Cisco CSS11503 and ace question

We are migrating from CSS11503 to ACE. Is there a utility to migrate the config to ACE? We have 9000 lines of config on CSS11503. Also, is there a white paper which compares CSS with ACE and CSM?

TFTP the config file from CSS11503 to the TFTP server and back from server to ACE. ACE can handle 16Gbps of traffic while the CSS can only handle 6 (in the 11506).

Similar Messages

  • Cisco CSS and ACE study guide

    Hi,
    I'm ready to kick start Cisco CSS and ACE load balancers. I found that 642-972 DCASD and 642-975 DCASI are the relevant exams for that. But, they are expired now. And, I couldn't even find the old materials for those. Could anyone please assist me in getting started with this?

    Hi Kanwal,
    Thanks for your reply. BTW, wasn't there any specific study guides for 642-972 DCASD and 642-975 DCASI from Cisco? The reason behind this question is, I want to go step by step starting from how load balancing works, the basics and terminologies of load balancing and its various options and operations etc. I have been working with Network Security and just stepping in to DC operations.

  • I want to integrate SMS gateway to Cisco ISE 1.2 and my question is SMS notifications are supported for Guest self−registration

    I want to integrate SMS gateway to Cisco ISE 1.2 and my question is 
    SMS notifications are supported for Guest self−registration Services ? or it should be done by Sponsor 

    I'm not sure I understand the question.  Do you want to log in to the Sponsor Portal using AD credentials?
    Create an Identity Source Sequence using AD as an Authentication Source.  Go to Administration > Identity Management > Identity Source Sequences.  Either Edit or +Add a Sequence and choose from the Authentication Sources shown.
    Then choose that Identity Source Sequence by going to Administration > Web Portal Management > Settings.  Double-click Sponsor from the Left Menu and click Authentication Source.  Choose the Identity Source Sequence.  Click Save.
    I hope this helps.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • Cisco ISE and SecurID Integration Questions

    I'm looking for some clarity trying to understand something conceptually. I want to integrate Cisco ISE with RSA SecurID, the idea being that if the user authenticates with RSA SecurID they end up on one VLAN, however, if they don't authenticate with (or don't use, or don't have) SecurID they'll end up on another VLAN. Note that I'm not using SecurID for wireless access...all PCs are wired to Ethernet.
    We have been using RSA SecurID for a while and are currently on version 8.0. Our users are authenticating via the RSA Agent typically on Windows 8.1. Instead of the usual Windows login prompt, the RSA Agent first prompts for the username and passcode (they use an app on their smartphones to get the passcode), then after a moment or two, it prompts for their Windows domain password.
    We have recently installed Cisco ISE version 1.3. With the help of a local Cisco engineer and going through the "Cisco Identity Services Engine User Guide", I have it set up and running along with a few 'test' ports on our Cisco 6809 switch, it basically works...as a test it's simply set up that if they authenticate they're on one VLAN, if not, they end up on another (this is currently without using RSA...just out-of-the-box Windows authentication).
    The Cisco engineer was unable to help me with RSA SecurID, so pressing on without him, out of the same user guide I have followed the directions for "RSA Identity Sources" under the "Managing Users and External Identity Sources", and that went well as far as ISE is concerned; I am now ready to get serious about getting ISE and SecurID working together.
    My mistake in this design so far was assuming that the RSA agent on the Windows client PCs would communicate with Cisco ISE...there doesn't seem to be a way to have them point to a non-RSA SecurID server for authentication. The concept I'm missing is what, or how, the end-user machine is supposed to authenticate taking advantage of both ISE and SecurID.
    I have dug deeper into the Cisco ISE documentation but it seems heavily biased towards Wi-Fi and BYOD implementations and it's not clear to me what applies to wired vs wireless. Perhaps it's a case that I'm not seeing the forest for the trees, but I'm not understanding what the end-user authentication looks like. It appears that as I learn more about ISE, it should become the primary SSO source, that SecurID becomes just an identity source and the PC clients would no longer directly communicate with the SecurID servers. That being the case, do I need to replace the SecurID client on the PCs and something else Cisco-ish fills this role? An agent for ISE? How do they continue to use their passcode without the RSA agent?
    Thanks!

    The external db not operation indicates that there is no communication between ACS and RSA. Did you fetch the package.cab file to analyse the auth.log file?
    Have you already gone through the below listed link?
    http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html
    Regards,
    Jatin Katyal
    - Do rate helpful posts -

  • Cisco ASA 5505 - 2 questions - VPN Licensing; Routing

    Hi,
    I have a client that has a Cisco ASA 5505 security appliance.  Currently it is setup as a "proof of concept" for clientless browser-based SSL VPN.  The device came with 2 licenses for this service, and we need to increase that somewhere between 10-25 users.  25 users is the max on this device I believe.
    I have searched Cisco.com and tried Googling the ASA 5505 for licensing but I can't find the correct license that I need for this.
    The second question I have is routing capability.  We have a WAN connection to another branch of the computer from this location where the ASA 5505 is located.  A Cisco 2851 is used for this connection.  We are wanting to bring in a high speed Internet connection for the VPN access and Internet access.  What I need to know is can we put the WAN and Internet connections behind the ASA 5505 and have that route appropriately to the branch WAN for that traffic and all other traffic to the Internet?
    Thanks!
    --Kent

    Hi Kent,
    Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.
    Regards,
    David Dunlap
    SBSC Engineer

  • Cisco wireless and Apple Mac woes

    Hello all,
    I've been working with Cisco wireless and WLC's for a couple of years now but the recent onslaught of Apple Macs is giving me heartburn.  I've seen this at numerous sites now and need to throw it to the community for guidance.
    Basically we have had a number of instances where the Macs just fall off the wifi.  Sometimes it's when they wake from sleep and other times when roaming between AP's (1131s with same SSID's).  Our standard install is WPA2 and per ap local authentication.  PC's work fine and never an issue.
    We have completed a survey with a spectrum analyser and no RF interference is present nor errors on the radio interface.
    Questions:
    - Is there a preferred Cisco config/setup for Mac's to work reliably?  I've heard loads of rumors but nothing concrete and nor can I find anything specific.
    - Should I be setting up WDS in case there is an authenticating issue.
    - For those who are Mac gurus and happen to be reading. What Mac options we should look at?
    This has all come to a head because the client's IT company who recommended the Macs (different from us doing the network infrastructure) are insisting that the problem is Cisco incompatibility and that we should rip out the Cisco kit and install airports (what tha!!!).
    Thanks in advance for any pointers.
    For those who like a config here it is .... Vanilla stuff really
    Building configuration...
    Current configuration : 2236 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname AP4
    no logging console
    enable secret xxxxxxxxxxxxxxxxx
    no aaa new-model
    dot11 syslog
    dot11 ssid Home
       vlan 1
       authentication open
       authentication key-management wpa
       guest-mode
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxx
    dot11 ssid avnet
       vlan 2
       authentication open
       authentication key-management wpa
       mbssid guest-mode
       wpa-psk ascii xxxxxxxxxxxxxxxx
    username abcd password 1234
    bridge irb
    interface Dot11Radio0
       no ip address
       no ip route-cache
       encryption vlan 1 mode ciphers tkip
       encryption vlan 2 mode ciphers tkip
       ssid Home
       mbssid
       speed  basic-1.0 basic-2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
       channel 2412
       station-role root
    interface Dot11Radio0.1
       encapsulation dot1Q 1 native
       no ip route-cache
       bridge-group 1
       bridge-group 1 subscriber-loop-control
       bridge-group 1 block-unknown-source
       no bridge-group 1 source-learning
       no bridge-group 1 unicast-flooding
       bridge-group 1 spanning-disabled
    interface Dot11Radio0.2
       encapsulation dot1Q 2
       no ip route-cache
       bridge-group 2
       bridge-group 2 subscriber-loop-control
       bridge-group 2 block-unknown-source
       no bridge-group 2 source-learning
       no bridge-group 2 unicast-flooding
       bridge-group 2 spanning-disabled
    interface FastEthernet0
       no ip address
       no ip route-cache
       duplex auto
       speed auto
       hold-queue 80 in
    interface FastEthernet0.1
       encapsulation dot1Q 1 native
       no ip route-cache
       bridge-group 1
       no bridge-group 1 source-learning
       bridge-group 1 spanning-disabled
    interface FastEthernet0.2
       encapsulation dot1Q 2
       no ip route-cache
       bridge-group 2
       no bridge-group 2 source-learning
       bridge-group 2 spanning-disabled
    interface BVI1
       ip address 192.168.10.54 255.255.255.0
       no ip route-cache
    ip default-gateway 192.168.10.1
    no ip http server
    no ip http secure-server
    bridge 1 route ip
    line con 0
    line vty 0 4
       login local
    end

    Yeah!! even i have come across multiple issue with MAC and Cisco.. these are the below settings which i normally do on the cisco gears and most of the times this solved the issue..
    on the IOS AP disable Aironet Extensions and set the power local and ofdm to max
    no dot11 extension aironet
    power local cck max
    power local ofdm max
    end
    On the WLC, disable Aironet IE..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or was helpful

  • The difference of the IEEE802.1x Auth between Cisco Routers and Catalyst switches

    Hello
    I am investigating the difference of the IEEE802.1x Auth between Routers and Switches.
    Basically dot1x auth is available on Catalyst Switches. however if I want to check to
    PortBased Multi-Auth , MAC address Auth and any certification Auth with this feature,
    Is it possible to integrate into Cisco Router such as Cisco 891F ?
    In my opinion Cisco891F is also available to use basic IEEE802.1x but if it compares with Catalyst switches such as Cat3560X
    I think there might be any unsupported feature on Cisco 891F.
    I appreciate any information. thank you very much in advance.
    Best Regards,
    Masanobu Hiyoshi

    Many time in interviews asked comparison between cisco routers and switches that i was answerless because i don't have much knowledge about that. Can anyone provide me the comparison sheet of the same. How are the cisco devices differ with each other how much Bandwidth each routers support and Etc...
    Ummmm ... The most common question I get is "what is the difference between a router and a switch".
    However, if you get a question like this, then my impression to this line of questioning are:
    1.  The candidate they are looking for has in-depth knowledge of routers and switches.  And I mean IN-DEPTH!;
    2.  They are not looking for a candidate.  They just want to stroke their ego.  There is not a lot of people who can give you the "names and numbers" of routers and switches at a snap of a finger.  And if you do happen to know the answer, then and there, then expect a tougher follow-up question.

  • Exchange 2007 account - trouble connecting at times and a question

    Hi all, so, I have my Exchange 2007 account setup on my MacBook Pro but I seem to keep having an issue. When the account was initially setup, I was connected to my company via the Cisco VPNClient and the connection worked great - mail, iCal & AddressBook all connected and accessed data fine.
    Now, I find that if I drop my VPN and then reconnect, Mail will not connect to the server and I get the Yield or tilde icon next to the account. In console, I'm getting these messages:
    9/1/09 9:21:49 AM Mail[1349] -[SOAPParser:0x1163a34e0 parser:didStartElement:namespaceURI:qualifiedName:attributes:] Type not found in SOAPDocument for HTML (HTML)
    Now, it seems that if I disconnect the VPN, quit Mail and leave it for a while (sorry, nothing scientific here yet) it will reconnect to the server after I have the VPN back up.
    One point to make, I can't seem to get the Apple IPSec support to connect to my company's Cisco concentrator, hence the reason I keep using the Cisco sw.
    So, that's my one problem - now for the additional questions: Is the Exchange support in SL Exchange Activesync or a different implementation? The reason I ask is that if it's exchange Activesync, there should be no reason I cannot connect to my Exchange front-end server without a vpn connection and sync mail, calendar & addressbook - right?
    That doesn't seem to work, however which leads me to think it's not EAS.
    Another question - is there any documentation on how to configure the advanced mail account options - External Server Path, for instance?
    Thanks in advance...
    Dave

    I had the exact same issue. Found nothing in the console logs other than "can't refresh account". Turns out my problem was wrong e-mail address with the exchange server. I used the exact e-mail address that this particular exchange expected and it added it to the panel on the left.
    Our setup is a bit weird cause we have 2 exchange servers, but I let iCal figure out everything itself using the "old" exchange server and then afterwards went and edited the server settings to use the "new" server, and it kept working with these settings.
    Just a bit annoying that iCal was so vague about what the problem was... Also didn't help that I upgraded and moved to the "new" server and changed my password all at once, so don't know what cause the problem in the first place.

  • Uploading YouTube videos/urls into Cisco Show and Share

    We've just purchased the DMM 5.2 and the Show and Share appliance to host internal company videos but there are some YouTube videos out there that we want to pull into our Show and Share system as well. How can we do this? I've tried every possible combination of youtube url and embedded url that is out there, at least nothing that I've tried has worked thus far. I'm able to pull in other internal URLs of different videos (wmv format) without any trouble. Is this an issue with YouTube or perhaps with flv formatted video that YouTube uses (which should work according to the manual).
    I know this is a new product, but is there anyone that can help?
    Thank you in advance,
    Chris

    Chris,
    The YouTube videos are typically Flash content.
    The key here is that you need to download the Flash content
    yourself and then Upload to the Show and Share.
    Use the DIRECT URL of the Flash Content on YouTube to download
    the FLV to your Personal device.  After file successfully download, simply
    upload the file to Show and Share.
    For example:
    Cisco Show and Share Flash Demo
    http://www.youtube.com/watch?v=ZzquCVvS0qQ
    * this link is the actual Dashboard URL not the video link
    http://v4.lscache8.c.youtube.com/videoplayback?ip=0.0.0.0&sparams=id%2Cexpire%2Cip%2Cipbits%2Citag%2Calgorithm%2Cburst%2Cfactor%2Coc%3AU0dWRlRRVF9FSkNNNl9MS1hB&fexp=904405%2C901902&algorithm=throttle-factor&itag=34&ipbits=0&burst=40&sver=3&expire=1271466000&key=yt1&signature=1E65C92607546EA03DE0D1082884574D3F58AD0F.93FF9FDB00B10B44BBB52F31AADF3EB50FCEB7CC&factor=1.25&id=673aae095bd2d2a4&
    * Actual URL of Video Content
    ========================================================
    FOR THOSE THAT ARE USING OSX & SAFARI:
    ======================================
    If you need to download FLASH Content for TESTING in your DMS Solution, You
    can download Flash Videos from YouTube.
    Note: The Video Quality is NOT HD or even SD...  it is ID (Internet Definition)
          Also, the downloaded file will be a .flv Flash File.
    1. Open a Video on YouTube, Google Video etc.
    2. Press "Alt+Cmd(Apple-Key)+A" - A window opens named "Activity".
    3. Select the ".flv" file (looking on filesize helps) and press "Cmd(Apple-Key)+C" to copy.
       Paste with "Cmd(Apple-Key)+V" the URL to your Address Bar and press Enter.
    4. If you need a different video format such as MPEG, WMV, or SWF; you will need to convert
       the downloaded ".flv" file with VisualHub or VLC
    If this answers your question, Please take time to mark this
    discussion answered & rate the response. 
    Thank You!
    T.

  • Is there any documentation to deploy federation between Cisco IM and presence and Lync 2010 sister companies?

    Hello All,
    Company A – Using Cisco IM and Presence
    Company B – Using Microsoft Lync 2010
    We would like to establish federation between Company A and Company B and also looking for the documentation which has the step by step instruction.
    Please let us know overall steps or provide us the documentation.  Thank you in advance.
    Thanks

    For Federation between Lync and Cisco IM, you can check below link and this
    document
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/interdomain_federation/9_0_1/CUP0_BK_IAAE17D8_00_integration-guide-interdomain-federation-90/CUP0_BK_IAAE17D8_00_integration-guide-interdomain-federation-90_chapter_01.html
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
    Mai Ali | My blog: Technical | Twitter:
    Mai Ali

  • Uploading Youtube Vid. URL to Cisco Show and Share failed

    Uploading Youtube Vid. URL to Cisco SnS failed. I get error msg. : Connection to video server failed

  • Ask the Expert: Packet Capture Capabilities of Cisco Routers and Switches

    With Rahul Rammanohar 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about packet capture capabilities of Cisco routers and switches.
    In May 2013, we created a video that included packet capture capabilities across multiple Cisco routers and switches. For each product, we began with a discussion about the theory of the capabilities, followed by an explanation of the commands, and we concluded with a demo on real devices. In this Ask the Expert event, you’re encouraged to ask questions about the packet capture capabilities of these Cisco devices:
    •       7600/6500: mini protocol analyzer (MPA), ELAM, and Netdr
    •       ASR9k: network processor capture
    •       7200/ISRs: embedded packet capture
    •       Cisco Nexus 7K, 5K, and 3K: Ethanalyzer
    •       Cisco Nexus 7K: ELAM
    •       CRS: show captured packets
    •       ASR1K: embedded packet capture
    More Information
    Blog URL: Packet Capture Capabilities of Cisco Routers and Switches
    Watch the Video:  https://supportforums.cisco.com/videos/6226
    Hitesh Kumar is a customer support engineer in the High-Touch Technical Services team at Cisco specializing in routing protocols. He has been supporting major service providers and enterprise customers in routing, Multiprotocol Label Switching (MPLS), multicast, and Layer 2 VPN (L2VPN) issues on routing platforms for more than three years. He has more than six years of experience in the IT industry and holds a CCIE certification (number 38757) in service. 
    Rahul Rammanohar is a technical leader with the High-Touch Technical Support Team in India. He handles escalations in the area of routing protocols and large-scale architectures for devices running Cisco IOS, IOS-XR, and IOS-XE Software. He has been supporting major service providers and large enterprise customers for routing, MPLS, multicast, and L2VPN issues on all routing platforms. He has more than 13 years of experience and holds a CCIE certification (number 13015) in routing/switching and service provider.
    Remember to use the rating system to let Hitesh and Rahul know if you have received an adequate response.  
    Because of the volume expected during this event, Hitesh and Rahul might not be able to answer each question. Remember that you can continue the conversation in the Service Provider, sub-community forum shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.

    Hello Erick
    Thanks for the topology. The trigger will be different for labelled packet as you would need to mention the values of labels too in the trigger.
    Below are two examples of one or two labels being used, it depends on where you are capturing the packet in mplsvpn scenario which will decide the number of labels being imposed on the packet.
    Trigger for one label. (if the router on which you are capturing the packet PHP is being performed)
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x88470162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    Trigger for two labels. (for other core routers)
    IGP label - 1234
    VPN label - 5678
    Source Address - 111.111.111.111
    Destination Address - 123.123.123.123
    show platform capture elam trigger dbus others if data = 0 0 0 0x8847004D 0x20000162 0xE0000000 0 0 0x00006F6F 0x6F6F7B7B 0x7B7B0000 [ 0 0 0 0xffffffff 0xf000ffff 0xf0000000 0 0 0x0000ffff 0xffffffff 0xffff0000 ]
    You can check the labels being used (by using show ip cef <> details) and convert their values to hex and change the trigger accordingly.
    I have changed the colors for better understanding. If you notice carefully in the trigger the values for ip address, labels have just been converted to their respective hex values which could be replaced.
         Please let me know if this helps.
    Thanks & Regards
    Hitesh & Rahul
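
The label and address to hex conversion described in the reply above, as an added example that is not part of the original post or Cisco's tooling. It assumes the data words are the untagged Ethernet frame packed into 32-bit words (12 bytes of MAC addresses, EtherType 0x8847, the label stack, then a 20-byte IPv4 header), which is consistent with both triggers in the post; the function names are hypothetical, and the code handles any number of labels.

```python
import ipaddress
import struct

MPLS_ETHERTYPE = 0x8847   # MPLS unicast EtherType, as seen in both triggers
LABEL_BITS = 20           # an MPLS label occupies the top 20 bits of its entry


def _to_words(buf):
    """Pad to a 4-byte boundary and split into big-endian 32-bit words."""
    buf = bytes(buf) + b"\x00" * (-len(buf) % 4)
    return list(struct.unpack(">%dI" % (len(buf) // 4), buf))


def elam_words(labels, src_ip, dst_ip):
    """Return (data_words, mask_words) matching labels (outermost first)
    plus IPv4 source and destination addresses.

    Assumed layout (inferred from the post's examples, not from Cisco docs):
      bytes 0-11   destination and source MAC  -> not matched (mask 0)
      bytes 12-13  EtherType 0x8847            -> matched
      4 bytes per label stack entry            -> only the 20 label bits matched
      IPv4 header bytes 0-11                   -> not matched
      IPv4 source, IPv4 destination            -> matched
    """
    if not labels:
        raise ValueError("at least one MPLS label is required")

    data = bytearray(12)          # MAC addresses, wildcarded
    mask = bytearray(12)
    data += struct.pack(">H", MPLS_ETHERTYPE)
    mask += b"\xff\xff"

    for label in labels:
        if not 0 <= label < (1 << LABEL_BITS):
            raise ValueError("MPLS label out of range: %r" % (label,))
        # Label in bits 31..12; TC, bottom-of-stack and TTL left as zero
        # and excluded by the mask.
        data += struct.pack(">I", label << 12)
        mask += struct.pack(">I", 0xFFFFF000)

    data += bytes(12)             # IPv4 header up to the source address
    mask += bytes(12)
    for addr in (src_ip, dst_ip):
        data += ipaddress.IPv4Address(addr).packed
        mask += b"\xff" * 4

    return _to_words(data), _to_words(mask)


def elam_trigger(labels, src_ip, dst_ip):
    """Format the words the way the post writes them: bare 0 for an
    all-zero word, upper-case hex for data, lower-case hex for the mask."""
    data, mask = elam_words(labels, src_ip, dst_ip)
    d = " ".join("0x%08X" % w if w else "0" for w in data)
    m = " ".join("0x%08x" % w if w else "0" for w in mask)
    return ("show platform capture elam trigger dbus others if data = "
            "%s [ %s ]" % (d, m))


if __name__ == "__main__":
    # Values taken from the post: VPN label 5678, IGP label 1234.
    print(elam_trigger([5678], "111.111.111.111", "123.123.123.123"))
    print(elam_trigger([1234, 5678], "111.111.111.111", "123.123.123.123"))
```
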

  • Integration Of Cisco ACS and MS Active Directory !!!

    Hi all,
    We have and Cisco ACS v4.2 on a Cisco Appliance, and we need to integrate it with Active Directory. Can you help me??
    Thanks for your help
    Regards!!!
    Rafael Turriago

    Hi,
    If you have ACS SE and you want to integrate with MS AD, then you need to install Cisco ACS Remote Agent on a PC that belongs to the domain.
    The ACS SE does not "speak" directly to the DCs, but rather to the ACS Remote Agent.
    The Remote Agent is the application responsible to exchange data with the DCs.
    You can find detailed information in the config guide:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp353636.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Cisco 871w and LAN (What did I get myself Into!)

    Hey all,
    Little background info:
    - Took the CCNA1-4 via college course about 3 years ago, haven't used the knowledge since
    - most of my experience in the real world has been non-managed networks, but taking care of Windows Terminal Servers.
    - basically I think I need to re-educate myself
    Current Network:
    Windows Domain
    45 workstations
    4 buildings
    Breakdown
    Head Office:
    - Main Distribution point
    - WAN: Cisco Router and DSL modem owned by provider
    - Firewall: WatchGuard Firewall (/w 5 VPN connections)
    - 1 x 48 port Managed Switch (acting as simple switch)
    - Windows SBS 2003 server with Exchange, SQL, and using VPN here as well
    - We have about 6 other switches that are not managed in the build
    - 1 cable run through building. At the end of this building is a fiber connection to the next building
    - 15 workstations
    Building 2:
    - Fiber connection from Head Office
    - 1 single CAT 5e from Fiber switch to Unmanaged Switch (Switch 1)
    - 1 single CAT 5e from unmanaged switch to half-way point of building where we have another unmanaged switch (Switch 2)
    - 1 single CAT 5e from Switch 1 to another small building (building 4) with a small unmanaged switch and 2 workstations
    - 1 single CAT 5e from Switch 2 - to end of building, underground to building 3
    - 1 Workstation attached to Switch 2
    Building 3:
    1 x 24 port Managed Switch with connection from Building 2 (this switch being used as a normal switch)
    25 workstations in here, various distances with small workstation switches throughout.
    Working with new equipment:
    - we upgraded DSL (cheaper) to a 5 Static IP package, this is a separate circuit for now - so I can configure everything and
    not disrupt current services.
    - using test PC and connection on this DSL to make sure most everything is working.
    - Purchased 871w to replace their router and to replace our Firewall which has a faulty nic and is limited in functionality.
    - 6 months from now, adding Fortigate 100A Appliance
    - over next 2 years - all switches will be managed
    First question: Anyone have a real good resource on how inside local, inside global, outside local, outside global works for ACL's? Isn't there something similar for NAT/PAT?
    Second Question: Just looking for some best practice solutions. Should I bother with VLAN's at this time, just leave everything on VLAN since
    there can be no real separation throughout the company. Suggestions?
    Outside Services required:
    - Webmail - using OWA:
    - host header: webmail.companyname.com
    - can the router block all requests to this that are made via port 80 and allow the HTTPS ones through?
    - since i have 5 statics, using NAT can I have one of the external IP's used for webmail... this can be done using static NAT and firewall rules?
    - Exchange Server forwards all SMTP requests to ISP mail server.
    - No RDP directly to network resources without vpn activity - taken care of implicit deny.
    - Will it be possible to use my other 4 static IP's, say I create a DNS entry for ftp.companyname.com. I assume a static entry in NAT will take care of sending all requests to another network box.
    VPN:
    Will require VPN connections, there seems to be a ton of different ones. What is the easiest to create for a few home systems
    that the VPN client can be installed and configured? Can this be managed with a push policy, can different user accounts be
    created with different policies:
    i.e: * Steve logs in via VPN, can RDP to a desktop to access server resources but I don't want him to be able to connect to \\serverip\share
    * Bob is a user, bob currently vpn's and obtains an IP 10.0.0.249, bob shares a printer that we use to print to. I don't want bob to be able to access any other resources on our network, but users can print to Bob's remote printer.
    I'm over thinking all this, and getting confused - a nice simple step approach required - I feel like I'm drowning -lol

    try the following links
    inter vlan
    http://www.cisco.com/en/US/products/hw/switches/ps672/products_configuration_example09186a00800941b4.shtml
    NAT
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080881718.shtml
    how NAT works
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml
    VPN
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080235197.shtml
    useful vpn links
    http://www.cisco.com/en/US/products/sw/secursw/ps2308/prod_configuration_examples_list.html
    good luck
    Please, if helpful Rate

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in a another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble
