Cisco Transparent firewall and cisco switch issues.
Dears,
I have a very plain scenario
LAN cisco switch <2 vlans> ----------> cisco transparent firewall with bvi interface ------------> crypto box ---------> cisco router ------ <remote/other site>
I have vlan 61 configured on the bvi interface of the firewall, the crypto box and also on the switch port, and vlan 61 is up up.
The issue is I can connect remotely to the cisco transparent firewall but cannot ping or connect to the cisco switch.
Need to know some troubleshooting tips and basic settings that I need to verify. I simply want the lan switch with 2 vlans to pass through the cisco transparent firewall and go to the other site/remote site.
Well,
I have turned on ICMP inspection for the sessions, and the version I am using is 9.1.
Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the ACL during the show access-list command.
I have requested the client to verify his part. Do let me know further tips if you have any.
[ moreover we cannot try to use packet-tracer from cli in transparent mode ]
Similar Messages
-
Recording for Cisco IP Phones and Cisco C90 Codec
Hello
We are looking for a solution that is capable to record both Cisco IP Phones and Cisco Codec C90.
We are using CUCM 9.X for IP Phones and VCS 7.X for Cisco Codecs.
Is there any third party solution available for both the requirements, or do I have to go with TCS and any other third party recording solution?
Thanks & Regards
Aniket Patil

My reply may be too late to be of any help to you, but for the benefit of others:
Be sure you understand the different types of PoE out there. The Linksys PoE switch only supports the newer IEEE 802.3af PoE standard.
The 7940, 7960, 7905 and other older Cisco phones only support Cisco pre-standard PoE and thus will not work with the 802.3af Linksys Switch.
To use this switch, you will need to make sure you are using the newer 7070, 7961, 7941 phones which support both pre-standard and 802.3af PoE.
All the best,
John -
Cisco Prime network and cisco prime infrastructure
Hi,
What is the difference between Cisco Prime Network and Cisco Prime Infrastructure?
Please advise.

I assume you are asking about Cisco Prime LAN Management System (LMS) vs. Cisco Prime Infrastructure (PI).
LMS is currently the leading Cisco offering for wired infrastructure management. It is the evolution of the earlier CiscoWorks LMS, CiscoWorks RWAN, CiscoWorks 2000, CWSI, VLAN Director, original CiscoWorks classic etc. products going back almost 20 years.
PI is the equivalent Cisco offering for wireless LANs and is the successor to NCS and WCS products.
The overlap and confusion come from the fact that Cisco is positioning PI as the overall wireless and wired management platform and gradually introducing wired network management features to make it equal (and eventually exceed) LMS's capabilities.
There is a comparison table here that shows the current differences. A major new release of PI (2.0) is due out shortly which will close many (but not all) of the gaps on that table. -
Difference between cisco NAC agent and cisco Clean Access Agent
Hi all,
If anyone has an idea about the difference between the cisco NAC agent and the cisco Clean Access Agent, please share your ideas.
Thank you

In 4.6, the agent was overhauled and is now called the NAC agent. Previous versions were referred to as the Clean Access Agent. So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging. -
Difference between cisco prime infrastructure and cisco WCS
Can you explain to me the difference between cisco prime infrastructure and cisco WCS? I'm a little bit confused...
Thanks..

Hi Hasan,
In terms of features...You can say PI is more advanced version of WCS and NCS. All the stuff possible in WCS/NCS can be done on PI as well.
But from the architecture perspective , there are differences. If I remember correctly , WCS is based on 32 bit OS while NCS and PI based on 64 bit OS. For the same reason you cannot do inline upgrade from WCS to PI via any path and will have to change the platform/Hardware itself before moving to PI. However , inline upgrade from NCS to PI is possible if we follow the correct path.
Regards
Dhiresh
**Please rate helpful posts** -
Cisco LAN Management Solution is required to support Cisco Nexus 5548P and 5596UP switches?
Hi,
Could someone help to know what Cisco LAN Management Solution is required to support Cisco Nexus 5548P switches and Cisco Nexus 5596UP switches?
These new Cisco switches are being implemented on the customer network and he has asked us that these devices be supported on an LMS solution (the customer is currently using LMS 3.2.1).
Can someone help?
Thanks in advance,
guruiz

Some very limited Nexus support is present in LMS 3.2.1 - see the supported device table here.
To get more complete support, including the 5596UP, they need to upgrade to LMS 4.x (e.g. LMS 4.2.2 is the latest and is sold under the Cisco Prime Infrastructure 1.2 umbrella). The major upgrade from 3.x to 4.x requires purchasing an upgrade license.
Some functions (namely User Tracking ) will not be available on the 5k due to non-support of the requisite MIB on the device. I believe LMS still doesn't let you do VLAN management on 5k's - you need to use DCNM for that if you want to do it from a GUI.
See the table here for LMS 4.2 device support. -
Cisco Network Assistant, and Linksys Switches?
Hi all,
Given that Cisco owns Linksys, that CNA seems aimed at the small/medium business market, and that many of those businesses (like me) probably mix and match Linksys managed switches (like the SRW series) as leaf switches hanging off other higher end Cisco network gear, it seems to me that making CNA capable of discovering and managing those Linksys switches would make a lot of sense.
Is there any hope or plan for this in the future?
-Kyle

