Cisco VPN :: PIX 525 Routing To Wrong Interface?

May 2, 2011

PIX 525 6.3(4)120
 
I am trying to allow clients coming in from my "DMZ6" interface with source IPs from the subnet 192.168.2.0 /24 to ping and access hosts on my "DMZ1" interface with destination IPs in the subnet 10.5.11.0 /24. I think I have the associated static NATs and the ACLs set up to allow this to happen. What I have noticed from syslog messages is that the PIX is trying to build the TCP connection to the "Inside" interface, rather than to DMZ1. Even though the destination host (10.5.11.12) is directly connected on DMZ1, the PIX is still trying to send the traffic to the "Inside" instead. I tried adding a host route to force 10.5.11.12 /32 pointing to DMZ1 and the PIX still tries to send the packets Inside. This only seems to happen when I try to go from DMZ6 to DMZ1. If I try to access hosts located in DMZ3 for example, which is also a directly connected interface on the PIX, it appropriately builds the connection to DMZ3. Here are the pertinent rules. Why would the PIX want to build the connection to the Inside, even though it knows that the destination host IP is directly connected to DMZ1?
 
ip address DMZ1 10.5.11.1 255.255.255.0
ip address DMZ6 10.5.16.1 255.255.255.0
ip address inside 10.5.18.17 255.255.255.240

[Code].....


Cisco Firewall :: ASA5520 Routing Packets To Wrong Interface?

Apr 17, 2012

We have an ASA5520 running ver 7.0(8), nat-control is disabled. On the "outside" interface we have a closed network which is publicly addressed i.e. no access to Internet. We also have two Vlan interfaces on a trunk connection i.e. "inside" interface (Vlan7) and "dmz" interface (Vlan802). Traffic from the "outside" to "inside" is statically NAT'd such that the public IP is translated to a private IP when accessing the "inside" interface. However, our OSS servers on the "dmz" interface need to be able to receive packets from the public IP addresses on the "outside". All is okay with the outside to inside traffic and traffic initiated from the OSS servers on the "dmz" to the outside works okay (snmp gets etc) i.e. the servers receive reply packets from the public addresses of the outside devices.
 
However, traffic that originates on the "outside" interface (snmp traps etc) which is destined for the "dmz" is actually being routed to the "inside" interface and therefore the public source address is being NAT'd by the static NAT command. The access-list "in_on_outside" has relevant entries to allow connectivity from outside to dmz, we have tried a static nat command (outside, dmz) to maintain the public addressing but this made no difference and also a nat exempt. With nat-control disabled - do I still need a translation or NAT exempt for the "outside" <> "dmz" traffic flow, if so how should this look?


Cisco WAN :: 1841 / Effect Of Assigning Wrong IP To Router Interface?

Dec 21, 2010

What are the possible effects of assigning an invalid address like 172.22.0.0 255.255.255.252 to a router interface? The 1841 router accepted the address.


Cisco WAN :: C1921 One Way Multicast And Wrong Interface Info In Show Ip

Nov 5, 2012

C1921, running version 15.1(4)M2, with licence for "IP base" feature set only. Trying to pass multicast via a PPTP VPN from a Windows XP machine to work around a non multicast-aware WAN link.

1. With the IP Base feature set I am able to create a plain PPTP VPN without any encryption; the Windows XP machine can bring it up and unicast data passes through it OK in both directions.
 
2. But when trying to send multicast, only one-way traffic is observed:
i. Windows XP host on far end of PPTP VPN and a local PC both running old Microsoft tool "MPING.EXE", sending and listening for traffic on the group 225.100.101.102
ii. The distant host receives and echoes back the packets received from the local machine + sending its own (confirmed with Wireshark running at the far end)
iii. But the local machine directly connected to the C1921 router does not hear any packets from the far end; Wireshark shows only the ones it is sending.
 
