Cisco WAN :: Firewall Setup On 2921 Router?

Jun 27, 2011

I just purchased this Cisco 2921 router and have all the configuration completed except the firewall and NAT. We have 4 subnets at our location on the router, each with DHCP handed out from the router to our network. Any examples for the firewall and NAT configurations?


Cisco Firewall :: PIX515 / 2821 / 2921 / Getting GRE IPsec Tunnel Setup?

Apr 18, 2013

We are setting up an old office building as an offsite data center. The network consists of a PIX 501 firewall and a 2811 router. I am attempting to set up a GRE tunnel over IPsec back to the main office. The main office consists of a PIX515, a 2821 router, and a 2921 router.
 
There is also an ASA5510 in our main office that is used as our primary connection for all of our external services and as a GRE endpoint for our other offices. The PIX515 is used to connect our main office clients to the internet and we would like traffic between it and our offsite data center to go across it as well. The default route is to use the ASA. We used policy based routing on the 2821 and 2921 routers to direct the appropriate traffic to the PIX515. Right now I am not able to get the tunnel set up. It appears that the offsite datacenter is sending packets but is not receiving any when I issue the “show crypto ipsec sa” commands on both firewalls. I will show the output of that command below.
 
Main Office
The external address: 198.40.227.50
The loopback address: 10.254.10.6
The tunnel address: 10.2.60.1

Offsite Datacenter
The external address: 198.40.254.178
The loopback address: 10.254.60.6
The tunnel address: 10.2.60.2
 
The main office PIX515 Config :

PIX Version 7.2(2)
!
interface Ethernet0
mac-address 5475.d0ba.5012
nameif outside
security-level 0
ip address 198.40.227.50 255.255.255.240

[code]....


Cisco Wireless :: Setup To 2921 Router Connected To Cable Modem

Apr 21, 2013

I have one interface set up to a Cisco 2921 router connected to a cable modem. DHCP is on the 2921. When I connect to the SSID for my guest I'm redirected to the authentication portal 1.1.1.1. I'm putting in valid credentials and when pressing the submit button it just go anywhere.
 
I have set up another SSID with a PSK and it's working fine: getting an IP and able to browse the internet. From what I have read, it's apparently a DNS issue on my router, but what should I check?


Cisco Firewall :: 2921 Firewall Allow Rules Being Dropped

Jul 5, 2012

I am configuring a 2921 with enhanced security using the CCP. I have found a behavior that seems strange to me and I'm not sure if I'm misunderstanding something or missing a setting. It seems that if I create a firewall rule to "allow" traffic through, that traffic gets dropped, but if I set the action to "Inspect", the traffic comes through fine. I can actually reproduce this at will by setting up a rule from out-zone to self to allow traffic and I cannot telnet into it from an external IP, but if I change that rule to "inspect" I can connect fine (I don't want that rule set up permanently, I was just using it to test the firewall).
 
If I set the allow rule to log, I see the following line in the application security log:
 
(target:class)-(ccp-zp-out-self:user-fw-ccp) Passing telnet pkt 1.1.1.1:58141 => 2.2.2.2:23 with ip ident 0
(where 1.1.1.1 is the external laptop and 2.2.2.2 is my WAN IP address of the 2921)
 
So it looks to be passing the traffic, but that traffic is getting dropped somewhere because the connection is unsuccessful.
 
Is this the expected behavior of "Allow" action?  Is there something I can do to make sure "allow" traffic actually gets through?


Cisco VPN :: 2901 / 2921 / 5505 ASA - Router Versus Firewall Site To Site VPN?

May 30, 2013

I would like to know whether both a Cisco 2901 or 2921 router and a Cisco 5505 ASA can build a site-to-site VPN.
 
1) What is the difference in building a site-to-site VPN between a router and a firewall?

2) Which is the best choice for use in a site-to-site VPN connection?


Cisco WAN :: 2921 How To Access Firewall From Command Line

Jun 11, 2012

We just bought a 2921 with the following modules: 4 port clear channel T1/E1 HWICSM-ES3G-24-P: EtherSwitch. I read some Cisco documents and was not able to find what I need. I would prefer that all instructions from you are for the CLI interface. This is my first time dealing directly with T1, WIC and 2921 etc. The following is what I get from ATT, IP masked:

IP Address Block
IP Address: 20.20.20.136/29
WAN Link Details:
WAN Link IP Address: 13.13.13.92
AR Serial INT IP Address: 13.13.13.93
CR Serial INT IP Address: 13.13.13.94
WAN Link Subnet Mask: 255.255.255.252
 
A: How do I configure T1, what do "AR, CR" stand for, and do I need to use both IP addresses? What is the WAN Link IP for?
 
