Cisco AT6400 Remote

My home's IPTV systems were just upgraded to a Microsoft Media Room system with Cisco set top boxes. My previous system also had Cisco set top boxes. The remotes (AT6400s) look the same for both systems except the old ones were a dark grey color and the new ones are black. From what I've found, the User Guide that comes with each is the same as well. My problem is this: on my old remote I was able to program the AUX button to run my RCA RT2906 Home Theater System. Although the new remote has the same codes listed in the User Guide, I can't get it to recognize the RT2906. When I try to enter some of the codes listed in the guide, the remote won't accept them. Instead of the AUX button flashing three times indicating the code was accepted, it just has one long blink indicating that the code was not entered correctly even though it was. I'm thinking that one of the codes the remote won't accept is the one I need for the RT2906. How can I get these codes entered? Or are there other codes I can try? The RT2906 is only one year old. It seems ridiculous to think that it's not supported by the remote.

If you still have a valid warranty for your RV320 device, I would suggest you address those issues directly to the Small Business Support Center (SBSC) via their customer service system. As those are security-related concerns AND the RV320 is not on the EoL list in the meantime, I hope that this could be addressed and fixed in future firmware releases for this device.
I am afraid that nobody else on this forum could move your question forward here, as those options are not configurable (at least not officially) and must be fixed at the firmware level only. You have to use official channels to get this corrected.

Similar Messages

  • Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

    Hi friends,
    here is the configuration in my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but thereafter I can only reach up to the inside interfaces of the router, but not the LAN devices...
    Below is the output from the router
    r1#sh run
    Building configuration...
    Current configuration : 3488 bytes
    ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
    ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
    version 15.1
    service config
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname r1
    boot-start-marker
    boot-end-marker
    enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
    aaa new-model
    aaa authentication login local-console local
    aaa authentication login userauth local
    aaa authorization network groupauth local
    aaa session-id common
    dot11 syslog
    ip source-route
    ip cef
    ip domain name r1.com
    multilink bundle-name authenticated
    license udi pid CISCO1841 sn FHK145171DM
    username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
    username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
    redundancy
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group ra-vpn
    key xxxxxx
    domain r1.com
    pool vpn-pool
    acl 150
    save-password
      include-local-lan
    max-users 10
    crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
    crypto dynamic-map RA 1
    set transform-set my-vpn
    reverse-route
    crypto map ra-vpn client authentication list userauth
    crypto map ra-vpn isakmp authorization list groupauth
    crypto map ra-vpn client configuration address respond
    crypto map ra-vpn 1 ipsec-isakmp dynamic RA
    interface Loopback0
    ip address 10.2.2.2 255.255.255.255
    interface FastEthernet0/0
    bandwidth 8000000
    ip address 117.239.xx.xx 255.255.255.240
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map ra-vpn
    interface FastEthernet0/1
    description $ES_LAN$
    ip address 192.168.10.252 255.255.255.0 secondary
    ip address 10.10.10.1 255.255.252.0 secondary
    ip address 172.16.0.1 255.255.252.0 secondary
    ip address 10.10.7.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    ip local pool vpn-pool 172.18.1.1   172.18.1.100
    ip forward-protocol nd
    ip http server
    ip http authentication local
    no ip http secure-server
    ip dns server
    ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
    ip nat inside source list 100 pool INTERNETPOOL overload
    ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
    access-list 100 permit ip 10.10.7.0 0.0.0.255 any
    access-list 100 permit ip 10.10.10.0 0.0.1.255 any
    access-list 100 permit ip 172.16.0.0 0.0.3.255 any
    access-list 100 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
    access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
    control-plane
    line con 0
    login authentication local-console
    line aux 0
    line vty 0 4
    login authentication local-console
    transport input telnet ssh
    scheduler allocate 20000 1000
    end
    r1>sh ip route
    Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route, + - replicated route
    Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
    S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
          10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
    C        10.2.2.2/32 is directly connected, Loopback0
    C        10.10.7.0/24 is directly connected, FastEthernet0/1
    L        10.10.7.1/32 is directly connected, FastEthernet0/1
    C        10.10.8.0/22 is directly connected, FastEthernet0/1
    L        10.10.10.1/32 is directly connected, FastEthernet0/1
          117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
    L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
          172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
    C        172.16.0.0/22 is directly connected, FastEthernet0/1
    L        172.16.0.1/32 is directly connected, FastEthernet0/1
          172.18.0.0/32 is subnetted, 1 subnets
    S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
          192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
    C        192.168.10.0/24 is directly connected, FastEthernet0/1
    L        192.168.10.252/32 is directly connected, FastEthernet0/1
    r1#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
    IPv6 Crypto ISAKMP SA
    r1 #sh crypto ipsec sa
    interface: FastEthernet0/0
        Crypto map tag: giet-vpn, local addr 117.239.xx.xx
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
       remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
       current_peer 49.206.59.86 port 50083
         PERMIT, flags={}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x550E70F9(1427009785)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
          spi: 0x5668C75(90606709)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550169/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0x550E70F9(1427009785)
            transform: esp-3des esp-md5-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
            sa timing: remaining key lifetime (k/sec): (4550170/3437)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:

    Hi Maximilian Schojohann,
    First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "IP CEF" will solve the issue. When I disable it I was able to communicate successfully with the router LAN. But when I disable "IP CEF" the router CPU processor goes to 99% and hangs.
    In the output of "sh process cpu" it shows 65% of utilization from "IP INPUT",
    so please give me an alternate solution. Thanks in advance.

  • Remote Access VPN - Unable to Access LAN / Inside Network

    Hi,
    I am facing a problem with Cisco ASA remote access VPN: the remote client is connected to the VPN and receiving an IP address, but the client is not able to ping or telnet to any internal network.
    I have attached the running configuration for your reference. Please let me know if I missed any configuration.
    FW : ASA5510
    Version : 8.0
    Note : Site to Site VPN is working without any issues
    Thanks
    Jamal

    Hi,
    Very nice network diagram
    Are you saying that originally the VPN Client user is behind the Jeddah ASA?
    If this is true, wouldn't it be wiser to just use the already existing L2L VPN between these sites?
    In a real situation I think the VPN Client would only be needed when you are outside either the Head Quarter or Jeddah network. And since you tested it in front of the ASA and it worked, there shouldn't be any problem.
    Now to the reason why the VPN Client isn't working from behind the Jeddah ASA.
    Can you check that the following configuration is found on the Jeddah ASA (depending on the software level of the ASA the format of the command might change; I'm not 100% sure):
    isakmp nat-traversal
    To enable NAT traversal globally, check that ISAKMP is enabled (you can enable it with the isakmp enable command) in global configuration mode and then use the isakmp nat-traversal command. If you have enabled NAT traversal, you can disable it with the no form of this command.
    isakmp nat-traversal natkeepalive
    no isakmp nat-traversal natkeepalive
    Syntax Description
    natkeepalive
    Sets the NAT keep alive interval, from 10 to 3600 seconds. The default is 20 seconds.
    Defaults
    By default, NAT traversal (isakmp nat-traversal) is disabled.
    Command Modes
    The following table shows the modes in which you can enter the command:
    Command Mode
    Firewall Mode
    Security Context
    Routed
    Transparent
    Single
    Multiple
    Context
    System
    Global configuration
    Command History
    Release: Preexisting. Modification: This command was preexisting.
    Release: 7.2(1). Modification: This command was deprecated. The crypto isakmp nat-traversal command replaces it.
    Usage Guidelines Network Address Translation (NAT), including Port Address Translation  (PAT), is used in many networks where IPSec is also used, but there are a  number of incompatibilities that prevent IPSec packets from  successfully traversing NAT devices. NAT traversal enables ESP packets  to pass through one or more NAT devices.
    The security appliance supports NAT traversal as described by Version 2  and Version 3 of the IETF "UDP Encapsulation of IPsec Packets" draft,  available at http://www.ietf.org/html.charters/ipsec-charter.html, and NAT traversal is supported for both dynamic and static crypto maps.
    This command enables NAT-T globally on the security appliance. To disable in a crypto-map entry, use the crypto map set nat-t-disable command.
    Examples
    The following example, entered in global configuration mode, enables  ISAKMP and then enables NAT traversal with an interval of 30 seconds:
    hostname(config)# isakmp enable
    hostname(config)# isakmp nat-traversal 30
    - Jouni

  • Integration Of Cisco ACS and MS Active Directory !!!

    Hi all,
    We have a Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
    Thanks for your help
    Regards!!!
    Rafael Turriago

    Hi,
    If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
    The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
    The Remote Agent is the application responsible to exchange data with the DCs.
    You can find detailed information in the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco Transparent firewall and cisco switch issues.

    Dears,
    I have a very plain scenario
     LAN cisco switch <2 vlans>  ----------> cisco transparent firewall with bvi interface ------------>  crypto box ---------> cisco router ------ <remote/other site>
    I have VLAN 61 configured on the BVI interface of the firewall, the crypto box and also on the switch port, and VLAN 61 is up up.
    The issue is I can connect remotely to the Cisco transparent firewall but cannot ping or connect to the Cisco switch.
    I need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 VLANs to pass through the Cisco transparent firewall and go to the other site/remote site.

    Well,
    I have turned the ICMP inspection on for the sessions, and the version I am using is 9.1.
    Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the ACL in the show access-list command output.
    I have requested the client to verify his part. Do let me know further tips if you have any.
    [ Moreover, we cannot try to use packet-tracer from the CLI in transparent mode ]

  • Install CUE 8.6.1

    Hi,
    I have an ISM module with the wrong image (SRSV instead of normal CUE)
    I have downloaded "cue-vm-full-k9.SPA.sme.8.6.1.prt1" and I am using the command:
    service-module isM 0/0 install url ftp://cisco:[email protected]/cue-vm-full-k9.SPA.sme.8.6.1.prt1
    from the router global configuration mode.
    I get the following question:
    Delete the installed Cisco Survivable Remote Site Voicemail and proceed with new installation? [no]:
    I press y
    and then I see:
    %Error: Couldn't open ftp://*****:*****@10.1.10.1/cue-vm-full-k9.SPA.sme.8.6.1.prt1.install.sre
    Execution of script cue-vm-full-k9.SPA.sme.8.6.1.prt1.install.sre failed, installation aborted
    From the log files from freeftpd I can see that the router successfully connected; what I don't understand is that it searches for the file:
    cue-vm-full-k9.SPA.sme.8.6.1.prt1.install.sre
    Anyway how can I install CUE 8.6.1 ?
    Thanks,
    JH

    OK, think I found it.
    I need to download the zip file and use all files.
    JH

  • How to view router/switch logs using LMS 3.2?

    Of course I can log into each of my 100 routers and switches and perform "sh loggin" to look for problems, but how do I use LMS 3.2 to consolidate all those logs into one location?  Can I set up something so I can see those logs in more or less real time?
    Thanks in advance.

    >> Does LMS go get syslog messages periodically or does the device send a copy to LMS whenever it generates a new message?
    The latter.
    If for some reason, the devices cannot log directly to LMS, there're a few options: 1) Devices log to a central syslog server, which in turn exposes the syslogs to LMS' Syslog Analyzer, either via the Cisco-supplied Remote Syslog Collector or some unsupported methods such as NFS mount, or 2) Install Syslog-ng on the central syslog server, relay the logs to LMS, as described in this whitepaper: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/white_paper_c11-571038.html
    >> What's the benefit of scheduling a report to run automatically?  Is it saved somewhere that is easier/quicker to get to?
    It's the usual benefits of automation. Scheduled syslog reports apparently write outputs to /var/adm/CSCOpx/files/rme/cri/archives/syslog/reports/output/[jobID_runID], on Solaris, for example. The structure inside is rather muddy. So it might be easier to have something like a VBscript to screen-scrape the LMS web GUI for the report outputs instead.
    >> Can new syslog messages from devices be posted to an RSS feed?
    That's a novel idea. Though obviously not from the devices directly, it most likely could be done through some "syslog2rss" relay residing on the syslog server. I think the potential volumes of logs could be too much for RSS, unless careful filtering/deduplication takes place on the relay before posting to a feed.
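
The filtering and de-duplication step that reply asks for on a "syslog2rss" relay could look like the sketch below. This is an added example, not part of the original reply and not LMS or Cisco code: the `FeedRelay` class, its thresholds, the device names and the sample input are constructed for illustration (the first message reuses the `%CRYPTO-6-IKMP_MODE_FAILURE` line quoted in another thread on this page).

```python
import re
import xml.etree.ElementTree as ET

# Cisco IOS message body: %FACILITY-SEVERITY-MNEMONIC: text (0 = most urgent, 7 = debug).
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)


class FeedRelay:
    """Hypothetical relay stage: severity filter, then windowed de-duplication."""

    def __init__(self, max_severity=4, window=300):
        self.max_severity = max_severity  # keep severities 0..max_severity
        self.window = window              # seconds in which repeats are folded together
        self.items = []                   # feed entries, oldest first
        self._open = {}                   # dedup key -> most recent entry for that key

    def offer(self, ts, device, line):
        """Feed one received line; return True if it created a new feed entry."""
        m = MSG_RE.search(line)
        if m is None:
            return False                  # no %FAC-SEV-MNEMONIC tag: not relayed
        if int(m["severity"]) > self.max_severity:
            return False                  # less urgent than the configured threshold
        tag = f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
        key = (device, tag, m["text"])
        entry = self._open.get(key)
        if entry is not None and ts - entry["first"] <= self.window:
            entry["count"] += 1           # repeat inside the window: count it, post nothing
            entry["last"] = ts
            return False
        entry = {"device": device, "tag": tag, "text": m["text"],
                 "first": ts, "last": ts, "count": 1}
        self._open[key] = entry
        self.items.append(entry)
        return True

    def to_rss(self, title="syslog feed"):
        """Render the entries as a minimal RSS 2.0 document (ElementTree escapes the text)."""
        rss = ET.Element("rss", version="2.0")
        channel = ET.SubElement(rss, "channel")
        ET.SubElement(channel, "title").text = title
        ET.SubElement(channel, "link").text = "http://syslog.example.invalid/"  # placeholder
        ET.SubElement(channel, "description").text = "Filtered, de-duplicated syslog"
        for e in self.items:
            item = ET.SubElement(channel, "item")
            repeats = f" (x{e['count']})" if e["count"] > 1 else ""
            ET.SubElement(item, "title").text = f"{e['device']} {e['tag']}{repeats}"
            ET.SubElement(item, "description").text = e["text"]
        return ET.tostring(rss, encoding="unicode")


QM_FAIL = ("12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: "
           "Processing of Quick mode failed with peer at 172.31.9.2")

# Constructed input: (seconds since start, sending device, message as received).
SAMPLE = [
    (0, "ezvpn-router", QM_FAIL),
    (5, "ezvpn-router", QM_FAIL),      # repeat inside the window
    (20, "ezvpn-router", QM_FAIL),     # repeat inside the window
    (30, "sw1", "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"),
    (31, "sw1", "%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, "
                "changed state to down"),
    (32, "sw1", "free-form line without a message tag"),
    (400, "ezvpn-router", QM_FAIL),    # window expired: posted again as a new entry
]


def run_demo(max_severity, window=300):
    """Push the constructed sample through a relay and return it for inspection."""
    relay = FeedRelay(max_severity=max_severity, window=window)
    for ts, device, line in SAMPLE:
        relay.offer(ts, device, line)
    return relay


if __name__ == "__main__":
    print(run_demo(6).to_rss())
```

With the threshold at 6 the seven sample lines collapse to four feed entries; lowering it to 3 leaves only the interface-down event.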

  • IOS EZVPN and VPN 3k using external groups

    Hi folks, I was trying to configure IOS EasyVPN with a VPN
    concentrator. I am using an external group which is configured on the ACS
    server. The configuration for IOS EasyVPN is
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto ipsec client ezvpn ezvpn_cfg
    connect manual
    group ezvpn key ezvpn
    mode network-extension
    peer x.x.x.x
    interface FastEthernet0/0
    ip address x.x.x.x x.x.x.x
    crypto ipsec client ezvpn ezvpn_cfg inside
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    interface Serial0/0.1 point-to-point
    ip address x.x.x.x x.x.x.x
    frame-relay interface-dlci 100
    crypto ipsec client ezvpn ezvpn_cfg
    I had configured the VPN concentrator with an external group eazyvpn.
    I had configured the ACS server with a user eazyvpn password
    eazyvpn. The RADIUS attributes configured for this user are
    [3076\012] CVPN3000-IPSec-Sec-Association
    ESP-3DES-MD5
    [3076\013] CVPN3000-IPSec-Authentication
    RADIUS
    [3076\016] CVPN3000-IPSec-Allow-Passwd-Store
    Allow
    [3076\027] CVPN3000-IPSec-Split-Tunnel-List
    split_tunnel_list
    [3076\030] CVPN3000-IPSec-Tunnel-Type
    Remote-Access
    [3076\031] CVPN3000-IPSec-Mode-Config
    On
    [3076\034] CVPN3000-IPSec-Over-UDP
    On
    [3076\055] CVPN3000-IPSec-Split-Tunneling-Policy
    Only tunnel networks in the list
    [3076\064] CVPN3000-Allow-Network-Extension-Mode
    Yes
    Now whenever I try to connect it says phase 2 failed. My quick mode is
    unsuccessful.
    The error which comes on the router is below
    12:19:43: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer
    at 172.31.9.2
    ezvpn-router#show crypto ipsec client ezvpn
    Easy VPN Remote Phase: 2
    Tunnel name : ezvpn_cfg
    Inside interface list: FastEthernet0/0,
    Outside interface: Serial0/0.1
    Current State: SS_OPEN
    Last Event: SOCKET_READY
    Split Tunnel List: 1
    Address : 10.1.1.0
    Mask : 255.255.255.0
    Protocol : 0x0
    Source Port: 0
    Dest Port : 0
    Logs for the vpn conc. is as
    Group [ezvpn] User [cisco]
    PHASE 1 COMPLETED
    324 07/11/2007 22:36:23.980 SEV=5 IKE/35 RPT=6 x.x.x.x
    Group [ezvpn] User [cisco]
    Received remote IP Proxy Subnet data in ID Payload:
    Address x.x.x.x, Mask x.x.x.x Protocol 0, Port 0
    327 07/11/2007 22:36:23.980 SEV=5 IKE/34 RPT=10 x.x.x.x
    Group [ezvpn] User [cisco]
    Received local IP Proxy Subnet data in ID Payload:
    Address 10.1.1.0, Mask 255.255.255.0, Protocol 0, Port 0
    330 07/11/2007 22:36:23.980 SEV=5 IKE/66 RPT=10 172.31.235.93
    Group [ezvpn] User [cisco]
    IKE Remote Peer configured for SA: ESP-3DES-MD5
    331 07/11/2007 22:36:23.990 SEV=5 IKE/75 RPT=10 x.x.x.x
    Group [ezvpn] User [cisco]
    Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
    333 07/11/2007 22:36:41.650 SEV=4 IKEDBG/97 RPT=4 x.x.x.x
    Group [ezvpn] User [cisco]
    QM FSM error (P2 struct &0x35e5aa4, mess id 0x91292e44)!
    NOTE: the configuration works fine when I use CLIENT mode. It fails
    when I change to NEM

    Refer to the document "Configuring the Cisco VPN 3000 Concentrator to a Cisco Router"
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009482e.shtml

  • Is my router effectively secured?

    I was wondering if what I have done below is the best possible, or if there is any possible way to improve the security:
    I have a WRT320N
    SSID: just let it broadcast. Removing this broadcast will not improve overall security. SSID will be shown even if you disable periodic broadcasts.
    Change Router default name to something that does not suggest its location or brandname/type
    change the default password (the one to access the router from your browser)
    Disable remote management: don't want anyone using Wi-Fi to try to hack my router
    disable UPnP, automatic configuration of router has possible security leaks.
    use WPA2 personal (just choose the highest encryption) and use the longest, uppercase, lowercase numbers and letter combination you can think of.
    mac filtering can be set to on, but hackers can clone MAC addresses, the extra security is doubtful.
    AP isolation: Prevent wi-fi users on my router from accessing each other, isolate all wi-fi users from each other.
    enable SPI firewall: blocks incoming network packets that originate from the internet. And were not started by me: internet at port 80, my firefox tries to open a webpage, these kind of incoming packets will be allowed by the router to pass from internet to my computer.
    use webfilter and prevent any network packet with java, proxy, activex  to pass my router: at this moment I am blocking proxy. I am filtering webcasts.
    Blocking any port except 20,21,25,53,80,110,443. (port range is from 0 to 65523)Blocking both UDP and TCP for all IP addresses 192.168.0 to 192.168.0.254 So only these mentioned ports are allowed to be used.
    Thanks for helping out.

    Re SSID broadcast.
    1. Correct. Even with SSID broadcast disabled the router will still broadcast a periodic beacon which means a wireless scanner will immediately pick up the existence of a wireless network.
    2. The SSID is transferred in plain text during association with the router. Any network sniffer will learn the SSID at the moment a (legitimate) device connects to your network.
    3. By sending some rogue packets to the AP it is easily possible to disassociate any connected wireless device forcing a re-association. This way you can learn the SSID immediately.
    1-3 means that a SSID of a wireless access point with SSID broadcast disabled is unknown as long as no wireless device is connected to the router because there is no way to force an association request of a legitimate device. Some people therefore believe the disabled SSID broadcast is an important means for increased security, in particular when the wireless is not used very often. Of course, if you don't need the wireless for most of the time you should turn it off completely.
    On the other hand, disabling the SSID broadcast technically breaks the 802.11 standard and is known to cause connectivity and stability problems with some wireless cards. Therefore, I usually recommend not to disable the SSID broadcast.
    Re "router default name". If you mean the SSID, of course, changing it is important. Mostly to prevent your wireless devices to connect to your neighbor's router who still uses the default SSID.
    Changing the "router name" on the main setup is not necessary. It's only necessary for the internet connection and only if required by your ISP.
    Changing SSID or "router name" won't change the MAC address on the wireless. The first half of that MAC address will reveal the manufacturer (Linksys or Cisco)
    Re remote management. Disabling remote management is good. Of course, verify that it really works. Some routers had a firmware bug which opened the web interface to the internet regardless of that setting.
    Re UPnP. Correct. It should be disabled at all times.
    Re WPA2 Personal with AES only encryption and a strong passphrase is the best wireless security you can have at this time. Passphrase can be up to 63 characters long.
    Re wireless mac filter: MAC addresses are always transferred unencrypted (even with WPA2) and are easily cloned. Thus a simple network sniffer will be able to pick up MAC addresses of legitimate devices which you can use to connect.
    Re AP isolation. Can be used if no wireless-wireless connections are required. Of course, if an intruder hacked into your wireless network he can try to hack into your router from there. The protection of the web interface on the LAN side is quite weak.
    Re SPI firewall. Must be on. It protects the router from the internet.
    What you write on that subject is the "protection" due to NAT, i.e. because you use private IP addresses. NAT technically does not block unsolicited incoming traffic. It simply drops unsolicited incoming traffic because it does not know what to do with it, i.e. it does not know where to deliver it to unless you configure port forwarding or similar. By design, NAT is not a security mechanism as its design goal is to allow connections and not to block them. Some (older) NAT implementations tried to deliver unsolicited incoming traffic by some heuristics. Some (older) NAT implementations had FTP helper functionality (to make FTP work properly through a NAT router) which made it possible to get any port opened on the router.
    Re webfilter: depends. Will cause trouble with HTTPS web sites as HTTPS requires secure end-to-end security.
    Re blocking all ports except 20,21,25,53,80,110,443. Well depends again. In your list for instance, you block port 995 (POP3S) and only accept 110 (POP3). Depending on your mail client and the pop server this may lead to an unencrypted connection between the client and the server because port 995 is not accessible. Similar with port 25 (SMTP). Some web servers run on port 8080 or other ports which won't work or work only partially (because some content is on a web server with different port number).
    So technically, your block list will probably more affect you and your ability to use the most secure protocol which might be currently on your block list. In addition, as most people have ports 80 and 443 open for outgoing traffic most malware uses it to talk to the outside. Thus, your list although the idea sounds good probably won't help you.
    Thus I would say that in most home networks such a blocking list based on a list of a few exempt ports won't really help your security and mostly will cause problems for you and nothing else. Such a list will work in a corporate setup where you can narrow down the legitimate traffic very well. But for home use and general browsing habits it won't really work.
    In addition, I think you cannot set up such a list on a Linksys router. You can only block ports but not all ports except a few.
    Another, extremely important point missing from your list: Always change the router default password (admin) to a strong password. But I guess you already did that, too.
    Overall, I would say you have got everything right...
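
The point made in that reply about the port list (110 allowed while 995 is blocked) can be checked mechanically. The following is an added example, not part of the original reply; it generalizes the POP3/POP3S case to a few other plaintext/TLS port pairs. The function names are hypothetical, and the pair table lists well-known port assignments chosen for illustration, not something a Linksys router provides.

```python
# Plaintext port -> (service, ports on which the same service normally runs with TLS).
# Well-known assignments; 587 is mail submission, where TLS is negotiated via STARTTLS.
SERVICES = {
    21: ("FTP", (990,)),
    25: ("SMTP", (465, 587)),
    80: ("HTTP", (443,)),
    110: ("POP3", (995,)),
    143: ("IMAP", (993,)),
}


def parse_ports(spec):
    """Expand an allow-list such as '20,21,25,8000-8080' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo_text, _, hi_text = part.partition("-")
        lo = int(lo_text)
        hi = int(hi_text) if hi_text else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port or range: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports


def audit(spec):
    """Classify each service by what an outbound allow-list leaves reachable.

    'plaintext only' is the case the reply warns about: the client can still
    connect, but only on the unencrypted port.
    """
    allowed = parse_ports(spec)
    report = {}
    for plain, (name, secure) in SERVICES.items():
        has_plain = plain in allowed
        has_tls = any(p in allowed for p in secure)
        if has_plain and has_tls:
            report[name] = "both"
        elif has_plain:
            report[name] = "plaintext only"
        elif has_tls:
            report[name] = "encrypted only"
        else:
            report[name] = "blocked"
    return report


if __name__ == "__main__":
    # The allow-list from the question above.
    for service, status in audit("20,21,25,53,80,110,443").items():
        print(f"{service:5} {status}")
```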

  • Metro Ethernet VLANs

    Hello!
    I've been digging through metroe best practices, but all I can find is ISP points of views on creating a metroe WAN rather than from an internal business standpoint. My company is getting a metroe circuit in two weeks so I'm labbing up a WAN in GNS3 and my configurations aren't working. The MetroE will be a point-to-point connection. The main site will have the MetE circuit going into a Cisco 3750 and the remote site has a 3750 as well. I am going to use 802.1q trunks for the metroe traffic. My problem is I can ping the gateway for the vlan 3 at the remote site (192.168.201.1) from corporate, but I can't ping the PCs. This could be a GNS3 limitation or a screwed up Metro VLAN design all together. Any input here would be much appreciated. Here is the configuration for the Cisco 3750 at corporate:
    *output omitted*
    vlan 200
    name MetE-Point-to-Point
    interface fa0/1
    description Trunk2MetE
    switchport mode trunk
    interface vlan 200
    ip address 10.10.200.1 255.255.255.252
    ip route 192.168.201.0 255.255.255.0 10.10.200.2
    Cisco 3750 Remote Site:
    *output omitted*
    vlan 3
    name Comp-LAN
    vlan 200
    name MetE-Point-to-Point
    interface fa0/1
    description Trunk2MetE
    switchport mode trunk
    interface fa0/2-24
    switchport access vlan 3
    interface vlan 3
    ip address 192.168.201.1 255.255.255.0
    interface vlan 200
    ip address 10.10.200.1 255.255.255.252
    ip default-gateway 10.10.200.2
    ip route 0.0.0.0 0.0.0.0 10.10.200.1

    Correction on the remote site:
    vlan 200's ip is 10.10.200.2 not 10.10.200.1 like the config shows.

  • L2 Etherchannel Port Suspended issue

    Hi All,
    We're using 2 P2P links from different providers (one 30 Mb and the second 20 Mb) from Main POP to Remote POP.
    We require load balancing between both P2P links with failover, but one of the ports goes into suspended mode when the channel-group is applied.
    Remote POP- Cisco 3400ME
    Remote-POP-3400ME#sh int gi0/1
    GigabitEthernet0/1 is up, line protocol is down (suspended)
      Hardware is Gigabit Ethernet, address is 0016.9d26.5101 (bia 0016.9d26.5101)
      Description: *** P2P-1 ***
      MTU 9000 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 3/255, rxload 14/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:29, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 5681000 bits/sec, 757 packets/sec
      30 second output rate 1306000 bits/sec, 531 packets/sec
         127102505 packets input, 144344310802 bytes, 0 no buffer
         Received 4570664 broadcasts (2231603 multicasts)
         0 runts, 0 giants, 0 throttles
         10 input errors, 10 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 2231603 multicast, 0 pause input
         0 input packets with dribble condition detected
    interface GigabitEthernet0/1
     description *** P2P-1 ***
     port-type nni
     switchport trunk allowed vlan 1,3-4094
     switchport mode trunk
     load-interval 30
     channel-group 21 mode active
    end
    Remote-POP-3400ME#sh int fas0/23
    FastEthernet0/23 is up, line protocol is up (connected)
      Hardware is Fast Ethernet, address is 0016.9d26.5119 (bia 0016.9d26.5119)
      Description: *** P2P-2 ***
      MTU 1546 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 4/255, rxload 28/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:24, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 11147000 bits/sec, 1390 packets/sec
      30 second output rate 1944000 bits/sec, 1112 packets/sec
         5404734 packets input, 1041290192 bytes, 0 no buffer
         Received 4924815 broadcasts (2259127 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 2259127 multicast, 0 pause input
         0 input packets with dribble condition detected
    interface FastEthernet0/23
     description *** P2P-2 ***
     port-type nni
     switchport trunk allowed vlan 1,3-4094
     switchport mode trunk
     load-interval 30
     channel-group 21 mode active
    end
    ====================================================================
    MAIN POP- cisco 3750
    MAIN-POP-3750-STACK#sh int gi2/0/7
    GigabitEthernet2/0/7 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 0019.e78b.c607 (bia 0019.e78b.c607)
      Description: *** P2P-1 ***
      MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
         reliability 255/255, txload 6/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
      Media-type configured as  connector
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 3/75/0/0 (size/max/drops/flushes); Total output drops: 103937
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 2660000 bits/sec, 2181 packets/sec
      30 second output rate 27366000 bits/sec, 2723 packets/sec
         31887654718 packets input, 10045858003774 bytes, 0 no buffer
         Received 467095011 broadcasts (214841125 multicasts)
         0 runts, 27 giants, 0 throttles
         22 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 214841125 multicast, 406425160 pause input
    interface GigabitEthernet2/0/7
     description *** P2P-1 ***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,3-4094
     switchport mode trunk
     speed 100
     load-interval 30
     channel-group 21 mode active
    MAIN-POP-3750-STACK#sh int gi2/0/10
    GigabitEthernet2/0/10 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 0019.e78b.c60a (bia 0019.e78b.c60a)
      Description: *** P2P-2 ***
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
      Media-type configured as  connector
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2449
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 2000 bits/sec, 4 packets/sec
      30 second output rate 55000 bits/sec, 62 packets/sec
         13820128 packets input, 4202349171 bytes, 0 no buffer
         Received 2375120 broadcasts (810650 multicasts)
         0 runts, 0 giants, 0 throttles
         15 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 810650 multicast, 478680 pause input
         0 input packets with dribble condition detected
         28535531 packets output, 16494317102 bytes, 0 underruns
         0 output errors, 0 collisions, 2 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    interface GigabitEthernet2/0/10
     description *** P2P-2 ***
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,3-4094
     switchport mode trunk
     load-interval 30
     channel-group 21 mode active
    Please advise me how to fix the issue so that we can load-balance via EtherChannel.
    Thanks in advance,

    Hi Inayath,
    Remote POP - Cisco 3400
    %EC-5-CANNOT_BUNDLE2: Fa0/23 is not compatible with Gi0/1 and will be suspended (MTU of Fa0/23 is 1500, Gi0/1 is 9000)
    FastEthernet0/23 is up, line protocol is down (suspended)
      Hardware is Fast Ethernet, address is 0016.9d26.5119 (bia 0016.9d26.5119)
      Description: *** P2P-2 ***
      MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation ARPA, loopback not set
      Keepalive set (10 sec)
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:00, output 00:11:15, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 56000 bits/sec, 65 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         658410 packets input, 573817450 bytes, 0 no buffer
         Received 202028 broadcasts (92075 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 92075 multicast, 0 pause input
         0 input packets with dribble condition detected
         333031 packets output, 77587439 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    GigabitEthernet0/1 is up, line protocol is up (connected)
      Hardware is Gigabit Ethernet, address is 0016.9d26.5101 (bia 0016.9d26.5101)
      Description: *** P2P-1 ***
      MTU 9000 bytes, BW 100000 Kbit, DLY 100 usec,
         reliability 255/255, txload 3/255, rxload 30/255
      Encapsulation ARPA, loopback not set
      Keepalive not set
      Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
      input flow-control is off, output flow-control is unsupported
      ARP type: ARPA, ARP Timeout 04:00:00
      Last input 00:00:16, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      30 second input rate 12136000 bits/sec, 1230 packets/sec
      30 second output rate 1557000 bits/sec, 921 packets/sec
         3730111 packets input, 4532149684 bytes, 0 no buffer
         Received 189538 broadcasts (88491 multicasts)
         0 runts, 7 giants, 0 throttles
         20 input errors, 13 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 88491 multicast, 0 pause input
         0 input packets with dribble condition detected
         2663637 packets output, 494552940 bytes, 0 underruns
         0 output errors, 0 collisions, 3 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
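
The `%EC-5-CANNOT_BUNDLE2` line in the reply names the cause of the suspension: the two channel-group members report different MTUs. As an added example (not part of the thread), this Python check parses `show interface` text and reports every attribute on which bundle members disagree; the sample input is abridged from the Remote POP output quoted above, and the function names are hypothetical.

```python
import re

# Abridged from the Remote POP output quoted in the reply above; only the
# lines the parser needs are kept.
SHOW_INT = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  MTU 9000 bytes, BW 100000 Kbit, DLY 100 usec,
  Full-duplex, 100Mb/s, link type is auto, media type is 10/100/1000BaseTX SFP
FastEthernet0/23 is up, line protocol is down (suspended)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
"""

HEADER = re.compile(
    r"^(\S+) is (?:administratively )?(?:up|down), line protocol is (\S+)(?: \((\S+)\))?")
MTU = re.compile(r"MTU (\d+) bytes, BW (\d+) Kbit")
DUPLEX = re.compile(r"(\S+)-duplex, (\d+[MG]b/s)")

def parse_show_interface(text):
    """Return {interface: {state, mtu, bw_kbit, duplex, speed}} from 'show interface' text."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            # Prefer the parenthesised reason (connected, suspended) over up/down.
            current = ports.setdefault(m.group(1), {"state": m.group(3) or m.group(2)})
            continue
        if current is None:
            continue
        if (m := MTU.search(line)):
            current["mtu"], current["bw_kbit"] = int(m.group(1)), int(m.group(2))
        elif (m := DUPLEX.search(line)):
            current["duplex"], current["speed"] = m.group(1).lower(), m.group(2)
    return ports

def bundle_mismatches(ports, members, attrs=("mtu", "speed", "duplex")):
    """List (attribute, {interface: value}) for each attribute the members disagree on."""
    out = []
    for attr in attrs:
        values = {name: ports[name].get(attr) for name in members}
        if len(set(values.values())) > 1:
            out.append((attr, values))
    return out

if __name__ == "__main__":
    ports = parse_show_interface(SHOW_INT)
    members = ["GigabitEthernet0/1", "FastEthernet0/23"]
    for attr, values in bundle_mismatches(ports, members):
        print(f"channel-group 21: {attr} differs: {values}")
```

Run against output collected from both ends before applying `channel-group`, it shows which member settings differ; here only the MTU does, which matches the syslog message.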

  • Does this work with ReadyNas?

    I have a Netgear ReadyNas Duo RND2150. It supports "SqueezeCenter", "iTunes Streaming Server", "ReadyDLNA", & "Home Media Streaming Server". Will the Linksys Player, Conductor & Director work with it? Will there be any limitations?
    Also, does the director function standalone or does it need the conductor or director?
    Thanks,
    Stephen

    Yes is the simple answer to the first question. The ReadyNas needs to have the UPNP media server running and correctly configured. There are no limitations I am aware of and have each of these running on Twonky Media Server on XP and Linux, Buffalo's Linkstation Media server (Linux) and Cisco's own media server running on XP.
    In addition you can control the whole setup from a laptop, Nokia N95, iPhone, iPod Touch, or the Cisco Touchscreen remote DMRW1000, and each player component can operate standalone without requiring a director or conductor in the network; the only requirement is some sort of UPNP media server.
    The whole setup is now working nicely since the last firmware update.

  • TACACS per VRF not supported on my router, would a GRE tunnel work?

    Hi,
    Basically the problem is that I am working with old routers. I have already checked on Feature Navigator, and the following commands are not supported on the router to communicate with a TACACS server that resides in a VRF:
    Configuring Per VRF for TACACS+ Servers: Example
    The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:
    aaa group server tacacs+ tacacs1
    server-private 10.1.1.1 port 19 key cisco
    ip vrf forwarding cisco
    ip tacacs source-interface Loopback0
    ip vrf cisco
    rd 100:1
    interface Loopback0
    ip address 10.0.0.2 255.0.0.0
    ip vrf forwarding cisco
    Basically I cannot support all of the above. However, I was thinking of bypassing the command by creating a GRE tunnel. I just need confirmation whether the following would work; if not, I would appreciate it if someone could point me in a better direction:
    ON BRANCH ROUTER:
    int l0
    ip add 1.1.1.1 255.255.255.0
    no shut
    int tun10
    ip add 2.2.2.1 255.255.255.0
    ip vrf forwarding cisco
    tun so l0
    tun dest [ip add of router directly connected to tacacs server]
    ip tacacs source-interface l0
    tacacs-server host 10.10.10.1
    tacacs-server key 7 cisco
    ON REMOTE ROUTER:
    int l0
    ip add 3.3.3.3 255.255.255.0
    no shut
    int tun10
    ip add 2.2.2.2 255.255.255.0
    ip vrf forwarding cisco
    tunn so l0
    tunn dest [ip add of branch router]
    Attached is some real information, the ip address of the real tacacs server is 10.20.30.61.

    Thanks for the response, but I posted the question after knowing that. I already checked on Feature Navigator that THIS IS NOT SUPPORTED for my router; at the end of my configuration I am proposing a workaround using a tunnel to bypass the nonsupported configuration.
    My question to you is, can a configuration with GRE with VRF work instead of the nonsupported configuration?
    I know that the alternative is to run RADIUS, but it is more paperwork to do than trying to implement a solution with the current IOS.
    Thanks, and sorry if I didn't make myself clear at the beginning of my first post.

  • UCCE - JTAPI gateway - anyone using custom JavaRunTimeOptions ?

    The JTAPI gateway settings are in PG\CurrentVersion\JGWS\jgw1\JGWData\Config. The defaults for JavaRunTimeOptions include "-Xms32m -Xmx256m".
    This defines the default min stack size as 32MB and the default max stack size as 256MB.
    I'd like to increase the min stack size and max stack size. Sun recommend server components should have these pretty high, and the same. There's 4GB of RAM in the PG and it's only using 1.3GB. I'm thinking min 256MB and max 512MB, or something like that.
    The reason is the customer's network management system gets a lot of noise from the continual reporting by the JTAPI gateway that the JVM on 1 of the PGs has less than 50% free memory. This fills up the log and hides more important things.
    Sure, you can restart the gateway and it will be Ok for a while, but that's not a solution.
    Quite frankly, these settings look a bit low to me when there are close to 1000 IP phones being observed.
    Have any of you bumped these up? I'm not expecting any problems if I do that, but am looking for your experiences.
    Regards,
    Geoff

    Hi Sefjelstad,
    You can refer to the section "How Cisco IPCC Remote Agent Option Works with an Analog Phone" from page 70 onwards in the link below:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/icm_enterprise/icm_enterprise_7_5/user/guide/ipcc75mag.pdf
    Note: I have not done any of these implementations yet.
    Thanks,
    Anand
    Pls rate helpful posts !!

  • Can't send anonymous SMTP

    Hi, I sold an RV220W to a customer. I've configured it, but it seems that the router doesn't allow anonymous SMTP. I've configured Outlook on a computer with an authentication request and it's working fine.
    There is software on a computer for which I'm unable to change the authentication, and it's not working (not able to send messages).
    I've searched in the router and I've disabled this rule:
    "Block Anonymous ICMP Messages"
    It's still the same. I've tried to set up an email account without authentication and I get this error:
    "Relaying not allowed"
    I searched on Google and on the Cisco forum but I've found nothing that can help me.
    Does anyone else have this bug?

    Good morning
    Hi Jeff, thank you for using our forum. My name is Johnnatan, and I am part of the Small Business Support community. I apologize for the inconvenience. In this case you can check a couple of things to verify whether the router is running correctly.
       1. You can check the last firmware update for this model; the last release is 1.0.4.17. You can also download this firmware here.
       2. After that, you can create a backup of your configuration and then perform a factory reset.
       3. You can also check Firewall > Access Rules to verify whether there is any rule blocking SMTP, including ports 465 and 587.
       4. Also check that "Block Wan request" is disabled; you can check this in Firewall > Access Rules.
       5. You can check additional information regarding this device here, in chapter "Administering Your Cisco RV220W" > Remote Logging Configuration > Page 180.
    I hope you find this answer useful,
    *Please mark the question as Answered or rate it so other users can benefit from it*
    Greetings,
    Johnnatan Rodriguez Miranda.
    Cisco Network Support Engineer.

Maybe you are looking for