Cisco WAN :: Internet Interface Protection On ASR 10001 Router?

Apr 30, 2013

I want to provide some outside interface protection on an ASR 10001 router. The Internet facing interface is the ingress for all remote access home users that have created a DMVPN. I want to protect the network from the Internet but, at the same time, protect against breaking the tunnels created from the home users. We are running EIGRP between the home users and the HQ router. How would you build the access-list applied to the outside interface and what protocols would you allow through?


Cisco WAN :: How To Enable Protection Path In GSR 12404 Router Gigi Interface Connected To Mux Port

Sep 21, 2011

how to enable protection path in GSR 12404 router Gigi interface connected to mux port. Like we configure APS group for POS interfaces.


Linksys Wireless Router :: WRT120N Disable SPI Firewall Protection And Anonymous Internet Request

Oct 14, 2009

I'm about fed up with having this issue that no one can seem to solve. It dates back to when I owned a WRT54G router. I started experiencing random disconnects with the router, both wired and wireless. I only owned the router a year and figured it was going bad.

So I purchased this WRT120N router late August. Soon after I set the router up, lo and behold, the same problem started. I've called my ISP on a couple of occasions and they tell me that everything is fine from their end. I've spoken with Linksys tech support on 3 separate occasions. I have changed the MTU to 3 different values and upgraded the firmware. The 2nd support tech suggested that I do those two things. To my surprise this worked for 2 or 3 weeks with no problem. The same problem started again just last night, disconnecting intermittently. I spoke with another support tech and they suggested that I disable the SPI Firewall protection and Anonymous internet request. That did not work for the brief time I had this disabled.

More into the problem, when it disconnects the modem seems fine but the activity light on it stops as it should. The router itself appears to reboot, then when it comes back up the connection restores. What could possibly cause this? I currently have version 1.0.02. This is getting very frustrating and I am getting very near not using Linksys/Cisco products any longer.


Cisco WAN :: 10001 / IPSec VPN With NAT-Transversal?

Mar 19, 2013

I am using Avaya VPN client and when I get connected successfully to the IPSec VPN Server, it shows in the status that IP NAT-Transversal is active on port 10001. In this case my IP is behind the NAPT router. When I check the logs, they show that the request from my IP has gone through port 10001 (UDP) and hits the server IP on port 10001 (UDP). But in some cases, when the request from my IP goes through any port other than 10001 and hits the server on port 500, I am not getting authenticated for VPN. So, I understand that for my VPN connection, the request has to go to port 10001 of the VPN Server and port 10001 of the client.

How can I force every IPSec request to my VPN server to hit port 10001 (UDP) so that I will not face any issue?


Cisco Firewall :: ASA 5540 Use For Protection From Internet Zone

Mar 7, 2012

-1x Cisco ASA5540
-1x Catalyst 3750x-48T (L3 Core Switch)
 
I'd like to seek expertise on validating a simple firewall setup.

Do I trunk core switch traffic to the Cisco ASA OR assign an L3 link instead? It is basic understanding that the Cisco ASA is usually used for protection from our internet zone. A typical Cisco ASA setup would consist of outside, inside, dmz zone.

The L3 core switch consists of 20 VLANs. The 20 VLANs need to be blocked from each other. E.g. the Wireless VLAN does not have access to the Server VLAN, etc.

What is the best practice to filter IP addresses within VLANs from reaching each other? Should I trunk all my VLANs to the Cisco firewall? (For easy VLAN restrictions: but is that best practice?) Or do ACLs on the core switch itself? But what if I have tons of server IPs that need specific ports blocked, etc.? How would I be able to manage all my ACLs on the core switch?


Accidentally Deleted The Network Protection Key And Now Can't Access The Internet

Jan 29, 2012

I accidentally deleted the network protection key from my laptop and now can't access the internet. I have tried re-entering it but still can't connect to the internet.


