I have a site to site vpn between a Cisco 1941 Router and a Watch guard XTM22 Router. The tunnel is up, and from the side with the Watch guard Router, I have full access to the LAN on the Cisco 1941 side.
However, I cannot access any of the devices on the LAN on the Watch guard side. If you had to guess, which router would you say is causing the problem? I really don't know where to start looking.
I am working for a company based in Sydney Australia, the company recently open an office in London UK, therefore we are going to get leased lined based on MPLS.We were advised that Customer Edge router will be CISCO1941/K9. We want to our UK client to access our web-based applications via MPLS network instead of internet. The UK office is using BT Business ADSL with 5 Static IP address (please note the modem IP address is actually dynamic), we are going to get a Cisco 857/K9 router which will be used for the entry for the UK client to access the MPLS network. My question will be how do I configure the Cisco 857 router to allow one of the public ip to access the MPLS network. It appears that there are two options, and I am not sure if this is going to work or which one is working better. I have attached two diagrams for clarification of my case.
Option 1 Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) get the assigned 5 Static IP addresses One of the five IPs (217.xx.xx.169) will be assigned to the FE1 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic) One of the five IPs to 217.xx.xx.170 will be assigned to the WAN interface of Sonicwall Firewall Router which also serve as Internet Access Gateway for LAN users, All trafiic destined for Sydney LAN will be using FE0 (Cisco 1941) as gateway
Option 2Cisco WAN interface get Dynamic IP (PPPoA) from BT LAN Interface (4 Port) will get 192.168.0.1, Cisco 857 router will be the default gateway for LAN users, using one to many NAT, also one to one NAT, One of the five IPs (217.xx.xx.169) will be forwarded to the FE0 (Cisco 1941), any traffic to 217.xx.xx.169 will be routed to the WAN interface of Cisco 1941 to access Sydney service (located in Sydney LAN, mostly http and https traffic)
I cannot telent to 1941 router from a Window 7 PC and I can a Window XP PC. Telnet is enabled on Win 7 PC. I upgraded 1941 to latest IOS.Compters running Windows XP can telnet to router and hit the internet. Computers running Windows 7 cannot hit the internet. I replaced the 1941 with a 1760 router and Win 7 computers can telnet to router and hit the internet. I used the same config from the 1941 on the 1760.
View 5 Replies View RelatedI have an IPSec tunnel configured on my Cisco 1941. The other device is an ZyXEL router.I can see the tunnel is up but there is no traffic.This comes out the show crypto ipsec sa
interface: Dialer1
Crypto map tag: CMAP_AVW, local addr 10.10.10.89
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.200.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.150.0/255.255.255.0/0/0)
current_peer 20.20.20.161 port 500
[code]....
We need to give TCP 3389 & 3399 priority over all other traffic between a Cisco 1941 and 2951.What is needed to do this?
View 6 Replies View RelatedHow I can prioritize Web Ex, Skype and some two websites on Cisco equipment. My set up is such that my 512kbps link goes to a Cisco 1941 router>Cisco ASA 5505>Cisco Catalyst Switch 2960>Computer.I want to be able to prioritize this on my network and test that it actually works.
View 1 Replies View RelatedWe have cisoc 2821 at one of branch and created five sub inetrfaces for different vlans.Output of Show interface shows very frequent increase in the input error count.I have changed the physical cable and switch port on the other side.But still error rate is increasing.When the traffic is less error rate is low but with high traffic it is increasing drastically.My router process is very less(4%) only.What could be possible reason. [code]
View 8 Replies View RelatedWe are looking to implement traffic shaping/policing primarily for P2P traffic. As natively the ASA5550 is only capable of p2p inspection if the traffic is tunneled via port 80 is the AIP-SSM the way forward? We have 2 5550s in active/active failover config. As a side note we are also looking to implement an IDS/IPS system so could this module cover all?Is this module going to provide the desired outcome or is there another module/device out there better suited for this? I would prefer to use the ASA5550s as opposed to implementing another product if only that we can make use of the investment we already made on these devices.
