I'm running into and interesting issue concerning a twice NAT config.
We have a remote site that needs to connect to a server cluster on our end. Using ASDM I have created a NAT rule that uses PAT to map our server addresses to a single IP (this is due to constraints placed on us by the remote site). This in and of itself shouldn't be a problem. The issue is that the VPN tunnel won't come up unless I also map an address to the remote site's sever.
Original Packet:
Source Interface: inside
Destination Interface: outside
Source Address: Server_Cluster
Destination Address: Remote_Server
Service: any
Translated Packet:
Source NAT Type: Dynamic PAT (Hide)
Source Address: Mapped_Server_Cluster_Address
Destination Address: Mapped_Remote_Server_Address
Service: -- Original --
Within the Translated Packet section, if I set Destination Address to the actual remote server address nothing happens when I attempt to bring up the tunnel. However, if I map an address to the remote server, the tunnel begins to come up and then fails during phase two (as the mapped address doesn't match the addressing that has been defined in the remote end's connection profile).
Initially I thought the issue may be due to an IP addressing overlap since both sites are running similar numbers, but the default route statement on our ASA, should contend with this issue. Also, each time I change the NAT rule, I change the connection profile to match those changes.
So, ultimately, what I wish to accomplish is to allow connectivity between my site and the remote site without having to map another address to their remote server. How may I do this?
We have two offices in the US and one in Mexico. Our site in Mexico connects to our headquarters in the US over an AVPN/ MPLS circuit .Mexico has a separate Internet connection through TelMex. There is an ASA 5510 at headquarters and an ASA 5505 in Mexico. We have a fail over VPN set up in the ASAs for times when the MPLS circuit goes down. All Internet traffic in Mexico is supposed to be routed to the TelMex connection. All company traffic is supposed to be routed to the Cisco router. ASA is supposed to be last resort route. We have a fail over VPN set up in the ASAs for times when the MPLS circuit goes down. (Or at least we did until I had someone work on the configuration) Everything had been working fine for the last 4 years.
Yesterday when the MPLS went down, so did their Internet connection. I realized the Internet traffic is now coming through the MPLs circuit to head quarters and out our ASA. Obviously there is a problem with the configuration. I do not have enough experience to figure this out. I have attached the configs and the routes for both the ASA and the router.
I'm upgrading ASA firewalls from a 5510 (running 8.2.2 code) to a 5515-X (running 8.6.1 code). What is the best way to move the existing config to the new firewall? Can I simply copy it?
we are looking at having a 172.168.40.0 network on our LAN. BUT i want to tie it down to JUST accessing the internet!So i'm looking for some ideas on how that ACL would look like.i have an ASA 5510 as our firewall and i've attached a simple network diagram for reference.
We just changed over to Comcast Business and after changing the outside interface to new IP and setting static route. I have access to internet and everythig appears to be good, However asdm will never fully load, alway stuck at 17% or 77%, and I always see "parsing running config".
When I do a show run it will not fully load either, always stop at certain out put. 5 seconds after pulling the Comcast cable out both asdm and running config will load fine.
I m trying to set my friewall in my network. The network is very simple. I have my router in 192.168.16.1 255.255.255.0 (mac-address 58-98-35-2a-4c-39) I have my switch in 192.168.16.26 255.255.255.0 (mac-address 00-19-99-5d-1f-43) and i have my firewall ASA between the router and the switch in 192.168.16.250 255.255.255.0 (mac-address 64-9e-f3-ba-28-c9)
So i need to configure 3 interface in my ASA. - OUTSIE e0/0(I call it INTERNET) - INSIDE e0/1(I call it LAN) - MANGEMENT m0/0(I call it MANAGEMENT)
[Code]....
But with this config when I plug the firewall, i dont have access to internet anymore.
since our update of Cisco ASA 5510 (active/standby cluster) from version 8.22 to version 8.24 it isn't possible to transfer files from/to a sftp client. The request just times out. SSH from this client is possible.
If i connected the latop to brand new out of the box ASA 5505 through consloe cable and i have a config file on this laptop from other ASA5505, is there anyway i can upload that config file into startup-config of this new ASA5505 through console cable, without using TFTP or FTP?
