Customer has three 881 routers. FE0 connects to their WAN, FE4 connects to their LANs. Two VLANs are configured on FE4. Class-maps and Policy-map created to detect voice traffic:
class-map match-any VoIP-RTP-Trust
match ip dscp ef
class-map match-any VoIP-Control-Trust
[Code]....
Am applying a policy map to gig0/0interface vlan xIf i apply to either one only it is ok but if i apply it to the other interface it says ''configuration fail''.Am not also given the option to apply it to a particular interface as the one below
service-policy QoS_policy interface inside
Routers 1921
2801
I'm trying to apply the following policy route in my switch 4948, but it suddenly crash. Is anything wrong in my commands? The switch is rebooting with an error:
System returned to ROM by abort at PC 0x0
My commands are:
access-lists 7 permit 10.140.22.0 0.0.0.255
access-list 177 permit ip 10.140.22.0 0.0.0.255 100.220.24.0 0.0.0.255
access-list 177 permit ip 10.140.22.0 0.0.0.255 100.216.36.0 0.0.0.255
access-list 177 permit ip 10.140.22.0 0.0.0.255 100.216.38.0 0.0.0.255
[Code]......
I currently have a site to site VPN running connecting a branch office and the Main office using a ASA5510 and ASA 5505. currently PC's at the branch can access the network in the main office using interface 0/1, but we have added another ip range using interface 0/2 and I can't seem to route the traffic to both interfaces. I currently have 0/1 as inside 192.168.10.1 which works, and have added 0/2 as Inside2 192.168.20.1. I know I am forgetting something, any commands to route incoming VPN traffic so PC's at the branch office can connect to both IP ranges?
View 14 Replies View RelatedI have a client with a 3750x stack. We've upgraded it to IP Services. We have a simple PBR setup. One access-list to forward traffic from a specific LAN ip to another gateway on the network.
I go to vlan1 (default vlan) to apply the PBR and the command takes with no errors, but do a "show run" and it doesn't show up under the interface.
I go to vlan1 and apply a PBR that doesn't exist and the command takes with no errors, and is listed under the interface in the config
I can apply the PBR globally and appears to work, but we can't have it there based on other issues it creates.
config: (all tracks are up)
C3750_stack#show sdm prefer
The current template is "desktop routing" template.
[Code]....
c1900-universalk9-mz.150-1.M4.3
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO1941/K9 FCZ1510C50V
Technology Package License Information for Module:'c1900'
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
[code].....
I have applied for a dynamic dns service, but need applying in linksys E1000 settings
View 3 Replies View RelatedIn regards to QoS profiles on the WLC. I have applied a profile to a newly created WLAN and set the Per User Bandwidth to 512k and it seems to be kicking in on the ingress only, this is supposed to work ingress AND egress or is it just designed to work one way? I have a 4402-25 with Cisco 3500 AP's and am running the 7.0.98 code. If it is designed to work one way only is there a different way to apply it ingress and egress simultaneously off the WLC?
View 3 Replies View RelatedIs there a way to view changes made in ASDM before hitting apply button?
View 2 Replies View RelatedWe have two L3 3560's. One 3560 has an upstream MPLS router. The other 3560 has an upstream backup VPN router. Both of these 3560's are L3 switches with IP routing enabled. I created a PBR on both so that specific traffic routes through the MPLS router, while other traffic routes over the backup VPN router. I'm trying to apply the PBR to the SVI's, on each switch. However, when I do a "sh run", the PBR does not appear under either SVI. I've enabled the SDM Routing template, made sure that ip routing was enabled, and even verified that the IOS has the capability. Not sure what else to check for.
View 8 Replies View RelatedI have an issue with applying a patch to an ACS 1121 appliance running version 5.2.0.26. I have 5 units that needed updating and the first one is the unit with the problem. The subsequent ones updated with no issues.
When I do a show version the 5.2.0.26.10 does not show. When I try to do a reinstall I get back patch all ready exists. When I try to do an uninstall I get back patch does not exist.
Is there a command can wipe out patch 10, so I can start over? The CLI factory-reset only wipes the web configuration not the running-config or IOS.
I've enabled antispoof on all interfaces on asa 5510.If you start a traceroute to a network on the default route, everything works, since replies comes to an interface with route 0.0.0.0/0 defined.If you start a tracer route to a network that is NOT on the default route (let's assume coporate MPLS), you only get response from first carrier router, the other are discarded because of anti spoof violation.
I have ICMP inspection and icmp-error inspection enabled.
1841 - IPBASE 12.4.7d
We provide internet access for a number of clients sitting on our WAN, at present they have un-restricted access to the full bandwidth of our 1Gb internet pipe. As they are only paying for a proportion of that we want to set a Mbps limit on the clients, and idealy the device should be transparent between our router and the clients.
I have been trying to set up rate limits on a bridge on our 1841.
