Cisco WAN :: 3560G Layer 3 - Getting The Configuration For ASA5510?
Apr 19, 2013
I am currently working on my first ASA5510 configuration and am running into some issues. The ASA is running 8.2(5). The network setup is as follows:
Layer 3 switch with 4 VLANs with ip routing enabled.
All systems are pointing to the 3560 as their default gateway.
ip route 0.0.0.0 0.0.0.0 10.20.100.30 (asa)
The ASA is directly connected to the L3 switch on one of the VLANs. The other VLANs are not established on the ASA, but static routes have been created for them on the ASA.
I am able to ping the ASA from the switches, etc.
I am able to ping the switches from the ASA.
When connected to VPN Client to ASA, I am unable to reach anything behind it. When at the office, I am unable to reach the internet from the ASA.
The following NAT configuration is in place on the ASA:
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
Apr 12, 2013
Configuring OSPF on a catalyst 3560G Switch to connect to our building next door by way of fiber. The other two switches in the other building are running OSPF, I am trying to connect to the other building and access a server which is on a switch running OSPF. I am trying to configure the switch here to run OSPF and be able to see the neighbor, but currently can't although I've identified the networks. Maybe I'm missing something, I've followed the instructions but something is not right.
Feb 12, 2012
I am using a Cisco ASA5510 firewall on my network at the distribution layer. The private IP address is in the network for users and PAT is used. I have a client who has configured RDP on port 2000. When the users behind the firewall in my network try RDP it does not work; it shows "configuring remote Desktop" only. I am able to telnet to the client's said server on port 2000 but unable to RDP. Are any changes required on my firewall so that, as a result, RDP works?
Jun 13, 2011
If there is C6509E as core switches and C3750 Switches running layer 3 at the User dept uplink to the C6509E Switches, what will be the multicast command that should be implemented at both end? CGMP or IGMP or do not need to implement this snooping as well?
Users (IPTV) -> C3750 (Access Switch) -> C6509E (Core Switch) -> C6509E (Server Farm Switch) -> IPTV Servers
Do we need to configure multicast at C3750 Switches (Access Level) at the User dept? Let's say the IPTV Multicast is 239.1.1.1. How can we build up this multicast configuration based on this scenario?
May 23, 2012
I have been practicing with layer 3 etherchannel configuration and I am facing a problem here. I have two 3560 switches and I want a layer 3 etherchannel configuration set up between the first 2 ports of both the switches. I assigned IPs to Port-channel 1 of both the switches, "10.1.1.1 /24 and 10.1.1.2 /24", but I am unable to get a successful ping. What am I doing wrong? Below are the configs for both of my switches.
3560_1
Building configuration...
Current configuration : 1274 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
[code].....
Apr 29, 2013
I've turned up a new layer 2 WAN link between two data centres and I'm having some trouble trying to logically figure out how things should be configured. As you can see from the diagram I've created, I have the link connected on port 13 on one switch and port 14 on the other. Both ports have an IP address assigned to them and they can both ping each other.
The problem comes when I need to add routes in order to get traffic flowing over the link. I added an IP address to switch 2 on the link interface (port 14) as: 192.168.4.10
I then added an IP address to switch 1 on the link interface (port 13) as:
192.168.1.10
192.168.2.10
When I tried to add 192.168.3.10, it said "192.168.3.0 overlaps with VLAN2626". This would be correct as Vlan 2626 has an IP address of 192.168.3.15.
However, if I remove the IP address from vlan 2626 and add 192.168.3.10 to vlan 2 (the link port VLAN), I would surely lose remote access to the switch. (I'm telnetting into the switch from a machine on vlan 2626).
I started to tinker with this by manually adding a route to a server in each location and seeing if I could get traffic to flow:
On server 1: route add 192.168.4.0 MASK 255.255.255.0 192.168.1.10 METRIC 1
On server 2: route add 192.168.1.0 MASK 255.255.255.0 192.168.4.10 METRIC 1
If I try to tracert 192.168.1.20 from server 2, the first hop is the default gateway instead of 192.168.4.10.
