Cisco SRP 527W questions

Similar Questions

• Blocking ports from WAN to LAN SRP 527W

  Hi all

  Just bought a router Cisco SRP 527W.

  I tried to figure outhow to block Telnet from the Wan to LAN (VLAN) and in the firewall section, I don't see the option to block LAN to WAN.

  I'm sure its simple but I'm just not see it. Can someone tell me please in the right direction?

  Port forwarding only opens port 25 in this case.  If someone tries to use the port 23 (or any other port besides) the traffic will be dropped.

  Of course, it would be possible that someone trying to log telnet on port 25, but your server must treat that (i.e. it does bind the SMTP application to this port).

  Andy

• Cisco SRP 521W with multiple WAN IP addresses

  Hi all

  I have an unusual scenario that may require the use of a SRP 521W-, the scenario is as follows:

  Temporary installation:

  • Cisco 857 ADSL router until the Ethernet Hand-off is installed
  • Several IPS delivered on the ADSL WAN service
  • Cisco 857 in Bridge Mode and connected to the WAN - SRP 521W port
  • Cisco 521W manages authentication and routing
  • Check Point Firewall system connected to SRP 521W LAN-1
  • Check Point Firewall has IP WAN 203.XXX.XXX.XXX
  • Cisco UC-540W connected to SRP 521W LAN-2
  • Cisco UC-540W has 203.XX WAN IP. XX. XX

  If you understand the situation described above, I'm curious to know if this is possible and if so how? I need a totally separate networks and the only thing they have in common is the Cisco SRP 521W.

  It is also worth noting that the SRP 521W is used because the ADSL service is only temporary, while the fiber build is complete and the carrier provides an Ethernet Hand-Off, then Internet service will change to this type of presentation and the ADSL router will be relegated in the dark loneliness world.

  I went through the router and have been playing around with the settings, the problem is that I have nothing in LABORATORY work more that can I would like to reproduce this environment and test it before deployment... SO I hope someone can help to shed light on this case in order to reduce the amount of trail and error, I have to meet to operate.

  For any help or suggestion is appreciated.

  See you soon,.

  David.

  Hi David,

  Is your PC provides you with all the public addresses within the same subnet?  that is the WAN IP of the router is part of the same subnet as the address 203.x.x.x?  Or well, is separately assigned WAN address?

  If the addresses are all part of the same subnet, I fear the SRP520 will not support what you are trying to do - this product does not support the concept of a single address on the WAN port forwarding/DMZ use.

  If the sunet inside is routed via the WAN address, then it should be possible to turn NAT and attack the VLAN local accordingly.

  PS: The SRP541 host multiple WAN addresses for port forwarding/DMZ.

  Kind regards

  Andy

• Migration to ISE for servers 3395 Cisco Cisco SNS 3495 question

  Hi all. I have a client that runs on a Cisco 3395 ISE 1.2 Server and wants to migrate to Cisco SNS 3495 servers due to the end of life is imminent. My question is - this client should buy Cisco SNS 3495 server with a new software license, or may transfer or reuse the license of the software from their 3395 servers?

  What will be the best course of action for them. Thank you!!

  Ah, sorry, I was referring to the base, and, the apex (or Basic, advanced from previous levels of ISE) - which are licenses only you really need to worry.  If you look at the details to the CCW, you're talking about this topic is the only one where the cost is indicated for the 3495 (except SmartNet if you added).  This is not a point of STOCK you can add/remove.  Basically, you have what you need from a material point of view when you purchase the device.  Can you rehost license software (Basic, plus, apex) once you get the new devices up and running.

  Tim

• L2TP over IPSEC VPN is supported in Cisco SRP 521w?

  I now try to configure a Cisco Small Business Pro SRP 521w for a branch office router, I try to get the router to connect to a VPN L2TP server inside my data center, but it seems to me that the client VPN L2TP function is not supported within the SRP 521w router.

  Can Cisco implementing in the future in the firmware for the router in SRP 521w client VPN L2TP?

  Hello

  This is correct, without L2TP over IPSec tunnels.

  (L2TP only supported on the primary Ethernet WAN interfaces).