Cisco :: LIC-10001 Migration File Provided Is Not Valid

Jun 6, 2012

I am trying to upgrade/migrate my WCS license file, via XML export, through the Cisco licensing portal and I keep getting the error listed above.


Security / Firewalls :: Lose Internet Access Every Time Enable SPI Protection?

Aug 12, 2011

So, I have this router at home, a WRT150N. I put in access restrictions so my siblings won't stray onto unwanted pages. I enabled SPI Firewall Protection and what do you know, it worked. The next day though, we didn't have an internet connection. I checked everything with the modem (power cycles, etc.) and then I tried the router. Upon disabling SPI Firewall Protection, the internet connection came back. I tested it yet again, to see if it really was the SPI. Enabled and bam, no internet access again. I made sure to select "Allow" in the Access Restrictions for "Internet access during selected days and hours", making sure also that "Everyday" and "24 Hours" are selected. Now my question is, what do I need to do in order to enable my Access Restrictions without having to lose internet connection via the SPI Firewall?


Linksys Wireless Router :: E1200 / E1500 Offer Any Kind Of Denial Of Service (DoS) Protection

Jan 31, 2012

I'm wondering whether the Linksys e1200 and/or e1500 offer any kind of Denial of Service (DoS) protection? I'm currently looking for a new router and would love some info.


Cisco Switches :: SG300-10P SYN Protection

Mar 1, 2013

Yesterday I upgraded my SG300-10P to firmware 1.2.7.76. I was curious about the new SYN Protection feature, but it seems to do nothing on my installation.
 
The switch is running in Layer 2 mode. I have ACLs in place and DoS prevention is not enabled. I also tried clearing ACLs and enabling DoS prevention. As I understood the Admin Guide enabling DoS in the Security Suite Settings is not necessary for using the SYN Protection.
 
In my firewall I see about 300 pps with SYN flags only arriving. What "they" do is send me SYN packets to port 80 from forged IPs, so that my system should send SYN-ACKs to the victim system. In this case it is the Arab Bank. They are down at the moment... I think that is called a spoofed SYN flood attack.

So I thought the SYN Protection feature should exactly solve that problem, but it does not and does not show any "Last Attack" entries.
 
If I put a SYN filter in place it works, even if I put SYN Rate Protection in place. But that is just a dirty workaround. My firewall blocks those SYN packets with a SNORT rule.


How To Setup E-mail Protection

Apr 25, 2011

My taskbar is telling me I have no AVG security for my e-mails


Cisco Routers :: RV042 Protectlink Web Protection

Aug 23, 2011

We have implemented Cisco Protectlink Web Protection on our network.
 
By choosing the categories that we want to block everything worked well until we have noticed that when users try to browse social networking sites like [URL] this site is blocked but when users type in [URL] users that go directly to facebook.
 
and also with youtube if they add https:// users can then bypass our network block.
 
Is this somewhat a bug on the Protectlink Categories blocking?


What Is The Function Of Anti Static Protection

Jul 26, 2011

what is the function of anti static protection


Cisco Firewall :: PIX 525 Anti-Spoofing Attack Protection

Mar 19, 2011

I have multiple questions about the PIX 525 software version 8.0(2) ASDM 6.0 (2). I am a Windows network admin that is new to Cisco and routing in general. I have read through the forums and the Cisco documentation, but have not been able to fully understand the topics discussed within.

1. Anti-Spoofing Attack Protection
2. Scanning Threat Detection - Auto Shun
3. NTP Sync Verification
4. QoS implementation
5. IOS and ASDM Backup

This option is currently DISABLED for all interfaces. I know what IP address spoofing is, but what is the functionality of these options specifically? How does it work and should I enable it and for which interfaces?

Second Question: Scanning Threat Detection - Auto Shun

I found this option in ASDM under: Configuration --> Firewall --> Threat Detection. Enable Basic Threat Detection and Enable Scanning Threat Detection are both currently ENABLED, but Shun Hosts detected by scanning threat is currently DISABLED. Also, the Networks Excluded from Shun field is empty. I know what the shun command does. I have used it many times when I have been fortunate enough to catch some piece of **** trying to spam my mail server or gain access to it.
 