B: We have two T1 lines, so I should plug them both into the WIC, say port 0 and port 1. How do I configure them?
 
C: How do I access the firewall from the command line?
 
D: I followed the T1/E1 HWIC installation guide, and as soon as I add channel-group to the controller t1, the serial interface went down?


Cisco WAN :: 2921 - CBAC Firewall Access List

Jul 1, 2011

I need to configure the access list on the outbound internet port to accept the following:
 
ip access list 10
access-list 10 permit PPTP vpn any xxx.xxx.xxx.xxx
access-list 10 permit RDP any xxx.xxx.xxx.xxx
access-list 10 permit FTP any xxx.xxx.xxx.xxx
access-list 10 permit Postgresql any xxx.xxx.xxx.xxx
access-list 10 permit MacARD any xxx.xxx.xxx.xxx
 
This method does not work on the Cisco 2921 router with FW.


Cisco Firewall :: 2921 - ZBFW Not Blocking Traffic From DMZ

Apr 22, 2013

OK, I have a 2921 on 15.3-2T. ZBFW is working from the inside to the outside, but the DMZ is not being blocked at all to the inside. I am currently running with subinterfaces. All interfaces have zones attached. I have policies from inside to outside and DMZ to outside, those work fine. Without any policy from DMZ to inside, it can pass traffic freely from DMZ to inside. I have tried making an explicit policy to drop all to inside, still passes. I ended up just having to put an ACL on the interface.
 
I already tried upgrading the IOS, that is how I ended up on the newest version. This is connected to a 2960S with a trunk port. Everything else works perfectly except for the DMZ security. I haven't had time to try to lab it up yet, but wanted to see if any reasons this shouldn't work, as all documentation says it should drop all traffic unless you make a policy to pass traffic.


Cisco Firewall :: 2921 Enable WCCP - SSH Connections Fail

Feb 22, 2012

I have an IOS firewall on a 2921 router, zone-based config. The remote and main sites have Cisco WAAS, running 4.4.1 software. I am using WCCP redirection on the WAAS/router combination. If I leave it off, the firewall passes SSH correctly to the devices on the other side of the firewall. If I enable WCCP the SSH connections fail. The SSH to the router itself is fine, I am not using the self zone for router protection. I had seen a few posts on WAAS but the only one mentioning a config statement in the firewall was on 4.0 WAAS and the command is no longer on the IOS firewall. Is this supposed to work transparently or am I missing a config?


Cisco Firewall :: DMZ Setup Using 2811 Router

Aug 11, 2011

I am pretty new to the configuration of a DMZ and I have the task of setting one up. I have a Cisco 2811 Router running Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3), 2 FE interfaces. One FE is connected to the WAN, with a loopback interface configured with the public IP for Internet access in the office. The other FE has 2 subinterfaces configured, one for data and the other for voice traffic. Users within the office are configured to use the data VLAN to access the internet through the WAN.
 
Now we are setting up some new services and we require DMZs to be set up. I want to set up 3 zones now that the different servers would reside in. How can I achieve this using the existing infrastructure I have? I have an idea to create more subinterfaces and assign them to the zones, but I am still not sure how this would play out. I have been on this for the whole day and unable to make significant progress.


Cisco WAN :: Router 2921 Enough For BGP?

Oct 13, 2011

I need a router to connect to our ISP by BGP and in the future to a second ISP. Our ISP is going to provide us about 300.000 route entries by BGP. So would router 2921 be enough, or should I go to a higher model? We are going to have 100Mbps with this ISP and probably in 3 months we'll have to double it. Also we'll need IPv6 support. I saw router performance [URL]f and it has 480.000 PPS and 245 Mbps but for 64 bytes length packages. If the packets are bigger the throughput should be best I suppose... 1500 bytes about 5,5 Gbps. In the case you consider the model is sufficient, should the flash or RAM be increased?


Cisco Switching/Routing :: Setup Of Firewall In Between 1841 Router And Switch

May 26, 2013

We have a setup of a firewall in between my Cisco 1841 router and Switch.
 
Cisco Router --> Meraki Firewall--> Switch
 
Client VPN is configured on the Meraki Firewall but then for the outside users to client vpn in to the network, I have to port forward or open the ports 500 and 4500 to the IP address of the Meraki Firewall 192.168.1.90. [code]


Cisco WAN :: GRE Tunnels On 2921 Router

Feb 20, 2013

Is there a recommended number of GRE tunnels that Cisco 2921 ISR router with default configuration (512MB DDR2 ECC DRAM) can support?         


License Installation On Cisco 2921 Router?

