Cisco WAN :: 2 BGP Routers With 1 NAT Entry 881 Configuration
Sep 26, 2012
I am trying to split traffic entering from the web for servers so that everything goes over the ADSL link, but time-sensitive traffic such as Sharepoint (TCP 80) goes directly over the ESHDSL link. The problem is that traffic entering through the ESHDSL link hits the server, and the server replies out of its default gateway, which is the ADSL router, which doesn't know what to do since it has no NAT entry for the return path.
How can I make it so traffic can enter one router and exit the other?
The two routers have HSRP to provide failover between the two, and BGP is set up so one BGP route goes ESHDSL-ADSL and the other ADSL-ESHDSL.
The routers are an 877M-SEC-K9 and an 881-SEC-K9.
Oct 2, 2012
cisco 2651XM router
IOS: c2600-adventerprisek9-mz.124-15.T8.bin
If I do #sh arp in the terminal on this router I see a rogue entry, thus:
Internet 192.168.0.4 0 Incomplete ARPA
My whole LAN operates on 172.16.x.x/16; there are no 192.168.x.x devices connected. In the past I've had 192.x.x.x devices running, but not for a long time, and the router has been restarted since then. I've tried several clear commands in the terminal but this entry is stuck there. I've also seen it in a Wireshark scroll on a PC when monitoring the router's ADSL traffic - it shows up as an SNMP entry, and I do use SNMP on my router, but that data goes to a 172.16.x.x machine. How can I clean this entry out?
Jun 5, 2011
I am configuring MHSRP on a Cisco 2901 router.
Router-B(config)#ip nat Stateful id 1
Router-B(config-ipnat-snat)#redundancy SNAT1
Router(config-ipnat-snat-red)#mapping-id 1
[code]...
When I enter redundancy SNAT2, this error occurs:
%Multi-redundancy entry not supported.
Apr 29, 2013
I have a RVS4000 and just received a log entry "Kris is unlocked".
Dec 26, 2011
I need to retrieve my password for the Linksys WRT54G router.
Jan 26, 2012
I have a requirement to NAT a spare address in the same subnet range as one of the firewall interfaces. However, because this address is not allocated to a physical interface, there is no MAC entry in the ARP cache. The other end of the link from the firewall is connected to a router, which has no idea how to reach this "virtual address" - again because there is no entry in the ARP cache. I have tried to put a static ARP entry into the firewall, but this doesn't appear to work either. Should I be using a MAC address from a physical interface, or can I create a dummy MAC for this? If the router can't see the IP address, then users will not be able to target this address so that the firewall can NAT it to the real outside address. I have tried routes to null0 on the router and static ARP entries on both devices, but the user just times out when trying to connect to 10.2.7.11 (NAT to 10.2.32.11).
Sep 5, 2012
We have one business application, accessed across the GCC region by having a single entry in each individual computer's hosts file, i.e. 123.123.155.116 myappl.mycompany.com. Other than Bahrain, all countries are able to successfully resolve the hostname (the application only works against the hostname (Oracle EBS)) using this hosts file entry. Now, prior to contacting the ISP in Bahrain (where internet is regulated due to the current political situation), we need to know whether anything could be done from our end to resolve this issue.
Apr 29, 2011
An attacker has configured his PC with a static IP address, but there is no such entry configured statically in the switch, nor in the DHCP snooping database. Now, when he wants to generate traffic, will the switch block him? Because there is no entry for his PC in the switch database.
Sep 1, 2011
Is it possible to use a DNS entry in an extended ACL instead of an IP address range?
Nov 16, 2011
I have a WAP200 with a static IP address, e.g. 192.168.249.205/24 (it is for management and is in VLAN 1). Firmware of the WAP is 2.0.4.0. No GW and no DNS (they are not necessary). I export the config. I have a second WAP200 and import the config.bin to the new WAP. Then I'd like to change the static address and the name of the new WAP, but - and this is the problem - it asks me to fill out the DNS (the address for the primary DNS cannot be 0 or 255), but I absolutely don't want that because there is no DNS or GW (management only). And if I fill it out I cannot go to the internet with the WAP.
I also have some other WAP200s where I could import the config.bin and change the static IP without giving a DNS (firmware 2.0.1.0). Can I go back to a previous firmware (Europe), and where can I find it? I looked for it, but am seeing only the last one, 2.0.4.0 ETSI. Or is there another method to skip the DNS with a static IP address?
