In our company we use an ASA 5550 as a VPN server (failover pair, FW 8.2(5)). For a long time we used the Cisco VPN client (easyVPN) only, and some time ago we started to use L2TP/IPsec VPN from Windows clients. Since then we see strange behavior. Some IP addresses (we use IPv4 only) from the local VPN IP pool become unusable for clients. When a client gets such an IP address, the traffic from the client to the intranet is OK, but the traffic from the intranet to the client is blocked. This behavior affects both L2TP/IPsec and easyVPN clients with this IP address. The packet tracer shows that the traffic is blocked by the implicit deny ACL, even though the ACL for the connected user is created:
We use RADIUS for authentication and ACL. Failover to the standby ASA solves the problem, but this terminates all L2TP/IPsec VPN connections. We use Cisco AnyConnect VPN too, and when an AnyConnect client gets this "strange" IP address it can communicate normally without problems. It looks like this problem is related to IPsec. How do I discover why the ASA uses the implicit deny instead of the user ACL?
CE IP - 172.18.10.10/30, PE IP - 172.18.10.9/30. I had configured some floating static routes on the PE towards the CE. The routes were installed correctly while the PE - CE link was UP, as the next hop IP was showing as connected. Now the link has been removed and I am receiving a supernet of 172.16.0.0/12 from PE2 via MP-BGP. Although the 1st static route for 10.10.0.0 is showing in the routing table, the other 2 (172.17.0.0 & 172.24.0.0) do not show. I believe that as both the routes and the next hop fall under the supernet, the static routes are not installing. But I don't know why this behaviour occurs. I tried to remove the distance 250 from both the routes, but still the static routes do not install. I tried this on GNS3 but got the same results.
We have a VoIP system from AT&T with T1 internet access. I have an RV042 set up as the default gateway for the network, and the router randomly (usually over the weekend) loses the internet. I have updated to the latest firmware and have checked all logs on the server. When the internet access goes down we can still access the internal network. I have been power-cycling the router and then everything works fine. Is there a known issue with this router randomly blocking internet access in or out? This device should remain working at all times so that our remote users can access the company network.
We are suffering slow HTTPS traffic download. We have a Cisco ASA 5550, Cisco Adaptive Security Appliance Software Version 8.0(5)19. When we try to download some videos from an HTTPS server we have a data download rate of about 140 kbps, but if we bypass the firewall and put a laptop just after the border router, the data rate increases to 350-400 kbps.
We configured a new interface in the firewall and connected a laptop directly to the port in the ASA 5550, with a new ACL "permit ip any any", just for test purposes, but the data rate is still the same, 140 kbps.
We have a new Cisco ASA 5550 that I am trying to configure. We are currently using a Borderware firewall.
We have multiple external IP addresses and I can NAT traffic from all of them except for our external interface IP address.
When watching the packets in the ASDM monitor, if the IP address is our external IP then I see nothing unless it is ICMP. I can ping the IP address; I just cannot do anything else with it.
All the rest of our provided IP addresses can be NATed and work correctly.
Traffic for our external interface IP does show up when we use the Borderware firewall, so we know the traffic is getting here.
I am trying to configure my ASA 5505 Security Plus through ASDM to receive two blocks of outside IPs (each of which is on a different subnet with a different gateway IP) to translate to my internal server, giving it public access. I have searched for days (and maybe incorrectly), but I am finally asking for the configuration of the ASA to support this.
I have an ASA 5510 running 8.4(2) which has a site-to-site IPsec VPN to a 3rd party who run some form of Checkpoint. The VPN establishes and allows access to a server in our DMZ on all ports that we have tested (so far HTTP, SSL, RDP, FTP) except for SQL, which doesn't even seem to reach the server. I've got Wireshark running on the DMZ server, and if the 3rd party initiates a TCP conversation from their server on any of the working ports to the server, I see all of the expected packets arrive with the correct IPs etc. (no NAT takes place across the VPN). But when an ODBC client attempts to query the SQL server on our DMZ box, the packets do not arrive at the server. What I can see is the RX byte count on the VPN increasing each time the query is run, but definitely no SQL arriving at the server.
Also, if I revert the ASA back to the old PIX it replaced, with the same VPN config but on version 7.x, then it works just fine.
