Cisco :: Evaluation Of ISE Using 2940 Switch Or ASA 5505 Firewall?
Mar 23, 2011
I have downloaded the 90-day ISE evaluation to a VMware platform. I have it successfully authenticating local user(s) onto a Cisco 2940 device (12.1 IOS). I am trying to follow a TrustSec design guide [URL], but my lab 2940 does not support many of the commands shown in this document. What I want to do is familiarise myself with, and demonstrate in the lab, the use of ISE to control access to the network using 802.1X and/or VPN access from remote VPN clients.
I'm trying to configure a 2940 switch to trunk. I just can't get it to work. On the interface I have added: switchport mode trunk. The default encapsulation for this switch is dot1q, so there is no need, or ability, to add/change the encap mode. Also, all VLANs are being allowed by default. I still can't get any port to trunk. I need to get G0/1 to trunk, and have also tried to trunk f0/6 to the switch in my office. Also, I can't find the command to change the management VLAN. I do not use VLAN 1 for management. Can I change the management VLAN on this switch?
I am trying to find out if it's possible to use an existing Cisco 2940 switch that we have here at our office as a hub. I'm sure that borders on insane; however, let me break down what we have currently and what I'd like to do.
We currently have a very nice setup here at work, with no problems whatsoever; however, we hired a new person and brought in some new printers and we are running out of wall jacks. Rather than run all new cabling and add new outlets/faceplates etc., we were just going to purchase a simple Netgear 5-port switch/hub from the local computer store here in town. We found in our server room what appears to be a fully functional and operational Cisco 2940 8-port switch with a Gigabit port.
All IPs in the office are assigned via DHCP, so... on to the meat of my question: I tried to plug this into our network and I can't get any connectivity out at all. All the ports light up green etc. when I plug in the computers, but they aren't pulling valid IPs.
I want to reset this thing and start from the ground up. I am not scared of going into the IOS and modifying what needs to be done... as long as I've got a good enough walkthrough.
I have a Cisco 2940 switch and a Cisco 1841 router. I want to build two different VLAN networks on the switch, which do not have to communicate with each other, but those VLANs should communicate with the router.
I read a lot of articles and tried to configure the switch and the router properly, but I still can't get them to work.
I set the GigabitEthernet 0/1 port on the switch to trunk mode and had to set a native VLAN on it. The problem is that I can only ping the router from that native VLAN.
Having an issue with two Cat 2940s; they have fiber 100Base-TX. When I added a new Cat switch (the second on the VLAN), the existing Cat switch drops the fiber connection.
I am setting up an ASA 5505 to be used as a firewall between a BT internet router (BTnet service) and a Cisco 3560 LAN switch. BT have presented me with a Cisco 3800 series router with the following details:
Network Address Network Mask BTnet NTE Router LAN Address
There are 2 GigabitEthernet ports on the back of the router. Port Ge0/0 is connected to the BT NTE and the status light is flashing green. Int Ge0/1 is connected into port int e0/1 of the ASA, but I am unable to get any connection.
I am connecting the inside interface to an upstream switch and therefore will need to assign a static IP address to the inside interface, as I did below:
#sho int ip brief
Vlan1    123.123.123.123    YES manual    up    up
I will also use this to manage the ASA. I am having a problem with the network configuration of the inside interface, as I can't ping the gateway and/or the IP of the inside interface. Do I need to add any routes?
I planned to create 5 VLANs in my Cisco 3560 switch. These 5 VLANs need to have internet access and need to access Site-B.
I will write one default route to the firewall in my Cisco 3560 switch. Does the ASA 5505 support this scenario? If it does, then how do I configure the ASA 5505 firewall?
I have a pair of 5505s in transparent mode and connected them to a C2960S. The inside interface (which is VLAN 5 on the switchport) keeps dropping, going into an error state. There is no log reference in the switch and the interface shows as UP. The standby ASA has no problem; both interfaces on the switch are up. As soon as I fail the units over, the active node's inside interface drops.
Can I configure the port on the ASA 5505 from mode: access port to trunk while the FW is running in a production area without console access? As far as I know, on the 5505 it should work?
I have a Cisco Catalyst 2940 switch, eight ports. Ports 1-4 are connected to a media converter A. Ports 5-6 and 7-8 go to two separate servers, B and C. Let's say I want traffic from B->5->1->A, then through some equipment (which just pushes the data) and back through A->2->6->C, without the data just recognizing a shorter path B->5->6->C and thereby skipping the equipment in between. Is this possible without a router? Ridiculous set-up? Yes, though the switch is the only means I have to connect to the media converter in this case.
