New to Cisco

Similar Messages

• New to Cisco, ASA5505 Help

  Afternoon guys,
  I have decided I want to learn Cisco so made the decision to pick up a used ASA 5505 from ebay and use it as my main firewall/router. I have it installed and working but have a few questions about configuration, as some of what i have done seems like a very inefficient way of setting things up.
  My Basic config is this
  O2 ADSL Modem in bridge only mode  192.168.1.254 > ASA 5505 Public Static IP >ASA Inside 192.168.1.1 > Rest of internal LAN.
  I have spotted this blog post that details how to get to the modems WebUI through a Cisco router, But i am not sure how I would implement it in my network setup so would like advice on this.
  http://en.tiagomarques.info/2011/05/access-your-modem-webui-behind-a-cisco-router-bridged-configuration/
  O2 Modem IP: 192.168.1.254 ASA inside IP: 192.168.1.1Apple Airport: 192.168.1.2 (Wireless Bridge)LAN : 192.168.1.0/24 (VLAN 1)
  The other thing I would like to ask is about PAT, I have configured it to allow Ports 3074TCP/UDP and 88TCP inbound to my Xbox to allow Xbox live to work. But I would like to know if there is a better way to do this using object groups.
  This is currenlty how I set it up,
  object network xbox_udp_3074host 192.168.1.5nat (inside,outside) static interface service udp 3074 3074exitaccess-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074object network xbox_tcp_3074host 192.168.1.5nat (inside,outside) static interface service tcp 3074 3074exitaccess-list acl_outside extended permit udp any object xbox_tcp_3074 eq 3074object network xbox_udp_88host 192.168.1.5nat (inside,outside) static interface service udp 88 88exitaccess-list acl_outside extended permit udp any object xbox_udp_88 eq 88
  What I would like to know is there a better more efficient way of setting this up as I have 3 network objects with 3 NAT statements and 1 ACL.
  Finally I have attempted to configure a Client VPN on the ASA and it works and connects but the problem is it only appears to let web traffic through. If i connect using the VPN built into my iPhone and try a ping using using Ping Lite app i dont get any responce's. but if you open safari and put in 192.168.1.4 I get the WebUI of my NAS device if i try to RDP to my home server the connection times out. If i drop the VPN and connect to Wifi i can ping and RDP from my phone ok so it must be a config problem.
  Below is my full config I have masked the password and cryptochecksum
  : Saved: Written by enable_15 at 02:08:45.939 GMT Sat Apr 21 2012!ASA Version 8.4(3) !hostname warrillow-asa1domain-name warrillow.localenable password (Masked) encryptedpasswd (Masked) encryptednames!interface Ethernet0/0 description physical connection to O2 Box IV switchport access vlan 2!interface Ethernet0/1!interface Ethernet0/2!interface Ethernet0/3!interface Ethernet0/4!interface Ethernet0/5!interface Ethernet0/6!interface Ethernet0/7!interface Vlan1 description to inside VLAN nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 !interface Vlan2 description to outside interface (O2 Modem) nameif outside security-level 0 ip address (Public Static IP) 255.255.254.0 !ftp mode passiveclock timezone gmt 0clock summer-time GMT recurringdns server-group DefaultDNS domain-name warrillow.localobject network obj_any subnet 192.168.1.0 255.255.255.0object service playOn service tcp destination eq 57331 object service service_xbox_udp_88 service tcp destination eq 88 object network HomeServer_tcp_57331 host 192.168.1.250object network xbox_udp_3074 host 192.168.1.5object network xbox_tcp_3074 host 192.168.1.5object network xbox_udp_88 host 192.168.1.5object-group icmp-type DefaultICMP description Default ICMP Types permitted icmp-object echo-reply icmp-object unreachable icmp-object time-exceededobject-group service xbox_live tcp-udp port-object eq 3074 port-object eq 88object-group protocol TCPUDP protocol-object udp protocol-object tcpaccess-list acl_outside extended permit icmp any any object-group DefaultICMP access-list acl_outside extended permit tcp any object HomeServer_tcp_57331 eq 57331 access-list acl_outside extended permit udp any object xbox_udp_3074 eq 3074 access-list acl_outside extended permit tcp any object xbox_tcp_3074 eq 3074 access-list acl_outside extended permit udp any object xbox_udp_88 eq 88 pager lines 24mtu inside 1500mtu outside 1500ip local pool vpnpool 10.0.0.2-10.0.0.200 mask 255.255.255.0icmp unreachable rate-limit 1 burst-size 1icmp permit any echo-reply outsideno asdm history enablearp timeout 14400!object network obj_any nat (inside,outside) dynamic interfaceobject network HomeServer_tcp_57331 nat (inside,outside) static interface service tcp 57331 57331 object network xbox_udp_3074 nat (inside,outside) static interface service udp 3074 3074 object network xbox_tcp_3074 nat (inside,outside) static interface service tcp 3074 3074 object network xbox_udp_88 nat (inside,outside) static interface service udp 88 88 access-group acl_outside in interface outsideroute outside 0.0.0.0 0.0.0.0 (Public Static IP) 1timeout xlate 3:00:00timeout pat-xlate 0:00:30timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolutetimeout tcp-proxy-reassembly 0:01:00timeout floating-conn 0:00:00dynamic-access-policy-record DfltAccessPolicyuser-identity default-domain LOCALaaa authentication ssh console LOCAL http server enablehttp 192.168.1.0 255.255.255.0 insideno snmp-server locationno snmp-server contactsnmp-server enable traps snmp authentication linkup linkdown coldstart warmstartcrypto ipsec ikev1 transform-set strong-des esp-3des esp-md5-hmac crypto dynamic-map dynmap 30 set ikev1 transform-set strong-descrypto map warrillow 65535 ipsec-isakmp dynamic dynmapcrypto map warrillow interface outsidecrypto isakmp identity address crypto ikev1 enable outsidecrypto ikev1 policy 11 authentication pre-share encryption 3des hash md5 group 2 lifetime 86400telnet 192.168.1.0 255.255.255.0 insidetelnet timeout 30ssh 192.168.1.0 255.255.255.0 insidessh timeout 30console timeout 30threat-detection rate syn-attack rate-interval 600 average-rate 30 burst-rate 45threat-detection rate syn-attack rate-interval 3600 average-rate 80 burst-rate 160threat-detection basic-threatthreat-detection scanning-threat shun duration 3600threat-detection statisticsthreat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200webvpngroup-policy Warrillow internalgroup-policy Warrillow attributes wins-server none dns-server value 192.168.1.250 vpn-idle-timeout 120 vpn-tunnel-protocol ikev1 default-domain value warrillow.localusername mattw password (Masked) encrypted privilege 15tunnel-group Warrillow-VPN type remote-accesstunnel-group Warrillow-VPN general-attributes address-pool vpnpool default-group-policy Warrillowtunnel-group Warrillow-VPN ipsec-attributes ikev1 pre-shared-key *****!class-map inspection_default match default-inspection-traffic!!policy-map type inspect dns preset_dns_map parameters  message-length maximum client auto  message-length maximum 512policy-map global_policy class inspection_default  inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect rsh   inspect rtsp   inspect esmtp   inspect sqlnet   inspect skinny    inspect sunrpc   inspect xdmcp   inspect sip    inspect netbios   inspect tftp   inspect ip-options class class-default  user-statistics accounting!service-policy global_policy globalprompt hostname context no call-home reporting anonymoushpm topN enable
  EDIT: to remove public IP from config posted

  Hi,
  Adding the following configurations should allow ICMP through the ASA (for the echo-reply to come through also without using ACL)
  policy-map global_policy class inspection_default
      inspect icmp
  Unless you had already added this.
  You might also find the following documents/video helpfull. It shows off some of the common NAT configurations. This was mostly to help the people that were moving from the old to the new format. But it should be helpfull to you also. I know I sometimes double check there.
  Document: https://supportforums.cisco.com/docs/DOC-9129
  Video: https://supportforums.cisco.com/docs/DOC-12324 (also has a link to the above document)
  Regarding the NAT configurations for modem management, I cant guarantee this will work but the first configuration that came to mind is the following (kind resembles the NONAT configuration)
  Though I'm not really sure if this would work as the LAN network and the outside management IP is from the same network. But you can always try.
  object network LAN
    subnet 192.168.1.0 255.255.255.0
  object network MODEM-MANAGEMENT
  host 192.168.1.254
  nat (inside,outside) source static LAN LAN destination static MODEM-MANAGEMENT MODEM-MANAGEMET
  - Jouni

