ASA5505 VPN-VLAN and licenses requirements question

Hi all -

I want to know if an ASA 5505 can perform the following operations, and what type of license may be required to do this:

- Provide several subnets/VLANs, with a port on the 5505 in 802.1Q trunk mode so that a wireless access point can see all the VLANs.

- Provide an L2L VPN tunnel to an ASA5520, such that _all traffic_ leaving two or more local VLANs/subnets would be transported through the VPN, while another VLAN (guest Internet) would not be passed through the VPN and would go directly to the ISP.

- What license is required to provide trunking on a port of the ASA and several VLANs?

The idea is that the ASA 5505 would be on a remote site.

One VLAN at this location would be the 'business' network, and one VLAN would be guest Internet.

The business VLAN would need to have all packets to and from this VLAN sent through the VPN, including Internet access from the corporate PCs.

The guest Internet VLAN would not transit the VPN at all and would be sent directly to the ISP (cable Internet access).

A Meraki AP would be connected to a trunk port on the ASA, providing public WiFi and also business WiFi.

The subnets used by these SSIDs would be the VLANs defined on the ASA for public and corporate traffic.

Note that this isn't "split tunneling" in the traditional sense of the term, where the remote corporate PC would send only corporate-interesting traffic over the VPN and would access the Internet directly.

The intention is that Internet-bound traffic from business PCs would be sent via the VPN to go through a web content filter in the internal data center, and guest Internet traffic would not be sent to the internal data center.

The ASA 5505 should be able to do what you describe as your needs. It would need the Security Plus license to support trunks and features for several VLANs.

This link may provide additional details that might be useful for you.

http://www.Cisco.com/c/en/us/TD/docs/security/ASA/asa72/configuration/guide/conf_gd/specs.html

HTH

Rick

Tags: Cisco Security

Similar Questions

  • configuration of vCOP and licensing NOOB question

    Friends,

    I searched for a load / reporting solution for a vSphere environment, and after a few days with Veeam One

    I downloaded the vCOP trial to see if it's something I need (apparently...)

    Unfortunately I have not understood what is wrong with my way of thinking... I see a license key on the product evaluation page in My VMware - but the auto-generated license key

    for vCOP in the web client view is different. In Operations Manager, I see only three tabs: Operations, Environment and Alerts... I see no reports etc...

    In configuration I see the service running, vCenter connected, and the product status 'authorized'

    Where is the flaw? Versions? Is it necessary to change the license, and if so, how?

    Please advise; I think that it is something so obvious that I can't find a solution online...

    Many thanks in advance,

    P

    Hello

    According to the vCOps Release Notes https://www.vmware.com/support/vcops/doc/vcops-581-vapp-release-notes.html

    "All license management tasks are performed in the vSphere Client. You cannot assign licenses in the vCenter Operations Manager Administration Portal. Follow the instructions in the VMware vCenter Operations Manager Deployment and Configuration Guide for licensing.

    vCenter Operations Manager runs in Foundation mode if no license key or an incompatible license key is applied. Assign the license key for the edition you purchased."

    See also this KB: VMware KB: vCenter license 5.x Operations Manager State fails to update after you apply the license

  • LRT214 VLAN and site to site vpn

    Hello everyone, I am a bit new to this aspect of networking and was looking for some advice.  I am looking at several LRT214 routers to configure site-to-site VPN to our main office from 4 locations.  There are 2 VLANs and subnets - one for the secure network (native VLAN 1) and one for guest wireless (VLAN 2).  It is very good and works well for LAN segregation locally.

    IPsec tunnels do not pass VLAN tags, hence my question: will I be able to restrict traffic through the VPN tunnel to VLAN 1 and deny traffic from VLAN 2?

    It appears in the documentation that VPN traffic can be limited by IP address or local subnet.  My concern is that if there is no way to bind or bridge to the selected VLAN, a device on VLAN 2 set to a static IP address within the permitted range (the VLAN 1 range) would be treated as permitted traffic, and would therefore cross the tunnel to VLAN 1 devices at remote sites.

    Thanks for any input you can offer.

    Hi, seedtech. The VLAN used for the VPN is the default VLAN. So if a tunnel is created, it will cross through the default VLAN.

    Jay-15354

    Linksys technical support

  • IOS-based LAN-to-LAN VPN (NAT and route-map questions)

    Hello world

    I am working on my CCNA Security review and I have a question about this scenario

    LAN1 192.168.0.0/24---(router HQ)--10.10.10.0/30--(INTERNET)--20.20.20.0/30--(router Branch) - LAN2 192.168.1.0/24

    I use the 10.10.10.0/30 and 20.20.20.0/30 networks assuming that these are public addresses (this is just a lab).

    I read that if I want to build the VPN tunnel while using NAT I must exclude the interesting traffic from the NAT process, so I looked in the Cisco knowledge base for more help and found this (look at the 3660 router configuration):

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008045a2d2.shtml#T1

    so I applied this config to my routers; the config is:

    ip nat inside source route-map sheep interface FastEthernet0/1

    access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    access-list 119 permit ip 192.168.0.0 0.0.0.255 any

    route-map sheep permit 10

    match ip address 110

    I didn't really understand why the route-map command is used here, so I made this configuration:

    ip nat inside source list sheep interface FastEthernet0/1

    ip access-list extended sheep

    deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

    permit ip 192.168.0.0 0.0.0.255 any

    Both of them worked: I could translate my LAN addresses to the public address for Internet access and could also establish the VPN tunnel. So my questions are:

    1. What is the purpose of the route-map command?

    2. What is the difference between these two configurations?

    3. Which one should I use, and in what cases?

    Thanks in advance

    Jose

    Jose,

    Very good questions, and in fact there is no need for the route-map.

    Personally, I like using route-maps because they allow much more flexibility than a simple ACL, but in order to bypass NAT for the source IPs there is no need for route-maps and you can do this with the ACL directly.

    I personally always use route-maps just because I can (route-maps are cool) haha

    Route-maps are very useful in other scenarios where you need to add more conditions or factors.

    Remember that there is almost always more than one method to accomplish a task... this is one of those cases.

    Hope it helps.

    Federico.

  • Cisco ASA Site to Site VPN IPSEC and NAT question

    Hi people,

    I have a question about Site-to-Site IPsec VPN and NAT. Basically, what I want to achieve is the following:

    ASA2 is at HQ and ASA1 is at a remote site. I have no problem setting up a static-to-static Site-to-Site IPsec VPN between the sites. Hosts residing in 10.1.0.0/16 are able to communicate with hosts in 192.168.1.0/24, but what I want is to configure NAT with the IPsec VPN so that hosts in 10.1.0.0/16 communicate with hosts in 192.168.1.0/24 using translated addresses

    Just an example:

    Host N2 (10.1.0.1/16) contacts host N1 (192.168.1.5) using destination, say, 10.23.1.5, not 192.168.1.5 (notice the last octet is the same in this case, .5)

    The translation stays the same for the rest of the communication (host N2 pings host N3 at destination IP 10.23.1.6, not 192.168.1.6; again the last octet is the same)

    It sounds a bit confusing to me, but I've seen this type of configuration before when I worked for a managed services provider where we provided this to our customers (IPsec Site-to-Site VPN with NAT; I don't know how it was set up)

    Basically we contacted the customer's hosts via site-to-site VPN, but their real addresses were hidden and we used translated addresses such as 10.23.1.0/24 instead of the (real) 192.168.1.0/24; the last octet had to be the same.

    Grateful if someone can shed some light on this subject.

    Hello

    OK, so I went with the old NAT configuration format

    It seems to me that you could do the following:

    • Configure ASA1 with static policy NAT

      • access-list L2LVPN-POLICYNAT permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • static (inside,outside) 10.23.1.0 access-list L2LVPN-POLICYNAT
    • Because the above is a static policy NAT, the translation will be made only when the destination network is 10.1.0.0/16
    • If you have, for example, a basic PAT configuration for inside -> outside traffic, the above NAT configuration and the actual PAT configuration won't interfere with each other
    • On the ASA2 side, you can configure NAT0 / NAT exemption for the 10.1.0.0/16 network as usual
      • access-list INSIDE-SHEEP remark L2LVPN SHEEP
      • access-list INSIDE-SHEEP permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0
      • nat (inside) 0 access-list INSIDE-SHEEP
    • You will need to take into account that your access-list defining the L2L VPN encrypted traffic must reflect the new NAT network
      • ASA1: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.23.1.0 255.255.255.0 10.1.0.0 255.255.0.0
      • ASA2: access-list L2LVPN-ENCRYPTIONDOMAIN permit ip 10.1.0.0 255.255.0.0 10.23.1.0 255.255.255.0

    I could test this configuration at work tomorrow, but I would like to know if it works.

    Please rate if this was helpful

    -Jouni
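
An added example, not part of the original thread: a small Python model of the address handling described in the answer above, showing the last-octet-preserving policy NAT on ASA1 and why the crypto ACL has to reference the mapped network. The function names are hypothetical; the three networks are the ones quoted in the answer, and the 203.0.113.10 test address is a constructed stand-in for an Internet host.

```python
import ipaddress

# Networks taken from the configuration in the answer above.
REAL_NET = ipaddress.ip_network("192.168.1.0/24")   # real LAN behind ASA1
MAPPED_NET = ipaddress.ip_network("10.23.1.0/24")   # range HQ sees instead
HQ_NET = ipaddress.ip_network("10.1.0.0/16")        # LAN behind ASA2


def acl_match(src, dst, src_net, dst_net):
    """True when a 'permit ip <src_net> <dst_net>' entry matches the packet."""
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)


def policy_static_nat(src, dst):
    """ASA1 outbound: translate the source only when the packet matches the
    policy ACL (real LAN -> HQ LAN). Host bits are kept, so .5 stays .5."""
    if not acl_match(src, dst, REAL_NET, HQ_NET):
        return str(ipaddress.ip_address(src))
    host_part = int(ipaddress.ip_address(src)) - int(REAL_NET.network_address)
    return str(MAPPED_NET.network_address + host_part)


def untranslate(src, dst):
    """ASA1 inbound from the tunnel: map a 10.23.1.x destination back to the
    real 192.168.1.x host, again only for traffic coming from the HQ LAN."""
    if not acl_match(src, dst, HQ_NET, MAPPED_NET):
        return str(ipaddress.ip_address(dst))
    host_part = int(ipaddress.ip_address(dst)) - int(MAPPED_NET.network_address)
    return str(REAL_NET.network_address + host_part)


def asa1_outbound(src, dst, crypto_local=MAPPED_NET):
    """Return (source address after NAT, matched by the crypto ACL?).
    NAT is applied first, so the crypto ACL sees the translated source.
    crypto_local is the local network written in the ASA1 crypto ACL."""
    translated = policy_static_nat(src, dst)
    encrypted = acl_match(translated, dst, crypto_local, HQ_NET)
    return translated, encrypted


def asa2_outbound(src, dst):
    """ASA2 side: HQ hosts address the mapped range. The same source and
    destination pair is exempted from NAT and selected for encryption."""
    exempt_from_nat = acl_match(src, dst, HQ_NET, MAPPED_NET)
    encrypted = acl_match(src, dst, HQ_NET, MAPPED_NET)
    return exempt_from_nat, encrypted


if __name__ == "__main__":
    # Constructed sample packets (source, destination).
    samples = [
        ("192.168.1.5", "10.1.0.1"),      # remote host to HQ: NAT + tunnel
        ("192.168.1.5", "203.0.113.10"),  # remote host to Internet: untouched
    ]
    for src, dst in samples:
        print(src, "->", dst, asa1_outbound(src, dst))
    # Crypto ACL left on the real network: translated traffic no longer matches.
    print(asa1_outbound("192.168.1.5", "10.1.0.1", crypto_local=REAL_NET))
    print(untranslate("10.1.0.1", "10.23.1.6"))
    print(asa2_outbound("10.1.0.1", "10.23.1.5"))
```
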

  • VLANS, DHCP, subnet, gateways and Multipathing Setup Question

    Hi, I have a home VI3 test network configured like this:

    Netgear wireless router,

    Wireless game adapter plugged into port A1 of an HP ProCurve 4000M Layer 2 switch with 802.1Q (provides the uplink to my router upstairs that serves Internet)

    Default VLAN 1 is 192.168.1.X/24

    On this switch, I have 2 ESX boxes with 4 NICs each, an Openfiler iSCSI target and a Windows XP Pro box running my Virtual Center.

    I have a virtual machine running SBS2003, which also serves as my DNS server and my DHCP server.

    SBS2003 - 192.168.1.6

    Gateway (router Netgear) 192.168.1.1

    ESX1 - 192.168.1.10

    ESX2 - 192.168.1.11

    XP Pro - 192.168.1.50

    Well, with that out of the way, my question is: I want to set up VLANs on my ProCurve switch to separate default network traffic, iSCSI and vMotion traffic.  Per ESX Server best practices, to install a second VMkernel NIC or Service Console NIC, they must be on a separate subnet with a defined gateway.  If I create a new VLAN for iSCSI and assign a network adapter, the network traffic will not be able to see my gateway. I also need my DHCP server to receive requests from any computer on any individual VLAN and issue a corresponding IP address.

    Now, what should I do?  If I create a second or tertiary VLAN, am I not able to see the DHCP server from these VLANs?  I can only UNTAG a port in 1 VLAN, and tagging the port drops any connection to my DHCP server.  On this switch I assigned IP addresses to individual VLANs, but this did not help.  DHCP isn't broadcasting across multiple VLANs. Am I missing a piece of hardware to provide ACLs or something?

    I don't know where to go from here, please help.

    Hello

    To route between VLANs, you need either a Layer 3 switch or a router configured as "a router on a stick", which is essentially a port of the switch, configured as a trunk, connected to a router that is configured with a number of interfaces, one for each VLAN, so that it can route traffic between the VLANs. Creating a VLAN for VMotion traffic is fine, as it has no need to be routed. The VLAN for iSCSI and the VLAN for the Service Console will have to be routed for iSCSI to work properly. DHCP can work across several VLANs but needs an IP helper to be configured on the switch.

    Regards

  • SSL VPN 25 user license - impossible to get more than 2 SSL VPN connections

    Hello

    I just installed a 25-user Premium license for SSL VPN on my Cisco ASA5505.  Even though it states that the license is installed, I still get only two AnyConnect SSL VPN client connections and the third fails systematically.  What am I missing?

    Thanks for posting back to the forum that the problem has been resolved, what caused the problem and what was done to solve it. The forum is most useful when people can read about a problem and can also read what the problem turned out to be and what was done to solve it. I think that it is also a good example to remind us that sometimes the problem is not in our configuration, or even in the area that we administer. So sometimes we have to look beyond our normal area to find the source of the problem.

    Marking the question as resolved makes it even more obvious to readers that they will find a solution to the problem. So thank you for marking the issue as resolved.

    HTH

    Rick

  • VLAN mapping and inline probe

    Hello

    I'm trying to make all traffic from my SSL VPN clients flow through an inline traffic probe. From what I see, I should use the VLAN mapping feature. But I can't understand how the feature works. The ASA documentation is not very informative or extensive.

    Currently my ASA has an interconnect network on a VLAN to my core router, and all my internal networks are routed to the core IP address. The default gateway of my core router is the ASA. My ASA provides IP addresses to remote SSL VPN clients and is the default router for them. Remote traffic flows from the remote client to the ASA, then through the interconnect to my internal networks. My single ASA works as my perimeter firewall and SSL VPN concentrator.

    As I understand it, VLAN mapping will make all traffic from the remote clients leave on an individual VLAN. So I created a new VLAN and added it to a trunk on the ASA. Then I enabled "Restrict access to VLAN" and set it to my VLAN. My inline traffic probe is connected to the VLAN and can provide DHCP.

    If it were a classic network, I'd make the inline traffic probe the default gateway for this VLAN and provide IP addresses and gateway with its DHCP server. But how does it work with the ASA? I can restrict the egress to this VLAN, but cannot find a way to make the traffic pass through the probe. As the ASA does not support source-based routing, I can't make the probe the next hop for the traffic.

    I can have the probe bridge (L2) the interconnect network and the remote client VLAN. But the IP address of the ASA on the VLAN does not fall within the same range as the interconnect, so I can't understand if and how it would work.

    Can someone help me with the configuration or explain to me better how VLAN mapping works?

    Thank you.

    What you are trying to achieve is configurable through the "tunneled" default route, which would force all VPN traffic to use this special default route.

    for example:

    If your inline traffic probe is between the ASA inside interface and your core, you can configure:

    route inside 0.0.0.0 0.0.0.0 <core-IP> tunneled

    This forces all VPN traffic to route to the core IP, which would go through your inline traffic probe

    Here's the command reference for your info:

    http://www.Cisco.com/en/us/docs/security/ASA/asa83/command/reference/QR.html#wp1840612

    Hope that helps.

  • multiple subnets per VLAN and port binding

    Hello

    I need some clarification.

    Our iSCSI SAN storage (Dell MD3660i) requires a separate subnet per port.

    We require multipathing and load balancing in VMware.

    To achieve this in ESXi 5.1 we need port binding... BUT port binding is supported only if the vmks are all in the SAME broadcast domain, according to these two KBs

    VMware KB: Considerations for using software iSCSI port binding in ESX/ESXi

    VMware KB: When the use of several VMkernel ports with port required to access the storage of two or more tables on different br...

    OK... so presumably I simply put all my iSCSI storage subnets in one VLAN and everything will be OK (one VLAN is after all one broadcast domain; both are L2 things)... This would meet the requirements of the KBs... if VMware means "broadcast domain" in the true sense of the term.

    So my question is: can you configure port binding in this way? Is it supported by VMware?

    VMware has come back to me (in fact the author of one of the KBs I've referenced)

    http://KB.VMware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalID=2038869

    He confirmed that the terminology used in the KB is misleading, and by "broadcast domain" it actually means "subnet", so layer 3, not layer 2.

    This means that you can NOT have multiple subnets in a broadcast domain (VLAN) AND use SW iSCSI port binding.

    BUT

    He told me (he is very familiar with the Dell MD3660i iSCSI kit) that you don't have to have port binding to achieve multipathing and load balancing. If you have a requirement for several subnets from your iSCSI SAN vendor, then just create multiple vmks on different subnets, and DO NOT use port binding. The fact that they are on different subnets will be enough to achieve multiple paths

    He is updating the KB to make this much clearer.

    I hope this helps someone

  • I am wanting to buy an Apple TV and had a question.

    I have an iPhone 4 and want to connect it to an Apple TV to listen to my music. My question is: on the lock screen, when I swipe up to display the controls, the AirPlay option is not there. Is it because the iPhone must see the Apple TV before the option appears, or is the option always on the iPhone even without an Apple TV in sight? Here is a screenshot of what I see. FYI: the phone's software version is 7.1.2

    Hi @rskern,

    Here are some things you can check:

    • Make sure that the Apple TV is powered on;
    • On the Apple TV (I assume you have the Apple TV 4, correct me if I'm wrong), go to Settings -> AirPlay. Check if AirPlay is turned on.
    • Check the security settings. Set these voices against zero and clear require verification of device.
    • And finally and most importantly, make sure that your iPhone and Apple TV are on the same network (Wi-Fi).

    If you still don't see the AirPlay button restart your iPhone and Apple TV to see if it will help.

  • Trying to remove empty Windows system folders, but getting the error "is a Windows system folder and is required for Windows to work. It cannot be deleted."

    My parents bought a laptop from a friend, and recently my father ran an antivirus program that came up with multiple files in a folder that had been created by this friend. When you try to delete the folder, a box appears that says "it is a Windows system folder and is required for Windows to work. It cannot be deleted." But all the folders inside are empty and of no use to us. Help?

    The standard answer to questions that begin with "I bought a used computer..." is that you should do a clean install of Windows, because you do not know what could be hiding somewhere in the computer.  In this case, it seems as if it is infected with something.

    Legally, the seller was required to give you a way to do this reinstall, but in the vast majority of private sales of used computers, this requirement is simply ignored.

    If it's a 'brand-name' laptop (e.g., Dell, HP, IBM/Lenovo) there may be a hidden partition on the hard drive that can be used to restore the computer to its "fresh from the factory" state.  Of course, this will remove all applications that the previous owner had installed after he or she bought it new, but you should still seriously consider making such a restore, if the mechanism is available.

    What is the name and the version of the antivirus application that has detected the wrong files?
    What are the names of the files?
    What is the name of the folder that cannot be deleted?
    Are you logged on as a user with the rights "computer administrator" when you try to delete it?

    Assuming that you cannot or will not do a clean install of Windows, I suggest the following (do not run the scans at the same time; each scan may take some time, depending on the number of files on the computer):

    Connect as a user with the privileges "computer administrator" and do a full scan with each of the following:

    http://www.eset.com/us/online-scanner
    http://www.Microsoft.com/security/scanner/en-us/default.aspx (requires download)
    http://www.PCtipp.ch/downloads/Sicherheit/35905/multi_av_scanning_tool.html (page is in German, but the downloaded scanner is in English)

    Also download, install, update and run a scan complete with each of the following:

    MalwareBytes AntiMalware
    SUPERAntiSpyware

  • Cloning and licenses

    I have 16 laptops that I use for the safety tests.  They must be wiped out and reconfigured after business travel.

    We have been on XP SP3 so far, but we must move on to Vista.  Professional Vista licenses are available from our KMS on the domain (that I do not have access to), but we do not know how this will all work together.

    When you wipe a domain Vista workstation and then reconnect it, will it get the same license?  In the same way that a machine can pull the same reserved IP address from the DHCP server, as its MAC address has not changed?

    If anyone has any advice on this subject would be great, but I guess I would especially need a resource to learn all of the questions I should ask here.  Maybe a link that explains how Vista, cloning and licenses all work together.  Sorry if this all sounds vague.

    Check in the TechNet IT Pro forums - this kind of question is really beyond the assistance that we provide here, because we support users who install Vista for single computer use.

  • 0xC004F063 computer BIOS is missing a required license

    Hello

    I reinstalled Windows 7 a bit more than a month ago, and then a few days ago I got messages saying my version is not valid, and when I followed the recommended steps to enter the product key I got the 0xC004F063 message saying I am missing a required license.

    I have no sticker on my laptop (HP ProBook), which was one of many bought by my company.

    The product key I got through an online diagnosis service.

    Here's my Diagnostic report.

    Thanks for your help.

    Ian

    On a ProBook I own, the product key is on the COA sticker in the battery compartment; look there.

    Try the following:

    Click Start, right click on computer

    Click on properties

    Scroll down to the Windows Activation

    Click on the link 'change product key '.

    Enter the product key located on the COA sticker attached to the bottom of your laptop or in the battery compartment. Click next to activate via the Internet.

    COA certificate of authenticity:

    http://www.Microsoft.com/howtotell/content.aspx?PG=COA

    What is the certificate of authenticity for Windows?

    http://Windows.Microsoft.com/en-us/Windows7/what-is-the-Windows-certificate-of-authenticity

  • Implementation of VLAN and QoS for VOIP on SG200-18

    We recently purchased the smart switch SG200-18 to replace a Netgear switch. We are moving our phone service to VOIP through our local ISP as well.

    I currently have the VOIP phone plugged into Port 17 on SG200-18 (it is a Grandstream Cordless VOIP phone).

    I want to put the VOIP phone on a VLAN separate from the rest of the network and optimize QoS parameters so that the VOIP phone has exceptional audio quality even during network traffic.

    Here are my questions:

    1. Do I need to set anything for the port type on Port 17 (because it looks like some kind of combo port)?

    2. How do I isolate the VOIP phone on its own VLAN (I see the VLAN settings and Voice VLAN, not sure which one to use; I tried to set a VLAN and broke Internet connectivity on the phone until I went back and removed it)?

    3. Do I need to adjust the QoS settings on the switch to better optimize the VOIP phone?

    Some additional questions about the SG200-18 in general:

    1. Do I need to adjust the system time settings on the switch? I am in the Central time zone.

    2. Do I need to adjust the Green Ethernet/Energy Saving parameters or should I stay with the default settings?

    In addition, a couple of "getting started" questions for Cisco:

    1. I registered an account My Cisco. What should I do to register my switch with Cisco and associate with my My Cisco account?

    2. What are the benefits of purchasing a contract of Cisco Small Business support, and how much would it cost the SG200-18 (I ordered it from Provantage)? I'm curious to see if it's worth the money.

    Here are my 'specs':

    Switch: SG200-18

    VOIP phone: Grandstream DP715 and 710 handsets

    Plugged in: Port 17 on SG200-18

    Services: Internet Local (Direclynx)

    Type of connection: 3 m down / 500 k up DSL, moving to a future wireless connection that will give us higher speeds

    Backend VOIP provider: VOIP Innovations

    Router: Apple Airport Extreme AC model (all Macs and iOS devices and an OS X Server on the network, so using the Apple router makes setup easier; since it has no QoS, I'm trying to do QoS and VLAN in the switch)

    Thank you all!

    Hello

    I'll just go down the list again:

    1. Sounds good on the port in the drop-down list. So I can just connect the VOIP phone and go with it, correct?

    Yes, just plug into the Ethernet combo port and it will work.

    2. Not an issue, but I agree, Apple likely isn't compatible with QoS or VLANs.

    3. Thanks for the info on time/NTP settings. If I wanted to go in there and try to configure NTP, how much is involved and what do I have to do? I want to see if I can give it a quick try.

    Setting up NTP on the switch is quite simple.  Go to Administration > Time Settings > System Time and check the box to enable the Main Clock Source (SNTP).

    Then go to the SNTP Settings page and add a new entry with the IP address of an NTP server.  There is a list of available NTP servers here:

    http://www.pool.ntp.org/en/

    You must also ensure that the switch's administrative default gateway is set correctly (it must be set to the default gateway, most likely the AirPort) so the switch can contact the NTP server.  That option is set under Administration > Interface Management > IPv4 Interface.  Change the default gateway to user-defined and enter the IP address of your AirPort (or whatever the default gateway for your network is).

    4. Sounds good on the Green Ethernet settings. I'll leave them at the default values.

    Yes, it is better to just leave those alone unless you have weird problems with ports disconnecting, which can sometimes be caused by Green Ethernet; if there's nothing like that, leave it on and save a few watts.

    5. Sounds good on not needing to attach my switch to my Cisco account. Should I fill out any product registration form with Cisco before calling support?

    There is no registration for support.  The only thing we need you to do is to create a Cisco account, but you have already done this, so if/when you call in to support, you just need your Cisco ID (also called a CCOID sometimes) and the serial number of your switch.

    6. Thanks for the info on the service contract. Is it something that I would need to order directly from Cisco, or would I get it from my Cisco partner (Provantage)? After the three years are up, does it renew or does it just lapse? Is there a certain amount of time I have to buy the service contract before I become ineligible?

    Support contracts are purchased through a Cisco partner, or you can get them online from CDW or Newegg, for example.  Basically, you have until the expiry of your current support to purchase a new contract.  For example, right now your switch comes with 1 year of technical support.  You can only buy a contract while it is still active.  Once your three-year contract is about to run out, you're in the same situation.  You can renew it before it expires; however, if you let it lapse, you will not be able to put a contract on it.  Contracts are not my specialty, however, so you can check with your partner for complete details.

    7. Sounds good on how much data VOIP calls use. His dislikes too. :-)

    I agree, a voice call is not much traffic.  With what you have described you probably won't have problems, although of course I can't guarantee that.

    8. Because it is from your provider and they specifically mentioned VOIP, I would say that you'll be fine here.

    You had also asked about using your AirPort as an access point behind a Small Business router.  I would say that it is possible; a large number of wireless routers have an option for access-point-only mode or something like that, but you should check with Apple on how to do it.

    As for a Small Business router, if you decide to upgrade for the VLAN or QoS options, I would recommend the RV180, or perhaps the RV320.  Both of these models are available with or without wireless, depending on what you decide to do with the AirPort.

    I think I got all the questions, but if not just let me know,

    Christopher Ebert - Network Support Engineer

    Cisco Small Business Support Center

    * Please note the useful messages *.

  • Cisco VPN Client and Windows XP VPN Client IPSec to ASA

    I configured the ASA for IPSec VPN connections from both the Cisco VPN Client and the XP VPN client. I can connect successfully with the Cisco VPN Client, but I get an error when connecting with the XP client. Debugging said "misconfigured groups and transport/tunneling mode". I know they use different transport and tunneling methods, and I think that I have configured both. Take a look at the config.

    PS: a funny thing - when I connect with the VPN client in Windows Server 2003, I get no error. The only difference is that the XP client is behind an ADSL router and the server client is directly connected to the Internet on one of its public IP interfaces. Can NAT in the XP case cause problems?

    Config is:

    !
    interface GigabitEthernet0/2.30
     description remote access
     vlan 30
     nameif remote-access
     security-level 0
     ip address 85.*.*.1 255.255.255.0
    !
    access-list 110 extended permit ip any any
    access-list nat extended permit tcp any host 10.254.17.10 eq ssh
    access-list nat extended permit tcp any host 10.254.17.26 eq ssh
    access-list sheep extended permit ip any any
    access-list nat-ganja extended permit tcp any host 10.254.17.18 eq ssh
    access-list sheep-vpn extended permit ip any 192.168.121.0 255.255.255.0
    access-list split-tunnel standard permit 192.168.121.0 255.255.255.0
    flow-export destination inside-Bct 192.168.1.27 9996
    ip local pool raccess 192.168.121.60-192.168.121.120 mask 255.255.255.0
    arp timeout 14400
    global (outside-Baku) 1 interface
    global (outside-Ganja) 2 interface
    nat (inside-Bct) 0 access-list sheep-vpn
    nat (inside-Bct) 1 access-list nat
    nat (inside-Bct) 2 access-list nat-ganja
    access-group rdp in interface outside-Ganja
    !
    route remote-access 0.0.0.0 0.0.0.0 85.*.*.1 2
    route outside-Baku 10.254.17.24 255.255.255.248 10.254.17.10 1
    route outside-Baku 192.1.1.0 255.255.255.0 10.254.17.10 1
    route outside-Baku 192.168.39.0 255.255.255.0 10.254.17.10 1
    route outside-Ganja 192.168.45.0 255.255.255.0 10.254.17.18 1
    route outside-Ganja 192.168.69.0 255.255.255.0 10.254.17.18 1
    route outside-Ganja 192.168.184.0 255.255.255.0 10.254.17.18 1
    route outside-Baku 192.168.208.16 255.255.255.240 10.254.17.10 1
    route outside-Ganja 192.168.208.112 255.255.255.240 10.254.17.18 1
    dynamic-access-policy-record DfltAccessPolicy
    crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
    crypto ipsec transform-set newset esp-aes esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
    crypto ipsec transform-set vpnclienttrans mode transport
    crypto ipsec transform-set raccess esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 214748364
    crypto ipsec security-association lifetime kilobytes 214748364
    crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
    crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
    crypto map vpnclientmap interface remote-access
    crypto isakmp identity address
    crypto isakmp enable vpntest
    crypto isakmp enable outside-Baku
    crypto isakmp enable outside-Ganja
    crypto isakmp enable remote-access
    crypto isakmp enable inside-Bct
    crypto isakmp policy 30
     authentication pre-share
     encryption 3des
     hash md5
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    no vpn-addr-assign aaa
    telnet timeout 5
    ssh 192.168.1.0 255.255.255.192 outside-Baku
    ssh 10.254.17.26 255.255.255.255 outside-Baku
    ssh 10.254.17.18 255.255.255.255 outside-Baku
    ssh 10.254.17.10 255.255.255.255 outside-Baku
    ssh 10.254.17.26 255.255.255.255 outside-Ganja
    ssh 10.254.17.18 255.255.255.255 outside-Ganja
    ssh 10.254.17.10 255.255.255.255 outside-Ganja
    ssh 192.168.1.0 255.255.255.192 inside-Bct
    group-policy vpn internal
    group-policy vpn attributes
     dns-server value 192.168.1.3
     vpn-tunnel-protocol IPSec l2tp-ipsec
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value split-tunnel
     default-domain value BCT.AZ
    tunnel-group DefaultRAGroup general-attributes
     address-pool raccess
     authentication-server-group RADIUS
     default-group-policy vpn
    tunnel-group DefaultRAGroup ipsec-attributes
     pre-shared-key *

    Hello

    For the Cisco VPN Client, you would need a tunnel-group name configured on the ASA with a pre-shared key.

    Please see the configuration below:

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a00805734ae.shtml

    or

    http://tinyurl.com/5t67hd

    Please see the tunnel-group section of the ASA config.

    There is a tunnel-group called "rtptacvpn" and a pre-shared key associated with it. This group name is used as the group name in the VPN Client.

    So, you would need a specific tunnel-group name configured with a pre-shared key and use it on the Cisco VPN Client.

    Secondly, because you are behind an ADSL router, I'm sure that it's configured for NAT. Can you please enable NAT-T on your ASA:

    "crypto isakmp nat-traversal"

    Thirdly, change the transform-set value:

    crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess

    Let me know the result.

    Thank you

    Gilbert
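Two of the points in the reply above (NAT-T and the transform sets offered by the dynamic map) can be checked mechanically against a saved running-config. The Python script below is an added example, not part of the original thread and not Cisco tooling; the sample config is constructed from the IPsec lines of the posted one, and the function name and finding labels are assumptions.

```python
import re

# Constructed sample: the IPsec lines of the posted config, in ASA 8.x syntax.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpnclienttrans esp-3des esp-md5-hmac
crypto ipsec transform-set vpnclienttrans mode transport
crypto ipsec transform-set raccess esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set vpnclienttrans raccess
crypto map vpnclientmap 30 ipsec-isakmp dynamic dyn1
no crypto isakmp nat-traversal
"""

def audit_remote_access(config):
    """Return a list of findings (hypothetical labels) for a running-config."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Explicitly disabled NAT-T: the ASA will not negotiate UDP encapsulation
    # of ESP for a client that sits behind a NAT router.
    if "no crypto isakmp nat-traversal" in lines:
        findings.append("NAT-T disabled")

    # Map each transform-set to its mode; tunnel is the ASA default.
    modes = {}
    for ln in lines:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)", ln)
        if m:
            name, rest = m.groups()
            if rest == "mode transport":
                modes[name] = "transport"
            else:
                modes.setdefault(name, "tunnel")

    # Each dynamic-map entry should offer a transport-mode set (native
    # Windows L2TP/IPsec) and a tunnel-mode set (Cisco VPN Client).
    for ln in lines:
        m = re.match(r"crypto dynamic-map (\S+) (\d+) set transform-set (.+)", ln)
        if not m:
            continue
        entry = f"{m.group(1)} {m.group(2)}"
        offered = {modes.get(ts, "undefined") for ts in m.group(3).split()}
        if "undefined" in offered:
            findings.append(f"{entry}: undefined transform-set")
        for mode in ("transport", "tunnel"):
            if mode not in offered:
                findings.append(f"{entry}: no {mode}-mode transform-set")
    return findings

if __name__ == "__main__":
    for finding in audit_remote_access(SAMPLE_CONFIG):
        print(finding)
```
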