We have 2 IP blocks from my ISP. We have been using just one, a /30 block, with one IP address used on the outside interface of the device. The new block is a /29 range and I would need to use just two of those IP addresses. Here is the situation I am facing. A company we partnered with wants to set up a VPN; they will send us 2 Cisco 861s to put behind our ASA. Is it possible to assign these 861s public IPs from the block that we are not currently using (the /29 range)? I know that it might require an upgrade to Security Plus.
I have an ASA that is logging the message %ASA-3-321007: system is low on free memory blocks of size 2048. I ran the "show blocks" command and the "Cnt" value for the 2048 blocks is 0. How do I reclaim these blocks and what are they used for?
I am trying to get up to speed on this topic as quickly as possible.
Here is my issue:
1) We are able to access the website
2) We are able to upload data packets
3) We allow the website to time out while we are uploading data packets
4) When we attempt to re-access the website the IP is blocked; a) this includes pinging and trace
5) After an undetermined period of time the IP is unblocked and we are allowed to access it again.
The ASA 5505 router is the last forward-facing stop before entering the VPN tunnel. We have tested by circumventing the ASA and we are unable to duplicate the disconnect. We have reviewed the config file and have not been able to identify what rule/settings could be affecting this.
When tracing port usage, the actions use 2 TCP ports and 1 UDP port. The 2 TCP ports open and close with each transaction; when the IP block occurs the 2 TCP ports are "dead" and the UDP port remains open (apparently sending the remainder of the data packets).
My ISP is changing out all the ADSL routers in our area and they have blocked the default gateway address, so we cannot access it via a web browser. This is frustrating because they changed our Wi-Fi password instead of just keeping what we had, like an Einstein. They said they did it because of hackers.
My internet connection drops frequently. I am still able to go to the router website when the internet drops. Is the router timing me out or what? I have a Netgear; I've tried disabling passphrases.
I ride the trains often and I have noticed that I can't stream anything or play any music over the web. Not even YouTube or Netflix. I read somewhere that Amtrak provides their Wi-Fi via cellular networks in the area and they block any kind of streaming so they can limit the use of bandwidth across the train. Is there a way to change this so I can at least watch some YouTube videos?
I have with my Edimax router. I could not make any progress with Edimax personnel in Taipei.
If I connect my Vista box directly w/o the router, I can see that port 21 (FileZilla) is open, using WhatsMyIP.org | Port Scanners/Sniffers.
When I insert the Edimax BR6215SRg router, the port is in timeout as reported by the aforementioned site (I guess the port scanner gets no SYN-ACK nor reset back to the SYN it sends).
The router is set to "disable firewall" or to "enable firewall and DMZ enabled", with the client's IP being the one that is configured in the router's DHCP table for the Vista box. The NAT module is set to forward port 21 to the same IP. ipconfig confirms that I do get the IP programmed in the router's DHCP table.
I do not want to believe that this Edimax box is unable to forward connections!
I have tried to set up access control by setting up a policy that restricts certain MAC addresses during a period of the day from certain websites. I set up the website filter and a schedule and selected them for the policy. Instead of blocking just the websites on the filter list during the time set up in the schedule, it blocks all websites all the time. I made sure that I set up the policy to 'block some access', NOT 'block all access'. The only thing that seems to work is that only the computers with the selected MAC addresses are affected.
I have a simple setup: a DIR-655 with 2 devices plugged into it. The Plex Media Server runs on Ubuntu Linux and acts as the DLNA server to a PS3 DLNA client. Both are hard-wired with Ethernet cables to the DIR-655. In this setup the PS3 has trouble discovering the Plex server via DLNA. A 'search for DLNA devices' on the PS3 fails to return the Plex. Eventually, after some strange time interval ranging from 2-30 minutes, the Plex server will show up on the PS3's list.
I attached a simple Ethernet switch to the DIR-655 and then attached the PS3 and Plex/Linux server to it. The PS3 now finds the Plex DLNA server INSTANTLY ... without even having to scan for servers.
It appears that the DIR-655 is trying to be 'useful' in some way by filtering some sort of traffic; multicast/IGMP I assume. There don't appear to be any settings in the GUI to alter the multicast/IGMP/DLNA/UPnP behavior in the LAN ... other than "turn UPnP on."
Note that this is hardware B1 and firmware 2.00NA.
