Cannot ping/telnet/ssh to GigabitEthernet interface of Cisco AP2602

Similar Messages

• Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients

  Hi All,
  I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it.  I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network.  However, they are both associated to the WLC and as far as I can tell, they have clients associated to them.  If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
  The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems.  I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
  Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
  Thanks.

  please
  https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap

• Privileged Exec password works for telnet but not web interface on Cisco AP 1242

  I recently configured a Cisco AP 1242, software version 12.4, via the web interface using the default Cisco credentials. At that time I setup an administrator account with read/write access and changed the Cisco to a read only access. Now went I attempt to login to the web interface it won't accept the administrator password. It will except the administrator password in a telnet session however. So via the telnet session I setup another user with privileged exec level access and that wont work on the web interface either. The Login box keeps coming back requesting a password. Strangely enough, I can login to the web Interface using admin username, with the Cisco password; but I can't do anything, and I also can't view everything.
  I've tried the following:
  I've turned on SSH and created a certificate in the AP, but the login box continues to pop on the https://url.
  I've attempted to setup a user with a non-encrypted password, but have been unsuccessful.
  I've tried a different browser - login box continues to pop.
  I've made sure the web interface is activated in the AP
  I've tried a differnet computer
  I've tried disabling password-encryption service
  Reset the enable password
  I've successfully setup other 1240 APs but must have done something wrong on this one. Anyone know what I'm missing? Thanks.
  Solution: I was missing "ip http authentication local" in my config.

  Solution: I was missing "ip http authentication local" in my config.

• Cannot ping two devices through remote access-SSH

  one of our gold partner called me and advised that he cannot ping or SSh to two of the 4948 switch.however if he logged to the core switch the 6500 he can sub telnet to the 4900.but he cannot telnet directly through SSH to the 4900.i have checked the config for SSH on both device and this is configure correctly.can any one help and tell me why we cant ping or SSH to these two devices directly rather than telneting to the core device it self before telneting to the 4900s.This is very urgent

  Hi
  Just to clarify. This is how i understand what you have set up
  You have a management vlan for the switches. The layer 3 SVI for this vlan is on your core switch.
  The other switches you have all have IP addresses for management from the same management vlan.
  Each switch should have a default gateway set and this default gateway should be the Layer 3 SVI on your core switch. (If you are running a pair of core switches you may well be using HSRP so your switches default gateway would be the virtual IP.
  The vlan that your switch layer 3 management is in, is this the same vlan as the management vlan ie.
  what vlan interface is the default gateway in ?
  if you cannot ping the default gateway from the switch this sounds like you have your vlans messed up.
  Could you provide configs of the 4948, the core switch and another switch that works
  Jon