• New Features: Cisco Technical Support Mobile App v3.6

  Cisco Technical Support Mobile App v3.6 - New Features:
  On Monday, May 12th, a new version of the Cisco Technical Support mobile application was released with the following new features:
  Aggregated Content For More Than Six Thousand Products
  Select from one of more than six thousand models to access aggregated support documentation, software downloads, and Cisco Support Community content within "Product Information". It is like having your own personal library in the palm of your hand.  
  Pocket Integration
  Send In-App content to your Pocket (Read-It-Later) account for easy, synchronized access across all your devices. As Darren Murph describes on BGR.com, you can further enhance your experience with IFTTT to automate content archival from your Pocket account to several other channels including Evernote, Instapaper, Dropbox, and Box.net. 
  For more Information
  Pocket: http://www.getpocket.com
  IFTTT: http://www.ifttt.com
  IFTTT Pocket Recipes: https://ifttt.com/recipes?channel=pocket#popular​
  Support Contract Expiration Reminders
  With your permission, event reminders can be added to your calendar 90 and 60 days prior to your support contracts expiring. Keeping your contracts up to date ensures non interrupted access to Cisco TAC. 
  And there's more…
  Users with active support contracts can view, update and create support cases, track and initiate RMA Returns, and research software bug information. Stay up to date with the latest offerings from Cisco through several Video, Podcasts and RSS Feeds.
  How to Download the App
  The app can be found by searching for "Cisco Technical Support"in either the iTunes or Google Play App Stores. Direct links to the app are provided below:
  iOS: https://itunes.apple.com/us/app/cisco-technical-support/id398104252?mt=8
  Android: https://play.google.com/store/apps/details?id=com.cisco.swtg_android&hl=en

  Hi Jessica,
  On the iOS mobile app, communities with sub-communities are identified by a blue arrow next to the community.  If you tap on the community name you will be taken to the community, if you tap on the blue arrow you will be taken to the sub-communities within that parent community.  For Android tapping on the arrow next to the community name will expand that community to show any sub-communities underneath it.  I hope this helps.
  Thanks,
  Kent

• What's New in Cisco Active Advisor?

  Hello folks,
  A new version of CAA is up, with a bunch of new features and bug fixes. Here’s a glimpse of the new features added recently.
  1) Delete devices
  Devices on your inventory list can now be deleted.
  Simply select the devices to delete and click the Trash icon at the top of the list.
  You will be asked to confirm your delete request.
  2) Enabled Features
  Quickly discover your devices’ enabled features using CAA! All IOS devices that enter your inventory list are now scanned for their enabled features.
  In the device’s window, you’ll find a new tab named ‘Enabled Features’
  Clicking this tab will show all the features that are enabled on your IOS device, ordered by Technology and Features.
  Clicking on the various Technology names will open up a new window that shows all available features under that category.
  3) Line cards and modules
  Good news! Now line cards and modules on your switches and routers will be discovered and displayed in CAA.
  In the inventory list, some devices will have the line card and modules icon
  This indicates that CAA has discovered line cards or modules on your chassis.
  Clicking this icon will lead you to the list of discovered modules. There you will see its status information, as well as relevant lifecycle data.
  When you go into the device overview window, click the same icon to see the line cards and modules list.
  Please note that there is a color code to the line cards and modules icon.
  Red indicates that CAA has found lifecycle alerts on one or more of your modules
  Blue indicates that no lifecycle alerts have been found.
  Please let us know what you think of these feature additions and of Cisco Active Advisor in general!
  We'd love to hear your thoughts and feedback!
  Thanks,
  The CAA Team

  Bug fixes.
  Type "ios 6.0.2" into the search bar at the top of this page by Support and read for yourself.

• AIRONET 1260 with new radius cisco ACS 4.x

  Hi, I have a new CISCO AIRONET 1260
  I have CISCO ACS 5.1 radius for VPN on ASA and tried to configure an NDG on it for AIRONET 1260 too and worked fine with IEEE 802.1x CISCO EAP-FAST authentication
  As I had some trouble to let users to authenticate only on VPN if are VPN users and only on CISCO AIRONET if need only WIFI AIRONET
  I tried exception policies rules but something not working. VPN was ok but not WIFI access denied for rule policy access
  I decided to install CISCO ACS 4.x on Windows 2003 that is on ACS 5 DVD
  I created NDG as done on ACS 5 put a shared secret , put on AIRONET too as done for ACS 5 but I receive an error against ACS 4.x
  To troubleshout it I tried
  http://www.cisco.com/en/US/partner/tech/tk722/tk720/technologies_configuration_example09186a00807bf3c8.shtml
  but not work ! I think to have done all fine owever on ACS 5 it worked in 5 minutes
  I searched log inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this:
  https://supportforums.cisco.com/docs/DOC-3991
  Changed shared secret more times but ever not workign with ACS 4
  what's wrong?
  I need to have user and password prompt on client trying to authentincate on AIRONET WIFI and I need ACS INTERNAL USER no active directory, no LDAP , no external user database

  I have solved

• Fairly new to cisco ASA 5505 - Can someone look through my config?