The ultimate goal is to add the static routes to the Layer 3 router/firewall, but before I do that, I need to be sure of what to add to that router. (It's a managed firewall from the data centre, so I don't have access to it and I need to raise firewall change requests to get the work done, so I want to ensure it's right first time.)
Jul 9, 2012
how to configure IPSEC VPN, but unsuccessfully. At my office are two uplinks - LAN and Backup, both are connected to ASA5510 (with static IP) and I would like to create ipsec to data center where I have another ASA5510 with one uplink.
Apr 25, 2012
I have 30 IP cameras with a private IP address: 10.1.1.1 – 10.1.1.30. I have a Cisco ASA 5510 firewall. I want to be able to use one public IP address, example, 50.50.50.50
With a specific port to go to a different internal camera,
Example
50.50.50.50:3001 should be NATTED to camera 10.1.1.1
50.50.50.50:3002 should be NATTED to camera 10.1.1.2
[code]....
How do I do this? I know how to create NAT… just not like this.
Mar 18, 2012
I want to setup VLAN with the switches SG300 and SLM2024. What is the suggestion to connect these 2 switches. We have the Juniper net screen.
Nov 15, 2011
I have a question: if I stack a Catalyst 3750 L3 with a Catalyst that is just L2, will we be able to use all L3 capabilities?
Switches are
WS-C3750G-24TS-E1U
WS-C3750V2-24PS-S
Aug 21, 2011
Is there a document that explains how the configurations are updated to the standby ASA and what needs to be manually added to the ASA? I have two ASA 5510 running ASA ver 8.3(2) and ASDM 6.4(1). When I add static routes to the primary ASA the routes are not sent to the failover ASA. Is this to be expected or do I have a bug?
May 29, 2011
Have a 5510 in Routed mode, simple Static NAT to interface two networks (inside_1 is my private space, and outside_1 the larger intranet that hosts heavy traffic). outside_2 faces internet via pppoe just for VPN purposes.
It was operating fine for one year then one port broke (outside_2, internet), leaving no vpn. We followed RMA service replacement and the new unit came with upgraded SW (8.0.4) than the one the original config was created on (8.0.2).
To ease the replacement, I did downgrade the sw boot image. Then I did restore the config by tftp to the startup-config and then a reload. Everything seems to load fine.
Problem is that testing reveals some sort of issue: I can ping some of the intranet hosts but can't reach gateway, thus larger segment of hosts become unreachable. It seems as if the NAT mechanism can't find the next gateway where to hop. For debug practice, I've enabled all the icmp stuff so ping wasn't being blocked by the device.
Being given the fact that this config was up and running prior to the replacement, I've no reason to suspect any misconfigured items (i.e. routes, NAT, access-list), but obviously I'm obfuscated and can't see what else I'm missing.
How is that possible that the PING only reaches certain hosts? Pinging to 10.15.5.90 works (Route is 0.0.0.0 0.0.0.0 to 10.15.5.126 (gw)), but pinging to the gateway itself doesn't (10.15.5.126) and even worse, hosts like 10.15.167.210 do not respond either.
Aug 17, 2011
I'm having a cow of a time trying to implement a NAT configuration after having upgraded our ASA5510 recently from IOS 8.2 to 8.4. The upgrade went fine, however we now have a need to add a new NAT rule and I'm not sure whether it's possible.
The upgraded NAT rule and access list works fine at allowing external access to a web server.
However we now need to NAT the SOURCE address (either to a pool or single address) of incoming http requests before forwarding the request to the server. Hence the server will see all requests as originating from a pool with a route heading back to the ASA. The basic issue is that the server's default gateway does not return to the ASA, so "tagging" the source address of external requests to an address or interface associated with the ASA should allow the server to return the traffic to the ASA. I know we shouldn't be doing it this way but we can't see any alternative.
