Cisco WAN :: Routing Based On Source Interface FE01 Series
Jun 6, 2011
I am looking for a config, as per the attached diagram, if the traffic comes from FE01 it should go via FE03 for the internet and when the traffic comes from FE02 it should go via FE04 for the internet.
Oct 31, 2012
I have a stack of 3750x, with minimal configuration. There are two vlans, and two vlan interfaces with IP addresses. When I ping out from this switch to another host, it picks vlan1's ip address as the source automatically. I tested this by doing two pings with extended options using each vlan's interface as the source, and got different results. How did the switch decide to use the first vlan's ip address as a source?
Aug 20, 2012
I have configured the ip telnet source-interface Loopback 0 command on a Nexus7010, but when I telnet to another device and do a show users, the ip address is of the closest interface to the device I telnet to, not the ip address of the Loopback. All interfaces are in vrf default. I am running 5.1(6) NXOS.
Jan 21, 2013
Platform:
cisco6509-E with FWSM
Supervisor Engine 32 PISA 8GE
sup-bootdisk:s32p3-adventerprisek9_wan-mz.122-18.ZY2.bin
command:
(config)#ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
(config)#no ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
#clear ip nat tran *
(config)#ip nat inside source static tcp 10.10.8.147 14029 interface g7/8 14029
%Port 14029 is being used by system
Or %Static entry in use, cannot change
But when I perform the "sh ip nat tran" command, there is nothing.
Jul 25, 2011
A customer has an ASA5520 and 2 ISP routers with one WAN link each, and wants to split the load over both routers based on source IP ("natted" IP on ASA). I found this excellent doc on the topic: {URL}. Using PBR to achieve this is an option I was looking at, but I have come across a possible loop doing this with 2 routers. Setup:
-----------CE-1---------ISP-1
| |
| |
ASA55020---- HSRP |
| |
| |
-----------CE-2---------ISP-2
Both Routers receive default routes via BGP, and customer networks are propagated via BGP as well (i.e. the customer can specify the return path for the traffic). The ASA5520 forwards traffic to a HSRP virtual IP for redundancy purposes. If one router or ISP fails, all the traffic should use the other router/ISP. The customer wants to specify which traffic is sent over which link, by defining nat rules on the ASA. e.g. traffic sourced from the network 10.10.1.0/24 will always use ISP 1, and traffic sourced from the network 10.10.2.0/24 will always use ISP 2.
My problem: if I use route-maps on both routers (CE-1 and CE-2), sending part of the traffic to the other, and one ISP link fails, in my opinion I have a loop, since part of the traffic will get sent back to the router it came from. Is there any other way to achieve my goal without using PBR? I have looked at CEF and GLBP, but I cannot seem to find a way to load share via source IP.
Dec 20, 2012
I have a customer with a Sonic wall that I want to replace with a 521. He currently has port forwarding set up so that only 3 ip addresses can access the port forward. Everyone else is dropped. Is there a way to do something similar? I can make it work for a single one via the DMZ tab with a source ip address, but there is not a way I can find to add the allow for the other two remote connections.
Jul 5, 2011
I have a requirement to select a farm based on source IP address. I tried creating a match all class-map that matches on the virtual-address and source address but I get this message.
LB01/Admin(config-cmap)# match source-address x.x.x.75 255.255.255.255
Error: Only one match virtual-address is allowed in a match-all class-map and it cannot mix with any other match type
To me this is the only place where it makes sense to set the source match criteria.
Oct 29, 2012
I don't know why cu needs this feature; he wants stickiness based on source IP and source port. Does CSS 11500 support stickiness based on source IP and source port? Or is there any other method to support stickiness based on source IP and source port?
Jan 21, 2013
2 ISPs connected to a 4507, both with separate public IP blocks. Based on some source IP addresses on the LAN they would either use ISP-A or ISP-B's connection based on what I define.
Mar 26, 2012
We have an ASA that has 3 IPSEC VPN tunnels and standard internet traffic coming in on Int E0/0 that I need to have go out Int E0/1. E0/1 is directly connected to a Steelhead Riverbed 2020. The traffic will need to come back out of the Steelhead Riverbed 2020 and into the ASA to Int E0/2. From here it needs to go out either Int E0/3, which is connected to a Catalyst 3560 Switch, or back out Int E0/0 through one of the VPN tunnels. I attached a PDF with a diagram if that works.
The reason we are doing this is we have Riverbed's at all our locations and they need to talk to each other to optimize traffic. Is this routing possible any other way than PBR (Policy Based Routing)? I am of the understanding that PBR is not supported on the ASA or PIX.
