Search Results

Search found 1662 results on 67 pages for 'cisco ace'.

Page 25/67 | < Previous Page | 21 22 23 24 25 26 27 28 29 30 31 32  | Next Page >

• No blocked ports on internal interface of ASA

  - by blsub6

  I have a cisco ASA 5505 with three interfaces: Internal (100), DMZ (50) and External (0). The internal has a IPSEC VPN tunnel to my internal network I couldn't log in to my domain because of all of the port restrictions and such. I tried monitoring the traffic through the interface, seeing what it's blocking and then unblocking those ports but even then it didn't work completely correctly I finally just added a rule to permit any ip traffic from any network to any network on the internal interface and, of course, it worked fine But is that good security practice? Should I be blocking ports on an interface that's internal and over a VPN with the highest security level?

  Read the article

• WinXP workgroup, 3 routers 3 computers

  - by Silvera

  I have 3 computers with WinXP x86, and 3 Cisco 1800 series routers. I'm trying to create a workgroup so that the 3 computers can share files with eachother. They can ping eachother (without any internet connection), and the routers setup is correctly configured (with interfaces, ip adresses, and ports). But none of the computers can see eachother, even though they are on the same network. My first question would be - can it be done the way it is currently configured - and, if yes, how, or can anyone point me in the right direction?

  Read the article

• What ports do I allow over my internal firewall interface?

  - by blsub6

  I have a Cisco ASA that I have VPN tunnels to connect my internal Windows network. I ran into some trouble logging into my domain so I unblocked all the ports on that internal interface. On a previous question posted here, the general consensus was that I should be blocking ports on my inside interface but my question is: what ports should I unblock? I've tried unblocking ports 88, 139, 135, 389, and 445 and Windows logins still give me problems. Is there some MS documentation somewhere that tells me what I need to unblock to allow Windows logins and other things?

  Read the article

• Apache Virtual Hosts behind Cisco Router

  - by Theo

  I'm setting up an Apache 2.2 Ubuntu web server for internal services that is also supposed to be accessed from outside our LAN. Our LAN has a single external IP that is the external IP of our RV042 Cisco router. We have set up several A records on our external DNS server that point to this IP. Our internal DNS server resolve the same records to the internal IP of our web server, so computers from inside the network can access them using the same address as if they were outside. We forwarded the router's external 80 port to our web server's 80 port. I have set up one Virtual Host for each domain name in our list, and my httpd.conf is something like this: ServerName web.domain.com NameVirtualHost *:80 <VirtualHost *:80> ServerName alfresco.domain.com <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass /alfresco http://localhost:8080/alfresco ProxyPassReverse /alfresco http://localhost:8080/alfresco ProxyPass /share http://localhost:8080/share ProxyPassReverse /share http://localhost:8080/share </VirtualHost> <VirtualHost *:80> ServerName crm.domain.com DocumentRoot /var/www/sugarcrm </VirtualHost> Now, this works if we are in our LAN. However, if we are outside of our LAN we reach our web server's default page saying: It Works! This is the default web page for this server. But we can't reach the virtual hosts, as if the domain name is not being preserved when the router forward the packets to the web server. Am I doing something wrong? How can I check what is going on? What should be the settings to make this work from outside?

  Read the article

• Windows updates behind a physical firewall with only IP based rules and generic outbound connections are turned off

  - by user125245

  I have some boxes that I do not want to allow any in or outbound traffic to the internet Except for windows updates. However the fire wall in place (Cisco ASA) apparently only supports ip based rules. As best I can tell access to Microsoft updates via anything other then the half dozen URL masks the Microsoft lists as needed does not appear possible. I have kicked around building a full WSUS that I would then manually copy the update files to so that no direct Microsoft access is needed but this sounds very top heavy for the very few boxes involved. I have also kicked around manual updates all around but am not certain how to be conveniently and confidently sure that the correct updates are being applied in the correct order. Any ideas from any direction would be appreciated. I want this as simple / cost effective as possible but have very little flexibility on the only absolutely required internet access policy.