I have a Cisco 2811 router and when I turn of the router the running config is lost. I have to the following to get the router running of the start-up config settings.
I have 2 office buildings using Cisco 800 series routers with a L2L VPN between both. I'm upgrading the router to an ASA5505 at one of the offices but can't figure out the L2L VPN on the ASA. Specifically, can't figure out how to set the pre-shared key. On the Cisco 800 it's:That doesn't seem to work on the ASA. Here is my current config on the Cisco 800. [code]
My understanding from the old config file was that any traffic coming from source 10.130.101.2 to destination 10.132.102.0 would NOT be translated and this shall remain the same in 8.4.How can I rewrote the NAT commands?
How do I turn off "logging esm config"? I tried conft no logging esm config and that worked for the moment, but when the switch reboots, or I run reload, it comes back.What does that do anyway? This switch was giving an out of memory error and seemed to be flooded with messages, so I trying to turn logging off/lower the log level.
I have tried the config-register command and it is not available. Here is part of the show ver command. I want to change the config-reg from 0xF to 0x2102.I have run into this before but don't remember how to correct it.....I think I have to use the boot command but not sure. Here it the output show ver Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(25r)FX, RELEASE SOFTWARE (fc4)
System returned to ROM by power-on?System image file is "flash:c2960-lanbase-mz.122-25.FX/c2960-lanbase-mz.122-25.FX.bin"cisco WS-C2960-24TT-L (PowerPC405) processor (revision A0) with 61440K/4088K bytes of memory.last reset from power-on
I tried to deploy configuration templates with Cisco LMS Template Center, due to the 10 Cool LMS Tricks to better manage your network i am able to do it now.Just i don't know why, after deploying these templates the configuration is not save to the startup-config.another problem i have with the snmp-server location configuration. It seems my template does not support spaces in the textbox. Any way to put spaces in the snmp location?
<parameter name="snmp-location"> <description>SNMP Server Location</description>
I have run a netconfig jobs in LMS 4.2.1 with these settings: [code] After running the job the "Device Details" of the jobs say "Successful Devices" for all three switches:"Deploy successful (Primary Login Succeeded / Primary Enable Succeeded )" For the devices switch-1 and switch-2 I get the desired output: [code]. Why there is no output although the job is successful?
I’m currently training to take my CCNA, So for the reason I’m here, I have just been asked to take over the company network.And I need to know how I go about configuring some base level routers.I have 3 remote sites and 1 main site, all these routers are using 857’s, with a VPN tunnel between them, this is running all OK and working fine,But my boss has decided to have a second ADSL line installed in the main site for failover.How do I go about configuring this, ie how do the VPN’s terminate on the other router when the main one goes down?
If I have a PI 1.2 system that has multiple interfaces configured I can upgrade to PI 1.3 and both interfaces remain and I can see both under the admin webpage under appliance interfaces. But if I do a fresh install of PI 1.3 I can only configure one interface. The commands fail from the cli to configure anything but gigabitethernet 0. Are multiple interfaces not supported in PI?
I'm working on tweaking the config on a 2911 ISR G2 with a ZBF and am looking for some input. Our main issue right now is that the router is having performance issues once we hit certain troughput thresholds.
Right now, I have an inside-outside inspect set to look at all FTP, TCP, UDP, ICMP, DNS, SIP and HTTP (I know, its a bit redundant) traffic and do inspection on it then pass all other traffic. From a company policy, we are not filtering ANY traffic of any kind going outbound. (I know this isn't best practice but that's another battle for another day.)
Additionally, I have an outside-inside policy set to pass GRE traffic to an internal PPTP server (I know, not secure but its what we have.) then I have another inbound policy to inspect all traffic coming through that matches a specific ACL that defines all of the holes we're poking for hosting various functions on internal servers, etc.
could I, should I, why would or wouldn't I simply pass traffic that matches specific ACLs or whatever instead of how we are presently doing a lot of inspection?If I was to simply pass matching traffic instead of doing the inspect, would I see a substantial performance increase/workload decrease ont he 2911?
What are the security ramifications related to simply passing traffic instead of doing the inspection?