Jul 11, 2012

I am installing a security license on Cisco 2911 Router for the first time. It already has a temporary license installed on it which is expiring soon. Cisco has already mailed me the procedure for installation. I want to know if I need to uninstall the previous license before installing the new one.


Cisco WAN :: Multicast To Unicast Through 2921 Router

Apr 15, 2013

We recently acquired a Cisco 2921/K9 router to interface 2 networks:
 
Network 1 : 169.254.XXX.XXX/16 on GigabitEthernet0/0 interface
Network 2 : 192.168.1.XXX/24 on GigabitEthernet0/1 interface
 
On the network 1 side there is a multicast source (169.254.200.200, destination: 225.0.0.1). On the network 2 side there is 1 receiver which is not multicast capable (old), but I want it to receive the multicast stream. For the moment we configured ip multicast-routing and each interface with ip pim sparse-dense-mode, then configured GigabitEthernet0/1 in order to join the multicast group (using ip igmp static-group 225.0.0.1), and Wireshark confirms that the multicast stream is on the network 2 side from 169.254.200.200 -> 225.0.0.1. Of course the receiver doesn't get the stream, but if I force a "multicast to unicast" process inside the router it shall be OK. After many hours of internet browsing I found 2 solutions:

- NAT, [URL]
- multicast service reflection (Cisco documentation)
 
The NAT example doesn't work. What is the best way to do this task?


Cisco :: Configure Router 2921 For Snmp V3?

May 19, 2013

I need to configure cisco router 2921 for snmp v3,


Cisco WAN :: RPS 2300 Not Backing Router 2921

Oct 2, 2012

We have a 2300 RPS with single 1150WAC power supply (C3K-PWR-1150WAC) which is connected to one 2921 Router. But it is not backing the router.
 
Router 2921 running IOS
 
c2900-universalk9-mz.SPA.152-2.T1.bin
 
I am getting the following logs:
 
*** External Redundant Power Supply is present, but type is unknown or not supported.***
 
%ENVMON-1-POWER_WARNING: : RPS Online Insertion and Removal is not supported.
 
Do we require any configuration to be done on the router end?
 
Note: The RPS is backing 2960 Switch.


Cisco WAN :: Router 2921 With Ethernet Switch

Feb 25, 2013

I am contacting you because I'm currently configuring a Cisco 2921 router with an EtherSwitch module. The specific inventory of the Cisco 2921 router is:
 
Router#show inventory
NAME: "CISCO2921/K9 chassis", DESCR: "CISCO2921/K9 chassis"
 
PID: CISCO2921/K9      , VID: V06 , SN: XXXXXXXXXXX
 
NAME: "High Speed WAN Interface Card - 1 Port Gigabit Ethernet on Slot 0 SubSlot 0", DESCR: "High Speed WAN Interface Card - 1 Port Gigabit Ethernet"
 
PID: HWIC-1GE-SFP      , VID: V01 , SN: XXXXXXXXXXX"
[Code]....


Cisco WAN :: 2921 Router - Configuration Required As NAT / PAT Gateway

Jan 14, 2013

I have a Cisco 2921 router with 3 giga interfaces. I have a leased line for the internet with a public IP address and I want to configure this router as a NAT/PAT gateway, so that users in my network can use the internet through the router. My WAN interface is g0/0 - ip 122.xx.xx.xx, LAN is g 0/1 -- 192.168.1.1 /24. I have tried doing NAT once but I was not able to bring the WAN port up. Using Cisco CP, when I test the interface it gives an error and I don't get internet to my users.


Cisco VPN :: PPTP Between Windows Clients And 2921 Router

Oct 23, 2011

I have trouble with PPTP VPN between Windows clients and a Cisco 2921 router with RADIUS (IAS) authorization. When I try to connect to the Cisco 2921 from Windows 7 using MS-CHAP v2 I receive error 778: it was not possible to verify the identity of server. Then I use PAP - everything is OK. On Windows XP the same situation.
 
Cisco config:
version 15.0
service timestamps debug datetime msec

[Code].....


Cisco WAN :: 2921 Router Not Detecting EHWIC-1GE-SFP-CU Card

Oct 2, 2011

I just got a brand new Cisco 2951 router that has 3 built-in gigabit interface cards. We want to add an additional 2 GE EHWIC-1GE-SFP-CU card to it. When it booted up and I typed show inventory, it did not detect the presence of the card. There was a light on at the back of it. I have checked the compatibility on Cisco. The card is compatible with this router. Do we have to install the card with special instructions in order for the router to see it?


