Cisco VPN :: Asa 5500 Query Reg Vpn Creation

Feb 8, 2011

I have a query regarding the number of ISAKMP policy priorities that can be created. When I create a new policy in an ASA 5500 firewall, I get the below error. I assume it will support only 20, whereas we can use between 1-65535. Can anyone from Cisco confirm it? Running version is 8.x & VPN Plus license.

"Policy limit reached. No more than 20 isakmp policies can be configured."




Cisco Firewall :: ASA 5510 DMZ Creation

Nov 13, 2011

I need to implement a DMZ in my office. Before talking about the configuration, I would like to know the best practices for implementing a DMZ. My questions are: Is traffic from inside to DMZ permitted by default? What about DMZ to inside traffic? Is it necessary to do a NAT from inside to DMZ with the same IP as inside? What is the use of "static (inside,dmz) 192.168.1.0 192.168.1.0 netmask 255.255.255.0"? Is it a no-NAT statement? Is it necessary to permit traffic from DMZ to inside? Suppose I have a web server in the DMZ; for an inside host, will it take the path through the ASA or the path through the internet?


Cisco VPN :: ASA 5520 V8.0 Creation Of VLan

Oct 11, 2011

How do you create a VLAN? In enable mode, there is no "vlan" command.


Cisco :: ACS 5.3 License Query

Dec 12, 2011

If I require ACS 5.3 in HA, do I need to procure two ACS with the add-on licenses?


Cisco Firewall :: PIX 515E 6.3.3 - DMZ Creation Doubts

Jul 26, 2011

I need to create a DMZ zone in my network. One server needs to be put in the DMZ. I have a PIX 515E 6.3.3. It has a free port to create the DMZ.

1) Put in a new switch for the DMZ zone
2) Connect it to the DMZ port
3) Create a NAT for inside to DMZ with the same IP as inside
4) Create an ACL for permitting traffic to the DMZ and apply it to the outside interface
5) Create an ACL for permitting traffic from the DMZ to inside
6) Routing for the DMZ in the PIX
6) Routing for DMZ in PIX


Cisco Firewall :: Getting PIX 506 (6.3) Configuration Query?

Jun 5, 2012

I inherited a PIX 506 with 6.3. I will admit my background is more towards switching/routing. But while I know it is a dinosaur, I need to maintain it for partner interoperability. I just want to confirm that what I am thinking is correct and, if not, how I can correct it. My thought is that since the access-list command doesn't list "eq" at the end, all ports and protocols are allowed? The other thing I am not used to is that the access-list has no id/number included in the command, so I assume that access-group specifies this functionality.
 
Here is a snippet of the current config:

object-group network Ext_Net
 network-object 192.168.0.0 255.255.255.255
object-group network Int_Net
 network-object 10.0.0.0 255.255.240.0
object-group network DNS
 network-object 192.168.0.254 255.255.255.255
 network-object 192.168.0.253 255.255.255.255
object-group network Servers
 network-object 192.168.0.25 255.255.255.255
 network-object 192.168.0.62 255.255.255.255
 network-

[code].....


Cisco WAN :: QOS Marking Query Of 7206VXR

Nov 2, 2011

We have subscribed to MPLS links from a service provider. We have a DC where the core connectivity is 90 MB and the remote branch location connectivity is 64 Kbps. We are in the process of enabling QoS for our links in coordination with the service provider; as per our findings the branches have more RX traffic (downloading), so after discussion with the provider we were advised to mark traffic from the core end and hand it to the provider. The provider at its PE will honor the marking and set some B/W percentages and priority based on the DSCP marking values.

We need to mark this traffic, so is it feasible to mark the traffic at the core DC router, which has the below H/W details:

Cisco 7206VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
Processor board ID 36161439
MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
6 slot VXR midplane, Version 2.11

Or is it feasible to mark the traffic at the core switch?


Cisco :: Regular Translation Creation Failed For ICMP Only

Apr 23, 2012

I'm connected to my remote access VPN and am getting the below error. The weird thing is I only get this error for ICMP; I can browse data on our network, retrieve files, etc., but pings fail for some reason.

