Cisco 2950 GANYMEDE + question
I have several switches 2950 that I can't go to work with GANYMEDE. I use the same configuration for what I use for other cisco switches.
Cisco Internetwork Operating System software
IOS (TM) C2950 Software (C2950-C3H2S-M), Version 12.0 (5.3) WC (1), TEMPORARY SOFTWARE MAINTENANCE
System image file is "flash: c2950-c3h2s - mz.120 - 5.3.WC.1.bin.
password username privilege 15 7 XXXXXX XXX
activate the password XXXXXX
AAA new-model
!
AAA authentication login default group Ganymede + local
AAA authentication login conmethod activate Group Ganymede +.
the AAA authentication enable default group Ganymede + activate
AAA authorization exec default group Ganymede + authenticated if
AAA accounting exec default start-stop Ganymede group.
!
GANYMEDE-server host XXX.XXX.XXX.XXX touches 7-XXXXXXX
GANYMEDE-server host XXX.XXX.XXX.XXX touches 7-XXXXXXX
Any help would be greatly appreciated.
Thank you.
Hello
How does your configuration of vty lines look like?
Have you tried the command in aaa-server test? If you have, what are you?
Tags: Cisco Security
Similar Questions
-
Migration to ISE for servers 3395 Cisco Cisco SNS 3495 question
Hi all. I have a client that runs on a Cisco 3395 ISE 1.2 Server and wants to migrate to Cisco SNS 3495 servers due to the end of life is imminent. My question is - this client should buy Cisco SNS 3495 server with a new software license, or may transfer or reuse the license of the software from their 3395 servers?
What will be the best course of action for them. Thank you!!
Ah, sorry, I was referring to the base, and, the apex (or Basic, advanced from previous levels of ISE) - which are licenses only you really need to worry. If you look at the details to the CCW, you're talking about this topic is the only one where the cost is indicated for the 3495 (except SmartNet if you added). This is not a point of STOCK you can add/remove. Basically, you have what you need from a material point of view when you purchase the device. Can you rehost license software (Basic, plus, apex) once you get the new devices up and running.
Tim
-
Hello, I have a few questions on the router from cisco srp 527w
First of all she has a built-in modem
second question is, where can I get updates firmware for it.
Please don't tie me to the manual I read it and could not find the relevant info.
Thanks for the replies
William
Hi William:
To address your first concern, this router supports the connection ADSL2 + annex a (ADSL over POTS) relay. You can also use some 3G USB modems with this router.
You can find firmware updates in the Software Download Center. This link , you should get just for downloads of series SRP520, but if not just search in the first link dowloads series SRP500.
Hope that helps.
Best,
David
Please evaluate the useful messages.
-
I am ASA 5505 that I am of is running correctly by using the AnyConnect client. The question is, can I connect to the fine external interface, but cannot ping or attach them to any host on the inside. When I connect, it accepts the user name and password, and I can run the ASDM or SSH to the firewall very well, but not further. In the control, after I log in, I get an IP address inside, of the order of 10.7.30.x as expected.
Following configuration:
: Saved
:
ASA Version 8.2 (5)
!
asa5505 hostname
domain BLA
activate the password * encrypted
passwd * encrypted
no names!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
switchport access vlan 150
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
IP 10.7.30.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
IP EXTERNAL IP 255.255.255.128
!
interface Vlan150
nameif WLAN_GUESTS
security-level 50
IP 10.7.150.1 255.255.255.0
!
