Cisco WAN :: QOS On 1841 With Access Lists?

Jan 15, 2013

I have new DIA Internet service coming in and, unlike the last vendor who provided a router, I am configuring my own. This is my first full Cisco config - I've been looking at this for 3 days now. I have SIP signalling, RTP and default traffic on a (3) T1 multilink (4.5mb). My LAN and firewall use DSCP tags and pass them to the 1841 for outbound. The ISP only prioritizes by destination address so I just need the 1841 to respect the tags internally. Inbound, I have only port numbers to go by to differentiate voice traffic and I want to tag EF and CS3 accordingly for use by the 1841 and the rest of my network.

Below is part of my proposed config.   I have read tons of Cisco docs and looked at all the queuing methods and this one I understand the best.  I am getting the error: "CBWFQ : Can be enabled as an output feature only", so I presume that something is wrong on an input definition somewhere.  For now all the firewall functions are done at the actual firewall (Sonicwall NSA) so other than limiting ports to the PBX everything else is just pass-through.  Any changes required. IOS is 12.4(4)T1.

[Code]....


Cisco WAN :: 3750 - QoS With Access Lists Not Working

May 17, 2011

I have a stack of 3750 (WS-C3750G-24TS-1U with IOS 12.2(53)SE2).

This is the conf I have:
 
!
class-map match-all DC_SC-to-DC_UW
match access-group 100

[Code].....


Cisco :: Access Control Lists And A Bridge Group?

May 13, 2012

I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack. Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put those interfaces into a bridge group which, as far as I can tell, essentially makes the router a 2 port switch...

I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (in fact that is the most important traffic, it's how the silly theatre application works). None of the traffic is IP addressed.... i.e., each of the devices on the network assigns itself an IP address, and then throws broadcast traffic out on to the "dedicated physical network" that exists between them for communication.

[CODE]


Cisco Firewall :: ASA 5510 8.2(1) Using Hostnames In Access-lists?

Jul 12, 2012

I need to allow a specific hostname through my firewall. I found this article: [URL] But it's only for ASAs updated to 8.4 and above.
 
Doing more research, I found this article: [URL] And have been trying to reverse engineer it. Am I on the right track?


Cisco Firewall :: ASA 5550 - ASDM Created Access Lists

May 9, 2012

I am trying to unravel an ASA 5550 config that has been created over several years, by multiple people, some who used ASDM, some who used CLI.

None of them ever removed any lines from the configuration, and none did any documentation. When examining the actual configuration from a CLI perspective:

1. Does an ASDM-created access list end with any specific ASDM-added suffix?
2. When ANY access list is created in an ASA 5550, does it HAVE to be included in the access-group command to be functional? Can it also be functional if referenced in a "nat" command?
3. If the access list does meet either of the criteria specified in question #2, is it completely non-functional?
4. If an access list is applied to a logical or physical port that is shut down, is the access list functional?


Cisco Firewall :: PIX515 - Timeout ICMP / Access Lists?

Mar 29, 2011

I am using a Pix 515 with IOS 8.0(3). I have in my access list on the outside interface:

access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo
access-list outside_access_in extended permit icmp any 12.23.34.0 255.255.255.0 echo-reply

in order to allow ping requests and ping replies into my inside network. This certainly works since I can ping the inside from outside and vice versa, but in the ASDM display of access rules, the hit count for these two lines is always zero. If I run 'show access-list', the hit count for these lines is non-zero.

Why doesn't the hit count show up in the ASDM GUI display?

Also, I have read that the PIX does not treat ICMP in the same way as TCP or UDP and there is no stateful behaviour towards ICMP. However, if I set up a continuous ping from outside to inside and then disable the above access list rule allowing echo requests towards the inside, the ping continues whereas I would expect it to stop.
 
In the config there is 'timeout icmp 00:00:02' if there is no stateful connection for ICMP, why is there a timeout value for it?


Cisco Switching/Routing :: Object-groups In Access-lists On 3750X?

May 29, 2013

I have started to use IP extended access-lists on several 3750X switches to filter inbound and outbound traffic on the VLANs. But it seems that the use of object-groups is not supported, is this correct? Is there really no way to group different IP addresses into groups and then use these groups in the access-lists?
 
I am running sw version 15.0(1)SE2.


Cisco Firewall :: Automatic Naming / Binding Of Access Lists With ASA 5550?