I have this strange problem with my MacBook Pro: when I connect it to my Cisco 2940 8-port switch, I can reach my ISP (websites, e.g. google.com) for about 2 minutes, then something happens on my router, because suddenly I can't reach my ISP.
This is what I have found out so far:
1. When I lose connection to my ISP, I can only ping internal IP addresses, e.g. another computer in my network.
2. If I renew my IP address on the MacBook then it works again for 2 minutes, then the same happens again. This is my network setup:
Router -> Switch 1 -> Switch 2
I also know that it is not the MacBook, because it has got a new motherboard and it has been reinstalled; also, if I use the MacBook on another network then it works fine.
All my other computers (Windows and Linux) work fine, no problems.
To me it looks like it is a NAT and/or DNS problem, but I can't find out what it is.
I would like to install LMS 4.1 (EVAL-LMS-41), the evaluation one, and want to know the minimum and recommended requirements for a Windows machine.
I'm running LMS 4.0 as an evaluation and I'm only discovering 86 devices using the auto discovery. I've added a seed and, although it sees lots of neighbours on that seed, it only goes on to discover devices within a particular range. All the devices are set up the same way (standard config), so it should see them as well.
I know it has a limit on the number of managed devices of 100, and I could understand if it hit 100 and then stopped. We have around 500 devices in total (not including phones, DMPs, etc).
I've just added the seed, selected CDP as the discovery method and set the SNMP target as *.*.*.*. Is there anything else I should be doing?
I have two switches (sanitized configs attached) and I am trying to bond int gi0/1 and gi0/2 between the two. Then I need int gi0/3 back to the main LAN switches. These are new VLANs, 982 and 983, created for these switches. Question #1: do the configurations look correct? I haven't placed any laptops on the interfaces to test interconnectivity yet, but I am wondering if it will work with no default routes.
The admin team needs these switches at location A for setup, then they will be moved to location B. The only thing that sucks for me is that the network admin before me created gateway interfaces for all the local VLANs on a main router as subinterfaces. For example, for these two subnets, I need to create the subinterfaces below (at location A), which is why I gave the VLANs on the switches IP addresses.
interface GigabitEthernet0/0.982
 encapsulation dot1Q 982
 ip address 10.98.2.1 255.255.255.0
 ip flow ingress
 no cdp enable
 service-policy input mark-mplsqos-in
interface GigabitEthernet0/0.983
 encapsulation dot1Q 983
 ip address 10.98.3.1 255.255.255.0
 ip flow ingress
 no cdp enable
 service-policy input mark-mplsqos-in
When I move the subnet to location B, I will also move the gateway. These two switches will be used mainly for a VMware and hypervisor environment, so VLAN 982 is for the VMA network and VLAN 983 is for management. The admin tells me the software needs to tag the packets; I am not sure if I care, as the switches should handle that also.
I've set up a Cisco Secure ACS server 5.1 in VMware ESXi and everything seems to be working fine; however, under the options for Policy Elements > Authorization and Permissions > Device Administration > Command Sets there is a command called "DenyAllCommands" that was there when I first installed the ACS. Is there any way to remove this? When I try to remove it I get an error that it can't be removed or modified. I'm writing a report on the Cisco ACS for university; if this is a limitation of the evaluation licence I will need to reference it. If this is a limitation, please provide a link to a Cisco page that confirms this.
Cisco released Cisco Prime LMS 4.1 in Aug. 2011. I downloaded LMS 4.1 from Cisco and installed it, but LMS 4.1's evaluation license expiry date is Oct. 28 2009. So my license had already expired after I installed LMS 4.1.
We have installed an evaluation version of CiscoWorks LMS 4.0.1. Now we have purchased a license, but the evaluation period is over and I can't start the application anymore. Is there any possibility to install the license file after the evaluation period?
I want to turn on EIGRP functionality on my layer 3 3750 stack. I noticed I was only running an IPBASE license. When I do "show license all" I notice I have an evaluation of the IP SERVICES image (see output below). Can I use this evaluation license? Would it be the same as the full license or would it have limited functionality? Also, how do I make it the active license?
Q9-Switch#sh license all
License Store: Primary License Storage
Store Index: 0  Feature: ipbase  Version: 1.0
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted
License Store: Evaluation License Storage
Store Index: 0  Feature: ipservices  Version: 1.0
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
            Evaluation total period: 8 weeks 4 days
            Evaluation period left: 8 weeks 4 days
        License Priority: None
        License Count: Non-Counted
I have 50 SSL Premium licenses on my ASA 5520 running 8.4. I want to run AnyConnect on iPad and iPhone devices, but it seems that this requires a Mobile license on top of the Premium license. Is it possible to receive an evaluation license for this? It will take a few days to receive permanent licenses and I want to use this now.