boot system Disk0: / asa825 - k8.bin
config to boot Disk0: / running-config
passive FTP mode
clock timezone STD - 7
DNS server-group DefaultDNS
domain BLA
permit same-security-traffic intra-interface
object-group service tcp Webaccess
port-object eq www
EQ object of the https port
object-group network McAfee
network-object 208.65.144.0 255.255.248.0
network-object 208.81.64.0 255.255.248.0
access extensive list ip 10.7.30.0 outside_1_cryptomap allow 255.255.255.0 192.168.24.0 255.255.252.0
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 192.168.24.0 255.255.252.0
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 172.16.10.0 255.255.255.0
outside_access_in list extended access permit tcp any host 159.87.30.252 eq smtp
outside_access_in list extended access permit tcp any host 159.87.30.136 Webaccess object-group
outside_access_in list extended access permit tcp any host 159.87.30.243 Webaccess object-group
access-list extended outside_access_in permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
outside_access_in list extended access permit tcp any host 159.87.30.252 Webaccess object-group
outside_access_in list extended access permit tcp any host 159.87.30.245 Webaccess object-group
outside_access_in list extended access permitted tcp object-group McAfee any eq smtp
permit access list extended ip 172.16.10.0 outside_access_in 255.255.255.0 10.7.30.0 255.255.255.0
outside_access_in list extended access permit ip host 159.87.64.30 all
standard access list vpn_users_splitTunnelAcl allow 10.7.30.0 255.255.255.0
IPS_TRAFFIC of access allowed any ip an extended list
access extensive list ip 10.7.30.0 outside_nat0_outbound allow 255.255.255.0 any
inside_access_in list extended access permit udp 10.7.30.0 255.255.255.0 any eq snmp
access extensive list ip 10.7.30.0 outside_cryptomap allow 255.255.255.0 172.16.10.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside the 10.7.30.37
Debugging trace record
Within 1500 MTU
Outside 1500 MTU
MTU 1500 WLAN_GUESTS
local pool VPN_POOL 10.7.30.190 - 10.7.30.200 255.255.255.0 IP mask
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm-645 - 206.bin
don't allow no asdm history
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 0-list of access outside_nat0_outbound
NAT (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
public static 159.87.30.251 (Interior, exterior) 10.7.30.50 netmask 255.255.255.255
public static 159.87.30.245 (Interior, exterior) 10.7.30.53 netmask 255.255.255.255
public static 159.87.30.252 (Interior, exterior) 10.7.30.30 netmask 255.255.255.255
public static 159.87.30.243 (Interior, exterior) 10.7.30.19 netmask 255.255.255.255
public static 159.87.30.136 (Interior, exterior) 10.7.30.43 netmask 255.255.255.255
Access-group inside_access_in in interface inside the control plan
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
Route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
Timeout xlate 03:00
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
AAA-server ADWM-FPS-02 nt Protocol
AAA-server ADWM-FPS-02 (inside) host 10.7.30.32
Timeout 5
auth-domain NT ADWM-FPS-02 controller
AAA-server ADWM-FPS-02 (inside) host 10.7.30.49
auth-DC NT ADWM-DC02
AAA authentication http LOCAL console
AAA authentication LOCAL telnet console
the ssh LOCAL console AAA authentication
Enable http server
http 206.169.55.66 255.255.255.255 outside
http 206.169.50.171 255.255.255.255 outside
http 10.7.30.0 255.255.255.0 inside
http 206.169.51.32 255.255.255.240 outside
http 159.87.35.84 255.255.255.255 outside
SNMP-server host within the 10.7.30.37 community * version 2 c
location of the SNMP server *.
contact SNMP Server
Community SNMP-server
Server enable SNMP traps snmp authentication linkup, linkdown cold start
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
Crypto-map dynamic outside_dyn_map pfs set 20 Group1
card crypto outside_map 1 match address outside_1_cryptomap
peer set card crypto outside_map 1 206.169.55.66
map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
card crypto outside_map 2 match address outside_cryptomap
peer set card crypto outside_map 2 159.87.64.30
card crypto outside_map 2 game of transformation-ESP-AES-192-SHA
map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
outside_map interface card crypto outside
Crypto ca trustpoint *.
Terminal registration
full domain name *.
name of the object *.
MYKEY keypairs
Configure CRL
Crypto ca trustpoint A1
Terminal registration
fqdn ***************
name of the object *.
MYKEY keypairs
Configure CRL
Crypto ca trustpoint INTERMEDIARY
Terminal registration
no client-type
Configure CRL
Crypto ca trustpoint _SmartCallHome_ServerCA
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint0
Configure CRL
Crypto ca trustpoint ASDM_TrustPoint1
Configure CRL
ca encryption certificate chain *.
certificate ca 0301
BUNCH OF STUFF
quit smoking
A1 crypto ca certificate chain
OTHER LOTS of certificate
quit smoking
encryption ca INTERMEDIATE certificate chain
YET ANOTHER certificate
quit smoking
Crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca LAST BOUQUET
quit smoking
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
No encryption isakmp nat-traversal
Telnet 10.7.30.0 255.255.255.0 inside
Telnet timeout 30
SSH 206.169.55.66 255.255.255.255 outsideSSH timeout 5
Console timeout 0
management-access inside
dhcpd 4.2.2.2 dns 8.8.8.8
!