  Kind regards

  Andy

• Cisco AnyConnect VPN question

  I am ASA 5505 that I am of is running correctly by using the AnyConnect client. The question is, can I connect to the fine external interface, but cannot ping or attach them to any host on the inside. When I connect, it accepts the user name and password, and I can run the ASDM or SSH to the firewall very well, but not further. In the control, after I log in, I get an IP address inside, of the order of 10.7.30.x as expected.

  Following configuration:

  : Saved
  :
  ASA Version 8.2 (5)
  !
  asa5505 hostname
  domain BLA
  activate the password * encrypted
  passwd * encrypted
  no names

  !
  interface Ethernet0/0
  switchport access vlan 2
  !
  interface Ethernet0/1
  !
  interface Ethernet0/2
  !
  interface Ethernet0/3
  switchport access vlan 150
  !
  interface Ethernet0/4
  !
  interface Ethernet0/5
  !
  interface Ethernet0/6
  !
  interface Ethernet0/7
  !
  interface Vlan1
  nameif inside
  security-level 100
  IP 10.7.30.1 255.255.255.0
  !
  interface Vlan2
  nameif outside
  security-level 0
  IP EXTERNAL IP 255.255.255.128
  !
  interface Vlan150
  nameif WLAN_GUESTS
  security-level 50
  IP 10.7.150.1 255.255.255.0
  !
  boot system Disk0: / asa825 - k8.bin
  config to boot Disk0: / running-config
  passive FTP mode
  clock timezone STD - 7
  DNS server-group DefaultDNS
  domain BLA
  permit same-security-traffic intra-interface
  object-group service tcp Webaccess
  port-object eq www
  EQ object of the https port
  object-group network McAfee
  network-object 208.65.144.0 255.255.248.0
  network-object 208.81.64.0 255.255.248.0
  access extensive list ip 10.7.30.0 outside_1_cryptomap allow 255.255.255.0 192.168.24.0 255.255.252.0
  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 192.168.24.0 255.255.252.0
  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 172.16.10.0 255.255.255.0
  outside_access_in list extended access permit tcp any host 159.87.30.252 eq smtp
  outside_access_in list extended access permit tcp any host 159.87.30.136 Webaccess object-group
  outside_access_in list extended access permit tcp any host 159.87.30.243 Webaccess object-group
  access-list extended outside_access_in permit tcp host 159.87.70.66 host 159.87.30.251 eq lpd
  outside_access_in list extended access permit tcp any host 159.87.30.252 Webaccess object-group
  outside_access_in list extended access permit tcp any host 159.87.30.245 Webaccess object-group
  outside_access_in list extended access permitted tcp object-group McAfee any eq smtp
  permit access list extended ip 172.16.10.0 outside_access_in 255.255.255.0 10.7.30.0 255.255.255.0
  outside_access_in list extended access permit ip host 159.87.64.30 all
  standard access list vpn_users_splitTunnelAcl allow 10.7.30.0 255.255.255.0
  IPS_TRAFFIC of access allowed any ip an extended list
  access extensive list ip 10.7.30.0 outside_nat0_outbound allow 255.255.255.0 any
  inside_access_in list extended access permit udp 10.7.30.0 255.255.255.0 any eq snmp
  access extensive list ip 10.7.30.0 outside_cryptomap allow 255.255.255.0 172.16.10.0 255.255.255.0
  pager lines 24
  Enable logging
  asdm of logging of information
  host of logging inside the 10.7.30.37
  Debugging trace record
  Within 1500 MTU
  Outside 1500 MTU
  MTU 1500 WLAN_GUESTS
  local pool VPN_POOL 10.7.30.190 - 10.7.30.200 255.255.255.0 IP mask
  no failover
  ICMP unreachable rate-limit 1 burst-size 1
  ASDM image disk0: / asdm-645 - 206.bin
  don't allow no asdm history
  ARP timeout 14400
  Global 1 interface (outside)
  NAT (inside) 0-list of access inside_nat0_outbound
  NAT (inside) 1 0.0.0.0 0.0.0.0
  NAT (outside) 0-list of access outside_nat0_outbound
  NAT (WLAN_GUESTS) 1 0.0.0.0 0.0.0.0