May 8, 2012

I have been told that if an access list is created with the suffix _access_in, and the prefix is the name of an interface, then that access list is automatically bound to that interface, even if there is no explicit command doing that. I am looking at the config of an ASA 5550.
 
example:
 
Interface is Production
access list is called Production_access_in.
 
Is that access list automatically bound to the Production interface, even though it does not show up in any other commands?


Cisco Firewall :: ASA5505 8.4(4)1 Access-Lists Created In CLI Do Not Show In ASDM

Apr 30, 2013

Yesterday, I configured the ASA via CLI for Static PAT and created some entries in an access-list. I will be testing that setup this evening.

However, on a quick double check of the settings on the device via ASDM I could not see the access-list settings. I searched every tab and found nothing, so I PuTTYed into the device and checked the running config. The rules I created were right there. Is this something I should expect? If so, doesn't it defeat the point of having a GUI if it does not show a complete running config?


Access Control Lists Deny Traffic From Entering Network

Oct 5, 2011

My network topology consists of 3 directly connected routers where the central router contains sensitive data and I need to block traffic from ENTERING the LAN adjoined to that router. My issue is creating an access list to DENY traffic from entering the network connected to Fa0/1 but ALLOW traffic to exit from that network. I am using one class C network which is subnetted 7 times to provide me with the required LANs.


Cisco Switching/Routing :: Outbound Versus Inbound Access Lists On Catalyst 3750X?

Mar 17, 2013

I want to configure accesslists on my Catalyst 3750X-switches to protect different VLANs/networks. Any best-practices about inbound versus outbound accesslists? In my head it is more readable and easier to understand the config when accesslists are assigned outbound on the VLAN to protect instead of assigning them inbound on all possible source-VLANs. But of course, from a performance point-of-view it is better to use inbound access-lists to avoid un-necessary routing etc.


Cisco Switching/Routing :: 800 / Use ASA To Configure All The Vlans And Intervlan Routing And Access Lists?

Jul 4, 2012

upgrading our small office network. We currently have about 75 employees with probably 125 devices on the network. I'd like to create about 10 vlans for the different departments and then configure intervlan routing as needed. Currently we have all unmanaged switches and it's just a huge broadcast storm on the network. We are upgrading our Cisco 800 router to an ASA5505 sec. Plus license. I need some recommendations on switches. Of course, this needs to be done as cheap as possible.... Is there a way to use the ASA to configure all the vlans and intervlan routing and access lists and use a cheaper switch to provide the access layer to hosts?


Cisco WAN :: 2621 / Time-Based Access Lists Using Time Ranges?

Jan 4, 2011

I have one 2621 router. I want to create a time-based access list so that users on one of my subnets (10.128.194.0 255.255.255.128) can use the internet only between 11am and 2pm.


Cisco :: Where Do Prefix-Lists Fit In

Sep 25, 2012

Difference between ACL , Distribution list and route map?


Cisco :: LMS 4.1 Device Change Audit Lists Wrong Users?

Aug 14, 2011

I have noticed that under the Device Change Audit list under the configuration dashboard, LMS lists the wrong user for the last change. For example, user ABC performed a change on a switch yesterday but the switch shows user XYZ has performed the change.
 
e.g.
 
SwitchA
 
! Last configuration change at 16:27:06 AEST Mon Aug 15 2011 by ABC
 
User XYZ then performs changes on switchB, switchC. These show up correctly, but the change on switchA shows user XYZ instead of ABC.
 
User XYZ has never logged into the switchA in question.


Cisco VPN :: 1841 Connected But No Access To External LAN

Mar 12, 2012

my configuration of Cisco 1841.
 
I was able to configure the Cisco to accept VPN connections from clients. But when I am connected I cannot access the VPN LAN. My Cisco VPN client shows Packet Decrypted: 0 all the time when connected. I tried the split tunneling configuration based on the example on cisco.com for split tunneling.
  
I include config for better understanding. The outside interface is fa0/1 with ip 10.0.0.2 w LAN 10.0.0.0 Inside interface fa0/0 with ip 192.168.10.9 w LAN is 192.168.10.0
 
IP for VPN clients 192.168.20.100 - 105


Cisco VPN :: 1841 Cannot Access PCs If Internet Is Enabled

Apr 28, 2013

I have a branch office connected to the Head Office through a VPN tunnel on a Cisco 1841 router. If I enable Internet for any PC in the Branch Office through the Cisco router, I cannot access it remotely from Head Office. [code]


Cisco WAN :: Simultaneous Dual Wan Access With Nat 1841

Mar 25, 2012

I have an 1841 router with two WAN accesses from two different ISPs:

through a dialer with a fixed IP obtained from DHCP - ATM interface,
through FastEthernet 0/1 with a fixed IP and a specific gateway - can be used for Internet traffic if the dialer is down.