NAT-T is enabled

NAT rules are in place

ICMP is not blocked as can ping elsewhere

Where to begin looking as to why only ICMP fails?


Cisco WAN :: 3750 Vlan Creation Error Message

Feb 7, 2011

I have a Cisco switch, model WS-C3750G-12S-D. It is in transparent mode. I am getting the below error message when I try to create a new VLAN.

Proposed configuration exceeds the limit of 1005 VLANs that can be supported on this platform. Reduce the number of VLANs proposed to be within this limit.

After deleting a few unnecessary VLANs, it allowed me to create it.

3750#sh vtp status
VTP Version                     : running VTP1 (VTP2 capable)
Configuration Revision          : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs        : 959
VTP Operating Mode              : Transparent
VTP Domain Name                 :
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Disabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0xBC 0xA7 0xEC 0xDE 0x36 0x6C 0x61 0xB4
Configuration last modified by 97.193.17.172 at 0-0-00 00:00:00

I am confused by the terms 'maximum supported VLANs' and 'maximum locally supported VLANs'. If the switch supports VLANs 1-4094, it should also allow creating them locally. Otherwise, how will they pass through the switch trunks without local creation?


Cisco Firewall :: ASA 8.4 Transparent Mode Creation Of Sub Interfaces

Jul 30, 2012

On the ASA running the 8.4.4.1 code in transparent mode, can I create sub-interfaces in different VLANs and attach them to different BVI groups?
 
switch---trunk---ASA---Trunk---switch
 
Gig0/1.1 vlan 100 bridge-gr1          Gig0/2.1 vlan 101 bridge-gr1
Gig0/1.2 vlan 200 bridge-gr2          Gig0/2.2 vlan 201 bridge-gr2


Cisco AAA/Identity/Nac :: ACS 5.3 User Creation Deletion Reports

Apr 11, 2012

I could not find any report in ACS 5.3 which gives details on user creation and deletion in ACS. This feature was there in ACS 4.x but it seems not to be provided in the 5.3 version.


Cisco Firewall :: ASA 5510 - NAT Regular Translation Creation

Dec 4, 2012

I am having an issue with a specific server that is not reachable from other subnets. Every other device on the same subnet as the server is reachable via the other subnets. This server is special because it's NAT'd to an external IP address and has several site-to-site VPNs set up. The firewall is a Cisco ASA 5510.

This is the error I see in the ASA syslog when I try to ping the server from another subnet:

3 Dec 05 2012 10:58:49  10.0.15.101 regular translation creation failed for icmp src inside:10.0.20.8 dst inside:10.0.15.101 (type 0, code 0)

The problem server is on subnet 10.0.20.0/24 and the server IP address is 10.0.20.8. Every device on the 10.0.20.0/24 subnet can hit the server, but devices on other subnets cannot. For instance, a device on 10.0.15.0/24 cannot reach 10.0.20.8, but can reach other devices on 10.0.20.0/24.


IPv6 - No DNS Query When Using Firefox And IE?

Feb 8, 2011

I am setting up a Linux Apache and BIND server to test the behaviour of Windows XP, Vista, 7 and Mac OS X. I have set up Apache and BIND already and they were tested individually. I used Firefox and IE to access the Apache page by typing in the IPv6 address and the page was shown correctly. And I have tried to query the AAAA record of a local zone "testing.com" in my BIND server using nslookup and the result is good too. However, it is strange that I cannot get it to work if I type in the FQDN "http://testing.com" in Firefox and IE. I tried to capture the IPv6 traffic in Wireshark (attached to this post) and there is no DNS query when I try to access the page. Is there anything that I have to set to get it to work properly? (Actually I have tested the same thing on Mac OS X and Vista too but the result is the same.) Below is my Windows 7 network setting and some nslookup queries:

C:\Users\vmware>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : vmware-PC
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No

[code]....


Cisco WAN :: 2960 Network Design Query

Aug 22, 2011

I am in the process of planning our new network. Our business is changing from hosting its own data centre to moving it to a professional facility. We have 120 users, over 100 servers (physical and virtual) and three sites (main premises, data centre, DR site). The new network will connect all three. Our new WAN links are almost ordered. We will be making use of a managed MPLS IP VPN, with a 100M access rate at each site. I am currently focusing on the design of the network at the main business premises. We have a significant investment in Cisco 2960 & 3750 switches and Fortinet firewall appliances. I plan to re-use these in the design.