Having read a huge amount of examples we can access the server with the above config (or Object NAT), and we can NAT incoming traffic, however we can't combine the two by having all external http requests Source NATted before forwarding to the server.
May 21, 2012
We are replacing our EOL Watchguard X1000 Firewall(s) with Cisco ASA 5510 unit - ASA Version 8.4(3). Following is the static NAT I have build and the corresponding access list.
nat (FW2Inside,FW2Outside) source static BW_XSP1_Private BW_XSP1_Public destination static BW_XSP1_Private BW_XSP1_Public
access-list FW2Outside_access_in extended permit tcp any object BW_XSP1_Public object-group DM_INLINE_TCP_1
Unable to access the server on the inside interface via the public NAT address. Can you point me in the right direction as to what I might be missing to make this work?
Mar 2, 2011
One of our ASA5510s lost VPN site-to-site connectivity (ASA v8.2(2); ASDM v6.2(5)53) to one of our other sites last night. The checkbox for Access Interfaces on the Site-to-Site area in Connection Profiles lost its checkbox for the external interface.
Mar 8, 2011
I changed my old firewall for an ASA5510; since that change my internet connection is slower. Some websites take longer to display. I would like to know if there are some specific configurations about TCP connection or DNS to set up?
I just configured the ISP DNS :
dns server-group DefaultDNS
 name-server 194.2.0.20
 name-server 194.2.0.50
Jan 18, 2012
I'm trying to track down the installation and configuration procedures for the common criteria EAL4 evaluated ASA5510 but not having any joy.
The ASA Release 8.3.2 certification report [URL] identifies the required configuration documentation as the "Cisco Adaptive Security Appliances (ASA) Firewall and Virtual Private Network (VPN) Platform Common Criteria Operational User Guidance and Preparative Procedures" but I can not find any reference to this on the Cisco web site.
So far I've only been able to locate the procedures for the older 7.0 release. [URL]
How to locate the correct documentation needed to configure an ASA5510 to achieve the common criteria EAL4 evaluated configuration.
Oct 3, 2011
When I try to save the configuration it displays the following error. Is it due to insufficient memory?
MPF-ASA#wr mem
ERROR: % Unrecognized command
MPF-ASA(config)# wr mem
Building configuration...
Cryptochecksum: 81c514b8 9e95ee97 8b512148 b31377a4
[Code]...
Aug 15, 2011
I try to setup a ASA5510, but without success. Actually, I have Cisco1800(192.168.96.1/21) from my ISP connected to a Cisco 3825 (via port with IP 192.168.96.2) all is working good. Now I want to insert a asa firewall between ISP router and 3825.
For that, I tried a more simple config :
ISProuter (192.168.96.1/21) ---- ASA outside port (192.168.96.2/255.255.255.248) ASA INSIDE port (192.168.100.1/255.255.255.0) --- a PC with IP 192.168.100.2, netmask 255.255.255.0, gateway 192.168.100.1
From my ASA, I can ping 192.168.96.1, but a "ping INSIDE 192.168.96.1" fails.
From my PC, I can ping 192.168.100.1, but not 192.168.96.1.
Here is my ASA config:
ASA Version 7.0(8)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
shutdown
no nameif
no security-level
no ip address
[code]....
Apr 3, 2012
I am taking an introduction class to CCNA and we are focusing on the Application Layer, and I'm having some difficulty in understanding what is an Application Layer Service. Is the Application Layer Service the same as Application Layer Software?
Jun 6, 2012
The ASA 5510 has two models, Bun-K9 and Sec-Bun-K9. From the datasheet I found the differences are port related and redundancy. My question is: is there any major difference in security services between the two models?
Sep 11, 2011
I have cisco 3560G with C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(53)SE1 Image. I want to configure it for EEM feature so that when my Gig 0/7 port goes on it will automatically shutdown the port Gig 0/1.