• Need HELPS! ASA 5505 8.4 Cisco VPN Client cannot ping any internal host

  Hi:
  Need your great help for my new ASA 5505 (8.4)
  I just set a new ASA 5505 with 8.4. However, I cannot ping any host after VPN in with Cisco VPN client. Please see below posted configuration file, thanks for any suggestion.
  ASA Version 8.4(3)
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 2
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 172.29.8.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 177.164.222.140 255.255.255.248
  ftp mode passive
  clock timezone GMT 0
  dns server-group DefaultDNS
  domain-name ABCtech.com
  same-security-traffic permit inter-interface
  object network obj_any
  subnet 172.29.8.0 255.255.255.0
  object service RDP
  service tcp source eq 3389
  object network orange
  host 172.29.8.151
  object network WAN_173_164_222_138
  host 177.164.222.138
  object service SMTP
  service tcp source eq smtp
  object service PPTP
  service tcp source eq pptp
  object service JT_WWW
  service tcp source eq www
  object service JT_HTTPS
  service tcp source eq https
  object network obj_lex
  subnet 172.29.88.0 255.255.255.0
  description Lexington office network
  object network obj_HQ
  subnet 172.29.8.0 255.255.255.0
  object network guava
  host 172.29.8.3
  object service L2TP
  service udp source eq 1701
  access-list VPN_Tunnel_User standard permit 172.29.8.0 255.255.255.0
  access-list VPN_Tunnel_User standard permit 172.29.88.0 255.255.255.0
  access-list inside_access_in extended permit icmp any any
  access-list inside_access_in extended deny tcp any any eq 135
  access-list inside_access_in extended deny tcp any eq 135 any
  access-list inside_access_in extended deny udp any eq 135 any
  access-list inside_access_in extended deny udp any any eq 135
  access-list inside_access_in extended deny tcp any any eq 1591
  access-list inside_access_in extended deny tcp any eq 1591 any
  access-list inside_access_in extended deny udp any eq 1591 any
  access-list inside_access_in extended deny udp any any eq 1591
  access-list inside_access_in extended deny tcp any any eq 1214
  access-list inside_access_in extended deny tcp any eq 1214 any
  access-list inside_access_in extended deny udp any any eq 1214
  access-list inside_access_in extended deny udp any eq 1214 any
  access-list inside_access_in extended permit ip any any
  access-list inside_access_in extended permit tcp any any eq www
  access-list inside_access_in extended permit tcp any eq www any
  access-list outside_access_in extended permit icmp any any
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq 33
  89
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq sm
  tp
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq pp
  tp
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ww
  w
  access-list outside_access_in extended permit tcp any host 177.164.222.138 eq ht
  tps
  access-list outside_access_in extended permit gre any host 177.164.222.138
  access-list outside_access_in extended permit udp any host 177.164.222.138 eq 17
  01
  access-list outside_access_in extended permit ip any any
  access-list inside_access_out extended permit icmp any any
  access-list inside_access_out extended permit ip any any
  access-list outside_cryptomap extended permit ip 172.29.8.0 255.255.255.0 172.29
  .88.0 255.255.255.0
  access-list inside_in extended permit icmp any any
  access-list inside_in extended permit ip any any
  access-list inside_in extended permit udp any any eq isakmp
  access-list inside_in extended permit udp any eq isakmp any
  access-list inside_in extended permit udp any any
  access-list inside_in extended permit tcp any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  ip local pool ABC_HQVPN_DHCP 172.29.8.210-172.29.8.230 mask 255.255.255.0
  icmp unreachable rate-limit 1 burst-size 1
  asdm history enable
  arp timeout 14400
  nat (inside,outside) source static orange interface service RDP RDP
  nat (inside,outside) source static obj_HQ obj_HQ destination static obj_lex obj_
  lex route-lookup
  nat (inside,outside) source static guava WAN_173_164_222_138 service JT_WWW JT_W
  WW
  nat (inside,outside) source static guava WAN_173_164_222_138 service JT_HTTPS JT
  _HTTPS
  nat (inside,outside) source static guava WAN_173_164_222_138 service RDP RDP
  nat (inside,outside) source static guava WAN_173_164_222_138 service SMTP SMTP
  nat (inside,outside) source static guava WAN_173_164_222_138 service PPTP PPTP
  nat (inside,outside) source static guava WAN_173_164_222_138 service L2TP L2TP
  object network obj_any
  nat (inside,outside) dynamic interface
  access-group inside_in in interface inside
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 177.164.222.142 1
  route inside 172.29.168.0 255.255.255.0 172.29.8.253 1
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server Guava protocol nt
