Cisco :: Licensed Host Limit Of 10 Exceeded?

Sep 28, 2011

I thought that in the past I had problems with my ASA5505 because I had to reboot a number of times; now that I have logging enabled I can see the following: - Deny traffic for protocol 17 src inside, licensed host limit of 10 exceeded. Does this mean that I cannot have any more than 10 inside hosts going out of the outside interface at any time? If not, what does this mean and how can I solve it?

Cisco :: ASA 5505 Licensed Limit For SSH Sessions?

Sep 11, 2011

I have the default license for an ASA 5505 and this last Friday I received the attached log for SSH sessions through this firewall; we want to be clear about this issue. Does this limitation have to do with the 10 Inside Hosts or the Total VPN Peers limitations in this license? This firewall exists only to agree with a PCI requirement between our router and a communication with a Payment Card Industry Brand, all of this in the same site.
 
ASA5505 <164>Sep 09 2011 10:42:08: %ASA-4-450001: Deny traffic for protocol 6 src DMZ:X.X.X.X/2479 dst DMZ1:X.X.X.X/22, licensed host limit of 10 exceeded.
 
I hope that communications through TCP port 22 are not counted for license purposes.
  
Licensed features for this platform:
Maximum Physical Interfaces  : 8
VLANs                        : 3, DMZ Restricted
Inside Hosts                 : 10
Failover                     : Disabled
VPN-DES                      : Enabled

[code]....

Ping - Destination Host Unreachable And Time To Live Exceeded

Oct 17, 2011

When do we get Destination Host Unreachable and Time to Live Exceeded while trying to ping?

From 10.1.1.1 icmp_seq=2 Destination Host Unreachable
From 10.1.1.1 icmp_seq=4 Destination Host Unreachable
From 10.1.1.1 icmp_seq=7 Destination Host Unreachable

Cisco Firewall :: ASA 5505 10 Host Limit?

Feb 26, 2013

I updated an ASA 5505 to 50 users, but I still can only connect 10 hosts. In Licensing it shows 50 inside hosts. I also tried to update to ASA 8.4.5 but that did not work.

Cisco Firewall :: ASA 5510 How To Limit Icmp To Just Single Host

Nov 1, 2012

I am working on an ASA 5510 on 8.4 IOS and need to know how to limit icmp to just a single host. What I would like to do is be able to PING from the Inside interface 10.X.X.X to host 4.2.2.2 on the Outside, but that's it; no other host would be PINGable. I tried MANY different access-list statements but the only way I can get icmp out and working is using the "fixup protocol icmp", but then everything is PINGable and the ASA does not block anything.

Cisco VPN :: DS3 - Limit Number Of Active IPSec Connections Per Host

May 18, 2011

I have a hub and spoke network with over 100 remote sites that connect to me via ipsec vpn. One of these locations, the only one using FIOS coincidentally, is initiating 200+ tunnels back to my side, which is causing saturation issues on my DS3 (I can post config if requested). How can I limit the number of active tunnels it's establishing?

Cisco Firewall :: Pix515e Ethernet 3 / 4 And 5 Not Licensed

Sep 8, 2012

Why are Ethernet 3, 4 and 5 not licensed here?

Cisco Application :: ACE 4710 / Verify How Much Licensed Features Are Used

Mar 14, 2012

Is there a way to verify how much of the licensed features is used, and whether the usage is far from or near the limit?

Cisco Switching/Routing :: WS-C3750X-48T-S / IP BASE Licensed Connected As Stack

Mar 15, 2013

I have two WS-C3750X-48T-S switches which are "IP BASE" licensed and connected as a stack. I need to use Policy Based Routing (PBR) to direct VLANs to two different gateways, and the command "ip policy route-map" is supported only in the C3750-IPSERVICES license. Do I need to upgrade only the master switch with the Cisco IOS IP Services - product upgrade license (Mfg. Part#: L-C3750X-48-S-E), or do both switches need to be upgraded?

