Cisco VPN :: UC540 Drop Flow Is Denied By Configured Rule
Jan 29, 2013
I have created a VPN tunnel between a UC540 and an ASA running software version 9.1. I am unable to ping from the outside, from network 192.168.10.0/24 coming in on the outside interface, to the inside network 172.16.1.0/24. I have tried various commands and some of them may not be necessary. [code]
May 28, 2013
I am attempting to allow traffic from one vlan to another. Vlan 1 is on interface 0/2 (vlan1). Vlan 2 is on interface 0/3 (vlan2). Each vlan can communicate inside its own vlan, and the gateway on each responds to vlan-specific clients. My problem is that I am unable to communicate between the two vlans. Using the ASDM packet tracer tool, I find that packets are denied by the default rule (on the second Access List lookup). It appears as if the packet never reaches the other interface. The access rules are set up to allow traffic from one vlan to another (inbound), on both interfaces. Testing from either vlan to connect to the other fails. Below are the access-rules for each vlan. Once I get basic connectivity working.
access-list aVlan1; 3 elements; name hash: 0xadecbc34
access-list aVlan1 line 1 extended permit ip any 192.168.151.64 255.255.255.192 (hitcnt=0) 0xeb0a6bb8
access-list aVlan1 line 2 extended permit ip any 192.168.151.128 255.255.255.128 (hitcnt=0) 0x3a7dfade
access-list aVlan1 line 3 extended permit ip any 192.168.151.0 255.255.255.0 (hitcnt=0) 0x93302455
access-list aVlan2_access_in; 3 elements; name hash: 0x6dc9adc7
access-list aVlan2_access_in line 1 extended permit ip 192.168.151.64 255.255.255.192 192.168.150.0 255.255.255.240 (hitcnt=0) 0x054508b7
access-list aVlan2_access_in line 2 extended permit ip 192.168.151.128 255.255.255.128 192.168.150.0 255.255.255.240 (hitcnt=0) 0xc125c41e
access-list aVlan2_access_in line 3 extended permit ip host 192.168.151.3 192.168.150.0 255.255.255.240 (hitcnt=0) 0x4adc114c
Nov 10, 2011
ASA 5510 running without issues for a while, but we needed an extra port so added a 4GE SSM.
Having installed the 4GE SSM we had some issues with the card not liking a connection to our switches and only working by plugging directly from the server into the firewall, not great as we wanted extra servers on the line in the future. So we upgraded the firmware and now are at an impasse.
We have upgraded to 8.0(4)3 and now we cannot get any traffic through the port; we can't even connect to an external DNS server. Running a packet trace I get an immediate error on the first step, '(l2_acl) FP L2 rule drop', and it appears as though the outside connection is down.
I have some experience on setting up basic port forwarding and NAT for internet access, webservers, mail but this has thrown me.
Oct 4, 2012
Let's say I want to NAT 2.2.2.2 & 2.2.2.3 on the wan interface to 192.168.1.1 on the DMZ. I tried to add the static NAT with ASDM but got the following error: "The modified Static NAT Rule cannot be configured, as it overlaps with following existing rules"
Jan 18, 2011
What is the purpose of the "Permit all traffic to less secure networks" rule?
Well, I know the purpose, and the technique of handling some security levels is nice. Why can't I add a rule without deleting this implicit rule?
Is the technique of security levels then obsolete?
Jul 27, 2011
I accidentally set up two schedule rules, both with the name of "Log". When I highlight either rule and try to delete it, I get the error "The rule is being used by another rule and cannot be deleted". How do I delete them?
Jul 21, 2011
I am testing rogue on wire using a 5508 WLC. I have a dedicated AP configured as rogue detector, and configured the switch port where the rogue detector is connected as a trunk. I have plugged in an autonomous AP with open authentication to the same switch so that it can act as a rogue. On the WLC, I can see that autonomous AP as rogue on wire. But along with that I am seeing another AP as rogue on wire, even though I have plugged in only one autonomous AP to the switch.