I would like to see this as well. I have nine Linksys SRW2024 units and it is a pain to go into each one separately. I am used to the Cisco Network Assistant and it would greatly help if they could talk to LinkSys smart switches. Please!
-Milt Hull -
Cisco Sensor 1040 and Cisco Prime Collaboration Assurance 9.0
Hey Guys,
We have set up Cisco Prime CA and are trying to hook a Sensor onto it. The sensor is searching for a few .cnf files over tftp. Where can I find these files?
PS: if this is the wrong place please tell me where to post this.
Thanks
Varadarajan.R

Hello Varda,
It seems as if the 1040 sensors are not finding the TFTP server. The TFTP server list should not contain IP addresses with the values 32 or 92 in their octets.
1. The 1040 needs to learn of the TFTP by DHCP option 150.
2. Please make sure that it is set on your DHCP server.
3. To confirm that the 1040 sensor is receiving the TFTP IP open a web browser and type http:// and see if the TFTP address field is showing the IP.
4. If it is then you might also need to restart the TFTP service on the CUCM so that the 1040 can download the cnf and image files.
Attached is the userguide for 1040. Go through it and this should be able to resolve your issue.
This is another method to check that the sensor is fine.
First step: download and install the WinAgents TFTP server.
Enter Service Monitor Server Configuration / sensor1040, and in TFTP server enter the IP address (WinAgents TFTP server) and go to SETUP.
In setup put your IP address in PRIMARY SERVICE MONITOR and push OK; you will see the server write a file in the TFTP server.
Next STEP
Go to MANAGEMENT and add a new sensor; you need the MAC address. Remember the second port on the sensor is the SPAN port. You can make a second file in the TFTP server.
Next STEP
Go to the service monitor server and copy the file *.img CSCOpx/
Next STEP
Find option 150 on your DHCP server (switch) and put in the IP address of your TFTP server. When the sensor is powered off and on, it searches for the TFTP server and for the files to autoconfigure and register to the service monitor. When the test is OK,
it's time to change from the WinAgents TFTP server to the CallManager TFTP server.
Hope this helps
Thanks & Regards,
Venkitesh -
Transfer VOIP Calls Between Cisco Desk Phone and Cisco Jabber For IPhone 9.5
Does anyone know how to transfer an active voip call from a Cisco IP Desk Phone to Cisco Jabber for IPhone? I can transfer a call from Cisco Jabber for IPhone to my Cisco IP Desk Phone no problem. I put the call on hold and then click "Resume" on my Cisco IP Desk Phone. However I cannot do the same but the other way around. If I put the call on hold on my Cisco IP Desk Phone, I see "no active call" on my Jabber client. The only information I could find slightly relevant was using the Mobility Key/Remote Destination Profile feature, however this defeats the object as this will forward to an external number, e.g. mobile, and I just want to transfer the call within the VOIP environment between the two devices that are using the same directory number.
I am using Cisco Call Manager 9.1(2), Cisco Presence 9.1 and Cisco Jabber for IPhone 9.5.
Any help would be greatly appreciated.
Kind Regards,
Paul Parker.

Did you ever find an answer to this?
I am seeing the same behavior and trying to see if I can put calls on hold and pick them up both ways also.
The only answer I seem to have found is to use park instead
That would/should work but I would just prefer to hold/unhold
Just not sure why we would not be able to hold/unhold on what is essentially a "shared" line
Does anyone have this working for them ? -
Difference between Cisco Prime Infrastructure and Cisco Prime NCS
Dear All,
I am currently confused in choosing what type of Cisco Prime.
1. Which one should I choose? Should I order Cisco Prime NCS or directly purchase Cisco Prime Infrastructure (since Cisco Prime Infrastructure has the features of NCS)?
2. Why does Cisco not just remove the Cisco Prime NCS ordering Part Number since Cisco Prime Infrastructure already covers the NCS?
Please advise me

Hortono,
I started to write a long and lengthy msg about my experience with this, but instead, let me direct you to the horse's mouth. There have been weekly webinars in regards to Cisco Prime (many different products under this headline) including Infrastructure. I believe the Cisco PI is actually scheduled for Thursdays, so hopefully you'll look at this in time to catch it and ask your questions from the gurus.
https://ciscosales.webex.com/ciscosales/j.php?J=200462944&PW=NMzhhNjM5OGU3
Looks like this may be the last week, catch it if you can. -
Cisco Unified Presence and Cisco CCX Integration.
Hi,
Please suggest how to integrate Cisco Unified Presence with Cisco UCCX. What are the configuration are to be done on Cisco Unified Presence and CCX.
Any good documents..
Appreciate your response.
Regards,
Manish.