dhcpd address 10.7.150.10 - 10.7.150.30 WLAN_GUESTS
enable WLAN_GUESTS dhcpd
!a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
SSL encryption rc4 - md5 of sha1
SSL-trust A1 out point
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1 image
enable SVC
attributes of Group Policy DfltGrpPolicy
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
internal VPNUsers group strategy
Group Policy VPNUsers attributes
value of server DNS 10.7.30.20
Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list vpn_users_splitTunnelAcl
dwm2000.WM.State.AZ.us value by default-field
Split-dns value dwm2000.wm.state.az.us
username HCadmin password * encrypted privilege 15
attributes global-tunnel-group DefaultWEBVPNGroup
address VPN_POOL pool
authentication-server-group ADWM-FPS-02
strategy - by default-VPNUsers group
tunnel-group 206.169.55.66 type ipsec-l2l
IPSec-attributes tunnel-group 206.169.55.66
pre-shared key *.
tunnel-group 159.87.64.30 type ipsec-l2l
IPSec-attributes tunnel-group 159.87.64.30
pre-shared key *.
!
class-map IPS_TRAFFIC
corresponds to the IPS_TRAFFIC access list
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
inspect the icmp
Review the ip options
class IPS_TRAFFIC
IPS inline help
!
global service-policy global_policy
field of context fast hostname
anonymous reporting remote call
call-home
Profile of CiscoTAC-1
no active account
http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
email address of destination [email protected] / * /
destination-mode http transport
Subscribe to alert-group diagnosis
Subscribe to alert-group environment
Subscribe to alert-group monthly periodic inventory
monthly periodicals to subscribe to alert-group configuration
daily periodic subscribe to alert-group telemetry
Cryptochecksum:e70de424cf976e0a62b5668dc2284587
: end
ASDM image disk0: / asdm-645 - 206.bin
ASDM location 159.87.70.66 255.255.255.255 inside
ASDM location 208.65.144.0 255.255.248.0 inside
ASDM location 208.81.64.0 255.255.248.0 inside
ASDM location 172.16.10.0 255.255.255.0 inside
ASDM location 159.87.64.30 255.255.255.255 inside
don't allow no asdm historyAnyone have any ideas?
Hello
Please, add this line in your configuration and let me know if it works:
access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 10.7.30.0 255.255.255.0
I ask you to add that it is because you have not specified any exceptions for the return shipping. Once you add to it, will allow you to go through the tunnel VPN, packets back. When this command is not there, you will be able to access everything on the SAA but nothing behind it.
Let me know if it helps.
Thank you
Vishnu
-
AS with GANYMEDE + question
Try to get the module ACE and IOS devices to work with GANYMEDE. I have GBA v3.2.
The "optional" syntax does not work. No idea if the argument is valid for the version of the CSA?
Service = exec
Optional shell: Admin = domain Admin
I tried it with quotes, but which didn't work either.
Hello
This is a doc of reference for the configuration of the ACE for authentication Ganymede +,.
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.0
0_A1/configuration/Security/Guide/AAA.html#wp1321891
Under the custom for attribute Ganymede + we need to specify the attribute in the form,
Shell: Admin * ADMIN MYDOMAIN1
= means mandatory attribute
* Optional means
Information on the context/role/domain (virtualization on ACE):
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.0
0_A1/configuration/virtualization/guide/ovrview.html
Default 'role' on ACE:
http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.0
0_A1/configuration/virtualization/guide/ovrview.html#wp1051297
HTH
JK
Please evaluate the useful messages-
-
GANYMEDE + question: Please help
Dear all,
It is with regard to Ganymede +. I have configured Ganymede + on switch cisco, but it is local user name and password
for authentication.
With below configuration on the other switch, works very well with Ganymede + username and password, but not with
This switch.
AAA new-model
AAA authentication login default group Ganymede + local
AAA authentication login no_login local
AAA accounting send stop-record an authentication failure
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
Default connection accounting AAA power Ganymede group.
