Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About drumrb0y
Stats
Member since
08-14-2003
184
Posts
15
Helpful
1
Solution
Created by
drumrb0y
in Wireless and Mobility
in Wireless and Mobility
03-01-2013
12:43 PM
03-01-2013
12:43 PM
I just completed setting up a AIR-CT2504-K9 controller with 9 APs with RADIUS on the private WLAN and an open guest WLAN; I want to enable netflow exports to a collector, but see no place in the GUI to do this and no obvious CLI commands. Could someone please point me in the right direction? Thanks, M
... View more
Labels:
02-26-2013
07:50 AM
I had the same issue with a 2504 controller and Scott's recommendation fixed it. Great job, Scott. Cisco should clarify their startup guide to account for this.
... View more
Created by
drumrb0y
in VPN and AnyConnect
in VPN and AnyConnect
11-05-2012
11:32 AM
11-05-2012
11:32 AM
Thanks for your reply; Here are the relevant parts of the ASA config: crypto ipsec transform-set fdoe3desset esp-3des esp-md5-hmac crypto ipsec transform-set doe-sha esp-3des esp-sha-hmac crypto ipsec transform-set des-sha esp-des esp-sha-hmac crypto ipsec transform-set remoteset esp-des esp-md5-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map fdoedynmap 65530 set transform-set remoteset crypto dynamic-map fdoedynmap 65530 set security-association lifetime seconds 7200 crypto map remotemap 65535 ipsec-isakmp dynamic fdoedynmap crypto map remotemap interface outside crypto ca trustpoint ASDM_TrustPoint0 enrollment terminal subject-name ------------------ keypair doesslkey crl configure crypto ca trustpoint ASDM_TrustPoint1 enrollment terminal subject-name -------------------- crl configure crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 20 authentication pre-share encryption des hash md5 group 2 lifetime 3600 ** snip ** crypto isakmp policy 70 authentication pre-share encryption 3des hash md5 group 1 lifetime 28800 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 webvpn enable outside csd image disk0:/csd_3.6.6203-k9.pkg csd enable svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1 svc image disk0:/anyconnect-macosx-i386-3.1.00495-k9.pkg 2 svc image disk0:/anyconnect-linux-3.0.10055-k9.pkg 3 svc enable group-policy fdoe_vpn internal group-policy fdoe_vpn attributes wins-server value xx.xx.xx.xx dns-server value yy.yy.yy.yy vpn-idle-timeout 240 vpn-session-timeout 720 vpn-tunnel-protocol IPSec svc split-tunnel-policy tunnelspecified split-tunnel-network-list value split default-domain value fldoe.int The user has an AnyConnect client installed on his Apple laptop; I wasn't aware that there was a component that needed to be installed in the ASA for AnyConnect clients to work. Am I confusing AnyConnect with another web SSL VPN application for the ASA 5550?
