SG200-50P and Cisco Router Issue

I have just recently replaced a WS-CE500-24LC switch with a SG200-50P.  I have plugged a Cisco 1760 router with a Fast Ethernet interface into the switch.  On the console of the router I now see these messages:
Jun 30 16:17:30.492: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:18:30.495: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:19:30.498: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:20:30.501: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:21:30.504: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:22:30.514: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:23:30.517: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:24:30.520: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:25:30.523: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:26:30.526: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:27:30.528: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:28:30.531: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:29:30.534: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:30:30.537: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:31:30.540: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:32:30.543: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:33:30.545: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver
What does this mean and how do I fix the issue?  As far as I am aware both ends of the link are set to autonegotiate the speed and duplex.
Thanks for helping.

Dave,
1.  Thanks for explaining what the error message means.  I never saw this message when the router was plugged into the WS-CE500-24LC switch.
2.  I did upgrade to the new firmware, even before I had connected the router to the switch.  I also replaced the cable.  It did not fix the issue.
3a.  Other than the log messages every minute, I do not see any impact to the network that I am aware of.
Interface counts:
cisco1760#sh int fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 000c.ce05.d68c (bia 000c.ce05.d68c)
  Description: "Primary LAN Segment"
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 2/255, rxload 2/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/948/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 895000 bits/sec, 245 packets/sec
  5 minute output rate 978000 bits/sec, 293 packets/sec
     199852941 packets input, 838336294 bytes
     Received 1945096 broadcasts, 0 runts, 0 giants, 0 throttles
     482 input errors, 0 CRC, 0 frame, 482 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     234783382 packets output, 4015540432 bytes, 9 underruns
     9 output errors, 0 collisions, 13 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
A minute later...
cisco1760#sh int fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Hardware is PQUICC_FEC, address is 000c.ce05.d68c (bia 000c.ce05.d68c)
  Description: "Primary LAN Segment"
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 2/255, rxload 2/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/948/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 878000 bits/sec, 238 packets/sec
  5 minute output rate 962000 bits/sec, 286 packets/sec
     199880510 packets input, 851437952 bytes
     Received 1945469 broadcasts, 0 runts, 0 giants, 0 throttles
     482 input errors, 0 CRC, 0 frame, 482 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     234816750 packets output, 4029944015 bytes, 9 underruns
     9 output errors, 0 collisions, 13 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
cisco1760#
It appears that just the byte and packet counts are increasing.  Nothing is shown in the log of the SG200-50P.  Logging level is set to informational in RAM.
I set both sides to 10 M / half-duplex and that also did not affect the messages.
Do you have any thoughts on the carrier-delay or keepalive settings on the fast ethernet interface of the router?
Thanks.
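The two counter snapshots above already carry the check a practitioner would make before touching carrier-delay or keepalive: the message lands every 60 s to the millisecond, while "lost carrier", "no carrier", "interface resets" and "CRC" stay flat and only the packet and byte counts move. The script below is an added example, not code from the thread or from Cisco: it parses IOS console lines for the LOSTCARR timestamps, measures the cadence, diffs two "show interface" snapshots and reports whether any counter that a real carrier loss would bump changed between them. The embedded log lines and counter tails are copied from the post; the 1 s jitter threshold used to call the cadence "periodic" is an assumption.

```python
import re
from datetime import datetime
from statistics import mean

# The first five LOSTCARR lines from the console paste in the post (re-joined onto one line each).
SAMPLE_LOG = """\
Jun 30 16:17:30.492: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:18:30.495: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:19:30.498: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:20:30.501: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
Jun 30 16:21:30.504: %PQUICC_ETHER-1-LOSTCARR: Unit 0, lost carrier. Transceiver problem?
"""

# Counter tails of the two 'show interface fastEthernet 0/0' snapshots from the post.
SNAPSHOT_1 = """\
     199852941 packets input, 838336294 bytes
     482 input errors, 0 CRC, 0 frame, 482 overrun, 0 ignored
     234783382 packets output, 4015540432 bytes, 9 underruns
     9 output errors, 0 collisions, 13 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
"""
SNAPSHOT_2 = """\
     199880510 packets input, 851437952 bytes
     482 input errors, 0 CRC, 0 frame, 482 overrun, 0 ignored
     234816750 packets output, 4029944015 bytes, 9 underruns
     9 output errors, 0 collisions, 13 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
"""

LOSTCARR_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}): %PQUICC_ETHER-1-LOSTCARR", re.M)

# Counters worth diffing: traffic, and everything a genuine carrier loss would bump.
COUNTER_RES = {
    "packets_input": r"(\d+) packets input",
    "packets_output": r"(\d+) packets output",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "output_errors": r"(\d+) output errors",
    "collisions": r"(\d+) collisions",
    "late_collision": r"(\d+) late collision",
    "interface_resets": r"(\d+) interface resets",
    "lost_carrier": r"(\d+) lost carrier",
    "no_carrier": r"(\d+) no carrier",
}
# Counters that move when the PHY really drops link or the interface bounces.
CARRIER_KEYS = ("lost_carrier", "no_carrier", "interface_resets", "crc", "late_collision")


def parse_lostcarr(log):
    """Timestamps of every LOSTCARR message (the year is not logged, so it defaults to 1900)."""
    return [datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")
            for m in LOSTCARR_RE.finditer(log)]


def intervals(stamps):
    """Seconds between consecutive messages."""
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def parse_counters(show_output):
    """Extract the named counters from 'show interface' text."""
    return {name: int(m.group(1))
            for name, pat in COUNTER_RES.items()
            if (m := re.search(pat, show_output))}


def diff_counters(before, after):
    """Counters that changed between two snapshots, as deltas."""
    return {k: after[k] - before[k] for k in before if k in after and after[k] != before[k]}


def assess(log, before_txt, after_txt, jitter=1.0):
    """Is the message on a fixed period, and did any link counter move while it fired?"""
    stamps = parse_lostcarr(log)
    gaps = intervals(stamps)
    changed = diff_counters(parse_counters(before_txt), parse_counters(after_txt))
    return {
        "messages": len(stamps),
        "mean_interval_s": round(mean(gaps), 3) if gaps else None,
        "periodic": len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter,   # jitter: assumed 1 s
        "counters_changed": changed,
        "carrier_counters_moved": any(k in changed for k in CARRIER_KEYS),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_LOG, SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{k}: {v}")
```

On the posted data it reports five messages at a mean 60.003 s, periodic, with only packets_input and packets_output changing and no carrier-related counter moving. That separates "the interface is really losing link" (resets, CRC or lost-carrier counters climbing) from "something logs this on a timer while the link stays up", which is the question the rest of the thread turns on. The same two functions can be fed a longer console capture and snapshots taken hours apart.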

Similar Messages

  • Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

    Hi, I'm trying to create a site-to-site VPN between a Cisco ASA 5505 and a Cisco 3945 router.
    I've tried to create the configuration with and without the ASA wizard, but either way it doesn't work.
    Please help me find where the issue is.
    I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
    192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
    Here is my current configuration.
    Thanks for your help.
    IOS Configuration
    version 15.2
    crypto isakmp policy 1
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp key cisco address 198.0.183.225
    crypto isakmp invalid-spi-recovery
    crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
    mode transport
    crypto map static-map 1 ipsec-isakmp
    set peer S2.S2.S2.S2
    set transform-set AES-SET
    set pfs group2
    match address 100
    interface GigabitEthernet0/0
    ip address S1.S1.S1.S1 255.255.255.240
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map static-map
    interface GigabitEthernet0/1
    ip address 192.168.17.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
    ASA Configuration
    ASA Version 8.4(3)
    interface Ethernet0/0
    switchport access vlan 2
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.83.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address S2.S2.S2.S2 255.255.255.248
    ftp mode passive
    same-security-traffic permit intra-interface
    object network inside-network
    subnet 192.168.83.0 255.255.255.0
    object network datacenter
    host S1.S1.S1.S1
    object network datacenter-network
    subnet 192.168.17.0 255.255.255.0
    object network NETWORK_OBJ_192.168.83.0_24
    subnet 192.168.83.0 255.255.255.0
    access-list outside_access_in extended permit icmp any any echo-reply
    access-list outside_access_in extended deny ip any any log
    access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
    pager lines 24
    logging enable
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat (inside,outside) source dynamic inside-network interface
    nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
    nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network datacenter-network no-proxy-arp route-lookup
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
    crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
    crypto ipsec ikev1 transform-set vpn-transform-set mode transport
    crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
    crypto ipsec ikev1 transform-set L2L_SET mode transport
    crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
    crypto map vpn 1 match address outside_cryptomap
    crypto map vpn 1 set pfs
    crypto map vpn 1 set peer S1.S1.S1.S1
    crypto map vpn 1 set ikev1 transform-set L2L_SET
    crypto map vpn 20 ipsec-isakmp dynamic dyno
    crypto map vpn interface outside
    crypto isakmp nat-traversal 3600
    crypto ikev1 enable outside
    crypto ikev1 policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    group-policy GroupPolicy_S1.S1.S1.S1 internal
    group-policy GroupPolicy_S1.S1.S1.S1 attributes
    vpn-tunnel-protocol ikev1
    group-policy remote_vpn_policy internal
    group-policy remote_vpn_policy attributes
    vpn-tunnel-protocol ikev1 l2tp-ipsec
    username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
    username admin password rqiFSVJFung3fvFZ encrypted privilege 15
    tunnel-group DefaultRAGroup general-attributes
    address-pool vpn_pool
    default-group-policy remote_vpn_policy
    tunnel-group DefaultRAGroup ipsec-attributes
    ikev1 pre-shared-key *****
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group S1.S1.S1.S1 type ipsec-l2l
    tunnel-group S1.S1.S1.S1 general-attributes
    default-group-policy GroupPolicy_S1.S1.S1.S1
    tunnel-group S1.S1.S1.S1 ipsec-attributes
    ikev1 pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f55f10c19a0848edd2466d08744556eb
    : end

    Thanks for helping me again. I really appreciate it.
    I don't have any NAT exemptions in the Cisco IOS router. I will change the transform set soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT exemption is the issue. Can you advise me which exemptions should be in the Cisco IOS router?
    Because on the Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.
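Before NAT exemption, the checks that the two configurations in the site-to-site VPN thread above invite are mechanical: does some IKEv1 policy on each side agree on cipher, hash, DH group and authentication method, and is there a transform-set pair with identical ESP transforms and the same mode. The script below is an added example, not code from the thread or from Cisco: it parses only the crypto-relevant lines copied from the two posted configurations, applies each platform's default for any policy attribute a block leaves unset (those defaults are assumptions taken from the vendor documentation and are worth confirming with "show running-config all" on the devices), and reports the first matching policy pair and any matching transform sets.

```python
# Crypto-relevant lines copied from the two configurations posted above (flush-left as posted).
IOS_CFG = """\
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
"""
ASA_CFG = """\
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
"""
# Attributes a policy inherits when unset (assumed from vendor docs; confirm with 'show run all').
IOS_IKE_DEFAULTS = {"enc": "des", "hash": "sha", "group": "1", "auth": "rsa-sig"}
ASA_IKE_DEFAULTS = {"enc": "3des", "hash": "sha", "group": "2", "auth": "pre-share"}
ATTR = {"hash": "hash", "group": "group", "authentication": "auth"}


def words(cfg):
    """Config text -> list of token lists, blank lines dropped."""
    return [line.split() for line in cfg.splitlines() if line.strip()]


def normalize_enc(tokens):
    """'aes 256' (IOS) and 'aes-256' (ASA) -> 'aes-256'; a bare 'aes' is AES-128 on both."""
    name = "-".join(tokens)
    return "aes-128" if name == "aes" else name


def parse_ike_policies(cfg, defaults):
    """{priority: {enc, hash, group, auth}} from 'crypto isakmp|ikev1 policy' blocks."""
    policies, cur = {}, None
    for w in words(cfg):
        if w[:3] in (["crypto", "isakmp", "policy"], ["crypto", "ikev1", "policy"]):
            cur = policies.setdefault(int(w[3]), dict(defaults))
        elif cur is not None and w[0] in ("encr", "encryption"):
            cur["enc"] = normalize_enc(w[1:])
        elif cur is not None and w[0] in ATTR:
            cur[ATTR[w[0]]] = w[1]
        elif w[0] != "lifetime":   # lifetime is not compared (peers adopt the shorter one);
            cur = None             # any other command ends the block
    return policies


def match_ike(a, b):
    """First (a_priority, b_priority) pair agreeing on enc/hash/group/auth, else None."""
    for pa, A in sorted(a.items()):
        for pb, B in sorted(b.items()):
            if A == B:
                return pa, pb
    return None


def parse_transform_sets(cfg):
    """{name: {'transforms': (...), 'mode': 'tunnel'|'transport'}}; mode defaults to tunnel."""
    sets, last = {}, None
    for w in words(cfg):
        if w[:2] == ["crypto", "ipsec"] and "transform-set" in w:
            i = w.index("transform-set")
            last = sets.setdefault(w[i + 1], {"transforms": (), "mode": "tunnel"})
            if w[i + 2:i + 3] == ["mode"]:
                last["mode"] = w[i + 3]          # ASA: mode on its own transform-set line
            else:
                last["transforms"] = tuple(sorted(w[i + 2:]))
        elif w[0] == "mode" and last is not None:
            last["mode"] = w[1]                  # IOS: 'mode' as a sub-command
        else:
            last = None
    return sets


def audit(ios_cfg, asa_cfg):
    """IKE policy pair, matching transform sets, and any transform set left in transport mode."""
    ts_i, ts_a = parse_transform_sets(ios_cfg), parse_transform_sets(asa_cfg)
    return {
        "ike_policy_pair": match_ike(parse_ike_policies(ios_cfg, IOS_IKE_DEFAULTS),
                                     parse_ike_policies(asa_cfg, ASA_IKE_DEFAULTS)),
        "transform_set_pairs": [(x, y) for x, A in ts_i.items() for y, B in ts_a.items() if A == B],
        # transport mode only fits traffic between the peers themselves; subnet-to-subnet needs tunnel
        "transport_mode_sets": sorted(n for ts in (ts_i, ts_a) for n, s in ts.items()
                                      if s["mode"] == "transport"),
    }


if __name__ == "__main__":
    for k, v in audit(IOS_CFG, ASA_CFG).items():
        print(f"{k}: {v}")
```

On the posted configurations it pairs IOS policy 1 with ASA policy 20 (AES-256, SHA, group 2, pre-shared key; ASA policy 10 is 3DES and cannot match) and pairs AES-SET with L2L_SET, but flags both as transport mode: that mode protects traffic whose IP endpoints are the peers themselves, and 192.168.17.0/24 to 192.168.83.0/24 between two gateways needs tunnel mode, so whether either platform quietly falls back is something to read out of the negotiation debug rather than assume. The crypto ACLs are visibly mirrored (17.0 to 83.0 on IOS, 83.0 to 17.0 on the ASA). Note that an empty "show crypto isakmp sa" on the router means phase 1 never started at all, which points at interesting traffic, UDP/500 reachability or the peer address before any of the parameter checks above.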

  • Administration of ASA5520 and cisco router mpls 1900

    Hi
    I just want to administer a Cisco
    ASA5520 and a Cisco 1900 MPLS router.
    Can someone tell me, as the admin, what to check regularly when I get into the office on the Cisco ASA 5520 and the VPN/MPLS router? Right now it is working as configured by the supplier for remote sites to connect to HQ and access several servers.
    My interest is to know the basic day-to-day checks on the Cisco ASA 5520 working as an IPS, the Cisco ASA 5520 working as content filtering, and the Cisco VPN/MPLS router.
    Thanks; attached a pic for your view.
    J

    Hello Malai,
    This question is subjective. I mean, you can check the statistics on the CSC module for logs of the users going to blacklisted sites.
    You can check the CPU on the ASAs and the IPS.
    You can monitor the amount of traffic traversing the interfaces of the ASA, and you can determine which host is using the most bandwidth, etc.
    It's pretty basic administration stuff.
    Regards,
    Julio
    Rate all the helpful posts

  • IPSec ikev2 between ASA and Cisco Router

    Hi,
    I am trying to do IPsec with IKEv2 (SHA2) between an ASA and a Cisco router, without success. Can anyone help me?
    - Remote site (router) with dynamic public IP -> dynamic crypto map on the ASA
    - Authentication with certificates
    - Integrity SHA2
    I have tried a lot of configurations without success.
    Thanks for your help.
    Mic

    The more secure IKE policy should have the higher priority, which is the smaller number. So I would configure them the following way (policy 30 only if really needed):
    crypto ikev1 policy 10
    authentication pre-share
    encryption aes-256
    hash sha
    group 5
    lifetime 28800
    crypto ikev1 policy 20
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 28800
    crypto ikev1 policy 30
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 43200
    The Cisco VPN Client is EOL and not supported any longer. And yes, by default DH group 2 is used. But that can be configured by a parameter in the PCF-file.
    There are two (three) better options:
    Best option with very little needed configuration:
    Move to AnyConnect with TLS. AnyConnect is the actual Cisco client that is also supported with Windows 8.x. The legacy IPsec client isn't.
    Best option with a little stronger crypto but more configuration:
    Move to AnyConnect with IPsec/IKEv2. 
    Move to a third-party client like shrew.net. I haven't used that client for a couple of years, but it's quite flexible and also has a config option for a better DH group.
    For options 1) and 2) an extra license is needed, but that's not very expensive.

  • SG200-50P and PoE issues

    Community,
    I just purchased a SG200-50P switch to replace a WS-CE500-24LC, which had a limited number (4) of PoE ports.  I was running a Cisco 7940 IP Phone and Cisco AP1231 and AP1100 series access points via PoE off this switch.
    When I attempt to plug these device types into the SG200-50P they do not power up.  What is going on?  Why do these devices (7940 IP Phone, 7960 IP Phone, AP1100 series access point, AP1231 series access point) not get PoE from the SG200-50P switch?
    Is there a setting to enable these devices to receive PoE from the switch?
    Thanks for your help.

    Hi
    The modern SGx00 series switches accept 802.3af compliant devices.
    From a cursory look at these devices, they are pre-standard PoE.  Check the Q&A URL below for answers regarding at least the phones.
    But nowhere in the datasheet for the AP1231 can I see that the AP1231 is 802.3af compliant.
    There is a solution within the URL below, which is to choose a switch that can provide both pre-standard and compliant PoE.
    http://www.cisco.com/en/US/products/hw/phones/ps379/products_qanda_item09186a00808996f3.shtml?referring_site=smartnavRD
    regards Dave

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
    We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP of our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • Cisco Transparent firewall and cisco switch issues.

    Dears,
    I have a very plain scenario:
     LAN Cisco switch <2 VLANs>  ----------> Cisco transparent firewall with BVI interface ------------>  crypto box ---------> Cisco router ------ <remote/other site>
    I have VLAN 61 configured on the BVI interface of the firewall, on the crypto box and also on the switch port, and VLAN 61 is up/up.
    The issue is that I can connect remotely to the Cisco transparent firewall but cannot ping or connect to the Cisco switch.
    I need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 VLANs to pass through the Cisco transparent firewall and go to the other/remote site.

    Well,
    I have turned on ICMP inspection for the sessions, and the version I am using is 9.1.
    Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside-interface PC, I can see packet counts increasing on the ACL in the show access-list output.
    I have requested the client to verify his part. Do let me know further tips if you have any.
    [Moreover, we cannot use packet-tracer from the CLI in transparent mode.]

  • Not able to telnet or ssh to outside interface of ASA and Cisco Router

    Dear All
    Please help me with the following question. I have set up a testing lab, but it still does not work.
    It is a hub-and-spoke site-to-site VPN case; the connection between hub and spokes is Metro-E, so we are using private IPs for the outside interface at each site.
    Hub -- Juniper SRX
    Spoke one -- Cisco ASA with version 9.1(5)
    Spoke two -- Cisco router with version 12.3
    The site-to-site VPN has been established successfully. The customer would like to telnet/SSH to the spoke's outside IP from the hub (using the hub's outside interface as the source for telnet/SSH), or vice versa. The reason for setting it up like this is that they want to be able to make configuration changes even when the site-to-site VPN is down. Sounds like an easy job to do; I tried for a long time and searched this forum and Google too, but it still does not work.
    Now I can successfully telnet/SSH to the hub SRX's outside interface from the spoke (the ASA has no telnet/SSH client; tested using the Cisco router).
    Has anyone done it before? Please share your experience. Does the Cisco ASA or router even support it?
    When I tested it, of course the site-to-site VPN was still up and running.
    Thanks
    YK

    Hello YK,
    On this case on the ASA, you should have the following:
    Configuring Management Access Over a VPN Tunnel
    If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
    To specify an interface as a management-only interface, enter the following command:
    hostname(config)# management-access management_interface
    where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
    You can define only one management-access interface.
    Also make sure you have the pertinent configuration for SSH, Telnet, ASDM and SNMP (if required). For a quick test you can enable in your lab:
    SSH
    - ssh 0 0 outside
    - aaa authentication ssh console LOCAL
    - Make sure you have a default RSA key, or create a new one either way, with this command:
        crypto key generate rsa modulus 2048
    Telnet
    - telnet 0 0 outside
    - aaa authentication telnet console LOCAL
    Afterwards, if this works, you can define the subnets that should be permitted.
    On the router:
    !--- Step 1: Configure the hostname if you have not previously done so.
    hostname Router
    !--- aaa new-model causes the local username and password on the router
    !--- to be used in the absence of other AAA statements.
    aaa new-model
    username cisco password 0 cisco
    !--- Step 2: Configure the router's DNS domain.
    ip domain-name yourdomain.com
    !--- Step 3: Generate an SSH key to be used with SSH.
    crypto key generate rsa
    ip ssh time-out 60
    ip ssh authentication-retries 3
    !--- Step 4: By default the vtys' transport is Telnet. In this case,
    !--- Telnet and SSH are supported with transport input all
    line vty 0 4
    transport input all
    !--- Instead of aaa new-model, the login local command may be used.
    no aaa new-model
    line vty 0 4
      login local
    Let me know how it works out!
    Please don't forget to Rate and mark as correct the helpful Post!
    David Castro,
    Regards,

  • Time Capsule and Cisco router

    Will Time Capsule work with a Cisco E4200 router that is connected to a WorldBook NAS?
    I do not need it to serve as a router, only as a systematic backup solution for all of the Macs on our network.  We use the NAS as a company client file store and share it internally with our staff.

    The TC can be bridged and plonked into the network with no problems.
    Decide how you will treat wireless.. you can handle it several different ways.. but completely off might be best. Or if you are buying a new AC model, then turn off the wireless in the E4200 and see if the TC works better.
    Or if you have some ethernet cabling.. place the TC in wireless dark area and set it up in roaming profile.
    That means you set the same SSID=Wireless name. Same Security WPA2 AES = WPA2 Personal. Same password. But lock channels on both devices.. make sure each is as far apart as possible.. so for example for 2.4ghz wireless set one to channel 1 and the other to channel 11. For 5ghz similarly set them sufficiently far apart that there can be no overlap.

  • OS X 10.6.8 and Cisco Router WRT110

    Just upgraded my Macbook Pro to OS X 10.6.8 and am having to reboot my Cisco router continuously to maintain internet connectivity.  Is it the 2 year old router?

    Make sure your firmware is updated for the router.

  • Vlans and cisco router

    I have a Netgear managed switch and a Cisco 1750 router. I would like to set up 2 VLANs: the first one is a WAN, with a residential cable modem connected to it; the other VLAN is for my private LAN. I will then have the Cisco router connected to one port on the switch set up as a trunk. I'm no pro, but from what I've read so far, it should work that way, right? The part I need help with is setting up the Cisco router as a gateway and DNS proxy, accepting the dynamic IP, gateway and DNS addresses from the cable modem.
    I did see this http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Getting%20Started%20with%20LANs&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1ddcef50
    router on a stick *write that down*, so my setup should work if I can figure out the router configuration. A good online tutorial or something would be helpful for this. I have plenty of Cisco books, but maybe something for dummies would help me get started before digging into the tough stuff.

    In order to set up inter vlan routing or a "router on a stick" with a netgear switch you will need a router that supports IEEE 802.1q VLAN Support.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t1/8021q.htm#28767
    On the router interface that is "trunked" to the switch you will need a configuration that looks like what I have below.
    Router(config)#interface FastEthernet0/1.1
    Router(config-subif)#encapsulation dot1Q 1 native
    Router(config-subif)#ip address 10.xx.xx.16 255.255.255.xxx
    Router(config-subif)#interface FastEthernet0/1.2
    Router(config-subif)#encapsulation dot1Q 2
    Router(config-subif)#ip address 10.xx.xx.130 255.255.255.xxx
    The sub-interface 1."2" corresponds to the vlan id on the trunk. In this case the .2 is vlan 2.
    I have attached a link that explains the intricate details of inter-VLAN routing below:
    http://www.cisco.com/warp/public/473/50.shtml
    Lastly you may want to check the Cisco IOS feature Navigator. I was looking at it and I did not see that the 1750 has IEEE 802.1q VLAN Support. It looks like the 1751 is the first platform in the 1700 series that does.

  • Site-Site VPN PIX501 and CISCO Router

    Hello Experts,
    I have a test lab at home. I configured a site-to-site VPN using a Cisco PIX501 and a Cisco 2691 router; for the configurations I just used some links on the internet because my background in VPN configuration is not very good. For the router configuration I followed this link:
    www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/867-cisco-router-site-to-site-ipsec-vpn.html
    and for the PIX configuration I just used the VPN wizard of the PIX. I did all the configurations but ping is unsuccessful. Hope you can help me with this; I don't know what needs to be done here (troubleshooting).
    Attached here are my router's configuration and topology, as well as the PIX configuration. Hope you can help me with this. Thanks in advance.

    YES! IT FINALLY WORKS NOW! Here's the updated running-config
    : Saved
    PIX Version 7.2(2)
    hostname PIX
    domain-name aida.com
    enable password 2KFQnbNIdI.2KYOU encrypted
    names
    name 172.21.1.0 network2 description n2
    interface Ethernet0
     speed 100
     duplex full
     nameif OUTSIDE
     security-level 0
     ip address 1.1.1.1 255.255.255.252
    interface Ethernet1
     nameif INSIDE
     security-level 100
     ip address 192.168.1.1 255.255.255.0
    interface Ethernet2
     shutdown
     no nameif
     no security-level
     no ip address
    interface Ethernet3
     shutdown
     no nameif
     no security-level
     no ip address
    interface Ethernet4
     shutdown
     no nameif
     no security-level
     no ip address
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    dns server-group DefaultDNS
     domain-name aida.com
    access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
    pager lines 24
    mtu OUTSIDE 1500
    mtu INSIDE 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-524.bin
    no asdm history enable
    arp timeout 14400
    global (OUTSIDE) 1 interface
    nat (INSIDE) 0 access-list nonat
    nat (INSIDE) 1 192.168.1.0 255.255.255.0
    route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    username mark password MwHKvxGV7kdXuSQG encrypted
    http server enable
    http 192.168.1.3 255.255.255.255 INSIDE
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
    crypto map MYMAP 10 set peer 2.2.2.2
    crypto map MYMAP 10 set transform-set MYSET
    crypto map MYMAP interface OUTSIDE
    crypto isakmp enable OUTSIDE
    crypto isakmp policy 1
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    tunnel-group 2.2.2.2 type ipsec-l2l
    tunnel-group 2.2.2.2 ipsec-attributes
     pre-shared-key *
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    prompt hostname context
    Cryptochecksum:8491323562e3f1a86ccd4334cd1d37f6
    : end
    ROUTER:
    R9#sh run
    Building configuration...
    Current configuration : 3313 bytes
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname R9
    boot-start-marker
    boot-end-marker
    aaa new-model
    aaa authentication login default local
    aaa authorization config-commands
    aaa authorization exec default local
    aaa session-id common
    resource policy
    memory-size iomem 5
    ip cef
    no ip domain lookup
    ip domain name aida.com
    ip ssh version 2
    crypto pki trustpoint TP-self-signed-998521732
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-998521732
     revocation-check none
     rsakeypair TP-self-signed-998521732
    crypto pki certificate chain TP-self-signed-998521732
      A75B9F04 E17B5692 35947CAC 0783AD36 A3894A64 FB6CE1AB 1E3069D3
      A818A71C 00D968FE 3AA7463D BA3B4DE8 035033D5 0CA458F3 635005C3 FB543661
      9EE305FF 63
      quit
    username mark privilege 15 secret 5 $1$BTWy$PNE9BFeWm1SiRa/PiO9Ak/
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp key cisco address 1.1.1.1 255.255.255.252
    crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
    crypto map MYMAP 10 ipsec-isakmp
     set peer 1.1.1.1
     set transform-set MYSET
     match address TO_ENCRYPT_TRAFFIC
    interface FastEthernet0/0
     ip address 2.2.2.2 255.255.255.252
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
     crypto map MYMAP
    interface FastEthernet0/1
     ip address 172.21.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    ip http server
    ip http authentication local
    ip http secure-server
    ip nat inside source list NAT_IP interface FastEthernet0/0 overload
    ip access-list extended NAT_IP
     deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
     permit ip 172.21.1.0 0.0.0.255 any
    ip access-list extended TO_ENCRYPT_TRAFFIC
     permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
    control-plane
    line con 0
     exec-timeout 0 0
     logging synchronous
    line aux 0
    line vty 0 4
     transport input ssh
    end
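    A consistency check for the pair of configurations above, as an added example (it is not the poster's code, nor Cisco's). It parses the crypto and NAT lines from the two running-configs and reports whether each setting the two peers must agree on actually matches: peer addresses, the ISAKMP (phase 1) policy, the IPsec transform set, mirror-image crypto ACLs and the NAT exemption on each side. Those are the items a mismatch of which keeps phase 1 or phase 2 from completing, which is why the pair below works. The only assumptions beyond the posted configs are the one-space show-run indentation of sub-commands and that the IOS policy uses the default SHA hash because no `hash` line is present.

```python
"""Consistency check for the PIX 7.x / IOS 12.4 site-to-site IPsec pair above.
Added example, not from the thread: parses trimmed copies of the two configs the
poster shared and checks each setting the peers must agree on (peer addresses,
ISAKMP policy, transform set, mirrored crypto ACLs, NAT exemption)."""
import ipaddress
import re

# Crypto/NAT lines from the PIX config posted in the thread (trimmed excerpt).
PIX_CFG = """\
name 172.21.1.0 network2 description n2
interface Ethernet0
 ip address 1.1.1.1 255.255.255.252
access-list TO_ENCRYPT_TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 network2 255.255.255.0
nat (INSIDE) 0 access-list nonat
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 match address TO_ENCRYPT_TRAFFIC
crypto map MYMAP 10 set peer 2.2.2.2
crypto map MYMAP 10 set transform-set MYSET
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
"""
# Crypto/NAT lines from the router config posted in the thread (trimmed excerpt).
IOS_CFG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set MYSET esp-3des esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set MYSET
 match address TO_ENCRYPT_TRAFFIC
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.252
ip nat inside source list NAT_IP interface FastEthernet0/0 overload
ip access-list extended NAT_IP
 deny   ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 172.21.1.0 0.0.0.255 any
ip access-list extended TO_ENCRYPT_TRAFFIC
 permit ip 172.21.1.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def block(cfg, header):
    """Indented sub-command lines that follow the given top-level config line."""
    m = re.search(rf"^{re.escape(header)}\n((?: .*\n)+)", cfg, re.M)
    return m.group(1) if m else ""
def first(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None
def net(addr, mask, wildcard=False):
    """IPv4 network from address + netmask (PIX) or address + wildcard mask (IOS)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pix_acl(cfg, name):
    """(src, dst) network pairs of a PIX extended ACL, resolving 'name' objects."""
    names = {n: ip for ip, n in re.findall(r"^name (\S+) (\S+)", cfg, re.M)}
    rows = re.findall(rf"^access-list {name} extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg, re.M)
    return {(net(names.get(s, s), sm), net(names.get(d, d), dm)) for s, sm, d, dm in rows}
def ios_acl(cfg, name, action):
    """(src, dst) pairs of an IOS named extended ACL for one action; 'any' entries are skipped."""
    body = block(cfg, f"ip access-list extended {name}")
    rows = re.findall(rf"^ {action}\s+ip (\S+) (\S+) (\S+) (\S+)$", body, re.M)
    return {(net(s, sw, True), net(d, dw, True)) for s, sw, d, dw in rows}

def isakmp_policy(cfg):
    """Phase-1 parameters; IOS 'encr' becomes 'encryption' and IOS defaults 'hash' to sha."""
    policy = {"hash": "sha"}
    for key, value in (ln.split()[:2] for ln in block(cfg, first(r"^(crypto isakmp policy \d+)", cfg)).splitlines()):
        policy["encryption" if key == "encr" else key] = value
    return policy

def transform_sets(cfg):
    """Transform-set name -> tuple of transforms."""
    return {n: tuple(t.split()) for n, t in re.findall(r"^crypto ipsec transform-set (\S+) (.+)$", cfg, re.M)}

def check_pair(pix, ios):
    """Map each must-agree setting to True (matches) or False (mismatch)."""
    ios_map = block(ios, first(r"^(crypto map \S+ \d+ ipsec-isakmp)", ios))
    pix_pairs = pix_acl(pix, first(r"^crypto map \S+ \d+ match address (\S+)", pix))
    ios_pairs = ios_acl(ios, first(r"match address (\S+)", ios_map), "permit")
    pix_ts = transform_sets(pix).get(first(r"^crypto map \S+ \d+ set transform-set (\S+)", pix))
    ios_ts = transform_sets(ios).get(first(r"set transform-set (\S+)", ios_map))
    return {
        "peers_match": first(r"^crypto map \S+ \d+ set peer (\S+)", pix)
        == first(r"ip address (\S+)", block(ios, "interface FastEthernet0/0"))
        and first(r"set peer (\S+)", ios_map)
        == first(r"ip address (\S+)", block(pix, "interface Ethernet0")),
        "isakmp_policy_match": isakmp_policy(pix) == isakmp_policy(ios),
        "transform_set_match": pix_ts is not None and pix_ts == ios_ts,
        "crypto_acls_mirrored": {(d, s) for s, d in ios_pairs} == pix_pairs,
        "pix_nat_exempt": pix_acl(pix, first(r"^nat \(\S+\) 0 access-list (\S+)", pix)) == pix_pairs,
        "ios_nat_exempt": ios_acl(ios, first(r"^ip nat inside source list (\S+)", ios), "deny") == ios_pairs,
    }
```

    Running `check_pair(PIX_CFG, IOS_CFG)` returns True for all six checks on the posted pair; flipping the destination network in the router's TO_ENCRYPT_TRAFFIC entry makes both `crypto_acls_mirrored` and `ios_nat_exempt` fail, which is the classic "phase 1 up, no traffic" configuration error.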

  • Time Capsule and Linksys Router Issues

    The internet cable is connected to the WAN port and the Time Capsule is connected to one of the ports of the Linksys router. I can successfully back up my MacPro and use the internet for Mail and Safari.
    I want to take advantage of the high-speed Ethernet performance of the Time Capsule. However, I don't know if the Time Capsule is really faster than my Linksys router. Where do I get this information? I suspect the Time Capsule is much faster because I just purchased the Time Capsule. The router is at least 5 years old.
    In spite of my concern about the speeds of the Time Capsule and Linksys router, I tried to attach the Time Capsule as recommended by Apple for a "first time set up." It failed. The Time Capsule, using the AirPort Utility, cannot make a network connection. I re-established the devices as given in paragraph one. WiFi runs again.

    Ethernet speed on your local network is determined by the slowest connected device, which most likely will be the Linksys router or your computer.

  • VLAN problems with SG200-8P and Cisco ASA 5505 (Sec Plus license)

    Hi, I've been pulling my hair out trying to get simple VLAN trunking working between these devices.
    Basically, no clients on VLAN 99 (guest) will receive DHCP IP addresses when plugged into the SG200. I have the SG200<>ASA VLAN trunk configured correctly, as far as I know, and I've tried numerous variations (set trunk as general tagged/untagged, etc., set the AP port to general tagged/untagged, etc.). Both APs work properly when connected to the ASA e0/3 port, but either will only pull the "inside" VLAN DHCP address when connected to the SG200 switch.
    VLAN 1 - inside (has separate dhcp scope assigned by ASA)
    VLAN 99 - guest (has separate dhcp scope assigned by ASA)
    SG200 port / configuration / purpose:
      g2 - Trunk 1UP,99T - Ubiquiti AP (VLAN 1 works, VLAN 99 does not)
      g3 - Access port 99T - VLAN 99 does not work
      g8 - Trunk 1UP, 99T - < Trunk between switch and ASA >
    ASA 5505 (Sec Plus license) port / configuration / purpose:
      Int e0/2 - switchport trunk allowed vlan 1,99; switchport trunk native vlan 1; switchport mode trunk
      Int e0/3 - switchport trunk allowed vlan 1,99; switchport trunk native vlan 1; switchport mode trunk - Second Ubiquiti AP: both VLAN 1 and VLAN 99 clients work properly

    Frustrated - yes. Confused - maybe not as much, but I could have put some more effort into the overall picture.
    There are two VLANs (1 - native) and (99 - guest). There is a trunk port between the SG200 and the ASA configured as 1-untagged, 99-tagged.
    No clients connected to the SG200 on VLAN 99 are able to access the ASA VLAN 99 using either a static VLAN IP address or DHCP. The problem occurs whether I configure the SG200 with an access port 99-tagged, or a trunk port 1UP, 99T, or a general port 1U, 99UP, or any combination thereof.
    Anything connected to the SG200 on the native VLAN works properly.
    Anything connected to the ASA VLANs (1 or 99) works properly
    I have not yet tried to see what the switch is doing with the VLAN tags but I suspect I have some mismatch with the Linksys/Cisco SG200 way of setting up a VLAN and how traditional Cisco switches work.
    I was hoping someone with a working SG200 - Cisco ASA setup could share their port/trunk/VLAN settings or perhaps point me in the right direction.
    SG200 g2 - trunk port (1UP, 99T) -- Access Point
    SG200 g2 - access port (99U)
    SG200 g8 - trunk port (1UP, 99T) connected to ASA5505 e0/3
    ASA5505 e0/3 (switchport trunk allowed vlan 1,99, switchport trunk native vlan 1, switchport mode trunk)
    Thanks,
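    To reason about what the "1UP, 99T" style settings above should do to each frame, here is a small 802.1Q ingress/egress model as an added example (not the poster's code, and not Cisco's). The rules are the generic IEEE 802.1Q ones, assumed here to be what the SG200 port modes and the ASA trunk implement: an untagged frame is classified into the port's PVID, a tagged frame is accepted only if the port admits tags and is a member of that VLAN, and on egress a VLAN leaves tagged or untagged according to the port's membership type. The frames and MAC addresses are constructed; `G2`, `G3` and `G8` mirror the poster's port layout.

```python
"""802.1Q ingress/egress model for the access and trunk port modes discussed above.
Added example, not the poster's code or Cisco's: the rules are the generic IEEE
802.1Q ones and are assumed to be what the SG200 and ASA switch ports implement.
Untagged frames take the port's PVID; tagged frames pass only if the port admits
tags and is a member of that VLAN; on egress a VLAN leaves tagged or untagged
according to the port's membership type ("T" versus "U"/"UP")."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                  # VLAN given to untagged (or priority-tagged) ingress frames
    untagged: frozenset        # VLANs that leave this port without a tag
    tagged: frozenset          # VLANs that leave this port with a tag
    admit_tagged: bool = True  # access ports accept untagged frames only


def trunk(name, native, tagged):
    """Trunk as the poster writes it, e.g. '1UP, 99T': native VLAN untagged + PVID, others tagged."""
    return Port(name, native, frozenset({native}), frozenset(tagged))


def access(name, vlan):
    """Access port: one untagged VLAN, tagged ingress frames dropped."""
    return Port(name, vlan, frozenset({vlan}), frozenset(), admit_tagged=False)


def parse_vlan(raw):
    """VLAN id carried in a raw Ethernet frame's 802.1Q tag, or None if untagged."""
    if struct.unpack("!H", raw[12:14])[0] != 0x8100:
        return None
    tci = struct.unpack("!H", raw[14:16])[0]
    return tci & 0x0FFF        # low 12 bits; 0 means priority-tagged, no VLAN


def ingress_vlan(port, raw):
    """VLAN the bridge assigns to a received frame, or None if the frame is dropped."""
    vid = parse_vlan(raw)
    if not vid:                # untagged or priority-tagged: classify by PVID
        return port.pvid
    if not port.admit_tagged or vid not in port.untagged | port.tagged:
        return None
    return vid


def egress(port, vid):
    """'tagged', 'untagged', or None if the port is not a member of vid."""
    if vid in port.tagged:
        return "tagged"
    return "untagged" if vid in port.untagged else None


def forward(in_port, raw, out_port):
    """(vlan, egress form) for a frame crossing the switch, or None if it is dropped."""
    vid = ingress_vlan(in_port, raw)
    form = None if vid is None else egress(out_port, vid)
    return None if form is None else (vid, form)


def frame(vid=None, payload=b"\x00" * 46):
    """Constructed Ethernet frame (broadcast dst, made-up src), 802.1Q-tagged with vid if given."""
    hdr = bytes.fromhex("ffffffffffff" "0200deadbeef")
    if vid is not None:
        hdr += struct.pack("!HH", 0x8100, vid & 0x0FFF)   # PCP and DEI bits zero
    return hdr + struct.pack("!H", 0x0800) + payload


# The poster's layout: g2 and g8 as trunks "1UP, 99T", g3 as an access port in VLAN 99.
G2 = trunk("g2", native=1, tagged={99})   # first Ubiquiti AP
G3 = access("g3", 99)                     # client that should land in the guest VLAN
G8 = trunk("g8", native=1, tagged={99})   # uplink to the ASA trunk, native vlan 1

if __name__ == "__main__":
    cases = [(G2, frame(), "untagged from AP on g2"), (G2, frame(99), "tagged 99 from AP on g2"),
             (G3, frame(), "untagged client on access port g3"), (G3, frame(99), "tagged 99 on g3"),
             (G8, frame(), "untagged from ASA on g8 -> g3")]
    for src, f, label in cases:
        dst = G3 if src is G8 else G8
        print(f"{label:36s} -> {forward(src, f, dst)}")
```

    Under these rules a tagged-99 frame from the AP on g2, and an untagged frame from a client on g3, both leave g8 towards the ASA tagged with VLAN 99, while the ASA's untagged native-VLAN traffic never reaches g3. The model therefore says the configuration as described should work, which is what makes the poster's untried step, a capture on the ASA side to see which tags actually arrive, the useful next check: whatever differs from the model's prediction is where the switch's real port mode diverges from the intended one.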

  • F3507g mobile broadband driver - Windows 7 - and Cisco Vpn issue

    Hi All,
    After 3 days of trying to install/update the latest drivers on my X200 / Windows 7 / 32-bit, it seems that my F3507g is now installed correctly…
    I can get a connection over the internet and ping some servers, BUT when I initiate my Cisco VPN (working perfectly with my Ethernet connection and my WiFi 5300 AGN) the connection is OK but there is no incoming or outgoing traffic!!!
    Any idea on how to solve that issue?

    Yes, this is a problem with the IPsec VPN NDIS driver binding to your Mobile Broadband driver. You need to read this article; it explains why and how to work around this issue:
    http://www.customsoftwareframeworks.com/blog/fix-vpn-problems-cellular-win7
    Good luck