Cisco WAN :: Allow Exceeded MSS On VPN Router 881

Jul 26, 2012

Branch office has 881 VPN router. Services that ignore MSS in packets don't work. Adjusting MSS has no effect since the services are ignoring that setting. Example: www.google.com works fine, but some Yahoo sites don't. Found a workaround for exceeded MSS for PIX and ASA (link below), but can't find anything for VPN routers.

Cisco WAN :: 881 Allow Exceeded MSS On VPN Router?

Jun 3, 2013

Branch office has 881 VPN router. Services that ignore MSS in packets don't work. Adjusting MSS has no effect since the services are ignoring that setting. Example: www.google.com works fine, but some Yahoo sites don't.
 
Found a workaround for exceeded MSS for PIX and ASA (link below), but can't find anything for VPN routers. url...

Cisco WAN :: 1841 / How To Test ICMP Time-exceeded

Oct 28, 2012

I had a client request to block ICMP requests on their 1841 WAN link. I've got ACL hits for ACE 170 but not for 171.
 
How do I test or simulate ICMP time-exceeded? Is this TTL related, and is there a DOS command or any way to produce a ping packet with a lower TTL count that would hit the ACL log? Below is the config.
 
interface FastEthernet0/0
 ip address 202.42.x.y 255.255.255.252
 ip access-group IDS_Fastethernet0/0_in_0 in
ip access-list extended IDS_Fastethernet0/0_in_0

[code]....

Cisco VPN :: Pix 515e - Remote Host Cannot Ping Any LAN Host

Jun 27, 2011

I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host. The VPN IP pool works fine. The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it. The default route on the PIX points out; no other routes are defined. The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface.

Cisco VPN :: ASA 5510 Ping / Communication Host To Host

May 7, 2012

ASA 5510
Ver 8.2(5)
 
I have been looking all over the place for the answer of how to allow clients on an IPSEC VPN to ping from host to host.

Cisco Wireless :: 5508 Max EAPOL-key M5 Retransmissions Exceeded For Client

Feb 21, 2012

I have had several complaints from around the firm whereby mobile devices are being bumped off the PSK secured network (all other SSID networks are operating A-OK). Both Android and iPhone devices are being affected; the device will just loop until it reconnects, sometimes up to 20 minutes of trying to establish a connection. It will eventually connect so the key is not the issue. I've attached a debug of a device which fails to connect and then shortly after is successful.
 
Controller 5508 v7.0.116.0
AP 3502i IOS 12.4(23c)JA2

Cisco WAN :: 7600 Hardware TCAM Entry Capacity Exceeded

Nov 30, 2011

I am seeing the following log messages appear on our border edge 7600 router (SUP720-3BXL). The messages seem to appear when tag switching has been enabled on the interface, so somehow related I presume. The MPLS forwarding table is very small however. [code]
 
I can't see anything that is using up the ACL_TCAM HI BANK using "show tcam global acl". There aren't any ACLs applied to any of the interfaces, or policy-maps. The only ACLs in use are for SNMP, ntp, and VTY. These are very small anyway. Interface Gi1/22, and 1/1 have tag switching enabled. [code]
 
The router has a full BGP routing table learned via an upstream (EBGP) peer neighbor, and an IBGP peer. The CPU utilisation seems fine, as is memory usage. CEF seems to be running okay. It's currently running [code] Are prefix lists part of TCAM? Is the router over-resourced holding a full bgp routing table?

Cisco AAA/Identity/Nac :: ACS 5.1 Managed Device Count Exceeded Error

Jul 6, 2010

I've just installed ACS 5.1 and noticed that it seems to count managed devices differently than previous versions.
 
I have a 500 count license which should be fine as I have about 100 devices which will use ACS for TACACS. On ACS 3.x and 4.x, I would set up AAA clients by using a wild card for the subnets that host our routers/switches, say 192.168.1.0/24, 172.16.1.0/24 and 10.1.1.0/24. When I do this with ACS 5, I get a Managed Device Count Exceeded error message because of the potential of more than 500 AAA clients. It seems to be counting every IP address in the subnet as a managed device, even if there are only a handful actually in use. Is there a way around this short of having to manually enter (and maintain) the exact IP address of every managed switch and router which will use the ACS server for TACACS?