  aaa-server Guava (inside) host 172.29.8.3
  timeout 15
  nt-auth-domain-controller guava
  user-identity default-domain LOCAL
  http server enable
  http 172.29.8.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec ikev1 transform-set Remote_VPN_Set esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set Remote_vpn_set esp-3des esp-md5-hmac
  crypto ipsec ikev2 ipsec-proposal AES256
  protocol esp encryption aes-256
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES192
  protocol esp encryption aes-192
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal AES
  protocol esp encryption aes
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal 3DES
  protocol esp encryption 3des
  protocol esp integrity sha-1 md5
  crypto ipsec ikev2 ipsec-proposal DES
  protocol esp encryption des
  protocol esp integrity sha-1 md5
  crypto dynamic-map outside_dyn_map 20 set ikev1 transform-set Remote_VPN_Set
  crypto dynamic-map outside_dyn_map 20 set reverse-route
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set peer 173.190.123.138
  crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5
  ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ES
  P-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
  crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
  crypto map outside_map interface outside
  crypto ikev2 policy 1
  encryption aes-256
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 10
  encryption aes-192
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 20
  encryption aes
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 30
  encryption 3des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 policy 40
  encryption des
  integrity sha
  group 5 2
  prf sha
  lifetime seconds 86400
  crypto ikev2 enable outside
  crypto ikev1 enable outside
  crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 43200
  crypto ikev1 policy 10
  authentication crack
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 20
  authentication rsa-sig
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 40
  authentication crack
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 50
  authentication rsa-sig
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 60
  authentication pre-share
  encryption aes-192
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 70
  authentication crack
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 80
  authentication rsa-sig
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 90
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 100
  authentication crack
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 110
  authentication rsa-sig
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 120
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 130
  authentication crack
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 140
  authentication rsa-sig
  encryption des
  hash sha
  group 2
  lifetime 86400
  crypto ikev1 policy 150
  authentication pre-share
  encryption des
  hash sha
  group 2
  lifetime 86400
  telnet 192.168.1.0 255.255.255.0 inside
  telnet 172.29.8.0 255.255.255.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside vpnclient-wins-override
  dhcprelay server 172.29.8.3 inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  group-policy ABCtech_VPN internal
  group-policy ABCtech_VPN attributes
  dns-server value 172.29.8.3
  vpn-tunnel-protocol ikev1
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value VPN_Tunnel_User
  default-domain value ABCtech.local
  group-policy GroupPolicy_10.8.8.1 internal
  group-policy GroupPolicy_10.8.8.1 attributes
  vpn-tunnel-protocol ikev1 ikev2
  username who password eicyrfJBrqOaxQvS encrypted
  tunnel-group 10.8.8.1 type ipsec-l2l
  tunnel-group 10.8.8.1 general-attributes
  default-group-policy GroupPolicy_10.8.8.1
  tunnel-group 10.8.8.1 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 remote-authentication certificate
  ikev2 local-authentication pre-shared-key *****
  tunnel-group ABCtech type remote-access
  tunnel-group ABCtech general-attributes
  address-pool ABC_HQVPN_DHCP
  authentication-server-group Guava
  default-group-policy ABCtech_VPN
  tunnel-group ABCtech ipsec-attributes
  ikev1 pre-shared-key *****
  tunnel-group 173.190.123.138 type ipsec-l2l
  tunnel-group 173.190.123.138 general-attributes
  default-group-policy GroupPolicy_10.8.8.1
  tunnel-group 173.190.123.138 ipsec-attributes
  ikev1 pre-shared-key *****
  ikev2 remote-authentication pre-shared-key *****
  ikev2 remote-authentication certificate
  ikev2 local-authentication pre-shared-key *****
  class-map inspection_default
  match default-inspection-traffic
  policy-map global_policy
  class inspection_default
    inspect pptp
    inspect ftp
    inspect netbios
  smtp-server 172.29.8.3
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:6a26676668b742900360f924b4bc80de
  : end