  Read the article

• Linux QoS (Skype / BitTorent / SIP / HTTP priority)

  - by Andre

  We are configuring a linux box that will act as internet gateway for an office of 30-50 computers. We are using iptables/HTB for traffic shaping. Is there a way to match traffic on L7 level? It's easy to identify traffic by TCP/UDP ports (like SIP and HTTP). But what if we are dealing with Skype & BitTorent? It was surprise for me that there is no powerful and matured sulution for tasks like this. I found only l7-filter (http://l7-filter.clearfoundation.com/) patch for the Linux kernel, but it's no longer supported (it seems to). Moreover it couldn't be compiled with modern Linux kernels. The only option I found was to use a Cisco router. Are there other ways to identify and shape Skype and Bittorent traffic?

  Read the article

• Switch to switch encryption over a wireless bridge (TrustSec?)

  - by metatheorem

  I am planning to connect an existing Cisco 3750 switch to a 3560C switch over a wireless PTP bridge. The bridge will be WPA2 protected, but I am looking for an additional measure of security between the switches to prevent other wireless access through either switch. They do not support IPSec, only 802.1Q tunnels, and buying additional hardware is not likely an option. I am looking into using TrustSec manual mode between the switches. After some effort reading into TrustSec and MACsec, I am mostly certain this is a good choice over the wireless bridge, keeping in mind it is a shared medium. Two questions: Can I reliably prevent other wireless traffic from accessing the switches using TrustSec? Does anyone know of any better options with the 3000 series switches?

  Read the article

• Network connectivity issue

  - by kubiej21

  I am a novice cisco user and I am trying to investigate as to why one of our connections went down. We have a fiber network ring that is operating just fine. Connected to this ring via ethernet, is a lone 3560. This connection has worked flawlessly for the past year and a half. This morning, I noticed that I could not connect to that remote switch. I checked the configurations on both switches, and nothing has changed (as I expected). In the field, the port lights were flashing, indicating that some sort of communication is occurring. There is only 1 ethernet cable that has been run between these two locations, so testing an alternate path is not possible. What else can I do to fix this connection?

  Read the article

• Excluding four IP's from a /32 static route

  - by Justin

  I have a Cisco ASA routing a /32 of public addresses (non RFC-1812) through a private link. When the device sees the destination address it selects the private route instead of going out over the public network. This works great but I am now trying to exclude 4 IP's from the private route. Traffic to these addresses should go over the public internet instead of being routed over the private network. Can I just add anothe route for these four IP's or do I have to modify the existing route for the /32?

  Read the article

• Bridging two networks

  - by Jukodan

  I'm hoping you may be able to offer some advice as I'm not very familiar with setting up routers/access points. I have a network of computers on an active directory domain on the 192.NET. I then have another network on the 10.NET that needs to have access to the domain on the 192.NET. I am using cisco/linksys routers. What methodology would you suggest so that these two can communicate and I can add the computers form the 10.NET to the domain? Edit: Basically, I'm having trouble figuring out how to setup a static route

  Read the article

• CodeMirror Dynamic Syntax Validation

  - by rawr

  Been trying to decide between using CodeMirror or Ace editor. I've been leaning towards CodeMirror, however there's one feature of Ace that I really like and that is how it does syntax validation. So as I'm typing there can appear a warning or error icon in the left gutter area beside the line number, and when I hover over it it gives me a little description. Is there any way to get this functionality in CodeMirror? Specifically, I'm using the css mode for CodeMirror. It'd also be nice to be able to add in my own custom validation. Thanks.

  Read the article

• Implement QoS/Bandwidth Management or Upgrade Bandwidth?

  - by Michael

  A question that I'm faced with currently. Here's my setup: Cisco ASA 5510 15Mbps Internet Connection @ $1350/month The bandwidth was originally meant for 35-45 people but we've grown quite quickly to roughly 60-65 people. Needless to say, when I check bandwidth logs it's almost always spiked at 15Mbps. I did use Wireshark to do some poking around to see what was hogging up our bandwidth but with everything running through CDNs and Cloud Services it proved difficult to get a good grasp of where our bandwidth was going. So the question is do I ONLY implement bandwidth management through ASA OR upgrade the Internet to 50Mbps ($1600/month) and then implement bandwidth management through ASA? Any suggestions on how to segment the 15Mbps connection if we decided ONLY to go with the bandwidth management solution? Thanks. UPDATE 1 Installed PRTG and used packet content to monitor the traffic. As I suspected still pretty vague. My Top Connections include the following: a204-2-160-16.deploy.akamaitechnologies.com ec2-50-16-212-159.compute-1.amazonaws.com a204-2-160-48.deploy.akamaitechnologies.com a72-247-247-133.deploy.akamaitechnologies.com mediaserver-sv5-t1-1.pandora.com Other than the Pandora destination, the rest doesn't tell me much on how to properly control the bandwidth. Any thoughts or suggestions? Thanks. M

