RE: Confreg problem...help! [7:57732]
Robert,

Aux could only work if you had configured the router before now to accept Aux connections. The only possible solution is for you to go through the console port. Using a PC with a terminal emulator, set its parameters to:

9600 baud rate
No parity
8 data bits
1 stop bit
No flow control

Using the appropriate console cable, connect the router to the PC, run the terminal software and set the parameters as suggested above. Then:

1. Switch off the Router
2. Press [Enter Key] to connect to the router (do not mind, you will not see anything displayed on the screen)
3. ON the router and type in the break sequence (depending on your terminal emulation software and the OS you are running, your break sequence could be i. Ctrl+Break ii. Ctrl+F6+Break iii. Ctrl+a+f iv. Ctrl+b v. Ctrl+End vi. Break vii. control+shift+6+b etc!!! whichever works for you.)
4. Then on Rommon> Type "confreg 0X2142" ..To boot from flash.
5. On rommon > type "Reset" This makes the router boot from flash and ignore its configurations.
6. Type "No" after the setup question or press Ctrl+C
7. On Router> type "Enable"
8. On Router# type "copy startup-config running-config"
9. On Router# type "Config t"
10. On Router(config-t)# type "config-register 0x2102"
11. On Router(config-t)# type end
12. On Router# type "copy running-config startup-config"

With these you are set. If this works for you Bill, just send me a DEER for thanksgiving day, else please feel free to ask more questions.

my 0.2 cents

Regards
Godswill Oletu

--- dayo olabisi wrote:
> Bill,
>
> telnet won't work if the router isn't up... I think
> connecting via the Aux port may be of help.
>
> dayo
> --- Creighton Bill-BCREIGH1 wrote:
> > I'm assuming you don't have VTY access - telnet, of
> > course, doesn't care
> > about console port settings...
> >
> > Bill Creighton CCNP
> > Senior System Engineer
> > Motorola
> > iDEN CNRC Packet Data / MPS
> >
> > -Original Message-
> > From: Robert Massiache [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, November 19, 2002 3:27 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Confreg problem...help! [7:57732]
> >
> > Thanks for the reply.
> >
> > The problem is upon boot up I am getting only garbled ascii characters and
> > the screen appears to be frozen. It don't let me see anything and type
> > anything to implement your suggestion...sorry. I welcome if you could tell
> > me some alternative...thanks a lot!
> >
> > thanks
> > Robert M
> >
> > >From: "miken"
> > >To: "Robert Massiache" ,
> > >CC: ,
> > >Subject: Re: Confreg problem...help!
> > >Date: Tue, 19 Nov 2002 00:52:49 -0700
> > >
> > >I believe the config-register is stored in NVRAM. So in theory, if you
> > >bypass the startup config, you may default to the standard
> > >config-register settings. Haven't tried it though to know for sure.
> > >Have you tried booting into rommon (control-break sequence) and then
> > >stepping through the confreg steps?
> > >
> > >http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_command_summary_chapter09186a0080087baf.html#xtocid43127
> > >
> > >HTH, Mike
> > >
> > >- Original Message -
> > >From: "Robert Massiache"
> > >To:
> > >Cc: ;
> > >Sent: Monday, November 18, 2002 7:39 PM
> > >Subject: Confreg problem...help!
> > >
> > > > Hi,
> > > > I got a mc3810 router and was running perfect. Sometime ago I
> > > > mistakenly typed a confreg value which I do not remember exactly but
> > > > I know it was not a relevant one. I was actually practicing with the
> > > > confreg entries.
> > > >
> > > > What happened was that after I just rebooted the router I lost the
> > > > console screen. I tried with all sorts of console port values like
> > > > changing the baud-rate, start stop bit etc.
> > > >
> > > > I found it was responding to 1200 baud speed but all I could find is
> > > > some corrupted and garbled ascii characters on the Teraterm. Same is
> > > > the case with hyperterm.
> > > >
> > > > Any helpers please...
> > > >
> > > > thanks
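The thread turns on two configuration register values (0x2142 and 0x2102) and a console that only answers at 1200 baud. The following is an added example, not part of any post: it decodes the register fields involved and audits a `show version` line for a register left in the recovery state. It assumes the commonly documented Cisco bit layout (bit 6 ignores NVRAM, bit 8 disables Break, bits 5/12/11 select console speed), which may differ per platform; the function names and sample lines are constructed for illustration.

```python
import re

# Console speed keyed by (bit 5, bit 12, bit 11).
# Assumption: commonly documented layout; confirm against the platform's documentation.
BAUD_BY_BITS = {
    (0, 0, 0): 9600, (0, 0, 1): 4800, (0, 1, 0): 1200, (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}


def decode_confreg(value):
    """Split a 16-bit configuration register into the fields the thread discusses."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")

    def bit(n):
        return (value >> n) & 1

    return {
        "boot_field": value & 0xF,           # 0 = stay in ROM monitor
        "ignore_nvram": bool(bit(6)),        # startup-config skipped at boot
        "break_disabled": bool(bit(8)),      # Break ignored once booted
        "console_baud": BAUD_BY_BITS[(bit(5), bit(12), bit(11))],
    }


def findings_for(value):
    """Return the settings an operator would want to know about for one value."""
    reg = decode_confreg(value)
    out = []
    if reg["ignore_nvram"]:
        out.append("startup-config is ignored at boot")
    if not reg["break_disabled"]:
        out.append("Break on the console halts the router to ROM monitor at any time")
    if reg["console_baud"] != 9600:
        out.append("console runs at %d baud, not 9600" % reg["console_baud"])
    if reg["boot_field"] == 0:
        out.append("router stops in ROM monitor instead of loading IOS")
    return out


CONFREG_LINE = re.compile(
    r"Configuration register is (0x[0-9A-Fa-f]+)"
    r"(?: \(will be (0x[0-9A-Fa-f]+) at next reload\))?"
)


def audit_show_version(text):
    """Check the current register and, if different, the value pending for next reload."""
    m = CONFREG_LINE.search(text)
    if m is None:
        return ["no configuration register line found"]
    values = [("current", m.group(1))]
    if m.group(2) and m.group(2).lower() != m.group(1).lower():
        values.append(("next reload", m.group(2)))
    report = []
    for label, raw in values:
        for finding in findings_for(int(raw, 16)):
            report.append("%s %s: %s" % (label, raw, finding))
    return report


# Constructed sample lines in the style of the last line of "show version".
SAMPLES = {
    "normal": "Configuration register is 0x2102",
    "recovery_pending_fix": "Configuration register is 0x2142 (will be 0x2102 at next reload)",
    "recovery_left_on": "Configuration register is 0x2142",
    "slow_console": "Configuration register is 0x3102",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", audit_show_version(line) or "ok")
```

A register still reading 0x2142 after the procedure means the router will come up without its startup-config, and therefore without its configured passwords, on the next reload.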
CCIE Home Lab Materials and Equipments [7:57810]
Hi group,

I want to get it right the first time. I intend setting up my CCIE lab at home. I will appreciate it if someone who has taken the lab or is preparing for it tells me what switches, routers and materials I need to buy. Also, information about the various needed blades on the switches is important, as well as cables, cards, modules, etc.

I currently have a cable connection and also a dialup connection from home to the internet. Are these enough or do I need to get a second cable connection?

I currently have the following books:
1. CCIE Fundamentals Network Design and Case Studies 2nd Edition by Cisco Press.
2. Routing TCP/IP, volume 1 by Cisco Press (Jeff Doyle)

also
1. Cisco router 1601
2. Cisco router 2502
3. Cisco router 3000

I intend buying a Cisco Catalyst Switch 5000 within a few days, but I need your assistance. Please, I will appreciate an answer from my big brothers & sisters CCIEs and those who are currently working towards it.

Thanks in advance.

Godswill Oletu
CCNP, CCDP, CSS1.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57810&t=57810
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: CCSP [7:57713]
If you take one of the 3 specialized courses plus the MCNS exam, you become a Specialist in that area, e.g.

1. CSPFA+MCNS = Firewall Specialist
2. CSVPN+MCNS = VPN Specialist
3. IDSPM+MCNS = IDS Specialist

For a limited time more: CSPFA+CSVPN+IDSPM+MCNS = CSS1
Also CSPFA+CSVPN+IDSPM+MCNS+SAFE = CCSP

From now till 09/03 People like my humble self who already have the CSS1 designation would need to take only the SAFE exam to become CCSP.

I did not see any true meaning to all these. Cisco should know better.

my 0.02

Regards
Godswill
CCNP,CCDP,CSS1

> (CSPFA for Firewall, CSVPN for VPN, and CSIDS for IDS)

--- Creighton Bill-BCREIGH1 wrote:
> Nevermind - sometime earlier they enabled the links...
>
> -Original Message-
> From: Creighton Bill-BCREIGH1 [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, November 19, 2002 3:07 PM
> To: [EMAIL PROTECTED]
> Subject: RE: CCSP [7:57713]
>
> Good Info!
> I tried following the link for those new Specialist certs on Cisco's site,
> but the link is broken - are Specialists defined now by completing only the
> individual exams? (CSPFA for Firewall, CSVPN for VPN, and CSIDS for IDS)
>
> -Original Message-
> From: Peter.Walker:[EMAIL PROTECTED]
> Sent: Tuesday, November 19, 2002 2:53 PM
> To: [EMAIL PROTECTED]
> Subject: Re: CCSP [7:57713]
>
> Joshua
>
> The CCSP is basically just a realignment of the current Cisco Security
> Specialist 1 certification into the Cisco Professional track. It does add
> one more exam to the requirements but other than that no real change. Cisco
> has even 'generously' allowed current CSS1s to take the remaining exam to
> get the cert. :-)
>
> As for the new specialist level certs, they are just dumbed down
> ^H^H^H^H^H^H^H^H^H^H^H more focussed variations of the CSS1.
>
> I really don't think Cisco have thought this one through as anyone who
> attains CCSP (with the current versions of the exams), will also
> automatically get three specialist level certs. In my opinion this totally
> devalues the specialist level certs. They should be something that takes
> specific specialised skill and knowledge to attain, not something you get
> for free as part of the process of attaining an intermediate level
> professional qualification.
>
> Peter Walker
> CISSP, CSS1, CITPSS, CCNP, CCIP, CCDP, etc
>
> (Putting flame proof clothing on)
>
> Joshua Green wrote:
> >
> > Anyone else hear about the new CCSP cert that Cisco is offering?!
> > It's about time! Although I wish some of the other Professional level
> > certs would count towards it in some way... I also like the three new
> > Specialist level certs!
> >
> > Thank you,
> >
> > Joshua Green; MCSE, CCNA
> > [EMAIL PROTECTED]
> > CityScape Communications
> > 2040 Timberbrooke Drive
> > Springfield, IL 62702
> > (217) 793.6238 x18
> > (217) 793.6275 fax
> > (217) 306.6201 cell

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57766&t=57713
Re: Cisco Qualified specialist [7:47263]
Hi,

They will send a congratulatory letter, a certificate and nothing more, no ID card.

Enjoy

--- Dwayne Saunders wrote:
> Hi all
> Was Just wondering after completing your Cisco Qualified specialist
> exam what does Cisco send out if anything

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47319&t=47263
How Faceless the CQS Logos are??? [7:36521]
Hello,

I know the focus of any certification is not the certificate nor the logo; the joy of scaling through all the hurdles, the additional knowledge and responsibilities it brings, etc. outweighs the certificate or the logo you are given to put on your complimentary card or letter heading. However, the logo and the certificate, etc. should be appropriate in terms of quality, representations and designs; no doubt it adds some prestige both to the holder and the vendor.

I was disappointed to find out that the Cisco CQS certification is so faceless. All that you see in the logo is "Cisco Certified"...No indication of the type of certification, no mention of anything relating to it whatsoever. Logos are normally graphical representations, but Cisco logos are not; no one who sees the CQS logo will know what it stands for nor what it represents.

I think Cisco can do more, they have the money and resources. Sometimes we had to pay through our nose to get these certifications. It is only fair one gets value for his hard earned money. It also tells how serious, dedicated and committed the vendor is to their certification process. If Cisco would commit half the money, strength and vigor they currently exhibit in pursuing and executing their NDA into this, it would go a way to add more value to the whole process.

I thought someone shares the same thought with me.

Enjoy.

Godswill Oletu
CSS1,CCDP,CCNP.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36521&t=36521
Passed CSIDSPM Exam!!!!!!!!!!!!!!!! [7:36306]
Am very grateful to you all. The group really helped me throughout my CSS1 exam track. It has been a big learning place where knowledge is shared.

I sat and passed the Cisco Secure Intrusion Detection Systems with Policy Manager (CSIDSPM) version 2.1 exam today to complete the CSS1 (Cisco Security Specialist 1) track. It was a beast of an exam, totally different from the first three. It was a tough battle but it is all over, thanks once more.

You might think CCIE would be the next, no, not at all; next in the list is CISSP (Certified Information Systems Security Professional) or CCSA (Checkpoint Certified Security Administrator).

I will be grateful if someone who has taken the CCSA exam helps me with the best book/study materials to use. I can only locate materials for the CCSA CP 2000 exam, but I want to take the CCSA NG exam, which is the latest version. Any help would be appreciated.

Enjoy.

Godswill Oletu
CCNP,CCDP,CSS1.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36306&t=36306
Last Minute Prayers, Advice and Tips---CSIDSPM [7:36288]
Hi all,

I have just 2 hours between me and my Cisco Secure Intrusion Detection Systems with Policy Manager (CSIDSPM) version 2.1 exam. It is the last lap to my CSS1 certification. Please, any last minute tips, advice and of course prayers would be appreciated. Send an offline message where necessary.

Until I hear from you, Enjoy.

Regards.
Godswill Oletu
CCNP,CCDP,CSS1(3/4).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36288&t=36288
Re: SNA in CCDP [7:35717]
There is a lot one cannot say because of NDA, however it would be safer you read and know SNA very well.

Enjoy.

Regards.
Oletu

- Original Message -
From: Emil
To:
Sent: Monday, February 18, 2002 1:46 AM
Subject: SNA in CCDP [7:35717]

> Hello
> I'm a little bit confused about CCDP exam topics. According to the Cisco
> site there is no SNA on CCDP, also there is no VoIP.
> In the CID training there is no SNA but there is some VoIP.
> In the CID book by Birkner (Cisco Press) there is SNA
>
> The question is: What is on the exam?
> Regards
> EMIL

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35719&t=35717
Re: DNS Request Redirection [7:35703]
You can still use your former ISP's DNS records while using the new ISP's bandwidth. It does not matter who owns the DNS server. Everybody has access to it once they are on the internet, except when they are specifically filtered.

The only drawback is that your new ISP has to forward the packet in a round trip to the old ISP's network through the internet before they are resolved and sent back to your machine; had it been you are using the DNS of your new ISP, these requests would stop there.

Do not lose your sleep, because at the worst these delays are in milliseconds and not easily noticeable by the eye; moreover, each machine has a cache so it does not forward every request. Great if you have a Cache Engine to complement the machine's cache.

Whatever, you are kool and everything will be fine, switch to your new ISP and enjoy.

Regards.
Oletu

- Original Message -
From: Michael Hair
To:
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]

> I was wondering what is the best way to take care of the following:
>
> I have been using a private address space behind a Cisco 4500 router
> connected up to our current ISP using NAT, now we want to move our
> connection from our current ISP to a new ISP with better bandwidth. My
> problem is that we don't want to change all our client machines TCP/IP
> settings, which are all static, for some reason or another they were all
> setup to use our ISP's DNS. Not my idea but that's another problem. So how can
> I setup our router to forward requests looking from our current ISP's DNS to
> our new ISP's DNS without touching all the client machines.
>
> Would the best way be to use policy-base routing?
>
> Would a static route work?
>
> Could I use a static route under NAT?
>
> If someone could provide me a sample of how you could do this I would be
> grateful...
>
> Thanks
> Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35718&t=35703
Re: access-group ## in or out? [7:35578]
Look at it from both the Router and the Interface perspective, e.g. if the interface facing your LAN is E0 and the interface to the internet is S0.

For traffic coming from your LAN into the Router through the E0 interface, as the traffic is entering that interface from your LAN it is 'in', and as it passes and goes out of that interface into the backplane of the router, it is considered 'out' relative to interface E0 and 'in' relative to interface S0; when it leaves interface S0 into the internet, it is then considered 'out' relative to interface S0.

For traffic coming from the internet into the Router through the S0 interface, as the traffic is entering that interface from the internet it is 'in', and as it passes and goes out of that interface into the backplane of the router, it is considered 'out' relative to interface S0 and 'in' relative to interface E0; when it leaves interface E0 into your LAN, it is then considered 'out' relative to interface E0.

You now see that each interface has two instances of 'in' and two instances of 'out'. Most security designs use 'in' more often than 'out' and you should consider using it as well, if tight security implementation is your goal.

The 'in' keyword makes the router examine the packets before they enter the interface and impose the Access-list on the traffic before they ever have the chance of either entering the Router or your network, while the 'out' keyword only does that after the traffic has passed through the interface in question; this should only be allowed for trusted traffic for which you only want to disallow access to certain services. If you want to restrict a particular source address from entering into your network or router, using the 'out' keyword has no effect and it is a security breach because the traffic would have entered your router or network before it is acted upon.

Have a clear picture of what you want the access-list to do against the particular traffic; that will give you a clue on the keyword to use. However, for me security is always at the back of my mind, so by default I use the 'in' keyword except where otherwise unnecessary.

Regards.
Oletu

- Original Message -
From: none ya
To:
Sent: Friday, February 15, 2002 6:03 PM
Subject: access-group ## in or out? [7:35578]

> Would someone please give me a simple explanation/example that will clarify
> when to use "in" or "out" when you apply an ACL to a router interface?
> Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35651&t=35578
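The E0/S0 scenario from the post above, as an added example that is not part of the post: a small model of where a source-deny list is evaluated when bound inbound on S0 versus outbound on E0. It is a simplified model, not router code; it assumes an outbound list is only consulted for packets the router forwards out that interface, and the class, function names and addresses (documentation ranges) are constructed for illustration.

```python
from ipaddress import ip_address, ip_network


class Interface:
    """One router interface with optional source-deny lists per direction."""

    def __init__(self, name, address, network):
        self.name = name
        self.address = ip_address(address)
        self.network = ip_network(network)
        self.acl_in = None    # list of denied source networks, or None
        self.acl_out = None


def denied(acl, src):
    """True if the source address matches any denied network in the list."""
    return acl is not None and any(src in net for net in acl)


def process(interfaces, ingress, src, dst):
    """Walk one packet through the router; return (verdict, trace)."""
    src, dst = ip_address(src), ip_address(dst)
    trace = ["arrive %s" % ingress.name]
    # Inbound list: checked before any routing decision is made.
    if denied(ingress.acl_in, src):
        return "dropped at %s in" % ingress.name, trace
    trace.append("inside router")
    # Traffic addressed to the router itself never leaves an interface,
    # so no outbound list is consulted for it.
    if any(dst == i.address for i in interfaces):
        return "delivered to router", trace
    egress = next((i for i in interfaces if dst in i.network), None)
    if egress is None:
        return "no route", trace
    trace.append("routed to %s" % egress.name)
    # Outbound list: checked only after the routing decision.
    if denied(egress.acl_out, src):
        return "dropped at %s out" % egress.name, trace
    return "forwarded out %s" % egress.name, trace


BLOCKED = [ip_network("203.0.113.0/24")]   # constructed untrusted source range
LAN_HOST = "192.0.2.10"
ROUTER_S0 = "198.51.100.1"


def build(binding):
    """Return (interfaces, s0) with the deny list bound as 's0-in' or 'e0-out'."""
    e0 = Interface("E0", "192.0.2.1", "192.0.2.0/24")       # LAN side
    s0 = Interface("S0", ROUTER_S0, "198.51.100.0/30")      # internet side
    if binding == "s0-in":
        s0.acl_in = BLOCKED
    elif binding == "e0-out":
        e0.acl_out = BLOCKED
    else:
        raise ValueError("binding must be 's0-in' or 'e0-out'")
    return [e0, s0], s0


def verdict(binding, src, dst):
    interfaces, s0 = build(binding)
    return process(interfaces, s0, src, dst)


if __name__ == "__main__":
    for binding in ("s0-in", "e0-out"):
        for dst in (LAN_HOST, ROUTER_S0):
            print(binding, dst, verdict(binding, "203.0.113.7", dst))
```

In this model both placements keep the blocked source away from the LAN host, but only the inbound placement on S0 keeps it away from the router's own address.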
Re: PIx 501 [7:35635]
The new Cisco Secure PIX Firewalls book edited by David and Andy is an excellent guide. In case you decide on going into Cisco security certification, the book will help with the PIX exam as well.

Good hands on your new baby-PIX 501.

Regards.
Oletu

- Original Message -
From: Juan Blanco
To:
Sent: Saturday, February 16, 2002 4:30 PM
Subject: PIx 501 [7:35635]

> Team,
> I just got my 501 pix, which book is a good one that I could use to fully
> understand this small box (very small).
> Thanks,
>
> Juan Blanco
> MCSE, CCNA, CCNP, CCDA, CCDP...One day CCIE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35650&t=35635
Re: hacking a firewall [7:34978]
O boy user Network Scanner na?

Regards.

- Original Message -
From: sami natour
To:
Sent: Saturday, February 09, 2002 12:13 PM
Subject: hacking a firewall [7:34978]

> Hi ,
> I am trying to test how secure BigFire firewall.I need
> to run some tests in other words I want to find if I
> can hack it or not.It is very important to our company
> to know how secure it is .
>
> Best Regards ,
> sami ,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35003&t=34978
Re: Question [7:34497]
I guess you are behind the news. I think Cisco have pulled them to Court to answer some questions, that was a few months ago. However, I have not heard anything about the final outcome of the case.

Regards.
Oletu

- Original Message -
From: Kazan, Naim
To:
Sent: Tuesday, February 05, 2002 11:43 AM
Subject: Question [7:34497]

> Guys,
>
> What the hell is up with cheet-sheets.com? I placed an order and they don't
> seem to answer their phones or emails. Are they down or out of business?
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34545&t=34497
Re: CCNP EXAM [7:34373]
Buy Cisco Press books for the series.

- Original Message -
From: Aslam Rafay
To:
Sent: Monday, February 04, 2002 1:06 PM
Subject: CCNP EXAM [7:34373]

> Guys
> I am taking CCNP course, any one who recently passed all CCNP exams tell me
> good resources I can utilize to pass my exams..
>
> thanks,
>
> Rafay.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=34383&t=34373
Re: CCIE starting pay [7:33899]
He should be getting ready for retirement so that the young ones should take over.

- Original Message -
From: Jeff Buehler
To:
Sent: Sunday, February 03, 2002 2:22 PM
Subject: Re: CCIE starting pay [7:33899]

> Change the original posters question to include:
>
> How about a CCNA, CCDA, CCNP, CCDP, CCIE with 16 years of Telecom
> experience. (DS0,DS1, DS3, OC-3 to OC-192, DWDM) Telco switch etc.
> (test, turn-up, trouble-shooting) and only physical experience with IT?
>
> "Guy" wrote in message news:[EMAIL PROTECTED]...
> > Well, more power to you!!!
> >
> > As far as what you should expect
> >
> > An entry level NOC position. If you go in with the attitude that you
> > should be at a Senior Level because of the IE, then you will be one of the
> > ones crying about how there's no jobs available... Whichever way you go, I
> > doubt your CCIE will have any more leverage than your CCNP will... Something
> > that might be a good move for you is a lateral move within your ISP, in the
> > AS support or something. But it sounds like you are the person the
> > average user calls when they can't get the little E thing on their desktop to
> > do anything. If that's your position, get out and move... If you support
> > the companies about their T1, then you're in a good starting place...
> >
> > Best of luck, everyone has to start, but I'm afraid the CCIE at this stage
> > may hurt you...
> >
> > Here's what I mean. You are qualified for entry level... Your
> > Certifications say you are over qualified. Your work experience says you're
> > under qualified for your certs...
> >
> > What does an employer do? If they have dealt with a CCIE before, they
> > probably won't consider you because they don't have the confidence in you to
> > control their multi million dollar network
> >
> > On the other side... Your certifications would get you overlooked for the
> > positions you would excel at quickly and allow you to get the experience,
> > because they don't think you would accept any offer for a lower position...
> >
> > So your resume gets dumped
> >
> > Some important things to consider.
> >
> > I would not consider your resume if it had all of that, and all within one
> > year... My first instinct would be BRAIN DUMPS... CHEET SHEETS
> > TRANSCENDERS, and I would throw your resume away
> >
> > Now someone with CCNA, maybe CCNP, but not too much, would get my attention
> > for a good paying entry to mid level position
> >
> > CCIE is upper level position. Can't put you in charge of my team of
> > engineers with experience levels ranging from 2-10 years when you have
> > 0-1. No one would follow you. It would not be a good team anymore.
> > These are things beyond the technical aspect that management must face.
> >
> > Just think about it.. I'm not trying to keep you from succeeding, just trying
> > to keep you from hurting yourself...
> >
> > It's like the small company that saves up their money for a Super Bowl Ad...
> > They get 3 million responses and their 2 man company can't handle it. What
> > happens to them?
> >
> > They run themselves out of business... too much too fast...
> >
> > - Original Message -
> > From: "John Neiberger"
> > To:
> > Sent: Thursday, January 31, 2002 4:31 PM
> > Subject: Re: CCIE starting pay [7:33899]
> >
> > > To go through those certs that quickly is very impressive! If you pass
> > > the lab, I still think you will get a lot of funny looks when you say
> > > you have no work experience, yet you are a CCIE. As long as you're
> > > prepared for that, it's up to you to sell yourself. It will be tough
> > > but I think if you can show that you really know your stuff, you should
> > > be able to find a pretty good job.
> > >
> > > However, I wouldn't count on a huge salary right at the beginning simply
> > > because of the certifications.
> > >
> > > Good luck!
> > > John
> > >
> > > >>> "Joe Carr" 1/31/02 12:33:02 PM >>>
> > > I'm going for my CCIE now and I have completed the CCNA,CCDA,CCNP,CCIE
> > > written all within the last five months. I currently work for an ISP in
> > > tech support (help desk) and I do not have NOC experience. I have a very
> > > impressive lab and plan to be done with the CCIE lab in about four months.
> > > Am just wondering what I should expect out there, I just turned 21 so I
> > > am still pretty young yet but I have gotten all of these certs plus an
> > > MCDBA and A+ in less than a year.
> > >
> > > Joe Carr
> > > A+, MCDBA, CCNA, CCDA, CCNP
> > > - Original Message -
> > > From: "John Neiberger"
> > > To: ;
> > > Sent: Thursday, January 31, 2002 12:47 PM
> > > Subject: Re: CCIE starting pay [7:33899]
> > >
> > > > I'd be surprised if you could find a CCIE with no work experience. Even
> > > > if you could, they wouldn't be worth that much, IMHO. Assuming I pass
> > > > in
Re: Passing CID [7:33784]
That might be the likely case. But what stops them from correcting these mistakes each time they review their questions? Why do we have such frequent typo errors in other exams like Microsoft, Checkpoint, etc.?... just thinking aloud.

Regards.
Oletu

----- Original Message -----
From: brian hall
To:
Sent: Thursday, January 31, 2002 9:45 AM
Subject: RE: Passing CID [7:33784]

> It's just a typo. I meant, "which answer does not belong"

_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33903&t=33784
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Passing CID [7:33784]
Hi David,

The CSS1 track looks easier to me than the CCNP track. Among others, the major reason is that there are a lot of overlapping areas in all four exams. If you write MCNS and start preparing for the PIX exam, you will discover that you are familiar with almost 75% of the material; same for the VPN exam, all you just have to do is to note the specific applications within the current context. Very unlike the CCNP, where each of the four exams deals with a completely different world of knowledge.

For you to see clearly what I am saying: I wrote all four of my CCNP exams within six (6) weeks, but I have written three of the CSS1 exams in just one (1) week! (MCNS=22/1/1, PIX=25/1/1 and VPN=29/1/1), left with IDS. However, you need to know your stuff, but it is not really a terror of an exam.

Please tell me more about the Checkpoint exam; my next target is either Checkpoint or CISSP, though I am more likely to give CISSP a look first; however, Checkpoint will follow very soon.

Regards.
Oletu.

----- Original Message -----
From: David L. Blair
To:
Sent: Thursday, January 31, 2002 5:26 AM
Subject: Re: Passing CID [7:33784]

> How would you compare the CSS1 tests to the CCNP tests? I am thinking about going after my CSS1 after I pass the Checkpoint CCSA and CCSE tests.
>
> -dlb
>
> "Godswill HO" wrote in message news:[EMAIL PROTECTED]...
> > Hi Priscilla,
> >
> > Questions like "which answer doesnt not belong " means what??? Is Cisco implying that the double negative means positive as we were taught years ago in algebra class or it should be ignored and taken for one negative.
> >
> > I am currently taking my CSS1 track. I wrote Cisco Secure VPN yesterday, which happens to be the third exam in the series. I came across a lot of questions which made no sense at all. Looking at the question, it was not a question at all. It was not asking any particular thing, it had no meaning, no bearing, no sense in it, they are just like saying blablablablablablablabla. The more I read them the more I get confused and lost at what Cisco was trying to ask. Have you come across questions that made you think 'What must be in the mind of the examiner when he was asking this question, which aspect of Network or Security implementation was he thinking of?' What I normally do is to completely ignore the questions and eliminate the odd options in the answer; at the end of the day in many questions like these, I come out with NOT THE BEST ANSWER as they use to tell one, but rather a choice that made a different SENSE and MEANING than the other three or four.
> >
> > I sometimes ask whether the current Cisco questions were not originally written in English but were translated from another language and as such the translators did not do a good job, or is it a deliberate action on the part of Cisco? If it were the former it is long time they take a closer look at it, and if it is the latter, what must have informed their actions?
> >
> > Regards.
> > Godswill Oletu CCNP, CCDP.
> >
> > ----- Original Message -----
> > From: Priscilla Oppenheimer
> > To:
> > Sent: Wednesday, January 30, 2002 4:57 PM
> > Subject: Re: Passing CID [7:33784]
> >
> > > At 07:19 PM 1/30/02, brian hall wrote:
> > > >Passing this test #640-025 was the hardest yet. It took a couple of times.
> > > >Now it's on to CCIE and then the lab where the truth comes out.
> > > >Some tell me that passing this brings you close to being prepared to take the CCIE written. I'll find out soon enough.
> > > >
> > > >To anyone who cares, using boson CCDP #1 & #3 helped.
> > > >
> > > >I started using the latest version of the CID exam prep from cisco press but
> > >
> > > Exam prep guides are written with the goal of summarizing what you need to know. They are not the course materials, but go beyond in some ways, and may also skip some basic stuff. They can be great for review, but don't work for everyone as the primary source.
> > >
> > > >found the earlier version of the book written by birkner a better source.
> > >
> > > This wasn't an earlier version of the same book. It's a different book. This was the course materials ported to book format. The author should be Cisco (course developers) although in this case Birkner didn't exactly follow the script
Re: Passing CID [7:33784]
Hi Priscilla,

Questions like "which answer doesnt not belong " means what??? Is Cisco implying that the double negative means positive as we were taught years ago in algebra class or it should be ignored and taken for one negative.

I am currently taking my CSS1 track. I wrote Cisco Secure VPN yesterday, which happens to be the third exam in the series. I came across a lot of questions which made no sense at all. Looking at the question, it was not a question at all. It was not asking any particular thing, it had no meaning, no bearing, no sense in it, they are just like saying blablablablablablablabla. The more I read them the more I get confused and lost at what Cisco was trying to ask. Have you come across questions that made you think 'What must be in the mind of the examiner when he was asking this question, which aspect of Network or Security implementation was he thinking of?' What I normally do is to completely ignore the questions and eliminate the odd options in the answer; at the end of the day in many questions like these, I come out with NOT THE BEST ANSWER as they use to tell one, but rather a choice that made a different SENSE and MEANING than the other three or four.

I sometimes ask whether the current Cisco questions were not originally written in English but were translated from another language and as such the translators did not do a good job, or is it a deliberate action on the part of Cisco? If it were the former it is long time they take a closer look at it, and if it is the latter, what must have informed their actions?

Regards.
Godswill Oletu CCNP, CCDP.

----- Original Message -----
From: Priscilla Oppenheimer
To:
Sent: Wednesday, January 30, 2002 4:57 PM
Subject: Re: Passing CID [7:33784]

> At 07:19 PM 1/30/02, brian hall wrote:
> >Passing this test #640-025 was the hardest yet. It took a couple of times.
> >Now it's on to CCIE and then the lab where the truth comes out.
> >Some tell me that passing this brings you close to being prepared to take the CCIE written. I'll find out soon enough.
> >
> >To anyone who cares, using boson CCDP #1 & #3 helped.
> >
> >I started using the latest version of the CID exam prep from cisco press but
>
> Exam prep guides are written with the goal of summarizing what you need to know. They are not the course materials, but go beyond in some ways, and may also skip some basic stuff. They can be great for review, but don't work for everyone as the primary source.
>
> >found the earlier version of the book written by birkner a better source.
>
> This wasn't an earlier version of the same book. It's a different book. This was the course materials ported to book format. The author should be Cisco (course developers) although in this case Birkner didn't exactly follow the script and added his own material and left some out.
>
> In general, Cisco Press develops at least two types of books:
>
> Certification guides: not written by Cisco, but still often very helpful
> Course book: training written by Cisco, ported to book format by an editor paid by Cisco Press, usually an excellent resource as the tests are taken from the course.
>
> A question came up about the different types of Cisco Press books in a different thread, so I responded here. (My other response never made it?)
>
> Anyway, congratulations on passing CID! It's a hard test. Good luck with CCIE.
>
> Priscilla
>
> >The answers are very close to each other and need to be read carefully, they can be tricky. Watch out for the " which answer doesnt not belong " questions, those can be the most difficult.
> >
> >Good luck,
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33797&t=33784
Re: PIX % DNS Doctoring [7:33331]
0 0.0.0.0 200.200.100.1 1 > route inside 172.16.15.0 255.255.255.0 172.16.3.254 1 > route inside 172.17.0.0 255.255.0.0 172.16.3.254 1 > > timeout xlate 3:00:00 > timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 > 0:05:00 sip 0:30:00 sip_media 0:02:00 > timeout uauth 0:05:00 absolute > aaa-server TACACS+ protocol tacacs+ > aaa-server RADIUS protocol radius > > snmp-server host outside 200.219.100.26 > snmp-server location "Office1" > snmp-server contact support@office1 > snmp-server community pixpix > snmp-server enable traps > > floodguard enable > sysopt connection permit-ipsec > sysopt ipsec pl-compatible > no sysopt route dnat > > crypto ipsec transform-set strong esp-des esp-sha-hmac > crypto map cmap 10 ipsec-isakmp > crypto map cmap 10 match address 101 > crypto map cmap 10 set peer 200.200.111.2 > > crypto map cmap 10 set transform-set strong > crypto map cmap 20 ipsec-isakmp > crypto map cmap 20 match address 102 > crypto map cmap 20 set peer 200.219.100.2 > > crypto map cmap interface outside > > isakmp enable outside > isakmp key address 200.200.111.2 netmask 255.255.255.255 > isakmp key address 200.219.100.2 netmask 255.255.255.255 > isakmp key address 200.200.100.2 netmask 255.255.255.255 > > isakmp identity address > isakmp policy 10 authentication pre-share > isakmp policy 10 encryption des > isakmp policy 10 hash sha > isakmp policy 10 group 1 > isakmp policy 10 lifetime 3600 > > telnet 172.16.3.0 255.255.255.0 inside > telnet timeout 5 > ssh timeout 5 > terminal width 80 > > -Original Message- > From: Godswill HO [mailto:[EMAIL PROTECTED]] > Sent: Saturday, January 26, 2002 7:43 PM > To: [EMAIL PROTECTED] > Subject: Re: PIX % DNS Doctoring [7:1] > > > Hi, > > It really depends on what you want to do or implement for the DNS. The > DNS > guard on PIX is enabled by default and it cannot be disabled not > configured. 
> It helps to prevent against DoS attacks by tearing down the UDP conduit on the PIX firewall as soon as the DNS response is received, not waiting until the default UDP timer has expired, which is 2 minutes (almost an eternity in the computer world).
>
> The other doctoring you can do on DNS is on CBAC (Context Based Access Control). Here you can alter the default DNS timeout, which is 5 seconds, by using:
>
> #IP inspect dns-timeout
>
> It simply specifies the length of time a DNS name lookup session will still be managed after no activity.
>
> In case you need further help, feel free to ask specific questions.
>
> Regards.
> Oletu
>
> ----- Original Message -----
> From: Dante Martins
> To:
> Sent: Saturday, January 26, 2002 4:58 PM
> Subject: PIX % DNS Doctoring [7:1]
>
> > Somebody knows how to do DNS doctoring on PIX
> > I have the DNS on DMZ with static and the clients workstations are on inside interface.
> > Dante
>
> This email has been scanned for all viruses by the MessageLabs service.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33673&t=1
Re: Telnet to inside through VPN [7:33589]
Try specifying the exact IP address of the PC from where you want to initiate the Telnet session and not the block of IP.

Regards.
Oletu

----- Original Message -----
From: Dante Martins
To:
Sent: Tuesday, January 29, 2002 10:50 AM
Subject: PIX: Telnet to inside through VPN [7:33589]

> How can I telnet to PIX inside interface from the VPN (i.e. from 10.128.128.0 telnet 172.16.3.252).
>
> I have tried using telnet command:
> "telnet 10.128.128.0 inside" but still not working.
>
> Can you help me?
>
> Dante
>
> CONF MAIN PIX
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 DMZ1 security10
> nameif ethernet3 intf3 security15
> nameif ethernet4 intf4 security20
> nameif ethernet5 intf5 security25
> enable password *** encrypted
> passwd ** encrypted
> hostname MAIN
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0 255.255.255.0
> access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0 255.255.255.0
> access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0 255.255.255.0
> access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0 255.255.240.0
> access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0 255.255.255.0
> access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0 255.255.255.0
> pager lines 24
> logging on
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> interface ethernet3 auto
> interface ethernet4 auto shutdown
> interface ethernet5 auto shutdown
> mtu outside 1500
> mtu inside 1500
> mtu DMZ1 1500
> mtu intf3 1500
> mtu intf4 1500
> mtu intf5 1500
> ip address outside 200.219.100.2 255.255.255.0
> ip address inside 10.128.159.253 255.255.224.0
> ip address DMZ1 10.255.255.254 255.255.224.0
> ip address intf3 10.250.11.254 255.255.255.0
> ip address intf4 127.0.0.1 255.255.255.255
> ip address intf5 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address DMZ1 0.0.0.0
> failover ip address intf3 0.0.0.0
> failover ip address intf4 0.0.0.0
> failover ip address intf5 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (outside) 1 200.219.100.100-200.219.100.199
> global (outside) 1 200.219.100.200
> global (DMZ1) 1 10.255.224.10-10.255.224.70
> nat (inside) 1 0.0.0.0 0.0.0.0 0 0
> nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
> alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
> alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
> alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
> alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255
>
> static (inside,outside) 200.219.100.26 10.128.128.26 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.30 10.128.128.30 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.31 10.128.128.32 netmask 255.255.255.255 0 0
> static (inside,outside) 200.219.100.54 10.128.128.54 netmask 255.255.255.255 0 0
>
> conduit permit icmp any any
> conduit permit tcp host 200.219.100.30 eq www any
> conduit permit tcp host 200.219.100.30 eq domain any
> conduit permit udp host 200.219.100.30 eq domain any
> conduit permit tcp host 200.219.100.31 eq www any
> conduit permit tcp host 200.219.100.31 eq domain any
> conduit permit udp host 200.219.100.31 eq domain any
> conduit permit tcp host 200.219.100.26 eq 161 any
> conduit permit tcp host 200.219.100.26 eq 162 any
> conduit permit udp host 200.219.100.26 eq snmp any
> conduit permit udp host 200.219.100.26 eq snmptrap any
> conduit permit tcp host 200.219.100.54 eq domain any
> conduit permit udp host 200.219.100.54 eq domain any
> conduit permit tcp host 200.219.100.54 eq 22 any
>
> route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
> route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> snmp-server host inside 10.128.128.21
> snmp-server location mainsite
> snmp-server contact support@mainsite
> snmp-server community pixpix
> snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> sysopt ipsec pl-compatible
> no sysopt route dnat
>
> crypto ipsec transform-set strong esp-des esp-sha-hmac
> crypto map cmap 1 ipsec-isakmp
> crypto map cmap 1 match address 101
> crypto map cmap 1 set peer 200.200.100.2
> crypto map cmap 1 set transform-set strong
> crypto map cmap 2 ipsec-isakmp
> crypto map cmap 2 match address 102
> crypt
Re: help me with the pix problem! [7:33287]
Hi,

The command:

PIX#conduit permit icmp any any

might just be your life saver. Do not forget that though by default traffic is permitted from any inside interface to an outside interface, you have to create an exception for the echo-reply packet from the outside interface to the inside interface.

Regards.
Oletu

----- Original Message -----
From: cage
To:
Sent: Saturday, January 26, 2002 11:26 AM
Subject: help me with the pix problem! [7:33287]

> hi, everybody.
> My environment is:
> the outside interface of pix 525 is connected to the fibre-ethernet transceiver, no router available, and the dmz interface of the pix is connected to several servers like www, dns, etc. The inside interface is connected to the lan, no proxy available.
> When I finished my configure, I met some problem:
> 1 The dmz servers traffic can not be out. And at the same time, they can not ping the outside interface address correctly.
> 2 the inside lan nodes can not ping the dmz interface address, but can ping other server in the dmz correctly.
>
> I know I should use the nat commands to bring the traffic of dmz to the outside, but since the outside address provided by the isp are private ones, so I have to use NAT (dmz) 0, but why the dmz traffic can not be out?
> I hope the design is not wrong.
>
> the following is my config, help me, please.
>
> sh conf
> : Saved
> :
> PIX Version 6.0(1)
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
> nameif ethernet3 intf3 security15
> nameif ethernet4 intf4 security20
> enable password 8Ry2YjIyt7RRXU24 encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> fixup protocol ftp 21
> fixup protocol http 80
> fixup protocol h323 1720
> fixup protocol rsh 514
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> fixup protocol sip 5060
> fixup protocol skinny 2000
> names
> access-list acl_in permit tcp any host 202.99.33.69 eq smtp
> access-list acl_in permit tcp any host 202.99.33.72 eq www
> access-list acl_in permit tcp any host 202.99.33.66 eq domain
> access-list acl_in permit tcp any host 202.99.33.67 eq domain
> access-list acl_in permit icmp any any
> access-list ping_acl permit icmp any any
> pager lines 30
> interface ethernet0 auto
> interface ethernet1 auto
> interface ethernet2 auto
> interface ethernet3 auto shutdown
> interface ethernet4 auto shutdown
> mtu outside 1500
> mtu inside 1500
> mtu dmz 1500
> mtu intf3 1500
> mtu intf4 1500
> ip address outside 210.82.34.29 255.255.255.0
> ip address inside 192.168.4.1 255.255.255.0
> ip address dmz 202.99.33.254 255.255.255.0
> ip address intf3 127.0.0.1 255.255.255.255
> ip address intf4 127.0.0.1 255.255.255.255
> ip audit info action alarm
> ip audit attack action alarm
> no failover
> failover timeout 0:00:00
> failover poll 15
> failover ip address outside 0.0.0.0
> failover ip address inside 0.0.0.0
> failover ip address dmz 0.0.0.0
> failover ip address intf3 0.0.0.0
> failover ip address intf4 0.0.0.0
> pdm history enable
> arp timeout 14400
> global (dmz) 1 202.99.33.73 netmask 255.255.255.0
> nat (inside) 1 192.168.4.250 255.255.255.255 0 0
> nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
> static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
> static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
> static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0
> static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
> access-group acl_in in interface outside
> access-group ping_acl in interface dmz
> access-group ping_acl in interface inside
> route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> no sysopt route dnat
> telnet timeout 5
> ssh timeout 5
> terminal width 80
> Cryptochecksum:3be86ece2c90058e0c9190f986717d63
>
> pixfirewall#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33343&t=33287
Re: help me with the pix problem! [7:33287]
Hi,

To really understand this stuff: there are only two ways by which traffic can pass from a lower security interface to a higher security interface.

1. Use the conduit or access-list command.
2. As a reply to an initial session.

For the traffic to be allowed in (reply to a session initiated from an inside interface, option 2 above) the ASA compares the traffic's source/destination IP address and port numbers and other parameters to what is in its state table. All four parameters must be complete for the traffic to be allowed back into the inside interface; by that only can the PIX know that the current traffic session was indeed a reply to an outbound traffic. For protocols that behave somewhat differently, the PIX has the various Fixup Protocol commands to make adjustments for them in the PIX ASA.

In the case of the ping, among the different types of ICMP messages, the PIX firewall conduit command allows the filtering of 18 ICMP messages. The ping is echo and it is ICMP code 8, while the reply is echo-reply, ICMP code 0. When you initiate a ping from a higher security interface to a lower one, the ASA allows the echo (ICMP type 8) access out, the host replies with echo-reply (ICMP type 0), which was different from the ICMP type 8 that was sent out. Naturally the PIX ASA will drop that packet and send a 'Host Unreachable' message to you. To receive your echo-reply you need to create an exception in the ASA by using the conduit or access-list command.

My 0.02 cents

Regards.
Oletu

----- Original Message -----
From: chenyan
To: Godswill HO
Sent: Saturday, January 26, 2002 8:38 PM
Subject: Re: help me with the pix problem! [7:33287]

> hi, thanks your help.
> As you said, if the ping need the reply by the access-list, then the nat command for the traffic to the outside need also the reply, but it seems that there is not the command for the reply.
>
> regards.
> > - Original Message - > From: Godswill HO > To: cage ; > Sent: Sunday, January 27, 2002 2:52 PM > Subject: Re: help me with the pix problem! [7:33287] > > > > Hi, > > The command: > > PIX#conduit permit icmp any any > > might just be your life saver. Do not forget that though by default traffics > > are permitted from any inside interface to an outside interface, you have to > > creat an except for the echo-reply packet from the outside interface to the > > inside interface. > > > > Regards. > > Oletu > > > > - Original Message - > > From: cage > > To: > > Sent: Saturday, January 26, 2002 11:26 AM > > Subject: help me with the pix problem! [7:33287] > > > > > > > hi,everybody. > > > My envirment is: > > > the outside interface of pix 525 is connected to the fibre-ethernet > > > transceiver ,no router availble, and the dmz interface of the pix is > > > connected to several severs like www,dns,etc. The inside interface is > > > connected to the lan, no proxy availble. > > > When I finished my configure, I met some problem: > > > 1 The dmz servers traffic can not be out. And at the same time,they can > > not > > > ping the outside interface address correctly. > > > 2 the inside lan nodes can not ping the dmz interface address,but can ping > > > other server in the dmz correctly. > > > > > > I know I should use the nat commands to bring the traffic of dmz to the > > > outside, but since the outside address provided by the isp are private > > ones, > > > so I have to use NAT (dmz) 0, but why the dmz traffic can not be out? > > > I hope the design is not wrong. > > > > > > the following is my config,help me,please. 
> > > > > > sh conf > > > : Saved > > > : > > > PIX Version 6.0(1) > > > nameif ethernet0 outside security0 > > > nameif ethernet1 inside security100 > > > nameif ethernet2 dmz security50 > > > nameif ethernet3 intf3 security15 > > > nameif ethernet4 intf4 security20 > > > enable password 8Ry2YjIyt7RRXU24 encrypted > > > passwd 2KFQnbNIdI.2KYOU encrypted > > > hostname pixfirewall > > > fixup protocol ftp 21 > > > fixup protocol http 80 > > > fixup protocol h323 1720 > > > fixup protocol rsh 514 > > > fixup protocol smtp 25 > > > fixup protocol sqlnet 1521 > > > fixup protocol sip 5060 > > > fixup protocol skinny 2000 > > > names > > > access-list acl_in permit tcp any host 202.99.33.69 eq smtp > > > access-list acl_in permit tcp any host 202.99.33.72 eq www > > > access-list acl_in permit tcp any host 202.99.33.66 eq domain > > > access-list acl_in permit tcp any h
Re: Cisco Secure ACS Server [7:33415]
I know you can have a maximum of 16 groups and a maximum of 16 servers in each group, bringing the total of allowable servers to 256.

Regards.
Oletu

----- Original Message -----
From: Joel Satterley
To:
Sent: Monday, January 28, 2002 3:50 AM
Subject: Cisco Secure ACS Server [7:33415]

> Anyone know what (if any) limitations there are on the amount of replication servers you can have/configure with ACS v2.6 and above?
>
> Joel.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33432&t=33415
Re: TACAS + and RADIUS Authentication [7:33372]
Yes!!! Of course,

aaa authentication login telnetusers tacacs+
!
!
!
line vty 0 4
 login authentication telnetusers
!
!

Henceforth anybody that logs in, including users, must be authenticated by the tacacs+; however, you have to be very careful with this command, because if your tacacs+ server becomes unavailable, you might not be able to log in. The best option is to use this instead:

aaa authentication login telnetusers tacacs+ enable

This ensures that your enable password remains valid for a login into the router even if the tacacs+ server fails.

Regards.
Oletu

----- Original Message -----
From: Pierre-Alex GUANEL
To:
Sent: Sunday, January 27, 2002 11:43 AM
Subject: TACAS + and RADIUS Authentication [7:33372]

> Can TACACS+ or RADIUS be used to authenticate users that are NOT dialing in?
>
> (For example can I use either technology to authenticate users telneting directly to a router?).
>
> Thanks,
>
> Pierre-Alex

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33378&t=33372
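The fallback described in the reply above, as an added example that is not part of the original post: a small model of how a login method list such as "tacacs+ enable" is walked, showing that the next method is consulted only when the previous one gives no answer, never when it rejects the login. The account names and passwords are constructed sample values, and the function names are hypothetical.

```python
import hmac

# Outcomes a single AAA method can return for one login attempt.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def tacacs_method(reachable, accounts):
    """Model a TACACS+ server: ERROR when it cannot be reached, else PASS/FAIL."""
    def check(username, password):
        if not reachable:
            return ERROR                  # no answer from the server
        stored = accounts.get(username)
        if stored is not None and hmac.compare_digest(stored, password):
            return PASS
        return FAIL                       # the server answered and rejected
    return check


def enable_method(enable_password):
    """Model the 'enable' method: the typed password is checked against the
    enable password, whatever username was entered."""
    def check(_username, password):
        return PASS if hmac.compare_digest(enable_password, password) else FAIL
    return check


def login(method_list, username, password):
    """Walk the method list in order.

    Returns (allowed, index_of_deciding_method). Only an ERROR moves on to
    the next method; a FAIL ends the attempt immediately.
    """
    for index, method in enumerate(method_list):
        outcome = method(username, password)
        if outcome == ERROR:
            continue
        return outcome == PASS, index
    return False, None                    # every method errored: locked out


def demo():
    accounts = {"netops": "tacacs-pw-constructed"}      # constructed sample
    enable_pw = "enable-pw-constructed"                 # constructed sample
    rows = []
    for state, up in (("server up", True), ("server down", False)):
        tacacs_only = [tacacs_method(up, accounts)]
        with_enable = tacacs_only + [enable_method(enable_pw)]
        rows.append((state, "tacacs+", "valid TACACS+ login",
                     login(tacacs_only, "netops", accounts["netops"])[0]))
        rows.append((state, "tacacs+ enable", "enable password",
                     login(with_enable, "netops", enable_pw)[0]))
    return rows


if __name__ == "__main__":
    for state, methods, attempt, allowed in demo():
        print(f"{state:12} {methods:15} {attempt:20} -> "
              f"{'allowed' if allowed else 'denied'}")
```

With the server up, the enable password is not accepted at the login prompt, so the fallback does not weaken normal operation; it only matters when the server stops answering.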
Re: pix [7:33352]
YES!

----- Original Message -----
From: cage
To:
Sent: Sunday, January 27, 2002 12:55 AM
Subject: pix [7:33352]

> By using NAT 0#, the lower security traffic can connect to the higher security part, but is it necessary to use the access-list & access-group commands to allow the reply into the higher part?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33367&t=33352
Re: PIX % DNS Doctoring [7:33331]
Hi,

It really depends on what you want to do or implement for the DNS. The DNS guard on PIX is enabled by default and it cannot be disabled nor configured. It helps to prevent against DoS attacks by tearing down the UDP conduit on the PIX firewall as soon as the DNS response is received, not waiting until the default UDP timer has expired, which is 2 minutes (almost an eternity in the computer world).

The other doctoring you can do on DNS is on CBAC (Context Based Access Control). Here you can alter the default DNS timeout, which is 5 seconds, by using:

#IP inspect dns-timeout

It simply specifies the length of time a DNS name lookup session will still be managed after no activity.

In case you need further help, feel free to ask specific questions.

Regards.
Oletu

----- Original Message -----
From: Dante Martins
To:
Sent: Saturday, January 26, 2002 4:58 PM
Subject: PIX % DNS Doctoring [7:1]

> Somebody knows how to do DNS doctoring on PIX
> I have the DNS on DMZ with static and the clients workstations are on inside interface.
> Dante

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33342&t=1
Re: about the ping in pix ? [7:33333]
No, though the PIX allows traffic from a higher security interface to a lower one, you cannot ping the dmz interface from the inside interface successfully because the echo-reply (response from the dmz interface) will be disallowed from entering the inside interface, so you will end up having time-outs. The only way to have a successful ping is to implement the permit icmp any any command.

The ping failed not because it did not get to the dmz interface, but because the PIX Adaptive Security Algorithm (ASA) disallows the response from coming back to you. The only way to go about it is to use the conduit or access-list command to create an exception for the ASA, so that it can allow the returned ping response.

PIX#Conduit permit icmp any any

0.02 cents

Regards.
Oletu

----- Original Message -----
From: cage
To:
Sent: Saturday, January 26, 2002 5:08 PM
Subject: about the ping in pix ? [7:3]

> Is it true: "Traffic is ALWAYS allowed between from a higher security interface to a lower security interface without doing anything special?"
> If it is true, can I ping from the inside or dmz to outside without the configuring of the access-list icmp any any?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=9&t=3
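The rule set out in this reply and in the "help me with the pix problem!" reply earlier on the page, as an added example that is not part of either post: a simplified model in which higher-to-lower traffic is permitted and recorded, lower-to-higher TCP/UDP is permitted only as the reverse of a recorded session, and ICMP coming back needs an explicit exception. Address translation and fixups are not modelled, the class and function names are hypothetical, and the security levels and the two host addresses are taken from the configuration quoted on the page.

```python
from dataclasses import dataclass

# Security levels from the "nameif" lines in the configuration quoted above.
SECURITY = {"outside": 0, "dmz": 50, "inside": 100}

ECHO, ECHO_REPLY = 8, 0                    # ICMP types for ping and its answer
ICMP_ANY = frozenset(range(256))           # models "permit icmp any any"
ICMP_REPLY_ONLY = frozenset({ECHO_REPLY})  # models "permit icmp any any echo-reply"


@dataclass(frozen=True)
class Packet:
    in_if: str            # interface the packet arrives on
    out_if: str           # interface it would leave through
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


class Firewall:
    """Toy model of the decision the posts describe (not PIX code)."""

    def __init__(self, icmp_exceptions=frozenset()):
        self.state = set()                       # sessions opened from the higher side
        self.icmp_exceptions = frozenset(icmp_exceptions)

    def handle(self, p):
        if SECURITY[p.in_if] > SECURITY[p.out_if]:
            # Higher -> lower: permitted; remember TCP/UDP sessions.
            if p.proto in ("tcp", "udp"):
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "permit"
        # Lower -> higher: must be the reverse of a known session ...
        if p.proto in ("tcp", "udp"):
            reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
            return "permit" if reverse in self.state else "deny"
        # ... or an ICMP type covered by an explicit exception.
        if p.proto == "icmp" and p.icmp_type in self.icmp_exceptions:
            return "permit"
        return "deny"


def ping(fw, src_if, dst_if, src="192.168.4.250", dst="202.99.33.69"):
    """True if both the echo and the echo-reply get through."""
    request = Packet(src_if, dst_if, "icmp", src, dst, icmp_type=ECHO)
    reply = Packet(dst_if, src_if, "icmp", dst, src, icmp_type=ECHO_REPLY)
    return fw.handle(request) == "permit" and fw.handle(reply) == "permit"


def unsolicited_echo(fw):
    """An echo arriving from outside that nobody inside asked for.
    198.51.100.7 is a constructed documentation address."""
    probe = Packet("outside", "inside", "icmp", "198.51.100.7",
                   "192.168.4.250", icmp_type=ECHO)
    return fw.handle(probe)


if __name__ == "__main__":
    for label, exc in (("no exception", frozenset()),
                       ("icmp any any", ICMP_ANY),
                       ("echo-reply only", ICMP_REPLY_ONLY)):
        fw = Firewall(exc)
        print(f"{label:16} ping inside->dmz: {ping(fw, 'inside', 'dmz')!s:5} "
              f"unsolicited echo from outside: {unsolicited_echo(fw)}")
```

The third case is the one to note: restricting the exception to echo-reply lets the inside ping succeed without also admitting echo requests from the lower-security side.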
Re: PIX [7:33281]
Have you tried using nat/pat to allow both subnets in the inside interface access to the internet? eg

#nat (inside) 1 0 0
#global (outside) 1 216.72.201.1

Will allow all inside users to initiate an outbound connection to the internet using the public address 216.72.201.1, ie PAT.

Regards.
Oletu

- Original Message -
From: Glenn Johnson
To:
Sent: Saturday, January 26, 2002 10:32 AM
Subject: RE: PIX [7:33281]

>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> WW
> Sent: Saturday, January 26, 2002 7:51 AM
> To: [EMAIL PROTECTED]
> Subject: PIX [7:33281]
>
>
> our company have two subnet need to go to internet. however, just one FE
> internal interface is available, one is dmz and one is for internet.
>
> Since one FE interface can't bound two different subnet. Two subnet
> can't go to internet at the same time.
>
> Would anyone know how to solve the problem?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33312&t=33281
Re: Access-List questions [7:31001]
Hi,

Try the following:

IP access-list standard allowed
Permit 10.10.10.40 0.0.0.7
Permit 10.10.10.49 0.0.0.0

The first permit statement allows addresses n.n.n.40 to n.n.n.48, while the last one allows address n.n.n.49. There is no way you can deny the whole range without affecting other addresses with one single statement.

When applying it to your interface, say:

Router(config-if)#IP access-group allowed in

Regards.
Oletu

- Original Message -
From: Hunt Lee
To:
Sent: Friday, January 04, 2002 9:29 PM
Subject: Access-List questions [7:31001]

> Hello there,
>
> I need some help on Access-Lists:
>
> Say if I want to permit network access to only 10.10.10.1 - 10.10.10.254
>
> I know you can simply use:
>
> Access-list 10 permit 10.10.10.0 0.0.0.255
>
> However, if I want to only permit the range of 10.10.10.40 to 10.10.10.49
> (inclusive), then what should I do?
>
> Any help is greatly appreciated.
>
> Best Regards,
> Hunt Lee
> IP Solution Analyst
> Cable & Wireless

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=31006&t=31001
Re: VPN Error with Win2K server [7:30909]
Hi,

Check lists...

1. Did you Logon to the Domain?
2. Make sure that Client for MS Network and File and Print sharing related services are on.
3. Try allowing Ports 137, 138 and 139

Good Luck

Regards.
Oletu

- Original Message -
From: Navin Parwal
To:
Sent: Friday, January 04, 2002 3:26 AM
Subject: VPN Error with Win2K server [7:30909]

> Hi All,
> I am facing a strange error, please guide me what I should do.
> I am able to create a tunnel via dial up with VPN adapter from my
> remote client which has Windows Millennium to my Cisco Router which is in
> my HQ, I have done the VPDN set up, but I am not able to authenticate with
> my Win2K server, it gives an error message saying that no domain server is
> available to authenticate.
> As soon as I click on OK, I get logged on to the VPN, but only till the
> router, I am not a part of the domain, I can ping to the Win2K domain
> controller and other machines, but I can not access them.
> I have enabled the users access for remote access and VPN on the Win2K
> server, what could be
> wrong, please guide me.
> My show VPDN result is given below.
>
> If possible send me a mail at [EMAIL PROTECTED] as well
>
> thanks in advance
>
> Navin Parwal
>
> r4#
> r4#sh vpdn
>
> %No active L2TP tunnels
>
> %No active L2F tunnels
>
> PPTP Tunnel and Session Information Total tunnels 1 sessions 1
>
> LocID Remote Name State Remote Address Port Sessions
> 2 estabd 210.214.164.144 1130 1
>
> LocID RemID TunID Intf Username State Last Chg
> 2 32768 2 Vi1 technosys\adm estabd 00:01:33
>
> %No active PPPoE tunnels
> r4#

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30931&t=30909
Re: Why use wildcard mask [7:30473]
I think it all originated from the principles of:

1 = Do not Care (Matches everything and anything)
0 = Care (Matches only identical corresponding digit)

Maybe it is a hang-on from the old binary digit stuff.

Man, you have no choice than to do the inverse, else your access-list would not work, except you are ready to develop a router IOS that will use the direct mask.

Good luck

Regards.
Oletu

- Original Message -
From:
To:
Sent: Saturday, December 29, 2001 10:50 PM
Subject: Why use wildcard mask [7:30473]

> Hi All,
>
> I am trying to find out why we do an inverse/wildcard
> masks while using access lists?
>
> For example, if I want to deny 192.168.1.0 255.255.255.0
> network, on the access list, we configure this
> as 192.168.1.0 0.0.0.255, but why do we do it this
> way instead of 255.255.255.0.
>
> All this seems to be is just an inverse relationship pointing back at the
> same thing? Even if I want to get specific and deny 192.168.1.0
> 255.255.255.192, this translates to 192.168.1.0 0.0.0.63, which seems to be
> just the standard mask and subtract 255.255.255.255.
>
> Is there a specific reason why we do inverse mask? It seems to be easier
> just to configure it with normal masks. This way, we skip on an extra
> procedure.
>
> thanks
> Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30477&t=30473
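The wildcard matching discussed in this thread and in the Access-List questions thread above, as an added example in Python (not code from either post): it applies the 0 = care / 1 = do not care rule, expands an entry into the range it matches, and computes the contiguous-wildcard entries that cover exactly 10.10.10.40 to 10.10.10.49. All function names are hypothetical.

```python
import ipaddress

FULL = 0xFFFFFFFF

def ip(s):
    """Dotted quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))

def matches(addr, base, wildcard):
    """IOS-style wildcard match: wildcard bits set to 1 are ignored,
    bits set to 0 must be identical in addr and base."""
    care = ~ip(wildcard) & FULL
    return (ip(addr) & care) == (ip(base) & care)

def matched_range(base, wildcard):
    """First and last address matched by a contiguous wildcard entry."""
    w = ip(wildcard)
    if w & (w + 1):  # true unless w looks like 0...01...1
        raise ValueError("non-contiguous wildcard: matches are not one range")
    first = ip(base) & ~w & FULL
    return (str(ipaddress.IPv4Address(first)),
            str(ipaddress.IPv4Address(first | w)))

def cover_range(first, last):
    """Fewest contiguous-wildcard (base, wildcard) entries that match
    exactly the inclusive range first..last."""
    nets = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [(str(n.network_address), str(n.hostmask)) for n in nets]

def wildcard_from_netmask(netmask):
    """Invert a subnet mask: 255.255.255.192 -> 0.0.0.63."""
    return str(ipaddress.IPv4Address(ip(netmask) ^ FULL))

if __name__ == "__main__":
    # What each entry of the standard ACL in the Access-List thread matches.
    print(matched_range("10.10.10.40", "0.0.0.7"))
    print(matched_range("10.10.10.49", "0.0.0.0"))
    # Entries that cover exactly 10.10.10.40 - 10.10.10.49.
    for base, wild in cover_range("10.10.10.40", "10.10.10.49"):
        print("permit", base, wild)
    # A wildcard need not be an inverted netmask: 0.0.0.254 ignores every
    # bit of the last octet except the lowest one, so it selects the even
    # hosts of 10.10.10.0, something a subnet mask cannot express.
    print([h for h in range(40, 50)
           if matches(f"10.10.10.{h}", "10.10.10.0", "0.0.0.254")])
```
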
Re: Telnet to PIX from outside interface [7:30413]
Hi,

It is general knowledge that a PIX firewall cannot be telneted into from the outside interface, however some documentation I am reviewing recently seems to say the opposite. If your workstation IP address is eg 216.72.211.12, try the command below:

PIX(config)#Telnet 216.72.211.12 255.255.255.255 outside

See whether it will sort out your problem.

Regards.
Oletu

- Original Message -
From: ietobe
To:
Sent: Friday, December 28, 2001 9:28 PM
Subject: Telnet to PIX from outside interface [7:30413]

> Hi, Guy
> Can anybody tell me how to allow telnet from outside network on PIX?
>
> Tks
>
> Gabriel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30457&t=30413
Re: Help on CLID [7:30179]
Enable this feature in the user group option in the Cisco Secure Access Server on your Windows NT machine. All you need to do is to check the 'CLID' box in the 'user group' option. Then go to each individual account in the ACS and check this button as well, but this time add the caller's phone number.

Repeat this for all users you want to be authenticated by CLID. However, note that once you enable this feature in the user group option, every user must be additionally authenticated by CLID; it then means if you did not supply a particular user's phone number in his profile, he likely would be denied access.

Regards
Oletu

- Original Message -
From: Anil Kumar
To:
Sent: Thursday, December 27, 2001 6:10 AM
Subject: Help on CLID [7:30179]

> For one customer I am implementing the dial solution. The
> customer has got a 3662 router with NM-16A card. For the
> authentication, the ACS for Windows NT/2000 has been
> configured. The username database for the ACS is obtained
> through the Windows NT Domain. In order to have more
> security, apart for username / password authentication the
> customer wants the CLID facility to be enabled so that the
> users logs in through one telephone line only.
> How can the CLID be enabled on NM-16A for a 3660 router?
> Request for help.
>
> Thanks in Advance,
>
> Regards.. Anil Kumar

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=30181&t=30179
Re: need advice [7:29392]
Hi Festus,

I do not see any way one access-list command can help you achieve your objective. If you were talking of chatting and other stuff that uses a particular port number, then an access-list would be the answer.

To use an access-list, I am afraid you have to know the IP addresses of these sites and block them individually. I will not advise you to go this way, because it is going to slow down your router.

If you are using a proxy server to connect to the net, Zonealarm is a freeware on the net; download Zonealarm into the proxy server and have it deny access to these sites.

However, if you are not using a proxy server, the handy solution for you depends on how technically sound your internet users are. Sometime in the evening when everybody has gone home, you need to go round each computer and do the following (assuming you are using Internet Explorer):

1. Click on Tools, then pick Internet Options
2. Click on Content and pick Content Advisor
3. On the Content Advisor frame, click on Enable, then click on the Rating tab.
4. You have the option to restrict users to sites based on the content of that site, eg Language, Nudity, Sex and Violence

This is possible because at registration sites are classified according to their contents, and so each time anybody accesses the internet through that computer, it validates the site against the database stored on the internet before pulling up that site.

On your second question: remember you have to login into the domain to be able to use the Network printer. Make sure you are logged in, and confirm from the NT PDC that that computer had actually logged in with a valid user ID. Also check privileges and the Access control list on the shared printer; make sure that everyone has Full access to the Printer.

Regards.
Oletu

- Original Message -
From: mrfestus wariye
To:
Sent: Monday, December 17, 2001 1:21 PM
Subject: need advice [7:29392]

> i have just finished my ccna programme and i am
> currently doing a 2 month internship programme with an
> outfit that runs a cyber cafe business that provides
> internet access services for the public.
> i am their interim network administrator.
> i have noticed a lot of loopholes in the network. and
> some of my problems i need answers to are:-
>
> 1. how do i use a single command line to deny access
> to all pornographic/adult sites on the network.
> 2. some computers within the network are denied access
> to network (to use network resources like the network
> printer). but the same computers can see the shared
> internet access.
>
> your useful advice would be appreciated.
> yours truly,
> festus taferi.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29467&t=29392
Re: Is there a time limited for taking all the CCNP ex [7:29451]
Hi Patrick,

Irrespective of the date you started any of your CCNP or CCDP track, you are certified on the very date you wrote the last exam in each of the series.

eg If I write Routing 2.0 on 1/1/2001 and wrote the other two any date in between, but for one reason or the other I now write the last exam, say CIT 3.0, on 1/1/2003. You will become CCNP on 1/1/2003, ie if you passed CIT 3.0, and the two years expiration of your certificate starts counting from 1/1/2003, not 1/1/2001 when you first wrote the exam.

However, you might be having a problem if the course you are yet to write gets upgraded; it means you probably are going to buy new books, look for new exam scenarios, would not have a familiar exam format and all that. Apart from that, you will still be on course.

If for example one of the exams you have written got upgraded before you complete all four, you are not required to go back and write that exam again; you have passed it already and it still counts towards your credit.

Another thing you also have to bear in mind is that Cisco normally upgrades the whole certificate at intervals, eg the current CCNA v2 was upgraded June 2000 from v1. I do not know the current version of CCNP we have now; assuming it is version 2, and you were not able to upgrade before say version 3 came up, you will still have the version 2 exams available for you to write. At the end of the day, you will have CCNP v2; for you to get CCNP v3, you have to write just one upgrade exam and that is all, so your CCNP v2 by that exam would be upgraded to CCNP v3.

Good luck

Regards.
Oletu

- Original Message -
From: Patrick Zhou
To:
Sent: Monday, December 17, 2001 7:51 PM
Subject: RE: Is there a time limited for taking all the CCNP ex [7:29449]

> Thanks for your reply!
>
> You meant, CCNA had 3 years to expire, but CCNP had only 2 years, right?
>
> Oh! I never knew that, I had thought that expiration of CCNP was also 3
> years!!
>
> But how come, if I start my ccnp exam in 2002, while the exams will be
> upgraded in 2003? Would I have only 1 year time to finish all my ccnp
> exams? Even if I pass, will my certifications be retired after 2003's ccnp
> exam upgrade?
>
> It's quite a confusing question... thanks again for your kind reply!
>
> Regards,
>
> Patrick
> MCSE, MCDBA, CCNA
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Nick S.
> Sent: Tuesday, December 18, 2001 10:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Is there a time limited for taking all the CCNP ex
> [7:29375]
>
> Well, the 2 yr. limit exists because the certification itself expires in
> 2
> yrs.
>
> So if u begin ur ccnp today by going for 1 of the tests, the new version
> of
> that test usually comes out in 2 yrs time, by which if u have or have
> not
> finished ur ccnp, ur certification has retired.
>
> Nick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29451&t=29451
Re: Help with IP Addressing/VLSM- work project [7:29160]
Hi Sarah,

Since all you need is just five usable subnets, the way I go about it is:

2 raised to the power of 3 = 8 subnets. (You cannot use 2 raised to the power of 2, cos that would give me 4 subnets but I need at least 5 subnets.) It means you cannot get exactly five subnets; you will have 3 extra subnets for future use.

From above, you borrowed 3 bits from the last octet of the given IP address for subnet purposes. Going by the last octet, the eight bits have these weights (128, 64, 32, 16, 8, 4, 2, 1); since you are using the first three bits, it adds up to 128+64+32=224. Now to get the number of IP addresses in each subnet: 256-224=32. It also means your IP addresses would be multiples of 32.

The 8 subnets would now be:

1. 65.85.105.0 255.255.255.224
2. 65.85.105.32 255.255.255.224
3. 65.85.105.64 255.255.255.224
4. 65.85.105.96 255.255.255.224
5. 65.85.105.128 255.255.255.224
6. 65.85.105.160 255.255.255.224
7. 65.85.105.192 255.255.255.224
8. 65.85.105.224 255.255.255.224

It is now up to you which five to utilize first. For documentation purposes and ease of troubleshooting, it will be appropriate you use the first five and leave the rest for future development and expansion.

Regards
Oletu

- Original Message -
From: Sarah Parker
To:
Sent: Thursday, December 13, 2001 8:15 PM
Subject: Help with IP Addressing/VLSM- work project [7:29160]

> Hello Everyone,
>
> I am working on a small IP address project and trying
> to figure out VLSM.
>
> Since I am not very good and do not have much
> experience with IP addressing, I wanted to send this
> to make sure what I have is correct or if I am really
> wrong on this one.
> Thanks in advance for any feedback or corrections!!
>
> This is a new network-
> Current IP Address=65.85.105.0
> Mask=255.255.255.0
>
> I need a total of 5 subnets.
>
> What I did
> Took 65.85.105.0, 255.255.255.128 to subnet into 2
> networks,
> This gave me
> Subnet 1= 65.85.105.0, hosts 1-126, broadcast 127
> Subnet 2=65.85.105.128, hosts 129-254, broadcast 255
>
> Took 65.85.105.128 255.255.255.192 to subnet into 4
> subnets
> This gave me
> Subnet 1=65.85.105.0, hosts 1-62, broadcast 63
> Subnet 2=65.85.105.64, hosts 54-126, broadcast 127
> Subnet 3=65.85.105.128, hosts 129-190, broadcast 190
> Subnet 4=65.85.105.192, hosts 193.254, broadcast 255
>
> So this would give me to use on the network
> 1=65.85.105.0 255.255.255.128 (17 mask?)
> 2=65.85.105.0 255.255.255.192 (18 mask?)
> 3=65.85.105.64 255.255.255.192
> 4=65.85.105.128 255.255.255.192
> 5=65.85.105.192 255.255.255.192
>
>
> Did I do this correctly? This is based on using subnet
> zero.
>
> I am using a public class A but for security reasons I
> did change the actual real address.
>
> Thanks again for everyone's feedback.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=29205&t=29160
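The borrowed-bits calculation from the reply above, as an added Python example (not part of the original thread): it splits 65.85.105.0/24 into the fewest equal subnets that yield at least five, lists host range and broadcast for each, and checks an address plan for overlapping entries, using the five entries listed in the question as sample input. Function names are hypothetical.

```python
import ipaddress

def equal_subnets(block, needed):
    """Split `block` into the fewest equal-size subnets giving >= `needed`.

    Borrowed bits = smallest b with 2**b >= needed (5 subnets -> 3 bits -> 8).
    """
    net = ipaddress.ip_network(block)
    borrowed = (needed - 1).bit_length()
    rows = []
    for sub in net.subnets(prefixlen_diff=borrowed):
        rows.append({
            "network": str(sub.network_address),
            "mask": str(sub.netmask),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
        })
    return rows

def overlapping_pairs(plan):
    """Return every pair of entries in an address plan whose ranges overlap.

    Overlapping subnets cannot be assigned to different interfaces or
    segments, so a usable plan returns an empty list.
    """
    nets = [ipaddress.ip_network(p) for p in plan]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]

# The five entries listed at the end of the question, in address/mask form.
QUESTION_PLAN = [
    "65.85.105.0/255.255.255.128",
    "65.85.105.0/255.255.255.192",
    "65.85.105.64/255.255.255.192",
    "65.85.105.128/255.255.255.192",
    "65.85.105.192/255.255.255.192",
]

if __name__ == "__main__":
    for row in equal_subnets("65.85.105.0/24", 5):
        print("{network:15} {mask}  hosts {first_host} - {last_host}"
              "  broadcast {broadcast}".format(**row))
    for a, b in overlapping_pairs(QUESTION_PLAN):
        print("overlap:", a, "and", b)
```
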
Re: Access Lists [7:28927]
You probably have to provide more information.

1. Are your users dialing into a router (Access server) or through a RAS card on a computer system?
2. If the answer to ques1 is through a router, then is the router also the router that connects to the internet, or do you have another gateway router?
3. Then the interfaces to which you apply the access-list also count, so say more on the interfaces you have on your router and the ones you applied the access-list on, and again in which direction (in or out)?

Regards

- Original Message -
From: J. Johnson
To:
Sent: Wednesday, December 12, 2001 11:24 AM
Subject: Access Lists [7:28927]

> We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
> network when they dial in. We do not want everyone to get on the internet
> when they dial-in. This is what my access list look like
>
> access-list 110 permit ip 165.5.0.0 0.0.255.255 any
> access-list 110 deny ip any any
>
> Everyone can get to our network and get on the internet with the above list.
> Can you see anything wrong?
>
> Thanks.
>
> Jill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=28967&t=28927
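An added Python example, not part of the original thread, that evaluates access-list 110 from the question with first-match semantics against source and destination. It assumes the list filters traffic arriving from dial-in clients addressed out of 165.5.0.0/16 and that the internal network is the same 165.5.0.0/16 block; neither is stated in the thread, and the tightened variant and all sample addresses are constructed for illustration.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _match(addr, spec):
    """spec is the keyword "any" or a (base, wildcard) pair."""
    if spec == "any":
        return True
    base, wild = spec
    care = ~_ip(wild) & 0xFFFFFFFF  # 0 bits in the wildcard must match
    return (_ip(addr) & care) == (_ip(base) & care)

def evaluate(acl, src, dst):
    """Return (action, entry_number) of the first entry matching src and dst.

    An extended ACL stops at the first match; if nothing matches, the
    implicit deny at the end applies and entry_number is None.
    """
    for number, (action, src_spec, dst_spec) in enumerate(acl, start=1):
        if _match(src, src_spec) and _match(dst, dst_spec):
            return action, number
    return "deny", None

# access-list 110 exactly as posted in the question.
ACL_110 = [
    ("permit", ("165.5.0.0", "0.0.255.255"), "any"),
    ("deny", "any", "any"),
]

# Hypothetical variant (assumption: 165.5.0.0/16 is the internal network):
# the destination is restricted as well as the source.
ACL_110_INTERNAL_ONLY = [
    ("permit", ("165.5.0.0", "0.0.255.255"), ("165.5.0.0", "0.0.255.255")),
    ("deny", "any", "any"),
]

# Constructed sample addresses: a dial-in client, an internal server, and
# an Internet host taken from the 198.51.100.0/24 documentation range.
DIALIN, INTERNAL, INTERNET = "165.5.10.20", "165.5.1.1", "198.51.100.10"

if __name__ == "__main__":
    for name, acl in (("as posted", ACL_110),
                      ("internal only", ACL_110_INTERNAL_ONLY)):
        for dst in (INTERNAL, INTERNET):
            print(name, DIALIN, "->", dst, evaluate(acl, DIALIN, dst))
```

With the list as posted, the first entry matches any destination, so the deny line is never reached for a 165.5.x.x source.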