Cisco RV180 needs help..buyers beware.

Similar Messages

• Cisco 2811 - need help

  Hello,
  I am new to routers. I have one at work that I need to manage but with no knowledge. I have a Cisco 2811 router and it has been logging that one of its fans is not rotatin. Cisco suggest me to reboot the router to see if it fix the problem - so my first question is: how do you reboot the 2811.
  Cisco said if rebooting the router doesn't fix the problem, they will send my a replacement chassis. So, I need step-by-step instruction on what to do if I really have to remove all the cards and put it in the new chassis. How do I save the config file? How do I shutdown the router? How do I reload the config file without having to setup the router from scratch? I need step-by-step help.
  Thanks
  Kit

  Hi Kit,
  To reload the router :
  1.First do a " write mem " in your router after entering the privilege level
  2.You can do a soft reload by giving " reload " from the router# prompt or just by powering and power off the router.
  If reboot is not solving the problem , cisco would do a RMA and they would give you a chassis
  To do that
  1.Copy the configuration file to the flash disk in the router
  2.Have a copy of the same in the notepad also just for verification
  3.Shut down the router by removing the power
  4.Insert the cards that were present in the router in the same slots in the new chassis
  5.Insert the flash card to the new chassis that has the IOS and config file
  6.Reload the router
  7.Copy the configuration file from the flash to the running config
  8.Do a write mem
  9.Verify the config with your old config
  use it for ref:
  http://www.cisco.com/en/US/products/ps5854/prod_configuration_guide09186a00802c35d3.html#wp41215
  Pls let me know if you require any other details
  regards
  vanesh k

• EtherChannel between cisco devices need help

  Hello,
  At our company we use 2 asa 5525 firewalls in active/standby mode.
  Both of them are connected to a single cisco router.
  The goal is to have the cisco router to automatically send traffic to the active firewall (regardless which firewall is active at that point).
  To solve this would it be possible to create an EtherChannel with 2 ports on the cisco router and then have 1 link going to the active firewall and 1 link to the standby firewall.
  If the active firewall fails and the standby firewall takes over, will the standby firewall receive all the traffic that normally would go to the active firewall without any downtime?
  Will this work or does another solution exists for this? Its important for us that the hosts on the network suffer small to none downtime at all.
  The topology can be found in the following image.

  Hello
  "You could possibly use bridging on the router which would allow you to  have two interfaces on the same router in the same IP subnet and connect  one interface to the active firewall and one to the standby. But i  cannot say for sure this would work as i have never done it with ASAs"
  Please see below:
  ASA1
  ====
  .interface GigabitEthernet0
  nameif inside1
  security-level 100
  ip address 192.168.1.10 255.255.255.0
  ASA2
  ====
  .interface GigabitEthernet0
  nameif inside2
  security-level 100
  ip address 192.168.1.11 255.255.255.0
  router
  =====
  bridge irb
  bridge 100 protocol ieee
  bridge 100 route ip
  interface FastEthernet0/0
  Description Link to ASA1
  bridge-group 100
  interface FastEthernet0/1
  Description Link to ASA2
  bridge-group 100
  interface BVI100
  ip address 192.168.1.254 255.255.255.0
  R1#ping 192.168.1.10
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 12/34/72 ms
  R1#ping 192.168.1.11
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 8/38/88 ms
  asa1#  ping 192.168.1.11
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
  asa1#ping 192.168.1.254
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
  Success rate is 100 percent (5/5), round-trip min/avg/max = 10/34/50 ms
  NOTE:
  You can also NOT apply an ip address to the BVI interface and you would still be able to ping between the FW'S
  res
  Paul

• Connecting a 20mb fiber / ethernet point to point CISCO 1841 Need help

  Here is the remote router config

  Okay perhaps I am over thinking the situation but for some reason its not clicking, and maybe I am overlooking something. So my rule is if I spend more than 30 min on something and I cant get anywhere I start pulling resources ;-) So here goes.Currently we have 2 1841 routers configured between out two locations, these are connected through two T1 serial connections (Multilinked). QOS (as rudimentry as it is) is configured on the Multilink. See below.We recently went with a fiber connection (terminated via ethernet), the plan is to use the free FastEthernet (0/1) for the connection between the routers, and then disable/eliminate the T1 connections.Here is the current configuration for both routers. I Have added the new config for the ethernet connection and assigned them an IP address, and it seems that we can ping between the...
  This topic first appeared in the Spiceworks Community