Cisco WAN :: VWIC2-1MFT-G703 In 2921 Router

Jun 5, 2012

I have installed a VWIC2-1MFT-G703 module into a Cisco 2921 router. I can verify the card with the show inventory command, but in show run I do not see the E1 controller card there. This card is used for a TPG leased line for data only. Is this card compatible with the new 2921 router, or does it need some extra command to bring it up?


Cisco VPN :: Create VPN Tunnel Between ASA5520 And 2921 Router

Sep 21, 2011

I am getting the following error message while trying to create a VPN tunnel between an ASA5520 and a 2921 router. [code]


Cisco WAN :: 2921 Router For Both MPLS And Internet Connection

Apr 4, 2011

I'm planning to use the 2921 router for both MPLS and internet connection, to 2 different ISPs. Also I am planning to use BGP with a public provider independent
 
I'm planning to buy an SLA for the MPLS link.


Cisco WAN :: Unable To Recover Password For 2921 Router

May 16, 2012

I have one new Cisco 2921 router. After the first login into the new router I made some configuration but forgot to change the default password. Now I am unable to log in to the router after the first log off, and I am not able to recover the password because the router doesn't have any external flash memory.


Cisco :: Router 2921 Base Load Supports Natting

Nov 13, 2012

Does the Cisco Router 2921 base load support NATting? I am looking to order a router and want to make sure the new 2900 routers support NATting.


Cisco VPN :: Configuring IPSec VPN Tunnel ISR 2921 Router With Watchguard?

Aug 28, 2012

I am configuring a vpn ipsec tunnel with cisco isr 2921 router and Watchguard edge 1250e. I have the watchguard configured so I just need to make sure I have everything setup on the cisco side. At this point, there is no communication as I am not sure if I configured it correctly. Should I do the crypto map on g 0/0 or dialer 1?
 
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef

[code]......


Cisco Switching/Routing :: 2921 Multiple Netflows From Same Router

Nov 15, 2012

What I’m looking to do is setup a net-flow monitor for traffic going across a PIX firewall. I know unfortunately I can’t do this directly from the PIX because it does not support net-flow.
 
I do have a 2921 router on the same network that I have net-flow enabled to monitor traffic across the MPLS Connection.
 
Since the traffic for the MPLS is going out a direct interface I have applied the IP Flow egress/ingress commands to that interface to obtain the net-flow data I need.  The PIX firewall however is not a direct interface so this can’t be done. I have done a little reading and believe I could use a policy map to create a “filter” so that any traffic that meets the ACL associated with the Policy-Map would get sent to net-flow monitor.
 
My question is how do I set that up so that so I can have the two net-flow data “streams/sources” go to separate net-flow ports so that I can monitor them independently of each other or is that not possible?
 
Both devices are connected to a 3750X switch; however neither is connected to a 10GB port. To my understanding that means I can’t run net-flow on the switch itself.


Cisco WAN :: 2921 - Connect 2 ISP Links Into One Gigabit-interface On Router?

Oct 6, 2012

I want to connect 2 ISP links into one Gigabit interface on my Router 2921. Can anyone tell me how to do that? Sub-interface creation is not possible on the Cisco 2921.


Cisco Firewall :: Failover ASA 5505 - Setup Second Inside Interface On Firewall?

Feb 19, 2012

I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 VLAN in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?


Cisco Switching/Routing :: 2921 - How To Access Router From Internet Using Public IP

Nov 21, 2012

The Cisco 2921 router has a default ip http access class command found in it. I just changed the default IP to the new IP I will use. The router is accessible from the LAN only but not from the internet, with the public IP configured. I think this is due to the standard access list 23. How will I access the router from the Internet using the public IP?


Cisco Switching/Routing :: Bandwidth Shaping Two Links With 2921 Router

Dec 12, 2012

I have 2 links to 2 different departments switch with an up link of 10mb. I want to guarantee that both departments get at least 5mb, but can use part of the other 5mb that not in use. Is this possible? 


Cisco WAN :: 2921 Router With Etherswitch Module Baud Rate Unsetting

Feb 14, 2013

I have a 2921 router with 1 etherswitch module installed. I haven't done it before and was trying to change the baud rate to 115200 for installing an IOS on the etherswitch module which had been deleted. I ended up "unsetting" the baud rate on the etherswitch and rebooted. Now, when I try to session into the etherswitch, it opens the connection but I can no longer see any text on the screen. I'm using Teraterm. I've tried different baud rate settings for my serial port in TeraTerm but still can't see any text on the screen. I don't know of any commands from the router prompt. Any suggestions to fix this? If I can start seeing the text, then I can probably configure and set up the etherswitch module.








Copyrights 2005-15 www.BigResource.com, All rights reserved