I have just set up a Cisco ASA 5510. It basically only contains the settings provided in the startup wizard. It however does not let through traffic from the internal interface to wan 2 (wan 1 is not connected yet but traffic should also be able to go there).
View 2 Replies
View Related
Jan 17, 2013
I have two Cisco 7606 routers using BGP to connect our customers to the internet. Recently we added a new 1G circuit in addition to an existing 1G circuit and all traffic inbound is now on this new 1G circuit. We would like to shift some of the inbound traffic over to the other 7606. Our Tier provider has the same AS number for both paths. One path goes directly to New York and the other goes to Boston then New York.
View 1 Replies
View Related
Feb 18, 2013
I have a 3560X switch with interfaces 36-48 on the same LAN. All interfaces are switchports. Hosts on 38, 39 and 40 are multicast senders: all sending to the same single multicast address. Hosts on 36 and 37 are receivers, having joined that multicast group. I created an SVI for the LAN and put it in ip pim passive. (That is the only PIM mode allowed for an SVI with my IOS.) Show ip igmp snooping groups shows that 36 and 37 are the only interfaces in this group. I attach a laptop to interface 42 and Wireshark, and the laptop is receiving the multicast traffic. The laptop does not join the group. I expect it would not see the traffic.
View 4 Replies
View Related
Jul 14, 2010
Got servers in vlan 10 ip range 10.0.0.0 and servers in vlan 20 ip range 20.0.0.0 at the same layer 3 switch. (c6509 sup720)I would like to block TCP traffic initiated from Vlan 20 to Vlan 10. But the servers in Vlan 10 needs to be able to open an TCP connections to Vlan 20 did test with the ACL thats blocking (ack/established/syn) but unable to get it to work.Or it works both directions or is works non directions.
View 4 Replies
View Related
Jan 31, 2013
i want to apply a QOS for my trafic LAN, in my ASR 1001 , the LAN is connected with ge0/0/0 interface and it configured with the service instance to bridge vlan 1 ( i do that for OTV ) i put service policy in "service instance 1" to marking data with ef31 but i noticed that the class "plateform_datacenter" match the trafic and the ACL associate to this class not mach any trafic trafic !
tha policy-map march trafic for Datacenter :
sh policy-map interface gigabitEthernet 0/0/0 service instance 1
GigabitEthernet0/0/0: EFP 1
Service-policy input: MARKING-OTV
Class-map: Platforme_DC (match-any)
[code].....
View 9 Replies
View Related
Nov 15, 2011
I have a 2911 router. One interface is configured external (WAN) and two interfaces are configured on separate internal private subnets. What is the configuration to allow all traffic in both directions between the two internal subnets?
View 21 Replies
View Related
Jan 29, 2013
I have two switches (2960S's) both with IP Phones on VLAN100..We need to monitor voice traffic via a monitor port on SW1 of all VLAN100 traffic on both switches.The following is what we have configured, but we cannot see VLAN100 traffic on SW1
According to Cisco doco you cannot have a SPAN and RSPAN on the same session, however since these are two sessions on SW1, I would have thought it to be OK.
View 4 Replies
View Related
Apr 16, 2013
Is there a way to block lan to lan traffic (except lan to gateway/gateway to lan traffic of course) on a Cisco 2960?
View 9 Replies
View Related
Mar 10, 2012
I have the attached setup. now i would like to limit my ftp transfer to 10 mb from a specific vlan to ftp server on the STM-4 (622) link. what would be the best way to limit ftp traffic to 10 mb .
following is my switch deatils
Video_Main#sh verCisco IOS Software, IOS-XE Software, Catalyst 4500 L3 Switch Software (cat4500e-UNIVERSAL-M), Version 03.02.00.SG RELEASE SOFTWARE (fc4)Technical Support:
[URL]
Cisco IOS-XE software, Copyright (c) 2005-2010 by cisco Systems, Inc.All rights reserved. Certain components of Cisco IOS-XE software arelicensed under the GNU General Public License ("GPL") Version 2.0. Thesoftware code licensed under GPL Version 2.0 is free software that comeswith ABSOLUTELY NO WARRANTY. You can redistribute and/or modify suchGPL code under the terms of GPL Version 2.0. For more details, see thedocumentation or "License Notice" file accompanying the IOS-XE software,or the applicable URL provided on the flyer accompanying the IOS-XEsoftware.