Our current LAN is very flat and I want to segment the network. My plan is to create a number of VLANs, enable inter-VLAN routing on the 3750 and then attach the 3750 to the Fortinet appliance, which will provide stateful firewalling and traffic policing based on the VLAN (subnet) addresses. It is important that the traffic be routed as quickly as possible from this site to our prod and DR data centres. The 2960s act as the access layer, the 3750 as the distribution layer. The 2960s will connect via port channels (layer 2) to the 3750s and the VLAN interfaces will be configured on the 3750.

I was then planning on creating a VLAN on the 3750 to connect to the Fortigate appliance with a /29 address to limit the addresses used whilst also providing some flexibility for any future design changes. I want to implement a little security between the VLANs on the 3750 switches. I have a question about this coming up. I then plan to use the Fortigate appliance to do basic traffic policing based on source/destination addresses.

The WAN routers will connect to the Fortinet appliance on a Gigabit copper interface. The WAN routers will run HSRP between themselves and only one router will be active at any one time. The failover will be managed by the Fortigate and Cisco routers. I plan to define those addresses hosted at the other data centres and associate them with the interface associated with the WAN. I will then define the routing on the firewall for the two other data centres through summary routes for each of the sites. We will run static routing from the Cisco 3750 to the Fortigate and from the Fortigate to the WAN router. We have no other networks/sites and won't have any others in the future.


Cisco :: 1.1.1.1 / WLC And ACS Specific Authentication Criteria Query

Sep 29, 2011

I have a wireless network with WLC and WCS, and ACS integrated for user authentication. Web login has been enabled on the WLC and authentication of the username is done through ACS.

Q1. For a specific SSID (TEST), a specific username (Tom) is used for authentication, whereas Tom cannot be used for authentication for any other SSID.

Q2. The web login page pushed by the WLC is HTTPS on virtual IP 1.1.1.1; I want it to be pushed through the HTTP protocol.


Cisco WAN :: Ethernet Link Query With 7609

Aug 27, 2011

We have a Cisco 7609 router and one 6 Mbps link which is on Ethernet. When we terminate it on a GigabitEthernet interface of the 7609 router it is not coming up, while the same link is showing up and working fine on other routers which have an Ethernet interface.


Cisco VPN :: RV042 Query Regarding VPN Setting In Linksys

May 29, 2011

I have a Linksys RV042 and I came across the setting "Dynamic IP + Domain Name (FQDN) Authentication" under the Local Security Gateway Type. How does this option actually work? I tried googling but couldn't find a proper link.


Cisco :: LMS 4.2.3 Query On Interface Utilization Report?

Mar 2, 2013

The Interface Utilization report displays the interface utilization data for each device polled for the Interface Utilization template. The information is presented using the percentage specifier.

For example, it is displayed as % (Rx Max%, Rx Avg%, Rx Min%, Tx Max%, Tx Avg%, Tx Min%).

I want the report to have the data as interface utilization in bytes. Can we display the data instead of the percentage?


Cisco Firewall :: ASA5520 Port Map Translation Creation Failed

Jan 27, 2013

After adding a NAT rule on Friday morning, I'm now getting a bunch of "portmap translation creation failed" messages from my ASA5520. (It's currently running 8.4(3).) The failure errors appear to have nothing to do with the change that was made. [code] I have very similar rules in place for other vendors to access other machines. The only difference between this new one and those old ones is the use of objects in the rule instead of the direct IP addresses. This is also the first one that involves a range instead of a specific address or network. [code]


Cisco Firewall :: Cat 4500 Translation Creation Failed Message

Aug 1, 2012

Two VLANs (ID 1 and 100) are on a Cat 4500, which connects to an ASA on interface DMZ. On the 4500, there is a default route pointing to the ASA DMZ interface. Issue: a server on VLAN 100 cannot ping a server on VLAN 1, and vice versa. When I enable the real-time log, it gives me a "Translation creation failed" message; please see the attached files.