  Hi.
  Can some one tell me if I did the NAT part right? Both dynamic and static.
  To be able to reach one vlan from another I created a Nat between them, is this the right way to do it?
  I can still limit the access between the vlans based on the access list.
  I also getting slow throughput over the VPN tunnel. Is there something wrong with my config. I used the wizard to set it up. There is also a cisco asa5505 on the other end.
  If there is some thing else that seems wrong, please let me know.
  Any help would be greatfully appreciated!
  Config:
  : Saved
  ASA Version 7.2(2)
  hostname ciscoasa
  domain-name default.domain.invalid
  enable password x encrypted
  names
  name 192.168.1.250 DomeneServer
  name 192.168.1.10 NotesServer
  name 192.168.1.90 OvServer
  name 192.168.1.97 TerminalServer
  name 192.168.1.98 w8-eyeshare
  name 192.168.50.10 w8-print
  name 192.168.1.94 w8-app
  name 192.168.1.89 FonnaFlyMedia
  interface Vlan1
  nameif Vlan1
  security-level 100
  ip address 192.168.200.100 255.255.255.0
  ospf cost 10
  interface Vlan2
  nameif outside
  security-level 0
  ip address 79.x.x.226 255.255.255.224
  ospf cost 10
  interface Vlan400
  nameif vlan400
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  ospf cost 10
  interface Vlan450
  nameif Vlan450
  security-level 100
  ip address 192.168.210.1 255.255.255.0
  ospf cost 10
  interface Vlan460
  nameif Vlan460-SuldalHotell
  security-level 100
  ip address 192.168.2.1 255.255.255.0
  ospf cost 10
  interface Vlan461
  nameif Vlan461-SuldalHotellGjest
  security-level 100
  ip address 192.168.3.1 255.255.255.0
  ospf cost 10
  interface Vlan462
  nameif Vlan462-Suldalsposten
  security-level 100
  ip address 192.168.4.1 255.255.255.0
  ospf cost 10
  interface Vlan470
  nameif vlan470-Kyrkjekontoret
  security-level 100
  ip address 192.168.202.1 255.255.255.0
  ospf cost 10
  interface Vlan480
  nameif vlan480-Telefoni
  security-level 100
  ip address 192.168.20.1 255.255.255.0
  ospf cost 10
  interface Vlan490
  nameif Vlan490-QNapBackup
  security-level 100
  ip address 192.168.10.1 255.255.255.0
  ospf cost 10
  interface Vlan500
  nameif Vlan500-HellandBadlands
  security-level 100
  ip address 192.168.30.1 255.255.255.0
  ospf cost 10
  interface Vlan510
  nameif Vlan510-IsTak
  security-level 100
  ip address 192.168.40.1 255.255.255.0
  ospf cost 10
  interface Vlan600
  nameif Vlan600-SafeQ
  security-level 100
  ip address 192.168.50.1 255.255.255.0
  ospf cost 10
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 500
  switchport trunk allowed vlan 400,450,460-462,470,480,500,510,600,610
  switchport mode trunk
  interface Ethernet0/3
  switchport access vlan 490
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  passwd x encrypted
  ftp mode passive
  clock timezone WAT 1
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group service Lotus_Notes_Utgaaande tcp
  description Frim Notes og ut til alle
  port-object eq domain
  port-object eq ftp
  port-object eq www
  port-object eq https
  port-object eq lotusnotes
  port-object eq pop3
  port-object eq pptp
  port-object eq smtp
  object-group service Lotus_Notes_inn tcp
  description From alle og inn til Notes
  port-object eq www
  port-object eq lotusnotes
  port-object eq pop3
  port-object eq smtp
  object-group service Reisebyraa tcp-udp
  port-object range 3702 3702
  port-object range 5500 5500
  port-object range 9876 9876
  object-group service Remote_Desktop tcp-udp
  description Tilgang til Remote Desktop
  port-object range 3389 3389
  object-group service Sand_Servicenter_50000 tcp-udp
  description Program tilgang til Sand Servicenter AS
  port-object range 50000 50000
  object-group service VNC_Remote_Admin tcp
  description Frå oss til alle
  port-object range 5900 5900
  object-group service Printer_Accept tcp-udp
  port-object range 9100 9100
  port-object eq echo
  object-group icmp-type Echo_Ping
  icmp-object echo
  icmp-object echo-reply
  object-group service Print tcp
  port-object range 9100 9100
  object-group service FTP_NADA tcp
  description Suldalsposten NADA tilgang
  port-object eq ftp
  port-object eq ftp-data
  object-group service Telefonsentral tcp
  description Hoftun
  port-object eq ftp
  port-object eq ftp-data
  port-object eq www
  port-object eq https
  port-object eq telnet
  object-group service Printer_inn_800 tcp
  description Fra 800  nettet og inn til 400 port 7777
  port-object range 7777 7777
  object-group service Suldalsposten tcp
  description Sending av mail vha Mac Mail programmet - åpner smtp
  port-object eq pop3
  port-object eq smtp
  object-group service http2 tcp
  port-object range 81 81
  object-group service DMZ_FTP_PASSIVE tcp-udp
  port-object range 55536 56559
  object-group service DMZ_FTP tcp-udp
  port-object range 20 21
  object-group service DMZ_HTTPS tcp-udp
  port-object range 443 443
  object-group service DMZ_HTTP tcp-udp
  port-object range 8080 8080
  object-group service DNS_Query tcp
  port-object range domain domain
  object-group service DUETT_SQL_PORT tcp-udp
  description For kobling mellom andre nett og duett server
  port-object range 54659 54659
  access-list outside_access_in extended permit ip any any
  access-list outside_access_out extended permit ip any any
  access-list vlan400_access_in extended deny ip any host 149.20.56.34
  access-list vlan400_access_in extended deny ip any host 149.20.56.32
  access-list vlan400_access_in extended permit ip any any
  access-list Vlan450_access_in extended deny ip any host 149.20.56.34
  access-list Vlan450_access_in extended deny ip any host 149.20.56.32
  access-list Vlan450_access_in extended permit ip any any
  access-list Vlan460_access_in extended deny ip any host 149.20.56.34
  access-list Vlan460_access_in extended deny ip any host 149.20.56.32
  access-list Vlan460_access_in extended permit ip any any
  access-list vlan400_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_Utgaaande
  access-list vlan400_access_out extended permit tcp any host DomeneServer object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host TerminalServer object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host OvServer object-group http2
  access-list vlan400_access_out extended permit tcp any host NotesServer object-group Lotus_Notes_inn
  access-list vlan400_access_out extended permit tcp any host NotesServer object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host w8-eyeshare object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host w8-app object-group Remote_Desktop
  access-list vlan400_access_out extended permit tcp any host FonnaFlyMedia range 8400 8600
  access-list vlan400_access_out extended permit udp any host FonnaFlyMedia range 9000 9001
  access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host DomeneServer
  access-list vlan400_access_out extended permit tcp 192.168.4.0 255.255.255.0 host w8-app object-group DUETT_SQL_PORT
  access-list Vlan500_access_in extended deny ip any host 149.20.56.34
  access-list Vlan500_access_in extended deny ip any host 149.20.56.32
  access-list Vlan500_access_in extended permit ip any any
  access-list vlan470_access_in extended deny ip any host 149.20.56.34
  access-list vlan470_access_in extended deny ip any host 149.20.56.32
  access-list vlan470_access_in extended permit ip any any
  access-list Vlan490_access_in extended deny ip any host 149.20.56.34
  access-list Vlan490_access_in extended deny ip any host 149.20.56.32
  access-list Vlan490_access_in extended permit ip any any
  access-list Vlan450_access_out extended permit icmp any any object-group Echo_Ping
  access-list Vlan1_access_out extended permit ip any any
  access-list Vlan1_access_out extended permit tcp any host w8-print object-group Remote_Desktop
  access-list Vlan1_access_out extended deny ip any any
  access-list Vlan1_access_out extended permit icmp any any echo-reply
  access-list Vlan460_access_out extended permit icmp any any object-group Echo_Ping
  access-list Vlan490_access_out extended permit icmp any any object-group Echo_Ping
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_FTP_PASSIVE
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTPS
  access-list Vlan490_access_out extended permit tcp any host 192.168.10.10 object-group DMZ_HTTP
  access-list Vlan500_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan470_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan470_access_out extended permit tcp any host 192.168.202.10 object-group Remote_Desktop
  access-list Vlan510_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan480_access_out extended permit ip any any
  access-list Vlan510_access_in extended permit ip any any
  access-list Vlan600_access_in extended permit ip any any
  access-list Vlan600_access_out extended permit icmp any any
  access-list Vlan600_access_out extended permit tcp any host w8-print object-group Remote_Desktop
  access-list Vlan600_access_out extended permit tcp 192.168.1.0 255.255.255.0 host w8-print eq www
  access-list Vlan600_access_out extended permit tcp 192.168.202.0 255.255.255.0 host w8-print eq www
  access-list Vlan600_access_out extended permit tcp 192.168.210.0 255.255.255.0 host w8-print eq www
  access-list Vlan600_access_in_1 extended permit ip any any
  access-list Vlan461_access_in extended permit ip any any
  access-list Vlan461_access_out extended permit icmp any any object-group Echo_Ping
  access-list vlan400_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list outside_20_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list outside_20_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.77.0 255.255.255.0
  access-list Vlan462-Suldalsposten_access_in extended permit ip any any
  access-list Vlan462-Suldalsposten_access_out extended permit icmp any any echo-reply
  access-list Vlan462-Suldalsposten_access_out_1 extended permit icmp any any echo-reply
  access-list Vlan462-Suldalsposten_access_in_1 extended permit ip any any
  pager lines 24
  logging enable
  logging asdm informational
  mtu Vlan1 1500
  mtu outside 1500
  mtu vlan400 1500
  mtu Vlan450 1500
  mtu Vlan460-SuldalHotell 1500
  mtu Vlan461-SuldalHotellGjest 1500
  mtu vlan470-Kyrkjekontoret 1500
  mtu vlan480-Telefoni 1500
  mtu Vlan490-QNapBackup 1500
  mtu Vlan500-HellandBadlands 1500
  mtu Vlan510-IsTak 1500
  mtu Vlan600-SafeQ 1500
  mtu Vlan462-Suldalsposten 1500
  no failover
  monitor-interface Vlan1
  monitor-interface outside
  monitor-interface vlan400
  monitor-interface Vlan450
  monitor-interface Vlan460-SuldalHotell
  monitor-interface Vlan461-SuldalHotellGjest
  monitor-interface vlan470-Kyrkjekontoret
  monitor-interface vlan480-Telefoni
  monitor-interface Vlan490-QNapBackup
  monitor-interface Vlan500-HellandBadlands
  monitor-interface Vlan510-IsTak
  monitor-interface Vlan600-SafeQ
  monitor-interface Vlan462-Suldalsposten
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-522.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (vlan400) 0 access-list vlan400_nat0_outbound
  nat (vlan400) 1 0.0.0.0 0.0.0.0 dns
  nat (Vlan450) 1 0.0.0.0 0.0.0.0 dns
  nat (Vlan460-SuldalHotell) 1 0.0.0.0 0.0.0.0
  nat (Vlan461-SuldalHotellGjest) 1 0.0.0.0 0.0.0.0
  nat (vlan470-Kyrkjekontoret) 1 0.0.0.0 0.0.0.0
  nat (Vlan490-QNapBackup) 1 0.0.0.0 0.0.0.0 dns
  nat (Vlan500-HellandBadlands) 1 0.0.0.0 0.0.0.0
  nat (Vlan510-IsTak) 1 0.0.0.0 0.0.0.0
  nat (Vlan600-SafeQ) 1 0.0.0.0 0.0.0.0
  nat (Vlan462-Suldalsposten) 1 0.0.0.0 0.0.0.0
  static (vlan400,outside) 79.x.x.x DomeneServer netmask 255.255.255.255
  static (vlan470-Kyrkjekontoret,outside) 79.x.x.x 192.168.202.10 netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.x NotesServer netmask 255.255.255.255 dns
  static (vlan400,outside) 79.x.x.231 TerminalServer netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.234 OvServer netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.232 w8-eyeshare netmask 255.255.255.255
  static (Vlan490-QNapBackup,outside) 79.x.x.233 192.168.10.10 netmask 255.255.255.255 dns
  static (Vlan600-SafeQ,outside) 79.x.x.235 w8-print netmask 255.255.255.255
  static (vlan400,outside) 79.x.x.236 w8-app netmask 255.255.255.255
  static (Vlan450,vlan400) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
  static (Vlan500-HellandBadlands,vlan400) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
  static (vlan400,Vlan500-HellandBadlands) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (vlan400,Vlan450) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (vlan400,outside) 79.x.x.252 FonnaFlyMedia netmask 255.255.255.255
  static (Vlan462-Suldalsposten,vlan400) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
  static (vlan400,Vlan462-Suldalsposten) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (vlan400,Vlan600-SafeQ) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
  static (Vlan600-SafeQ,vlan400) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  static (Vlan600-SafeQ,Vlan450) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  static (Vlan600-SafeQ,vlan470-Kyrkjekontoret) 192.168.50.0 192.168.50.0 netmask 255.255.255.0
  static (Vlan450,Vlan600-SafeQ) 192.168.210.0 192.168.210.0 netmask 255.255.255.0
  static (vlan470-Kyrkjekontoret,Vlan600-SafeQ) 192.168.202.0 192.168.202.0 netmask 255.255.255.0
  access-group Vlan1_access_out out interface Vlan1
  access-group outside_access_in in interface outside
  access-group outside_access_out out interface outside
  access-group vlan400_access_in in interface vlan400
  access-group vlan400_access_out out interface vlan400
  access-group Vlan450_access_in in interface Vlan450
  access-group Vlan450_access_out out interface Vlan450
  access-group Vlan460_access_in in interface Vlan460-SuldalHotell
  access-group Vlan460_access_out out interface Vlan460-SuldalHotell
  access-group Vlan461_access_in in interface Vlan461-SuldalHotellGjest
  access-group Vlan461_access_out out interface Vlan461-SuldalHotellGjest
  access-group vlan470_access_in in interface vlan470-Kyrkjekontoret
  access-group vlan470_access_out out interface vlan470-Kyrkjekontoret
  access-group vlan480_access_out out interface vlan480-Telefoni
  access-group Vlan490_access_in in interface Vlan490-QNapBackup
  access-group Vlan490_access_out out interface Vlan490-QNapBackup
  access-group Vlan500_access_in in interface Vlan500-HellandBadlands
  access-group Vlan500_access_out out interface Vlan500-HellandBadlands
  access-group Vlan510_access_in in interface Vlan510-IsTak
  access-group Vlan510_access_out out interface Vlan510-IsTak
  access-group Vlan600_access_in_1 in interface Vlan600-SafeQ
  access-group Vlan600_access_out out interface Vlan600-SafeQ
  access-group Vlan462-Suldalsposten_access_in_1 in interface Vlan462-Suldalsposten
  access-group Vlan462-Suldalsposten_access_out_1 out interface Vlan462-Suldalsposten
  route outside 0.0.0.0 0.0.0.0 79.x.x.225 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  username x password x encrypted privilege 15
  aaa authentication ssh console LOCAL
  http server enable
  http 192.168.210.0 255.255.255.0 Vlan450
  http 192.168.200.0 255.255.255.0 Vlan1
  http 192.168.1.0 255.255.255.0 vlan400
  no snmp-server location
  no snmp-server contact
  snmp-server community public
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map outside_map 20 match address outside_20_cryptomap_1
  crypto map outside_map 20 set pfs
  crypto map outside_map 20 set peer 62.92.159.137
  crypto map outside_map 20 set transform-set ESP-3DES-SHA
  crypto map outside_map interface outside
  crypto isakmp enable outside
  crypto isakmp enable vlan400
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  tunnel-group 62.92.159.137 type ipsec-l2l
  tunnel-group 62.92.159.137 ipsec-attributes
  pre-shared-key *
  telnet 192.168.200.0 255.255.255.0 Vlan1
  telnet 192.168.1.0 255.255.255.0 vlan400
  telnet timeout 5
  ssh 171.68.225.216 255.255.255.255 outside
  ssh timeout 5
  console timeout 0
  dhcpd update dns both
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan1
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface outside
  dhcpd address 192.168.1.100-192.168.1.225 vlan400
  dhcpd option 6 ip DomeneServer 81.167.36.11 interface vlan400
  dhcpd option 3 ip 192.168.1.1 interface vlan400
  dhcpd enable vlan400
  dhcpd address 192.168.210.100-192.168.210.200 Vlan450
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan450
  dhcpd option 3 ip 192.168.210.1 interface Vlan450
  dhcpd enable Vlan450
  dhcpd address 192.168.2.100-192.168.2.150 Vlan460-SuldalHotell
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan460-SuldalHotell
  dhcpd option 3 ip 192.168.2.1 interface Vlan460-SuldalHotell
  dhcpd enable Vlan460-SuldalHotell
  dhcpd address 192.168.3.100-192.168.3.200 Vlan461-SuldalHotellGjest
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan461-SuldalHotellGjest
  dhcpd option 3 ip 192.168.3.1 interface Vlan461-SuldalHotellGjest
  dhcpd enable Vlan461-SuldalHotellGjest
  dhcpd address 192.168.202.100-192.168.202.199 vlan470-Kyrkjekontoret
  dhcpd option 3 ip 192.168.202.1 interface vlan470-Kyrkjekontoret
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan470-Kyrkjekontoret
  dhcpd enable vlan470-Kyrkjekontoret
  dhcpd option 3 ip 192.168.20.1 interface vlan480-Telefoni
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface vlan480-Telefoni
  dhcpd address 192.168.10.80-192.168.10.90 Vlan490-QNapBackup
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan490-QNapBackup
  dhcpd option 3 ip 192.168.10.1 interface Vlan490-QNapBackup
  dhcpd address 192.168.30.100-192.168.30.199 Vlan500-HellandBadlands
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan500-HellandBadlands
  dhcpd option 3 ip 192.168.30.1 interface Vlan500-HellandBadlands
  dhcpd enable Vlan500-HellandBadlands
  dhcpd address 192.168.40.100-192.168.40.150 Vlan510-IsTak
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan510-IsTak
  dhcpd option 3 ip 192.168.40.1 interface Vlan510-IsTak
  dhcpd enable Vlan510-IsTak
  dhcpd address 192.168.50.150-192.168.50.199 Vlan600-SafeQ
  dhcpd option 6 ip 81.167.36.3 81.167.36.11 interface Vlan600-SafeQ
  dhcpd enable Vlan600-SafeQ
  dhcpd address 192.168.4.100-192.168.4.150 Vlan462-Suldalsposten
  dhcpd option 6 ip DomeneServer 81.167.36.11 interface Vlan462-Suldalsposten
  dhcpd option 3 ip 192.168.4.1 interface Vlan462-Suldalsposten
  dhcpd enable Vlan462-Suldalsposten
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  prompt hostname context
  Cryptochecksum:x
  : end