• HELP!! Cisco RV180 Port Forwarding

  Someone please advise as to this is the first time I've tried to setup port forwarding using the Cisco RV180 Router. I have a Cisco RV180 Router, a Ruckus 7055 access point and a power distribution unit. I'd like to be able to access the router remotely and also the devices behind the router (the ruckus access point and the power distribution unit). I'm assuming that I'll need to assign the Cisco RV180 router a static IP address and I'm assuing that this static address should be assigned to the WAN port? I'd also like to configure port forwarding so that I can access the ruckus and the PDU remotely also. I've tried assigning a static IP address to the WAN port of the RV180 but I cannot ping this device remotely. Anyone have any advice on accessing the RV180 remotely? I've populated all of the correct fields for the WAN settings (ip, gateway, subnet, etc.) , and my static ip address is valid.Thank you in advance.

  Hello sirflex,
  As you have mentioned you need to configure a static nat for the devices which you have done when you configure a port forwarding.
  Have you configured access rules under firewall>access Rules. Add the access rules for the ping and the Http and Https services.
  Can you capture the packets at the WAN port while you are pinging the WAN port and the firmware version on the device.
  Which mode are you running the device gateway or router. You can check it under Netwroking>Routing>Routing Mode.
  Thanks,
  Prithvi
  Please mark answered and rate for helpful posts.

• I need helping!!! configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.

  I need helping configuring RDP access to my local server from a remote location on my Cisco ASA 5505 Firewall.
  I have attempted to configure rdp access but it does not seem to be working for me Could I please ask someone to help me modify my current configuration to allow this? Please do step by step as I could use all the help I could get.
  I need to allow the following IP addresses to have RDP access to my server:
  66.237.238.193-66.237.238.222
  69.195.249.177-69.195.249.190
  69.65.80.240-69.65.80.249
  My external WAN server info is - 99.89.69.333
  The internal IP address of my server is - 192.168.6.2
  The other server shows up as 99.89.69.334 but is working fine.
  I already added one server for Static route and RDP but when I try to put in same commands it doesnt allow me to for this new one. Please take a look at my configuration file and give me the commands i need in order to put this through. Also please tell me if there are any bad/conflicting entries.
  THE FOLLOWING IS MY CONFIGURATION FILE
  Also I have modified IP information so that its not the ACTUAL ip info for my server/network etc... lol for security reasons of course
  Also the bolded lines are the modifications I made but that arent working.
  ASA Version 7.2(4)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password DowJbZ7jrm5Nkm5B encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.6.254 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address 99.89.69.233 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  object-group network EMRMC
  network-object 10.1.2.0 255.255.255.0
  network-object 192.168.10.0 255.255.255.0
  network-object 192.168.11.0 255.255.255.0
  network-object 172.16.0.0 255.255.0.0
  network-object 192.168.9.0 255.255.255.0
  object-group service RDP tcp
  description RDP
  port-object eq 3389
  object-group service GMED tcp
  description GMED
  port-object eq 3390
  object-group service MarsAccess tcp
  description MarsAccess
  port-object range pcanywhere-data 5632
  object-group service MarsFTP tcp
  description MarsFTP
  port-object range ftp-data ftp
  object-group service MarsSupportAppls tcp
  description MarsSupportAppls
  port-object eq 1972
  object-group service MarsUpdatePort tcp
  description MarsUpdatePort
  port-object eq 7835
  object-group service NM1503 tcp
  description NM1503
  port-object eq 1503
  object-group service NM1720 tcp
  description NM1720
  port-object eq h323
  object-group service NM1731 tcp
  description NM1731
  port-object eq 1731
  object-group service NM389 tcp
  description NM389
  port-object eq ldap
  object-group service NM522 tcp
  description NM522
  port-object eq 522
  object-group service SSL tcp
  description SSL
  port-object eq https
  object-group service rdp tcp
  port-object eq 3389
  access-list outside_1_cryptomap extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 192.168.0.0 255.255.0.0
  access-list inside_nat0_outbound extended permit ip 192.168.6.0 255.255.255.0 object-group EMRMC
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-data
  access-list outside_access_in extended permit udp 69.16.158.128 255.255.255.128 host 99.89.69.334 eq pcanywhere-status
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ftp
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq ldap
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq h323
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq telnet
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 eq www
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 host 99.89.69.334 object-group SSL
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM522
  access-list outside_access_in extended permit tcp 69.16.158.128 255.255.255.128 192.168.6.0 255.255.255.0 object-group NM1731
  access-list outside_access_in extended permit tcp 173.197.144.48 255.255.255.248 host 99.89.69.334 object-group RDP
  access-list outside_access_in extended permit tcp any interface outside eq 3389
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333
  access-list outside_access_in extended permit tcp host 66.237.238.194 host 99.89.69.333 object-group rdp
  access-list outside_access_in extended permit tcp any host 99.89.69.333 object-group rdp
  access-list out_in extended permit tcp any host 192.168.6.2 eq 3389
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-524.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp 99.89.69.334 3389 192.168.6.1 3389 netmask 255.255.255.255
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  access-group outside_access_in in interface outside
  route outside 0.0.0.0 0.0.0.0 99.89.69.338 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  http server enable
  http 192.168.6.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto map outside_map 1 match address outside_1_cryptomap
  crypto map outside_map 1 set peer 68.156.148.5
  crypto map outside_map 1 set transform-set ESP-3DES-MD5
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 1
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd auto_config outside
  tunnel-group 68.156.148.5 type ipsec-l2l
  tunnel-group 68.156.148.5 ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:f47dfb2cf91833f0366ff572eafefb1d
  : end
  ciscoasa(config-network)#