  Hello Wayne,
  Can you use a different subnet range than the internal interface, this could cause you a LOT of issues and hours on troubleshooting, so use a dedicated different Ip address range...
  I can see that the local Pool range is included into the inside interface Ip address subnet range, change that and the related config ( NAT,etc, ) and let us know what happens,
  Regards,
  Julio
  Security Trainer

• ASA5520 - Management0/0 Telnet/SSH/Ping Access

  hey all, hope this is an easy one.
  - how can i setup the management interface so that we can ping to the mgmt interface from a subnet that is on a different subnet than the Management0/0 interface (source ip would be 192.168.100.0/24 which may conflict with the inside interface)
  - i am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface
  - i am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface
  - is a security level required on the mgmt interface? it does not  work unless we put one. if so, what are you guys setting it to?
  interface Ethernet0/0.101
  description Outside
  vlan 101
  nameif outside
  security-level 0
  ip address 101.1.1.100 255.255.255.0
  interface Ethernet0/1.102
  description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
  vlan 102
  nameif inside
  security-level 100
  ip address 192.168.100.100 255.255.252.0
  interface Management0/0
  nameif mgmt
  security-level 90
  ip address 192.168.253.100 255.255.255.0
  management-only
  ssh 192.168.100.0 255.255.255.0 mgmt
  telnet 192.168.100.0 255.255.255.0 mgmt
  I try to add a static route but get an error:
  ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1
  ERROR: Cannot add route, connected route exists

  Hello Robert,
  by default the Managment interface of an ASA is going to be used just for managment traffic only.
  Now in order to be able to use it as any other interface you will need to use the following command:
       -     Interface managment 0/0
       -     no managment-only
  And just to let you know it is imposible to ping a distant interface as an example from a inside subnet to the outside interface ip .This as security measure.
  Regards,
  Julio

• Not able to telnet or ssh to outside interface of ASA and Cisco Router

  Dear All
  Please help me with following question, I have set up testing lab, but still not work.
  it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
  Hub -- Juniper SRX
  Spoke One - Cisco ASA with version 9.1(5)
  spoke two - Cisco router with version 12.3
  site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
  Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
  Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
  When I tested it, of cause site to site vpn still up and running.
  Thanks
  YK

  Hello YK,
  On this case on the ASA, you should have the following:
  CConfiguring Management Access Over a VPN Tunnel
  If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
  To specify an interface as a mangement-only interface, enter the following command:
  hostname(config)# management access management_interface
  where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
  You can define only one management-access interface
  Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
    SSH
  - ssh 0 0 outside
  - aaa authentication ssh console LOCAL
  - Make sure you have a default RSA key, or create a new one either ways, with this command:
      *crypto key generate rsa modulus 2048
  Telnet
  - telnet 0 0 outside
  - aaa authentication telnet console LOCAL
  Afterwards, if this works you can define the subnets that should be permitted.
  On the router:
  !--- Step 1: Configure the hostname if you have not previously done so.
  hostname Router
  !--- aaa new-model causes the local username and password on the router
  !--- to be used in the absence of other AAA statements.
  aaa new-model
  username cisco password 0 cisco
  !--- Step 2: Configure the router's DNS domain.
  ip domain-name yourdomain.com
  !--- Step 3: Generate an SSH key to be used with SSH.
  crypto key generate rsa
  ip ssh time-out 60
  ip ssh authentication-retries 3
  !--- Step 4: By default the vtys' transport is Telnet. In this case, 
  !--- Telnet and SSH is supported with transport input all
  line vty 0 4
  transport input All
  *!--- Instead of aaa new-model, the login local command may be used.
  no aaa new-model
  line vty 0 4
    login local
  Let me know how it works out!
  Please don't forget to Rate and mark as correct the helpful Post!
  David Castro,
  Regards,

