IDSM-2 basic configuration

Hello

I have some experience with sensors but this is my first time setting up a C6500 with an IDSM-2, and I have a few design questions. The first question is this: can I mix VACL capture and SPAN to capture traffic in the same configuration?

The customer currently uses a VACL to capture the traffic of some machines, but now he wants to monitor all traffic from an external partner that comes in via a VPN concentrator, so I guess in this case I should use SPAN to monitor the VPN port. Am I wrong?

The customer's config is more or less the following:

intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 1
intrusion-detection module 1 data-port 2 capture
intrusion-detection module 1 data-port 2 capture allowed-vlan 1

vlan access-map IDS 10
 match ip address in
 action forward capture
vlan access-map IDS 20
 match ip address out
 action forward
vlan filter IDS vlan-list 1

ip access-list extended in
 permit ip any host 192.168.1.1
 permit ip host 192.168.1.1 any
 ...
ip access-list extended out
 permit ip any any

If I want to use SPAN, what is the limit on the number of source ports I can put in the "monitor session" command?

Should I send this SPAN traffic to sensing interface 8 (data-port 2), or can I still send it to data-port 1 (sensing interface 7)?

Why are there two sensing interfaces?

Thanks in advance...

Ruben

The first thing to understand is that the customer should not configure data-port 1 and data-port 2 to see the same traffic.

The sensor would get duplicate packets, which reduces the overall performance of the sensor (spending CPU just to throw away duplicates) and at worst could cause false positives or even false negatives.

So the first thing to do is to remove the capture configuration from data-port 2, so that only one data port is capturing packets.

Now that data-port 2 is freed up, you can configure data-port 2 for something else.

So if you want to use SPAN, then yes, you can now configure data-port 2 as a SPAN destination port.

Can you mix VACL and SPAN configurations?

Yes, but not on the same data port. One data port can be a VACL capture port and the second data port a SPAN destination port.

However, you want to avoid duplicate packets as much as possible. So you will want to set it up so that traffic normally visible on the SPAN destination port will not also be seen on the VACL capture port (which generally means changing the VACL so that it does not also capture that traffic).

Should you use SPAN to monitor the VPN port?

SPAN is usually the best way to ensure you get all the packets in and out of a specific port. You will need to make sure that you use a port SPAN (instead of a VLAN SPAN) and make sure you cover both the tx and rx traffic so that you get both the inbound and the outbound traffic.

Also make sure that the traffic you are covering is the unencrypted traffic and not the encrypted traffic (which would be ignored by the sensor).

What is the limitation on the number of source ports?

I don't know, and I think it can differ depending on your IOS version and the type of supervisor. So you must read the configuration guide for your Cat 6K to determine the limits of your specific switch.

Should you send the SPAN traffic to data-port 2 or to data-port 1?

A data port cannot be both a VACL capture port and a SPAN destination port. So if data-port 1 is configured for VACL capture then it cannot be a SPAN destination port. Configure one port as the VACL capture port and the other port as the SPAN destination port.

Why are there 2 sensing interfaces?

To do exactly the kind of thing you are asking about. So you can use 2 different monitoring techniques that could not be combined on a single port. Or to do promiscuous monitoring on one port while doing inline VLAN pair monitoring on the second port. Or to use the 2 ports together as an inline interface pair.
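Putting the reply above together as one switch configuration, as an added example that is not the original poster's or the replier's config: the IDSM-2 is assumed to be in slot 1, the VPN concentrator's cleartext (inside) port is assumed to be GigabitEthernet3/1 with the constructed address 192.168.5.10, and the existing VACL on VLAN 1 is kept as in the question. The SPAN destination syntax for a module data port is the one documented for the IDSM-2 on Catalyst 6500 native IOS; check it against the configuration guide for your own IOS version.

```text
! --- Added example, not the thread's own configuration ---
! Assumptions: IDSM-2 in slot 1; VPN concentrator's cleartext side on
! GigabitEthernet3/1 at 192.168.5.10 (constructed value).

! 1. Only data-port 1 keeps the VACL capture role; data-port 2 is released
!    so it can become the SPAN destination.
intrusion-detection module 1 data-port 1 capture
intrusion-detection module 1 data-port 1 capture allowed-vlan 1
no intrusion-detection module 1 data-port 2 capture

! 2. Keep the VACL from also capturing the concentrator's traffic, so the
!    sensor does not see it twice (once via VACL, once via SPAN).
!    A forward-only entry that matches first excludes it from capture.
ip access-list extended vpn-concentrator
 permit ip any host 192.168.5.10
 permit ip host 192.168.5.10 any
ip access-list extended in
 permit ip any host 192.168.1.1
 permit ip host 192.168.1.1 any
ip access-list extended out
 permit ip any any
!
vlan access-map IDS 5
 match ip address vpn-concentrator
 action forward
vlan access-map IDS 10
 match ip address in
 action forward capture
vlan access-map IDS 20
 match ip address out
 action forward
vlan filter IDS vlan-list 1

! 3. Port SPAN (not VLAN SPAN) of the concentrator's cleartext port, both
!    directions, delivered to data-port 2 of the module.
monitor session 1 source interface GigabitEthernet3/1 both
monitor session 1 destination intrusion-detection-module 1 data-port 2
```

The SPAN source must be the side of the concentrator that carries decrypted traffic; spanning the encrypted side only gives the sensor packets it cannot inspect. After applying it, "show intrusion-detection module 1 data-port 1 traffic" and "show monitor session 1" confirm that each data port is receiving only the traffic intended for it.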

Tags: Cisco Security

Similar Questions

  • Basic configuration of TFS 2012 fails on the data tier.

    Hello

    I have a new installation of SQL Server 2014 and it has the latest update 7 on it.

    I installed TFS 2012 Update 4 and tried the basic configuration with the start wizard.

    I am getting...

    "TF255146: Team Foundation Server requires SQL Server 2008 R2 (10.50.1600) or higher. The SQL Server instance xxxxxxx you provided is version 12.0.2495.0."

    I couldn't find much help researching online. Any ideas how to solve this problem?

    Thank you

    Vinciane

    This issue is beyond the scope of this site and must be posted on TechNet or MSDN

    http://social.msdn.Microsoft.com/forums/en-us/home

  • Aironet 1600 basic configuration

    Hello, could someone share the basic configuration for an SSID with WPA security using a passphrase, not numbers?

    Because I have a problem: I can only see the SSID if I put it in guest mode.

    Excellent. You can disable the 2.4 GHz radio on the AP altogether.

    If you think that I helped, it would be great if you could rate the answer.

  • What are the basic elements of the basic configuration of an Oracle database?

    What are the basic elements of the basic configuration of an Oracle database?

    It consists of
    one or more data files.
    one or more control files.
    two or more redo log files.
    The database contains
    multiple users/schemas
    one or more rollback segments
    one or more tablespaces
    data dictionary tables
    user objects (tables, indexes, views etc.)
    The server that accesses the database consists of
    SGA (database buffer cache, redo log buffers, shared SQL pool)
    SMON (System MONitor)
    PMON (Process MONitor)
    LGWR (LoG WRiter)
    DBWR (DataBase WRiter)
    ARCH (ARCHiver)
    CKPT (CheckPoint)
    RECO
    Dispatcher
    PGA associated with the user processes

  • Basic configuration of a 4402 WLC

    I have a WLC4402 attached to a trunk port on a 2950 switch. The switch has 3 VLANs, 300, 400 and 500. The management and AP-manager interfaces are tagged with 500. I use a 2600 router on a stick that is also connected to the 2950 through another trunk. The AP-manager and management IP addresses are 172.16.20.1 and 172.16.20.2. The 2 switch VLANs have the IP subnets 10.10.10.0/24 and 10.10.11.0/24. I can ping the management interface from a PC on each VLAN without problem. As soon as I create a dynamic interface that is mapped to an IP on VLAN 300 or 400, pings stop, unless I tag the dynamic interfaces with VLAN 500! I suspect it has to do with the native VLAN on the trunk but I can't figure out how to get the dynamic interfaces to work.

    You want to keep VLAN 500. If you leave your management untagged, it will be in VLAN 1, which is not recommended. When you configure the switch (trunk) port with native VLAN 500, that means any untagged frames will be put on VLAN 500. The interfaces that you create must be referenced...

    Configure the management interface to '0' first of all, then set up the trunk with native VLAN 500. Then go back and set up the AP-manager untagged ('0').

  • Basic IPsec/GRE configuration question

    The test config below has been entered at R1 (the left-hand router). R4 has a similar config with the IP addresses reversed. R1 is able to ping R4's loopback at present.

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 2
     lifetime 120
    crypto isakmp key cisco address 203.115.34.4
    !
    !
    crypto ipsec transform-set MY_TRANSFORM ah-sha-hmac esp-aes
    !
    crypto map MY_MAP 10 ipsec-isakmp
     set peer 203.115.34.4
     set transform-set MY_TRANSFORM
     match address 100
    !
    !
    interface Loopback0
     ip address 192.168.10.1 255.255.255.255
    !
    interface Tunnel0
     ip address 192.168.14.1 255.255.255.0
     tunnel source Serial1/2
     tunnel destination 203.115.34.4
     crypto map MY_MAP
    !
    interface Serial1/2
     ip address 203.115.12.1 255.255.255.0
     serial restart-delay 0
    !
    router eigrp 100
     network 192.168.0.0 0.0.255.255
     auto-summary
    !
    router ospf 100
     router-id 1.1.1.1
     log-adjacency-changes
     network 203.115.0.0 0.0.255.255 area 0
    !
    access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 log
    !

    I see that Cisco sample configurations include an access list entry as follows...

    access-list 100 permit gre host 203.115.12.1 host 203.115.34.4

    I understand the purpose of the ACL above in relation to the test configuration that I posted here.

    Let me explain.

    LAN - router - WAN - router - LAN

    Communication between the two LANs can be over a GRE tunnel, an IPsec tunnel or an IPsec/GRE tunnel.

    If you simply want unicast IP traffic to pass between them, IPsec is recommended because it will encrypt the traffic.

    If you need non-unicast or non-IP traffic to go through, then you can create a GRE tunnel.

    If you want IPsec encryption for the GRE tunnel, then configure IPsec/GRE.

    The ACL you mention will not work because GRE traffic exists only between the tunnel endpoints.

    The traffic that flows between the LANs is IP traffic (not GRE traffic), so a permit GRE ACL will not work.

    Hope this helps.

    Federico.

  • Basic configuration of the NAC appliance

    I have a small project to authenticate about 100 users for network access. We plan to use the Cisco NAC appliance. Just to clarify (I saw some posts but I'm not sure of the correct answer): do I need 2 separate devices, one as a server and the other as a manager, or can I have just one doing both tasks?

    Thank you

    -Arturo

    Hi Arturo,

    You need two devices to operate: a Manager and a Server.

    There is a great Cisco Press book on the NAC appliance by James Heary that will give you a lot of details and information on the configuration of the devices.

    I hope this helps.

    Paul

  • PIX506E basic configuration

    Hello...

    I would like to ask the experts whether my setup is correct or not... Please help a beginner.

    I have a PIX506E...

    A fixed IP line 214.xxx.xxx.161 is connected to the router at 192.168.1.2, which is then connected to the PIX506E firewall outside interface 192.168.1.1.

    The firewall inside interface IP is 10.1.1.1, connected to a switch... then the switch to the clients/server with IP addresses 10.1.1.10/50.

    My problem is that inside and outside users cannot connect (they also cannot ping) although I made a few rules for it. I can't even surf the internet... the firewall is blocking everything. I don't know if my setup is correct...

    I have attached my connection setup... Please have a look...

    Thank you

    Tonny

    Distribution of Excellence WT

    Are you testing now with only the 10.1.1.2 PC? You have enabled NAT only for this PC for now... so make sure that you test it with this IP address.

    Are you sure you have the routes for 202.196.169.170 - 202.196.169.190 on the internet router pointing to the PIX outside address 192.168.1.1? Make sure that your access provider forwards this IP range.

    To allow ping, configure an access list and apply it to the outside interface, as ICMP is disabled by default.

    access-list outside permit icmp any any

    access-group outside in interface outside

    All the best!

  • Basic configuration problem - please help!

    Hello

    I'm setting up my first PIX firewall in a test network right now, and it is supposed to go into production in the next few days.

    I am trying to open some ports for a server inside, doing everything 'by the book' (Cisco e-learning, to be exact), but I had no success with that. Basically, I'm trying to map an inside server (192.168.254.199) to the external IP address (xxx.115.215.1) that is assigned to the external interface. The types of traffic that must be passed to the inside server are HTTP and Remote Desktop. (Other users are PATed to xxx.115.215.2.) So I tried to use static/conduit pairs, according to the e-learning stuff...

    static (inside,outside) xxx.115.215.1 192.168.254.199

    conduit permit tcp host xxx.115.215.1 eq www any

    conduit permit tcp host xxx.115.215.1 eq 3389 any

    After I type this, I can't access the internet from the server, or ping to the outside... and of course I cannot access Remote Desktop/the web server from outside, which is the main goal.

    Here is the config:

    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password xxx
    passwd xxx
    hostname pix
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    names
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address outside xxx.115.215.1 255.255.255.0
    ip address inside 192.168.254.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    pdm history enable
    arp timeout 14400
    global (outside) 1 xxx.115.215.2
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    conduit permit icmp any any
    route outside 0.0.0.0 0.0.0.0 xxx.115.215.125 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd address 192.168.254.100-192.168.254.150 inside
    dhcpd dns 192.168.254.199 199.185.225.10
    dhcpd wins 192.168.254.199
    dhcpd lease 28800
    dhcpd ping_timeout 750
    dhcpd domain test.local
    dhcpd enable inside
    terminal width 80
    Cryptochecksum:xxx
    : end

    pix#

    I am sure that the problem is something simple, as I'm just a newbie...

    Your help will be GREATLY appreciated!

    Thanks in advance

    Good news... I'm glad it works now!

    Please close the case so that it appears on the list as "resolved"... See you soon.

  • PIX 501 basic configuration help

    People:

    I just acquired a 501. I'm really new to the Cisco PIX and have no idea how to set it up.

    NAT seems to work (I connect via a client workstation on the 'inside' interface) using the PDM. However, I can't get the 'outside' interface to work.

    I must be missing something:

    In the system properties, both inside and outside are enabled. I assigned the outside (ethernet0) an IP address and a subnet mask of 255.255.254.0 as provided (it is a multinet). However there is no field to assign the router or DNS.

    After a lot of tinkering, I can't get the NATted stations to talk to the outside world.

    Any advice?

    Bobby

    The easiest way to get this working is by using the Setup Wizard. Launch PDM and go to the menu "Wizards" -> "Setup Wizard".

    I think the reason you couldn't get the outside interface working is that you did not set up the default gateway and DNS properly. By going through the wizard, you will find a place to fill in that information.

    Jack

  • Vulnerability analysis tools for databases beyond the basic configurations

    Is anyone using external tools for database vulnerability analysis, and do you have any recommendations?

    I'm looking for external vendors and analysis tools. I don't mean Oracle security (the links you posted). Thank you.

  • IDSM-2: Tips for the initial network configuration?

    Hello team:

    I was asked to do a very basic configuration of a brand new IDSM-2 on a CAT6500. According to the documentation, once in the Supervisor's CLI, I run a 'session' command to the slot where the module is.

    Once there, I follow the wizard to add the IP, mask and gateway. Having this configured, the module's management interface should be visible from the rest of the network, but I do not see how this happens, because the module must use one of the switch's VLANs and I haven't found how that is configured.

    Question: how will the IDSM link itself to the switch's layer 3 engine? I don't see how its layer 2 will correspond to any VLAN available in the host LAN switch...

    Any help will be greatly appreciated

    Rogelio Alvez

    Argentina

    I think what you need is to add a command on the 6500 that puts the IDSM-2 management port in a particular VLAN. For example:

    intrusion-detection module 9 management-port access-vlan 101

    This places the management port of the IDSM-2 card in slot 9 in VLAN 101. The host IP that you set on the IDSM-2 card itself then needs to be valid for that VLAN.

    Steve

  • Cannot store basic Camileo S10 and P30 configurations

    Hello, first post for me. I got a Camileo S10 and exchanged it for a Camileo P30, and on both cameras I can't save some basic settings. I have to set them every time I use the camera. For example, if I activate the stabilizer in 720p while filming a video, then someone closes the camera, and 5 minutes later I have to shoot another video, I always have to go into the settings and set up stabilization again, because this setting is not stored, while the 720p setting stays stored. Same thing for photo shooting, where the light conditions and so on must be set each time. It's very annoying, and I can't ask my son not to move to get a picture if every time I open the camera I have to redo the settings... Am I doing something wrong here? Is there a way to save settings, as on most normal cameras and camcorders?

    Thank you very much

    Lillo

    Hello

    I contacted my friend because he has the same cam. I've asked him to check this.

    He told me that this stabilization can be used in HD recording and that it can be used with lower-resolution recording only.
    Another thing:
    Did you put the battery in and fully charge it?
    What about the time and date? Is the right one always shown?

  • Basic IDS module configuration

    I have some basic configuration questions about an IDS module in a 3725 router.

    (NM-CIDS)

    1. Must the module's interface be configured as a normal interface like any other Fast Ethernet interface? If so, how do I enter the web configuration of the sensor? I can't give the sensor an IP on the same subnet as another interface, so do I have to create a VLAN on my switch and install a new network adapter on a computer just to access the sensor?

    2. I want to use the sensor to monitor my internet connection. My internet comes in on the router where the sensor is, but not on the sensor interface. So I added the line "ids-service-module monitoring" on the internet interface. I'm now assuming that the sensor monitors this interface, but it can't block any IP address on it, can it? Can I use the sensor's interface as my internet connection? Will it route traffic to the router like any other interface?

    3. If the sensor has to be on its own subnet, I can't get the auto-update licensing, since this new subnet has no access to the internet.

    I must admit I was a bit confused about the basics of this module. The documentation is clear on how to implement it, and I did; I even upgraded the sensor to version 5.0. But the basic idea behind it and the basic configuration are not clear; it only tells me the reasons for the separate subnet.

    Can someone guide me in the right direction?

    My goal is to install the sensor on the company's internet connection, which is currently connected to a Fast Ethernet card on the router, and send events to a syslog server that I'm monitoring.

    Thank you

    Bernard Magny

    The NM-CIDS has 2 interfaces that you have to deal with.

    The internal interface on the router backplane, and an external interface that you can plug a wire into.

    In addition, the router has an interface on its backplane towards the NM-CIDS. This router backplane interface and the internal interface of the NM-CIDS may be considered to be wired together.

    The simplest way to think of the NM-CIDS is to consider it a PC that sits inside the router.

    It can easily be compared to an IDS appliance.

    The internal interface of the NM-CIDS is the sniffing interface. The NM-CIDS does not give this internal interface an IP address. It is used only for receiving packets from the router for monitoring and for sending TCP resets.

    The router has its backplane interface that corresponds to this internal sniffing interface of the NM-CIDS. You must assign an IP address to the router's NM-CIDS interface, but no traffic will ever really be "routed" to it. So most users will either assign a non-routable address or a loopback address, or share an address with another interface of the router.

    This address is NOT used to configure or control the NM-CIDS; using a non-routable loopback address is often the best thing to do.

    This router interface and the NM-CIDS backplane can best be compared to a SPAN port on a switch monitored by an appliance.

    The "ids" command applied to a physical interface of the router is like "spanning" this interface.

    The "spanned" traffic is copied to the "span" destination port, which is the router's backplane interface to the NM-CIDS. Once these packets are copied onto the router backplane to the NM-CIDS slot, the internal port of the NM-CIDS will sniff and analyze the packets.

    So the real packet comes in on one interface of the router and gets "routed" out another interface. If there is an "ids" command on one of these 2 interfaces, then these packets will also be copied ("spanned") to the NM-CIDS for monitoring. So the NM-CIDS and the corresponding router backplane interface are not in the packet path and only see a copy of the packet.

    NOTE: Technically, the packet is not "spanned" because "spanning" is only supported by a switch, but most users understand the concept. And the concept is what I'm trying to convey.

    Now the external port of the NM-CIDS is the command and control port. This is where you assign an IP address. Understand that this is NOT a router interface. It will not participate in routing protocols. All packets destined for this port will stop at the NM-CIDS.

    This port is best compared with the command and control port of an IDS appliance sensor. The port's address is used only to talk directly to the IDS sensor.

    So what address should you assign?

    The best method is to give it an address on your more secure internal network and physically plug it into that network, just as you would for any other PC (or the command and control port of an IDS appliance).

    Since this NM-CIDS interface is not a router interface and does NOT participate in routing, it's OK for the router itself to have an interface on the same subnet and be connected to the same switch and the same VLAN as the external command and control interface of the NM-CIDS. In fact, that's exactly what most users do. In addition, the router's IP on that subnet is usually the default gateway configured on the NM-CIDS for its command and control interface. If you think of the NM-CIDS as a PC, then it makes sense.

    Some customers may have a special network for the management of their security devices (usually only large companies). In these scenarios, the NM-CIDS command and control port can be placed on a network that is not routable even by the router in which it is installed. It's pretty rare, but it is possible to do.
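    The layout described in the reply above, written out as a router configuration. This is an added example, not the poster's or the replier's config: the NM-CIDS is assumed to be in slot 1 (interface IDS-Sensor1/0), the internet uplink on FastEthernet0/0, the internal LAN on FastEthernet0/1, and every address below is a constructed value. The "ids-service-module monitoring" line is the one the poster mentions; the backplane interface borrows a loopback address, which is the "non-routable loopback" option the reply recommends.

```text
! --- Added example, not the thread's own configuration ---
! Assumptions: NM-CIDS in slot 1, uplink on Fa0/0, LAN on Fa0/1,
! all addresses constructed for illustration.

! Backplane interface toward the NM-CIDS sniffing port. It needs an
! address but nothing is ever routed to it, so share a loopback.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface IDS-Sensor1/0
 description backplane link to the NM-CIDS internal (sniffing) interface
 ip unnumbered Loopback0
 no shutdown
!
! "Span" the internet-facing interface into the module: the NM-CIDS gets
! a copy of the packets; the originals are still routed normally.
interface FastEthernet0/0
 description internet uplink (monitored)
 ip address 203.0.113.2 255.255.255.252
 ids-service-module monitoring
!
! The router keeps an interface on the same subnet as the NM-CIDS command
! and control port; this router IP becomes the sensor's default gateway.
interface FastEthernet0/1
 description internal LAN, also carries sensor command and control
 ip address 10.1.1.1 255.255.255.0
!
! The sensor's own command-and-control address (e.g. 10.1.1.20/24 with
! gateway 10.1.1.1) is set from the sensor's setup, reached with the
! privileged-exec command:  service-module IDS-Sensor 1/0 session
```

    The external NM-CIDS port is then cabled into the same switch and VLAN as FastEthernet0/1. Only the LAN address is ever used to manage the sensor; the Loopback0 address exists solely so the backplane interface is up.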

  • Incomplete Cisco 1941W router configuration

    Good day all.

    I have been running a small ecommerce business for the last 5 years on a Linksys wireless router. Now that I have more than 14 workstations and 6 networked printers, it was time to step up.

    I bought a CISCO 1941W ISR to take us to Gigabit speed for the next decade together with a CISCO switch. I assumed that the 1941W, although robust and scalable, would offer a setup as simple as the Linksys (Cisco) product, or at least a simple 1-2-3 how-to for getting basic connections made. I was wrong, and now I find that I have some difficulty getting Internet access working on the new router.

    Included below is my NVRAM config. I hope someone can tell where I may have a few gaps in my config.

    Please note: this config is derived from an example on the net that seemed simple enough, so if you find yourself asking "why did he do that?", I hope this provides the perspective.

    TEST router configuration
    28/07/2010

    Objective: Complete the basic configuration to connect to (and ping) the internet
    Problem: Cannot connect to the internet; incomplete configuration suspected; maybe a bad NAT config or a DNS issue
    Comments: In progress.

    TEXT OF THE HYPERTERMINAL CONNECTION TO THE CONSOLE:

    User Access Verification

    Username: admin
    Password:

    TESTROUTER>enable
    Password:
    TESTROUTER#ping 8.8.8.8

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
    .....
    Success rate is 0 percent (0/5)

    TESTROUTER#show config
    Using 2615 out of 262136 bytes
    !
    ! Last configuration change at 01:33:34 CST Thu Jul 29 2010 by admin
    !
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec show-timezone
    service timestamps log datetime msec show-timezone
    service password-encryption
    !
    hostname TESTROUTER
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 16000
    logging console critical
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
    enable password 7 XXXXXXXXXXXXXXXX
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication enable default enable
    !
    !
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6
    service-module wlan-ap 0 bootimage autonomous
    !
    no ipv6 cef
    no ip source-route
    ip icmp rate-limit unreachable 2000
    ip icmp rate-limit unreachable DF 2000
    ip cef
    !
    !
    no ip bootp server
    no ip domain lookup
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 209.18.47.61
    ip name-server 209.18.47.62
    multilink bundle-name authenticated
    !
    !
    license udi pid CISCO1941W-A/K9 sn XXXXXXXXXXX
    hw-module ism 0
    !
    !
    username admin password 7 XXXXXXXXXXXX
    !
    !
    interface Wlan-GigabitEthernet0/0
     description Internal switch interface connecting to the embedded AP
     shutdown
    !
    interface GigabitEthernet0/0
     description Connection to the internet via TWC (ISP) Ethernet/fiber transport
     ip address AA.BB.CC.149 255.255.255.0
     ip access-group 115 in
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
    !
    interface wlan-ap0
     description Service module interface to manage the embedded AP
     no ip address
     arp timeout 0
     no mop enabled
     no mop sysid
    !
    interface GigabitEthernet0/1
     description Internal connection to the local network
     ip address 10.10.10.1 255.255.255.0
     ip access-group 116 in
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     duplex auto
     speed auto
     no cdp enable
     no mop enabled
    !
    interface Vlan1
     no ip address
     shutdown
    !
    ip forward-protocol nd
    !
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface GigabitEthernet0/0 overload
    ip route 0.0.0.0 0.0.0.0 AA.BB.CC.1
    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    !
    access-list 1 permit 0.0.0.0 255.255.255.0
    access-list 115 deny ip 127.0.0.0 0.255.255.255 any
    !
    no cdp run

    !
    !
    control-plane
    !
    !
    line con 0
    line aux 0
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     password 7 XXXXXXXXXXXXXX
    !
    scheduler allocate 20000 1000
    end

    TESTROUTER#

    END OF THE HYPERTERMINAL TEXT FROM THE CONSOLE

    Thanks in advance to those who consider a response.

    Daniel

    Daniel

    You have ACL 115 on the external interface and there is just one line in this ACL, which is a deny. Be aware that an ACL has an implicit deny all at the end anyway, so basically this ACL is blocking all incoming traffic, which includes the returning ICMP (ping) responses. Because you ran the ping from the router using an IP address and not a DNS name, neither NAT nor DNS is the problem at present.

    I suggest that you rewrite ACL 115

    access-list 115 permit icmp host 8.8.8.8 any echo-reply

    and test again with your ping. If it works then it's the ACL that is the problem and you need to write your ACL so that what you want to allow comes before what you want to deny.

    Jon
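    To show the ordering Jon describes in one place, here is a rewritten ACL 115 as an added example (not Jon's or Daniel's config). It keeps Jon's echo-reply line for the ping test and the original anti-spoofing deny, and adds permits for the return traffic a NAT-overload router normally needs for the LAN to work afterwards; every permit is explicit and the implicit deny still drops everything else. AA.BB.CC.149 is the placeholder from the post itself, so substitute the real outside address before use.

```text
! --- Added example, not the thread's own configuration ---
! Assumption: AA.BB.CC.149 is the router's real outside address (placeholder
! taken from the post). Permits come first, the denies afterwards.
no access-list 115
! return traffic for the router's own ping test (Jon's suggested line)
access-list 115 permit icmp host 8.8.8.8 any echo-reply
! replies to TCP sessions that the NAT'd LAN opened from the outside address
access-list 115 permit tcp any host AA.BB.CC.149 established
! answers to DNS lookups sent to the configured name servers
access-list 115 permit udp any eq domain host AA.BB.CC.149
! ICMP messages needed for normal operation (path MTU discovery, errors)
access-list 115 permit icmp any host AA.BB.CC.149 packet-too-big
access-list 115 permit icmp any host AA.BB.CC.149 unreachable
access-list 115 permit icmp any host AA.BB.CC.149 time-exceeded
! the original anti-spoofing line, now after the permits, then an explicit
! logged deny so blocked traffic shows up in "show logging"
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip any any log
```

    The "established" permit only matches TCP segments with ACK or RST set, so it allows replies to outbound sessions without opening inbound connections; for UDP there is no such flag, which is why the DNS permit is limited to source port 53 towards the router's own address. After applying it, "show access-lists 115" shows per-line hit counts, which is the quickest way to see which line is actually matching the ping replies.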