  Unclear what did not work.  In your original post you include said some commands were added but don't work:
  static (inside,outside) tcp interface 3389 192.168.6.2 3389 netmask 255.255.255.255
  and later you state you add another command that gets an error:
  static (inside,outside) tcp 99.89.69.333 3389 192.168.6.2 3389 netmask 255.255.255.255
  You also stated that 99.89.69.333 (actually 99.89.69.233, guessing from the rest of your config and other posts) is your WAN IP address.
  The first static statement matches Cisco's documentation, which states that a static statement must use the 'interface' directive when you are trying to do static PAT utilizing the IP address of the interface.  Since 99.89.69.333 is the assigned IP address of your WAN interface, that may explain why the second statement fails.
  Any reason why you are using static PAT (including the port number 3389) instead of just skipping that directive?  Static PAT usually makes sense when you need to change the TCP port number.  In your example, you are not changing the TCP port 3389.

• Need help with setting up VPN on a Cisco EPC3925 Modem

  Hi everyone,
  I need help setting VPN on Cisco EPC3925 modem (I tried using Help and I have read the entire section in the manual but the manual is not the same as the window I get in my settings. For example in the manual they say I can choose "all" under Remote Secure Gateway but there is no option like that).
  When I go to the VPN section this is what I get:
  1. Does this mean that I can connect to my modem via VPN from some other location? I would like to be able to connect to this modem when I am not at home from some remote location from my computer in order to be able to use NAS-Storage.
  2. If the answer on the first question is yes, what settings I need to enter for the:
  Local Secure Group
  Remote Secure Group
  Remote Secure Gateway
  My ISP is using dynamic IP but I have DDNS.
  My router local IP is 192.168.0.1
  Subnet: 255.255.255.0
  Starting IP Address: 192.168.0.10
  Here is how the advanced settings looks like:
  Thanks in advance for your help!

  My problem similar too this. I create a tunnel between two epc3925 but impossible to send data between them.
  The status is connected.  What can I do? UPC tell me this router has only vpn client so i will doesn't work.

• I can't find and stet up the Cisco packet tracer program in my Macbook , i need help?

  i can't find and stet up the Cisco packet tracer program in my Macbook , i need help?

