Configure vpn 3030 snmp for cisco works 2000

vpn 3030 snmp error in cisco works 2000
I want to monitor vpn3030 through vpn monitor, so I did some config on vpn3030:
1)Configuration | System | Management Protocols | SNMP
enabled port 161
2)Configuration | System | Management Protocols | SNMP Communities
public
3)Administration | Access Rights | Administrators | Modify Properties
snmp modify config
I can telnet & http vpn3030, but when I run the test in cisco works 2000 (server
configuration|diagnostics|connectivity tools|management station to device)
it said:
Interface Status Test Results
172.16.8.1 DOWN SNMPR failed
sent: 5 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 91 protocol: snmp_get port: 161
SNMPW failed
sent: 0 recvd: 0 min: 0 max: 0 avg: 0 timeout: 2 size: 0 protocol: snmp_set port: 161
about my vpn3030
Monitoring | System Status Thursday, 10 October 2002 16:40:16
VPN Concentrator Type: 3030
Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000
18:57:52
Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 3.0.2.Rel Apr 05 2001
20:50:58
Up For: 6d 0:04:27
Up Since: 10/04/2002 16:35:49
RAM Size: 128 MB
There is only a 6509 between cisco works 2000 server and vpn3030, and no restrictions on tcp/ip
flow.
Please help me. Thanks in advance.

I test it in cw2000 cdone.
This is really a strange question.
the cw2000 server ip address is 10.8.1.122
the vpn3030 's ip address is 172.16.8.1
between them is a 6509, ip address is 10.8.1.201
When I test connectivity between cw2000 server and 6509, everything is good, snmp is ok.
When I test connectivity between cw2000 server and vpn3030, everything is good, except snmp does not respond, while with a third party snmp program, snmp status is ok!
When I change the cw2000 server's ip address to 172.16.8.3 and connect it directly to vpn3030, then test connectivity between cw2000 server and vpn3030, everything is good, snmp is ok.

Similar Messages

  • Hello! Could you tell me which configuration is the best for graphic works, like making large POSTERS or BANNERS (for instance 2800X500 cm)???

    Hello! Could you tell me which configuration is the best for graphic works, like making large POSTERS or BANNERS (for instance 2800X500 cm)???

    scorpiorey wrote:
    I just create file and send it to printer-house.
    Never done that size files (posters) before, so, didn't know it would be such problem.
      Model Name:          MacBook Pro
      Model Identifier:          MacBookPro8,1
      Processor Name:          Intel Core i7
      Processor Speed:          2.8 GHz
      Number of Processors:          1
      Total Number of Cores:          2
      L2 Cache (per Core):          256 KB
      L3 Cache:          4 MB
      Memory:          4 GB
      Boot ROM Version:          MBP81.0047.B24
      SMC Version (system):          1.68f98
    this is what i have. now i know that it's not enough
    If that's what you're using and it actually works, albeit slowly, I'd suggest taking The hatter's advice and go with the 6 core Mac Pro with  24GB of RAM and the 5870 video card. The RAM could come from here: http://eshop.macsales.com/shop/memory/Mac-Pro-Memory#1333-memory

  • Configure VPN access on a Cisco WRV210 wireless-G vpn router -range booster

    Please help....
    I need to configure a vpn on a Cisco WRV210 Wireless-G VPN Router - RangeBooster. I have five users that are going to connect to a file server. Windows and Mac laptops will be connecting. The file server access is all set; I just need a step by step document to configure the vpn screens on the router. Thanks

    Hi Robert
    You can refer the below link in finding out the exact config to start with.
    Do make sure that your Cisco 831 box with the current IOS code installed in it supports the required feature to run the same.
    http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html#anchor16
    regds

  • Cisco Work (LMS 2.6) Device Configuration

    Hi,
    Can anyone tell me where is the default location of device configuration ( Running conf ) saved in Cisco Work (LMS 2.6) Server.
    Thanks & Regds,
    Lalit

    If you enable the so-called shadow directory feature under:  Admin -> Config Mgmt -> Archive Mgmt -> Archive Settings
    then the default location is \CSCOpx\files\rme\dcma
    Cheers,
    Michel

  • Cisco Works 2k

    Hi Expertise,
    Cisco works 2000 is getting very slow during login time as well as browsing time. What could be the problem?
    Thanks & rgds...
    Ashish Singh

    The issue may be due to Slow TCP connections due to cells being discarded in the ATM cloud which results in IP packets being discarded and in a high number of retransmissions. TCP itself believes this is due to congestion and will try to lower its transmitting window, resulting in a very slow TCP connection. This will affect all TCP-based protocols such as telnet or FT

  • Cisco Works password recovery

    I need to reset the admin password for Cisco Works. I've followed the online documentation and the different methods posted do not seem to work.
    The first method I saw was to edit the cwpass file located at C:\Program Files\CSCOpx\lib\classpath\com\cisco\nm\cmf\servlet\cwpass and change the admin password back to the default.
    You have to stop the Daemon, change the password back to default admin:0DPiKuNIrrVmD8IUCuw1hQxNqZc=::::F::  then restart the daemon.
    After doing that I go to the url to access cisco works http://servername:1741/login.html where "servername" is the name of the server.
    The new logon does not work.
    I then found another doc that said to use the resetpasswd.exe file to reset the admin password. So. I stop the daemon, run the resetpasswd by issuing the command "resetpasswd admin". It prompts you to enter the new password twice. Then restart the daemon. I've checked the cwpass file and verified that the hash for the admin password changes when I reset it. But, I still can not logon.
    Is there something else that needs to be restarted?

    You are probably still using external authentication.  Try reverting to local mode first:
    1. Stop daemons.
    2. Go to NMSROOT\CSCOpx\bin\ in DOS.
    3. Issue: perl ResetLoginModule.pl.
    4. Restart daemons.
    If you still cannot login, the original password file is located under NMSROOT\lib\classpath\com\cisco\nm\cmf\servlet\orig\.  Try copying this one to the active file location: NMSROOT\lib\classpath\com\cisco\nm\cmf\servlet and then restarting daemons.

  • Problem with Cisco Works Assistant 1.0

    Good Morning
    I just installed the version LMS 3.0 on my server Sun Solaris 10 following all the instructions in the installation guide.
    At the end of the installation I connected to the tool by HTTP and till now all was working fine.
    When I tried to configure the "Server Setup" by Cisco Works Assistant I got this message: "Reachable(CiscoWorks Assistant does not support the installed Common Services version.)".
    Strange errors, because I have installed the LMS by Cisco DVD where the version of the applications should be the right one; in fact I checked them and found out that the version of CM is 3.1, which is supported by CiscoWorks Assistant 1.0.
    Can you help me, because I'm not able to find a solution?
    Thanks so much in advance

    Try the solution in this thread first:
    http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&topicID=.ee71a02&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cbfbc4a

  • Cisco works LMS 3.0.1 cannot archive configuration for cisco 3000 series vpn concentrator

    Hi All,
    Our problem is, we have Cisco Works LMS 3.0.1 and it cannot archive configuration for cisco 3000 series vpn concentrator.
    Any help would be greatly appreciated.
    Thanks in advance.
    Samir

    Make sure you have filled out all of the HTTP/HTTPS credential data in DCR for these devices.  RME will only use HTTPS to fetch VPN concentrator configurations.

  • Cisco Works - SNMP for Pushing instead of TFTP

    Is there a setting in Cisco Works I can change for getting SNMP used instead of TFTP for pushing configuration changes?  I recently did a push to over
    4500 network devices (routers & switches) in my network and found that Cisco Works was using TFTP instead of SNMP.  Is there a setting I can change
    for getting SNMP used instead of TFTP?
    Also when I look at running config on the devices, they do NOT show the name of the "profile (TACACS Account)" used to log into the device by Cisco Works.  Thus the Audit function could not pickup the profile that made the changes.
    Currently using LMS 3.2.
    Thanks

    LMS uses TFTP triggered by SNMP.  There is no way to use SNMP exclusively to push config changes.  LMS will use one of either SNMP/TFTP, SSH, telnet, or RCP.  This is set under RME > Admin > Config Mgmt > Transport Settings.
    If you are not using telnet or SSH to do config management (i.e. archive, Netconfig, etc.), then the running config will not reflect a username logging into LMS to make config changes.

  • Cisco works LMS 3.0.1 does not archive configuration for cisco 7201 router

    Hi All,
    We have Cisco works LMS 3.0.1 and it does not archive configuration for cisco 7201 router.
    Any help would be appreciated.
    Thanks in advance
    Samir

    Hi,
    *** Device Details for d0151-100 ***
    Protocol ==> Unknown / Not Applicable
    Selected Protocols with order ==> TFTP,SSH,HTTPS
    Execution Result:
    Unable to get results of job execution for device. Retry the job after increasing the job result wait time using the option:Resource Manager Essentials -> Admin -> Config Mgmt -> Archive Mgmt ->Fetch Settings
    This is the error while doing syn archive.
    I am not sure about Rtr7000 version but we have latest Rtr7000.
    Waiting for your kind reply.
    Samir

  • Need help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 8.2(1)

    Need urgent help in configuring Client to Site IPSec VPN with Hairpinning on Cisco ASA5510 - 8.2(1).
    The following is the Layout:
    There are two Leased Lines for Internet access - 1.1.1.1 & 2.2.2.2, the latter being the Standard Default route, the former one is for backup.
    I have been able to configure  Client to Site IPSec VPN
    1) With access from Outside to only the Internal Network (172.16.0.0/24) behind the asa
    2) With Split tunnel with simultaneous access to internal LAN and Outside Internet.
    But I have not been able to make the traditional Hairpinning model work in this scenario.
    I followed every possible suggestion made in this regard in many Discussion Topics but still no luck. Can someone please help me out here???
    Following is the Running-Conf with Normal Client to Site IPSec VPN configured with No Internet Access:
    LIMITATION: Can't Boot into any other ios image for some unavoidable reason, must use 8.2(1)
    running-conf  --- Working  normal Client to Site VPN without internet access/split tunnel
    ASA Version 8.2(1)
    hostname ciscoasa
    domain-name cisco.campus.com
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxx encrypted
    names
    interface GigabitEthernet0/0
    nameif internet1-outside
    security-level 0
    ip address 1.1.1.1 255.255.255.240
    interface GigabitEthernet0/1
    nameif internet2-outside
    security-level 0
    ip address 2.2.2.2 255.255.255.224
    interface GigabitEthernet0/2
    nameif dmz-interface
    security-level 0
    ip address 10.0.1.1 255.255.255.0
    interface GigabitEthernet0/3
    nameif campus-lan
    security-level 0
    ip address 172.16.0.1 255.255.0.0
    interface Management0/0
    nameif CSC-MGMT
    security-level 100
    ip address 10.0.0.4 255.255.255.0
    boot system disk0:/asa821-k8.bin
    boot system disk0:/asa843-k8.bin
    ftp mode passive
    dns server-group DefaultDNS
    domain-name cisco.campus.com
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group network cmps-lan
    object-group network csc-ip
    object-group network www-inside
    object-group network www-outside
    object-group service tcp-80
    object-group service udp-53
    object-group service https
    object-group service pop3
    object-group service smtp
    object-group service tcp80
    object-group service http-s
    object-group service pop3-110
    object-group service smtp25
    object-group service udp53
    object-group service ssh
    object-group service tcp-port
    object-group service udp-port
    object-group service ftp
    object-group service ftp-data
    object-group network csc1-ip
    object-group service all-tcp-udp
    access-list INTERNET1-IN extended permit ip host 1.2.2.2 host 2.2.2.3
    access-list CSC-OUT extended permit ip host 10.0.0.5 any
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq www
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq https
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ssh
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq ftp
    access-list CAMPUS-LAN extended permit udp 172.16.0.0 255.255.0.0 any eq domain
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
    access-list CAMPUS-LAN extended permit tcp 172.16.0.0 255.255.0.0 any eq pop3
    access-list CAMPUS-LAN extended permit ip any any
    access-list csc-acl remark scan web and mail traffic
    access-list csc-acl extended permit tcp any any eq smtp
    access-list csc-acl extended permit tcp any any eq pop3
    access-list csc-acl remark scan web and mail traffic
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 993
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq imap4
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq 465
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq www
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq https
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq smtp
    access-list INTERNET2-IN extended permit tcp any host 1.1.1.2 eq pop3
    access-list INTERNET2-IN extended permit ip any host 1.1.1.2
    access-list nonat extended permit ip 172.16.0.0 255.255.0.0 172.16.0.0 255.255.0.0
    access-list DNS-inspect extended permit tcp any any eq domain
    access-list DNS-inspect extended permit udp any any eq domain
    access-list capin extended permit ip host 172.16.1.234 any
    access-list capin extended permit ip host 172.16.1.52 any
    access-list capin extended permit ip any host 172.16.1.52
    access-list capin extended permit ip host 172.16.0.82 host 172.16.0.61
    access-list capin extended permit ip host 172.16.0.61 host 172.16.0.82
    access-list capout extended permit ip host 2.2.2.2 any
    access-list capout extended permit ip any host 2.2.2.2
    access-list campus-lan_nat0_outbound extended permit ip 172.16.0.0 255.255.0.0 192.168.150.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered debugging
    logging asdm informational
    mtu internet1-outside 1500
    mtu internet2-outside 1500
    mtu dmz-interface 1500
    mtu campus-lan 1500
    mtu CSC-MGMT 1500
    ip local pool vpnpool1 192.168.150.2-192.168.150.250 mask 255.255.255.0
    ip verify reverse-path interface internet2-outside
    ip verify reverse-path interface dmz-interface
    ip verify reverse-path interface campus-lan
    ip verify reverse-path interface CSC-MGMT
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (internet1-outside) 1 interface
    global (internet2-outside) 1 interface
    nat (campus-lan) 0 access-list campus-lan_nat0_outbound
    nat (campus-lan) 1 0.0.0.0 0.0.0.0
    nat (CSC-MGMT) 1 10.0.0.5 255.255.255.255
    static (CSC-MGMT,internet2-outside) 2.2.2.3 10.0.0.5 netmask 255.255.255.255
    access-group INTERNET2-IN in interface internet1-outside
    access-group INTERNET1-IN in interface internet2-outside
    access-group CAMPUS-LAN in interface campus-lan
    access-group CSC-OUT in interface CSC-MGMT
    route internet2-outside 0.0.0.0 0.0.0.0 2.2.2.5 1
    route internet1-outside 0.0.0.0 0.0.0.0 1.1.1.5 2
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    http server enable
    http 10.0.0.2 255.255.255.255 CSC-MGMT
    http 10.0.0.8 255.255.255.255 CSC-MGMT
    http 1.2.2.2 255.255.255.255 internet2-outside
    http 1.2.2.2 255.255.255.255 internet1-outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group5
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map internet2-outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map internet2-outside_map interface internet2-outside
    crypto ca trustpoint _SmartCallHome_ServerCA
    crl configure
    crypto ca certificate chain _SmartCallHome_ServerCA
    certificate ca xyzxyzxyzyxzxyzxyzxyzxxyzyxzyxzy
      quit
    crypto isakmp enable internet2-outside
    crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash md5
    group 2
    lifetime 86400
    telnet 10.0.0.2 255.255.255.255 CSC-MGMT
    telnet 10.0.0.8 255.255.255.255 CSC-MGMT
    telnet timeout 5
    ssh 1.2.3.3 255.255.255.240 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet1-outside
    ssh 1.2.2.2 255.255.255.255 internet2-outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy VPN_TG_1 internal
    group-policy VPN_TG_1 attributes
    vpn-tunnel-protocol IPSec
    username ssochelpdesk password xxxxxxxxxxxxxx encrypted privilege 15
    username administrator password xxxxxxxxxxxxxx encrypted privilege 15
    username vpnuser1 password xxxxxxxxxxxxxx encrypted privilege 0
    username vpnuser1 attributes
    vpn-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 type remote-access
    tunnel-group VPN_TG_1 general-attributes
    address-pool vpnpool1
    default-group-policy VPN_TG_1
    tunnel-group VPN_TG_1 ipsec-attributes
    pre-shared-key *
    class-map cmap-DNS
    match access-list DNS-inspect
    class-map csc-class
    match access-list csc-acl
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class csc-class
      csc fail-open
    class cmap-DNS
      inspect dns preset_dns_map
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum: y0y0y0y0y0y0y0y0y0y0y0y0y0y
    : end
    Neither adding dynamic NAT for 192.168.150.0/24 on the outside interface works, nor does the sysopt connection permit-vpn work.
    Please tell me what needs to be done here to hairpin all the traffic to the internet coming from VPN Clients.
    That is, I need clients connected via VPN tunnel, when connected to the internet, to have their IPs NAT'ted against the internet2-outside interface address 2.2.2.2, as it happens for the Campus Clients (172.16.0.0/16)
    I'm not much conversant with everything involved in here, therefore please be elaborative in your replies. Please let me know if you need any more information regarding this setup to answer my query.
    Thanks & Regards
    maxs

    Hi Jouni,
    Thanks again for your help, got it working. Actually the problem was ASA needed some time after configuring to work properly ( ?????? ). I configured and tested several times within a short period, during the day and was not working initially, GUI packet tracer was showing some problems (IPSEC Spoof detected) and also there was this left out dns. It's working fine now.
    But my problem is not solved fully here.
    Does hairpinning model allow access to the campus LAN behind ASA also?. Coz the setup is working now as i needed, and I can access Internet with the NAT'ed ip address (outside-interface). So far so good. But now I cannot access the Campus LAN behind the asa.
    Here the packet tracer output for the traffic:
    packet-tracer output
    asa# packet-tracer input internet2-outside tcp 192.168.150.1 56482 172.16.1.249 22
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow
    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   172.16.0.0      255.255.0.0     campus-lan
    Phase: 4
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   192.168.150.1   255.255.255.255 internet2-outside
    Phase: 5
    Type: ACCESS-LIST
    Subtype: log
    Result: ALLOW
    Config:
    access-group internnet1-in in interface internet2-outside
    access-list internnet1-in extended permit ip 192.168.150.0 255.255.255.0 any
    Additional Information:
    Phase: 6
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 7
    Type: CP-PUNT
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 8
    Type: VPN
    Subtype: ipsec-tunnel-flow
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 9
    Type: NAT-EXEMPT
    Subtype: rpf-check
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 10
    Type: NAT
    Subtype:     
    Result: DROP
    Config:
    nat (internet2-outside) 1 192.168.150.0 255.255.255.0
      match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
        dynamic translation to pool 1 (No matching global)
        translate_hits = 14, untranslate_hits = 0
    Additional Information:
    Result:
    input-interface: internet2-outside
    input-status: up
    input-line-status: up
    output-interface: internet2-outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
    The problem here, as you can see, is the rule for dynamic nat that I added to make hairpin work in the first place
    dynamic nat
    asa(config)#nat (internet2-outside) 1 192.168.150.0 255.255.255.0
    Is it possible to access both
    1)LAN behind ASA
    2)INTERNET via HAIRPINNING  
    simultaneously via a single tunnel-group?
    If it can be done, how do I do it. What changes do I need to make here to get simultaneous access to my LAN also?
    Thanks & Regards
    Abhijit
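
Added example, not part of the original posts: a small Python parser for the packet-tracer output quoted above. It finds the first dropping phase and, for a "No matching global" NAT drop, names the egress interface and pool id, then checks whether the pasted configuration has a matching `global` statement. The trace and config samples are abridged from the posts; the function names are this example's own.

```python
import re

# Constructed samples: abridged from the packet-tracer output and running-config in the posts above.
SAMPLE_TRACE = """\
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.0.0     campus-lan
Phase: 9
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: DROP
Config:
nat (internet2-outside) 1 192.168.150.0 255.255.255.0
  match ip internet2-outside 192.168.150.0 255.255.255.0 campus-lan any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 14, untranslate_hits = 0
Additional Information:
Result:
input-interface: internet2-outside
output-interface: internet2-outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
SAMPLE_CONFIG = """\
global (internet1-outside) 1 interface
global (internet2-outside) 1 interface
nat (campus-lan) 0 access-list campus-lan_nat0_outbound
nat (campus-lan) 1 0.0.0.0 0.0.0.0
"""

PHASE_FIELDS = ("Type", "Subtype", "Result")
MATCH_RE = re.compile(r"match ip (?P<src_if>\S+) \S+ \S+ (?P<dst_if>\S+) ")
POOL_RE = re.compile(r"translation to pool (?P<id>\d+) \(No matching global\)")
GLOBAL_RE = re.compile(r"^global \((?P<iface>[^)]+)\) (?P<id>\d+) ", re.M)

def parse_packet_tracer(text):
    """Split packet-tracer text into per-phase dicts plus the final summary dict."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.fullmatch(r"Phase:\s*(\d+)", line)
        if m:
            current = {"phase": int(m.group(1)), "config": [], "info": []}
            phases.append(current)
            section = "fields"
        elif line == "Result:":            # a bare "Result:" opens the summary
            current, section = None, "summary"
        elif section == "summary":
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip()] = value.strip()
        elif current is None:
            continue                        # text before the first phase
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "fields":
            key, sep, value = line.partition(":")
            if sep and key in PHASE_FIELDS:
                current[key.lower()] = value.strip()
        else:
            current[section].append(line)
    return phases, summary

def first_drop(phases):
    """Return the first phase whose Result is DROP, or None."""
    return next((p for p in phases if p.get("result") == "DROP"), None)

def missing_global(phase):
    """For a NAT drop with 'No matching global', return (egress_iface, pool_id)."""
    cfg = "\n".join(phase["config"])
    pool, match = POOL_RE.search(cfg), MATCH_RE.search(cfg)
    if phase.get("type") != "NAT" or not pool or not match:
        return None
    return match.group("dst_if"), int(pool.group("id"))

def global_pools(config_text):
    """Collect (interface, pool_id) pairs from pre-8.3 'global' statements."""
    return {(m.group("iface"), int(m.group("id")))
            for m in GLOBAL_RE.finditer(config_text)}

def diagnose(trace_text, config_text):
    """Summarise where a traced flow was dropped and whether a global exists."""
    phases, summary = parse_packet_tracer(trace_text)
    drop = first_drop(phases)
    if drop is None:
        return {"dropped": False}
    need = missing_global(drop)
    return {
        "dropped": True,
        "phase": drop["phase"],
        "type": drop.get("type"),
        "drop_reason": summary.get("Drop-reason"),
        "needs_global": need,
        "global_present": (need in global_pools(config_text)) if need else None,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE, SAMPLE_CONFIG))
```
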

  • LMS 3.2 - unknown SNMP error for Cisco XR12406

    Hi ,
    I got a RME job alert which describes SNMP RW community verification failure in Device Credentials Verification for Cisco XR12406 router, I have double checked on the credential configured in LMS and it is correct.
    The configuration that i tried in XR12406:
    snmp-server community T3lBruRW RW <acl>   ---> not working
    snmp-server community T3lBruRW RW SystemOwner <acl> ---> not working
    Anyone can help!!!

    Hi Nael, here it is:
    #sh ver
    Sun Nov 28 15:43:14.648 BNT
    Cisco IOS XR Software, Version 3.8.2[00]
    Copyright (c) 2009 by Cisco Systems, Inc.
    ROM: System Bootstrap, Version 12.0(20060713:113510) [sunnaik-31s5th 1.16dev(0.1)] DEVELOPMENT SOFTWARE
    Copyright (c) 1994-2006 by cisco Systems,  Inc.
    CRTH uptime is 8 weeks, 2 days, 20 hours, 45 minutes
    System image file is "disk0:c12k-os-mbi-3.8.2/mbiprp-rp.vm"
    cisco 12406/PRP (7457) processor with 2097152K bytes of memory.
    7457 processor at 1266Mhz, Revision 1.2
    3 Cisco 12000 Series SPA Interface Processor-601/501/401
    2 Cisco 12000 Series Performance Route Processors
    6 Management Ethernet
    12 PLIM_QOS
    4 TenGigE
    15 GigabitEthernet/IEEE 802.3 interface(s)
    1018k bytes of non-volatile configuration memory.
    1998M bytes of compact flash card.
    2048800k bytes of disk0: (Sector size 512 bytes).
    65536k bytes of Flash internal SIMM (Sector size 256k).
    Boot device on node 0/0/CPU0 is mem:
    Package active on node 0/0/CPU0:
    c12k-k9sec, V 3.8.2[00], Cisco Systems, at disk0:c12k-k9sec-3.8.2
        Built on Wed Oct 28 19:00:47 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-lc, V 3.8.2[00], Cisco Systems, at disk0:c12k-lc-3.8.2
        Built on Wed Oct 28 16:27:50 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-fwdg, V 3.8.2[00], Cisco Systems, at disk0:c12k-fwdg-3.8.2
        Built on Wed Oct 28 16:26:44 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-admin, V 3.8.2[00], Cisco Systems, at disk0:c12k-admin-3.8.2
        Built on Wed Oct 28 16:25:55 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-base, V 3.8.2[00], Cisco Systems, at disk0:c12k-base-3.8.2
        Built on Wed Oct 28 16:24:15 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-os-mbi, V 3.8.2[00], Cisco Systems, at disk0:c12k-os-mbi-3.8.2
        Built on Wed Oct 28 16:19:12 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    Boot device on node 0/1/CPU0 is mem:
    Package active on node 0/1/CPU0:
    c12k-k9sec, V 3.8.2[00], Cisco Systems, at disk0:c12k-k9sec-3.8.2
        Built on Wed Oct 28 19:00:47 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-lc, V 3.8.2[00], Cisco Systems, at disk0:c12k-lc-3.8.2
        Built on Wed Oct 28 16:27:50 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-fwdg, V 3.8.2[00], Cisco Systems, at disk0:c12k-fwdg-3.8.2
        Built on Wed Oct 28 16:26:44 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-admin, V 3.8.2[00], Cisco Systems, at disk0:c12k-admin-3.8.2
        Built on Wed Oct 28 16:25:55 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-base, V 3.8.2[00], Cisco Systems, at disk0:c12k-base-3.8.2
        Built on Wed Oct 28 16:24:15 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-os-mbi, V 3.8.2[00], Cisco Systems, at disk0:c12k-os-mbi-3.8.2
        Built on Wed Oct 28 16:19:12 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    Boot device on node 0/2/CPU0 is mem:
    Package active on node 0/2/CPU0:
    c12k-k9sec, V 3.8.2[00], Cisco Systems, at disk0:c12k-k9sec-3.8.2
        Built on Wed Oct 28 19:00:47 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-lc, V 3.8.2[00], Cisco Systems, at disk0:c12k-lc-3.8.2
        Built on Wed Oct 28 16:27:50 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-fwdg, V 3.8.2[00], Cisco Systems, at disk0:c12k-fwdg-3.8.2
        Built on Wed Oct 28 16:26:44 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-admin, V 3.8.2[00], Cisco Systems, at disk0:c12k-admin-3.8.2
        Built on Wed Oct 28 16:25:55 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-base, V 3.8.2[00], Cisco Systems, at disk0:c12k-base-3.8.2
        Built on Wed Oct 28 16:24:15 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-os-mbi, V 3.8.2[00], Cisco Systems, at disk0:c12k-os-mbi-3.8.2
        Built on Wed Oct 28 16:19:12 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    Configuration register on node 0/4/CPU0 is 0x2102
    Boot device on node 0/4/CPU0 is disk0:
    Package active on node 0/4/CPU0:
    c12k-k9sec, V 3.8.2[00], Cisco Systems, at disk0:c12k-k9sec-3.8.2
        Built on Wed Oct 28 19:00:47 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-rout-3.8.2.CSCti62211, V 1.0.0[SMU], Cisco Systems, at disk0:c12k-rout-3.8.2.CSCti62211-1.0.0
        Built on Sat Aug 28 15:36:26 BNT 2010
        By edde-bld1 in /vws/afz/builds/smu_r38x_3_8_2/workspace for c4.2.1-p0
    c12k-rout, V 3.8.2[00], Cisco Systems, at disk0:c12k-rout-3.8.2
        Built on Wed Oct 28 16:28:36 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-lc, V 3.8.2[00], Cisco Systems, at disk0:c12k-lc-3.8.2
        Built on Wed Oct 28 16:27:50 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-fwdg, V 3.8.2[00], Cisco Systems, at disk0:c12k-fwdg-3.8.2
        Built on Wed Oct 28 16:26:44 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-admin, V 3.8.2[00], Cisco Systems, at disk0:c12k-admin-3.8.2
        Built on Wed Oct 28 16:25:55 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-base, V 3.8.2[00], Cisco Systems, at disk0:c12k-base-3.8.2
        Built on Wed Oct 28 16:24:15 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-os-mbi, V 3.8.2[00], Cisco Systems, at disk0:c12k-os-mbi-3.8.2
        Built on Wed Oct 28 16:19:12 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    Configuration register on node 0/5/CPU0 is 0x2102
    Boot device on node 0/5/CPU0 is disk0:
    Package active on node 0/5/CPU0:
    c12k-k9sec, V 3.8.2[00], Cisco Systems, at disk0:c12k-k9sec-3.8.2
        Built on Wed Oct 28 19:00:47 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-rout-3.8.2.CSCti62211, V 1.0.0[SMU], Cisco Systems, at disk0:c12k-rout-3.8.2.CSCti62211-1.0.0
        Built on Sat Aug 28 15:36:26 BNT 2010
        By edde-bld1 in /vws/afz/builds/smu_r38x_3_8_2/workspace for c4.2.1-p0
    c12k-rout, V 3.8.2[00], Cisco Systems, at disk0:c12k-rout-3.8.2
        Built on Wed Oct 28 16:28:36 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-lc, V 3.8.2[00], Cisco Systems, at disk0:c12k-lc-3.8.2
        Built on Wed Oct 28 16:27:50 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-fwdg, V 3.8.2[00], Cisco Systems, at disk0:c12k-fwdg-3.8.2
        Built on Wed Oct 28 16:26:44 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-admin, V 3.8.2[00], Cisco Systems, at disk0:c12k-admin-3.8.2
        Built on Wed Oct 28 16:25:55 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-base, V 3.8.2[00], Cisco Systems, at disk0:c12k-base-3.8.2
        Built on Wed Oct 28 16:24:15 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0
    c12k-os-mbi, V 3.8.2[00], Cisco Systems, at disk0:c12k-os-mbi-3.8.2
        Built on Wed Oct 28 16:19:12 BNT 2009
        By edde-bld1 in /auto/srcarchive3/production/3.8.2/c12k/workspace for c4.2.1-p0

  • Certificate authentication for Cisco VPN client

    I am trying to configure the Cisco VPN client for certificate authentication on my ASA 5512-X. I have it set up currently for group authentication with a shared pass. This works fine. But in order for you to pass PCI compliance you cannot allow aggressive mode for IKEv1. The only way to disable aggressive mode (and use main mode) is to use certificate authentication for the VPN client. I know that someone out there must be doing this already. I am going round and round with this. I am missing something.
    I have tried as I might and all I can get are some cryptic error messages from the client and nothing on the firewall, i.e. failed to generate signature, invalid remote signature id. I have tried using different signatures (one built on the ASA and bought from GoDaddy, one built from a Windows CA, and one self-signed).
    Can someone provide the instructions on setting this up (ASDM or CLI)? Can this even be done? I would love to just use the AnyConnect client but I believe you need licensing for that since our system states only 2 allowed. Thank you for your help.

    Dear Doug,
    What ASA code are you running on the ASA hardware? For Cisco AnyConnect you need to have code 8.0 on your hardware with the Cisco AnyConnect Essentials license enabled. Paste me your show version and I will help you work out whether you need to procure a license for your hardware. By default your hardware will be shipped with the AnyConnect Essentials license when you have ordered your hardware with ASA code above 8.0.
    With AnyConnect Essentials you are allowed to use up to the total VPN peers allowed based on your hardware.
    1) What is the AnyConnect Essentials License?
    The AnyConnect Essentials is a license that allows you to connect up to your 'Total VPN Peers' platform limit with AnyConnect. Without an AnyConnect Essentials license, you are limited to the 'SSLVPN Peers' limit on your device. With the AnyConnect Essentials license, you can only use AnyConnect for SSL; other features such as CSD (Cisco Secure Desktop) and using the SSLVPN portal page for anything other than launching AnyConnect are restricted.
    You can see your limits for the various licensing by issuing the 'show version' command on your ASA.
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          : Disabled 
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    Licensed features for this platform:
    Maximum Physical Interfaces    : Unlimited
    Maximum VLANs                  : 150      
    Inside Hosts                   : Unlimited
    Failover                       : Active/Active
    VPN-DES                        : Enabled  
    VPN-3DES-AES                   : Enabled  
    Security Contexts              : 2        
    GTP/GPRS                       : Disabled 
    SSL VPN Peers                  : 2        
    Total VPN Peers                : 750      
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled 
    AnyConnect for Cisco VPN Phone : Disabled 
    AnyConnect Essentials          :  Enabled
    Advanced Endpoint Assessment   : Disabled 
    UC Phone Proxy Sessions        : 2        
    Total UC Proxy Sessions        : 2        
    Botnet Traffic Filter          : Disabled
    AnyConnect VPN configuration:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808efbd2.shtml
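The licence check described in the reply above, as an added example that is not part of the original post: a Python sketch that parses the "Licensed features" block of `show version` and reports which peer limit applies to AnyConnect sessions under the rule the reply states. The sample text is constructed from the listing above, the function names are hypothetical, and the feature labels are assumed to match that listing.

```python
import re

# Constructed sample: a shortened "Licensed features" block in the layout
# shown in the reply above.
SAMPLE = """\
Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
SSL VPN Peers                  : 2
Total VPN Peers                : 750
AnyConnect Essentials          : Disabled
Botnet Traffic Filter          : Disabled
"""


def parse_licensed_features(text):
    """Return {feature: value} for the lines after the 'Licensed features' header."""
    features, in_block = {}, False
    for line in text.splitlines():
        if line.strip().lower().startswith("licensed features"):
            in_block = True
            continue
        if not in_block:
            continue
        m = re.match(r"^\s*(.+?)\s*:\s*(\S.*?)\s*$", line)
        if not m:
            if features:
                break  # first non "name : value" line ends the block
            continue
        features[m.group(1)] = m.group(2)
    return features


def anyconnect_session_limit(features):
    """Apply the rule from the reply: with AnyConnect Essentials enabled the
    limit is 'Total VPN Peers', otherwise it is 'SSL VPN Peers'."""
    essentials = features.get("AnyConnect Essentials", "Disabled").lower() == "enabled"
    key = "Total VPN Peers" if essentials else "SSL VPN Peers"
    if key not in features or not features[key].isdigit():
        raise ValueError(f"no numeric '{key}' line in the licence block")
    return key, int(features[key])


if __name__ == "__main__":
    key, limit = anyconnect_session_limit(parse_licensed_features(SAMPLE))
    print(f"AnyConnect sessions are capped by {key}: {limit}")
```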

  • I have an Airport Extreme with an HP Folio laptop and Canon PIXMA MX882 printer. When I am VPN'd in thru Cisco VPN and try to print, the wireless print connection stops. I un-VPN and it prints. Then I have to go back into VPN to continue? How do I configure

    I have an Airport Extreme wireless router, HP Folio laptop (company supplied) and a Canon PIXMA MX882 wireless printer, copier, scanner and fax.
    When I am VPN'd in thru Cisco VPN to my company intranet site I cannot print wirelessly. I have to turn off VPN, print and log back into the company intranet site. Is there a way to configure the router so that it is not blocking the signal?
    Tx

    The problem is not the router.. the issue is the VPN has put your computer in a different IP range with a different gateway. When you turn off the VPN the computer returns to the local LAN and can print.
    Some VPN software allows you to set the gateway to use the local net instead of the remote gateway for access to other websites or the local LAN.
    Read up on the issue.
    http://stevejenkins.com/blog/2010/01/using-the-local-default-gateway-with-a-windows-vpn-connection/
    Cisco vpn client..
    https://supportforums.cisco.com/thread/239113
    I did not search much.. just grabbed the first article I could find that explains the issue.
    The whole point of the vpn is whilst it is connected your computer is NOT part of the Local Lan .. it is part of the Remote LAN via the vpn tunnel.
    It is also a security risk using split tunnelling so often it will not be allowed.
    Plug the printer directly into the computer via usb or whatever.. Local connection will work.. not local lan.

  • What's "SAVE" configuration command for Cisco switch/ router?

    What's the "SAVE" configuration command for a Cisco switch / router? I know Switch#copy running-config startup-config works well,
    but it is so long. Is there any other command that is easy to remember?

    Yes, here: Switch#write. And if you want to know more about Cisco switches, please visit: http://www.3anetwork.com/cisco-switches-price_c1
