Cannot ping/telnet/ssh to GigabitEthernet interface of Cisco AP2602
I have a Cisco 2602 (ios ver 15.0)
I can connect trough it's SSID normally but I can't access to the AP itself. From the AP cannot ping to gateway, even though the AP can be seen on cdp from the switch.
But my other AP Cisco 1140 (ios 12.4) can be accessed with the same configuration on the switch (switchport mode trunk, allowed vlan 1 & 2)
vlan 1 is for user, vlan 2 for management...
Below is the configuration of the gigabitethernet interface of the AP 2602
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface GigabitEthernet0.2
encapsulation dot1Q 2
ip address 10.32.2.98 255.255.255.0
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
interface BVI1
no ip address
no ip route-cache
ip default-gateway 10.32.2.1
please help
With autonomous access point, the management has to be the native vlan. The issue is that your vlan 1 is native and that is for users, but your management is on vlan 2 which is management. This will not work as it is a requirement to keep management on a native vlan. You would have to move the users to a different vlan since vlan 1 is typically tagged so that you can define on the trunk port on the switch that vlan 2 is native.
-Scott
Similar Messages
-
Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients
Hi All,
I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it. I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network. However, they are both associated to the WLC and as far as I can tell, they have clients associated to them. If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems. I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
Thanks.please
https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap -
Privileged Exec password works for telnet but not web interface on Cisco AP 1242
I recently configured a Cisco AP 1242, software version 12.4, via the web interface using the default Cisco credentials. At that time I setup an administrator account with read/write access and changed the Cisco to a read only access. Now went I attempt to login to the web interface it won't accept the administrator password. It will except the administrator password in a telnet session however. So via the telnet session I setup another user with privileged exec level access and that wont work on the web interface either. The Login box keeps coming back requesting a password. Strangely enough, I can login to the web Interface using admin username, with the Cisco password; but I can't do anything, and I also can't view everything.
I've tried the following:
I've turned on SSH and created a certificate in the AP, but the login box continues to pop on the https://url.
I've attempted to setup a user with a non-encrypted password, but have been unsuccessful.
I've tried a different browser - login box continues to pop.
I've made sure the web interface is activated in the AP
I've tried a differnet computer
I've tried disabling password-encryption service
Reset the enable password
I've successfully setup other 1240 APs but must have done something wrong on this one. Anyone know what I'm missing? Thanks.
Solution: I was missing "ip http authentication local" in my config.Solution: I was missing "ip http authentication local" in my config.
-
Cannot ping two devices through remote access-SSH
one of our gold partner called me and advised that he cannot ping or SSh to two of the 4948 switch.however if he logged to the core switch the 6500 he can sub telnet to the 4900.but he cannot telnet directly through SSH to the 4900.i have checked the config for SSH on both device and this is configure correctly.can any one help and tell me why we cant ping or SSH to these two devices directly rather than telneting to the core device it self before telneting to the 4900s.This is very urgent
Hi
Just to clarify. This is how i understand what you have set up
You have a management vlan for the switches. The layer 3 SVI for this vlan is on your core switch.
The other switches you have all have IP addresses for management from the same management vlan.
Each switch should have a default gateway set and this default gateway should be the Layer 3 SVI on your core switch. (If you are running a pair of core switches you may well be using HSRP so your switches default gateway would be the virtual IP.
The vlan that your switch layer 3 management is in, is this the same vlan as the management vlan ie.
what vlan interface is the default gateway in ?
if you cannot ping the default gateway from the switch this sounds like you have your vlans messed up.
