Debug IP Policy on Cisco 4451-X ISR Router

A Cisco 4451-X ISR router is running IOS XE Software version 03.13.00.S. I am trying to run the command "debug ip policy" on the router to verify whether traffic is policy-routed correctly, but I get no output displayed on the router for the debug command. I am connected via a console cable and logging console is enabled. How do I get the debug output to display on the router for monitoring? Thanks.

Actually, you can use a TFTP server...
First of all, create a text file using a text editor (call it 'dhcpstatic', for instance) with the following contents (don't include the dashes):
*time* Jan 21 2005 03:52 PM
*version* 1
!IP address Type Hardware address Lease expiration
172.16.12.100 /24 1 0011.4342.e9a5 Infinite
Then do the following:
no service dhcp
ip dhcp pool pool1
 network 172.16.12.0 255.255.255.0
 domain-name xxxdomain.com
 dns-server 172.16.12.20 172.16.12.21
 netbios-name-server x.x.x.x
 default-router 172.16.12.1
 lease 0 12
 origin file tftp:///dhcpstatic
Then do a 'service dhcp'...
Once you have this working, we can do a further optimisation by storing the file on your switch so that you don't need to use a TFTP server...
Hope that helps - pls rate the post if it does.
Paresh

Similar Messages

  • Simple remote connection using Cisco AnyConnect and ISR router

    Hi all,
    I am just wondering what the easiest and simplest method would be to make remote PCs (running Cisco AnyConnect) establish a VPN IPsec to a Cisco ISR (881/887, 1900s,2900s series). I used to use EasyVPN method (simple and fast to configure and no need for special licences other than crypto licence) but since Cisco VPN Client is no longer supported I had to resort to WebVPN which requires a licence depending on the number of clients to support (SSL licences for 10,20 users and so forth). I've read a bit about FlexVPN but I can't find an easy example to what I want to do. The closest is this one (FlexVPN and Anyconnect IKEv2 Client Configuration Example):
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115941-flexvpn-ikev2-config-00.html
    But that example makes use of RADIUS. Is there a way to make use of local database (users configured on the router) instead of RADIUS?
    Basically what I am after is the following
    - Remote users install Cisco AnyConnect to establish a VPN connection to HQ
    - HQ ISR (880s, 1900s, 2900s) terminates those VPN connections and allows access to local resources (shared drives, applications...). Authentication method would be the local database on the router. No need for RADIUS/ACS as this is for very small companies with no IT resources to maintain and configure a RADIUS/ACS server.
    I think what I need is this AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example:
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html
    But the example is too high-level for me to follow; basically I don't know how to generate such certificates and distribute them to remote clients.
    Any help as to how to create such certificates or how to configure FlexVPN to just requiring the user to enter usr/pass (using local database not RADIUS nor ACS) would be highly appreciated.
    Cheers
    Alvaro

    If you insist .. try this:
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116032-flexvpn-aaa-config-example-00.html
    http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
    http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

  • Can we download ISE Profile Policy from Cisco?

    The ISE comes with certain profile policies. Can we download the profile policy from Cisco as new devices come into the market?

    Yes, you can.  jan.nielson is correct that the Profile Feed Service will allow for this.  Be advised that the Feed Service does require a Plus license for activation.  Here is a snippet from the ISE 1.3 Admin Guide:
    To activate the Feed Service, go to Administration > Feed Service > Profiler.  Enable the checkbox for Enable Profiler Feed Service, fill out the rest of the options (optional) and click Save.
    Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question.  Otherwise, feel free to post follow-up questions.
    Charles Moreton

  • MPLS CE support on Cisco 2800 ISR router

    Hi all, could I ask you for some hints about MPLS CE support on Cisco 2800 ISR router today? I'm looking for restrictions and recommendations for feature implementation. Do you have any Cisco web site about them?
    Thank you for your advice and/or hints.
    Peter

    Thanks for an answer. I need to use a multi-VPN model on the CE router, but with QoS on one physical CE-PE connection (e.g. Frame-Relay DLCI). However, all VPNs on the CE router must be secured for each one. The solution is the Multi-VRF service feature, but, however, with a multi-DLCI model on Frame-Relay and QoS per DLCI. Now, I'm looking for a scenario to provide a multi-VPN model on the CE router with a single-DLCI model and single QoS per one DLCI for all VPNs. And for that, the MPLS CE feature on C2800 could be used, if possible.
    So, I don't know more about MPLS CE on C2800 and I don't know how to make a result for the proposed solution...

  • DMVPN Configuration with ASA 5510 In Front of Cisco 877-K9 HUB Router

    Hi Guys,
    I'm in a mess, I have a Cisco 877-K9 router which sits behind an ASA 5510 FW.
    The Design :
    Cisco 877-K9 DSL router (DSL with Static IP) ( DMVPN HUB )
    ||
    ASA 5510 Firewall (Outside INT with Static IP / Inside INT LAN) (PAT & ACL)
    ||
    Switch
    ||
    LAN
    Now my problem is, my DMVPN configuration works just fine, I'm able to ping from my Cisco 877 to any Spoke and vice versa.
    I'm also able to ping from my LAN to any Spoke Tunnel IP, but I'm not able to ping any LAN IP at a Spoke site nor am I able to ping my LAN from any Spoke site.
    I've googled a lot but have only come across designs where the ASAs are behind the Cisco routers and not in front.
    Any help in this regards is highly appreciated. I really need this to work. Attached are the config files....
    Thanks,
    Aj.

    Thanks to both of you guys for replying. I should've been more descriptive in my initial post, but just thought of getting more ideas.
    All the troubleshooting was done before posting the problem, and to clarify things, please find the results below.
    1) what RProtocol r u using?
    a) It's OSPF
    2) if ur using OSPF, try show ip route on the hub and spoke to verify the hub/spoke routes are learned via OSPF
    a) I did the "show ip route" and both the HUB and Spokes get their routes defined
        (on the HUB if I used "network 192.9.201.0 255.255.255.0 area 0" I couldn't get routes advertised on spokes)
        (I changed to "redistribute static subnets" and I was able to get Hub routes advertised)
    3) are your tunnels config correctly? try show crypto ipsec sa
    a) They are as they should be and "show crypto ipsec sa" comes up with proper in/out encrypted data
    4) on your hub'spoke do a debug ip icmp
    a) Did that as well, and If I do a debug on a Spoke and ping from my HUB to that spoke on the tunnel IP, I get proper src/dest results, but If I ping from HUB to Spoke on a client IP behind the Spoke, It pings but does not show any result on the Spoke debug.
    I'm able to ping all the Spoke's Tunnel IPs and clients behind the Spokes from the HUB router, but not from either the ASA nor the clients on my LAN.
    Additional to the info above, Please also note :
    I did notice something that, from my HUB router, which is also my DSL Modem, I'm unable to ping any clients behind the ASA.
    So I guess I'm stuck on the point that my Cisco HUB is unable to talk to my LAN. If I can get the HUB to talk to the internal LAN, I would be able to ping clients on LAN from any Spoke or clients behind Spokes.
    From HUB router I'm able to ping clients behind Spokes.
    Does that give any Ideas ?
    Thanks in Advance.
    Aj.

  • ISR router EIGRP Route Tag

    Hi,
    Wondering if anyone has successfully set a route tag for EIGRP routes?
    What I am trying to achieve here is to set route tag for the summary routes of the connected interfaces and subnets of some other connected interfaces.
    Let's say an ISR router R1 with IOS 15.1(4)M3 has three interfaces running with EIGRP.  
    Interface Gi0/0 
    ip add 172.16.0.1/24
    summary-add 172.16.0.0/16
    Interface Gi0/1 
    ip add 172.16.1.1/24
    summary-add 172.16.0.0/16
    Interface Gi0/2 
    ip add 192.168.2.1/24
    I am having difficulty setting a route tag for summary add 172.16.0.0/16 and 192.168.2.0/24 before they get advertised to another router.
    Any idea please?
    Thanks
    Cedar

    Duplicate posts.  
    Go here:  https://supportforums.cisco.com/discussion/12256521/isr-router-eigrp-route-tag

  • ISR Router Official Throughput Datasheet

    Dear Sir,
    Where can I find the official throughput datasheet for ISR Router?
    Best Regards,
    Satavee

    I hope this is what you want:
    http://www.cisco.com/application/pdf/en/us/guest/products/ps5854/c1650/cdccont_0900aecd80169b0a.pdf

  • EEM ON ISR router

    I want to configure the ISR router to send the top 10 CPU and memory utilization every two hours to my email address. I went through too many documents and I found a lot of solutions which are confusing me; some of them use a cron job, some of them use OIDs and others use Tcl scripts.
    Please assist me in the easiest way.
    Thanks

    This EEM Tcl policy should do what you want.  Before installing it, you will need to set some environment variables, though:
    # mem_cpu_time      : Number of seconds between executions of this policy.
    #
    # mem_cpu_num_lines : Number of lines to include in the output.
    #
    # _email_server     : SMTP server used to send email.
    #
    # _email_from       : Email address from which email will be sent.
    #
    # _email_to         : Email address(es) to which email will be sent.
    #
    # _email_cc         : (optional) Email address(es) to which email will be
    #                     carbon copied.
    For example, in "config t" mode:
    event manager environment mem_cpu_time 7200
    event manager environment mem_cpu_num_lines 10
    event manager environment _email_server 10.1.1.1
    event manager environment _email_from [email protected]
    event manager environment _email_to [email protected]
    event manager environment _email_cc [email protected]
    That configuration will run the policy every two hours, and send the top 10 lines of "show proc mem sorted" and "show proc cpu sorted" via email to [email protected] and [email protected]

  • Welcome to the Cisco CSR (Cloud Service Router) Discussion Forum

    Welcome to the Cisco CSR (Cloud Service Router) Discussion Forum!
    This forum helps CSR users interact, share knowledge and build communities with one another.
    We hope you enjoy participating in the CSR discussion forum!
    Best Regards,
    Cisco CSR Product Team

    Hi, I have a question on SQL database high availability. I have tried using database mirroring, where I am using SQL Standard edition. In this edition, database mirroring in synchronous mode is the only option available, and it is giving problems, like SQL time-out errors on my applications since I put in the database mirroring. As asynchronous is only available on the Enterprise version, are there any suggestions on this? Thanks ---vijay

  • Cisco or Linksys DSL router that will work with Windows XP Pro?

    Any suggestions for a CISCO or LINKSYS DSL router to replace a Zyxel (Century Link) PK5001Z? System is Windows XP Pro, 20 wireless and wired devices connected (including 6 CISCO WVC210 IP cameras). The Zyxel forwards as many ports as I want, but will only open a limited number of the ports. This limits my access thru the internet (local network sees all cameras). Zyxel support is unable to help.

    Hi Edward, if you're looking for a modem/router combo device, Cisco offers the SRP500 series. However this product is EOS/EOL. The small business product line does not have any other DSL termination router aside the SRP series. If your goal is to use a DSL modem and then have a router, you may want to consider RV325 router as it is very feature rich and quite robust.
    -Tom
    Please mark answered for helpful posts

  • Web filtering on Cisco 867 VAE K9 router

    Hi,
    How do I enable web filtering on a Cisco 867 VAE K9 router with the 15.1(4)M4 release? I have a message on the router: Content Filter unvailable ....
    thanks.

    Anthony,
    Yes, it does HTTPS inspection and the portal also blocks based on categories (Social Networking, Gambling, to name a few examples), IP address and domain name.
    Get in touch with your Cisco Account Team or Cisco Partner/Reseller and get an evaluation.
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach us"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Urgent!!! Cisco ACE and asymmetric routing assistance needed

    I am wondering if someone can give me pointers on the Cisco ACE
    and asymmetric routes. I've attached the diagram:
    -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
    -Firewall External interface is 192.168.15.1/24,
    -Firewall Internal interface is 192.168.192.1/24,
    -F5_BigIP External interface is 192.168.192.4/24,
    -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
    -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
    -Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
    pointing to the F5_BigIP,
    -host_y is dual-home to both VLAN_A and VLAN_B with the default
    gateway on host_y pointing to VLAN_A which is 192.168.196.1,
    -host_x CAN ssh/telnet/http/https to both of host_y IP addresses
    of 192.168.196.10 and 192.168.197.10.
    In other words, from host_x, when I try to connect to host_y
    via IP address 192.168.197.10, the traffic will go through VLAN_B
    but the return traffic will go through VLAN_A. Everything
    is working perfectly for me so far.
    Now the customer has just replaced the F5_BigIP with a Cisco ACE. Now,
    I could not get it to work with the asymmetric route on the Cisco ACE. In
    other words, from host_x, I can no longer ssh or telnet to host_y
    via IP address 192.168.197.10.
    Does anyone know how to get an asymmetric route to work on Cisco ACE?
    Thanks in advance.

    That won't work because ACE uses the vlan id to distinguish between flows.
    So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
    Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
    You would need to force your host to respond on the same vlan the traffic came in.
    This could be done with client nat on ACE using different nat pool.
    Gilles.
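
A simplified model of the behaviour described in the answer above, added here as an example and not taken from the thread or from ACE itself: a flow table keyed on VLAN drops the asymmetric reply, and a per-VLAN client NAT pool brings the reply back on the same VLAN. The client address `10.0.0.50` and the pool address `192.168.197.200` are constructed; the subnets and host_y addresses are those in the question.

```python
import ipaddress

# Subnets and host_y addresses come from the question; the client address and
# the NAT pool address below are constructed for illustration.
VLANS = {
    "VLAN_A": ipaddress.ip_network("192.168.196.0/24"),
    "VLAN_B": ipaddress.ip_network("192.168.197.0/24"),
}
DEFAULT_GW_VLAN = "VLAN_A"  # host_y's default gateway is 192.168.196.1


def vlan_for(addr):
    """VLAN used to reach addr: on-link if in a server subnet, else the default gateway's VLAN."""
    ip = ipaddress.ip_address(addr)
    for vlan, net in VLANS.items():
        if ip in net:
            return vlan
    return DEFAULT_GW_VLAN


class VlanKeyedFlowTable:
    """Toy stateful device whose flow key includes the VLAN (not ACE's real data structure)."""

    def __init__(self, nat_pools=None):
        self.flows = set()
        self.nat_pools = nat_pools or {}  # egress VLAN -> source NAT address

    def to_server(self, src, sport, dst, dport):
        vlan = vlan_for(dst)                 # egress VLAN follows the server IP
        src = self.nat_pools.get(vlan, src)  # client NAT, if a pool is configured
        self.flows.add((vlan, dst, dport, src, sport))  # expected return flow
        return vlan, src

    def from_server(self, vlan, src, sport, dst, dport):
        """True if the returning packet matches a flow on the VLAN it arrived on."""
        return (vlan, src, sport, dst, dport) in self.flows


def connect(table, client, server, sport=40000, dport=22):
    """Return (request VLAN, reply VLAN, reply accepted)."""
    out_vlan, seen_src = table.to_server(client, sport, server, dport)
    back_vlan = vlan_for(seen_src)  # host_y routes the reply by its destination
    accepted = table.from_server(back_vlan, server, dport, seen_src, sport)
    return out_vlan, back_vlan, accepted


CLIENT = "10.0.0.50"  # constructed host_x address
if __name__ == "__main__":
    print(connect(VlanKeyedFlowTable(), CLIENT, "192.168.197.10"))
    print(connect(VlanKeyedFlowTable({"VLAN_B": "192.168.197.200"}), CLIENT, "192.168.197.10"))
```

Without NAT the reply leaves host_y via its default gateway on VLAN_A and finds no matching flow; with the VLAN_B pool the reply destination is on-link in 192.168.197.0/24, so it returns on VLAN_B and matches.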

  • Cisco RV320 DUAL WAN router USB setup with Telstra 4G MF823

    I am trying to set up a Cisco RV320 DUAL WAN router to work with my prepaid Telstra 4G MF823 device. Could you please assist? My settings are as follows:
    Interface: USB2
    Connection Type: 3G/4G
    PIN Code:
    Confirm PIN Code:
    USB Connection Status: 3G/4G modem is not available.
    Access Point Name: telstra.internet
    Dial Number:
    Username:
    Password:
    Enable DNS
    DNS Server (Required): 8.8.8.8
    DNS Server (Optional): 8.8.4.4
    MTU:AutoManualB

    Hi oz000,
    Unfortunately we don't have anyone here to assist with this particular issue. Our team here provides assistance for the device standalone, we ensure that the 4G device connects to the network and functions correctly on its own.
    -Matt W
     

  • 1841 ISR Router and Client VPN

    Hi,
    Can I terminate VPN clients on a 1841 ISR Router? What are the requirements for that, e.g. IOS version, DRAM or Flash?
    Plz Help
    Regards

    sanjay
    You should certainly be able to terminate VPN client sessions on an 1841 router. For 1841 you need either 12.3T or 12.4 code. For feature set you need something like Advanced Security or Advanced IP Services. These require 128 MB memory and 32 MB flash, which is the default amount of memory and flash that ship with the router.
    HTH
    Rick

  • Billing in ISR router 2821

    Hi,
    Is it actually possible to do the billing on an ISR router without using CME, like terminating the VoIP traffic on a 2821 router and then sending it to Voice PRI? I will only need billing; there won't be any CME. Please also suggest any billing software.

    Hi,
    Actually I won't be using CME. I will only be terminating the voice traffic from the WAN link and sending it to the PSTN. Can I still use third-party billing software for that purpose?
