I have a site that is connected to the Internet via T1 into a 2811 running C2800NM-ADVENTERPRISEK9-M, Version 12.4(11)X. I have noticed that when I do a port scan on the outside NAT pool I see well-known ports in the closed state, i.e. 7, 21, 22, 23, 25, 99, 100, 80, 443. These pools are for end users to access the Internet. Does this pose a security risk? What can I change to provide end-user access to the web but not leave these well-known ports open?
How many extra interface ports can be plugged into the 2811 router? There are 2 fixed FE ports on this router and I have 3 connections, i.e. one MPLS link, one Internet link and one SIP trunk. Can somebody confirm that I can insert a module in the 2811?
I have a 2811 router with a 9-port switch module and a four-port ISDN module. The ISDN module is our connection to the outside world. FE 0/0 and FE 0/1 are connected to separate networks and both route out the ISDN connections. We are getting a new satcom system that consists of a modem, antenna control unit (ACU), and an antenna. The ACU and the modem communicate across Ethernet and are generally hooked to a switch. Any computer hooked to the switch can simply use the modem IP as its gateway and be surfing the Internet without much hassle (just need the correct DNS addresses). I'd like the networks behind FE 0/0 and FE 0/1 to be able to route out the satellite modem for their Internet connection -- when the satellite is available. Is it possible to put two switch ports in a VLAN (one for the modem and one for the ACU), give the VLAN an IP in the same subnet as the modem and ACU, and then tell the router to route traffic out the modem IP address?
I have a 2960 and a 2811 with an HWIC card. I have one port set at 100 meg and another port set at 10 meg. Both are set to access mode. I need one port for failover (10 meg). I can't do EtherChannel on the HWIC. How do I prevent a loop when I connect my second connection while having both connections up? Should I use BPDU guard? The goal is to have one port fail over if the 100 meg goes down. And I'm currently running OSPF, so it should take the faster connection.
We have a leased line from one office to a DR site which we use to back up our data. We are using a Cisco 7204 and an OC3 circuit. The data is sent in blocks (SRDF) and we are sending changes only. However, we are getting requests from compliance to further secure this connection since it is a leased line. I guess I need to know how secure SRDF traffic is and then, if required, how to secure it.
Can we create a simple VPN between the two routers without having to use a VPN concentrator or Firewall? If so, what IOS would be required? How much impact will the VPN have on current bandwidth?
In my building there are 2 wireless access points connected directly via a switch into the router. So the problem is I don't want to set a password for the wireless, but I want to be able to filter all computers that are connected wirelessly to my Internet because many of them are mass-downloading torrents, movies, etc., and it slows the Internet massively. What do I need to do to make something like a filter, which would be like an ISA server or something?
I have an ASA firewall and I have never configured an FTP server for a large-scale network (well, large in my opinion). I want to ensure we have the highest level of security available for the FTP and to limit access only to the specific users designated by an ACL. Would SFTP be the best available option for security measures? Should I only use passive FTP, and what range of ports above 1023 should I open for only 1 or 2 FTP clients at a time? Also, if I use passive mode do I need to use protocol inspection for FTP? Also, currently I'm unsure of what files need to be accessed on our network, but should the SFTP server always only be installed within the DMZ?
I need help securing a wireless environment in a hotel. The SSID has to be broadcast of course, but how can we protect guests from man-in-the-middle attacks, etc.? Currently the environment is all AP1200s with no hardware upgrades in the near future. There is also a 2811 router in place but nothing else. We would love to be able to force users to authenticate with a password in order to get out to the Internet as well.
Besides MAC address filtering, is there another good / easier way to keep visiting laptops etc from plugging in a CAT cable and accessing a LAN protected by a perimeter firewall?
I have a 2800 series router which is directly connected to the ISP. How can I secure the router from outside access? I am totally new to the security concepts.
I have a VPN on my ASA 5510 between (A) 192.168.255.0/24 and (B) 172.20.2.0/24. The purpose of the tunnel is to send Kerberos tickets from our domain controller on the A side across to a server at B, and receive a response. I want to lock down inbound traffic to the A network, but I am not sure of the best method.
I initially tried using an ACL filtering on ports, but soon realised the incoming traffic uses a wide range of ports, so this is not really possible. Seeing as the A side will always be initiating the conversation, I was wondering if I could use the 'established' option on the inbound ACL for the ASA at the A side, so that it would block any flows that are not initiated by the A side.
I have run three computers on my wireless network for a few years now, and have an HP OfficeJet 6500 Wireless printer that has worked seamlessly on all computers. That is, until I secured my router. I had an open wireless connection that I changed to secure (WPA) a couple of weeks ago and have been unable to connect to my printer wirelessly to print. It will print if connected to USB. The first day I was able to enter in my WPA key just fine, but not since. It doesn't appear to be finding my connection. Oddly enough, one of our computers (a laptop) is able to print to this printer, so I am not sure. All computers are running Windows XP, I believe with SP3. I use a D-Link wireless router. I have tried using the HP solutions to no avail and have checked in the documentation that came with the printer. As an aside, I now appear to also have another wireless connection which is a "computer-to-computer" connection, I believe an ad-hoc connection?
Securing a back-to-back connection using E1. The connection is between two cities, using 2x Cisco 1841 routers + VWIC-1MFT-E1 interface at each city.
The E1 connections have been provided by our local telco, and they are completely private. The customer is a bank, and they are asking me if this is a secure connection or not. If possible, we need to guarantee that nobody can get access to the bank network even if they brought an E1 modem to one of the ends (telco PoP).