3. Group status ("show ip igmp membership") as far as the C1921 is concerned shows both ends (192.168.50.10 (local end) and 192.168.50.201 (distant end via the PPTP VPN)) joined to the group [code]

4. But "show ip mroute" for that group shows an error; for the source on the far end of the PPTP VPN (having the IP address 192.168.50.201), the source interface is incorrectly shown as GigabitEthernet0/0 (should be Virtual-Access2.1 for that PPTP VPN) and the outgoing interface is shown as Virtual-Access2.1 [code]

5. I have tried adding static mroutes and messing about with parameters for the virtual-template interface for the PPTP VPN, but the problem remains. And if I put another local PC onto a different Ethernet port of the router, the multicast traffic does flow both ways - so the issue is solely with the PPTP VPN. After a week of head-scratching I am getting more and more convinced that it's a bug... but wonder if it is already-known, has a workaround, or a fix in newer firmware?


Cisco Switching/Routing :: WRT110 - Two Router LAN - Wrong IP?

Feb 27, 2012

I currently have a wired router (Cisco RV042), a wireless router (Cisco WRT110), and a switch for my network. I have the RV042 on a 192.168.5.1 subnet, and that is where my server and other local resources are. I wanted to add wireless for guests, but do not want the guests to have access to local resources, so I plugged the wireless router into RV042 and configured it for a 192.168.1.1 subnet. I can get internet access, but when I connect with a laptop to the wireless router, I end up being assigned an IP in the 5.1 subnet. I set up the VLAN setting in the RV042 for the correct port, but for some reason I am still being assigned the wrong IP, and I can hit local resources on the wireless.


Protocols / Routing :: Everything Go Wrong After Firmware Upgrade

Feb 15, 2011

I tried to find a suitable firmware for it and found this, Wireless Router, but when I upgraded the device with this firmware, everything went wrong: no English language, and I can't upgrade anymore. I tried to reset the device to its factory defaults by pressing the reset button, but nothing changes.


Cisco Switching/Routing :: 35609-X - Wrong Image On Switch

Mar 17, 2011

I inadvertently copied the wrong image on to a 35609-X switch and now it gets stuck in a particular mode.
 
The original image was:  c3560e-universalk9-mz.122-53.SE2/c3560e-universalk9-mz.122-53.SE2.bin and I replaced it with: c3560e-universalk9npe-mz.122-55.SE1.bin ( this is what the download site identifies as the image for 3560X-24P-S)
 
It now sticks at:  Front-end Microcode IMG MGR: Programming device 0...rrrrrrwssssssssssssssssssspssssssssssssssss
 
How can I get back on to delete this image?  It ignores the break key.


Cisco Switching/Routing :: 6513 Power Showing Wrong Wattage?

Oct 26, 2011

I just upgraded my power supplies from 2500 watts to 4000 watts, however the show power still shows 2500 watts. How do I make the 6513 recognize the change? I do have 250 volts at 30 amps connected to each power supply.
 
system power redundancy mode = redundant
system power total =     2331.00 Watts (55.50 Amps @ 42V)
system power used =      1741.74 Watts (41.47 Amps @ 42V)
system power available =  589.26 Watts (14.03 Amps @ 42V)

[code]...


Cisco Routers :: L2TP On SRP541W Default Routing Table Is Wrong

Sep 21, 2011

I have a problem connecting SRP541W to my ISP (L2TP). Connection is established, but default routing table is wrong: instead of gateway I see Server IP: [code]
 
In similar situations other users of my ISP with Cisco routers (IOS) solved this problem by adding the command no peer neighbor-route, but I can't do it through the WEBgui...


Cisco Switching/Routing :: 2960 / 2621 - IP From Wrong VLAN Being Handed Out

Dec 29, 2011

Setup is like this: Polycom IP phones -> Cisco 2960 switches -> Cisco 2621XM router running 12.28(r). A Windows 2003 server running on HP Proliant DL380 G4 with the correct DHCP scope is configured for the IP phones, also sitting on a Cisco 2960 switch.

A typical port config on the 2960 is:
interface FastEthernet0/1
switchport mode access
switchport voice vlan 60
mls qos trust cos
auto qos voip trust
spanning-tree portfast
spanning-tree bpduguard enable

Relevant section of the config on the 2621XM router:
interface FastEthernet0/0
no ip address
no ip redirects
no ip proxy-arp
ip pim sparse-dense-mode
[Code] .......

This used to work on a Windows 2000 server which sat on a different piece of hardware, but stopped immediately after the migration to Windows 2003 server was done. There was no change on the router or switches prior to or after the server migration. I see the DHCP server log on the 2003 server giving DHCP NACK because the phones are apparently asking for IPs in the data VLAN.


