How do you recover the password on a Cisco Catalyst 3850 switch when you have lost or forgotten it? This is a common situation for network users, and it is easy to solve. Here we list some tips and the basic steps to recover the password on a Catalyst 3850.
Tips and Steps to Recover the Password on Cisco Catalyst 3850
Power off the standalone switch or, for a stack, the entire switch stack. Reconnect the power cord to the active switch. Within 15 seconds, press the Mode button while the System LED is still flashing green. Continue pressing the Mode button until all the system LEDs turn on and remain solid; then release the Mode button.
Several lines of information about the software appear, with instructions, telling you whether the password recovery procedure has been disabled on this switch. The whole procedure is carried out at the console, with physical access to the switch.
If you see a message that begins with:
The system has been interrupted prior to initializing the flash file system. The following commands will initialize the flash file system
then proceed with the steps below.
Step 1 Initialize the flash file system.
Step 2 Ignore the startup configuration with the following command:
switch: SWITCH_IGNORE_STARTUP_CFG=1
Step 3 Boot the switch with the packages.conf file from flash.
switch: boot flash:packages.conf
Step 4 Terminate the initial configuration dialog by answering No.
Would you like to enter the initial configuration dialog? [yes/no]: No
Step 5 At the switch prompt, enter privileged EXEC mode.
Step 6 Copy the startup configuration to the running configuration.
Switch# copy startup-config running-config
Destination filename [running-config]?
Press Return in response to the confirmation prompts. The configuration file is now reloaded, and you can change the password.
Step 7 Enter global configuration mode and change the enable password.
Switch# configure terminal
Switch(config)#
Step 8 Write the running configuration to the startup configuration file.
Switch# copy running-config startup-config
Step 9 Confirm that manual boot mode is enabled.
Switch# show boot
BOOT variable = flash:packages.conf;
Manual Boot = yes
Enable Break = yes
Step 10 Reload the switch.
Step 11 Return the bootloader parameters (changed in Steps 2 and 3) to their original values.
switch: SWITCH_IGNORE_STARTUP_CFG=0
Step 12 Boot the switch with the packages.conf file from flash.
switch: boot flash:packages.conf
Step 13 After the switch boots up, disable manual boot on the switch.
Switch(config)# no boot manual
Refer to https://supportforums.cisco.com/docs/DOC-35289
Displays the entire IP route table, a summary of the routing table, or route information for specific IP addresses, network masks, or protocols.
Syntax: show ip route [[ipAddress [mask]] [bgp | connected | mpls [ipAddress] [ipAddress/PrefLen] [ipAddress mask] [detail] | isis | ospf | static | summary | multicast | unicast]
- ipAddress: Specify an IP address for the IP routes to display.
- mask: Specify an IP address mask for the specified IP address.
- PrefLen: Specify a prefix length for the specified IP address. Valid values = 0 - 31.
Description: Use the show ip route command with no arguments to display all IP routes.
Use the show ip route command with the address argument to display routes to a specific IP address.
Use the show ip route command with the mask argument to display routes with a specific network mask.
Use the show ip route command with the bgp, isis, or ospf keyword to display summary information about all routes for the specified protocol.
Use the show ip route multicast command to display active routes used by Multicast protocols.
Use the show ip route unicast command to display active routes used for unicast forwarding.
Use the show ip route connected command to display summary information about all directly connected routes.
Use the show ip route mpls command to display all tunnel related route statistics.
Use the show ip route mpls detail command to display detailed information about all the tunnels by which each route/prefix is reachable. The detail keyword can optionally be used with all ipAddress variants of mpls.
Use the show ip route static command to display summary information about all statically configured routes.
Use the show ip route summary command to display summary information about all IP routes.
Factory Default: None.
Command Mode: Executive and privileged.
Example 1: In the following example, the show ip route command with no arguments displays all routes:
router>show ip route
The following table describes the fields displayed by the show ip route command.
- Specifies the route was learned as a result of configuring the interface.
- Specifies the route was explicitly configured using the ip route command.
- Specifies the route was received from BGP protocol advertisements.
- Specifies this route carries MPLS data.
- external type 1: Specifies the route was imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, this route uses the cost associated with the link between the ASBR and this router as part of the cost of the route.
- external type 2: Specifies the route was imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, this route does not use the cost associated with the link between the ASBR and this router as part of the cost of the route.
- Specifies this route was received from IS-IS protocol advertisements.
- Network address and mask of the remote network.
- Indicates the next router in the remote network.
- directly connected to: Indicates the network is directly connected to a local interface.
- Indicates the Up/Down bit is set and that the route was leaked from L2 into L1.
- The administrative distance assigned to this route.
- The metric assigned to this route.
Example 2: In the following example, the show ip route static command displays information about statically configured routes:
router>show ip route static
Example 3: In the following example, the show ip route summary command displays summary information about all IP routes:
router#show ip route summary
The following table defines the fields displayed in the show ip route summary command:
Table 1-9. Fields Displayed by show ip route summary
- These routes were learned as a result of configuring the interface.
- These routes were in the kernel before the routing task started running.
- The number of routes that were explicitly configured using the ip route command.
- The number of routes received from BGP protocol advertisements.
- The number of routes learned from within this area.
- The number of routes received from other OSPF areas.
- These routes were imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, these routes use the cost associated with the link between the ASBR and this router as part of the cost of the route.
- These routes were imported into the OSPF area from an Autonomous System Boundary Router (ASBR). Further, these routes do not use the cost associated with the link between the ASBR and this router as part of the cost of the route.
- The number of routes received from IS-IS protocol advertisements.
- The total number of routes in the IP route table.
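The reference above describes the fields of show ip route (route source, network and mask, next hop or connected interface, administrative distance, metric) and the per-source counts of show ip route summary, but its sample output is not reproduced on this page. The following added example, not part of the original reference, parses a constructed route table in the common IOS-style layout (an assumption about the format), rebuilds the summary counts, and answers the "routes to a specific address" query by longest prefix match.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in IOS-style layout: source code, prefix,
# [administrative distance/metric] and next hop, or "is directly connected".
# The exact layout is assumed; the page's own example output is not shown.
SAMPLE_ROUTE_TABLE = """\
C    192.0.2.0/24 is directly connected, GigabitEthernet0/1
S    10.0.0.0/8 [1/0] via 192.0.2.254
S*   0.0.0.0/0 [1/0] via 192.0.2.1
B    172.16.0.0/16 [20/0] via 192.0.2.253
O E1 10.10.0.0/16 [110/30] via 192.0.2.252
O E2 10.20.0.0/16 [110/20] via 192.0.2.252
i L1 10.30.0.0/16 [115/10] via 192.0.2.251
"""

# Route-source codes mapped to the categories used by the field tables above.
SOURCE_NAMES = {
    "C": "connected", "S": "static", "B": "bgp", "O": "ospf",
    "O E1": "ospf external type 1", "O E2": "ospf external type 2",
    "i": "isis", "i L1": "isis level-1", "i L2": "isis level-2",
}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*]+(?: [A-Za-z][A-Za-z0-9])?)\s+"
    r"(?P<network>\d+\.\d+\.\d+\.\d+)/(?P<prefix>\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<next_hop>\d+\.\d+\.\d+\.\d+)"
    r"|is directly connected, (?P<interface>\S+))"
)


def parse_routes(text):
    """Turn route-table lines into records with the fields the tables above describe."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.rstrip())
        if not m:
            continue  # legend, headers and blank lines are skipped
        code = m.group("code").rstrip("*")  # "S*" marks the candidate default route
        routes.append({
            "source": SOURCE_NAMES.get(code, code),
            "network": m.group("network"),
            "prefix_len": int(m.group("prefix")),
            "next_hop": m.group("next_hop"),          # None for connected routes
            "interface": m.group("interface"),        # None for routes via a next hop
            "admin_distance": int(m.group("ad") or 0),
            "metric": int(m.group("metric") or 0),
            "default_candidate": "*" in m.group("code"),
        })
    return routes


def route_summary(routes):
    """Per-source route counts plus the total, like show ip route summary."""
    counts = Counter(r["source"] for r in routes)
    counts["total"] = len(routes)
    return dict(counts)


def routes_to(routes, ip):
    """Like show ip route <ipAddress>: routes covering ip, most specific first."""
    addr = ipaddress.ip_address(ip)
    covering = [r for r in routes
                if addr in ipaddress.ip_network(f"{r['network']}/{r['prefix_len']}")]
    return sorted(covering, key=lambda r: r["prefix_len"], reverse=True)


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_TABLE)
    print(route_summary(table))
    for r in routes_to(table, "10.10.5.5"):
        print(r["source"], r["network"], r["prefix_len"], r["next_hop"] or r["interface"])
```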
Refer to http://www.powerfast.net
For any network administrator, it is necessary to know how to use logging properly. The Cisco IOS offers a great many options for logging. To help you know them well, we will discuss how to configure logging, how to view the log and its status, and three common errors when it comes to logging.
The logging command in Global Configuration Mode and the show logging command in Privileged Mode are two simple but powerful tools to configure and show all Cisco IOS logging options. Let's take a closer look.
Configure logging in the Cisco IOS
When configuring logging, the most important command to know is the logging command, used when in Global Configuration Mode. Here's an example of this command and its options.
To help you understand these options, let's look at the most common ones.
You can configure the router to send buffered logging of its events to memory. (Rebooting the router loses all events stored in the buffered log.) Here's an example:
Router(config)# logging buffered 16384
You can also send the router's events to a syslog server. This is an external server running on your network. Most likely, the syslog server is running on a Linux or Windows server. Because it's external to the router, there's an added benefit: It preserves events even if the router loses power. A syslog server also provides for centralized logging for all network devices.
To configure syslog logging, all you need to do is use the logging command and the hostname or IP address of the syslog server. So, to configure your Cisco device to use a syslog server, use the following command:
Router(config)# logging 10.1.1.1
The Cisco IOS enables logging to the console, monitor, and syslog by default. But there's a catch: There's no syslog host configured, so that output goes nowhere.
There are eight different logging levels.
The default level for console, monitor, and syslog is debugging. The logging on command is the default. To disable all logging, use the no logging on command.
By default, the router logs everything at the debugging level and above. That means that logging occurs from level 7 (debugging) up to level 0 (emergencies). If you want to pare down what the system logs, use something like the logging console notifications command.
In addition, the router doesn't enable logging to the system buffer by default. That's why you must use the logging buffered command to enable it.
View the status of logging and the logging itself
To view the status of your logging as well as the local buffered log, use the show logging command. Here's an example:
Note that this router has enabled syslog logging and is sending it to host 10.1.1.1. In addition, console logging is at the debugging level, and the setting for local buffered logging is 10,000,000 bytes.
Three common logging errors
Logging can be frustrating at times. To help prevent some of that frustration, let's look at three common errors.
Not setting the terminal to monitor logging
If you Telnet into a router and can't see some of the logging you're expecting, check to see if you've set your terminal to monitor the logging. You can enable this with the terminal monitor command. To disable it, use the terminal no monitor command.
To determine whether you've enabled monitoring, use the show terminal command, and look for the following:
Capabilities: Receives Logging Output
If you see this, you're monitoring logging output. If it returns none for capabilities, then the monitoring is off.
Using the incorrect logging level
If you can't see logging output, you should also check whether you've set the level correctly. For example, if you've set the console logging to emergencies but you're running debugging, you won't see any debugging output on the console.
To determine the set level, use the show logging command. Keep in mind that you need to set the level to a higher number to see all levels below it. For example, setting logging at debugging shows you every other level.
In addition, make sure you match the type of logging that you want to see with the level you're configuring. If you configure monitor logging to debug but you're on the console and you've set it to informational, you won't see the debug output on the console.
Displaying the incorrect time and date in logs
You may see log messages that don't show the correct date and time. There are a variety of options to control the date and time that appear on logging output (either to the screen or to the buffer). To control this, use the following command:
Router(config)# service timestamps debug ?
  datetime  Timestamp with date and time
  uptime    Timestamp with system uptime
More Notes: Remember that many problems require some kind of historical log to help find a solution. That's why it's important to make sure you've properly configured logging so you can use your logs to see the past.
Reference from http://www.techrepublic.com/
Use the show logging EXEC command to display the state of logging (syslog).
show logging [history]
Syntax Description: history (Optional) Display information in the syslog history table only.
Command Mode: EXEC
This command first appeared in Cisco IOS Release 10.0.
This command displays the state of syslog error and event logging, including host addresses, and whether console logging is enabled. This command also displays Simple Network Management Protocol (SNMP) configuration parameters and protocol activity.
When you use the optional history keyword, information about the syslog history table is displayed such as the table size, the status of messages, and text of messages stored in the table. Messages stored in the table are governed by the logging history global configuration command.
The following is sample output from the show logging command:
Router# show logging
Syslog logging: enabled
Console logging: disabled
Monitor logging: level debugging, 266 messages logged.
Trap logging: level informational, 266 messages logged.
Logging to 18.104.22.168
SNMP logging: disabled, retransmission after 30 seconds
0 messages logged
The following table describes significant fields shown in the display.
- Syslog logging: When enabled, system logging messages are sent to a UNIX host that acts as a syslog server; that is, it captures and saves the messages.
- Console logging: If enabled, states the level; otherwise, this field displays disabled.
- Monitor logging: Minimum level of severity required for a log message to be sent to a monitor terminal (not the console).
- Trap logging: Minimum level of severity required for a log message to be sent to a syslog server.
- SNMP logging: Shows whether SNMP logging is enabled, the number of messages logged, and the retransmission interval.
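Two points from the logging material above are easy to get wrong in practice: a destination set to level N receives that level and everything more severe (the "incorrect logging level" error), and trap logging is on by default with no syslog host, so that output goes nowhere. The following added example, not from either original article, parses output in the shape of the show logging display above (the Buffer logging line is an assumption, not shown on this page; the host address is constructed) and answers whether a message of a given severity actually reaches each destination.

```python
import re

# IOS syslog severities: a lower number is more severe.  A destination set to
# level N receives messages at levels 0..N.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample, shaped like the show logging output above.  The "Buffer
# logging" line is assumed (it is not in the page's sample); 192.0.2.10 is made up.
SAMPLE_SHOW_LOGGING = """\
Syslog logging: enabled
    Console logging: disabled
    Monitor logging: level debugging, 266 messages logged.
    Buffer logging: level debugging, 266 messages logged.
    Trap logging: level informational, 266 messages logged.
        Logging to 192.0.2.10
    SNMP logging: disabled, retransmission after 30 seconds
        0 messages logged
"""

LEVEL_RE = re.compile(r"(Console|Monitor|Buffer|Trap) logging: (?:disabled|level (\w+))")


def parse_show_logging(text):
    """Return the per-destination level (or 'disabled') and the syslog hosts."""
    state = {"syslog_enabled": False, "hosts": [], "levels": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Syslog logging: (\w+)", line)
        if m:
            state["syslog_enabled"] = m.group(1) == "enabled"
            continue
        m = LEVEL_RE.match(line)
        if m:
            state["levels"][m.group(1).lower()] = m.group(2) or "disabled"
            continue
        m = re.match(r"Logging to (\S+)", line)
        if m:
            state["hosts"].append(m.group(1))
    return state


def delivered(state, destination, severity_name):
    """True if a message of this severity reaches destination (console/monitor/buffer/trap)."""
    level = state["levels"].get(destination, "disabled")
    if level == "disabled":
        return False
    # Trap logging enabled without a host is the default catch described above.
    if destination == "trap" and not (state["syslog_enabled"] and state["hosts"]):
        return False
    return SEVERITY[severity_name] <= SEVERITY[level]


def logging_gaps(state):
    """Checks drawn from the 'common logging errors' section."""
    gaps = []
    if state["levels"].get("console", "disabled") == "disabled":
        gaps.append("console logging disabled")
    if state["levels"].get("buffer", "disabled") == "disabled":
        gaps.append("no buffered log (logging buffered not configured)")
    if state["syslog_enabled"] and not state["hosts"]:
        gaps.append("syslog enabled but no syslog host configured")
    return gaps


if __name__ == "__main__":
    st = parse_show_logging(SAMPLE_SHOW_LOGGING)
    for dest in ("console", "monitor", "buffer", "trap"):
        print(dest, "gets debugging:", delivered(st, dest, "debugging"))
    print(logging_gaps(st))
```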
The following is sample output from the show logging history command:
Router# show logging history
Syslog History Table: 1 maximum table entry, saving level notifications or higher
0 messages ignored, 0 dropped, 15 table entries flushed,
SNMP notifications not enabled
entry number 16: SYS-5-CONFIG_I
Configured from console by console
The following table describes the significant fields shown in the display.
- maximum table entry: Number of messages that can be stored in the history table. Set with the logging history size command.
- saving level notifications or higher: Level of messages that are stored in the history table and sent to the SNMP server (if SNMP notification is enabled). Set with the logging history command.
- messages ignored: Number of messages not stored in the history table because the severity level is greater than that specified with the logging history command.
- dropped: Number of messages that could not be processed due to lack of system resources. Dropped messages do not appear in the history table and are not sent to the SNMP server.
- table entries flushed: Number of messages that have been removed from the history table to make room for newer messages.
- SNMP notifications not enabled: Whether syslog traps of the appropriate level are sent to the SNMP server. Syslog traps are either enabled or not enabled through the snmp-server enable command.
- entry number: Number of the message entry in the history table.
- SYS-5-CONFIG_I: Cisco IOS syslog message consisting of the facility name (SYS), which indicates where the message came from, the severity level (5), the message name (CONFIG_I), and the message text.
- Time, based on the router's up time, that the message was generated.
The Adaptive Radio Modules are a family of solutions in a modular form factor that allow customers to adapt their wireless network to their current and future needs. The modules provide a dedicated third radio that can be field-upgraded on the 3600 Series access point. These modules allow customers to integrate advanced technology into their existing network without having to replace equipment or install additional equipment. Also, by adding a third radio, the Adaptive Radio Modules expand the access point's performance and capacity.
Cisco offers three adaptive radio modules for the 3600 Access Point:
- 802.11ac Module
- Wireless Security and Spectrum Intelligence (WSSI) Module
- 3G Small Cell Radio Module
These modules allow customers to integrate advanced technology into their existing network without having to replace or install additional equipment. Also, by adding a third radio, it expands the access point’s capability in terms of performance and capacity.
For example, the addition of the WSSI module in a 3600 Access Point allows for advanced security and monitoring features such as CleanAir, wIPS and rogue detection to operate fully on both the 2.4 and 5GHz band without affecting the client traffic associated with the other 2 radios.
Because the module operates as a dedicated radio, the access point can provide these advanced security features while also serving the client traffic. Adding an adaptive radio module is like adding another processor to your access point: advanced features such as security and spectrum monitoring run on a dedicated radio while the access point maintains throughput and performance by serving the client traffic on the two Wi-Fi radios.
Special Features, Adaptive Radio Modules
Adaptive Radio Modules allow for the diverse requirements of today’s networks, while future-proofing for the technology of tomorrow. The three flavors of adaptive radio modules provide customers with a leg up on various networking challenges.
- The 802.11ac radio module is the first of its kind in the industry and offers wire-like performance ideal for supporting HD video and high client density deployments
- The WSSI Module delivers always-on spectrum intelligence and proactive security scanning without affecting client performance
- The 3G Small Cell Module allows operators to concurrently offer a Wi-Fi/3G cellular infrastructure in a single access point
What makes Cisco unique is that the 3600 AP has a modular design, so it can support different radio types to address emerging client needs while providing investment protection for new and existing deployments.
With our Adaptive Radio Modules, Cisco’s strong portfolio touts:
- The first Enterprise Class Access Point to support the new 802.11ac Wave 1 standard
- The first solution to deliver combined Wi-Fi serving, spectrum analysis, and threat detection and mitigation in a single access point
- The only solution to concurrently provide 3G Small Cell support and state-of-the-art 802.11n-based 4x4 MIMO Wi-Fi
Adaptive Radio Modules can be used in the enterprise
Without the flexibility of the Adaptive Radio Modules, a customer in the case of the 802.11ac module and the 3G Small Cell would have to deploy an overlay network to support these additional radios. In the case of the WSSI Module, a customer would have to deploy an additional access point that exclusively monitors the traffic for security and spectrum issues.
In all cases, adding equipment to the network is costly in terms of deployment and maintenance, and there is also the cost of running Ethernet cables for the additional equipment and of the switch port that each additional device takes up.
With the Adaptive Radio Modules deployed, there is a reduction in this cost since this technology can be added to an existing deployed network. Cisco estimates that there is a 30%+ CAPEX cost savings by eliminating the need for a separate:
- Overlay of additional access points to support 802.11ac, 3G or Security Monitors
- Ethernet cabling and Access Layer port required by each additional Access Point
- Cabling infrastructure costs, which typically run from $750-$1000 per pull, including labor
- Within the Healthcare industry, this cost is typically 2-3 times more
With the Adaptive Radio Modules, not only does the customer get the benefits of being able to deploy advanced technology but there is a significant cost saving to be gained as well.
Reference from http://blogs.cisco.com/wireless/adaptive-radio-modules-for-the-3600-series-ap-best-of-interop-2013-finalist/
The Cisco Catalyst 3650 Series Switch delivers converged wired and wireless access on a single platform, creating an uncompromised user experience in any workspace. The converged system provides a single platform for wired and wireless networkwide visibility for faster troubleshooting, advanced security and quality of service (QoS) control, maximum resiliency with fast stateful recovery, and scale with distributed wired and wireless data plane.
The Cisco Catalyst 3650 is built on the advanced Cisco StackWise-160, and takes advantage of the new Cisco Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC). This switch can enable uniform wired-wireless policy enforcement, application visibility, flexibility, application optimization, and superior resiliency. The Cisco Catalyst 3650 Series Switches support full IEEE 802.3at Power over Ethernet Plus (PoE+), and offer modular and field-replaceable redundant fans and power supplies. They can help you increase wireless productivity and reduce your TCO.
All Cisco Catalyst 3650 Series Switches have fixed, built-in uplink ports. Customers can choose from three types of uplink ports at the time of the switch purchase:
The SFP+ interface supports both 10 Gigabit Ethernet and Gigabit Ethernet ports. Refer to Table 1 for a description of the basic switch models and the corresponding uplink ports. Refer to Table 2 for a description of the various uplink port interface options.
Cisco Catalyst 3650 Highlights
•Built on Cisco Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC) with programmability to support Cisco ONE Enterprise Networks Architecture and software-defined networking (SDN)
•Integrated wireless LAN controller functionality
•Native Flexible NetFlow (FnF) on all ports
•Granular, hierarchical bandwidth management
•Cisco TrustSec support
Cisco Catalyst 3650 Primary Features
•Integrated wireless LAN controller capability with:
- Up to 40G of wireless capacity per switch (48-port models)
- Support for up to 25 access points and 1000 wireless clients on each switch or stack
•24- and 48-port 10/100/1000 data and Power over Ethernet Plus (PoE+) models with Energy-Efficient Ethernet (EEE)
-Optional Cisco StackWise-160 technology provides scalability and resiliency with 160 Gbps of stack throughput (for additional wired and wireless capabilities, please visit the Cisco Catalyst 3850 Series Switches page)
- Fixed, built-in 4 x Gigabit Ethernet, 2 x 10 Gigabit Ethernet, or 4 x 10 Gigabit Ethernet Small Form-Factor Pluggable (SFP) and SFP+ uplink ports
- Dual redundant power supplies and three modular fans, providing higher redundancy
- Full IEEE 802.3at (PoE+) with 30W power on all ports in 1 rack unit (RU) form factor
•Software support for IPv4 and IPv6 routing, multicast routing, modular QoS, FnF Version 9, and advanced security features
•Single, consistent Cisco IOS XE Software image across all license levels, providing an easy upgrade path for access points and software features
•Enhanced limited lifetime warranty (E-LLW) with next business day (NBD) advance hardware replacement and 90-day access to Cisco Technical Assistance Center (TAC) support
The Cisco Catalyst 3650 Series Switches are available in LAN Base, IP Base, and IP Services feature sets. All switches ship with a default AC power supply. A DC power supply can be purchased as an option or spare. The base switch does not include any access point licenses. Figure 1 shows the Cisco Catalyst 3650 Series.
Figure1. Cisco Catalyst 3650 Series Switches (Front and Back)
Table1. Compare different switch models.
The Cisco Catalyst 3650 provides maximum data, power, and wireless resiliency using Cisco StackWise-160 technology, which is built on the highly successful, industry-leading Cisco StackWise technology. StackWise-160 provides optional stacking with 160 Gbps of bandwidth for resiliency within the stack. The stack behaves as a single switching unit that is managed by an active switch elected from one of the member switches. The active switch creates and updates all the switching, routing, and wireless tables. If the active member fails, the standby member assumes the role of the active switch, keeping the stack operational.
Cisco Catalyst 3650 Primary Advantages
Converged Wired and Wireless Platform
The Cisco Catalyst 3650 is a stackable platform that converges wired and wireless services on a Cisco IOS XE Software based platform. The CAPWAP tunnels from the access points terminate at the 3650 switch, enabling users to configure and apply software features such as QoS, security, and FnF across wired ports and wireless SSIDs on the same switch at the same time. The converged wired and wireless platform supports the Cisco Unified Access solution. With “one policy, one management, one network,” the Cisco Catalyst 3650 and Cisco Unified Access help IT spend less time running the network and more time on business innovation.
The Cisco Catalyst 3650 is hardware capable of supporting Cisco TrustSec functionality. Cisco TrustSec uses the device and user credentials acquired during authentication for classifying the packets by security groups as they enter the network with scalability and simplified management. The classification is maintained through the network by the security group tag (SGT) and through integration with the Cisco Identity Services Engine. The Cisco Catalyst 3650 is also hardware-ready for link layer MACsec encryption, which provides networkwide encryption to protect data traffic across the network.
Application Visibility and Control (AVC)
With native support for FnF on all ports, the Cisco Catalyst 3650 can monitor both east-west and north-south wired traffic at the same time. The Cisco Catalyst 3650 switch terminates the wireless CAPWAP tunnels from the access point, providing full visibility into the wireless traffic at the switch. Because the wireless traffic is now visible at the switch, it is possible to identify wireless traffic using FnF and prioritize it using advanced QoS capabilities for an improved user experience and faster troubleshooting.
The Cisco Catalyst 3650 supports Cisco Catalyst SmartOperations. SmartOperations features such as Auto Smartports, Auto QoS, and Smart Install reduce deployment time by automating most of the basic switch and port configurations.
Foundation for Cisco ONE Enterprise Networks Architecture
The Cisco Catalyst 3650 is built on the UADP ASIC, which provides wire-rate hardware performance with software programmability. The UADP ASIC features a programmable data plane, enabling deployment of SDN services and support of future software features over the product lifetime. The Cisco Catalyst 3650 supports the Cisco ONE Enterprise Networks Architecture for openness, programmability, and operational simplicity.
Reduced Total Cost of Ownership
The Cisco Catalyst 3650 reduces the total cost of ownership and provides superior investment protection through:
•Built-in wireless controller functionality
•Support for fixed GE or 10 GE uplink
•Support for IP Base and IP Services software options
•Dual redundant power supply and three individual fans to help ensure high availability
•E-LLW with NBD advance hardware replacement and 90-day access to Cisco TAC support
Cisco Business Edition 6000 (BE 6000) is a packaged solution optimized for medium-sized business requirements. It combines Cisco Unified Communications applications on the Cisco Unified Computing System (Cisco UCS) and offers midsize customers business agility and reduced TCO through server consolidation, operational efficiency and scalability, improved business continuity, and greater investment leverage.
Cisco BE 6000 consists of the following foundational elements:
You can optionally install the following applications to the BE 6000 solution:
In addition, Cisco BE 6000 integrates with cloud-based Cisco WebEx Software-as-a-Service offerings including WebEx Connect IM and Presence, as well as WebEx Web Conferencing.
Cisco BE 6000 comes with two hardware options of Cisco UCS 220 M3 Server:
What is the difference between Cisco Business Edition 6000 and generic unified communications applications on Cisco UCS ("UC on UCS")? The table shows the differences between Cisco BE 6000 and deployments with Unified Communications applications on Cisco UCS.
Maximum Capacities of Cisco BE 6000
About Deployment Model-Cisco Business Edition 6000
Cisco BE 6000 supports fully featured redundancy for both LAN and WAN environments. You can deploy a redundant server for Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express applications in a remote location over your WAN.
The Cisco BE 6000 Medium Density server supports up to five co-resident applications. However, the Cisco Virtualization Hypervisor software with license comes standard with Cisco BE 6000, and is entitled for two CPU sockets and 16 GB of virtual memory to deploy additional applications. Following are configuration scenario examples:
• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)
• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Contact Center Express, Cisco Unified Attendant Console, and Cisco Unified Provisioning Manager (primary)
Optional Cisco Virtualization Foundation Edition is entitled for two CPU sockets and 32 GB of virtual memory and enables the VMware vCenter compatibility feature.
Cisco Business Edition 6000 supports more than two nodes in the cluster. You can deploy Cisco BE 6000 with more than three nodes in the cluster as long as the user count does not exceed 1000 users.
Is Cisco Prime Collaboration Provisioning bundled with Business Edition 6000 different from the enterprise version of Cisco Prime Collaboration Provisioning? I have been using Cisco Unified Provisioning Manager Business Edition to manage Business Edition 6000; how do I migrate to the new management application, Cisco Prime Collaboration Provisioning? Can I install Cisco Business Edition 6000 on a different specifications-based Cisco UCS server or on a third-party server? Can I install any third-party application server on Cisco Business Edition 6000 hardware? For these and more questions about Cisco BE6000 and its licensing options, read the full Cisco Business Edition 6000 Q&A page.
This article describes an issue faced by a user on ASA 8.6.
The problem:
The user has an ASA 5525 running version 8.6 and is trying to ping through its different interfaces, but is not able to. The test results are as follows:
Can PING between the outside interface and the next hop (same subnet)
Cannot PING between the inside interface and the next hop (same subnet)
Cannot PING between the DMZ interface and the next hop (same subnet)
Please see below configuration for firewall for reference.
ip address 16.x.x.x 255.255.255.248
no ip address
ip address 17.x.x.x 255.255.255.0
no ip address
ip address 18.x.x.x 255.255.255.0
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
icmp permit any outside
icmp permit any dmz
inspect icmp error
route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1
The user wants to know what needs to be added to get all three pings working.
By default, with no icmp rules configured for an interface, the ASA accepts ICMP to that interface, so nothing should need adding for the ASA to ping a directly connected next hop.
Start at Layer 2: check the output of "show arp" and see whether the IP address (and MAC address) of the host or router you are pinging appears, and against which interface. Also check "show route": the posted static routes point a 17.x.x.0/24 internal subnet out of the dmz interface and the 18.x.x.0/24 DMZ subnet out of the outside interface, so confirm that the next hop is being resolved on the interface you expect.
The four "static" entries below are basic, but two of them are static identity NAT entries that you probably will not need in the new software (8.3 and later). The two below need no corresponding configuration there, since inside-to-dmz traffic passes without any NAT statement:
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
The two static NAT entries below convert directly to Auto NAT (network object NAT). Use "object" names that describe the setup, rather than generic ones:
static (dmz,outside) 22.214.171.124 192.168.1.56 netmask 255.255.255.255
static (dmz,outside) 126.96.36.199 192.168.1.85 netmask 255.255.255.255
In the new syntax the object holds the real (DMZ) address and the nat line carries the mapped (outside) address from the old static line:
object network STATIC-1
 host 192.168.1.56
 nat (dmz,outside) static 22.214.171.124
object network STATIC-2
 host 192.168.1.85
 nat (dmz,outside) static 126.96.36.199
The best way to find problems with an ASA configuration is the "packet-tracer" command. It tells you whether traffic is being blocked by an ACL or failing because of NAT.
For a connection coming from behind "outside", use this format of the command:
packet-tracer input outside tcp <source ip> 12345 <server nat ip> <destination port>
To test anything else, change "input <interface name>" to the interface where the traffic is sourced, choose "tcp" or "udp" as appropriate, and pick a source/destination IP and port.
The output of the following commands should help you troubleshoot possible problems:
Take "packet-tracer" output for both of the cases above: connectivity from "outside" to the "dmz" server, and the earlier problem of connecting from "inside" to the "dmz" server.
If you are doing dynamic PAT from "inside" to "dmz", then removing the "static" commands that refer to "(inside,dmz)" would mean users could no longer connect from "dmz" to those "inside" IP addresses. This is the main reason dynamic PAT between local interfaces is discouraged: it complicates the NAT configuration, because you then have to add extra NAT statements to work around the problems the dynamic PAT causes.
For the "management" interface you probably do not need any new NAT configuration.
Keeping the dynamic PAT from "inside" to "dmz" means you also need the static identity NAT mentioned above in the new software; otherwise the ASA drops the connection attempts. The PAT itself goes in the after-auto (section 3) position so that the identity rule is matched first:
nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global
Here "inside-pat-source" and "dmz-pat-global" are network objects you define for the inside source range and for the PAT address on the dmz side (the "interface" keyword can be used in place of a global object to PAT to the dmz interface address).
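The following is an added example of the complete migrated 8.3+ NAT configuration discussed above, together with the packet-tracer checks; it is not the configuration from the original thread. The real and mapped addresses are taken from the old static lines above; the object names, the use of the dmz interface address for the PAT, and the test addresses (203.0.113.10 from the documentation range, 172.16.5.20 inside) are assumptions made for this illustration.

```text
! Added example, not the original thread's config. Object names, the PAT
! address ("interface") and the packet-tracer test addresses are assumptions.

! 1. Object (Auto) NAT: publish the two DMZ servers on "outside".
!    The object holds the real address, the nat line the mapped address.
object network DMZ-SRV-56
 host 192.168.1.56
 nat (dmz,outside) static 22.214.171.124
object network DMZ-SRV-85
 host 192.168.1.85
 nat (dmz,outside) static 126.96.36.199

! 2. Identity NAT between inside and dmz (twice NAT, section 1). It is
!    bidirectional, so dmz hosts can still reach 172.16.0.0/16 addresses.
!    Only needed because of the dynamic PAT in step 3; without that PAT,
!    inside<->dmz traffic needs no NAT statement at all.
object network INSIDE-NET
 subnet 172.16.0.0 255.255.0.0
nat (inside,dmz) source static INSIDE-NET INSIDE-NET

! 3. Dynamic PAT inside -> dmz to the dmz interface address, placed in
!    section 3 (after-auto) so the identity rule above is evaluated first.
nat (inside,dmz) after-auto source dynamic any interface

! Verification: trace a connection in each direction. In the NAT phase the
! output must show the translation you expect, and the final line must read
! "Action: allow". An outside ACL permitting the published service is still
! required; a missing entry shows up as a drop in the ACCESS-LIST phase.
packet-tracer input outside tcp 203.0.113.10 12345 22.214.171.124 443
packet-tracer input inside tcp 172.16.5.20 12345 192.168.1.85 22
packet-tracer input dmz tcp 192.168.1.85 12345 172.16.5.20 445
show nat detail
show xlate
```

"show nat detail" lists the rules in the order the ASA evaluates them (section 1 manual rules, section 2 object rules, section 3 after-auto rules) with hit counts, which is the quickest way to confirm that the identity rule, not the PAT, is matching the 172.16.0.0/16 traffic.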
How do you set up a console server? First, what a console server is.
A console server is a device that, via serial ports, has access to the physical console ports of several different devices, usually located in the same rack. They are most commonly seen in two environments: labs, where many pieces of equipment sit in close proximity and constant console access is essential because configurations change often; and remote sites, where companies locate equipment without easy access for personnel.
Cisco Console Router Basics
For those looking to set up a reasonably priced lab environment the older Cisco 2509 (8 ports) and 2511 (16 ports) should be considered. While these are certainly a bit dated they still work fine in many environments and operate on little power and in flexible environmental conditions. For those looking to get a more modern equivalent device there are now HWIC modules (HWIC-8A, HWIC-16A) that support the same number of serial ports as the older 2509 and 2511 devices.
In either case, they utilize what is referred to as an octal cable which connects to the device with a single connector and has 8 different serial RJ-45 connectors on the other side which connect directly to the serial port of other Cisco devices. These cables can be found online for a reasonable price.
8-port Cisco Octal Cable
Cisco Console Router Configuration
The configuration of a console router is not overly complex. Since most Cisco (and other) equipment defaults to the same console settings (9600 baud, 8 data bits, no parity, 1 stop bit, no flow control), only some minor changes are needed to ensure a good console experience. The steps to configure the console lines are shown in Table 1:
Table 1 – Console Line Configuration
Step  Description                          Command
1     Enter privileged EXEC mode           Console>enable
2     Enter global configuration mode      Console#configure terminal
3     Enter line configuration mode        Console(config)#line 1 16
4     Disable EXEC processing              Console(config-line)#no exec
5     Disable the EXEC timeout             Console(config-line)#exec-timeout 0 0
6     Enable Telnet as the input transport Console(config-line)#transport input telnet
The next part is to configure easy access to the connected devices, but first, why this is necessary. To open a connection from the console router to a connected device's console port, the user initiates a telnet connection to the console router on a TCP port number that maps to the specific line.
For example, on the 2511, if a device's console is connected to line 5, the telnet connection is made to console_router_ip_address on port 2005: line 1 maps to 2001, line 16 maps to 2016, and the lines in between follow the same order (port = 2000 + line number). The exact mapping depends on the platform; where the console ports sit on an add-on module, the slot the module is inserted in also affects the port number.
Once these numbers have been mapped out, it is not convenient to remember each port number every time access to the lab is needed. The common workaround is a local hostname list. For example, if Router1 is connected on line 6 and Switch1 on line 12, the user can either telnet to the specific ports (2006 and 2012 respectively) or associate a hostname with an IP address and port. Table 2 shows the configuration needed:
Table 2 – IP Hostname List Configuration
Step  Description                         Command
1     Exit to global configuration mode   Console(config-line)#exit
2     Configure a local host entry        Console(config)#ip host hostname port-number ip-address
For small lab environments it is common for console routers to only be accessed via a single Ethernet connection. This is fine for lab environments, but if the console server is being used as part of a larger Out-Of-Band management plan for a production network, this single point-of-failure is unacceptable. In these situations, multiple points of access to the console router are often required to meet redundancy requirements.
On newer platforms this can be done through multiple Ethernet connections through diverse switches and/or via a backup method like dial-up. In both cases the IP address being used to access the device is different depending on the access method. It is because of this that loopback IP addresses are typically configured on console routers which are then used in the console routers ip host statements. This way, regardless of access method, the ip host statements would still work and connect the user to the correct device. The configuration for this is shown in Table 3:
Table 3 – Loopback Interface Configuration
Step  Description                                 Command
1     Create a loopback interface                 Console(config)#interface loopback 0
2     Configure an IP address for the interface   Console(config-if)#ip address 10.10.10.10 255.255.255.255
With the Table 3 configuration in place, the entry for Router1 from the earlier example becomes ip host Router1 2006 10.10.10.10, and the device is reached from the console router with the command telnet Router1.
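The following is an added example, not configuration from the original article, that puts Tables 1 to 3 together into one complete 2511-style console router configuration. As written in the tables, the lines accept reverse-telnet sessions with no authentication, so anyone who can reach TCP ports 2001 to 2016 on the console router gets console access to every device in the rack; the example therefore also applies a local login and an access-class to the lines, since line authentication and access-class apply to the incoming reverse-telnet session. The hostname, username, line assignments, loopback address and the 10.10.20.0/24 management subnet are assumptions for this illustration.

```text
! Added example (not from the original article). Hostname, username, line
! assignments, loopback address and the management subnet are assumptions.
hostname Console
!
username labadmin secret <strong-password>
!
! Only the management subnet may open reverse-telnet sessions to the lines
access-list 10 permit 10.10.20.0 0.0.0.255
!
! Stable address used in the ip host entries, reachable over any path
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
!
! Async lines 1-16 front the octal-cable ports (TCP 2001-2016).
! no exec stops the console router itself from starting a shell on the line;
! exec-timeout 0 0 keeps idle lab sessions from being dropped.
line 1 16
 no exec
 exec-timeout 0 0
 login local
 access-class 10 in
 transport input telnet
!
! Hostname list: "telnet Router1" reaches line 6 via the loopback address
ip host Router1 2006 10.10.10.10
ip host Switch1 2012 10.10.10.10
!
end
```

Connect with telnet Router1 on the console router (or telnet 10.10.10.10 2006 from a workstation), suspend the session with Ctrl-Shift-6 followed by x, and close it with disconnect. If a new connection to a line is refused, an earlier session is still holding that line; clear line 6 (the line number, not the TCP port) frees it. Newer IOS releases also support reverse SSH to the lines, which avoids sending the line credentials in the clear.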
As the cost of used Cisco hardware continues to come down and the interest in Cisco certification continues to rise, it is becoming more common for those getting into the field to invest in a lab. Adding a console router to this environment makes the access to the lab easy and allows the student to play around with a number of different configurations without having to worry about physical access or by inadvertently closing access to the device.
For those looking to deploy console routers into production environments, the question is why have you waited this long? Out-Of-Band options are an important part of any production environment and should be a consideration from the beginning of the planning stages.
Regardless of the environment it is the intention of this article to get the console router up and going as soon as possible.
Cisco released software security updates to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.
The company released new versions of Cisco IOS XR Software to fix an issue with handling fragmented packets that can be exploited to trigger a denial-of-service condition on various Cisco CRS Route Processor cards. The affected cards and the patched software versions available for them are listed in a Cisco advisory.
The company also released security updates for Cisco Identity Services Engine (ISE), a security policy management platform for wired, wireless, and VPN connections. The updates fix a vulnerability that could be exploited by authenticated remote attackers to execute arbitrary commands on the underlying operating system and a separate vulnerability that could allow attackers to bypass authentication and download the product’s configuration or other sensitive information, including administrative credentials.
Cisco also released updates that fix a known Apache Struts vulnerability in several of its products, including ISE. Apache Struts is a popular open-source framework for developing Java-based Web applications.
The vulnerability, identified as CVE-2013-2251, is located in Struts' DefaultActionMapper component and was patched by Apache in Struts version 2.3.15.1, which was released in July 2013.
The new Cisco updates integrate that patch into the Struts version used by Cisco Business Edition 3000, Cisco Identity Services Engine, Cisco Media Experience Engine (MXE) 3500 Series and Cisco Unified SIP Proxy.
“The impact of this vulnerability on Cisco products varies depending on the affected product,” Cisco said in an advisory. “Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system.”
No authentication is needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy, but successful exploitation on Cisco Business Edition 3000 requires the attacker to have valid credentials or to trick a user with valid credentials into opening a malicious URL, the company said.
“Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product,” Cisco said.
Security researchers from Trend Micro reported in August that Chinese hackers are attacking servers running Apache Struts applications by using an automated tool that exploits several Apache Struts remote command execution vulnerabilities, including CVE-2013-2251.
The existence of an attack tool in the cybercriminal underground for exploiting Struts vulnerabilities increases the risk for organizations using the affected Cisco products.
In addition, since patching CVE-2013-2251 the Apache Struts developers have further hardened the DefaultActionMapper component in more recent releases.
Struts version 2.3.15.2, released in September 2013, made changes to the DefaultActionMapper "action:" prefix that is used to attach navigational information to buttons within forms, in order to mitigate an issue that could be exploited to circumvent security constraints. The issue has been assigned the identifier CVE-2013-4310.
Struts 2.3.15.3, released on Oct. 17, turned off support for the "action:" prefix by default and added two new settings, "struts.mapper.action.prefix.enabled" and "struts.mapper.action.prefix.crossNamespaces", that can be used to better control the behavior of DefaultActionMapper.
The Struts developers said that upgrading to Struts 2.3.15.3 is strongly recommended, but held back on releasing more details about CVE-2013-4310 until the patch is widely adopted.
It is not clear when or if Cisco will patch CVE-2013-4310 in its products, given that the fix appears to involve disabling support for the "action:" prefix. If the Struts applications in those products use the "action:" prefix, the company might need to rework some of their code.
Original news: http://www.pcworld.com/article/2057660/cisco-fixes-serious-security-flaws-in-networking-communications-products.html