What I am asking specifically is how does the Auto Shun work? Should I enable it and what are the potential consequences? Also, what exactly is a scanning attack?
 
I am not familiar enough with the PIX and with the topics discussed in the document to successfully apply the info within. Plus, I'm not sure it covers the kind of basic, all-inclusive bandwidth cap I would like to put in place.
 
The goal is to cap the maximum internet (outside) bandwidth that inside5 can use to a reasonable percentage while allowing the other interfaces to have the remainder.

How would I go about this implementation? 2. Is there a way to allow inside1 - inside4 to use max bandwidth when there is no traffic on inside5?
 
I am probably, at least, the third owner of this device and I do not have an account with Cisco, nor can my tiny (perhaps non-existent given the current economic state) IT budget afford any form of support or software licensing with them. My goal is to back up the IOS and ASDM data in the event that I have to replace the device due to a hardware failure.

I found a file transfer function within ASDM which allowed me to copy the files pix802.bin, asdm-602.bin and tfp from flash to my desktop computer. I also have a copy of the activation key info and my current configuration.

1. Have I backed up all the data/info I would need to restore this software and ASDM to another unit?
2. The activation key screen also has a serial number field. Is this the hardware serial number or is it for the software? and is it tied to this device specifically or can I use it to restore another unit if necessary?
3. Is there anything else I should do or be aware of regarding backup and restore for the PIX?
4. What is the tfp file?


Does A Spanned Drive Have Any Protection Against Disk Failures

Apr 28, 2012

does a spanned drive have any protection against disk failures?


Linksys Cable / DSL :: SPI Firewall And DoS Protection On WAG320N?

Mar 2, 2011

I want to make use of the SPI Firewall and DoS Protection features of the WAG320N.  What are these for?  How do you configure them on WAG320N? 


Cisco :: ASR9k Control Plane Protection Rate-limits On IOS-XR

Jul 26, 2012

I'm doing a large-scale snmpwalk against an ASR9k (with IOS-XR v4.2.0) running as a provider edge router (full bgp table) and pulling the full contents of the BGP route table. On other routers, this completes within my timeout window, but not on the ASR9k. Figuring that this has to do with CoPP rate-limits, I've adjusted the rate-limits to ridiculously high values.

But still, the walk doesn't complete in an acceptable amount of time. Manual snmpwalks display a rate slower than even 7600s, with occasional stutters. CPU on the box doesn't even register that anything extraordinary is going on (@ 2 - 3%), and "show lpts pifib hardware police location" shows that there are 0 drops against SNMP. I haven't turned yet - either some traffic shaping mechanism or some combination of process scheduling/priority with SNMP.


Cisco Switching/Routing :: 2950 - Bridging Loops / STP Protection

Jan 20, 2012

I have a network where if an end user attaches a hub to the network, or rather one of those cheap unmanaged 8-port mini-switches, and then plugs the two ends of the same cable into two ports of that mini-switch, all the network goes down. Loops are generated and many uplinks are shut down in err-disable state due to the loopback reason.

I know I could discourage the use of those mini-switches using port security. I even have NAC (Cisco) deployed on the network, but there are cases where those mini-switches are allowed by the management. In those cases, it is not possible to know exactly which hosts (MAC addresses), and even how many of them, will attach to the network concurrently. As far as I know, they could even chain many mini-switches one to another. Of course, when even a single mini-switch is allowed on the network, it raises a security hole.
 
Is there a way to allow the use of those devices without the risk of network outages? Some STP protection method? The best would be to have the Cisco access switch to get aware of the loop on its affected switchport (where the mini-switch is attached), immediately shutting down that port (to avoid loops on the network) and maybe sending an SNMP trap or a syslog message.
 
We are using Cisco Catalyst 2950 and 2960 for our access layer.


