SG300-28P remote access

Hello,
How does one remotely access a SG300-28P?
Thanks, Pete

Pete,
Of course you will need to have a default gateway (many people forget) and open a port through your router (as Marty suggested) for inbound connections to the switch.
Hope this helps,
Jasbryan

Similar Messages

  • SG300-28P and aironet access points

    Dear support,
    does Cisco SG300-28P provide enough PoE to power access points 1550 and 1600?
    Thank you

    Hi Mireille, it should. The 1550 is 802.3af compliant.
    The 1600 may be interesting because it can actually draw up to 15.4 watts of power and you may run into limitations of cable. It is also 802.3af compliant.
    -Tom
    Please mark answered for helpful posts

  • Problems accessing SG300-28P

    I have a new SG300-28P, I am unable to connect. After logging in the switch stops at 70% Processing Date. I have tried Chrome, IE, and Firefox.
    I am not sure of the firmware ver. I do not want to reset to the factory default because there is no backup and I am not sure of the configuration.

    Hi Tony, this is going to be purely an issue with the computer/browser, etc.
    I'd recommend swapping to a different computer or fully updating the one you're using, including the latest Java.
    -Tom
    Please mark answered for helpful posts

  • SG300-28P - POE not correctly supported on all ports - possible firmware or hardware issue

    So, I spent some time this weekend troubleshooting the issues I've had  with the new SG300-28P switch and POE to many of my devices in the  office.  As a recap, I cannot utilize all of the 24 POE ports on the switch  for POE purposes.  Really only every other port [with a few odd  combinations thrown in between]. In addition, the SG300-28P switch, on occasion, is sending POE to non-POE devices [e.g. my Ruckus Zone Director 1106].
    Here are my POE devices [all 802.3 af-compliant]:
    3 Ruckus 7982 access points
    1 Pakedge access point
    2 home-automation controllers
    2 Polycom voip phones
    I called Cisco support several times in regards to this problem, and they figured it was a hardware issue - a faulty switch.  So, Cisco sent me a replacement SG300-28P, which I  hooked up today.  The exact problem still occurs.  Default configuration  [fresh out of the box].  No way I can land, for example, the 3 Ruckus  7982 AP's on ports 1, 2, and 3 [or ports 1,13, and 2].  I have to put  them on ports 1, 3, and 5 in order for them to power up.  In addition, I  can't plug any other POE devices on the ports either between or below  them.   I had to skip another port bay.  This is very odd behavior!!   Two Cisco SG300-28P's in a row with the same problem.
    However, I also had one of the new Cisco SG300-10P switches in my  possession for a recent project of ours.  I decided to hook up the same  POE devices to this switch.  ALL POE devices were recognized and  worked!  No need to skip a port.  And it didn't matter what device was  plugged in first or not.  I am now convinced that it is either a  hardware issue [bad power supply/transformer?] inside all of the  SG300-28P switches, or a firmware issue. 
    Both of the SG300-28P switches were running firmware 1.1.2 [the  latest on Cisco's website].  So, I decided to install an older firmware  version on the SG300-28P switch that I'm returning [installed 1.1.1.8].   Here's what I found out.  I could then plug 2 POE devices [e.g. two  Ruckus AP's] in adjacent horizontal ports, but not three in a row.  In  addition, not all adjacent ports.  It's funky. For example, I could plug  an access point in ports 20 and 21, but not in 21 and 22.  No rhyme or  reason in how it worked.  And I still couldn't plug an access point in  adjacent vertical ports [e.g. ports 1 and 13].  BUT...
    It's interesting that the same exact switch that would not initially  allow 2 horizontally-adjacent POE ports to be utilized WOULD allow 2  horizontally-adjacent POE ports to be utilized when running a different  firmware version.   It's also interesting to note that when plugged into  a "non-working" POE  port, the SG300-28P would actually make a small whining noise.  Very  subtle noise; I could hear it when approx. 1ft away from the switch.   The noise was not noticeable when ports were skipped [and POE actually  worked].  Therefore, I believe that Cisco has some SG300-28P firmware  bugs [at least in the last two versions of firmware] that is not truly  allowing all 24 ports to utilize POE correctly.  This problem does not  exist with the SG300-10P switch.
    I'm really interested to hear what Cisco's reply and findings on this  matter would be.  And would welcome a reply from one of their senior  support team members/managers who could actually experiment with this,  too.   In addition, I'd like to know when they think a solution could be  created if it's firmware-related.  If hardware-related, I don't think  I'll be recommending any 28P switches in our projects.  Perhaps just the  regular SG300-28 with a separate SG300-10P.  It's a shame because the  SG300-28P is more of a bargain when compared to the two separate  components.

    show power inline
    Port based power-limit mode
    Unit  Power  Nominal Power   Consumed Power   Usage Threshold   Traps  
    1     On      180 Watts     13 Watts (7%)          95         Disable 
      Port      Powered Device         State          Status    Priority   Class  
      gi1                               Auto            On      critical  class0  
      gi2                              Never           Off        low     class0  
      gi3                               Auto        Searching   critical  class0  
      gi4                              Never           Off        low     class0  
      gi5                               Auto            On      critical  class0  
      gi6                              Never           Off        low     class0  
      gi7                               Auto            On      critical  class2  
      gi8                               Auto        Searching     low     class0  
      gi9                               Auto        Searching     low     class0  
      gi10                              Auto        Searching     low     class0  
      gi11                              Auto        Searching     low     class0  
      gi12                             Never           Off        low     class0  
      gi13                             Never           Off        low     class0  
      gi14                             Never           Off        low     class0  
      gi15                             Never           Off        low     class0  
      gi16                             Never           Off        low     class0  
      gi17                             Never           Off        low     class0  
      gi18                             Never           Off        low     class0  
      gi19                             Never           Off        low     class0  
      gi20                              Auto        Searching     low     class0  
      gi21                             Never           Off        low     class0  
      gi22                              Auto        Searching     low     class0  
      gi23                              Auto        Searching     low     class0  
      gi24                              Auto        Searching     low     class0  
    show power inline gigabitethernet xx (for each device plugged in)
      Port      Powered Device         State          Status    Priority   Class  
      gi1                               Auto            On      critical  class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is on - valid resistor detected
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            3
    Invalid Signature Counter: 17583
      Port      Powered Device         State          Status    Priority   Class  
      gi2                              Never           Off        low     class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is off - user setting
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            0
    Invalid Signature Counter: 0
      Port      Powered Device         State          Status    Priority   Class  
      gi3                               Auto        Searching   critical  class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is off - detection is in process
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            2
    Invalid Signature Counter: 1
    Port      Powered Device         State          Status    Priority   Class  
      gi4                              Never           Off        low     class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is off - user setting
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            0
    Invalid Signature Counter: 0
    Port      Powered Device         State          Status    Priority   Class  
      gi5                               Auto            On      critical  class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is on - valid resistor detected
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            0
    Invalid Signature Counter: 0
      Port      Powered Device         State          Status    Priority   Class  
      gi7                               Auto            On      critical  class2  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is on - valid resistor detected
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            0
    Invalid Signature Counter: 0
      Port      Powered Device         State          Status    Priority   Class  
      gi13                             Never           Off        low     class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is off - user setting
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            1
    Invalid Signature Counter: 0
      Port      Powered Device         State          Status    Priority   Class  
      gi14                             Never           Off        low     class0  
    Power limit (for port power-limit mode): 15.400W
    Port Status:               Port is off - user setting
    Overload Counter:          0
    Short Counter:             0
    Denied Counter:            0
    Absent Counter:            0
    Invalid Signature Counter: 0
    show interfaces advertise gigabitethernet xx (for what ports are of interest)
    Port: gi9      
    Type: 1G-Copper
    Link state: Down
    Auto negotiation: Enabled
                                      1000f  1000h  100f  100h  10f  10h
    Admin Local link Advertisement    yes    no     yes   yes   yes  yes 
    Oper Local link Advertisement     -      -      -     -     -    - 
    Oper Remote link Advertisement    -      -      -     -     -    - 
    Priority Resolution               -      -      -     -     -    - 
    Port: gi10     
    Type: 1G-Copper
    Link state: Down
    Auto negotiation: Enabled
                                      1000f  1000h  100f  100h  10f  10h
    Admin Local link Advertisement    yes    no     yes   yes   yes  yes 
    Oper Local link Advertisement     -      -      -     -     -    - 
    Oper Remote link Advertisement    -      -      -     -     -    - 
    Priority Resolution               -      -      -     -     -    -
    Port: gi11     
    Type: 1G-Copper
    Link state: Down
    Auto negotiation: Enabled
                                      1000f  1000h  100f  100h  10f  10h
    Admin Local link Advertisement    yes    no     yes   yes   yes  yes 
    Oper Local link Advertisement     -      -      -     -     -    - 
    Oper Remote link Advertisement    -      -      -     -     -    - 
    Priority Resolution               -      -      -     -     -    -
    Port: gi21     
    Type: 1G-Copper
    Link state: Down
    Auto negotiation: Enabled
                                      1000f  1000h  100f  100h  10f  10h
    Admin Local link Advertisement    yes    no     yes   yes   yes  yes 
    Oper Local link Advertisement     -      -      -     -     -    - 
    Oper Remote link Advertisement    -      -      -     -     -    - 
    Priority Resolution               -      -      -     -     -    -
    Port: gi22     
    Type: 1G-Copper
    Link state: Down
    Auto negotiation: Enabled
                                      1000f  1000h  100f  100h  10f  10h
    Admin Local link Advertisement    yes    no     yes   yes   yes  yes 
    Oper Local link Advertisement     -      -      -     -     -    - 
    Oper Remote link Advertisement    -      -      -     -     -    - 
    Priority Resolution               -      -      -     -     -    - 
    Port: gi23     
    Type: 1G-Copper
    Link state: Down
    Auto negotiation: Enabled
                                      1000f  1000h  100f  100h  10f  10h
    Admin Local link Advertisement    yes    no     yes   yes   yes  yes 
    Oper Local link Advertisement     -      -      -     -     -    - 
    Oper Remote link Advertisement    -      -      -     -     -    - 
    Priority Resolution               -      -      -     -     -    - 
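The per-port `show power inline` records above are easier to compare once parsed. The following is an added example, not part of the original post and not Cisco tooling: the gi1 to gi3 records are copied from the output above, the gi23 row with a pager prompt fused into it is constructed, and the `sig_threshold` value is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# gi1-gi3 are copied from the output above; the gi23 row (pager prompt fused
# into the line) is constructed in the same shape as the summary table.
SAMPLE = """\
  Port      Powered Device         State          Status    Priority   Class
  gi1                               Auto            On      critical  class0
Power limit (for port power-limit mode): 15.400W
Port Status:               Port is on - valid resistor detected
Overload Counter:          0
Short Counter:             0
Denied Counter:            0
Absent Counter:            3
Invalid Signature Counter: 17583
  Port      Powered Device         State          Status    Priority   Class
  gi2                              Never           Off        low     class0
Power limit (for port power-limit mode): 15.400W
Port Status:               Port is off - user setting
Overload Counter:          0
Short Counter:             0
Denied Counter:            0
Absent Counter:            0
Invalid Signature Counter: 0
  Port      Powered Device         State          Status    Priority   Class
  gi3                               Auto        Searching   critical  class0
Power limit (for port power-limit mode): 15.400W
Port Status:               Port is off - detection is in process
Overload Counter:          0
Short Counter:             0
Denied Counter:            0
Absent Counter:            2
Invalid Signature Counter: 1
More: ,  Quit: q or CTRL+Z, One line:      gi23      Auto   Searching   low   class0
"""

# A data row is "giN" followed by columns; search() tolerates a pager prompt
# printed in front of the row.
PORT_ROW = re.compile(r"(?:^|\s)(gi\d+)\s+(\S.*?)\s*$")
COUNTER = re.compile(r"^\s*(.+?) Counter:\s*(\d+)\s*$")
PORT_STATUS = re.compile(r"^\s*Port Status:\s*(.+?)\s*$")
POWER_LIMIT = re.compile(r"^\s*Power limit.*:\s*([\d.]+)W\s*$")


@dataclass
class PortPoe:
    port: str
    device: str          # "Powered Device" column, often empty
    state: str           # administrative setting: Auto / Never
    status: str          # operational: On / Off / Searching
    priority: str
    poe_class: str
    limit_w: Optional[float] = None
    detail: str = ""
    counters: dict = field(default_factory=dict)


def parse_poe(text):
    """Parse summary rows and per-port detail records into PortPoe objects."""
    ports, cur = [], None
    for line in text.splitlines():
        row = PORT_ROW.search(line)
        if row:
            cols = row.group(2).split()
            if len(cols) < 4:
                continue  # not a table row
            *device, state, status, priority, poe_class = cols
            cur = PortPoe(row.group(1), " ".join(device), state, status,
                          priority, poe_class)
            ports.append(cur)
            continue
        if cur is None:
            continue
        if (m := COUNTER.match(line)):
            cur.counters[m.group(1)] = int(m.group(2))
        elif (m := PORT_STATUS.match(line)):
            cur.detail = m.group(1)
        elif (m := POWER_LIMIT.match(line)):
            cur.limit_w = float(m.group(1))
    return ports


def findings(ports, sig_threshold=100):
    """Return (port, reason) pairs worth a closer look.

    sig_threshold is an assumed cut-off, not a vendor-documented value.
    """
    out = []
    for p in ports:
        if p.state == "Auto" and p.status != "On":
            out.append((p.port, f"PoE enabled but not delivering power (status {p.status})"))
        sig = p.counters.get("Invalid Signature", 0)
        if sig >= sig_threshold:
            out.append((p.port, f"{sig} invalid-signature detections"))
        for name in ("Overload", "Short", "Denied"):
            if p.counters.get(name, 0):
                out.append((p.port, f"{name.lower()} counter is {p.counters[name]}"))
    return out


if __name__ == "__main__":
    for port, reason in findings(parse_poe(SAMPLE)):
        print(f"{port}: {reason}")
```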

  • SG300-28P: System LED not on. everything else working.

    Hi Everyone,
    Nice to meet you all.
    I received a used SG300-28P today and immediately I found its System LED never lights. I upgraded the firmware to the latest but it did not make any difference. So far I have configured the switch for my environment and everything is working fine including VLAN, L3 routing and PoE works on all ports.
    I am puzzled, not sure what's wrong with it. In the System Summary of the Web GUI it indicates the System LED is constantly on. But the physical one is just dead (never lights, including boot).
    I hope it's just the LED itself; the switch is definitely out of warranty. What diagnostics can I run myself to understand it?
    Thanks,
    Mark

    Hello Siming,
    If everything is working properly on the switch, then you shouldn't be worried about the system led. The system led itself is simply not working.
    This is the information you need to know about the system led:
    Off - If the system led is off, it means the switch is not powered on (which in your case is false, since you told us the switch is working as it should, so that means you have a faulty led)
    Green - If the system led is green, it means the switch is working normally. If the system led is green and it flashes constantly, it means the switch is using the factory default IP address (192.168.1.254) to access the switch. If it is solid green, it means that the switch has either an IP assigned via DHCP, or statically by the administrator.
    Amber - If the system led is amber, it means there is a problem with the switch
    As you can see, you won't be able to get information about the system led when it is green or amber, since it is not working.
    I would suggest that you properly configure system logs on the switch, constantly perform backups of the running/startup configuration, and keep track of which IP address you are using to access the switch GUI/CLI; that way, if you forget your IP address, or if there is a problem with the switch, you know where to find the correct information.
    Please let us know if you have further questions.
    Alejandro Moncada
    SBCD Engineer

  • Securing SG300 28P PoE Switch.

    Greetings, I would like to start by apologizing. I have absolutely no knowledge in switch security management but I've been tasked with it given the shortage of personnel. I have a SG300-28P-PoE switch that needs to be securely configured. I've done the basics of upgrading the firmware to the latest. Given my lack of any experience whatsoever, please include complete procedures (hand holding, I'm sorry).
    I wanted step-by-step guidance of:
    1. Locking down ports by MAC address.
    2. DDoS protection.
    3. Lock down login from all but 1 IP and only allow browser based SSL login. No TELNET, SSH or other method.
    4. Shutting down any services on the switch.
    Any other recommended security steps to secure the switch.
    Thanking in advance,
    Parth

    Hello Parth,
    Thank you for using the Cisco Small Business forums. I am a eContent developer and part of the Small Business Support Community.
    Looking over the questions that you've asked, I found a few articles that might help you with the configuration changes you'd like to make:
    As Brandon mentioned, the Knowledge Base contains many documents with step-by-step procedures and screenshots for common tasks. Port-security is an excellent solution for the first problem. You can configure ports to lock down when a MAC address is changed:
    Port Security
    The SG300 security suite has many options for protecting against DDOS attacks:
    DDOS
    In regards to disabling/enabling services and restricting access to the web console, this article provides some guidance (uncheck the services that you do not wish to use-- in relation to your question, uncheck all except HTTPS):
    Enabling SSH/Telnet/HTTP
    I hope that these articles help to answer your question. Please remember to mark this question as answered and rate it if it helps to address your issue so other users can benefit from it, and feel free to ask any further questions you might have!
    Best,
    Gunner Grim
    Cisco eContent Developer

  • VLAN communication between 2 SG300-28P using one LAG

    Hi,
    I have 2 SG300-28P without a router used for back-end network usage.
    The switches are configured in L2.
    I would like to configure on both switches:
    The default VLAN with Id 90
    One VLAN with Id 80 to access the databases
    One VLAN with Id 70 to access the backup server
    One aggregate with ports 25/26/27/28
    Ports 1 to 8, 13 to 20 with VLAN 80 (90UP/80T)
    Ports 9 to 12, 21 to 24 with VLAN 70 (70UP)
    Computers connecting in VLAN 70 will only talk to VLAN 70.
    I would like to use the access mode for ports in VLAN 70.
    Computers connecting in VLAN 80 will only talk to VLAN 80.
    It seems that the servers on VLAN 80 on switch 1 can communicate with servers on VLAN 80 on switch 2.
    My problem is that the servers on VLAN 70 on switch 1 don't access the servers on VLAN 70 on switch 2.
    I suppose that this is due to the LAG 25/26/27/28 configured 90UP.
    Any idea to resolve this problem?

    The LAG is like any other link. It is configurable. You should be able to log the cli
    config t
    int po1
    switchport mode trunk
    switchport trunk native vlan 90
    switchport trunk allowed vlan add 70,80
    -Tom
    Please rate helpful posts

  • SG300-28P Multicast (IGMP) and IGMP routing..

    A brief background on the setup:
    I recently switched out my switch.  It was a Cisco 3750 10/100 switch and I wanted to upgrade to Gig.  The cost of a Gig+POE 3750 is too much to bite so I opted for the SG300.  My router is a Cisco 891.  Here is the setup:
    Cisco 891:
    two SVI's: vlan1 and vlan 100
    Vlan1 = 10.0.1.1/24
    Vlan100 = 10.0.100.2/24
    Connected to SG300 via Fa0
    DHCP Server for vlan1+vlan100
    Cisco SG300-28P:
    two SVI's: vlan 1 and vlan 100
    vlan 1 = 10.0.1.21/24
    vlan 100 = 10.0.100.1/24
    Connected to 891 via Gi18
    The connection between 891 and SG300 = trunk, vlan1-u, vlan100-t
    The problem:
    With the 891+3750, I was able to add "ip pim sparse-dense-mode" on all the SVI's and hosts could join any multicast group, irregardless of which vlan the host was a member of.
    Now I've changed switches, and I don't get the same love.  I have the PIM statement on both SVI's on the 891, but I'm unsure of what I need to configure on the SG300.  I have enabled "Bridge multicast filtering" + "IGMP snooping".  What can I do to get similar functionality using the SG300 + 891?  I assume this is my lack of understanding IGMP in general, but was able to get away with it using the PIM statements on the 891+3750 stack.
    Jeff

    You should be able to filter unregistered multicast on every port.
    To be able to pass multicast over subnets two things must be certain, the node/device is able to send and receive multicast packets but also register the multicast address being listened to by the node so the local and remote routers can route the multicast packets.
    When the switch learns a multicast address through IGMP snooping, this is a registered multicast. The switch will only forward multicast to ports that are registered to the multicast group. Where unregistered multicast comes in, is the multicast that is not statically defined or learned through IGMP which in turn will be forwarded to all ports of the vlan.
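The registered/unregistered distinction in the reply above can be shown with a small model of the forwarding decision inside one VLAN. This is an added example, not part of the original thread and not the switch's implementation: the class, the port list and the group addresses are constructed, and routing between VLANs (the PIM side on the 891) is deliberately left out.

```python
from collections import defaultdict


class SnoopingSwitch:
    """Simplified model of multicast forwarding with IGMP snooping enabled."""

    def __init__(self, vlan_ports):
        # vlan id -> set of member ports
        self.vlan_ports = {v: set(p) for v, p in vlan_ports.items()}
        # (vlan, group) -> ports that sent an IGMP report for the group
        self.members = defaultdict(set)
        # ports configured to drop unregistered multicast
        self.filter_unregistered = set()

    def _check(self, vlan, port):
        if port not in self.vlan_ports.get(vlan, ()):
            raise ValueError(f"{port} is not a member of VLAN {vlan}")

    def igmp_report(self, vlan, port, group):
        """A host on `port` joined `group`: the group becomes registered."""
        self._check(vlan, port)
        self.members[(vlan, group)].add(port)

    def igmp_leave(self, vlan, port, group):
        """Last leave removes the entry, so the group is unregistered again."""
        self._check(vlan, port)
        key = (vlan, group)
        self.members[key].discard(port)
        if not self.members[key]:
            del self.members[key]

    def is_registered(self, vlan, group):
        return bool(self.members.get((vlan, group)))

    def egress_ports(self, vlan, ingress, group):
        """Ports a multicast frame for `group` leaves on."""
        self._check(vlan, ingress)
        if self.is_registered(vlan, group):
            # Registered: only ports that asked for the group.
            out = set(self.members[(vlan, group)])
        else:
            # Unregistered: flooded to the whole VLAN, minus filtering ports.
            out = self.vlan_ports[vlan] - self.filter_unregistered
        out.discard(ingress)  # never send a frame back where it came from
        return sorted(out)


def demo():
    # Constructed topology: three host ports and the gi18 uplink in VLAN 100.
    sw = SnoopingSwitch({100: ["gi1", "gi2", "gi3", "gi18"]})
    results = {}
    results["flooded"] = sw.egress_ports(100, "gi18", "239.1.1.1")
    sw.igmp_report(100, "gi2", "239.1.1.1")
    results["registered"] = sw.egress_ports(100, "gi18", "239.1.1.1")
    sw.filter_unregistered.add("gi3")
    results["filtered"] = sw.egress_ports(100, "gi18", "239.2.2.2")
    sw.igmp_leave(100, "gi2", "239.1.1.1")
    results["after_leave"] = sw.egress_ports(100, "gi18", "239.1.1.1")
    return results


if __name__ == "__main__":
    for step, ports in demo().items():
        print(f"{step:12} -> {ports}")
```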

  • Problems accessing SG300-28P via management interface

    I have a new SG300-28P, and have had occasional issues with being unable to connect to it via anything other than the serial port.  I have connectivity between my machine and the switch (tested with ping each way), and in fact, have the same problem if I take a laptop to the switch and connect them directly.
    What happens is that though the switch is operating normally, http, https, ssh and telnet attempts to access all fail in one way or another.  Ssh and telnet either yields no response or a refused connection (even though those services are enabled).  For http and https, I'll occasionally get enough of the web page to be able to tell what it is ... but attempts to log in just don't work.
    While this is happening, the CPU and packet load on the switch is very, very low.
    Rebooting didn't help entirely, though it may have made it better.  Resetting to factory defaults and then reconfiguring makes it work.
    This is using the latest firmware: 1.2.7.76.
    Searching the web for this sort of failure doesn't yield any results -- maybe I'm the only one to see this?
    I don't know what else I can do to diagnose ..... I've got it working without trouble now...

    I have this problem too.  It seems to have started from either when I upgraded to the latest firmware and/or changed the management interface from the default (vlan 1) to vlan 11.  It will stay up and pinging for anywhere from a few minutes to 3 hours, then I lose all connectivity until I reboot the device.
    switch5782a5#show inventory
    NAME: "1"   DESCR: "SG300-10P 10-Port Gigabit PoE Managed Switch"  
    PID: SRW2008P-K9   VID: V01   SN: PSJ1522063N  
    switch5782a5#sh ver
    SW version    1.3.5.58 ( date  10-Oct-2013 time  17:15:41 )
    Boot version    1.3.5.06 ( date  21-Jul-2013 time  15:12:10 )
    HW version    V01

  • Remote Access VPN Clients Cannot Access inside LAN

    I have been asked to set up remote access VPN on an ASA 5505 that I previously had no involvement with.  I have set up the VPN using the wizard, the way I normally do, but the clients have no access to anything in the inside subnet, not even the inside interface IP address of the ASA.  They can ping each other.  The remote access policy below that I am working on is labeled VPNPHONE, address pool 172.16.20.1-10.  I do not need split tunneling to be enabled.  The active WAN interface is the one labeled outside_cable.
    : Saved
    ASA Version 8.2(1)
    hostname ASA5505
    domain-name default.domain.invalid
    enable password eelnBRz68aYSzHyz encrypted
    passwd eelnBRz68aYSzHyz encrypted
    names
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.100.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group dataDSL
    ip address 76.244.75.57 255.255.255.255 pppoe
    interface Vlan3
    nameif dmz
    security-level 50
    ip address 192.168.9.1 255.255.255.0
    interface Vlan10
    nameif outside_cable
    security-level 0
    ip address 50.84.96.178 255.255.255.240
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    switchport access vlan 10
    interface Ethernet0/2
    switchport access vlan 3
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    clock timezone CST -6
    clock summer-time CDT recurring
    dns server-group DefaultDNS
    domain-name default.domain.invalid
    same-security-traffic permit intra-interface
    object-group service Netbios udp
    port-object eq 139
    port-object eq 445
    port-object eq netbios-ns
    object-group service Netbios_TCP tcp
    port-object eq 445
    port-object eq netbios-ssn
    object-group network DM_INLINE_NETWORK_1
    network-object host 192.168.100.177
    network-object host 192.168.100.249
    object-group service Web_Services tcp
    port-object eq ftp
    port-object eq ftp-data
    port-object eq www
    port-object eq https
    object-group network DM_INLINE_NETWORK_10
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_11
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_2
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_3
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_4
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_5
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_6
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_7
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_8
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network DM_INLINE_NETWORK_9
    network-object host 192.168.9.10
    network-object host 192.168.9.4
    object-group network VPN
    network-object 192.168.255.0 255.255.255.0
    access-list outside_access_in extended permit icmp any host 76.244.75.61
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp
    access-list outside_access_in extended permit tcp any host 76.244.75.61 eq ftp-data
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.62 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.59 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.60 eq https
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq www
    access-list outside_access_in extended permit tcp any host 76.244.75.58 eq https
    access-list dmz_access_in remark Quickbooks
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_6 host 192.168.100.5 eq 56719
    access-list dmz_access_in remark Quickbooks range
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_7 host 192.168.100.5 range 55333 55337
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_8 host 192.168.100.5 eq 1434
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_9 host 192.168.100.5 eq 49398
    access-list dmz_access_in remark QB
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_10 host 192.168.100.5 eq 8019
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_2 host 192.168.100.5 eq 2638
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_11 host 192.168.100.5 object-group Netbios
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_3 host 192.168.100.5 object-group Netbios_TCP
    access-list dmz_access_in extended deny ip host 192.168.9.4 host 192.168.100.5 inactive
    access-list dmz_access_in extended permit udp object-group DM_INLINE_NETWORK_4 any
    access-list dmz_access_in extended permit tcp object-group DM_INLINE_NETWORK_5 any
    access-list dmz_access_in remark Printer
    access-list dmz_access_in extended permit ip 192.168.9.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
    access-list dmz_access_in extended permit tcp 192.168.9.0 255.255.255.0 any object-group Web_Services
    access-list dmz_access_in extended permit udp 192.168.9.0 255.255.255.0 any eq domain
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.255.0 255.255.255.0 echo-reply
    access-list dmz_access_in extended permit icmp 192.168.9.0 255.255.255.0 192.168.100.0 255.255.255.0 echo-reply log disable
    access-list dmz_access_in remark QB probably does not need any udp
    access-list dmz_access_in extended permit udp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark QB included in other rule range
    access-list dmz_access_in extended permit tcp host 192.168.9.4 host 192.168.100.5 eq 55333 inactive
    access-list dmz_access_in remark May be required for Quickbooks
    access-list dmz_access_in extended permit icmp host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.9.4 host 192.168.100.5
    access-list CAD_capture extended permit ip host 192.168.100.5 host 192.168.9.4
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.10.0 255.255.255.240
    access-list inside_nat0_outbound extended permit ip any 172.16.20.0 255.255.255.240
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
    access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
    access-list dmz_nat0_outbound extended permit ip any 192.168.255.0 255.255.255.0
    access-list outside_cable_access_in extended permit icmp any host 50.84.96.182
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.182 eq ftp-data
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.183 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.180 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.181 eq https
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq www
    access-list outside_cable_access_in extended permit tcp any host 50.84.96.179 eq https
    access-list Local_LAN_Access standard permit host 0.0.0.0
    access-list vpnusers_spitTunnelACL extended permit ip 192.168.100.0 255.255.255.0 any
    access-list nonat-in extended permit ip 192.168.100.0 255.255.255.0 172.16.20.0 255.255.255.0
    pager lines 24
    logging enable
    logging buffered informational
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu dmz 1500 
    mtu outside_cable 1500
    ip local pool VPN_IP_range 192.168.255.1-192.168.255.10 mask 255.255.255.0
    ip local pool VPN_Phone 172.16.20.1-172.16.20.10 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    nat-control
    global (outside) 10 interface
    global (outside_cable) 10 interface
    nat (inside) 0 access-list nonat-in
    nat (inside) 10 0.0.0.0 0.0.0.0
    nat (dmz) 0 access-list dmz_nat0_outbound
    nat (dmz) 10 0.0.0.0 0.0.0.0
    static (inside,outside) 76.244.75.62 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.61 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.59 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside) 76.244.75.58 192.168.9.4 netmask 255.255.255.255 dns
    static (inside,dmz) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
    static (dmz,outside) 76.244.75.60 192.168.9.10 netmask 255.255.255.255 dns
    static (inside,outside_cable) 50.84.96.183 192.168.100.25 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.182 192.168.9.123 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.180 192.168.9.124 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.179 192.168.9.4 netmask 255.255.255.255 dns
    static (dmz,outside_cable) 50.84.96.181 192.168.9.10 netmask 255.255.255.255 dns
    access-group outside_access_in in interface outside
    access-group dmz_access_in in interface dmz
    access-group outside_cable_access_in in interface outside_cable
    route outside_cable 0.0.0.0 0.0.0.0 50.84.96.177 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    http 192.168.100.0 255.255.255.0 inside
    http 204.107.173.0 255.255.255.0 outside
    http 204.107.173.0 255.255.255.0 outside_cable
    http 0.0.0.0 0.0.0.0 outside_cable
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_cable_map interface outside_cable
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map inside_map interface inside
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outside_cable
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400
    crypto isakmp policy 30
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    telnet 192.168.100.0 255.255.255.0 inside
    telnet timeout 5
    ssh 192.168.100.0 255.255.255.0 inside
    ssh 204.107.173.0 255.255.255.0 outside
    ssh 204.107.173.0 255.255.255.0 outside_cable
    ssh 0.0.0.0 0.0.0.0 outside_cable
    ssh timeout 15
    console timeout 0
    vpdn group dataDSL request dialout pppoe
    vpdn group dataDSL localname [email protected]
    vpdn group dataDSL ppp authentication pap
    vpdn username [email protected] password *********
    dhcpd address 192.168.100.30-192.168.100.99 inside
    dhcpd dns 192.168.100.5 68.94.156.1 interface inside
    threat-detection basic-threat
    threat-detection statistics port
    threat-detection statistics protocol
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DefaultRAGroup internal
    group-policy DefaultRAGroup attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec l2tp-ipsec
    group-policy cad_supplies_RAVPN internal
    group-policy cad_supplies_RAVPN attributes
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
    group-policy VPNPHONE internal
    group-policy VPNPHONE attributes
    dns-server value 192.168.100.5
    vpn-tunnel-protocol IPSec
    split-tunnel-policy excludespecified
    split-tunnel-network-list value Local_LAN_Access
    client-firewall none
    client-access-rule none
    username swinc password BlhBNWfh7XoeHcQC encrypted
    username swinc attributes
    vpn-group-policy cad_supplies_RAVPN
    username meredithp password L3lRjzwb7TnwOyZ1 encrypted
    username meredithp attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username ipphone1 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone1 attributes
    vpn-group-policy VPNPHONE
    username ipphone2 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone2 attributes
    vpn-group-policy VPNPHONE
    username ipphone3 password LOjpmeIOshVdCSOU encrypted privilege 0
    username ipphone3 attributes
    vpn-group-policy VPNPHONE
    username oethera password WKJxJq7L6wmktFNt encrypted
    username oethera attributes
    vpn-group-policy cad_supplies_RAVPN
    service-type remote-access
    username markh password nqH+bk6vj0fR83ai0SAxkg== nt-encrypted
    username markh attributes
    vpn-group-policy cad_supplies_RAVPN
    tunnel-group DefaultRAGroup general-attributes
    default-group-policy DefaultRAGroup
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *
    tunnel-group DefaultRAGroup ppp-attributes
    authentication ms-chap-v2
    tunnel-group cad_supplies_RAVPN type remote-access
    tunnel-group cad_supplies_RAVPN general-attributes
    address-pool VPN_IP_range
    default-group-policy cad_supplies_RAVPN
    tunnel-group cad_supplies_RAVPN ipsec-attributes
    pre-shared-key *
    tunnel-group VPNPHONE type remote-access
    tunnel-group VPNPHONE general-attributes
    address-pool VPN_Phone
    default-group-policy VPNPHONE
    tunnel-group VPNPHONE ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 1500
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:8b25ecc61861a2baa6d2556a3679cc7c
    : end

    Hi,
    You have your "group-policy" set so that you are excluding some networks from being tunneled.
    In this access-list named Local_LAN_Access you specify "0.0.0.0"
    Doesn't this mean you are excluding all networks from being tunneled? In other words, no traffic goes to your tunnel.
    This access-list should only contain your local LAN network from where you are connecting with the VPN Client. If you don't need to access anything on your local LAN while having the VPN on, you don't even need this setting on. You could just tunnel all traffic instead of excluding some networks.
    - Jouni
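
An added example (not part of the original posts, and not Cisco's code): a small Python check that resolves each group-policy's split-tunnel mode and network list from a configuration like the one quoted above, so the effective tunnel scope can be read per policy. The function names and the trimmed sample text are assumptions made for illustration; only standard ACLs are parsed, and the `host 0.0.0.0` verdict follows the ASA's documented local-LAN-access convention.

```python
import ipaddress
import re

# Constructed sample: the split-tunnel lines from the configuration quoted
# above, flattened (no indentation) the way the page shows them.
SAMPLE_CONFIG = """\
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0
access-list cad_supplies_RAVPN_splitTunnelAcl standard permit 192.168.9.0 255.255.255.0
access-list Local_LAN_Access standard permit host 0.0.0.0
group-policy DefaultRAGroup attributes
group-policy cad_supplies_RAVPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value cad_supplies_RAVPN_splitTunnelAcl
group-policy VPNPHONE attributes
split-tunnel-policy excludespecified
split-tunnel-network-list value Local_LAN_Access
"""

ACL_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
# In an excludespecified list, host 0.0.0.0 stands for the client's own LAN.
LOCAL_LAN = ipaddress.ip_network("0.0.0.0/32")
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse(config):
    """Return (acls, policies) from a flattened ASA-style configuration."""
    acls, policies, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            target = m.group(2).split()
            if target[0] == "any":
                net = ANY
            elif target[0] == "host":
                net = ipaddress.ip_network(target[1] + "/32")
            else:  # "<network> <netmask>"
                net = ipaddress.ip_network("/".join(target[:2]))
            acls.setdefault(m.group(1), []).append(net)
        elif line.startswith("group-policy "):
            parts = line.split()
            policies.setdefault(parts[1], {})
            current = parts[1] if parts[2:3] == ["attributes"] else None
        elif line.startswith(("username ", "tunnel-group ")):
            current = None  # left the group-policy block
        elif current and line.startswith("split-tunnel-policy "):
            policies[current]["mode"] = line.split()[1]
        elif current and line.startswith("split-tunnel-network-list value "):
            policies[current]["acl"] = line.split()[2]
    return acls, policies


def effective_scope(config):
    """Map each group-policy name to (mode, networks, verdict)."""
    acls, policies = parse(config)
    out = {}
    for name, pol in policies.items():
        mode = pol.get("mode", "tunnelall")  # ASA default when unset
        nets = acls.get(pol.get("acl"), [])
        if mode == "tunnelall":
            verdict = "all client traffic is tunneled"
        elif not nets:
            verdict = "network list missing or empty: review"
        elif mode == "tunnelspecified":
            verdict = "only the listed networks are tunneled"
        elif ANY in nets:
            verdict = "every destination excluded: nothing is tunneled"
        elif nets == [LOCAL_LAN]:
            verdict = "local-LAN-access form: client's own LAN excluded, rest tunneled"
        else:
            verdict = "listed networks bypass the tunnel, rest tunneled"
        out[name] = (mode, [str(n) for n in nets], verdict)
    return out
```

Calling `effective_scope()` on a full `show running-config` dump gives one entry per group-policy; extended ACLs used as split-tunnel lists are not parsed by this sketch and show up as "network list missing or empty".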

  • Is there a way of remote accessing 'Games and More' on a mobile?

    I am new to the forum, please excuse me if I am in the wrong space!
    Is there a way of remotely accessing/executing Java applications that are residing in the 'Games and More.' folder on a mobile device?
    e.g. Java application is downloaded into 'Games and More' and there is a requirement to execute the program from an ODP (On-Device-Portal). The ODP is external to the 'Games and More' folder but within the same mobile device.
    Many thanks
    Ian

    IVM wrote:
    Is there a way of remotely accessing/executing Java applications that are residing in the 'Games and More.' folder on a mobile device?
    No.
    db

  • How to set up my elderly parent with Mac so that I can use remote access to help her?

    I want to set my elderly mother up with a new Mac mini so that I can use remote access to show her how to use email, browse the internet, share photos.  (She lives in KY, I live in OR)
    She has had an iPhone and an iPad for about 6 months and she can barely use them without becoming frustrated.   I want to be able to see her screen with her and show her how to do things.
    My plan is to set her up with a Mac mini and I'll use my MacBookAir to remote into her system.  I'm buying the mini to configure and then I'll mail it to her.
    My question is whether to try to use Back to My Mac or Teamviewer for remote access.
    I have broadband with comcast and she has broadband with Access Cable.  Each have their company modem/routers--neither of us have Airport Express.
    I have my own iCloud account and she has her own.   If I use Back to My Mac, it seems that I would need to set up a separate account on my Mac that would sync to her iCloud account.
    Teamviewer seems easier because I don't have to use a separate account.   Any advice?   Anything that I'm not thinking about?

    As Linc says, you can establish a Screen Sharing session via iMessage and Facetime.  The advantage of these 2 approaches is that once your Mom gets used to using them, she will be more comfortable using them to communicate with you.  I've talked to my Mom via iChat (aka iMessage) more since she learned to use them, than in all the years before that (including when I was a child).  And just being able to see your Mom via Facetime can be useful when you want to gauge how she is doing.
    However, if you are any distance from your Mom, then you want backup methods in case something goes wrong.
    So besides iMessage/Facetime, the next best would be Back-to-My-Mac via iCloud, however, you will want to establish her Mac as using your account so that you have the right to take control remotely.
    An alternative that does not mix up your iCloud accounts would be to use TeamViewer.com (which has an unattended mode so you can do off-hour maintenance when your Mom is not around; or check up on her to find out if she is dating - Turns out if I had been paying attention, I would not have been blind-sided by my Mom getting Married again last Summer - she is in her 80's!).
    LogMeIn.com, as dwb says, can be used the same way as TeamViewer.com.
    Both LogMeIn.com and TeamViewer.com are very good at making it easy to get through the home router and if you are having any problems connecting using other Methods, TeamViewer.com or LogMeIn.com will most likely not have any issues.
    Back-to-My-Mac allows screen sharing and file sharing so you can transfer files as well as control the screen.
    Screen Sharing via Messages allows cooperative file transfer. That is to say, you can try pushing a file to your Mom, but she has to accept each transfer.
    TeamViewer.com has an unattended file transfer mode.
    LogMeIn.com requires the paid version to transfer files.  However, there are other ways to transfer files, such as downloading them from the original source on your Mom's system while using screen sharing, using Dropbox (or similar), emailing them, etc...
    Of course if you are really network savvy, you can roll your own via ssh tunnels, port forwarding routers, getting dynamic DNS names, transferring files via scp, or tunneling AFP file sharing, tunneling your screen sharing sessions.  Lots of fun and excitement playing with terminal commands

  • Remote Access Question...

    Is there a remote access app with which I can open media on a computer or laptop in the apps that support said media or files on my iPad, email these files as a link, email compatible sizes as an attachment, save compatible types to camera roll, Print, view, play, listen to, and read?

    You can use email to send files to your iPad. But the best way to transfer photos, music, documents etc. is to use iTunes on your computer. See page 40 of the iPad User's Manual for information on syncing your iPad using iTunes. The manual is here
    http://support.apple.com/manuals/#ipad

  • Remote access to Time Capsule won't work

    Over the past couple of months I've been doing lots of research and planning into replacing my Mac Pro and old MacBook Pro with a new Mac setup.  I was looking for efficiency, productivity and ultimate portability so the Macbook Pro Retina and Time Capsule grabbed my attention.
    I was interested in the MacBook Pro Retina for work (travel) and home leisure use.  Due to having so much music and video iTunes content, I was interested in purchasing a Time Capsule and a secondary external hard drive, placing all my iTunes content on the Time Capsule which I would then back up to the external hard drive when I was at home.  I would then setup Time Capsule to be accessible over the internet so that I could view my media content through iTunes wherever in the world I was (internet speeds permitting of course).  By doing this I could carry only my work files with me on the 512GB SSD Macbook Pro Retina, but could access the Time Capsule media files remotely, either via wi-fi or by tethering my iPhone 5.
    So I purchased a Time Capsule to test my theory.  I followed online guidance on how to achieve such a setup and using my 2008 MacBook Pro (which runs Snow Leopard) and a friends internet connection I got the system to work.  I was able to remotely contact Time Capsule and watch High Def video content via wireless internet and even tethered to my iPhone.  So I went and purchased a Macbook Pro Retina (running Mountain Lion) and set about setting up the system in the same way.  But this is where something's gone wrong.  I can't connect to the Time Capsule over the internet at all.
    The Air Port utility has been updated to version 6 which is lacking the ability to instruct the Time Capsule to "Allow access over WAN".  I thought I'd make sure it still connected via the internet using my old MacBook Pro, which had definitely worked perfectly just a couple weeks earlier, and that won't work either.  I can't find the option to "Allow access over WAN" within Airport Utility 5.6.1 either?  And the simple apple script application that I wrote (following an online guide) to open the remote connection to Time Capsule with the double left click on an icon has stopped working too.
    I don't pretend to be a network engineer and I'm no I.T. expert, though I usually manage to teach myself what I need to know to sort issues like this out, but this has gotten me really stumped!  I tried downloading an old version of Airport Utility to see if that had the "Allow access over WAN" feature (within the 'Disks' > 'File Sharing' area of Airport Utility) but my Mac OS won't allow the old versions to run.
    Perhaps the version of Airport Utility I used on my Macbook Pro a couple of weeks ago didn't have the "Allow access over WAN" check box either and I just didn't notice - which is likely unless Airport Utility updates itself in the background without any prompts etc.  I certainly didn't notice a software update for it any time over the past few days.  Either way, I don't understand how it could have been working a few days back and now it's suddenly not.
    I used this guide to gain remote access to Time Capsule successfully just a couple of weeks ago:
    http://www.youtube.com/watch?v=SIQ7SzA1cK4
    Can anyone shed any light on the issue and point me toward a fix please?  I'd appreciate the help.

    Thanks LaPastenague.  I'm not sure if I have a static IP but I can confirm it hasn't changed in the past month.
    I've pretty much come to the conclusion that what I want to do isn't really possible using Time Capsule.  Like I mentioned, I had remote access working a couple of weeks ago but it seems like apple have updated the firmware or airport software to remove something that was necessary to remotely connect in the same way.  And even if I did get it working I think it would still be so restrictive, requiring a fast wifi or mobile phone tethered connection to view my media files over the internet.
    I got connected via iCloud and B.T.M.M. but the connection was very slow and video wouldn't stream well at all (painful).  It seems that the speed constraints would make it very frustrating each time I simply wanted to look through my vast iTunes music collection or movie library.  Album covers won't appear either.
    Even if it were possible to connect via a static IP I just don't think that the WAN connection would be stable or fast enough to offer an efficient solution(?), so I'll probably have to buy an external portable HD and use Time Capsule for Time Machine and Printer Sharing.
    I wish I could stream my iTunes movies and music successfully over the internet, but right now it just doesn't seem possible.

  • Cannot login to Cisco Jabber 10.5.1 over Mobile and Remote Access

    Hi,
    We have successfully deployed VCS Expressway-C and VCS Expressway-E with only 1 zone, which is "Unified Communication Traversal" and is for Mobile and Remote Access only. VCS-C and VCS-E are communicating, and in the statuses everything is active and working. Also, VCS-C can communicate with CUCM and CUP (both version 10.5).
    The problem is that when I deploy Cisco Jabber 10.5.1 on a computer outside of the LAN and without VPN, it starts communicating with VCS-E, asks me to accept the certificate (we only have a certificate internally generated on Windows CA), and after that it tries to connect, and after a few seconds it tells me that it can't communicate with the server.
    Have any of you had the same problem, or can you advise how to troubleshoot? In the Jabber logs there is only something like a "Cannot authenticate" error message, but when I start up the VPN I can authenticate without any problems.
    Thanks

    On Expressway-C, are your HTTP Allow Lists set up properly?  By default, any auto-discovered CUCM and IMP should be listed via IP and Hostname, but if not, you'll need to insert them manually.
    Also, you can look at the config file your Expressway-E would be handing out to Jabber via this method.
    From the internet, browse to:
    https://vcse.yourdomain.com:8443/Y29sbGFiLmNvbQ/get_edge_config?service_name=_cisco-uds&service_name=_cuplogin
    Where:
    vcse is your Expressway-E hostname (or CNAME/A record)
    yourdomain.com is your own domain
    The first directory is your Base64 encoded domain name; remove any trailing equal signs (=)
    The XML returned is basically the DNS SRV record information available as if internal for _cisco-uds and _cuplogin
    TFTP DNS SRV is optional if you configured TFTP in IMP for your Legacy Clients.
