Cisco VPN :: Catalyst 2911 - S2S VPN Only Works In One Direction
Jun 5, 2012
I'm very new to Cisco devices, but we recently acquired a Catalyst 2911 device for our co-lo cabinet and I am trying to get a site-to-site VPN connection working between the facility and my office's network, as well as a remote access VPN for me to use in case I have to fix something while outside of the office.
The office's gateway is 66.119.163.2 and the device is a TZ210 with its LAN network being 192.168.1.0 /24.
The co-lo's gateway is 204.244.50.254 and the device is an ASR 2911 with its LAN network being 10.0.10.0 /24.
The S2S VPN connection is up between the two locations, and the 2911 device and the servers within its LAN can ping and RDP to the office's machines. The office network can only ping the LAN interface IP on the 2911, which is 10.0.10.1, but not the servers in the network. The site-to-site VPN was set up with the CCP wizard.
How can I allow the 192.168.1.0/24 network to see the 10.0.10.1/24 network and why do I only currently see the gateway?
If need be I can post my running-config file with the preshare keys redacted.
Aug 2, 2012
I have an IPSec tunnel that is working in one direction. Below is the router config from the side that can connect to the other side perfectly. I believe the issue is with this router, as while I was waiting on delivery for the ASA I had an SRP527W sitting in its place and had exactly the same problem. On one side I have an 887VA router and on the other an ASA5505. The network behind the 887VA can access the remote site perfectly; backup services are traversing the link, as are web interfaces for applications. In the other direction I can ping hosts but cannot connect. What else is interesting is that if from the remote site I attempt to connect to a particular device that performs a port redirect, the remote site browser gets so far as being redirected to port 5000 but then hangs.
I am seeing some very generic packet drop debug notices on the 887VA on the NAT-ACL access list, but I think this is as it should be, as it is dropping the tunnel traffic from the NAT'ing. The config for the router is here; I will post the ASA config when I get to the other site shortly, but I am convinced the issue is on this device, as all the crypto configurations match. I have looked at the MTUs on each side; the path MTU on both sides is 1492. The ASA does say the media MTU is 1500, but I believe that is the ADSL link so shouldn't matter? I even went so far as installing CCP and testing the VPN. It says the tunnel is up. It did state a failure: "A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets." [code]
Jun 1, 2012
For the purpose of a remote backup between 2 QNAP NAS devices, I have set up a site-to-site VPN using 2 Cisco RV220W routers. Although the VPN connects just fine, I can only access network B from network A, but not the other way around. I believe it could be related to IP ranges/subnets. The IPSec VPN connects successfully (IPSec SA Established). From network A I can connect to any device on network B (QNAP SMB, SSH, Cisco web interface, printer, laptops, etc.). From network B, I can ping any device on network A, I can access the Cisco web interface from network A, and nothing else. If I try to access the web interface for the QNAP on network A from a device in network B, no luck; it seems to hang. I also tried issuing a wget command from the QNAP (SSH) on network B to fetch the web interface of the QNAP on network A, and it says connected, but then hangs. I've tried lots of different settings (creating static routes, dynamic routes, changing subnets, etc.), but without any luck.
Jan 16, 2013
We have a PBR configured on a 2911 router (15.1-4.M2). The PBR is being used to send specific traffic across a S2S VPN instead of an MPLS connection. If ip cef is enabled, the router sends the traffic across the MPLS. If ip cef is disabled, the traffic goes across the S2S VPN. I checked to see if there were any bugs in the code they are running about this and nothing came up. It's almost like CEF-enabled PBR isn't working on this device, even though it should be enabled by default when ip cef is turned on.
Sep 4, 2012
How does this switch module work in a 2911 router? I have two 2911 routers in HSRP configuration for redundancy with a crossover cable between switch modules. OSPF is running on the routers. If the active router loses its power and then comes back again, it boots first, its internal link to the switch module comes up and it starts to forward packets to the switch module. The switch module starts to boot only after the router is ready. So I have an outage of about 3-4 minutes. For our real-time applications it is way too long.
Is there any way to start booting the switch module before the router gets ready? I understand I can boot it manually, but only after the router is ready. The only way to get around it I found is to disable the internal link and use a router interface to connect to the switch module.
Mar 13, 2012
We have configured a L2L VPN between an ASA and a 1841 router. We are facing this issue: the tunnel never comes up from the 1841 site. When we try to generate traffic from the ASA site the tunnel is up and we can see decrypt and encrypt packets.