• I can SSH from the outside but cannot ping ISP gateway from 2911

  Hello all,
  I came across a rather strange issue. I am able to SSH to the device from my home but while I am consoled in, I cannot ping the ISP gateway or any other IP's. As expected, all trace-routes fail without hitting the gateway as the first hop. I have been reading about the NVI0 interface and I decided to use it. Most of the sample cofigs on here use the "old" ip nat inside / outside on the appropriate interfaces. What do you guys suggest?
  Here is the running config. It is rather simple since i did not add all the access-lists except the ones I thought necessary to test the circuit. Please point out any mistakes or errors. Thanks in advance!
  Current configuration : 1679 bytes
  ! Last configuration change at 04:05:17 UTC Fri Sep 12 2014
  version 15.1
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname StandbyGZ-2911
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$BRaM$igChPMXLeHjgYR7EGk/Nb/
  no aaa new-model
  no ipv6 cef
  no ip source-route
  ip cef
  no ip domain lookup
  ip domain name StandbyGZ.local
  ip name-server 211.136.20.203
  ip name-server 211.139.136.68
  multilink bundle-name authenticated
  license udi pid CISCO2911/K9 sn FGL174410H9
  username StandbyGZ secret 5 $1$CXWC$m6kqTGbf0HDLCvkfU7.RA/
  ip ssh version 2
  interface GigabitEthernet0/0
   no ip address
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   description UPLINK TO CHINA MOBILE
   ip address 183.x.x.x 255.255.255.128
   ip access-group REMOTE-ADMIN-ACL in
   no ip redirects
   ip nat enable
   duplex auto
   speed auto
  interface GigabitEthernet0/2
   description CONNECTION TO LAN SWITCH 3650-CORE
   ip address 10.10.1.254 255.255.254.0
   no ip redirects
   ip nat enable
   duplex auto
   speed auto
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip nat source list LAN-NAT-ACL interface GigabitEthernet0/1 overload
  ip route 0.0.0.0 0.0.0.0 183.x.x.x
  ip access-list standard LAN-NAT-ACL
   permit 10.10.0.0 0.0.1.255
  ip access-list extended REMOTE-ADMIN-ACL
   permit tcp host 68.107.195.213 any eq 22 log
  control-plane
  line con 0
   exec-timeout 0 0
   logging synchronous
  line aux 0
  line vty 0 4
   exec-timeout 0 0
   logging synchronous
   login local
   transport input ssh
   transport output ssh
  scheduler allocate 20000 1000
  end
  StandbyGZ-2911# sh ip int br
  Interface                            IP-Address        OK?   Method      Status                  Protocol
  GigabitEthernet0/0         unassigned        YES    NVRAM     administratively  down down
  GigabitEthernet0/1         183.x.x.x             YES    NVRAM     up                         up
  GigabitEthernet0/2         10.10.1.254       YES    NVRAM     up                         up
  NVI0                                 183.x.x.x             YES    unset          up                         up
  StandbyGZ-2911#sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 183.233.184.129 to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 183.233.184.129
        10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        10.10.0.0/23 is directly connected, GigabitEthernet0/2
  L        10.10.1.254/32 is directly connected, GigabitEthernet0/2
        183.233.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        183.x.x.x/25 is directly connected, GigabitEthernet0/1
  L        183.x.x.x/32 is directly connected, GigabitEthernet0/1

  Hi Chris,
  That is what how I am used to configure the NAT, but IOS 12.3 and on introduced interface NVI0, which according to cisco documentation should make applying the NAT statements "easier". IP nat enable has to be enabled on all interfaces and then NVI0 makes the "inside" and "outside" decisions. I was hoping that someone could clarify the real use of that NVI0 interface and if it causes problems. Apparently it cannot be removed from the config. 

• Cannot ping or telnet to new 2948G switch

  I just installed a new 2948G switch and assigned the me1 interface an IP address... it's working fine (except for a small blip yesterday due to a duplicate IP address - oops)
  I cannot ping the switch's IP address, nor can I telnet to it from the same subnet. if I console into the switch, i cannot ping anything FROM the switch. If I issue a "show arp" command I get NOTHING.
  this doesn't make any sense. The switch is running CatOS4000.

  make sure the default gateway is correct . Also you cannot have both the SC0 interface and the ME1 interface active at the same time and the Sc0 is the active one by default because that is what most people use . Shutdown the SC0 interface if it is still active and make sure the ME is up . "set interface sc0 down" . A show interface command will show you the status of both these interfaces. "set int me1 up"
  Also by using the me1 interface you are limiting the switch ,below is a little blurb out of the catos config guide.
  The in-band (sc0) management interface is connected to the switching fabric and participates in all of the functions of a normal switch port, such as spanning tree, Cisco Discovery Protocol (CDP), and VLAN membership. The out-of-band management interfaces (me1 and sl0) are not connected to the switching fabric and do not participate in any of these functions.