  public static 159.87.30.251 (Interior, exterior) 10.7.30.50 netmask 255.255.255.255
  public static 159.87.30.245 (Interior, exterior) 10.7.30.53 netmask 255.255.255.255
  public static 159.87.30.252 (Interior, exterior) 10.7.30.30 netmask 255.255.255.255
  public static 159.87.30.243 (Interior, exterior) 10.7.30.19 netmask 255.255.255.255
  public static 159.87.30.136 (Interior, exterior) 10.7.30.43 netmask 255.255.255.255
  Access-group inside_access_in in interface inside the control plan
  Access-group outside_access_in in interface outside
  Route outside 0.0.0.0 0.0.0.0 159.87.30.254 1
  Route inside 172.16.1.0 255.255.255.0 10.7.30.1 1
  Timeout xlate 03:00
  Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
  Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
  Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  Floating conn timeout 0:00:00
  dynamic-access-policy-registration DfltAccessPolicy
  AAA-server ADWM-FPS-02 nt Protocol
  AAA-server ADWM-FPS-02 (inside) host 10.7.30.32
  Timeout 5
  auth-domain NT ADWM-FPS-02 controller
  AAA-server ADWM-FPS-02 (inside) host 10.7.30.49
  auth-DC NT ADWM-DC02
  AAA authentication http LOCAL console
  AAA authentication LOCAL telnet console
  the ssh LOCAL console AAA authentication
  Enable http server
  http 206.169.55.66 255.255.255.255 outside
  http 206.169.50.171 255.255.255.255 outside
  http 10.7.30.0 255.255.255.0 inside
  http 206.169.51.32 255.255.255.240 outside
  http 159.87.35.84 255.255.255.255 outside
  SNMP-server host within the 10.7.30.37 community * version 2 c
  location of the SNMP server *.
  contact SNMP Server
  Community SNMP-server
  Server enable SNMP traps snmp authentication linkup, linkdown cold start
  Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
  Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
  Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
  Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
  life crypto ipsec security association seconds 28800
  Crypto ipsec kilobytes of life - safety 4608000 association
  Crypto-map dynamic outside_dyn_map pfs set 20 Group1
  card crypto outside_map 1 match address outside_1_cryptomap
  peer set card crypto outside_map 1 206.169.55.66
  map outside_map 1 set of transformation-ESP-3DES-MD5 crypto
  card crypto outside_map 2 match address outside_cryptomap
  peer set card crypto outside_map 2 159.87.64.30
  card crypto outside_map 2 game of transformation-ESP-AES-192-SHA
  map outside_map 65535-isakmp ipsec crypto dynamic outside_dyn_map
  outside_map interface card crypto outside
  Crypto ca trustpoint *.
  Terminal registration
  full domain name *.
  name of the object *.
  MYKEY keypairs
  Configure CRL
  Crypto ca trustpoint A1
  Terminal registration
  fqdn ***************
  name of the object *.
  MYKEY keypairs
  Configure CRL
  Crypto ca trustpoint INTERMEDIARY
  Terminal registration
  no client-type
  Configure CRL
  Crypto ca trustpoint _SmartCallHome_ServerCA
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint0
  Configure CRL
  Crypto ca trustpoint ASDM_TrustPoint1
  Configure CRL
  ca encryption certificate chain *.
  certificate ca 0301
  BUNCH OF STUFF
  quit smoking
  A1 crypto ca certificate chain
  OTHER LOTS of certificate
  quit smoking
  encryption ca INTERMEDIATE certificate chain
  YET ANOTHER certificate
  quit smoking
  Crypto ca certificate chain _SmartCallHome_ServerCA
  certificate ca LAST BOUQUET
  quit smoking
  crypto ISAKMP allow outside
  crypto ISAKMP policy 10
  preshared authentication
  3des encryption
  sha hash
  Group 2
  life 86400
  No encryption isakmp nat-traversal
  Telnet 10.7.30.0 255.255.255.0 inside
  Telnet timeout 30
  SSH 206.169.55.66 255.255.255.255 outside