Since the change from TeamViewer 6.x to TeamViewer 7.x, my router's (WRVS4400N V1.1, latest firmware V1.1.13-ETSI from 2009-02-24 and latest IPS definitions 1.50 from 2011-08-09) IPS blocks its connections to my remotely supported computers, claiming a "P2P Vagaa connection attempt - 2". This is not happening with TV 6.x. Who causes the error, TeamViewer or Cisco?
Currently I have an ASA 5510 set up with one block of outside IP addresses. Everything is working fine in regards to my initial setup. However, we needed to purchase additional IPs from our provider and ended up with a completely different block. Where I am getting stuck is getting the new IPs to NAT to inside addresses.
I will try to insert a picture to make the situation easy to understand.
The problem: after I have connected one more PC to the unmanaged switch, it cannot connect to the network, either by DHCP IP or static IP. (Physical link is OK, but no communication.)
Tests made:
- PC1 turned off to test the connection, but PC2 cannot connect
- portfast has been turned off on the port of the Cisco (which connects to the media converter), but PC2 cannot connect
- PC2 has been reinstalled and replaced, and another network adapter has been inserted, but it cannot connect
- the unmanaged switch has been replaced with a new one, but no success
PC2 can connect to the Cisco only if connected directly to the RJ45 port of the D-Link media converter. But this is not a solution, because in that office I would need it for both of the PCs.
Running config of the switch:
System image file is "flash:c2900XL-c3h2s-mz-120.5.2-XU.bin"
cisco WS-C2924C-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Model number: WS-C2924C-XL-EN
#sh run
Building configuration...
Current configuration:
I have a SIP gateway connected to the LAN side of an RV180 router which has ALG enabled. I have no problem making and receiving calls, but sometimes I see the router does not forward the 'Bye' message from the VoIP service provider to the SIP gateway.
[Code]....
In the capture, frame 4292, a 'Bye' message reaches the WAN of the RV180, but it never forwards the 'Bye' to the SIP gateway with the internal IP. All settings in the RV180 are default with only ALG enabled. I tried to set up an Access Rule or Port Forward, but none seems to work. Not sure if they are overruled by ALG? With ALG enabled, is it possible to have individual Access Rules? If there are conflicts between ALG and an Access Rule, which has higher priority?
I have an ASA5510 running version 8.4. ICMP is blocked from the internet to the outside interface of our firewall, but now our ISP is requesting us to allow ICMP from their network to the outside of our ASA. How do I allow ICMP from three blocks of IP addresses?
Anything I put into my hosts file will not go through the Cisco RV220W router. This is part of the setup:
192.168.1.10 << RV220W
192.168.1.15 << A client machine
192.168.1.99 << Internal DNS with forwarder to OpenDNS (208.67.222.222 & 208.67.220.220)
+ a laptop that's not on the internal network at all.
Now, the client machine and the laptop both have an entry in their hosts files: 174.156.12.81 insight.hello.com
From the laptop, I can both browse to insight.hello.com and ping it in Xterm.
From the client machine (192.168.1.15), which is behind the Cisco router/FW, I can ping insight.hello.com, but I cannot browse to it. This is especially strange since the ping goes through the router every bit as much as the HTTP traffic does, so why is the router giving me a DNS error on that, but the ping goes through just fine?
The hosts file is supposed to supersede any other information from anywhere, so it ought not to be a problem for the router either. Yet it obviously is.
I have tried to disable the internal DNS server as well as OpenDNS and just run the ISP's DNS servers, but no change - I still get that blue DNS error screen from the Cisco router.
The above IPs and hosts are fictitious.
The hosts file doesn't get blocked in a sense, but what happens is that if you have "Content Filtering" checked - even without any rules - the router cannot verify that 174.156.12.81 is in fact insight.hello.com in this case, since it doesn't exist in the public DNS system.
So, I unchecked Content Filtering and now it works as it should.
I have two complete networks in my office. I want to access my printer from both networks. Condition: with the firewall I can't access a computer on one network from another. How can I access the printer from both LANs? I am not allowed to play with the firewall.
I recently bought a new laptop (Lenovo G560e) running Win 7. When I turn it on, it disables our old laptop (also Win 7), my Android and console. If I turn on the old laptop first, everything is fine. It's so annoying.