Apr 30, 2012
When I try to add new MAC entries to the WLC I get the following message: unable to add mac entry to database, reached max size. The problem is that when I look at the stats there are only 386 MAC entries, and the database size was set to 1024 entries. The workaround was to increase the size of the database to 2048. Is there any way to clean up the database?
Mar 17, 2011
Using CCP I am trying to create a NAT entry for a range of ports. The CCP window for a new NAT has only one entry for the port number. Is it possible to set up port ranges on an 877 router?
Sep 13, 2011
In my environment, VPN users are connecting to the corporate network via an ASA 5540 and using 3.5.1, 4.8, 5.0 (32-bit) and 5.0 (64-bit) VPN clients. After they have built the VPN connection, they use a program that generates traffic to a broadcast address (x.x.x.255) inside the corporate network.
There is no problem with users who are using 3.5.1 and 5.0 (64-bit), but the 4.8 and 5.0 (32-bit) VPN clients cannot add an ARP entry to the Windows machine's ARP table. If I add an ARP entry for x.x.x.255 on the VPN interface, they can work.
Jul 17, 2012
I am having a peculiar issue in my setup. I recently replaced my ASA 5505 (8.2.1) with an ASA 5510 (8.4.3). Everything works fine for a while, then suddenly I see that some of the servers are not reachable from the LAN; all the servers' gateway is my switch. If I check on my Dell switch, the particular server's ARP entry on the connected port is the same as the ASA's physical MAC. If I revert to the 5505 ASA, everything goes smoothly without any issue.
Feb 24, 2011
Every time I start one of my two Windows machines, I need to go to the control panel network adapter and enter the static IP address in the IPv4 properties. It is always blank after a shutdown. I have two machines that are networked for flight simming. One of the machines must have a static IP, so I configured both static. Not sure if this has anything to do with my problem.
May 3, 2012
I have a 5510 using AnyConnect VPN clients. I have a DNS name for my router to accept connections, i.e. cisco.mydomain.com. I can ping the address by hostname from the client's machine OK, but when the AnyConnect client opens it has my hostname (i.e. cisco.mydomain.com) but says "invalid host entry". I have to type in my IP address for it to connect. I have the hostname in my AnyConnectProfiles.xml.
Dec 16, 2011
I'm configuring an ASA-5510, and I have several interfaces, some of which include:
interface Ethernet0/0.200
vlan 200
nameif SITECORP
security-level 90
ip address 10.1.4.1 255.255.254.0
!
[code]....
This definitely confuses me, because SITECORP has an inbound access-list of permit ip any any.
Jan 22, 2012
We're replacing our older catalyst switches with new SG300 family switches and have a Microsoft NLB cluster for some services that run in multicast balancer mode.
We currently do L3 routing to the network with the cluster and have the following IOS configuration line in the specific switch to let users on other subnets access the services:
arp 10.20.1.226 03bf.0a14.01e2 ARPA
How do we replicate this using the SG300 series in L3 mode? Whenever I try to add a manual ARP entry I get an error message saying that the MAC address is not a valid unicast address.
Feb 19, 2013
Through ASA WebVPN we need to provide our users remote desktop access; we would not use static rdp:// bookmarks for this, as this would grow into too much management effort with bookmark updating. Our strategy would be to give users the "URL entry" bar where they can input the resource name (example: "pc-flavio.mydomain"), so the management effort is moved to the people who manage the DNS server. This stated, we noticed that most end users would get into trouble because the default "url-protocol" is http://, so they don't change it to the correct rdp:// from the drop-down list and don't get the Java RDP applet started. Is there a way to administer the default protocol for the URL Entry function? Our setup is an ASA 5510 ver 9.1, act/stb failover.
Jan 12, 2011
I have a client in a workgroup environment. They are a small company with perhaps twenty systems. Their infrastructure consists of a Dell switch, a Cisco ASA-5505 which hands out DHCP, and a router. And that's that. They have been using an external IP as their DNS server to get out to the web. However, they now want to add an internal Linux-based DNS server. In looking through the ASA-5505 today I noticed a field for DNS entries. Is this where the IP for this new internal DNS server (in the secondary DNS field) would go? If so, would it be necessary to reboot the ASA-5505 for this change to take effect?
Sep 25, 2012
We have a site, and on that site we have a server which has been down for the last two days. However, to manage these devices we are not using any tools. We are not able to find where this server is located or which switch it is connected to.