  I was just wondering if this is the way to do the "connection" between vlans.. or should it be routed?
  The traffic between the vlan is working as intended. There are not much traffice only some RDP connection and some printing jobs.
  But i'm getting some of these errors: (not alle like this, but portmap translation creation failed)
  305006    192.168.10.200 portmap translation creation failed for udp src Vlan460-SuldalHotell:192.168.2.112/59133 dst Vlan490-QNapBackup:192.168.10.200/161
  I did the sh interface commends:
  Result of the command: "sh interface"
  Interface Vlan1 "Vlan1", is down, line protocol is down
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.200.100, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan1":
      0 packets input, 0 bytes
      0 packets output, 0 bytes
      0 packets dropped
        1 minute input rate 0 pkts/sec,  0 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  0 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan2 "outside", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 79.x.x.226, subnet mask 255.255.255.224
    Traffic Statistics for "outside":
      1780706730 packets input, 1221625431570 bytes
      1878320718 packets output, 1743030863134 bytes
      5742216 packets dropped
        1 minute input rate 558 pkts/sec,  217568 bytes/sec
        1 minute output rate 803 pkts/sec,  879715 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 621 pkts/sec,  482284 bytes/sec
        5 minute output rate 599 pkts/sec,  428957 bytes/sec
        5 minute drop rate, 1 pkts/sec
  Interface Vlan400 "vlan400", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.1.1, subnet mask 255.255.255.0
    Traffic Statistics for "vlan400":
      1093422654 packets input, 1191121436317 bytes
      784209789 packets output, 374041914789 bytes
      11465163 packets dropped
        1 minute input rate 751 pkts/sec,  870445 bytes/sec
        1 minute output rate 462 pkts/sec,  116541 bytes/sec
        1 minute drop rate, 11 pkts/sec
        5 minute input rate 474 pkts/sec,  415304 bytes/sec
        5 minute output rate 379 pkts/sec,  197861 bytes/sec
        5 minute drop rate, 7 pkts/sec
  Interface Vlan450 "Vlan450", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.210.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan450":
      139711812 packets input, 27519985266 bytes
      202793062 packets output, 233679075458 bytes
      12523100 packets dropped
        1 minute input rate 68 pkts/sec,  9050 bytes/sec
        1 minute output rate 83 pkts/sec,  88025 bytes/sec
        1 minute drop rate, 6 pkts/sec
        5 minute input rate 145 pkts/sec,  15068 bytes/sec
        5 minute output rate 241 pkts/sec,  287093 bytes/sec
        5 minute drop rate, 6 pkts/sec
  Interface Vlan460 "Vlan460-SuldalHotell", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.2.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan460-SuldalHotell":
      177971988 packets input, 161663208458 bytes
      193137004 packets output, 137418896469 bytes
      4003957 packets dropped
        1 minute input rate 13 pkts/sec,  2295 bytes/sec
        1 minute output rate 14 pkts/sec,  15317 bytes/sec
        1 minute drop rate, 2 pkts/sec
        5 minute input rate 4 pkts/sec,  794 bytes/sec
        5 minute output rate 1 pkts/sec,  477 bytes/sec
        5 minute drop rate, 2 pkts/sec
  Interface Vlan461 "Vlan461-SuldalHotellGjest", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.3.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan461-SuldalHotellGjest":
      332909692 packets input, 351853184942 bytes
      312038518 packets output, 156669956740 bytes
      583171 packets dropped
        1 minute input rate 0 pkts/sec,  6 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  6 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan462 "Vlan462-Suldalsposten", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.4.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan462-Suldalsposten":
      33905 packets input, 14303320 bytes
      28285 packets output, 27536357 bytes
      10199 packets dropped
        1 minute input rate 0 pkts/sec,  6 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  6 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan470 "vlan470-Kyrkjekontoret", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.202.1, subnet mask 255.255.255.0
    Traffic Statistics for "vlan470-Kyrkjekontoret":
      12176257 packets input, 4305665570 bytes
      10618750 packets output, 5982598969 bytes
      974796 packets dropped
        1 minute input rate 2 pkts/sec,  770 bytes/sec
        1 minute output rate 1 pkts/sec,  861 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 2 pkts/sec,  708 bytes/sec
        5 minute output rate 1 pkts/sec,  980 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan480 "vlan480-Telefoni", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.20.1, subnet mask 255.255.255.0
    Traffic Statistics for "vlan480-Telefoni":
      246638 packets input, 43543149 bytes
      10 packets output, 536 bytes
      226674 packets dropped
        1 minute input rate 0 pkts/sec,  126 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  56 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan490 "Vlan490-QNapBackup", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.10.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan490-QNapBackup":
      137317833 packets input, 6066713912 bytes
      223933623 packets output, 263191563744 bytes
      531738 packets dropped
        1 minute input rate 0 pkts/sec,  135 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  68 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan500 "Vlan500-HellandBadlands", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.30.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan500-HellandBadlands":
      30816778 packets input, 4887486069 bytes
      42403099 packets output, 47831750415 bytes
      948717 packets dropped
        1 minute input rate 3 pkts/sec,  707 bytes/sec
        1 minute output rate 3 pkts/sec,  3459 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  23 bytes/sec
        5 minute output rate 0 pkts/sec,  31 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan510 "Vlan510-IsTak", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.40.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan510-IsTak":
      1253148 packets input, 245364736 bytes
      1225385 packets output, 525528101 bytes
      161567 packets dropped
        1 minute input rate 0 pkts/sec,  6 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  6 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Vlan600 "Vlan600-SafeQ", is up, line protocol is up
    Hardware is EtherSVI
      MAC address 001d.453a.ea0e, MTU 1500
      IP address 192.168.50.1, subnet mask 255.255.255.0
    Traffic Statistics for "Vlan600-SafeQ":
      1875377 packets input, 1267279709 bytes
      1056139 packets output, 290728055 bytes
      521943 packets dropped
        1 minute input rate 0 pkts/sec,  165 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  178 bytes/sec
        5 minute output rate 0 pkts/sec,  9 bytes/sec
        5 minute drop rate, 0 pkts/sec
  Interface Ethernet0/0 "", is up, line protocol is up
    Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.453a.ea06, MTU not set
      IP address unassigned
      1782670655 packets input, 1256666911856 bytes, 0 no buffer
      Received 95709 broadcasts, 0 runts, 0 giants
      1978 input errors, 1978 CRC, 0 frame, 0 overrun, 1978 ignored, 0 abort
      0 L2 decode drops
      17179928790 switch ingress policy drops
      1878320261 packets output, 1778955488577 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
  Interface Ethernet0/2 "", is up, line protocol is up
    Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.453a.ea08, MTU not set
      IP address unassigned
      1790819459 packets input, 1783854920873 bytes, 0 no buffer
      Received 27571913 broadcasts, 0 runts, 0 giants
      614 input errors, 614 CRC, 0 frame, 0 overrun, 614 ignored, 0 abort
      0 L2 decode drops
      19768 switch ingress policy drops
      1547507675 packets output, 991527977853 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops
  Interface Ethernet0/3 "", is up, line protocol is up
    Hardware is 88E6095, BW 100 Mbps
      Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
      Available but not configured via nameif
      MAC address 001d.453a.ea09, MTU not set
      IP address unassigned
      137318166 packets input, 9176625008 bytes, 0 no buffer
      Received 290030 broadcasts, 0 runts, 0 giants
      0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
      0 L2 decode drops
      335 switch ingress policy drops
      223933623 packets output, 267222625073 bytes, 0 underruns
      0 output errors, 0 collisions, 0 interface resets
      0 babbles, 0 late collisions, 0 deferred
      0 lost carrier, 0 no carrier
      0 rate limit drops
      0 switch egress policy drops