Router 1841 Config:
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key * address 213.249.XX.XX
[code].....
Jan 16, 2012
I've been using a couple of ASA5510s for a few years in a few datacenters, and I wonder about the following:
Usually the ASAs are positioned with the connectors facing the back of the 19" cabinets, so one can easily connect the device to other networking hardware. In many datacenters nowadays, cold corridors are used, which results in a forced airflow through the cabinet, which is driven by the fans in the servers themselves. But the ASAs are permanently blowing air in the opposite direction, and are also taking the air from the part of the cabinet where the air is as hot as it gets.
Is it a good practice to open up the ASA and flip the fans 180 degrees to solve this?
Aug 19, 2012
I have to replace a 1230 with a 1262 AP.
All antennas have to be in the same direction on the AP, and I guess when the old 1230 is working well the 1262 will be only better. Attached you see how I plan to mount the new AP versus the old one...
Jan 14, 2013
I have lots of 857 routers in the field, mostly with the latest OS, 12.4(15)T17, making ezVPN connections to a 2951 with 15.1(4)M5. All the 857s have loopback and VLAN interfaces similar to:
interface Loopback0
ip address 50.43.8.1 255.255.255.255
ip tcp adjust-mss 1452
end
[code]....
Now lately, for some or other reason, we have instances where I can ping either the VLAN or the LOOPBACK interface, but not both. Or I have instances where the 2951 can ping all the interfaces on the 857, but the 857 cannot ping the 2951. Or I have instances where the 2951 cannot ping the 857, but the 857 can ping the 2951. The way I have been fixing this is either to add crypto ipsec client ezvpn SMS_VPN inside to the loopback interface, or if it is there already, to remove it. This usually works for a few days, but then suddenly I have to reverse this again. If that does not work then I usually do lots of clear crypt sess and/or clear crypt ipsec client ezvpn on the 857, or clear crypt sess remote 857_ip_address from the 2951, and then suddenly it starts working again.
Apr 11, 2013
Using packet tracer I get an error saying:
Config
nat (inside) 1 0.0.0.0 0.0.0.0
match ip inside any inside any
dynamic translation to pool 1 (matching global)
translate_hits=45236, untranslate_hits=0
I cannot access my Polycom unit on 172.20.16.8 via 10.20.60.8. Below are the results of show run. Result of the command: "show run"
: Saved
:
ASA Version 8.2(2)
!
hostname ciscoasa-stt
domain-name stt.vidol.gov
enable password qXcSIHaSa9B75GQC encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
[code]....
Jul 20, 2013
If I copy a file from my desktop to my laptop, the speed is usually 3 or 4 times faster than if I go in the other direction.
The desktop is connected to the router by a cable; the laptop is on Wi-Fi.
If I connect the laptop with a cable, speeds are fast in both directions.
The router is a WRT54GL with DD-WRT. Both machines are running Win7.
Why would this happen? How can I identify the problem and fix it?
Aug 15, 2011
We are experiencing a high amount of retries in one direction between two 1310 bridges with external yagi antennas. What would this indicate? Here is a copy of the linktest:
POOR (102% retries)   Time    Strength(dBm)    SNR    SNR    Retries
                      msec     In    Out       In     Out    In    Out
Sent: 5000, Avg         5    -66    -64       31     45   Tot:  56  10149
[Code]....
Dec 27, 2011
I know some business routers need to be registered to have certain functions work. I have gone through the knowledge base and there seem to be a few with my issues. Sadly, I have been doing IT since '86 and playing with larger Cisco boxes for over a decade. So that's a little of my background; I also have an MCSE (W2K), A Plus, Net Plus, etc., so I know it's got to be something stupid that I missed or something wrong with the router. It was purchased new just before the holidays, and I tried calling the posted Cisco number and the auto phone wanted a PO agreement before it would connect me. OK, so all I need to do is port forward two ports (3389 and 82), same ports internal and WAN side. The internal is being sent to two different IP addresses, one per port config. So I did set up the UPnP, set up the service as enabled, and really looked in the knowledge base to see if I was missing something. So I left the site, although just before I left I set up the remote admin login from the WAN side. This does not even pick up. There is no other firewall between the device and the internet except for the T1 demarc.
This is a RV 08 new router, so I need a phone number for Cisco small business for new products. I miss those good ole days where everything you needed to open and forward a port was located in one area in a router firmware setup.
