GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

jwh posted:

Ugh, that sounds like bad times. Everybody who works with the Juniper M-series seems to really fall for them, but I've never had the chance.

We have a few Juniper m7i's where I work and they are awesome. I think they're super easy to use. We were bought out by a corp that is "powered by Cisco" so now I'm getting used to the 7200 and 7600 series stuff.


GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

conntrack posted:

Is there a market for those serial cards? We have like 50 of them in the poo poo heap at work.

There's a market for them. I work for a CLEC and we still use them since many of our customer facing links are Frame Relay T1s. If you're looking to move those and they're V2 T1 WICs I can get you our inventory guys number. For the right price I bet he'll take the whole lot.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
A furniture chain in my area is going out of business so I stopped over there with my wife to see what kind of discounts they had going on. On a table with misc. junk they had a Cisco PIX 501 and a Cisco 2600 series router with a 56K WIC in it. Neither had a price tag on them so I offered $20 for the PIX - and they took it!! Once they took the $20 for the PIX I figured I'd offer $10 for the 2600 - apparently my ultra low ball got the guy nervous and he said, "Oh, well - that's not supposed to be out on the table our IT guy was looking into that one so I can't sell it."

I guess that's what I get for being too greedy. ;) That PIX for $20 is the steal of the week for me though.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
The company I work for still deploys PIX firewalls like they're going out of style. We're about 5 years behind everybody else when it comes to updating hardware though. Maybe it's a Midwest thing - a lot of the technical contractors around here are still using them as well.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

CrazyLittle posted:

Nope. San Francisco here, and if a customer wants one DSU1 (T1) connection they get a Cisco 1720 running 12.3. We figure it's cheap, won't break, and gets the job done.


Because people who have to work with the stuff value reliability more than they value feature creep. That's what I've boiled it down to. If there's no absolutely compelling reason to upgrade beyond patches and bug fixes, then there's no reason to upgrade. :colbert:

That's exactly what we're doing in a lot of cases. It's either a 1720 with a V2 T1 WIC for Serial Frame or if we're going to do a HPBX roll out for them it's a 2431 IAD 8FXS/16FXS/24FXS/E1T1, PIX 501 10 user or unlimited, and a 2950 Switch. All... day... long...

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

CrazyLittle posted:

1720's support V2s? What IOS are you running it with?

12.3(22) - usually we'll use an IP Base image unless it needs to run BGP - then we'll upgrade the memory and install one of the Ent Services images. Our engineering group just last week authorized us to use 12.4(16) version IOS. Almost all of our voice installs are running 12.3(14)T6 :rolleyes:

Now that I think about it they're just WIC1-DSU-T1 cards.

GOOCHY fucked around with this message at 23:55 on Aug 5, 2007

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I'm having a weird issue trying to get in and reset the password for this PIX 501. I set things up according to the password recovery walk-through on Cisco's site - can ping my gateway and TFTP server from the PIX monitor prompt - but cannot TFTP the password recovery file to the PIX device. I cannot ping the IP address of interface 1 (which is the default interface for the device monitor) from the TFTP server. I assume that ICMP echo reply is turned off on the PIX.

quote:

monitor> address 192.168.10.221
address 192.168.10.221
monitor> gateway 192.168.10.1
gateway 192.168.10.1
monitor> server 192.168.10.141
server 192.168.10.141
monitor> file
file np62.bin
monitor> tftp
tftp np62.bin@192.168.10.141 via 192.168.10.1
TFTP failed (return:-12 arg:0x0)

I connected the PIX directly to a laptop with Solarwinds TFTP server software and I get the same kind of response. The Solarwinds TFTP logs tell me that it's timing out. After I pinged the laptop IP address I could see the entry in the arp table via arp -a.

quote:

8/6/2007 09:16 :Timeout error sending np62.bin to 192.168.10.221, 0 bytes
8/6/2007 09:16 :Timeout error sending np62.bin to 192.168.10.221, 0 bytes
8/6/2007 09:16 :Timeout error sending np62.bin to 192.168.10.221, 0 bytes
8/6/2007 09:16 :Timeout error sending np62.bin to 192.168.10.221, 0 bytes
8/6/2007 09:16 :Timeout error sending np62.bin to 192.168.10.221, 0 bytes

I have no firewalls installed on the machines I'm working with here and was able to TFTP an IOS file to a different device using the same parameters as above without issue.

I'm kind of stumped as to how I'm going to break into this thing. Google is basically telling me the same thing as Cisco's site. Has anybody run into this problem before?

GOOCHY fucked around with this message at 15:41 on Aug 6, 2007

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Tremblay posted:

Are you resolving the PIX interface in ARP? I can't remember if ROMMON defaults to eth0 or eth1, so I'd set that manually as well. In ROMMON the PIX should respond to pings.

Yeah, it shows the IP address that the interface on the PIX is set to and the MAC address in the ARP table. I tried setting the interface manually to both 0 and 1 and they both react in the exact same manner - timeouts.

I should probably note that after the Solarwinds TFTP server tries to communicate with the PIX and gets timeouts repeatedly it crashes. I'm going to give another TFTP server a try but I'm thinking I'll get the same result.

EDIT - tried changing the gateway to 0.0.0.0 and I get the same result. The PIX and the TFTP server are obviously seeing each other as the TFTP logs are showing it attempting to access the file - but it just times out and the TFTP server crashes... how weird...

GOOCHY fucked around with this message at 19:14 on Aug 6, 2007

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Just to wrap up this weird one - I downloaded the Cisco TFTP server released in 1995 and hosted on oldversion.com and it worked immediately. Note to self - Solarwinds TFTP server acts funky from time to time...

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Kreg posted:

Anyone have any experience bonding links which terminate on different routers?

We have several 7200s which terminate channelized DS3s for customer T1 lines. We usually use PPP Multilink to bond T1s together for customers who require more bandwidth, but we now need to bond T1 lines which terminate to DS3s on different chassis. Any ideas?

Shew... may just want to do a CFA move and kick one or the other T1 over to the other channelized DS3 so they're both riding the same one.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Richard Noggin posted:

To start - I'm loving green when it comes to Cisco stuff.

I have a client with a PIX 515 and a T1. Something is sucking up all the bandwidth on the T1, and I'm having trouble figuring out what. I have a trial of Fireplotter that's showing the culprit is source 111.111.111.111. I have no idea what this address is, but it's got active connections to the outside world on multiple ports.

edit: Looks like Fireplotter displays 111.111.111.111 if it can't find the name. Fuuuuuuck.

I'd get into whatever router is routing for the T1 and do ip-accounting on the relevant interface. "sh ip nat trans" may be helpful as well?

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
It'll be interesting to see what pops up when somebody plugs a console cable into this thing.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Once you're gone, the next network consultant or IT guy is going to be really impressed. ;)

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I have a weird issue with a Cisco PIX 501 that I can't seem to figure out. A small client of ours is using it as their WAN firewall in our datacenter, but we have management to the device as well.

What they're seeing is every few days network performance out to the Internet degrades, and over time it slows to a crawl. Management access via SSH and HTTPS no longer responds but I can connect my laptop up to it via the console port and manage the device. Memory usage is low, cpu usage is low, etc. I was expecting to see a ton of xlates indicating a compromise of some sort on the inside network - and there are a few hosts showing 10-15 xlates, but that doesn't seem too out of the ordinary.

I'm stumped. A "reload" resolves the issue - speed to the Internet is restored to its normal level, I can manage via SSH/HTTPS again, etc. But, it only takes a few days and then it's back at the same level again. The firewall is running 6.3(5) software, so it's not the well known bug that's out there, I don't think.

sh xlate
sh conn count
etc.

All show fairly low usage. Any ideas?

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Yeah, it actually does PAT from the inside networks outbound and has a few 1:1 static NATs public/private setup for a few different servers. This device also acts as an IPSec VPN endpoint to an off-site partner of theirs. Since this thing is end-of-life I'm thinking about throwing in a Juniper Netscreen, of which I'm more familiar/comfortable and calling it good.

Anybody else seen this? A couple of the network guys here have anecdotal experiences of PIX 501's doing this but don't have any suggestions of how to fix it other than replacing it. :)

EDIT - It's starting to look like an internal network compromise. There's an inside host that has a bunch of xlates that are successive ports -

PAT Global <public IP>(1630) Local 192.168.1.92(1040)
PAT Global <public IP>(1631) Local 192.168.1.92(1041)
PAT Global <public IP>(1632) Local 192.168.1.92(1042)
etc., etc.

I'm having them take a look at this particular inside host as it seems to be the biggest offender. The sheer amount of translation slots plus the successive nature of the ports tells me it's probably not something benign.

GOOCHY fucked around with this message at 22:23 on Jun 15, 2009
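The successive-port pattern in that post can be picked out of `sh xlate` output mechanically rather than by eye. This is an added example, not code from the thread: it parses lines in the quoted "PAT Global ... Local ..." format (a constructed sample with documentation addresses stands in for the real output) and flags inside hosts that hold many translation slots with consecutive local ports; the thresholds are assumptions to tune per site.

```python
"""Flag inside hosts whose PAT translations form runs of successive local ports."""
import re
from collections import defaultdict

# One "show xlate" line in the format quoted in the post.
XLATE_RE = re.compile(
    r"^PAT Global (?P<gip>\S+)\((?P<gport>\d+)\) Local (?P<lip>\S+)\((?P<lport>\d+)\)$"
)

# Constructed sample output (documentation addresses): 192.168.1.92 holds a
# run of sequential ports, 192.168.1.10 holds a few unrelated ones (ordinary use).
SAMPLE_XLATE = """\
PAT Global 203.0.113.5(1630) Local 192.168.1.92(1040)
PAT Global 203.0.113.5(1631) Local 192.168.1.92(1041)
PAT Global 203.0.113.5(1632) Local 192.168.1.92(1042)
PAT Global 203.0.113.5(1633) Local 192.168.1.92(1043)
PAT Global 203.0.113.5(1634) Local 192.168.1.92(1044)
PAT Global 203.0.113.5(1635) Local 192.168.1.92(1045)
PAT Global 203.0.113.5(1700) Local 192.168.1.10(49211)
PAT Global 203.0.113.5(1701) Local 192.168.1.10(51020)
PAT Global 203.0.113.5(1702) Local 192.168.1.10(52877)
"""

def parse_xlate(text):
    """Return {local_ip: sorted list of local ports} from show xlate output."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            ports[m.group("lip")].append(int(m.group("lport")))
    return {ip: sorted(p) for ip, p in ports.items()}

def longest_run(ports):
    """Length of the longest run of consecutive port numbers in a sorted list."""
    best = run = 1 if ports else 0
    for prev, cur in zip(ports, ports[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def suspicious_hosts(text, min_slots=5, min_run=5):
    """Hosts holding >= min_slots slots that include >= min_run consecutive ports.

    The thresholds are assumptions: the post treats 10-15 scattered slots as
    normal, so the sequential run, not the raw count, is the signal.
    """
    hits = {}
    for ip, ports in parse_xlate(text).items():
        run = longest_run(ports)
        if len(ports) >= min_slots and run >= min_run:
            hits[ip] = {"slots": len(ports), "longest_run": run}
    return hits

if __name__ == "__main__":
    for ip, info in suspicious_hosts(SAMPLE_XLATE).items():
        print(f"{ip}: {info['slots']} slots, {info['longest_run']} consecutive ports")
```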

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

CrazyLittle posted:

The way our upstream explained it to us is: that Cisco's SIP fixup causes more problems than it fixes, and both polycom and broadsoft already have their own workarounds built-in. So if you disable fixup for SIP protocol, then you fix the sip-header related issues.

And what's more bizarre is that it's not an all-or-nothing problem. The most common manifestation we run into is one-way audio. The sip headers are intact enough to allow the call to connect but only one RTP stream actually makes it through, so either the caller OR the receiver can hear... but not both.

Yep. I work for a CLEC that provides hosted VoIP services via Broadsoft with mostly Polycom handsets. I see this every now and then when our new turn up group configs a new install improperly.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Zuhzuhzombie!! posted:

Can the ISP simply route you the other block of IPs, let you advertise/allocate it as you want, and then just forward everything out of your network like normal?

I don't understand the necessity of a completely different interface.

This is the question I'd ask too. Why don't they just route the 2nd additional public subnet down to your ASA device instead of, presumably, having it as a secondary "connected" network on the interface on the ISP end. That's how I'm envisioning they're doing it, anyway.

If they do it that way you can break the network out however you wish on your side.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I think I'd rather find a carrier to do a private MPLS WAN for the multiple sites rather than deal with IPSec VPNs like that.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Configure it in the ASDM - it's a lot more newb friendly.

Configure button -> NAT on the left hand side menu -> configure new NAT rule -> inside -> outside -> press OK. There's your 1:1 NAT.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
static (inside,outside) <public host> <private host> netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host <public host> eq smtp log notifications

That's a general 1:1 NAT scenario with an ACL entry allowing any source network to connect via SMTP, for example.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I've only seen ATM cards able to handle DSL since it usually requires a VPI/VCI. I guess I can't really see how a serial T1 WIC would work with a DSL or cable modem.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

ruro posted:

Why are you dropping packets that conform to the policer? You should be dropping packets that exceed it. You also don't need a class-map if you just want to match all traffic, you can use the special "class-default" for that.

Try this:

policy-map test
class class-default
police rate 54600000 bps burst 400000 bytes conform-action transmit exceed-action drop

Edit: removed line break in policer statement.

This is pretty much how we do it on our network. Small CLEC in the Midwest.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Can any of you guys recommend a good network design best practices/fundamentals book?

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I work with ASA's and FWSM's every day and it's mostly via the ASDM. Rarely I'll have an issue that seems to be easier to shake out via CLI.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
I'm sure that's on top of the circuits and to be honest it's really not that excessive. I work for a MSP doing what you describe and providing the support you're talking about.

We're probably in that ballpark as far as CPE router/firewall/etc. management. I think our managed firewall service is $99/mo. or so. Routers are in that same area if I recall correctly. You're asking for skilled labor on demand so it costs a little bit of scratch.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Mierdaan posted:

ASA goons: how boned am I if my boss wants one of our helpdesk guys, who has no Cisco-specific training (or even network training in general) to be in charge of the installation and management/reporting for an ASA IDS/IPS module?

Installation, as in racking the device and powering it on, then pulling his cell phone out of his pocket to call someone who knows what they're doing? :)

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Annoying...

We have several (75 or so per chassis) NxT1 MLPPP connected clients that are terminated to Cisco 7200's throughout our network. Customer connections will work without issue for months at a time but then we will start hearing sporadic reports of slowness. When we start hearing clients reporting slow connections we investigate and a 'sh ppp multilink' shows dropped fragments. We'll remove the interleaving and fragment delay, configure "ppp multilink fragment disable" and the "speed" issue immediately goes away.

We've opened a few tickets with the TAC and even they can't figure it out. Reboot the chassis during a maintenance window and we don't hear from anybody again about slowness for another 6-8-10 months. Rinse, repeat. :sigh:

Trying to get our engineering group to consult with TAC again one more time.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Martytoof posted:

Not a question or anything, but I got some time with a 7206VXR today and I was slightly amused to see that the product hasn't really changed visually from what I remember using 10+ years ago :haw:

Employee of a MSP that has these scattered throughout the network, reporting for duty!

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Zuhzuhzombie!! posted:

We got it late yesterday. Sorry for not updating.

The guy who is way more familiar with serial/T1 took a look at it and noticed the clock rate wasn't set correctly across all of the serial interfaces. A show run and a show run int didn't show clock rate at all in the running config and I was never able to add the command.

Oh well. Documented.

Thank you guys for the response.

Did he just do a "clock source line"?

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
You guys ever run into an issue with the AnyConnect client where you want it to pre-populate a server name in the "Connect To:" field for the users but it doesn't seem to work? This is for an SSL VPN where the users login and download the client from the ASA.

I edited the .xml file according to Cisco's instruction but that doesn't seem to want to do it for me.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

Nitr0 posted:

That's a pretty old version of the client at this point.

Stock photo... :) the version being used is 2.5.6005. I must be missing something pretty simple here.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

ragzilla posted:

Is this an MSI pre-deploy? Or after users successfully connect and install?

After users connect and install. They sign in and are prompted to download the client if it's not the current version.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
It was simple, kind of like I thought -

You have to tell it what profile to download instead of "None". *sigh*

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
E: Nevermind.

A "show boot"? Something is weird in the boot up sequence probably.

GOOCHY fucked around with this message at 20:27 on Oct 23, 2012

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
static (inside,outside) <public host> <private host> netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host <public host> eq smtp log notifications
!
access-group outside_access_in in interface outside

1:1 NAT map - allow traffic inbound via SMTP

GOOCHY fucked around with this message at 21:01 on Nov 15, 2012
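Both 1:1 NAT snippets in this thread (the earlier static/access-list pair and this one with the access-group applied) are small enough to read by hand, but on a real box a reviewer wants the same question answered for every static: which services does the applied ACL actually admit to it? This is an added example, not the poster's config or code: it parses the three statement forms used above, with a constructed config using documentation addresses in place of the placeholders, and reports each mapping with its admitted services, flagging a "permit ip any host" entry as wide open.

```python
"""Summarise what PIX/ASA static NAT plus ACL statements expose to the outside."""
import re

# Constructed config in the format quoted in the post, with documentation
# addresses in place of <public host> / <private host>; not the poster's config.
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.25 192.168.1.25 netmask 255.255.255.255
static (inside,outside) 203.0.113.26 192.168.1.26 netmask 255.255.255.255
!
access-list outside_access_in extended permit tcp any host 203.0.113.25 eq smtp log notifications
access-list outside_access_in extended permit tcp any host 203.0.113.26 eq https
access-list outside_access_in extended permit ip any host 203.0.113.26
!
access-group outside_access_in in interface outside
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask <mask>
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
# Only the "permit <proto> <src> host <dst> [eq <port>]" form used in the post.
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) (\S+) host (\S+)(?: eq (\S+))?")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")

def parse_config(text):
    """Return (statics, {acl_name: entries}, {interface: applied_acl_name})."""
    statics, acls, groups = [], {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, mapped, real, _mask = m.groups()
            statics.append({"mapped_if": mapped_if, "mapped": mapped, "real": real})
        elif m := ACL_RE.match(line):
            name, proto, src, dst, port = m.groups()
            acls.setdefault(name, []).append((proto, src, dst, port))
        elif m := GROUP_RE.match(line):
            groups[m.group(2)] = m.group(1)
    return statics, acls, groups

def exposure(text):
    """Per mapped (public) host: the real host, admitted services and a wide-open flag."""
    statics, acls, groups = parse_config(text)
    report = {}
    for s in statics:
        acl_name = groups.get(s["mapped_if"])      # ACL applied inbound on that interface
        entries = acls.get(acl_name, []) if acl_name else []
        allowed, wide_open = [], False
        for proto, src, dst, port in entries:
            if dst != s["mapped"]:
                continue
            allowed.append(f"{proto}/{port or 'all'} from {src}")
            # "permit ip any host X" admits every protocol and port from anywhere
            wide_open |= (proto == "ip" and src == "any" and port is None)
        report[s["mapped"]] = {"real": s["real"], "allowed": allowed, "wide_open": wide_open}
    return report

if __name__ == "__main__":
    for pub, info in exposure(SAMPLE_CONFIG).items():
        flag = "  <-- wide open" if info["wide_open"] else ""
        print(f"{pub} -> {info['real']}: {', '.join(info['allowed']) or 'nothing admitted'}{flag}")
```

A static with no matching ACL entry shows "nothing admitted", which on a PIX/ASA means inbound connections to it are still denied by the interface's default.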

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

falz posted:

I ran in to a similar or same issue with a customer's network last week. Consulting company designed it but not well thought out. Traffic flow was such that traffic from remote sites came from a managed MPLS network, SYN would hit the host but the reply would hit the gw, which was the ASA. It naturally dropped it since it's stateful.

Had to do this fucker to fix:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

+ disable a bunch of inspect poo poo for UDP to work.

That's kind of an interesting scenario. How did you figure out that you had to configure it this way? I run into a lot of weird design poo poo working for a MSP but I can't say I've seen that one in the past.

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Normally I'd expect to see the isakmp config options in a site-to-site VPN tunnel config on an ASA. I also don't think that static route is doing what you want it to do.

Edit: This is an example of a basic site-to-site config I turned up earlier in the week with a remote peer from an ASA running 8.2, I believe. There was a NAT exemption that was necessary also but this is somewhat what the config will look like.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer <remote peer public host>
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp am-disable
!
tunnel-group <remote peer public host> type ipsec-l2l
tunnel-group <remote peer public host> ipsec-attributes
pre-shared-key <pre-shared-key>
!
!
access-list outside_cryptomap_1 extended permit ip <local network/network mask> <remote network/network mask>

GOOCHY fucked around with this message at 01:36 on Jan 30, 2013
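The site-to-site config above is a useful shape to check mechanically, since the IKE and IPsec parameters are spread over several statements. This is an added example, not the poster's config or code: it parses a constructed config in the same layout (placeholders filled with a documentation address) and reports which settings fall below a baseline of AES, SHA-2, DH group 14 or higher and aggressive mode disabled; that baseline is this example's assumption, not something the post prescribes.

```python
"""Review the IKEv1/IPsec settings in an ASA site-to-site VPN config."""
import re

# Constructed config in the shape of the post, peer placeholder filled with a
# documentation address (198.51.100.7); the baseline constants are assumptions.
SAMPLE_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 198.51.100.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp am-disable
"""

WEAK_ENC = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}      # "sha" in an ASA IKEv1 policy is SHA-1
MIN_DH_GROUP = 14
POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_vpn(text):
    """Collect transform-sets, isakmp policies and the global isakmp/pfs flags."""
    cfg = {"transform_sets": {}, "policies": {}, "am_disable": False, "pfs": False}
    policy = None                      # isakmp policy block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            cfg["transform_sets"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"crypto isakmp policy (\d+)", line):
            policy = cfg["policies"].setdefault(int(m.group(1)), {})
        elif line == "crypto isakmp am-disable":
            cfg["am_disable"] = True
        elif re.match(r"crypto map \S+ \d+ set pfs", line):
            cfg["pfs"] = True
        elif policy is not None and line.split()[0] in POLICY_KEYS:
            key, val = line.split(maxsplit=1)
            policy[key] = val
    return cfg

def findings(text):
    """Return (severity, message) pairs for settings below the assumed baseline."""
    cfg = parse_vpn(text)
    out = []
    for name, (enc, integ) in cfg["transform_sets"].items():
        if enc.replace("esp-", "") in WEAK_ENC:
            out.append(("warn", f"transform-set {name} uses {enc}"))
        if integ.replace("esp-", "").replace("-hmac", "") in WEAK_HASH:
            out.append(("warn", f"transform-set {name} uses {integ}"))
    for num, p in cfg["policies"].items():
        if p.get("encryption") in WEAK_ENC:
            out.append(("warn", f"isakmp policy {num} encryption {p['encryption']}"))
        if p.get("hash") in WEAK_HASH:
            out.append(("warn", f"isakmp policy {num} hash {p['hash']}"))
        if int(p.get("group", 0)) < MIN_DH_GROUP:
            out.append(("warn", f"isakmp policy {num} DH group {p.get('group')}"))
        if p.get("authentication") == "pre-share":
            out.append(("info", f"isakmp policy {num} authenticates with a pre-shared key"))
    if not cfg["am_disable"]:
        out.append(("warn", "aggressive mode is not disabled (no 'crypto isakmp am-disable')"))
    if not cfg["pfs"]:
        out.append(("info", "PFS is not set on the crypto map"))
    return out
```

On the sample the 3DES/SHA-1/group 2 choices are reported while the am-disable and pfs lines pass, which is the split a reviewer would expect from a config of that vintage.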

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
Stale ARP cache? If there are VLANs on the HP switch are you plugged into a port for the "LAN" VLAN?

GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!
For one, the WAN interface is shutdown. Do a "no shut" or admin it up in the software you're using. Giving it the quick once over it looks normal otherwise. NAT looks normal, etc.

interface GigabitEthernet1
description $ETH-WAN$
ip address dhcp client-id GigabitEthernet1
ip nat outside
ip virtual-reassembly in
shutdown
duplex auto
speed auto

If you have a Cisco rollover cable to console in with, pull up a terminal (PuTTY, SecureCRT, etc.) login -

conf t
int gigabitethernet1
no shut
exit
wr


GOOCHY
Sep 17, 2003

In an interstellar burst I'm back to save the universe!

routenull0 posted:

So what is everyone using for netflow collection and analysis? I'm in the process of talking to vendors because I am tired of dealing with cacti and it's inability to accurately get sub-5min spikes. Even with the adjustments for 1min polling, it's just a hack job. We mainly use cacti for historical purposes and capacity planning, but with the amount of data deal with, cacti has burned us a few times. The added features of netflow would allow better planning, but also analysis of what is actually going on.

So far I've looked at Scrutinizer(Plixer) and Solarwinds, and have an upcoming meeting with Netscout. It just seems like everyone only offers a Windows install, a VMware image, or an actual appliance. I'd really like something that I just sit on top of our already deployed RHEL6 boxes we use for other stuff on the management network.

Ntop is nice, but doesn't really provide historical ability since it is just real-time in memory and lost when rebooted. Unless that has changed since last time I messed with it.

We use Scrutinizer.