• SQL Questions (New to Cisco)

  Hello. I work for Clarian Health in Indianapolis and am trying to learn as much as possible about the SQL databases, both AWDB and HDS so that I can handle the reporting for our Revenue Cycle Customer Service.
  I am currently working my way through the Database Schema Handbook for Cisco Unified ICM /Contact Center Enterprise & Hosted. I’m also reviewing the explanation pages that are available for the reports on WebView. During my reviews, I have noticed a few things that confuse me.
  My questions are:
  1. Why do a majority of the tables on our SQL Server start with “t_”?
  2. Why do some of the tables have data on the AWDB server but not on the HDS server, and vice versa? (Examples: t_Agent and t_Agent_Team and t_Agent_Team_Member and t_Person are blank on the HDS database but not blank on the AWDB database; but the t_Agent_Logout is blank on the AWDB database and not blank on the HDS database)
  3. When data is moved to the HDS server every 30 minutes, is it also removed from the corresponding AWDB table?
  4. In review of the agent26: Agent Consolidated Daily Report syntax info located on the WebView, 1 of the calculations uses the LoggedOnTimeToHalf from the Agent_Half_Hour table while the remaining calculations uses the same field from the Agent_Skill_Group_Half_Hour table. Can you please tell me why this is? Why would all of the percent calculations not use the data from the same table? (The % of time Agent paused and/or put a task on hold uses the Agent_Half_Hour Table. All other % calculations uses the same field from the Agent_Skill_Group_Half_Hour Table.)
  5. Also in reviewing the agent26: Agent Consolidated Daily Report syntax info, I noticed that it contains the Skill_Group table, the Agent_Half_Hour table and the Media_Routing_Domain table. Both the Skill Group table and the Agen_Half_Hour table contain links to the Media_Routing_Domain table. Which relationship/join is actually utilized for this report?
  6. Why doesn't the LoggedOnTimeToHalf field on both the Agent_Half_Hour table and the Agent_Skill_Group_Half_Hour table have the same value in them?
  7. On the agent_26: Agent Consolidated Daily Report syntax explanation page, the Agent State Times: Log on Duration says that it is derived using the Agent_Half_Hour.LoggedOnTimeToHalf field, but when i convert this field to HH:MM:SS, it does not match the actual WebView report. But, when I use the Agent_Skill_Group_Half_Hour.LoggedOnTimeToHalfHour, it does match. Which one is correct?
  8. On the agent_26: Agent Consolidated Daily Report, why does the Completed Tasks: Transfer Out contain both the TransferredOutCallsToHalf and the NetTransferredOutCallsToHalf fields? What's the difference between the two? What Transfer out data writes to each field?
  Thank you.
  Angie Combest
  Clarian Health
  [email protected]

  You need to be careful when looking at the three databases - Logger, AW, HDS - which use the same schema. But many of what appear to be tables in the AW are really views into the t_ tables in the HDS - the data is not there in the AW DB. You are right to look at the schema - but check with SQL Enterprise to understand a bit more.
  In essence, the AW DB is for configuration data and real-time data. The HDS is for historical data. You can query the AW DB for (say) Call_Type_Half_Hour data and join with the Call_Type table to resolve the call type ID into its name - but the data is really in the HDS through the view.
  The DB design is quite complex and sophisticated - many things are not obvious.
  Keep up your research.
  Regards,
  Geoff

• New C40 cisco codec

  Hi,
  I'm working for Industry Canada and we just received a new video conference system.  It is connected to a DSL line.  The video conferencing work perfect when we dial out.  But I have a issue when a external person try to dial me in, it can't connect.  I think there is a problem with local IP (modem) and dedicated IP (public IP).  I try to config. the modem but still experiencing problem with receiving calls.  
  Anybody can help?          
  Thank you    

  For incoming call to Endpoint behind the FW/Router, you need to configure 1:1 NAT or port forwarding.
  If firewall/router is H.323 awareness and support ALG, then you won’t need configure each port but most of home router will require manual port forwarding configuration.
  For H.323 connection with C-series Endpoint, following ports will be use
  Gatekeeper Discovery (RAS) – Port 1719 – UDP (not necessary for this case as not registering on GK).
  Q.931 call Setup – Port 1720 – TCP
  H.245 – Port Range 5555-6555– TCP
  Video – Port Range 2326-2485 – UDP
  Audio – Port Range 2326-2485 – UDP
  Data/FECC – Port Range – 2326-2485 – UDP
  Please note H.245 ports range is from 5555 to 6555 while port allocation configured as "Static".
  If port allocation configured as "Dynamic", then port range is from 11000 to 20999.
  If you modify port configuration (Static/Dynamic), codec must restart to affect configuration change.
  Default RTP/RTCP port range for media is 2326 to 2485.
  However this is configurable by "RTP Ports Range Start" and "RTP Ports Range Stop".