Cisco Switching/Routing :: C3750 / Layer 2 Loop Protection Enhancement?

Feb 19, 2012

We recently had on our network a simple layer 2 loop problem, with big effects. Here is the situation: we have a C3750 switch, with STP activated on all ports. We don't have total control over this switch, and for some reasons, it is possible that people connect a 2nd switch to it (Cisco or non-Cisco). What happened several times is a classic case: a person interconnects 2 ports of this 2nd switch, creating a loop. As the loop is created on the 2nd switch only, the 1st switch detects no loop, and the uplink port stays up. After this loop is created, a broadcast storm occurs through the link between the 1st & 2nd switch, and the storm propagates all over the LAN. I am trying to find some solutions to avoid that. One thing I would like to do is to find a mechanism on the first switch which can block the uplink port on the 1st switch if it sees the same MAC address as source in the 2 directions. Note that storm control, even configured to a quite low value (i.e. 2Mbps), is not efficient enough to protect equipment (we have had big CPU impact on LAN equipment).


Cisco Switching/Routing :: SG300/500 - Similar Feature To HP Loop Protection?

Apr 17, 2012

Do Cisco Catalyst (IOS) and specially Cisco SG300/500 support a similar feature to HP's Loop Protection or DLINK's Loopback Detection? This is an interesting feature to avoid loops caused by unmanaged switches.


Linksys Wireless Router :: EA6500 Multiple IP Addresses On Internet Interface?

Jan 23, 2013

I have verizon fios business line with 5 static IP addresses and am configured for ethernet wan. I can use EA6500 as the router instead of using Verizon's own router, however I can't figure out how to assign all 5 static IP addresses on internet interface. I have already assigned first IP to  internet interface but don't see a way to add more IPs either in internet interface or from NAT section where I can create static NAT.
 
Is this even possible with EA6500? If so, how?


Cisco WAN :: 1841 Router - HWIC Interface Card - Cannot See Interface In Configuration File

May 9, 2012

i have a 1841 cisco router and i recently purchased a 1 port HWIC wan interface card. My problem is that I cannot see the interface in my config file. Is there something i am missing?


Servers :: Disable Protection Sharing Windows Server 2000

Mar 27, 2011

disable protection sharing win server 2000


Broadband :: Network Access Protection Agent Service Is Not Running

Dec 13, 2011

network access protection agent service is not running


Cisco WAN :: Set Up WAN Interface On Fast Ethernet Interface Of 877 Adsl Router

Apr 9, 2011

Is it possible to set up a WAN interface on a FastEthernet interface of a Cisco 877 ADSL Router? Due to my ISP, I have to use an external VDSL modem and must connect it to my Cisco 877 router (and leave its ADSL interface unused). But I don't know how to set up a WAN port, other than the ADSL interface itself (dialer0), on my Cisco.


Cisco Firewall :: 65535 ASA - Port Scanning Protection Through Embryonic Limit Setup

Jul 1, 2011

url... I discovered that it would be possible to be protected from portscan; I mean when someone scans our network/host from outside, the attacker will see all the 65535 ports as "open" (in that way it will be more difficult for an attacker to perform customized attacks...). So I have followed the setup in that link:

policy-map global_policy
 class class-defaults
  set connection embryonic-conn-max 15 per-client-embryonic-max 3
service-policy global_policy global

The problem is that I don't have the expected result. If I do a portscan over Internet from an external host to my hosts, the portscan is successfully working and I can view my open ports. I have also tried to set this through a "match" in an access-list but without any success.