AAA - the id of the joint session
RADIUS-server host 10.0.2.193 touches 110A101614425A5E57 7
RADIUS-server application made
username admin privilege 15 password *.
line vty 0 4
transport input telnet ssh
by default the authentication of connection
Also, this switch is configured for intervlan routing, with the following configuration and I added 10.0.6.1 address IP Cisco ACS.
interface Vlan5
the IP 10.0.0.1 255.255.255.0
!
interface Vlan20
IP 10.0.2.1 255.255.255.0
IP helper 10.0.0.7
!
interface Vlan60
IP 10.0.6.1 255.255.255.0
REFLXIS_PUNCORE #show Ganymede
GANYMEDE + server: 10.0.2.193/49
Opening of socket: 33
Firm grip: 33
Write-offs of socket: 0
Socket errors: 0
Socket timeouts: 0
Failed connection attempts: 0
Total packets sent: 33
Recv packets total: 0
So please help on the same.
Hello Eve,.
the IP address of the server 10.0.2.193 is accessible in 20 Vlan.
Therefore, the switch will try to connect to the server using the address IP of Vlan20, 10.0.2.1.
You can fix this in two ways:
1. change the configuration on the radius server to have an entry with 10.0.2.1 instead of 10.0.6.1.
or
2. change the configuration of the switch, adding "ip radius-server source interface vlan 60.
Please indicate the so useful post
Marco
-
VPN between ASA and cisco router [phase2 question]
Hi all
I have a problem with IPSEC VPN between ASA and cisco router
I think that there is a problem in the phase 2
Can you please guide me where could be the problem.
I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified belowLooking forward for your help
Phase 1 is like that
Cisco_router #sh crypto isakmp his
IPv4 Crypto ISAKMP Security Association
status of DST CBC State conn-id slot
78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVEand ASA
ASA # sh crypto isakmp his
ITS enabled: 1
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 11 peer IKE: 78.x.x.41
Type: L2L role: initiator
Generate a new key: no State: MM_ACTIVEPhase 2 on SAA
ASA # sh crypto ipsec his
Interface: Outside
Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
19.194.0 255.255.255.0
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer: 78.x.x.41#pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
#send errors: 0, #recv errors: 0local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41
Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
current outbound SPI: C96393ABSAS of the esp on arrival:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4275000/3025)
Size IV: 8 bytes
support for replay detection: Y
outgoing esp sas:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac no
running parameters = {L2L, Tunnel}
slot: 0, id_conn: 7, crypto-card: Outside_map
calendar of his: service life remaining (KB/s) key: (4274994/3023)
Size IV: 8 bytes
support for replay detection: YPhase 2 on cisco router
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x0 (0)SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
current_peer 87.x.x.4 port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errorslocal crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
current outbound SPI: 0x3E9D820B (1050509835)SAS of the esp on arrival:
SPI: 0xC96393AB (3378746283)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4393981/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEthe arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
SPI: 0x3E9D820B (1050509835)
transform: esp-3des esp-md5-hmac.
running parameters = {Tunnel}
Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
calendar of his: service life remaining (k/s) key: (4394007/1196)
Size IV: 8 bytes
support for replay detection: Y
Status: ACTIVEoutgoing ah sas:
outgoing CFP sas:
VPN configuration is less in cisco router
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectaccess-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connectsheep allowed 10 route map
corresponds to the IP 105Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset
mycryptomap 100 ipsec-isakmp crypto map
the value of 87.x.x.4 peer
Set transform-set mytransformset
match address 101crypto ISAKMP policy 100
BA 3des
md5 hash
preshared authentication
Group 2
ISAKMP crypto key xxx2011 address 87.x.x.4Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.
You currently have:
Extend the 105 IP access list
5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIt should be:
Extend the 105 IP access list
10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connectIP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)
To remove it and add it to the bottom:
105 extended IP access list
not 5
IP 172.19.194.0 allow 60 0.0.0.255 any
Then ' delete ip nat trans. "
and it should work now.
-
LACP hash between N3048 and CISCO SG300/SG200 + question Twinax attach direct cable
Hello
In my network I have deployed two new N3048 with 2 transceivers SPF + and SPF module back + as core switches are connected to other 3 switches from edge of N2048 using optical fiber and I reused my previous CISCO SG300 and SG200 goes to serve the other two boxes of my campus via the spine in copper.
I have 4 copper cable which starts from the hub of the SG300 network and 2 the SG200 brass. I set up to have a redundant connection using 2 + 2 with SG300 and 1 + 1 with SG200 RSTP.
So for the SG300 I re LAG + LACP to have two channels of the N3048s port, but now that a single cable is connected because I don't know what kind of LACP hash mode should I put on N3048 to have a compatible hash between Dell and Cisco switches.