  Read the article

• Skype performance in IPSEC VPN

  - by dunxd

  I've been challenged to "improve Skype performance" for calls within my organisation. Having read the Skype IT Administrators Guide I am wondering whether we might have a performance issue where the Skype Clients in a call are all on our WAN. The call is initiated by a Skype Client at our head office, and terminated on a Skype Client in a remote office connected via IPSEC VPN. Where this happens, I assume the trafficfrom Client A (encrypted by Skype) goes to our ASA 5510, where it is furtehr encrypted, sent to the remote ASA 5505 decrypted, then passed to Client B which decrypts the Skype encryption. Would the call quality benefit if the traffic didn't go over the VPN, but instead only relied on Skype's encryption? I imagine I could achieve this by setting up a SOCKS5 proxy in our HQ DMZ for Skype traffic. Then the traffic goes from Client A to Proxy, over the Skype relay network, then arrives at Cisco ASA 5505 as any other internet traffic, and then to Client B. Is there likely to be any performance benefit in doing this? If so, is there a way to do it that doesn't require a proxy? Has anyone else tackled this?

  Read the article

• Site to Site VPN with Fault Tolerence

  - by Nordberg

  Hello, I have a situation where I require an IPSEC tunnel between two sites. Site 2 is a small branch office with basic (ADSL) connectivity and Site 1 is the "main" office with SDSL and ADSL for redundancy should the SDSL fail. From Site 1, all traffic bound for the 172.0.0.0 network will then be sent down another IPSEC tunnel to a supplier's Remote Server. See this page for the basic premise (this is a rough idea and things can be moved about etc...) I am considering specifying Cisco ASA devices as the firewalls for both sites for all connections. Would it be possible to employ something like HSRC to provide a backup at Site 1 should the SDSL go down? I suppose the key aims here are that Site 2 can somehow failover to initiate a VPN to the ASA behind the ADSL at Site 1. I will have a 21 subnet mask on all internet connections so can play with Class C routing if need be... If I'm barking up the wrong tree with HSRC, is there another way I can acheive this without massive expenditure on Barracuda routers et al? Many Thanks.

  Read the article

• ASA DHCP Relay configuration..

  - by Jeff

  I have locations in different cities, connected using 2 Cisco ASA devices. my main location, corporate, use the IP 192.168.1.x The second location, remote store, use the IP 192.168.3.x I have a DHCP server (192.168.1.254) at my corporate location. I have created a scope for the 192.168.1.x which works fine for the corporate location. I created a scope for the remote location (192.168.3.x) on my DHCP server and tried to configure the remote ASA DCHP Relay, on the remote ASA: I disabled the DHCP Server on the inside. I enabled DHCP Relay on the inside, with set route set at yes. I set the Global DHCP Relay Servers, specify up to four servers to which DHCP requests would be relayed. I added my DHCP, 192.168.1.254 I flashed these settings to the ASA and gave it a try, didn't do anything. am i missing something - forgetting something. not really sure what im doing wrong. DHCP Settings on remote ASA: dhcp-client update dns server both dhcpd dns 192.168.1.254 dhcpd ping_timeout 750 dhcpd domain JEWELS.LOCAL dhcpd auto_config outside dhcpd update dns both ! dhcpd address 192.168.3.2-192.168.3.33 inside ! dhcprelay server 192.168.1.254 outside dhcprelay enable inside dhcprelay setroute inside on my local ASA: i have two ACLs for UDP ports 67 and 68 permitting any inbound traffic from the remote locations IP ... dhcprelay timeout 120

  Read the article

• Why does nmap ping scan over a VPN link return all hosts alive?

