Cisco Transparent firewall and cisco switch issues.

Dears,
I have a very plain scenario
 LAN cisco switch <2 vlans>  ----------> cisco transparent firewall with bvi interface ------------>  crypto box ---------> cisco router ------ <remote/other site>
I have vlan 61 configured on the bvi interface of the firewall, the crypto box and also on the switch port, and vlan 61 is up/up.
The issue is I can connect remotely to the cisco transparent firewall but cannot ping or connect to the cisco switch. ???
Need to know some troubleshooting tips and basic settings that I need to verify. I simply want the lan switch with 2 vlans to pass through the cisco transparent firewall and go to the other site/remote site.

Well,
I have turned on icmp inspection for the sessions, and the version I am using is 9.1.
Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the acl during the show access-list command.
I have requested the client to verify his part. Do let me know further tips if you have any.
[ moreover we cannot try to use packet-tracer from cli in transparent mode ]
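The poster is reading `show access-list` hit counts by eye across repeated pings. The script below is an added example (not from this thread or from Cisco) that diffs two captures of that command and reports which access-control entries actually matched in between. The two captures are constructed to resemble ASA 9.x output; the ACL names, line numbers and hash values are made up. It also illustrates one point worth knowing when ACL counters are used for troubleshooting: with ICMP inspection enabled, echo-replies are matched to the existing connection and do not increment an inbound ACE on the outside interface, so a flat counter there is not by itself evidence that replies are being dropped.

```python
"""Diff two snapshots of ASA `show access-list` output and list the ACEs
whose hit counts increased.  Added example; sample output is constructed."""
import re
from typing import Dict, List, Tuple

# One ACE per line: "access-list NAME line N <rule> (hitcnt=H) 0x<hash>".
# Summary lines ("access-list NAME; 3 elements; ...") carry no " line " token
# and are skipped by the regex.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)"
)

# Constructed capture taken before a burst of pings inside -> outside.
BEFORE = """\
access-list inside_in; 3 elements; name hash: 0x1234abcd
access-list inside_in line 1 extended permit icmp any any (hitcnt=40) 0x0a1b2c3d
access-list inside_in line 2 extended permit tcp any any eq ssh (hitcnt=3) 0x0a1b2c3e
access-list inside_in line 3 extended deny ip any any log (hitcnt=7) 0x0a1b2c3f
access-list outside_in; 2 elements; name hash: 0x5678ef01
access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b1b2c3d
access-list outside_in line 2 extended deny ip any any log (hitcnt=12) 0x0b1b2c3e
"""

# Constructed capture taken after five pings.  The inbound permit on
# outside_in stays at 0 because ICMP inspection handles the replies; the
# explicit deny on outside_in grew because of unrelated unsolicited traffic.
AFTER = """\
access-list inside_in; 3 elements; name hash: 0x1234abcd
access-list inside_in line 1 extended permit icmp any any (hitcnt=45) 0x0a1b2c3d
access-list inside_in line 2 extended permit tcp any any eq ssh (hitcnt=3) 0x0a1b2c3e
access-list inside_in line 3 extended deny ip any any log (hitcnt=7) 0x0a1b2c3f
access-list outside_in; 2 elements; name hash: 0x5678ef01
access-list outside_in line 1 extended permit icmp any any echo-reply (hitcnt=0) 0x0b1b2c3d
access-list outside_in line 2 extended deny ip any any log (hitcnt=15) 0x0b1b2c3e
"""


def parse_show_access_list(text: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (acl name, line number) -> (rule text, hit count)."""
    entries: Dict[Tuple[str, int], Tuple[str, int]] = {}
    for raw in text.splitlines():
        m = ACE_RE.match(raw.strip())
        if m:
            entries[(m["acl"], int(m["line"]))] = (m["rule"], int(m["hits"]))
    return entries


def hit_deltas(before: str, after: str) -> List[Tuple[str, int, str, int]]:
    """Return (acl, line, rule, increase) for every ACE whose count grew.

    An ACE missing from the earlier capture counts as having started at 0.
    """
    b = parse_show_access_list(before)
    a = parse_show_access_list(after)
    deltas = []
    for key, (rule, hits_after) in sorted(a.items()):
        hits_before = b.get(key, (rule, 0))[1]
        if hits_after > hits_before:
            deltas.append((key[0], key[1], rule, hits_after - hits_before))
    return deltas


def deny_hits(before: str, after: str) -> List[Tuple[str, int, str, int]]:
    """Subset of hit_deltas() for deny entries: the drops worth investigating."""
    return [d for d in hit_deltas(before, after) if d[2].split()[1] == "deny"]


if __name__ == "__main__":
    for acl, line, rule, inc in hit_deltas(BEFORE, AFTER):
        print(f"{acl} line {line}: +{inc}  {rule}")
    print("deny entries that grew:", [f"{a} line {l}" for a, l, _, _ in deny_hits(BEFORE, AFTER)])
```

Capture the command twice on the real device (before and after the test traffic), save each to a file and pass the file contents to `hit_deltas`; a growing `deny` entry is the one to read back in the logs, while a permit that grows on the ingress interface with no reply traffic points at the far side rather than at the firewall's policy.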

Similar Messages

  • Recording for Cisco IP Phones and Cisco C90 Codec

    Hello
    We are looking for a solution that is capable to record both Cisco IP Phones and Cisco Codec C90.
    We are using CUCM 9.X for IP Phones and VCS 7.X for Cisco Codecs.
    Is there any third party solution available for both the requirements or do I have to go with TCS and any other third party recording solution.
    Thanks & Regards
    Aniket Patil

    My reply may be too late to be of any help to you, but for the benefit of others:
    Be sure you understand the different types of PoE out there. The Linksys PoE switch only supports the newer IEEE 802.3af PoE standard.
    The 7940, 7960, 7905 and other older Cisco phones only support Cisco pre-standard PoE and thus will not work with the 802.3af Linksys Switch.
    To use this switch, you will need to make sure you are using the newer 7070, 7961, 7941 phones which support both pre-standard and 802.3af PoE.
    All the best,
    John

  • Cisco Prime network and cisco prime infrastructure

    Hi,
    What is the difference between Cisco Prime Network and Cisco Prime infrastructure.
    Please advise.

    I assume you are asking about Cisco Prime LAN Management System (LMS) vs. Cisco Prime Infrastructure (PI).
    LMS is currently the leading Cisco offering for wired infrastructure management. It is the evolution of the earlier CiscoWorks LMS, CiscoWorks RWAN CiscoWorks 2000, CWSI, VLAN Director, original CiscoWorks classic etc. products going back almost 20 years.
    PI is the equivalent Cisco offering for wireless LANs and is the successor to NCS and WCS products.
    The overlap and confusion comes from the fact that Cisco is positioning PI as the overall wireless and wired management platform and gradually introducing wired network management features to make it equal (and eventually exceed) LMS's capabilities.
    There is a comparison table here that shows the current differences. A major new release of PI (2.0) is due out shortly which will close many (but not all) of the gaps on that table.

  • Difference between cisco NAC agent and cisco Clean Access Agent

    Hi all,
    if anyone has an idea about the difference between cisco NAC agent and cisco Clean Access Agent, please share your ideas.
    thank you

    In 4.6, the agent was overhauled and is now called the NAC agent.  Previous versions were referred to as the Clean Access Agent.  So pretty much, the 4.5 agent and 4.1.3.2 agents are Clean Access agents, and the 4.6.x and 4.7.x agents are called NAC agents.
    Some of the changes made were moving a lot of the agent configuration to an XML file, redesigning the GUI, adding a service portion (so that the stub agent is no longer required), and better agent logging.

  • Difference between cisco prime infrastructure and cisco WCS

    Can you explain to me the difference between cisco prime infrastructure and cisco WCS.. I'm a little bit confused...
    Thanks..

    Hi Hasan,
    In terms of features...You can say PI is more advanced version of WCS and NCS. All the stuff possible in WCS/NCS can be done on PI as well.
    But from the architecture perspective , there are differences. If I remember correctly , WCS is based on 32 bit OS while NCS and PI based on 64 bit OS. For the same reason you cannot do inline upgrade from WCS to PI via any path and will have to change the platform/Hardware itself before moving to PI. However , inline upgrade from NCS to PI is possible if we follow the correct path.
    Regards
    Dhiresh
    **Please rate helpful posts**

  • Cisco LAN Management Solution is required to support Cisco Nexus 5548P and 5596UP switches?

    Hi,
    Could someone help to know what Cisco LAN Management Solution is required to support Cisco Nexus 5548P switches and Cisco Nexus 5596UP switches?
    These new Cisco switches are being implemented on a customer network and he asks us that this equipment be supported on an LMS solution (customer currently is using LMS 3.2.1)
    Can someone help?
    Thanks in advance,
    guruiz

    Some very limited Nexus support is present in LMS 3.2.1 - see the supported device table here.
    To get more complete support, including the 5596UP, they need to upgrade to LMS 4.x (e.g.  LMS 4.2.2 is the latest and is sold under the Cisco Prime Infrastructure 1.2 umbrella). The major upgrade from 3.x to 4.x requires purchasing an upgrade license.
    Some functions (namely User Tracking ) will not be available on the 5k due to non-support of the requisite MIB on the device. I believe LMS still doesn't let you do VLAN management on 5k's - you need to use DCNM for that if you want to do it from a GUI.
    See the table here for LMS 4.2 device support.

  • Cisco Network Assistant, and Linksys Switches?

    Hi all,
    Given that Cisco owns Linksys, that CNA seems aimed at the small/medium business market, and that many of those businesses (like me) probably mix and match Linksys managed switches (like the SRW series) as leaf switches hanging off other higher end Cisco network gear, it seems to me that making CNA capable of discovering and managing those Linksys switches would make a lot of sense.
    Is there any hope or plan for this in the future?
    -Kyle

    I would like to see this as well.  I have nine Linksys SRW2024 units and it is a pain to go into each one separately.  I am used to the Cisco Network Assistant and it would greatly help if they could talk to LinkSys smart switches.  Please!
    -Milt Hull

  • Cisco Sensor 1040 and Cisco Prime Collaboration Assurance 9.0

    Hey Guys,
    We have set up Cisco Prime CA and are trying to hook a Sensor onto it. The sensor is searching for a few .cnf files over tftp. Where can I find these files?
    PS: if this is the wrong place please tell me where to post this.
    Thanks
    Varadarajan.R

    Hello Varda,
    It seems as if the 1040 sensors are not finding the TFTP server. The TFTP server list should not contain IP addresses with values 32 or 92 in their octets.
    1. The 1040 needs to learn of the TFTP by DHCP option 150.
    2. Please make sure that it is set on your DHCP server. 
    3. To confirm that the 1040 sensor is receiving the TFTP IP open a web browser and type http://  and see if the TFTP address field is showing the IP. 
    4. If it is then you might also need to restart the TFTP service on the CUCM so that the 1040 can download the cnf and image files.
    Attached is the userguide for 1040. Go through it and this should be able to resolve your issue.
    This is another method to check that the sensor is fine:
    First step: install/download the winagents tftp server,
    enter a Service Monitor Server Configuration / sensor1040 and in TFTP server enter the ip address (winagents tftp server) and go to SETUP;
    in setup put your ip address in PRIMARY SERVICE MONITOR and push OK; you will see the server write a file in the TFTP server.
    Next STEP
    Go to MANAGEMENT and add a new sensor; you need the mac address. Remember the second port in the sensor is a span port; you can make a second file in the tftp server.
    Next STEP
    Go to the service monitor server and copy the file *.img CSCOpx/
    Next STEP
    Search your dhcp server/switch for option 150 and put in your ip address of the tftp server. When the sensor is powered off and powered on, the sensor searches for the tftp server and searches for files to autoconfig and register to service monitor. When the test is ok
    it's time to upload the change from the winagent tftp server to the callmanager tftp server.
    Hope this helps
    Thanks & Regards,
    Venkitesh

  • Transfer VOIP Calls Between Cisco Desk Phone and Cisco Jabber For iPhone 9.5

    Does anyone know how to transfer an active voip call from a Cisco IP Desk Phone to Cisco Jabber for iPhone?  I can transfer a call from Cisco Jabber for iPhone to my Cisco IP Desk Phone no problem.  I put the call on hold and then click "Resume" on my Cisco IP Desk Phone.  However I cannot do the same but the other way around.  If I put the call on hold on my Cisco IP Desk Phone, I see "no active call" on my Jabber client.  The only information I could find slightly relevant was using the Mobility Key/Remote Destination Profile feature, however this defeats the object as this will forward to an external number, e.g. mobile, and I just want to transfer the call within the VOIP environment between the two devices that are using the same directory number.
    I am using Cisco Call Manager 9.1(2), Cisco Presence 9.1 and Cisco Jabber for iPhone 9.5.
    Any help would be greatly appreciated.
    Kind Regards,
    Paul Parker.

    Did you ever find an answer to this ?
    I am seeing the same behavior and trying to see if I can put calls on hold and pick them up both ways also.
    The only answer I seem to have found is to use park instead
    That would/should work but I would just prefer to hold/unhold
    Just not sure why we would not be able to hold/unhold on what is essentially a "shared" line
    Does anyone have this working for them ?

  • Difference between Cisco Prime Infrastructure and Cisco Prime NCS

    Dear All,
    I am currently confused in choosing what type of Cisco Prime.
    1. Which one should I choose? Should I order Cisco Prime NCS or directly purchase Cisco Prime Infrastructure (since Cisco Prime Infrastructure has the features of NCS)?
    2. Why does Cisco not just remove the Cisco Prime NCS ordering Part Number since Cisco Prime Infrastructure already covers the NCS?
    Please advise me

    Hortono,
    I started to write a long and lengthy msg about my experience with this, but instead, let me direct you to the horse's mouth.  There have been weekly webinars in regards to Cisco Prime (many different products under this headline) including Infrastructure.  I believe the Cisco PI is actually scheduled for Thursdays, so hopefully you'll look at this in time to catch it and ask your questions from the gurus.
    https://ciscosales.webex.com/ciscosales/j.php?J=200462944&PW=NMzhhNjM5OGU3
    Looks like this may be the last week, catch it if you can.

  • Cisco Unified Presence and Cisco CCX Integration.

    Hi,
    Please suggest how to integrate Cisco Unified Presence with Cisco UCCX. What configuration is to be done on Cisco Unified Presence and CCX?
    Any good documents..
    Appreciate your response.
    Regards,
    Manish.

    Hi,
    The easiest thing to do is get CUPC working with the agent's credentials. Once that is working, you know that the CUPS piece is right. The document supplied previously shows the very limited CAD configuration that is required. This should go fine once you get CUPC working with the agent's information.
    Keep in mind that CUPC is not the same as CAD and there are important differences:
    1. You need to add an Inbound ACL to the CUPS server to allow connections from the CAD PCs as CAD does not support Message Digest as CUPC does. This is CSCtb50109.
    2. CAD does not escape special characters in the password, so use a password without special characters. This is
    CSCtf25959.

  • Cisco WLC5760 Fail and Cisco NAC Guest v2.0

    Hello,
    I have a problem using a Cisco WLC5760 v3.3.1SE and a Cisco NAC Guest v2.0.
    Can anyone help me to synchronise Cisco WLC5760 v3.3.1SE and Cisco NAC Guest v2.0?
    Thank you for your help.

    Hi Adoncamille,
    I have the same problem with my 5760 and NAC Guest Server. Did you fix the problem?
    Best Regards,
    Marco Muñoz

  • Connectivity Issue between ASA 5520 firewall and Cisco Call Manager

    Recently I have installed an ASA 5520 firewall. Below are the details of my network:
    ASA 5520 inside ip: 10.12.10.2/24
    Cisco Switch 3560 IP: 10.12.10.1/24 for Data and 10.12.110.2/24 for Voice
    Cisco Call Manager 3825 IP: 10.12.110.2/24
    The users and the IP phones are getting IPs from the DHCP server which is configured on the cisco 3560 Switch.
    The Default Gateway for Data users is 10.12.10.2/24 and
    for the voice users is 10.12.110.2/24.
    Now the problem is that the users are not able to ping the 10.12.110.2 call manager. Please, if somebody can help in this regard, I will appreciate a prompt response on this issue.

    Actually I don't want to insert a new subnet and complicate the network. I need a simple way to solve the problem. Below are the details of the ASA 5520 config.
    ASA Version 8.2(1)
    name x.x.x.x Mobily
    interface GigabitEthernet0/0
     nameif inside
     security-level 99
     ip address 10.12.10.2 255.255.255.0
    interface GigabitEthernet0/1
     nameif outside
     security-level 0
     ip address x.x.x.x 255.255.255.252
    object-group service DM_INLINE_SERVICE_1
     service-object tcp-udp
     service-object ip
     service-object icmp
     service-object udp
     service-object tcp eq ftp
     service-object tcp eq www
     service-object tcp eq https
     service-object tcp eq ssh
     service-object tcp eq telnet
    access-list RA_VPN_splitTunnelAcl_1 standard permit Inside-Network 255.255.255.0
    access-list RA_VPN_splitTunnelAcl standard permit Inside-Network 255.255.255.0
    access-list inside_nat0_outbound extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    access-list inside_nat0_outbound extended permit object-group DM_INLINE_SERVICE_1 10.12.10.16 255.255.255.240 Inside-Network 255.255.255.0
    access-list inside_nat0_outbound_1 extended permit ip Inside-Network 255.255.255.0 10.12.10.16 255.255.255.240
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu mgmt 1500
    ip local pool VPN-Pool 172.16.1.1-172.16.1.30 mask 255.255.255.0
    ip local pool VPN-Users 10.12.10.21-10.12.10.30 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-641.bin
    asdm history enable
    arp timeout 14400
    global (inside) 2 interface
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound_1
    nat (inside) 1 Inside-Network 255.255.255.0
    route outside 0.0.0.0 0.0.0.0 Mobily 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http Mgmt-Network 255.255.255.0 mgmt
    http Inside-Network 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    telnet Inside-Network 255.255.255.0 inside
    telnet timeout 5
    ssh Inside-Network 255.255.255.255 inside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy RA_VPN internal
    group-policy RA_VPN attributes
     dns-server value 86.51.34.17 8.8.8.8
     vpn-tunnel-protocol IPSec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value RA_VPN_splitTunnelAcl
    username admin password LPtK/u1LnvHTA2vO encrypted privilege 15
    tunnel-group RA_VPN type remote-access
    tunnel-group RA_VPN general-attributes
     address-pool VPN-Users
     default-group-policy RA_VPN
    tunnel-group RA_VPN ipsec-attributes
     pre-shared-key *
    class-map inspection_default
     match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny 
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip 
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:e5a64fa92ae465cd7dabd01ce605307d
    : end
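The config above shows only a default route out `outside`, two directly connected interfaces, DES/3DES/MD5 IPsec transform sets and telnet management on the inside. The script below is an added example (not from this thread, and not a Cisco tool) that parses a config in this format and answers two defender-side questions: which interface a given destination would leave by under the connected and static routes present, and which management-plane and crypto settings merit review. The embedded config is a constructed excerpt that mirrors the posted one; the outside address 203.0.113.x is a documentation placeholder standing in for the redacted `x.x.x.x`. Against this excerpt, a voice-subnet host such as 10.12.110.2 is not in any connected subnet and so resolves to the default route via `outside`, which is the kind of result that explains why inside hosts using the ASA as their gateway cannot reach it.

```python
"""Resolve egress interface and flag review-worthy settings in an ASA 8.x
style running config.  Added example; the config excerpt is constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the posted config (outside address is a
# documentation placeholder, not the poster's real address).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif inside
 security-level 99
 ip address 10.12.10.2 255.255.255.0
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
telnet Inside-Network 255.255.255.0 inside
ssh Inside-Network 255.255.255.255 inside
"""

WEAK_IPSEC = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_ISAKMP = {("encryption", "des"), ("encryption", "3des"), ("hash", "md5"),
               ("group", "1"), ("group", "2")}


def parse_interfaces(cfg: str) -> Dict[str, ipaddress.IPv4Interface]:
    """Map nameif -> configured address/mask for each interface block."""
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}
    nameif: Optional[str] = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            nameif = None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ip address ") and nameif:
            _, _, addr, mask = line.split()
            ifaces[nameif] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def parse_routes(cfg: str) -> List[Tuple[str, ipaddress.IPv4Network, str]]:
    """Static routes as (nameif, network, next hop); metric is ignored."""
    routes = []
    for line in cfg.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "route":
            routes.append((parts[1], ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}"), parts[4]))
    return routes


def resolve_egress(cfg: str, dst: str) -> Optional[Tuple[str, str]]:
    """Longest-prefix lookup over connected subnets and static routes.

    Returns (nameif, reason) or None when nothing covers the destination.
    Connected subnets win ties, as they would on the box (distance 0).
    """
    ip = ipaddress.IPv4Address(dst)
    candidates = []
    for name, iface in parse_interfaces(cfg).items():
        if ip in iface.network:
            candidates.append((iface.network.prefixlen, 1, name, f"connected {iface.network}"))
    for name, net, nh in parse_routes(cfg):
        if ip in net:
            candidates.append((net.prefixlen, 0, name, f"static route {net} via {nh}"))
    if not candidates:
        return None
    _, _, name, reason = max(candidates)
    return name, reason


def audit(cfg: str) -> List[str]:
    """Return human-readable findings for settings a reviewer should question."""
    findings = []
    policy = None
    for line in cfg.splitlines():
        parts = line.split()
        s = line.strip()
        if s.startswith("telnet ") and len(parts) == 4:
            findings.append(f"telnet enabled from {parts[1]} {parts[2]} on {parts[3]}: cleartext management, prefer ssh")
        elif s.startswith("crypto ipsec transform-set") and WEAK_IPSEC & set(parts):
            findings.append(f"transform-set {parts[3]} uses weak algorithms: {' '.join(parts[4:])}")
        elif s.startswith("crypto isakmp policy"):
            policy = parts[3]
        elif policy and line.startswith(" ") and len(parts) == 2 and tuple(parts) in WEAK_ISAKMP:
            findings.append(f"isakmp policy {policy}: weak {parts[0]} {parts[1]}")
        elif s.startswith("ssh ") and len(parts) == 4 and parts[2] == "255.255.255.255" \
                and parts[1].lower().endswith("network"):
            findings.append(f"ssh {parts[1]} uses a /32 mask on a network-named object: check intent")
        elif not line.startswith(" "):
            policy = None
    return findings


if __name__ == "__main__":
    for host in ("10.12.10.50", "10.12.110.2"):
        print(host, "->", resolve_egress(SAMPLE_CONFIG, host))
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run it against a saved `show running-config` (the pager artifact `<--- More --->` should be stripped first, or `terminal pager 0` set before capturing); a destination that resolves to `outside` when it is meant to be reached through an inside router is the first thing to fix, and the audit list is a checklist rather than a verdict.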

  • Cisco SG300 - IGMP and multiple switches

    Hi all,
    I have read through various Cisco documents and tried various configurations and I have been unsuccessful.
    Here is the network layout
    Cisco SG300-10 in Layer 3 mode, managing all VLANS created and inter-vlan traffic is working fine
    Ports 1-4 are in LAG 1 with LACP enabled, Ports 5-8 are in LAG 2 again with LACP enabled, port 9 is connected to the ASA 5505 (Trunk port, all VLANS) and port 10, again a trunk port I use for management
    LAG 1 and 2 are connected to Cisco SG300-52 switches
    again traffic between the switches is working ok, what we would like to do is the following
    On VLAN 7, we have multiple devices streaming using UDP multicast. What we would like to do is allow PCs on VLAN 5 to be able to pick up these streams as and when they need to; the devices broadcast on their own unique UDP ranges.
    Could someone please explain to me what I need to configure on the Layer 3 switch and the other two Layer 2 switches in order for this to work?
    If I put a port into VLAN 7 I can view the stream without a problem. Also, is there any fine tuning to be done once this is working?
    Thanks
    Andy

    Jason,
    The only advantage you would get from using SFPs (fiber transceivers) in the GBIC slots would be if you needed to make a run of over 100m between the switches.  Unless you have a very large property with switches at either end you are just as well to use the copper ports in the setup you described.  There is also nothing wrong with chaining the SG100s together if necessary to free up a port on the RV320.  The only other thing to consider is if you are using VLANs.  Each unmanaged SG100 will only pass a single VLAN so if you need segregated distribution coming from the RV320 you would need to put each SG100 on its own port.  Or, you could run a trunk from a port on the RV320 to your SG200 and then split off your untagged VLANs from there.  Hope this answers your question and have a nice day.
    Regards,
    Mike.V

  • RPS and Cisco Catalyst 2950 and 3550 switches

    We are doing experiments with RPS and CC 2950 and 3550. When we unplug the main power, the RPS takes over and feeds the switch with power. But when we plug the main power back in again, the switch continues to take power from the RPS. How is power redundancy achieved with CC 2950 and/or 3550s?
    Thanks in advance,
    Dardan

    You will need to press the active/standby button on the RPS for the internal power supply in the switch to take over. Note that this can cause the switch to reload and do it in your maintenance window if this switch is in production.
    http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCdx81023