I can't manage to make them accessible at the same time (ping and ssh). In a second step I would like to have VPN client access on one WAN and site-to-site VPN on the other, instead of having the two on one WAN.


Cisco WAN :: 1841 - No Internet Access Via LAN Clients

Apr 27, 2012

I have a Cisco 1841 router that is connected to a switch. I have WAN/LAN configured on the router and the switch is handing out internal IPs. The issue is that none of the client machines can access the Internet. From within the router console, I am able to ping external domain names and my ISP DNS servers.
 
Once the client machines picks up an IP they are unable to ping any external domain names or IP's and not even the ISP DNS servers, but they can ping the Cisco router IP. As a note I have tried my ISP DNS servers and as a test Google's DNS servers, but neither will allow access to the Internet.
 
Below is the current running config:
 
Building configuration...
 
Current configuration : 1440 bytes
!
version 12.4
service timestamps debug datetime msec

[Code].....


Cisco WAN :: 1841 Can't Access Network Resources

Nov 26, 2012

I'm working on setting up a couple of new WAN sites with 256K frame relay circuits back to our main building.  Each new site has a new PVC, and both are pointing back to a PVC on a T1 at the main building.  The main site has a 2801 with a single CSU/DSU WIC, and each new site has a 1841 with a 3560 connected to fa0/1.  At both sites, I'm able to get the circuit up, and the serial interfaces at both new sites show up/up, and the subinterfaces at the main site also show up/up for both sites.  Routing is being done by EIGRP, and both sites are able to establish the 2801 as an EIGRP neighbor, and I'm able to ping/tracert anywhere on our network by name or IP, so routing and DNS appear to be working.  I can also ping both new routers from the main site.  However, that's about all I can do.  I'm not able to access any resources on our network (email/shares/internet/intranet/etc) from the two new sites.  I can ping the new routers/switches from the main site, but can't ssh to them.  I can ssh to them locally.  There are no firewalls in the equation, and I don't think there are any ACL's in the picture either. 
 
Can ping and tracert just fine anywhere on our network (from both the 1841, a PC plugged into the 3560, or a PC plugged directly into the fa0/1 port on the 1841), including out to the internet, by name or ip.
Can ssh to local router, but not to anything that isn't local
DNS is working
DHCP not working using ip helper pointing to DHCP scope on server at main site, have to use static IP
Can't rdp to anything
Can't get email
Can't browse windows shares
Can't get to any websites, external or intranet. IE says "Website found, waiting for reply..." but eventually times out.
 
I did some testing for communication over certain port numbers using telnet and nmap, and found the following:
 
Can telnet to url.. and local intranet webserver on port 80 (http)
Can telnet to two of our Exchange Servers on port 25 (SMTP)
If I run an nmap scan on url...com, or our intranet webserver, it confirms that 80 and 443 are open, but the pages will not load.
I am able to telnet (port 23) to a state mainframe via the internet that some of our employees use, and I do get the expected login screen.

I tried erasing the config on one of the new routers, and just added back the bare minimum config to get the circuits up (serial/ethernet interface configs, eigrp), but saw the same symptoms.
 
One other thing to note: the 2801 at the main site has three other frame relay sites connected to it on the same WIC as the new sites, all of which are working fine. 
 
I just don't understand why I can ping everywhere I need to be able to ping, and port scans show that communication is open over needed ports, but the applications don't work. 


Cisco VPN :: 1841 Remote Access Not Working Right

May 27, 2011

I have setup a remote access on our 1841 device, with split tunnel.
 
Now I am able to connect via the VPN tunnel, and even ping and telnet into the Cisco device, but when I try to ping any device past the 1841, the ping fails and no traffic is even being encrypted to go over the VPN tunnel (looking at the VPN client statistics).

From the Cisco's side, pings to the VPN client are failing, yet I see the VPN client in the routing table.

Here is my config: 
 
cisco1841#sh run
Building configuration...
Current configuration : 7682 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200

[Code].....


Cisco WAN :: 1841 - Cannot Access Configure Menu

Sep 11, 2011

I cannot access the configure menu.