#
bridge 1 protocol ieee
bridge 1 route ip
bridge 1 bridge ip
[Code].....
I have tried many combinations but can't get this to limit the traffic, the client still draws as much as they can.
Does rate limit work on bridged interfaces? or am I going to have to try it routed instead?
I will be supporting a new ASA 5585X running 8.4 and I was wondering if it's possible to apply an ACL globally instead of it as an access group that is applied to a specific interface as in or out ... below are the interfaces and ACl.
View 2 Replies View RelatedI am managing a firewall over remotely in my LAN itself. I started a continous ping to the Firewall IP and the response is less than 1 ms.
While applying some access control list to the firewall via putty ...Suddenly the latency is going hing and it is hitting xxxx ms. And also the acl are getting pasted on the screen by word by word. Sometimes i used to get some RTO for the Firewall IP Address inth eping response.
find the Firewall Version:
Cisco ASA 5510
Version : 7.2
Having more than 600 ACL's.
i have 7206VXR with trunk interface toward customers, now i'm trying to configure CBWFQ on one of the sub-interfaces for specific customer,while trying to apply parent policy which includes child policy i'm getting the following message:Must remove traffic-shape configuration first.
here is the configured policy:
ip access-list extended ACL_TEST_SRV
permit ip any host 192.168.10.1
permit ip host 192.168.10.1 any
!
class-map CM_TEST_SRV
match access-group name ACL_TEST_SRV
[code]....
I have tried to apply system image(present on local system )to a remote system using file sharing with imagex.exe , but it dint work.
View 2 Replies View RelatedHow do I apply the connection parameter map in a configuration like this to the service policy int827? Do I need to define the traffic? Can I specify only one source destination flow to apply the set tcp half-closed TCP normalization against?
policy-map type loadbalance first-match wss-1100-l7slb
class class-default
sticky-serverfarm sticky-srcip-1100
policy-map type loadbalance first-match wss-1101-l7slb
class class-default
sticky-serverfarm sticky-srcip-1101
[code].....
This isn't a big deal as the rest of the ACL works fine, but this is an annoynace since the web auth redirects to our company website (internal for now) after successful login.We have a Cisco WLC that provides access to our production and guest wireless environments. The guest environment of course is in a separate vlan (10.10.50.0/24). So I created this ACL:
access-list 107 permit udp any host 10.10.2.13 eq bootpc <----internal DHCP server
access-list 107 permit udp any host 10.10.2.13 eq bootps
access-list 107 deny ip any 10.10.0.0 0.0.255.255 <---all internal networks
access-list 107 deny ip any 172.28.16.0 0.0.0.255 <----DR Network
access-list 107 permit ip any any
int vlan 50
Desc "Guest wireless network"
ip access-group 107 in
This ACL basically gives the wireless guests access to an internal DHCP server and full access to the internet. For the 10.10.50.0/24 scope, the DHCP server assigns Internet DNS servers and my rationale is that wireless clients would access it via the external IP address but I suppose it doesn't work quite like that with the website being behind the same router as the client machines.
We apply a new anyconnect mobile license to our primary asa 5520 and the failover feature went into an off state. WE have now applied a second purchased anyconnect mobile to our secondary asa but the failover is still inactive/off.
bcoh1fw50# sh failover state
State Last Failure Reason Date/Time
This host - Primary
Disabled Ifc Failure 14:43:21 EST Jan 30 2013
[Code].....
Verizon recently sent an e-mail to a friend of mine suggesting that she modify the server settings in her Windows Mail (her OS is Vista -- ugh!) to use SSL. It's an easy change (have to change the POP3 port to 995 and the SMTP port to 465, and choose SSL/TLS for encryption).I know nothing about encryption protocols and what advantages they provide over unencrypted e-mail. For example, earlier this week, she received a hacker e-mail (the infamous "shipping confirmation" that appears to come from Amazon.com, but all the links open "redpouch.com", which immediately tries to upload malware to your computer). She (and I) have no idea how the hacker got her e-mail address -- or those of a dozen other addressees all of whom have the domain "verizon.net".It would appear the hacker got into Verizon's server and stole the addresses. Would using SSL make that impossible to do? If not, what extra security does it provide?
View 5 Replies View RelatedI have Cisco ASA5510 OS version 8.4(1), when i try to apply static command, this command is not found, the NAT issues used nat(inside,outside).
So why i can't found this command ?
I have been trying to figure out a NAT issue on my 2811 and the inspect engine.I have 'ip inspect FW out' on my outside interface. If I turn it off, I also have to remove the access-list applying to inbound traffic on that same interface. Why is that? This whole thing centered around SIP registrations from devices on my LAN to my provider. The provieder is showing that I am registering from a high end port (1024 or something crazy). He said that it sounds like some type of SIP ALG or something on my router. For the life of me, I can't figure out what would be causing it. I am just using a standard route-map that points to the outside interface using 'overload'.