• 897VAW: Cannot add Allowed vlans to Trunk on WLAN-GigabitEthernet interface

  Hi,
  I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
  In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
  switchport trunk allowed vlan 1-3,1002-1005
  or
  switchport trunk native vlan 2
  I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
  Is there something I am doing wrong or is this a bug in the IOS?
  To save making this post long, my latest running configs are on my blog:
  Router: http://www.thingsgeeky.walker.uk.com/?p=3781
  AP: http://www.thingsgeeky.walker.uk.com/?p=3781
  Many Thanks
  W.

  Hi,
  I am trying to configure the Access Point module on my Cisco Router (897AVW), however I am unable to route / ping between the router and the AP.
  In a few examples I've seen, the wlan-GigabitEthernet interface has the command:
  switchport trunk allowed vlan 1-3,1002-1005
  or
  switchport trunk native vlan 2
  I have tried both and although the router doesn't error, show-ing the config, neither commands have taken.
  Is there something I am doing wrong or is this a bug in the IOS?
  To save making this post long, my latest running configs are on my blog:
  Router: http://www.thingsgeeky.walker.uk.com/?p=3781
  AP: http://www.thingsgeeky.walker.uk.com/?p=3781
  Many Thanks
  W.

• Bringing up a third interface - cannot ping servers

  Hi All,
  I have a CSS 11503 that already had 2 interfaces up and running fine. The frontend is on vlan 26 and backend server vlan is on vlan 836. Now, I have some servers on vlan 301 that needed load balancing and brought up the third interface.
  Here is my config
  interface 1/1
  bridge vlan 836
  interface 1/2
  bridge vlan 26
  interface 2/1 (this is the new interface)
  bridge vlan 301
  circuit VLAN836
  ip address 10.10.235.5 255.255.255.128
  circuit VLAN26
  ip address 10.10.26.5 255.255.255.0
  circuit VLAN301
  ip address 10.44.0.5 255.255.252.0
  Here is the "show ip route" output
  BCMDC-CSS1# sh ip route
  prefix/length next hop if type proto age metric
  10.1.20.0/22 10.1.22.150 2 mgmt local -- --
  0.0.0.0/0 10.10.26.1 1022 remote static 5342983 0
  10.44.0.0/22 10.44.0.5 1021 local local 7122 0
  10.10.26.0/24 10.10.26.5 1022 local local 5343307 0
  10.10.235.0/25 10.10.235.5 1023 local local 5343288 0
  Show arp contains all the servers I want to ping and here is the arp table on the CSS
  10.44.0.1 00-00-0c-07-ac-1f dynamic 2/1
  10.44.0.2 00-d0-02-f3-a8-00 dynamic 2/1
  10.44.0.3 00-09-12-ed-6f-00 dynamic 2/1
  10.44.0.20 00-11-25-9d-e4-98 dynamic 2/1
  10.44.0.21 00-11-25-9d-ee-d7 dynamic 2/1
  10.44.0.30 00-11-25-9d-e6-86 dynamic 2/1
  10.44.0.31 00-14-5e-3c-71-38 dynamic 2/1
  10.44.0.32 00-11-25-4a-82-a1 dynamic 2/1
  10.44.0.33 00-14-5e-3e-60-e1 dynamic 2/1
  10.44.0.34 00-11-25-9e-e5-ce dynamic 2/1
  10.44.0.35 00-11-25-9c-66-c9 dynamic 2/1
  10.44.0.40 00-1a-64-4f-21-bc dynamic 2/1
  10.44.0.41 00-1a-64-4f-23-6e dynamic 2/1
  10.44.0.50 00-1a-64-4f-2f-74 dynamic 2/1
  10.44.0.51 00-1a-64-4f-22-72 dynamic 2/1
  10.44.0.60 00-1a-64-4f-1c-ba dynamic 2/1
  10.44.0.61 00-1a-64-4f-13-06 dynamic 2/1
  I cannot ping any of the 10.44.0.x address. The interface is up and it is connected to a 6509 switch as an accessport on vlan301 and it shows up and up.
  There are no ACLs configured. I am just trying to ping the servers before I can write the content rules.
  Any ideas?

