STP traffic flow

All,

I have the setup below and am looking for confirmation that it works; your input please.

core SW1 <------------------- trunk -------------------> core SW2
   !                                                         !
   !                                                         !
   !                                                         !
Distribution L3 switch1 - no back-to-back connection - Distribution L3 switch2
   !                                                         !
 trunk                                                     trunk
   !                                                         !
   +------------- access layer switch sw1 --------------------+
         (trunk connections to both distribution switches)

(1) I have core switches (SW1 and SW2) connected to the distribution switches (L3 distribution SW1 and SW2). The ports are configured as trunks and there is an L3 interface VLAN 40; VLAN 40 forms an EIGRP neighborship with the distribution switches, so the ports between the switches are used at both L2 and L3. HSRP is also configured on VLAN 40: active (SW1), standby (SW2).

(2) Distribution switches: connected to the core switches with trunks, and interface VLAN 40 forms an EIGRP neighborship with the two core switches. No HSRP for VLAN 40 is configured on the distribution switches.

(4) Access layer switch: connected to the distribution switches with L2 trunks, VLAN 40 allowed. The gateway for this switch is the HSRP active address on VLAN 40.

(5) On the access switch, the port connected to distribution SW1 is in FWD state, the other port is in BLK state.

I would like to check with you: if the link between the access switch and distribution switch 1 goes down, STP takes the second port out of BLK state and puts it into forwarding state, and traffic will hit core SW2 and reach the HSRP active gateway IP on core SW1.

I would say it should work fine as long as the EIGRP path cost is in line with your switch bridge IDs for the designated paths. If you have equal-cost paths and default bridge IDs, it can cause some strange paths by default, so I think that is your primary consideration.
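To check the failover described in the question and the tie-break caveat in the reply, here is a small spanning-tree model (added example, not from the original thread). The bridge priorities, MAC addresses, link costs and the single uplink from each distribution switch to its own core are constructed assumptions; run_stp() resolves root, designated and blocked ports the way 802.1D does (lowest root path cost, then lowest sender bridge ID), and access_uplinks() reports which access port forwards and the layer-2 path to the HSRP active switch, before and after the access-to-dist1 link fails, and with default priorities where the lowest MAC alone picks the root.

```python
"""Simplified 802.1D spanning-tree model of the core/distribution/access topology
in the question (added example; priorities, MACs, costs and links are constructed)."""
from collections import defaultdict, deque

# Constructed topology: core1 <-> core2 trunk, each distribution switch has a
# single uplink to "its" core, the access switch trunks to both distribution
# switches. Every port uses cost 4 (the 802.1D short cost for 1 Gbit/s).
LINKS = [
    ("core1", "core2", 4),
    ("core1", "dist1", 4),
    ("core2", "dist2", 4),
    ("dist1", "access", 4),
    ("dist2", "access", 4),
]
HSRP_ACTIVE = "core1"  # as in the question: HSRP active for VLAN 40 on core sw1

# Bridge ID = (priority, MAC); the lowest ID wins the root election.
TUNED = {  # root pinned to core1, core2 as secondary root
    "core1": (4096, "00:00:00:00:00:10"),
    "core2": (8192, "00:00:00:00:00:20"),
    "dist1": (32768, "00:00:00:00:00:30"),
    "dist2": (32768, "00:00:00:00:00:40"),
    "access": (32768, "00:00:00:00:00:50"),
}
# All switches at default priority 32768; core2 happens to own the lowest MAC.
DEFAULTS = {name: (32768, mac) for name, (_, mac) in TUNED.items()}
DEFAULTS["core2"] = (32768, "00:00:00:00:00:05")


def adjacency(links):
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    return adj


def run_stp(bridges, links):
    """Return (root, states); states[(bridge, neighbour)] is 'FWD' or 'BLK' for
    the port on `bridge` facing `neighbour`. Ties break on sender bridge ID."""
    adj = adjacency(links)
    root = min(bridges, key=bridges.get)
    rpc = {root: 0}        # root path cost per bridge
    parent = {root: None}  # bridge at the far end of each root port
    changed = True
    while changed:
        changed = False
        for b in bridges:
            if b == root:
                continue
            offers = [(rpc[n] + c, bridges[n], n) for n, c in adj[b] if n in rpc]
            if not offers:
                continue
            cost, _, via = min(offers)
            if b not in rpc or (cost, bridges[via]) < (rpc[b], bridges[parent[b]]):
                rpc[b], parent[b] = cost, via
                changed = True
    states = {}
    for a, b, _ in links:
        if parent.get(b) == a or parent.get(a) == b:
            states[(a, b)] = states[(b, a)] = "FWD"  # designated <-> root port
        else:
            # Neither end uses this link towards the root: better (cost, ID) is designated.
            designated = min((a, b), key=lambda x: (rpc[x], bridges[x]))
            other = b if designated == a else a
            states[(designated, other)] = "FWD"
            states[(other, designated)] = "BLK"  # alternate port
    return root, states


def l2_path(states, links, src, dst):
    """Breadth-first search over links that forward at both ends."""
    fwd = [l for l in links if states[(l[0], l[1])] == states[(l[1], l[0])] == "FWD"]
    adj = adjacency(fwd)
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for n, _ in adj[path[-1]]:
            if n not in seen:
                seen.add(n)
                queue.append(path + [n])
    return None


def without_link(links, a, b):
    """Topology with the a<->b link removed (simulated link failure)."""
    return [l for l in links if {l[0], l[1]} != {a, b}]


def access_uplinks(bridges, links):
    """(root, access port to dist1, access port to dist2, L2 path to HSRP active)."""
    root, states = run_stp(bridges, links)
    return (root, states.get(("access", "dist1"), "DOWN"),
            states.get(("access", "dist2"), "DOWN"),
            l2_path(states, links, "access", HSRP_ACTIVE))
```

With the tuned priorities the access port to dist1 forwards and the port to dist2 blocks; after the dist1 link fails the dist2 port forwards and frames reach core1 via dist2 and core2. With default priorities and core2 holding the lowest MAC, that longer path across the core trunk is the steady state, which is the "strange path" the reply warns about.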

Tags: Cisco Support

Similar Questions

  • WLC and ACLs traffic flow

    Hi all,

    For the WLC I need to configure strict ACLs for the traffic flow.

    Do I have to configure the ACL in both directions?

    On the ASA, return traffic is allowed because it is stateful; do I need an ACL for the return traffic from outside to inside here also?

    Regards

    MAhesh

    Hello

    It depends, but in general, you need to configure in both directions.

    Have a look here:

    http://www.Cisco.com/c/en/us/support/docs/wireless-mobility/wireless-LAN...

    Regards

  • Traffic flow problem with a tunnel from the network to a VPN concentrator

    Hi, I have worked with Cisco and the vendor for 2 weeks on this. I am hoping that what we are witnessing will ring a bell with someone.

    Some basic information:

    I work with a vendor who needs a site-to-site tunnel.  There is currently one site-to-site tunnel with the vendor using a Juniper SSG, which works without incident on my system.  I'm transitioning to Cisco 2811 routers and putting in place a new tunnel with the vendor for the 2800, using a different public IP address in my address range.  So my network has 2 tunnels with the provider, which uses a Cisco VPN concentrator.  The hosts behind the tunnel use 20x.x.x.x public IP addresses.

    My Cisco router will create a tunnel, but I can't get to hosts on the provider's network through the Cisco 2811, whereas I can through the Juniper tunnel.  The vendor sees my packets, and the provider host answers them and sends them to the tunnel.  They never reach the external interface on my Cisco router.

    I'm sourcing from the external interface so that my endpoint and the peer are the same IP address.  (Note: I tried to do a static NAT so that the tunnel address and my host address differ, with the same result.  Cisco has confirmed that I do have 2 different addresses and this configuration was successful when creating another tunnel to a different network.)

    I tested this configuration on a staging network before moving the router to the production network, and my Cisco 2811 managed to create the tunnel and ping the inside host.  Once we moved the router on site, we can no longer ping the host behind the vendor tunnel.   The vendor assured me that the tunnel settings are exactly the same, and he sees his host sending traffic to the tunnel.  The vendor seems well versed with the VPN concentrator and manages connections for many customers successfully.

    The vendor has a second VPN concentrator on a separate network and I can connect to this VPN concentrator successfully from the Cisco 2811 that is having problems with the concentrator that also has a tunnel with Gin.

    Here is what we have done so far:

    (1) confirmed the config with the help of Cisco on the 2811.  The tunnel is up.  sh crypto isa sa shows the tunnel up.
    (2) turned on NAT-T on the VPN concentrator side of the tunnel
    (3) confirmed that traffic flows properly over a tunnel to another network (which would indicate that the Cisco config is ok)
    (4) successfully tunneled to and reached a host in a different configuration
    (5) confirmed all the tunnel settings with the vendor
    (6) the vendor confirmed that his side host has no route and that it points to the default gateway
    (7) rebuilt the tunnel from scratch
    (8) confirmed with our ISP that no route diverts traffic elsewhere.  My ISP gateway sees my directly connected external address.
    (9) confirmed that the ACL matches with the vendor
    (10) I can't get at the Juniper because it is in production and in constant use

    Is there a known issue with using a VPN concentrator to connect 2 tunnels on the same /28 network range?

    Options or ideas are welcome.  I had countless WebEx sessions with Cisco, but do not have access to the vendor's concentrator.  I can forward suggestions.

    Here is the config:

    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2

    crypto ipsec transform-set mytrans esp-aes esp-sha-hmac

    crypto dynamic-map dynmap 30
     set transform-set RIGHT

    crypto isakmp key address no-xauth

    interface FastEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$
     ip address 255.255.255.240
     ip access-group 107 in
     ip access-group 106 out
     ip nat outside
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     crypto map mymap

    Logging access lists (applied on the outside interface to get an idea of what is happening.  No ESP traffic appears; it never gets any hits):

    access-list 106 permit esp host host log
    access-list 106 permit ip any any
    access-list 107 permit esp host host log
    access-list 107 permit ip host host log

    access-list 107 permit ip host host log
    access-list 107 permit ip any any

    sh crypto isa sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id slot status
                                    QM_IDLE           1010    0 ACTIVE

    Crypto Map "mymap" 1 ipsec-isakmp
            Peer = .
            Extended IP access list 116
                access-list 116 permit ip host host (which is a public IP address)
            Current peer:
            Security association lifetime: 4608000 kilobytes/2800 seconds
            PFS (Y/N): N
            Transform sets={
                    mytrans,
            }

    OK - so I have messed around in the lab for 20 minutes and came up with the below (the IPs are test IPs :-)

    (4) ip nat pool crypto-nat 10.1.1.1 10.1.1.1 prefix-length 30 <> this is the new NAT address

    !
    (1) ip nat inside source list 102 interface FastEthernet0/0 overload <> this is the default interface NAT

    !
    ip nat inside source route-map crypto-nat pool crypto-nat overload <> this is the policy NAT function

    !

    (6) access-list 101 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> defines the source and destination IP traffic

    !

    (2) access-list 102 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255 <> does not NAT the normal communication

    (3) access-list 102 deny ip host 10.1.1.1 172.16.2.0 0.0.0.255 <> does not re-NAT the NAT

    (1) access-list 102 permit ip 172.16.1.0 0.0.0.255 any <> allows everyone else to use the interface IP address for NAT

    !

    (5) route-map crypto-nat permit 5 <> condition for the specific NAT required
     match ip address 101 <> matches the traffic whose source and destination IP must be NAT'd

    (7) access-list 103 permit ip host 10.1.1.1 172.16.2.0 0.0.0.255 <> crypto acl

    So, how the above works: when a packet with a source IP in 172.16.1.0/24 wants to leave the router to connect to Google, say, the source will be changed to the interface IP (1).  When 172.16.1.0/24 wants to talk to 172.16.2.0/24, it does not get translated (2).  When the remote end traffic matches the next NAT clause, the already NAT'd IP will not be affected again (3).  When a host in 172.16.1.0/24 wants to communicate with 172.16.2.20/24 we need a specific NAT pool (4).  We must define a method to apply the NAT to specific traffic with a route-map (5) which applies only to the specific traffic (6), then simply define the interesting traffic for the VPN to initiate and enable comms (7).

  • Return VPN traffic does not flow over the tunnel

    Hello.

    I tried to find something on the internet for this problem, but am failing miserably. I guess I don't really understand how the Cisco decides on the route.

    In any case, I have a Cisco 837 which I use for internet access and on which I would like to be able to terminate a VPN. When I VPN in (using vpnc on a Solaris box, as it happens, which is connected to the Cisco ethernet interface), I can establish a VPN, and when I ping a host on the inside I see the ping packet arrive; however, the return packet the Cisco 837 is trying to send via the public internet facing interface Dialer1 without encryption. I can't work out for the life of me why.

    (Also note: I can also establish a tunnel from the public internet, but again, I can't get all traffic through the tunnel. I guess I'm having the same problem, i.e. return packets are not going where they should, but I do know that, for some, on the host being pinged I can see the ping packets arriving and the host responds with an ICMP echo reply.)

    Here is the Cisco version:

    adsl#show version
    Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Fri 01-May-08 02:07 by prod_rel_team

    ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

    adsl uptime is 1 day, 19 hours, 27 minutes
    System returned to ROM by power-on
    System restarted at 17:20:56 CEST Sun Oct 10 2010
    System image file is "flash:c850-advsecurityk9-mz.124-15.T5.bin"

    Cisco 857 (MPC8272) processor (revision 0x300) with 59392K/6144K bytes of memory.
    Processor board ID FCZ122391F5
    MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
    4 FastEthernet interfaces
    1 ATM interface
    128K bytes of non-volatile configuration memory.
    20480K bytes of processor board System flash (Intel Strataflash)

    Configuration register is 0x2102

    And here is the Cisco configuration (IP addresses etc. changed, of course):

    Current configuration : 7782 bytes
    !
    ! Last configuration change at 11:57:21 CEST Mon Oct 11 2010 by bautsche
    ! NVRAM config last updated at 11:57:22 CEST Mon Oct 11 2010 by bautsche
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname adsl
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096
    enable secret 5
    !
    aaa new-model
    !
    !
    aaa authentication login local_authen local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec local_author local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    clock timezone gmt 0
    clock summer-time UTC recurring last Sun Mar 01:00 last Sun Oct 01:00
    !
    !
    dot11 syslog
    no ip source-route
    ip dhcp database dhcpinternal
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.7.1 10.10.7.99
    ip dhcp excluded-address 10.10.7.151 10.10.7.255
    !
    ip dhcp pool dhcpinternal
       import all
       network 10.10.7.0 255.255.255.0
       default-router 10.10.7.1
       dns-server 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
    !
    !
    ip cef
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    no ip bootp server
    ip host nfs1 10.10.140.207
    ip name-server 212.159.11.150
    ip name-server 212.159.13.150
    !
    !
    !
    username cable password 7
    username bautsche password 7
    username vpnuser password 7
    !
    !
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    !
    crypto isakmp policy 2
     encr aes 256
     authentication pre-share
     group 2
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration address-pool local SDM_POOL_1

    !
    crypto isakmp client configuration group groupname2
     key
     dns 10.10.140.201 10.10.140.202
     domain swangage.co.uk
     pool SDM_POOL_1
     max-users 3
     netmask 255.255.255.0
    !
    crypto isakmp client configuration group groupname1
     key
     dns 10.10.140.201 10.10.140.202
     domain swangage.co.uk
     pool SDM_POOL_1
     max-users 3
     netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group groupname2
       client authentication list sdm_vpn_xauth_ml_1
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
    crypto isakmp profile sdm-ike-profile-2
       match identity group groupname1
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP_MD5_3DES esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set security-association idle-time 3600
     set transform-set ESP-AES-256-SHA
     reverse-route
    crypto dynamic-map SDM_DYNMAP_1 2
     set security-association idle-time 3600
     set transform-set ESP-AES-256-SHA
     reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    crypto ctcp port 10000
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    !
    !
    !
    interface Null0
     no ip unreachables
    !
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode auto
     hold-queue 224 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description $FW_INSIDE$
     ip address 10.10.7.1 255.255.255.0
     ip access-group 121 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     crypto map SDM_CMAP_1
     hold-queue 100 out
    !
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     ip access-group 121 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip route-cache flow
     no ip split-horizon
     dialer pool 1
     dialer idle-timeout 0
     dialer persistent
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password 7
     crypto map SDM_CMAP_1
    !
    ip local pool SDM_POOL_1 10.10.148.11 10.10.148.20
    ip local pool public_184 123.12.12.184
    ip local pool public_186 123.12.12.186
    ip local pool public_187 123.12.12.187
    ip local pool internal_9 10.10.7.9
    ip local pool internal_8 10.10.7.8
    ip local pool internal_223 10.10.7.223
    ip local pool internal_47 10.10.7.47
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    ip route 10.10.140.0 255.255.255.0 10.10.7.2
    !
    no ip http server
    no ip http secure-server
    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
    ip nat inside source static 10.10.7.9 123.12.12.184
    ip nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 extendable
    ip nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 extendable
    ip nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extendable
    ip nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extendable
    ip nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extendable
    ip nat inside source static tcp 10.10.7.8 1587 123.12.12.185 1587 extendable
    ip nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extendable

    ip nat inside source static 10.10.7.223 123.12.12.186
    ip nat inside source static 10.10.7.47 123.12.12.187
    !
    logging 10.10.140.213
    access-list 18 permit any
    access-list 23 permit 10.10.140.0 0.0.0.255
    access-list 23 permit 10.10.7.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=2
    access-list 100 deny   ip any 10.10.148.0 0.0.0.255
    access-list 100 permit ip any any
    access-list 121 remark SDM_ACL Category=17
    access-list 121 deny   udp any eq netbios-dgm any
    access-list 121 deny   udp any eq netbios-ns any
    access-list 121 deny   udp any eq netbios-ss any
    access-list 121 deny   tcp any eq 137 any
    access-list 121 deny   tcp any eq 138 any
    access-list 121 deny   tcp any eq 139 any
    access-list 121 permit ip any any
    access-list 125 permit tcp any any eq www
    access-list 125 permit udp any eq isakmp any
    access-list 125 permit udp any any eq isakmp
    access-list 194 deny   udp any eq isakmp any
    access-list 194 deny   udp any any eq isakmp
    access-list 194 permit ip host 123.12.12.184 any
    access-list 194 permit ip any host 123.12.12.184
    access-list 194 permit ip host 10.10.7.9 any
    access-list 194 permit ip any host 10.10.7.9
    access-list 195 deny   udp any eq isakmp any
    access-list 195 deny   udp any any eq isakmp
    access-list 195 permit ip host 123.12.12.185 any
    access-list 195 permit ip any host 123.12.12.185
    access-list 195 permit ip host 10.10.7.8 any
    access-list 195 permit ip any host 10.10.7.8
    no cdp run
    route-map public_185 permit 10
     match ip address 195
    !
    route-map public_184 permit 10
     match ip address 194
    !
    route-map SDM_RMAP_1 permit 1
     match ip address 100
    !
    !
    control-plane
    !
    !
    line con 0
     login authentication local_authen
     no modem enable
     transport preferred none
     transport output telnet
     stopbits 1
    line aux 0
     login authentication local_authen
     transport output telnet
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 15
     authorization exec local_author
     login authentication local_authen
     length 0
     transport preferred none
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    sntp server 130.88.202.49
    sntp server 130.88.200.98
    sntp server 130.88.200.6
    sntp server 130.88.203.64
    end

    Any help would be appreciated.

    Thank you very much.

    Ciao,

    Eric

    Hi Eric,

    (Sorry for the late reply - needed some holidays)

    So I see that you are a few steps further now. I think that there are 2 things we can try:

    1)

    I guess you have this configured:

    ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

    Since the route-map refers to ACL 100 to define the traffic to be translated, we can exclude the traffic that the router initiates:

    access-list 100 remark SDM_ACL Category=2

    access-list 100 deny   ip host 123.12.12.185 any
    access-list 100 deny   ip any 10.10.148.0 0.0.0.255
    access-list 100 permit ip any any

    Which should prevent the UDP source port 4500 from being changed to 1029.

    OR

    2)

    If you prefer to use a different IP address for the VPN,

    then you can use a loopback like this:

    interface loopback 0

    ip address 123.12.12.187 255.255.255.255

    no shutdown

    crypto map SDM_CMAP_1 local-address loopback 0

    I don't think you should apply the crypto map to the loopback interface, but it's been a while since I have configured something like that, so if you have problems first try it, and if it still does not work get new crypto debugs (isakmp + ipsec on the VPN router, NAT on the router for the client's packets).

    HTH

    Herbert

  • Site-to-site tunnel - traffic flowing in one direction only.

    Greetings to all,

    I configured a site-to-site IPsec tunnel between an ASA5510 and a Linux system, connecting network A with network B in the following way:

    * Chart:

    #---------------IPSec-----------------#

    private network (A) - Linux router (GW1) - WAN - (GW2) ASA5510 - public network (B).

    * Results:

    I checked the IPsec tunnel on the Linux router and Phase 1 and Phase 2 are UP. ASDM also shows an IPsec connection with the correct settings (GW, LAN, remote network etc.).

    If I understand correctly, "show crypto isakmp sa", "show crypto ikev1 sa" and "show crypto ipsec sa" also show that the connection is correct and UP.

    * Now comes the interesting thing:

    If I ping from network A to network B, the ICMP echo requests go through the tunnel and I can see the Rx bytes on the Cisco ASA.

    If I ping from network B to network A, I do not see any Tx bytes on the tunnel. The Linux router also does not see any packets coming through the tunnel.

    When I ping from network B to network A, the firewall logs ICMP denies. This means that traffic from B to A, I don't know why, does not match the corresponding tunnel ACL; the ICMP packets are routed to the default gateway instead of through the tunnel, and they are then matched by a less specific drop rule on the main firewall.

    * Configurations:

    I specifically configured the crypto map to match the networks in both directions.

    There is an ACL that allows traffic in both directions.

    There is a NAT rule that allows traffic between the two networks without being translated, so that the two networks pass freely through the tunnel.

    * Ideas?

    Crypto map?

    NAT?

    ACL?

    Interface security level?

    Thanks in advance.

    Hey Gomez,

    Please try the packet-tracer command:

    packet-tracer input <interface> icmp <source> 8 0 <destination> detailed

    The output of this command would show where the packet is dropped.

    Please send the output of the above command

    HTH!

    Regards

    Regnier

  • L2l VPN is up but no traffic flow

    Hi people,

    I'm trying to set up an L2L VPN between an 1841 and an NSA 2400, via the SDM. The tunnel comes up and when I test connectivity it shows as successful, but I get an error stating:

    "A ping with the data size of this VPN interface's MTU size and the "do not fragment" bit set to the other end VPN device fails. This can happen if there is a lower MTU network which drops the "do not fragment" packets."

    From my reading, this should not cause any traffic to drop, right?

    Currently, I can't ping or telnet to services from one end of the tunnel to the other. I was able to ping the SonicWall end momentarily at one point, but this disappeared shortly after (without changing anything in my config).

    All ACLs created have been populated by the SDM.

    What troubleshooting steps should I take?

    Reduce the MTU size on the interface of your router:

    router(config)# interface type [slot_#/]port_#
    router(config-if)# ip mtu MTU_size_in_bytes

  • LWAPP traffic flow in the WLC

    Hello

    I need to know about traffic flow in the WLC.

    I know that all traffic must pass in the WLC, but I need to know if I can change it.

    Example:

    I have an LWAPP AP, but I want to pass traffic through this unit and then onto the wired network without passing through the WLC.

    Can I do it?

    I also need to know more about the options when I'm setting up an AP in the WLC as local, bridge, H-REAP, monitor and others.

    Thank you.

    Hello

    Here is the link that tells you more about LWAPP traffic flow...

    http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_white_paper09186a0080901caa.shtml

    And here is the link which explains the modes of operation of the AP...

    http://www.Cisco.com/en/us/docs/wireless/controller/7.0/Configuration/Guide/c70lwap.html

    Let me know if this answered your question and please remember to rate the useful messages!

    Regards

    Surendra

  • Traffic and VPN security ACL

    I use a PIX 515 with ASA 7.2. I have a couple of site-to-site tunnels and a remote access configuration. The same PIX is used as a firewall between the inside users and the Internet. I'm sure there is a setting for remote access VPN connections to be exempt from the ACL, but I am not sure how it works for site-to-site tunnels. I recently set up an ACL on my inside interface and, as a precaution, created an ACL which included the statement: access-list inside_access_in permit ip any 10.4.1.0 255.255.255.0

    I have 2 questions: do I need this statement to allow traffic flowing from the networks connected to the inside interface of my firewall (any) to the remote end of the site-to-site tunnel (10.4.1.0/24)? And I thought including ip in the ACL meant all traffic, but on the syslog server I see some blocked UDP traffic. Could anyone clarify how this works for me?

    Thank you

    Bill

    Hi Bill,

    The ACL statements are checked in order, so if UDP is denied before the IP traffic is permitted, you'll see these messages. I do not know how your PIX is configured, but if there is an ACL bound to the inside interface, then we have to permit the VPN traffic and also need to make sure that NAT bypass is configured for such traffic.

    HTH,

    Please rate if this can help.

    Kind regards

    Kamal

  • ACL for TFTP traffic

    Hello

    I need access to a different VLAN for TFTP traffic. So I've created an ACL like this:

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

    I added this ACL on the source (192.168.30.0) interface as INCOMING.

    The request to the TFTP server is established and the TFTP server responds from a random port for the file transfer.

    Here's the problem: because of the random port, the ACL blocks the file transfer.

    Any idea?

    Greetings,

    Rouven

    Hi Ganesh,

    Windows 2003, on which the TFTP server resides, uses the range 1025 to 5000 as ephemeral ports. So I've decided to use the following ACL:

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp

    This has the drawback you've already mentioned. But actually I see no other way to solve the problem.

    Thank you for your support!

    Greetings,

    Rouven

    Hi Rouven,

    As I said earlier too, we need to allow the data transfer ports for TFTP, which are chosen dynamically by the client and the server depending on the traffic flow; try the following ACLs and share the results:

    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 eq tftp
    permit udp 192.168.30.0 0.0.0.255 host 192.168.40.10 range 1025 5000

    Hope this helps!

    Ganesh.H

    Don't forget to rate the useful posts

  • VPN-filter configuration on the VPN traffic

    Hi all

    We set up a site-to-site IPsec with the vendor.

    For security reasons we do not want to allow all traffic through the tunnel.

    ASA has 2 interfaces both inside and outside.

    We deny ip any any on the outside interface.

    I have configured a vpn-filter ACL to allow traffic on port ssh and icmp through the tunnel.

    Then I applied it under the group policy.

    vpn-filter value <name>

    I need to confirm whether I must also allow the IPsec protocols such as ESP etc. under the vpn-filter ACL?

    Regards

    MAhesh

    The vpn-filter is applied to the traffic flowing through the tunnel. You don't need to allow the traffic that 'builds' the VPN, like IKE and IPsec.

    On the ASA, you must also add this traffic to your outside ACL, as is necessary on IOS routers.

    For the vpn-filter, be aware that the syntax is not

    permit/deny PROTOCOL SOURCE DESTINATION
    It's
    permit/deny PROTOCOL REMOTE LOCAL
    This is relevant when you want to filter traffic from your network to the peer's network.

  • Need traffic Analyzer - Capture packets from CISCO

    I use a Cisco router, I've created sub-interfaces, I use public IPs - now I need to check the traffic flow...

    I need the same information below.

    1. IP source address

    2. source port

    3. destination IP

    4. destination port

    5. date and time of access

    I want to capture the details above from the Cisco router.

    What is the solution for this? Can Cisco help me with this?

    Depending on your hardware/IOS, you will need to check what features you have available and what it supports.

    Most routers are limited in that they cannot support SPAN, but the 3845s can, or you could look at using the RITE feature.

    Some routers also support the monitor capture buffer.

    http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

    https://supportforums.Cisco.com/document/29616/utilizing-new-packet-capture-feature

    http://www.Cisco.com/c/en/us/support/docs/switches/Catalyst-6500-Series-switches/10570-41.html

    http://www.Cisco.com/c/en/us/TD/docs/iOS/12_4t/12_4t11/ht_rawip.html

  • Capture packets for VPN traffic

    Hi team,

    Please help me to set up the ACL and capture for remote access VPN traffic.

    To see the amount of traffic that flows from this source IP address.

    Source: remote access VPN IP 10.10.10.10

    Destination: any

    This is what I've done, which does not work:

    access-list VPN extended permit tcp host 10.10.10.10 any

    capture CAP_VPN type raw-data access-list VPN interface OUTSIDE

    Hello

    If you have configured the capture with this access list, you filter only TCP traffic, so you will not be able to see UDP or ICMP traffic either; I would recommend using the ACL, but only with ip:

    access-list VPN extended permit ip host 10.10.10.10 any

    capture CAP_VPN access-list VPN interface outside

    Then with:

    show capture CAP_VPN

    You will be able to see the packet capture on the ASA; you can export the capture to a packet sniffer as follows:

      https://<ASA address>/capture/<capname>/pcap   (capname --> CAP)

    For more details of capture you can find it on this link

    Let me know if you could get the information that you were trying to achieve.

    Please Don t forget to rate and score as correct the helpful post!

    David Castro,

    Kind regards
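Both the router question at the top (source IP, source port, destination IP, destination port, time) and the ASA capture exported through the pcap URL above end up at the same place: a classic libpcap file that has to be reduced to those five fields. The following is an added example, not code from any of the posts or from Cisco; it parses a classic pcap with only the Python standard library and counts packets per source address, which answers the "how much traffic from 10.10.10.10" question. The three sample packets are constructed inline (the 192.0.2.x and 10.10.10.10 addresses are just sample values), and only Ethernet/IPv4 is handled; other link types raise an error rather than being silently misparsed.

```python
"""Reduce a classic (libpcap) capture to src IP, src port, dst IP, dst port and timestamp.
Added example, not from the forum posts; the sample capture below is constructed."""
import struct
from collections import Counter
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4   # magic as read little-endian from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # the same bytes read little-endian from a big-endian file
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_pcap(data):
    """Return one record per IPv4 packet: src_ip, src_port, dst_ip, dst_port, proto, time."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        pkt = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # Skip anything that is not a complete Ethernet + IPv4 header (ethertype 0x0800).
        if len(pkt) < 34 or struct.unpack("!H", pkt[12:14])[0] != 0x0800:
            continue
        ip = pkt[14:]
        ihl = (ip[0] & 0x0F) * 4          # IPv4 header length in bytes (options included)
        proto = ip[9]
        l4 = ip[ihl:]
        sport = dport = None
        if proto in (6, 17) and len(l4) >= 4:   # TCP and UDP both start with src/dst port
            sport, dport = struct.unpack("!HH", l4[:4])
        when = datetime.fromtimestamp(ts_sec, tz=timezone.utc).replace(microsecond=ts_usec)
        records.append({
            "src_ip": _ip_str(ip[12:16]), "src_port": sport,
            "dst_ip": _ip_str(ip[16:20]), "dst_port": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "time": when.isoformat(),
        })
    return records


def count_by_source(records):
    """Packets per source IP: the 'how much traffic comes from 10.10.10.10' view."""
    return dict(Counter(r["src_ip"] for r in records))


def _ipv4_packet(src_ip, dst_ip, proto, payload):
    """Constructed Ethernet + IPv4 frame; MACs and checksums are zero (not needed for parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0, src, dst)
    return eth + ip + payload


def build_sample_pcap():
    """Constructed three-packet capture: a TCP SYN, a UDP datagram and an ICMP echo."""
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    udp = struct.pack("!HHHH", 500, 500, 8, 0)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    packets = [
        (1700000000, 500, _ipv4_packet("10.10.10.10", "192.0.2.10", 6, tcp)),
        (1700000001, 0, _ipv4_packet("10.10.10.10", "192.0.2.20", 17, udp)),
        (1700000002, 0, _ipv4_packet("192.0.2.10", "10.10.10.10", 1, icmp)),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, pkt in packets:
        out += struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt
    return out


if __name__ == "__main__":
    recs = parse_pcap(build_sample_pcap())
    for r in recs:
        print(r["time"], r["proto"], r["src_ip"], r["src_port"], "->", r["dst_ip"], r["dst_port"])
    print(count_by_source(recs))
```

To use it on a real export, read the file with `open(path, "rb").read()` and pass the bytes to `parse_pcap`; the ICMP record shows why the ports are `None` rather than 0, so a consumer cannot mistake "no port" for "port 0".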

  • VPN - Easy VPN hardware client connects, but no traffic

    Hello

    I have a PIX 515E and a 501 acting as a hardware client. Several remote locations are connected as Easy VPN clients; one location connects, but no traffic flows. I switched from network-extension mode to client mode and I can connect through to other network hosts.

    I don't know why this 501 PIX is different. There are no ACLs except the one that is pulled from the head end.

    Any ideas where I should look?

    Thank you

    Vince

    A few quick comments:

    1. I don't see 192.168.0.0 as part of the ACL inside_outbound_nat0_acl.

    2. I see an instance of crypto map 40 which is "incomplete", i.e. it actually has no match address.

    crypto map outside_map 40 ipsec-isakmp

    crypto map outside_map 40 set peer 216.27.161.109

    crypto map outside_map 40 set transform-set ESP-DES-MD5

    ! Incomplete

    Not sure if this is the current configuration of the PIX. If there is an instance of a crypto map with an incomplete match address, all traffic will be encrypted.

    Kind regards

    Arul
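The "incomplete crypto map" point above is easy to miss by eye in a long PIX/ASA config, so here is an added example (not code from the post or from Cisco) that parses the numbered `crypto map <name> <seq> ...` statements and reports entries that lack a match address, a peer or a transform set. The sample config is constructed: it reuses the outside_map 40 entry quoted in the post (peer 216.27.161.109), adds a complete entry 10 with a made-up peer, and adds a dynamic entry 65535, which legitimately has no match address and must not be flagged.

```python
"""Flag crypto map entries missing the pieces a static IPsec peer needs.
Added example; the sample config is constructed around the post's outside_map 40 entry."""
import re
from collections import defaultdict

REQUIRED = ("match address", "set peer", "set transform-set")
# Numbered entries only: 'crypto map <name> <seq> <statement>'. The interface binding
# ('crypto map outside_map interface outside') has no numeric seq and is skipped.
ENTRY_RE = re.compile(r"^\s*crypto map (\S+) (\d+) (.+?)\s*$")


def parse_crypto_maps(config_text):
    """Return {(map_name, seq): [statement, ...]} for every numbered crypto map entry."""
    entries = defaultdict(list)
    for line in config_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[(m.group(1), int(m.group(2)))].append(m.group(3))
    return entries


def find_incomplete(entries):
    """List (map_name, seq, [missing statements]) for static ipsec-isakmp entries."""
    findings = []
    for name, seq in sorted(entries):
        stmts = entries[(name, seq)]
        mode = [s for s in stmts if s.startswith("ipsec-isakmp")]
        if not mode:
            continue                       # not an IPsec/ISAKMP entry
        if any("dynamic" in s for s in mode):
            continue                       # dynamic entries get their peer/ACL at negotiation time
        missing = [r for r in REQUIRED if not any(s.startswith(r) for s in stmts)]
        if missing:
            findings.append((name, seq, missing))
    return findings


# Constructed sample: entry 10 is complete, entry 40 is the incomplete one from the post,
# entry 65535 is a dynamic map (the remote-access VPN clients) and is expected to be clean.
SAMPLE_CONFIG = """\
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 198.51.100.7
crypto map outside_map 10 set transform-set ESP-DES-MD5
crypto map outside_map 40 ipsec-isakmp
crypto map outside_map 40 set peer 216.27.161.109
crypto map outside_map 40 set transform-set ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
"""


def check_config(config_text=SAMPLE_CONFIG):
    return find_incomplete(parse_crypto_maps(config_text))


if __name__ == "__main__":
    for name, seq, missing in check_config():
        print("crypto map %s %s is incomplete: missing %s" % (name, seq, ", ".join(missing)))
```

Run it against `show running-config` output saved to a file (`check_config(open(path).read())`); an empty result means every static entry has all three statements, which is the state Arul's comment asks you to confirm.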

  • Cannot pass traffic from the VPN client to the remote site-to-site VPN

    Hello

    I can't get traffic flowing between my VPN clients and my remote site-to-site VPN; I followed this link step by step:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a008046f307.shtml

    My firewall says that the packet is dropped by stateful inspection.

    But the "same-security-traffic..." command should resolve this problem.

    %ASA-6-302020: Built inbound ICMP connection for faddr 10.48.100.2/0 gaddr 10.48.100.2/0 laddr 10.45.231.163/1 (nworks)

    %ASA-6-302020: Built outbound ICMP connection for faddr 10.45.231.163/1 gaddr 10.45.231.163/1 laddr 10.48.100.2/0

    %ASA-6-302021: Teardown ICMP connection for faddr 10.48.100.2/0 gaddr 10.48.100.2/0 laddr 10.45.231.163/1 (nworks)

    %ASA-6-302021: Teardown ICMP connection for faddr 10.45.231.163/1 gaddr 10.45.231.163/1 laddr 10.48.100.2/0

    Is there anything else you might think that I'm missing?

    Best regards

    Erik

    Erik,

    Please check it out, because no decaps means the ASA is not seeing what is on the other side of the tunnel.

    If you send traffic and you see the encaps increment... but nothing in return... 99% sure that the problem is at the other end.

    Federico.
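Federico's check (encaps climbing while decaps stay at zero) is a counter comparison per peer, and it is worth having as a script when several tunnels are involved. The following is an added example, not code from the post or from Cisco; it parses the `current_peer:` and `#pkts encaps:` / `#pkts decaps:` lines from `show crypto ipsec sa` output and classifies each SA. The sample output is constructed and only approximates the ASA format (documentation-range peer addresses, counters chosen to show a one-way and a healthy tunnel); the network idents reuse the 10.45.231.x and 10.48.100.x ranges from the log lines above.

```python
"""Classify IPsec SAs from 'show crypto ipsec sa' output by encaps/decaps counters.
Added example; the sample output below is constructed and approximates the ASA format."""
import re

PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_sa_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}}, summing counters per peer top to bottom."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers.setdefault(current, {"encaps": 0, "decaps": 0})
            continue
        if current is None:
            continue                        # counters before any peer line: ignore
        m = ENCAPS_RE.search(line)
        if m:
            peers[current]["encaps"] += int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            peers[current]["decaps"] += int(m.group(1))
    return peers


def classify(counters):
    """Map an encaps/decaps pair to the troubleshooting direction it points at."""
    enc, dec = counters["encaps"], counters["decaps"]
    if enc == 0 and dec == 0:
        return "idle: nothing matched the crypto ACL in either direction"
    if enc > 0 and dec == 0:
        return "one-way: we encrypt, nothing comes back; look at the remote end"
    if enc == 0 and dec > 0:
        return "one-way: remote sends, we never encrypt; check local routing, NAT and crypto ACL"
    return "bidirectional"


def diagnose(text):
    return {peer: classify(c) for peer, c in parse_sa_counters(text).items()}


# Constructed sample; peer addresses are documentation-range placeholders.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 40, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.45.231.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.48.100.0/255.255.255.0/0/0)
      current_peer: 203.0.113.9

      #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

      #pkts encaps: 3412, #pkts encrypt: 3412, #pkts digest: 3412
      #pkts decaps: 3390, #pkts decrypt: 3390, #pkts verify: 3390
"""


if __name__ == "__main__":
    for peer, verdict in diagnose(SAMPLE_SHOW_CRYPTO_IPSEC_SA).items():
        print(peer, "->", verdict)
```

Take two snapshots a minute apart and diff the counters rather than trusting absolute values: an SA that was healthy yesterday still shows a large decaps total today even if the return path broke an hour ago.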

  • View Security Server network traffic

    Can someone clarify some confusion I have with the View Security Server? I have looked at different diagrams of network ports and protocols, and I want to understand how network connectivity from outside to an internal network via a Security Server is managed.

    I know that a connection is initiated externally to the Security Server, and it is then passed on to a Connection Server that authenticates the user and then allocates a desktop. At this point the external client connects directly to the View desktop.

    However, I see some diagrams where the above happens, but the connection from the external client to the View desktop is managed by the Security Server.

    In my environment, from the network traces I see the first case, with View desktops trying to communicate through the firewall to the external client. Currently they are blocked by the firewall and connections are not established.

    How do other people see what is happening?

    You are right that the View Client connects to the View Security Server to authenticate, and this authentication traffic is passed to the View Connection Server, which manages the actual authentication (against Active Directory and possibly RSA SecurID or RADIUS etc.). If this authentication is successful, then the desktop protocol traffic is allowed through the Security Server. Any desktop protocol traffic which is not on behalf of an authenticated user is blocked. As the Security Server is usually deployed in a DMZ, the Security Server provides protection for the virtual desktops and RDS hosts to make sure they are not exposed directly to the Internet.

    It is possible to configure the View Security Server so that it does not act as the gateway for this desktop protocol traffic, but when it is used to provide remote access from the Internet, it is recommended that the desktop protocols go through the Security Server in order to get this protection.

    The desktop protocols include PCoIP, Blast, RDP, ROR, USB redirection, remote printing etc.

    There is a description of remote access to View environments here https://communities.vmware.com/docs/DOC-14974 that covers the traffic flows.

    If you have set things up to route the desktop protocols via the Security Server, you may still see the first attempts from the virtual desktop to send UDP PCoIP packets directly to the client, but you don't need to allow those; they are not required. As soon as the PCoIP server component on the virtual desktop sees incoming UDP packets from the Security Server, it sends the UDP response datagrams to the Security Server and everything works as expected.

    I hope this helps.

    Mark