May 21, 2013
I have an NM-16ESW card installed in one of my 3845 routers. Below is the sh inventory output:
NAME: "16 Port 10BaseT/100BaseTX EtherSwitch", DESCR: "16 Port 10BaseT/100BaseTX EtherSwitch"
PID: NM-16ESW , VID: V01 , SN: FOC11482484
NAME: "Gigabit(1000BaseT) module for EtherSwitch NM", DESCR: "Gigabit(1000BaseT) module for EtherSwitch NM"
PID: GE-DCARD-ESW , VID: V01 , SN: FOC11454FW6
Can the Gig port available here be used for uplink? I found the following comment at
[URL]...
"GE-DCARD-ESW: This optional 1000BaseT Gigabit Ethernet port for NM-16ESW and NMD-36-ESW can be used for a gigabit connection for a file server or for intra-chassis stacking of the Cisco EtherSwitch module. Stacking is supported in Cisco IOS release 12.2(11)T and beyond"
Nov 15, 2012
I have 1x Cisco 6509 with Sup2 and MSFC2 and it is running on IOS (c6k222-jk9sv-mz.122-17d.SXB11). I have the following policy map:
Policy Map VOIP
Class IP PHONE
priority percent 75
and the following command on each interface: service-policy output VOIP. Those configurations are working fine on SUP2 with MSFC2, but last week I tried to upgrade the SUP2 to SUP32 on the switch and upgrade the IOS to the latest version (s3223-adventerprisek9-mz.122-33.SXJ4), but when I try to put service-policy output VOIP on each physical interface I am getting the following error:
"Priority command is not supported in output direction for this interface" and when I try to add service-policy output VOIP on a VLAN interface I am getting the following error:
"MQC features are not supported in output direction for this interface." Will I need to change something after upgrading to SUP32?
Dec 25, 2011
I have one router CISCO2911/K9 (Cisco 2911 w/3 GE, 4 EHWIC, 2 DSP, 1 SM, 256MB CF, 512MB DRAM, IPB). But now my management is asking me to upgrade this router to CISCO2911-SEC/K9.
What will be the BOM for this upgrade?
Jun 4, 2013
Are there any best practices for preventative maintenance on Catalyst chassis switches? I'm looking to build a PMI schedule for a customer. Or is there evidence not to perform it at all? Things like re-seating line cards, cleaning fan exhausts, etc.
Apr 6, 2011
This computer was working on this router, no problem. The computer crashed, and now the computer is fine; I connected it to my cable from my desktop computer and it works fine. It just cannot hook up to the wireless connection?
Jan 28, 2011
I am looking at this doc to use an ASA + 2911 to do Policy Based Routing with multiple ISPs. From the linked doc, under the PBR scenario, what should the IP addresses be for the router's connection to the ISPs? It isn't labeled.
Dec 21, 2011
What specific commands are needed to configure QoS on a router?
Two sites:
Cisco 2911 (Site 1), Cisco 2911 (Site 2)
Data VLAN
Management VLAN
I want to configure QoS on Site 1 where the Data VLAN traffic is always marked higher than the Management VLAN traffic coming from Site 1.
Dec 27, 2012
I have one router 2911 with the following image, c2900-universalk9-mz.SPA.151-4.M4.bin. I have two ISPs on this router and I tried to configure the IP SLA on this and I'm not able to do it, and I don't know why. I can configure almost everything but not the IP SLA command. This is the config:
track 10 ip sla 1 reachability
delay down 10 up 1
!
track 20 ip sla 2 reachability
delay down 10 up 1
!
[code]....
What do I need to do in this case? Or why can't I configure the IP SLA?
Oct 13, 2011
I have a Cisco 2911 router that is located in my head office LAN, and I use this router to connect to my branch networks. I want to configure IP SLA Monitor on this router to track my WAN links, but it does not support the command IP SLA Monitor. My IOS version is c2900-universalk9-mz.SPA.151-2.T1.bin. How can I configure IP SLA on my router?
Feb 12, 2013
I have a router Cisco 2911 with two possible WAN interfaces out and a backup configuration using IP SLA. When the Primary Interface goes down the traffic is automatically rerouted through the Backup Interface, but the problem I have is that when the traffic is going through the Backup Interface (because the Primary is down), if the Backup Interface also goes down and then the Primary goes up, the traffic is not automatically rerouted to the Primary Interface. And it looks to me like it keeps trying to go out the Backup Interface and cannot see that the Primary is down. I guess that the pings are going out the Backup Interface, and as it is down the router doesn't receive any answer to the ping and doesn't change to the Primary.