  OK. I figured out that I cannot ping the servers. But, I cannot ping the circuit vlan 301 IP from the router which is 10.44.0.5.
  However, I can ping vlan 836 circuit IP like 10.10.235.5 Here is the ping result from the router where the css is connected to
  gw1>ping 10.10.235.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.10.235.5, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
  gw1>ping 10.44.0.5
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.44.0.5, timeout is 2 seconds:
  Success rate is 0 percent (0/5)

• Smartcare cannot ping cimc interface

  Hi All
  Smartcare applicance can ping everything defauolt route etc but not cimc interface
  Not a local route issue ? 

  Duplicate posts.  :P
  Go here:  https://supportforums.cisco.com/discussion/12140361/smartcare-cannot-ping-cimc-interface

• Cannot ping an interface

  Hi all,
  I have decided to add a separate vlan/wlan to the network. This interface uses port 1 (My management interface uses port 2). I have connected the port to a router, which is connected to a gateway.
  I checked and the routing is done correctly. When I connect a pc to the router, I have access to internet. However, when I connect to the wlan that's associated with the vlan on port 1, I not only cannot access internet, but also cannot ping the router.
  I can ping the interface when I connect to the wlan. However, I cannot ping the router.
  The same thing happens when I connect my pc to the router. I cannot ping the interface as well.
  Is there something that I am missing? It seems that there is a connectivity issue in the connection between port 1 and the router. Should I try using a crossover cable and see if it solves my problem?
  Thanks!
  Tibet

  Your diagram is very clear. You have few options here
  Option 1
  WLC port 1 & Router LAN port onto your switch (rather directly connecting router to WLC). In this way WLC connected switch port should be configured as trunk port & router connected switchport should be configured as access port for the vlan belongs to 10.0.0.0/24 network.
  If you are thinking about creating multiple WLANs (in futrue) with your router as LAN gateway, then you should configure router connected switchport as trunkport & subinterface on your router LAN interface.
  Option 2
  Aggregate WLC port 1-2 into one single port channel & create a single trunk link between WLC & Switch. In this way you will get more bandwith for your user traffic.(usually mgt does not want dedicated 1G link). Then configure Router LAN interface connected switchport as access port (if you only require single WLAN) or trunk port (if you require multiple WLAN)
  I prefer option 2 because of its flexibility & scalability. Let us know your choice & then accordingly we can help you to get this done.
  Also post your WLC "show sysinfo" as well.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• LAN Switches cannot be accessed by Telnet, SSH or console in native vlan

  Hi to all of you:
  I do have a question about tagging the native vlan.
  In our network we do have about 90 L2 and L3 switches, 2950 the oldest, 2960, 2960S, 3560 PoE, 3750 and 4503E, and we are running VTP, and 43 vlans within the entire network.
  our Native VLAN is still vlan 1, and there are many corporative applications running in this vlan.
  We have upgraded the IOS for the switches to the latest IOS version about 6 months ago, and after that we started to have issues on the switches, related to accessing the switch, either by telnet, ssh, or even console. However, the switch is still working fine, I mean, doing all bridging and switching traffic.
  I have to reset or reload (power cycle) if I want to access the switch.
  I have read that having the native vlan can be a problem.
  Could you please let me know if you have gone through this problem?
  Thanks in advance for your help.
  Javier F. Berthin H.