Can Pure IPv6 Host Ping A IPv4 Host?

Feb 10, 2011

I'm just wondering if it's possible to ping an IPv4 host using the IPv6 host, assuming that the NAT64 has already been implemented?
[code]...

Cisco Firewall :: The Number Of ASDM Sessions Has Exceeded 5 On ASA5520 Running

Feb 22, 2011

I have an ASA 5520 running version 8.2(1) and I am having an issue with ASDM sessions. I can SSH into the ASA and have tried to clear the sessions but they do not clear as per below.
 
largoGW# sh asdm session
0 dguselnx
1 dguselnx
2 dguselnx
3 dguselnx
4 dguselnx
largoGW# confi t
largoGW(config)# asdm disconnect 0
largoGW(config)# asdm disconnect 1
largoGW(config)# asdm disconnect 2
largoGW(config)# asdm disconnect 3
largoGW(config)# asdm disconnect 4
largoGW(config)# exit
largoGW# sh asdm session
0 dguselnx
1 dguselnx
2 dguselnx
3 dguselnx
4 dguselnx
largoGW#

An interesting point: the host dguselnx is my linux based computer that I am using to SSH to the ASA. I do not connect via ASDM from this device so it is strange that the hostid for the asdm sessions is showing as my linux host and not my Windows laptop (that I am trying to connect via ASDM from).

Cisco Switches :: SG300-28 Doesn't Respond With ICMP-11 Time Exceeded

Jun 20, 2012

I've just installed an SG300-28 (v01) switch configured in layer 3 mode with 1.0.0.27 firmware. It's working just fine except that when running a traceroute across the switch, it does not respond with an ICMP-11 time exceeded packet. Does this behavior persist in the current 1.2.5 firmware?

Cisco Switching/Routing :: 7606 / Netflow TCAM Threshold Exceeded

Nov 6, 2011

following errors.
  
Nov  7 21:34:50: %EARL_NETFLOW-SP-STDBY-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [99%]
Nov  7 21:44:44: %EARL_NETFLOW-SP-4-TCAM_THRLD: Netflow TCAM threshold exceeded, TCAM Utilization [91%]
  
I've already found these kinds of cases in this community. So, it seems that changing the current configuration to 'mls aging fast threshold ## time ##' is most suitable in our situation. But I don't know how to calculate the apt threshold value and time value.
 
[1] sh run | in mls
mls ip multicast flow-stat-timer 9
mls flow ip interface-full
no mls flow ipv6
no mls acl tcam share-global
mls cef error action freeze

[code]....

Cisco AAA/Identity/Nac :: ACS 5.1 View Application Exceeded Its Maximum Allowed Disk Size

Apr 6, 2011

This is the error message I am getting on our ACS 5.1 appliance - is there any way to purge the database or compact the file?

Limit The Bandwidth Limit To The Guests?

Oct 28, 2012

I am planning to buy a router for my hotel and I would like to know: is it possible to limit the bandwidth limit to the guests? And the admin computer can utilize the maximum speed? Is it possible to create a login page when someone enters my wifi connection?

Cisco :: DMVPN With OSPF Area Router Limit And Per-area Limit?

Oct 31, 2012

Need to know the best OSPF design. I have a customer currently running their OSPF in only two areas. Area 0 resides with the provider, and area 1 holds over 700 hundred routers, including the HQ router and remote branch routers connecting to metro-E 10Mbps networks. Does this design have any weakness? About 800 hundred routers reside in area 1; the HQ model is a Cisco router 7200 and the remote end is a Cisco router 1841. Let's say they want a solution for 3G remote routers to connect back to the HQ using a leased line with a fixed IP, using DMVPN and OSPF communicating back to HQ. What should we be aware of when designing and implementing OSPF best practice? They have over 700 hundred remote branches that need to terminate back to their HQ. I read Cisco recommends an area should not be more than 50 routers and per-area no more than 28 area.