Cisco Switching/Routing :: 3120X - Blade Mac-addresses In Wrong VLAN

Feb 12, 2013

- Incoming frames on three of a blade's four switchports are being put into VLAN 1 even though the ports are either in other access VLANs, or are configured as trunks with different VLAN IDs being tagged by the server.
- When the ports go down the access VLAN is removed from the port.
 
Switch stack: 4x WS-CBS3120X-S, 12.2(58)SE1
HP blade: HP BL460c Gen8
 
This combination has been used successfully elsewhere.
 
Switchport configuration:
 
!
interface GigabitEthernet1/0/13 -------> THIS PORT IS OK
switchport mode trunk

[Code].....


Cisco Switching/Routing :: 2960 / Recovering Switch With Wrong BAUD Rate?

Oct 20, 2012

It seems that I made a mistake when typing the BAUD rate of a 2960-Switch in rommon. I can't start the switch now, because there is no image on it (because I deleted it before) and the baud-rate has wrong settings. When connecting via console cable I can't see anything (except some strange hieroglyphics) when starting. I tried all the speeds in teraterm... without success. What can I do to recover the switch?


Cisco Switching/Routing :: ASA 5505 Cannot Ping From Inside Interface To Outside Interface

May 1, 2012

I have a Cisco ASA 5505 and I have my internal and external interfaces configured but I currently cannot ping from the inside to an IP address on the outside. I had this set up and working and I have another set of equipment that I am replacing that is working with my service provider so I know it is a configuration issue. When I ping 4.2.2.2 for example I get:
 
Destination host unreachable
 
Do I need to add a static route from my inside interface to my outside interfaces?

: Saved
:
ASA Version 8.2(5)
!
hostname pxasa

[Code].....


Cisco Switching/Routing :: 3750E / Applying ACLs When Routing Between SVI And Routed Interface?

Mar 12, 2013

Quick question here. Using 3750E series switches with multiple VLANS configured. These switches serve as our 'core'. I have SVIs configured for the different VLANs and add inbound ACLs in each of the SVIs to control traffic between VLANS. This switch also terminates a P2P Ethernet link which connects to our Colo facility. The port used for this is configured as an L3 port. I noticed today that I was able to send traffic across this L3 link that I thought should have been blocked by an ACL I had in place but it wasn't. So the traffic flowed from a port in say VLAN 20 across this L3 link (assigned with an IP address). Would this traffic flow not cause traffic to be checked against an ACL applied in the inbound direction on the SVI of VLAN 20 (int vlan 20)? Traffic does get checked when routing between SVIs. Why would it not get checked when routing between SVI and L3 interface?


Cisco Switching/Routing :: 7609 Routing Interface Attend MSTP Calculation

Mar 7, 2012

On a pair of my CISCO7609-s (engine: sup720-3B, IOS Version: 12.2(33)SRD4), some interfaces are configured as routing interfaces but they also take part in the MSTP calculation, and I really caught BPDU packets going out from these ports. [code]


Cisco Switching/Routing :: CAT 4006 VLan Routing Without Setting Interface IP?

Feb 26, 2013

We have a layer 3 switched network, with one VLAN for every switch, routed by a Cat4006. [code] So can we put some ports on different switches in, let's say, VLAN 50, with different IPs? For example, port 0/3 on switch 1 and 0/8 on switch 2, but keeping the IP of the "old" VLAN? Or is it necessary to configure a specified VLAN interface with an IP address for every VLAN if I want to route it?


Cisco Switching/Routing :: 2948 / 2620 - Single Interface Routing

Jan 7, 2012

I am a recent student to Cisco products and I have purchased some (what I thought was good) lab equipment to learn with on a budget. What I have is a 2948G switch and a 2620 router. My issue is this: the router has only one Fast Ethernet port. Is it possible to use VLANs and VLAN interfaces on the router and switch to somehow emulate a second interface to connect to a WAN or subnet?


Cisco :: Phone Keeps Registering With Wrong CME?

Jan 6, 2011

I have a CME on the other end of my MPLS network. When troubleshooting phone issues I set up a phone on the CME system in question and pointed its TFTP server to the address of the CME router. Now, I need to point this phone to another CME but it keeps registering with the previous one no matter what I do (the TFTP server is pointed to the new CME). I have tried turning off the auto register, and I have deleted the ephone and its MAC address altogether, but it always registers with the wrong CME.