Could you provide configs of the 4948, the core switch and another switch that works
Jon -
Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host
Hi:
Need your great help for my new ASA 5505 (8.4)
I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
ASA Version 8.4(3)
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 172.29.8.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 177.164.222.140 255.255.255.248
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ABCtech.com
same-security-traffic permit inter-interface
object network obj_any
subnet 172.29.8.0 255.255.255.0
object service RDP
service tcp source eq 3389
object network orange
host 172.29.8.151
object network WAN_173_164_222_138
host 177.164.222.138
object service SMTP
service tcp source eq smtp
object service PPTP
service tcp source eq pptp
object service JT_WWW
service tcp source eq www
object service JT_HTTPS
service tcp source eq https
object network obj_lex
subnet 172.29.88.0 255.255.255.0
description Lexington office network
object network obj_HQ
subnet 172.29.8.0 255.255.255.0
object network guava
host 172.29.8.3
object service L2TP
service udp source eq 1701
access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended deny tcp any any eq 135
access-list inside_access_in extended deny tcp any eq 135 any
access-list inside_access_in extended deny udp any eq 135 any
access-list inside_access_in extended deny udp any any eq 135
access-list inside_access_in extended deny tcp any any eq 1591
access-list inside_access_in extended deny tcp any eq 1591 any
access-list inside_access_in extended deny udp any eq 1591 any
access-list inside_access_in extended deny udp any any eq 1591
access-list inside_access_in extended deny tcp any any eq 1214
access-list inside_access_in extended deny tcp any eq 1214 any
access-list inside_access_in extended deny udp any any eq 1214
access-list inside_access_in extended deny udp any eq 1214 any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any eq www
access-list inside_access_in extended permit tcp any eq www any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
89
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
tp
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
w
access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
tps
access-list outside_access_in extended permit gre any host 177.164.222.138
access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
01
access-list outside_access_in extended permit ip any any
access-list inside_access_out extended permit icmp any any
access-list inside_access_out extended permit ip any any
access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
.88.0 255.255.255.0
access-list inside_in extended permit icmp any any
access-list inside_in extended permit ip any any
access-list inside_in extended permit udp any any eq isakmp
access-list inside_in extended permit udp any eq isakmp any
access-list inside_in extended permit udp any any
access-list inside_in extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
nat (inside,outside) source static orange interface service RDP RDP
nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
lex route-lookup
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
WW
nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
_HTTPS
nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server Guava protocol nt
aaa-server Guava (inside) host 172.29.8.3
timeout 15
nt-auth-domain-controller guava
user-identity default-domain LOCAL
http server enable
http 172.29.8.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
crypto dynamic-map outside_dyn_map 20 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 173.190.123.138
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet 172.29.8.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside vpnclient-wins-override
dhcprelay server 172.29.8.3 inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
group-policy ABCtech_VPN internal
group-policy ABCtech_VPN attributes
dns-server value 172.29.8.3
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_Tunnel_User
default-domain value ABCtech.local
group-policy GroupPolicy_10.8.8.1 internal
group-policy GroupPolicy_10.8.8.1 attributes
vpn-tunnel-protocol ikev1 ikev2
username who password eicyrfJBrqOaxQvS encrypted
tunnel-group 10.8.8.1 type ipsec-l2l
tunnel-group 10.8.8.1 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 10.8.8.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
tunnel-group ABCtech type remote-access
tunnel-group ABCtech general-attributes
address-pool ABC_HQVPN_DHCP
authentication-server-group Guava
default-group-policy ABCtech_VPN
tunnel-group ABCtech ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group 173.190.123.138 type ipsec-l2l
tunnel-group 173.190.123.138 general-attributes
default-group-policy GroupPolicy_10.8.8.1
tunnel-group 173.190.123.138 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 remote-authentication certificate
ikev2 local-authentication pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
inspect ftp
inspect netbios
smtp-server 172.29.8.3
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:6a26676668b742900360f924b4bc80de
: endHello Wayne,
Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
Regards,
Julio
Security Trainer -
ASA5520 - Management0/0 Telnet/SSH/Ping Access
hey all, hope this is an easy one.
- how can i setup the management interface so that we can ping to the mgmt interface from a subnet that is on a different subnet than the Management0/0 interface (source ip would be 192.168.100.0/24 which may conflict with the inside interface)
- i am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface
- i am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface
- is a security level required on the mgmt interface? it does not work unless we put one. if so, what are you guys setting it to?
interface Ethernet0/0.101
description Outside
vlan 101
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0
interface Ethernet0/1.102
description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
vlan 102
nameif inside
security-level 100
ip address 192.168.100.100 255.255.252.0
interface Management0/0
nameif mgmt
security-level 90
ip address 192.168.253.100 255.255.255.0
management-only
ssh 192.168.100.0 255.255.255.0 mgmt
telnet 192.168.100.0 255.255.255.0 mgmt
I try to add a static route but get an error:
ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1
ERROR: Cannot add route, connected route existsHello Robert,
by default the Managment interface of an ASA is going to be used just for managment traffic only.