I know that the MAC address timer is 5 minutes and the ARP timeout is 4 hours. Is there any way to find out the MAC address of the server? I feel like this can be done with CEF? Whether that is true or not, I am not sure. I am running 3750 stacks and 2811 routers. The 3750 stacks are working as layer 3 devices. They are also running the pretty new IOS 12.2(53)SE.
According to my understanding, nowadays a CEF entry does not expire if it is not being used. They remain in the cache, as we are running destination-based CEF.
Dec 3, 2012
We have a pair of 6509s with duplicate ACLs and entries.
1 = Version 12.2(33)SXI4a
2 = Version 12.2(18)SXF15a
I wanted to remove some logging that was on an entry in one of our extended ACLs. On 1 this worked fine with no 400 followed by:
400 <acl rule without log>
However, on 2 it lets me carry out the no 400 command, but when I go to add the 400 <acl rule without log> I get the error % Duplicate sequence number. Sure enough, when I perform 'show access-lists <Name>', it is still there!
I have tried the following:
Adding a duplicate ACL entry before it (399) without log, and I still get hits on line 400.
Adding and removing the duplicate created line 399 (without logging) with no issues.
Adding and removing a duplicate ACE (without logging) after it (line 401) with no issues.
It looks like it is just this line that it seems to think it has removed but hasn't?!
I understand an option is to duplicate the ACL in a text editor, remove the line, delete the ACL and put the edit back in... however, I wondered if this is something known (a bug).
Oct 20, 2011
I would like to capture packets which are going through an IPSEC tunnel. The packets originate in the appliance (syslog) and are sent to the remote via a VPN. I can see the encapsulated packets going out to the peer and I can see the ISAKMP packets to and from the peer. Because the packets originate within the appliance, they do not appear on any interface to be captured.
Is there some way to capture these packets before they are encapsulated? I attempted to capture packets on the asa-dataplane, but they are in a format that I cannot decode, and I cannot put a filter on the capture.
Hardware is ASA-5520.
Software is version 8.3(2).
Aug 19, 2011
Is PBR with deny ACL entries on a 3750 still punted to the CPU? I found this article: URL
High CPU Due to Policy Based Routing
Policy Based Routing (PBR) implementation in Cisco Catalyst 3750 switches has some limitations. If these restrictions are not followed, it can cause high CPU utilization. You can enable PBR on a routed port or an SVI. The switch does not support route-map deny statements for PBR. Multicast traffic is not policy-routed. PBR applies only to unicast traffic. Do not match ACLs that permit packets destined for a local address. PBR forwards these packets, which can cause ping or Telnet failure or route protocol flapping.
Do not match ACLs with deny ACEs. Packets that match a deny ACE are sent to the CPU, which can cause high CPU utilization.
In order to use PBR, you must first enable the routing template with the sdm prefer routing global configuration command. PBR is not supported with the VLAN or default template.
I checked the latest config guide, and those same guidelines are still listed. If that limitation is still there, are those packets switched at the process level (ip_input) or the interrupt level?
Jul 16, 2012
My network looks like this:
[RADIUS] --- [C881] --- [SG200 Switch] ---[WinXP]
One of the SG200 interfaces is set as a supplicant and it authenticates to the RADIUS (FreeRADIUS) server via the C881 router. WinXP and other PC clients authenticate to RADIUS via the SG200. Now: authentication works perfectly. Ports open as they're supposed to. I'm able to reach RADIUS from the SG200 and vice versa, but there is a problem with WinXP. When I connect it to the SG200 it authenticates, the port opens and I'm able to reach RADIUS or any host on the left-hand side, but only for 300 seconds. After that period of time the C881 loses WinXP from its ARP table and all communication fails. I can't even reach the C881's interface facing the SG200. Then I type:
c881(config-if)#dot1x port-control force-authorized
The C881 learns WinXP's MAC and IP again and all gets back to normal. When I type
c881(config-if)#dot1x port-control auto
after 300 seconds the C881 forgets WinXP again and communication breaks down.
How is it possible that a router forgets the MAC of a host it is continuously "talking" with?
Have you ever seen this kind of behaviour? I tried two other software revisions on the C881 and the result is always the same. Bug or feature?