The phone is a 7962 with a 7914 expansion module.


Assign Wrong Mac Address?

Jul 16, 2011

I have a 2003 server that is doing something wrong. When I show the mac address table I can see that the server is assigning a bad mac address to several IPS. The server assign a non-existent mac address to some IPS for this reason the server stobut I would like to solve the problem

- I ran my antivirus an no virus was found.

- I updated the network driver.


Cisco :: Wrong IOS On A Switch Service Module?

Mar 11, 2013

I am having issues (nothing new there) I have a bad IOS on a switch module, and the config is set to boot to that IOS, and as such I get a nasty boot loop, I am trying to figure out how to get into rommon but all the documentation I can find for this just says go into rommon and never tells me how to get there on a switch module that thinks it has a good IOS. (The IOS is for our normal service module but this one is an odd-ball switch)


Cisco Router Giving Out Wrong Address?

Jun 21, 2011

I have a Cisco router that has DHCP configured; the router IP address is 10.10.10.***. All computers that are attached to the router are using static IPs and work fine, but when I connect my laptop using wireless it gets a 192.168.1.*** address.


Cisco Wireless :: 1142N AP Upgrade Gone Really Wrong

Jan 24, 2012

I have run into a major issue with an autonomous Cisco 1142AP. We were in the midst of a firmware upgrade when something went wrong and caused the AP to reboot in an error mode. Basically the unit was flashing blue, amber, red. We unmounted the unit from the wall, connected to the console, and it would now only flash red over and over. We pulled out the Cisco guides and performed a factory reset on the unit. This still does not work, and the contents of our flash directory is empty. All we get is a ROMMON AP prompt on the unit. If I issue a set command, I can see the default settings for IP, netmask, etc.
 
I cannot access the unit via the network, even after setting IP info and matching it up to my laptop. Since I have no network connectivity, I can't TFTP a new IOS file to the unit. I am stumped. How to get the config as if it was out of the box, or an alternate way to TFTP to the unit? [code] Notice the lines in red, I must have typed something incorrectly. Now once the unit boots after being reset, I cannot even type in the CLI. Something majorly screwed up here. Can the bootstrap be reinitialized?


Cisco :: Updated AP1121 With Wrong Software

Jun 11, 2013

I updated an AP1121 accidentally with the LWAPP version of an AP1130ag.


Cisco Wireless :: WLC-4402-25-K S/W - Upgrade Went Wrong

May 3, 2012

WLC-4402-25-K S/W - Primary and Secondary Controllers were running 4.2.130 to begin with. Customer upgraded remotely using NCS - Primary to 4.2.209 and then to 7.0.230 and all that went fine and is in Production.
 
Then customer upgraded Secondary also using NCS also from 4.2.130 to 4.2.209 in preparation to upgrade to 7.0.230 and he lost contact with the controller. Sent a technician to site to troubleshoot by connecting to Serial Port. Technician #ESCAPED out of the boot sequence and from the BOOT MENU tried to boot the Primary Image and it failed with CRC error on Flash. He then tried to boot the Backup image and had the same problem. He then tried to manually load 7.0.230 - ER (Boot Software) using TFTPD32.EXE and that went fine. He then tried to load 7.0.230 "aes" S/W - the big over 70 MB file - and went through most of the file transfer but failed saying:
 
ERROR: Transfer Failed.
 
TFTPD32.EXE said something like "Data Packet too Short or some such thing". Sorry did not write down what TFTPD32.EXE said.
 
Then we thought "may be" a power cycle of the unit is required after the ER Boot Loader Image was loaded. When we did that the unit died. That is - no communication with the Serial Port. We don't think we have any choice other than RMA - Do we?
 
Customer says he did read and follow this link - especially Table 10-1. {URL}. He said he used NCS to do the Upgrade. I am not familiar with NCS.


Cisco Wireless :: Wrong Performance With AP 1262N?

Nov 21, 2012

I have many 1262N and 1031AG APs. When the client is connected to the AP 1262N the performance is slower than when it is connected to the AP 1031AG (with more clients) in 2.4GHz.