Now in order to be able to use it as any other interface you will need to use the following command:
- Interface managment 0/0
- no managment-only
And just to let you know it is imposible to ping a distant interface as an example from a inside subnet to the outside interface ip .This as security measure.
Regards,
Julio -
Not able to telnet or ssh to outside interface of ASA and Cisco Router
Dear All
Please help me with following question, I have set up testing lab, but still not work.
it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
Hub -- Juniper SRX
Spoke One - Cisco ASA with version 9.1(5)
spoke two - Cisco router with version 12.3
site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
When I tested it, of cause site to site vpn still up and running.
Thanks
YKHello YK,
On this case on the ASA, you should have the following:
CConfiguring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
To specify an interface as a mangement-only interface, enter the following command:
hostname(config)# management access management_interface
where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
You can define only one management-access interface
Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
SSH
- ssh 0 0 outside
- aaa authentication ssh console LOCAL
- Make sure you have a default RSA key, or create a new one either ways, with this command:
*crypto key generate rsa modulus 2048
Telnet
- telnet 0 0 outside
- aaa authentication telnet console LOCAL
Afterwards, if this works you can define the subnets that should be permitted.
On the router:
!--- Step 1: Configure the hostname if you have not previously done so.
hostname Router
!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the router's DNS domain.
ip domain-name yourdomain.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet and SSH is supported with transport input all
line vty 0 4
transport input All
*!--- Instead of aaa new-model, the login local command may be used.
no aaa new-model
line vty 0 4
login local
Let me know how it works out!
Please don't forget to Rate and mark as correct the helpful Post!
David Castro,
Regards, -
I can SSH from the outside but cannot ping ISP gateway from 2911
Hello all,
I came across a rather strange issue. I am able to SSH to the device from my home but while I am consoled in, I cannot ping the ISP gateway or any other IP's. As expected, all trace-routes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample cofigs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?
Here is the running config. It is rather simple since i did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!
Current configuration : 1679 bytes
! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname StandbyGZ-2911
boot-start-marker
boot-end-marker
enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
no aaa new-model
no ipv6 cef
no ip source-route
ip cef
no ip domain lookup
ip domain name StandbyGZ.local
ip name-server 211.136.20.203
ip name-server 211.139.136.68
multilink bundle-name authenticated
license udi pid CISCO2911/K9 sn FGL174410H9
username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
ip ssh version 2
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
interface GigabitEthernet0/1
description UPLINK TO CHINA MOBILE
ip address 183.x.x.x 255.255.255.128
ip access-group REMOTE-ADMIN-ACL in
no ip redirects
ip nat enable
duplex auto
speed auto
interface GigabitEthernet0/2
description CONNECTION TO LAN SWITCH 3650-CORE
ip address 10.10.1.254 255.255.254.0
no ip redirects
ip nat enable
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 183.x.x.x
ip access-list standard LAN-NAT-ACL
permit 10.10.0.0 0.0.1.255
ip access-list extended REMOTE-ADMIN-ACL
permit tcp host 68.107.195.213 any eq 22 log
control-plane
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input ssh
transport output ssh
scheduler allocate 20000 1000
end
StandbyGZ-2911# sh ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/0 unassigned YES NVRAM administratively down down
GigabitEthernet0/1 183.x.x.x YES NVRAM up up
GigabitEthernet0/2 10.10.1.254 YES NVRAM up up
NVI0 183.x.x.x YES unset up up
StandbyGZ-2911#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 183.233.184.129 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 183.233.184.129
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.0.0/23 is directly connected, GigabitEthernet0/2
L 10.10.1.254/32 is directly connected, GigabitEthernet0/2
183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 183.x.x.x/25 is directly connected, GigabitEthernet0/1
L 183.x.x.x/32 is directly connected, GigabitEthernet0/1Hi Chris,
That is what how I am used to configure the NAT, but IOS 12.3 and on introduced interface NVI0, which according to cisco documentation should make applying the NAT statements "easier". IP nat enable has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and if it causes problems. Apparently it cannot be removed from the config. -
Cannot ping or telnet to new 2948G switch
I just installed a new 2948G switch and assigned the me1 interface an IP address... it's working fine (except for a small blip yesterday due to a duplicate IP address - oops)
I cannot ping the switch's IP address, nor can I telnet to it from the same subnet. if I console into the switch, i cannot ping anything FROM the switch. If I issue a "show arp" command I get NOTHING.