  Check my post
  http://rafavg77.wordpress.com/2013/09/07/como-empaquetar-packet-tracer-exe-a-una -app-nativa-en-mac-os-x/
  I think it will help, sorry for my english

• Need Help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect

  Hi All,
  I need help on Configuring the Site to Site VPN from Cisco 2811 to Websense Cloud for web Traffic redirect
  2811 having C2800NM-ADVIPSERVICESK9-M
  2811 router connects to the Internet SW then connects to the Internet router.
  Note- For Authentication am using the Device ID & Pre share key. I am worried as all user traffic goes with PAT and not firing up my tunnel for port 80 traffic. Can you please suggest what can be the issue ?
  Below is router config for VPN & NAT
  crypto keyring ISR_Keyring
    pre-shared-key hostname vpn.websense.net key 2c22524d554556442d222d565f545246
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp keepalive 10
  crypto isakmp profile isa-profile
     keyring ISR_Keyring
     self-identity user-fqdn [email protected]
     match identity user vpn-proxy.websense.net
  crypto ipsec transform-set ESP-NULL-SHA esp-null esp-sha-hmac
  crypto map GUEST_WEB_FILTER 10 ipsec-isakmp
  set peer vpn.websense.net dynamic
  set transform-set ESP-NULL-SHA
  set isakmp-profile isa-profile
  match address 101
  interface FastEthernet0/1
  description connected to Internet
  ip address 216.222.208.101 255.255.255.128
  ip access-group HVAC_Public in
  ip nat outside
  ip virtual-reassembly
  duplex full
  speed 100
  no cdp enable
  crypto map GUEST_WEB_FILTER
  access-list 101 permit tcp 192.168.8.0 0.0.3.255 any eq www
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.187 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.181 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 host 85.115.41.182 log
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.216.0 0.0.1.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 116.50.56.0 0.0.7.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 86.111.220.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 103.1.196.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 177.39.96.0 0.0.3.255
  access-list 103 deny   ip 192.168.8.0 0.0.3.255 196.216.238.0 0.0.1.255
  access-list 103 permit ip 192.168.8.0 0.0.3.255 any
  ip nat pool mypool 216.222.208.101 216.222.208.101 netmask 255.255.255.128
  ip nat inside source list 103 interface FastEthernet0/1 overload
  ip nat inside source route-map nonat pool mypool overload

  How does Websense expect your source IPs in the tunnel? 192.168.8.0 0.0.3.255 or PAT'ed 216.222.208.101 ?
  Check
  show crypto isakmp sa
  show crypto ipsec sa
  show crypto session
  You'd better remove the preshared key from your post.

• Help with Cisco RV180 VPN

  I have installed the Cisco RV180 VPN at a customer location.
  Because this customer makes credit card transactions over the Internet, their merchant account requires a third-party to perform a security scan on the gateway.  When scanning, the third-party states they are not in compliance with this report:
  THREAT REFERENCE
  Summary:
  TLS Protocol Session Renegotiation Security Vulnerability
  Risk: High (3)
  Port: 443
  Protocol: TCP
  Threat ID: misc_opensslrenegotiation
  Details: Multiple Vendor TLS Protocol Session Renegotiation Security Vulnerability
  06/11/12
  CVE 2009-3555
  Multiple vendors TLS protocol implementations are prone to a  security vulnerability related to the session-renegotiation process  which allows man-in-the-middle attackers to insert data into HTTPS  sessions, and possibly other types of sessions protected by TLS or SSL, by  sending an unauthenticated request that is processed retroactively by a  server in a post-renegotiation context.
  Information From Target:
  Service: 443:TCP
  Session Renegotiation succeeded on 443:TCP
  They are using the QuickVPN Client to connect and must be able to connect from anywhere in the world.  From my understanding, port 443 must be opened for the QuickVPN Client to function.  How do I block port 443 from everyone except the QuickVPN Client?  Or how do I configure the RV180 to satisfy the above threat?
  Thanks in advance for any information you can provide.

  Hi,
  following config is for cisco VPN client access with dynamic allocation and split-tunnel.
  Hope this helps, please rate post if it does!
  aaa new-model
  aaa authentication login userauthen local
  aaa authorization network groupauthor local
  username vpnc password 0 userpass
  crypto isakmp client configuration group vpncg
  key grouppass
  dns 4.2.2.1
  wins 10.59.2.10
  domain domain.com
  pool ip-pool
  acl 108
  crypto ipsec transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  crypto map clientmap client authentication list userauthen
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  interface FastEthernet0/0
  ip nat outside
  crypto map clientmap
  interface vlan1
  ip address 10.59.2.1 255.255.255.0
  ip nat inside
  ip local pool ip-pool 10.0.230.1 10.0.230.20
  access-list 108 remark VPN client split tunnel
  access-list 108 permit ip 10.59.2.0 0.0.0.255 10.0.230.0 0.0.0.255

