Cisco VPN :: Adventures Implementing NEM Between 5520 And 5505
Feb 28, 2013
I have a 5520 acting as a VPN server... and 5505's acting as clients. The 5505's connect fine when using "client mode" but things go sideways when I try and use NEM. Namely, they never complete a connection.
debug vpnclient shows this repeating rather fast (this device is connected to a Fios connection behind a gateway/router; it's my test environment and it does work when I have the device set up in "vpnclient mode client-mode").
Some of my remote sites are configured directly with a public IP (issued via DHCP) others are behind a 3rd party firewall/device that I have no control over... but again, these sites currently work as "vpnclient mode client-mode". [code]
View 1 Replies
May 26, 2013
Site A:
ASA5520
VLAN data subnet 172.16.10.x/24
VLAN Voice subnet 10.0.0.x/24
Site B:
ASA5505 Base license
VLAN data subnet 192.168.10.x/24
VLAN Voice (restr) subnet 10.0.1.0/24
The callmanager is located on site A and needs to send out DHCP offers to site B through the VPN so the IP phones can register to the callmanager. I got the VPN up and running for the data subnet but I can't get traffic through the voice subnet/VLAN.
Can the ASAs do the job or do I need to route traffic before the ASAs on both sides and send it through the tunnel, configuring both subnets as interesting traffic? Of course, in the last situation I need to upgrade the license for the 5505 to gain more VLANs.
View 4 Replies
Feb 12, 2013
Is it possible to configure web filtering on ASA 5505, 5510, 5520? If it is possible, can you provide us a configuration template?
View 3 Replies
Mar 16, 2013
Is it possible with ASAVPNSERVER 5520 and an EasyVPN 5505 Client to have the client do split tunnel to a single public IP address? Both devices are on 8.2(5) 33. Could you possible provide sample config for split tunnel?
View 1 Replies
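The NEM thread at the top of the page and this split-tunnel question describe the same setup: an ASA 5520 Easy VPN server with 5505 hardware clients, both on 8.2(5). The block below is an added example, not configuration taken from either poster. It shows the two server-side settings that decide how a hardware client behaves, `nem enable` (a 5505 configured for network-extension-mode cannot complete its connection unless the server's group policy enables NEM) and a split-tunnel list, plus the matching client-side commands. The split-tunnel ACL on an Easy VPN server names the destinations that are reached through the tunnel, so a list holding one host sends only that address through the tunnel and everything else out the client's own Internet link; `excludespecified` gives the inverse. The server address 203.0.113.1, the single tunnelled host 198.51.100.10, the HQ LAN 172.16.10.0/24, the 10.20.0.0/24 network behind the 5505, the group name EZVPN, the user name and the placeholder secrets are all assumptions.

```cisco
! ===== ASA 5520, Easy VPN server, 8.2(5) (added example) =====
! Phase 1 plus NAT traversal: a 5505 behind a home gateway arrives NATed
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES256-SHA
crypto dynamic-map DYN_MAP 10 set reverse-route
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
!
! Split-tunnel list: the single destination reached through the tunnel (assumed address)
access-list SPLIT_ONE_HOST standard permit host 198.51.100.10
!
! NAT exemption so HQ reaches the NEM subnet behind the 5505 untranslated (assumed subnets)
access-list NONAT extended permit ip 172.16.10.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
group-policy EZVPN_GP internal
group-policy EZVPN_GP attributes
 vpn-tunnel-protocol IPSec
 nem enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ONE_HOST
!
! XAUTH identity for the hardware client (assumed name; LOCAL is the default auth server)
username branch01 password <user-secret>
!
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 default-group-policy EZVPN_GP
tunnel-group EZVPN ipsec-attributes
 pre-shared-key <group-secret>

! ===== ASA 5505, Easy VPN hardware client, 8.2(5) (added example) =====
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup EZVPN password <group-secret>
vpnclient username branch01 password <user-secret>
vpnclient enable
```

Check the result with `show vpnclient` on the 5505 (mode and state) and `show crypto isakmp sa` / `show crypto ipsec sa` on both ends. Two things a practitioner would want to keep in mind: in NEM the whole 10.20.0.0/24 is reachable from the server side without translation, so keep the NONAT entry scoped to that one subnet; and because `sysopt connection permit-vpn` is on by default, decrypted tunnel traffic bypasses the outside interface ACL, so any restriction on what the remote sites may reach belongs in a `vpn-filter` on the group policy.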
Nov 2, 2012
I have HQ side with ASA 5520 (8.4) & Branch Side with ASA 5505 Design
VPN LAN<------->ASA5520(8.4)----->Thomson Business TG628s----->Internet<--->ADSL Modem------>ASA5505(8.2)
Now on both modems UDP 500 & TCP/UDP 4500 ports are enabled. I can ping from the internal LAN of HQ to the internal LAN of the branch but I can't ping from the internal LAN of the branch to the internal LAN of HQ.
HQ ASA 5520 Side
ASA Version 8.4(3)
hostname aljoaib-fw01
[code]....
Branch side ASA 5505
ASA Version 8.2(5)
hostname GTC-DMM-FIREWALL
domain-name ALJOAIB.COM
enable password 7pgp93AEPfHtDc5N encrypted
[Code]....
Both sides have static ip address.
View 22 Replies
May 17, 2011
I need to move the client machines off of the 3750 (and their DHCP dependency on it) to the SGE2010 and absolutely route their internet traffic out through the outside interface on the 5505. They must also be able to communicate back into the internal environment in order to communicate with the production servers.
The clients currently use .254 addressing through a dumb Dell switch to the 3750 but I am trying to migrate them over slowly to the .253. I know that the 2010 will not do DHCP, so I am putting a DHCP server on that switch right now. The 5505 won't let me add an additional nameif statement onto one of the other eth0/x interfaces and I'm not sure if that has anything to do with its capabilities to act as a DHCP server (it's not an option in the ASDM) or its ability to serve as the internet gateway for the 2010 clients. (Side notes: The 5505 has a base license and is currently also connecting 1 site-to-site VPN. As is the 5520, so all of its interfaces are used as well.)
I statically assigned a moved client with a .253 address and plugged it into the 2010. I have tried giving the 2010 both a .4 address and a .253 address but neither will allow me to ping any of the addresses on the 5505. The 2010 shows automatic routes to the two subnets and I set its default route to 253.1. The link between the 2010 and the 3750 works - clients receive a .254 address from the 3750 and can get out to the internet via the 5505 and reach the production servers as well.
Why won't the 2010 see the 5505 as a gateway and allow clients to get to the internet and also traverse the 3750 when they need access to the production network?
The reason why I don't just connect the two switches and call it a day is because I also need the production servers to ALWAYS go out/receive web requests via the 5520 outbound/outside interface. I'm having such a hard time wrapping my head around why I can't get my clients moved over to the new switch, I haven't even grasped how I'm going to do that yet.
View 1 Replies
Jun 5, 2012
The desktop team has asked me to set up multicast in our network with building PCs as they will be deploying a few hundred of them starting in two weeks. We currently do not have multicast set up, and the only experience I have with it was during my certification studies, so I have a lot to catch up on quickly. They will be sending the build traffic from a single server. The network environment is simple: a 3750 stack as the router/distribution layer and mainly 3550s as access. The PCs that they will be imaging will be on one VLAN that is already designated for PXE builds. This VLAN is across multiple switches. Is it possible to just enable the multicast features on a single VLAN? I have been reading around but not finding much other than very in-depth Cisco papers.
View 5 Replies
Mar 15, 2012
We have backup and other traffic over our vpn which is affecting our ip phone service between two sites. Our consultant suggested implementing QOS over the VPN to give the phone traffic priority. Is this possible with the rvs4000. Is there any good source saying how to do it. Is the setup of the QOS on this router similar to another router where this has been discussed.
View 1 Replies
May 22, 2012
I have a problem implementing a NAR for a specific device group. I am running Cisco ACS 4.2 and it works fine for all the other stuff I do but this issue is perplexing me a bit.
I have a device group with Juniper devices in it and I authenticate using RADIUS (Juniper) as the radius setting. I have a Administration user group set up.
I placed a NAR into the group "Per Group Defined Network Access Restrictions" specific to the device group with * for port and address
I placed this group into both the Define IP-Based as well as the Define CLI/DNIS-based section.
No matter what I do I keep getting authenticated.
When I go to the passed authentications page I see my login and the group-name is identified correctly and the network device group is identified correctly too. The filter says "no filters activated". So how can I get this NAR to kick in? I would like to restrict one device group from a ACS user group.
View 12 Replies
Jul 24, 2011
I was able to successfully implement MS-PEAP authentication with 5508 WLAN controllers and Cisco ACS v4.2. However, when I integrated a 4402 WLC with version code 7.0.116, it did not pass across any authentication requests. I did a debug aaa events enable and there was no output. I configured another SSID with PSK to test that my controller was OK and AAA debug was working, and there were CLI messages when I associated an AP.
why the 4402 is not working as I have compared configs with the 5508 and there is no difference. The shared secret is configured on both ACS and Controller and CA is downloaded on the ACS.
View 5 Replies
Mar 25, 2012
I have to propose/design a network system. It has 350 computer terminals/workstations, out of which 300 are divided into two separate networks while the other 50 are to be on another network. So I assume I'd need 3 networks (or LANs), I guess (all connected of course). So far I've inferred it needs a mail server, a file server, a print server, a DHCP server to assign IP addresses (class C and private ones of course) and a web proxy server. Also I thought a Fast Ethernet LAN might be ideal here but I'm not quite sure on that (nor have I ascertained what sort of topology or hardware to use).
View 5 Replies
Aug 12, 2012
[Diagrams: existing network and new network]
I have attached some diagrams here. The 2911 router is configured as a zone-based firewall and it works fine. I need to put an ASA 5510 as an internal firewall into the existing network, so I need to hand over the NATing configuration from the IOS FW to the ASA 5510. Are there any special configs here? I have done this but it's not working. If I bypass the IOS ZB FW and connect the ASA directly to the internet it works fine, and if the NAT configuration is kept in the IOS ZB FW then it works fine.
I have attached IOS ZB FW current config file below.
View 2 Replies
Feb 15, 2012
I'm attempting to configure classification and marking on our access switches using the MQC model. The switches are 3750s running IP Base version 12.2(35)SE. For some reason when I activate the policy-map on an interface, no traffic is being tagged; I've used the 3750 QoS configuration examples (url) for reference.
View 5 Replies
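As an added example (not the poster's configuration and not the linked Cisco examples), the block below shows what a 3750 on 12.2(35)SE needs before an MQC marking policy has any visible effect. The piece most often left out is the global `mls qos` command: until QoS is enabled globally, a policy-map attaches to an interface without any error but the switch neither classifies nor rewrites DSCP. The access lists, class and policy names, port numbers, and the choice of DSCP EF for RTP and CS3 for call signaling are assumptions for illustration.

```cisco
! Global QoS must be on; without it the 3750 accepts the service-policy but never marks
mls qos
!
! Enabling mls qos makes every port untrusted, so preserve DSCP on the uplink (assumed port)
interface GigabitEthernet1/0/49
 description Uplink to distribution
 mls qos trust dscp
!
ip access-list extended VOICE-RTP
 permit udp any any range 16384 32767
ip access-list extended VOICE-SIGNALING
 permit tcp any any eq 2000
 permit tcp any any range 5060 5061
 permit udp any any range 5060 5061
!
! The 3750 allows one match statement per class-map
class-map match-all VOICE-RTP
 match access-group name VOICE-RTP
class-map match-all VOICE-SIG
 match access-group name VOICE-SIGNALING
!
policy-map ACCESS-MARK
 class VOICE-RTP
  set dscp ef
 class VOICE-SIG
  set dscp cs3
!
! Access port carrying phones and PCs (assumed port and VLAN)
interface GigabitEthernet1/0/10
 switchport access vlan 10
 service-policy input ACCESS-MARK
!
! Verification:
!   show mls qos                                              -> "QoS is enabled"
!   show mls qos interface GigabitEthernet1/0/10              -> trust state and attached policy
!   show mls qos interface GigabitEthernet1/0/10 statistics   -> packet counts per DSCP value
```

The statistics counters are the reliable way to see marking on this platform; a rising EF count on the ingress port after a test call shows the policy is working. Note the side effect of turning QoS on: every port that is neither trusted nor covered by a marking policy now rewrites incoming DSCP to 0, so check the uplinks and any port carrying already-marked traffic before enabling it during production hours.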
Oct 12, 2012
I want to implement VoIP on my client network, currently the data network is using SG300-28P small business switches for user access. According to my design the IP Phones (Cisco 9971 and 7942G IP Phones) are to connect to the small business access switches while the user PCs connects to the IP Phones.
My concern is I really don't understand how the small business switches will advertise the voice VLAN to the IP phones. I understand that the switches are supposed to use LLDP/CDP for this but it seems the model I have can only do LLDP. The IP phones and the PCs connected to them will be receiving IP addresses from an uplink L3 managed switch.
how LLDP works (particularly regarding this scenario)? Does it matter if the small business switch is in L2 or L3 mode for the VoIP implementation?
View 4 Replies
Apr 30, 2013
Need to configure a Cisco 1142N access point together with a Cisco switch. I have a PoE switch 4510 and a Cisco 1142N AP. I have one management VLAN 5 and a user VLAN for WiFi, VLAN 10. The problem is when I make the PoE port which is connected to the AP a trunk port, meaning: [code] I am not able to ping the management IP allotted from VLAN 5. However when I make it an access port I am able to ping the management IP. But for both VLANs to work it should be in trunk mode, and in Cisco I can either assign the port as access or trunk. After this I would configure the 1142N with a Cisco SG300-10P PoE switch. I guess if the issue with my 4510 gets resolved I can configure the SG300-10P the same way.
View 6 Replies
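One common cause of a management address that answers on an access port but not on a trunk is the management VLAN arriving tagged: an autonomous IOS AP bridges its BVI1 management interface to the native VLAN, so that VLAN must be untagged on the switch trunk and marked `native` on the AP's dot1Q subinterfaces. The block below is an added example of that pairing, not the poster's elided [code] snippet or Cisco documentation. The switch port number, the SSID name, the PSK placeholder and the 10.5.0.0/24 management addressing are assumptions.

```cisco
! ===== Catalyst 4510 port facing the autonomous AP (assumed port) =====
interface GigabitEthernet2/1
 description Autonomous AP 1142N
 switchport mode trunk
 switchport trunk native vlan 5
 switchport trunk allowed vlan 5,10
 spanning-tree portfast trunk

! ===== Aironet 1142N, autonomous IOS (added example) =====
dot11 ssid Corp-WiFi
 vlan 10
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii <psk>
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid Corp-WiFi
 no shutdown
!
! Management VLAN 5: native on both the radio and the wired side, bridged to BVI1
interface Dot11Radio0.5
 encapsulation dot1Q 5 native
 bridge-group 1
interface GigabitEthernet0.5
 encapsulation dot1Q 5 native
 bridge-group 1
!
! User VLAN 10: tagged end to end, bridged radio <-> wire only, never into BVI1
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface GigabitEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
!
interface BVI1
 ip address 10.5.0.50 255.255.255.0
ip default-gateway 10.5.0.1
```

Keeping the client VLAN in its own bridge group (10) and only the management VLAN in bridge group 1 is what stops wireless users from reaching the AP's management address directly; a client VLAN that is also bridged into BVI1 exposes the AP's login to everyone on the SSID. The single WPA2-PSK SSID is only to keep the example short; a corporate deployment would use 802.1X to a RADIUS server instead. The same native-VLAN requirement applies when the AP is moved to the SG300-10P: VLAN 5 untagged and VLAN 10 tagged on that port.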
Jan 3, 2013
We have two 2100 WLC's that support 12 access points. One has been sitting in a box for some time, but we're at the point where we need to add additional access points that will put us in excess of the 12 limitation. What is the best way to go for installing the second WLC?
View 2 Replies
Apr 25, 2012
I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan of Microsoft VPN.
I have purchased an ASA 5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely. Is this possible?
View 8 Replies
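As an added example of the kind of remote-access setup this question is about (not the poster's configuration, and written in 8.4 syntax since no version is given), the block below terminates AnyConnect SSL VPN sessions on the ASA, authenticates users against Active Directory over LDAPS, admits only members of one AD group, and restricts what the address pool may reach with a vpn-filter. The domain controller address, DNs, group name, address pool, package file name and the allowed servers are all assumptions.

```cisco
! ===== ASA 5520 remote access, 8.4 syntax assumed (added example) =====
! Map AD group membership to a group policy; everyone else lands in NOACCESS
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" RA_GP
!
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,CN=Users,DC=example,DC=com
 ldap-login-password <bind-secret>
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map AD-GROUP-MAP
!
ip local pool RA_POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! What VPN users may reach (assumed file server and HTTPS applications)
access-list RA-ALLOWED extended permit tcp 10.99.0.0 255.255.255.0 host 10.0.0.20 eq 445
access-list RA-ALLOWED extended permit tcp 10.99.0.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 443
!
! Default policy for anyone not in VPN-Users: zero allowed logins, so the session is refused
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
group-policy RA_GP internal
group-policy RA_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.10
 default-domain value example.com
 vpn-filter value RA-ALLOWED
!
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
tunnel-group RA-EMPLOYEES type remote-access
tunnel-group RA-EMPLOYEES general-attributes
 address-pool RA_POOL
 authentication-server-group AD
 default-group-policy NOACCESS
tunnel-group RA-EMPLOYEES webvpn-attributes
 group-alias Employees enable
!
! Keep pool traffic untranslated toward the inside (8.4 identity NAT)
object network RA_POOL_NET
 subnet 10.99.0.0 255.255.255.0
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static RA_POOL_NET RA_POOL_NET no-proxy-arp route-lookup
```

The design choice worth copying is the NOACCESS default: the tunnel-group points at a policy that allows zero logins, and only the LDAP attribute map moves a user into RA_GP, so a valid AD account that is not in VPN-Users is still refused. `test aaa-server authentication AD username <user> password <pw>` checks the LDAPS bind and group lookup before any client is pointed at the box, and `show vpn-sessiondb anyconnect` confirms which group policy and filter a connected user actually received.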
Apr 14, 2013
I am facing problem in implementing NAT on Cisco 8.4 . the scenario is
Inside interface network 10.10.10.0/24 and 10.118.0.0/16 is also routed towards inside network
Other network 192.168.10.0/24 is routed via outside interface.
My requirement is to NAT 192.168.10.2 (real IP) to 10.10.10.2 (mapped IP) so that when users from the inside network (10.118.0.0/16) come in they will access 10.10.10.2 instead of the real IP (192.168.10.2).
So I used nat (inside,Extra net) source static obj-10.118.0.0 obj-10.118.0.0 destination static obj-10.10.10.2 obj-192.168.10.2 but the connection is not working but with show nat I am getting hits on the NAT statement.
cap test Ethernet-type arp interface inside real-time
1: 23:29:05.684199 arp who-has 10.10.10.2 tell 10.10.10.1
2: 23:29:09.687998 arp who-has 10.10.10.2 tell 10.10.10.1
I have also enabled the proxy arp on the inside interface but still the connection was not working.
Packet tracer output
[Code] .........
View 11 Replies
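The poster's statement is a twice-NAT (manual NAT) rule that translates the destination for one source range. What follows is an added example, not the poster's configuration, of the object NAT form for the same goal: presenting a host that lives off the outside interface under an address inside the inside subnet. With a static object NAT rule the ASA answers ARP on the mapped interface for the mapped address by default, which is exactly what the inside router's `arp who-has 10.10.10.2` in the capture above is asking for. The interface names `inside` and `outside` (the poster's second interface is named differently), the inside client address used in the packet-tracer line and the destination port are assumptions.

```cisco
! Host reachable via outside, shown to inside users as 10.10.10.2 (added example)
object network OBJ-REAL-192.168.10.2
 host 192.168.10.2
 nat (outside,inside) static 10.10.10.2
!
! Verify from the CLI with an assumed inside client (10.118.5.20). The trace should show
! a NAT phase rewriting 10.10.10.2 -> 192.168.10.2 and an egress on outside.
packet-tracer input inside tcp 10.118.5.20 40000 10.10.10.2 443 detailed
!
! Hit counts on the rule, and whether the ASA is the one answering for 10.10.10.2
show nat detail
show arp
```

Two caveats belong with this. First, proxy ARP for the mapped address happens only if 10.10.10.2 falls inside the inside interface's own subnet and neither `sysopt noproxyarp inside` nor a `no-proxy-arp` keyword on the rule is present; if the mapped address is not in that subnet the inside router needs a static route for it pointing at the ASA. Second, inside-to-outside traffic is permitted by default only because the inside interface has the higher security level; if the second interface has the same security level as inside, `same-security-traffic permit inter-interface` is required as well, and nothing here lets 192.168.10.2 initiate connections toward inside.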
May 15, 2011
With IPv6 coming I've been tasked with implementing M-BGP on our 7200VXR running 12.4.
View 5 Replies
Sep 30, 2012
After implementing TACACS, one of our routers takes about 8 seconds to response to any CLI command. We have no problems with other devices in the same location with the same AAA configuration. The router is talking to the ACS server (ACS 5.3) and the logs on the ACS server look normal for the router as well.
View 5 Replies
Dec 16, 2012
Implement VoIP on my 3825 router. I have IP phones 7905G and 7960.
View 2 Replies
Oct 29, 2012
I have an ASA 5510 and am planning to implement multiple contexts in a 2-tier security level and vrf-lite, meaning I have 2x ASA facing the internet, below that 2x 3560 switches for our extranet, and below that another 2x ASA for the intranet. See the diagram below. In this kind of network I want to know how it would impact the total throughput and resources of the ASA using multiple contexts.
INTERNET
| |
| |
2811A 2811B
| |
| | (OUTSIDE)
ASA_A-------ASA_B
| | (INSIDE)
| |
3560A---------3560B
| |
| | (INSIDE)
ASA_C--------ASA_D
| |
| | (OUTSIDE)
3560C----------3560B
| |
INTERNAL NETWORK
View 3 Replies
May 2, 2011
I have the following scenario that I'm requesting you guys verify will work. I have a 3550 Catalyst switch running EMI and an autonomous 1131AG Aironet AP. I have two DHCP pools already set up on the switch, one for the LAN and the other for the wireless clients. There are two VLANs on both the switch and the AP for LAN and wireless clients. I have already set up multiple SSIDs to be broadcast from the AP; is there a way I can bind one SSID to the LAN DHCP pool and the other to the wireless clients' DHCP pool?
View 1 Replies
Oct 2, 2011
I have a major problem regarding implementing IP multicast in an ADSL network. The diagram of our network is attached. In every access network there are only IP DSLAMs, which are connected via Metro Ethernet links (L2 links) to the main site. So there is no router or Layer 3 link to the main site. In the main site there is an aggregator router which is a PPPoE server that terminates subscribers' PPPoE sessions. All the access networks and subscribers are just connected to one aggregator and they use that one as the PPPoE server. It is a Cisco 3845 router. Then the aggregator is connected to the core network, and behind the core network is a streaming server which streams in multicast. IP multicast routing is configured in sparse-dense mode on all routers in the core network and also on the aggregator, and it is working properly. So the subscribers are able to join the multicast stream and the very last router in the path toward the subscribers (which is the aggregator) does the multicast replication.
There are two problems we faced:
1- Since all the subscribers from different access networks use the same aggregator in the central site as the PPPoE server, all the connections are terminated on that router. The goal is to use the uplink bandwidth of the access networks to the central site more efficiently, so that if e.g. 20 subscribers watch the same channel, it consumes only the amount of one channel thanks to IP multicast. Now the problem is that when for example 2 subscribers of the same access network (in the same POP site) connect to the same stream, the amount of bandwidth used between the central site and the access network is doubled. It happens because the aggregator activates IGMP on every virtual-access line for every PPPoE subscriber who wants to join the stream, so it cannot recognize that these two subscribers are from the same access network. Therefore, the result is that although it is doing multicast, it does not save the bandwidth because it activates the IGMP group on every subscriber's virtual-access line for his PPPoE connection. So is there any solution to this problem? Something that came to my mind is that we need to implement a separate aggregator for every access network, which means that we have to place a router at every access site, and it will be expensive for us. But I think in that case every local aggregator can do IP multicast routing and it definitely saves the bandwidth. Any better solution that may solve our problem using the same topology?
2- Another problem is that when the subscribers' CPEs are configured in bridge mode and subscribers set up a PPPoE connection on their PCs, they are able to join the multicast stream properly. But when they put their CPE in router mode and have their ADSL modems act as the PPPoE client, they are not able to join the multicast stream, i.e. the ADSL modem is doing NAT and routing and it connects to the PPPoE server using username/password credentials. I also tried a feature in the ADSL modems called "IGMP support" when I wanted to create the WAN settings. But it did not work. I am not sure but I think that we need the "IGMP Proxy" feature on the subscribers' CPE.
View 4 Replies
Dec 9, 2012
I have a task to compare different approaches to implement InterVLAN routing in campus network. Google suggests only Cisco technologies for such query. But what I need is also other companies solutions (like Dell, HP etc), cost of the implementations, pros and cons.
View 1 Replies
Oct 13, 2011
We have customer with implementation ACS5.2 in Windows environment. Now they want to implement IP phones in the network.
View 0 Replies
Mar 21, 2013
We currently have 3 offices located in London, Reading and Oxford which have an (ISP) VPLS service to interconnect all sites. I am using RIPv2 for intersite routing between all offices. We plan on implementing a backup circuit at the Oxford office for resiliency. There are 2 core 4500 switches; Core 1 is uplinked to the primary circuit and Core 2 will be uplinked to the backup circuit. At the moment Core 2 learns all of its routes from Core 1. My question is, if the primary circuit goes down, how do we get the routing on the core switches to then point out of the backup circuit?
View 1 Replies
Aug 19, 2012
Can I implement MACsec between two Cisco 3750X using the C3KX-NM-1G? 3750X (C3KX-NM-1G) -------------------MMF------------------(C3KX-NM-1G) 3750X.
View 1 Replies
Jan 16, 2013
I am implementing QoS on our MPLS network. Our environment consists of a mix of Cisco 2960 and 3560 switches. The IPT system is Avaya CM with Avaya phones. The WAN network is an MPLS network. Ports are configured for access and voice VLAN (no trunking), one VLAN for voice, one for data (VLAN 1 is disabled). I don't have QoS configured on the LAN; I just wanted to configure it on the WAN router where my MPLS link is connected. I have 45 Mb MPLS links on all sites connected to each other.
I have multiple sites connected via MPLS and I have control at both sides. The current config is mentioned below, in which DSCP marking is not done for signaling. What is the best config, with an example? Current config on all Cisco routers where the MPLS link is terminated at all sites: [code]
View 10 Replies
Apr 15, 2012
I am having difficulties implementing Mac-auth on selected ports between an HP ProCurve 2510 and Cisco ACS 5.3.The 802.1x works just fine, but for selected ports I need to implement port-access with MAC-based authentication instead of regular 802.1X (yeah, I know, but this line of ProCurve switches only support one auth-mechanism per port!).The switch successfully forwards interesting MAC-auth requests for authentication to the ACS with CHAP/MD5, but the ACS reports this:
Logged At: April 16, 2012 1:20:48.080 PM
RADIUS Status: Authentication failed : 22056 Subject not found in the applicable identity store(s).
NAS Failure:
Username: 002655886b3d
MAC/IP Address: 00-26-55-88-6b-3d
Network Device: [code].....
The ACS is configured to use the Internal Hosts database, where the client computer is configured like this: MAC address: 00-26-55-88-6B-3D
View 1 Replies
Apr 16, 2013
The server team has asked me to implement jumbo frames on a single VLAN, the one they use for vMotion. We have two pairs of 5548s, each pair running vPC for most connections. I am aware of many postings that describe how to enable jumbo frames globally, like this:
policy-map type network-qos jumbo
class type network-qos class-default
[code].....
I am not clear how I can extend this principle to one VLAN only.
Also, I am aware of a posting [URL] that shows some pitfalls of implementing jumbo frames in a vPC configuration. Pretty well all my connections are vPC, including all the FEXes, which are all dual-homed. In many cases, the vPC extends through to the servers so that the servers run port-channels across two FEXes. I am unclear whether the pitfalls are still valid, or whether I have to wait until my next maintenance slot (6 months away) to implement jumbo frames. Can jumbo frames be implemented safely on the fly? How does enabling jumbo frames fit in with "conf sync" mode?
View 2 Replies
Feb 27, 2013
I'd like to see some REAL LIFE comparisons of ASA firewall throughput (a bit like this one for ISR G2 Routers - [URL].
The reason I ask is that I recently upgraded a firewall from an ASA5505 to an ASA5520 on a small network where the only outside connectivity was a single 10meg Internet circuit with an IPSEC VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary - no IPS or VPN, just standard stateful inspection.
View 5 Replies
Apr 2, 2013
I am using the Site to Site Wizard on an ASA 5520 and ASA 5505 from ASDM. Both are using 8.4(5). When you create the configurations, do you have to follow up the wizard configurations with manual ACLs to allow traffic from each connected subnet to talk to the other? Or are they automatically generated in the configuration file? I have not been to school yet to properly understand how to create the VPN tunnels from the CLI and what to look for.
View 2 Replies
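The mixed-version HQ/branch post above (5520 on 8.4, 5505 on 8.2), the two-subnet voice VLAN question near the top of the page, and this ASDM wizard question all reduce to the same three pieces at each end of a LAN-to-LAN tunnel: a crypto ACL naming the interesting traffic, a NAT exemption (identity NAT) for exactly that traffic, and the mirror image of both on the peer. No extra interface ACLs are needed for tunnel traffic on an ASA because `sysopt connection permit-vpn` is on by default and decrypted traffic bypasses the outside interface ACL. The block below is an added example, not the posters' configurations, showing the 8.4 form on the HQ side and the 8.2 form on the branch side with both data and voice subnets included; with both peers on 8.4(5), the HQ syntax applies to both. The peer addresses (203.0.113.1 at HQ, 198.51.100.5 at the branch), the subnets (172.16.10.0/24 and 10.0.0.0/24 at HQ behind `inside`, 192.168.10.0/24 and 10.0.1.0/24 at the branch behind interfaces named `inside` and `voice`) and the PSK placeholder are assumptions.

```cisco
! ===== HQ ASA 5520, 8.4 (added example) =====
object network HQ-DATA
 subnet 172.16.10.0 255.255.255.0
object network HQ-VOICE
 subnet 10.0.0.0 255.255.255.0
object network BR-DATA
 subnet 192.168.10.0 255.255.255.0
object network BR-VOICE
 subnet 10.0.1.0 255.255.255.0
object-group network HQ-NETS
 network-object object HQ-DATA
 network-object object HQ-VOICE
object-group network BR-NETS
 network-object object BR-DATA
 network-object object BR-VOICE
!
! Interesting traffic: both HQ subnets to both branch subnets
access-list VPN-TO-BRANCH extended permit ip object-group HQ-NETS object-group BR-NETS
!
! 8.4 NAT exemption: identity twice NAT at line 1 so it wins over any dynamic PAT rule
nat (inside,outside) 1 source static HQ-NETS HQ-NETS destination static BR-NETS BR-NETS no-proxy-arp route-lookup
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-BRANCH
crypto map OUTSIDE_MAP 10 set peer 198.51.100.5
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 198.51.100.5 type ipsec-l2l
tunnel-group 198.51.100.5 ipsec-attributes
 ikev1 pre-shared-key <psk>

! ===== Branch ASA 5505, 8.2(5) (added example) =====
! Must be the exact mirror of the HQ crypto ACL or phase 2 fails with a proxy-ID mismatch
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 10.0.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
!
! 8.2 NAT exemption: same traffic, attached to each inside-facing interface
nat (inside) 0 access-list VPN-TO-HQ
nat (voice) 0 access-list VPN-TO-HQ
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <psk>
```

For the wizard question, compare the generated configuration against these pieces with `show run crypto map`, `show run access-list` and `show run nat`: if the NAT exemption is missing on one side, that side's traffic is PATed to the outside address before encryption, never matches the crypto ACL, and the tunnel looks one-directional. `show crypto ipsec sa` on each peer gives the test: encaps rising on the side that sends and decaps rising on the side that receives; a subnet pair with a missing exemption shows encaps on one side only. Since tunnel traffic bypasses the interface ACLs, any restriction on what the branch may reach at HQ should go in a `vpn-filter` on the tunnel's group policy rather than the outside ACL.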