  Hi Karhtick:
  I guess you have the best answer, you suggested the memory command and I am attaching you as result.
  Next step should be to downgrade the IOS?, because we did the upgrade just in order to have the latest IOS published by Cisco.
  If you need the config please let me know, for complementary comments.
  Thanks for your help.
  Javier
  Core_Toldos#
  Core_Toldos#
  Core_Toldos#sh processes memory sorted
  Processor Pool Total:   57114592 Used:   42061488 Free:   15053104
        I/O Pool Total:   12582912 Used:    9397428 Free:    3185484
  Driver te Pool Total:    1048576 Used:         40 Free:    1048536
  PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
     0   0   56706116   14325484   38372056          0          0 *Init*
  197   0    4506712    2363500    1463652          0          0 Auth Manager
     0   0          0          0    1443720          0          0 *MallocLite*
     0   0  577244636  370831296     916016   12457311    3203234 *Dead*
  236   0     532808      46152     507068          0          0 IP ARP Adjacency
  303   0    1335768     890528     450448          0          0 ADJ resolve proc
  230   0   27640244      15996     378344      10152          0 CDP Protocol
    77   0     368260   14413456     377820          0          0 EEM ED ND
  102   0     385848        232     362236          0          0 HLFM address lea
  404   0    3397428    3069392     334928          0          0 hulc running con
  192   0     307492      21604     294808          0          0 HL2MCM
  193   0     356552      70624     294744          0          0 HL2MCM
  357   0     265100          0     275260     100548          0 EEM ED Syslog
  365   0  126849404   86726456     255248          0          0 EEM Server
    87   0     569060     274864     244984          0          0 Stack Mgr Notifi
  203   0     753032     492440     164316          0          0 DTP Protocol
  201   0     737920     526656     159424          0          0 802.1x switch
    13   0  505129716  504972016     156620          0          0 ARP Input
  Core_Toldos#

• ACE 4700 - Cannot Ping the Alias

  I cannot ping my alias addresses. I can ping the actual interface addresses but not the alias. When I look at the ARP entry on the switch it's connected to for the alias, it comes up INCOMPLETE.
  Below is my config.
  interface gigabitEthernet 1/1
  description Fault Tolerant Port
  ft-port vlan 990
  no shutdown
  interface gigabitEthernet 1/2
  shutdown
  interface gigabitEthernet 1/3
  shutdown
  interface gigabitEthernet 1/4
  switchport trunk allowed vlan 10,112,200,254
  no shutdown
  resource-class RC1
  limit-resource all minimum 20.00 maximum unlimited
  limit-resource sticky minimum 8.00 maximum unlimited
  boot system image:c4710ace-mz.A1_7b.bin
  hostname atl-ace-01
  access-list ALL line 8 extended permit ip any any
  class-map type management match-any PING
  2 match protocol icmp any
  class-map type management match-all SNMP-ALLOW_CLASS
  2 match protocol snmp source-address 10.150.100.202 255.255.255.255
  class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
  policy-map type management first-match AllowICMP
  class PING
  permit
  policy-map type management first-match SNMP-ALLOW_POLICY
  class SNMP-ALLOW_CLASS
  policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
  permit
  interface vlan 200
  ip address 10.10.200.110 255.255.254.0
  alias 10.10.200.120 255.255.254.0
  peer ip address 10.10.200.111 255.255.254.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input SNMP-ALLOW_POLICY
  service-policy input AllowICMP
  no shutdown
  ft interface vlan 990
  ip address 192.168.254.1 255.255.255.0
  peer ip address 192.168.254.2 255.255.255.0
  no shutdown
  ft peer 1
  heartbeat interval 250
  heartbeat count 10
  ft-interface vlan 990
  ip route 0.0.0.0 0.0.0.0 10.10.201.254
  context Exchange-CAS
  allocate-interface vlan 112
  allocate-interface vlan 254
  member RC1
  ft group 1
  peer 1
  priority 200
  peer priority 190
  associate-context Exchange-CAS
  inservice

  Nevermind. I found an old Context on the redundant ACE with overlapping info.