MPLS_WAN_NET#show event manager version
Embedded Event Manager Version 3.20
Component Versions:
eem: (v320_throttle)2.1.50
eem-gold: (v320_throttle)1.0.4
eem-call-home: (v320_throttle)1.0.4
Event
[Code]....
May 23, 2011
I am facing an issue with setting up dhcp server on a 3750G-24PS-S, IOS: c3560-ipbasek9-mz.122-58.SE.bin. The switch configuration is below:
interface Vlan100
 description ***Data Segment***
 ip address 192.168.102.1 255.255.255.0
 no shut
!
ip dhcp excluded-address 198.168.102.1 198.168.102.10
!
ip dhcp pool datalan
 network 198.168.102.0 255.255.255.0
 default-router 198.168.102.1
 dns-server 192.168.40.11
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
Feb 17, 2011
I am not a network person, but I am not sure our Network Team is qualified either. For a long time we have been using a dying Cisco 2950 100/MB switch for imaging our computers using GhostCast. Multicasting on the 2950 was never an issue other than it was flooding the switch and making all the other ports unusable. But at least the multicast portion was imaging with decent times. We had two Intel Pro NICs teamed to get 200 MB/s and a typical multicast session was about 6.5 minutes. When using only 1 NIC, it takes about 8.5. Running two concurrent unicast or multicast sessions, well that is a different story. It then triples or quadruples the time.
Now we have a 3560G setup. A single session takes a little over 3 minutes. If we multicast off of this switch, the time is about 12.5 minutes. That is 4 minutes longer than the 2950! If I run 3 concurrent unicast sessions, it takes all of them between 3.5 to 4 minutes. So obviously there is an issue with multicasting.
The switch is in a lab separate from the production network. The server with our ghost images is plugged directly into the switch and so are the computers we are imaging. From what I was told from the Network Team is that IGMP snooping is on, but multicasting is off. He said that multicasting does not need to be turned on since all traffic is going through the local switch. Probably true since our old switch didn't have multicast turned on either, but it still imaged using multicast faster.
Below are some screen shots of the imaging. The first one is the 2950 using multicast to 3 laptops. The second one is the 3560 using multicast to 3 laptops. Finally is the 3560 using 3 unicast sessions to the same 3 laptops.
Feb 1, 2012
Where can the following information be found?
1. CEF table capacity (maximum)
2. Route table capacity (maximum)
I can issue "show ip cef sum", "show ip route sum" to see the current usage.
Jun 8, 2011
I have IAS set up on my organization's AD domain controller. Multiple policies set up for various authorization scenarios, authenticating based on Windows user groups and client IP, authorizing by passing "shell:priv-lvl=#" where #=desired privilege level. On my IOS devices I have:[code]
This identical configuration operates correctly on a Cisco 3825 and a Catalyst 4506. On the 24 port Cat 3560G PoE running 12.2SE (do not recall exact IOS version, but I know it is in that release train) that I am currently working on, every attempt to login via ssh passes authentication but fails authorization, displaying %Authorization Failed on the terminal and a message stating that "No appropriate privilege level found for user" in the debug statement from RADIUS. I have verified correct server addresses, correct source-interfaces, and that configs between the three devices match exactly with regards to aaa.
Dec 4, 2011
I am opening a small branch office in another state and the equipment we purchased is as follows:
ASA5505
3560G.
We'll use a site to site vpn but just in case there are connectivity issues I'd like to use the ASA as DHCP. So far I have a scope defined in the ASA and if I plug a laptop directly in I get an applicable IP address. I trunked the port on the switch that goes to the ASA but not the one on the ASA itself (license restriction). The VLAN that I'm using for my PCs has an ip helper address that is assigned to the inside IP of the ASA.
Nov 27, 2011
I want to select the Catalyst 3560G for my network. But IOS SLB needs to be implemented in my network. I only know the Catalyst 6500 series can support this feature and I am not sure whether the 3560G can support this feature. What platform and IOS version do I need to implement IOS SLB?