• I need help with Cisco IFS

  All,
  Background Information:
  I am a network engineer and I manage a small business network. The network consists of a couple of 3750G access switches and 2 6503-E switches (one of these also serves as an access layer switch). I am looking to upgrade my IOS on my external facing switch so that I can use a 16 port 10Gbe ethernet module. In this switch, I have a SUP-720 3B in slot 1, a 16 fiber port 10Gbe ethernet moduld in slot 2 (not online yet), and a 48 copper port 1Gbe ethernet module. In the SUP-720, I have one CompactFlash card in disk0.
  This is where I need help:
  Like I said, I'm trying to upgrade my IOS software in order to support my new ethernet line card. I know that the images are stored in flash memory. However the IFS on my switch seems to be confusing. He is a print out of the cd ? command:
  bootflash:
  cns:
  const_nvram:
  dfc#3-bootflash:
  disk0:
  disk1:
  flexwan-fpd:
  null:
  nvram:
  sup-bootdisk:
  sup-bootflash:
  sup-image:
  sup-microcode:
  syslog:
  system:
  tar:
  tmpsys:
  <cr>
  Can someone please tell me what all of these directories are used for???? I'm not sure where to store the IOS image. When I change directories to sup-bootflash: it looks like it has the same contents as sup-bootdisk. Also, when I list the contents in disk0:, sup-bootflash shows up in there. Is this just a soft link to that directory? I'm really confused and would like to know what all of these directories are used for. Does anyone know of a good white paper that explains the function of these directories?
  Thanks,
  Manny

  Manny
  I am not prepared to try to explain all the directories, which is a pretty good question. But I can answer the most important of your questions. Put the new image into sup-bootflash.
  HTH
  Rick

• NEED HELP PLEASE Setting up 2 VLANS and a redundant WAN connection

  I have a remote branch office which is actually a huge bar/lounge. The bar wants to enable patrons to access the Internet with their wireless laptops. I want to prevent those patrons from accessing our private network, and also prevent them from traversing our static VPN tunnel back to HQ.
  The bar processes all credit cards via the T1 connection, and this has caused us to lose money every time the T1 goes down while we're open, since there is no WAN redundancy right now.
  Here is my current hardware configuration:
  1) one PIX 501 50-user 3des.
  2.) two Dell 3024
  3.) one Aironet 1100(g) AP.
  Current LAN Network: 10.35.35.0
  (internal employees only, static VPN tunneled to remote HQ network)
  Current Wireless SSID's:
  SSID1=PRIVATESSID
  SSID2=PUBLICSSID (not currently in use, waiting to figure this out)
  Current WAN: one T1 connection.
  WHAT I WOULD LIKE TO DO AND NEED HELP FIGURING OUT:
  #1a) I want to create two separate VLAN's that are able to share the WAN connection, but not be able to "see" each other.
  #1b) These VLAN's would be mapped to their respective SSID's on the AP (PRIVATESSID>10.35.35.0 and PUBLICSSID>192.168.1.0).
  #1c) The 192.168.1.0 network should not be able to traverse the static tunnel between the branch site and HQ.
  #2) I would like to install a backup WAN connection such as a modem 56k dial-up to an ISP or a cable modem to an ISP. In case the primary T1 goes down, I would like the router to automatically dial out over the modem conection and route all Internet bound traffic over that backup WAN connection, until the primary comes back online.
  Question 1:
  I'm assuming I need a router to do the intervlan routing. Could this router also do the on-demand WAN backup dialing to an ISP via analog modem?
  What IOS version and flavor (IP base, IP+, etc.) would I need? What is the cheapest router I can do all that with (i.e. 2620/2621/1720/3600 series)? What WIC's or NM's would I need?
  Question Two:
  I would like to prioritize PRIVATESSID's traffic over PUBLICSSID's traffic, which I know I can do on the access point. Can I do this on the router so that any 10.35.35.0 traffic takes priority over any 192.168.1.0 traffic?
  Question Three
  If the primary T1 WAN connection goes down, I don't want the router to re-route the 192.168.1.0 traffic over the backup 56k dial-up WAN connection. That traffic can wait until the T1 comes back up.
  Any help you can provide would be very much appreciated.

