Cisco 5512 setup
Hi Guys,
Here is my basic setup
I have an ASA 5512 gig0 connects to the internet
G1 connects to the inside on 192.168.35.254 then plugs direct into a switch.
I'm confused about the setup to get the IPS running. Do I need to put the IPS in the same range as my inside interface? And what do I set the IPS gateway to, 192.168.35.254, my inside ASA interface?
Once this is done, do I need to set up a rule within the MPF to forward all traffic to it?
Thanks
James.
Also check these helpful ASA IPS config links
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/modules_ips.pdf
http://itzecurity.blogspot.co.uk/2013/12/configuring-cisco-asa-ips-module.html
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/modules_ips.pdf
http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_asa_ips.html
Similar Messages
-
ISE cannot push the profile to the cisco network setup assistant?
We have tried a few android devices with version 4.2+ but still got the error message ‘Unable to download profile.(Have you logged into the guest portal?)’ as shown at the bottom picture.
In fact, we are connecting the devices to an open SSID which performs MAC filtering, then redirect to CWA and login with AD credentials,
then redirect to Google play store and can successfully download the network setup assistant.
Could you please advise the possible reasons that would cause this error message and make ISE unable to push the profile to the Cisco Network Setup Assistant?
Here's a snippet from the Android spw.log. I see that there is an error trying to verify the hostname. Is it possible that this is caused by a non-trusted certificate? I'm using the self-signed cert built into ISE. I have an entry in the public DNS for guest.domain.com that resolves to the IP of my ISE server accessible from the guest subnet. I'm allowing all traffic from the guest VLAN to the ISE VLAN on the firewall and all traffic to/from the ISE server in the provisioning ACL I have applied by ISE on the WLC during native supplicant provisioning. I know that guests can communicate with the ISE server since regular guest portal redirection works, just not the Network Setup Assistant. I've renamed the domain to domain.com in this snippet.
2014.07.20 23:44:48 INFO:verion :4.4.4 SDK Level : 19
2014.07.20 23:44:48 INFO:State :START
2014.07.20 23:44:48 INFO:Starting Discovery
2014.07.20 23:44:48 INFO:Starting ISEDiscoveryAsynchTask
2014.07.20 23:44:48 INFO:DHCP Stringipaddr 192.168.30.110 gateway 192.168.30.1 netmask 255.255.255.0 dns1 208.67.222.222 dns2 208.67.220.220 DHCP server 192.168.30.1 lease 3600 seconds
2014.07.20 23:44:48 INFO:DHCP ipaddress192.168.30.110
2014.07.20 23:44:48 INFO:DHCP gateway192.168.30.1
2014.07.20 23:44:48 INFO:Discoverng ISE http return code :200
2014.07.20 23:44:48 INFO:ISEServer =guest.domain.com
2014.07.20 23:44:48 INFO:session =0516a8c000001932f37acc53
2014.07.20 23:44:48 INFO:Discovered using gateway :18786496
2014.07.20 23:44:48 INFO:Discovered ise server = guest.domain.com
2014.07.20 23:44:48 INFO:Discovered client mac = 5C-0A-5B-FC-37-0F
2014.07.20 23:44:48 INFO:Server:Key=guest.domain.com:0516a8c000001932f37acc53
2014.07.20 23:44:48 INFO:Downloading config fromguest.domain.com
2014.07.20 23:44:48 INFO:checkServerTrusted call
2014.07.20 23:44:48 INFO:checkServerTrusted call
2014.07.20 23:44:48 ERROR:DownloadprofileAsynchTask
2014.07.20 23:44:48 ERROR:java.io.IOException: Hostname 'guest.domain.com' was not verified
2014.07.20 23:44:48 ERROR:Hostname 'guest.domain.com' was not verified
2014.07.20 23:44:48 INFO:Internal system error.
On the ISE side, here is the snippet of logs during the same time as when the android network setup assistant was run.
2014-07-20 23:41:38,586 INFO [DefaultQuartzScheduler_Worker-6][] cisco.cpm.infrastructure.utils.NodeGroupFWUtil -:::::- Applied Firewall rules for node group.
2014-07-20 23:42:35,251 INFO [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -:::::- In AbandonedTransactionReaper : MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 2
2014-07-20 23:42:39,394 INFO [AbandonedTransactionReaper][] com.cisco.epm.db.AbandonedTransactionReaper -::::PDPInitialization:- In AbandonedTransactionReaper : MaxActive : 200 CurrentActive : 0 MaxIdle : 200 MinIdle : 0 CurrentIdle : 0
2014-07-20 23:42:49,765 INFO [DataSourceListener Thread][] api.services.persistance.dao.DistributionDAO -:::::- In DAO getRepository method for HostConfig Type : ACTIVE
2014-07-20 23:42:56,805 INFO [PDP-Heartbeats-0][] com.cisco.cpm.clustering.MnTClient -::::pdpha:- Removing session 0516a8c00000196f2a95cc53
2014-07-20 23:42:56,806 WARN [PDP-Heartbeats-0][] cpm.nsf.session.impl.SystemStateManager -::::pdpha:- Session 0516a8c00000196f2a95cc53 not found at complete
2014-07-20 23:43:35,441 INFO [portal-http-844314][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
2014-07-20 23:43:35,441 INFO [portal-http-844314][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
2014-07-20 23:43:35,750 WARN [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:43:35,768 WARN [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:43:35,768 INFO [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- initializing page definition
2014-07-20 23:43:35,769 INFO [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- Created guest theme page def
2014-07-20 23:44:18,090 WARN [portal-http-844315][] cisco.cpm.guestportal.actions.SelfProvisioningAction -:test:0516a8c000001932f37acc53::guest:- ***BYOD Registration Data***
macAddress: 5C:0A:5B:FC:37:0F
portalUser: test
authStoreName: Internal Users
authStoreGuid: 78954c30-e0f0-11e3-af67-005056bf4689
2014-07-20 23:44:18,113 INFO [portal-http-844315][] com.cisco.epm.jms.AQMessgeHandler -:test:0516a8c000001932f37acc53::guest:- Publishing message for event [TxnCommit / commit] and message class[class com.cisco.epm.pap.api.transaction.Transaction]
2014-07-20 23:44:18,167 WARN [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:44:18,168 INFO [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
2014-07-20 23:44:18,169 INFO [portal-http-844315][] cisco.cpm.guestportal.utils.CoAExecutorService -:test:0516a8c000001932f37acc53::guest:- Issue CoA reauth in 2000 milliseconds for sessionName 0516a8c000001932f37acc53
2014-07-20 23:44:18,171 WARN [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:44:18,172 INFO [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- initializing page definition
2014-07-20 23:44:18,173 INFO [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -:test:0516a8c000001932f37acc53::guest:- Created guest theme page def
2014-07-20 23:44:20,171 INFO [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Running CoAReauthTask for _sessionName 0516a8c000001932f37acc53
2014-07-20 23:44:20,194 INFO [pool-19-thread-4][] cisco.cpm.guestportal.utils.CoAReauthTask -:test:0516a8c000001932f37acc53::guest:- Issue Local CoA for session 0516a8c000001932f37acc53
2014-07-20 23:44:50,768 INFO [ContainerBackgroundProcessor[StandardEngine[Catalina]]][] cpm.admin.infra.action.SessionCounterListener -:::::- sessionDestroyed - deducted one session from counter - Session ID - 0FFE9C73C9209D4EE2534558CB8F723B - Session Count - 0
2014-07-20 23:46:58,502 INFO [portal-http-844315][] cisco.epm.license.flexlm.FlexlmFileHandler -:::::- Is License Valid for seId [1] = true
2014-07-20 23:46:58,502 INFO [portal-http-844315][] com.cisco.epm.license.LicensingManager -:::::- License is valid [true] for SeriveType [1]
2014-07-20 23:46:58,693 WARN [portal-http-844315][] cisco.cpm.guestportal.utils.GuestPortalUtils -::0516a8c000001932f37acc53::guest:- --- GuestPortalUtils: Unable to determine language. Defaulting to English
2014-07-20 23:46:58,702 INFO [portal-http-844315][] cisco.cpm.provisioning.cache.FlowStateCacheManager -::0516a8c000001932f37acc53::guest:- Deleted old flow state session with device id 5C-0A-5B-FC-37-0F -
Cisco Network Setup Assistant Unable to install the certificate on Android KitKat
Greetings,
I'm having issues with deploying the CA. Although the Cisco app fails, the user cert (but no CA) appears to install and is accessible during Wi-Fi setup. I am running the latest version of Cisco Network Setup Assistant 1.2.42. The phone is running Android KitKat 4.4.4, not rooted, running the stock T-Mobile ROM. I'm able to authenticate with the guest side, and get as far as "Installing Certificates...". Reference the screenshots attached.
Error message from Cisco Network Setup Assistant: "Unable to install the certificate. Exit the application and run it again to continue to the installation."
I have run the application several times; it keeps returning to this same message.
After failure of the Cisco app, I noticed there is a certificate manager with CA cert and key, and then subsequently one new key continues to loop until I cancel (also in screenshots).
I have tried decryption, removing all security, and clearing credentials, yet the problem persists. Any help is appreciated. -
Cisco Network Setup Assistant with Windows 8
Hi, I'm trying to provision on Windows 8 (Surface Pro).
When the Cisco Network Setup Assistant is on, it asks for a 'network password' while the SSID is WPA2-Enterprise,
and I configured it that way on the NSP.
Is it a bug??
Hi,
What version of ise are you on, also what is the windows native supplicant provisioning version? See if the release notes for 1.2 meet your current design.
http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html#wp378491
Thanks,
Tarik Admani
*Please rate helpful posts* -
This post needs to go across a few forums but I will start here first.
I have an 857W router which I want to replace my home ADSL router with.
I can setup the ADSL / routing no problem but I am struggling to find a good resource on setting up the wireless.
Can anyone guide me to some basic setup guides to securing the wireless on this box.
Thanks
You can find some good all-round examples here:
http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/enetintr.html -
EA3500 Cisco Connect Setup problem?
So I recently reset my Linksys EA3500 and I lost the CD, so I downloaded Cisco Connect for the EA3500. I connected my EA3500 using the ethernet cable to my laptop, ran the setup, and then at 25% it said that no wireless routers were found. I already connected it using an ethernet cable; I don't understand why it is still not found. What should I do?
Hi geraldicg , make sure that the wireless switch on your computer is turned on. I recommend that you try another laptop (if available). If no luck, configure the router manually by accessing 192.168.1.1 or myrouter.local. Check this out:
Title: Accessing your Linksys Smart Wi-Fi Account through a web browser -
Cisco Connect setup stuck at 90% Linksys E900
Hi,
This evening I had to reset my router's settings and I also formatted (don't know if it's a good word in English, I mean recovering the operating system) my disk, and now I can't install Cisco Connect again on my laptop (Win8). The setup process is always stuck at 90% (after a few or more minutes there's a message that configuring failed...). What's weird is that I can browse the internet and use the router's settings in a web browser ( http://192.168.1.1 ) while the setup is stuck. After getting the "FAIL message" I can't use the internet anymore.
I beg for your help! ;<
Thanks in advance.
Do you want to use the Cisco Connect software? If not, then you can always go for manual troubleshooting. Linksys designed Cisco Connect as a tool to help manage the router. If you need to use it, I suggest that you download the software from the Linksys website and start all over again. Before you run the software, reset the router first for 10 seconds, reboot the router and once it's ready run Cisco Connect.
Just make sure that you do not have any firewalls enabled or antivirus software that may interfere with the setup process. Again, if you don't need the software just go with manual troubleshooting. You always have different options. -
Cisco vlan setup w a windows 2003 dhcp server help
Can anyone give me some tips or point me to some documentation on setting up a catalyst 4500 series w vlans and a windows 2003 server w associated dhcp scopes? Just for curiosity, what is a good vlan design for a college. I was thinking a student, a staff, a faculty, and a guest and or mgmt vlan. Also, on the guest vlan how would I setup an outbound acl to only allow port 80 traffic? Thanks in advance.
Hi
Try to limit the number of users per vlan to no more than a class C subnet if you can. We use half a class C /25 network in our offices.
If you can break up the vlans to match the different type of users then that would be a good start. It means you can further down the line apply different security policies to the different vlans which in your situation you may well want to do. Don't worry if for example you need to use 2 or 3 vlans for students it's not a problem.
Attached is a link for 4500 configuration. You need to look at the following chapters primarily:
1) Configuring VLANs, VTP & VMPS.
2) Configuring Layer 3 interfaces. Look at the section on logical layer 3 SVIs.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sg/configuration/guide/conf.html
On the guest VLAN you would need something like the following (assuming the guest VLAN subnet range is 192.168.1.0/24):
! IOS access lists take wildcard masks (0.0.0.255), not subnet masks
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
access-list 120 deny ip 192.168.1.0 0.0.0.255 any
and apply it inbound on the VLAN interface, i.e. if your VLAN for guest users is VLAN 20:
switch(config)# interface vlan 20
switch(config-if)# ip access-group 120 in
As for the W2003 server, I have not done much with Windows. You will need DHCP Manager, which should be under Admin Tools. Make sure you exclude the addresses for each subnet that you allocate to the 4500 layer 3 interfaces, i.e.
switch(config)# interface vlan 20
switch(config-if)# ip address 192.168.1.1 255.255.255.0
In your DHCP scope 192.168.1.1 will be the default gateway for your clients and you should exclude this from the scope.
Hope this is enough to get you started
Jon -
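Applied inbound on the SVI, Jon's access list 120 above also drops the guest clients' DHCP requests on their way to the SVI's relay address and their DNS lookups, so guests get no lease and resolve nothing. The following is an added example, not from Jon's reply, of the same list with those two services permitted ahead of the web rule; VLAN 20, 192.168.1.0/24 and the Windows 2003 DHCP server address 192.168.10.5 are assumptions (the server address is a placeholder).

```cisco
! Added example (not from the thread). Assumes guest VLAN 20 is
! 192.168.1.0/24 with the SVI at 192.168.1.1 and the Windows 2003 DHCP
! server at 192.168.10.5 (placeholder address) reached through DHCP relay.
!
! Order matters: DHCP and DNS are listed before the web permit and the deny.
! DHCPDISCOVER is sent from 0.0.0.0 to 255.255.255.255, so the source and
! destination must be "any", not the guest subnet. The same line also
! covers unicast renewals from an already-addressed client.
access-list 120 remark Guest VLAN: DHCP relay, DNS and web only
access-list 120 permit udp any eq bootpc any eq bootps
access-list 120 permit udp 192.168.1.0 0.0.0.255 any eq domain
access-list 120 permit tcp 192.168.1.0 0.0.0.255 any eq www
! IOS access lists use wildcard masks (0.0.0.255), not subnet masks
access-list 120 deny ip 192.168.1.0 0.0.0.255 any
!
! The SVI carries the relay address; the ACL is evaluated on traffic
! entering the SVI from the VLAN, which is why DHCP had to be permitted.
interface Vlan20
 description Guest VLAN SVI
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.10.5
 ip access-group 120 in
```

Exclude 192.168.1.1 from the matching DHCP scope on the Windows server, as Jon notes, since it is the SVI address the clients will receive as their gateway.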
Cisco Error: Setup failed to launch installation engine
When launching the CSA installation, I am getting an error that says "Setup failed to launch installation engine. Access denied." This agent kit has been deployed to hundreds of servers with no problems. Has anyone seen this problem before or know of a solution?
Check your access rights and the version of InstallShield on the server. I've seen a conflict with newer versions (1/3/2003 or newer) of Ikernel.exe left over from other installations.
-
Can anyone tell me how I would set up DSL on my SOHO router? The config I have seen has the atm0 setup and also a dialer interface setup. Is this the way it must be done? Can't you just set it up on the ATM interface?
Carl,
How are you connecting to your ISP, PPPoE, PPPoA or neither? There are different ways to configure your SOHO 97. The dialer interface is used mostly for authentication purposes, as is the case with some connection methods, again dependent upon what protocol you are using with your ISP.
HTH ~ Joel -
Hey folks,
I have blown the dust off my Cisco 1801 and looked the books out to put a decent router on my network now that I am running my own server. However, I have hit a few bumps and am now totally stuck. Any help?
DHCP is disabled and I can't remember the subnet.
Connected with the console cable but finding my admin password isn't accepted.
Running the password recovery but unable to access ROMMON using the special command > break.
I should get this, but the ATA monitor library just loads and I get stuck on the password screen.
*** System received an abort due to Break Key ***
signal= 0x3, code= 0x500, context= 0x813ac158
PC = 0x802d0b60, Vector = 0x500, SP = 0x80006030
rommon 1 >
From what I gather (still green behind the ears) the ROMMON command has been disabled.
Any way to get into my Cisco or do I need to reload the IOS on the flash card?
Here is my event log/putty output
Event log
2012-11-09 19:59:47 Opening serial device COM6
2012-11-09 19:59:47 Configuring baud rate 9600
2012-11-09 19:59:47 Configuring 8 data bits
2012-11-09 19:59:47 Configuring 1 data bits
2012-11-09 19:59:47 Configuring no parity
2012-11-09 19:59:47 Configuring no flow control
2012-11-09 19:59:52 Starting serial break at user request
2012-11-09 19:59:52 Starting serial break at user request
Putty Output
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled
Upgrade ROMMON initialized
boot: unsupported boot device "c180x-adventerprisek9-mz.124-6.T2.bin"
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled
Upgrade ROMMON initialized
program load complete, entry point: 0x80012000, size: 0xc0c0
Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0xc0c0
Initializing ATA monitor library.......
program load complete, entry point: 0x80012000, size: 0x11b8f98
Self decompressing the image : ########################################################################################################################################################################################################################################################################################################################################################### [OK]
Cisco 1801 (MPC8500) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FCZ113812MC, with hardware revision 0000
9 FastEthernet interfaces
1 ISDN Basic Rate interface
1 ATM interface
63488K bytes of ATA CompactFlash (Read/Write)
Installed image archive
Cheers folks, removing the USB-to-serial cable and going direct from the COM port on my server has solved it. Now am I to load a new IOS to the flash card?
My putty output in case it helps others
Password reset
monitor: command "boot" aborted due to user interrupt
rommon 1 > confreg 0x42
You must reset or power cycle for new config to take effect
rommon 2 > reset
After password reset
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled
Upgrade ROMMON initialized
boot: unsupported boot device "c180x-adventerprisek9-mz.124-6.T2.bin"
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled
Upgrade ROMMON initialized
boot: cannot open "flash:"
boot: cannot determine first file name on device "flash:"
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled
Upgrade ROMMON initialized
boot: cannot open "flash:"
boot: cannot determine first file name on device "flash:"
System Bootstrap, Version 12.3(8r)YH8, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2006 by cisco Systems, Inc.
C1800 platform with 131072 Kbytes of main memory with parity disabled
Upgrade ROMMON initialized
rommon 1 > -
Hi Guys,
I need some help/advice on the configuration below, as I want to configure port forwarding to separate devices internally to serve external parties. I have only one WAN IP, which is already assigned to the firewall outside interface...
External User ---->ASA------>Server, NAS
Please help, I am having difficulties making it work..
Hi Eddy,
Thanks for reply. I tried the above command but it's not working...do i have to add any acl?
interface GigabitEthernet0/0
nameif outside
security-level 0
pppoe client vpdn group gcmjp
ip address pppoe setroute (1.1.1.1)
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet0/2
nameif WiFi
security-level 50
ip address 192.168.3.1 255.255.255.0
interface GigabitEthernet0/3
nameif Phoneline
security-level 90
ip address 192.168.4.1 255.255.255.0
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network JP_LAN
subnet 192.168.2.0 255.255.255.0
object network SG_LAN
subnet 192.168.1.0 255.255.255.0
object network Synology1
host 192.168.2.155
object network Synology2
host 192.168.2.243
object network BackupServer
host 192.168.2.11
object network JP
subnet 192.168.2.0 255.255.255.0
object network WiFi
subnet 192.168.3.0 255.255.255.0
object network NAS5006
host 192.168.2.155
object network Server3389
host 192.168.2.11
object service RDP3389
service tcp source eq 3389 destination eq 3389
object service NAS5003
service tcp source eq 5003 destination eq 5003
object-group service RDP tcp
port-object eq 3389
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
object network Synology1
nat (inside,outside) static interface service tcp 5003 5003
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside -
I am trying to install an 1100 series AP; it gets an IP address from DHCP. When I try to get to that IP address from the web to configure the AP, it will not connect. What am I doing wrong?
Never mind, I have the wrong AP,
thanks!
-James -
Hi all, when setting up a proper 3-layer model, i.e. core, distribution, access, what do they normally do? Would you put the VLANs on the distribution layer and have them routed there, or routed at the core?
The Core Layer :
The core layer provides an optimized and reliable transport structure by forwarding traffic at very high speeds. In other words, the core layer switches packets as fast as possible. Devices at the core layer should not be burdened with any processes that stand in the way of switching packets at top speed. This includes the following:
Access-list checking
Data encryption
Address translation
The Distribution Layer :
The distribution layer is located between the access and core layers and helps differentiate the core from the rest of the network. The purpose of this layer is to provide boundary definition using access lists and other filters to limit what gets into the core. Therefore, this layer defines policy for the network. A policy is an approach to handling certain kinds of traffic, including the following:
Routing updates
Route summaries
VLAN traffic
Address aggregation
Use these policies to secure networks and to preserve resources by preventing unnecessary traffic.
If a network has two or more routing protocols, such as Routing Information Protocol (RIP) and Interior Gateway Routing Protocol (IGRP), information between the different routing domains is shared, or redistributed, at the distribution layer.
The Access Layer :
The access layer supplies traffic to the network and performs network entry control. End users access network resources by way of the access layer. Acting as the front door to a network, the access layer employs access lists designed to prevent unauthorized users from gaining entry. The access layer can also give remote sites access to the network by way of a wide-area technology, such as Frame Relay, ISDN, or leased lines.
HTH,
Thanks
Raj -
Cisco ASA 5512, IP NVR port forwarding
Hi,
I have a Cisco 5512 ASA with version 8.6(1)2. I have one IP NVR for IP cameras.
Please help me, how do I configure port forwarding on a Cisco ASA in the CLI?
I have a static IP on the ASA, 94.56.178.222, and the NVR IP is 10.192.192.100.
Thank you so much.
ASA#
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.222 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
please advise
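Both port-forwarding threads above stop at the same gap, the Synology thread asking "do i have to add any acl?" and the 5512 packet-tracer showing the flow dropped at the ACCESS-LIST phase by the implicit rule on OUTSIDE: on ASA 8.3 and later the NAT entry alone does not admit traffic, the outside interface needs an inbound ACL, and that ACL matches the real (untranslated) address. The following is an added configuration example, not from either poster's config; the interface names, the object name NVR_8000 and TCP port 8000 are assumptions, while 10.192.192.100 and 94.56.178.222 are the addresses from the 5512 post.

```cisco
! Added example for the ASA 5512 NVR thread (not the poster's config).
! Assumptions: interfaces are named "inside" and "OUTSIDE", and the NVR
! listens on TCP 8000 (placeholder port; substitute the NVR's real one).
!
! 1. Static PAT on the single WAN address: OUTSIDE-ip:8000 -> 10.192.192.100:8000.
!    Each forwarded service needs a distinct outside port, because
!    "interface" reuses the one public IP for all of them.
object network NVR_8000
 host 10.192.192.100
 nat (inside,OUTSIDE) static interface service tcp 8000 8000
!
! 2. The rule the packet-tracer "Implicit Rule ... deny=true" is standing in for.
!    On 8.3+ the ACL sees the real address, so reference the object rather
!    than 94.56.178.222. Narrow "any" to the camera viewers' source ranges
!    where they are known; an NVR reachable from the whole internet is the
!    larger exposure here.
access-list OUTSIDE_IN extended permit tcp any object NVR_8000 eq 8000
access-group OUTSIDE_IN in interface OUTSIDE
!
! 3. Re-run the same check that produced the output above; the ACCESS-LIST
!    phase should now read "Result: ALLOW" and name access-list OUTSIDE_IN.
!    203.0.113.10 is a constructed external source address.
! packet-tracer input OUTSIDE tcp 203.0.113.10 40000 94.56.178.222 8000
!
! For the Synology thread the NAT line is already present (TCP 5003 under
! object network Synology1); only the equivalent access-list and
! access-group lines on its "outside" interface are missing.
```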