I have a task for a config I have not done before. I'm replacing an older 831 and PIX with a Cisco 881 router with Firewall feature set. The router receives its public IP address dynamically and there is a static public IP range also assigned with a couple of NAT statements on the PIX for a few public IP's.I'm ok with the core router config but the range is where I'm a little stuck. Current setup is as follows
Internet ---------- Router( Public intf Dynamic IP----internal intf Range IP)Router-------------PIX (outside intf Range IP---------Inside intf private net)Pix-------
As per the aboive the PIX had a public IP address from the range on the outside interface with a default route to the Router inside interface which uses a public range addres.
With my proposed config I've setup the outside interface as dynamic and just created my nat statements for the Range IP's. I believe I'm correct that I do not need to actually have a Range IP address configured on the router?
suppose i have 2 hub location and one spoke and i want to config DMVPN between them and want to keep 1 HUB as active and 2nd HUb as passive then how its possible.
I have about 1400 devices in LMS for this one customer.
They have 1200+ IOS devices 200 + catos devices
My problem is we use 2 differnt change scripts in Config Editor for IOS and CATOS. I have a list of all of the IOS and CATOS devises in txt format.
Is there some magical way to just upload the txt files into Cisco works instead of searching for them during the Config Editor batch job creator? I find it takes hours to sort this batch job out
We have a new 4507R-E Switch which RME keeps reporting as "CONFIG_CHANGE" each evening. When you click to see the change, the only thing that has changes is the "ntp clock-period".
However, we have configured "ntp clock-period" as an exclude command in RME Config Managment.
I am using a couple cisco sg300 28P switches along with a sonciwall firewall/router. The sonicwall was already in place and working so they didnt want to replace it. I understand how to configure the vlan on the sonicwall, but could use some info on the cisco. I would basically like to create 3 vlans, 1 default for management, 2 for pc's on lan, and 3 for the cisco spa504g phones/'voip. Would i just go into the vlan managment, configure the 2 new vlans and give them two id's? These offices have one network drop, so the phones and pc's will be sharing the switch ports, however the phones have a setting to configure the vlan id so they know which one theyre on. Is there anything i need to do after that? I want to make sure that vlan 3 has the highest priority becuase its voice, is there some qos configurations i need to make on that switch as well? Also, the port that links the two cisco swtiches together, does that need to be set as "trunk" port? I understand what vlans are, but its just the first time ive run into these cisco models. .
I get stuck in one case. One of my customer has two FTTH lines. I have to config PPPoE in routers. In one line I config succesfully, but one line never up. I call to ISP they ask me to config extactly VLAN id 10 in the physical subinterface. But in subinterface there is no command "pppoe-client dial-pool-number". I check the old modem FTTH, they also config VLAN 10 in Wan interface. I tell ISP why we have the same two FTTHs, but two differrent config ways. ISP says because the two line run in two different infrastructure, two different devices. I don't know how to do now? stay in customer side or ISP side. Here is my PPPoE config:
interface FastEthernet0/0 no ip address duplex auto
WLAN Controller 4400 series connected to Catalyst 4506 on vlan 12. Access switches got managment vlan 5 and vlan 1 shutdown. what config is needed on ports were Access points are connected. Access switch is in vtp client mode.
I have a wireless deployment using a 5508 controller and 90+ LAP1142N lightweight access points.Everything is going relatively well, except I have about 3 that do not keep their config (hostname and AP group) past a reboot of the access point.When they do come up after a reboot, they go back to the default hostname of the mac address and are placed in the default-group AP group.
I'm used to using full blown cisco IOS/CLi and I'm new to the SG 300 switches. How you can default a port config? The 'default int ##' command doesn't exist on the CLi and I can't find anywhere in the web gui for this.Finding it very frustrating having to go into each port and get rid of all the commands.I can't default the switch as its live and was to reconfigure most of the ports which are now unused.
I configured a 1841 router that connects to a DSL modem. This DSL connection is our Internet connection for vendor and IT testing. I have connectivity to the Internet using nat and have configured the router to act as a DHCP server. It seems to be working fine. I just want to configure some best practices for securing the device from the outside access. Is there some standard best practices I should be configuring?