View 1 Replies View RelatedI am testing limit bandwith using my ASA 8.2, i am trying to limit internet access for certains users , i order to save Bandwith for the important things but i can´t get any limitation
My configuration is the following, the acces list is just for my pc in order to test, and the service policy is applied to outside interface (called internet in my case) for incoming traffic
access-list Internet_mpc_1 extended permit ip host 172.16.127.70 any class-map Internet-class-TEST match access-list Internet_mpc_1 policy-map Internet-policy-web class Internet-class-TEST police output 1024000 1500
service-policy Internet-policy-web interface Internet
With show service policy i can´t see any activity on the policy , but if i do a similar configuration for inside interface outgoing traffic i can see packets allowed and dropped
I have an ASA 5520 with the below config
Gi0/0: outside (Internet)
Gi0/1: inside (Internal users)
Gi0/2: DMZ (web servers, ftp, Mail etc..)
I have a SMTP relay deployed on the DMZ for mailing. I have also a mail servers installed in the internal lan,
I want to allow trafic from dmz to reach internal lan, and i want normally also allow stmp relay from dmz to reach Internet.
How can i block trafic from DMZ to reach Internal Lan (instead of smtp) if the to allow trafic from dmz to internet i must put ANY in the policy?
For allowing trafic from DMZ to reach Internet, the policy must be DMZ -----> ANY ----->Services., this policy means DMZ can implicity reach Internal Lan?
We have a Cisco 2811 running ITP IOS. On that router we run the SMPP service. A client on the network connects to this service, and we need to capture the traffic for debug.
I've tried traffic-export, but I cannot see any outbound traffic.I'm guessing that this is due to the fact that the outbound SMPP traffic is not transit traffic as it is generated by the router itself.
Is there any way to capture the outbound traffic?
I am trying to come up with the best way to traffic shape traffic with 3750 Me switches. the traffic will be coming from a 6504 Sup-7203b downstream and going out the wan. Core---L3---->6504--intvlan80--trunkport to--->3750Me---g/1/1/1-trunkport to---MetroE network--->int f0/0.80--branch router. The idea is to use the 3750 to traffic shape the traffic going towards the wan/branch to 500 to match the contracted rate and then to use qos on shaped rate. I tried to apply it to g1/1/1 using port based policies but it did not shape the traffic. I changed everything to IP interfaces and it worked. I need to break up the metroe into different vlans so I can bring branch offices in on different vlans.c
View 3 Replies View RelatedI have a Cisco 1941 which has several Cisco VPN clients connecting to it which all works fine. The details of the LAN and VPN clients are as below:
Cisco 1941 LAN : 172.16.1.0 255.255.255.0
VPN Clients : 192.168.5.0 255.255.255.0
As mentioned this works fine but I'm about to setup a point to point VPN with from the above Cisco to another site which isn't controlled by myself and the remote side of this point to point VPN will only allow connections from the "172.16.1.0" subnet to communicate with it.
The issue I have is that the Cisco VPN clients also need to communicate with the remote side of this point to point VPN but they are obviously coming from the "192.168.5.0" subnet. Is this possible and where to start with this that would be fantastic.
I got 2 DC Cisco MWR 1941 and 3600, I do not know the reason why when I set up IP NAT to 1941 does not work but if I do it in the 3600 if it works.
View 13 Replies View RelatedI have a problem with my routers (cisco 1941)I'm running a DMVPN network (Hub and spoke)All the hubs are connected to the 2 hubs. With 4 tunnels. (each hub has 2 interfaces to the spokes. the spokes only have one interface to the hubs, so I splitted them and so I now have 4 dmvpn tunnels). one of the interfaces on a hub malfuntioned and because of that the customers had problems with logging in and sending packets. I made this kind of structure because of when one of the tunnels failed the spoke could use the 3 others... BUT, what happened here was that the spoke still tried to use all 4 of the tunnels and because of that I had 25% package loss!So this didn't work. Now I read about IP SLA, but I was wondering of this could work? (I cannot test it on spare routers, and I don't want to implement it and risking a total network failure...) and how to configure it. Should I make 4 different sla processes which I should all 4 track? And when I make the ip routes, how should I make or configure it so that 1 of the tunnels/interfaces fails that the spoke would addapt the routes?