• New to Cisco Lobby Ambassador

  I want to be able to tie the registering users into the visitor registration section of a segregated guest network. I want to have a link that would appear in the front end after you register a visitor which would direct you to this program which is the lobby ambassador. Any non guest user could be able to register a guest and be provided a temp logon for the guest for a period of time.
  Anyone has an idea of how I can achieve this using a Cisco lobby ambassador

  You should be able to expand it to something bigger.  On the controller go to Security, AAA, General.  Increase this number, it will require a reboot.  I'm not sure the maximum you can increase it to (could be controller dependent).

• New installation - Cisco Prime from OVA on VMWare

  Hi,
  I have just imported Cisco Prime OVA and followed the setup and entered the IP Address, hostname, DNS, Gateway etc etc... When I attempt to enter via the URL https://CicsoPrime01 it doesn't accept the connection. I'm able to ping to the CiscoPrime machine, but can't get in.
  I searched and saw some troubleshooting steps such as ncs status, ncs start....
  Result:
  /opt/CSO01umos/bin/wcsadmin.sh no such file or directory....
  Any help?
  Thanks,

  if an ncs status returns :::: /opt/CSO01umos/bin/wcsadmin.sh no such file or directory...::::
  I would bet your installation is no good.
  Please redeploy the OVA

• Management VLAN -- New to Cisco

  I've been working on configuring VLANs for my network and I came across something that confuses me. Under practical tips in this docuemnt http://www.cisco.com/warp/public/473/189.html#tips it states:
  Separate the management VLAN from the user or server VLAN, as in this diagram. The management VLAN is different from the user or server VLAN. With this separation, any broadcast/packet storm that occurs in the user or server VLAN does not affect the management of switches.
  Do not use VLAN 1 for management. All ports in Catalyst switches default to VLAN 1, and any devices that connect to nonconfigured ports are in VLAN 1. The use of VLAN 1 for management can cause potential issues for the management of switches, as the first tip explains.
  I understand the concept, and i've made my managment VLAN 10. However, when I connect a computer to the switch it doesn't default to VLAN1 it defaults to VLAN10 which puts the computer by default in the management VLAN.
  What's the point of creating a different VLAN ID for management if the workstations are going to default to it anyhow? I understand once I configure the ports it will take them out of the management VLAN, I'm just wondering why I couldn't use VLAN1 as the management domain.
  Regards,
  David

  To support an inband management VLAN, you'll have to configure trunking (802.1Q) between switch uplinks allowing your management vlan (VLAN 10) traffic to traverse the trunk in addition to the user vlan (lets say vlan 20). To trunk, you must utilize a unique VLANs per subnet. I like to force trunking (switchport encap dot1q, switchport mode trunk, switchport nonnegotiate) so as not to utilize DTP (dynamic trunking protocol).
  For user access, you need to configure the vlan on the switch and enable switchport mode access along with switchport access vlan 20 (user vlan).
  Keep in mind, inband management works well for user access; however, for data center server access trunking is not recommended.
  With all that said, you still may have to use VLAN 1 in certain scenarios. For instance, an IBM Blade center management module required the use of vlan 1 to manage the blade center.

• Cisco Identity Services Engine (ISE) Version 1.2: What's New in Features and Troubleshooting Options

  With Ali Mohammed
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about what’s new in Cisco Identity Services Engine (ISE) Version 1.2 and to understand the new features and enhanced troubleshooting options with Cisco expert Ali Mohammed.
  Cisco ISE can be deployed as an appliance or virtual machine to enforce security policy on all devices that attempt to gain access to network infrastructure. ISE 1.2 provides feature enrichment in terms of mobile device management, BYOD enhancements, and so on. It also performs noise suppression in log collection so customers have greater ability to store and analyze logs for a longer period.
  Ali Mohammed is an escalation engineer with the Security Access and Mobility Product Group (SAMPG), providing support to all Cisco NAC and Cisco ISE installed base. Ali works on complicated recreations of customer issues and helps customers in resolving configuration, deployment, setup, and integration issues involving Cisco NAC and Cisco ISE products. Ali works on enhancing tools available in ISE/NAC that are required to help troubleshoot the product setup in customer environments. Ali has six and a half years of experience at Cisco and is CCIE certified in security (number 24130).
  Remember to use the rating system to let Ali know if you have received an adequate response.
  Because of the volume expected during this event, Ali might not be able to answer each question. Remember that you can continue the conversation on the Security community, sub-community shortly after the event. This event lasts through September 6, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

  Hi Ali,
  We currently have a two-node deployment running 1.1.3.124, as depicted in diagram:
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_010.html#ID89
  Question 1:
  After step 1 is done, node B becomes the new primary node.
  What's the license impact at that stage, when the license is mainly tied to node A, the previous primary PAN?
  Step 3 says to obtain a new license that's tied to both node A & node B, as if it's implying an issue would arise, if we leave node B as the primary PAN, instead of reverting back to node A.
  =========
  Question 2:
  When step 1 is completed, node B runs 1.2, while node A runs 1.1.3.124.
  Do both nodes still function as PSN nodes, and can service end users at that point? (before we proceed to step 2)
  Both nodes are behind our ACE load balancer, and I'm trying to confirm the behavior during the upgrade, to determine when to take each node out of the load balancing serverfarm, to keep the service up and avoid an outage.
  ===========
  Question 3:
  According to the upgrade guide, we're supposed to perform a config backup from PAN & MnT nodes.
  Is the config backup used only when we need to rollback from 1.2 to 1.1.3, or can it be used to restore config on 1.2?
  It also says to record customizations & alert settings because after  the upgrade to 1.2, these settings would change, and we would need to  re-configure them.
  Is this correct? That's a lot of screen shots we'll need to take; is there any way to avoid this?
  It says: "
  Disable services such as Guest, Profiler, Device Onboarding, and so on before upgrade and enable them after upgrade. Otherwise, you must add the guest users who are lost, and devices must be profiled and onboarded again."
  Exactly how do you disable services? Disable all the authorization policies?
  http://www.cisco.com/en/US/docs/security/ise/1.2/upgrade_guide/b_ise_upgrade_guide_chapter_01.html#reference_4EFE5E15B9854A648C9EF18D492B9105
  ==================
  Question 4:
  The 1.1 user guide says the maximum number of nodes in a node group was 4.
  The 1.2 guide now says the maximum is 10.
  Is there a hard limit on how many nodes can be in a node group?
  We currently don't use node group, due to the lack of multicast support on the ACE-20.
  Is it a big deal not to have one?
  http://www.cisco.com/en/US/customer/docs/security/ise/1.2/user_guide/ise_dis_deploy.html#wp1230118
  thanks,
  Kevin

• How to do it in CISCO

  I have the following setup:
  Private network <-> SW <-> CISCO VPN <-> ISP MODEM
  I have configured VPN part and is working correctly. I have a computer in the private network at static address 192.168.1.100  and an application is running on it on 8100 tcp port for clients.
  Now I need to connect from the Internet to the application on 192.168.1.100 on port 8100.
  How to configure CISCO router to forward traffic coming in tcp port 8100 to machine 192.168.1.100??
  ISP Modem is going to handover all the traffic to CISCO device.
  Thank You