I have a D610 laptop with integrated Bluetooth and Wi-Fi. "The evaluation period has expired. Please obtain a license for this version of Bluetooth Stack for Windows by Toshiba."
I called Gold Support last week and was asked to download/install the driver from the support downloads site and then download/install the patch as well. The Bluetooth manager does not come up when this popup shows.
Any known issues connecting an ASA to a Juniper switch?
We have a remote site where we have an ASA 5505 installed and set up running EzVPN. We do not have control of/access to the internet connection or the internal infrastructure. We basically have an office within their building. Our ASA has one of their external IP addresses and is connected to their Juniper switch. Our PCs/printers are patched to another Juniper switch which is uplinked to our ASA. The issue we are having is that the connection is intermittently dropping: we cannot ping the PCs/printers at the remote site through the VPN tunnel, but we are still able to ping the external IP address of our remote ASA. The strange thing is that we cannot manage the ASA via SSH or ASDM using the outside interface, but can ping it when this occurs. For the most part the VPN tunnel does not drop when we check the sessions at the headend, although it occasionally will.
We were having a discussion of IOS firewall vs. ASA for smaller clients (less than 50), on using IOS firewall (ZBF or CBAC) versus an ASA 5505/5510. One of the arguments brought up for using IOS firewall on the router is that a router will do IP SLA failover. I have configured a number of ISRs for this and I know it works well.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 VLAN in our environment. We have three switches behind the firewall. Today the uplink on the switch to Interface 1 on the firewall went bad. I want to set up a second inside interface on the firewall and configure it as failover in case this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? Would it only be a passive/standby interface?
I'd like to see some real-life comparisons of ASA firewall throughput (a bit like this one for ISR G2 routers: [URL]).
The reason I ask is that I recently upgraded a firewall from an ASA 5505 to an ASA 5520 on a small network where the only outside connectivity was a single 10 meg Internet circuit with an IPsec VPN (not landed on the firewall but on a router) to another site.
When I swapped out the firewall the users noticed a big improvement. The firewall is not doing anything out of the ordinary: no IPS or VPN, just standard stateful inspection.
I have been working with the ASA 5510, 5520, 5540 and 5580, but not with the 5505; its VLAN and interfaces are quite confusing. I just want to know how it works and its connectivity to a Cisco switch. Do I have to put the interface of the switch in the same VLAN as the interface VLAN I am creating in the firewall? Should the switch port connecting to this Eth1 interface also be in the same VLAN, i.e. VLAN 3, or will it be a trunk? The default configuration shows Eth0 with no access VLAN and interface Eth1 with access VLAN 2. Does it mean Eth0 is in VLAN 1 (native VLAN)?
I have a Cisco ASA 5505 firewall. Is it possible to block secure websites with it, like [URL]? I have already tried regular expression filtering, but it filters only HTTP traffic.
I am trying to configure our ASA 5505 so that our users can access our FTP site using [URL] while inside the firewall. Our FTP site is set up so that you can reach it by either browsing to the above URL or by browsing to ftp://99.23.119.78, but we are unable to access our FTP site from either route while inside the firewall. We can access our FTP site using the internal IP address of 192.168.1.3.
Here is our current configuration:
Result of the command: "show running-config"
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
enable password qVQaNBP31RadYDLM encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif ATT
 security-level 0
 pppoe client vpdn group ATT
 ip address pppoe setroute
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
object-group service DM_INLINE_TCP_1 tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq www
access-list ATT_access_in extended permit tcp any host 99.23.119.78 object-group DM_INLINE_TCP_1
access-list ATT_access_in extended permit tcp any interface ATT eq ftp
access-list ATT_access_in extended permit tcp any interface ATT eq ftp-data
access-list ATT_access_in extended permit tcp any interface ATT eq www
access-list 100 extended permit tcp any interface ATT eq ftp
New to the ASA 5505 8.4 software version, but here is what I'm trying to do:
- Single static public IP: 16.2.3.4
- Need to PAT several ports to three separate servers behind the firewall
- One server houses email, PPTP server, FTP server and web services: 10.1.20.91
- One server houses DRAC management (port 445): 10.1.20.92
- One server is the IP phone server using a range of ports: 10.1.20.156
Basically, I need to PAT the ports associated with each server to the respective servers behind the ASA 5505. Is anything missing from this config? Do I need to include a global policy for PPTP and SMTP?