Oct 20, 2012
Is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP, and if so, how? Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access from a specified source IP (Public IP).
Dec 27, 2011
I have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
Apr 2, 2011
Hardware version: A1
Firmware version: 1.01
Basically, I cannot connect to any game servers when I am connected through this router. I used my Android to tether into 3G internet and was able to connect without any issues so it's not OS-side at all. I've tried many settings arbitrarily one at a time, checking each time to no avail. Is there a particular setting that is screwing with this game? I've got the ports (27000-27100 TCP/UDP) forwarded and I've used a Port Checker tool to verify that they are open. Obviously it's something in the router that is blocking the connection..but what else is there to try?
Should I finally flash the 1.13NA firmware?
Mar 4, 2011
Is it possible to establish PBR rules that set the ip next-hop to point directly to the inside interface of the ASA5550? Or, do I need to direct this PBR traffic first to a directly connected router interface and then default route to the ASA? At a high level, here's what we have:
ISP 1 - with /21 IP Prefix
No BGP Routing
3845 Edge Router - Default Route to ISP 1
PIX535 Firewalls (HA) - Default Route to Edge Router
LAN Core/Distribution - Default Route to PIX535 Inside Interface
All applications/services use this egress path for PAT/NAT/DMZ/VPN/Etc.
Here's what we are adding:
ISP 2 - with /24 IP Prefix
No BGP Routing
3925E Edge Router - Default Route to ISP 2
ASA5550 Firewalls (HA) - Default Route to Edge Router
Same connectivity to LAN Core/Distribution
Goals:
Maintain ISP 1 for now
Migrate only end user Internet traffic to ISP 2
No disruptions to applications/services using current DefGW to PIX535
Question: how to best use PBR to selectively direct traffic to the ASA inside interface?
Aug 23, 2011
I'm stuck with some NAT issues. I've got an 800-series router which connects to the internet via a PPP connection (dialer0). On the inside the router has 192.168.0.253/24 as IP address; the outside is negotiated with the ISP.
My mailserver has the ip address of 192.168.0.1 but with default gateway of 192.168.0.254 (primary internet connection). If I use plain NAT (ip nat inside source static tcp 192.168.0.1 25 interface Dialer0 80) the packets arriving on the mailserver do have a public IP address as source address.
Would it be possible to rewrite those packets (source address) so they have 192.168.0.253 as source address? This way the mailserver won't send the replies to its default gateway but back to the cisco router.
Oct 3, 2011
Any problem/issue with using 28VDC to power the 2811 router? The spec calls for a 24VDC power.
Aug 6, 2012
I was able to set up my router c819 with Verizon 3G but there is one minor thing: on the console it keeps saying:
Aug 7 21:04:30.067: %LINK-5-CHANGED: Interface Cellular0, changed state to reset
Aug 7 21:04:35.111: %LINK-3-UPDOWN: Interface Cellular0, changed state to down
Aug 7 21:06:18.423: %LINK-3-UPDOWN: Interface Cellular0, changed state to up
The interface Cellular0 is connected to the Verizon 3G network and I'm able to ping and get to the internet just fine. I did some research and some people said it was the access list. My ACL is below but I can't find anything wrong with it.
!
!
interface Cellular0
ip address negotiated
[Code].....
Feb 12, 2013
Q. Does the Supervisor 720 support all existing Cisco Catalyst 6500 series interface and services module, protecting customer investments?
Jan 10, 2012
I've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22
Inside Interface IP: 10.104.36.4 Mask:255.255.255.0
DMZ IP: 10.100.20.1 Mask:255.255.255.0
SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable
logging list email-alerts message 106100
logging mail email-alerts
logging from-address ASA@xyz.com
logging recipient-address tgw@xyz.com level debugging
May 10, 2012
Customer has a server which is located on the inside interface, and an outside interface connected to ISPA. Cu configured a static nat mapping the inside server address to an ISPA address. One day the customer installed a new outside interface to ISPB, and cu configured a new static nat, mapping the same inside server address to an ISPB address. The server will always be visited from the outside interface and reply. Customer wants traffic coming from ISPA to return to ISPA, and traffic coming from ISPB to return to ISPB. But I found it is difficult to implement this on ASA5580. I want to use route-map on static nat, but it will not satisfy the customer's request.
Jul 13, 2011
I have a problem. Customer has a server which is located on the inside interface, and an outside interface connected to ISPA. Cu configured a static nat mapping the inside server address to an ISPA address. One day the customer installed a new outside interface to ISPB, and cu configured a new static nat, mapping the same inside server address to an ISPB address. The server will always be visited from the outside interface and reply. Customer wants traffic coming from ISPA to return to ISPA, and traffic coming from ISPB to return to ISPB. But I found it is difficult to implement this on ASA5580. I want to use route-map on static nat, but it will not satisfy the customer's request.