  Assuming your access points can place SSID into separate vlans and support 802.1q trunks then I can attempt to answer your questions. There are seperate secuity issues with both SSID for protection and VLANs for seperation but in your case in may be minimal.
  q1
  Any cisco router that will run 802.1q trunking will work. Since you are looking at older routers you will need IP+ to get it. Even 2610's will support 802.1q on their 10m ethernet at the correct code level but 10m and 802.1q is sorta nonstandard. Since your backup is only 56k you can use the internal modem port as a dial backup. A wic-2a/s will also work if you prefer not to use the modem port. You will need some wic to run your t1 line. If you are planning to leave the t1 on another router it makes the next 2 questions much harder.
  q2
  This is fairly simple and depends on your ios level. "priority queing" is supported on even the older software. I assume you do not control the far end of the t1 line since it sounds as if this goes to a ISP.
  You will need to have them do the QoS since most issues with the internet are inbound and not outbound. You can only control outbound traffic.
  q3
  If the T1 is on the same router then this is fairly simple. You can just put a floating static default route in that will cause the dialer to come up if the the t1 goes down. There is no easy way to protect against the line being up but no traffic passing. This is also why it would be best to have the t1 on the same router. If its not you will need to get very creative to solve this. You could build a GRE tunnel to a remote location and montior the tunnel or run a routing protcol over the tunnel. In the newest software you could use SAA and policy routing to force the traffic over the dialer but the router must support ios 12.4.
  3a. You mentioned a cable modem as a backup. That can be much easier sometimes since it is all routing and no dialer interfaces with nasty modem issues. This does not make the issue of the t1 not on the same router easier.

• 802.1x EAP-PEAP over Ethernet need help !!!

  I am trying to get wired 802.1x EAP-PEAP to work and after spending about 8 hours
  troubleshooting this, I am not sure what else to do.  Need help.  Here
  is the scenario:
  - Cisco Catalyst 3350 switch running IOS versionc3550-ipservicesk9-mz.122-44.SE6.bin,
  - Steelbelted/JUniper Radius Server version 6.1.6 on a windows 2003 server
  with IP address of 129.174.2.7.  This device is connected to the same switch above.
  Firewall is OFF on the server, allow ALL,
  - Windows 2003 Enterprise Server supplicant with the latest Service pack and patches.  Again,
  Firewall is OFF on the server, allow ALL.  Juniper has verified the configuration settings
  on the Supplicant machine.  The supplicant has a static IP address of 129.174.2.15, same subnet
  as the radius server, I just want enable EAP-PEAP so that user is forced to authenticate before
  the port is activate to be "hot".
  - Juniper TAC has verified the configuration on the Steelbelted radius for eap-peap
  and that everything is looking fine,
  I have verified that the switch can communicate fine with the radius server.
  - Configuration on the switch for 802.1x:
  aaa new-model
  aaa authentication dot1x default group radius
  radius-server host 129.174.2.7 auth-port 1812 acct-port 1813 key 123456
  interface FastEthernet0/39
    description windows 2003 Supplicant
    switchport access vlan 401
    switchport mode access
    dot1x port-control auto
    no spanning-tree portfast (does not matter if this is enable or disable)
  lab-sw-1#
  .May 20 07:52:47.334: dot1x-packet:Received an EAP request packet from EAP for mac 0000.0000.0000
  .May 20 07:52:47.338: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1  data:
  .May 20 07:52:47.338: EAPOL pak dump Tx
  .May 20 07:52:47.338: EAPOL Version: 0x2  type: 0x0  length: 0x0005
  .May 20 07:52:47.338: EAP code: 0x1  id: 0x2  length: 0x0005 type: 0x1
  .May 20 07:52:47.338: dot1x-packet:dot1x_txReq: EAPOL packet sent out for the default authenticator
  lab-sw-1#
  lab-sw-1#sh dot1x interface f0/39
  Dot1x Info for FastEthernet0/39
  PAE                       = AUTHENTICATOR
  PortControl               = AUTO
  ControlDirection          = Both
  HostMode                  = SINGLE_HOST
  Violation Mode            = PROTECT
  ReAuthentication          = Disabled
  QuietPeriod               = 60
  ServerTimeout             = 30
  SuppTimeout               = 30
  ReAuthPeriod              = 3600 (Locally configured)
  ReAuthMax                 = 2
  MaxReq                    = 2
  TxPeriod                  = 30
  RateLimitPeriod           = 0
  lab-sw-1#
  I am at a complete lost here.  don't know what else to do.  Someone with expertise in this realm please
  help me how to make this work.
  Many thanks in advance,