Mar 20, 2011
I am facing a problem while connecting to my VPN server configured on a UC540 device. This device is behind my ISP router. I applied port forwarding of IPsec traffic to my Cisco device, which is configured as the VPN server. Now if I try to connect with my live IP I get the following error. [code] I tested: if I connect using 192.168.0.116 internally it works, but if I try to connect using my live IP it keeps trying but does not connect.
Mar 1, 2012
I currently have a UC540 system with 12x aironet 1130 APs. Seamless roaming does not seem to work, and the recommendation seems to be to introduce a WLAN controller.
Dec 12, 2012
I need support on how to configure an SLM224P with a UC540.
Apr 30, 2010
Setting up a link between a Head Office UC540 and a remote SR520, which I want to use a PC and an IP Phone from. This remote site is the first of several. I've found several examples of site-to-site IPsec VPNs, but none with references to voice and data VLANs. Do I need to worry about this, or will the phone just work?
Apr 2, 2013
I have a client that just got a second public IP (x.x.x.252) for a new program. I've set up that second IP on their UC540 on the public-facing port and it's accessible all day long from the outside, no problem. The problem comes in where users from within the LAN can't see the new public IP at all; however, they CAN get to the original public IP x.x.x.250. I've looked at the rules every which way and can't see anything that either 1) only allows LAN traffic to get to the original public IP, or 2) is a NAT rule that only allows the same thing.
[Disclaimer: I just inherited this client and their setup, so other than me adding the IP and opening ports to it, I didn't program it.]
Here is the port configuration:
!
interface FastEthernet0/0
description $FW_OUTSIDE$
ip address 63.234.195.252 255.255.255.248 secondary
ip address 63.234.195.250 255.255.255.248
ip access-group 106 in
no ip redirects
no ip (code )
I can't figure out why .250 is internally-accessible, but .252 isn't. .252 is in the routing table as a directly-connected address, but I also added ip route 63.234.195.252 255.255.255.255 FastEthernet0/0 to the routing table and it still won't go. Everything is controlled by the UC540: The internal servers do not run DNS or DHCP or even a domain. There are no NAT outside rules.
Aug 20, 2011
How could I make a VPN tunnel between an SA520 router and a central UC540?
Mar 24, 2010
We have a new deployment where we have 5 total 7921G wifi phones connected via 2 AP541n access points, one connected to an ESW520p switch and then to the UC540, and the other connected directly to the UC540. The wifi phones are intermittently giving no audio when calling each other; however, calls to the PSTN consistently do have 2-way audio. Is this a security issue perhaps? We are running the latest CCA software pack as this is a brand new deployment; the APs were also upgraded to the latest firmware.
Dec 4, 2012
We are setting up a new phone system using the UC540 with a VPN connection between 2 buildings, using 2 Cisco ASA 5505s, one at either end. The problem I am having is getting the phones at the remote site to connect to the UC540 at the main site.
Phones/Computers (10.0.1.0/24) -- ASA -------------VPN Tunnel------------- ASA -- UC540 -----------Data Vlan1 (10.0.0.0/24)
|------Voice Vlan100 (10.1.1.0/24)
What I am told by UC500 support is that the phones at the remote site will connect if they have connectivity to the TFTP subnet on the UC540, which is 10.1.10.0/30. I added the static route on the ASA and I can ping the 10.1.10.1 TFTP server on the UC540 from the ASA, but not from any other device on the 10.0.0.0/24 network, such as the DC. I added the static route there and was able to ping, so something in the ASA seems to be preventing it.
I also can't seem to get the ASA at the remote site to ping 10.1.10.1. I've tried adding the static route there in hopes it would forward it through the VPN tunnel.
