Cisco 2950 TACACS+ question

I have several 2950 switches that I can't get to work with TACACS+.  I use the same configuration that I use for other Cisco switches.

Cisco Internetwork Operating System Software

IOS (tm) C2950 Software (C2950-C3H2S-M), Version 12.0(5.3)WC(1), MAINTENANCE INTERIM SOFTWARE

System image file is "flash:c2950-c3h2s-mz.120-5.3.WC.1.bin"

username XXX privilege 15 password 7 XXXXXX
enable password XXXXXX
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authentication login conmethod group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
!
tacacs-server host XXX.XXX.XXX.XXX key 7 XXXXXXX
tacacs-server host XXX.XXX.XXX.XXX key 7 XXXXXXX

Any help would be greatly appreciated.

Thank you.

Hello

What does your vty line configuration look like?

Have you tried the test aaa-server command? If you have, what are you getting?


Similar Questions

  • Cisco ISE migration from 3395 servers to Cisco SNS 3495 question

    Hi all. I have a client that runs Cisco ISE 1.2 on a 3395 server and wants to migrate to Cisco SNS 3495 servers because end of life is imminent. My question is: should this client buy the Cisco SNS 3495 server with a new software license, or can they transfer or reuse the software license from their 3395 servers?

    What will be the best course of action for them. Thank you!!

    Ah, sorry, I was referring to Base and Apex (or Basic and Advanced from previous versions of ISE), which are the only licenses you really need to worry about.  If you look at the details in CCW, you'll see this item is the only one where a cost is indicated for the 3495 (except SmartNet, if you added it).  It is not a SKU you can add/remove.  Basically, you have what you need from a hardware point of view when you purchase the device.  You can rehost the software licenses (Base, Plus, Apex) once you get the new devices up and running.

    Tim

  • Cisco SRP 527W questions

    Hello, I have a few questions about the Cisco SRP 527W router.

    First of all, does it have a built-in modem?

    Second question: where can I get firmware updates for it?

    Please don't link me to the manual; I read it and could not find the relevant info.

    Thanks for the replies

    William

    Hi William:

    To address your first concern, this router supports ADSL2+ Annex A (ADSL over POTS) connections. You can also use some 3G USB modems with this router.

    You can find firmware updates in the Software Download Center. This link should take you straight to the SRP520 series downloads, but if not, just search the first link for SRP500 series downloads.

    Hope that helps.

    Best,

    David

    Please rate useful posts.

  • Cisco AnyConnect VPN question

    I have an ASA 5505 that I am trying to get running correctly with the AnyConnect client. The problem is, I can connect to the outside interface fine, but cannot ping or attach to any host on the inside. When I connect, it accepts the username and password, and I can run ASDM or SSH to the firewall just fine, but nothing further. After I log in, I get an inside IP address in the 10.7.30.x range, as expected.

    Following configuration:

    : Saved
    :
    ASA Version 8.2(5)
    !
    hostname asa5505
    domain-name BLA
    enable password * encrypted
    passwd * encrypted
    no names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
    !
    interface Ethernet0/3
     switchport access vlan 150
    !
    interface Ethernet0/4
    !
    interface Ethernet0/5
    !
    interface Ethernet0/6
    !
    interface Ethernet0/7
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 10.7.30.1 255.255.255.0
    !
    interface Vlan2
     nameif outside
     security-level 0
     ip address EXTERNAL IP 255.255.255.128
    !
    interface Vlan150
     nameif WLAN_GUESTS
     security-level 50
     ip address 10.7.150.1 255.255.255.0
    !
    boot system disk0:/asa825-k8.bin
    boot config disk0:/running-config
    ftp mode passive
    clock timezone STD -7
    dns server-group DefaultDNS
     domain-name BLA
    same-security-traffic permit intra-interface
    object-group service Webaccess tcp
     port-object eq www
     port-object eq https
    object-group network McAfee
     network-object 208.65.144.0 255.255.248.0
     network-object 208.81.64.0 255.255.248.0
    access-list outside_1_cryptomap extended permit ip 10.7.30.0 255.255.255.0 192.168.24.0 255.255.252.0
    access-list inside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 192.168.24.0 255.255.252.0
    access-list inside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 172.16.10.0 255.255.255.0
    access-list outside_access_in extended permit tcp any host 159.87.30.252 eq smtp
    access-list outside_access_in extended permit tcp any host 159.87.30.136 object-group Webaccess
    access-list outside_access_in extended permit tcp any host 159.87.30.243 object-group Webaccess
    access-list outside_access_in extended permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
    access-list outside_access_in extended permit tcp any host 159.87.30.252 object-group Webaccess
    access-list outside_access_in extended permit tcp any host 159.87.30.245 object-group Webaccess
    access-list outside_access_in extended permit tcp object-group McAfee any eq smtp
    access-list outside_access_in extended permit ip 172.16.10.0 255.255.255.0 10.7.30.0 255.255.255.0
    access-list outside_access_in extended permit ip host 159.87.64.30 any
    access-list vpn_users_splitTunnelAcl standard permit 10.7.30.0 255.255.255.0
    access-list IPS_TRAFFIC extended permit ip any any
    access-list outside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 any
    access-list inside_access_in extended permit udp 10.7.30.0 255.255.255.0 any eq snmp
    access-list outside_cryptomap extended permit ip 10.7.30.0 255.255.255.0 172.16.10.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    logging host inside 10.7.30.37
    logging debug-trace
    mtu inside 1500
    mtu outside 1500
    mtu WLAN_GUESTS 1500
    ip local pool VPN_POOL 10.7.30.190-10.7.30.200 mask 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-645-206.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 0 access-list outside_nat0_outbound
    nat (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 159.87.30.251 10.7.30.50 netmask 255.255.255.255
    static (inside,outside) 159.87.30.245 10.7.30.53 netmask 255.255.255.255
    static (inside,outside) 159.87.30.252 10.7.30.30 netmask 255.255.255.255
    static (inside,outside) 159.87.30.243 10.7.30.19 netmask 255.255.255.255
    static (inside,outside) 159.87.30.136 10.7.30.43 netmask 255.255.255.255
    access-group inside_access_in in interface inside control-plane
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
    route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server ADWM-FPS-02 protocol nt
    aaa-server ADWM-FPS-02 (inside) host 10.7.30.32
     timeout 5
     nt-auth-domain-controller ADWM-FPS-02
    aaa-server ADWM-FPS-02 (inside) host 10.7.30.49
     nt-auth-domain-controller ADWM-DC02
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    http server enable
    http 206.169.55.66 255.255.255.255 outside
    http 206.169.50.171 255.255.255.255 outside
    http 10.7.30.0 255.255.255.0 inside
    http 206.169.51.32 255.255.255.240 outside
    http 159.87.35.84 255.255.255.255 outside
    snmp-server host inside 10.7.30.37 community * version 2c
    snmp-server location *
    snmp-server contact
    snmp-server community
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map outside_dyn_map 20 set pfs group1
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 206.169.55.66
    crypto map outside_map 1 set transform-set ESP-3DES-MD5
    crypto map outside_map 2 match address outside_cryptomap
    crypto map outside_map 2 set peer 159.87.64.30
    crypto map outside_map 2 set transform-set ESP-AES-192-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map interface outside
    crypto ca trustpoint *
     enrollment terminal
     fqdn *
     subject-name *
     keypair MYKEY
     crl configure
    crypto ca trustpoint A1
     enrollment terminal
     fqdn ***************
     subject-name *
     keypair MYKEY
     crl configure
    crypto ca trustpoint INTERMEDIARY
     enrollment terminal
     no client-types
     crl configure
    crypto ca trustpoint _SmartCallHome_ServerCA
     crl configure
    crypto ca trustpoint ASDM_TrustPoint0
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     crl configure
    crypto ca certificate chain *
     certificate ca 0301
      BUNCH OF STUFF
      quit
    crypto ca certificate chain A1
     OTHER LOTS of certificate
      quit
    crypto ca certificate chain INTERMEDIATE
     YET ANOTHER certificate
      quit
    crypto ca certificate chain _SmartCallHome_ServerCA
     certificate ca LAST BOUQUET
      quit
    crypto isakmp enable outside
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    no crypto isakmp nat-traversal
    telnet 10.7.30.0 255.255.255.0 inside
    telnet timeout 30
    ssh 206.169.55.66 255.255.255.255 outside
    ssh timeout 5
    console timeout 0
    management-access inside
    dhcpd dns 4.2.2.2 8.8.8.8
    !
    dhcpd address 10.7.150.10-10.7.150.30 WLAN_GUESTS
    dhcpd enable WLAN_GUESTS
    !
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    ssl encryption rc4-md5 des-sha1
    ssl trust-point A1 outside
    webvpn
     enable outside
     anyconnect-essentials
     svc image disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1
     svc enable
    group-policy DfltGrpPolicy attributes
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy VPNUsers internal
    group-policy VPNUsers attributes
     dns-server value 10.7.30.20
     vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpn_users_splitTunnelAcl
     default-domain value dwm2000.wm.state.az.us
     split-dns value dwm2000.wm.state.az.us
    username HCadmin password * encrypted privilege 15
    tunnel-group DefaultWEBVPNGroup general-attributes
     address-pool VPN_POOL
     authentication-server-group ADWM-FPS-02
     default-group-policy VPNUsers
    tunnel-group 206.169.55.66 type ipsec-l2l
    tunnel-group 206.169.55.66 ipsec-attributes
     pre-shared-key *
    tunnel-group 159.87.64.30 type ipsec-l2l
    tunnel-group 159.87.64.30 ipsec-attributes
     pre-shared-key *
    !
    class-map IPS_TRAFFIC
     match access-list IPS_TRAFFIC
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect icmp
      inspect ip-options
     class IPS_TRAFFIC
      ips inline fail-open
    !
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous
    call-home
     profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:e70de424cf976e0a62b5668dc2284587
    : end
    asdm image disk0:/asdm-645-206.bin
    asdm location 159.87.70.66 255.255.255.255 inside
    asdm location 208.65.144.0 255.255.248.0 inside
    asdm location 208.81.64.0 255.255.248.0 inside
    asdm location 172.16.10.0 255.255.255.0 inside
    asdm location 159.87.64.30 255.255.255.255 inside
    no asdm history enable

    Anyone have any ideas?

    Hello

    Please add this line to your configuration and let me know if it works:

    access-list inside_nat0_outbound extended permit ip 10.7.30.0 255.255.255.0 10.7.30.0 255.255.255.0

    The reason I ask you to add it is that you have not specified any exemption for the return traffic. Once you add it, the return packets will be allowed to go through the VPN tunnel. When this command is not there, you will be able to access everything on the ASA but nothing behind it.

    Let me know if it helps.

    Thank you

    Vishnu

  • ACE with TACACS+ question

    Trying to get the ACE module and IOS devices to work with TACACS+. I have ACS v3.2.

    The "optional" syntax does not work. Any idea if the argument is valid for this version of ACS?

    Service = exec

    Optional shell: Admin = domain Admin

    I tried it with quotes, but which didn't work either.

    Hello

    This is a reference doc for configuring the ACE for TACACS+ authentication:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/Security/Guide/AAA.html#wp1321891

    Under the custom attribute for TACACS+ we need to specify the attribute in the form:

    Shell: Admin * ADMIN MYDOMAIN1

    = means mandatory attribute

    * means optional attribute

    Information on the context/role/domain (virtualization on ACE):

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html

    Default 'role' on ACE:

    http://www.Cisco.com/en/us/docs/interfaces_modules/services_modules/ACE/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297

    HTH

    JK

    Please rate useful posts.

  • TACACS+ question: Please help

    Dear all,

    This is regarding TACACS+. I have configured TACACS+ on a Cisco switch, but it is using the local username and password for authentication.

    The configuration below works very well on another switch with the TACACS+ username and password, but not with this switch.

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_login local
    aaa accounting send stop-record authentication failure
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    radius-server host 10.0.2.193 key 7 110A101614425A5E57
    radius-server directed-request
    username admin privilege 15 password *
    line vty 0 4
     transport input telnet ssh
     login authentication default

    Also, this switch is configured for inter-VLAN routing with the following configuration, and I added the IP address 10.0.6.1 in Cisco ACS.

    interface Vlan5
     ip address 10.0.0.1 255.255.255.0
    !
    interface Vlan20
     ip address 10.0.2.1 255.255.255.0
     ip helper-address 10.0.0.7
    !
    interface Vlan60
     ip address 10.0.6.1 255.255.255.0

    REFLXIS_PUNCORE#show tacacs
    Tacacs+ Server : 10.0.2.193/49
      Socket opens: 33
      Socket closes: 33
      Socket aborts: 0
      Socket errors: 0
      Socket Timeouts: 0
      Failed Connect Attempts: 0
      Total Packets Sent: 33
      Total Packets Recv: 0

    So please help on the same.

    Hello Eve,

    The server IP address 10.0.2.193 is reachable in Vlan20.

    Therefore, the switch will try to connect to the server using the IP address of Vlan20, 10.0.2.1.

    You can fix this in two ways:

    1. Change the configuration on the radius server to have an entry with 10.0.2.1 instead of 10.0.6.1.

    or

    2. Change the configuration of the switch, adding "ip radius source-interface vlan 60".

    Please rate the post if useful

    Marco

  • VPN between ASA and cisco router [phase2 question]

    Hi all

    I have a problem with an IPsec VPN between an ASA and a Cisco router.

    I think that there is a problem in phase 2.

    Can you please guide me to where the problem could be?
    I suspect ACL issues on the router, but I cannot fix them. The ACL on the router is specified below.

    Looking forward to your help.

    Phase 1 looks like this:

    Cisco_router#sh crypto isakmp sa

    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
    78.x.x.41       87.x.x.4        QM_IDLE           2006    0 ACTIVE

    and ASA

    ASA# sh crypto isakmp sa

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 78.x.x.41
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE

    Phase 2 on ASA

    ASA# sh crypto ipsec sa
    interface: Outside
        Crypto map tag: Outside_map, seq num: 20, local addr: 87.x.x.4

          access-list Outside_cryptomap_20 permit ip 172.19.209.0 255.255.255.0 172.19.194.0 255.255.255.0
          local ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
          current_peer: 78.x.x.41

          #pkts encaps: 8813, #pkts encrypt: 8813, #pkts digest: 8813
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 8813, #pkts comp failed: 0, #pkts decomp failed: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 87.x.x.4, remote crypto endpt.: 78.x.x.41

          path mtu 1500, ipsec overhead 58, media mtu 1500
          current outbound spi: C96393AB

        inbound esp sas:
          spi: 0x3E9D820B (1050509835)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 7, crypto-map: Outside_map
             sa timing: remaining key lifetime (kB/sec): (4275000/3025)
             IV size: 8 bytes
             replay detection support: Y
        outbound esp sas:
          spi: 0xC96393AB (3378746283)
             transform: esp-3des esp-md5-hmac none
             in use settings ={L2L, Tunnel, }
             slot: 0, conn_id: 7, crypto-map: Outside_map
             sa timing: remaining key lifetime (kB/sec): (4274994/3023)
             IV size: 8 bytes
             replay detection support: Y

    Phase 2 on Cisco router

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (172.19.194.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (172.19.209.0/255.255.255.0/0/0)
    current_peer 87.x.x.4 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 8947, #pkts decrypt: 8947, #pkts verify: 8947
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

     local crypto endpt.: 78.x.x.41, remote crypto endpt.: 87.x.x.4
     path mtu 1452, ip mtu 1452, ip mtu idb Dialer0
     current outbound spi: 0x3E9D820B(1050509835)

     inbound esp sas:
      spi: 0xC96393AB(3378746283)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4393981/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3E9D820B(1050509835)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: mycryptomap
        sa timing: remaining key lifetime (k/sec): (4394007/1196)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

    The VPN configuration on the Cisco router is below:

    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 log
    access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 log

    route-map sheep permit 10
     match ip address 105

    crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac

    crypto map mycryptomap 100 ipsec-isakmp
     set peer 87.x.x.4
     set transform-set mytransformset
     match address 101

    crypto isakmp policy 100
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxx2011 address 87.x.x.4

    Your permit statement in ACL 105 should be moved down to the bottom, because it is the most general ACL entry.

    You currently have:

    Extended IP access list 105
    5 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log

    It should be:

    Extended IP access list 105
    10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 log
    30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 log
    50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 log
    60 permit ip 172.19.194.0 0.0.0.255 any (18585 matches)

    To remove it and add it to the bottom:

    ip access-list extended 105
     no 5
     60 permit ip 172.19.194.0 0.0.0.255 any

    Then "clear ip nat trans *"

    and it should work now.
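
The ordering problem in that answer, as an added example (not code from the thread): a first-match evaluator for IOS-style extended ACL entries with wildcard masks, run over ACL 105 before and after the reorder. It assumes the sequence-5 permit has destination `any`, as the corrected line shows; `Entry`, `evaluate` and `shadowed` are hypothetical names, and the sample hosts are constructed.

```python
"""Added example: first-match evaluation of a Cisco-style extended IP ACL."""
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")  # a wildcard of all ones means "any"


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def _wild_match(spec, ip):
    """Wildcard-mask match: bits set in the wildcard are "don't care"."""
    addr, wild = _to_int(spec[0]), _to_int(spec[1])
    care = ~wild & 0xFFFFFFFF
    return (_to_int(ip) & care) == (addr & care)


def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    o_addr, o_wild = _to_int(outer[0]), _to_int(outer[1])
    i_addr, i_wild = _to_int(inner[0]), _to_int(inner[1])
    o_care = ~o_wild & 0xFFFFFFFF
    # outer may only test bits that inner also fixes, and must agree on them
    return (o_care & i_wild) == 0 and (o_addr & o_care) == (i_addr & o_care)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str  # "permit" or "deny"
    src: tuple   # (address, wildcard)
    dst: tuple   # (address, wildcard)


def evaluate(acl, src_ip, dst_ip):
    """Return (seq, action) of the first matching entry, lowest seq first."""
    for e in sorted(acl, key=lambda e: e.seq):
        if _wild_match(e.src, src_ip) and _wild_match(e.dst, dst_ip):
            return e.seq, e.action
    return None, "deny"  # implicit deny at the end of every ACL


def shadowed(acl):
    """List (seq, shadowing_seq) for entries that can never be reached."""
    ordered = sorted(acl, key=lambda e: e.seq)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst):
                hits.append((later.seq, earlier.seq))
                break
    return hits


LAN = ("172.19.194.0", "0.0.0.255")
DENIES = [
    Entry(10, "deny", LAN, ("172.19.206.0", "0.0.0.255")),
    Entry(30, "deny", LAN, ("172.19.203.0", "0.0.0.255")),
    Entry(50, "deny", LAN, ("172.19.209.0", "0.0.0.255")),
]
# ACL 105 as posted: the general permit sits at sequence 5, above the denies.
BEFORE = [Entry(5, "permit", LAN, ANY)] + DENIES
# ACL 105 after the fix: the general permit is re-added at sequence 60.
AFTER = DENIES + [Entry(60, "permit", LAN, ANY)]

if __name__ == "__main__":
    # Constructed sample flow: LAN host to a host behind the ASA.
    flow = ("172.19.194.10", "172.19.209.20")
    # In the NAT route-map, permit = translate, deny = leave untranslated.
    print("before:", evaluate(BEFORE, *flow), "shadowed:", shadowed(BEFORE))
    print("after: ", evaluate(AFTER, *flow), "shadowed:", shadowed(AFTER))
```

With the permit first, the VPN-bound flow is translated before it can match crypto ACL 101, which is consistent with the router showing decaps but zero encaps.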

  • LACP hash between N3048 and Cisco SG300/SG200 + question about Twinax direct attach cables

    Hello

    In my network I have deployed two new N3048s, each with 2 SFP+ transceivers and a rear SFP+ module, as core switches. They are connected to 3 other N2048 edge switches using optical fiber, and I reused my previous Cisco SG300 and SG200 to serve the other two boxes of my campus via a copper backbone.

    I have 4 copper cables running from the network hub to the SG300 and 2 copper cables to the SG200. I set it up to have a redundant connection using 2 + 2 with the SG300 and 1 + 1 with the SG200, with RSTP.

    So for the SG300 I set up LAG + LACP to have two port channels to the N3048s, but for now only a single cable is connected, because I don't know what LACP hash mode I should set on the N3048 to have a compatible hash between the Dell and Cisco switches.

    My N3048s have mode 7 (enhanced hash) as the default, but I guess that the Cisco models do not understand it... so, which mode is best for LACP to work perfectly with Cisco small business switches?

    I also received my twinax cables to connect my two N3048s via the rear SFP+ modules... can I plug the cables into the SFP+ slots (already mounted) without turning off my core switches?

    Thank you!

    See you soon

    Cables can be connected/disconnected, but I don't know if the actual SFP+ module for the rear of the N3000 is hot-pluggable.

  • Cisco AP purchase Questions

    Hello! I am looking to buy a single Cisco Aironet 1852 and use Mobility Express. The particular product number I'm looking at is AIR-AP1852E-A-K9.

    (1) Are additional licenses needed to use Mobility Express?

    (2) What is the difference between AIR-AP1852E-A-K9 and AIR-AP1852E-A-K9C?

    (3) I'm trying to find the data sheet for this particular access point, and it looks like I have to be a Cisco partner. I thought that the data sheets were available to all. Am I missing something? What happens if I just try to look up the product numbers?

    (4) If I buy this particular Cisco access point, does it come with a support contract or should I buy one? Can I go without buying a support contract?

    (5) Are there free tools I can use for the best placement of WiFi APs?

    Thanks in advance!

    1. No.

    2. do not.

    3. This URL does not require partner access.  It takes you to the indoor access points.

    http://www.Cisco.com/c/en/us/products/wireless/buyers-guide.html#~indoorac-Wave2

    4. It does not come with a support contract.  You have to buy it separately.

    5. Yes, it is called trial and error.

  • Cisco SGE2010P routing question

    I currently have a Cisco SGE2010P that I use as my default gateway for everything on my network. I have a static route that points our VoIP traffic to a dedicated line, and that works very well. I recently added a second route that points to another router with a metric of 200. My hope was that if the main route with a metric of 1 was not available, the next route would be used. In my tests, this does not happen. Am I missing something? If I set the higher-metric route as the default route, then the phones register and everything works fine. Any thoughts?

    Hi Sean, when packets match several static routes, the gateway sends the packet to the route with the lowest metric.

    -Tom
    Please mark replied messages useful

  • Cisco UCS FI license question (2.2(3e))

    Hello

    I have a UCS system running firmware version 2.2(3e), and after applying licenses for four additional ports on each fabric interconnect, I got a warning that the fabric interconnect entered the grace period.

    We get this warning although we are not over-provisioning the ports (e.g. absolute quantity = used quantity). Please check the attached screenshot.

    I want to check if anyone has had this problem before and if it is a bug or not.

    Thank you

    Mohammad

    https://Tools.Cisco.com/bugsearch/bug/CSCui19338/?reffering_site=dumpcr

    Perhaps?

  • Cisco telepresence camera question - moves and focuses on who speaks???

    Hi all

    I am wondering whether there is a Cisco telepresence camera that, when placed in a conference room, can detect, move to and focus on the person speaking?

    Is this feature available on the PrecisionHD 4x camera or another one? I did not read about this feature in the data sheet.

    If so, please provide the reference for this.

    Kind regards

    It is compatible with the SX80 and C40/60/90 endpoints.  SpeakerTrack 60 is a unit of two cameras and therefore requires two camera inputs on the codec, so it will not work with the SX20 because it has only one camera input.  Both cameras help to provide seamless switching between active speakers in the room.

  • Cisco ASA TACACS+ mode does not

    Hello

    I'm setting up the ASA 8.4 with TACACS+ using the CLI configuration below. I can only successfully log in to the USER MODE of the ASA via TACACS+, but I am unable to get to the enable mode of the ASA via TACACS+. Also, the ASA does not accept the local enable password any more.

    Also, I can successfully run "test aaa-server authentication TACACS+ username abc password password1".

    INFO: Authentication successful

    Similarly, TACACS+ on ACS works for user mode and enable mode for routers / switches.

    Run ASA CLI

    ~~~~~~~~~~~~~

    username [ENTER USER NAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+

    Hey Rizwan,

    What version of ACS are you running?

    Make sure that you set the username with a static privilege level of 15, otherwise it will not be able to pass enable authentication.

    If ACS 5.x or higher, go to Policy Elements: Shell Profile and make sure that you have assigned a static maximum privilege of 15 and, more importantly, that it is in your access policy rule.

    See you soon,

    Julio Segura Carvajal
    http://laguiadelnetworking.com
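
An added example, not part of the original thread or of any Cisco tooling: a small Python audit of `aaa ... console` lines like those in the question. It reports which access paths have no LOCAL fallback and shows that, with a server group listed first, enable is decided by the server while it is reachable. The sample config, the group name TACACS+ and the serial line are constructed assumptions.

```python
import re

# Constructed sample modelled on the ASA lines in the question. The server
# group name "TACACS+" and the serial line are assumptions for illustration.
SAMPLE_CONFIG = """\
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+
aaa authorization command TACACS+ LOCAL
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$", re.IGNORECASE)
AUTHZ_RE = re.compile(r"^aaa authorization command (.+)$", re.IGNORECASE)


def parse_aaa(config):
    """Return ({access path: [sources in order]}, [command authorization sources])."""
    methods, cmd_authz = {}, []
    for raw in config.splitlines():
        line = raw.strip()
        auth = AUTH_RE.match(line)
        authz = AUTHZ_RE.match(line)
        if auth:
            methods[auth.group(1).lower()] = auth.group(2).split()
        elif authz:
            cmd_authz = authz.group(1).split()
    return methods, cmd_authz


def audit(config):
    """Return review findings about fallback and where enable is decided."""
    methods, cmd_authz = parse_aaa(config)
    findings = []
    for path, sources in sorted(methods.items()):
        if "LOCAL" not in [s.upper() for s in sources]:
            findings.append(f"{path}: no LOCAL fallback if the server group is unreachable")
    enable = methods.get("enable", [])
    if enable and enable[0].upper() != "LOCAL":
        findings.append(f"enable: checked against {enable[0]} while it answers; "
                        "LOCAL is used only as fallback")
    if cmd_authz and cmd_authz[0].upper() != "LOCAL":
        findings.append(f"commands: authorized by {cmd_authz[0]} while it answers")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```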

  • Cisco ISE and Admin CLI question

    Hello.

    I have a strange problem with my installation of ISE. First of all, I use AD users for authentication. It works very well over HTTPS. I can log in with my AD admin over HTTPS.

    The problem starts when I try to log in via the CLI (SSH). I get the login prompt. When I type my AD credentials, it says "Login Incorrect", and I get the same result if I try it with the local administrator account.

    I tried resetting the password for the local administrator over HTTPS to rule out a wrong password. But no effect.

    My ISE is installed on VMware.

    Any experience with this?

    ARM

    CLI authentication, which belongs to the base Linux OS, is not and cannot be bound to AD for admin authentication. You only integrate the application on top of Linux, which in this case is ISE, with AD. So, if you want to connect to the CLI shell, you will need to use the username/password you configured during installation. If you do not remember those, you need to perform a password reset via the installation CD / ISO.

    Thank you for rating useful posts!

  • Finger: Cisco VPN or phone lines

    My problem: I have 7 dial-in clients and 7 telephone lines. On 6 of the phone lines, I see this problem: dial-in is fine, but when the VPN is established, I lose connectivity to the other equipment beyond the router. The phone line works for each client.

    The configuration test (everything is in my lab):

    1 W2K/Exchange Server. DHCP host, IP = xxx.yyy.8.2

    1 cisco 2610 w/ NM-8AM modems, pomp IP = xxx.yyy.8.1

    IOS = PKI/3DES 12.2 (11) T11

    (router & server on Cisco 2950 switch)

    7 (identically configured) W2K Pro clients

    7 telephone lines through a telecommunications system

    I know this may be a case of a point of view of router thing, but I would appreciate some suggestions that I can give to the phone guys, because they see this as a problem, in part because the router is constantly popping up messages that may be informational but resemble errors:

    %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

    The offending address can be a solid connection or not.

    I ran a "debug crypto ipsec" on 2 hosts (one good, one bad); they seem to resemble the map of disconnect and then reconnect to the VPN.

    I searched for the CRYPTO-4 error and found comments like: "Ensure that the routers' ACLs are mirror images." I only have 1 router, and the error seems independent of whether connections pass or fail.

    "show crypto map" reveals no difference between clients: the client that is talking to the server looks the same as the client that cannot see the server.

    I have a little Cisco experience, but abruptly inherited this project. I do not have access to the notes the prior VPN wizard came up with (if there are any), and virtual private networks are new to me.

    TIA,

    Martin

    I have not seen this exact problem, but I've seen similar. The way I fixed it was to change the switching path. Try:

    interface Group-Async1

    no ip route-cache

    no ip mroute-cache