  - by ewwhite

  I'm curious as to why running an nmap -sP (ping scan) on a remote subnet linked via a Cisco site-to-site IPSec tunnel returns "host up" status for every IP in the range. [root@xt ~]# nmap -sP 192.168.108.* Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2012-11-22 14:08 CST Host 192.168.108.0 appears to be up. Host 192.168.108.1 appears to be up. Host 192.168.108.2 appears to be up. Host 192.168.108.3 appears to be up. Host 192.168.108.4 appears to be up. Host 192.168.108.5 appears to be up. . . . Host 192.168.108.252 appears to be up. Host 192.168.108.253 appears to be up. Host 192.168.108.254 appears to be up. Host 192.168.108.255 appears to be up. Nmap finished: 256 IP addresses (256 hosts up) scanned in 14.830 seconds However, a ping of a known-down IP simply times out or doesn't return anything... [root@xt ~]# ping 192.168.108.201 PING 192.168.108.201 (192.168.108.201) 56(84) bytes of data. --- 192.168.108.201 ping statistics --- 144 packets transmitted, 0 received, 100% packet loss, time 143001ms Is there a more effective way to scan live devices connected in this manner?

  Read the article

• Port translation in router causing some email to fail

  - by user22037

  We are in the process of setting up a spam filter (SAVASM). One change we are making is to push incoming email on port 25 through our spam filter/server but have users actually send their email on a different port. I am attempting to make this happen by using port address translation to send port 25 traffic to the SAVASM server IP. As a step in making this change I setup port translation without actually changing the IP addresses. The NAT rules for the email server went from one Static NAT rule with no port specified, to multiple Static NAT rules each with a port or group matching the Access Rules for that server (smtp, pop3, http, https, and some other custom ports). The problem we are running into is confusing. Some outgoing mail through this server is failing when the router has the multiple NAT rules with port translation settings. Email goes through fine FROM our email to our internal accounts and to Gmail. However email fails when FROM our client's email address TO our client's email or their personal Comcast. The only situation that worked for them was if they changed FROM to Comcast and then messages went through fine to both Comcast and the client's accounts. Switching back to regular Static NAT rule everything then worked for them. Does anyone have a clue as to what might be going on? We are on a Cisco ASA 5500 box.

  Read the article

• Why is the link between my switch and my router always negotiating half-duplex mode?

  - by Massimo

  I have a Cisco 2950 switch which has one of its ports connected to an Internet router provided by my ISP; I have no access to the router configuration, but I manage the switch. If I leave all switch ports with their default setup (auto-negotiation of speed and duplex mode), this link always connects at 100 MBit/s, but in half-duplex mode. I've tried replacing the cable, and also moving the link to another switch port: the result is always the same. A different device connected to the same port (or to any switch port, really) shows no problem at all. It could be guesed that someone configured the router to only connect in half-duplex mode... BUT, here's the catch: if I manually force the switch port to full-duplex mode (duplex full in the interface configuration), the link goes up, stays up and is completely stable. So: The connection is not forced to half-duplex mode by the router, otherwise it would not connect at all if I force the switch end to full-duplex. There is no actual link problem, otherwise the full-duplex connection would not go up or would at least show some errors. But if I leave the port free to auto-negotiate, it always connects in half-duplex mode. Why?

  Read the article

• Routing for Two Hosts Behind a IPSec Tunnel

  - by Brent

  Network A 10.110.15.0/24 Firewall is .1 Host A is .2 Network B 10.110.16.0/24 Firewall is .1 Host B is .2 Two Cisco ASA's. IPSec tunnel with a crypo map that secures 10.110.15.0/24 <- 10.110.16.0/24. Let's say two hosts, 10.110.15.2 and 10.110.16.2 need to talk to each other. Normally I have to enter a persistent static route on a each host along the lines of: route add 10.110.16.0 mask 255.255.255.0 10.110.15.1 metric 1 -p (on the "A" box) I also have to enter another persistent static route on the .16 host in order for the traffic to know how to get back to the .15 network. Note that the default for each machine IS the firewall, so .1. I have no problem adding persistent routes on Windows/ESX/*nux machines but what about a smart switch in the .16 network that I want to manage from the .15 network. Do I need to run a routing protocol? Do I need to have Reverse Route Injection enabled on both ends of the IPSec tunnel? Should I add a route on the firewall? If so, how do you formulate it? Does it get a metric of 1 and my default route 0.0.0.0 get a metric of 2?