... View more
Created by
drumrb0y
in VPN and AnyConnect
in VPN and AnyConnect
11-02-2012
09:38 AM
11-02-2012
09:38 AM
I have AnyConnect newly configured on my ASA 5550, running 8.2.x code; however, Mac users cannot connect using the Apple client, nor using the Cisco AnyConnect client - they are getting a "posture error" of some kind or the laptop is failing some kind of machine profiling. Help - I have no Apple OS experience on this. Thanks, Marc
... View more
Labels:
10-02-2012
09:56 AM
Yes, I performed a 'clear xlate' - both local, global, and general, to no effect. I wound up opening a TAC case for this and the tech indicated that I needed to do a 'clear conn' to reset the xlate to the new limits. Marc
... View more
10-02-2012
07:33 AM
I've got an ASA 5550 running Software Version: 8.2(2);
I replaced two static NAT commands below with new commands to change the
connection limits:
no static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 500 1000 static (inside,outside) ggg.ggg.ggg.118 ppp.ppp.ppp.118 netmask 255.255.255.255 tcp 5000 5000
no static (inside,outside) ggg.ggg.ggg .229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 1000 0 static (inside,outside) ggg.ggg.ggg.229 ppp.ppp.ppp.229 netmask 255.255.255.255 tcp 5000 5000 ~~ However, I am still getting connection limit exceeded messages in the log:
Oct 02 2012 10:01:22: %ASA-3-201011: Connection limit exceeded 500/500 for inbound packet
from 169.139.16.2/59278 to ggg.ggg.ggg.118/443 on interface outside
Help! This is a mission-critical application that is being affected. Thanks! Message was edited by: Marc Chin
... View more
Labels:
04-14-2012
05:14 PM
You caught it, Jouni! I was confident that the issue was simply a typo in my configuration and you caught it... Once I removed that incorrect command and performed a 'clear xlate' in the ASA, I immediately began moving pings between the DMZ190 and DMZ184 hosts, as well as internal networks to the DMZ184 Thanks to both you and Julio for your time, Marc
... View more
04-14-2012
04:32 PM
Hi Julio; Yes, I can ping hosts in both VLANs from the ASA; partial 'sh route' output is: Gateway of last resort is 64.xx.xx.1 to network 0.0.0.0 C 64.xx.xx.0 255.255.255.0 is directly connected, outside S 10.10.0.0 255.255.128.0 [1/0] via 10.10.250.12, transit C 10.10.184.0 255.255.255.0 is directly connected, dmz184 C 10.10.190.0 255.255.255.0 is directly connected, dmz190 S* 0.0.0.0 0.0.0.0 [1/0] via 64.xx.xx.1, outside ASA1# Full failed packet-tracer output: ASA1# packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.$ Phase: 1 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found no matching flow, creating a new flow Phase: 2 Type: UN-NAT Subtype: static Result: ALLOW Config: static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0 nat-control match ip transit 10.10.184.0 255.255.255.0 dmz190 any static translation to 10.10.184.0 translate_hits = 0, untranslate_hits = 153 Additional Information: NAT divert to egress interface transit Untranslate 10.10.184.0/0 to 10.10.184.0/0 using netmask 255.255.255.0 Phase: 3 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group dmz190_out in interface dmz190 access-list dmz190_out extended permit ip any any Additional Information: Phase: 4 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Phase: 5 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 6 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Phase: 7 Type: NAT Subtype: host-limits Result: ALLOW Config: static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0 nat-control match ip dmz190 10.10.190.0 255.255.255.0 dmz184 any static translation to 10.10.190.0 translate_hits = 0, untranslate_hits = 2 Additional Information: Phase: 8 Type: NAT Subtype: rpf-check Result: ALLOW Config: static (transit,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0 nat-control match ip transit 10.10.184.0 255.255.255.0 dmz190 any static translation to 10.10.184.0 translate_hits = 0, untranslate_hits = 153 Additional Information: Phase: 9 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 3374152, packet dispatched to next module Result: input-interface: dmz190 input-status: up input-line-status: up output-interface: transit output-status: up output-line-status: up Action: drop Drop-reason: (no-adjacency) No valid adjacency ASA1# I hope this helps, Marc
... View more
04-14-2012
02:22 PM