  Hi Karthik,
  I need this to work so that
  outside users should be able to access 192.168.1.100:8100 using http://PublicIP:8100 without using VPN at all
  And VPN users should be able to access using http://192.168.1.100:8100
  I am new to CISCO and committed to setup this for a customer. I got the VPN configured correctly by reading help. If I can do this last configuration, I am saved.
  Thank you for your time
  My Router Configuration Follows
  sh run
  Building configuration...
  Current configuration : 5416 bytes
  ! Last configuration change at 17:58:55 CSTime Mon Aug 20 2012 by csi
  ! NVRAM config last updated at 17:58:24 CSTime Mon Aug 20 2012 by csi
  version 15.0
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  service password-encryption
  hostname Router
  boot-start-marker
  boot-end-marker
  logging buffered 51200 warnings
  enable secret 5 $1$KJWP$wujENW/75bJnnoUxGXYJE0
  aaa new-model
  aaa authentication login default local
  aaa authentication login vpn_xauth_ml_1 local
  aaa authentication login sslvpn local
  aaa authorization network vpn_group_ml_1 local
  aaa session-id common
  memory-size iomem 10
  clock timezone CSTime -6
  clock summer-time CSTime date Mar 11 2012 2:00 Nov 4 2012 2:00
  crypto pki trustpoint TP-self-signed-986700165
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-986700165
  revocation-check none
  rsakeypair TP-self-signed-986700165
  crypto pki certificate chain TP-self-signed-986700165
  certificate self-signed 01
    3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 39383637 30303136 35301E17 0D313230 38313631 38353134
    375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3938 36373030
    31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    A4AD22DF ECCB9372 C3E88024 318D7181 C2BE73E1 DB6F0B70 4A2781FF A0AB108D
    FEDD1EE5 C9C761A6 A9738299 684F25AC FC56F107 4FD43297 4D0D248B C431D0E2
    1A53D9B3 B0BCF9CF 7DF157FD 517594D0 B05FCD98 681D5A66 B48265FE BF353F47
    84FDA0C5 1A46E55D 40429810 B0A0D3A8 153FAD0A 78538AE0 657467FD FD44E6ED
    02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
    11041B30 19821750 69636179 756E652E 796F7572 646F6D61 696E2E63 6F6D301F
    0603551D 23041830 16801491 5CACBE40 0996DFCE 1B9C67C3 9316041C 40FB8130
    1D060355 1D0E0416 0414915C ACBE4009 96DFCE1B 9C67C393 16041C40 FB81300D
    06092A86 4886F70D 01010405 00038181 003F26CD 9FA486C5 F71250F6 FC7E44F8
    CC1C15AC 1364CCA1 2E23CACA D123F78B F4B933EB 73648D75 A2C0B17A 28FAAC18
    7CAAB60E 9E5A49C3 50217868 BEFA30F5 6F36A04B BE41FE65 7C684DB9 10320AA1
    77D0BBC4 7216C6F6 20564AE2 8F46A06B 85AED401 9DB59ABF 6B360531 153BA6E1
    ECBF1F55 D4AF489A 70276D39 D13AF574 C5
          quit
  ip source-route
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.1.1 192.168.1.25
  ip dhcp excluded-address 192.168.1.100
  ip dhcp excluded-address 192.168.1.222
  ip dhcp excluded-address 192.168.1.254
  ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 0 2
  ip dhcp pool Internal_Network
     network 192.168.1.0 255.255.255.0
     default-router 192.168.1.254
     dns-server 192.168.100.1
  ip cef
  ip domain name yourdomain.com
  ip name-server 192.168.100.1
  no ipv6 cef
  license udi pid CISCO881-K9 sn FTX1604828M
  username csi privilege 15 secret 5 $1$G4wK$PRgc9k9omH9X8s1u37lkh1
  username RemoteUser secret 5 $1$EWRQ$vPW7kG3jNhqwHTiL8IsBx0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp policy 2
  encr 3des
  hash md5
  authentication pre-share
  group 2
  crypto isakmp client configuration group RemoteAccessSupport
  key Router_WWTP
  pool VPN-Pool
  acl VPN-Access-List
  crypto isakmp profile vpn-isakmp-profile-1
     match identity group RemoteAccessSupport
     client authentication list vpn_xauth_ml_1
     isakmp authorization list vpn_group_ml_1
     client configuration address respond
     virtual-template 2
  crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
  crypto ipsec profile VPN-Profile-1
  set transform-set encrypt-method-1
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface FastEthernet4
  ip address 192.168.100.3 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface Virtual-Template2 type tunnel
  ip unnumbered FastEthernet0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile VPN-Profile-1
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 192.168.1.254 255.255.255.0
  no ip redirects
  no ip unreachables
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  ip local pool VPN-Pool 192.168.1.101 192.168.1.150
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source list 100 interface FastEthernet4 overload
  ip route 0.0.0.0 0.0.0.0 192.168.100.1
  ip access-list extended VPN-Access-List
  permit ip 192.168.1.0 0.0.0.255 any
  access-list 23 permit 10.10.10.0 0.0.0.7
  access-list 23 permit 192.168.1.0 0.0.0.255
  access-list 100 remark Used for Internet access to Internal N/W
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  no cdp run
  control-plane
  banner motd ^C----------  Router VPN Router ----------^C
  line con 0
  exec-timeout 30 0
  logging synchronous
  no modem enable
  line aux 0
  line vty 0 4
  access-class 23 in
  privilege level 15
  password 7 124A50424A5E5550
  transport input telnet ssh
  scheduler max-task-time 5000
  end

• New Dial plan & Voice policies not taking effect with Polycom CX 600 Desktop Phone in production deployment, Worked fine in Testing

  Hi,
  We are in the process of Migrating Cisco CUCM & Voice Gateway (From another vendor to Cisco).
  The requirement is all internal calls between Cisco IP Phones & Lync to be flown through CUCM. Means internal extension to extension. Remaining all calls like Mobile, National, International, Toll Free, Emergency, Shared numbers calling to be routed
  to Cisco Voice Gateway.
  We created the test dial plan, Voice policies, Route and assigned it to couple of user from Lync (2 extensions) and from Cisco side we have taken 2 IP Phones which is pointed to new CUCM. We tested all below scenarios,everything was working fine.
  Lync to Lync Call using internal Extension number – Routed through Cisco new CUCM
  Lync to Cisco Call using internal Extension number – Routed through Cisco new CUCM
  Cisco to Lync Call using internal Extension number – Routed through Cisco new CUCM
  Lync to Hotline Numbers (66XX, 68XX Numbers) – Routed through Cisco Gateway
  Lync to Shared Numbers starting with 600 (Verified the number 600535353) - Routed through Cisco Gateway
  Lync to Emergency numbers & Toll Free Numbers (Not verified the emergency Number as we decided to do it at end) - Routed through Cisco Gateway
  Lync to Landline Numbers – Any 7 digit numbers - Routed through Cisco Gateway
  Lync to National Numbers – Starting with 3,4,6,7,8 followed by 7 digits - Routed through Cisco Gateway
  Lync to Mobile Phones – Starting with 05 contains exactly 10 digits - Routed through Cisco Gateway
  Lync to International Numbers – Starting 00 contains at least 11 digits - Routed through Cisco Gateway
  All Incoming calls – From Landline, Mobiles, International Numbers - Routed through Cisco Gateway
  Call Transfer – To another Lync Extension, Cisco Extension, Landline, Mobiles, International Number
  Conference – with another Lync Extension, Cisco Extension, Landline, Mobiles, International Number
  Call Forwarding – To another Number, Voice mail
  Response Groups
  Click to call – As if user try to place a call by directly click the number from Outlook, Websites will be in E.164 format
  Dial in meeting – Conference calls are works fine
  But when we roll out to the production we are facing issues listed below
  1) The phones we used during testing are working which is using same dial plan, Voice policy, Route, PSTN Usage. But from production most of the phones are not working (using the same dial plan, voice policy, Route). Also Problem is only with external calls
  as the internal calls are working fine between Cisco & Lync even in production (Routed through CUCM) NOTE: All incoming calls are working fine (From international, local, national, extension)
  2) How long its going to take for Lync to push the new voice policies, Dial plans to the Phones?
  3) Is there a way to forcefully update the policies, dial plans to the Phone?
  4) Also the environment is using over 100 dial plans, so I just copied and pasted the Normalization rules that we tested and working fine.  Most of the dial plans are assigned to individual users as every dial plan contains a normalization rule for
  international calling with Unique Prefix (Example: User John international Normalization rules says #1234#00#CountrycodePhonenumber, means if John has to place the international call he need to dial #1234# followed by 00 and then country code, then actual
  phone number). In this case how long its take for the users / phones to get updated with new dial plans? 
  6) Is it recommended to use multiple dial plans ? What are the best practices?
  5) Also calls are working fine one & failing on subsequent tries. Means when I dial first 1 or 2 times. Call fails, but when I try 3rd time and subsequently it works. After some again there will be failure during 1 or 2 attempts. Why is it so?
  6) After updating the dial policies, voice Route, Voice policies If i reboot all the phones from Switch, Will the changes take effect immediately?
  7) Also when some one calling from mobile or external number to Lync extensions they cant here any Dial tones or caller tunes? Its working fine when they call Cisco Extensions. Also to Lync its working if we dial in E.164 Format, if we dial like 023XXXXX
  format its not working. Any guess about this issue?
  Waiting for some one to help, 
  Best regards
  Krishna
  Thanks & Regards Krishnakumar B

  Hi,
  1.  As all incoming call worked normally, please double check outgoing ports for Lync FE Server and Mediation Server.
  You can refer to the link of “Ports and protocols for internal servers in Lync Server 2013” below:
  http://technet.microsoft.com/en-us/library/gg398833.aspx
  2.  When an administrator makes a change to Lync Server (for example, when an administrator creates a new voice policy or changes the Address Book server configuration settings) that change is recorded in the Central Management store.
  In turn, the change must then be replicated to all the computers running Lync Server services or server roles.
  So it may not replication completely immediately.
  3.  You can run the following cmdlet with Lync Server Management Shell on FE server to
  forcibly replicate information to a computer: Invoke-CsManagementStoreReplication
  4.  As you used over 100 dial plans, it may be the issue of multiple dial plans. Would you please tell us why you created different dial plan for individual user with unique prefix?
  5.  Multiple dial plans and undue normalization rules may cause call fail. You can double check the normalization rule.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• I am loosing configuration when I power off my Cisco 857 router