Mar 17, 2013
I'm trying to set up an ASA and a UC540 side by side, to utilize the ASA for data networking and the UC540 for voice. This 'should' work fine; I just seem to be having an issue where the ASA seems to be blocking traffic from the voice network as it passes through. So here is the LAN setup:
ASA: 1.1.1.1
UC540: 1.1.1.2
The UC has a voice vlan 10.1.1.1/24 and a service module at 10.1.10.1/30. My PC uses the ASA as its default gateway, 1.1.1.1. The ASA then has static routes to the UC networks:
Route 10.1.1.1/24 1.1.1.2
Route 10.1.10.1/30 1.1.1.2
Ping from the PC to the UC networks works fine. However, ping from the UC networks to the PC fails. ASA logs show traffic being denied due to not having an established connection or something.
My guess is that the traffic is being blocked because the egress and ingress paths are different? Traffic from the PC goes to the ASA, then gets routed to the UC, and it works. However, in the other direction, traffic from the UC is going directly to the PC and bypassing the ASA, because it's a directly connected network and doesn't have to route through the ASA to get to the PC. The reply traffic from the PC DOES go through the ASA following its route table, thus the issue of the ASA not seeing the established connection? Same-security inter- and intra-interface is enabled.
So I think I see the issue, I just don't know how to fix it. Is there something I can configure on the ASA to allow for this? My only other option would be to configure a /30 on a new vlan to handle the routing between the UC and ASA or something, but that seems like it's going to make this simple setup way too complicated with extra networks, vlans, trunks, etc. I am running ASA version 8.4.5?
Jul 29, 2012
I am currently configuring a Cisco 881 router and am having some VPN connection issues: I can connect with one user (me) and all other connection attempts from other users are denied. When I disconnect, other users can connect; the scenario is that only one user can connect at any given time.
Here is my config:
Building configuration...
Current configuration : 11423 bytes
!
! Last configuration change at 13:11:23 PCTime Fri Jul 27 2012 by zephyr1
! NVRAM config last updated at 13:25:30 PCTime Fri Jul 27 2012 by zephyr1
!
version 15.0
[code]....
Dec 11, 2011
I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS I see a successful authentication.
Jul 11, 2012
How to debug an ACL I've created on a 4404 WLC? Specifically, I want to monitor what packets are being denied by the ACL, as something that should be working isn't.
I've created an explicit deny statement at the end of the ACL and verified that the counter increases each time I try the problem software update.
What I can't work out is how to get the WLC to tell me what packets are being denied by the explicit deny statement, all I can find are 'show acl' commands which just give me the counts.
The equivalent on a router would be debug ip packet acl and adding the log keyword onto an ACE. I suppose I could configure a SPAN session on the WLC uplink to the switch but that seems overkill?
Jan 1, 2012
I consider the NAT mechanism to be quite straightforward, but although the firewall ACLs allow the traffic, it is being denied. The ASDM log and packet-tracer indicate the problem is an ACL.
# the internal resource
object network mabe-mbp
host 10.0.0.36
!
# these are ALL of the rules on the outside/inside interfaces
access-list outside_access_in extended permit tcp host 1.2.3.90 any eq 12380 log disabled
access-list outside_access_out extended permit ip any any log
access-list inside_access_in extended permit ip any any log
access-list inside_access_out extended permit ip any any log (code)
Jun 24, 2011
I was changing the computer name on a group of networked computers but forgot to go to Manage - Users - Administrator and set a password. I accessed Computer - System Properties, clicked the "Change" button for "To rename this computer, click Change", and selected the "Workgroup" as opposed to the "Domain" option. When I restarted the computer, it will not allow me to enter the administrator password to access the computer.
Apr 2, 2011
Network connection problem. Popup error states: "\<name> is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Access denied." This happens when trying to view the two PCs through My Network Places > View Workgroup Computers in MSHOME. I was able to map the shared folder manually.
Jan 3, 2011
I have a computer with Windows 2003 Server installed on it. There is one shared folder. The computer's name is SERVER. The shared folder's name is OFFICE. Whenever I type \\SERVER\OFFICE in a Windows Explorer window, I get a pop-up window with a message that says that Windows does not find \\SERVER\OFFICE. I mean, I should be able to see the folder in this way because this OFFICE folder is shared and I am doing this from the same computer and not from another computer in the LAN.