Download Allowance Status - Usage Has Exceeded Download

Dec 13, 2012

I get on-line, and the internet all of a sudden starts to show that I've downloaded my limit of 250MB. Now, I am on Hughesnet for internet service, cannot get on DSL, won't happen, already asked. Now, I am running a router, the only way my wife and son can access the internet. They have laptops with Windows 7 and built-in wireless cards. I have a desktop with Windows 7. My updates are scheduled in the morning hours about 5AM so there is no reason for the computer to update. Same goes for my wife and son, theirs are set for early morning hours as well. I get an error message as soon as I click on my webpage that I want to browse, Internet Can Not Display The Webpage or something to that effect.

Cisco :: ACL To Block One Host From Another?

Oct 31, 2012

I am learning to write ACLs along with a billion other Cisco things. The internet is not clear on how to do this exactly. At least in my research.

I have two hosts on the same subnet and I want to block all except RDP TCP port 3389 from one host to another.

I want to apply that Access-group to a switchport interface on my 3750 that belongs to the computer I want to protect from the other.

Host A: 10.1.1.10/24 -- I need to block all TCP and UDP traffic except for port 3389 TCP

Host B: 10.1.1.60/24 -- I need to allow only TCP port 3389 from Host A to this one.

This is on the same switch so I can use an extended ACL like 101 or whatever.

This is almost starting to make sense to me but I'm still weak on extended ACLs. I got the basics down pretty well.

Cisco WAN :: 871 Can't Ping From Host

Jun 30, 2012

I'm going through the CCNA training and I'm setting up my DHCP server on my 871 router. I have my cable modem into the WAN port on my router and have 1 host plugged directly into Fastethernet 1. I can ping any IP I want from the IOS prompt but I only have local access from the host. [code]

Cisco :: Can't Ping From Outside To The (online Host) PC

Aug 26, 2012

I tried to ping from the "online host" PC to the outside, and it succeeded. However, I can't ping from outside to the "online host" PC.

Cisco :: How To Locate APIPA Host

Jan 25, 2013

I'm receiving a lot of logs on my FW about hosts that cannot receive a correct IP address and get APIPA addresses (169.254.x.x).

Is there a way to locate them on the network? From my core switch I cannot see them.

Cisco :: Can't Ping From ASA To Host In GNS3

Apr 24, 2012

I tested all devices using the ping command. From ASA to router was fine (on both interfaces) but not to Host, and host to router was fine, but only on the direct interface (F1/0), and to ASA was not successful. Am I missing something in my configuration?

Cisco :: Can't Ping From Inside To Outside Host?

Jul 6, 2011

configure my Cisco ASA5510 (asa version 8.3.1) so that one of the hosts (e.g. 192.168.8.20) behind management interface can ping to the other host (e.g. 192.168.2.246) behind OUTSIDE interface. I tried modifying the ACLs, NATs and ICMP statement, but still failed. [CODE]

Cisco Firewall :: Two Host With Same Nat On ASA 5505

Mar 22, 2011

I have 2 web servers that replicate between them (two different internal IPs). My idea is that if one of them does not work, the other does the relay. I have a Cisco ASA 5505; I can do a NAT for each machine. How should I set it?

Cisco VPN :: Create A VPN Between 2 Host With 2811 And NAT?

Jan 12, 2012

I want to create a VPN between two PCs (the server "Data" and "Remote Desktop"; check the topology below). The router Clabeck (Cisco 2811) is connected to the internet through int f0/0 using a PPPoE connection and connects all the LAN PCs by PAT to the internet (you can see all the configurations in the Show Run below). The "Remote Desktop" is any PC with an internet connection.
 
F0/1                         F0/0
DATA--------------------SW-------------------ROUTER(Cisco 2811)---------------------INTERNET---------------REMOTE DESKTOP
192.168.1.51                                192.168.1.254              201.122.53.177                                                       192.168.1.1
Current configuration : 2116 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec

[code]....

Copyrights 2005-15 www.BigResource.com, All rights reserved