  I bought new Cisco 857 router from the shop. Router must have been used before as I couln't go in with default username/password cisco/cisco.
  Well I followed instruciton and reset password to username and password. Now I finally connected to the Cisco CP express over my IE browser.
  I found out that somebody was using a router from the shop so this is why I coun't log to it in the first place. Anyway problem is that when I changed configuration and applied settings it remembers it until I power it off. When I power it on again it remembers all settings from that shop.
  It reverts everything back: IP address, previous level 15 account and password - everything like after password reset.
  I tried it again and it again lost settings. So I found following instruction:
  http://www.cisco.com/en/US/products/hw/routers/ps233/products_tech_note09186a00800a65a5.shtml
  I followed it and changed again all settings on the router. My settings are again lost after power off/on. I noticed that when I do first bit it does show
  0x2102 not 0x2142 like they think that is password reset mode.
  Here is my output from Hyper Terminal:
  =============================
  Cisco#enableCisco#show startUsing 3359 out of 131072 bytes!version 12.4no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Cisco!boot-start-markerboot-end-marker!logging buffered 51200 warningsenable secret 5 $1$hpKF$Rc1tl6r45J8iHG7EN5jSk.!no aaa new-model!crypto pki trustpoint TP-self-signed-3185909327 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3185909327 revocation-check none rsakeypair TP-self-signed-3185909327!!crypto pki certificate chain TP-self-signed-3185909327 certificate self-signed 01 nvram:IOS-Self-Sig#5.cerdot11 syslogno ip dhcp use vrf connectedip dhcp excluded-address 10.10.10.1!ip dhcp pool ccp-pool   import all   network 10.10.10.0 255.255.255.248   default-router 10.10.10.1   lease 0 2!!ip cefno ip domain lookupip domain name molinary.com!!!username admin privilege 15 secret 5 $1$jD3j$r6ROikgGsIlcMTGjkxFQ6.username username privilege 15 password 0 password!!archive log config  hidekeys!!!!!interface ATM0 no ip address shutdown no atm ilmi-keepalive dsl operating-mode auto!interface ATM0.1 point-to-point description $ES_WAN$ ip nat outside ip virtual-reassembly pvc 0/38  encapsulation aal5mux ppp dialer  dialer pool-member 1 !!interface FastEthernet0!interface FastEthernet1!interface FastEthernet2!interface FastEthernet3!interface Vlan1 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$ ip address 10.10.10.1 255.255.255.248 ip nat inside ip virtual-reassembly ip tcp adjust-mss 1452!interface Dialer0 ip address dhcp encapsulation ppp dialer pool 1 dialer-group 1 no cdp enable ppp authentication chap pap callin ppp chap hostname [email protected] ppp chap password 0 netgear01 ppp pap sent-username [email protected] password 0 netgear01!ip forward-protocol nd!ip http serverip http access-class 23ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000ip nat inside source list 1 interface ATM0.1 overload!access-list 1 remark INSIDE_IF=Vlan1access-list 1 remark CCP_ACL Category=2access-list 1 permit 10.10.10.0 0.0.0.7dialer-list 1 protocol ip permitno cdp run!control-plane!banner exec ^C% Password expiration warning.-----------------------------------------------------------------------Cisco Configuration Professional (Cisco CP) is installed on this deviceand it provides the default username "cisco" for  one-time use. If you havealready used the username "cisco" to login to the router and your IOS imagesupports the "one-time" user option, then this username has already expired.You will not be able to login to the router with this username after you exitthis session.It is strongly suggested that you create a new username with a privilege levelof 15 using the following command.username <myuser> privilege 15 secret 0 <mypassword>Replace <myuser> and <mypassword> with the username and password youwant to use.-----------------------------------------------------------------------^Cbanner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C!line con 0 login local no modem enableline aux 0line vty 0 4 privilege level 15 login local transport input telnet ssh!scheduler max-task-time 5000endCisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#Cisco#show versionCisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARECisco uptime is 20 minutesSystem returned to ROM by power-onSystem image file is "flash:c850-advsecurityk9-mz.124-15.T12.bin"This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)Configuration register is 0x2102Cisco#Cisco#Cisco#Cisco#endTranslating "end"% Unknown command or computer name, or unable to find computer addressCisco#reloadProceed with reload? [confirm]*Mar  1 01:19:27.786: %SYS-5-RELOAD: Reload requested  by username on console. Reload Reason: Reload Command.System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARETechnical Support: http://www.cisco.com/techsupportCopyright (c) 2006 by cisco Systems, Inc.C850 series (Board ID: 2-149) platform with 65536 Kbytes of main memoryBooting flash:/c850-advsecurityk9-mz.124-15.T12.binSelf decompressing the image : ############################################## [OK]              Restricted Rights LegendUse, duplication, or disclosure by the Government issubject to restrictions as set forth in subparagraph(c) of the Commercial Computer Software - RestrictedRights clause at FAR sec. 52.227-19 and subparagraph(c) (1) (ii) of the Rights in Technical Data and ComputerSoftware clause at DFARS sec. 252.227-7013.           cisco Systems, Inc.           170 West Tasman Drive           San Jose, California 95134-1706Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_teamImage text-base: 0x8002007C, data-base: 0x814E7240This product contains cryptographic features and is subject to UnitedStates and local country laws governing import, export, transfer anduse. Delivery of Cisco cryptographic products does not implythird-party authority to import, export, distribute or use encryption.Importers, exporters, distributors and users are responsible forcompliance with U.S. and local country laws. By using this product youagree to comply with applicable laws and regulations. If you are unableto comply with U.S. and local laws, return this product immediately.A summary of U.S. laws governing Cisco cryptographic products may be found at:http://www.cisco.com/wwl/export/crypto/tool/stqrg.htmlIf you require further assistance please contact us by sending email [email protected] 857 (MPC8272) processor (revision 0x400) with 59392K/6144K bytes of memory.Processor board ID FCZ140792J5MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x104 FastEthernet interfaces1 ATM interface128K bytes of non-volatile configuration memory.20480K bytes of processor board System flash (Intel Strataflash)no ip dhcp use vrf connected               ^% Invalid input detected at '^' marker.SETUP: new interface NVI0 placed in "shutdown" statePress RETURN to get started!*Mar  1 00:00:03.952: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized*Mar  1 00:00:03.960: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled*Mar  1 00:00:07.244: %LINK-3-UPDOWN: Interface FastEthernet0, changed state toup*Mar  1 00:00:08.413: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up*Mar  1 00:00:08.821: %SYS-5-CONFIG_I: Configured from memory by console*Mar  1 01:19:27.072: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up*Mar  1 01:19:27.352: %SYS-5-RESTART: System restarted --Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)Technical Support: http://www.cisco.com/techsupportCopyright (c) 1986-2010 by Cisco Systems, Inc.Compiled Fri 22-Jan-10 14:46 by prod_rel_team*Mar  1 01:19:27.352: %SNMP-5-COLDSTART: SNMP agent on host Cisco is undergoinga cold start*Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar  1 01:19:27.436: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF*Mar  1 01:19:27.540: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to down*Mar  1 01:19:28.072: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up*Mar  1 01:19:28.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up*Mar  1 01:19:28.484: %LINK-5-CHANGED: Interface ATM0, changed state to administratively down*Mar  1 01:19:28.848: %LINK-5-CHANGED: Interface NVI0, changed state to administratively down*Mar  1 01:19:28.932: %LINK-3-UPDOWN: Interface FastEthernet3, changed state toup*Mar  1 01:19:28.936: %LINK-3-UPDOWN: Interface FastEthernet2, changed state toup*Mar  1 01:19:28.940: %LINK-3-UPDOWN: Interface FastEthernet1, changed state toup*Mar  1 01:19:29.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down*Mar  1 01:19:29.932: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down*Mar  1 01:19:29.936: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down*Mar  1 01:19:29.940: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down*Mar  1 01:19:29.948: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to upAuthorized access only!===========================================
  Please help me as I am stuck and can't go any further....

  Hi David White,
  Alternatively, after password recovery you can modify the configuration to be what you want, and then issue:
     write memory
  to save the configuration.  You can then verify that your changes have been saved to the startup config by issuing:
     show startup-config"
  The only good thing is that when I switch off a router it erase configuration except my new password which I created after password reset. Everything else is getting vanished (ADSL settings, DHCP, routing ) everything. Even new admin accounts I created.
  Well have a question to your above comments. I am new in Cisco so please put as much detail as you can for me to understand. When you say modify configuration do you mean to go to Cisco CP Express graphical interface and then connect router to hyper terminal and execute above commands?
  Why router doesn't remember this anyway. There must be some option to change in configuration to make thing permanent when I hit apply changes in Cisco CO Express otherwise it is pointless to heve it.
  Phillip
  write memory
  is
  copy running-config startup-config"
  Can't this be done via Cisco CP Express or set up router to copy this every time I change this in graphical interface rather going to command line to achnoledge it?
  I understand your concern about this router and somebodie's configuration details as you want things to be un-used when you buy them - true. ADSL details belongs to the shop which sold me the router so that is why I don't make a big problem about this. We take most of hardware from this shop and have discount and many good deals with them so I think they have been just testing it and forgot to erease their config. It might be that someone has returned router to the shop and they have repaired it and tested it.
  I hope this is a normal behaviour of this router as I have option to replace it in case this is a fault.
  Could you please write me step by step guide how can I make changed options stay permanently on router?
  thank you
  Dragan