  SSH timeout 5
  Console timeout 0
  management-access inside
  dhcpd 4.2.2.2 dns 8.8.8.8
  !
  dhcpd address 10.7.150.10 - 10.7.150.30 WLAN_GUESTS
  enable WLAN_GUESTS dhcpd
  !

  a basic threat threat detection
  Statistics-list of access threat detection
  no statistical threat detection tcp-interception
  SSL encryption rc4 - md5 of sha1
  SSL-trust A1 out point
  WebVPN
  allow outside
  AnyConnect essentials
  SVC disk0:/anyconnect-dart-win-2.5.2019-k9.pkg 1 image
  enable SVC
  attributes of Group Policy DfltGrpPolicy
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  internal VPNUsers group strategy
  Group Policy VPNUsers attributes
  value of server DNS 10.7.30.20
  Protocol-tunnel-VPN IPSec l2tp ipsec svc webvpn
  Split-tunnel-policy tunnelspecified
  value of Split-tunnel-network-list vpn_users_splitTunnelAcl
  dwm2000.WM.State.AZ.us value by default-field
  Split-dns value dwm2000.wm.state.az.us
  username HCadmin password * encrypted privilege 15
  attributes global-tunnel-group DefaultWEBVPNGroup
  address VPN_POOL pool
  authentication-server-group ADWM-FPS-02
  strategy - by default-VPNUsers group
  tunnel-group 206.169.55.66 type ipsec-l2l
  IPSec-attributes tunnel-group 206.169.55.66
  pre-shared key *.
  tunnel-group 159.87.64.30 type ipsec-l2l
  IPSec-attributes tunnel-group 159.87.64.30
  pre-shared key *.
  !
  class-map IPS_TRAFFIC
  corresponds to the IPS_TRAFFIC access list
  class-map inspection_default
  match default-inspection-traffic
  !
  !
  type of policy-card inspect dns preset_dns_map
  parameters
  message-length maximum 512
  Policy-map global_policy
  class inspection_default
  inspect the preset_dns_map dns
  inspect the ftp
  inspect h323 h225
  inspect the h323 ras
  inspect the rsh
  inspect the rtsp
  inspect esmtp
  inspect sqlnet
  inspect the skinny
  inspect sunrpc
  inspect xdmcp
  inspect the sip
  inspect the netbios
  inspect the tftp
  inspect the icmp
  Review the ip options
  class IPS_TRAFFIC
  IPS inline help
  !
  global service-policy global_policy
  field of context fast hostname
  anonymous reporting remote call
  call-home
  Profile of CiscoTAC-1
  no active account
  http https://tools.cisco.com/its/service/oddce/services/DDCEService destination address
  email address of destination [email protected] / * /
  destination-mode http transport
  Subscribe to alert-group diagnosis
  Subscribe to alert-group environment
  Subscribe to alert-group monthly periodic inventory
  monthly periodicals to subscribe to alert-group configuration
  daily periodic subscribe to alert-group telemetry
  Cryptochecksum:e70de424cf976e0a62b5668dc2284587
  : end
  ASDM image disk0: / asdm-645 - 206.bin
  ASDM location 159.87.70.66 255.255.255.255 inside
  ASDM location 208.65.144.0 255.255.248.0 inside
  ASDM location 208.81.64.0 255.255.248.0 inside
  ASDM location 172.16.10.0 255.255.255.0 inside
  ASDM location 159.87.64.30 255.255.255.255 inside
  don't allow no asdm history

  Anyone have any ideas?

  Hello

  Please, add this line in your configuration and let me know if it works:

  access extensive list ip 10.7.30.0 inside_nat0_outbound allow 255.255.255.0 10.7.30.0 255.255.255.0

  I ask you to add that it is because you have not specified any exceptions for the return shipping. Once you add to it, will allow you to go through the tunnel VPN, packets back. When this command is not there, you will be able to access everything on the SAA but nothing behind it.

  Let me know if it helps.

