Cisco RV180 needs help..buyers beware.
So for a while now, we have used the Linksys (Cisco) RVS4000 Small Business routers at our business and have had great success. We opened a new location and went to buy more, only to find out they no longer make them and they have been replaced by the Cisco RV180 routers. Figuring these would work as seamlessly as the others, we bought some.
Wow, was I wrong. Using mainly the default settings, we are having major connection issues, mainly with our programs that are somehow timing out and having read/write delays. I know it's the RV180 because I found an old backup RVS4000 router, put it in place, and it works perfectly. Seeing that the last firmware update on this router is June of 2012, and reading the number of posts and problems with this router, Cisco obviously doesn't give a rip that they have a piece of SH** out there they are selling, with no plan to make fixes and update firmware. We have gone through these settings with a fine-toothed comb and turned off about every firewall and IPS setting there is, but no matter what we do, it still persists.
***EVERYONE, STAY AWAY FROM THIS ROUTER***
Until Cisco decides to get serious about their small business line, I will be buying D-Link and Netgear routers, as they actually work.
Hello Tim,
If you have already reported this issue to Cisco SBSC, can you please share the service request number for this issue? We would like to track the issue and see if it is something to do with the configuration or system. If you have not reported this issue to the Cisco SBSC, could you please contact them and open a service request? We would like to investigate the root cause for the performance issue you are facing and find a resolution for the same.
Cisco SBSC contact information:
http://www.cisco.com/en/US/support/tsd_cisco_small_business_support_center_contacts.html
Thanks,
Nagaraja
Similar Messages
-
Hello,
I am new to routers. I have one at work that I need to manage but with no knowledge. I have a Cisco 2811 router and it has been logging that one of its fans is not rotating. Cisco suggested I reboot the router to see if it fixes the problem, so my first question is: how do you reboot the 2811?
Cisco said if rebooting the router doesn't fix the problem, they will send me a replacement chassis. So, I need step-by-step instructions on what to do if I really have to remove all the cards and put them in the new chassis. How do I save the config file? How do I shut down the router? How do I reload the config file without having to set up the router from scratch? I need step-by-step help.
Thanks
Kit
Hi Kit,
To reload the router:
1. First do a "write mem" on your router after entering privileged mode.
2. You can do a soft reload by giving "reload" from the router# prompt, or just by powering the router off and on.
If the reboot does not solve the problem, Cisco would do an RMA and give you a chassis.
To do that:
1. Copy the configuration file to the flash disk in the router.
2. Have a copy of the same in Notepad also, just for verification.
3. Shut down the router by removing the power.
4. Insert the cards that were present in the router in the same slots in the new chassis.
5. Insert the flash card that has the IOS and config file into the new chassis.
6. Reload the router.
7. Copy the configuration file from the flash to the running config.
8. Do a write mem.
9. Verify the config against your old config.
Use this for reference:
http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c35d3.html#wp41215
Please let me know if you require any other details.
regards
vanesh k -
EtherChannel between cisco devices need help
Hello,
At our company we use two ASA 5525 firewalls in active/standby mode.
Both of them are connected to a single Cisco router.
The goal is to have the Cisco router automatically send traffic to the active firewall (regardless of which firewall is active at that point).
To solve this, would it be possible to create an EtherChannel with 2 ports on the Cisco router and then have 1 link going to the active firewall and 1 link to the standby firewall?
If the active firewall fails and the standby firewall takes over, will the standby firewall receive all the traffic that normally would go to the active firewall without any downtime?
Will this work, or does another solution exist for this? It's important for us that the hosts on the network suffer little to no downtime at all.
The topology can be found in the following image.
Hello
"You could possibly use bridging on the router which would allow you to have two interfaces on the same router in the same IP subnet and connect one interface to the active firewall and one to the standby. But I cannot say for sure this would work as I have never done it with ASAs"
Please see below:
ASA1
====
interface GigabitEthernet0
 nameif inside1
 security-level 100
 ip address 192.168.1.10 255.255.255.0
ASA2
====
interface GigabitEthernet0
 nameif inside2
 security-level 100
 ip address 192.168.1.11 255.255.255.0
router
=====
bridge irb
bridge 100 protocol ieee
bridge 100 route ip
interface FastEthernet0/0
 description Link to ASA1
 bridge-group 100
interface FastEthernet0/1
 description Link to ASA2
 bridge-group 100
interface BVI100
 ip address 192.168.1.254 255.255.255.0
R1#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/34/72 ms
R1#ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/38/88 ms
asa1# ping 192.168.1.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
asa1#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/34/50 ms
NOTE:
You can also NOT apply an IP address to the BVI interface and you would still be able to ping between the FWs.
res
Paul -
Connecting a 20mb fiber / ethernet point to point CISCO 1841 Need help
Here is the remote router config
Okay, perhaps I am over-thinking the situation, but for some reason it's not clicking, and maybe I am overlooking something. So my rule is if I spend more than 30 min on something and I can't get anywhere I start pulling resources ;-) So here goes.
Currently we have two 1841 routers configured between our two locations; these are connected through two T1 serial connections (multilinked). QoS (as rudimentary as it is) is configured on the multilink. See below.
We recently went with a fiber connection (terminated via Ethernet); the plan is to use the free FastEthernet (0/1) for the connection between the routers, and then disable/eliminate the T1 connections.
Here is the current configuration for both routers. I have added the new config for the Ethernet connection and assigned them an IP address, and it seems that we can ping between the...
This topic first appeared in the Spiceworks Community -
HELP!! Cisco RV180 Port Forwarding
Someone please advise, as this is the first time I've tried to set up port forwarding using the Cisco RV180 router. I have a Cisco RV180 router, a Ruckus 7055 access point and a power distribution unit. I'd like to be able to access the router remotely and also the devices behind the router (the Ruckus access point and the power distribution unit). I'm assuming that I'll need to assign the Cisco RV180 router a static IP address, and I'm assuming that this static address should be assigned to the WAN port? I'd also like to configure port forwarding so that I can access the Ruckus and the PDU remotely. I've tried assigning a static IP address to the WAN port of the RV180 but I cannot ping this device remotely. Anyone have any advice on accessing the RV180 remotely? I've populated all of the correct fields for the WAN settings (IP, gateway, subnet, etc.), and my static IP address is valid. Thank you in advance.
Hello sirflex,
As you have mentioned, you need to configure a static NAT for the devices, which you have done when you configured port forwarding.
Have you configured access rules under Firewall > Access Rules? Add access rules for the ping, HTTP and HTTPS services.
Can you capture the packets at the WAN port while you are pinging the WAN port, and share the firmware version on the device?
Which mode are you running the device in, gateway or router? You can check it under Networking > Routing > Routing Mode.
Thanks,
Prithvi
Please mark answered and rate for helpful posts. -
I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
I have attempted to configure RDP access but it does not seem to be working for me. Could I please ask someone to help me modify my current configuration to allow this? Please do it step by step, as I could use all the help I can get.
I need to allow the following IP addresses to have RDP access to my server:
66.237.238.193-66.237.238.222
69.195.249.177-69.195.249.190
69.65.80.240-69.65.80.249
My external WAN server info is - 99.89.69.333
The internal IP address of my server is - 192.168.6.2
The other server shows up as 99.89.69.334 but is working fine.
I already added one server for static route and RDP, but when I try to put in the same commands it doesn't allow me to for this new one. Please take a look at my configuration file and give me the commands I need in order to put this through. Also please tell me if there are any bad/conflicting entries.
THE FOLLOWING IS MY CONFIGURATION FILE
Also I have modified IP information so that it's not the ACTUAL IP info for my server/network etc... lol for security reasons of course
Also the bolded lines are the modifications I made but that aren't working.
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password DowJbZ7jrm5Nkm5B encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.6.254 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 99.89.69.233 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group network EMRMC
network-object 10.1.2.0 255.255.255.0
network-object 192.168.10.0 255.255.255.0
network-object 192.168.11.0 255.255.255.0
network-object 172.16.0.0 255.255.0.0
network-object 192.168.9.0 255.255.255.0
object-group service RDP tcp
description RDP
port-object eq 3389
object-group service GMED tcp
description GMED
port-object eq 3390
object-group service MarsAccess tcp
description MarsAccess
port-object range pcanywhere-data 5632
object-group service MarsFTP tcp
description MarsFTP
port-object range ftp-data ftp
object-group service MarsSupportAppls tcp
description MarsSupportAppls
port-object eq 1972
object-group service MarsUpdatePort tcp
description MarsUpdatePort
port-object eq 7835
object-group service NM1503 tcp
description NM1503
port-object eq 1503
object-group service NM1720 tcp
description NM1720
port-object eq h323
object-group service NM1731 tcp
description NM1731
port-object eq 1731
object-group service NM389 tcp
description NM389
port-object eq ldap
object-group service NM522 tcp
description NM522
port-object eq 522
object-group service SSL tcp
description SSL
port-object eq https
object-group service rdp tcp
port-object eq 3389
access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.6.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 68.156.148.5
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
tunnel-group 68.156.148.5 type ipsec-l2l
tunnel-group 68.156.148.5 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
: end
ciscoasa(config-network)#
Unclear what did not work. In your original post you said some commands were added but don't work:
static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
and later you state you add another command that gets an error:
static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface. Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive? Static PAT usually makes sense when you need to change the TCP port number. In your example, you are not changing the TCP port 3389. -
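Added example, not from the thread: a small Python helper (stdlib only, names assumed) that summarises the poster's three inclusive source ranges into CIDR blocks and renders ASA 7.2-style ACEs, then audits an excerpt of the posted config for ACEs that open tcp/3389 to source `any`, which the posted `permit tcp any ...` lines do and which makes any per-source allow-list moot until they are removed. It takes the ACE destination spec as a parameter, since the reply suspects 99.89.69.333 is the outside interface address, in which case the destination should be `interface outside` rather than `host`.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Inclusive source ranges the poster wants to allow RDP from, copied from the post.
ALLOWED_RDP_SOURCES: List[Tuple[str, str]] = [
    ("66.237.238.193", "66.237.238.222"),
    ("69.195.249.177", "69.195.249.190"),
    ("69.65.80.240", "69.65.80.249"),
]

# Short excerpt of the posted ASA 7.2 configuration (service object-groups plus the
# RDP-related ACEs). The poster already anonymised the addresses (99.89.69.333 is not valid).
POSTED_CONFIG_EXCERPT = """\
object-group service RDP tcp
 description RDP
 port-object eq 3389
object-group service SSL tcp
 description SSL
 port-object eq https
object-group service rdp tcp
 port-object eq 3389
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
access-list outside_access_in extended permit tcp any interface outside eq 3389
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
"""


def range_to_ace_sources(first: str, last: str) -> List[str]:
    """Summarise an inclusive IPv4 range into the fewest CIDR blocks and render each
    block as an ASA ACE source ("host A" for a /32, otherwise "A MASK")."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [f"host {n.network_address}" if n.prefixlen == 32
            else f"{n.network_address} {n.netmask}" for n in nets]


def rdp_allow_list(acl: str, dest: str,
                   ranges: List[Tuple[str, str]] = ALLOWED_RDP_SOURCES,
                   port: int = 3389) -> List[str]:
    """One ACE per CIDR block. `dest` is the destination spec, e.g. "host 99.89.69.333"
    or "interface outside" when the static PAT uses the interface address."""
    return [f"access-list {acl} extended permit tcp {src} {dest} eq {port}"
            for first, last in ranges for src in range_to_ace_sources(first, last)]


def parse_service_groups(config: str) -> Dict[str, Set[int]]:
    """Collect the numeric TCP ports of every `object-group service NAME tcp` block."""
    groups: Dict[str, Set[int]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group service (\S+) tcp$", line)
        if m:
            current = m.group(1)
            groups[current] = set()
        elif current and line.startswith("port-object"):
            toks = line.split()
            if toks[1] == "eq" and toks[2].isdigit():
                groups[current].add(int(toks[2]))
            elif toks[1] == "range" and toks[2].isdigit() and toks[3].isdigit():
                groups[current].update(range(int(toks[2]), int(toks[3]) + 1))
            # named ports such as "eq https" are deliberately left unresolved here
        elif not line.startswith("description"):
            current = None  # any other line ends the object-group block
    return groups


def _skip_addr(toks: List[str], i: int) -> int:
    """Advance past one address spec: any | host A | interface NAME | A MASK."""
    return i + 1 if toks[i] == "any" else i + 2


def ace_ports(toks: List[str], groups: Dict[str, Set[int]]) -> Optional[Set[int]]:
    """Ports matched by the trailing service spec; None means every TCP port."""
    if not toks:
        return None
    if toks[0] == "eq" and toks[1].isdigit():
        return {int(toks[1])}
    if toks[0] == "range" and len(toks) > 2 and toks[1].isdigit() and toks[2].isdigit():
        return set(range(int(toks[1]), int(toks[2]) + 1))
    if toks[0] == "object-group":
        return groups.get(toks[1], set())
    return set()  # named port we do not resolve in this example


def audit_broad_tcp_rules(config: str, port: int = 3389) -> List[str]:
    """Return the ACEs that permit `port` (or all TCP ports) from source `any`."""
    groups = parse_service_groups(config)
    hits = []
    for raw in config.splitlines():
        toks = raw.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[3:5] != ["permit", "tcp"]:
            continue
        src_any = toks[5] == "any"
        i = _skip_addr(toks, 5)   # source
        i = _skip_addr(toks, i)   # destination
        ports = ace_ports(toks[i:], groups)
        if src_any and (ports is None or port in ports):
            hits.append(raw.strip())
    return hits


if __name__ == "__main__":
    for ace in rdp_allow_list("outside_access_in", "host 99.89.69.333"):
        print(ace)
    print("ACEs exposing tcp/3389 to any source:")
    for ace in audit_broad_tcp_rules(POSTED_CONFIG_EXCERPT):
        print(" ", ace)
```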
Need help with setting up VPN on a Cisco EPC3925 Modem
Hi everyone,
I need help setting VPN on Cisco EPC3925 modem (I tried using Help and I have read the entire section in the manual but the manual is not the same as the window I get in my settings. For example in the manual they say I can choose "all" under Remote Secure Gateway but there is no option like that).
When I go to the VPN section this is what I get:
1. Does this mean that I can connect to my modem via VPN from some other location? I would like to be able to connect to this modem when I am not at home from some remote location from my computer in order to be able to use NAS-Storage.
2. If the answer on the first question is yes, what settings I need to enter for the:
Local Secure Group
Remote Secure Group
Remote Secure Gateway
My ISP is using dynamic IP but I have DDNS.
My router local IP is 192.168.0.1
Subnet: 255.255.255.0
Starting IP Address: 192.168.0.10
Here is what the advanced settings look like:
Thanks in advance for your help!
My problem is similar to this. I created a tunnel between two EPC3925s but it is impossible to send data between them.
The status is connected. What can I do? UPC tells me this router has only a VPN client, so it won't work. -
I can't find and set up the Cisco Packet Tracer program on my MacBook, I need help?
Check my post
http://rafavg77.wordpress.com/2013/09/07/como-empaquetar-packet-tracer-exe-a-una-app-nativa-en-mac-os-x/
I think it will help, sorry for my English -
Hi All,
I need help configuring the site-to-site VPN from a Cisco 2811 to Websense Cloud for web traffic redirect.
The 2811 is running C2800NM-ADVIPSERVICESK9-M.
The 2811 router connects to the Internet switch, which then connects to the Internet router.
Note: for authentication I am using the device ID and pre-shared key. I am worried, as all user traffic goes out with PAT and is not firing up my tunnel for port 80 traffic. Can you please suggest what the issue can be?
Below is the router config for VPN and NAT.
crypto keyring ISR_Keyring
pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10
crypto isakmp profile isa-profile
keyring ISR_Keyring
self-identity user-fqdn [email protected]
match identity user vpn-proxy.websense.net
crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
set peer vpn.websense.net dynamic
set transform-set ESP-NULL-SHA
set isakmp-profile isa-profile
match address 101
interface FastEthernet0/1
description connected to Internet
ip address 216.222.208.101 255.255.255.128
ip access-group HVAC_Public in
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map GUEST_WEB_FILTER
access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
access-list 103 deny ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
access-list 103 permit ip 192.168.8.0 0.0.3.255 any
ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
ip nat inside source list 103 interface FastEthernet0/1 overload
ip nat inside source route-map nonat pool mypool overload
How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101?
Check
show crypto isakmp sa
show crypto ipsec sa
show crypto session
You'd better remove the preshared key from your post. -
I have installed the Cisco RV180 VPN at a customer location.
Because this customer makes credit card transactions over the Internet, their merchant account requires a third-party to perform a security scan on the gateway. When scanning, the third-party states they are not in compliance with this report:
THREAT REFERENCE
Summary:
TLS Protocol Session Renegotiation Security Vulnerability
Risk: High (3)
Port: 443
Protocol: TCP
Threat ID: misc_opensslrenegotiation
Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
06/11/12
CVE 2009-3555
Multiple vendors TLS protocol implementations are prone to a security vulnerability related to the session-renegotiation process which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context.
Information From Target:
Service: 443:TCP
Session Renegotiation succeeded on 443:TCP
They are using the QuickVPN Client to connect and must be able to connect from anywhere in the world. From my understanding, port 443 must be opened for the QuickVPN Client to function. How do I block port 443 from everyone except the QuickVPN Client? Or how do I configure the RV180 to satisfy the above threat?
Thanks in advance for any information you can provide.
Hi,
The following config is for Cisco VPN client access with dynamic allocation and split tunnel.
Hope this helps, please rate the post if it does!
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username vpnc password 0 userpass
crypto isakmp client configuration group vpncg
key grouppass
dns 4.2.2.1
wins 10.59.2.10
domain domain.com
pool ip-pool
acl 108
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
ip nat outside
crypto map clientmap
interface vlan1
ip address 10.59.2.1 255.255.255.0
ip nat inside
ip local pool ip-pool 10.0.230.1 10.0.230.20
access-list 108 remark VPN client split tunnel
access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255 -
All,
Background Information:
I am a network engineer and I manage a small business network. The network consists of a couple of 3750G access switches and two 6503-E switches (one of these also serves as an access layer switch). I am looking to upgrade the IOS on my external-facing switch so that I can use a 16-port 10GbE Ethernet module. In this switch, I have a SUP-720 3B in slot 1, a 16 fiber port 10GbE Ethernet module in slot 2 (not online yet), and a 48 copper port 1GbE Ethernet module. In the SUP-720, I have one CompactFlash card in disk0.
This is where I need help:
Like I said, I'm trying to upgrade my IOS software in order to support my new Ethernet line card. I know that the images are stored in flash memory. However, the IFS on my switch seems confusing. Here is a printout of the cd ? command:
bootflash:
cns:
const_nvram:
dfc#3-bootflash:
disk0:
disk1:
flexwan-fpd:
null:
nvram:
sup-bootdisk:
sup-bootflash:
sup-image:
sup-microcode:
syslog:
system:
tar:
tmpsys:
<cr>
Can someone please tell me what all of these directories are used for? I'm not sure where to store the IOS image. When I change directories to sup-bootflash: it looks like it has the same contents as sup-bootdisk:. Also, when I list the contents of disk0:, sup-bootflash shows up in there. Is this just a soft link to that directory? I'm really confused and would like to know what all of these directories are used for. Does anyone know of a good white paper that explains the function of these directories?
Thanks,
Manny
Manny,
I am not prepared to try to explain all the directories, which is a pretty good question. But I can answer the most important of your questions: put the new image into sup-bootflash.
HTH
Rick -
NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection
I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
Here is my current hardware configuration:
1) one PIX 501 50-user 3DES.
2) two Dell 3024.
3) one Aironet 1100(g) AP.
Current LAN Network: 10.35.35.0
(internal employees only, static VPN tunneled to remote HQ network)
Current Wireless SSID's:
SSID1=PRIVATESSID
SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
Current WAN: one T1 connection.
WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
#1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
#1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
#1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
#2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem conection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
Question 1:
I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
Question Two:
I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
Question Three
If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
Any help you can provide would be very much appreciated.
Assuming your access points can place SSIDs into separate VLANs and support 802.1q trunks, then I can attempt to answer your questions. There are separate security issues with both SSIDs for protection and VLANs for separation, but in your case it may be minimal.
q1
Any Cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610s will support 802.1q on their 10M Ethernet at the correct code level, but 10M and 802.1q is sort of nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A WIC-2A/S will also work if you prefer not to use the modem port. You will need some WIC to run your T1 line. If you are planning to leave the T1 on another router it makes the next 2 questions much harder.
q2
This is fairly simple and depends on your IOS level. "Priority queuing" is supported even on the older software. I assume you do not control the far end of the T1 line since it sounds as if this goes to an ISP.
You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
q3
If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the T1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the T1 on the same router. If it's not, you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and monitor the tunnel, or run a routing protocol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer, but the router must support IOS 12.4.
3a. You mentioned a cable modem as a backup. That can be much easier sometimes, since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the T1 not on the same router easier. -
802.1x EAP-PEAP over Ethernet need help !!!
I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours troubleshooting this, I am not sure what else to do. Need help. Here is the scenario:
- Cisco Catalyst 3350 switch running IOS version c3550-ipservicesk9-mz.122-44.SE6.bin,
- Steel-Belted/Juniper RADIUS server version 6.1.6 on a Windows 2003 server with IP address 129.174.2.7. This device is connected to the same switch above. Firewall is OFF on the server, allow ALL,
- Windows 2003 Enterprise Server supplicant with the latest service pack and patches. Again, firewall is OFF on the server, allow ALL. Juniper has verified the configuration settings on the supplicant machine. The supplicant has a static IP address of 129.174.2.15, same subnet as the RADIUS server. I just want to enable EAP-PEAP so that the user is forced to authenticate before the port is activated to be "hot".
- Juniper TAC has verified the configuration on the Steel-Belted RADIUS for EAP-PEAP and that everything is looking fine.
I have verified that the switch can communicate fine with the RADIUS server.
- Configuration on the switch for 802.1x:
aaa new-model
aaa authentication dot1x default group radius
radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
interface FastEthernet0/39
description windows 2003 Supplicant
switchport access vlan 401
switchport mode access
dot1x port-control auto
no spanning-tree portfast (does not matter if this is enable or disable)
lab-sw-1#
.May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
.May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1 data:
.May 20 07:52:47.338: EAPOL pak dump Tx
.May 20 07:52:47.338: EAPOL Version: 0x2 type: 0x0 length: 0x0005
.May 20 07:52:47.338: EAP code: 0x1 id: 0x2 length: 0x0005 type: 0x1
.May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
lab-sw-1#
lab-sw-1#sh dot1x interface f0/39
Dot1x Info for FastEthernet0/39
PAE = AUTHENTICATOR
PortControl = AUTO
ControlDirection = Both
HostMode = SINGLE_HOST
Violation Mode = PROTECT
ReAuthentication = Disabled
QuietPeriod = 60
ServerTimeout = 30
SuppTimeout = 30
ReAuthPeriod = 3600 (Locally configured)
ReAuthMax = 2
MaxReq = 2
TxPeriod = 30
RateLimitPeriod = 0
lab-sw-1#
I am at a complete loss here. I don't know what else to do. Someone with expertise in this realm, please
help me make this work.
Many thanks in advance,
#1: dot1x system-auth-control is already in the switch configuration
#2: Not sure if you're already aware, but the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appeared in the interface configuration
The case is being worked on by Cisco TAC. One of the issues is that the Windows 2003 Server supplicant refuses to work. The Windows XP supplicant uses machine authentication instead of user authentication. Cisco TAC is looking into this issue.
-
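Added example, not code from the post above or from Cisco: a decoder for the two header lines that the "EAPOL pak dump" debug prints (EAPOL Version/type/length, then EAP code/id/length/type), plus a check that lists authenticator Requests which never received a Response. The first frame is built from the exact field values in the debug output above (EAPOL v2, EAP-Packet, length 5; EAP Request, id 2, type Identity, no data). The second frame, a supplicant's EAP-Response/Identity carrying the identity "alice", is constructed for this example and does not appear in the debug; it shows the reply the authenticator is waiting for before any PEAP exchange can start.

```python
"""Decode EAPOL/EAP frames as dumped by 'debug dot1x packet' and spot unanswered Requests.

Added example, not from the original post or Cisco. EAPOL header (IEEE 802.1X):
version(1) type(1) length(2); for type 0 (EAP-Packet) the body is an EAP packet:
code(1) id(1) length(2) [type(1) data...].
"""
import struct
from typing import List, Tuple

EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}


def decode_eapol(frame: bytes) -> dict:
    """Parse an EAPOL frame; for an EAP-Packet also parse the EAP header and Type byte."""
    if len(frame) < 4:
        raise ValueError("EAPOL header is 4 bytes")
    version, etype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL length field %d but only %d body bytes" % (body_len, len(body)))
    out = {"eapol_version": version,
           "eapol_type": EAPOL_TYPES.get(etype, "unknown(%d)" % etype),
           "eapol_length": body_len}
    if etype != 0:                 # Start/Logoff/Key frames carry no EAP packet
        return out
    if body_len < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    if eap_len != body_len:
        raise ValueError("EAP length %d disagrees with EAPOL length %d" % (eap_len, body_len))
    out.update(eap_code=EAP_CODES.get(code, "unknown(%d)" % code),
               eap_id=ident, eap_length=eap_len)
    if code in (1, 2):             # only Request/Response carry a Type byte and data
        if eap_len < 5:
            raise ValueError("Request/Response needs a Type byte")
        out["eap_type"] = EAP_TYPES.get(body[4], "unknown(%d)" % body[4])
        out["eap_data"] = body[5:eap_len]
    return out


def unanswered_requests(frames: List[Tuple[str, bytes]]) -> List[int]:
    """Given (direction, frame) pairs as the switch sees them ('Tx' = sent by the
    authenticator, 'Rx' = received from the supplicant), return the EAP ids of
    Requests that never got a Response with the same id."""
    pending = {}
    for direction, frame in frames:
        d = decode_eapol(frame)
        if direction == "Tx" and d.get("eap_code") == "Request":
            pending[d["eap_id"]] = True
        elif direction == "Rx" and d.get("eap_code") == "Response":
            pending.pop(d["eap_id"], None)
    return sorted(pending)


# Field values taken from the debug above: EAPOL v2 / EAP-Packet / len 5,
# EAP Request / id 2 / len 5 / type Identity, no data.
SWITCH_REQUEST_IDENTITY = bytes.fromhex("02 00 00 05  01 02 00 05  01")
# Constructed for this example (not in the debug): EAP-Response/Identity "alice".
SUPPLICANT_RESPONSE_IDENTITY = bytes.fromhex("01 00 00 0a  02 02 00 0a  01") + b"alice"

if __name__ == "__main__":
    print(decode_eapol(SWITCH_REQUEST_IDENTITY))
    print("unanswered:", unanswered_requests([("Tx", SWITCH_REQUEST_IDENTITY)]))
    print("unanswered:", unanswered_requests([("Tx", SWITCH_REQUEST_IDENTITY),
                                              ("Rx", SUPPLICANT_RESPONSE_IDENTITY)]))
```

Fed only the Tx frame from the debug, the checker reports id 2 as unanswered, which is the situation the output above shows: the switch keeps retransmitting EAP-Request/Identity and nothing comes back from the port. Feeding it a matching Response/Identity clears it, and the identity string in that Response is what the authenticator forwards to the RADIUS server to begin the PEAP exchange.
-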
Need help with modifying IDS Sensor in WLC; Null Probe Response problem.
I need help in figuring out how to handle a NULL Probe Response report we are getting from our WCS.
We are getting the following alert from our WCS:
1. Message: IDS 'NULL probe resp 2' Signature attack cleared on AP 'XXXAP_#2' protocol '802.11b/g' on Controller '161.201.97.8'. The Signature description is 'NULL Probe Response - No SSID element'. - Controller Name: XXX-XXXX-XX
And
1. Message: IDS 'NULL probe resp 2' Signature attack detected on AP 'XXXAP#2' protocol '802.11b/g' on Controller '161.201.97.8'. The Signature description is 'NULL Probe Response - No SSID element', with precedence '3'. The attacker's mac address is 'ac:86:74:1e:15:5f', channel number is '5', and the number of detections is '1'. - Controller Name: XXX-XXXX-XX.
Is this something to be concerned with in terms of a potential attack, or should I ignore these types of emails?
According to a previous post here: https://supportforums.cisco.com/discussion/10731846/wireless-system-has-detected-possible-intrusion-attack-signature I need to modify my IDS Signature folder in the WLC. I have no idea how to modify the file itself into the format needed to prevent these intrusions. Could somebody please help me correctly enter the right format needed for this file, or correct me in my thinking. I assume I'm in the right direction, but if anyone has further information that could be helpful it would be greatly appreciated. Thanks in advance.
The IDS signatures are stored in a file called wlc-sig_std.sig. That file can be edited via the GUI by navigating to Security > Wireless Protection Policy > Standard Signatures. The links that you shared contain links to Cisco documentation that leave out the important parts of the documentation. The only way to get that documentation is to pull the existing signatures from the WLC using Commands > Upload File. Read that file for details on the syntax, then adjust your values in the GUI. I've attached a text document with the standard signature file.
-
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration. Although it is working fine, it is not secure, because everybody can access the internet.
I want to deny this IP range and permit only the TMG server to have an internet connection. My DHCP server is the 4500 switch.
Can anybody help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
 description Block_IP
 range 10.25.0.2 10.25.0.255
 range 10.25.1.2 10.25.1.255
!
interface GigabitEthernet0/0
 ip address 192.168.2.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in max-fragments 64 max-reassemblies 256
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description ### ADSL WAN Interface ###
 no ip address
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface Dialer1
 description ### ADSL WAN Dialer ###
 ip address negotiated
 ip mtu 1492
 ip nat outside
 no ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
!
! NAT: every inside source matched by list 101 is translated out of Dialer1
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
!
! list 101 permits the whole 10.25.0.0/16, so every inside host gets translated
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
! list 105 is defined but is not referenced by the NAT statement or by any interface
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
 no switchport
 ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts will not get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to:
ip access-list extended 101
 5 permit ip host 10.25.7.136 any
In this case I allow only host 10.25.7.136, but it isn't working.
No internet connection from the TMG server.
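The following is an added example, not the poster's configuration or Cisco code: a small model of how IOS evaluates the entries in the access lists posted above (wildcard-mask, host and object-group range sources; first match wins; implicit deny at the end). It shows that list 101 as posted matches every 10.25.0.0/16 source, which is why every host is translated; that list 105 can only ever matter if the NAT statement or an interface references it, which nothing in the posted configuration does; and what the rewritten list 101 with only the TMG host permits. The addresses are the ones from the post; the inside hosts 10.25.1.50 and 10.25.0.10 are made up for the demonstration.

```python
"""Model of IOS access-list matching for the entries used in the post above.

Added example, not the poster's configuration or Cisco code. Supports the subset
of extended-ACL syntax seen in the post: an optional sequence number, 'permit|deny ip',
a source of 'any', 'host A.B.C.D', 'A.B.C.D W.W.W.W' (wildcard mask) or
'object-group NAME', and an 'any' destination. The first matching entry wins and
every list ends with an implicit deny, as on IOS.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Matcher = Callable[[int], bool]


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_matcher(base: str, wildcard: str) -> Matcher:
    """IOS wildcard mask: a 1 bit means 'don't care'; only bits where the mask is 0 are compared."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    want = _ip(base) & care
    return lambda src: (src & care) == want


def range_matcher(first: str, last: str) -> Matcher:
    """'range A B' inside 'object-group network': inclusive address range."""
    lo, hi = _ip(first), _ip(last)
    return lambda src: lo <= src <= hi


def parse_ace(line: str, groups: Dict[str, List[Matcher]]) -> Tuple[str, Matcher]:
    """Parse one entry and return (action, source matcher)."""
    toks = line.split()
    if toks[0].isdigit():          # leading sequence number, e.g. '5 permit ip ...'
        toks = toks[1:]
    action, proto, rest = toks[0], toks[1], toks[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported entry: %r" % line)
    if rest[0] == "any":
        src, rest = (lambda s: True), rest[1:]
    elif rest[0] == "host":
        h = _ip(rest[1])
        src, rest = (lambda s, h=h: s == h), rest[2:]
    elif rest[0] == "object-group":
        members = groups[rest[1]]
        src, rest = (lambda s, m=members: any(f(s) for f in m)), rest[2:]
    else:                          # 'A.B.C.D W.W.W.W'
        src, rest = wildcard_matcher(rest[0], rest[1]), rest[2:]
    if rest != ["any"]:
        raise ValueError("only 'any' destinations are modelled: %r" % line)
    return action, src


class AccessList:
    def __init__(self, entries: List[str], groups: Optional[Dict[str, List[Matcher]]] = None):
        self.entries = [parse_ace(e, groups or {}) for e in entries]

    def decide(self, source_ip: str) -> str:
        src = _ip(source_ip)
        for action, match in self.entries:
            if match(src):
                return action
        return "deny"              # implicit deny at the end of every IOS ACL


# 'object-group network IP' as posted
GROUPS = {"IP": [range_matcher("10.25.0.2", "10.25.0.255"),
                 range_matcher("10.25.1.2", "10.25.1.255")]}

# List 101 as posted; it is the list 'ip nat inside source list 101 ...' consults.
ACL_101_AS_POSTED = AccessList(["permit ip 10.25.0.0 0.0.255.255 any"])
# List 105 as posted; defined, but nothing in the posted configuration references it.
ACL_105_AS_POSTED = AccessList(["deny ip object-group IP any"], GROUPS)
# List 101 as rewritten in the follow-up: only the TMG server is a NAT candidate.
ACL_101_TMG_ONLY = AccessList(["5 permit ip host 10.25.7.136 any"])


def nat_candidates(acl: AccessList, sources: List[str]) -> Dict[str, str]:
    """Which of the given inside sources would the NAT list let through?"""
    return {s: acl.decide(s) for s in sources}


if __name__ == "__main__":
    # 10.25.1.50 and 10.25.0.10 are made-up inside hosts for this example.
    hosts = ["10.25.7.136", "10.25.1.50", "10.25.0.10"]
    print("101 as posted :", nat_candidates(ACL_101_AS_POSTED, hosts))
    print("101 TMG only  :", nat_candidates(ACL_101_TMG_ONLY, hosts))
    print("105 (unused)  :", nat_candidates(ACL_105_AS_POSTED, hosts))
```

One caveat worth keeping in mind when testing a change like this on a live ISR: the NAT list is consulted when a translation is created, and entries already in the translation table stay there until they time out or are removed with `clear ip nat translation *`, so check `show ip nat translations` and `show access-lists` (which shows per-entry match counters) before concluding that a rewritten list is or is not being honoured.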
I have 2 programs FileMakerPro 8.5 and Printer Utility for Canon Pixma printer (that I know of so far) that crash because of FileMakerPro.... Date/Time: 2007-08-25 16:43:22.519 -0400 OS Version: 10.4.10 (Build 8R218) Report Version: 4 Command: FileMa