  Read the article

• iPhone doesn't save password for Cisco IPsec VPN using racoon daemon

  - by dsx

  On my Debian server I had set up racoon daemon (1:0.8.0-14) for Cisco IPSec VPN using certificates for authentication. My racoon.conf is like following: log info; path certificate "/etc/racoon/certs"; listen { isakmp $SERVER_IP_HERE [500]; isakmp_natt $SERVER_IP_HERE [4500]; } timer { natt_keepalive 10 sec; } remote anonymous { lifetime time 24 hours; proposal_check obey; passive on; exchange_mode aggressive,main; my_identifier asn1dn; peers_identifier asn1dn; verify_identifier on; certificate_type x509 "cert_name.crt" "key_name.key"; ca_type x509 "ca.crt"; mode_cfg on; verify_cert on; ike_frag on; generate_policy on; nat_traversal on; dpd_delay 20; proposal { encryption_algorithm aes; hash_algorithm sha1; authentication_method xauth_rsa_server; dh_group modp1024; } } mode_cfg { conf_source local; auth_source system; auth_throttle 3; save_passwd on; dns4 8.8.8.8; network4 $SOME_LAN_SUBNET; netmask4 255.255.255.0; pool_size 128; } sainfo anonymous { pfs_group 2; lifetime time 24 hour; encryption_algorithm aes; authentication_algorithm hmac_sha1; compression_algorithm deflate; } I'm not using PSK authentication here. Using iPhone configuration utility I had uploaded all required certificates to iPhone and set up VPN on demand. Everything works just fine except one thing: iPhone refuses to save VPN password regardless of save_passwd on; in racoon configuration file. As opposed to iPhone behaviour, Mac OS X 10.8.2 have no problems saving password. I had examined iPhone log file and found following: racoon[151] <Notice>: >>>>> phase change status = phase 1 established configd[50] <Notice>: IPSec Network Configuration started. configd[50] <Notice>: IPSec Network Configuration: INTERNAL-IP4-ADDRESS = $SUBNET_IP_HERE. configd[50] <Notice>: IPSec Network Configuration: INTERNAL-IP4-MASK = 255.255.255.0. configd[50] <Notice>: IPSec Network Configuration: SAVE-PASSWORD = 0. configd[50] <Notice>: IPSec Network Configuration: INTERNAL-IP4-DNS = 8.8.8.8. configd[50] <Notice>: IPSec Network Configuration: BANNER = . configd[50] <Notice>: IPSec Network Configuration: DEF-DOMAIN = . configd[50] <Notice>: IPSec Network Configuration: DEFAULT-ROUTE = local-address $SUBNET_IP_HERE/32. configd[50] <Notice>: IPSec Phase2 starting. configd[50] <Notice>: IPSec Network Configuration established. configd[50] <Notice>: IPSec Phase1 established. Please note IPSec Network Configuration message containing SAVE-PASSWORD = 0.. Is it a bug in racoon daemon on server, or iPhone (iOS version is 6.0.1 (10A523)) or it is me missing something? How to make iPhone remember IPSec VPN password?

  Read the article

• Tips and Suggestions IP Address Re-Addressing?

  - by RSXAdmin

  Hello serverfault Universe, My ever evolving and expanding local area network is currently using a class-C address. My network consists of multiple subnets depending on site/location. 192.168.1.x is site HQ 192.168.5.x is secondary site 192.168.10.x is so on and so forth. Long story short - I have inherited this network design from the previous admin who has left the company which started off with a dozen people and now has just over 300 full time/part time employees. We do not yet have client VPN access; but we do have site to site VPN setup. My question is, in preparation for outside client access to my network via Cisco ASA, I would like to re-address the HQ site because I understand a 192.168.1.x or 192.168.0.x are not very good choices for a company subnet - it may conflict with a home user's LAN when connecting to my LAN, I believe? Through your experience, does anyone out there have any suggestions and tips on how I can proceed with re-addressing my subnets. If I designed this network I would have gone with a 10.0.0.0 (mask 255.255.255.0) so I am leaning towards changing it to fit. Thank you.