I have an ASA 5510 with sub-interfaces configured for multiple VLANs traversing a trunk on Interface 0/2; these interfaces are all DMZs - they all must reach a fellow DMZ VLAN that contains a domain controller: interface Ethernet0/2.184 description VLAN-184-DMZdomaincontroller vlan 184 nameif dmz184 security-level 49 ip address 10.10.184.1 255.255.255.0 The VLAN 190 represents a typical DMZ sub-interface; note that the security level is not the same, so that communication is allowed: interface Ethernet0/2.190 description VLAN-190 vlan 190 nameif dmz190 security-level 50 ip address 10.10.190.1 255.255.255.0 Since all the DMZ VLANs are connected networks, no explicit routes are necessary; access-lists are currently wide-open for troubleshooting: access-list dmz184_out extended permit ip any any access-list dmz190_out extended permit ip any any access-group dmz184_out in interface dmz184 access-group dmz190_out in interface dmz190 Both DMZs have Internet access: nat (dmz184) 1 10.10.184.0 255.255.255.0 nat (dmz190) 1 10.10.190.0 255.255.255.0 global (outside) 1 interface route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx 1 Both DMZs have a static NAT to each other: static (dmz184,dmz190) 10.10.184.0 10.10.184.0 netmask 255.255.255.0 static (dmz190,dmz184) 10.10.190.0 10.10.190.0 netmask 255.255.255.0 Problem: Packet tracer shows different results for flow sourced from each VLAN and I cannot ping fron a host in VLAN 190 to a host in VLAN 184: OK - packet-tracer input dmz184 icmp 10.10.184.100 8 8 10.10.190.155 Result: input-interface: dmz184 input-status: up input-line-status: up output-interface: dmz190 output-status: up output-line-status: up Action: allow NOT OK - packet-tracer input dmz190 icmp 10.10.190.155 8 8 10.10.184.100 Result: input-interface: dmz190 input-status: up input-line-status: up output-interface: transit output-status: up output-line-status: up Action: drop Drop-reason: (no-adjacency) No valid adjacency I don't have access to the VLAN 184 host and can only ping one-way. I'm running version 8.0(5). Suggestions? Troubleshooting ideas? Thanks in advance, Marc
... View more
Labels:
03-30-2012
09:11 AM
The only interface that connects my old network to the new one is the 'transit' interface; the output of the command is: ASA1# sh int ip brief Interface IP-Address OK? Method Status Protocol Ethernet0/2 unassigned YES unset up up Ethernet0/2.188 10.10.188.1 YES CONFIG up up Ethernet0/2.200 10.10.200.1 YES manual up up
... View more
03-30-2012
06:51 AM
There is a static route in place: ip route 10.10.200.0 255.255.255.0 10.10.250.1
... View more
03-30-2012
05:52 AM
Thanks for your reply; No, I cannot ping the ASA from the 6506; however, the ASA can ping the 6506 and my workstation beyond. I also noted that the ASA doesn't show up in a 'show cdp neighbors' on the 6506.
... View more
03-29-2012
01:20 PM
I haven't added to my entwork in a while, so I might be a bit rusty on LAN connectivity troubleshooting. I have an ASA55xx that will be the L3 core of a new network infrastructure; the VLANs defined on the edge switches will trunk to a DMZ interface on the ASA and subinterfaces will route internally. My old network will connect via a "transit" DMZ interface and the outside interface will be configured as is typical. My problem is that I only have 1-way connectivity between a ASA subinterface and my old network; a simple diagram is: Servers -> subinterface (10.10.200.1) -> DMZ interface -> [ASA55xx] -> transit interface -> [6506] -> L3 VLAN (10.10.3.1) -> My workstation I can ping from the ASA to my workstation at 10.10.3.x, but I cannot ping the subinterface 10.10.200.1 from my workstation. I suspect that it might be a NAT issue, but configuring NAT bypass did nothing. Partial ASA config: names ! interface Ethernet0/0 nameif outside security-level 0 ip address xx.xx.xx.xx yy.yy.yy.yy ! interface Ethernet0/1 no nameif no security-level no ip address ! interface Ethernet0/1.162 description VLAN-162 vlan 162 nameif inside162 security-level 100 ip address 10.10.162.1 255.255.255.0 ! interface Ethernet0/1.179 description BACKBONE vlan 179 nameif inside179 security-level 100 ip address 10.10.179.254 255.255.255.0 ! interface Ethernet0/2 no nameif no security-level no ip address ! interface Ethernet0/2.200 description VLAN-200-TKRDMZ vlan 200 nameif dmz200 security-level 50 ip address 10.10.200.1 255.255.255.0 ! interface Ethernet0/3 nameif transit security-level 75 ip address 10.10.250.1 255.255.255.240 ! access-list transit-nat-bypass extended permit ip 10.10.162.0 255.255.255.0 interface transit ! nat-control global (outside) 1 interface nat (transit) 0 0.0.0.0 0.0.0.0 nat (inside162) 0 access-list transit-nat-bypass nat (inside162) 1 10.10.162.0 255.255.255.0 nat (dmz200) 1 10.10.200.0 255.255.255.0 ! route outside 0.0.0.0 0.0.0.0 xx.xx.xx.xx route transit 10.10.3.0 255.255.255.0 10.10.250.12 1 route inside179 10.10.179.0 255.255.255.0 10.10.179.1 1 I can provide Cat6500 config lines also, but I don't think that the issue lies there. Any opinions will be welcomed. ~Thanks!
