Telnet from Outside switch to DMZ switch connected to ASA.
Hi all,
I have switch b connected to ASA with fas0/40 under vlan 40.
ASA connection to this switch is under Vlan 3 which is DMZ.
OSPF is running between OSPF and DMZ switch.
I was trying to telnet from the Outside interface switch to the DMZ switch, which goes through the ASA.
My question is: is it possible from the Outside switch to ping the DMZ switch or telnet to it, as the connection has to pass through the ASA?
Thanks
Mahesh
Hello Mahesh,
Yes, as I said in my previous post:
access-list outside_in permit tcp host outside_switch_ip host dmz_switch_ip eq 23
access-group outside_in in interface outside
If you want to check whether everything is properly set up for that connection to work across the ASA, do the following:
packet-tracer input outside tcp outside_ip_switch 1025 dmz_switch_ip 23
Remember to rate all of the helpful posts
Julio
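As an added illustration of what the ACE and access-group pair above decide (this is example code written for this page, not Julio's or Cisco's), the following evaluator parses ASA-style access-list and access-group lines and answers the same question packet-tracer is asked: is a TCP/23 flow from the outside switch to the DMZ switch permitted on ingress? The addresses, ACL name and the Packet helper are constructed placeholders; security levels, NAT and stateful return traffic are deliberately out of scope.

```python
import ipaddress
from collections import namedtuple

# A 5-tuple of the packet being traced, like packet-tracer's arguments.
Packet = namedtuple("Packet", "proto src sport dst dport")

def _parse_addr(tokens, i):
    """Parse an ASA address spec at tokens[i]: any | host A | NET MASK."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes subnets as "network mask"; ipaddress accepts NET/MASK.
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2

def _parse_port(tokens, i):
    """Parse an optional 'eq N' qualifier; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an ACE: " + line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return {"acl": t[1], "action": t[2], "proto": t[3],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_bindings(lines):
    """Turn 'access-group NAME in interface IF' lines into {IF: NAME}."""
    out = {}
    for line in lines:
        t = line.split()
        if len(t) == 5 and t[0] == "access-group" and t[2] == "in":
            out[t[4]] = t[1]
    return out

def evaluate(acl_lines, bindings, ingress_if, pkt):
    """Return (verdict, reason) for pkt arriving on ingress_if.
    First matching ACE of the bound ACL wins; an ACL ends with an implicit
    deny. Assumption of this example: with no ACL bound we deny, ignoring
    the ASA's security-level default; stateful return traffic and NAT are
    out of scope."""
    acl_name = bindings.get(ingress_if)
    if acl_name is None:
        return "deny", "no access-group bound to " + ingress_if
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["acl"] != acl_name or ace["proto"] not in (pkt.proto, "ip"):
            continue
        if ipaddress.ip_address(pkt.src) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
            continue
        if ace["sport"] not in (None, pkt.sport) or ace["dport"] not in (None, pkt.dport):
            continue
        return ace["action"], line
    return "deny", "implicit deny at end of " + acl_name

# Constructed sample mirroring the reply; the addresses are placeholders.
ACL = ["access-list outside_in permit tcp host 192.168.11.1 host 192.168.69.1 eq 23"]
BINDINGS = parse_bindings(["access-group outside_in in interface outside"])

if __name__ == "__main__":
    telnet = Packet("tcp", "192.168.11.1", 1025, "192.168.69.1", 23)
    print(evaluate(ACL, BINDINGS, "outside", telnet))  # ('permit', <the ACE>)
```

A flow that matches no ACE (for example the same hosts on TCP/22) falls through to the implicit deny, which is exactly what a failing packet-tracer run would report in its ACCESS-LIST phase.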
Similar Messages
-
For whatever reason I can telnet from another switch to the SG300 switch but not directly to the switch. I also can't access the web interface or ping the switch. Any help would be appreciated. Here is the running config
config-file-header
WasteWaterSG30010MPP
v1.3.5.58 / R750_NIK_1_35_647_358
CLI v1.0
set system mode switch
file SSD indicator encrypted
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end xxxxxxxxxxxxxxxxxxxxxxxx
vlan database
default-vlan vlan 2
exit
vlan database
vlan 2,75,200,999
exit
voice vlan id 200
voice vlan oui-table add ________
voice vlan oui-table add _phone_____________
voice vlan oui-table add ___________________
voice vlan oui-table add ______________
voice vlan oui-table add
voice vlan oui-table add ___________
voice vlan oui-table add ___
voice vlan oui-table add ______________
hostname WasteWaterSG30010MPP
line console
exec-timeout 0
exit
line telnet
password 382fda4a4a26e6637edac0eb8b8ba4581087d32d encrypted
exit
line console
password 382fda4a4a26e6637edac0eb8b8ba4581087d32d encrypted
exit
enable password level 15 encrypted 382fda4a4a26e6637edac0eb8b8ba4581087d32d
username admin password encrypted 382fda4a4a26e6637edac0eb8b8ba4581087d32d privilege 15
snmp-server location XXXXXXXX
snmp-server community String1 ro view Default
sntp server 172.16.2.1
ip telnet server
interface vlan 2
ip address 172.16.2.23 255.255.255.0
no ip address dhcp
interface gigabitethernet1
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport mode access
switchport access vlan 999
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type unknown
interface gigabitethernet2
spanning-tree portfast
switchport mode access
switchport access vlan 999
interface gigabitethernet3
spanning-tree portfast
switchport mode access
switchport access vlan 999
interface gigabitethernet4
storm-control broadcast enable
storm-control broadcast level 10
storm-control include-multicast
port security max 10
port security mode max-addresses
port security discard trap 60
spanning-tree portfast
switchport mode access
switchport access vlan 999
macro description ip_phone_desktop
!next command is internal.
macro auto smartport dynamic_type unknown
interface gigabitethernet5
spanning-tree portfast
switchport mode access
switchport access vlan 999
interface gigabitethernet6
spanning-tree portfast
switchport mode access
interface gigabitethernet7
spanning-tree portfast
switchport mode access
switchport access vlan 999
interface gigabitethernet8
spanning-tree portfast
switchport mode access
switchport access vlan 999
interface gigabitethernet9
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 75,200,999
switchport trunk native vlan 2
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
interface gigabitethernet10
spanning-tree link-type point-to-point
switchport trunk allowed vlan add 75,200,999
switchport trunk native vlan 2
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
exit
A member of which VLAN ID is that device from which you are trying to reach that switch?
Is that device directly connected to switch WasteWaterSG30010MPP? If yes, to which port?
If you are connecting from a different VLAN than VLAN 2, are you using routing between VLANs? Where is that routing device connected?
> I also have another switch that connects to the network through this switch and am able to telnet to it.
Is that second switch a member of the same VLAN 2? Or is management part of a different VLAN?
...too little information to be able to give you a final answer. -
Ping to Switch in DMZ not working from Edge Switch
Hi Everyone,
Below is my home Lab setup
Sw1----trunk ----ospf sw2-------direct connection to ASA------DMZ ------SW3 -------
Switch3 has SVI IP 192.168.69.1
I can ping the IP 169.168.69.1 from sw2, as this has a default static route to the ASA outside interface IP address.
But I can not ping IP 192.168.69.1 from SW1; I need to know why.
Is this default behaviour?
On switch 1 I add the static route 192.168.69.0 255.255.255.0 192.168.11.1
Where 192.168.11.1 is the interface IP of Sw2 which has the direct connection to the ASA outside interface IP ---192.168.11.2.
Also I define Loopback IP 192.167.77.1 on Sw3.
This IP I can ping from Sw1, but IP 192.168.69.1 I can not ping.
I define the below static route on Sw1
ip route 192.168.77.0 255.255.255.0 192.168.10.2
where 10.2 is vlan 10 IP on Sw2.
Thanks
Mahesh
Message was edited by: mahesh parmar
Hi jouni,
yesterday I already tried with gateway IP of 192.168.10.2; it did not work, then I used 11.1 as gateway, same issue.
Today I tried again, same thing.
3550SMIA(config)#ip route 192.168.69.0 255.255.255.0 192.168.10.2
3550SMIA(config)#end
3550SMIA#ping 192.168.69.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.69.1, timeout is 2 seconds:
Success rate is 0 percent (0/5)
3550SMIA#
here is sh ip route
3550SMIA# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
S 192.168.77.0/24 [1/0] via 192.168.10.2
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 5d02h, FastEthernet0/11
O 192.168.11.0/24 [110/3] via 192.168.5.3, 5d02h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 5d02h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 5d02h, FastEthernet0/11
S 192.168.69.0/24 [1/0] via 192.168.10.2
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 5d02h, FastEthernet0/11
Thanks
Mahesh -
Hi Everyone.
I have ASA connected to Switch.
This is outside connection.
I was trying to Telnet to the ASA from the Switch which has the outside connection to the ASA.
I configured the command
telnet 192.168.0.0 255.255.0.0 outside
Still, from the Switch I am unable to telnet to the ASA?
The ASA has a default route to the switch with the route outside command.
I need to know the things below:
1> Is it possible to Telnet to both the outside and inside interface of the ASA from the neighbouring switch which is on the outside interface of the ASA??
Hello,
So this means that the outside interface is never allowed telnet by design, right?
Correct,
As I mentioned in my previous post
Also you cannot access a distant interface; this means from an inside user you will be able to access the inside interface, but traffic to the outside interface IP address will be denied no matter what (security design measure)
Regards
Remember to rate all of the helpful posts -
How to find the server connected from a multiple switched network
I have one server connected to a distributed switch or access switch in the network.
There are 45 switches in the network and I need help on how to find that server's connected switch from the Core switch?
How many methods and processes can we use to find that connected physical switch?
Thanks in advance !!!
It's a bit of a tedious process, but if you ping the IP address of the server from the core switch and then check the ARP entry to get its MAC address, you can then trace the address tables in the switches to find the switch that the server is physically connected to. Once you have the MAC address, you'll have to check the address table in each switch in the path between the core and the server to find it.
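The walk described in that answer (ARP on the core for the MAC, then follow the MAC through each switch's address table until the learning port has no switch behind it) can be automated once the CLI output is collected. The code below is an added example for this page, not from the thread or any Cisco tool; the 'show ip arp', 'show mac address-table' and CDP neighbour data are constructed samples with placeholder hostnames and addresses, and the CDP map assumes neighbours are keyed by the local port name.

```python
import re

# Constructed sample output: ARP table on the core, MAC tables and CDP
# neighbour maps per switch. Hostnames/addresses are placeholders.
ARP_CORE = """Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.10.50             5   0011.2233.4455  ARPA   Vlan20
"""
MAC_TABLES = {
    "CORE": """          Mac Address Table
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    0011.2233.4455    DYNAMIC     Gi1/0/1
  20    aabb.cc00.0001    DYNAMIC     Gi1/0/1
""",
    "DIST1": "  20    0011.2233.4455    DYNAMIC     Gi0/24\n",
    "ACC7": "  20    0011.2233.4455    DYNAMIC     Fa0/5\n",
}
# {switch: {local port: CDP neighbour seen on that port}} (assumed layout)
CDP = {
    "CORE": {"Gi1/0/1": "DIST1"},
    "DIST1": {"Gi0/23": "CORE", "Gi0/24": "ACC7"},
    "ACC7": {"Gi0/1": "DIST1"},
}

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def mac_from_arp(arp_text, ip):
    """Return the MAC held for ip in 'show ip arp' output, or None."""
    for line in arp_text.splitlines():
        m = re.match(r"Internet\s+(\S+)\s+\S+\s+(" + MAC_RE + ")", line)
        if m and m.group(1) == ip:
            return m.group(2)
    return None

def port_for_mac(mac_table_text, mac):
    """Return the port mac was learned on in 'show mac address-table' output."""
    for line in mac_table_text.splitlines():
        m = re.match(r"\s*\d+\s+(" + MAC_RE + r")\s+\S+\s+(\S+)", line)
        if m and m.group(1) == mac.lower():
            return m.group(2)
    return None

def trace_mac(mac, start, mac_tables, cdp, max_hops=50):
    """Walk from start towards the host: if the port that learned mac has a
    CDP neighbour, continue on that neighbour; otherwise it is the edge port.
    Returns (switch, port, path); (None, None, path) if the trail is lost."""
    path, seen, switch = [], set(), start
    while switch not in seen and len(path) < max_hops:
        seen.add(switch)
        port = port_for_mac(mac_tables.get(switch, ""), mac)
        path.append((switch, port))
        if port is None:
            return None, None, path       # MAC not in this table: trail cold
        nxt = cdp.get(switch, {}).get(port)
        if nxt is None:
            return switch, port, path     # no switch behind it: host port
        switch = nxt
    return None, None, path               # loop or hop limit: inconsistent data

if __name__ == "__main__":
    mac = mac_from_arp(ARP_CORE, "10.20.10.50")
    print(trace_mac(mac, "CORE", MAC_TABLES, CDP))  # ('ACC7', 'Fa0/5', [...])
```

A MAC that disappears from a table mid-path (aged out, or a neighbour map that is stale) ends the walk with a partial path rather than a wrong answer, which is the case to watch for when an inventory is being reconciled against the network.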
-
After executing the following command: 'clear tcp tcplist', I am no longer able to telnet to the 6513 switch (CatOS). I would like to restore the telnet functionality to this switch. Does anyone have any ideas? I have searched everywhere for a resolution. Thanks.
Hello,
the command you mention drops all TCP connections. Where are you trying to telnet from? Check the line status of that device with the 'show line' command, and try to clear all lines which have an *.
Regards,
GP -
Design help related to ACE to Switch connectivity using Port-Channel
Hi,
I have a Cisco ACE 4710 configured in One-Arm mode. This ACE is getting connected with 2 3750 switches. These 2 3750 switches connected in trunk mode.
ACE is connected to these 3750 switches using Port-channel.
ACE Config:
================================
interface gigabitEthernet 1/1
description One-arm mode port to DMZ Switch 1 port 20
channel-group 1
no shutdown
interface gigabitEthernet 1/2
description One-arm mode port to DMZ Switch 2 port 20
channel-group 1
no shutdown
interface port-channel 1
switchport access vlan 51
port-channel load-balance src-dst-ip
no shutdown
interface vlan 51
ip address 10.40.56.131 255.255.255.128
access-group input everyone
access-group output everyone
nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
service-policy input LB
service-policy input remote-access
no shutdown
===========================================================
The problem is that 3750 switches are not stacked.
Application is working fine. But I am getting a lot of MAC flapping messages..
Kindly suggest whether this design is OK or something needs to be done to rectify it...
Attached a small diagram..
Hello acharyr123,
I don't think this design is ok, and it would cause mac flapping since the two independent 3750 switches will learn the ace mac addresses off of two different interfaces. The 3750s would have to be stacked so that they would act as one switch; then this should work correctly.
Thanks
Joel Lamousnery
TAC CSE -
WLC is ARPing but will not receive answer from vlan-switch
Hi - this is my first posting in these forums - hope I get it right
Setup: a procurve-vlan-switch (2915) is connected directly to a cisco-wlc (2504) on two ports.
Port 1 on the wlc has the management- and apmanager-interface, untagged, connected to untagged port on procurveswitch.
Port 2 on the wlc has a dynamic interface (vlan 100) connected to tagged (vlan100) port on the switch.
Port 1 I can ping, and everything works as it should, LAP connects and so on.
Port 2 I can't ping, and it will not let clients get an ip-address in the vlan100 segment.
Wireshark tells me that the wlc sends arp-requests to the vlan-gateway on the procurve switch, and also that the switch replies in the same vlan (with tagged packets). But the WLC will not pick these answers up and keeps ARPing for the gateway. Result is = no dhcp-answer to the clients.
Workaround: If I first ping from the wlc to the gateway, everything works for 5 minutes, i.e. I can ping the dynamic interface on the wlc and clients get ip-addresses, but when the arp-cache times out, everything goes black again.
BIG question: Can anyone help me with this? Why will the wlc not pick up the arp-answer from the switch? The wlc asks with tagged packets and gets tagged replies immediately but will not listen
Sincerely
Nicholas Wolf Haamann
Is there a reason you are using two separate ports on the WLC?
Generally you would just create a Trunk port to the WLC and all traffic would pass over it.
The fact it works for 5 minutes makes me wonder if the WLC is somehow using the same MAC for both ports. What MAC addresses does the MAC address table on the HP switch show for both ports? -
Best way to remove CSM configuration from a switch
I have a redundant pair of CSMs and would like to move the slave CSM to a new switch. What is the quickest way to eliminate all configuration from this switch so the same can be installed on the new switch, without reloading the switch or causing any downtime to already existing connections through the master CSM?
Hi Imre,
Kindly read the following section for the required :
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/redun.html#wp1047388 -
Collecting information from Cisco switches using SNMP
Dear All,
I have a wide network with more than 250 sites connected using DSL. The WAN devices are under the provider's responsibility and the LAN devices are directly my responsibility. In each site, I have:
1 or 2 Cisco switches (2960 or 3560), connected via fiber,
or
Linksys switch connected via ethernet cable
and
cisco 877 router connected to switch
cisco 881G router connected to switch
pc and printers
In order to improve the availability of our network, we launch every day a script from a local PC to test connectivity of LAN equipment:
ping to switches (Vlan 1), ping to ip fa0/0 cisco router1, ip cisco router2, ping to HSRP address (of two routers). The resulting ini file will be inserted in a database and exported to excel for analysing.
I'm asking if someone can help me implement SNMP and let me know the name of the Cisco MIB to implement to:
- have from SNMP information the result of show cdp nei, show interface status, show ip int brief,...
- know if the WAN router LAN interfaces are up/connected
- other useful information.
Thanks and regards,
AA
Hi,
the basic SNMP config for 2960 and 3560 is:
snmp-server community <> RO
The configuration for SNMP traps to get alerts from the device if there is for example a failure with a fan is:
snmp-server enable traps
snmp-server host <> <>
This enables all traps available with your IOS version. You can then disable unwanted traps by using the "no" form of the command, like this.
Example for dot1x traps:
no snmp-server enable traps dot1x
With an SNMP client you can then do an snmpwalk (or SNMP get) without a specific OID to get all the SNMP information from the device:
On a Linux server the following command should work:
snmpwalk -v 2c -c <> -T <>
-v = use SNMP version 2c
-c = use the community string you configured on the device
-T = output in the dotted decimal format
But be careful, this will be a lot of data output.
Here you will find documentation for configuring SNMP on a Cisco device:
http://www.cisco.com/en/US/docs/ios/12_2/configfun/configuration/guide/fcf014.html
Sven -
Disable portfast on switch-to-switch connection
Hi,
From http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml, it says, "do not use portfast when you have switch-to-switch connection. In this case, the command can result in a loop."
For example, when someone connects a switch port (with portfast enabled) to another switch port (with portfast enabled):
1) Can this scenario cause a loop even though the connection between these switches is only a single link?
2) If it does not cause a loop, what will happen? STP recalculation which causes a short network outage?
Thanks.
Christina
Hi Christina,
1) Only if there is a redundant physical path between the switches, such as through another switch. If the only physical path between the two switches is the switch-to-switch link in question, then no loop can occur.
2) Portfast simply ignores the standard STP state transitions and immediately enters the forwarding state, so assuming no loop, a switch-to-switch link that has portfast configured will skip the 50 second STP convergence time and immediately forward traffic.
HTH,
Bobby
*Please rate helpful posts. -
Seeking to fix this error: "Failed while adding virtual Ethernet switch connections."
I am getting the error below when trying to make modifications to my Hyper-V.
I am trying to add a new Virtual Adaptor.
Hoping someone may have a suggestion on how to fix this.
Error:
New-VMSwitch : Failed while adding virtual Ethernet switch connections.
Failed to connect Ethernet switch port (switch name = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX', port name =
'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX', adapter GUID = '{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}'): The system cannot
find the file specified. (0x80070002).
The operation failed because the file was not found.
At line:1 char:1
+ New-VMSwitch -Name "LAN1" -NetAdapterName "Ethernet" -AllowManagementOS $True
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Microsoft.HyperV.PowerShell.VMTask:VMTask) [New-VMSwitch], Virtualizati
onOperationFailedException
+ FullyQualifiedErrorId : ObjectNotFound,Microsoft.HyperV.PowerShell.Commands.NewVMSwitchCommand
Alex, just a quick response to your advice re disabling AV: this did not work for me. After more searching the internet for a solution I found a post from 2013 where one poster offered the advice to go one step further, and it was to remove the AV package completely; the package in question was KIS2013. I have KIS2015 and figured I would try it as I was getting a little frustrated with the constant failure to create a virtual switch.
Anyway, it worked for me. I removed KIS, rebooted, and the VS was created on the first attempt without any issue. So simply pausing/disabling the AV from within the AV program may not be enough; I suspect that some may work and others not, as in the case of KIS. I wonder also if you disable the AV services at start-up if this would also work, but I did not try it.
Anyway, to other people experiencing this issue, I suggest disabling AV first as per Alex's advice, and if this does not work for you then I suggest trying to remove the AV before doing anything more drastic like re-installation of the OS, as I have seen suggested in more than one place.
Thanks
Mr Bee
--EDIT--
Just wanted to add, it is also worth 'excluding' any Hyper-V folders from the AV engine. I did not try this before removing KIS2015 so it may work without the need to remove your AV product, but on re-install I have now excluded the folders as suggested by a few folks in various posts... -
Dear Experts,
I'm trying to configure how to telnet to the Edge switch, but still no result. My Network topology is below:
- 1 Core Switch 3560
- 3 Edge Switch 2960
I've configured 4 VLANs:
+ Vlan 19: 10.19.10.0/24
+ Vlan 20: 10.20.10.0/24
+ Vlan 21: 10.21.10.0/24
+ Vlan 22: 10.22.10.0/24
On each Vlan, I assigned a Vlan interface IP.
I'm using VTP mode (Server and client) to trunk VLANs and the Core SW is the VTP Server. I can telnet to the Core SW using the VLAN Interface IP.
The question is how can I configure to telnet to the Edge SW?
Can somebody help me on this?
Thanks in advance!
JH
Hi,
From looking at your topology, the configuration should work. You should be able to telnet into the edge switches from anywhere in the network using the ip addresses of the vlan interfaces on each switch.
What exactly is the issue you're experiencing?
Are you able to ping the switch ip addresses?
Looking forward to hearing from you -
Hi,
I'm trying to connect to one 11g DB that runs in SUSE. Here is the name of the DB
SQL> select name from v$database;
NAME
ORCL
SQL>
select instance_name from v$instance ;
INSTANCE_NAME
orcl
But when I login as root on the SUSE machine I get this (the reason I used ssh is that telnet is not available in SUSE)
[root@webserver oracle]# ssh -p 1521 orcl
ssh: Could not resolve hostname orcl: Name or service not known
Any advice for this message above?
HuaMin Chen wrote:
Many thanks Edstevens. Then how can I achieve what I want, to be able to connect to it from outside? I know that "ssh/telnet" is one pre-condition for that, isn't it?
Not necessarily. As I said before, you can install the oracle client on your desktop/laptop and use the tools from there. No need for ssh at all.
>
Another thing is:
I've just added 1521 port to the router
http://www.4shared.com/photo/SdPj4_y1/fig100.html
Do I need to reboot the router? Does anyone know if there's a "reboot" option for this model "TL-WR740N"?
Don't know. I'm not a router guy.
>
Within the machine, I can ssh to port 22 without any problem:
That's because port 22 is the standard port for the ssh communications protocol
>
[root@webserver ~]# ssh -p 22 3masters.dyndns.info
[email protected]'s password:
Last login: Fri May 13 23:30:13 2011 from 014198214097.ctinets.com
Fine, you can connect to the server.
As I said before, don't do this as root. Don't do anything as root that doesn't absolutely require the very powerful privileges of root.
[root@webserver ~]# exit
logout
But I do have problem to ssh to 1521 port below:
[root@webserver ~]# ssh -p 1521 3masters.dyndns.info
ssh_exchange_identification: Connection closed by remote host
One more time: port 1521 is used by the oracle listener to listen for connection requests to the oracle database. SSH is not making such a request and is NOT the tool for connecting to the database. The listener has no idea what is being asked of it when ssh sends it a packet, so the listener refuses to deal with it. You DO NOT connect to port 1521 with ssh. You connect to port 1521 with an Oracle compliant, OCI aware, program such as sqlplus.
Any ideas?
Think of SSH as being unix's equivalent to Windows cmd.exe. You don't connect to the database with cmd, though you may open cmd and then, from there, execute sqlplus.
What do you imagine yourself doing once you 'connect from the outside'? What commands are you expecting to give? What are you expecting to see?
Best regards
Edited by: HuaMin Chen on May 13, 2011 11:51 PM -
Vlan pruning caused switch connectivity degradation
After pruning vlans on a 2950 and copying run to start, all of a sudden connectivity to the switch is slower. The 2950 is trunked to a 6513 with dual trunks using spanning tree. Both sides of the trunks' native vlans are vlan 1 and they are both set up for 802.1q. Tried adding vlans back in to the switch, still slow. Can't see why deleting vlans from a switch would cause degradation in the connection. Also Vlan 1 on the 2950 is taking a lot of input errors. The port on the 6513 has not been pruned.
Hello,
are you manually pruning with a VLAN list, or have you globally configured VTP pruning on the VTP server ? Are all switches running the same version of VTP ? Can you post the output of 'show vtp status' from both the 2950 and the 6513 ?
Regards,
GP