The main configuration related to the IP SLA is this:
!
track 1 ip sla 1 reachability
!
interface GigabitEthernet0/0
description backup Interface
ip address 175.xx.xx.10 255.255.255.252
ip nat outside
[Code]....
Aug 5, 2012
We have a 2911 with HWIC-4ESW. System image file is "flash0:c2900-universalk9-mz.SPA.152-1.T1.bin"
_2911#sh inv
NAME: "CISCO2911/K9 chassis", DESCR: "CISCO2911/K9 chassis"
PID: CISCO2911/K9 , VID: V05 , SN: FGL16011005
[Code]....
The problem was that the HWIC-4ESW no longer passed traffic, although it showed the interfaces as up; rebooting the router solved the problem. What IOS is more stable and not subject to this problem?
Mar 2, 2012
Recently I attempted to build a LAN 2 LAN VPN tunnel from an ASA to a 2911 running zone based firewall. This was a standard IPSec PSK tunnel, nothing fancy. I got the tunnel to establish, but I could only get traffic to encap on the ASA side and decap on the 2911 side. I couldn't get return traffic. I followed this doc here for classic IPSec in the last example. URL
And I am sure the ASA is right; I've built a ton of those, but I am new to ZFW. I did not see anything about a NAT exempt rule. But since everything uses real IPs instead of NAT I wasn't sure and I could not find any info. Do I need to do NAT exempt? If so, do you use a route map on the end of your NAT overload config line like in the past?
Also I have a zone-pair to "self" and I was not sure if I needed anything there to be able to ping the inside interface of the 2911 when the tunnel is up from the remote end.
Mar 26, 2013
I have to build an HA environment. At the moment we have only one R1 and WAN1, but the company wants to buy R2 + WAN2 and have HA between the routers, so that in case R1 or WAN1 goes down the other router will take over.
What would be the standard methodology nowadays to do that? Will HSRP do what I need, or is it better done some other way?
Jan 17, 2012
I am trying to add some APC UPS devices into CiscoWorks LMS 4.1. For example, I have three APC Smart UPS 5000 RT RMXLI with management cards AP9619. I have chosen Device Type as "Smart-UPS RT 5000 XL" in the Non-Cisco Devices list, but when I am creating an Inventory collection job, I'm getting status failed for these devices and the error is: "RICS0001:Internal Error,unable to process the collected data from the device"
Jun 26, 2011
I've set up a VPN between two sites using Cisco ASA 5505 and the Wizard. Unfortunately the VPN works only one way, from 8.2 (2) to 8.3 (1), even after spending one day trying to resolve the issue. Logs show that pings leave ASA 8.3 but never hit ASA 8.2; the opposite way everything works perfectly. [code]
Apr 29, 2013
SM-ES3-16-P works as a layer 3 module, which means that the uplink which connects to the router (internally) is a layer 3 interface. Is there a way we can use it as a layer 2 switch and connect the uplink as a trunk port?
Mar 11, 2013
What is the max number of T1s that can be bundled on a 2911 router?
Apr 19, 2011
I need a V.35 interface on a 2911 router, but it does not have a WIC slot; it has EHWIC. Could someone tell me if there is a card with a V.35 interface that I can install in this model of router?
Apr 26, 2012
I have the following setup, where the Cisco ME 3400 is provided by the ISP.
My Cisco 2911 is configured as below:
CORE_Router#sh run
Building configuration...
Current configuration : 6075 bytes
[Code].....
Aug 1, 2012
I have a problem I am running into... I replaced a 2621 with a 2911. The 2911 has three interfaces and I need to use all of them... Description:
gige0/0: DHCP static IP from ISP, public IP; they assign me 4 more usable public IPs.
gige0/1: broken into four VLANs, 108, 109, 120, 127; ip nat on 109 for them to get to the internet, and a static translation on 127 for the phone system to get to the internet.
gige0/2: assigned another public IP. A tenant has a Linksys router on this interface; they want a public IP.
The problem is that this setup worked, but when we moved to the 2911, some NAT translations are failing, and we would like to figure out how to minimize the number of public IPs we use (right now it is three + the static assigned DHCP). The NAT that is not working is the NATs to the 2001-3001 range. I am not sure why it is failing, but the router seems to indicate it thinks some of these overlap. This router is also doing a VPN to an ASA... that seems to be working fine.
Current config:
Current configuration : 6072 bytes
!
! Last configuration change at 14:31:44 UTC Thu Aug 2 2012
! NVRAM config last updated at 14:31:50 UTC Thu Aug 2 2012
[Code]....