I try to access it with the blue DB09 / RJ45 serial cable on the console port and the serial ports on the PC using PuTTY or HyperTerminal, but no connection can be made. The screen stays black and does not show any text.

The computer found the port COM1 but I cannot access any information from the Cisco router model 1841.


Cisco WAN :: 1841 With Virtual-Access Interface

Dec 22, 2010

I have a problem with the Virtual-Access interface on my Cisco 1841: all interfaces are up except Virtual-Access, which is down. [code]

When I want to recover the Virtual-Access interface to up, I have to do shut & no shut on the ATM interface. What is the cause of the problem, and how can I solve this issue?


Cisco WAN :: Router 1841 - Way To Allow Specific Websites Access

Jan 25, 2011

Is there an easy way to allow specific websites access in Cisco router 1841? I am trying to allow a website through access list 102 but it is not working. I am using:

access-list 102 permit ip host 192.168.21.20 host www.website.com

If I allow all websites then it works fine.


Cisco WAN :: 1841 To Block Access To A Specific Interface

Feb 11, 2013

I have an 1841 between my firewall and the ISP. Three interfaces - multilink to ISP, FA to my firewall, and FA to my inside network. I use the inside interface for configs and SNMP access, etc. Only my ISP-assigned fixed address block will get routed to the multilink by the ISP but I am nervous about the inside interface sitting on my LAN. I know I can remove it, but if I keep it there, how can I set up an ACL so that all traffic from the multilink interface is denied to the inside interface? I suppose another way to think about it is that the inbound iface can only accept traffic from its own outside, not from the router. I think this is fairly simple but I don't want to knock down the traffic if I get it wrong.


Cisco VPN :: 1841 - Ports Allowed In Access List

Oct 14, 2012

Users behind a Cisco 1841 are not able to connect to a network using the Cisco Systems VPN Client. Transport is IPsec over UDP (NAT/PAT). Connection just times out.

Which ports should be allowed in the access list? Or do you have a link to an article for this?


Cisco WAN :: Unable To Access Newly Configured 1841 Via SSH Or Via CCP?

Oct 24, 2011

I'm unable to access my newly configured 1841 via SSH or via CCP from the WAN side.
 
Is there anything I can do from the LAN side in CCP that will assure that this router is able to be managed from the WAN?


Cisco WAN :: Setup Client VPN Access On 1841 Router

Nov 23, 2012

Trying to set up client VPN access on an 1841 router. Essentially I would like to connect using the Cisco VPN application.


Cisco VPN :: Setup Remote Access In 1841 Router?

Aug 12, 2012

I am trying to set up remote access VPN on an 1841 router. The VPN client is connecting to the router, but cannot ping the remote LAN. Here is the config.
  
Current configuration : 3625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

[code]....
 
I am not getting any hit on the deny statement of 102 when I try pinging the client IP address (10.0.0.10).


Cisco VPN :: Cannot Access Remote LAN On EZVPN With DVTI 1841

Mar 18, 2011

Configured Ezvpn Server/client with client mode configuration on IOS router with ver advipservicesk9-mz.124-15.T3.bin of ISR 1841 routers. Only my main issue is that once the tunnel is up I can't access the server side local LAN. However I could each site my icmp traffic is encrypt or decrypt but not both at the same time. However I can ping from the server to the client IP address which is assigned by the pool (int loopback10000).

Also, once the tunnel is up I could also see there's a static route towards the client side via the virtual-access interface and also a static route on the client side. I have already configured the SPLIT ACL on the server side allowing the required network access. Attached is the configuration of both server and client with all required show output.


Cisco WAN :: 1841 VPN Tunnel - Cannot Access Remote Lan From Router

Dec 15, 2010

I can ping across the tunnel from the PCs on either end of the tunnel, but I can't ping across the tunnel from the routers. If I ping using the source command with the LAN interface, the ping is successful.

The reason I need this is for the remote router to be able to look up the head office server for DNS, WINS and LDAP.


Cisco WAN :: Force To Access Web Server Automatically Behind 1841

Dec 7, 2012

I have configured Cisco 1841 router. My problem is what if every first time a user opens the browser will display a web page server. My web server ip address is 10.10.1.5.  [code]


Cisco Switching/Routing :: 1841 Vlan 5 Cannot Access Internet

Oct 31, 2012

I have an 1841 router with 2 interfaces. I set up routing between VLANs using subinterfaces on the router and a trunk on the switch, but VLAN 5 cannot access the internet.








Copyrights 2005-15 www.BigResource.com, All rights reserved