Cisco 5512-x v9.1 help

Hi Guys,
I need some help/advice on the configuration below, as I want to configure port forwarding to separate internal devices to serve external parties. I have only one WAN IP, which is already assigned to the firewall outside interface...
External User ---->ASA------>Server, NAS
Please help, I am having difficulties making it work.

Hi Eddy,
Thanks for the reply. I tried the above command but it's not working... do I have to add any ACL?
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group gcmjp
 ip address pppoe setroute (1.1.1.1)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0 
interface GigabitEthernet0/2
 nameif WiFi
 security-level 50
 ip address 192.168.3.1 255.255.255.0 
interface GigabitEthernet0/3
 nameif Phoneline
 security-level 90
 ip address 192.168.4.1 255.255.255.0 
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network JP_LAN
 subnet 192.168.2.0 255.255.255.0
object network SG_LAN
 subnet 192.168.1.0 255.255.255.0
object network Synology1
 host 192.168.2.155
object network Synology2
 host 192.168.2.243
object network BackupServer
 host 192.168.2.11
object network JP
 subnet 192.168.2.0 255.255.255.0
object network WiFi
 subnet 192.168.3.0 255.255.255.0
object network NAS5006
 host 192.168.2.155
object network Server3389
 host 192.168.2.11
object service RDP3389
 service tcp source eq 3389 destination eq 3389 
object service NAS5003
 service tcp source eq 5003 destination eq 5003 
object-group service RDP tcp
 port-object eq 3389 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu WiFi 1500
mtu Phoneline 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static JP_LAN JP_LAN destination static SG_LAN SG_LAN no-proxy-arp route-lookup
nat (inside,outside) source dynamic JP_LAN interface
nat (WiFi,outside) source dynamic WiFi interface
object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003 
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
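What is missing from the running config above is an access list on the outside interface. The object NAT on Synology1 does translate the interface address on TCP 5003 to 192.168.2.155, but nothing is bound with `access-group ... in interface outside`, so every inbound connection hits the implicit deny. Two more things a reviewer would flag: since ASA 8.3 the outside ACL is written against the real (inside) address of the server, not the public IP; and `http 0.0.0.0 0.0.0.0 outside` lets the whole internet reach ASDM with local-password authentication. The block below is an added example, not part of the thread, that publishes the NAS (TCP 5003) and the backup server (RDP 3389) behind the single PPPoE address, restricts who may reach RDP and ASDM, and verifies with packet-tracer. It reuses the objects Synology1 and Server3389 already defined above; 203.0.113.0/24 and 198.51.100.7 are placeholder addresses for a trusted partner network and an arbitrary internet host, and 1.1.1.1 stands for the PPPoE-assigned address as in the post.

```cisco
! Added example for ASA 9.1 (not the poster's config). Synology1 = 192.168.2.155
! and Server3389 = 192.168.2.11 exist in the running config above.
!
! One static PAT per published service; all share the single outside (PPPoE) address.
object network Synology1
 nat (inside,outside) static interface service tcp 5003 5003
object network Server3389
 nat (inside,outside) static interface service tcp 3389 3389
!
! Assumed: the only external party that needs RDP is 203.0.113.0/24 (placeholder).
object-group network RDP_TRUSTED_SRC
 network-object 203.0.113.0 255.255.255.0
!
! Outside ACL. On ASA 8.3+ the destination is the REAL inside address (the object),
! not the outside interface IP. Do not open 3389 to "any": RDP brute forcing is constant.
access-list OUTSIDE_IN extended permit tcp any object Synology1 eq 5003
access-list OUTSIDE_IN extended permit tcp object-group RDP_TRUSTED_SRC object Server3389 eq 3389
access-group OUTSIDE_IN in interface outside
!
! Management hardening: replace the world-open ASDM rule with the trusted network only.
no http 0.0.0.0 0.0.0.0 outside
http 203.0.113.0 255.255.255.0 outside
!
! Verification (exec mode). The first trace should show a UN-NAT phase to 192.168.2.155
! and "Action: allow"; the second should drop on OUTSIDE_IN (source not trusted);
! the third should be allowed.
packet-tracer input outside tcp 198.51.100.7 40000 1.1.1.1 5003
packet-tracer input outside tcp 198.51.100.7 40000 1.1.1.1 3389
packet-tracer input outside tcp 203.0.113.10 40000 1.1.1.1 3389
show nat detail
show access-list OUTSIDE_IN
```

One further caveat on the posted config: the outside interface uses `ip address pppoe setroute`, which installs the default route learned from the PPPoE server, and there is also a static `route outside 0.0.0.0 0.0.0.0 1.1.1.1 1`. Keep only one of the two; with setroute the static default route is not needed.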

Similar Messages

  • Cisco 5512 setup

    Hi Guys,
    Here is my basic setup
    I have an ASA 5512 gig0 connects to the internet
    G1 connects to the inside on 192.168.35.254 then plugs direct into a switch.
    I'm confused about the setup to get the IPS running. Do I need to set the IPS in the same range as my inside interface? And also, what do I set the IPS gateway to: 192.168.35.254, my inside ASA interface?
    Once this is done, do I need to set up a rule within the MPF to forward all traffic to it?
    Thanks
    James.

    Also check these helpful ASA IPS config  links
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/modules_ips.pdf
    http://itzecurity.blogspot.co.uk/2013/12/configuring-cisco-asa-ips-module.html
    p://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/modules_ips.pdf
    http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_asa_ips.html
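    An added example (not from the thread) for the question above. The IPS in a 5512-X is the IPS SSP software module: it has its own management address, configured from the module's own CLI (`session ips` from the ASA, then `setup`), and on the 5512-X it uses the ASA's Management0/0 physical port. It therefore does not need to be in the inside data range; it lives on whatever subnet Management0/0 is cabled into, with that subnet's gateway. Data reaches the sensor over the internal backplane only when MPF sends it there. The management subnet 192.168.100.0/24 and the sensor address below are assumptions; the inside network 192.168.35.0/24 is from the post.

```cisco
! Added example for ASA 9.1 MPF (not the poster's config).
! Step 1 - on the module (session ips, then "setup"): management IP on the network
! that Management0/0 is plugged into; assumed here 192.168.100.10/24, gateway 192.168.100.1.
!
! Step 2 - on the ASA: select what the sensor sees. Start with all inside traffic;
! narrow the ACL later if the sensor runs short of capacity.
access-list IPS_TRAFFIC extended permit ip 192.168.35.0 255.255.255.0 any
access-list IPS_TRAFFIC extended permit ip any 192.168.35.0 255.255.255.0
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
! global_policy exists by default; add the IPS action to it.
! "inline" lets the sensor drop traffic; "fail-open" passes traffic untouched if the
! module is down or being upgraded. Choose fail-close where blocking matters more
! than availability, and monitor the module state either way.
policy-map global_policy
 class IPS_CLASS
  ips inline fail-open
service-policy global_policy global
!
! Step 3 - verify (exec mode): module state and that the class is seeing packets.
show module ips details
show service-policy global
```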

  • Cisco ASA 5505 Configurations. Help... Beyond Frustrated

    Hello All,
    I'm fairly new to Cisco products and Network management in general. At my place of employment, I was hired as an IT Tech- Repair and Building computers, most aspects of Physical networking, and software refresh/upgrades as well as solving compatibility issues among a plethora of other things. I've configured APs, a couple Catalyst switches, a router or two, and that is about the breadth of my Cisco knowledge. I was kind of thrown into a project which is to update the current inventory of computers which all run Windows XP Professional. We are making a capital purchase of 20 Laptops and 40 Desktops all of which will run Windows 7. This means the outdated PIX they were using is now useless. I purchased a Cisco ASA 5505 (Version 8.2(1)) because it is compatible with Windows XP and Windows 7. I have spent several days and sleepless nights trying to figure out how to configure this thing. I was hoping to use SSL for the VPN. I did some basic configurations just to get started but like I said, I have no real experience with Adaptive Security Appliances and I am so frustrated right now. I tried using the Wizard to no avail. I did a write erase using CLI and tried to configure that way but I'm doing something wrong as far as I can tell. The configurations were mostly pulled from here, the Cisco Community, and a couple other web sites.
    I’m connecting the ASA 5505 to a cable modem (gateway 24.39.245.33) and to our Netvanta for VPN purposes. Here are the commands/what I have configured so far:
    hostname AMDASA
    domain-name asa.(mydomain).com
    enable password (encrypted)
    passwd (encrypted)
    interface Ethernet0/0
    description TWCoutside
    switchport access vlan 2
    no shutdown
    write mem
    exit
    interface Ethernet0/1
    description Port1inside
    switchport access vlan 1
    no shutdown
    write mem
    exit
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.0.250 255.255.255.0
    write mem
    exit
    interface Vlan2
    nameif outside
    security-level 0
    ip address 24.39.245.36 255.255.255.240
    write mem
    exit
    object-group icmp-type DefaultICMP
    description Default ICMP Types permitted
    icmp-object echo-reply
    icmp-object unreachable
    icmp-object time-exceeded
    write mem
    exit
    ftp mode passive
    write mem
    clock timezone EST -5
    clock summer-time EDT recurring
    write mem
    exit
    dns server-group DefaultDNS
    domain-name asa.adcmotors.com
    write mem
    exit
    access-list acl_outside extended permit icmp any any object-group DefaultICMP
    access-group acl_outside in interface outside
    access-list acl_inside extended permit icmp any any object-group DefaultICMP
    access-group acl_inside in interface inside
    write mem
    exit
    write mem
    That is the extent of the configurations I made via CLI. I don't know how to set the DNS lookup from a static port and I have no idea what else I'm supposed to do after the above configurations I have done. Is there a place to actually obtain ALL of the configurations needed to VPN in? Is there an easier way to make this thing work? I've seriously grown a patch of gray hair because of this device. Please help me if you can!!!!!!

    Hi our desperate friend.
    First I would suggest using the Cisco VPN client instead of SSL VPN (AnyConnect). The configuration is a bit simpler, and for the SSL VPN you would need to install the client on the ASA and purchase an additional license if you plan to have more than 2 clients. The VPN Client usually comes with the ASA. If you don't have it or don't have access to download it from cisco.com, go to the person from whom you purchased your ASA and ask him how to get it.
    That said, I also think that your ASA lacks some basic configuration as of now. If you are planning to use this as a replacement for your current PIX, you would need to configure a default route and some basic NAT:
    route outside 0.0.0.0 0.0.0.0 24.39.245.33
    global (outside) 1 interface
    nat (inside) 1 192.168.0.0  255.255.255.0
    Now regarding the VPN Client configuration, you would need something like this:
    Create an isakmp policy:
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha    
    group 2
    lifetime 86400
    Create a couple of ACLs that we will use later:
    access-list nonat permit ip 192.168.0.0 255.255.255.0 192.168.100.0 255.255.255.0
    access-list split_tun standard permit 192.168.0.0 255.255.255.0
    Create a Pool for the VPN Clients to use:
    ip local pool TestPool 192.168.100.1-192.168.100.20 mask 255.255.255.0
    Create a Group Policy:
    group-policy TEST internal
    group-policy TEST attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tun
    Create a group:
    tunnel-group TEST type ipsec-ra
    tunnel-group TEST general-attributes
    address-pool TestPool
    authentication-server-group ABTVPN
    default-group-policy TEST
    tunnel-group TEST ipsec-attributes
    pre-shared-key cisco123
    Create crypto map and do a NAT 0:
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-3DES-SHA
    crypto map Outside_map 10 ipsec-isakmp dynamic Outside_dyn_map
    crypto map Outside_map interface outside
    nat (inside) 0 access-l nonat
    Finally create a user that you will use to connect:
    username test password test123
    Then you would need to configure your VPN Client to connect with the ASA.
    Here is a config Example of VPN clients to the ASA. It uses an external server for the authentication but just skip those parts. For the initial config you might want to keep the authentication local.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806de37e.shtml
    I hope this helps. Feel free to ask if you have any questions. Also, it would be very useful if you could upload the current config (show run) of the ASA in case you need to ask something else.
    Have fun.
    Raga
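    The reply above is a workable 8.2 remote-access IPsec skeleton, with a few points a practitioner would fix before putting it on the internet. Its `tunnel-group TEST general-attributes` names `authentication-server-group ABTVPN`, a AAA server group that is defined nowhere in this config, while the text says to keep authentication local; clients at home sit behind NAT and need NAT-T; 3DES with DH group 2 is dated; and `cisco123`/`test123` are the kind of secrets that get guessed. The block below is an added example, not Raga's configuration, in 8.2(1) syntax; everything else from the reply stays as posted, and the angle-bracket values are placeholders to be replaced with long random strings.

```cisco
! Added example (not from the reply above): fixes for the 8.2(1) remote-access IPsec VPN.
!
! 1. Local authentication. Point the tunnel-group at the local user database
!    (LOCAL is also the default if the line is omitted entirely).
tunnel-group TEST general-attributes
 authentication-server-group LOCAL
!
! 2. Clients behind a home NAT router need NAT-T (UDP 4500); without it IKE completes
!    but ESP never arrives and the tunnel passes no traffic.
crypto isakmp nat-traversal 20
!
! 3. Prefer AES. A lower policy number is tried first; policy 10 (3des/sha/group 2)
!    from the reply stays as a fallback for old clients.
crypto isakmp policy 5
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map Outside_dyn_map 10 set transform-set ESP-AES256-SHA ESP-3DES-SHA
!
! 4. Secrets. The group pre-shared key and the user password are what the internet
!    gets to guess at; use long random values, one per user.
tunnel-group TEST ipsec-attributes
 pre-shared-key <long-random-group-secret>
username vpnuser password <long-random-password>
!
! 5. Verify after a client connects (exec mode): phase 1, phase 2, and the session list.
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb remote
```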

  • How to implement XP Cisco VPN client. Please help!!!

    Hi,
    I am trying to configure remote access for XP desktops using the CVPN client software and an IPsec-capable IOS Cisco 805 router (authentication should be local). The remote desktops are behind an ADSL router which does NAT translation but allows IPsec passthrough.
    I have configured it but it is not working.
    Can you please help me?
    Thanks in advance
    David

    Hi guys, Solved.
    This very useful link:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=General&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd7d54c/0
    David

  • Cisco ip phones and cme help

    Hi,
    In a company which uses Cisco Call Manager Express with IP phones 7931, 7945, 7975, 7911, 7962...
    1- I want the configuration in which the user dials a PIN code before making an outside call.
    2- I want to change the default configuration of the IP phones for "days backlight not active" to Thursday and Friday, and the backlight on duration to 1:30.
    I entered the following commands but they don't take effect.
    Router(config)# telephony-service
    Router(config-telephony)# service phone daysBacklightNotActive 6
    Router(config-telephony)# service phone backlightOnDuration 1:30
    Router(config-telephony)# service phone backlightIdleTimeout 01:00
    Router(config-telephony)# create cnf-files
    Router(config-telephony)# reset all
    3- I have ringtone files in the flash (sh flash attached); I want all the ringtones to appear on all the IP phones when I press Settings, then User Preferences, then Rings. I can only see two ring tones.
    thanks for your help

    My reply may be too late to be of any help to you, but for the benefit of others:
    Be sure you understand the different types of PoE out there. The Linksys PoE switch only supports the newer IEEE 802.3af PoE standard.
    The 7940, 7960, 7905 and other older Cisco phones only support Cisco pre-standard PoE and thus will not work with the 802.3af Linksys Switch.
    To use this switch, you will need to make sure you are using the newer 7070, 7961, 7941 phones, which support both pre-standard and 802.3af PoE.
    All the best,
    John

  • Cisco catalyst 2960 booting garbage, help on restore IOS

    Dear All,
    This is my first time on terminal access of a Cisco Catalyst 2960 (2960TC-L); normally I would use the web configuration for most tasks.
    Now the switch has an issue with the web interface, and when I try to access it through the terminal I am greeted with garbage upon booting of the switch. I searched for the terminal boot process and it wasn't what I expected for my switch. I am a bit dumbfounded now as to how I can recover the firmware to its default state, now that I cannot even boot through its terminal console.
    Any help is highly appreciated. Thank you for your time.

    Hi,
    I just verified with my colleague, who had done quite a few bits before I took over his task.
    His reply was that he actually did an IOS flash before, though I'm not sure how he did it, but according to him it was actually a success and the web interface still worked a few times before it became like this.
    As I tried another time to go into root mode (or admin mode??) on the switch, the steps I performed were as below:
    1. Refer to cisco-2960-putting-setting.jpg for the settings. I press Open and it does display the console Window, no issue there.
    2. I hold the "mode" button on the switch and turn on the switch power, and after a few seconds the screen displays as such (refer to cisco-2960-putty-output2.jpg). The SYST LED did flash with the following pattern: green (blink ~15 times), then orange-green (repeat blink twice), then green (stable light). I was expecting it to go off after a few seconds but it didn't; I waited about a minute before I let go of the "mode" button.
    3. After I let go of the "mode" button, it goes to the screen (refer to cisco-2960-putty-output3.jpg), and the SYST LED is still blinking, possibly infinitely, with the console output screen staying like that; whatever I enter displays weird/garbage characters instead, and I can't do anything on it.
    Each try displays different weird characters, while the SYST LED still blinks infinitely.
    I'm unsure if I'm giving enough details for online troubleshooting; I'll try my best to give them as instructed.
    Thank you for your time.

  • Cisco Aironet ap1141n-e-k9 help configuration

    Hi all,
    I have just got a brand new Aironet access point belonging to the 1140 series (1141n-e-k9). It has been a while since I last worked with Cisco devices and I really need a little help to configure this AP (a useful link is also appreciated).
    I have an existing (wired) network with a DHCP server that provides IPs for the following range: 192.168.1.0/24 (default gw 192.168.1.254).
    I would like to configure this new AP with IP 192.168.1.253 on the gigabit ethernet interface, while the radio interface would have IP 192.168.2.1 and act as a DHCP server for the following range: 192.168.2.0/24.
    Maybe it could be configured in another way, but it's important for me to have clients connected to the AP in a subnet (i.e. 192.168.2.0/24) different from the existing one (192.168.1.0/24). Is it possible?
    I read the manual titled "Cisco IOS Software Configuration Guide for Cisco Aironet Access Points" but I really can't figure out how to accomplish this simple (I guess) task.
    Any help (links, tips or tricks) would be really appreciated (since my brain is about to blow up).
    TIA,
    Antonio

    Hi Scott,
    thanks for your answer and for the links you provided; however, I have a problem with that.
    Is it possible to find a solution for this problem internally to the AP? (Sorry if my question sounds stupid.)
    At the moment I can't "put my hands" on the device the AP is connected to (it's a customer's requirement, unfortunately), and I don't know either whether the switch is a Cisco device. Is there a solution (maybe without VLANs) to my problem?
    Since the AP has a GigabitEthernet interface and a radio one, couldn't I set up an IP from 192.168.1.0/24 on the ethernet interface and an IP from 192.168.2.0/24 on the radio (dot11) interface and set up a bridge between these two interfaces?
    thanks for your answer and your time,
    Antonio

  • Cisco MDS Kernel Error -- Need Help

    #Booting bootflash:/m9100-s2ek9-kickstart-mz.4.1.3a.bin ... #
    #Automatic boot of image at addr 0x00000000                    #
    #Starting kernel...                                                            #
    #  Entered kgdb_console_init:1960                                   #
    #Oops: Exception in kernel mode, sig: 4 [#1]                    #
    #wdt_log_count = 0: Exception in kernel mode (sig 4)       #
    # wdt_log_non_blocking is not defined                             #
    How can I solve that?

    Not sure what actions have been done on this switch. downgrading/upgrading may help. Better to let Cisco TAC work on that if the problem has not been solved yet

  • How to implement Cisco best Pratice with the help of Ciscoworks

    Hi:
    We have received a large number of required changes to various Cisco routers and switches of different models. For example, we need to configure "no ip unreachables" on more than 1000 Cisco devices, under every interface in each device. Is there some method using CiscoWorks where I provide the command to be entered, and CiscoWorks looks at every router and switch and on its own knows to make the change under every interface in the equipment? Any given device can have a number of interfaces which I don't know ahead of time and which are of different types (fast, giga, tera, etc.), so I can't create a general job or a template. Going manually is endless, but it seems that the requirements of CiscoWorks are also very restrictive, so as not to enable a general job to be created.
    I thank anyone for any help
    We have RME, CS and CM installed , so the tools are here.
    Mickey

    You can use RME's baseline compliance feature for this.  This feature can be found under RME > Config Mgmt > Archive Mgmt.  The exact location will depend on your version of RME.  A template like the following will do what you want.
    Sub-mode: interface [INTF]
    Body: + no ip unreachables
    When deployed, that will add "no ip unreachables" to all interfaces that do not already have the command.

  • I setup a Cisco Home Network and Need help Logging into It

    Hello, I have four 2521 routers and three 2954 switches.  I connected my ISPs modem from the ethernet port and plugged it into port 24 of one of my switches.  I also configured the switch for VTY access and gave it a login password.  I would like to log into the switch to configure it and telnet into all the other devices from a remote location.  But I am unable to ping the public address assigned to me by my ISP.  So I can't even telnet to the switch.  Help

    With help from elsewhere, I have learned how to change the colors and figured out a few other things. I have another question, though.
    I want to put a Twitter widget and a comment box on my website. I have the widget code from Twitter, but it is HTML and javascript or something. Can I just put these codes into the modules of the flash template? If you look at the template, you should see that it has modules that have editable HTML  text areas, but I don't know if it is limited to text or something, or if it will function correctly if I put other HTML codes in it such as script codes, etc in it.
    Also, if that works, does anyone know where I can get a code to put the comment box in one of the modules? I don't mean a contact box, I mean a widget where people can leave comments and the comments display on the page, like on a myspace profile. Just something simple that allows a visitor to leave a name and a text-only comment. I would also like to be able to selectively delete comments in case of spammers, etc.
    I found this, which might be what I am looking for, just a simple comment box, but this one is flash:
    http://activeden.net/item/commenting-with-no-database/69183?sso?WT.ac=search_item&WT.seg_1 =search_item&WT.z_author=flashBrian
    Message was edited by: ESJoeProductions

  • Cisco router wrt54gs2 v1 need help

    Bought the router at Walmart. Girlfriend threw the box away but we have the disc. We installed the disc on her new laptop and left my desktop hard wired. I've got DSL, so I thought that's all we had to do. Do I have to install the disc on my desktop for the router to work??? It worked for a little while, but now it's not, and when it did work it wasn't working well, 'cause I was in trouble because her game (W.O.W) wasn't working. Now I'm no techno guy, so I really need some help with this.

    Well, it seems that your router is not configured properly.
    Who is your internet service provider?
    If you are using a cable connection then follow this link, and for a DSL connection follow this link.

  • Cisco ASA 5512, IP NVR port forwarding

    Hi,
    I have a Cisco 5512 ASA with version 8.6(1)2. I have one IP NVR for IP cameras.
    Please help me: how do I configure port forwarding on the Cisco ASA in the CLI?
    I have a static IP on the ASA, 94.56.178.222, and the NVR IP is 10.192.192.100.
    thank you so much.

    ASA#
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   94.56.178.222   255.255.255.255 identity
    Phase: 2
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
            hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
            input_ifc=OUTSIDE, output_ifc=any
    Result:
    input-interface: OUTSIDE
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    please advise 
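    Reading the trace above (added commentary and example, not part of the thread): Phase 1 ends with `in 94.56.178.222 255.255.255.255 identity` and the result shows `output-interface: NP Identity Ifc`, which means the packet was treated as destined to the ASA itself; there is no UN-NAT phase before the ACCESS-LIST phase, so no static NAT matched the port that was traced. Phase 2 then drops on `Implicit Rule` for `input_ifc=OUTSIDE`, i.e. nothing is bound with `access-group ... in interface OUTSIDE` that permits the flow. Both the NAT and the ACL are required, and after the fix the trace itself is the check. The block below assumes the inside interface is named INSIDE, that the NVR listens on TCP 80 (web UI) and TCP 554 (RTSP), and that viewers come from 203.0.113.0/24; all three are placeholders, and 198.51.100.7 is an arbitrary untrusted source.

```cisco
! Added example for ASA 8.6(1) (post-8.3 NAT syntax); not the poster's config.
! One object per published port, because an object carries only one nat statement.
object network NVR_WEB
 host 10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 80 80
object network NVR_RTSP
 host 10.192.192.100
 nat (INSIDE,OUTSIDE) static interface service tcp 554 554
!
! NVRs and IP cameras are a favourite botnet target; do not expose them to "any".
object-group network CAMERA_VIEWERS
 network-object 203.0.113.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp object-group CAMERA_VIEWERS object NVR_WEB eq 80
access-list OUTSIDE_IN extended permit tcp object-group CAMERA_VIEWERS object NVR_RTSP eq 554
access-group OUTSIDE_IN in interface OUTSIDE
!
! Re-run the trace with a source inside CAMERA_VIEWERS (exec mode). A working forward shows
!   Phase: UN-NAT      Subtype: static        (translates 94.56.178.222/80 -> 10.192.192.100/80)
!   Phase: ACCESS-LIST Result: ALLOW          Config: access-group OUTSIDE_IN in interface OUTSIDE
!   output-interface: INSIDE   Action: allow
! instead of "output-interface: NP Identity Ifc" and "Drop-reason: (acl-drop)".
packet-tracer input OUTSIDE tcp 203.0.113.10 40000 94.56.178.222 80
!
! A source outside the viewer group must still be dropped, now by OUTSIDE_IN rather than
! the implicit rule; the hit counters confirm which line matched.
packet-tracer input OUTSIDE tcp 198.51.100.7 40000 94.56.178.222 80
show access-list OUTSIDE_IN
show nat detail
```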

  • Cisco Jabber for Windows Voicemail issue

    At this point I'm in the process of implementing a Cisco Jabber UC solution for a big company.
    I use CUCM 9.1.2, Cisco IM and Presence 9.1.2, CUC 9.1.2, Cisco Jabber for Windows 9.6.1.
    I have an issue in Cisco Jabber with voicemail integration: when I leave a voice message for any user,
    the message arrives only on his Cisco IP Phone, but not in his Cisco Jabber.
    From the Cisco Jabber connectivity status in the help menu I see that the VoiceMail service is successfully connected,
    and I see the VoiceMail button in Cisco Jabber.
    How can I resolve this issue?

    Have you configured the UC Service profile on CUCM with both Voicemail server and mailbox servers?

  • Cisco Jabber for Windows - Anti-Virus Software

    Hello,
    Cisco Jabber for Windows could not resolve Outlook contacts when a client has McAfee anti-virus software installed.
    Is there any documentation available on how to set up anti-virus software to get Cisco Jabber for Windows running?
    Cisco Jabber for Windows Version 9.2.4 Build 4528
    Outlook 2013
    Thanks
    Alex

    This is all we mention about antivirus: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/jabber/Windows/9_2/JABW_BK_J6915A59_00_jabber-windows-server-setup/JABW_BK_J6915A59_00_jabber-windows-server-setup_chapter_00.html
    Some antivirus or firewall applications, such as Symantec EndPoint Protection, block inbound CDP packets, which disables desk phone video capabilities. You should configure your antivirus or firewall application to allow inbound CDP packets. See the following Symantec technical document for additional details about this issue: Cisco IP Phone version 7970 and Cisco Unified Video Advantage is Blocked by Network Threat Protection.
    With that being said, we probably would like to get the Jabber process excluded from the antivirus list so that it allows inbound MAPI communication, as that is what is used for querying the Outlook contacts.
    The only process that ever runs from Jabber for windows is "CiscoJabber.exe" which is located in the following path:
    C:\Program Files (x86)\Cisco Systems\Cisco Jabber
    I hope this helps.

  • Ask the Expert: ISE 1.2: Configuration and Deployment with Cisco expert Craig Hyps

    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to deploy and configure Cisco Identity Services Engine (ISE) Version 1.2 and to understand the features and enhanced troubleshooting options available in this version, with Cisco expert Craig Hyps.
    October 27, 2014 through November 7, 2014.
    The Cisco Identity Services Engine (ISE) helps IT professionals meet enterprise mobility challenges and secure the evolving network across the entire attack continuum. Cisco ISE is a security policy management platform that identifies users and devices using RADIUS, 802.1X, MAB, and Web Authentication methods and automates secure access controls such as ACLs, VLAN assignment, and Security Group Tags (SGTs) to enforce role-based access to networks and network resources. Cisco ISE delivers superior user and device visibility through profiling, posture and mobile device management (MDM) compliance validation, and it shares vital contextual data with integrated ecosystem partner solutions using Cisco Platform Exchange Grid (pxGrid) technology to accelerate the identification, mitigation, and remediation of threats.
    Craig Hyps is a senior Technical Marketing Engineer for Cisco's Security Business Group with over 25 years networking and security experience. Craig is defining Cisco's next generation Identity Services Engine, ISE, and concurrently serves as the Product Owner for ISE Performance and Scale focused on the requirements of the largest ISE deployments.
    Previously Craig has held senior positions as a customer Consulting Engineer, Systems Engineer and product trainer.   He joined Cisco in 1997 and has extensive experience with Cisco's security portfolio.  Craig holds a Bachelor's degree from Dartmouth College and certifications that include CISSP, CCSP, and CCSI.
    Remember to use the rating system to let Craig know if you have received an adequate response.
    Because of the volume expected during this event, Craig might not be able to answer each question. Remember that you can continue the conversation in the Security community sub-community shortly after the event. This event lasts through November 7, 2014. Visit this forum often to view responses to your questions and the questions of other community members.

    1. Without more specifics it is hard to determine the actual issue. It may be possible that, if configured in the same subnet, asymmetric traffic caused connections to fail. A key enhancement in ISE 1.3 is to make sure traffic received on a given interface is sent out the same interface.
    2. Common use cases for using different interfaces include separation of management traffic from user traffic such as web portal access or to support dedicated profiling interfaces. For example, you may want employees to use a different interface for sponsor portal access. For profiling, you may want to use a specific interface for HTTP SPAN traffic or possibly configure IP Anycast to simplify reception and redundancy of DHCP IP Helper traffic. Another use case is simple NIC redundancy.
    a. Management traffic is restricted to eth0, but standalone node will also have PSN persona so above use cases can apply for interfaces eth1-eth3.
    b. For dedicated PAN / MnT nodes it usually does not make sense to configure multiple interfaces although ISE 1.3 does add support for SNMP on multiple interfaces if needed to separate out. It may also be possible to support NIC redundancy but I need to do some more testing to verify. 
    For PSNs, NIC redundancy for RADIUS as well as the other use cases for separate profiling and portal services apply.
    Regarding Supplicant Provisioning issue, the flows are the same whether wireless or wired. The same identity stores are supported as well. The key difference is that wireless users are directed to a specific auth method based on WLAN configuration and Cisco wired switches allow multiple auth methods to be supported on same port. 
    If RADIUS Proxy is required to forward requests to a foreign RADIUS server, then the decision must be made based on basic RADIUS attributes or things like NDG. ISE does not terminate the authentication requests; that is handled by the foreign server. ISE does support advanced relay functions such as attribute manipulation, but I recommend reviewing the requirements with your local Cisco or partner security SE if trying to implement provisioning for users authenticated via proxy. Proxy is handled at the Authentication Policy level. CWA and Guest Flow are handled in the Authorization Policy. If you need to authenticate a CWA user via external RADIUS, then you need to use a RADIUS Token Server, not RADIUS Proxy.
    A typical flow for a wired user without 802.1X configured would be to hit default policy for CWA.  Based on successful CWA auth, CoA is triggered and user can then match a policy rule based on guest flow and CWA user identity (AD or non-AD) and returned an authorization for NSP.
    Regarding AD multi-domain support...
    Under ISE 1.2, if you need to authenticate users across different forests or domains, then mutual trusts must exist, or you can use multiple LDAP server definitions if the EAP protocol supports LDAP. RADIUS Proxy is another option to have some users authenticated to different AD domains via a foreign RADIUS server.
    Under ISE 1.3, we have completely re-architected our AD connector and support multiple AD Forests and Domains with or without mutual trusts.
    When you mention the use of RADIUS proxy, it is not clear whether you are referring to ISE as the proxy or another RADIUS server proxying to ISE.  If you had multiple ISE deployments, then a separate RADIUS Server like ACS could proxy requests to different ISE 1.2 deployments, each with their own separate AD domain connection.  If ISE is the proxy, then you could have some requests being authenticated against locally joined AD domain while others are sent to a foreign RADIUS server which may have one or more AD domain connections.
    In summary, if the key requirement is the ability to join multiple AD domains without mutual trust, then very likely ISE 1.3 is the solution. Your configuration seems to be a bit involved and I do not want to provide design guidance on a paper napkin, so I recommend consulting your local ATP Security SE to review overall requirements, topology, AD structure, and the RADIUS servers that require integration.
    Regards,
    Craig