this doesn't make any sense. The switch is running CatOS4000.make sure the default gateway is correct . Also you cannot have both the SC0 interface and the ME1 interface active at the same time and the Sc0 is the active one by default because that is what most people use . Shutdown the SC0 interface if it is still active and make sure the ME is up . "set interface sc0 down" . A show interface command will show you the status of both these interfaces. "set int me1 up"
Also by using the me1 interface you are limiting the switch ,below is a little blurb out of the catos config guide.
The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), and VLAN membership. The out-of-band management interfaces (me1 and sl0) are not connected to the switching fabric and do not participate in any of these functions. -
897VAW: Cannot add Allowed vlans to Trunk on WLAN-GigabitEthernet interface
Hi,
I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
switchport trunk allowed vlan 1-3,1002-1005
or
switchport trunk native vlan 2
I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
Is there something I am doing wrong or is this a bug in the IOS?
To save making this post long, my latest running configs are on my blog:
Router: http://www.thingsgeeky.walker.uk.com/?p=3781
AP: http://www.thingsgeeky.walker.uk.com/?p=3781
Many Thanks
W.Hi,
I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
switchport trunk allowed vlan 1-3,1002-1005
or
switchport trunk native vlan 2
I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
Is there something I am doing wrong or is this a bug in the IOS?
To save making this post long, my latest running configs are on my blog:
Router: http://www.thingsgeeky.walker.uk.com/?p=3781
AP: http://www.thingsgeeky.walker.uk.com/?p=3781
Many Thanks
W. -
Bringing up a third interface - cannot ping servers
Hi All,
I have a CSS 11503 that already had 2 interfaces up and running fine. The frontend is on vlan 26 and backend server vlan is on vlan 836. Now, I have some servers on vlan 301 that needed load balancing and brought up the third interface.
Here is my config
interface 1/1
bridge vlan 836
interface 1/2
bridge vlan 26
interface 2/1 (this is the new interface)
bridge vlan 301
circuit VLAN836
ip address 10.10.235.5 255.255.255.128
circuit VLAN26
ip address 10.10.26.5 255.255.255.0
circuit VLAN301
ip address 10.44.0.5 255.255.252.0
Here is the "show ip route" output
BCMDC-CSS1# sh ip route
prefix/length next hop if type proto age metric
10.1.20.0/22 10.1.22.150 2 mgmt local -- --
0.0.0.0/0 10.10.26.1 1022 remote static 5342983 0
10.44.0.0/22 10.44.0.5 1021 local local 7122 0
10.10.26.0/24 10.10.26.5 1022 local local 5343307 0
10.10.235.0/25 10.10.235.5 1023 local local 5343288 0
Show arp contains all the servers I want to ping and here is the arp table on the CSS
10.44.0.1 00-00-0c-07-ac-1f dynamic 2/1
10.44.0.2 00-d0-02-f3-a8-00 dynamic 2/1
10.44.0.3 00-09-12-ed-6f-00 dynamic 2/1
10.44.0.20 00-11-25-9d-e4-98 dynamic 2/1
10.44.0.21 00-11-25-9d-ee-d7 dynamic 2/1
10.44.0.30 00-11-25-9d-e6-86 dynamic 2/1
10.44.0.31 00-14-5e-3c-71-38 dynamic 2/1
10.44.0.32 00-11-25-4a-82-a1 dynamic 2/1
10.44.0.33 00-14-5e-3e-60-e1 dynamic 2/1
10.44.0.34 00-11-25-9e-e5-ce dynamic 2/1
10.44.0.35 00-11-25-9c-66-c9 dynamic 2/1
10.44.0.40 00-1a-64-4f-21-bc dynamic 2/1
10.44.0.41 00-1a-64-4f-23-6e dynamic 2/1
10.44.0.50 00-1a-64-4f-2f-74 dynamic 2/1
10.44.0.51 00-1a-64-4f-22-72 dynamic 2/1
10.44.0.60 00-1a-64-4f-1c-ba dynamic 2/1
10.44.0.61 00-1a-64-4f-13-06 dynamic 2/1
I cannot ping any of the 10.44.0.x address. The interface is up and it is connected to a 6509 switch as an accessport on vlan301 and it shows up and up.