  Read the article

• Piecing together low-powered hardware for an RS-232 terminal server

  - by Fred

  I'm working on reconstructing my Cisco lab for training/educational purposes and I found that the actual terminal server I have is dead. I have a couple of 8-port PCI serial cards which would be more than ample for my lab, but I don't want to leave my personal computer running to be able to access the console ports. Ideally I would access the terminal server remotely, either by SSH/RDP to the box (depending on what OS I go with) or by installing a software package that allows me to telnet directly to a serial port. I know I've found a program that does this under Linux in the past but its name escapes me at the moment. I'm thinking about scavenging for some old hardware, on eBay or something, to put together a low-powered PC. Needs to be something that: Has Low-power consumption Has at least 2 PCI slots (though I certainly wouldn't complain about having more) Has onboard Ethernet (or, if not, another PCI or ISA slot (not shared)) Can be headless once an OS installed (probably Linux) I'm currently leaning towards an old fashioned Pentium (sub-133MHz era) but I am wondering if anybody else knows of another platform/mobo that would suit these needs. Alternatively, I've been considering buying a Raspberry Pi and a big USB hub along with a bunch of USB-Serial adapters but this sounds like it'd get messy quick with cables and adapters all over the place, and I may not even have the same ttyS#'s between boots.

  Read the article

• Swapping out a hardware firewall does the mac address get cached?

  - by Dan

  We need to replace a hardware firewall (cisco pix) and have a spare that we will use (temporarily). The firewall sits in front of a couple of web-servers colocated at a data-centre. The replacement will be configured with identical settings (external/internal IP addresses, configured ports etc.). When we swap the firewalls over, will this work immediately or will the old Pix's mac address be cached and the new firewall not be seen until the cache is cleared? (What is it though that is caching the address? Is it just the switch/router that our pix is connected to?) Reason for asking is a few years ago I had a smoothwall firewall in front of a lone server (the external IP of the smoothwall was also the external IP of the web-server). When I replaced the smoothwall with a pix, the IP address of the web-server stayed the same but it now had to be reached via the new firewall on a different IP. It took about 2-4 hours before the rest of the world could see that web-server again. I'm hoping for less downtime this time!

  Read the article

• DDoS nulling to some ips and other options?

  - by Prix

  I am looking for some information in regards DDoS in the follow scenario: I have a server that is behind a Cisco Guard and it will be DDoS'ed, I only care about a set list of IPS that by not means are the attackers. Is it possible to null all other ips but this list to actually get any response to my server or in the long run no matter what I do if they have enough DDoS power I will just go down like a flie ? Is there any recommended company out there that can actually cope with a DDoS ? My server will mainly run several clients that will get connected to a external server and all it needs access to is my local MySQL the the private network so I can access it. There will be no other services runnings such as web or ftp etc at least not to the external ips of the server if i ever have to have any of these service they will be on the private network. The MySQL will be available externally only to 1 safe ip not known by anyone but me and internally at localhost + private network. Are there any solutions ?

  Read the article

• Road Warrior VPN Setup

  - by wobblycogs

  I apologise up front for the rather open ended nature of this question but I've got well out of my depth and could really do with some pointers. I need to set up a road warrior VPN solution which will allow our customers to securely access a number of services we provide for them. Customer machines will be running a variety of Windows versions from XP onwards with a variety of patch levels. Typically they will connect from the clients main offices but not always. It is safe to assume that all clients will be behind NATs but we may occasionally see a connection that isn't NAT'ed. Typical connection situation is therefore: Customer Laptop -- Router (NAT) -- Internet -- VPN Server + Firewall -- Server (Win 2008 R2, Non-routable IP) There will initially be a dozen or so people that could connect but that will grow quickly to around 100. It's unlikely that we'll see that many concurrent connections though, I imagine our total VPN throughput would be <50Mbps peak. What are my options for setting this up? I've been trying to set up a system like this using a MikroTik router for a few days but have struggled to get it working correctly, particularly with NAT'ed clients. I've had a quick look at OpenVPN and liked what I saw but I think it's unlikely our customers IT departments would allow the client to be installed. Finally I've looked at the Cisco ASA range but I'm on a fairly tight budget so this is less preferable but it looks like it would work pretty much out of the box. My fall back position is to connect the server directly and use the provided VPN + Firewall facilities but that is far from ideal as the number of servers is likely to grow over time.

  Read the article

< Previous Page | 21 22 23 24 25 26 27 28 29 30 31 32  | Next Page >