[code]....
View 2 Replies
View Related
Feb 23, 2013
We have a lot of IPX traffic flowing through a switched network and we are being asked to filter it from a network standpoint. At one point they were using IPX in their network, but no longer need to, so they still have a lot of machines spewing out IPX traffic. We have removed the IPX routing commands from our distribution switches, (Cisco 6500), but after running a short 10 minute Wireshark capture I'm still getting a good bit of IPX traffic from a lot of different devices.
View 2 Replies
View Related
Nov 21, 2012
I have two servers on one subnet that each need to replicate to a single server on another subnet. They also need to replicate to each other. This replication is unidirectional so I will refer to the 2 server subnet as the source subnet and the single server subnet as the destination subnet. In order to keep this replication running without killing the MPLS links on either end, we are trying to use a policy-map that limits bandwidth from the source subnet.The Problem:We have created a policy that polices traffic during specific times of day and limits the bandwidth as prescribed, however, bandwidth is also being limited between the 2 servers on the source subnet which is not needed or desired.Class 512K set dscp ef police 1024000 bps 1024000 byte conform-action transmit exceed-action dropClass Map match-any 512K (id 4) Match access-group name DAGExtended IP access list DAG 10 permit ip host 10.20.0.3 host 10.20.0.10 time-range DAG-REP (active) (22793 matches) 20 permit ip host 10.20.0.4 host 10.20.0.10 time-range DAG-REP (active) (14156 matches)The service policy is applied on the input side of the 2 interfaces on which our devices are connected.As you can see, the access list identifies the interesting traffic as traffic from two specific hosts to one specific host. The problem we are having is that bandwidth is also being throttled between the two source hosts even though it is not defined to do so.What can I do to limit traffic from the two source devices to the single destination device without limiting bandwidth between the two source devices?
View 1 Replies
View Related
Apr 10, 2012
I tried to put QoS in a WS-C3560CG-8TC-S version 12.2(55)EX2.It shows 0 traffic in class-map. Here is the config My question is why I can not see the traffic via class-map?it should in the default Q if incorrect mark.I erased the config and config with the autoQoS, shows the same result.
class-map match-any VoIP description Voice IP Phone RTPmatch access-group 157
class-map match-any WEB description Internal Web, SSL Web, DNS query, Pinnaclematch access-group 153
!
policy-map QOSMARK
class VoIP set dscp ef
class WEB set dscp cs3
class class-default set dscp default
[code].....
View 3 Replies
View Related
Dec 6, 2012
i want to to ask about redirecting in MLS 7600 .assume the user a has an ip x.x.x.xand that user requested url...i want to to redirect his request to url...the users that have to pay the monthly bills , i want to give thim an ips and redirect all the http requests from this to a special local webpage .is is applicable to to it on router cisco 7600 ??or is it applicable on router 7206 npeg2 ? also i have siwtch 2960g.i dont want to do it by proxy server.
View 4 Replies
View Related
Feb 24, 2012
The top device of my network is cisco router 7609. There are two part subnet of my network, each part use same device type, same running-configs and same network topple: sw6506(to campus)--->sw3560(to buildings)<--->linksys sr324(to offices). IP addresses for manager vlan is 192.168.1.0/24.Suppose we name two part subnet as A and B. the problem is from 7609 I can telnet to every device of part A quickly, but when telnet to each sw3560 of part B,it responses very slowly. And only sw3560 of part B are response slowly, other devices of part B are ok.If I telnet to linksys sr324 first, then from linksys sr324 telnet to the current sw3560, it's ok.I try to capture packets of manage vlan, but there seems no strange things in it.No users of part B report problems, it seems the network is running well. Compare two sw6506s, the only diffirent thing is, there are "overrun" count at each interface in use of part B's sw6506. Each interface traffic is far less than it's capability, but it's "overun" count still increasing at working hours everyday.
View 1 Replies
View Related