  Thank you

  Vishnu

• VPN between ASA and cisco router [phase2 question]

  Hi all

  I have a problem with IPSEC VPN between ASA and cisco router

  I think that there is a problem in the phase 2

  Can you please guide me where could be the problem.
  I suspect questions ACL on the router, but I cannot fix. ACL on the router is specified below

  Looking forward for your help

  Phase 1 is like that

  Cisco_router #sh crypto isakmp his

  IPv4 Crypto ISAKMP Security Association
  status of DST CBC State conn-id slot
  78.x.x.41 87.x.x.4 QM_IDLE 2006 0 ACTIVE

  and ASA

  ASA # sh crypto isakmp his

  ITS enabled: 1
  Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
  Total SA IKE: 1

  1 peer IKE: 78.x.x.41
  Type: L2L role: initiator
  Generate a new key: no State: MM_ACTIVE

  Phase 2 on SAA

  ASA # sh crypto ipsec his
  Interface: Outside
  Tag crypto map: Outside_map, seq num: 20, local addr: 87.x.x.4

  Outside_cryptomap_20 ip 172.19.209.0 access list allow 255.255.255.0 172.
  19.194.0 255.255.255.0
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer: 78.x.x.41

  #pkts program: 8813, #pkts encrypt: 8813, #pkts digest: 8813
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 8813, model of #pkts failed: 0, #pkts Dang failed: 0
  #send errors: 0, #recv errors: 0

  local crypto endpt. : 87.x.x.4, remote Start crypto. : 78.x.x.41

  Path mtu 1500, fresh ipsec generals 58, media, mtu 1500
  current outbound SPI: C96393AB

  SAS of the esp on arrival:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4275000/3025)
  Size IV: 8 bytes
  support for replay detection: Y
  outgoing esp sas:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac no
  running parameters = {L2L, Tunnel}
  slot: 0, id_conn: 7, crypto-card: Outside_map
  calendar of his: service life remaining (KB/s) key: (4274994/3023)
  Size IV: 8 bytes
  support for replay detection: Y

  Phase 2 on cisco router

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x0 (0)

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  protégé of the vrf: (none)
  local ident (addr, mask, prot, port): (172.19.194.0/255.255.255.0/0/0)
  Remote ident (addr, mask, prot, port): (172.19.209.0/255.255.255.0/0/0)
  current_peer 87.x.x.4 port 500
  LICENCE, flags is {origin_is_acl},
  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
  #pkts decaps: 8947, #pkts decrypt: 8947, #pkts check: 8947
  compressed #pkts: 0, unzipped #pkts: 0
  #pkts uncompressed: 0, #pkts compr. has failed: 0
  #pkts not unpacked: 0, #pkts decompress failed: 0
  Errors #send 0, #recv 0 errors

  local crypto endpt. : 78.x.x.41, remote Start crypto. : 87.x.x.4
  Path mtu 1452, ip mtu 1452, ip mtu BID Dialer0
  current outbound SPI: 0x3E9D820B (1050509835)

  SAS of the esp on arrival:
  SPI: 0xC96393AB (3378746283)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 29, flow_id: Motorola SEC 1.0:29, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4393981/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:
  SPI: 0x3E9D820B (1050509835)
  transform: esp-3des esp-md5-hmac.
  running parameters = {Tunnel}
  Conn ID: 30, flow_id: Motorola SEC 1.0:30, card crypto: mycryptomap
  calendar of his: service life remaining (k/s) key: (4394007/1196)
  Size IV: 8 bytes
  support for replay detection: Y
  Status: ACTIVE

  outgoing ah sas:

  outgoing CFP sas:

  VPN configuration is less in cisco router

  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 101 permit ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.206.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.203.0 0.0.0.255 172.19.194.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect
  access-list 105 deny ip 172.19.209.0 0.0.0.255 172.19.194.0 0.0.0.255 connect

  sheep allowed 10 route map
  corresponds to the IP 105

  Crypto ipsec transform-set esp-3des esp-md5-hmac mytransformset

  mycryptomap 100 ipsec-isakmp crypto map
  the value of 87.x.x.4 peer
  Set transform-set mytransformset
  match address 101

  crypto ISAKMP policy 100
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  ISAKMP crypto key xxx2011 address 87.x.x.4

  Your permit for 105 ACL statement should be down is changed to match because it is the most general ACL.