Aug 14, 2011
I want to configure IEEE 802.1x port-based authentication on cisco switches, preferably 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on every one. I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.
Mar 25, 2013
I have a 2911 router connected to two different ISPs. Is it possible to route traffic based on what interface the traffic came in on first? Let's say I have the default route to use interface gig0/0 (ISP1), but a certain ip packet reaches the router by interface gig0/1 (ISP2). Is there any way (if possible without using source NAT) that I could route traffic back to that ip address using interface gig0/1? The source IP addresses are not fixed, so I can not use Policy Based Routing.
Jun 11, 2013
This is my first time configuring a cisco router. For instance, a cisco router 1700 with 2 ethernet WICs and 1 LAN port. We have 2 ISPs, one more stable than the other. We use an RDP session to an external host identified by, let's say, IP address 200.1.1.2, using ISP2 to get to this computer. We use ISP1 for all the internet usage, web pages, youtube etc. We are thinking of using this cisco router 1700 to do the packet filtering and routing of this RDP session to the correct ISP2, since we only have 1 NIC per computer on the LAN side.
The main idea would be:
| YES -----> ----------- then use ISP2
LAN---------> Are the packets RDP ?
| No--------> ----------- then use ISP1
Can this be achieved using packet filtering with extended ACLs, so that rdp (port 3389) packets are routed from the lan interface to the ISP2 WAN interface?
Jun 18, 2012
Can I do sub-interfaces on a cisco 891 or 881 series router? Do 1900 and 2900 series routers support sub-interfaces?
Nov 24, 2011
I have configured Cisco 870 router ATM interface with following configuration
interface atm 0
ip address public ip 255.255.255.254
ip nat outside
pvc 0/38
encapsulation aal5snap
no shutdown
But when I check the ATM interface it is still down and line protocol is down. How do I make it up and up so that internet service can be used? Also, I want to mention that the provider has also given a username and password for internet in their device. We want to replace that device with the router and are facing problems.
Oct 3, 2012
Does the Cisco 7600 Series SPA Interface Processor-600 (7600-SIP-600-DC) only support a single SPA, e.g. 1 x SPA-OC192POS-XFP?
The 10Gbps throughput on the 7600-SIP-600-DC and [URL] to show that this is the case.
May 3, 2011
Sure this is a simple one. New to the 1900 series routers, have a 1921 with IOS 15.1. Noticed that there is a standard interface labeled Embedded-Service-Engine0/0. What is the purpose of this? Cannot seem to find any detail on it. See extract from default config below.
Apr 13, 2013
I have autonegotiation disabled on my interface; what should the duplex setting be on the other end?
Router#sh run int Gi0/3/0
Building configuration...
Current configuration : 334 bytes(code)
Nov 1, 2011
I have to bridge 1400 series which in the virtual interface has CRC errors. I don't know the reason; maybe the link (point-point bridge) is misaligned.
Oct 30, 2011
Is there a router (1900-3900 series router) that will support a 100FX fiber connection? We used to use 2800-3800 and 2600-3700 series routers with an FX fiber interface; now these routers are no longer available and our need for 100Mbps FX is still a requirement.
Dec 19, 2009
We are facing an issue with a customer where a Cisco 4400 Series controller is blocking the 802.11a/n Radio Interface of a 1250 AP. The radio shows as down on the controller GUI. The error message on the GUI is that the 'Regulatory Domain' is not supported. This can be seen from the attached screenshot. Also relevant parts of the WLC configs are attached.
WLC: Cisco 4402 Wireless
WLC Country: SA
Device: Cisco Lightweight Access Point 1250 (LAP) is controlled through the 4402 Cisco Wireless LAN Controller (WLC)
The operating system version of the LAP: c1250-k9w8-mx.124-18a.JA version of the WLC: Software Version 5.2.178.0
The problem is that the controller shows that the 802.11a/n Radio Interface in Radio Slot # 1 is always down. The customer tried to manually 'no shut' the AP interface from the console and it worked, but obviously this solution would not work as the configuration cannot be saved (LW AP).
Jan 9, 2012
We have cisco 6500 series switches and configured port channel on both switches with 2 gig interfaces on both switches.
When we set the port channel mode to desirable on the interfaces on both sides and apply the port channel to the physical interfaces, the switch will go down, and if we remove it on any one side, the switch will come up. We have enabled globally the following commands. [code]