Here is a (hopefully) easy question. I have a server which I have on its own port from our ASA. I have successfully created a NAT rule to forward traffic from an external address to the server. I cannot (due to the suggestion of a regulatory auditor) allow this server to directly talk to anything on our network, so if people inside the network need to access it, I need to direct them to the external IP. It doesn't currently work, and I am guessing it's a simple change to allow this behaviour. Anyone have any ideas?

# Aug 8, 2009 21:39
I am going crazy with a complete newbie question, I am sure. I had this config working on an ASA 5505, but we decided to build a completely separate segment with our old PIX, and the identical config does not seem to work. Here is the relevant section of code:

# Aug 20, 2009 02:57
Tremblay posted: So what version of code on the PIX? 6, 7, 8? Is the IP address aaa.bbb.ccc.ddd the same IP as the outside interface?

# Aug 21, 2009 14:24
Tremblay posted: You can't use the actual IP address of the interface in the NAT statement. Use the interface keyword instead.

# Aug 21, 2009 23:17
In my specific situation this is more in regard to ProCurve gear, but I think it is the same as Cisco as far as this goes. I am trying to set up spanning tree, and I need to know two things: 1) does my spanning tree config have to have the same name on all switches in order to work properly? 2) will changing the spanning tree config name result in a temporary loss of connectivity like adding a VLAN does?

# Nov 11, 2009 03:36
I feel dumb asking this in this thread, but does anyone have a recommendation for a wireless headset that works well with Cisco IP Communicator? USB or Bluetooth are both good, hopefully under $100.

# Jul 14, 2010 02:42
How the hell do I boot to an alternate IOS image on a 2911?

```
ROUTER#show flash
-#- --length-- -----date/time------ path
1     62558836 Apr 07 2010 22:11:32 c2900-universalk9-mz.SPA.150-1.M1.bin
2         2903 Apr 07 2010 22:26:06 cpconfig-29xx.cfg
3      2915328 Apr 07 2010 22:26:20 cpexpress.tar
4         1038 Apr 07 2010 22:26:30 home.shtml
5       115712 Apr 07 2010 22:26:38 home.tar
6      1697952 Apr 07 2010 22:26:52 securedesktop-ios-3.1.1.45-k9.pkg
7       415956 Apr 07 2010 22:27:02 sslclient-win-1.1.4.176.pkg
8     62662920 Jul 26 2010 02:29:04 c2900-universalk9-mz.SPA.150-1.M3.bin

129765376 bytes available (130387968 bytes used)
```

I have tried:

```
boot system disk0:c2900-universalk9-mz.SPA.150-1.M3.bin
wr mem
reload

boot system flash:c2900-universalk9-mz.SPA.150-1.M3.bin
wr mem
reload

boot system flash c2900-universalk9-mz.SPA.150-1.M3.bin
wr mem
reload

boot system flash0:c2900-universalk9-mz.SPA.150-1.M3.bin
wr mem
reload

boot system flash flash0:c2900-universalk9-mz.SPA.150-1.M3.bin
wr mem
reload
```

and every time I get:

```
System returned to ROM by reload at 21:05:36 CDT Tue Jul 27 2010
System restarted at 21:18:50 CDT Tue Jul 27 2010
System image file is "flash0:c2900-universalk9-mz.SPA.150-1.M1.bin"
Last reload reason: Reload Command
```

I verified the MD5 checksum, and the image is correct. I have a feeling I am just a dumbshit typing the wrong thing for boot system ... but I don't know what. I guess I could just delete the old IOS image, but I would rather do it this way, for safety.

# Jul 30, 2010 02:48
inignot posted:

```
sh run | inc boot
boot-start-marker
boot system disk0:c2900-universalk9-mz.SPA.150-1.M3.bin
boot-end-marker
```

which also did not work.

# Jul 30, 2010 03:06
abigserve posted: Stupid question, what's your config register set to? (sh ver; at the bottom). It should be 2102.

# Jul 30, 2010 03:33
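The register check abigserve suggests is the first thing to verify when `boot system` lines are silently ignored: the low four bits of the configuration register decide whether IOS reads those lines at all. As an added example that is not from the thread, this Python helper decodes a 16-bit config register and pulls it out of a constructed `show version` tail; the bit meanings are the documented classic-IOS ones.

```python
import re

# Constructed sample of the last lines of "show version"; not real router output.
SAMPLE_SHOW_VERSION = (
    "Configuration register is 0x2101\n"
)

def decode_config_register(value):
    """Describe how a 16-bit config register affects the boot process."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("config register is a 16-bit value")
    boot_field = value & 0x000F  # bits 0-3 select the boot behaviour
    if boot_field == 0x0:
        behaviour, honours = "stay in ROMMON (manual boot)", False
    elif boot_field == 0x1:
        behaviour, honours = "boot first image in flash, ignore boot system", False
    else:  # 0x2-0xF: walk the boot system commands in startup-config
        behaviour, honours = "use boot system commands from startup-config", True
    return {
        "value": f"0x{value:04X}",
        "boot_field": boot_field,
        "boot_behaviour": behaviour,
        "honours_boot_system": honours,
        # bit 6 (0x0040): skip startup-config; 0x2142 is the password-recovery
        # setting, so a router left at that value boots with no config at all
        "ignores_startup_config": bool(value & 0x0040),
        # bit 8 (0x0100): console break is ignored during boot
        "break_disabled": bool(value & 0x0100),
    }

def parse_register_from_show_version(text):
    """Extract the current register from a line such as
    'Configuration register is 0x2102 (will be 0x2142 at next reload)'."""
    m = re.search(r"Configuration register is 0x([0-9A-Fa-f]{1,4})", text)
    return int(m.group(1), 16) if m else None

def boot_system_will_apply(show_version_text):
    """True only if the register lets IOS honour boot system commands."""
    reg = parse_register_from_show_version(show_version_text)
    if reg is None:
        return False
    return decode_config_register(reg)["honours_boot_system"]

if __name__ == "__main__":
    reg = parse_register_from_show_version(SAMPLE_SHOW_VERSION)
    print(decode_config_register(reg))
```

With the constructed sample (0x2101) the function reports that boot system commands are ignored, which is exactly the symptom described above; 0x2102 is the value at which they are read.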
Powercrazy posted: The other thing you can do is

# Jul 31, 2010 21:33
I have a 2911 with a 4 port FXO card, which connects to a CUCM server. I want to use T.37 onramp/offramp on one of those FXO ports. Is there a way to exclude just one port from MGCP, so that I can make that work? Or am I stuck buying XMedius or RightFax and running T.38?

# Aug 23, 2010 23:43
Tremblay posted: What this guy said. Also for the love of god don't add your CCM into the AD domain. Someone I'm sure will have that bright idea saying that WSUS can manage the patching if only it were a member server.

I am curious if the attacker used an actual vulnerability or just exploited lovely design decisions?

# Sep 22, 2010 22:59
Is there any way to get a ringing indicator and call pickup ability on a BLF on a 7942G?

# Oct 19, 2010 02:39
Strange problem. I have 3 VLANs configured on two of our branch switches. I have IP addresses defined on 2 of those VLANs (this is an acquisition and the branch is on two completely separate subnets, so I would like to be able to access it from both). As soon as I enable the second subnet's VLAN interface, that subnet's DHCP server fills up with BAD_ADDRESS entries, from a MAC address that is the inverse of the IP in hex. If I disable the interfaces, it's fine and I do not see those entries. The interfaces do not get their IPs from DHCP either, they are statically set.

# Oct 23, 2011 15:48
falz posted: I'm not sure about the DHCP issue but layer two switches can only have one VLAN interface/IP address active at a time for management. Use routing to reach it from a different subnet.

Anyway, I think I solved my problem. I had the voice VLAN defined on the port the DHCP server was connected to. I just did a no switchport voice vlan on the interface and all is well now. Not even sure why it mattered, because they have ShoreTel phones which don't appear to utilize the voice VLAN definition, they utilize a DHCP option to know which VLAN to use.

# Oct 23, 2011 16:20
Powercrazy posted: What is the size and industry your company is in? If you do more than 50k/yr you'll have a specific rep, though you will of course be sharing him with many other businesses within your zipcode. If you are seriously looking at a full Nexus rollout, you will probably get Cisco's attention.

# Oct 26, 2011 12:49
We have VPLS links to 4 locations, 3 of them are 1.5 Mbps. At those offices, does anyone see any reason not to use 881s? We may want to add CUBE licensing later, but are unlikely to need SRST, FXO, or FXS at these offices.

# Nov 9, 2011 01:39
Gravitom posted: we really need the device itself to push configs when there is a change.

# Nov 11, 2011 00:05
Grabulon posted: I'm finding telecommunications quite difficult coming from an IP background!

# Nov 13, 2011 00:57
I replaced a switch at a branch office that we recently acquired today, and ran into some trouble. I pulled their unmanaged Dell switch and put in a Cisco 2960. I configured each access port with VLAN 2 as the access VLAN. When I plugged in the existing 2600 series router, spanning tree would complain about a VLAN mismatch and disable the port. I was able to get around it by marking the port as a trunk port with VLAN 2 as the native VLAN, but I am curious how in the future I can avoid this kind of issue (without setting the port to trunk mode, which is not ideal because I can't just send the switch to the branch office and ask the end users to move all of the wires over). The router in question had no VLAN tagging defined on any interface.

# Nov 20, 2011 05:35
Nitr0 posted: Wouldn't that be the issue then? If the 2600 didn't have any VLANs defined then it would be defaulted to a native VLAN 1. Try to plug it into a switch access port on VLAN 2 and there's your mismatch. You should be trunking the router and the switch.

falz posted: The 2600 wouldn't be passing VLAN info unless it were using a dot1q subint, BVI, or switch module.

# Nov 20, 2011 17:07
We have about 50 sites with a single MPLS T1 running off a 1751 or 2901 router. We would like to be able to offer bare bones public WiFi at all of these sites. We could afford to lose 250 kbps at many of these sites, and that would almost certainly be sufficient for our public WiFi needs. Is there a way we can securely segment this traffic to keep it away from our internal assets without having to maintain access lists on each router? If we have to pay for DSL at each site that is ok, but I would like to save some cash if possible.

# Dec 1, 2011 23:50
Powercrazy posted: Has anyone gotten nmap to work in Windows 7? I don't have my *bsd or *nix VM right now and I'd really like to do some scanning.

# Dec 14, 2011 04:21
Martytoof posted: Anyone here with Vyatta experience? Is it possible to create an etherchannel trunk between a Cisco switch and a Vyatta whitebox for dot1q routing purposes? I mean I know it should be possible, but my google-fu is failing me on the setup on the Vyatta end of things. I'd be port bundling eth1, eth2, and eth3 in this case. I can do dot1q routing on single vif sub interfaces no problem, just the port channeling that's giving me problems.

# Feb 22, 2012 05:00
Since the conversation has gone the way of 10GbE, I'd like some advice. We are looking at refreshing our entire VMware environment, and rather than build up, we've decided to build out. As part of this, we are thinking about replacing our iSCSI/VMware switches, which are currently some higher end ProCurve switches. We don't need a ton of access ports, so we were thinking about getting a pair of 3750s to handle this job. Additionally, we want to toss some 10GbE cards into our NetApp and get 10GbE for that (give each head 1 link to each switch, total 4 10GbE ports). Since we are going for smaller VMware servers we don't necessarily see the value of 10GbE to them today, but would like to retain some amount of spare 10GbE capacity in case we go with blades for our next refresh. Cisco's documentation on these switches implies that I should be able to get 4 ports of 10GbE on each, but CDW doesn't seem to show a 4 port 10GbE module. Is a pair of stacked 3750s with 4 port 10GbE modules a good solution given my listed requirements?

# Mar 7, 2012 02:04
ragzilla posted: 3750 architecture has always been criticized historically over having lovely buffers which hampers their adoption as a datacenter switch. I'd recommend looking to 4900 (4500 based) or Nexus 5k for 10GbE aggregation/access.

# Mar 7, 2012 05:00
adorai posted: Given our minimal need of 10GbE it's more or less impossible to justify going Nexus 5k, it's simply too damned expensive. The 4900 series appears to be quite expensive as well. Do we have any other alternatives?

Without knowledge of my environment, am I stupid for getting the 5548s without the 2224s? It knocks over $8k off my price when including SmartNet.

# Mar 15, 2012 00:54
Tremblay posted: Hard code the MAC into the port configuration and only allow one auth'd MAC per that port. Any violation will shutdown the port (default action).

I seem to be missing something... 802.1x will work, it just seems overkill for this.

# Mar 19, 2012 12:38
I was wondering if anyone had a great guide for implementing and supporting Cisco CallManager environments. I will give a brief description of our voice situation, which was initially implemented by a vendor that sucked and we have muddled our way through it despite the implementation. I now want to make sure it is awesome. We have ~50 locations, 6 of which are Cisco CUCM sites. These 6 sites have approximately 50 phones total, each site has a 2901 or 2911 router. 5 of the 6 have FXO gateways, 1 is T1 E&M to a legacy PBX. We have a physical server which is a CUCM publisher and a second CUCM server which is a VM. All phones point to the publisher for TFTP and for their call manager server. We have various amounts of DSPs in each router, each router is licensed for SRST but likely doesn't have much in the way of functionality in the event it is severed from the WAN. We also have a CUCX server (VM) for our helpdesk, but some remote non-Cisco sites are unable to call our helpdesk, they get dead air. Most remote non-Cisco sites talk to the Cisco locations via H323. Basically, I think the environment is jacked up because we don't know poo poo about transcoders, conference bridges, or cluster failover. It works just fine as is for what we use it for today, but I want to make sure that as we grow (we will be adding roughly 100 phones in the next 3 months) I am not moving my end users into an environment that is destined for failure. This thread is not the right location to flesh out my design, I just need some documentation or a book recommendation that will go over most of the basics, and give me the base knowledge I need to even know what else I need to learn more about. I have a general Cisco voice book from Cisco Press, but it seems to be geared more toward enabling legacy PBXs to talk to each other through Cisco.

# Mar 22, 2012 02:10
Can I use a twinax cable to go from an HP 10GbE NIC to a Cisco Nexus switch? If not, can I buy a Cisco branded or third party 10GbE NIC that will work?

# Mar 27, 2012 23:59
Senior Funkenstien posted: He means access points.

# Apr 11, 2012 03:05
Powercrazy posted: With a Private MPLS carrier there is no reason to have a firewall setup between branch and head office unless your intent is to protect your datacenter from your international branch offices.

I guess my response is that if you trust your carrier, there is no reason to do it, but if you don't trust them, it might not be a terrible idea. I do need to add this disclaimer: I don't trust anyone.

# Apr 12, 2012 00:43
My Rhythmic Crotch posted: It might be important to note that I am not living in the US right now so there is basically no secondhand market to get cheap IT gear on.

# Apr 20, 2012 01:18
OK, I just got my Nexus 5k switches in today, one is racked, the second is going live tomorrow. Can you point me in the direction of a good NX-OS vs IOS resource, and also a good resource on VRFs specifically as they relate to management interfaces? We've never made use of our out of band management interfaces but I think I want to start with this switch and server refresh.

# Apr 20, 2012 23:14
It was a toss-up whether I should post this here or in the Asterisk thread. I have a CUCM environment. In this environment I have branch offices that I would like to gain access to the PSTN via SIP. Does it make sense to license CUBE on each branch router, and terminate the local SIP trunks at the router, or should I terminate them all at our main datacenter? If I terminate at the branches, will the RTP stream traverse our WAN to the CUCM, then back to the branch to hit the phone, or will the RTP stream only go from the branch router to the phone?

# May 10, 2012 03:24
n0tqu1tesane posted: Are you going to have PSTN access at the branch sites other than the SIP trunks? Are you planning on using SRST? What are your plans for calling 911 at the branch sites?

Alternatively, if we have to have a central trunking location, I would be ok with a setup that allows us to have a second CUBE router at another location, and the trunks to come up on that router if the primary one goes down. I could probably finish the Cisco Press voice book I have for the answer, but I am hoping the goons will save me the trouble.

# May 11, 2012 01:34
the spyder posted: Has anyone ever had an ASA drop the WAN link after 4-5 minutes? The interface shows as up then down, yet the link lights never change. I can ping, then I can not. I am starting to wonder if it is my crappy DSL modem.

# Jun 3, 2012 06:58
Moey posted: How unusual is this for a small/mid sized company (around 280 employees)?

# Jun 6, 2012 03:38
Powercrazy posted: 2960S's are also PoE capable (at least some models are) and are pretty slick switches with all Console/Management/USB ports on the front.

# Jun 14, 2012 03:42

gently caress Cisco and their stupid license MACs that magically change in CUCM.

# Jun 20, 2012 01:01