  You currently have:

  Extend the 105 IP access list
  5 permit ip 172.19.194.0 0.0.0.255 (18585 matches)
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  It should be:

  Extend the 105 IP access list
  10 deny ip 172.19.194.0 0.0.0.255 172.19.206.0 0.0.0.255 connect
  30 deny ip 172.19.194.0 0.0.0.255 172.19.203.0 0.0.0.255 connect
  50 deny ip 172.19.194.0 0.0.0.255 172.19.209.0 0.0.0.255 connect

  IP 172.19.194.0 allow 60 0.0.0.255 (18585 matches)

  To remove it and add it to the bottom:

  105 extended IP access list

  not 5

  IP 172.19.194.0 allow 60 0.0.0.255 any

  Then ' delete ip nat trans. "

  and it should work now.

• LACP hash between N3048 and CISCO SG300/SG200 + question Twinax attach direct cable

  Hello

  In my network I have deployed two new N3048 with 2 transceivers SPF + and SPF module back + as core switches are connected to other 3 switches from edge of N2048 using optical fiber and I reused my previous CISCO SG300 and SG200 goes to serve the other two boxes of my campus via the spine in copper.

  I have 4 copper cable which starts from the hub of the SG300 network and 2 the SG200 brass. I set up to have a redundant connection using 2 + 2 with SG300 and 1 + 1 with SG200 RSTP.

  So for the SG300 I re LAG + LACP to have two channels of the N3048s port, but now that a single cable is connected because I don't know what kind of LACP hash mode should I put on N3048 to have a compatible hash between Dell and Cisco switches.

  My N3048 have mode 7 (Advanced hash) as default but I guess that cisco models do not understand... so, what mode is the best for LACP work perfectly with small business cisco switches?

  I also received my twinax cables to connect my two N3048 via SPF + back modules... conhot can I plug the cables into the slots SPF + (already mounted) without turning off my basic switches?

  Thank you!

  See you soon

  Cables can be connected/disconnected, but I don't know if the real module SFP + for the rear of the N3000 is hot plug.

• Cisco AP purchase Questions

  Hello! I am looking to buy a single Cisco Aironet 1852 and use Mobility Express. Is the number of a particular product, I'm looking at AIR-AP1852E-A-K9.

  (1) are additional licenses needed to use mobility Express?

  (2) what is the difference between AIR-AP1852E-A-K9 and AIR-AP1852E-A-K9C?

  (3) I'm trying to find the data sheet for this particular access point and looks like I have to be a partner of Cisco. I thought that the sheets are available for all. Am I missing something? What happens if I try just to watch the product numbers?

  (4) if I buy this particular Cisco access point, does with a support contract or should I buy one? I can't go without buying a support contract?

  (5) the free tools I can use for the best placement of WiFi AP?

  Thanks in advance!

  1 NO.

  2. do not.

  3. this URL does not access partner.  It takes you to the indoor access points.

  http://www.Cisco.com/c/en/us/products/wireless/buyers-guide.html# ~ indoorac-Wave2

  4. it does not come with a support contract.  You have to buy it separately.

  5. Yes, it is called trial and error.

• Cisco SGE2010P routing question

  I currently have a Cisco SGE2010P that I use as my default gateway for everything on my network. I have a static route that points our VoIP traffic on a dedicated line, and that works very well. I recently added a second route that points to another router with a metric of 200. Now, my hope was that if the main road with a metric of 1 was not the next road would be. In my tests, this does not happen. Am I missing something? Now if I put the metric higher as the default route, then phones register and everything works fine. Any thoughts?

  Hi Sean, when packets match several static routes, the gateway sends the packet to the route with the lowest metric.

  -Tom
  Please mark replied messages useful

• CIsco UCS FI question license (2,23e)

  Hello

  I have system UCS running firmware version 2.2 (3rd) and after the application of the licenses of four additional ports for each fabric of interconnection, I got a warning that tissue-period of grace entered interconnection.

  We have these warning although we are not on the supply of all ports (e.g. absolute amount = quantity). Please check the attached screenshot.

  I want to check if anyone had this problem before and if it of the bug or not.