My N3048 have mode 7 (Advanced hash) as default but I guess that cisco models do not understand... so, what mode is the best for LACP work perfectly with small business cisco switches?
I also received my twinax cables to connect my two N3048 via SPF + back modules... conhot can I plug the cables into the slots SPF + (already mounted) without turning off my basic switches?
Thank you!
See you soon
Cables can be connected/disconnected, but I don't know if the real module SFP + for the rear of the N3000 is hot plug.
-
Hello! I am looking to buy a single Cisco Aironet 1852 and use Mobility Express. Is the number of a particular product, I'm looking at AIR-AP1852E-A-K9.
(1) are additional licenses needed to use mobility Express?
(2) what is the difference between AIR-AP1852E-A-K9 and AIR-AP1852E-A-K9C?
(3) I'm trying to find the data sheet for this particular access point and looks like I have to be a partner of Cisco. I thought that the sheets are available for all. Am I missing something? What happens if I try just to watch the product numbers?
(4) if I buy this particular Cisco access point, does with a support contract or should I buy one? I can't go without buying a support contract?
(5) the free tools I can use for the best placement of WiFi AP?
Thanks in advance!
1 NO.
2. do not.
3. this URL does not access partner. It takes you to the indoor access points.
http://www.Cisco.com/c/en/us/products/wireless/buyers-guide.html# ~ indoorac-Wave2
4. it does not come with a support contract. You have to buy it separately.
5. Yes, it is called trial and error.
-
Cisco SGE2010P routing question
I currently have a Cisco SGE2010P that I use as my default gateway for everything on my network. I have a static route that points our VoIP traffic on a dedicated line, and that works very well. I recently added a second route that points to another router with a metric of 200. Now, my hope was that if the main road with a metric of 1 was not the next road would be. In my tests, this does not happen. Am I missing something? Now if I put the metric higher as the default route, then phones register and everything works fine. Any thoughts?
Hi Sean, when packets match several static routes, the gateway sends the packet to the route with the lowest metric.
-Tom
Please mark replied messages useful -
CIsco UCS FI question license (2,23e)
Hello
I have system UCS running firmware version 2.2 (3rd) and after the application of the licenses of four additional ports for each fabric of interconnection, I got a warning that tissue-period of grace entered interconnection.
We have these warning although we are not on the supply of all ports (e.g. absolute amount = quantity). Please check the attached screenshot.
I want to check if anyone had this problem before and if it of the bug or not.
Thank you
Mohammad
https://Tools.Cisco.com/bugsearch/bug/CSCui19338/?reffering_site=dumpcr
Perhaps?
-
Cisco telepresence camera question - motivates and focus on who speaks. ???
Hi all
Wonder about a telepresence from cisco camera that when placed in a conference room can detect, move and focus on the person speaking?
Is this feature available on the PrecesionHD 4 x camera or another that I do not read this feature in the data sheet?
If so, please provide the reference for this.
Kind regards
It is compatible with the SX80, C40/60/90 points of termination. SpeakerTrack 60 is a unit of two cameras and therefore requires two inputs of camera on the codec, then it will not work with the SX20 because it has only one entrance of the camera. Both cameras help to provide seamless switching of active speakers in the room.
-
Cisco ASA GANYMEDE + mode does not
Hello
I'm setting the ASA 8.4 with GANYMEDE with below CLI configurations, I can only successfully connect on the MODE of USE of the ASA via GANYMEDE, but unable to get to the activation of the mode of the ASA via GANYMEDE. Also the ASA does not password enable local no more.
Also, I can successfully run "test the aaa of authentication GANYMEDE + username password password1 abc.
INFO: Authentication successful
Similarly, GANYMEDE ACS work for user mode and activate the mode for routers / switches.
Run ASA CLI
~~~~~~~~~~~~~
privilege of [ENTER ADMIN password PASSWORD HERE] user_name [ENTER name of USER HERE] 15
activate the password [ENTER ENABLE MODE PASSWORD HERE]
GANYMEDE + Protocol Ganymede + AAA-server
AAA-server GANYMEDE + 3 max-failed-attempts
AAA-server GANYMEDE + deadtime 10
AAA-server GANYMEDE + (inside) host [ENTER GANYMEDE + SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
GANYMEDE + LOCAL console for AAA of http authentication
authentication AAA ssh console GANYMEDE + LOCAL
Console telnet authentication GANYMEDE + LOCAL AAA
AAA authentication enable console LOCAL + GANYMEDE
AAA GANYMEDE + LOCAL authorization control
AAA accounting enable console GANYMEDE +.
