Cisco 3945 vs 3945E from VPN feature perspective
Hello everybody,
I have an issue understanding the difference between 3945 and 3945E from VPN support perspective.
If you check this link here:
http://www.cisco.com/en/US/products/ps10536/prod_series_comparison.html
You will see that the 3945E doesn't even have an ISM slot for a VPN ISM module and of course I could not find any ISM module for 3945E (I think this is obvious).
Nevertheless, the above mentioned page and
http://www.cisco.com/en/US/products/ps10749/index.html
say "Embedded hardware-accelerated VPN encryption for secure connectivity" for 3945E
What should I understand from this?
That the Cisco 3945E supports the same VPN features (including packet encryption / decryption in hardware) as a Cisco 3945 with VPN ISM card?
Any help will be appreciated (voted) !
Thank you!
Calin
Both versions are mentioned in the ISR G2 Performance Overview. Perhaps that helps:
https://supportforums.cisco.com/servlet/JiveServlet/download/3786419-138672/ISR_G2_Perfomance.pdf
Similar Messages
-
HI,
Which router can accommodate the maximum number of Fast Ethernet ports?
We have several offices connected through LL. We need the maximum number of ports to accommodate LL.
regards
rajat
Hi,
Please find below:
http://www.cisco.com/c/en/us/products/routers/3900-series-integrated-services-routers-isr/series-comparison.html
Now coming down to the question... if you read the below link you would decide to go with the 3945 router.
http://www.cisco.com/c/en/us/products/routers/3945-integrated-services-router-isr/index.html
3945e:
http://www.cisco.com/c/en/us/products/routers/3945e-integrated-services-router-isr/index.html
The only difference you see is that the 3945e will have one extra port (4 integrated 10/100/1000 Ethernet ports with 2 SFP ports), whereas the 3945 will have 3 integrated Ethernet ports with 2 SFP.
HTH
Regards
Inayath
*Plz rate if this info is helpful. -
With Namit Agarwal and Rahul Govindan
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
This is a continuation of the live webcast.
Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.
Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
Remember to use the rating system to let Namit and Govindan know if you have received an adequate response.
Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
Webcast related links:
Slides from the live webcast
Video Recording of the live webcast
Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast
Hello Namit and Rahul,
Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
1) How is ASA CX different from other UTM solutions ?
2) How is dynamic application inspection of CX better than other inspection engines ?
3) What features or functionalities on the CX are available by default ?
4) What are the different ways we can run or install CX on the ASA platform ?
5) What VPN features are supported with multi context ASA in the 9.x release ?
6) What are the IPv6 Enhancements in the ASA version 9.x ?
Request you to please provide your responses to them individually.
Thanks. -
Unable to access/lan2lan ping from VPN Fortigate to Cisco ASA 5505
Problem : Unable to access user A to user B
User A --- router A (122, fortigate 80c) --- (Site to Site VPN between fortigate & cisco asa) --- router B (93, cisco Asa 5505{in front asa got cisco800[81] before to internet} ) --- User B
After using wizard to configure the cisco ASA site to site VPN, the site-to-site tunnel is up.
Ping is unsuccessful from user A to user B
Ping is successful from user B to user A, data is accessible
After done the packet tracer from user A to user B,
Result :
Flow-lookup
Action : allow
Info: Found no matching flow, creating a new flow
Route-lookup
Action : allow
Info : 192.168.5.203 255.255.255.255 identity
Access-list
Action : drop
Config Implicit Rule
Result - The packet is dropped
Input Interface : inside
Output Interface : NP Identify Ifc
Info: (acl-drop)flow is denied by configured rule
Below is Cisco ASA 5505's show running-config
ASA Version 8.2(1)
hostname Asite
domain-name ssms1.com
enable password ZZZZ encrypted
passwd WWWW encrypted
names
name 82 B-firewall description Singapore office firewall
name 192.168.1.0 B-inside-subnet description Singapore office internal LAN IP
name 192.168.200.0 A-inside-VLAN12 description A-inside-VLAN12 (fortinet)
name 192.168.2.0 fw-inside-subnet description A office internal LAN IP
name 122 A-forti
interface Vlan1
nameif inside
security-level 100
ip address 192.168.5.203 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 93 255.255.255.240
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name ssms1.com
object-group network obj_any
network-object 0.0.0.0 0.0.0.0
access-list inside_nat0_outbound extended permit ip any 80 255.255.255.240
access-list inside_nat0_outbound extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
access-list outside_cryptomap extended permit ip fw-inside-subnet 255.255.255.0 B-inside-subnet 255.255.255.0
access-list Outside_nat-inbound extended permit ip A-inside-VLAN12 255.255.255.0 192.168.5.0 255.255.255.0
access-list Outside_nat-inbound extended permit ip host A-forti 192.168.5.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.5.0 255.255.255.0 A-inside-VLAN12 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-631.bin
no asdm history enable
arp timeout 14400
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http B-inside-subnet 255.255.255.0 inside
http fw-inside-subnet 255.255.255.0 inside
http 0.0.0.0 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
http 192.168.5.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer A-forti
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer B-firewall
crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption aes-192
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.5.10-192.168.5.20 inside
dhcpd dns 165 165 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
username admin password XXX encrypted privilege 15
tunnel-group 122 type ipsec-l2l
tunnel-group 122 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
class-map outside-class
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
policy-map outside-policy
description ok
class outside-class
inspect dns
inspect esmtp
inspect ftp
inspect h323 h225
inspect h323 ras
inspect icmp
inspect icmp error
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
service-policy global_policy global
service-policy outside-policy interface outside
prompt hostname context
Cryptochecksum: XXX
: end
Kindly need your expertise & help to solve the problem
any1 can help me ?
-
Cisco ASA 5505 AnyConnect SSL VPN problem
Hi!
I have a small network, with ASA 5505, 8.4:
Inside network: 192.168.2.0/24
Outside: Static IP
I would like to deploy a SSL AnyConnect setup.
The state:
-I give the correct IP from my predefined VPN pool (10.10.10.0/24).
But, could not reach any resource, could not ping too. My host has given 10.10.10.1 IP, and I had a GW: 10.10.10.2. Where is this GW from?
Could you help me?
Here is my config (I omitted my PUBLIC IP, and GW):
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname valamiASA
domain-name valami.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address MY_STATIC_IP 255.255.255.248
interface Vlan12
description Vendegeknek a valamiHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
management-only
ftp mode passive
clock timezone GMT 0
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name valami.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 MY_STATIC_GW 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_valami_VPN internal
group-policy GroupPolicy_valami_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
default-domain value valami.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group valami_VPN type remote-access
tunnel-group valami_VPN general-attributes
address-pool valami_vpn_pool
default-group-policy GroupPolicy_valami_VPN
tunnel-group valami_VPN webvpn-attributes
group-alias valami_VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d54de340bb6794d90a9ee52c69044753
: end
First of all, thanks for your link.
I know your notes, but I don't understand 1 thing:
if I check nat exemption in the anyconnect wizard, why should I make nat exemption rule?
I tried creating a rule, but it is wrong.
My steps (on ASDM):
1: create network object (10.10.10.0/24), named VPN
2: create nat rule: source any, destination VPN, protocol any
Here is my config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(4)1
hostname companyASA
domain-name company.local
enable password OeyyCrIqfUEmzen8 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
switchport access vlan 12
interface Vlan1
description LAN
no forward interface Vlan12
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
description WAN
nameif outside
security-level 0
ip address 77.111.103.106 255.255.255.248
interface Vlan12
description Vendegeknek a companyHotSpot WiFi-hez
nameif guest
security-level 100
ip address 192.168.4.1 255.255.255.0
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup outside
dns domain-lookup guest
dns server-group DefaultDNS
name-server 62.112.192.4
name-server 195.70.35.66
domain-name company.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-net
subnet 192.168.2.0 255.255.255.0
object network guest-net
subnet 192.168.3.0 255.255.255.0
object network NETWORK_OBJ_192.168.2.128_25
subnet 192.168.2.128 255.255.255.128
object network WEBSHOP
host 192.168.2.2
object network INSIDE_HOST
host 10.100.130.5
object network VOIP_management
host 192.168.2.215
object network Dev_1
host 192.168.2.2
object network Dev_2
host 192.168.2.2
object network RDP
host 192.168.2.2
object network Mediasa
host 192.168.2.17
object network VOIP_ePhone
host 192.168.2.215
object network NETWORK_OBJ_192.168.4.0_28
subnet 192.168.4.0 255.255.255.240
object network NETWORK_OBJ_10.10.10.8_29
subnet 10.10.10.8 255.255.255.248
object network VPN
subnet 10.10.10.0 255.255.255.0
object network VPN-internet
subnet 10.10.10.0 255.255.255.0
object-group protocol DM_INLINE_PROTOCOL_3
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_3 any any
access-list AnyConnect_Client_Local_Print extended deny ip any any
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any any eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any any eq netbios-ns
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_2 any any
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu guest 1500
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
nat (inside,outside) dynamic interface
object network guest-net
nat (guest,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
access-group global_access global
route outside 0.0.0.0 0.0.0.0 77.111.103.105 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa local authentication attempts max-fail 16
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable inside
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_company_VPN internal
group-policy GroupPolicy_company_VPN attributes
wins-server value 192.168.2.2
dns-server value 192.168.2.2
vpn-tunnel-protocol l2tp-ipsec
split-tunnel-policy tunnelall
default-domain value company.local
webvpn
anyconnect ssl rekey time 30
anyconnect ssl rekey method ssl
anyconnect ask enable default anyconnect timeout 30
customization none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
wins-server none
dns-server value 62.112.192.4 195.70.35.66
vpn-tunnel-protocol ssl-client
default-domain value company.local
username test password P4ttSyrm33SV8TYp encrypted
tunnel-group company_VPN type remote-access
tunnel-group company_VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_company_VPN
tunnel-group company_VPN webvpn-attributes
group-alias company_VPN enable
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
address-pool company_vpn_pool
default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
group-alias VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:33ee37a3722f228f9be9b84ef43f731e
: end
Could you give me a CLI-code?
(or ASDM steps). -
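A check for the NAT-exemption question in the posts above, as an added example that is not part of the original thread or of any Cisco tooling: it reads a running-config and reports, for each `ip local pool`, which source networks have an identity-NAT (exemption) rule whose destination covers the whole pool. It goes beyond the 8.4 twice-NAT form and also reads the pre-8.3 `nat (inside) 0 access-list` form that appears in the 8.2 configs on this page; the three sample configs are short excerpts constructed from the posted configs, and all function names are assumptions of this example.

```python
import ipaddress
import re

QUAD = r"(\d+\.\d+\.\d+\.\d+)"


def net(addr, mask):
    # strict=False tolerates an address written with host bits set
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_objects(cfg):
    """Return {name: ip_network} for 'object network' definitions (8.3+)."""
    objs = {"any": ipaddress.ip_network("0.0.0.0/0")}
    current = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m[1]
        elif current and (m := re.match(rf"subnet {QUAD} {QUAD}$", line)):
            objs[current] = net(m[1], m[2])
        elif current and (m := re.match(rf"host {QUAD}$", line)):
            objs[current] = net(m[1], "255.255.255.255")
        else:
            current = None  # any other line ends the object block
    return objs


def parse_pools(cfg):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(rf"^\s*ip local pool (\S+) {QUAD}-{QUAD}", cfg, re.M):
        pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return pools


def exemptions(cfg):
    """Yield (source_net, dest_net) for every identity-NAT (exemption) rule."""
    objs = parse_objects(cfg)
    # 8.3+ twice NAT: real and mapped objects are identical on both sides.
    twice = re.compile(r"^\s*nat \(\S+\) source static (\S+) (\S+) "
                       r"destination static (\S+) (\S+)", re.M)
    for m in twice.finditer(cfg):
        src, src_map, dst, dst_map = m.groups()
        if src == src_map and dst == dst_map and src in objs and dst in objs:
            yield objs[src], objs[dst]
    # 8.2 and earlier: 'nat (if) 0 access-list NAME' plus that ACL's permits.
    # Only entries written with dotted addresses and masks are read here.
    for acl in re.findall(r"^\s*nat \(\S+\) 0 access-list (\S+)", cfg, re.M):
        ace = re.compile(rf"^\s*access-list {re.escape(acl)} extended permit ip "
                         rf"{QUAD} {QUAD} {QUAD} {QUAD}", re.M)
        for m in ace.finditer(cfg):
            yield net(m[1], m[2]), net(m[3], m[4])


def audit(cfg):
    """Return {pool: sorted source networks exempted toward the whole pool}.

    An empty list means no exemption rule in the config covers that pool.
    """
    rules = list(exemptions(cfg))
    report = {}
    for name, (first, last) in parse_pools(cfg).items():
        report[name] = sorted({str(src) for src, dst in rules
                               if first in dst and last in dst})
    return report


# Constructed excerpt of the first AnyConnect config (ASA 8.4): no exemption.
FIRST_CONFIG = """\
object network inside-net
 subnet 192.168.2.0 255.255.255.0
ip local pool valami_vpn_pool 10.10.10.1-10.10.10.10 mask 255.255.255.0
object network inside-net
 nat (inside,outside) dynamic interface
"""

# Constructed excerpt of the second AnyConnect config: two exemption rules.
SECOND_CONFIG = """\
object network inside-net
 subnet 192.168.2.0 255.255.255.0
object network VPN
 subnet 10.10.10.0 255.255.255.0
ip local pool company_vpn_pool 10.10.10.10-10.10.10.15 mask 255.255.255.0
nat (any,any) source static any any destination static VPN VPN
nat (inside,outside) source static inside-net inside-net destination static VPN VPN
object network inside-net
 nat (inside,outside) dynamic interface
"""

# Constructed excerpt of the ASA 8.2 remote-access config (nat 0 form).
ASA_82_CONFIG = """\
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.192
ip local pool vpnpool 192.168.10.1-192.168.10.30 mask 255.255.255.224
nat (inside) 0 access-list inside_nat0_outbound
"""

if __name__ == "__main__":
    for label, cfg in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG),
                       ("8.2", ASA_82_CONFIG)):
        print(label, audit(cfg))
```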
Want to playback archived webcast recorded using Cisco webex recording. Downloaded Cisco webex meeting software from apple download page but still cannot play recording
You will probably find better support about the features of the Webex app on their support page here: http://www.webex.com/products/web-conferencing/mobile-iphone-ipad-faq.html
Doesn't look like it's listed as a feature of the iPad app. -
Asa 8.2 access files share on outside network from VPN Client.
please help me
I have cisco asa 5505 with 8.2
outside is 111.22.200.51
inside is 192.168.1.0/24 dhcp
vpnpool is 192.168.10.1-192.168.10.30
configured split tunnel to vpn client to access web
I was able to connect from outside via vpn.
Goal is access fileserver(on window) on 111.22.200.21 from vpn clients.
internal client can access the share folder
vpn client cannot access the share on 111.22.200.21
============================
names
name 192.168.1.1 ciscogw
name 111.21.200.1 umgw
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
switchport access vlan 5
interface Ethernet0/4
interface Ethernet0/5
switchport access vlan 5
interface Ethernet0/6
switchport access vlan 5
interface Ethernet0/7
switchport access vlan 5
interface Vlan1
nameif inside
security-level 100
ip address ciscogw 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 111.22.200.51 255.255.255.0
interface Vlan5
no nameif
security-level 50
ip address dhcp setroute
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name vpn.nmecsc.org
access-list RAteam_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.192
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpnpool 192.168.10.1-192.168.10.30 mask 255.255.255.224
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 111.22.200.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
quit
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.5-192.168.1.50 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
dhcpd wins 111.22.210.65 111.22.210.61 interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
group-policy DfltGrpPolicy attributes
banner value WARNING: Unauthorized access to this system is forbidden and will be prosecuted by law. By accessing this system, you agree that your actions may be monitored if unauthorized usage is suspected.
group-policy RA_SSLVPN internal
group-policy RA_SSLVPN attributes
vpn-tunnel-protocol webvpn
webvpn
url-list value team
group-policy RAteam internal
group-policy RAteam attributes
wins-server value 111.22.210.65
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RAteam_splitTunnelAcl
default-domain value vpn.nmecsc.org
username teamssl2 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username teamssl2 attributes
vpn-group-policy RA_SSLVPN
username team2 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username team2 attributes
vpn-group-policy RAteam
username teamssl1 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username teamssl1 attributes
vpn-group-policy RA_SSLVPN
username team1 password 5ZBa0qXxwLBPpvoR encrypted privilege 0
username team1 attributes
vpn-group-policy RAteam
tunnel-group team type remote-access
tunnel-group team general-attributes
default-group-policy RA_SSLVPN
tunnel-group team webvpn-attributes
group-alias team enable
group-url https://111.22.200.51/team enable
tunnel-group RAteam type remote-access
tunnel-group RAteam general-attributes
address-pool vpnpool
default-group-policy RAteam
tunnel-group RAteam ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:680b9059ca6ca6610857bab04d855031
I just upgraded asa to 9.3
add access-list but still no luck. I attached the diagram.
name 192.168.1.1 ciscogw
ip local pool vpnpool 192.168.10.1-192.168.10.50 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address ciscogw 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 111.22.200.51 255.255.255.0
boot system disk0:/asa923-k8.bin
ftp mode passive
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.10.0_26
subnet 192.168.10.0 255.255.255.192
access-list ipsec_group_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list ipsec_group_splitTunnelAcl standard permit host 111.22.200.21
access-list ipsec_group_splitTunnelAcl standard permit 111.22.200.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static NETWORK_OBJ_192.168.10.0_26 NETWORK_OBJ_192.168.10.0_26 no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 111.22.200.1 1
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
tunnel-group-list enable
group-policy ssl_vpn internal
group-policy ssl_vpn attributes
vpn-tunnel-protocol ssl-clientless
webvpn
url-list value carino
group-policy DfltGrpPolicy attributes
group-policy ipsec_group internal
group-policy ipsec_group attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ipsec_group_splitTunnelAcl
-
Cisco Prime Infrastructure deployment through Cisco 3945 ISR
Dears,
I have Cisco 3945 ISR include module for the Cisco prime infrastructure.
I need to deploy the prime but when I connected monitor on the module I saw that it is looking for DHCP only.
Please can anyone support me with procedure to install the prime?
Should I install the ESXi on this module by make it boot from external device (USB, or CD drive)?
Your support is highly appreciated,
Regards,
Duplicate post.
Go HERE.
-
Hi,
I am having Cisco 3945 router and is having image "c3900-universalk9-mz.SPA.150-1.M1.bin" , and now want to check if SRST can be enabled on the same or not.
I have checked it with command output "show callmanager fallback" and "show call-manager fallback all", attaching the output of the same. Please confirm if SRST is already configured on it or not.
And if not configured, how to configure it.
Hi Chris,
Thank you for your reply. I have one more query on this.
After creating new Device Pool for SRST, we need to move remote IP phones from their original Device Pool and map them into newly created Device Pool. So in the scenario of calls working through WAN link, will those phones work, as we have removed them from their original Device Pool?
-
Cisco 3945 Policy Base Routing
I have a Cisco 3945, it has on it two DS3 lines which I like to treat independent from each other.
I can ping both Serial interfaces from the internet, and I can ping only GIG 0/0 from the internet, but since the router is configured with one static route, GIG 0/1 can't be pinged from the outside.
Any help would be greatly appreciated
This is my current config:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname MOVLABT3-CA-ES
boot-start-marker
boot-end-marker
card type t3 1
card type t3 2
enable secret 4 oMCBqgRTCeX5XeEW3HsBW6zI763Fibuq/UrLhF/91Rs
no aaa new-model
no ipv6 cef
ip source-route
ip cef
multilink bundle-name authenticated
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1015775704
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1015775704
revocation-check none
rsakeypair TP-self-signed-1015775704
crypto pki certificate chain TP-self-signed-1015775704
certificate self-signed 01
quit
license udi pid C3900-SPE150/K9 sn FOC16313DE8
hw-module sm 1
hw-module sm 2
controller T3 1/0
cablelength 75
controller T3 2/0
cablelength 75
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip nat outside
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end
This is what it looks like now, and I still can't ping gig 0/1 from the internet
interface GigabitEthernet0/0
ip address 207.168.4.49 255.255.255.240
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip virtual-reassembly in
ip policy route-map pbr
duplex auto
speed auto
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
interface Serial1/0
ip address 206.135.100.202 255.255.255.252
ip virtual-reassembly in
dsu bandwidth 44210
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip virtual-reassembly in
encapsulation ppp
dsu bandwidth 44210
ip local policy route-map PBR
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map pbr permit 10
match ip address 101
set ip next-hop 205.214.40.5
snmp-server community RO-N1mS0ft RO
control-plane
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
scheduler allocate 20000 1000
end
-
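A configuration lint for the Cisco 3945 policy-routing thread above, as an added example that is not part of the original posts: it checks that every route-map applied with `ip policy route-map` or `ip local policy route-map` is actually defined, comparing names case-sensitively as IOS does, and that every ACL a route-map matches on exists. The function name `audit_policy_routing` and the finding labels are hypothetical; the input is an excerpt of the second configuration posted in that thread.

```python
import re

# Policy-routing lines excerpted from the second configuration posted above.
CONFIG = """\
interface GigabitEthernet0/1
ip address 206.135.120.114 255.255.255.240
ip policy route-map pbr
interface Serial2/0
ip address 205.214.40.6 255.255.255.252
ip local policy route-map PBR
ip route 0.0.0.0 0.0.0.0 206.135.100.201
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 permit ip 206.135.120.112 0.0.0.15 any
route-map pbr permit 10
match ip address 101
set ip next-hop 205.214.40.5
"""


def audit_policy_routing(config):
    """Return findings for dangling route-map and ACL references."""
    maps, acls = set(), set()
    map_refs, acl_refs = [], []   # (name, where it is referenced)
    context = "global"
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            context = m.group(1)
        elif m := re.match(r"route-map (\S+) (permit|deny)\b", line):
            context = "route-map " + m.group(1)
            maps.add(m.group(1))
        elif m := re.match(r"(?:ip )?access-list (?:standard |extended )?(\S+)", line):
            acls.add(m.group(1))
        elif m := re.match(r"ip local policy route-map (\S+)", line):
            # Local policy covers packets the router itself generates.
            map_refs.append((m.group(1), "router-originated traffic"))
        elif m := re.match(r"ip policy route-map (\S+)", line):
            map_refs.append((m.group(1), context))
        elif m := re.match(r"match ip address (?!prefix-list)(.+)", line):
            acl_refs += [(acl, context) for acl in m.group(1).split()]
    findings = []
    for name, where in map_refs:
        if name not in maps:
            # A name differing only in case is a different route-map to IOS.
            near = sorted(d for d in maps if d.lower() == name.lower())
            findings.append(("undefined route-map", name, where, near))
    for acl, where in acl_refs:
        if acl not in acls:
            findings.append(("undefined access-list", acl, where, []))
    return findings


if __name__ == "__main__":
    for kind, name, where, near in audit_policy_routing(CONFIG):
        hint = f" (defined as {', '.join(near)})" if near else ""
        print(f"{kind}: {name!r} applied to {where}{hint}")
```
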
Poor Network Performance from VPN sites
We are experiencing poor network performance when connecting from hardware VPN sites. VPN sites have Cisco Hardware VPN client 3002 which terminates to Cisco 3005 VPN concentrator. Getting upload/download speeds of 355/484kbps from VPN to surewest.com. If I remove the VPN and connect laptop directly to dsl modem, speeds are 3mb up and 1mb down. Any ideas what could be causing this?
Try this
Adjust the MTU and MSS size in concentrator and client.
Try these link for more info:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a008015ce0e.html#1223423
http://www.cisco.com/en/US/products/hw/vpndevc/ps2286/products_user_guide_chapter09186a00803ef6c5.html
-
Dear Support Community ,
previously we have cmm model on core now we are upgrading the E1 on Cisco 3945 router.
under "voice service voip" on cmm model its configure as " fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco"
but on 3945 router its taken as " fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none" little change from cisco to none does its work fine shall i need to configure as "
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw .
and even in the dial
on CMM model
dial-peer voice 54 voip
destination-pattern xxxx
voice-class h323 1
session protocol sipv2
session target ipv4:x.x.x.x
dtmf-relay rtp-nte
codec g711ulaw
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback cisco
no vad
on router 3945
fax protocol t38 ls-redundancy 0 hs-redundancy 0 fallback pass-through g711alaw.
so please advise which one we need to configure for the fax services none or pass-through g711alaw because cmm we use as cisco now its not available.
Highly appreciated for your fast response.
Thanks
Syed
or
Just adding root cause: The PVDM3 modules in the ISR G2 hardware no longer support proprietary [legacy] Cisco Fax Relay. They only support fax passthrough or T.38 fax relay.
As Paolo stated, assuming everything is behaving and supports T.38 (more on that in a moment) you should be fine since they will negotiate T.38. If something doesn't cooperate they will not have compatible fallback options and the fax would fail at that point. The most common example of a device that supports ONLY passthrough is the ATA-186. It didn't have the CPU capacity to run relay, cisco or T.38.
Since the older CMM and 3800 hardware also supports g711ulaw fax passthrough I suggest updating the config on the legacy hardware to do that for fallback instead of cisco fax relay.
Please remember to rate helpful responses and identify helpful or correct answers.
-
DMVPN in Cisco 3945 output drop in tunnel interface
I configured DMVPN in Cisco 3945 and checked the tunnel interface. I found out that I have output drop. How can I remove that output drop? I already set the ip mtu to 1400.
CORE-ROUTER#sh int tunnel 20
Tunnel20 is up, line protocol is up
Hardware is Tunnel
Description: <Voice Tunneling to HO>
Internet address is 172.15.X.X./X
MTU 17878 bytes, BW 1024 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.15.X.X (GigabitEthernet0/1)
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/1
Set of tunnels with source GigabitEthernet0/1, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport multi-GRE/IP
Key 0x3EA, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1438 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "tunnel_protection_profile_2")
Last input 00:00:01, output never, output hang never
--More-- Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 7487
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
48007 packets input, 4315254 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
42804 packets output, 4638561 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
interface Tunnel20
description <Bayantel Voice tunneling>
bandwidth 30720
ip address 172.15.X.X 255.255.255.128
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 20
no ip split-horizon eigrp 20
ip nhrp authentication 0r1x@IT
ip nhrp map multicast dynamic
ip nhrp network-id 1002
ip nhrp holdtime 300
ip tcp adjust-mss 1360
tunnel source FastEthernet0/0/1
tunnel mode gre multipoint
tunnel key 1002
tunnel protection ipsec profile tunnel_protection_profile_2 shared
Hi,
Thanks for the input. If the radio is sending out the packet but client did not receive, no output drop should be seen since packet is sent out, right?
From my understanding, output drop is related to congested interface. Outgoing interface cannot take the rate packets coming in and thus dropping it. What I don't understand is input and output rate has not reached limit yet. Also input queue is seeing drop of packet as well even though input queue is empty.
Any idea?
-
Can Cisco Configuration Professional to use IPS feature ?
Dear Expert
Hello.
Could you tell me about Cisco Configuration Professional.
I'd like to try the IOS-IPS on Cisco2901-SEC/K9.
I was search in CCO about Cisco Configuration Professional.
The Cisco2901-SEC/K9 does not support SDM.
But, The Cisco2901-SEC/K9 supported the Cisco Configuration Professional.
Can Cisco Configuration Professional to use IPS feature like SDM?
Regards,
Takuro.
Hi,
Yes, you can configure IOS IPS from Cisco Configuration Professional.
CCP has a wizard to guide you through the process; this is a link for that:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd8066d265.html
I hope this helps you.
Mashal
-
Cisco 3945- boot up fails with no error
Greetings,
Just throwing it out there to see if anyone throw some ideas my way. I recently sent a working/tested Cisco 3945 ISR router out to an office for redundancy. Before I did that, I removed WLAN controller and slot module, 1xVWIC2 T1 and 1xVIC2 FX0 modules. I did however leave the PVDM3 64ch and 1x VWIC t1 modules and flash card, which had a v15 IOS loaded and basic config. Upon delivery they said it doesn't work, "it hangs" and no damage externally or failed hardware (power supplies/fans). These things always make me wonder, cause hangs is so vague and do not really see Cisco routers do this unless they are taking larger than normal packets or someone turned on debugging without turning it off.
Here's my thinking and hope someone can chime in and throw some ideas at me before I get on a call with them on Monday. I attached a screen shot they sent of the boot up and looks to me that it's trying to initialize the current config file which may be trying to initialize the voice channels. Could this be as easy as killing the current config loaded, going into rommon and setting it back to default maybe? Or just removing the PVDM card maybe?
I hate to say something is just broke, I rarely see this and being I powered it up and tested the hardware, I don't want to involve tac until I can rule out the obvious. I did, however, test and powered down the router before removing the additional hardware. Would this current config on the router that may have lingering hardware (which I removed) in the config cause this to happen as well?
Side note: The flash cleared and below were the contents of the flash before sending out the router.
Router#sho flash
-#- --length-- -----date/time------ path
1 55277232 Jul 07 2014 07:51:20 c3900-universalk9-mz.SPA.150-1.M3.bin
201228288 bytes available (55279616 bytes used)
Thanks in advance
Remove all modules and boot.
Another thing, your IOS is very old. VERY.
If you want to stick with 15.0(1)M-series then go to M10 but don't just "sit" in an old M3.