Hi,
The easiest thing to do is get CUPC working with the agent's credentials. Once that is working, you know that the CUPS piece is right. The document supplied previously shows the very limited CAD configuration that is required. This should go fine once you get CUPC working with the agent's information.
Keep in mind that CUPC is not the same as CAD and there are important differences:
1. You need to add an Inbound ACL to the CUPS server to allow connections from the CAD PCs as CAD does not support Message Digest as CUPC does. This is CSCtb50109.
2. CAD does not escape special characters in the password, so use a password without special characters. This is CSCtf25959. -
Cisco WLC5760 Fail and Cisco NAC Guest v2.0
Hello,
I have a problem using a Cisco WLC5760 v3.3.1SE and a Cisco NAC Guest v2.0.
Can anyone help me to synchronise the Cisco WLC5760 v3.3.1SE and Cisco NAC Guest v2.0?
Thank you for your help.

Hi Adoncamille,
I have the same problem with my 5760 and NAC Guest Server. Did you fix the problem?
Best Regards,
Marco Muñoz -
Connectivity Issue between ASA 5520 firewall and Cisco Call Manager
Recently i have installed ASA 5520 firewall, Below is the detail for my network
ASA 5520 inside ip: 10.12.10.2/24
Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
Cisco Call Manager 3825 IP: 10.12.110.2/24
The users and the IP phones are getting IPs from the DHCP server which is configured on the cisco 3560 Switch.
The Default Gateway for Data users is 10.12.10.2/24 and
for the voice users is 10.12.110.2/24
Now the problem is that the users are not able to ping 10.12.110.2 call manager. Please, if somebody can help in this regard, I will appreciate a prompt response on this issue.

Actually I don't want to insert a new subnet and complicate the network. I need a simple way to solve the problem. Below are the details of the asa 5520 config.
ASA Version 8.2(1)
name x.x.x.x Mobily
interface GigabitEthernet0/0
nameif inside
security-level 99
ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp
service-object ip
service-object icmp
service-object udp
service-object tcp eq ftp
service-object tcp eq www
service-object tcp eq https
service-object tcp eq ssh
service-object tcp eq telnet
access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu mgmt 1500
ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-641.bin
asdm history enable
arp timeout 14400
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 1 Inside-Network 255.255.255.0
route outside 0.0.0.0 0.0.0.0 Mobily 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http Mgmt-Network 255.255.255.0 mgmt
http Inside-Network 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
telnet Inside-Network 255.255.255.0 inside
telnet timeout 5
ssh Inside-Network 255.255.255.255 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy RA_VPN internal
group-policy RA_VPN attributes
dns-server value 86.51.34.17 8.8.8.8
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value RA_VPN_splitTunnelAcl
username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
address-pool VPN-Users
default-group-policy RA_VPN
tunnel-group RA_VPN ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
: end -
Cisco SG300 - IGMP and multiple switches
Hi all,
I have read through various Cisco documents and tried various configurations and I have been unsuccessful.
Here is the network layout
Cisco SG300-10 in Layer 3 mode, managing all VLANS created and inter-vlan traffic is working fine
Ports 1-4 are in LAG 1 with LACP enabled, Ports 5-8 are in LAG 2 again with LACP enabled, port 9 is connected to the ASA 5505 (Trunk port, all VLANS) and port 10, again a trunk port I use for management
LAG 1 and 2 are connected to Cisco SG300-52 switches
again traffic between the switches is working ok, what we would like to do is the following
on VLAN 7, we have multiple devices streaming using UDP multicast, what we would like to do is allow PC's on VLAN 5 to be able to pick up these streams as and when they need to, the devices broadcast on their own unique UDP ranges
Could someone please explain to me what I need to configure on the Layer 3 switch and the other two Layer 2 switches in order for this to work?
If i put a port into VLAN 7 and can view the stream without a problem, also if there is any fine tuning to be done once this is working
Thanks
Andy

Jason,
The only advantage you would get from using SFPs (fiber transceivers) in the GBIC slots would be if you needed to make a run of over 100m between the switches. Unless you have a very large property with switches at either end you are just as well to use the copper ports in the setup you described. There is also nothing wrong with chaining the SG100s together if necessary to free up a port on the RV320. The only other thing to consider is if you are using VLANs. Each unmanaged SG100 will only pass a single VLAN so if you need segregated distribution coming from the RV320 you would need to put each SG100 on its own port. Or, you could run a trunk from a port on the RV320 to your SG200 and then split off your untagged VLANs from there. Hope this answers your question and have a nice day.
Regards,
Mike.V -
RPS and Cisco Catalyst 2950 and 3550 switches
We are doing experiments with RPS and CC 2950 and 3550. When we unplug the main power, the RPS takes over and feeds the switch with power. But when we plug the main power back again, the switch continues to take power from the RPS. How is the power redundancy achieved with CC 2950 and/or 3550s?
Thanks in advance,
Dardan

You will need to press the active/standby button on the RPS for the internal power supply in the switch to take over. Note that this can cause the switch to reload, so do it in your maintenance window if this switch is in production.
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdx81023