... View more
Labels:
Created by
drumrb0y
in VPN and AnyConnect
in VPN and AnyConnect
06-29-2011
06:55 AM
06-29-2011
06:55 AM
Hi Jennifer; You and I were both correct in our suspicion - the issue has since resolved itself and it was upstream. Thanks for your reply! Marc
... View more
Created by
drumrb0y
in VPN and AnyConnect
in VPN and AnyConnect
06-28-2011
01:12 PM
06-28-2011
01:12 PM
I have a host that can successfully connect to a PIX 515E (7.x OS) via VPN Client; however, I have no IP routing to the LAN from the remote host. 1) The VPN IP pool works fine 2) The LAN default gateway is the inside interface on the PIX; the network is flat L2 behind it. 3) The default route on the PIX points out; no other routes are defined 4) The VPN remote host can be pinged from LAN hosts, but the VPN remote host cannot ping any LAN host, not even the PIX inside interface The default group policy is: group-policy DfltGrpPolicy attributes banner value ***** wins-server value *** dns-server value *** dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-storage disable ip-comp disable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain value *** split-dns none secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config client-firewall none client-access-rule none group-policy **** internal This seems like a simple problem, but I was told that VPN Client connections worked fine until a day ago and no configuration changes have been made in months. Thanks for any assistance, M
... View more
Labels:
03-01-2013
I just completed setting up a AIR-CT2504-K9 controller with 9 APs with
RADIUS on the private WLAN an...
02-26-2013
I had the same issue with a 2504 controller and Scott's recommendation
fixed it.Great job, Scott.Cis...
11-05-2012
Thanks for your reply;Here are the relevant parts of the ASA
config:crypto ipsec transform-set fdoe3...
11-02-2012
I have AnyConnect newly configured on my ASA 5550, running 8.2.x code;
however, Mac users cannot con...
10-02-2012
Yes, I performed a 'clear xlate' - both local, global, and general, to
no effect.I wound up opening ...
10-02-2012
I've got an ASA 5550 running Software Version: 8.2(2); I replaced two
static NAT commands below with...
04-14-2012
You caught it, Jouni!I was confident that the issue was simply a typo in
my configuration and you ca...
04-14-2012
Hi Julio;Yes, I can ping hosts in both VLANs from the ASA; partial 'sh
route' output is:Gateway of l...
04-14-2012
I have an ASA 5510 with sub-interfaces configured for multiple VLANs
traversing a trunk on Interface...
Created by
drumrb0y
in VPN and AnyConnect
06-29-2011
06-29-2011
Hi Jennifer;You and I were both correct in our suspicion - the issue has
since resolved itself and i...
Created by
drumrb0y
in VPN and AnyConnect
06-28-2011
06-28-2011
I have a host that can successfully connect to a PIX 515E (7.x OS) via
VPN Client; however, I have n...
Public Statistics
| Date Registered | 08-14-2003 12:18 PM |
| Date Last Visited | 08-18-2017 03:54 AM |
| Total Messages Posted | 184 |
| Total Helpful Votes Received | 15 |
Helpful Votes Given To
.jpg "Hall of Fame Guru"){kind=icon}
Helpful Votes From