Cisco :: 7.0.116.0 / WLC Generating Traps With Wrong SSID

Jul 5, 2011

I've noted a number of traps reported correctly but with the wrong SSID in the detail on 7.0.116.0


Hostname Is Resolving The Wrong IP Address

Aug 31, 2012

I am having trouble with getting a copier that I have networked to stay registered in the system. When connecting all the equipment back for the new year I was having trouble getting this one specific copier back online properly. I used to have it assigned with a static IP because the person that was here before me had all the computers map the printer using the IP instead of Hostname but that was causing IP conflicts so I removed it and mapped the printer through Hostname which is made "MPF-TOSHRM328".

So now for the actual problem: after the copier got the new dynamic IP of 10.8.214.151 I thought it would be fine and everything would click in because it was mapped to the host name and not the IP. But when I do a tracert on the hostname it still shows up with the old IP, and now that the old IP has been reassigned it actually points to a physical machine now. Weird. All attempts to flush the DNS have not resolved the issue. I even tried going in and deleting the entries manually. No luck. As a point of reference here is the result from the tracert.

Tracing route to MFP-TOSHRM328.78B450.nycboe.org [10.8.214.126] over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms SLS330W09 [10.8.214.126]
Trace complete.

I should also mention that this server is only here in the sense that it is the DC for the computers on this floor. There is a whole other system that assigns the IPs and handles the DNS. I do not have access to it, it is run by the main network people at the central offices.


Computer Looking For Wrong Service Provider

Feb 25, 2012

My folks have Time Warner (Roadrunner) Internet service. They power-down their Dell every night. When they shut down last night they had no problems and were running Time Warner (Roadrunner). When they booted the computer this morning the computer is trying to connect to Adelphia.

They changed nothing. The wiring to the computer was not compromised in any way.

Time Warner tried to "ping" their modem and could not "see" the modem. They think it is a line problem - but the fact that the computer is looking to connect to an alternate service provider makes me think that it is possibly a problem with a setting in the computer.


Noticed That The Icons On Bookmark Bar Are Wrong?

Feb 24, 2013

I'm having sporadic trouble with both Google Chrome and Internet Explorer 8. The first thing I noticed was that the icons on my bookmark bar are wrong. The CNN icon may actually be Amazon and Twitter may be Webster's Dictionary. Sometimes, for example, CNN won't come up at all and then it will display later. Many websites will intermittently come up without graphics and in a plain font. I have done restarts and cleared browser histories and checked extensions. I have performed cleaning with Winferno and McAfee comes up clean.


Wrong DHCP IP On One PC - Cannot Even Ping To Gateway

Dec 24, 2011

I have more than 10 PCs on my workgroup, using DHCP on the network, but I have one PC that always gets the wrong IP (auto from DHCP), and can't connect even using a static IP (status connected, but can't ping the gateway and other IPs). Here is "ipconfig /all" on one of the PCs that works. [code]


Why Need To Reset Router All Time - DNS Wrong

Nov 29, 2011

At times when my laptop is running a diagnostic it says maybe your DNS is having a problem. I don't know what a DNS is.


Flashed WRT54GL With Wrong Firmware

Jun 2, 2011

I flashed my WRT54GL with firmware for a WRT54G and now when I go to the configuration page all I see is this: url... I have tried doing a hard reset by doing the 30/30/30 and by using tftp to try and send the correct firmware. The hard reset does not work and the tftp keeps timing out and not sending anything.


Cisco Routers :: Connect To RVS4000 With Wrong IP And Subnet

Feb 21, 2013

I tried to update our production switch over the weekend with a newer unmanaged Gigabit switch. Everything was fine after the change and the network had a noticeable change in speed. But when I came back in on Monday the Internet was down. So I tried troubleshooting the switch to see if there was a loop or something like that and put it into managed mode so I could look at the config page and take advantage of the STP function. When trying to get to the config page I entered the default IP into my browser and a logon appeared, so I tried to log in and it failed; then I noticed that the title of the browser tab said RVS4000. So out of curiosity I entered the creds for the router and lo and behold it let me in to the router. The router has a static IP and is using a different subnet than the default IP of 192.168.2.1 that the switch has. I have put the old switch back and removed the new one from production but can still get to the router with either IP, its static address and the 2.1 address.








Copyrights 2005-15 www.BigResource.com, All rights reserved