May 28, 2012
I'm trying to solve a disastrous networking (via workgroup) nightmare and I cannot enable the DNS Client on my Windows 7 PC. I go to Control Panel, admin services, DNS Client, and try to change it to Automatic, and it says "access is denied".
May 14, 2012
Network access is denied for a particular folder.
Feb 20, 2011
XP desktop hard-wired to the router. XP and Vista laptops wireless. Vista has SP1 and both XPs are SP3. All computers can see each other. Vista can access the XP drives. The 2 XP computers can access each other. The 2 XP computers cannot access the Vista: access is denied. Firewalls are off on all computers. I have tried permissions on both the sharing and security tabs with no luck.
Apr 3, 2012
I'm configuring ASA 8.4 for SSL VPN, allowing Web Portal access with group-url. I've noticed that if I put certain keywords after the slash in the group-url, client access is denied with an HTTP 404 error.
Here's my configuration:
tunnel-group test type remote-access
tunnel-group test general-attributes
default-group-policy test
[Code].....
Mar 18, 2012
We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected; when we configure the second VPN matching the first, the tunnel never begins to establish. There is an ACL that is denying the static IP for our remote office.
The layout is as follows:
Main office = ASA 5520
Remote Office A = ASA (Unknown Model)
Remote Office B = Adtran Router
All devices have static IP addresses.
We used the ASDM VPN wizard to create both VPNs.
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
4 Mar 19 2012 15:18:01 106023 67.50.19.230 50234 TWT-hq-e 31326 Deny udp src TWT-outside:67.50.19.230/50234 dst inside:TWT-hq-e/31326 by access-group "outside-in" [0x0, 0x0]
We have verified that both sides are configured the same; however, the VPN is never initiated, so as of right now the ASA is simply blocking all attempts from our remote office to connect.
Oct 6, 2011
I configured an ASA 5505 a couple of weeks ago. Everything is working properly except it sends irritating messages to the syslog server. Here is an example of the message:
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/252 flags PSH ACK on interface outside
%ASA-2-106001: Inbound TCP connection denied from 195.215.221.56/80 to 10.70.13.90/2252 flags ACK on interface outside.
Jan 14, 2013
I'm having a problem getting ICMP echo monitoring on the outside interface to work. I've set: icmp permit host monitoring_station_adress outside, but I still get:
%ASA-3-313001: Denied ICMP type=8, code=0 from monitoring_station_adress on interface outside. I'm trying to directly monitor the IP on the ASA's outside interface.
I have an access-group tied to the "in" direction on interface outside. Do I still have to put "permit icmp" rules in, despite the fact that the icmp permit outside command is set?
Feb 19, 2012
I have a website that is hosted by our company, but when the staff goes to the outside address of the website it gets denied by ACL, thus page not found.
3 Feb 20 2012 11:25:23 192.168.3.57 52928 our External IP 80 TCP access denied by ACL from 192.168.3.57/52928 to inside: our External IP/80
Our external IP is also the IP of the 5505.
Sep 27, 2012
Is there any way to monitor NetFlow on an RV042G? We have a network at a small school that gets bogged down during the day.
Feb 24, 2011
I have 2 ASA 5505s with a site-to-site VPN. I need to reach a server on network A on port 7887 from network B. The 2 boxes are both on a public net and have a private net inside. When initiating a telnet session from a host on network B to IP 172.210.210.56/24 (which is defined as my remote network in the connection profile), I can see the traffic arriving on the ASA on network A, but the traffic gets rejected with the following.
Built local-host outside:VPN-TEST_172.210.210.56
02: VPN-TEST_172.210.210.56 7887 Teardown TCP connection 398765 for outside:VPN-TEST_x.x.x.x/16698 to outside:VPN-TEST_172.210.210.56/7887 duration 0:00:00 bytes 0 Flow is a loopback
03: Teardown local-host outside:VPN-TEST_172.210.210.56 duration 0:00:00.
I'm a newbie with the ASA 5505, and cannot figure out why this is a loopback?