View 1 Replies View RelatedI'm trying to get two Cisco 1941 routers with HWIC-1T and HWIC-3G-HSPA interfaces to use the 3G interfaces if the frame is down (as it is right now).In the lab, I was not able to get these to use the 3G interfaces as a backup (i.e. backup interface cell 0/1/0) and I've not been able to workout the correct incantation for static routing either.
kununurra#show ip int br d1
Interface IP-Address OK? Method Status Protocol
Dialer1 172.31.2.94 YES IPCP up up
[Code]....
I have been breaking my head over a problem with my new 1941W ISR since about two weeks now.When I restart the router, the service-module wlan-ap0 is not working.After a restart of the router, when I ask a service-module wlan-ap2 status, I get:Service Module is Cisco wlan-ap0Service Module supports session via TTY line 67Service Module is waiting for registration messageService Module reset on error is disabledService Module heartbeat-reset is enabledService Module is in fail openService Module status is not available
After a while it changes to Service Module is failed.If I restart the module with service-module wlan-ap2 reset, it works. Is this a technical error?
We bought a CISCO1941 K9 router. To enabled IPSec feature, I need the PAK to active IPSec on 1941. Where I can buy a valid PAK? Could it be done via on-line support?
View 5 Replies View RelatedI have got a Cisco 1941 router and would like to activate my SSL VPN license on it. How do i go about it?
View 6 Replies View RelatedWhat is the processor available in cisco 1941 router? is it RISC?
View 4 Replies View RelatedHow do i configure SSL VPN on a Cisco 1941 router? I would very much want a howto guide that does step by step. I have not found one my self so far.
View 1 Replies View RelatedOn our Cisco 1941, we have 2 gigabit ethernet ports and a 4 port fast ethernet switch EHWIC card configured as follows:
GigabitEthernet0/0 131.x.x.81 255.255.255.248 - internal
GigabitEthernet0/1 131.y.y.234 255.255.255.252 - WAN
Vlan2 192.168.0.249 255.255.255.0 - LAN2, NAT inside
[Code]....
I have tested using some UDP packet sending/receiving software (which works through another router), and the packets just aren't getting through. Likewise trying to telnet into the external IP on port 80 doesn't get through to the destination server.
It feels like the route doesn't exist between the Vlan 100 and Vlan 2 when it's coming in, or maybe there's an ACL needed for the incoming traffic?
We have a Cisco 1941 Router with two single HWIC cards supporting two T1 lines 3Mbps total bandwidth. We have a distance learning lab that takes atleast 2mb connection when in use so it realy kills our bandwidth. I was looking to possible add a thrid T1.
My question: Can I just buy a double wide HWIC card and replace the single port one. Would this require re-configuration or it's simply plug n play?
What other options can I try for more bandwidth instead of adding thrid T1.
I've got some 1941 ciscos set on every branch.We have native L2 between this offices and I want to use external ip addresses on gig 0� interfaces anfdf local ip addresses on lo 0 interfaces, and use lo 0 for vpn connections.
I do:
int gig 0/0
ip add 192.168.181.14 255.255.255.0
ip nat outside
I can ping it from local network behind giga 0/1 but i can't ping it fro outside, how can i do this?
I have recently gotten a cisco 1941 router running version 15.1(3)T, and am trying to configure the router as a PPPoE server for access via a vlan on one of the gigabit ethernet ports.I currently have a cisco 2620 router (version 11.3(2)XA4) with the following relevant configurations:
vpdn enable
vpdn multihop
vpdn domain-delimiter @ suffix
!
vpdn-group pppoe
[code]....