Nov 12, 2012
I've attached a document showing how this network is designed. A client on a guest VLAN behind the ASA, NAT'd to one address on the public subnet, needs to be able to get out to the internet and still come back in for specific services, such as OWA, via the IP which the mail server is NAT'd to. The drawing is pretty self-explanatory. Do I simply need to create a NAT statement and ACL to allow that client out and back in, or do I need to set up hairpinning? I'm working with a Cisco ASA 5505 Version 8.4(4)3.
Note: The drawing has public IP's substituted with 1.1.1.x with final octet being accurate.
Jul 26, 2011
I'm setting up two VLANs and I would like all of VLAN 2 to only have access to the WAN router on VLAN 1 at 192.168.30.1.
VLAN1 192.168.30.x
VLAN2 192.168.31.x
I've set up the VLANs and static routes, and I'm able to access the WAN router at 192.168.30.1 from the 192.168.31.x network, and everything is fine.
I'm getting an error setting up the IPv4-based ACL that is designed to allow the 192.168.31.x network access to only the 192.168.30.1 WAN router.
The first rule I set up is to permit source 192.168.31.0 / 0.0.0.255 dest 192.168.30.0 / 0.0.0.255 to allow all traffic from the 192.168.31.x net to access the 192.168.30.x net. Then I was going to deny the dest of 192.168.30.1-255, but I'm not sure of the wildcard to use for that.
I'm not clear on the wildcards, but I'm also getting the following error when I set up the first ACE rule:
"MIB Index is out of range.Index must be bigger then 0 and Existing ifindex.."
I suspect the error is related to how I'm using the wildcards?
Jul 1, 2012
Thinking of getting one of those 8-port 2960s for CCNP study. Is the difference between the C2960-8TC-S and the C2960-8TC-L models in hardware, or in IOS, or both? And if it's in IOS, is the S upgradable to L?
Dec 26, 2011
I plugged an IP device into a 2960 Catalyst switch. The port is up, but there is no MAC address learned on it:
TNSWAGCS01002(config-if)#do sh mac add int fa0/16
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
TNSWAGCS01002(config-if)#
TNSWAGCS01002(config-if)#do sh int fa0/16
FastEthernet0/16 is up, line protocol is up (connected)
Hardware is Fast Ethernet, address is 0064.40ee.f510 (bia 0064.40ee.f510)
Description: --- STC ---
[code]....
I read that it may be a L1/L2 issue. We tried with another ethernet cable. We also tried with another IP device of the same model. That did not solve the issue.
Dec 31, 2012
I am getting very frustrated trying to modify/create ACLs on my SG300-20 switch. I have the switch in L3 mode. I have created several VLANs, and ACLs for each VLAN controlling their access to each other. After the initial setup, I started trying to create more VLAN ACL rules to allow more access between the VLANs. The problem I keep running into is that when I go to modify the ACEs in the ACL, I keep getting the error message "Entry already exists". For example, I go to modify the port ranges to tighten them up, try to save the ACE after modifying it, and I get that error message.
Feb 24, 2011
I have a clientless VPN configured for webmail on an ASA 5510. However, for some reason it also displays in the drop-down of the AnyConnect client, and consequently if you try to connect you do not get redirected to the webmail page. Does anyone know how I can either remove the entry from the drop-down of the AnyConnect client, or force the web page to open if the connection is granted via the AnyConnect client?
Dec 4, 2011
I have some error messages in the Nexus 7000 log. After searching I cannot find an adequate explanation; pretty much the only thing I can find is below, and I don't think it is very relevant to my situation. The device is in production, so reloading and pulling cards willy-nilly is the last resort.
Device = Nexus 7018
IOS version = 5.1(2)
Log messages =
2011 Dec 2 14:52:35 IAS01LVSWIPC01 %OC_USD-SLOT8-2-RF_CRC: OC2 received packets with CRC error from MOD 6 through XBAR slot 1/inst 1 and slot 2/inst 1 and slot 3/inst 1
[code]....
Jul 14, 2011
The ASA is the server, the 2651 is the client. Phase 1 is negotiating; after entering XAUTH on the 2651, the ASA is showing:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 10.250.2.0/255.255.255.0/0/0 local proxy 10.10.3.0/255.255.255.0/0/0 on interface Outside
Not sure what this means in this instance; the maps are set up the same as in the article below. I would more have expected that sort of error if this were a static tunnel and there was an ACL issue. I don't have a lot of knowledge of Easy VPN with the ASA. [code]