Cisco VPN :: ASA 5505 / Regular Translation Creation Failed For Icmp

Mar 15, 2011

I have site-to-site VPN and IPsec VPN installed on an ASA 5505. The VPNs work OK except for a few strange things: I can't ping 192.168.17.104 from remote IP 192.168.17.138:

305006 192.168.17.138 regular translation creation failed for icmp src OLD-Private:192.168.17.104 dst OLD-Private:192.168.17.138 (type 0, code 0)

At the same time I am able to ping 192.168.17.104 from my network 192.168.10.0 and can ping from the ASA. No firewall at 192.168.17.104? How to fix it?

Here is my config:

ASA Version 8.2(2)
!
hostname ASA5505
domain-name domain
enable password password encrypted
passwd password encrypted
names
!
interface Vlan1
 description INTERNET
 mac-address 0000.0000.0001
 nameif WAN
 security-level 0
 ip address a.a.a.a 255.255.255.248 standby a1.a1.a1.a1
 ospf cost 10
!
interface Vlan2
 description OLD-PRIVATE
 mac-address 0000.0000.0102
 nameif OLD-Private
 security-level 100
 ip address 192.168.17.2 255.255.255.0 standby 192.168.17.3
 ospf cost 10
!
interface Vlan6
 description MANAGEMENT
 mac-address 0000.0000.0106
 nameif Management
 security-level 100
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
 ospf cost 10
!
interface Vlan100
 description LAN Failover Interface
!
interface Ethernet0/0
!
interface Ethernet0/1
 shutdown
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface

[code]....


Cisco Firewall :: DNS ASA5510 - Portmap Translation Creation Failed For Udp

May 22, 2012

See the error below on my ASA5510.

305006 200.200.0.34 53 portmap translation creation failed for udp src inside:192.168.1.4/1047 dst outside:200.200.0.34/53

The first two computers work normally (IP 2 and 3), but the third computer gets an IP and does not work on the Internet.


Blocking Telnet On SQL Port Query

Mar 8, 2011

I was unable to telnet in to a SQL server on port 1433 to test the connection from the client PC. The application could connect, and this alone verifies it is working on port 1433 for SQL. My question is, how can a telnet command on a specific port be blocked?


Wireless Access Point Query?

Sep 23, 2011

I think I know what I'm talking about here; I just need someone to confirm that what I want to do is possible, and that the way I'm planning on doing it will work. Basically, I have a Sky router (Sagem model), and the wireless is weak upstairs in my house. So, I have ordered a new access point. What I want to do is keep the same wireless SSID and key etc., so my devices just connect.


IP Query For Remote Desktop Connection?

May 24, 2011

Is it possible to find out the IP address of a PC connecting via Remote Desktop Connection? Running XP Pro on a network; I have admin rights to the PCs, but no direct access to the servers. Event Viewer shows some details, but no IP address.


Backup Account Creation For Routers Through KiwiCat Tool?

Sep 11, 2011

My backup userid, password, privilege 15 on all our company routers: say around 300 routers. It is difficult to log in to each router and create a backup account. I heard from one of my friends that I can create a backup account and upload it through the KiwiCat tool, and it will automatically create my backup account on all the routers. What is the procedure to create this?


AAA/Identity/Nac :: ACS 5.2 Creation Of Network Admin Policy For Nx-os Devices?

May 28, 2012

I have ACS 5.2. I need to create a network admin policy for our NX-OS devices such as Nexus switches. How will this be done on ACS 5.2?


Cisco :: SNMP / Query Dot1dStpPortState On Catalyst 2960-S

Dec 10, 2012

I would like to be able to query the dot1dStpPortState object on the Catalyst 2960-S on our LAN. I'm running firmware c2960s-universalk9-mz.122-55.SE2.bin and according to the Cisco SNMP Object Navigator the object is supported (via the BRIDGE-MIB). However, when I query using snmpwalk from my workstation:

snmpwalk -v 2c -c bic-zua-ro 10.u.y.x 1.3.6.1.2.1.17.2.15.1.3

I receive an error:

SNMPv2-SMI::mib-2.17.2.15.1.3 = No Such Instance currently exists at this OID

For the sake of comparison, querying our 4700:

snmpwalk -v 2c -c bic-zua-ro 10.u.y.x 1.3.6.1.2.1.17.2.15.1.3

returns (as expected, cropped):
 