AAA accounting console GANYMEDE + ssh
HeyRizwan,
What version of ACS are you running?
Make sure that you set the user name with a static 15 privilege level, otherwise it will not be able to pass authentication enable.
If ACS 5.x or higher to pass the elements of the policy: the Shell profile and make sure that you have assigned to a maximum static privilege to 15 and more important than its access policy rule
Looking for a Networking Assistance?
Contact me directly to [email protected] / * /I will fix your problem as soon as POSSIBLE.
See you soon,.
Julio Segura Carvajal
http://laguiadelnetworking.com -
Cisco ISE and question Admin CLI
Hello.
I have a strange problem with my installation of ISE. First of all, I use AD users for authentication. It works very well on HTTPS. I can connect with my admin AD by HTTPS.
The problem starts when I try to log in via the CLI (SSH). I got login prompt. When I type my credentials AD that he said "Login Incorrect" and I got the same result if I try it with the local administrator account.
I tried to reset the password for the local administrator over HTTPS to check this kind of wrong password. But no effect.
My ISE is installed VMware.
Experiences with it?
ARM
CLI authentication which is the base Linux OS is not / cannot be bound to AD to the admin authentication. Only, you integrate the application on top of Linux, which in this case is ISE, to AD. So, if you want to connect to the cli shell, you will need to use the username/password you configured during installation. If you do not remember those you need to perform a rest of password via the installation CD / ISO
Thank you for evaluating useful messages!
-
Finger: Cisco VPN or phone lines
My problem: I have 7 inbound customer calls and 7 telephone lines. On 6 of the phone lines, I see this problem: dial-in is fine, but when the VPN is established, I lose connectivity on the other equipment beyond the router. The phone line works for each client.
The configuration test (everything is in my lab):
1 W2K/Exchange Server. DHCP host, IP = xxx.yyy.8.2
1 cisco 2610 w / NM-08:00-modems, pomp IP = xxx.yyy.8.1
IOS = PKI/3DES 12.2 (11) T11
(router & server on Cisco 2950 switch
7 (identically configured) W2K Pro customers
7 telephone lines through a telecommunications system
I know this may be a case of a point of view of router thing, but I would appreciate some suggestions, that I can do for the phone guys because they see this as a problem, in part because the router constantly popping up messages cannot be informative but resemble errors:
% CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd package not an IPSEC packet.
The offending address can be a solid connection or not.
I ran a "debug crypto ipsec" on the 2 guests (a good, a bad); They seem to resemble the map of disconnect and then reconnect to the VPN.
Search for CRYPTO_4 error and found comments like: "To ensure that routers ACL is mirror images." I only have 1 router and the independent connections pass/fail error seeems.
"See map of CRYPTO" reveals no difference between clients: the customer who is chatting with the server has the same appearance as the customer who can not see the server.
I have a little experience of Cisco, but brutally inherited this project. Do not have access to the prior notes Wizard VPN came up with (if there a) and virtual private networks are new to me.
TIA,
Martin
I have not see this exact problem, but I've seen similar. They way I fixed it was to change the path of switching. Try:
Group-Async1 interface
no ip route cache
no ip mroute-cache
Maybe you are looking for
-
ZTE C open does not have access to the root after race unlock tool
I ordered an open C of ZTE on Ebay from the United Kingdom, and I wanted to unlock the bootloader.I followed the instructions from here (http://en.comebuy.com/developer-firefox-os-open-c.html), installed the version of the EU (I ordered the phone fro
-
My sound is gone for all notifications, why?
I look for iPad 2 do not know how or when, but I don't have any sound even when I'm playing solitaire, she turned even on side button can someone help please thank you
-
can I delete old updates of windows to free up disk space?
I was wondering if there is no safe way to remove old updates from windows on windows xp for free disk space.
-
Can running in the rain slaughter unit
I've got a long race scheduled for Saturday and it is supposed to rain. I'm running with a headset to the headset jack is open. Is there a reason to worry about the water penetrate into the socket and ruin the unit?
-
For the past week or so when you go to the market and then go to my apps it's white and it says I have not all downloaded apps. At first I thought that it was a small problem, but it has been more than a week, it of something new, what happens to eve