There are no ACLs configured. I am just trying to ping the servers before I can write the content rules.
Any ideas?OK. I figured out that I cannot ping the servers. But, I cannot ping the circuit vlan 301 IP from the router which is 10.44.0.5.
However, I can ping vlan 836 circuit IP like 10.10.235.5 Here is the ping result from the router where the css is connected to
gw1>ping 10.10.235.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.235.5, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
gw1>ping 10.44.0.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.44.0.5, timeout is 2 seconds:
Success rate is 0 percent (0/5) -
Smartcare cannot ping cimc interface
Hi All
Smartcare applicance can ping everything defauolt route etc but not cimc interface
Not a local route issue ?Duplicate posts. :P
Go here: https://supportforums.cisco.com/discussion/12140361/smartcare-cannot-ping-cimc-interface -
Hi all,
I have decided to add a separate vlan/wlan to the network. This interface uses port 1 (My management interface uses port 2). I have connected the port to a router, which is connected to a gateway.
I checked and the routing is done correctly. When I connect a pc to the router, I have access to internet. However, when I connect to the wlan that's associated with the vlan on port 1, I not only cannot access internet, but also cannot ping the router.
I can ping the interface when I connect to the wlan. However, I cannot ping the router.
The same thing happens when I connect my pc to the router. I cannot ping the interface as well.
Is there something that I am missing? It seems that there is a connectivity issue in the connection between port 1 and the router. Should I try using a crossover cable and see if it solves my problem?
Thanks!
TibetYour diagram is very clear. You have few options here
Option 1
WLC port 1 & Router LAN port onto your switch (rather directly connecting router to WLC). In this way WLC connected switch port should be configured as trunk port & router connected switchport should be configured as access port for the vlan belongs to 10.0.0.0/24 network.
If you are thinking about creating multiple WLANs (in futrue) with your router as LAN gateway, then you should configure router connected switchport as trunkport & subinterface on your router LAN interface.
Option 2
Aggregate WLC port 1-2 into one single port channel & create a single trunk link between WLC & Switch. In this way you will get more bandwith for your user traffic.(usually mgt does not want dedicated 1G link). Then configure Router LAN interface connected switchport as access port (if you only require single WLAN) or trunk port (if you require multiple WLAN)
I prefer option 2 because of its flexibility & scalability. Let us know your choice & then accordingly we can help you to get this done.
Also post your WLC "show sysinfo" as well.
HTH
Rasika
**** Pls rate all useful responses **** -
LAN Switches cannot be accessed by Telnet, SSH or console in native vlan
Hi to all of you:
I do have a question about tagging the native vlan.
In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
our Native VLAN is still vlan 1, and there are many corporative applications running in this vlan.
We have upgraded the IOS for the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches, related to accessing the switch, either by telnet, ssh, or even console. However, the switch is still working fine, I mean, doing all bridging and switching traffic.
I have to reset or reload (power cycle) if I want to access the switch.
I have read that having the native vlan can be a problem.
Could you please let me know if you have gone through this problem?
Thanks in advance for your help.
Javier F. Berthin H.Hi Karhtick:
I guess you have the best answer, you suggested the memory command and I am attaching you as result.
Next step should be to downgrade the IOS?, because we did the upgrade just in order to have the latest IOS published by Cisco.
If you need the config please let me know, for complementary comments.
Thanks for your help.