SNMPv2-SMI::mib-2.17.2.15.1.3.1 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.3 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.40 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.67 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.104 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.257 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.258 = INTEGER: 5
SNMPv2-SMI::mib-2.17.2.15.1.3.259 = INTEGER: 5
 
Is there some special configuration I need to do on our 2960s? The only SNMP-related setting I can see in the running config is snmp-server community. In this case:
 
snmp-server community bic-zua-ro RO


Cisco Firewall :: ASA 5505 - Regular Translation Creation Failed For Protocol 47 SRC

Oct 10, 2011

We have a PIX with 3 interfaces: inside, outside, DMZ.

On my DMZ we have some clients that come in and remotely connect back to their office via MS PPTP. I set up the ASA with this to get rid of the error message "regular translation creation failed for protocol 47 src":

policy-map global-policy
 class inspection_default
  inspect pptp

Now when the DMZ client tries to connect back to their PPTP server I get the following error.
 
172.31.10.204 0 24.172.85.162 37624 Teardown dynamic GRE translation from dmz:172.31.10.204/0 to outside:24.172.85.162/37624 duration 0:01:30
172.31.10.204 1069 173.188.74.155 1723 Deny TCP (no connection) from 172.31.10.204/1069 to 173.188.74.155/1723 flags PSH ACK  on interface dmz
172.31.10.204  173.188.74.155 63767 Teardown GRE connection 8393958 from dmz:172.31.10.204 to outside:173.188.74.155/63767 duration 0:01:08 bytes [ code]...


Cisco Switching/Routing :: Impact Of Deleting And Creation Of SVI Interface On PBR 6513

Apr 22, 2013

I have a query regarding the deletion and creation of one of my SVI interfaces on a 6513. The reason behind it is as follows. My traffic gets to the Internet in this manner:

proxy(external int.)[IP:192.168.1.30] --> Gi0/9[6513 in VLAN 170] --> SVI VLAN 170[IP:192.168.1.10] --> Gi0/10[In VLAN 170] --> ASR[IP:192.168.1.20]

I need to assign this VLAN, i.e. 170, to the inside interface of my firewall, but it was mentioned in books like this: "Assign the VLAN for the FWSM before it is applied to the Multilayer Switch Feature Card (MSFC)." So I am thinking of the following steps to assign VLAN 170 to the firewall group first, before creating the SVI interface for it:

1. Remove all currently assigned interfaces, i.e. Gi0/9 & Gi0/10, from this VLAN and then delete this VLAN.
2. Create the same SVI, i.e. VLAN 170 [IP:192.168.1.10]; by this way the issue can be resolved.

As part of my configuration, PBR is defined like this:

interface Vlan170
 description "PUBLIC IP VLAN"
 ip address 192.168.1.20 255.255.255.0
 ip policy route-map NAT
!
route-map NAT permit 10
 match ip address 101
 set ip next-hop 192.168.1.10

I need to clarify what impact it may have on the PBR part if I delete and create VLAN 170. Will the traffic move to the inside interface of the FWSM?


Cisco Firewall :: ASA 5540 - Portmap Translation Creation Failed For Tcp Src Inside

Mar 24, 2013

We have an ASA 5540 with 8.2(5).

For the last three days in the early afternoon we start getting these errors in the log, and webpages either won't load or only half load.
 
3|Mar 22 2013|13:22:24|305006|184.73.105.115|443|||portmap translation creation failed for tcp src inside:10.10.176.114/58217 dst outside:184.73.105.115/443
3|Mar 22 2013|13:22:24|305006|54.243.129.71|80|||portmap translation creation failed for tcp src inside:10.35.54.37/1517 dst outside:54.243.129.71/80

[Code].....


Servers :: Failed To Send DNS Query To Server

Apr 21, 2011

Kerio Control with AD, DNS."Failed to send DNS query to server 127.0.0.1: 10049".


Query A File Has Successfully Been Copied To Destination?

Jan 28, 2013

I wanted to know whether there is any script which will send an alert once a file has reached a destination over a TCP network.