Is it possible to allow certain websites to bypass the web authentication pages, so that they do not need to authenticate to get to our own website, but do have to if they wish to go anywhere else? Looking at a 5508 model at the moment.
We have an ASA 5505. The 5505 comes with two default VLANs, 1 & 2, with each of them marked as inside & outside respectively. My query is, if I do not want to use VLANs on the 5505 and only want to use the Ethernet ports as pure physical layer 3 ports, is it possible? I.e. I want to assign a layer 3 IP address on eth0/0 and eth0/1 and make them the inside & outside interfaces rather than VLANs. Is it possible to do away with VLANs on the 5505 & will it work otherwise?
Is there a way to associate spare firewall ports with another port that is being used? For example, int gi 0/2 is being used currently for my web DMZ. Its IP is 192.168.10.1. Is there a way for me to associate gi 0/3 with the same layer 2 as gi 0/2?
In my web DMZ I use 2 ACE 4710 proxies in FT mode. I used a layer 2 switch to connect the firewall and proxies together.
I would like to eliminate this switch if possible and connect both 4710's (layer 2) directly to the firewall. If I could make gi0/2 - 4 part of the same VLAN, then I would be good to go.
How many of the 881 switch interface ports can be used as router ports? I have used the 877 etc. where I can use 2, but I need a low-cost router that supports 3 for routing (they need to be physical ports).
One of our techs accidentally connected two access ports from different switches together. Since then, LMS is alerting them as being link ports down. I tried to default the config and set them to access ports without any success. What should I do in LMS to recognize them as access ports?
My setup is ISP-2811-PIX 515E-LAN. Right now, I am doing a PAT for IPsec tunnels to terminate on the PIX. Do you recommend I use the 2811 instead of the PIX for VPN, or keep things the way they are? Trying to determine the best box to use.
I want to upgrade LMS 3.2 to 4.1. But when I look at the "Special Notes and Exceptions for Devices Supported" document, it seems that the 2811 has 2 SysIDs.
Why are there two IDs for the same hardware, and under which ID will my 2811 routers be classified in the inventory database? This information is important since the customer wants to have support for the 2811 in CiscoView of LMS 4.1 (around 200 devices).
Looking to implement CoPP in our 2811 ISR. We currently have the base 256 MB of DRAM in there. Will this bring our router to its knees? I've priced a RAM upgrade.
I have a branch router that connects to an MPLS WAN. It also has a second interface that is used for DMVPN failover in case the WAN goes down. We want to use this second interface also as the primary Internet circuit for the branch. I changed the default route to the next-hop address on the other side of the second interface and expected this to work. But I was told I need to set up NAT for this to work, and set up an ACL for NAT to use. How do I set up NAT?
I have a 2811 that I can remotely VPN to using the Cisco VPN client; however, I cannot see the internal admin network (10.35.5.0).
Current configuration : 4845 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
I have a particular site that is causing me trouble. This site is connected in a back-to-back configuration using a 2811 at the CO and a 2621XM at the CPE. The CO end is also the CO for 3 other sites, so it has a total of 4 WICs installed (WIC-1SHDSL-v2); these other sites also have 2621XMs for the CPE.
The problem I am getting is that when one site in particular transfers large files to/from client machines, the CPU on the 2811 jumps to 99%:
CPU utilization for five seconds: 99%/98%; one minute: 26%;
We have a Cisco 2811 router with 2 ADSL interfaces. One dialer interface is used for Internet and another dialer interface is used for VPN.
The dialer interface that is used for Internet purposes is "Dialer 1" and the VPN one is "Dialer 2".
The route looks like this: ip route 0.0.0.0 0.0.0.0 dialer 1
Basically, I am able to ping the external IP address associated with the Dialer 1 interface; however, I cannot ping the external IP address associated with Dialer 2.
I have a Cisco 2811 with an additional HWIC-4ESW card. [code] I need to NAT anything heading out of the WAN port. [code] I can ping anything connected to my other private networks from my 10.0.24.0 network but nothing on the Internet. [code]
I just bought an additional router for my network and I'm in the process of setting it up. I have, however, hit a snag with enabling SSH on the device. It is a Cisco 2811 router running IOS 15.0 (refer below to my attempts).
I want the below-mentioned IOS image for backup purposes. But I am not finding it on cisco.com or anywhere on the Internet. Where can I get this version of the image other than from my router?
I have a 2811 ISR configured to provide the following services to my network: Internet access to LAN users, Cisco Call Manager Express, site-to-site VPN to 3rd-party networks, VPN server to provide VPN access to remote users, security zone configurations, static NAT configurations. Now I recently just got the ASA 5510 device and I am not sure how to go about the setup, whether to put the ASA in between the Internet and the ISR (Internet - ASA - ISR - LAN), or put the ISR in between the Internet and the ASA (Internet - ISR - ASA - LAN)? While I know I can move most of the config onto the ASA, I know that the CME cannot be moved, hence I would like to do the setup such that users on the network still have access to CME.
I've set up an NTP service by using Cisco 2811 routers. This works fine at the moment, but in the end there are some questions left.
1. I'm using two 2811 routers, one as primary, which is receiving the time from PUBLIC NTP 1, and one as backup, which is receiving the time from PUBLIC NTP 2. Is it possible to compare these two times and check if they match? And if not, generate an alarm via e.g. SNMP?
2. Is it possible to check via SNMP if the routers are reaching PUBLIC NTP 1 and PUBLIC NTP 2 for sync?