Javier
Core_Toldos#
Core_Toldos#
Core_Toldos#sh processes memory sorted
Processor Pool Total: 57114592 Used: 42061488 Free: 15053104
I/O Pool Total: 12582912 Used: 9397428 Free: 3185484
Driver te Pool Total: 1048576 Used: 40 Free: 1048536
PID TTY Allocated Freed Holding Getbufs Retbufs Process
0 0 56706116 14325484 38372056 0 0 *Init*
197 0 4506712 2363500 1463652 0 0 Auth Manager
0 0 0 0 1443720 0 0 *MallocLite*
0 0 577244636 370831296 916016 12457311 3203234 *Dead*
236 0 532808 46152 507068 0 0 IP ARP Adjacency
303 0 1335768 890528 450448 0 0 ADJ resolve proc
230 0 27640244 15996 378344 10152 0 CDP Protocol
77 0 368260 14413456 377820 0 0 EEM ED ND
102 0 385848 232 362236 0 0 HLFM address lea
404 0 3397428 3069392 334928 0 0 hulc running con
192 0 307492 21604 294808 0 0 HL2MCM
193 0 356552 70624 294744 0 0 HL2MCM
357 0 265100 0 275260 100548 0 EEM ED Syslog
365 0 126849404 86726456 255248 0 0 EEM Server
87 0 569060 274864 244984 0 0 Stack Mgr Notifi
203 0 753032 492440 164316 0 0 DTP Protocol
201 0 737920 526656 159424 0 0 802.1x switch
13 0 505129716 504972016 156620 0 0 ARP Input
Core_Toldos# -
ACE 4700 - Cannot Ping the Alias
I cannot ping my alias addresses. I can ping the actual interface addresses but not the alias. When I look at the ARP entry on the switch it's connected to for the alias, it comes up INCOMPLETE.
Below is my config.
interface gigabitEthernet 1/1
description Fault Tolerant Port
ft-port vlan 990
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
switchport trunk allowed vlan 10,112,200,254
no shutdown
resource-class RC1
limit-resource all minimum 20.00 maximum unlimited
limit-resource sticky minimum 8.00 maximum unlimited
boot system image:c4710ace-mz.A1_7b.bin
hostname atl-ace-01
access-list ALL line 8 extended permit ip any any
class-map type management match-any PING
2 match protocol icmp any
class-map type management match-all SNMP-ALLOW_CLASS
2 match protocol snmp source-address 10.150.100.202 255.255.255.255
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
9 match protocol snmp any
policy-map type management first-match AllowICMP
class PING
permit
policy-map type management first-match SNMP-ALLOW_POLICY
class SNMP-ALLOW_CLASS
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 200
ip address 10.10.200.110 255.255.254.0
alias 10.10.200.120 255.255.254.0
peer ip address 10.10.200.111 255.255.254.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input SNMP-ALLOW_POLICY
service-policy input AllowICMP
no shutdown
ft interface vlan 990
ip address 192.168.254.1 255.255.255.0
peer ip address 192.168.254.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 250
heartbeat count 10
ft-interface vlan 990
ip route 0.0.0.0 0.0.0.0 10.10.201.254
context Exchange-CAS
allocate-interface vlan 112
allocate-interface vlan 254
member RC1
ft group 1
peer 1
priority 200
peer priority 190
associate-context Exchange-CAS
inserviceNevermind. I found an old Context on the redundant ACE with overlapping info.
Maybe you are looking for
-
Not sure why Message is not working on my ipad.
Not sure why message is not work on my iPad. It works find on my iPhone.
-
Santa Rosa MBP - DVI to VGA Projector problems
When hooking up a Sharp PG M20X using a [DVI toVGA cable] and a [VGA to DVI adaptor] the MBP sees the projector, but the projector cannot see the computer. This is a problem because, I may find myself in situations where this is the only configuratio
-
Greetings everyone. So, I've recently purchased and AppleTV and while most everything is turning out perfectly, I'm having a major issue with getting my Aperture photos to stream to the AppleTV and I was hoping that someone here could should some lig
-
How do I convert a PDF to JPEG???
-
I find that the tiny image in the top left of my vCard (the one with the account icon) somehow has a randam photo from iPhoto. I don't know how it got there. I would now like to edit this "picture" to use a snapshot portrait from Photo Booth. I've fo