  #1:  dot1x system-auth-control is already in the switch configuration
  #2:  Not sure if you're already aware, the minute I entered "dot1x port-control auto", the command "dot1x pae authenticator" automatically appears on the interface configuration
  The case is being worked on by Cisco TAC.  One of the issues is the windows 2003 server supplicant refuses to work.  Windows XP supplicant uses machine-authentication instead of user-authentication.  Cisco TAC is looking into this issue.

• Need help with modifying IDS Sensor in WLC; Null Probe Response problem.

  I need help in figuring out how to handle a NULL Probe Response report we are getting from our WCS.
  We are getting the following alert from our WCS:
  1. Message: IDS 'NULL probe resp 2' Signature attack cleared on AP 'XXXAP_#2' protocol '802.11b/g' on Controller '161.201.97.8'. The Signature description is 'NULL Probe Response - No SSID element'. - Controller Name: XXX-XXXX-XX
  And
  1. Message: IDS 'NULL probe resp 2' Signature attack detected on AP 'XXXAP#2' protocol '802.11b/g' on Controller '161.201.97.8'. The Signature description is 'NULL Probe Response - No SSID element', with precedence '3'. The attacker's mac address is 'ac:86:74:1e:15:5f', channel number is '5', and the number of detections is '1'. - Controller Name: XXX-XXXX-XX.
  Is this something to be concerned with in terms of a potential attack, or should I ignore these types of emails?
  According to a previous post here: https://supportforums.cisco.com/discussion/10731846/wireless-system-has-detected-possible-intrusion-attack-signature    I need to modify my IDS Signature folder in the WLC. I have no idea how to modify the file itself into the format needed to prevent these intrusions. Could somebody please help me correctly enter the right format needed for this file, or correct me in my thinking. I assume I'm in the right direction but if anyone has further information that could be helpful it would be greatly appreciated. Thanks in advance.

  The IDS signatures are stored in a file called wlc-sig_std.sig. That file can be edited via GUI by navigating to Security > Wireless Protection Policy > Standard Signatures. The links that you shared contain links to Cisco documentation that leave out the important parts of the documentation. The only way to get that documentation is to pull the existing signatures from the WLC using Commands > Upload File. Read that file for details on the syntax, then adjust your values in the GUI. I've attached a text document with the standard signature file.

• Need help for access list problem

  Cisco 2901 ISR
  I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
  I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
  Anybody can help?
           DENY       10.25.0.1 – 10.25.0.255
                            10.25.1.1 – 10.25.1.255
  Permit only 1 host for Internet
                  10.25.7.136  255.255.255.192 ------ TMG Server
  Using access-list.
  ( Current configuration  )
  object-group network IP
  description Block_IP
  range 10.25.0.2 10.25.0.255
  range 10.25.1.2 10.25.1.255
  interface GigabitEthernet0/0
  ip address 192.168.2.3 255.255.255.0
  ip nat inside
  ip virtual-reassembly in max-fragments 64 max-reassemblies 256
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description ### ADSL WAN Interface ###
  no ip address
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface ATM0/0/0
  no ip address
  no atm ilmi-keepalive
  interface Dialer1
  description ### ADSL WAN Dialer ###
  ip address negotiated
  ip mtu 1492
  ip nat outside
  no ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
  ip nat inside source list 101 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 10.25.0.0 255.255.0.0 192.168.2.1
  access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  access-list 105 deny   ip object-group IP any
  From the 4500 Catalyst switch
  ( Current Configuration )
  interface GigabitEthernet0/48
  no switchport
  ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
  ip route 0.0.0.0 0.0.0.0 192.168.2.3

  Hello,
  Host will can't get internet connection
  I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  and change the configuration ....      ip access-list extended 101
                                                              5 permit ip host 10.25.7.136 any
  In this case I will allow only host 10.25.7.136 but it isn't work.
  No internet connection from the TMG Server.