I am trying to duplicate this (all but IP addresses) on the new router, but there are some options that do not seem to exist in this particular software/hardware combination. Specifically,
vpdn-group pppoe
accept-dialin
protocol pppoe
does not accept "pppoe" as a protocol, only allowing l2tp. What has changed, and what the proper configuration is.
We purchased this router with the cisco IOS software installed. I've installed the Vista driver on my win 7 box. I believe that should work. I installed Putty to termainl in and I'm using a USB connection. I cannot even log into the router. I thought I was going to see some kind of setup wizard using the CISCO software so I would use a GUI and get things moving. I've got loads of reference material with command etc. but I just can't connect to the router to make it happen.
View 3 Replies View RelatedI currently purchased, Cisco 1941/K9 with 2 onboard GE, 2 EHWIC slots, 1 ISM slot, 256MB CF default, 512MB DRAM default, IP Base.
Questions
1. With IP Base License, will I be able to run Frame Relay? I really need reference on what works and what doesn't between these different technology package licenses ? Actually frame relay is running on it right now, hope it doesn't suddenly stop after 60 days...
2. As I understand in order to run MPLS, I will need to upgrade to Data License "SL-19-DATA-K9". Since, I already have a Cisco 1941 to upgrade it, I need to order a spare license / paper PAK?
3. Does the IP Base License support site to site IPSEC VPN or do I need to purchase a security license "SL-19-SEC-K9"
4. Can I have both security and data license activated on the same device ?
5. If I do activate security or data license will I be able to use the IP Base features at the same time?
6. If I purchase a new Cisco 1941 with Data or Security License do I need to purchase the IP Base License then upgrade the license?
7. Is the 1941 suited for voice application routing ?
I was wondering about the folling witch i found in a Cisco 1941 running config
View 2 Replies View RelatedMy ISP is going to provide internet with dual path , for auto changover he (isp it admin) is planing for bgp implimentation.
is 1941 is supportable for bgp protocol ? Is it possible to create bandwitdh rate limit based on ip address on access list (be cause we are getting some 10 Ip address from isp , out of 10 ip address , 3 ip addres has to go 3 diffrent departments) , i want restrict theese 3 ip address with 1 mb traffic as 1:1.
We would like to describe our scenario as follows. We hosted our internet gateway at a service provider which is away from our site about 10 km distance. The total internet b/w is 8Mbps. To connect the internet service provider, we have two lastmile connectivity with two different service providers each 4mb as a last mile. Both put together it will be 8Mbps. The lastmile by the service providers are through ethernet.
Our main objective is to utilise both last mile connectivity by bundling or through any other optimum method. There are common perception that the ethernets cannot be bundled. The router model we use is 1941
I am trying to configure TZO DDNS on my 1941. The DDNS lines in the configuration file were provided one year ago by TZO support for a 1811W router, which was working befor i migrated to the 1941. I have attached a config file and a debug file. The unusual part of the debug file is session id 0x95. I thnk this is the format the router would use if it had been configured using CCP. I had tried CCP initially but it didnt work, so I deleted it from the configuration and used CLI instead. Session ID 0x96 is the call the router is making using the CLI configuration, as seen in the attached config file.
I am not sure where the problem is here. it appears to be logging on to TZO. It also appears that the router name is being added to the logon ID in session 0x95...ie instead of myname.net the router is sending cisco1941.myname.net ---not sure if this is relevant or not. It also appears that the update happens? At least that'w what I can garner from the log file.
I apply extended ACL on my router cisco 1941, but it didn't work. So I tried to apply standard ACL, it's work. I'm not sure about my cisco 1941 IOS is support extended ACL. My cisco IOS is
Cisco CISCO1941/K9
c1900-universalk9-mz.SPA.151-4.M1.bin
-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
data None None None
[code].....
Is it IOS bug or limit feature on hardware.
I need to unlock IPSec to my 1941 router but I'm not sure which license(s) to purchase.
View 1 Replies View Related