Problem: IPv6 w/ PPPoE on Cisco 2901
Folks: I have this Cisco 2901 configured with PPPoE and IPv6 and connect it through a CO (DSLAM) to an Actiontec xDSL router. PPPoE connections are on FE0/0/0, through virtual template.
The Actiontec router gets NA and PD addresses successfully and LAN PC connected to Actiontec router can surf the IPv6 Internet w/ no problem. However, Cisco 2901 can't reach the Actiontec router by its NA or TA public IPv6 address. A 'stupid' workaround is to manually add a route w/ the virtual access. It is stupid cuz each new connection will bring up a different virtual access.
I guess this is a bug on 2901, but want to confirm with you guys first. Now the whole config:
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname AEI_SV_Cisco_2091
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
no aaa new-model
ipv6 unicast-routing
ipv6 dhcp pool HE
prefix-delegation pool HE-48
address prefix 2001:470:1F05:7A::/64
ipv6 cef
ip dhcp pool default
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
ip dhcp pool dslam1
network 10.11.11.0 255.255.255.0
default-router 10.11.11.1
dns-server 10.11.11.1
ip domain name yourdomain.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
multilink bundle-name authenticated
vpdn enable
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3962993046
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3962993046
revocation-check none
rsakeypair TP-self-signed-3962993046
crypto pki certificate chain TP-self-signed-3962993046
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn FCZ15489123
username admin privilege 15 secret 5 $1$.CdN$d0DXERD9PqUtu6XPilTv/.
username chap password 0 chap
bba-group pppoe global
virtual-template 1
sessions max limit 256
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F04:7A::2/64
ipv6 enable
tunnel source 173.13.177.215
tunnel mode ipv6ip
tunnel destination 72.52.104.74
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip nat allow-static-host
ip nat enable
ip virtual-reassembly in
shutdown
duplex auto
speed auto
ipv6 enable
ipv6 dhcp server HE1
interface GigabitEthernet0/1
ip address 173.13.177.215 255.255.255.240
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/0/0
ip address 10.11.11.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address 2001:470:1F05:7A::1/64
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 dhcp server HE
pppoe enable group global
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
interface Virtual-Template1
mtu 1492
ip unnumbered FastEthernet0/0/0
ip nat inside
ip nat enable
ip virtual-reassembly in
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
no ipv6 nd ra suppress
ipv6 dhcp server HE
peer default ip address dhcp-pool dslam1
peer default ipv6 pool HE
ppp authentication chap
no routing dynamic
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 173.13.177.222
access-list 1 permit any
ipv6 route ::/0 Tunnel0
ipv6 local pool test 2001:470:7007::/48 64
ipv6 local pool HE-48 2001:470:8008::/48 64
control-plane
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport preferred none
transport input all
transport output all
line vty 5 15
privilege level 15
login local
transport preferred none
transport input all
transport output all
scheduler allocate 20000 1000
end
See both IPv4 and IPv6 are using virtual template to get PPPoE work. Everything's working fairly well on IPv4. I can ping from cisco to the 10.11.11.x address on Actiontec router. But with IPv6, I can't ping 2001:470:1f05:7a:: address on Actiontec router. The correct route through virtual-access is not installed, or the F0/0/0 interface doesn't pass the IPv6 traffic to the corresponding virtual access interface:
AEI_SV_Cisco_2091#sh ipv6 route
IPv6 Routing Table - default - 7 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - Neighbor Discovery, l - LISP
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S ::/0 [1/0]
via Tunnel0, directly connected
C 2001:470:1F04:7A::/64 [0/0]
via Tunnel0, directly connected
L 2001:470:1F04:7A::2/128 [0/0]
via Tunnel0, receive
C 2001:470:1F05:7A::/64 [0/0]
via FastEthernet0/0/0, directly connected (this sounds correct, but I'm not able to reach client from this interface)
L 2001:470:1F05:7A::1/128 [0/0]
via FastEthernet0/0/0, receive
S 2001:470:8008::/64 [1/0]
via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
L FF00::/8 [0/0]
via Null0, receive
Can someone help? Thanks!
Henry
Hi,
The 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet. Even though I had no end-to-end connectivity I could see packets matching the outbound ACL which were created from a host on that subnet.
Carsten
Similar Messages
-
Nice People HELP ME!!! IPv6 over PPPoE Configuration on Cisco 7206VXR
I have a 7206VXR which connects to a DSLAM via the router's ATM/DS3 interface. A CPE home router connects to the DSLAM. So it's like:
PC -----ethernet---- CPE Router ------ dsl line ------ DSLAM ----- atm/pppoe ------- BVI/Virtual-Template/PPPoE on Cisco 7206VXR
Now the problem is:
- PC CAN ping the BVI interface of Cisco, but NOT beyond that. For instance he can't ping 7206's loopback ipv6 address.
- I found something interesting on the CPE, that CPE itself can't ping BVI interface of Cisco, AND it doesn't have a default gateway ::/0 set on itself. I manually added a default router like "route -A inet6 add ::/0 gw <BVI's IPv6 addr>", and the problem got solved and PC can ping Cisco's loop back IP now. But this is not a solution since I want this thing to be automatically ready.
Note both CPE and PC are happy with global IPv6 addresses assigned.
I believe this problem is related to how PPPoE/IPCPv6 handles addresses and prefixes.
Ok, now some configuration details: I use 2001:7:7::/64 for the "WAN" side of CPE, and 2001:8:8::/64 for its LAN side (PCs). And here's the Cisco config (only related stuff is shown here):
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool foo
prefix-delegation pool test
address prefix 2001:7:7::/64
bridge irb
bba-group pppoe global
virtual-template 2
sessions max limit 256
interface Loopback0
no ip address
ipv6 address 2001:9:9::1/64
ipv6 enable
interface Virtual-Template2
description Public PPP CHAP
mtu 1492
ip unnumbered BVI1
ip pim sparse-dense-mode
ip igmp version 3
ipv6 unnumbered BVI1
ipv6 enable
ipv6 mtu 1492
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High
no ipv6 nd ra suppress
ipv6 dhcp server foo
peer default ip address dhcp-pool Public
peer default ipv6 pool test
ppp authentication chap
ppp pap refuse
interface BVI1
description Public IP ADSL
ip address 12.230.197.129 255.255.255.224
ip pim sparse-dense-mode
ip igmp version 3
ipv6 address 2001:7:7::1/64
ipv6 enable
ipv6 mtu 1492
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd router-preference High
no ipv6 nd ra suppress
ipv6 nd ra lifetime 60
ipv6 nd ra interval 40
ipv6 local pool test 2001:8:8::/56 64
NICE PEOPLE PLS HELP ME! ^_^
Thanks Andrew for your response and sorry for the confusion: actually I didn't include all my config lines. For bridging, actually I did what you mentioned and everything works fine with IPv4:
interface ATM1/0.3 multipoint
description Public DHCP
bridge-group 1
pvc 1/1060
encapsulation aal5snap
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
-
Dear Sir/Madam,
I am using an ISP that assigns me IPv6 by PPPoE connection. I don't have any problem with Windows and by creating a PPPoE connection everything works correctly, but in OS Mavericks I don't get IPv6 automatically while I set configure IPv6 automatically in my network preferences.
It is very important for me because I want to switch to IPv6 on my Mac.
Best Regards,
Massoud
It works if I set it manually, but I think it is because there is no option to receive IP via PPP, and the PPPoE connection cannot receive IPv6 automatically the same as IPv4.
-
Is Cisco 2901 router suffering from the heartbleed problem?
I am not quite familiar with networking products. So maybe this is a stupid question.
We have recently bought a Cisco 2901 router.
http://www.cisco.com/c/en/us/products/routers/2901-integrated-services-router-isr/index.html
We checked the cisco heartbleed info page.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
But Cisco 2901 is listed neither in "Vulnerable products" nor in "Products Confirmed Not Vulnerable".
So, is Cisco 2901 vulnerable or not?
Or does it depend on the firmware version? How to check?
Just to add to the above. It actually says that IOS is NOT affected.
The following Cisco products have been analyzed and are not affected by this vulnerability:
Cisco 1000 Series Connected Grid Routers
Cisco 200 Series Smart Switches
Cisco 300 Series Managed Switches
Cisco 500 Series Stackable Managed Switches
<<<<<<<<SNIPPED>>>>>>>>>
Cisco Identity Service Engine (ISE)
Cisco Insight Reporter
Cisco Integrated Management Controller (IMC)
Cisco Intelligent Automation for Cloud
Cisco IOS XR
Cisco IOS
Cisco IP Communicator
Link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
-
Connectivity issues between Cisco 2901 and Cisco SG300-52
Hello,
I am having some serious connectivity issues between the hosts in my LAN.
My LAN is based on a Cisco 2901 router and a Cisco SG300-52 port switch.
The issue that has been happening is that connections between hosts on the LAN (remote desktop, extended ping, etc) are very unstable; at some points I can see 35% lost packets on an extended ping. This happens at any time of the day and from any host.
All hosts are on the same VLAN (default VLAN) and on the same subnet. Some hosts have fixed IP addresses (servers and network equipment) and others obtain their IP address through a DHCP reservation established on the router (reserved with the MAC address of every host).
I can provide further details if needed, because this issue is very serious and I would really appreciate any insight or support.
Many thanks in advance.
Sair Amer
EDIT: After doing every test we could think of, we finally found the reason behind this problem.
It turns out that the switch has problems handling communications between clients at different speeds, because most of the hosts connected were working at 100 Mbps but the servers were working at 1000 Mbps (and the communication between host and servers wasn't stable).
After manually setting the speed on all ports to 100 Mbps the problems have stopped.
Many thanks for your help on this issue.
Building configuration...
Current configuration : 4123 bytes
! Last configuration change at 12:06:16 PCTime Sat Jul 19 2014 by ccp
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Foninsa
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 $1$BDbJ$HN3VP8nmywrGB55RCxPd30
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime -4 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 12 2003 12:00
no ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.151 192.168.1.255
ip dhcp pool FONINSA
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool Laptop-Sporta-Wifi
host 192.168.1.10 255.255.255.0
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-213585710
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-213585710
revocation-check none
rsakeypair TP-self-signed-213585710
crypto pki certificate chain TP-self-signed-213585710
certificate self-signed 01
30820229 30820192
quit
license udi pid CISCO2901/K9 sn
license boot module c2900 technology-package securityk9
username ccp privilege 15 password
redundancy
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address 190.196.21.98 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.3 21 190.196.21.98 21 extendable
ip nat inside source static tcp 192.168.1.3 80 190.196.21.98 80 extendable
ip nat inside source static udp 192.168.1.8 1194 190.196.21.98 1194 extendable
ip nat inside source static tcp 192.168.1.4 3389 190.196.21.98 3389 extendable
ip nat inside source static tcp 192.168.1.9 3389 190.196.21.98 10000 extendable
ip nat inside source static tcp 192.168.1.3 3389 190.196.21.98 20000 extendable
ip route 0.0.0.0 0.0.0.0 190.196.21.97
access-list 1 permit 192.168.1.0 0.0.0.255
control-plane
line con 0
password $
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 5
access-class 23 in
privilege level 15
password #
transport input telnet ssh
no scheduler allocate
end
-
What's wrong? Verify and compare Cisco 2901 config after loading old config from Cisco 2801
Hi Cisco Community / Friends,
I am new to this site though I have had a Cisco account for many years. I am a CCNA; I passed my certification in January 2013. I seldom use my networking skills because of my type of work. I am a Project Engineer working in a system integrator company. Anyway, I would like to ask for assistance with the configuration of my Cisco router for these gov't projects. Here's the situation.
We have a new project for the VSAT communication of a Coast Watch Station. The VSAT was installed 7 years ago. The VSAT was only used for a year by this gov't agency because of a subscription issue. Now, they want to revive and use their VSAT facilities for the Coast Watch monitoring. Some of these routers are still working, and at some sites they are already defective, so I need to replace the old 2801 router with a new equivalent model, which is the Cisco 2901. My plan was just to load the old config into the new Cisco 2901 router. However, after loading it to the new router, I am a little worried because I received some errors. I loaded the old config by copying the old files, editing them in Notepad, and loading the config using SecureCRT (terminal emulator). When I copy the old config of the Cisco 2801 to the new Cisco 2901 router, below are the commands not recognized on the Cisco 2901. What's wrong? What are these commands for?
Appreciate your comments and help on this matter.. Thank You very much
Note: I Attached the original config from Cisco 2801 and the other file is the config after I load the config file to Cisco 2901.
(Errors see below)
CWS_4_Pandami(config-erm)#mmi polling-interval 60
^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config-erm)#no mmi auto-configure
^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config-erm)#no mmi pvc
^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config-erm)#mmi snmp-timeout 180
^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config-if)#interface GigabitEthernet0/1
CWS_4_Pandami(config-if)# description ===CWS4 SAT Modem===
CWS_4_Pandami(config-if)# bandwidth 256
CWS_4_Pandami(config-if)# ip address 192.168.42.1 255.255.255.0
CWS_4_Pandami(config-if)# duplex auto
CWS_4_Pandami(config-if)# speed auto
CWS_4_Pandami(config-if)# priority-group 1
^
% Invalid input detected at '^' marker.
CWS_4_Pandami(config)#access-list 100 permit ip any any dscp cs5
CWS_4_Pandami(config)#priority-list 1 protocol ip high list 100
^
% Invalid input detected at '^' marker.
Hi
From Cisco's website:
The Modem Management Interface (MMI) is software that enables auto-provisioning for the Cisco 827 routers. The MMI uses a fixed PVC to communicate with the Proxy Element (PE) residing on the digital subscriber line access multiplexer (DSLAM). Using MMI, the Cisco 827 router updates the running image and downloads the prescribed configuration using a configuration file or configuration values in a provisioning information database.
The customer premise equipment (CPE) can be automatically configured using the Cisco DSL CPE download, but it can be configured only with the image provisioning feature.
So because this is your device, you don't want to use MMI anyways.
And "priority-list" is QoS. Probably that QoS-command is old and removed, because now QoS is configured using class-maps and policy-maps.
-
PIX515e dual-stack ipv4 & ipv6 over PPPoE
Hi Everyone,
In short: I am trying to get ipv4 and ipv6 over PPPoE running on my PIX515e.
Here's a bit more info about my setup and the scenario:
My internet provider (residential) has offered me a dual-stack service on my ADSL.
I get a STATIC ipv4 address, but a DYNAMIC ipv6 address. Additionally I get a STATIC ipv6 /56 prefix for my lan "if my router supports prefix delegation".
My PIX is the 515e and it's running PIX 7.2(4) with ASDM 5.2.
Getting the ipv4 side of it working isn't an issue - I've configured the pppoe side of it with my username and password, and configured my outside interface (Ethernet 0) with the ipv4 address.
But I cannot figure out how to get a dynamic ipv6 address on the outside (Ethernet 0) interface.
At this stage all I care about is getting a dynamic ipv6 address on Ethernet 0. I don't care about the "lan" prefix or Prefix Delegation part of it because I figure I'll just NAT my lan ipv6 addresses out to the internet using the dynamic ipv6 address on the outside interface.
I've read a lot of articles and looked at a lot of examples but none quite explain what I'm trying to do.
I have enabled ipv6 on the outside interface - ipv6 enable
and I've looked at ipv6 address and I've found the autoconfigure option but that doesn't appear to fetch the ipv6 address from my internet provider.
I guess I'm expecting to see something like ipv6 address dhcp or ipv6 address pppoe
So my question is does anyone know how I can get dual-stack working on my outside interface with dynamically assigned ipv6 from pppoe.
Or do I need to update the PIX software on my device. If so, can anyone suggest which version?
Any help is greatly appreciated.
I wanted to provide an update on this topic. It turns out the traffic class that I was testing with was overlapping another class's match statement, which had a much lower bandwidth percentage.
After making the corrections, it seems the IPv4 and IPv6 work very well together in the queues. And now that you can run fair-queueing per class, I'm actually impressed with how well it is working.
Now if only I could classify traffic based on the number of packets/bytes seen in netflow.... then I could shape some really nice QoS policies!
-
Enable Web gui on Cisco 2901 ISR running IOS 15...
I have recently purchased a Cisco 2901 Integrated Service Router that is running IOS 15... and need some help activating the WEB GUI Interface. I have read some documentation and have not had any luck. Some detailed instructions for the command line would be great if someone has the time to help.
Thanks
Hi,
It looks as though there is not a Web GUI available for the 2901. However, Cisco does provide a tool called Cisco Configuration Professional, which provides tools to configure routers. It provides options for configuring many different functions in Cisco routers. You can follow the steps laid out in this article: http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_configuration_professional/guides/CiscoCPqsg.html
This gives a great overview of how to install and start using Configuration Professional. I hope this helps, and please feel free to respond with any further questions. I will certainly do my best to answer them!
Garrett
-
Initial configuration of Cisco 2901 router
Dear all, first of all, please excuse my ignorance.
I have the following scenario, and I want to start replacing some equipment.
I have an RV042 connected to the Internet and to a 3COM switch.
I want to replace this equipment with a Cisco 2901 and an SG500 switch.
I have not used Cisco IOS before, and I want to start by configuring the basics. Internet access. Later I would need to add VPNs, but that would be a second step.
I have been reading about ACLs and routing tables, but I can't get it to work. I can ping the devices but I can't browse.
At the moment I have started over and the router is factory reset.
Can you guide me?
Thanks
Thanks for your reply.
The first thing I wonder is, unlike conventional routers, one configures certain parameters:
public IP, netmask, gateway (supposedly the gateway connected to the fiber) and the ISP's DNS servers.
When I configure the network interfaces in IOS, how do I specify this data?
I define the following:
Int G 0/1
IP Ad 190.111.249.X 255.255.255.252
desc Internet
Int G 0/0
IP Ad 192.168.1.1 255.255.255.0
desc LAN
From there, how do I configure Internet access?
Which IP should I configure on the Internet interface, one of its own for the interface that points to the device that has the fiber?
What would a basic NAT rule for Internet access look like?
I followed tutorials, configured exactly as I read, and still could not browse.
Thanks for any help you can give me.
-
Discussion Jabber on Notebooks and Cisco 2901 gateway
At work we now have Cisco Jabber clients on notebooks. Internal connections are now possible, although with great latency because the central "master" resides a thousand kilometers through Europe away behind a VPN connection. As a country subsidiary a local Cisco 2901 should connect to the telephony as a gateway...
- How is the general architecture of Cisco collaboration?
- Is it correct to look at our Cisco 2901 like a local domain controller in a Windows network?
Hi
Thx for the answer. To figure it out more clearly on a top level:
We are sitting in the south of Europe and our master resides up in the North. Using Jabber clients on notebooks, a telephony call to customers in our country will go through the VPN tunnel up north to u-turn and come down to our Cisco 2901, which is connected to legacy telephony (ISDN) wires and finally to customers...
Is this a recommended architecture?
-
Cisco SSL-VPN / webvpn with Cisco 2901 IOS 15.3.3M
Dear Community,
I have a strange issue that I am hoping some of you will be able to assist with.
I am running an environment with the following specifications
Cisco ISR G2 2901 with IOS 15.3.3M
Security Licence enabled
Data Licence enabled
VPN Licence enabled
Cisco ISR G2 2951 with IOS 15.3.3M
Security Licence enabled
Data Licence enabled
SM with ESX server.
Desktop Environment
Windows XP SP3
Internet Explorer 8
Desktop Environment 2
Windows 8
Internet Explorer 10
I have a ESX server set up with a web page on the 2951. The 2901 unit has a SSL VPN / web vpn service set up on it to allow the Desktop Environments to connect to the 2951 web page. The Desktop Environments are not allowed to directly connect to the 2951 router that is why the SSL-VPN / web vpn is used.
This system was initially working with IOS 15.2.4M2 however an update of the IOS was required and now the VPN does not fully function correctly.
PROBLEM: Now the webvpn interface loads with the welcome screen and login. After logging in it has a screen with a link to the webpage on the 2951. When I try open this webpage on the 2951 and the SSL-VPN starts to build I only get half my web page. There seems to be a problem where I only get half a page loading or just a blank page with just HTML headers. I have tried changing the page to just HTML but it still does not display properly. This is with Internet Explorer ( all versions ). With firefox there are no problems but I cannot run this browser as my environment will not allow it.
If anyone can assist me here it would really make my day.
Thanks,
Will
Can anyone help with this?
-
5 users limitation using PPPoE on cisco??
Hello,
I am trying to use a cisco as a pppoe server. The problem is that it's not able to connect more than 5 users at a time. I thought the cisco (3620) had some problems and used another (2610) with the same result. What could be the problem?
TIA
Shekhar Basnet
Here are some info.
System image file is "flash:c2600-ik9o3s-mz.122-31"
cisco 2610 (MPC860) processor (revision 0x203) with 61440K/4096K bytes of memory
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
PPPoE# sho run
Building configuration...
ip audit notify log
ip audit po max-events 100
vpdn enable
vpdn-group canopy-consumer
accept-dialin
protocol pppoe
virtual-template 10
pppoe limit per-vlan 300
interface FastEthernet1/0.630
description #### PPPoE clients #####
encapsulation dot1Q 630
pppoe enable
interface Virtual-Template10
ip address 192.168.125.125 255.255.255.252
peer default ip address pool consumer-pool
ppp authentication pap
ip local pool consumer-pool x.x.254.112 x.x.254.119
Here's a sample log when trying to connect using a 6th customer
Feb 5 16:49:53: PPPoE 0: I PADI L:ffff.ffff.ffff R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 0: O PADO L:f730.8100.0276 R:ba27.0003.e3e8 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 0: I PADR L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 396: Creating
Feb 5 16:49:53: PPPoE 396: Created L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 396: O PADS L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Feb 5 16:49:54: PPPoE 396: I PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: PPPoE 396: Shutting down
Feb 5 16:49:54: PPPoE 396: O PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: PPPoE 396: Destroying L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
PPPoE#sho idb
Maximum number of IDBs 300
24 SW IDBs allocated (2624 bytes each)
19 HW IDBs allocated (4976 bytes each)
HWIDB#1 1 Ethernet0/0 (HW IFINDEX, Ether)
HWIDB#2 3 BRI0/0 (HW IFINDEX, HW ISDN, Serial)
HWIDB#3 4 Serial0/0 (HW IFINDEX, Serial)
HWIDB#4 5 BRI0/0:1 (HW ISDN, Serial)
HWIDB#5 6 BRI0/0:2 (HW ISDN, Serial)
HWIDB#6 7 Serial0/1 (HW IFINDEX, Serial)
HWIDB#7 8 FastEthernet1/0 (DOT1Q, HW IFINDEX, Ether)
HWIDB#8 9 Virtual-Access1 (Serial, HW VACCESS)
HWIDB#9 10 Virtual-Access2 (Serial, HW VACCESS)
HWIDB#10 11 Virtual-Access3 (Serial, HW VACCESS)
HWIDB#11 12 Virtual-Access4 (Serial, HW VACCESS)
HWIDB#12 13 Virtual-Access5 (Serial, HW VACCESS)
HWIDB#13 14 Virtual-Access6 (Serial, HW VACCESS)
HWIDB#14 15 Virtual-Template10 (HW IFINDEX, Serial, HW VTEMPLATE)
HWIDB#15 16 Loopback0 (HW IFINDEX)
Yahoooo!! Success at last.. Thanks a lot Mak. But I would love to know the reason behind it. So even changing the subnet on VT to /24 would have had no effect then?
PPPoE#sho user
Line User Host(s) Idle Location
* 66 vty 0 shekhar idle 00:00:00 x.x.233.248
Interface User Mode Idle Peer Address
Vi1 silt Virtual PPP (PPPoE ) 00:00:05 x.x.225.35
Vi2 hhc123 Virtual PPP (PPPoE ) 00:00:15 x.x.225.37
Vi3 mahaguthi Virtual PPP (PPPoE ) 00:00:55 x.x.225.33
Vi4 atlas Virtual PPP (PPPoE ) 00:00:35 x.x.225.36
Vi5 hope Virtual PPP (PPPoE ) 00:01:35 x.x.225.34
Vi6 ktptest Virtual PPP (PPPoE ) 00:00:05 x.x.225.38
PPPoE#
-
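The PPPoE debug log in the "5 users limitation using PPPoE on cisco??" thread above can be read mechanically: in RFC 2516 discovery, PADI/PADO/PADR/PADS bring a session up and PADT tears it down, and the I/O column shows whether the router received or sent each packet. The following is an added example, not code from the thread; the function names and the 5-second threshold are assumptions. It rebuilds each session from such lines and flags sessions that the peer tore down right after PADS.

```python
import re

# Debug lines copied from the post above (router-side PPPoE debug output).
SAMPLE_LOG = """\
Feb 5 16:49:53: PPPoE 0: I PADI L:ffff.ffff.ffff R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 0: O PADO L:f730.8100.0276 R:ba27.0003.e3e8 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 0: I PADR L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 396: Creating
Feb 5 16:49:53: PPPoE 396: Created L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: PPPoE 396: O PADS L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:53: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
Feb 5 16:49:54: PPPoE 396: I PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: PPPoE 396: Shutting down
Feb 5 16:49:54: PPPoE 396: O PADT L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: PPPoE 396: Destroying L:0003.e3e8.f730 R:000a.e44f.ba27 630 Fa1/0.630
Feb 5 16:49:54: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down
"""

# Matches only discovery-packet lines: "<Mon> <day> hh:mm:ss: PPPoE <sid>: I|O PADx L:<mac> R:<mac>".
# State lines ("Creating", "Shutting down") and %LINK messages are ignored.
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d):\s+PPPoE\s+(\d+):\s+"
    r"([IO])\s+(PAD[IORST])\s+L:(\S+)\s+R:(\S+)"
)


def parse_events(log):
    """Return (seconds_of_day, session_id, direction, code, remote_mac) per packet line."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        hh, mm, ss, sid, direction, code, _local, remote = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)  # assumes no midnight rollover
        events.append((t, int(sid), direction, code, remote))
    return events


def summarize_sessions(log, early_seconds=5):
    """Per-session view: who sent the first PADT and how long after PADS.

    Session 0 is the pre-session discovery phase (PADI/PADO/PADR) and is skipped.
    early_seconds is an assumed threshold for "torn down right after setup".
    """
    state = {}
    for t, sid, direction, code, remote in parse_events(log):
        if sid == 0:
            continue
        s = state.setdefault(
            sid, {"peer": remote, "packets": [], "pads_at": None, "padt": None}
        )
        s["packets"].append(direction + " " + code)
        if code == "PADS" and s["pads_at"] is None:
            s["pads_at"] = t
        if code == "PADT" and s["padt"] is None:
            s["padt"] = (direction, t)  # only the first PADT tells who hung up

    report = {}
    for sid, s in state.items():
        closed_by, lifetime = None, None
        if s["padt"] is not None:
            direction, t_end = s["padt"]
            # "I" = PADT received by the router, i.e. the client ended the session.
            closed_by = "peer" if direction == "I" else "router"
            if s["pads_at"] is not None:
                lifetime = t_end - s["pads_at"]
        report[sid] = {
            "peer": s["peer"],
            "packets": s["packets"],
            "closed_by": closed_by,
            "lifetime_s": lifetime,
            "early_peer_teardown": (
                closed_by == "peer"
                and lifetime is not None
                and lifetime <= early_seconds
            ),
        }
    return report


def early_teardowns(log, early_seconds=5):
    """Sorted (session_id, peer_mac) pairs for sessions the peer closed right after PADS."""
    rep = summarize_sessions(log, early_seconds)
    return sorted((sid, r["peer"]) for sid, r in rep.items() if r["early_peer_teardown"])


if __name__ == "__main__":
    for sid, info in summarize_sessions(SAMPLE_LOG).items():
        print(sid, info)
```

On the log from the post, session 396 is reported as closed by the peer one second after PADS: the client sent the first PADT, and the router's own PADT only followed it.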
Problem with VPN client on Cisco 1801
Hi,
I have configured a new router for a customer.
All works fine but i have a strange issue with the VPN client.
When I start the VPN, the client doesn't close the connection, asks for the password, starts to negotiate security policy, then shows the not connected status.
This is the log from the VPN client:
Cisco Systems VPN Client Version 5.0.07.0290
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7601 Service Pack 1
Config file directory: C:\Program Files (x86)\Cisco Systems\VPN Client\
1 14:37:59.133 04/08/13 Sev=Info/6 GUI/0x63B00011
Reloaded the Certificates in all Certificate Stores successfully.
2 14:38:01.321 04/08/13 Sev=Info/4 CM/0x63100002
Begin connection process
3 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100004
Establish secure connection
4 14:38:01.335 04/08/13 Sev=Info/4 CM/0x63100024
Attempt connection with server "asgardvpn.dyndns.info"
5 14:38:02.380 04/08/13 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 79.52.36.120.
6 14:38:02.384 04/08/13 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
7 14:38:02.388 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 79.52.36.120
8 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
9 14:38:02.396 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
10 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
11 14:38:02.460 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (SA, VID(Unity), VID(dpd), VID(?), VID(Xauth), VID(Nat-T), KE, ID, NON, HASH, NAT-D, NAT-D) from 79.52.36.120
12 14:38:02.506 04/08/13 Sev=Info/6 GUI/0x63B00012
Authentication request attributes is 6h.
13 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
14 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DPD
15 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
16 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
17 14:38:02.460 04/08/13 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
18 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
19 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(HASH, NOTIFY:STATUS_INITIAL_CONTACT, NAT-D, NAT-D, VID(?), VID(Unity)) to 79.52.36.120
20 14:38:02.465 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
21 14:38:02.465 04/08/13 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0xCEFD, Remote Port = 0x1194
22 14:38:02.465 04/08/13 Sev=Info/5 IKE/0x63000072
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
23 14:38:02.465 04/08/13 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
24 14:38:02.502 04/08/13 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 79.52.36.120
25 14:38:02.502 04/08/13 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 79.52.36.120
26 14:38:02.502 04/08/13 Sev=Info/4 CM/0x63100015
Launch xAuth application
27 14:38:07.623 04/08/13 Sev=Info/4 CM/0x63100017
xAuth application returned
28 14:38:07.623 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 79.52.36.120
29 14:38:12.656 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
30 14:38:22.808 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
31 14:38:32.949 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
32 14:38:43.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
33 14:38:53.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
34 14:39:03.371 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
35 14:39:13.514 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
36 14:39:23.652 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
37 14:39:33.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
38 14:39:43.948 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
39 14:39:54.088 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
40 14:40:04.233 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
41 14:40:14.384 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
42 14:40:24.510 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
43 14:40:34.666 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
44 14:40:44.807 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
45 14:40:54.947 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
46 14:41:05.090 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
47 14:41:15.230 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
48 14:41:25.370 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
49 14:41:35.524 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
50 14:41:45.665 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
51 14:41:55.805 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
52 14:42:05.951 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
53 14:42:16.089 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
54 14:42:26.228 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
55 14:42:36.383 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
56 14:42:46.523 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
57 14:42:56.664 04/08/13 Sev=Info/6 IKE/0x63000055
Sent a keepalive on the IPSec SA
58 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
59 14:43:02.748 04/08/13 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 79.52.36.120
60 14:43:03.248 04/08/13 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=2B1FFC3754E3B290 R_Cookie=73D546631A33B5D6) reason = DEL_REASON_CANNOT_AUTH
61 14:43:03.248 04/08/13 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "asgardvpn.dyndns.info" because of "DEL_REASON_CANNOT_AUTH"
62 14:43:03.248 04/08/13 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
63 14:43:03.262 04/08/13 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
64 14:43:03.262 04/08/13 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
65 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
66 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
67 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
68 14:43:03.265 04/08/13 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
And this is the conf from the 1801:
hostname xxx
boot-start-marker
boot-end-marker
enable secret 5 xxx
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
aaa session-id common
dot11 syslog
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.1.60 10.0.1.200
ip dhcp excluded-address 10.0.1.225
ip dhcp excluded-address 10.0.1.250
ip dhcp pool LAN
network 10.0.1.0 255.255.255.0
default-router 10.0.1.10
dns-server 10.0.1.200 8.8.8.8
domain-name xxx
lease infinite
ip name-server 10.0.1.200
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall vdolive
ip inspect name Firewall udp
ip inspect name Firewall tcp
ip inspect name Firewall https
ip inspect name Firewall http
multilink bundle-name authenticated
username xxx password 0 xxxx
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxx
key xxx
dns 10.0.1.200
wins 10.0.1.200
domain xxx
pool ippool
acl 101
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set xauthtransform esp-des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
archive
log config
hidekeys
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
dsl operating-mode adsl2+
hold-queue 224 in
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface Vlan1
ip address 10.0.1.10 255.255.255.0
ip nat inside
ip virtual-reassembly
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication chap callin
ppp pap sent-username aliceadsl password 0 aliceadsl
crypto map clientmap
ip local pool ippool 10.16.20.1 10.16.20.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 10.0.1.2
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 1056 interface Dialer0 1056
ip nat inside source static tcp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source static udp 10.0.1.60 3111 interface Dialer0 3111
ip nat inside source list 101 interface Dialer0 overload
access-list 101 remark *** ACL nonat ***
access-list 101 deny ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 150 remark *** ACL split tunnel ***
access-list 150 permit ip 10.0.1.0 0.0.0.255 10.16.20.0 0.0.0.255
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
password xxx
scheduler max-task-time 5000
end
Anyone can help me ?
Sometimes the VPN can be created using the iPhone or iPad VPN client...
I am having a similar issue with my ASA 5505 that I have set up. I am trying to VPN into the Office. I have no problem accessing the Office network when I am on the internet without the ASA 5505. After I installed the 5505, and there is internet access, I try to connect to the Office network without success. The VPN connects with the following error.
3 Dec 31 2007 05:30:00 305006 xxx.xx.114.97
regular translation creation failed for protocol 50 src inside:192.168.1.9 dst outside:xxx.xx.114.97
HELP?
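The 1801 configuration posted earlier in this thread names AAA method lists in two places: where they are defined ("aaa authentication login", "aaa authorization network") and where the crypto map uses them. The following is an added example, not part of any post here; the function name is hypothetical and the sample is built from lines of that configuration. It checks that every list a crypto map names is actually defined, and on those lines it reports "userauthen", since the only login list defined is "xauthlist".

```python
import re

# Constructed sample: lines copied from the 1801 configuration quoted above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login xauthlist local
aaa authorization network groupauthor local
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
"""

# Definitions: "aaa authentication login <list> ..." and
#              "aaa authorization network <list> ..."
DEFINE_RE = re.compile(r"^aaa (authentication login|authorization network) (\S+)")
# References: "crypto map <map> client authentication list <list>" (Xauth login)
#             "crypto map <map> isakmp authorization list <list>" (group lookup)
REF_RE = re.compile(
    r"^crypto map (\S+) (?:client (authentication)|isakmp (authorization)) list (\S+)"
)


def undefined_aaa_lists(config_text):
    """Return (crypto_map, kind, list_name) for each list used but never defined."""
    defined = {"authentication": set(), "authorization": set()}
    refs = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = DEFINE_RE.match(line)
        if m:
            # First word of the matched phrase is the kind of list.
            defined[m.group(1).split()[0]].add(m.group(2))
            continue
        m = REF_RE.match(line)
        if m:
            kind = m.group(2) or m.group(3)
            refs.append((m.group(1), kind, m.group(4)))
    # List names are compared case-sensitively, exactly as written.
    return [r for r in refs if r[2] not in defined[r[1]]]


if __name__ == "__main__":
    for cmap, kind, name in undefined_aaa_lists(SAMPLE_CONFIG):
        print(f"crypto map {cmap}: {kind} list '{name}' has no matching aaa line")
```
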
VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)
Hi, I've been pulling my hair out trying to get simple vlan trunking working between these devices.
Basically, no clients on VLAN 99 (guest) will receive DHCP ip addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as I know it, and I've tried numerous variations (set trunk as general tag/untagged, etc., set the ap port to general tag/untag, etc). Both APs work properly when connected to the ASA e0/3 port but either will only pull the "inside" VLAN dhcp address when connected to the SG200 switch.
VLAN 1 - inside (has separate dhcp scope assigned by ASA)
VLAN 99 - guest (has separate dhcp scope assigned by ASA)
SG200
purpose
ASA 5505 (Sec Plus license)
purpose
g2
Trunk 1UP,99T
Ubiquiti AP (VLAN 1 works, VLAN 99 does not
g3
Access port 99T
vlan 99 does not work
g8
Trunk 1UP, 99T
< Trunk between switch and ASA >
Int e0/2
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Int e0/3
switchport trunk allowed vlan 1,99
switchport trunk native vlan 1
switchport mode trunk
Second ubiquiti AP
Both VLAN 1 and VLAN 99 clients work properly
Frustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged 99 - tagged.
No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged or Trunk port 1UP, 99T or general port 1U, 99UP or any combination thereof.
Anything connected to the SG200 on the native VLAN works properly.
Anything connected to the ASA VLANs (1 or 99) works properly
I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
SG200 g2 - trunk port (1UP, 99T) -- Access Point
SG200 g2 - access port (99U)
SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
Thanks,
Communication problem between ASA 5510 and Cisco 3750, L2 Decode drops
Having problem with communication between ASA 5510 and Cisco Catalyst 3750.
Here is the Cisco switch port facing the ASA 5510 configuration:
interface FastEthernet2/0/6
description Trunk to ASA 5510
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 131,500
switchport mode trunk
switchport nonegotiate
And here is the ASA 5510 port configuration:
interface Ethernet0/3
speed 100
no nameif
no security-level
no ip address
interface Ethernet0/3.500
vlan 500
nameif outside
security-level 0
ip address X.X.X.69 255.255.255.0
There is a default route on ASA to X.X.X.1.
When I try to ping from ASA X.X.X.1 I get:
Sending 5, 100-byte ICMP Echos to 31.24.36.1, timeout is 2 seconds:
Also in the output of show interface eth 0/3 on the ASA I can see that the L2 Decode drop counter increases.
I have also changed the ports on the Switch and ASA but the same error stays.
Any thoughts?
I don't see anything wrong with your trunk configuration; I have a similar one working between an ASA 5520 and a Catalyst 3750G.
Maybe you should adjust the "speed 100"? In my experience, partial autoconfiguration results in duplex mis-matches, which results in dropped packets.
I'd try removing the "speed 100" and letting the ASA port autonegotiate with the switch. Alternatively, have both sides set
speed 100
duplex full
and see if things improve.
-- Jim Leinweber, WI State Lab of Hygiene