2950C Unable to ping destination port in monitor session

I have 2 Pix firewalls and a web filtering server running Surfcontrol. In order for Surfcontrol to filter web usage it has to see the traffic being sent to the firewalls. I have created a monitor session and have used the firewall ports as the source with transmit and receive, and the web filter server as the destination. However, when I do this I am not able to ping the web filter server. The web filter is unable to function, i.e. block websites based on the rules that we have set up, if the destination port is unable to send packets to internal workstations.
Is there anything I can do to allow the destination port to be able to send packets to internal workstations?

Hi Friend,
When you configure a SPAN destination port, that port will just work as a monitoring port and will not work for general network traffic.
If you do "sh int" you will see line protocol down (monitoring).
Now if you want that port to monitor as well as take part in the normal network, you have to enable ingress traffic on the destination port:
"monitor session session_number destination interface interface-id [ingress vlan vlan id]"
Check this link for more details
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12119ea1/2950scg/swspan.htm#1218090
HTH
Ankur
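
One way to check a saved running-config for the condition described in the answer above, as an added example that is not part of the original thread: it lists SPAN destination ports that lack the ingress option and so only receive mirrored traffic. The sample config, interface names and VLAN numbers are constructed; the parser assumes the `monitor session ... destination interface ... [ingress vlan ...]` form quoted in the thread and the matching `source interface` form.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config; hostname, interfaces and VLANs are invented.
SAMPLE_CONFIG = """\
hostname lab-2950
!
monitor session 1 source interface Fa0/1 both
monitor session 1 source interface Fa0/2 both
monitor session 1 destination interface Fa0/24
monitor session 2 source interface Fa0/5 rx
monitor session 2 destination interface Fa0/23 ingress vlan 1
!
interface FastEthernet0/24
 description web filter
"""

SRC_RE = re.compile(
    r"^monitor session (\d+) source interface (.+?)(?: (both|rx|tx))?$")
# Everything after the destination interface is kept as free-form options.
DST_RE = re.compile(
    r"^monitor session (\d+) destination interface (\S+)(.*)$")
# Tolerates an extra keyword between "ingress" and "vlan".
INGRESS_RE = re.compile(r"\bingress\b.*?\bvlan (\d+)")


@dataclass
class SpanSession:
    number: int
    sources: List[Tuple[str, str]] = field(default_factory=list)
    destination: Optional[str] = None
    ingress_vlan: Optional[int] = None


def parse_sessions(config: str) -> Dict[int, SpanSession]:
    """Collect SPAN sessions from the text of a running-config."""
    sessions: Dict[int, SpanSession] = {}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # normalise indentation and spacing
        m = SRC_RE.match(line)
        if m:
            num = int(m.group(1))
            session = sessions.setdefault(num, SpanSession(num))
            # With no direction keyword, both directions are mirrored.
            session.sources.append((m.group(2), m.group(3) or "both"))
            continue
        m = DST_RE.match(line)
        if m:
            num = int(m.group(1))
            session = sessions.setdefault(num, SpanSession(num))
            session.destination = m.group(2)
            ingress = INGRESS_RE.search(m.group(3))
            session.ingress_vlan = int(ingress.group(1)) if ingress else None
    return sessions


def monitor_only_destinations(config: str) -> List[Tuple[int, str]]:
    """Return (session, interface) pairs whose destination port has no
    ingress option, i.e. ports that cannot send or be pinged."""
    return sorted(
        (s.number, s.destination)
        for s in parse_sessions(config).values()
        if s.destination is not None and s.ingress_vlan is None
    )


def ingress_command(session: int, interface: str, vlan: int) -> str:
    """Build the destination command in the form quoted in the answer."""
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    return (f"monitor session {session} destination interface "
            f"{interface} ingress vlan {vlan}")


if __name__ == "__main__":
    for num, port in monitor_only_destinations(SAMPLE_CONFIG):
        print(f"session {num}: {port} is monitor-only")
        # VLAN 1 here is a placeholder; use the VLAN the device must reach.
        print("  candidate fix:", ingress_command(num, port, 1))
```
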

Similar Messages

  • Monitoring destination port - port buffer overflow risk?

    Hi All,
    On a 6506-E I am using local span (the simplest version).
    There is a possibility that 2Gb/s is duplicated to a 1Gb/s monitor destination port. Of course 50% of the traffic will drop, due to lack of bandwidth on the monitor destination port.
    Environment(simplified):
     Cisco 6506-E
     24 x 1Gb/s SFP ports (WS-X6824-SFP)
     IOS release 15.1(1)SY1
    The case is, dropping packets is no issue on the monitor destination port. However, critical production traffic is also active on the same module, a WS-X6824-SFP (24 SFP ports).
    This results in two questions:
    -Are the output buffers on the WS-X6824-SFP shared among all 24 ports?
    -If so, can the oversubscribed monitor destination port use the largest portion of this shared buffer on the interface module?
    Thanks in advance for any input on this.
    Kind regards,
    Joris

    Because some VIs are missing, I cannot run your code. Among the large number of GET HTTP VIs, do you know which one is responsible for the error, and is it always the same one?
    The error returned concerns the serial port; what is the configuration of its input/output buffers (visible in the device manager)?
    Regards,
    Vincent.O
    National Instruments France

  • ASA5520 AnyConnect SSL VPN Connected but unable to ping my inside LAN

    Hi there, please forgive if I have missed any forum protocols as this is my first post.
    I am trying to configure Anyconnect SSL VPN. I am able to connect to the VPN on a laptop, which is able to download the anyconnect client from the ASA. I am unable to ping any of my IPs that are on the inside of my ASA. Before posting here I have spent many hours on forums and watching videos on anyconnect SSL VPN creation and I am following it to the T but still no ping. Any help would be very much appreciated.
    Inside              192.168.1.254/24
    Outside           dhcp
    VPN Pool        192.168.250.1-50/24
    Inside LAN     192.168.1.0/24
    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.128
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool vpn_pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,any) source static any any destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25 no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable 4433
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_anyconnect internal
    group-policy GroupPolicy_anyconnect attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client ssl-clientless
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username test password JAasdf434ey521ZCT encrypted privilege 15
    tunnel-group anyconnect type remote-access
    tunnel-group anyconnect general-attributes
    address-pool vpn_pool
    default-group-policy GroupPolicy_anyconnect
    tunnel-group anyconnect webvpn-attributes
    group-alias anyconnect enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:24bcba3c4124ab371297d52260135924
    : end :

    : Saved
    ASA Version 8.4(4)1
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address dhcp setroute
    interface GigabitEthernet0/1
    nameif inside
    security-level 99
    ip address 192.168.1.254 255.255.255.0
    interface GigabitEthernet0/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    shutdown
    no nameif
    no security-level
    no ip address
    interface Management0/0
    nameif management
    security-level 99
    ip address 192.168.100.1 255.255.255.0
    ftp mode passive
    dns server-group DefaultDNS
    domain-name dock.local
    same-security-traffic permit inter-interface
    object network inside-network-object
    subnet 192.168.1.0 255.255.255.0
    object network management-network-object
    subnet 192.168.100.0 255.255.255.0
    object network NETWORK_OBJ_192.168.250.0_25
    subnet 192.168.250.0 255.255.255.0
    object-group network AllInside-networks
    network-object object inside-network-object
    network-object object management-network-object
    access-list inside_access_in extended permit ip any any
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu management 1500
    ip local pool Anyconnect-pool 192.168.250.1-192.168.250.100 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-647.bin
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic AllInside-networks interface
    nat (inside,outside) source static inside-network-object inside-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    nat (inside,outside) source static management-network-object management-network-object destination static NETWORK_OBJ_192.168.250.0_25 NETWORK_OBJ_192.168.250.0_25
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 192.168.100.2 255.255.255.255 management
    http 192.168.100.0 255.255.255.0 management
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.0 inside
    ssh 192.168.100.0 255.255.255.0 management
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    management-access inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
    webvpn
    enable outside
    anyconnect image disk0:/anyconnect-win-3.1.03103-k9.pkg 1
    anyconnect enable
    tunnel-group-list enable
    group-policy GroupPolicy_Anyconnect_VPN internal
    group-policy GroupPolicy_Anyconnect_VPN attributes
    wins-server none
    dns-server value 8.8.8.8
    vpn-tunnel-protocol ssl-client
    split-tunnel-policy tunnelall
    split-tunnel-network-list value split_tunnel
    default-domain value dock.local
    username sander password f/J.5nLef/EqyPfy encrypted
    username aveha password JA8X3IiqPvFFsZCT encrypted privilege 15
    tunnel-group Anyconnect_VPN type remote-access
    tunnel-group Anyconnect_VPN general-attributes
    address-pool Anyconnect-pool
    default-group-policy GroupPolicy_Anyconnect_VPN
    tunnel-group Anyconnect_VPN webvpn-attributes
    group-alias Anyconnect_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    call-home
    profile CiscoTAC-1
      no active
      destination address http
    https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email
    [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:4636fa566ffc11b0f7858b760d974dee
    : end:

  • "Unable to determine destination partition, disk or drive" when Media deployment is used

    We are heavy users of MDT 2013's "media" deployments -- in fact, once we finish testing a new image build on our lab server, media is created and is the sole method we use to deploy new systems due to many limitations.
    We ran into the following issue lately when using USB sticks or hard drives for our deployment media. Deployment of an OS image fails at the "Inject Drivers" stage. The hard disk inside the computer is formatted properly, but the TS fails with the error "Unable to determine destination partition, disk or drive".
    I dug into the logs, and it appears that "Inject drivers" does a check for where the \Drivers folder should be placed. The problem is that most USB hard disks and many higher-end USB sticks show up as "hard drives" rather than "removable media" when plugged into the machine. Adding another physical disk that appears as a fixed disk with an NTFS partition apparently confuses MDT and you get this error message. I think any "ReadyBoost enabled" USB stick has to show up on the system as a fixed disk rather than removable, so if you use these you might have this problem.
    The only workaround is to explicitly specify the disk number and partition number to use when you invoke "Install Operating System." The drivers step must take this information when determining where to put the driver store.
    Is there any other explanation for why this would be happening? We're stuck with media deployment for the foreseeable future, and until Microsoft fixes the problem with handling of split WIM files, we have to use NTFS formatted disks/sticks...this might be making it harder for the MDT logic to determine where to put the OS.

    MDT should be smart enough to know that it should skip USB drives.
    However, if you have a USB 3 Hard Disk (not a USB Flash Disk), that might be the problem.
    1. Try using only Flash Drives.
    2. Try plugging the USB Hard Drive into a USB 2.0 port.
    3. Additionally, try not to use USB Hard Drives that are *Larger* than the internal hard drive.
    If you still have problems, can you copy your Bdd.log file to a public site like OneDrive and share the link?
    Keith Garner - Principal Consultant [owner] -
    http://DeploymentLive.com

  • Unable to ping IP address from SG300 -10p switch

    I have two core switches; we have configured VLAN 70 in both core switches.
    sh run int vlan 70 --ip address: 182.94.177.34/28
    Configured HSRP in both routers.
    We have configured a port in VLAN 77 in the access switch 4507R-E, and we are able to ping the IP address.
    Again, we have installed one Cisco SG300 10p switch cascading to the Cisco 4507R-E access switch.
    We have given the below commands:
    Switch management IP:
    switch38cbaf(config)#int vlan1
    switch38cbaf(config-if)#ip address 124.4.67.47 255.255.255.0
    switch38cbaf(config)#vlan database
    switch38cbaf(config-if)#vlan 70
    switch38cbaf(config)#int gigabitethernet1
    switch38cbaf(config-if)#switchport mode access
    switch38cbaf(config-if)#switch access vlan 77
    Trunk Configuration
    switch38cbaf(config)#int gigabitEthernet9
    switch38cbaf(config-if)#description << Trunk | connected to access switch 4507R-E | Fa4/1 >>
    switch38cbaf(config-if)#switchport mode trunk
    switch38cbaf(config-if)#switchport trunk allowed vlan 77
    Problem:
    I have assigned the IP address 182.94.177.44 to our desktop and connected it to port Gi1.
    I am able to ping the 182.94.177.33, 34 and 35 IP addresses but unable to ping 182.94.177.44.

    Some things to check/verify -
    a) is there a typo in your configuration above, i.e. you have created vlan 70 according to your configuration but the actual vlan you are using is vlan 77
    b) does the trunk link between the access 4500 and the core switch allow vlan 77
    c) try pinging from the client and not to it as there may be a firewall on the PC.
    Jon

  • WRT54G Incoming Log Destination Port 520

    I am trying to understand why an [Incoming Log Table] entry that recurs, i.e. in the page that presents itself when I navigate to the [Administration] Panel / [Log] Tab, and then click the [Incoming Log] button:
    =================================
    Incoming Log Table
    Source IP = 178.33.xxx.yyy
    Destination Port Number = 520
    =================================
    After I clear the Log (i.e. turn it off, save settings, turn it on again, save settings) the entry will reappear after a few days.
    I have never seen any other incoming log entry.
    Since it has been pressed into service several years ago, my WRT54G has been configured to block any and all incoming connections. The settings as they continue to appear (under the [Security] Panel / [Firewall] Tab) are:
    =================================
    Checked (Yes) = [Block Anonymous Internet Requests]
    Checked (Yes) = [Filter Multicast]
    Checked (Yes) = [Filter Internet NAT Redirection]
    Checked (Yes) = [Filter IDENT (Port 113)]
    =================================
    I continue to have disabled all port forwarding, port triggering, the DMZ, and QoS, via the applicable tabs under the [Applications & Gaming] Panel. The WRT54G continues to be configured to operate as a Gateway (via the [Settings] Panel/[Advanced Routing] Tab). No static routes are defined. The routing table show four entries, none of which are remarkable or match in anyway the partial address identified above.
    So I am under the impression that my WRT54G should be ignoring everything from the WAN-side.
    Even pinging the WAN-side of my router from the outside internet times out.
    My WRT54G ver 6 is at firmware level 1.02.8, which, as far as I can tell is the latest issued by Cisco.
    I am completely perplexed how such a connection is being established, and do not know if it is or has the potential of causing any harm. My own research indicates port 520 is typically used for RIP protocol, but I have almost zero knowledge of such.
    I certainly appreciate any elucidation.
    My thanks for your attention.

    bonski wrote:
    Forgive me if I seem flippant, but I am not sure what kind of "glitch" you are looking to correct. If performing a factory reset procedure were already known to correct a specific problem, then I would seriously consider it. If performing a factory reset did not run the risk of injecting more problems through the process of having to redo firmware updates and settings, then I would seriously consider it. I am truly seeking insight into understanding the nature of the symptoms, and why they may be occurring. I am not looking for trial and accidental success.
    Thank you for your thoughts.
    Hi bonski,
    The log means that the IP 178.33.xxx.yyy (which is from your ISP) sends logs to port 520. Port 520 is your router. I believe it is saying that your ISP simply sends data to your router. This is normal since your router gets its internet connection from the ISP. This is, by the way, based on my understanding of the research I've made.
    This might help:
    http://www.pc-library.com/ports/tcp-udp-port/520/
    http://www.auditmypc.com/udp-port-520.asp
    http://www.iss.net/security_center/advice/Exploits/Ports/520/default.htm

  • Unable to Ping AP

    Hello,
    I have a new setup I'm trying to build with a WLC2106 and 4 1142n's (currently just trying to get 1 working).  I have the WLC running 7.0.98.0.  I built a new VLAN on our core network (3560g) and have the ap-manager and management interfaces ip'ed in that vlan.  I also have the AP plugged into the PoE port on port 8 and it is ip'ed in the same VLAN.  The AP associates to the WLC, and I am able to configure it from the WLC, but I cannot ping it, from the WLC or from anywhere.  I cannot ping anything from console on the AP either.
    My assumption is that once I get IP connectivity established, the AP will be able to communicate to our network DHCP server and issue out IPs.  I just can't figure out what is wrong with the network setup.  I have the trunk configured properly on the core switch from the WLC, and I can ping other hosts on the other vlans that are allowed.
    Interfaces on WLC:
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                       1    5        10.108.5.3      Static  Yes    No  
    management                       1    5        10.108.5.2      Static  No     No  
    office-vlan-2                    1    2        10.108.111.96   Dynamic No     No  
    virtual                          N/A  N/A      1.1.1.1         Static  No     No
    AP Config:
    infraspawap2#show capwap ip config
    LWAPP Static IP Configuration
    IP Address         10.108.5.5
    IP netmask         255.255.255.240
    Default Gateway    10.108.5.1
    I've been staring at this for days and just can't figure it out (so it's probably just something simple I've missed).  Any help is greatly appreciated.
    Thanks,
    Ben

    So I may have solved this, or at least provided a work-around.  I made the new Vlan for MGMT and AP interfaces native on the switch and changed the config on the WLC to untagged.  I also disabled DHCP proxy.  This allowed clients to retrieve DHCP from our network server and get connected to the LAN; however, I was still unable to ping the AP.
    I then moved everything into a different VLAN (already existing) and had the same results.  I then moved the AP off of the WLC and used a power brick to connect it directly to the backbone switch.  This rectified the issue.  I am now able to ping across all vlans to/from the AP.  My only question really is why not from the switch on the WLC?  What was/wasn't I doing that prevented this when directly connected to the WLC?

  • Ingress command for SPAN Destination Port - 3550

    Hi,
    I use this command on two identical switches to enable ingress traffic on destination monitor port:
    monitor session 1 destination interface fa0/37 ingress vlan 1.
    This works to allow remote connect via the LAN to a portable using sniffer software on one of the switches but on the other switch the portable is using Ethereal and cannot be connected to via the LAN.
    The portable using Sniffer has NIC with enhanced drivers from software developer of Sniffer; the other portable has no special drivers.
    Question: what is going on with the second switch with the portable that I cannot connect to via the LAN?
    Thanks in advance for the help.

    The ingress feature would allow the PC being used to take the sniffer capture to participate in the traffic, in your case vlan 1 traffic. The issue sounds to me like an issue with Ethereal, where it might not be able to allow the NIC to do both capturing and rx/tx of regular traffic for the PC/Laptop. One thing you can do to make sure this is the case is to swap the connection of the device with Sniffer and the device with Ethereal; if the issue follows the Ethereal, then that will confirm it has to do with Ethereal, and you might have to tweak it. Have you tried having the Ethereal in promiscuous mode? I am not familiar with Ethereal, so you might have to play with it.

  • Keep getting invalid destination port message every 30 sec in Console

    Hi, this is my first post so be easy on me. I have been checking up on a possible attack on my website and looking for things that may have caused visits/downloads to blow out.
    While doing this I looked at my Console app on my iMac 2.4 GHz Intel Core 2 Duo running 10.6.8 and noticed that every 30 seconds there is a dual message:
    6/09/11 4:39:38 PM imagent[161] Unable to create APS daemon connection: (ipc/send) invalid destination port
    6/08/11 4;39:38 PM imagent[161] Unable to set enabled topics: (ipc/send) invalid destination port
    This action then repeats itself every 30 seconds non stop. Every now and then the odd "normal" error will appear with various apps but this is constant.
    The bottom of the Console window reads 4001 messages from 5/09/11 12:30:21 to 6/09/11 4:57:08 PM
    I have looked on the web to try and find out what the 161 refers to and what meaning of the phrases are, but none address 161 specifically and most seem to be in foreign languages.
    Your help will be greatly appreciated
    Matt

    Thanks for that. I had a look at Facetime and had virtually forgotten about it, having never used it. I tried about 8 months ago and could never log in. All I ever got was the spinning wheel at log in, which is exactly what I have just got now as I tried to open it again.
    I am wondering if it has been going through this process ever since.
    Anyway I looked into the ~/Library/LaunchAgents and the nearest I can find are com.apple.apsd-ft.plist, com.apple.FTMonitor.plist, which may relate to Facetime and then there is com.apple.imagent.plist
    which is the one that seems to be causing the problem.
    Now when I read your reply and did the search using your parameters and the very first reply said that:
    "As you probably know, you can get FaceTime invitations even if you have quit FaceTime. That feature is provided by "imagent".
    Unless you have configured the FaceTime > Preferences... > FaceTime setting to "OFF", you are still using "imagent" (and a couple of other support processes) even if you have "Quit" Facetime.
    Once you set the preference to "OFF", imagent will go away, but you will not be able to receive any incoming FaceTime invitations until it is turned ON again."
    Well, as I can't log into Facetime I can't get to Preferences to turn it off.  Now bear in mind I am new to this type of thing, but I have heard some people say that you can throw plists in the trash and that the application regenerates a new problem-free version.
    Is this what you suggest I do and if so which of the above three would be the one(s) to delete?
    And thank you very much for the very quick reply, much appreciated
    Matt

  • PIX 501 unable to ping vpnclient

    Hi,
    Here is the topology:
    vpnclient ------->Internet---->Broadband router (with port forwarding) -----> PIX-------->Internal network
    The VPN client is able to establish a VPN connection with the PIX. The VPN client can ping internal network machines (which I wasn't able to do until I used the nat-traversal command), but the PIX is unable to ping the vpnclient's IP addresses or the inside address of the PIX.
    ++VPN Client getting this++
    Ethernet adapter Local Area Connection 2:
       Connection-specific DNS Suffix  . : abc.com
       Link-local IPv6 Address . . . . . : fe80::b940:3053:3f6f:a4c1%23
       IPv4 Address. . . . . . . . . . . : 10.10.10.10
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
    PIX> en
    Password: *****
    PIX# sh run
    : Saved
    PIX Version 6.3(5)
    interface ethernet0 100full
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password 2KFQnbNIdI.2KYOU encrypted
    passwd 9jNfZuG3TC5tCVH0 encrypted
    hostname PIX
    domain-name cisco
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    access-list in2out permit ip 172.16.0.0 255.255.255.0 10.10.10.0 255.255.255.0
    pager lines 24
    logging on
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 172.16.0.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool clientpool 10.10.10.10-10.10.10.20 mask 255.255.255.0
    pdm location 172.16.0.26 255.255.255.255 inside
    pdm location 192.168.0.0 255.255.255.0 outside
    pdm location 172.16.0.27 255.255.255.255 inside
    pdm location 10.10.10.0 255.255.255.224 outside
    pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list in2out
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    http server enable
    http 172.16.0.26 255.255.255.255 inside
    http 172.16.0.27 255.255.255.255 inside
    http 172.16.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server outside 192.168.0.6 configpix
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac
    crypto dynamic-map ipsec_map 1 set transform-set myset
    crypto map outside_map 10 ipsec-isakmp dynamic ipsec_map
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp log 25
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption aes-256
    isakmp policy 1 hash sha
    isakmp policy 1 group 2
    isakmp policy 1 lifetime 86400
    vpngroup remoteClient address-pool clientpool
    vpngroup remoteClient dns-server 172.16.0.1
    vpngroup remoteClient default-domain abc.com
    vpngroup remoteClient split-tunnel in2out
    vpngroup remoteClient split-dns abc.com
    vpngroup remoteClient idle-time 1800
    vpngroup remoteClient password ********
    telnet 0.0.0.0 0.0.0.0 outside
    telnet 172.16.0.0 255.255.255.0 inside
    telnet timeout 15
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 192.168.0.0 255.255.255.0 outside
    ssh timeout 60
    management-access outside
    console timeout 0
    dhcpd address 172.16.0.20-172.16.0.40 inside
    dhcpd dns 194.168.4.100 194.168.8.100
    dhcpd lease 3600
    dhcpd ping_timeout 750
    dhcpd enable inside
    username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

    Hi all,
    Thanks all for the valuable replies.
    Last time I made a modification with the following commands to access the Cisco PIX 515E by telnet from the outside interface:
    access-list outside_access_in permit icmp any any
    access-list outside_access_in permit ip any any
    access-list inside_access_out permit ip any any
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.168.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
    access-list outside_cryptomap_30 permit ip 192.168.1.0 255.255.255.0 192.168.80.0 255.255.255.0
    access-list 100 permit tcp any eq telnet host PIX_inside eq telnet
    access-list 100 permit tcp any eq telnet host pix_outside eq telnet
    access-list 100 permit tcp any eq telnet host 182.73.110.160 eq telnet
    After adding the above commands I am facing this: my internet link is up and working fine, but I am not able to get a ping reply from the internet ISP or DNS server IP, i.e. 202.56.230.5.

  • Can I 'monitor session' trunk ports to a Cisco IDS?

    I ran across an existing config that has two trunk ports on a 3560 being port monitored to another port which is plugged in to a port on an IDS 4515. Will the IDS be able to interpret that trunk traffic? The customer is complaining that they aren't able to see events on a local network (VLAN 1) and this is supposed to be the port they get that traffic from.
    Not sure why they chose to monitor trunk ports and I'm not sure it's even possible. I want to change the monitored port to some other local VLAN port that makes sense.
    Here are the existing lines:
    interface G0/47
    switchport trunk encap dot1q
    switchport mode trunk
    interface G0/48
    switchport trunk encap dot1q
    switchport mode trunk
    monitor session 2 source interface Gi0/47 - 48
    monitor session 2 destination interface Gi0/20
    ...port 20 goes to the ids.

    There are 3 modes of sensing supported on the sensors: promiscuous, inline interface pair, and inline vlan pair.
    Each mode interacts with vlan headers slightly differently.
    Promiscuous:
    A promiscuous sensor is fully capable of analyzing 802.1q trunk packets. The vlan will also be reported in any alerts generated.
    The trick when monitoring using a trunk is to ensure the span (or vacl capture) configuration is correct on the switch to get the packets you are expecting.
    Many types of switches have special caveats when a trunk is a source or destination port in the span.
    We also even support Vlan Group subinterfaces on the promiscuous interface.
    This allows sets of vlans on the same monitoring port to be monitored by different virtual sensors.
    So you could take vlans 1-10 and monitor with vs0, and then take vlans 11-20 and monitor with vs1, etc....
    However, to use this feature the switch must be very consistent in how packets are sent to the sensor. When monitoring a connection the sensor needs to see both client and server traffic. And when using Vlan Groups the sensor needs to see the client and server traffic ON THE SAME VLAN. It is this "on the same vlan" requirement that is not always possible with some span configurations when the switch itself is routing between vlans. Most switches are deployed with routing between vlans by the switch, and so in many cases you won't see the client and server traffic on the same vlans. This is very switch code dependent so you would need to do some research on your specific switch.
    Inline Interface Pair:
    With an inline interface you are pairing 2 physical interfaces together. A common deployment is to place the inline interface pair in the middle of an existing 802.1q trunk port. Interface 1 would be plugged into the switch, and interface 2 plugged into the other switch or other type of device (like router or firewall).
    In this setup the sensor is fully capable of monitoring these packets with 802.1q headers.
    However, there is something to keep in mind in these deployments. Often that other device (router, firewall, or switch) will route packets between vlans. So a packet going through the sensor on vlan 10 could be routed right back through the sensor again on vlan 20. Seeing the same packet again can cause TCP tracking confusion on the sensor (especially when the other device is doing small modifications to the packet like sequence number randomization).
    To address these we have 2 features.
    On InLine Interface Pairs we have the same Vlan Group feature as I discussed above in Promiscuous mode. (Do not confuse Vlan Groups with InLine Vlan Pairs discussed later in this response).
    So with Vlan Groups you could separate the vlans across virtual sensors. So if the packet gets routed back into the sensor you could configure it so that packet gets monitored by a separate virtual sensor and it will prevent the sensor confusion with state tracking.
    However, there will still be some situations where the packet may still need to cross the same virtual sensor twice. For this deployment scenario we have a configuration setting where you can tell the sensor to track tcp sessions uniquely per vlan. So long as the return packet is on a different vlan this should prevent the tcp tracking confusion. BUT there is a bug in this code right now. It should be fixed in an upcoming service pack. The workaround is to go ahead and create a unique Vlan Group for each vlan (one vlan per group instead of multiple vlans in a group), and assign all of the Vlan Groups to the virtual sensor(s).
    And then you have InLine Vlan Pairs:
    With InLine Vlan Pairs the monitoring interface must be an 802.1q trunk port.
    Instead of taking packets in one interface and passing to the next interface, the sensor actually takes packets in on one vlan and then sends it back on the other vlan of the pair on the same interface. It does this by modifying the vlan number in the 802.1q header.
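The same-VLAN requirement for Vlan Groups described in the reply above can be checked against frames captured on the SPAN destination port. This is an added example, not part of the original thread or any Cisco code; the function names, addresses and sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_frame(frame):
    """Return (vlan, src, dst) for a TCP/IPv4 frame, else None; vlan is None if untagged."""
    if len(frame) < 18:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, off = None, 14
    if ethertype == 0x8100:                   # 802.1Q: TCI, then the real EtherType
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18          # low 12 bits of the TCI are the VLAN ID
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4             # IPv4 header length in bytes
    if frame[off + 9] != 6 or len(frame) < off + ihl + 4:
        return None                           # not TCP, or truncated
    ip = lambda b: ".".join(map(str, b))
    sport, dport = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return (vlan, (ip(frame[off + 12:off + 16]), sport),
            (ip(frame[off + 16:off + 20]), dport))

def split_vlan_connections(frames):
    """Return {connection: {sender: vlans}} where the two directions share no VLAN."""
    seen = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed:
            vlan, src, dst = parsed
            seen[(min(src, dst), max(src, dst))][src].add(vlan)
    return {conn: dict(dirs) for conn, dirs in seen.items()
            if len(dirs) == 2 and not set.intersection(*dirs.values())}

def build(vlan, src, dst):
    """Constructed sample frame: zeroed MACs, optional 802.1Q tag, IPv4 + TCP."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    addr = lambda s: bytes(map(int, s.split(".")))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     addr(src[0]), addr(dst[0]))
    tcp = struct.pack("!HHLLBBHHH", src[1], dst[1], 0, 0, 0x50, 0x02, 1024, 0, 0)
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip + tcp

# Constructed capture: A's reply returns on VLAN 20 after routing; B stays in VLAN 10.
A_CLIENT, A_SERVER = ("10.1.10.5", 40000), ("10.1.20.9", 80)
B_CLIENT, B_SERVER = ("10.1.10.6", 40001), ("10.1.10.7", 22)
CAPTURE = [build(10, A_CLIENT, A_SERVER), build(20, A_SERVER, A_CLIENT),
           build(10, B_CLIENT, B_SERVER), build(10, B_SERVER, B_CLIENT)]

if __name__ == "__main__":
    print(split_vlan_connections(CAPTURE))
```

Connections reported here are the ones a Vlan Group split across virtual sensors would see only half of; connections seen in one direction only are not reported and point to a SPAN source direction problem instead.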

  • Intrusion-detection-module 7 data-port 2: Capture not allowed on a SPAN destination port

    Hi all
    I have 2 Cat6509E switches, each with an IDSM module.
    On the first switch I have these commands:
    intrusion-detection module 7 data-port 1 capture
    intrusion-detection module 7 data-port 2 capture
    intrusion-detection module 7 data-port 1 capture allowed-vlan 4,6,16,17,66
    intrusion-detection module 7 data-port 2 capture allowed-vlan 68,70,74,134,145
    And when I try to put the same on the second switch I get this error message:
    Intrusion-detection-module 7 data-port 2:  Capture not allowed on a SPAN destination port
    What does it mean?
    The output of "sh monitor" is the same on both switches:
    Session 1
    Type                   : Service Module Session
    Modules allowed        : 1-9
    Modules active         : 1,7
    BPDUs allowed          : Yes
    Session 2
    Type                   : Local Session
    Source VLANs           :
        Both               : 4
    Destination Ports      : analysis-module 8 data-port 1
    Peter

    Hi Peter,
    The first switch that you mention is configured (judging from the "intrusion-detection" commands) to use the VACL capture method of sending traffic to the IDSM-2 for inspection. You can read about this method here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030828
    In short, you configure a VACL to define the traffic you want to capture and apply it to the appropriate VLANs.  When traffic matches the VACL, it's copied to the IDSM-2 ports that have been configured with the "intrusion-detection module 7 data-port 1  capture" commands.
    On the second switch it appears that there is a monitor session set up SPANing traffic to the IDSM-2 port. This is an alternative method of sending traffic to the IDSM-2 for inspection and is mutually exclusive with the VACL method on a particular IDSM-2 interface. You can read about the SPAN method here:
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_idsm2.html#wp1030816
    This method, in short, simply involves configuring a SPAN session with the IDSM-2 interface as the destination.
    You'll need to choose one method or the other for configuring the second switch.  If you want it to match the configuration on the first switch, simply remove the monitor (SPAN) session that's currently configured.
    Best Regards,
    Justin

  • Unable to ping from mz to virtual interface of asa

    Dear All,
    One of my SNMP servers, 10.242.103.42, sits in the MZ zone, and the ACE 4710 is connected to the core switch; the core switch is connected to the ASA firewall.
    Now I am trying to ping from the MZ zone SNMP server to the load balancer IP 10.242.105.1, but I am unable to ping my LB interface to discover the SLB on my SNMP server.
    Please help me.
    srinivas

    Is your device seeing the mac-address of the ASA in order to send the packets? What do the logs show on the firewall itself? Can you see the ARP entry on the ASA firewall for that host?
    Mike

  • Unable to PING VM Server after Install

    Hi Guys
    I am a typical Windows guy, and new to Oracle/Linux etc.
    However I am trying to set up a VM server, and finally got my head around the setup part of it, i.e. the pieces to make the puzzle and how they all fit.
    So I have just installed a fresh install of VM Server on raw iron (blank server), and the installation has completed and said it was successful. However, I set up my IP, DNS, host name etc. manually, but after the installation I am unable to ping the VM Server, nor can I ping any PC in the network that it's connected to.
    Does anyone have any suggestions? As I don't want to go ahead and try to install a virtual Oracle Linux Enterprise edition on it if I can't get the networking side of it to work yet.
    Anybody have any tips, suggestions? Learning I should have done before attempting this lol.
    Thanks

    That didn't work, any of those :(.
    I checked the anaconda log, and it said that in debugging it was ignoring the NICs as it said "unknown device driverless", so I have to assume it doesn't have the drivers for the network card, so I have posted another post on how to install a kernel, so that I can build the drivers :S.

  • Unityconnection Port Status Monitor Not Working

    Hi ,
    Port status monitor is not working. Unity Connection version 7.1.5.
    We enabled the port status monitor and gave the PC IP address.
    Enable Remote Port Status Monitor Output
    IP Addresses Allowed To Connect For Port Status Monitor Output (comma-separated) 

    I'm assuming you have an IP address filled in and it's just not on your screen shot...
    What version of rPSM?
    rPSM uses port 5000 to communicate with Connection (this is noted in the help but I should probably put some static text to this effect on the login form for clarity).  Make sure it's not being blocked between your client and the Connection server.
    Beyond that there's not much that can go wrong - it's simply getting text streaming off that port once your client has been registered (Connection won't talk to any client that doesn't have an IP that matches in the list there).
    No DB or other connections are needed or are in use.