May 20, 2012
I'm responsible for designing the network for a LAN party that will be held in October. There will be up to 400 participants and 25-30 crew members. 10 table rows, 40 participants and one 48-port gigabit switch on each table. Core network will be a couple of Cisco 3560G or similar. There will be 2xGbit between the table and core switches. So, how to set up VLANs and subnets for a 400+ people network?
1) Everything on one /23 subnet, or
2) Participants on one /23 subnet, separate subnets for servers, crew and wireless, or
3) Participants on two /24 subnets, separate subnets for servers/crew/wireless, or
4) Separate /26 subnets for each table switch and for servers/crew/wireless?
As far as I can see, the main disadvantage of all participants on one subnet is troubleshooting and isolating network problems - and the main disadvantages of separate subnets is more complex setup and that people cannot browse LAN games other than those on the same switch.
Sep 4, 2012
Is the SSH v2 feature supported on the Cisco 3560G switch for the image below? If not, what is the latest image?
c3560-ipbase-mz.122-35.SE5/c3560-ipbase-mz.122-35.SE5.bin)
Jul 19, 2011
My environment has a Cisco 3560G switch which does DHCP with a VLAN for wireless clients, connected to this switch is a Cisco WLC4402 to manage all wireless access points which are Cisco 1130 and 1140 series. We recently purchased an HP LaserJet pro CP1525nw color printer which we have connected with an Ethernet cable to the Cisco switch on a port in the same VLAN as the wireless clients. The printer will pick up a valid IP address from the switch and if I connect a laptop with an Ethernet cable to the switch I can ping the IP of the printer and print to it once I install the driver, if I unplug the laptop from the switch and go over the wireless my laptop gets an IP in the same range as the printer and I can ping the printer IP address as well as open the web interface for the printer but cannot print, once I open the print queue on my laptop I see error printing and nothing prints out. I always add the printer as an IP port and supply the IP address when I install the driver to test. I have also gone through the manual for the WLC4402 but did not find anything for printing. There has to be a setting on the controller that is preventing me from printing but I don't know what it could be. On the laptop I use to test I also installed LPR and LPD and I even tried using another printer that I know works fine in its place and still could not print, so I don't think it's the printer.
Sep 27, 2010
A customer purchased an ESW-520-24p to be used in a VoIP project. Today we had difficulties connecting it to a Catalyst 3650G switch. We've tried setting the port to trunk, general, customer and access and changed all sorts of VLAN settings on the 3560G switch to no avail: the switches just won't interconnect. While sniffing we saw that ARP requests are not even answered, so something is wrong on a low level, probably with VLAN-ing. If these switches should be able to be interconnected and if yes, what needs to be done to do so?
Secondly, voice will be on a separate VLAN and the client will use SPA942 phones, which have an internal switch that allows connecting a PC to it. I've used this phone successfully with Catalyst Express switches and I didn't have to do anything for VLAN-ing, this worked "out of the box". Can these phones work with the Small Business switches as well?
Feb 2, 2012
I have a 3560G switch with c3560-advipservicesk9-mz.122-46.SE and 2 routers. The switch has vlans defined. I want to route all traffic on vlan 25 out of one of the routers exclusively. Here is what I have attempted:
-Set the SDM template to routing & reload
-Define an access-list for the VLAN traffic
-Define the route-map
-Apply the route-map to the vlan interface
When I attempt the last step I receive the following syslog error:
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RM_IMDGuest not supported for Policy-Based Routing
Also, the route-map is removed from the vlan interface after this error is thrown. I'm 99% confident that PBR is supported on this switch (am I wrong?). Here is the relevant show output:...
access-list 125 permit ip 192.168.25.0 0.0.0.255 any
route-map RM_IMDGuest permit 10
match ip address 125
set ip next-hop 192.168.5.3
[code]....