Tp-link 300mbps Wireless :: Tl-wr1043nd Password Protection Of Wifi Doesn't Work

Apr 11, 2013

Region : Netherlands
Model : TL-WR1043ND
Hardware Version : Not Clear
Firmware Version :

I installed my brand new TP-Link router and both wired and wireless internet connection work perfectly fine. But when I tried to secure the wifi with a password (I followed the instructions on the last page of the installation guide) I cannot connect to the internet any more. After entering the correct password, both iPhone and MacBook simply say "unable to join the network". I selected WPA2-PSK-personal as recommended. For now I switched off the security settings, but I live in a building with many neighbours and they are now consuming most of my bandwidth (apparently I am surrounded by illegal downloaders


Cisco Switching/Routing :: Sub-50ms Protection Switching At Ethernet Layer (ERPS G.8032)

Jul 24, 2011

It is understood that sub-50 ms ERPS convergence can be achieved with certain HW/SW combinations.
 
1) What are the platforms supported (and with what FW/SW has this been tested)? Any results that can be shared?

2) Link failure detection in GigE on Copper is slower compared to GigE over "pure" Fibre; so no sub-50ms would be possible with Copper ring ports. Is sub-50ms convergence achievable with "combo SFP ports"?


Home Network :: Double Protection Network Configuration?

Nov 21, 2011

I have a problem with my home network/internet - I have a working wireless network that I have used for some time now and it works just fine. The problem is that internet restrictions where I live require me to register each unit to the building network before I can gain access to the internet. My caretaker told me today that normally, I should only have to register my primary computer and the wireless router to be able to use the internet freely. However, when a new laptop appears (I have a guest), I can easily connect it to my own wireless, but it can't use the internet, as if it needed to be registered again. I ran out of registration codes and I really would like to have freedom in connection opportunities. The caretaker said that the system gives every registered unit a "fake" IP, so after giving it to my router, all other units connected through that router should have unlimited access. Is my network configured in a wrong way? I don't know how to ask this in a more simple way... I just want to be able to connect a friend's laptop to the net with just my local password, which isn't happening.


Cisco WAN :: ASR1002 / Loopback Interface Will Be Accessible From Internet

Apr 16, 2013

I have an ASR1002 router and I need my loopback interface to be accessible from the internet. The ISP address space I have:

46.xx.x.64 255.255.255.192 
interface TenGigabitEthernet0/2/0.301
description -=ISP=-
encapsulation dot1Q 301
ip address 46.xx.x.66 255.255.255.248

[code]...
 
packets transmitted 9, received 0, packet loss 100 %, time 8063 ms


Network Interface Card - Can't Connect To Internet?

Sep 20, 2011

I recently installed XP Pro and updated all necessary drivers for the computer. I also plugged in another network card; this NIC is working but browsing the web seems slower than with the original network card that comes with the motherboard. Before, both network cards showed up in (my network places). Now the network card that comes with the motherboard doesn't show up, only the network card connection just installed.

I checked the device manager: both of the network adapters are there, and I checked both of the boxes that say place LAN on taskbar. This could be because I found and installed a revised Intel chipset and latest BIOS for the PC; now the hard drive activity LED doesn't light and the ethernet controller has an issue. Note when I plug in the cable to the ethernet port (the one built into the PC) both the activity light and connection light show, but I can't connect to the internet.

pc info:
winxp pro sp3
pentium celeron
256 mb of memory
manufacturer: gateway


Cisco Firewall :: How To Access ASA 5500 Via SSH From Internet To Inside Interface

Mar 9, 2011

Administrator wants to manage ASA 5500 using the inside interface [telnet or ssh]. Allowed telnet and ssh in ASA 5500 but unable to get access from the administrator PC. Is there a way to do it without enabling NAT on the ASA? Will a specific rule on the ASA allow the administrator to access the ASA 5500 inside interface via ssh or telnet?


Cisco Firewall :: ASA 5510 - No Internet Connection On Inside Interface

Jan 3, 2012

So I have an ASA 5510. The ASA is connected to the Internet through a PPPoE DSL modem.

The outside interface gets an IP. The inside interface gets, through DHCP from the ASA, the Internet DNS server (T-Online). But the host does not connect to the Internet because the DNS server is timed out.
 
Code...








Copyrights 2005-15 www.BigResource.com, All rights reserved