View 6 Replies View RelatedI'm using ASDM 6.2 with a FWSM on a 6500.
At the moment everytime I want to make a change to firewall rules I click apply and the rules are applied Immediately. I have to make multiple changes during the working day which I don't like to do.
What I would like to do is make changes during the day but not apply them until out of hours (some sort of batch mode). Like I can do in my check point firewalls.
I have a situation where two of my CGS-2520-16S-8PC switches are not applying POE power to the copper ports, but showing power inline, two ports are showing power applied. Shutting down the port and re-enabling it will return the port to normal and the phone will connect.
I'm running cgs2520-lanbasek9-mz.122-58.EY2 after using 122-58-se1. Happening on both, but i have more switches running EY2 with no issues at the moment. Using DC power supply averaging around 53v.
Having issues with HTTPS sites being very slow after applying KB2585542? Once you remove this Microsoft patch everything returns to normal. It appears that the CSS does not handle the split-ssl requests properly. I have opened a TAC case but am not really getting anywhere as we seem to be the only company that is having this issue.
View 2 Replies View RelatedAbout to apply a patch for the first time on the ACS 5.3 tonight. Ihave tftp'd it onto a directory i have created on the server. However my support hints i may havre to rename the file ? copy the latest patch file you got from Cisco – you may need to rename as gpg) Current filename is 5-3-0-40-7.tar.tar
So would i need to rename this as 5-3-0-40-7.tar.gpz . If so i will rename it on my pc and redownload it on tftp
I have a question, it is possible to have two WAN interfaces to configure a cisco 892 router with an ip 255.255.240.0 84.197.167.111 adderess of the first interface and a different ip address 84.197.174.182 255.255.240.0 on the second interface
View 5 Replies View RelatedI'm trying to set up an 1801 router with two WAN interfaces, fastethernet0 and fastethernet1. On the LAN side, I have two subnets. One subnet's internet traffic should be routed over fastethernet0, the other over fastethernet1.I've setup some route maps to accomplish this. I can surf the internet using subnet 192.168.2.0/24 fine, all traffic goes out of fastethernet0. However, and this is where the problem is, if I try to reach the internet using subnet 192.168.3.0/24, all packets go out interface fastethernet0 with the source address of fastethernet1!When I'm surfing the internet, from subnet 192.168.3.0/24, packets should be going out fastethernet1, now they're going out fastethernet0.
View 8 Replies View Relatedconfiguring my Cisco 2951 router. There are three routed interfaces that I need to configure: one for the internal LAN, the second for another private subnet that connects to a Data Centre and the third for the WAN connection. I have configured the Ge0/0 interface as the LAN interface with the internal network 10.17.0.0/24. I have also configured my WAN interface Ge0/1 for internet connectivity. Now, I need to configure the third interface Ge0/2 that will connect to the Data Centre. This will be a private point to point switched ethernet link. The Data Centre will host a secondary domain controlller. So, I want it to be on the same network as the internal LAN, i.e., 10.17.0.0/24. I want to be able to see all other devices that will be located at the Data Centre just like I would see all devices connected to the internal LAN.The problem I am facing is that Cisco 2951 does not allow me to configure two routed interfaces to be on the same subnet. Is there any way to work around this problem and configure both the internal LAN and the Data Centre private network to be on the same subnet.
View 6 Replies View RelatedI have a 1921 with 3 interfaces. One for the LAN and the other 2 are wan each with a public address. The 2 wan interfaces are used for redundancy. I would like to know how I can static nat the same port and inside address on both wan interfaces.So if the request comes in on one or the other it works. I know if I do a static nat to one of the wan interfaces and then add the same port and inside address to the other wan interface it replaces the previous configure.
View 5 Replies View RelatedI have a Cisco 2811 router with 2 ADSL interfaces and we have 2 internet lines associated with it. One is with Telstra and one is with iiNet. All internet traffic from inside the office is routed through Telstra line. The iiNet line is used for incoming emails, establishing VPN etc. The problem is that we are not able to "PING" the iiNet's IP address from the outside world however, PING works for Telstra IP. What do I need to configure on the router if I want to PING and Putty in the router using both Telstra's and iiNet's IP from outside world?
View 1 Replies View RelatedWe have just installed our first 2951 router, and were suprised to see in our Netflow collector that Tunnel interfaces appeared even though we did not configure any, I have seen other posts talking about PIM tunnel when using Multicast, but we dont use multicast and the tunnel is GRE questions are, where do these interfaces come from? how do they pick up an IP address? can we shut them down? IOS is 150-1.M4 loopback interface ip address is 172.16.224.238 ( tunnel source) see output from sh int below
Tunnel0 is up, line protocol is up Hardware is Tunnel Interface is unnumbered. Using address of Tunnel1 (172.16.0.1) MTU 17912 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 99/255, rxload 1/255 Encapsulation TUNNEL, loopback not
[Code]......