I will paste ipconfig /all:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\Mikey>ipconfig /all
I purchased an Epson Artisan 835, which I am running wireless. When I try to check the ink levels from my laptop they are all greyed out. Epson tech said the DIR-655 was the problem and that I needed to get the router to give permission for the ink levels to go through.
I recently bought an SG300-10 switch for a home lab. I have enabled layer 3 routing on it and have come across a puzzling issue. The switch is the default GW on this network, and in front of the switch there is a cable modem (ip route 0.0.0.0 0.0.0.0 192.168.0.7).
I am having trouble with our ASA5510. After upgrading the internal memory from 256 MB to 1 GB and upgrading the firmware to 8.4.2, we are experiencing that the ASA is running out of 1550-byte blocks. When that happens it is not possible to connect to the ASA by ASDM or SSH, and new VPN IPsec tunnels are not coming up. The only way I know how to fix this is to reload the ASA. This is happening every 2 to 3 days.
In the free blocks graph one can see that there is a loss of about 20 blocks per 10 minutes.
I cannot send emails to the outside. I have an access rule on interface inside: permit source: inside, destination: any, service: tcp/smtp. When I run packet tracer it shows me that the packet is dropped, but I can't see by which rule!
I work for a small pharmacy that uses a Cisco RV120W router to separate hospital VPN traffic from general internet traffic. The VPN traffic is redirected to a dedicated T1 line (or T-something; I wasn't involved in the actual setup of the VPN) connecting our store directly to the local hospital, and general internet traffic gets redirected to a ZyXEL PK5000Z DSL modem (we have Qwest/CenturyLink 7m/768k). The DSL modem is running the latest version of our ISP's custom firmware.
Prior to installing the VPN and RV120W, LAN traffic was handled with a basic D-Link DI-604 wired router. The router itself was configured with an IP of 10.100.100.254 (with all LAN clients assigned DHCP IPs in the 10.100.100.XXX range) and a "WAN" IP of 192.168.0.4, and the modem was configured with a LAN IP of 192.168.0.1. The router was connected from its WAN port to one of the LAN ports on the modem.
The modem has its own built-in router, but the store owner wished to have an "extra layer of protection", so to speak, and had the D-Link router installed to serve that purpose. Prior to connecting the VPN, a second router was admittedly redundant and unnecessary. However, now that we have the hospital VPN, a second router is REQUIRED to properly separate the VPN traffic from other internet traffic, since the router built into the DSL modem doesn't have the capabilities to perform this task (we had already attempted to operate the VPN over DSL... it failed miserably and spectacularly; a dedicated T1 was the only reliable option). Anyway, when installing the RV120W, we duplicated every possible setting from the old router, including configuring it with a LAN IP of 10.100.100.254 and a "WAN" IP of 192.168.0.4, and connecting it in exactly the same fashion as the old router (modem LAN to router WAN). Essentially, the RV120W was set up exactly the same as the old D-Link router, just with the added VPN functionality.
The problem is this: ever since installing the RV120W, we are no longer able to access the DSL modem's administration page (http://192.168.0.1). We were able to do this without any trouble whatsoever with the old D-Link router, but the RV120W seems to be blocking it somehow. Any attempt to load the modem administration page just sits forever at "Waiting for 192.168.0.1...". It never times out, it never shows any error messages. It just sits there, forever trying to load the page, showing nothing but "Waiting for 192.168.0.1..." at the bottom of the screen.
Now, we know for a fact that it is NOT a problem with the modem, because if we connect a computer directly to it via Ethernet (completely bypassing the RV120W), the administration page loads perfectly fine. And, admittedly, we could configure the modem in this manner whenever required. HOWEVER, the modem is located in a rather inconvenient location (in the ceiling, sitting on top of a ceiling tile), and having the ability to remotely manage it like we could before would definitely be something we want to be able to do again... especially since there are plans in motion to install new pharmacy equipment that will require us to do a ton of "trial and error" configuration on the modem. The RV120W has been updated with the latest firmware, yet the problem still persists.
I want to understand whether the 10G ports of the 4948E (4 x 10Gb) are blocking or non-blocking. I want to connect these switches with 20 GB (LAG) to my BB switches, and I need to prepare my infrastructure for 17.5GB throughput of video traffic.