  Thank you

  Mohammad

  https://Tools.Cisco.com/bugsearch/bug/CSCui19338/?reffering_site=dumpcr

  Perhaps?

• Cisco 2950 GANYMEDE + question

  I have several switches 2950 that I can't go to work with GANYMEDE.  I use the same configuration for what I use for other cisco switches.

  Cisco Internetwork Operating System software

  IOS (TM) C2950 Software (C2950-C3H2S-M), Version 12.0 (5.3) WC (1), TEMPORARY SOFTWARE MAINTENANCE

  System image file is "flash: c2950-c3h2s - mz.120 - 5.3.WC.1.bin.

  password username privilege 15 7 XXXXXX XXX

  activate the password XXXXXX

  AAA new-model

  !

  AAA authentication login default group Ganymede + local

  AAA authentication login conmethod activate Group Ganymede +.

  the AAA authentication enable default group Ganymede + activate

  AAA authorization exec default group Ganymede + authenticated if

  AAA accounting exec default start-stop Ganymede group.

  !

  GANYMEDE-server host XXX.XXX.XXX.XXX touches 7-XXXXXXX

  GANYMEDE-server host XXX.XXX.XXX.XXX touches 7-XXXXXXX

  Any help would be greatly appreciated.

  Thank you.

  Hello

  How does your configuration of vty lines look like?

  Have you tried the command in aaa-server test? If you have, what are you?

• Cisco telepresence camera question - motivates and focus on who speaks. ???

  Hi all

  Wonder about a telepresence from cisco camera that when placed in a conference room can detect, move and focus on the person speaking?

  Is this feature available on the PrecesionHD 4 x camera or another that I do not read this feature in the data sheet?

  If so, please provide the reference for this.

  Kind regards

  It is compatible with the SX80, C40/60/90 points of termination.  SpeakerTrack 60 is a unit of two cameras and therefore requires two inputs of camera on the codec, then it will not work with the SX20 because it has only one entrance of the camera.  Both cameras help to provide seamless switching of active speakers in the room.

• Cisco ISE and question Admin CLI

  Hello.

  I have a strange problem with my installation of ISE. First of all, I use AD users for authentication. It works very well on HTTPS. I can connect with my admin AD by HTTPS.

  The problem starts when I try to log in via the CLI (SSH). I got login prompt. When I type my credentials AD that he said "Login Incorrect" and I got the same result if I try it with the local administrator account.

  I tried to reset the password for the local administrator over HTTPS to check this kind of wrong password. But no effect.

  My ISE is installed VMware.

  Experiences with it?

  ARM

  CLI authentication which is the base Linux OS is not / cannot be bound to AD to the admin authentication. Only, you integrate the application on top of Linux, which in this case is ISE, to AD. So, if you want to connect to the cli shell, you will need to use the username/password you configured during installation. If you do not remember those you need to perform a rest of password via the installation CD / ISO

  Thank you for evaluating useful messages!

• Issue from site to site of SRP527w port forwarding

  

  Hello

  I have problem with setting up port forwarding on the VPN between two cisco 527w.

  Scenario when we see a tunnel VPN from Site to Site between Site A and B; a printer behind Site B must be accessible using the IP WAN of A Site address.

  Like the picture above:

  -From site A, I am able to ping printer and printer access locally and via 120.146.x.x with port forwarding to installation on site has to the printer.

  -From site B, I am able to ping A site gateway but not able to access the printer through 120.146.x.x. The printer can be access via 129.203.x.x if port forwarding is configured on the site B on the printer.

  Cisco SRP 527w supports port forwarding via VPN site-to-site site A to site B printer?

  Y at - it no suggest or another solution for this scenario?

  Some help would be very appreciated.

  Kind regards

  Thai

  Hi thai,

  I'm not entirely sure - I think that an IOS based router, for example, the 800 series, you could do with proper setup.

  I would say that remote access to a printer or a server like this is perhaps not the most secure solution however.  A better approach would be to use a router that supports both a remote access VPN site.  With this, you must be able to use a VPN client to access the site with the IP address static, then tunnel to the other site where the device is.  You might consider the series RV of the device as well as IOS routers for that.

  Kind regards

  Andy