7500 series - how to display serial number [7:47361]

2002-06-25 Thread [EMAIL PROTECTED]

I know the question has been asked millions of times before, but I don't 
think I've seen this answer.
While I was browsing CCO, I came across this snippet at 
http://www.cisco.com/warp/public/63/7500_faq.html#Q9

Q. How Can I Find the Serial Number of My Cisco 7500 Chassis?
A. The show rsp chassis command was introduced in Cisco IOS Software
releases 12.0(13)S and 12.0(13)SC. This command will be supported in
future releases.

Router>show rsp chassis
 Backplane NVRAM(ver 1) contents:
  Chassis model: 0x01
  Chassis S/N: 50014400
  MAC base: 0060.5C51.1A00
  MAC block size: 1024
  RMA failure: 0
  RMA number: 0
  Manufactured Date: 96 12 10
Router>

I have no idea whether this is the "real" serial number that is displayed,
but I thought some people may find this useful.

JMcL






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47361&t=47361
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: 7500 series - how to display serial number [7:47361]

2002-06-25 Thread Deepak Achar

Hi,
Can you just check the following command:

router#sh tech-support

It gives all the information about the router.

regards
deepak n achar


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47362&t=47361



PIX Problem [7:47363]

2002-06-25 Thread Mamoon Dawood

Dear All,

In the PIX firewall, can I make an access list using the FQDN (e.g.
www.yahoo.com) instead of an IP address, since I want to permit users to
only enter some sites? I think the problem is that we cannot configure a
name server.

Kindest Regards,
Mamoon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47363&t=47363



RE: Benchmark CCIE [7:47320]

2002-06-25 Thread bin xiao

I cannot read the paper, because it needs a username and password for CCO.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47364&t=47320



RE: 7500 series - how to display serial number [7:47361]

2002-06-25 Thread Madisa Ramagoffu

Hi,

I am not sure about the command to see the serial number on the chassis.
I think you should use the command that shows the modules installed:

show diag

Output sample (where you see "XXX", that's where the serial numbers are):

router#sh diag
Slot 0:
Physical slot 0, ~physical slot 0xF, logical slot 0, CBus 0
Microcode Status 0x4
Master Enable, LED, WCS Loaded
Board is analyzed 
Pending I/O Status: None
EEPROM format version 1
VIP4-80 RM7000 controller, HW rev 2.04, board revision B0
Serial number: XXX  Part number: 73-3143-09
Test history: 0x00  RMA number: 00-00-00
Flags: cisco 7000 board; 7500 compatible

EEPROM contents (hex):
  0x20: 01 22 02 04 01 78 5A 9A 49 0C 47 09 00 00 00 00
  0x30: 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Slot database information:
Flags: 0x4  Insertion time: 0x2610 (2d09h ago)

Controller Memory Size: 128 MBytes CPU SDRAM, 64 MBytes Packet
SDRAM

PA Bay 0 Information:
OC-12 ATM MM Port Adaptor, 1 ports
EEPROM format version 1
HW rev 2.00, Board revision A0
Serial number: XXX  Part number: 73-3310-02 





>>> "Deepak Achar"  06/25 10:05 AM >>>
Hi,
Can you just check the following command.

router#sh tech-support
it gives all information about the router.

regards
deepak n achar




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47365&t=47361
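As an added example (not code from the thread or from Cisco), here is a small Python parser that pulls the chassis identity out of "show rsp chassis" and the per-slot and PA-bay serials out of "show diag", then checks what it found against an approved inventory, which is what these serials are for when you track or validate hardware. The sample outputs are constructed from the two quoted in this thread; the board serials and the part-number map are placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples modelled on the two outputs quoted in this thread. The
# chassis values are the ones in the Cisco FAQ quoted above; the board serials
# below are made-up placeholders, not values from real hardware.
SHOW_RSP_CHASSIS = """\
Router>show rsp chassis
 Backplane NVRAM(ver 1) contents:
  Chassis model: 0x01
  Chassis S/N: 50014400
  MAC base: 0060.5C51.1A00
  MAC block size: 1024
  RMA failure: 0
  RMA number: 0
  Manufactured Date: 96 12 10
Router>
"""

SHOW_DIAG = """\
router#sh diag
Slot 0:
Physical slot 0, ~physical slot 0xF, logical slot 0, CBus 0
EEPROM format version 1
VIP4-80 RM7000 controller, HW rev 2.04, board revision B0
Serial number: 11223344  Part number: 73-3143-09
Test history: 0x00  RMA number: 00-00-00

PA Bay 0 Information:
OC-12 ATM MM Port Adaptor, 1 ports
EEPROM format version 1
HW rev 2.00, Board revision A0
Serial number: 55667788  Part number: 73-3310-02
"""


@dataclass(frozen=True)
class Board:
    slot: int
    bay: Optional[int]   # None for the slot's own controller card
    description: str
    serial: str
    part_number: str


SLOT_RE = re.compile(r"^Slot (\d+):")
BAY_RE = re.compile(r"^PA Bay (\d+) Information:")
# Descriptive line is "<card>, HW rev ..." for a controller, "<PA>, N ports" for a PA.
DESC_RE = re.compile(r"^(?P<desc>.+?)(?:, HW rev [\d.]+.*|, \d+ ports?)$")
SERIAL_RE = re.compile(r"^Serial number:\s*(\S+)\s+Part number:\s*(\S+)")


def parse_rsp_chassis(text: str) -> Dict[str, str]:
    """Pull the chassis identity fields out of 'show rsp chassis' output."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return {
        "model": fields.get("Chassis model", ""),
        "serial": fields.get("Chassis S/N", ""),
        "mac_base": fields.get("MAC base", ""),
        "manufactured": fields.get("Manufactured Date", ""),
    }


def parse_diag(text: str) -> List[Board]:
    """Walk 'show diag', tracking slot and PA bay; one Board per serial line."""
    boards: List[Board] = []
    slot, bay, desc = None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := SLOT_RE.match(line):
            slot, bay, desc = int(m.group(1)), None, ""
        elif m := BAY_RE.match(line):
            bay, desc = int(m.group(1)), ""
        elif m := DESC_RE.match(line):
            desc = m.group("desc")
        elif (m := SERIAL_RE.match(line)) and slot is not None:
            boards.append(Board(slot, bay, desc, m.group(1), m.group(2)))
    return boards


def audit_inventory(boards: List[Board], approved: Dict[str, str]) -> List[str]:
    """Compare serials on the box with an approved map (serial -> part number)."""
    findings = []
    for b in boards:
        where = f"slot {b.slot}" + (f" bay {b.bay}" if b.bay is not None else "")
        if b.serial not in approved:
            findings.append(f"{where}: unknown {b.description} S/N {b.serial}")
        elif approved[b.serial] != b.part_number:
            findings.append(f"{where}: S/N {b.serial} expected part "
                            f"{approved[b.serial]}, found {b.part_number}")
    return findings
```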



Re: CIT 640-606 exam update [7:47160]

2002-06-25 Thread Elaluf Silvia

Hi
I don't have to re-test until 1.5 years from now for my CCNP; however, a
friend of mine with 3 to 4 years' experience with Cisco found the new CIT
(Beta trial) exam quite difficult. He failed and waited 12 weeks to get
his result.

Silvia


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47366&t=47160



CIT 640-606 [7:47367]

2002-06-25 Thread Ismail M Saeed

Dear All,
Is the CIT 640-606 still a Beta exam?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47367&t=47367



Re: BGP NLRI [7:47337]

2002-06-25 Thread Henry D.

Think of it as a route with additional info. BGP uses such things as AS
number, MED value, communities, etc. NLRI consists of the prefix plus that
extra info.

"rick" wrote in message news:[EMAIL PROTECTED]...
> I am having some trouble understanding NLRI as opposed to
> straight network routing updates.
> Anyone got a pointer to information that might clear up NLRI
> some?
>
> Thanks
>
> --
> --Rick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47368&t=47337
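To make that concrete, an added example that is not from the thread: a Python decoder for the body of a BGP UPDATE message, which shows the NLRI as length-prefixed prefixes and the "extra info" Henry mentions (ORIGIN, AS_PATH, NEXT_HOP, MED) as the path attributes carried alongside them. The message bytes are constructed for the example; lengths that run past the data raise instead of being silently skipped.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Constructed BGP UPDATE body (everything after the 19-byte message header).
# It announces three prefixes plus the ORIGIN / AS_PATH / NEXT_HOP / MED
# attributes that travel with them; documentation addresses, private AS.
UPDATE_BODY = bytes.fromhex(
    "00 00"                   # withdrawn routes length: 0
    "00 19"                   # total path attribute length: 25
    "40 01 01 00"             # ORIGIN (type 1): IGP
    "40 02 04 02 01 fd e9"    # AS_PATH (type 2): AS_SEQUENCE, one 2-byte AS 65001
    "40 03 04 cb 00 71 01"    # NEXT_HOP (type 3): 203.0.113.1
    "80 04 04 00 00 00 64"    # MULTI_EXIT_DISC (type 4): 100
    "18 c6 33 64"             # NLRI: 198.51.100.0/24 (24 bits -> 3 octets)
    "19 c0 00 02 80"          # NLRI: 192.0.2.128/25 (25 bits -> 4 octets)
    "08 0a"                   # NLRI: 10.0.0.0/8 (8 bits -> 1 octet)
)

ORIGINS = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
SEGMENTS = {1: "AS_SET", 2: "AS_SEQUENCE"}


def parse_prefixes(data: bytes) -> List[str]:
    """Decode <length, prefix> pairs: the NLRI and withdrawn-routes encoding."""
    out, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        chunk = data[i + 1:i + 1 + nbytes]
        if plen > 32 or len(chunk) != nbytes:
            raise ValueError(f"malformed prefix at offset {i}")
        addr = int.from_bytes(chunk.ljust(4, b"\x00"), "big")
        addr &= (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF   # drop bits past the mask
        out.append(f"{ipaddress.IPv4Address(addr)}/{plen}")
        i += 1 + nbytes
    return out


def parse_as_path(val: bytes) -> List[Tuple[str, List[int]]]:
    """AS_PATH as (segment type, ASNs) pairs, 2-byte ASNs as in RFC 4271."""
    path, i = [], 0
    while i < len(val):
        seg_type, count = val[i], val[i + 1]
        asns = list(struct.unpack_from(f"!{count}H", val, i + 2))
        path.append((SEGMENTS.get(seg_type, str(seg_type)), asns))
        i += 2 + 2 * count
    return path


def parse_attributes(data: bytes) -> Dict[str, object]:
    """Each attribute: 1 octet flags, 1 octet type, 1 or 2 octet length, value."""
    attrs: Dict[str, object] = {}
    i = 0
    while i < len(data):
        flags, atype = data[i], data[i + 1]
        if flags & 0x10:                           # extended-length bit set
            alen = struct.unpack_from("!H", data, i + 2)[0]
            i += 4
        else:
            alen = data[i + 2]
            i += 3
        val = data[i:i + alen]
        if len(val) != alen:
            raise ValueError(f"truncated attribute type {atype}")
        i += alen
        if atype == 1:
            attrs["origin"] = ORIGINS.get(val[0], str(val[0]))
        elif atype == 2:
            attrs["as_path"] = parse_as_path(val)
        elif atype == 3:
            attrs["next_hop"] = str(ipaddress.IPv4Address(val))
        elif atype == 4:
            attrs["med"] = struct.unpack("!I", val)[0]
        else:
            attrs[f"type_{atype}"] = val.hex()     # keep unknown attributes visible
    return attrs


def parse_update(body: bytes) -> Dict[str, object]:
    """Split an UPDATE body into withdrawn routes, path attributes and NLRI."""
    wlen = struct.unpack_from("!H", body, 0)[0]
    withdrawn = parse_prefixes(body[2:2 + wlen])
    alen = struct.unpack_from("!H", body, 2 + wlen)[0]
    start = 4 + wlen
    if start + alen > len(body):
        raise ValueError("path attribute length exceeds message")
    attrs = parse_attributes(body[start:start + alen])
    nlri = parse_prefixes(body[start + alen:])
    return {"withdrawn": withdrawn, "attributes": attrs, "nlri": nlri}
```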



RE: CIT 640-606 [7:47367]

2002-06-25 Thread _ Einstooge _

Ismail,

   No, the CIT-606 Beta ended March 18, 2002. :>(

   But, candidates who registered for the old CIT 506 exam prior to
05Jun2002 have until 17Jul02 to take it.

   So, if you are not currently registered to take the old exam, you
must take the new CIT 606 replacement. :>)

Later,
M


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47369&t=47367



a diversion for when you get too deep in studying... [7:47372]

2002-06-25 Thread Jacobi Michael CRPH

I found this.  Be warned, it is big!  "my favorite net things"

http://www.fazed.net/humor/videos/favorites.mpg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47372&t=47372



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Neil Borne

The problem that I am coming across is that some of my customers take the 
wireless gear outta the box and plug it in, and when they figure that it works 
with factory defaults they leave it alone... then all of a sudden someone 
pulls up in the front yard and starts snooping around.

One thing you can do is WEP, and depending on the vendor try some filtering 
by MAC, SSID, or protocol...


You will have to do some serious lockdown measures when it's an internal user as 
opposed to outside users...


But like the last email stated, if things get bad use netstumbler, but be 
careful: from the last I heard it works with only some wireless cards...


>From: "Patrick Donlon" 
>Reply-To: "Patrick Donlon" 
>To: [EMAIL PROTECTED]
>Subject: Rogue Wireless LANs [7:47287]
>Date: Mon, 24 Jun 2002 11:48:48 -0400
>
>I've just found a wireless LAN set up by someone in the building, I found 
>it
>by chance when I was checking something with a colleague from another dept.
>The WLAN has zero security which is not a surprise and lets the user into
>the main LAN in the site with a DHCP address served up too! Does anyone 
>have
>any tips on preventing users and dept's who don't think about security from
>plugging whatever they like into the network,
>
>Cheers
>
>Pat
>
>
>
>--
>
>email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47373&t=47287



Microsoft VPN ports [7:47376]

2002-06-25 Thread Spencer Plantier

Does anyone know which ports need to be opened up to
let MSCHAP2 VPN go through the PIX?

Thanks, 

Spencer Plantier
Internet Solutions Engineer
Cell 919-696-8848





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47376&t=47376



640-604 [7:47375]

2002-06-25 Thread Stefan Razeshu

Is the switching exam also covering LANE (the ATM part)?
Best regards,
Stefan


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47375&t=47375



RE: ATM T-1 cards for a 3640 [7:47348]

2002-06-25 Thread Jeffrey Reed

Here's a list of 3600 ATM Modules:
1-Port DS3 ATM Network Module                              NM-1A-T3=     $6000
4-port T1 ATM Network Module with IMA                      NM-4T1-IMA=   $4000
8-port T1 ATM Network Module with IMA                      NM-8T1-IMA=   $7000

Here's the list under 2600 routers:
1-Port DS3 ATM Network Module                              NM-1A-T3=     $6000
Single port ATM 25 Network Module for 3600 series (spare)  NM-1ATM-25=   $2200

List pricing & all cut-n-paste from Cisco's reseller website...

Jeffrey Reed
Classic Networking, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chuck
Sent: Tuesday, June 25, 2002 1:15 AM
To: [EMAIL PROTECTED]
Subject: Re: ATM T-1 cards for a 3640 [7:47348]

the cards in question are the ATM T1 IMA cards, which list for 4,000 for the
4 port and 7,000 for the 8 port. You do the math.

No there is no 1 port ATM T1 for the 36xx box.

OTOH, there is a 1 port ATM T1 card for the 2650 router - I don't have my
pricing tools handy, so I can't get you a part number or list price.
Something like an AIM module, which takes a WIC T1 card inserted into it to
become a T1 ATM port. Last I looked, this option was not available for the
36xx series.

HTH


"Anil Gupte" wrote in message news:[EMAIL PROTECTED]...
> Someone sent me the following:
> > Here are the prices that I found (approx. prices):
> >
> > 4 port T1 ATM interfaces NEW=$3000 Refurb (no returns etc.)=$2100
> > 8 port T1 ATM interfaces NEW=$5250 Refurb (no returns etc.)=$4100
> >
>
> Is there not a less expensive card with a single ATM interface for a 3640?
>
> Thanx,
> Anil Gupte




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47374&t=47348



RE: WHEN WILL CCIE 350-001 EXPIRE [7:47184]

2002-06-25 Thread Clark Jason

So officially, 7/31 is the last day that you can register to take the 350-001
version of the exam??? Is that correct??? I have heard no one explicitly say
that.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47377&t=47184



RE: ISDN Gurus HElp! [7:47353]

2002-06-25 Thread Pierre-Alex Guanel

Please send us the output of "show isdn status" on that router.

Thanks,

Pierre-Alex


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47378&t=47353



RE: Benchmark CCIE [7:47320]

2002-06-25 Thread Pierre-Alex Guanel

Thanks for the landmark...

With some extra focus, today I was able to do a new case scenario:

http://www.cisco.com/warp/public/793/access_dial/bri_isdn_11048.html

in exactly 15 minutes. That was pretty stressful!

Pierre-Alex


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47379&t=47320



RE: Cat 6k IOS upgrade failure [7:47282]

2002-06-25 Thread Michael Williams

See if this helps; it may not, but it had the same error message, so it
may be helpful in getting "out" of the jam you're in (once you open the
following URL, do a text search on "open error" to find the spot that gives
the error like you're getting):

http://www.cisco.com/warp/public/473/14.shtml

HTH,
Mike W.


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47380&t=47282



RE: Multi-Switch SPAN/Monitor question [7:47026]

2002-06-25 Thread Michael Williams

Why would you *not* need to still use a smaller switch if you start trunking
on the 5509s?  You would still need to span from each switch to an aggregate
switch for connection to the IDS.  All trunking will do is carry
interswitch traffic and broadcasts...  if you have communications between
two devices on the same switch, you'd still need an IDS sensor connected to
(a span port on) that switch to watch that traffic, correct?  Since that
traffic between two devices on the same switch won't go over the trunk
link.

Mike W.

Group Study Mailbox wrote:
> 
> I'm doing exactly that.  I have two 5509s spanning into a
> smaller
> switch, and the smaller switch spanning into my sensor.  But
> we're
> moving in a few months, and after the move, I'll be trunking
> the 5509s,
> so I won't need to do that anymore.
> 
> Bob German
> CCNA, MCSE, CNE
> Sr Sys Eng - Irides, LLC



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47381&t=47026



Re: Documentation CD Errors [7:47358]

2002-06-25 Thread cebuano

Hi,
I'm assuming you have installed all the components of the Installer CD and
that you are using Netscape as the DocCD browser. Make sure the URL is set
to http://127.0.0.1:8080/home/home.htm. Under Preferences in Netscape, make
sure that your proxy is set to off.
Do not use IE (especially version 6, which alone will not support Java applets
properly unless you download the Java Runtime Environment - free - from
sun.com).
HTH,
Elmer

- Original Message -
From: "Magondo, Michael" 
To: 
Sent: Tuesday, June 25, 2002 2:21 AM
Subject: Documentation CD Errors [7:47358]


> Hi guys
>
> I have a problem that I'm sure you guys may have encountered before.
> Even after installing the recommended software, I still get gibberish
> when I click on any link on the documentation CD home page. I am
> currently using the November 2001 CD and have tried with various other
> editions of this CD. Can anyone suggest a quick course of action.
>
> Michael




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47382&t=47358



FYI Cisco Press sale [7:47383]

2002-06-25 Thread Mike Mandulak

CompUSA is doing a close-out sale of all of its Cisco Press books (amongst
others). I picked up a dozen books (that I've wanted for a while) from 2
different stores for US $260; normally the collection would have run $680.

MikeM
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47383&t=47383



RE: Benchmark CCIE [7:47320]

2002-06-25 Thread Pierre-Alex Guanel

Thank you for the tips, Bernard. I will change my "bad" habits :)

Just curious... When you configure your routers, do you enter all the
commands in global config mode, then interface mode, then router mode?
Or do you configure the routers according to the sequence in which the
router operates (for example: Layer 1, Layer 2, Layer 3)?

I have found that when I configure my routers the second way, I feel much
more in control of what is going on (because the config is logical). The
down side is that I take much more time because I am somehow thinking about
the process while I am doing it.

On the other hand, when I configure from memory (i.e. all commands in global
mode, then interface mode ...) there is no "internal dialog", but things are
going much faster and I can keep within the timeline.

I would like to know how the folks who took the CCIE and those who are close
to taking it configure routers under time pressure: memorization of configs
or the sequence in which the router operates?

Thanks,

Pierre-Alex






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47384&t=47320



FW: WHEN WILL CCIE 350-001 EXPIRE [7:47184]

2002-06-25 Thread Davis, Scott [ISE/RAC]

Actually that is not accurate. When the new exam is introduced, there will
be a short "grandfather" period where both exams are live. Then after that
period there will be a deadline date for the old version to be retired.
However, since you can schedule your exam up to 30 days in advance, it is
completely dependent on when you register as to what exam you get. I just
had this experience with CIT. Several others and I sat the exam
together. Most of us scheduled the exam on the day we decided when to take
it. Three others waited until the next day (6/6, the CIT 506 retirement
day). When we sat the exam on 6/7, those who scheduled on 6/5 got 506; the
other 3 got 606.

Scott
-Original Message-
From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 24, 2002 7:42 PM
To: [EMAIL PROTECTED]
Subject: Re: WHEN WILL CCIE 350-001 EXPIRE [7:47184]


He/She will take the newer version doesn't matter when you register.  It
matters when you take it.

HTH,
Mike W.

"Shaheen Gagan" wrote in message news:[EMAIL PROTECTED]...
> Suppose someone registers with prometric to take the exam 350-001
> in August,and this exam retires in July.
> What happens then, he/she still takes the 350-001 version
> or the newest version of it (351-001).
>
> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47385&t=47184



RE: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]

2002-06-25 Thread George Siaw

Hi Kevin,

Don't know if this will help but try
"rj45-8pin--T1-crossover-rj45-8pin.htm" link found on page below:
http://ftp.digi.com/support/techsupport/common/cables/async/

Let us know if it works.


Regards,
George.




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Kevin Love
Sent: 25 June 2002 01:50
To: [EMAIL PROTECTED]
Subject: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]

Hey Team,

I am trying to pass data through a WIC-1DSU-T1 to test it.  In order to do
this, I need to put a couple of modular routers back-to-back.  I can handle
the configuration if I can just get the right cable.  I have cable and a
crimper.  Does anybody have any idea what pinout I would need to use to do
this correctly?  I have checked Cisco's web site and can't find anything.

Thanks for your help!

Kevin Love
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47386&t=47332



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Stephen Manuel

Neil and others,

Recently I installed in my home a Linksys wireless router/switch/AP. It
works great; yes, I have WEP enabled.

After installing the equipment, I became really interested in wireless
networking, reading some books, looking for a certification track, scouring
websites, etc...

I downloaded netstumbler and acquired all the necessary equipment to do some
serious wardriving. I've logged over 300 APs, mapped them using Stumverter
and MS MapPoint 2002; it gets down to what side of the street the AP was on.
Just to add a little spice to the situation, I've got netstumbler to play a
.wav file when it finds an AP.

Amazingly, 75% of the APs I've found don't have WEP enabled. A rather large
number of the APs use the company name as the SSID or use the vendor
default SSID, i.e. tsunami for Cisco.

I'm convinced this whole area of wireless networking is wide open to be
farmed for business. I've been trying to formulate a business plan to approach
businesses to help them install a wireless infrastructure properly and set up
security measures for those companies already in the wireless business
without implementing security.

What my research has shown me so far is that without upper management's
support for strict policies with regard to the installation of APs, the
company is playing a game of Russian roulette because the current wireless
implementation is FULL of security holes.

Depending on how much security you want to implement, here's what I would
recommend.

Enable WEP - however, airsnort, a Linux utility, can crack WEP in a relatively
short time.

Disable the SSID broadcast - most APs have this option; this will prevent
netstumbler from picking up the presence of the AP, which makes it a little
more difficult to associate with the AP. Kismet is a Linux utility that will
still detect the presence of the AP by passively sniffing for the wireless
packets.

MAC filtering - enable it, but most APs and wireless cards allow you to spoof
the MAC address, meaning a wireless sniffer like Ethereal can sniff out a
few MAC addresses and a hacker can use one to gain access.

Place the AP outside of the firewall.

Create VPN access for those wireless clients needing access to internal
servers.

I'm sure others have done work in this area and can add to the discussion.

BTW, interestingly enough, of the first 3 companies I approached about the
insecure APs, 1 denied having wireless networking installed and 2 ignored me.

HTH,

Stephen Manuel




- Original Message -
From: "Neil Borne" 
To: 
Sent: Tuesday, June 25, 2002 8:52 AM
Subject: Re: Rogue Wireless LANs [7:47287]


> The problem that I am coming across is that some of my customers take the
> wireless gear outta the box and plug it in, and when they figure that it works
> with factory defaults they leave it alone... then all of a sudden someone
> pulls up in the front yard and starts snooping around.
>
> One thing you can do is WEP, and depending on the vendor try some filtering
> by MAC, SSID, or protocol...
>
>
> You will have to do some serious lockdown measures when it's an internal user
> as opposed to outside users...
>
>
> But like the last email stated, if things get bad use netstumbler, but be
> careful: from the last I heard it works with only some wireless cards...
>
>
> >From: "Patrick Donlon"
> >Reply-To: "Patrick Donlon"
> >To: [EMAIL PROTECTED]
> >Subject: Rogue Wireless LANs [7:47287]
> >Date: Mon, 24 Jun 2002 11:48:48 -0400
> >
> >I've just found a wireless LAN set up by someone in the building, I found
> >it
> >by chance when I was checking something with a colleague from another
dept.
> >The WLAN has zero security which is not a surprise and lets the user into
> >the main LAN in the site with a DHCP address served up too! Does anyone
> >have
> >any tips on preventing users and dept's who don't think about security
from
> >plugging whatever they like into the network,
> >
> >Cheers
> >
> >Pat
> >
> >
> >
> >--
> >
> >email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47387&t=47287
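As an added example, not from the thread, here is how the checks Stephen lists can be turned into a defender-side audit of a site survey: each observed AP is compared against the approved BSSIDs and flagged for no WEP, for a vendor default SSID such as tsunami, for an SSID that names the company, or for an unapproved radio reusing the approved SSID. The survey records, MACs, SSIDs and company name are constructed for the example; real records would come from whatever survey tool you use.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ObservedAP:
    bssid: str       # radio MAC seen over the air
    ssid: str        # "" when SSID broadcast is off (a passive sniffer still sees the beacons)
    encrypted: bool  # True when the beacon advertises WEP (or better)
    channel: int


@dataclass(frozen=True)
class Finding:
    bssid: str
    severity: str    # "high" | "medium" | "low"
    kind: str        # "rogue" | "open" | "default_ssid" | "company_ssid"
    reason: str


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
# "tsunami" is the Cisco default SSID named in the thread; add your own vendors' defaults.
DEFAULT_SSIDS = {"tsunami"}

# Constructed survey results; the MACs and SSIDs are made up for this example.
SURVEY = [
    ObservedAP("00:11:22:33:44:01", "acme-wlan", True, 1),   # approved AP
    ObservedAP("00:11:22:33:44:02", "", True, 6),            # approved AP, SSID broadcast off
    ObservedAP("AA:BB:CC:DD:EE:01", "tsunami", False, 11),   # out-of-the-box AP nobody approved
    ObservedAP("AA:BB:CC:DD:EE:02", "acme-wlan", False, 1),  # unapproved AP using the company SSID
    ObservedAP("AA:BB:CC:DD:EE:03", "", True, 6),            # unapproved AP with its SSID hidden
]
# Approved BSSIDs and the SSID each one is supposed to carry (constructed).
AUTHORIZED = {"00:11:22:33:44:01": "acme-wlan", "00:11:22:33:44:02": "acme-wlan"}


def audit_survey(observed: List[ObservedAP], authorized: Dict[str, str],
                 company_name: str) -> List[Finding]:
    approved_ssids = set(authorized.values())
    findings: List[Finding] = []
    for ap in observed:
        bssid = ap.bssid.upper()
        hidden = ap.ssid == ""
        label = "SSID hidden" if hidden else f"SSID '{ap.ssid}'"
        if bssid not in authorized:
            # A hidden SSID does not make an unapproved radio approved: the BSSID is still seen.
            if ap.ssid in approved_ssids:
                reason = f"unapproved AP advertising the approved SSID '{ap.ssid}'"
            else:
                reason = f"BSSID not on the approved AP list ({label})"
            findings.append(Finding(bssid, "high", "rogue", reason))
        if not ap.encrypted:
            findings.append(Finding(bssid, "high", "open", "beacons with no WEP at all"))
        if ap.ssid.lower() in DEFAULT_SSIDS:
            findings.append(Finding(bssid, "medium", "default_ssid",
                                    f"vendor default SSID '{ap.ssid}'"))
        if not hidden and company_name.lower() in ap.ssid.lower():
            findings.append(Finding(bssid, "low", "company_ssid", "SSID names the company"))
    # Worst first, then by BSSID so the report is stable between runs.
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.bssid))


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in audit_survey(SURVEY, AUTHORIZED, "acme"):
        print(f"{f.severity:6} {f.bssid} {f.kind:12} {f.reason}")
```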



RE: Microsoft VPN ports [7:47376]

2002-06-25 Thread Kent Hundley

http://www.cisco.com/warp/public/110/pix_pptp.html

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Spencer Plantier
Sent: Tuesday, June 25, 2002 6:14 AM
To: [EMAIL PROTECTED]
Subject: Microsoft VPN ports [7:47376]


Does anyone know which ports need to be opened up to
let MSCHAP2 VPN go through the PIX?

Thanks,

Spencer Plantier
Internet Solutions Engineer
Cell 919-696-8848





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47388&t=47376



Re: Benchmark CCIE [7:47320]

2002-06-25 Thread Chuck

The folks who brought you the "Caslow" book and the old ECP1 class taught
that you should do all your L2 first, then make a second pass to do your
L3. Their reasoning was that it became easier to troubleshoot if you did
things one layer at a time. Otherwise, if you put it all in and there was a
problem, you had too many variables to consider.

OTOH, these same folks are very big on checklists. Knowing, memorizing,
ordered lists of things to do in each and every situation.

Putting ISDN aside for a moment, given that the current Lab structure
"assures" that your L1 is good, and that your L3 is pretty much ( not 100% )
ready to go,  that leaves you a bit more freedom in how you approach things.

Everyone who has studied ISDN knows that it can be problematic, even in the
best of circumstances. The CCIE Lab is definitely NOT the best of
circumstances!  My opinion, based on practice and on conversation, is that
you have to have confidence that you can configure it correctly from
scratch, and be confident that even if it does not appear to be working,
that you have done things correctly.

This is where the checklist approach comes in, and where you need to develop
a consistent approach each and every time you do ISDN (or anything else,
for that matter).

If you are told, for example, to use PAP authentication, and to use the
router name as the authentication name, will that throw you off if you have
studied in a particular manner? OTOH, if your checklist goes something like:

ISDN: Calling party

I) physical interface steps
a) setup
b) authentication
1) pap
2) chap

II ) logical interface steps
a) setup
b) authentication
1) PAP
2) CHAP

ISDN: Called party

I) physical interface steps
a) setup
b) authentication
1) pap
2) chap

II ) logical interface steps
a) setup
b) authentication
1) PAP
2) CHAP


That gives you a framework from which you can quickly and easily configure
ISDN under any given set of circumstances.
Obviously, this checklist is by no means complete, but I think you get the
idea. Don't lose yourself in memorizing configurations, don't get distracted
by infinite variations; do learn the specific details based on a consistent
approach.

This, BTW, is where "speed" comes into play. Speed is not how fast you can
type. It is how fast you can turn the written requirement into a working
configuration. If you have to spend too much time thinking about the
requirement, you will find yourself out of time, no matter how fast you
type.

JMHO from someone who's been there and will be there again.


"Pierre-Alex Guanel" wrote in message news:[EMAIL PROTECTED]...
> Thank you for the Tips Bernard. I will change my "bad" habits :)
>
> Just curious... When you configure your routers do you enter all the
> commands in global config mode, then interface mode, then router mode
> ? Or do you configure the routers according to the sequence in which the
> router operates (for example: Layer 1, Layer 2, Layer 3)?
>
> I have found that when I configure my routers the second way, I feel much
> more in control of what is going on (because the config is logical). The
> down side is that I take much more time because I am some how thinking
about
> the process while I am doing it.
>
> On the other hand, when I configure from memory (i.e. all commands in
global
> mode, then interface mode ...) there is no "internal dialog" but things
are
> going much faster and I can keep within the timeline.
>
> I would like to know how the folks who took the CCIE and those who are
close
> to taking it configure routers under time presure: memorization of configs
> or sequence in which the router operates
>
> Thanks,
>
> Pierre-Alex




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47390&t=47320



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Shawn Heisey

Pat,

The "8th layer" policy idea is good.  I would take that one step
further, after checking with your legal department to make sure they
don't have a problem with it and that it's airtight:

In addition to the "disciplinary action up to and including termination"
clause, incorporate in company policy a clause something like this: 
"Any personal computer or networking equipment that is plugged into
company infrastructure without explicit approval is forfeit and becomes
the property of the company."

This is particularly effective if your policies include a statement that
those who agree to it also agree to any future revisions of said policy.

As for a technical way to stop it ... shut down all unused switchports,
or assign them to a VLAN that goes nowhere.  You'd still need to check
for rogue equipment -- someone could set up their machine with two NICs,
hang an AP off one of them, and make it work with address translation.

Thanks,
Shawn

Patrick Donlon wrote:
> 
> Thanks Chris, I was thinking more about securing the switch ports by
> authenticating MACs (probably a bit OTT) or using SNMP to check for new
> devices, any other ideas?  I've already set up a wireless LAN here with WEP
> with authentication on an ACS server, which is a waste of time when you
> have people setting up their own kit,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47391&t=47287
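An added example, not from the thread, for the wired side of the problem Shawn and Pat describe: it parses a constructed Catalyst "show mac-address-table dynamic" listing and reports active ports that are not documented as in use (candidates for shutdown or a dead VLAN), access ports with several MACs behind them (a hub, bridge or AP rather than one PC), and MACs that are absent from the device register. The port names, MACs and register are assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample modelled on the Catalyst IOS 'show mac-address-table dynamic'
# layout; the MAC addresses are made up for this example.
MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4401    DYNAMIC     Fa0/1
  10    0011.2233.4402    DYNAMIC     Fa0/2
  10    0011.2233.4403    DYNAMIC     Fa0/7
  10    0011.2233.4404    DYNAMIC     Fa0/7
  10    0011.2233.4405    DYNAMIC     Fa0/7
  10    0011.2233.4406    DYNAMIC     Fa0/12
  10    0011.2233.4407    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 7
"""

# The documentation the audit compares against (also constructed).
KNOWN_MACS = {"0011.2233.4401": "alice-pc", "0011.2233.4402": "bob-pc",
              "0011.2233.4407": "distribution switch"}
ACCESS_PORTS_IN_USE = {"Fa0/1", "Fa0/2", "Fa0/7"}   # every other access port should be shut or parked
UPLINK_PORTS = {"Gi0/1"}                            # trunks legitimately carry many MACs

ROW_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\w+\s+(\S+)\s*$", re.I)


@dataclass(frozen=True)
class Entry:
    vlan: int
    mac: str
    port: str


def parse_mac_table(text: str) -> List[Entry]:
    """Keep only data rows; headers, separators and the total line do not match ROW_RE."""
    return [Entry(int(m.group(1)), m.group(2).lower(), m.group(3))
            for line in text.splitlines() if (m := ROW_RE.match(line))]


def audit_ports(entries: List[Entry], known: Dict[str, str],
                in_use: Set[str], uplinks: Set[str]) -> List[str]:
    by_port: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_port[e.port].append(e)
    findings = []
    for port in sorted(by_port):
        macs = [e.mac for e in by_port[port]]
        if port not in in_use and port not in uplinks:
            findings.append(f"{port}: active but not documented as in use; "
                            "shut it down or park it in a dead VLAN")
        if port not in uplinks and len(macs) > 1:
            # Several MACs behind one access port means a hub, bridge or AP, not a single PC.
            # Caveat from the thread: a dual-NIC host NATting an AP shows one MAC and passes this.
            findings.append(f"{port}: {len(macs)} MACs behind one access port, possible hub/AP/bridge")
        for mac in macs:
            if mac not in known:
                findings.append(f"{port}: unregistered device {mac}")
    return findings


if __name__ == "__main__":
    for f in audit_ports(parse_mac_table(MAC_TABLE), KNOWN_MACS, ACCESS_PORTS_IN_USE, UPLINK_PORTS):
        print(f)
```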



Re: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]

2002-06-25 Thread Erick B.

A T1 crossover connects pins 1 to 4 and 2 to 5 (i.e.
the Rx pair 1,2 to the Tx pair 4,5). 


--- Kevin Love  wrote:
> Hey Team,
> 
> I am trying to pass data through a WIC-1DSU-T1 to
> test it.  In order to do
> this, I need to put a couple of modular routers
> back-to-back.  I can handle
> the configuration if I can just get the right cable.
>  I have cable and a
> crimper.  Does anybody have any idea what pinout I
> would need to use to do
> this correctly?  I have checked Cisco's web site and
> can't find anything.
> 
> Thanks for your help!






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47392&t=47332
--



PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Richard Tufaro

Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcoming of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing? Now don't get me wrong, you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is read from the top down (just like in IOS) so if I export
my config, change around the order then try to paste, it *does not take*. The
workaround I found for this nifty problem is exporting the access-list to
Ultraedit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment
manage this? Or the PIX's for that matter as a side.

3. Tell me if I'm smokin' crack here, but the default stance of the PIX is
bass-ackwards when it comes to internal hosts to the outside. I mean look, when I
put out the firewall and config my INBOUND lists, why do I want everyone in
the company to be able to NETBIOS across the firewall (outbound)?! I have
worked with one other firewall (CyberGuard) and their stance IMHO is the
best: DENY ALL, permit what I say to permit. It's a firewall, not a router
(in the security sense people, I know what it is REALLY, but relating to
Cisco).

4. Little things too...like why no command completion? I know that this is a
Cisco acquired device, but you would think that they would make it easy to
configure from the command line, especially with the influx of making it
more IOS'e. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small lightweight, "streamline" device
that is going to protect your network, but you should not do any WIZ
bang stuff with it... but then again Cisco markets to everyone and are
competing with the WIZ Bang firewall vendors like Checkpoint. I mean come on,
GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX deployments and how they manage day to day, and deploy new
ones. I know this is a long post but coming from Cyberguard, and going to
PIX there seem to be some major deficiencies as far as functionality and
manageability. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47393&t=47393
--



Re: Benchmark CCIE [7:47320]

2002-06-25 Thread Pierre-Alex Guanel

Understood ...

THANKS Chuck!!!

Pierre-Alex


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47395&t=47320
--



E&M VIC with MUX [7:47394]

2002-06-25 Thread Erwin

I was just wondering if anyone here has implemented VoIP using E&M
connected to the PABX on the other end, and connected directly to a MUX (TDM
Multiplexer).
The question is whether it is possible to have such a connection from the E&M
VIC to the MUX.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47394&t=47394
--



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Priscilla Oppenheimer

Thanks for all the good info about wireless security.

I have one philosophical comment, one semi-technical comment, and one
question:

Philosophical: It amazes me that companies (especially small companies) 
don't want to hear about their security vulnerabilities. I see that a lot 
too. It means your business plan will have to include a lot of up front 
salesy type stuff to convince people that they really have a problem.

Semi-technical: As you mentioned, WEP is quite crackable. Some people in 
the industry are outraged that the IEEE let it out the door. See this good 
WEP FAQ from UC Berkeley:

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

Question: Is Cisco's LEAP better than WEP? Does it have the same purpose 
but without some of the issues? I should know this, but I don't use Cisco 
for wireless (shame, shame).

Thanks for all your excellent advice.

Priscilla

At 12:02 PM 6/25/02, Stephen Manuel wrote:
>Neil and others,
>
>Recently I installed in my home a linksys wireless router/switch/ap, it
>works great, yes I have wep enabled.
>
>After installing the equipment, I became really interested in wireless
>networking, reading some books, looking for a certification track, scouring
>websites, etc...
>
>I downloaded netstumbler and acquired all the necessary equipment to do some
>serious wardriving. I've logged over 300 AP's, mapped them using Stumverter
>and MS Mappoint 2002, it gets down to what side of the street the AP was on,
>just to add a little spice to the situation, I've got netstumbler to play a
>.wav file when it finds an AP.
>
>Amazingly, 75% of the AP's I've found don't have WEP enabled. A rather large
>number of the AP's use the company name as the SSID or use the vendor
>default SSID, i.e. tsunami for Cisco.
>
>I'm convinced this whole area of wireless networking is wide open to be
>farmed for business. I've been trying to formulate a business plan to approach
>businesses to help them install a wireless infrastructure properly and set up
>security measures for those companies already in the wireless business
>without implementing security.
>
>What my research has shown me so far is that without upper management's
>support for strict policies with regards to the installation of AP's the
>company is playing a game of Russian roulette because the current wireless
>implementation is FULL of security holes.
>
>Depending on how much security you want to implement here's what I would
>recommend.
>
>Enable WEP - however airsnort a linux utility can crack wep in a relatively
>short time
>
>Disable the SSID Broadcast - most AP's have this option, this will prevent
>netstumbler from picking up the presence of the AP which makes it a little
>more difficult to associate with the AP. Kismet is a linux utility that will
>still detect the presence of the AP by passively sniffing for the wireless
>packets.
>
>MAC Filtering - enable it but most AP and Wireless cards allow you to spoof
>the MAC address, meaning a wireless sniffer like ethereal can sniff out a
>few MAC addresses and a hacker can use one to gain access.
>
>Place the AP outside of the firewall
>
>Create VPN access for those wireless clients needing access to internal
>servers.
>
>I'm sure others have done work in this area and can add to the discussion.
>
>BTW, interestingly enough the first 3 companies I approached about the
>unsecured AP's, 1 denies having wireless networking installed, 2 ignored me.
>
>HTH,
>
>Stephen Manuel
>
>
>
>
>- Original Message -
>From: "Neil Borne"
>To:
>Sent: Tuesday, June 25, 2002 8:52 AM
>Subject: Re: Rogue Wireless LANs [7:47287]
>
>
> > The problem that I am coming across is that some of my customers take the
> > wireless gear outta the box and plug it in and when they figure that it
> > works with factory defaults they leave it alone... then all of a sudden
> > someone pulls up in the front yard and starts snooping around.
> >
> > One thing you can do is WEP and depending on the vendor try some filtering
> > by mac, ssid, or protocol...
> >
> >
> > You will have to do some serious lockdown measures when it's an internal
> > user as opposed to outside users...
> >
> >
> > But like the last email stated if things get bad use netstumbler but be
> > careful from the last I heard it works with only some wireless cards...
> >
> >
> > >From: "Patrick Donlon"
> > >Reply-To: "Patrick Donlon"
> > >To: [EMAIL PROTECTED]
> > >Subject: Rogue Wireless LANs [7:47287]
> > >Date: Mon, 24 Jun 2002 11:48:48 -0400
> > >
> > >I've just found a wireless LAN set up by someone in the building, I found
> > >it by chance when I was checking something with a colleague from another
> > >dept. The WLAN has zero security which is not a surprise and lets the user
> > >into the main LAN in the site with a DHCP address served up too! Does anyone
> > >have any tips on preventing users and depts who don't think about security
> > >from plugging whatever they like into the network,
> > >
> > >Cheers
> > >
> > >Pat
> > >
> > >

RE: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Dan Penn

You have given me an idea.  All I need is a laptop now =)  I would go
war driving in the area to specifically find businesses running
unsecured wireless.  I bet I would find some businesses that didn't even
know they were running wireless such as this thread started out.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Stephen Manuel
Sent: Tuesday, June 25, 2002 10:02 AM
To: [EMAIL PROTECTED]
Subject: Re: Rogue Wireless LANs [7:47287]

Neil and others,

Recently I installed in my home a linksys wireless router/switch/ap, it
works great, yes I have WEP enabled.

After installing the equipment, I became really interested in wireless
networking, reading some books, looking for a certification track, scouring
websites, etc...

I downloaded netstumbler and acquired all the necessary equipment to do some
serious wardriving. I've logged over 300 AP's, mapped them using Stumverter
and MS Mappoint 2002, it gets down to what side of the street the AP was on,
just to add a little spice to the situation, I've got netstumbler to play a
.wav file when it finds an AP.

Amazingly, 75% of the AP's I've found don't have WEP enabled. A rather large
number of the AP's use the company name as the SSID or use the vendor
default SSID, i.e. tsunami for Cisco.

I'm convinced this whole area of wireless networking is wide open to be
farmed for business. I've been trying to formulate a business plan to approach
businesses to help them install a wireless infrastructure properly and set up
security measures for those companies already in the wireless business
without implementing security.

What my research has shown me so far is that without upper management's
support for strict policies with regards to the installation of AP's the
company is playing a game of Russian roulette because the current wireless
implementation is FULL of security holes.

Depending on how much security you want to implement here's what I would
recommend.

Enable WEP - however airsnort, a linux utility, can crack WEP in a relatively
short time

Disable the SSID Broadcast - most AP's have this option, this will prevent
netstumbler from picking up the presence of the AP which makes it a little
more difficult to associate with the AP. Kismet is a linux utility that will
still detect the presence of the AP by passively sniffing for the wireless
packets.

MAC Filtering - enable it but most AP and Wireless cards allow you to spoof
the MAC address, meaning a wireless sniffer like ethereal can sniff out a
few MAC addresses and a hacker can use one to gain access.

Place the AP outside of the firewall

Create VPN access for those wireless clients needing access to internal
servers.

I'm sure others have done work in this area and can add to the discussion.

BTW, interestingly enough the first 3 companies I approached about the
unsecured AP's, 1 denies having wireless networking installed, 2 ignored me.

HTH,

Stephen Manuel




- Original Message -
From: "Neil Borne" 
To: 
Sent: Tuesday, June 25, 2002 8:52 AM
Subject: Re: Rogue Wireless LANs [7:47287]


> The problem that I am coming across is that some of my customers take the
> wireless gear outta the box and plug it in and when they figure that it
> works with factory defaults they leave it alone... then all of a sudden
> someone pulls up in the front yard and starts snooping around.
>
> One thing you can do is WEP and depending on the vendor try some filtering
> by mac, ssid, or protocol...
>
>
> You will have to do some serious lockdown measures when it's an internal
> user as opposed to outside users...
>
>
> But like the last email stated if things get bad use netstumbler but be
> careful from the last I heard it works with only some wireless cards...
>
>
> >From: "Patrick Donlon"
> >Reply-To: "Patrick Donlon"
> >To: [EMAIL PROTECTED]
> >Subject: Rogue Wireless LANs [7:47287]
> >Date: Mon, 24 Jun 2002 11:48:48 -0400
> >
> >I've just found a wireless LAN set up by someone in the building, I found
> >it by chance when I was checking something with a colleague from another
> >dept. The WLAN has zero security which is not a surprise and lets the user
> >into the main LAN in the site with a DHCP address served up too! Does
> >anyone have any tips on preventing users and depts who don't think about
> >security from plugging whatever they like into the network,
> >
> >Cheers
> >
> >Pat
> >
> >
> >
> >--
> >
> >email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47397&t=47287
--



Re: Benchmark CCIE [7:47320]

2002-06-25 Thread Donald B Johnson Jr

Just sub public for customer in the link. Then you should be in.
Don




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47398&t=47320
--



Re: Connecting to 516-CS - Problems [7:47342]

2002-06-25 Thread trammer

Tim,

Thanks for the input.

According to what I could find on Cisco's site, I believe you need to
unplug the unit and then hold the default button until the LAN LED flashes
once.

Now my question is: can I connect to the 516 via the setup that I
mentioned?  (Regular DB9 with rollover to J1).  I am assuming so.


Thanks.



"Ouellette, Tim" wrote in message news:[EMAIL PROTECTED]...
> Do you have the document on how to reset the CS 516 to its defaults? If
> not, email me and I'll see if I can send it over to you.  That's what I had
> to do on my cs-516 and it works great!
>
> Tim
>
> -Original Message-
> From: trammer [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 2:20 AM
> To: [EMAIL PROTECTED]
> Subject: Connecting to 516-CS - Problems [7:47342]
>
>
> Hello all.
>
> I recently acquired a 516-CS on ebay for use in my home pod.  The problem I
> have is connecting to the darn thing.  I am either making a foolish mistake
> or there is something wrong with the box.
>
> The unit comes up fine with the OK led lit green once booted.  I know that
> the ethernet interface is up and functioning because I am able to telnet to
> it, just can't log in because I do not have the passwords.
>
> I am trying to console into the box however and I am not having any luck.  I
> am using a regular DB9 console kit (DB9 Female > Rolled Cable) to connect to
> J1 with 9600-8-N-1.
>
> I am getting the feeling that the box is either corrupt in some manner or I
> am not using the correct cable configuration to connect to the box.
>
>
> If anyone has any insight on this it is appreciated.
>
>
>
> Cheers.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47371&t=47342
--



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) Not that I am aware of.
2) Change the access-list name and paste it to the firewall. Then just
change the access-group statement to the new one. It's an instant change.
3) I think you're on crack. If you're using access-lists on all interfaces (you
are, aren't you???) then there is an implicit deny any any at the end.
I find many people who put a permit ip any any for the inside access-list.
While it makes administration much easier, it also is a BAD practice.
Remember we want to explicitly approve ports, not explicitly deny. You would
be surprised at the small number of ports that really need to be open!
4) This is a security device. You should always type the full command. I
don't want to take any chances of typing one thing and the PIX taking it as
another. I realize that you should know exactly what command you're entering,
but hey, not everyone is competent on the PIX so no chances.
5) Where did you get that info? The PIX 535 will absolutely blow any
checkpoint device out of the water. Not to mention that checkpoint still
hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
recently made to be a small lightweight FW with the 501. I don't know about
you, but I want a firewall to do one thing and one thing only. I don't want
a FW that is also a mail gateway, dns server and whatnot that so many
devices try to be now.

Many FW's are made to be user friendly, and cover the backend stuff that
really happens. The PIX didn't take that approach. They want someone to
understand what they are doing, and putting a pretty GUI on it will only
lead to people who shouldn't be administering it, administrating it.
That is why I completely disagree with the PDM. 

I'm not directing these comments at you in particular so please don't take
them that way. I'm only saying that we need to realize exactly what a FW
should do, and what it should not. We also need to realize exactly how a FW
works, not how the GUI works!

I agree it is a completely different interface, but if you are used to the
IOS interface, it will come quickly and you will never look back.

But, this is just my opinion!

Thanks

Larry
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 11:51 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcoming of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing? Now don't get me wrong, you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is read from the top down (just like in IOS) so if I export
my config, change around the order then try to paste, it *does not take*. The
workaround I found for this nifty problem is exporting the access-list to
Ultraedit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment
manage this? Or the PIX's for that matter as a side.

3. Tell me if I'm smokin' crack here, but the default stance of the PIX is
bass-ackwards when it comes to internal hosts to the outside. I mean look, when I
put out the firewall and config my INBOUND lists, why do I want everyone in
the company to be able to NETBIOS across the firewall (outbound)?! I have
worked with one other firewall (CyberGuard) and their stance IMHO is the
best: DENY ALL, permit what I say to permit. It's a firewall, not a router
(in the security sense people, I know what it is REALLY, but relating to
Cisco).

4. Little things too...like why no command completion? I know that this is a
Cisco acquired device, but you would think that they would make it easy to
configure from the command line, especially with the influx of making it
more IOS'e. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small lightweight, "streamline" device
that is going to protect your network, but you should not do any WIZ
bang stuff with it... but then again Cisco markets to everyone and are
competing with the WIZ Bang firewall vendors like Checkpoint. I mean come on,
GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX de
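
Larry's points 2 and 3 (an explicit-permit inside list instead of permit ip any any, and replacing a list by pasting it under a new name and re-pointing access-group) as a PIX 6.x configuration fragment. This is an added example, not text from Larry, Richard or Cisco; the list names, the 10.1.0.0/16 inside network and the 198.51.100.x resolver and mail relay are made up for it, and lines beginning with ':' are comments in the form the PIX accepts.

```text
: Weak form: an inside list that permits everything outbound, which is what
: the rant objects to (NetBIOS and anything else leaves the site freely).
access-list inside_out permit ip any any
access-group inside_out in interface inside

: Corrected form, built as a NEW list so it can be pasted in one go without
: touching the list that is currently in service. Addresses are constructed.
access-list inside_out_v2 permit tcp 10.1.0.0 255.255.0.0 any eq 80
access-list inside_out_v2 permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list inside_out_v2 permit udp 10.1.0.0 255.255.0.0 host 198.51.100.10 eq 53
access-list inside_out_v2 permit tcp 10.1.0.0 255.255.0.0 host 198.51.100.25 eq 25
: Nothing else is listed, so everything else hits the implicit deny at the
: end of the list; an explicit last entry just makes that intent visible.
access-list inside_out_v2 deny ip any any

: The swap is one command: rebinding the interface replaces the old list in
: a single step, so there is no window with no list applied to the interface.
access-group inside_out_v2 in interface inside

: Once nothing references it, drop the old list. Assumption: on this version
: the bare list name removes the whole list; confirm on your own PIX first.
no access-list inside_out
```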

Re: !!!For the curious Minds; Here's The 3550-EMI [7:47322]

2002-06-25 Thread Steven A. Ridder

Think of it as a native IOS 6500.  Same function with less performance.


"Eric R" wrote in message news:[EMAIL PROTECTED]...
> Just got a new 3550-EMI 24port.
> Check the sh ip portion. Yep, it's an IP router!
> Looks like this little bad boy could actually throw a rather large monkey
> wrench into the works.
>
> -Eric
>
> ##
>
> 3550-EMI#?
> Exec commands:
>   access-enableCreate a temporary Access-List entry
>   access-template  Create a temporary Access-List entry
>   archive  manage archive files
>   cd   Change current directory
>   clearReset functions
>   clockManage the system clock
>   cluster  cluster exec mode commands
>   configureEnter configuration mode
>   connect  Open a terminal connection
>   copy Copy from one file to another
>   debugDebugging functions (see also 'undebug')
>   delete   Delete a file
>   dir  List files on a filesystem
>   disable  Turn off privileged commands
>   disconnect   Disconnect an existing network connection
>   dot1xIEEE 801.1X commands
>   enable   Turn on privileged commands
>   eraseErase a filesystem
>   exit Exit from the EXEC
>   format   Format a filesystem
>   fsck Fsck a filesystem
>   help Description of the interactive help system
>   lock Lock the terminal
>   loginLog in as a particular user
>   logout   Exit from the EXEC
>   mkdirCreate new directory
>   more Display the contents of a file
>   mrinfo   Request neighbor and version information from a multicast
>                    router
>   mrm  IP Multicast Routing Monitor Test
>   mstatShow statistics after multiple multicast traceroutes
>   mtrace   Trace reverse multicast path from destination to source
>   name-connection  Name an existing network connection
>   no   Disable debugging functions
>   ping Send echo messages
>   pwd  Display current working directory
>   rcommand Run command on remote switch
>   reload   Halt and perform a cold restart
>   rename   Rename a file
>   resume   Resume an active network connection
>   rmdirRemove existing directory
>   rsh  Execute a remote command
>   send Send a message to other tty lines
>   setupRun the SETUP command facility
>   show Show running system information
>   systat   Display information about terminal lines
>   telnet   Open a telnet connection
>   terminal Set terminal line parameters
>   test Test subsystems, memory, and interfaces
>   traceroute   Trace route to destination
>   tunnel   Open a tunnel connection
>   udld UDLD protocol commands
>   undebug  Disable debugging functions (see also 'debug')
>   verify   Verify a file
>   vlan Configure VLAN parameters
>   vmps VMPS actions
>   whereList active connections
>   writeWrite running configuration to memory, network, or
> terminal
>
> ##
>
> 3550-EMI#sh ip ?
>   access-lists  List IP access lists
>   accountingThe active IP accounting database
>   aliases   IP alias table
>   arp   IP ARP table
>   cache IP fast-switching route cache
>   cef   Cisco Express Forwarding
>   dvmrp DVMRP information
>   eigrp IP-EIGRP show commands
>   flow  NetFlow switching
>   igmp  IGMP information
>   interface IP interface status and configuration
>   irdp  ICMP Router Discovery Protocol
>   local IP local options
>   masks Masks associated with a network
>   mcacheIP multicast fast-switching cache
>   mpacket   Display possible duplicate multicast packets
>   mrm   IP Multicast Routing Monitor information
>   mrouteIP multicast routing table
>   msdp  Multicast Source Discovery Protool (MSDP)
>   nat   IP NAT information
>   ospf  OSPF information
>   pim   PIM information
>   prefix-list   List IP prefix lists
>   protocols IP routing protocol process parameters and statistics
>   redirects IP redirects
>   rip   IP RIP show commands
>   route IP routing table
>   rpf   Display RPF information for multicast source
>   sdr   Session Directory (SDPv2) cache
>   sockets   Open IP sockets
>   traffic   IP protocol statistics
>   vrf   VPN Routing/Forwarding instance information
>
> ##
>
> 3550-EMI(config)#?
> Configure co

Re: !!!For the curious Minds; Here's The 3550-EMI [7:47322]

2002-06-25 Thread Robert T. Repko (R Squared Consultant

I just set up a 3550 EMI using Layer 3 routing.  I have a customer that 
installed a fiber optic ring to 12 locations around town.  One of their 
4908's went down and I installed a 3550 EMI while the 4908 is being 
repaired.  Different subnets on each GBIC and VLAN, plugged it in and it ran 
perfectly.  I was even able to use an ip helper address so they could pick up 
an IP address from their DHCP server.  Really impressed with the box.


At 6/25/2002 02:19 AM, Eric R reminisced:
>Just got a new 3550-EMI 24port.
>Check the sh ip portion. Yep, it's an IP router!
>Looks like this little bad boy could actually throw a rather large monkey
>wrench into the works.
>
>-Eric
>
>##
>
>3550-EMI#?
>Exec commands:
>   access-enableCreate a temporary Access-List entry
>   access-template  Create a temporary Access-List entry
>   archive  manage archive files
>   cd   Change current directory
>   clearReset functions
>   clockManage the system clock
>   cluster  cluster exec mode commands
>   configureEnter configuration mode
>   connect  Open a terminal connection
>   copy Copy from one file to another
>   debugDebugging functions (see also 'undebug')
>   delete   Delete a file
>   dir  List files on a filesystem
>   disable  Turn off privileged commands
>   disconnect   Disconnect an existing network connection
>   dot1xIEEE 801.1X commands
>   enable   Turn on privileged commands
>   eraseErase a filesystem
>   exit Exit from the EXEC
>   format   Format a filesystem
>   fsck Fsck a filesystem
>   help Description of the interactive help system
>   lock Lock the terminal
>   loginLog in as a particular user
>   logout   Exit from the EXEC
>   mkdirCreate new directory
>   more Display the contents of a file
>   mrinfo   Request neighbor and version information from a multicast
>                    router
>   mrm  IP Multicast Routing Monitor Test
>   mstatShow statistics after multiple multicast traceroutes
>   mtrace   Trace reverse multicast path from destination to source
>   name-connection  Name an existing network connection
>   no   Disable debugging functions
>   ping Send echo messages
>   pwd  Display current working directory
>   rcommand Run command on remote switch
>   reload   Halt and perform a cold restart
>   rename   Rename a file
>   resume   Resume an active network connection
>   rmdirRemove existing directory
>   rsh  Execute a remote command
>   send Send a message to other tty lines
>   setupRun the SETUP command facility
>   show Show running system information
>   systat   Display information about terminal lines
>   telnet   Open a telnet connection
>   terminal Set terminal line parameters
>   test Test subsystems, memory, and interfaces
>   traceroute   Trace route to destination
>   tunnel   Open a tunnel connection
>   udld UDLD protocol commands
>   undebug  Disable debugging functions (see also 'debug')
>   verify   Verify a file
>   vlan Configure VLAN parameters
>   vmps VMPS actions
>   whereList active connections
>   writeWrite running configuration to memory, network, or
>terminal
>
>##
>
>3550-EMI#sh ip ?
>   access-lists  List IP access lists
>   accountingThe active IP accounting database
>   aliases   IP alias table
>   arp   IP ARP table
>   cache IP fast-switching route cache
>   cef   Cisco Express Forwarding
>   dvmrp DVMRP information
>   eigrp IP-EIGRP show commands
>   flow  NetFlow switching
>   igmp  IGMP information
>   interface IP interface status and configuration
>   irdp  ICMP Router Discovery Protocol
>   local IP local options
>   masks Masks associated with a network
>   mcacheIP multicast fast-switching cache
>   mpacket   Display possible duplicate multicast packets
>   mrm   IP Multicast Routing Monitor information
>   mrouteIP multicast routing table
>   msdp  Multicast Source Discovery Protool (MSDP)
>   nat   IP NAT information
>   ospf  OSPF information
>   pim   PIM information
>   prefix-list   List IP prefix lists
>   protocols IP routing protocol process parameters and statistics
>   redirects IP redirects
>   rip   IP RIP show commands
>   route IP routing table
>   rpf   Display RPF informatio

Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread John Golovich

I attended a Cisco Wireless update last month and came
out of it with this information.

Their updated WEP provides dynamic keys now.  It is
still crackable, but by the time it is cracked the key
has regenerated. 

Also the keys are no longer hard coded into the
device, since they are dynamic.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47400&t=47287
--



Re: Benchmark CCIE [7:47320]

2002-06-25 Thread Pierre-Alex Guanel

Don, I did not understand your post.  Pierre-Alex


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47401&t=47320
--



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Thomas E. Lawrence

I realize you are speaking in jest, but for those who might consider this
approach as a means of drumming up business, you may want to give it some
thought.

Connecting to a network to which you have no reason or any right to connect
can be considered hacking, and you could be subject to prosecution,
ironically by an organization that is asking for trouble anyway. Just because
I don't have locks on my doors does not mean it's ok for you to walk into my
home any time you please.

Please be careful how you approach a company when you have discovered by
accident a particularly egregious vulnerability.

Tom


"Dan Penn" wrote in message news:[EMAIL PROTECTED]...
> You have given me an idea.  All I need is a laptop now =)  I would go
> war driving in the area to specifically find businesses running
> unsecured wireless.  I bet I would find some businesses that didn't even
> know they were running wireless such as this thread started out.
>
> Dan
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Stephen Manuel
> Sent: Tuesday, June 25, 2002 10:02 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Rogue Wireless LANs [7:47287]
>
> Neil and others,
>
> Recently I installed in my home a Linksys wireless router/switch/AP, it
> works great, yes I have WEP enabled.
>
> After installing the equipment, I became really interested in wireless
> networking, reading some books, looking for a certification track,
> scouring websites, etc...
>
> I downloaded NetStumbler and acquired all the necessary equipment to do
> some serious wardriving. I've logged over 300 APs, mapped them using
> Stumverter and MS MapPoint 2002; it gets down to what side of the street
> the AP was on. Just to add a little spice to the situation, I've got
> NetStumbler to play a .wav file when it finds an AP.
>
> Amazingly, 75% of the APs I've found don't have WEP enabled. A rather
> large number of the APs use the company name as the SSID or use the
> vendor default SSID, i.e. tsunami for Cisco.
>
> I'm convinced this whole area of wireless networking is wide open to be
> farmed for business. I've been trying to formulate a business plan to
> approach businesses to help them install a wireless infrastructure
> properly and set up security measures for those companies already in the
> wireless business without implementing security.
>
> What my research has shown me so far is that without upper management's
> support for strict policies with regards to the installation of APs, the
> company is playing a game of Russian roulette because the current
> wireless implementation is FULL of security holes.
>
> Depending on how much security you want to implement, here's what I would
> recommend.
>
> Enable WEP - however AirSnort, a Linux utility, can crack WEP in a
> relatively short time.
>
> Disable the SSID broadcast - most APs have this option; this will prevent
> NetStumbler from picking up the presence of the AP, which makes it a
> little more difficult to associate with the AP. Kismet is a Linux utility
> that will still detect the presence of the AP by passively sniffing for
> the wireless packets.
>
> MAC filtering - enable it, but most APs and wireless cards allow you to
> spoof the MAC address, meaning a wireless sniffer like Ethereal can sniff
> out a few MAC addresses and a hacker can use one to gain access.
>
> Place the AP outside of the firewall.
>
> Create VPN access for those wireless clients needing access to internal
> servers.
>
> I'm sure others have done work in this area and can add to the
> discussion.
>
> BTW, interestingly enough, of the first 3 companies I approached about
> the unsecure APs, 1 denied having wireless networking installed and 2
> ignored me.
>
> HTH,
>
> Stephen Manuel
>
>
> - Original Message -
> From: "Neil Borne"
> To:
> Sent: Tuesday, June 25, 2002 8:52 AM
> Subject: Re: Rogue Wireless LANs [7:47287]
>
>
> > The problem that I am coming across is that some of my customers take
> > the wireless gear outta the box and plug it in, and when they figure
> > that it works with factory defaults they leave it alone... then all of a
> > sudden someone pulls up in the front yard and starts snooping around.
> >
> > One thing you can do is WEP, and depending on the vendor try some
> > filtering by MAC, SSID, or protocol...
> >
> > You will have to do some serious lockdown measures when it's an internal
> > user as opposed to outside users...
> >
> > But like the last email stated, if things get bad use NetStumbler, but
> > be careful; from the last I heard it works with only some wireless
> > cards...
> >
> > >From: "Patrick Donlon"
> > >Reply-To: "Patrick Donlon"
> > >To: [EMAIL PROTECTED]
> > >Subject: Rogue Wireless LANs [7:47287]
> > >Date: Mon, 24 Jun 2002 11:48:48 -0400
> > >
> > >I've just found a wireless LAN set up by someone in the building, I
> > >found it by chance when I was checking something with a coll

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Kent Hundley

Richard,

1) No comments are allowed right now.  Yes, its a pain.

2) Try using PDM, it's a fairly nice GUI interface. For large environments
try CSPM.

3) The PIX's default stance is a holdover from the days when not a lot of
people were concerned about blocking outbound traffic.  Yes, it probably
should be changed and yes, a lot of security people don't like the "default
permit out" stance.

4) Yes, another pain, probably something that they will eventually include,
but I don't know specific details.

5) I don't think anyone would argue that the PIX lacks some of the "wiz
bang" features of other commercial firewalls.  The big selling points for
the PIX in the past have been speed and support.  The speed factor has been
taken out of the equation by new boxes from Nokia and others. (BSD kernel
running Firewall-1 at gigabit speeds)  The support factor is still a good
point, but it's clear to me that Cisco needs to step up their development
efforts on the PIX if they want to stay in the game.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Richard Tufaro
Sent: Tuesday, June 25, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcoming of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing? Now don't get me wrong, you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is read from the top down (just like in IOS), so if I export
my config, change around the order, then try to paste, *it does not take*.
The workaround I found for this nifty problem is exporting the access-list
to UltraEdit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment,
manage this? Or the PIXes for that matter, as a side.

3. Tell me if I'm smoking crack here, but the default stance of the PIX is
bass-ackwards when it comes to internal hosts to the outside. I mean look,
when I put out the firewall and config my INBOUND lists, why do I want
everyone in the company to be able to NETBIOS across the firewall
(outbound)?! I have worked with one other firewall (CyberGuard) and their
stance IMHO is the best: DENY ALL, permit what I say to permit. It's a
firewall, not a router (in the security sense people, I know what it is
REALLY, but relating to Cisco).

4. Little things too... like why no command completion? I know that this is
a Cisco-acquired device, but you would think that they would make it easy to
configure from the command line, especially with the influx of making it
more IOS-like. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small, lightweight, "streamlined"
device that is going to protect your network, but you should not do any WIZ
bang stuff with it... but then again Cisco markets to everyone and is
competing with the WIZ Bang firewall vendors like Checkpoint. I mean come
on, GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX deployments and how they manage day to day, and deploy new
ones. I know this is a long post, but coming from CyberGuard and going to
PIX there seem to be some major deficiencies as far as functionality and
manageability. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47403&t=47393



Re: Benchmark CCIE [7:47320]

2002-06-25 Thread cebuano

Just to reiterate...
I personally know a couple of candidates who had issues with their ISDN
switch in the lab not working no matter what. As a matter of fact, in
Solie's book on page 459 he brings up this "well-known transitive" problem.
So lab candidates, pay attention to this page as it just might save you
$1250 plus some grief.
Perhaps someone can suggest to the lab folks to swap Adtran for Teltone or
Emutel ;->
My 2 cents...
Elmer

- Original Message -
From: "Chuck" 
To: 
Sent: Tuesday, June 25, 2002 12:30 PM
Subject: Re: Benchmark CCIE [7:47320]


> The folks who brought you the "Caslow" book and the old ECP1 class taught
> that you should do all your L2 first, then make a second pass to do your
> L3. Their reasoning was that it became easier to troubleshoot if you did
> things one layer at a time. Otherwise, if you put it all in and there was a
> problem, you had too many variables to consider.
>
> OTOH, these same folks are very big on checklists. Knowing, memorizing,
> ordered lists of things to do in each and every situation.
>
> Putting ISDN aside for a moment, given that the current Lab structure
> "assures" that your L1 is good, and that your L3 is pretty much (not 100%)
> ready to go, that leaves you a bit more freedom in how you approach things.
>
> Everyone who has studied ISDN knows that it can be problematic, even in the
> best of circumstances. The CCIE Lab is definitely NOT the best of
> circumstances! My opinion, based on practice and on conversation, is that
> you have to have confidence that you can configure it correctly from
> scratch, and be confident that even if it does not appear to be working,
> that you have done things correctly.
>
> This is where the checklist approach comes in, and where you need to
> develop a consistent approach each and every time you do ISDN (or anything
> else for that matter).
>
> If you are told, for example, to use PAP authentication, and to use the
> router name as the authentication name, will that throw you off if you have
> studied in a particular manner? OTOH, if your checklist goes something
> like:
>
> ISDN: Calling party
>
> I) physical interface steps
>    a) setup
>    b) authentication
>       1) pap
>       2) chap
>
> II) logical interface steps
>    a) setup
>    b) authentication
>       1) PAP
>       2) CHAP
>
> ISDN: Called party
>
> I) physical interface steps
>    a) setup
>    b) authentication
>       1) pap
>       2) chap
>
> II) logical interface steps
>    a) setup
>    b) authentication
>       1) PAP
>       2) CHAP
>
>
> that gives you a framework from which you can quickly and easily configure
> ISDN under any given set of circumstances.
> Obviously, this checklist is by no means complete, but I think you get the
> idea. Don't lose yourself in memorizing configurations, don't get
> distracted by infinite variations, do learn the specific details based on a
> consistent approach.
>
> This, BTW, is where "speed" comes into play. Speed is not how fast you can
> type. It is how fast you can turn the written requirement into a working
> configuration. If you have to spend too much time thinking about the
> requirement, you will find yourself out of time, no matter how fast you
> type.
>
> JMHO from someone who's been there and will be there again.
>
>
> "Pierre-Alex Guanel" wrote in message news:[EMAIL PROTECTED]...
> > Thank you for the Tips Bernard. I will change my "bad" habits :)
> >
> > Just curious... When you configure your routers, do you enter all the
> > commands in global config mode, then interface mode, then router mode?
> > Or do you configure the routers according to the sequence in which the
> > router operates (for example: Layer 1, Layer 2, Layer 3)?
> >
> > I have found that when I configure my routers the second way, I feel much
> > more in control of what is going on (because the config is logical). The
> > down side is that I take much more time because I am somehow thinking
> > about the process while I am doing it.
> >
> > On the other hand, when I configure from memory (i.e. all commands in
> > global mode, then interface mode ...) there is no "internal dialog" but
> > things are going much faster and I can keep within the timeline.
> >
> > I would like to know how the folks who took the CCIE and those who are
> > close to taking it configure routers under time pressure: memorization of
> > configs or sequence in which the router operates.
> >
> > Thanks,
> >
> > Pierre-Alex




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47404&t=47320



RE: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Howard C. Berkowitz

>You have given me an idea.  All I need is a laptop now =)  I would go
>war driving in the area to specifically find businesses running
>unsecured wireless.  I bet I would find some businesses that didn't even
>know they were running wireless such as this thread started out.
>
>Dan

I'd get some legal advice, or at least talk to the FCC, about whether 
this would be a violation of the Communications Act of 1934.  I 
_think_ it would be OK as long as you didn't disclose message content.

>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Stephen Manuel
>Sent: Tuesday, June 25, 2002 10:02 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Rogue Wireless LANs [7:47287]
>
>Neil and others,
>
>Recently I installed in my home a Linksys wireless router/switch/AP, it
>works great, yes I have WEP enabled.
>
>After installing the equipment, I became really interested in wireless
>networking, reading some books, looking for a certification track,
>scouring websites, etc...
>
>I downloaded NetStumbler and acquired all the necessary equipment to do
>some serious wardriving. I've logged over 300 APs, mapped them using
>Stumverter and MS MapPoint 2002; it gets down to what side of the street
>the AP was on. Just to add a little spice to the situation, I've got
>NetStumbler to play a .wav file when it finds an AP.
>
>Amazingly, 75% of the APs I've found don't have WEP enabled. A rather
>large number of the APs use the company name as the SSID or use the
>vendor default SSID, i.e. tsunami for Cisco.
>
>I'm convinced this whole area of wireless networking is wide open to be
>farmed for business. I've been trying to formulate a business plan to
>approach businesses to help them install a wireless infrastructure
>properly and set up security measures for those companies already in the
>wireless business without implementing security.
>
>What my research has shown me so far is that without upper management's
>support for strict policies with regards to the installation of APs, the
>company is playing a game of Russian roulette because the current
>wireless implementation is FULL of security holes.
>
>Depending on how much security you want to implement, here's what I would
>recommend.
>
>Enable WEP - however AirSnort, a Linux utility, can crack WEP in a
>relatively short time.
>
>Disable the SSID broadcast - most APs have this option; this will prevent
>NetStumbler from picking up the presence of the AP, which makes it a
>little more difficult to associate with the AP. Kismet is a Linux utility
>that will still detect the presence of the AP by passively sniffing for
>the wireless packets.
>
>MAC filtering - enable it, but most APs and wireless cards allow you to
>spoof the MAC address, meaning a wireless sniffer like Ethereal can sniff
>out a few MAC addresses and a hacker can use one to gain access.
>
>Place the AP outside of the firewall.
>
>Create VPN access for those wireless clients needing access to internal
>servers.
>
>I'm sure others have done work in this area and can add to the
>discussion.
>
>BTW, interestingly enough, of the first 3 companies I approached about
>the unsecure APs, 1 denied having wireless networking installed and 2
>ignored me.
>
>HTH,
>
>Stephen Manuel
>
>
>- Original Message -
>From: "Neil Borne"
>To:
>Sent: Tuesday, June 25, 2002 8:52 AM
>Subject: Re: Rogue Wireless LANs [7:47287]
>
>
>>  The problem that I am coming across is that some of my customers take
>>  the wireless gear outta the box and plug it in, and when they figure
>>  that it works with factory defaults they leave it alone... then all of a
>>  sudden someone pulls up in the front yard and starts snooping around.
>>
>>  One thing you can do is WEP, and depending on the vendor try some
>>  filtering by MAC, SSID, or protocol...
>>
>>  You will have to do some serious lockdown measures when it's an internal
>>  user as opposed to outside users...
>>
>>  But like the last email stated, if things get bad use NetStumbler, but
>>  be careful; from the last I heard it works with only some wireless
>>  cards...
>>
>>  >From: "Patrick Donlon"
>>  >Reply-To: "Patrick Donlon"
>>  >To: [EMAIL PROTECTED]
>>  >Subject: Rogue Wireless LANs [7:47287]
>>  >Date: Mon, 24 Jun 2002 11:48:48 -0400
>>  >
>>  >I've just found a wireless LAN set up by someone in the building, I
>>  >found it by chance when I was checking something with a colleague from
>>  >another dept. The WLAN has zero security, which is not a surprise, and
>>  >lets the user into the main LAN in the site with a DHCP address served
>>  >up too! Does anyone have any tips on preventing users and depts who
>>  >don't think about security from plugging whatever they like into the
>>  >network?
>>  >
>>  >Cheers
>>  >
>>  >Pat
>>  >
>>  >--
>>  >
>>  >email me on : [EMAIL PROTECTED]

RE: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Dan Penn

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Dan Penn
Sent: Tuesday, June 25, 2002 11:33 AM
To: [EMAIL PROTECTED]
Subject: RE: Rogue Wireless LANs [7:47287]

You have given me an idea.  All I need is a laptop now =)  I would go
war driving in the area to specifically find businesses running
unsecured wireless.  I bet I would find some businesses that didn't even
know they were running wireless such as this thread started out.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Stephen Manuel
Sent: Tuesday, June 25, 2002 10:02 AM
To: [EMAIL PROTECTED]
Subject: Re: Rogue Wireless LANs [7:47287]

Neil and others,

Recently I installed in my home a Linksys wireless router/switch/AP, it
works great, yes I have WEP enabled.

After installing the equipment, I became really interested in wireless
networking, reading some books, looking for a certification track,
scouring websites, etc...

I downloaded NetStumbler and acquired all the necessary equipment to do
some serious wardriving. I've logged over 300 APs, mapped them using
Stumverter and MS MapPoint 2002; it gets down to what side of the street
the AP was on. Just to add a little spice to the situation, I've got
NetStumbler to play a .wav file when it finds an AP.

Amazingly, 75% of the APs I've found don't have WEP enabled. A rather
large number of the APs use the company name as the SSID or use the
vendor default SSID, i.e. tsunami for Cisco.

I'm convinced this whole area of wireless networking is wide open to be
farmed for business. I've been trying to formulate a business plan to
approach businesses to help them install a wireless infrastructure
properly and set up security measures for those companies already in the
wireless business without implementing security.

What my research has shown me so far is that without upper management's
support for strict policies with regards to the installation of APs, the
company is playing a game of Russian roulette because the current
wireless implementation is FULL of security holes.

Depending on how much security you want to implement, here's what I would
recommend.

Enable WEP - however AirSnort, a Linux utility, can crack WEP in a
relatively short time.

Disable the SSID broadcast - most APs have this option; this will prevent
NetStumbler from picking up the presence of the AP, which makes it a
little more difficult to associate with the AP. Kismet is a Linux utility
that will still detect the presence of the AP by passively sniffing for
the wireless packets.

MAC filtering - enable it, but most APs and wireless cards allow you to
spoof the MAC address, meaning a wireless sniffer like Ethereal can sniff
out a few MAC addresses and a hacker can use one to gain access.

Place the AP outside of the firewall.

Create VPN access for those wireless clients needing access to internal
servers.

I'm sure others have done work in this area and can add to the
discussion.

BTW, interestingly enough, of the first 3 companies I approached about
the unsecure APs, 1 denied having wireless networking installed and 2
ignored me.

HTH,

Stephen Manuel




- Original Message -
From: "Neil Borne" 
To: 
Sent: Tuesday, June 25, 2002 8:52 AM
Subject: Re: Rogue Wireless LANs [7:47287]


> The problem that I am coming across is that some of my customers take
> the wireless gear outta the box and plug it in, and when they figure
> that it works with factory defaults they leave it alone... then all of a
> sudden someone pulls up in the front yard and starts snooping around.
>
> One thing you can do is WEP, and depending on the vendor try some
> filtering by MAC, SSID, or protocol...
>
> You will have to do some serious lockdown measures when it's an internal
> user as opposed to outside users...
>
> But like the last email stated, if things get bad use NetStumbler, but
> be careful; from the last I heard it works with only some wireless
> cards...
>
> >From: "Patrick Donlon"
> >Reply-To: "Patrick Donlon"
> >To: [EMAIL PROTECTED]
> >Subject: Rogue Wireless LANs [7:47287]
> >Date: Mon, 24 Jun 2002 11:48:48 -0400
> >
> >I've just found a wireless LAN set up by someone in the building, I
> >found it by chance when I was checking something with a colleague from
> >another dept. The WLAN has zero security, which is not a surprise, and
> >lets the user into the main LAN in the site with a DHCP address served
> >up too! Does anyone have any tips on preventing users and depts who
> >don't think about security from plugging whatever they like into the
> >network?
> >
> >Cheers
> >
> >Pat
> >
> >--
> >
> >email me on : [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47406&t=47287

Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Richard Tufaro

OK, good answers on some, but you tap around a few things...

1) Why no comments? Do competent administrators not need any comments to
tell you what the rules are doing and where they are going (or not going)?
2) I don't get that part... change the name of the access-list... no, not an
instant change, there is a second step of applying it to the interface. Let
me see... 4 step process to change a rule.
3) I understand the IOS access-lists (which 5.1? PIX just recently
introduced). Still the administration is a pain. All I'm doing is making
access-lists... big deal. What does PIX get you there? "ASA" and "stateful"
inspection.
4) I meant command completion... just a little thing. Like when I'm typing: >
object-group network. I want to be able to type obje, TAB and then the IOS
completes the command. This is not being "competent", this is being
efficient.
5) On what basis do you say that the 535 will blow Checkpoint out of the
water? Because of speed? Dude, little secret: if you take Windows... and
strip it to DOS... it's going to smoke. And please don't harp about doing
things "properly". Because when you say "properly" you mean the Cisco way.
Hate to tell you, but they take "standards" all the time and fit them to
their devices.

To sum it up on your last comment let me say this. A FIREWALL is only as
good as its configuration. That being said, if I can mitigate the risk of
making a configuration mistake by having a "user friendly" way of doing it,
I don't see why that is so wrong. While I agree that a firewall should not
be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
firewall sometimes makes sense for:

outside address conservation (all MX records for example are routed back to
one IP on the outside then relayed to internal hosts). Oh, and PIX does do a
cheeseball implementation of this (Mailguard). Which has a tendency to suck
as far as I have seen (can't do ESMTP?! What's with that?)

I have worked on CyberGuards for a long time... they are SCO Unix. You want
to learn a little something about the backend of a firewall, get on the
command line on one of those and go... powerful but tricky. I don't mean to
come off crass because I'm not trying to... just some arguments to throw
back..

>>> "Roberts, Larry"  06/25 12:51 PM >>>
1) Not that I am aware of.
2) Change the access-list name and paste it to the firewall. Then just
change the access-group statement to the new one. It's an instant change.
3) I think you're on crack. If you're using access-lists on all interfaces
(you are, aren't you???) then there is an implicit deny any any at the end.
I find many people who put a permit ip any any for the inside access-list.
While it makes administration much easier, it also is a BAD practice.
Remember we want to explicitly approve ports, not explicitly deny. You would
be surprised at the small number of ports that really need to be open!
4) This is a security device. You should always type the full command. I
don't want to take any chances of typing one thing and the PIX taking it as
another. I realize that you should know exactly what command you're
entering, but hey, not everyone is competent on the PIX, so no chances.
5) Where did you get that info? The PIX 535 will absolutely blow any
Checkpoint device out of the water. Not to mention that Checkpoint still
hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
recently made to be a small lightweight FW with the 501. I don't know about
you, but I want a firewall to do one thing and one thing only. I don't want
a FW that is also a mail gateway, DNS server and whatnot that so many
devices try to be now.

Many FWs are made to be user friendly, and cover the backend stuff that
really happens. The PIX didn't take that approach. They want someone to
understand what they are doing, and putting a pretty GUI on it will only
lead to people who shouldn't be administering it administrating it.
That is why I completely disagree with the PDM.

I'm not directing these comments at you in particular so please don't take
them that way. I'm only saying that we need to realize exactly what a FW
should do, and what it should not. We also need to realize exactly how a FW
works, not how the GUI works!

I agree it is a completely different interface, but if you are used to the
IOS interface, it will come quickly and you will never look back.

But, this is just my opinion!

Thanks

Larry
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 11:51 AM
To: [EMAIL PROTECTED] 
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcoming of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing. Now don't get me wrong you can look at the
rule and its pretty straight f
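The two PIX points argued back and forth above (Larry's "implicit deny at the end, don't put permit ip any any on the inside", and his trick of pasting a renamed list and repointing access-group rather than putting a "no" in front of every line) look like this in PIX 6.x syntax. This is an added example, not a configuration from any poster or from Cisco: the hostnames and addresses are made up (10.1.1.0/24 inside, 10.1.1.5 an internal DNS forwarder, 10.1.1.10 a mail relay), the "!" lines are for the reader and should be stripped before pasting, and the exact clear syntax should be checked against the command reference for the release in use.

```text
! Added example, not from the thread. Addresses are made up: 10.1.1.0/24 is
! the inside network, 10.1.1.5 the internal DNS forwarder, 10.1.1.10 the mail
! relay. PIX 6.x masks are ordinary subnet masks, not IOS wildcard masks.
! Strip the "!" lines before pasting; the PIX keeps no comments.

! Weak but common inside policy: everything out, NetBIOS included.
access-list inside_out permit ip any any
access-group inside_out in interface inside

! Explicit outbound policy. Only listed flows pass; anything else, including
! udp/137-138 and tcp/139, hits the implicit deny at the end of the list.
access-list inside_out_v2 permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list inside_out_v2 permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_out_v2 permit tcp host 10.1.1.10 any eq smtp
access-list inside_out_v2 permit udp host 10.1.1.5 any eq domain
access-list inside_out_v2 deny ip any any

! Replacing the active list without a "no" in front of every old line: build
! the new list under a new name, then repoint access-group. The interface
! holds one access-group, so re-entering it swaps the whole policy at once.
access-group inside_out_v2 in interface inside

! Remove the now-unreferenced old list (verify the clear syntax for your
! release before running it).
clear access-list inside_out
```

The point of the second list is not the particular ports but the shape: every permit names a source host or subnet and a destination port, and the trailing deny is only there to make the implicit one visible in show access-list. The swap works because a PIX interface carries one access-group; the old list is harmless once nothing references it, and the paste-append behaviour Richard complains about never comes into play because the new lines go under a name that did not exist yet.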

Help with RSP4+ and normal boot sequence in a 7 [7:47408]

2002-06-25 Thread David j

Hi boys!
I'm having problems with a 7500 I upgraded a few weeks ago. When I type sh
ver on the other 7500s that I have, I can see these lines:
---xx---
Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-IK8SV-M), Version 12.2(7a), RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 21-Feb-02 04:23 by pwade
Image text-base: 0x600109C8, data-base: 0x6179A000
ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)
BOOTLDR: RSP Software (RSP-BOOT-M), Version 12.2(7a), RELEASE SOFTWARE (fc2)
---xx---
However when I do the same on the problematic router I can see the
following:

Cisco Internetwork Operating System Software
IOS (tm) RSP Software (RSP-JK8SV-M), Version 12.2(7c), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Sat 11-May-02 11:02 by pwade
Image text-base: 0x600109C8, data-base: 0x61B28000
ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)

So as you can see, there is no reference to the BOOTLDR. I've talked with
the boys at TAC and they haven't got any solution (I've rebooted the router
4 or 5 times, upgraded and downgraded the software).
Does anybody know what the correct process is for booting a 7500 with an
RSP4+? Cisco says that the RSP4+ boots the main image directly without
loading the bootflash, but I have 7 routers loading the bootflash before
loading the main image.



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47408&t=47408



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Shawn Heisey

> Question: Is Cisco's LEAP better than WEP? Does it have the same purpose
> but without some of the issues? I should know this, but I don't use Cisco
> for wireless (shame, shame).

It's not that it's better than WEP, it just provides reasonably secure
authentication and a bandaid for WEP's security issues.

Using LEAP or EAP-TLS provides a dynamic unicast WEP key.  If you
specify RADIUS attribute 27 (Session-Timeout) then the connection will
be cut after that many seconds.  When it reauthenticates, a new WEP key
is in place.

Thanks,
Shawn




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47413&t=47287
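The WEP weakness that several posts in this thread lean on (Stephen Manuel's "airsnort ... can crack wep", and the dynamic-key replies from John Golovich and Shawn Heisey) comes down to RC4 keystream reuse under a 24-bit IV and a shared key that never changes. The script below is an added example and is not code from any of the posters or from Cisco: the keys, IVs and frame payloads are constructed, the WEP CRC-32 ICV is left out, and what it demonstrates is keystream reuse (one frame with known plaintext decrypts another frame sent under the same IV), not the FMS weak-IV key-recovery attack that AirSnort implements.

```python
"""Added example, not from the thread: WEP keystream reuse under a static key.

WEP keys RC4 with IV || shared_key, sends the 24-bit IV in the clear and XORs
the RC4 keystream over the payload. Every frame sent under the same (IV, key)
pair therefore uses the same keystream, so one frame with known plaintext
leaks the keystream and decrypts the others. This is keystream reuse, not the
FMS weak-IV key-recovery attack that AirSnort implements. Keys, IVs and
payloads are constructed; the WEP ICV (CRC-32) is omitted since it does not
change the point.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA); returns `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(shared_key: bytes, iv: int, payload: bytes) -> bytes:
    """Return IV (3 bytes, cleartext) || RC4(IV || key) XOR payload."""
    iv_bytes = iv.to_bytes(3, "little")
    ks = rc4_keystream(iv_bytes + shared_key, len(payload))
    return iv_bytes + bytes(p ^ k for p, k in zip(payload, ks))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: re-derive the keystream from the cleartext IV."""
    iv_bytes, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv_bytes + shared_key, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Attacker step 1: ciphertext XOR known plaintext = keystream for this IV.
    Known plaintext is easy to obtain (fixed LLC/SNAP header, an ARP request
    the attacker provoked, a DHCP exchange)."""
    body = frame[3:3 + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(body, known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Attacker step 2: apply the recovered keystream to any other frame
    captured under the same IV. No knowledge of the key is needed."""
    body = frame[3:3 + len(keystream)]
    return bytes(c ^ k for c, k in zip(body, keystream))


def expected_frames_until_iv_repeat(iv_bits: int = 24) -> float:
    """Birthday bound for randomly chosen IVs: about sqrt(pi/2 * 2^24), i.e.
    roughly 5100 frames. Cards that count IVs sequentially wrap after 2^24
    frames instead. Either way a busy AP reuses IVs within hours, and under
    static WEP the key behind those IVs never changes."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"   # fixed header of an ARP frame
LLC_SNAP_IP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"    # fixed header of an IP frame


def keystream_reuse_attack(key_a: bytes, key_b: bytes, iv: int = 0x3A7F01) -> bytes:
    """Frame A (under key_a) has fully known plaintext; frame B (under key_b)
    carries a secret and reuses the same IV. Returns what the attacker recovers
    of frame B. With key_a == key_b (static WEP) that is the secret itself;
    after a rekey (key_b != key_a) the same IV gives a different keystream and
    the result is noise."""
    known = LLC_SNAP_ARP + b"ARP who-has 10.1.1.1 (constructed)"
    secret = LLC_SNAP_IP + b"GET /payroll HTTP/1.0 (constructed)"
    frame_a = wep_encrypt(key_a, iv, known)
    frame_b = wep_encrypt(key_b, iv, secret)
    ks = recover_keystream(frame_a, known)        # derived from frame A only
    return decrypt_with_keystream(frame_b, ks)


STATIC_KEY = bytes.fromhex("0123456789abcdef0123456789")   # constructed 104-bit key
ROTATED_KEY = bytes.fromhex("fedcba9876543210fedcba9876")  # key after an EAP rekey


def main() -> None:
    print("static key, reused IV :", keystream_reuse_attack(STATIC_KEY, STATIC_KEY))
    print("rotated key, same IV  :", keystream_reuse_attack(STATIC_KEY, ROTATED_KEY))
    print("frames until an IV repeat (random IVs): %.0f" % expected_frames_until_iv_repeat())


if __name__ == "__main__":
    main()
```

Run as a script it prints the recovered HTTP request under the static key and garbage after the key is rotated, which is the property the Session-Timeout rekeying in Shawn's post buys: the IV space is just as small, but the key behind it changes before an attacker has collected many frames under one key.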



ISDN Problem [7:47411]

2002-06-25 Thread George Sherman

I have two routers connected through an ISDN switch.
System image file is "flash:c2500-js56i-l.121-12.bin"
 
When I change the address to 135.11.35.0/24 I cannot ping. I verified
that the call went through:
R11R3#ping 135.11.35.2
 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 135.11.35.2, timeout is 2 seconds:
.
Success rate is 0 percent (0/5)
R11R3#sh isdn act


ISDN ACTIVE CALLS


Call    Calling  Called   Remote  Seconds Seconds Seconds Charges
Type    Number   Number   Name    Used    Left    Idle    Units/Currency


In      8995101  8995201          36      114     5


 
If I change the address to 135.11.35.0 /27 it works well, and if I change
to 135.110.35.0 /24 it works. I am puzzled; any ideas?
 
 
R11R3#sh run int bri0
Building configuration...
 
Current configuration : 182 byte
!
interface BRI0
 ip address 135.11.35.1 255.255.255.0
 dialer string 8995101
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 8995201 8995201
 isdn spid2 8995202 8995202
end
 
 
R11R4#sh run int bri0
Building configuration...
 
Current configuration : 182 bytes
!
interface BRI0
 ip address 135.11.35.2 255.255.255.0
 dialer string 8995201
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 8995101 8995101
 isdn spid2 8995102 8995102
end
 
 
 
HERE IS THE COMPLETE CONFIGURATION:
R11R3#sh run
Building configuration...
 
Current configuration : 1967 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R11R3
!
enable secret 5 $1$LX3.$7TGAHxWdu5Zw8iWCkIHhf1
enable password lab
!
username r4 password 0 r4
!
!
!
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
ip host R11R1 135.11.1.1
ip host R11R3 135.11.3.3
ip host R11R4 135.11.4.4
ip host R11R6 135.11.6.6
ip host R11R7 135.11.7.7
ip host R11R8 135.11.8.8
ip host R11R16 135.11.16.16
!
isdn switch-type basic-5ess
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 135.11.34.5
!
!
crypto ipsec transform-set tor7 esp-des
!
crypto map toR7 10 ipsec-isakmp
 set peer 135.11.34.5
 set transform-set tor7
 match address 101
!
!
!
!
interface Loopback0
 ip address 135.11.3.3 255.255.255.0
!
interface Loopback2
 no ip address
!
interface Ethernet0
 ip address 135.11.56.3 255.255.255.0
 crypto map toR7
!
interface Serial0
 no ip address
 shutdown
 no fair-queue
!
interface Serial1
 no ip address
 shutdown
!
interface Serial2
 no ip address
 shutdown
!
interface Serial3
 no ip address
 shutdown
!
interface BRI0
 ip address 135.11.35.1 255.255.255.0
 dialer string 8995101
 dialer-group 1
 isdn switch-type basic-ni
 isdn spid1 8995201 8995201
 isdn spid2 8995202 8995202
!
router igrp 10
 network 135.11.0.0
!
ip classless
ip http server
!
access-list 101 permit ip host 135.11.3.3 host 135.11.7.7
dialer-list 1 protocol ip permit
!
alias exec ct config t
alias exec sc show controllers serial
alias exec sci show cdp interface
alias exec scn sh cdp neighbor
alias exec sip show ip route
alias exec sipx show ipx route
alias exec cip clear ip route *
alias exec cib clear ip bgp *
alias exec sib show ip bgp
!
line con 0
 exec-timeout 0 0
 password lab
 logging synchronous
 login
line aux 0
 exec-timeout 0 0
 password lab
 logging synchronous
 login
line vty 0 4
 exec-timeout 0 0
 password lab
 logging synchronous
 login
!
end
 
R11R3#
 
R11R4#sh run
Building configuration...
 
Current configuration : 2781 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R11R4
!
enable secret 5 $1$wnCW$4qHyuNAOZk3Z2FYnq7IUG0
enable password lab
!
username cisco password 0 cisco
username r3 password 0 cisco
!
!
!
!
ip subnet-zero
ip tcp synwait-time 5
no ip domain-lookup
ip host R11R1 135.11.1.1
ip host R11R3 135.11.3.3
ip host R11R6 135.11.6.6
ip host R11R7 135.11.7.7
ip host R11R8 135.11.8.8
ip host R11R16 135.11.16.16
ip host R11R4 135.11.4.4
!
isdn switch-type basic-5ess
!
!
!
!
!
interface Loopback0
 ip address 135.11.4.4 255.255.255.0
!
interface Ethernet0
 ip address 135.11.36.4 255.255.255.240
!
interface Serial0
 ip address 135.11.14.4 255.255.255.224
 ip rip send version 2
 no fair-queue
 clockrate 64000
!
interface Serial1
 bandwidth 64000
 ip address 135.11.34.4 255.255.255.248
 encapsulation frame-relay
 ip ospf priority 0
 frame-relay map ip 135.11.34.3 403 broadcast
 frame-relay map ip 135.11.34.5 401 broadcast
 frame-relay lmi-type ansi
!
interface Serial2
 no ip address
 shutdown
!
interface Serial3
 no ip address
 shutdown
!
interface BRI0
 ip address 135.11.35.2 255.255.255.0
 dialer string 8995201
 di

Fw: WHEN WILL CCIE 350-001 EXPIRE [7:47184]

2002-06-25 Thread Shaheen Gagan

- Original Message -
From: " Shaheen Gagan" 
To: "Clark Jason" 
Cc: 
Sent: Tuesday, June 25, 2002 1:04 PM
Subject: Re: WHEN WILL CCIE 350-001 EXPIRE [7:47184]


> These are just assumptions, there is no official
> date as of yet, I just talked to PROMETRIC,
> they are not even aware... there is a new version coming
> out, they said they have not received any such notice
> from CISCO.
>
> - Original Message -
> From: "Clark Jason" 
> To: 
> Sent: Tuesday, June 25, 2002 8:17 AM
> Subject: RE: WHEN WILL CCIE 350-001 EXPIRE [7:47184]
>
>
> > So officially, 7/31 is the last day that you can register to take the
> > 350-001 version of the exam??? Is that correct??? I have heard no one
> > explicitly say that.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47412&t=47184



Re: FYI Cisco Press sale [7:47383]

2002-06-25 Thread Mike Mandulak

Just as a follow up since a couple of people asked directly... The sale books
are only available in the stores on separate sale racks near the book
section; they are not available through their web site.

There were a few books that they didn't have that I still want (I.I. Top
Down Network Design) so I'm going to visit a third store in the CT area
that's near my sister's house and I'll have to jump into her pool with her
kids and cook some burgers on the grill while I'm in the vicinity :-)


- Original Message -
From: "Mike Mandulak" 
To: 
Sent: Tuesday, June 25, 2002 10:39 AM
Subject: FYI Cisco Press sale [7:47383]


> CompUSA is doing a close out sale of all of its Cisco Press books (amongst
> others). I picked up a dozen books (that I've wanted for a while) from 2
> different stores for US $260; normally the collection would have run $680.
>
> MikeM
> [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47410&t=47383



Re: WHEN WILL CCIE 350-001 EXPIRE [7:47184]

2002-06-25 Thread Shaheen Gagan

These are just assumptions, there is no official
date as of yet, I just talked to PROMETRIC,
they are not even aware... there is a new version coming
out, they said they have not received any such notice
from CISCO.

- Original Message -
From: "Clark Jason" 
To: 
Sent: Tuesday, June 25, 2002 8:17 AM
Subject: RE: WHEN WILL CCIE 350-001 EXPIRE [7:47184]


> So officially, 7/31 is the last day that you can register to take the
> 350-001 version of the exam??? Is that correct??? I have heard no one
> explicitly say that.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47409&t=47184



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) I can look at every single ACL entry and tell you what it's doing. I don't
use comments in a router either, but that's my preference...
I understand your point, but I want my ACLs to be as short as possible.

2) How I do it, and I have a 200-300 line ACL: if I want to change it, I copy
the existing ACL into Notepad. I then change the case ACL->acl or
vice versa. I make the changes to the new ACL that I created and copy that
back to the firewall. There are then 2 ACLs on the firewall: the running
ACL, and the one that I want to apply. I change the access-group command
(there can only be 1 per interface, so no need to remove the old one, just type
in the new one) and it's done. The PIX goes directly from 1 list to the
other. It doesn't kill any existing sessions or even cause a hiccup.

3) access-lists get you a more "IOS like" interface. You can still use
conduits if you wish, but ACLs are the way of the future.

4) Understood. I guess they want you to type out the full command, but I'm
just guessing.

5) Raw throughput. Dude, if you want raw speed, you wouldn't use a DOS based
system at all. When you talk about small and lightweight, what did you mean
then? I want a FW to do encryption/decryption and raw packet throughput as
fast as possible. What does the GUI give you other than a pretty UI? Does it
make the FW more secure? Does it give it more features? It adds nothing and
slows it down. If you don't care about performance, then grab that old 486
and run Linux on it. It would be secure, and with the newest X Windows, would
give you a pretty interface to administer it. Performance would suck, but you
don't care about that.

5) Up until the latest version of Checkpoint, it would not allow you to do IP
NAT prior to tunnelling for the entire routable space (class A - C).

I would advise that you read up on the mail guard feature. It does NOT act
as an SMTP relay/proxy. It acts as an SMTP filter. It prevents non-RFC
commands (READ ESMTP) from passing through the FW. By blocking ESMTP
commands it's doing exactly what it should. That's not a tendency to suck,
that's a tendency to protect your networks from ESMTP attacks. I would
complain bitterly if I didn't have the ability to block ESMTP commands. Do
any others give you that ability? (I don't know anymore)

A FW should be a FW, and that's it. Why add a feature (SMTP) that may have
a bug in it? The reason that a PIX has never been hacked is because they
have avoided the do all/be all approach that throws too many variables into
the mix.


Thanks

Larry
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


OK, good answers on some, but you tap around a few things...

1) Why no comments? Do competent administrators not need any comments to
tell you what the rules are doing and where they are going (or not going)?
2) I don't get that part... change the name of the access-list... no, not an
instant change, there is a second step of applying it to the interface. Let
me see... a 4-step process to change a rule.
3) I understand the IOS access-lists (which 5.1? PIX just recently
introduced). Still the administration is a pain. All I'm doing is making
access-lists... big deal. What does PIX get you there? "ASA" and "stateful"
inspection.
4) I meant command completion... just a little thing. Like when I'm typing
object-group network, I want to be able to type obje, TAB, and then have the
IOS complete the command. This is not being "competent", this is being
efficient.
5) On what basis do you say that the 535 will blow Checkpoint out of the
water? Because of speed? Dude, little secret: if you take Windows... and strip
it to DOS... it's going to smoke. And please don't harp about doing things
"properly". Because when you say "properly" you mean the Cisco way. Hate to
tell you, but they take "standards" all the time and fit them to their
devices.

To sum it up on your last comment let me say this. A FIREWALL is only as
good as its configuration. That being said, if I can mitigate the risk of
making a configuration mistake by having a "user friendly" way of doing it,
I don't see why that is so wrong. While I agree that a firewall should not
be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
firewall sometimes makes sense for:

outside address conservation (all MX records for example are routed back to
one IP on the outside then relayed to internal hosts). Oh, and PIX does do a
cheeseball implementation of this (mailguard). Which has a tendency to suck as
far as I have seen (can't do ESMTP?! What's with that?)

I have worked on CyberGuards for a long time... they are SCO Unix. You want
to learn a little something about the backend of a firewall, get on the
command line on one of those and go... powerful but tricky. I don't mean to
come off crass because I'm not trying to... just some arguments to throw
back...

>>> "Roberts, Larry"  06/25 12:

IGRP Routes - Classless Networks with Tunnels [7:47415]

2002-06-25 Thread Ed

How feasible is this, and has anyone tried it?

R1 is connected to R2... in my case, it is an Ethernet link.
The link is on the 172.16.64.0 network with a 24 bit mask.

R1 has several subnets in the 172.16 major network, but with different
masks. In my case, 24, 28 and 29 bit masks.

R2 sees all of the networks with the 24 bit masks, but drops the networks
with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of
SUMMARIZATION.

If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit
mask, the networks with the 29 bit masks show on R2.

As soon as I create the second tunnel to take care of the 28 bit masks, the
/29 routes disappear and the /28 doesn't make it.

On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work? Am I missing something?
Again, the goal is to get the networks with the specified subnet to appear
on R2 without summarization. Comments are appreciated.

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47415&t=47415



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Stephen Manuel

Tom,

I'm not speaking in jest; I have used netstumbler to find wireless networks
that are wide open, some are in major companies.

However, I turn off my client manager before I go wardriving, that way I
don't accidentally connect to someone's network without authorization. I
can't see how this is considered hacking.

When I initially approached the 3 companies I mentioned earlier, I had
developed a 3-page document on the ease of implementation of wireless
networks and the inherent security risks associated with wireless networks.
I didn't mention to any of the 3 that I had already detected their networks
and how wide open they really were.

I am toying with the idea of sending specific information to them about
their wireless networks, like the MAC address of the AP, the SSID, the
network name, the exact location on a map of the AP, the manufacturer of the
AP, if WEP is turned on, plus if I really want to get serious I could tell
them if the AP is issuing IP addresses via DHCP and their network settings
if it is.

The question I have is, would the company be happy to know that they have
security holes and were alerted to it, would they threaten me by calling law
enforcement, or would they ignore me as a nut or go and fix the problem
without hiring me to do it for them?

I was simply amazed at the sheer number of APs out there and how many were
in businesses wide open.

Stephen Manuel






- Original Message -
From: "Thomas E. Lawrence" 
To: 
Sent: Tuesday, June 25, 2002 2:09 PM
Subject: Re: Rogue Wireless LANs [7:47287]


> I realize you are speaking in jest, but for those who might consider this
> approach as a means of drumming up business, you may want to give some
> thought.
>
> Connecting to a network to which you have no reason nor any right to
> connect can be considered hacking, and you could be subject to prosecution,
> ironically by an organization that is asking for trouble anyway. Just
> because I don't have locks on my doors does not mean it's ok for you to
> walk into my home any time you please.
>
> Please be careful how you approach a company when you have discovered by
> accident a particularly egregious vulnerability.
>
> Tom
>
>
> ""Dan Penn"" wrote in message
> news:[EMAIL PROTECTED]...
> > You have given me an idea.  All I need is a laptop now =)  I would go
> > war driving in the area to specifically find businesses running
> > unsecured wireless.  I bet I would find some businesses that didn't even
> > know they were running wireless such as this thread started out.
> >
> > Dan
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > Stephen Manuel
> > Sent: Tuesday, June 25, 2002 10:02 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Rogue Wireless LANs [7:47287]
> >
> > Neil and others,
> >
> > Recently I installed in my home a Linksys wireless router/switch/AP; it
> > works great, yes I have WEP enabled.
> >
> > After installing the equipment, I became really interested in wireless
> > networking, reading some books, looking for a certification track,
> > scouring websites, etc...
> >
> > I downloaded netstumbler and acquired all the necessary equipment to do
> > some serious wardriving. I've logged over 300 APs, mapped them using
> > Stumverter and MS Mappoint 2002; it gets down to what side of the street
> > the AP was on. Just to add a little spice to the situation, I've got
> > netstumbler to play a .wav file when it finds an AP.
> >
> > Amazingly, 75% of the APs I've found don't have WEP enabled. A rather
> > large number of the APs use the company name as the SSID or use the vendor
> > default SSID, i.e. tsunami for Cisco.
> >
> > I'm convinced this whole area of wireless networking is wide open to be
> > farmed for business. I've been trying to formulate a business plan to
> > approach businesses to help them install a wireless infrastructure
> > properly and set up security measures for those companies already in the
> > wireless business without implementing security.
> >
> > What my research has shown me so far is that without upper management's
> > support for strict policies with regards to the installation of APs the
> > company is playing a game of Russian roulette because the current
> > wireless implementation is FULL of security holes.
> >
> > Depending on how much security you want to implement here's what I would
> > recommend.
> >
> > Enable WEP - however airsnort, a Linux utility, can crack WEP in a
> > relatively short time
> >
> > Disable the SSID Broadcast - most APs have this option; this will
> > prevent netstumbler from picking up the presence of the AP, which makes it
> > a little more difficult to associate with the AP. Kismet is a Linux
> > utility that will still detect the presence of the AP by passively
> > sniffing for the wireless packets.
> >
> > MAC Filtering - enable it but most AP and Wireless cards allow you to
>

RE: Help with RSP4+ and normal boot sequence in a 7 [7:47408]

2002-06-25 Thread Daniel Cotts

If you do a "show boot" is there any value for the BOOTLDR variable - on
either the questionable router or the others? My guess is that you have a
"boot bootldr filename" line in your config for those that show a boot
image. Second guess is that the questionable router doesn't have any
bootflash.
Please post your solution to the list.

> -Original Message-
> From: David j [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 1:39 PM
> To: [EMAIL PROTECTED]
> Subject: Help with RSP4+ and normal boot sequence in a 7 [7:47408]
> 
> 
> Hi boys!
> I'm having problems with a 7500 I have upgraded a few weeks 
> ago. When I type
> sh ver on the other 7500s that I have, I can see these lines:
> ---xx---
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-IK8SV-M), Version 12.2(7a), 
> RELEASE SOFTWARE (fc2)
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Thu 21-Feb-02 04:23 by pwade
> Image text-base: 0x600109C8, data-base: 0x6179A000
> ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)
> BOOTLDR: RSP Software (RSP-BOOT-M), Version 12.2(7a), RELEASE 
> SOFTWARE (fc2)
> ---xx---
> However when I do the same on the problematic router I can see the
> following:
> 
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-JK8SV-M), Version 12.2(7c), 
> RELEASE SOFTWARE (fc1)
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Sat 11-May-02 11:02 by pwade
> Image text-base: 0x600109C8, data-base: 0x61B28000
> ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)
> 
> So as you can see, I can't see any reference to the BOOTLDR. 
> I've talked
> with the boys at TAC and they haven't got any solution (I've 
> rebooted the
> router 4 or 5 times, upgraded and downgraded the software)
> Does anybody know what the correct process is for booting a 7500 
> with an RSP4+?
> Cisco says that RSP4+ boots the main image directly without 
> loading the
> bootflash, but I have 7 routers loading the bootflash before 
> loading the
> main image.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47417&t=47408



Re: PIX Problem [7:47363]

2002-06-25 Thread John Kaberna

You cannot filter using FQDN.  You can use websense to block certain URL's
though.



""Mamoon Dawood"" wrote in message
news:[EMAIL PROTECTED]...
> Dear All,
>
> In the PIX firewall, can I make an access list using the FQDN (e.g.
> www.yahoo.com) instead of using an IP address, since I want to permit
> users to enter only some sites?
> I think the problem is that we cannot configure a name server.
>
> Kindest Regards,
> Mamoon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47418&t=47363



Re: CSS1 exams [7:47308]

2002-06-25 Thread John Kaberna

Shahid is absolutely right.  You do not need to go to training for this.
The MCNS, PIX, and VPN exams are pretty easy if you read the CP books and
have some experience with them.  For IDS you can pass using just the Cisco
Press book if you have a good memory.  You're better off getting an NT4
server and downloading an eval copy of CSPM to get comfy with the GUI.  If
you really have trouble with the IDS part you should consider finding out
how to build an IDS Sensor out of a Solaris box.  It can be done.  :)


""Shahid Muhammad Shafi"" wrote in message
news:[EMAIL PROTECTED]...
> Trust me, u dont need classes. Just study 4 books from Cisco Press and ull
> do it fine. I passed 3 exams in 15 days and only one to go. If u appear
> for MCNS, 95% CSVPN is covered and 75% Pix is covered. For IDS i am myself
> studying.
>
> Shahid
> "[EMAIL PROTECTED]" wrote: Since I can't get my cheap company to send me
> to classes, I have to do self-study to get my Cisco Security Specialist
> Certification. Does anyone have any suggestion which books would help for
> each of the exams?
>
> Thank you in advance,
>
> Joy
> Shahid Muhammad Shafi
> "Every man dies; not every man really lives"
>
> remember, if God bringz u 2 it, He WILL bring u thru it!!!-
>
> Please help feed hungry people worldwide http://www.hungersite.com/
> A small thing each of us can do to help others less fortunate than
ourselves
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47419&t=47308



Re: ISDN Problem [7:47411]

2002-06-25 Thread Chuck

135.11.35.0/24 is a network address, and not a valid host address. I'm
surprised that the IOS actually lets you enter it onto an interface.



""George Sherman"" wrote in message
news:[EMAIL PROTECTED]...
> I have two routers connected through an ISDN switch.
> System image file is "flash:c2500-js56i-l.121-12.bin"
>
> When I change the address to 135.11.35.0 /24  I can not ping. I verified
> that the call went through
> 11R3#ping 135.11.35.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 135.11.35.2, timeout is 2 seconds:
> .
> Success rate is 0 percent (0/5)
> R11R3#sh isdn act
> 
> 
> ISDN ACTIVE CALLS
> 
> 
> CallCalling  Called   Remote  Seconds Seconds Seconds
> Charges
> TypeNumber   Number   NameUsedLeftIdle
> Units/Currency
> 
> 
> In  8995101 899520136 114   5
> 
> 
>
> If I change the address to 135.11.35.0 /27 it works well, and if I change
> to 135.110.35.0 /24 it works. I am puzzled; any ideas?
>
>
> R11R3#sh run int bri0
> Building configuration...
>
> Current configuration : 182 byte
> !
> interface BRI0
>  ip address 135.11.35.1 255.255.255.0
>  dialer string 8995101
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 8995201 8995201
>  isdn spid2 8995202 8995202
> end
>
>
> R11R4#sh run int bri0
> Building configuration...
>
> Current configuration : 182 bytes
> !
> interface BRI0
>  ip address 135.11.35.2 255.255.255.0
>  dialer string 8995201
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 8995101 8995101
>  isdn spid2 8995102 8995102
> end
>
>
>
> HERE IS THE COMPLETE CONFIGURATION:
> R11R3#sh run
> Building configuration...
>
> Current configuration : 1967 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R11R3
> !
> enable secret 5 $1$LX3.$7TGAHxWdu5Zw8iWCkIHhf1
> enable password lab
> !
> username r4 password 0 r4
> !
> !
> !
> !
> ip subnet-zero
> ip tcp synwait-time 5
> no ip domain-lookup
> ip host R11R1 135.11.1.1
> ip host R11R3 135.11.3.3
> ip host R11R4 135.11.4.4
> ip host R11R6 135.11.6.6
> ip host R11R7 135.11.7.7
> ip host R11R8 135.11.8.8
> ip host R11R16 135.11.16.16
> !
> isdn switch-type basic-5ess
> !
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 135.11.34.5
> !
> !
> crypto ipsec transform-set tor7 esp-des
> !
> crypto map toR7 10 ipsec-isakmp
>  set peer 135.11.34.5
>  set transform-set tor7
>  match address 101
> !
> !
> !
> !
> interface Loopback0
>  ip address 135.11.3.3 255.255.255.0
> !
> interface Loopback2
>  no ip address
> !
> interface Ethernet0
>  ip address 135.11.56.3 255.255.255.0
>  crypto map toR7
> !
> interface Serial0
>  no ip address
>  shutdown
>  no fair-queue
> !
> interface Serial1
>  no ip address
>  shutdown
> !
> interface Serial2
>  no ip address
>  shutdown
> !
> interface Serial3
>  no ip address
>  shutdown
> !
> interface BRI0
>  ip address 135.11.35.1 255.255.255.0
>  dialer string 8995101
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 8995201 8995201
>  isdn spid2 8995202 8995202
> !
> router igrp 10
>  network 135.11.0.0
> !
> ip classless
> ip http server
> !
> access-list 101 permit ip host 135.11.3.3 host 135.11.7.7
> dialer-list 1 protocol ip permit
> !
> alias exec ct config t
> alias exec sc show controllers serial
> alias exec sci show cdp interface
> alias exec scn sh cdp neighbor
> alias exec sip show ip route
> alias exec sipx show ipx route
> alias exec cip clear ip route *
> alias exec cib clear ip bgp *
> alias exec sib show ip bgp
> !
> line con 0
>  exec-timeout 0 0
>  password lab
>  logging synchronous
>  login
> line aux 0
>  exec-timeout 0 0
>  password lab
>  logging synchronous
>  login
> line vty 0 4
>  exec-timeout 0 0
>  password lab
>  logging synchronous
>  login
> !
> end
>
> R11R3#
>
> R11R4#sh run
> Building configuration...
>
> Current configuration : 2781 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R11R4
> !
> enable secret 5 $1$wnCW$4qHyuNAOZk3Z2FYnq7IUG0
> enable password lab
> !
> username cisco password 0 cisco
> username r3 password 0 cisco
> !
> !
> !
> !
> ip subnet-zero
> ip tcp synwait-time 5
> no ip domain-lookup
> ip host R11R1 135.11.1.1
> ip host R11R3 135.11.3.3
> ip host R11R6 135.11.6.6
> ip host R11R7 135.11.7.7
> ip host R11R8 135.11.8.8
> ip host R11R16 135.11.16.16
> ip host R11R4 135.11.4.4
> !
> isdn switch-type basic-5ess
> !
> !
> !
> !
> !
> int
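
An added example, not code from George, Chuck or Ed: it parses the interface stanzas quoted above, classifies each configured address the way Chuck's reply does (usable host versus the all-zeros network address or the all-ones broadcast), and then applies the classful IGRP rule described in Ed's tunnel post to show which of R11R4's /28, /27 and /29 subnets would survive an IGRP advertisement across the /24 BRI link, and why a /29 tunnel carries the /29 subnets. The R11R4 stanzas are copied from the thread; ED_R1_CONFIG is a constructed stand-in for Ed's R1.

```python
"""Added example (not from any post in this thread): subnet arithmetic for
the quoted ISDN configs, plus the classful IGRP rule behind Ed's question."""
import ipaddress
import re

# Interface stanzas copied from the R11R4 running config quoted in the thread.
R11R4_CONFIG = """\
interface Loopback0
 ip address 135.11.4.4 255.255.255.0
interface Ethernet0
 ip address 135.11.36.4 255.255.255.240
interface Serial0
 ip address 135.11.14.4 255.255.255.224
interface Serial1
 ip address 135.11.34.4 255.255.255.248
interface BRI0
 ip address 135.11.35.2 255.255.255.0
"""

# Constructed stand-in for Ed's R1: the /24 Ethernet link to R2, a /28 and a
# /29 subnet behind it, and the 172.16.81.0/29 tunnel from his post.
ED_R1_CONFIG = """\
interface Ethernet0
 ip address 172.16.64.1 255.255.255.0
interface Ethernet1
 ip address 172.16.70.1 255.255.255.240
interface Ethernet2
 ip address 172.16.72.1 255.255.255.248
interface Tunnel0
 ip address 172.16.81.1 255.255.255.248
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)")

def parse_interfaces(config):
    """Map interface name -> IPv4Interface for every 'ip address' stanza."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            ifaces[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return ifaces

def host_check(iface):
    """Classify an address as 'host', 'network' (host bits all 0) or
    'broadcast' (host bits all 1). Chuck's point: the last two are not usable
    host addresses. /31 point-to-point links (RFC 3021) use both, so they pass."""
    net = iface.network
    if net.prefixlen >= 31:
        return "host"
    if iface.ip == net.network_address:
        return "network"
    if iface.ip == net.broadcast_address:
        return "broadcast"
    return "host"

def classful_network(addr):
    """Class A/B/C boundary of an address, as a classful protocol sees it."""
    first = int(addr) >> 24
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.IPv4Network(f"{addr}/{prefix}", strict=False)

def igrp_advertised(ifaces, out_name):
    """Classful rule from Ed's post: over interface out_name a connected subnet
    is sent only if it lies in another major network (then summarized to the
    classful boundary) or carries the same mask as the outgoing interface.
    Returns name -> (advertised network or None, reason)."""
    out = ifaces[out_name]
    out_major, out_len = classful_network(out.ip), out.network.prefixlen
    result = {}
    for name, iface in ifaces.items():
        if name == out_name:
            continue
        major, net = classful_network(iface.ip), iface.network
        if major != out_major:
            result[name] = (major, "other major net, summarized")
        elif net.prefixlen == out_len:
            result[name] = (net, "same mask as outgoing interface")
        else:
            result[name] = (None, f"dropped: /{net.prefixlen} vs /{out_len}")
    return result

if __name__ == "__main__":
    r4 = parse_interfaces(R11R4_CONFIG)
    for name, iface in r4.items():
        print(f"{name:10} {iface} is a {host_check(iface)} address")
    # Only the /24 loopback survives across the /24 BRI link; /28, /27, /29 are dropped.
    for name, (net, why) in igrp_advertised(r4, "BRI0").items():
        print(f"  BRI0 -> R11R3: {name:10} {net}  ({why})")
    # Over the /29 tunnel the /29 subnet reaches R2, matching Ed's observation.
    print(igrp_advertised(parse_interfaces(ED_R1_CONFIG), "Tunnel0"))
```

It does not model why Ed's second tunnel makes the /29 routes disappear; the post leaves that open.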

RE: Help with RSP4+ and normal boot sequence in a [7:47408]

2002-06-25 Thread David j

Hi Daniel:
This is the show boot in a "normal router":
BOOT variable does not exist
CONFIG_FILE variable does not exist
BOOTLDR variable does not exist
Configuration register is 0x102
Slave auto-sync config mode is on
Current slave is in slot 7.
slave BOOT variable =
slave CONFIG_FILE variable =
slave BOOTLDR variable =
slave Configuration register is 0x102
***
And this in the "problematic" one:
BOOT variable =
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x102
Slave auto-sync config mode is on
Current slave is in slot 7.
slave BOOT variable =
slave CONFIG_FILE variable =
slave BOOTLDR variable =
slave Configuration register is 0x102
This is the output of show bootflash in the questionable router:
-#- ED --type-- --crc--- -seek-- nlen -length- -date/time-- name
1   .. image5BE93E76  6D42E8   22  6898280 Jun 11 2002 20:34:55 rsp-boot-mz.122-7a.bin
9092376 bytes available (6898408 bytes used)
There isn't any "boot bootldr filename" line in the "normal routers".
Now I'm thinking that "BOOT variable =" and "BOOT variable does not exist"
could be different. Does anybody know how to erase this variable? Thanks


If you do a "show boot" is there any value for the BOOTLDR variable - on 
either the questionable router or the others? My guess is that you have a 
"boot bootldr filename" line in your config for those that show a boot 
image. Second guess is that the questionable router doesn't have any 
bootflash. 
Please post your solution to the list. 

> -Original Message- 
> From: David j [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, June 25, 2002 1:39 PM 
> To: [EMAIL PROTECTED] 
> Subject: Help with RSP4+ and normal boot sequence in a 7 [7:47408] 
> 
> 
> Hi boys! 
> I'm having problems with a 7500 I have upgraded a few weeks 
> ago. When I type 
> sh ver on the other 7500s that I have, I can see these lines: 
> ---xx--- 
> Cisco Internetwork Operating System Software 
> IOS (tm) RSP Software (RSP-IK8SV-M), Version 12.2(7a), 
> RELEASE SOFTWARE (fc2) 
> Copyright (c) 1986-2002 by cisco Systems, Inc. 
> Compiled Thu 21-Feb-02 04:23 by pwade 
> Image text-base: 0x600109C8, data-base: 0x6179A000 
> ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1) 
> BOOTLDR: RSP Software (RSP-BOOT-M), Version 12.2(7a), RELEASE 
> SOFTWARE (fc2) 
> ---xx--- 
> However when I do the same on the problematic router I can see the 
> following: 
> 
> Cisco Internetwork Operating System Software 
> IOS (tm) RSP Software (RSP-JK8SV-M), Version 12.2(7c), 
> RELEASE SOFTWARE (fc1) 
> Copyright (c) 1986-2002 by cisco Systems, Inc. 
> Compiled Sat 11-May-02 11:02 by pwade 
> Image text-base: 0x600109C8, data-base: 0x61B28000 
> ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1) 
> 
> So as you can see, I can't see any reference to the BOOTLDR. 
> I've talked 
> with the boys at TAC and they haven't got any solution (I've 
> rebooted the 
> router 4 or 5 times, upgraded and downgraded the software) 
> Does anybody know what the correct process is for booting a 7500 
> with an RSP4+? 
> Cisco says that RSP4+ boots the main image directly without 
> loading the 
> bootflash, but I have 7 routers loading the bootflash before 
> loading the 
> main image. 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47420&t=47408



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Chuck

The question is: would you, as the messenger, be the one who is shot?

In a rational world, your idea is great.

In a world where people either 1) don't want to be bothered or 2) have a
strong desire to cover up any mistakes they may have made, you might want to
carefully consider the wisdom of your plan.

Ironic, isn't it? You want to do some good, and you have to consider that
some people might want to punish you for it. I think they call it the "no
good deed goes unpunished" syndrome. A variant of Murphy's Law.

Chuck


""Stephen Manuel""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Tom,
>
> I'm not speaking in jest, I have used netstumbler to find wireless networks
> that are wide open, some are in major companies.
>
> However, I turn off my client manager before I go wardriving, that way I
> don't accidentally connect to someone's network without authorization. I
> can't see how this is considered hacking.
>
> When I initially approached the 3 companies I mentioned earlier, I had
> developed a 3-page document on the ease of implementation of wireless
> networks and the inherent security risks associated with wireless networks.
> I didn't mention to any of the 3 that I had already detected their networks
> and how wide open they really were.
>
> I am toying with the idea of sending specific information to them about
> their wireless networks, like the MAC address of the AP, the SSID, the
> network name, the exact location on a map of the AP, the manufacturer of the
> AP, if WEP is turned on, plus if I really want to get serious I could tell
> them if the AP is issuing IP addresses via DHCP and their network settings
> if it is.
>
> The question I have is, would the company be happy to know that they have
> security holes and were alerted to it, would they threaten me by calling law
> enforcement, or would they ignore me as a nut or go and fix the problem
> without hiring me to do it for them.
>
> I was simply amazed at the sheer number of APs out there and how many were
> in businesses wide open.
>
> Stephen Manuel
>
>
>
>
>
>
> - Original Message -
> From: "Thomas E. Lawrence"
> To:
> Sent: Tuesday, June 25, 2002 2:09 PM
> Subject: Re: Rogue Wireless LANs [7:47287]
>
>
> > I realize you are speaking in jest, but for those who might consider this
> > approach as a means of drumming up business, you may want to give some
> > thought.
> >
> > Connecting to a network to which you have no reason nor any right to
> > connect can be considered hacking, and you could be subject to prosecution,
> > ironically by an organization that is asking for trouble anyway. Just
> > because I don't have locks on my doors does not mean it's ok for you to
> > walk into my home any time you please.
> >
> > Please be careful how you approach a company when you have discovered by
> > accident a particularly egregious vulnerability.
> >
> > Tom
> >
> >
> > ""Dan Penn""  wrote in message
> > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > You have given me an idea.  All I need is a laptop now =)  I would go
> > > war driving in the area to specifically find businesses running
> > > unsecured wireless.  I bet I would find some businesses that didn't
even
> > > know they were running wireless such as this thread started out.
> > >
> > > Dan
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> > > Stephen Manuel
> > > Sent: Tuesday, June 25, 2002 10:02 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: Rogue Wireless LANs [7:47287]
> > >
> > > Neil and others,
> > >
> > > Recently I installed in my home a linksys wireless router/switch/ap, it
> > > works great, yes I have wep enabled.
> > >
> > > After installing the equipment, I became really interested in wireless
> > > networking, reading some books, looking for a certification track,
> > > scouring websites, etc...
> > >
> > > I downloaded netstumbler and acquired all the necessary equipment to do
> > > some serious wardriving. I've logged over 300 AP's, mapped them using
> > > Stumverter and MS Mappoint 2002, it gets down to what side of the street
> > > the AP was on, just to add a little spice to the situation, I've got
> > > netstumbler to play a .wav file when it finds an AP.
> > >
> > > Amazingly, 75% of the AP's I've found don't have WEP enabled. A rather
> > > large number of the AP's use the company name as the SSID or use the
> > > vendor default SSID, ie. tsunami for Cisco.
> > >
> > > I'm convinced this whole area of wireless networking is wide open to be
> > > farmed for business. I've been trying to formulate a business plan to
> > > approach businesses to help them install a wireless infrastructure
> > > properly and setup security measures for those companies already in the
> > > wireless business without implementing security.
> > >
> > > What my research has shown me so far is that without upper management's
> > > support

Re: CSS1 exams [7:47308]

2002-06-25 Thread Peter Walker

Any chance of a hint?  None of the search phrases I can think of are 
turning up any hits on google.

Having just passed the CCIE security written exam this morning I may be 
interested in how to do this for my home lab.

Thanks

Peter

--On Tuesday, June 25, 2002 3:37 PM -0400 John Kaberna 
 wrote:

> you should consider finding out
> how to build an IDS Sensor out of a Solaris box.  It can be done.  :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47423&t=47308



Re: Help with RSP4+ and normal boot sequence in a 7 [7:47408]

2002-06-25 Thread Joe Tutokey

Hello (my first post!),

I have had a similar problem with my lab ls1010 ASP. It would always
load the image from the bootflash instead of the PCMCIA card camping in
slot0:. With the config register set to 0x2102 I tried the following:

-removing the flash simm from the ASP forced a boot to slot0: (there is
no image in the bootflash in this case)

-putting a "boot system flash slot0:" (pretty sure that is
the syntax) also worked, but the system takes a while to boot. It looks like
it loads the bootflash, then it interprets the config file and says to
itself "he wants a different image" and goes about loading it.


Hope this can help!

Joe Tutokey

""David j""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Hi boys!
> I'm having problems with a 7500 I have upgraded a few weeks ago, when I
type
> sh ver in others 7500 that I have, I can see these lines:
> ---xx---
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-IK8SV-M), Version 12.2(7a), RELEASE SOFTWARE
(fc2)
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Thu 21-Feb-02 04:23 by pwade
> Image text-base: 0x600109C8, data-base: 0x6179A000
> ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)
> BOOTLDR: RSP Software (RSP-BOOT-M), Version 12.2(7a), RELEASE SOFTWARE
(fc2)
> ---xx---
> However when I do the same on the problematic router I can see the
> following:
>
> Cisco Internetwork Operating System Software
> IOS (tm) RSP Software (RSP-JK8SV-M), Version 12.2(7c), RELEASE SOFTWARE
(fc1)
> Copyright (c) 1986-2002 by cisco Systems, Inc.
> Compiled Sat 11-May-02 11:02 by pwade
> Image text-base: 0x600109C8, data-base: 0x61B28000
> ROM: System Bootstrap, Version 12.0(10r)S1, RELEASE SOFTWARE (fc1)
>
> So as you can see, I can't see any reference to the BOOTLDR. I've talked
> with the boys at TAC and they haven't got any solution (I've rebooted the
> router 4 or 5 times, upgraded and downgraded the software)
> Anybody knows what is the correct process for booting a 7500 with a RSP4+?
> Cisco says that RSP4+ boots the main image directly without loading the
> bootflash, but I have 7 routers loading the bootflash before loading the
> main image.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47424&t=47408



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread david smith

I do not want to get into this discussion; however, having worked with
both Pix and Checkpoint (Next Generation) for the past 12 months, here
is my .02c worth:

1) If you are a Managed Service Provider, CP running on the Nokia Platform
   (aka ipso) is a much better solution.  There are a lot of built-in
   utilities that can help troubleshooting (i.e. tcpdump) when you need
   to verify that traffic is passing through the firewall.  Pix has
   something similar to tcpdump (in version 6.2(1)) but it is nowhere
   near the tcpdump utility.  Another thing, try to run the "debug" command
   on a "production" Pix when it is busy; there is no command to break
   out of the debug mode, except that you have to telnet or ssh to the
   pix and kill the other session.  That is really stupid.  At least
   with CP, you can "CONTROL^C" to break out of tcpdump.
2) Pix Device Manager (PDM) is a piece of sh_t.  I don't know if anyone
   has noticed, but every time you try to open an ssl connection via PDM,
   the cpu on the pix just spikes.  Doing so might slow down other
   processes on the Pix.  Do you really want to do this on a production
   box?
3) If your pix configuration is about 2000 lines long and you try to
   "write term", you can not do a "CONTROL^C" to break out of the
   write term mode.  Again, this is really stupid.  Who wants to play
   around with the "pager" command anyway?
4) CP logging is excellent.  You can see how traffic comes and leaves
   the firewall.  On the Pix, on the other hand, everything is done via
   syslog.  Has anyone actually looked at that syslog?  The messages in the
   syslog are not "human" readable.
5) How did you come up with the statement that the Pix has never been
   "hacked"?  Where is your evidence?  I remember that not too long
   ago Pix also suffered from SNMP and SSH vulnerabilities just
   like any Cisco device.
6) The pix is faster than CP because you are off-loading the logging
   (syslog) and authentication (TACACS or RADIUS) to external devices.
   I can make CP NG just as fast, if not faster, if I also off-load
   logging and authentication to external devices like Pix.
   Furthermore, please don't make comments like that without
   research.  Did you know that CP Next Generation can run on SMP
   (multi-processor) machines and also can run in an Active/Active
   configuration?  I know for a fact that Pix can only do Active/
   Standby.  In that case, CP can beat Pix handily.
7) Pix only supports SSH version 1.  There are a lot of vulnerabilities
   in SSH version 1.  CP supports both Version 1 and 2.  However,
   version 1 is OFF by default.
8) It is very difficult to automatically back up Pix configurations using
   a script because, since SSH in pix does NOT support key authentication,
   if one writes a script to back up hundreds of pix firewalls, username
   and password have to be embedded into the script.  Not a good thing.
   On the other hand, CP supports key authentication (RSA and DSA).  Because
   of this, no password is needed.  Very simple and secure.
9) At the moment, there is NO solution for managing multiple Pix
   firewalls for Managed Service Providers.  Managing a few pix
   firewalls via CLI might work for a small shop; however, that is
   NOT a solution for an MSP.  With CP, you have Provider-1, which can
   manage hundreds, if not thousands, of firewalls.
10) If Pix is a secure platform, how come telnet is ON by default?  It
   doesn't matter if it is only open for connection on the inside?
11) The learning curve is much steeper for Pix than for CP.

Again, my .02c


>From: "Roberts, Larry" 
>Reply-To: "Roberts, Larry" 
>To: [EMAIL PROTECTED]
>Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>Date: Tue, 25 Jun 2002 14:42:33 -0400
>
>1) I can look at every single ACL entry and tell you what it's doing. I don't
>use comments in a router either, but that's my preference...
>I understand your point, but I want my ACLs to be as short as possible.
>2) How I do it, and I have a 200-300 line ACL. If I want to change it, I copy
>the existing ACL into notepad. I then change the case ACL->acl or
>vice versa. I make the changes to the new ACL that I created and copy that
>back to the firewall. There are then 2 ACLs on the firewall. The running
>ACL, and the one that I want to apply. I change the access-group command (
>there can only be 1 per interface so no need to remove the old one, just
>type in the new one ) and it's done. The PIX goes directly from 1 list to the
>other. It doesn't kill any existing sessions or even cause a hiccup.
>3) access-lists gets you a more "IOS like" interface. You can still use
>conduits if you wish, but ACLs are the way of the future. 4) Understood. I
>guess they want you to type out the full command, but I'm just guessing.
>5) Raw throughput. Dude, if you want raw speed, you wouldn't use a DOS based
>system at all. When you talk about small lightweight, what did you mean
>then? I want a FW to do encryption/decryption and raw packet throughput as
>fast as possible. What
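The cutover Larry describes in the quoted reply above (paste the edited list in under a different name, then repoint access-group) written out as PIX 6.x configuration. This is an added illustration, not a configuration from any poster or from Cisco; the list names outside_in and outside_in_v2, the 192.0.2.x addresses and the rules themselves are constructed, and I use a name suffix instead of Larry's upper/lower-case trick only because it reads better in show access-list output. Lines starting with a colon are PIX comment lines.

```text
: Running list, bound to the outside interface today
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in permit tcp any host 192.0.2.10 eq 443
access-group outside_in in interface outside

: Edited copy pasted in under a new name. It sits next to the old list
: and does nothing until an access-group command points at it.
access-list outside_in_v2 permit tcp any host 192.0.2.10 eq www
access-list outside_in_v2 permit tcp any host 192.0.2.10 eq 443
access-list outside_in_v2 permit tcp any host 192.0.2.11 eq smtp
access-group outside_in_v2 in interface outside

: Only one access-group is allowed per interface, so the command above
: replaces the binding in one step. Watch the hit counts before cleaning up:
show access-list outside_in_v2

: Retire the old list once the new one has been verified
no access-list outside_in
```

Two things worth checking when you do this: the old list stays in the saved config until the final `no access-list`, so a forgotten copy is dead weight that still gets reviewed and audited; and, as Larry notes, the swap does not touch established connections, so a rule you removed only takes effect for new flows unless you clear the existing ones (clear xlate on PIX 6.x), which is the disruption his method avoids by default.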

Re: CSS1 exams [7:47308]

2002-06-25 Thread John Kaberna

It used to be up on securityie.com but it got taken down.  I would rather
not post it here.  Email me off list.

--

""Peter Walker""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Any chance of a hint?  None of the search phrases I can think of are
> turning up any hits on google.
>
> Having just passed the CCIE security written exam this morning I may be
> interested in how to do this for my home lab.
>
> Thanks
>
> Peter
>
> --On Tuesday, June 25, 2002 3:37 PM -0400 John Kaberna
>  wrote:
>
> > you should consider finding out
> > how to build an IDS Sensor out of a Solaris box.  It can be done.  :)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47426&t=47308



Re: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Chuck

""Roberts, Larry""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> A FW should be a FW, and that's it. Why add a feature ( SMTP ) that may
have
> a bug in it? The reason that a PIX has never been hacked is because they
> have avoided the do all/be all approach that throws to many variables into
> the mix.
>

CL: PIX does not allow telnet from the untrusted side, but it can be hacked
by anyone on the inside network, unless specific actions have been taken.
Anyone know if a Netscreen has ever been hacked? I'm asking because I forgot
my admin password, and I don't want to have to do a reset to factory and
lose my configured policies ;->



>
> Thanks
>
> Larry
>
>
> -Original Message-
> From: Richard Tufaro [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 25, 2002 12:32 PM
> To: [EMAIL PROTECTED]
> Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>
>
> ok good answers on some, but you tap around a few things..
>
> 1) why no comments? do competent administrators not need any comments to
> tell you what the rules are doing and where they are going (or not going?)
> 2) I don't get that part...change the name of the access-list...no, not an
> instant change, there is a second step of applying it to the interface. Let
> me see...4 step process to change a rule.
> 3) I understand the IOS access-lists (which 5.1? PIX just recently
> introduced). Still the administration is a pain. All I'm doing is making
> access-lists...big deal. What does PIX get you there? "ASA" and "stateful"
> inspection.
> 4) I meant command completion..just a little thing. Like when I'm typing:
> object-group network. I want to be able to type obje. TAB and then the IOS
> completes the command. This is not being "competent", this is being
> efficient.
> 5) On what basis do you say that the 535 will blow Checkpoint out of the
> water? Because of speed? Dude, little secret: if you take Windows...and strip
> it to DOS...it's going to smoke. And please don't harp about doing things
> "properly". Because when you say "properly" you mean the Cisco way. Hate to
> tell you, but they take "standards" all the time and fit them to their
> devices.
>
> To sum it up on your last comment let me say this. A FIREWALL is only as
> good as its configuration. That being said, if I can mitigate the risk of
> making a configuration mistake by having a "user friendly" way of doing it,
> I don't see why that is so wrong. While I agree that a firewall should not
> be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
> firewall sometimes makes sense for:
>
> outside address conservation (all MX records for example are routed back to
> one IP on the outside then relayed to internal hosts). Oh and PIX does do a
> cheeseball implementation of this (mailguard). Which has a tendency to suck
> as far as I have seen (can't do ESMTP?! what's with that?)
>
> I have worked on CyberGuards for a long time...they are SCO unix. You want
> to learn a little something about the backend of a firewall, get on the
> command line on one of those and go...powerful but tricky. I don't mean to
> come off crass because I'm not trying to..just some arguments to throw
> back..
>
> >>> "Roberts, Larry"  06/25 12:51 PM >>>
> 1) not that I am aware of
> 2) Change the access-list name and paste it to the firewall. Then just
> change the access-group statement to the new one. It's an instant change.
> 3) I think you're on crack. If you're using access-lists on all interfaces (
> you are, aren't you ??? ) then there is an implicit deny any any at the end.
> I find many people who put a permit ip any any for the inside access-list.
> While it makes administration much easier, it also is a BAD practice.
> Remember we want to explicitly approve ports, not explicitly deny. You
> would be surprised at the small number of ports that really need to be open!
> 4) This is a security device. You should always type the full command. I
> don't want to take any chances of typing one thing and the PIX taking it as
> another. I realize that you should know exactly what command you're
> entering, but hey, not everyone is competent on the PIX so no chances.
> 5) Where did you get that info? The PIX 535 will absolutely blow any
> checkpoint device out of the water. Not to mention that checkpoint still
> hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
> recently made to be a small lightweight FW with the 501. I don't know about
> you, but I want a firewall to do one thing and one thing only. I don't want
> a FW that is also a mail gateway, dns server and whatnot that so many
> devices try to be now.
>
> Many FWs are made to be user friendly, and cover the backend stuff that
> really happens. The PIX didn't take that approach. They want someone to
> understand what they are doing, and putting a pretty GUI on it will only
> lead to people who shouldn't be administering it, administrating it. That is
> why I completely disagree with the PDM.
>
> Im  not dir
>
> Im  not dir

Re: CSS1 exams [7:47308]

2002-06-25 Thread Alex Lee

It is still there. Make sure you select 'show all topics'.


""John Kaberna""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> It used to be up on securityie.com but it got taken down.  I would rather
> not post it here.  Email me off list.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47428&t=47308



New lab format/Scenarios -what will they focus on? [7:47429]

2002-06-25 Thread jack the

Hi all,

I am wondering what the new lab will focus on now that IGRP, Token Ring,
Token Ring Switching and IPX will be dropped.
http://www.cisco.com/warp/public/625/ccie/ccie_program/whatsnew.html#18

I would guess BGP and OSPF will get a lift but since the 3550 is a QOS
switch I assume QOS/Voice will be a major player.

Anyone have any thoughts on this?

Jack.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47429&t=47429



Cisco VPN client and NAT [7:47430]

2002-06-25 Thread Paul

Hi ...

I'm using the Cisco VPN clients 3.1 and 3.0.6. When dialing up everything
works fine !!! However, when a user connects from a remote office, ie behind
some NAT'ing device ...  a connection is made .. but the remote office client
cannot access/ping any devices on the private IP address side like the dialup
client can  All the clients are using Microsoft 2000 or XP ... I have
tried enabling IPSec on the Win2K boxes without success ??

I am using Cisco Pix ver 6 at the main office. Do I need to configure the Pix
to allow IPSec from Win2K ???

I have looked at the Cisco site heaps ... but cannot really find any
solutions
. Any advice would be greatly received ...

Thanks

Paul ..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47430&t=47430



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in Network
World I believe ) shows Cisco with 70% market share in the mid-top level space.
 Type no logg cons or no logg mon. It will break out of the debug. No, your
letters aren't typed next to each other, but the PIX doesn't care.
I will give you that the DEBUG could use some work in that it is more
difficult to filter out what you want and what you don't when you log to
console or monitor.

2) I completely agree. I don't believe in GUIs for network devices.

3) I use the pager command all the time. I set it to 5000 to dump the whole
config and then capture the output. I will delete half my config to get to
your scenario and try. I set it to 15 when I am looking at debug.

4) I use CiscoWorks 2K and can read the messages quite nicely. You could
also use Private-I.

5) I will search for the article. I didn't bookmark it. I also said the PIX
hadn't been hacked, not that IP hasn't been hacked. No one has hacked Finesse.
I am sorry for the confusion.

6) Will either of those Active/Active boxes push 1.7Gbps cleartext or 95Mbps
3DES traffic and 1/2 Mil connections? I didn't say combined, I said
individually. I can run 2 PIXs and double my numbers as well. Can you
terminate a tunnel on both boxes and load balance traffic over both of them
from the same source?
This is the latest performance brief that I could find. I have included
it to show you what I did review. I can send you the PDF of Cisco's
performance to back up my statistics for them if you would like. Perhaps you
should do some research before you question mine.
http://www.rainfinity.com/products/wp_performance_brief.pdf
Remember we are talking hardware vs. software FWs, so CP's results are bound
to be lower.
Also to note for CP is that it is a MUCH cheaper solution. That's a plus for
it.

7) I only manage PIXs OOB, so that point is moot for me.

8) I do it manually, every time I make a change. It helps limit the number of
copies of my config that are floating around.

9) Really, I don't believe in in-band management, so I assume that CP-1 will
dial-up and manage devices that way? I also don't have many universal
changes that I can push out to 30+ devices, so the ability to manage that
many from one place is moot for me as well.

10) First see number 7; secondly its interfaces are all 127.0.0.1, so you
couldn't access it on a PC by default anyway. You also must specify WHAT
hosts can access it prior to it being accessed. It's turned on, but no one is
permitted.

11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, but
which would you rather have running your daily operations on?

This is becoming a pi$$ing match for Cisco vs. the world. I prefer PIXs,
you prefer CPs. We can take this off-line as it doesn't belong on this list
anymore if you wish.


Thanks

Larry
 

-Original Message-
From: david smith [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 2:42 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


I do not want to get into this discussion; however, having worked with both
Pix and Checkpoint (Next Generation) for the past 12 months, here is my .02c
worth:

1) If you are a Managed Service Provider, CP running on the Nokia Platform
   (aka ipso) is a much better solution.  There are a lot of built-in
   utilities that can help troubleshooting (i.e. tcpdump) when you need
   to verify that traffic is passing through the firewall.  Pix has
   something similar to tcpdump (in version 6.2(1)) but it is nowhere
   near the tcpdump utility.  Another thing, try to run the "debug" command
   on a "production" Pix when it is busy; there is no command to break
   out of the debug mode, except that you have to telnet or ssh to the
   pix and kill the other session.  That is really stupid.  At least
   with CP, you can "CONTROL^C" to break out of tcpdump.
2) Pix Device Manager (PDM) is a piece of sh_t.  I don't know if anyone
   has noticed, but every time you try to open an ssl connection via PDM,
   the cpu on the pix just spikes.  Doing so might slow down other
   processes on the Pix.  Do you really want to do this on a production
   box?
3) If your pix configuration is about 2000 lines long and you try to
   "write term", you can not do a "CONTROL^C" to break out of the
   write term mode.  Again, this is really stupid.  Who wants to play
   around with the "pager" command anyway?
4) CP logging is excellent.  You can see how traffic comes and leaves
   the firewall.  On the Pix, on the other hand, everything is done via
   syslog.  Has anyone actually looked at that syslog?  The messages in the
   syslog are not "human" readable.
5) How did you come up with the statement that the Pix has never been
   "hacked"?  Where is your evidence?  I remember that not too long
   ago Pix also suffered from SNMP and SSH vulnerabilities just
   like any Cisco device.
6) The pix is faster than CP because you are off-loading the logging
   (s
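David's point 4 above (the syslog messages are not "human" readable) and Larry's reply that CiscoWorks or Private-I render them fine both come down to the same job: pull the fields out of the PIX message text. As an added example, not code from either poster or from Cisco, here is a small Python parser that does that for the three messages a reviewer reads most often. The sample lines are constructed in the PIX 6.x wording for 302001 (connection built), 302002 (teardown) and 106001 (inbound connection denied) as I remember it; the host name fw1, the addresses and the 111008 audit line are invented. Treat the regular expressions as assumptions to check against your own devices' output before relying on them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample messages in PIX 6.x syslog form (not captured from a real box).
SAMPLE_LOG = """\
Jun 25 14:42:01 fw1 %PIX-6-302001: Built inbound TCP connection 4711 for faddr 198.51.100.7/40123 gaddr 192.0.2.10/80 laddr 10.1.1.10/80
Jun 25 14:42:03 fw1 %PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/40124 to 192.0.2.10/23 flags SYN on interface outside
Jun 25 14:42:09 fw1 %PIX-6-302002: Teardown TCP connection 4711 faddr 198.51.100.7/40123 gaddr 192.0.2.10/80 laddr 10.1.1.10/80 duration 0:00:08 bytes 5120 (TCP FINs)
Jun 25 14:42:11 fw1 %PIX-5-111008: User 'enable_15' executed the 'write terminal' command.
"""

# Cisco syslog severity levels carried in the %PIX-<sev>-<id> header.
SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

HEADER = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<body>.*)$")

# Message bodies, keyed by event kind. faddr/gaddr/laddr are the PIX terms for
# foreign, global (translated) and local address; patterns are assumptions.
PATTERNS = {
    "built": re.compile(
        r"Built (?P<direction>inbound|outbound) (?P<proto>TCP|UDP) connection "
        r"(?P<conn_id>\d+) for faddr (?P<faddr>\S+)/(?P<fport>\d+) "
        r"gaddr (?P<gaddr>\S+)/(?P<gport>\d+) laddr (?P<laddr>\S+)/(?P<lport>\d+)"),
    "teardown": re.compile(
        r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) "
        r"faddr (?P<faddr>\S+)/(?P<fport>\d+) gaddr (?P<gaddr>\S+)/(?P<gport>\d+) "
        r"laddr (?P<laddr>\S+)/(?P<lport>\d+) duration (?P<duration>\S+) "
        r"bytes (?P<bytes>\d+)(?: \((?P<reason>[^)]*)\))?"),
    "denied": re.compile(
        r"(?P<direction>Inbound|Outbound) (?P<proto>TCP|UDP) connection denied "
        r"from (?P<src>\S+)/(?P<sport>\d+) to (?P<dst>\S+)/(?P<dport>\d+) "
        r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"),
}


@dataclass
class Event:
    severity: int
    msgid: str
    kind: str                       # "built", "teardown", "denied" or "other"
    body: str
    fields: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a PIX syslog line, or None if the line is not one."""
    m = HEADER.search(line)
    if not m:
        return None
    sev, msgid, body = int(m.group("sev")), m.group("msgid"), m.group("body").strip()
    for kind, pat in PATTERNS.items():
        bm = pat.match(body)
        if bm:
            return Event(sev, msgid, kind, body, bm.groupdict())
    return Event(sev, msgid, "other", body)   # header understood, body left verbatim


def parse_log(text: str) -> List[Event]:
    """Parse every recognisable line; non-PIX lines are skipped, not errors."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def describe(e: Event) -> str:
    """One readable line per event with the flow direction made explicit."""
    f = e.fields
    if e.kind == "built":
        return (f"CONN {f['conn_id']} {f['direction']} {f['proto']}: "
                f"{f['faddr']}:{f['fport']} -> {f['gaddr']}:{f['gport']} "
                f"(translated to {f['laddr']}:{f['lport']})")
    if e.kind == "teardown":
        return (f"CLOSE {f['conn_id']} {f['proto']}: {f['faddr']}:{f['fport']} -> "
                f"{f['laddr']}:{f['lport']} after {f['duration']}, {f['bytes']} bytes "
                f"({f.get('reason') or 'no reason given'})")
    if e.kind == "denied":
        return (f"DENY {f['direction'].lower()} {f['proto']} on {f['iface']}: "
                f"{f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} flags {f['flags']}")
    return f"{SEVERITY[e.severity]} {e.msgid}: {e.body}"


def count_by_kind(events: List[Event]) -> Dict[str, int]:
    """Volume per event kind; a quick sanity check when tuning what to alert on."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(describe(ev))
```

The split into kinds is the useful part: the 106001 denies arrive at severity 2 and are the lines worth routing to whoever watches alerts, while the 302001/302002 pairs carry the volume and mostly serve after-the-fact reconstruction, where matching build and teardown on conn_id gives you duration and byte count per flow.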

Re: a diversion for when you get too deep in studing... [7:47433]

2002-06-25 Thread Mark Godfrey

OMG!! More! More! LOL

MG
""Jacobi Michael CRPH""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I found this.  be warned, it is big!  "my favorite net things"
>
> http://www.fazed.net/humor/videos/favorites.mpg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47433&t=47433



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Craig Columbus

Actually, I hope you don't take it offline.  I enjoy reading both sides of 
the argument and there is merit to both viewpoints.  In my personal 
opinion, each firewall has its place, depending on the target 
customer.  There are also some customers for which I'd recommend Netscreen 
or Sonicwall over either PIX or CP-NG.

Larry:  Out of curiosity, why don't you like in-band management?  It seems 
that with proper configuration (SSH, etc.) that it can be quite secure.

Craig

At 05:16 PM 6/25/2002 -0400, you wrote:
>1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in Network
>World I believe ) shows Cisco with 70% market share in the mid-top level space.
>  Type no logg cons or no logg mon. It will break out of the debug. No, your
>letters aren't typed next to each other, but the PIX doesn't care.
>I will give you that the DEBUG could use some work in that it is more
>difficult to filter out what you want and what you don't when you log to
>console or monitor.
>
>2) I completely agree. I don't believe in GUIs for network devices.
>
>3) I use the pager command all the time. I set it to 5000 to dump the whole
>config and then capture the output. I will delete half my config to get to
>your scenario and try. I set it to 15 when I am looking at debug.
>
>4) I use CiscoWorks 2K and can read the messages quite nicely. You could
>also use Private-I.
>
>5) I will search for the article. I didn't bookmark it. I also said the PIX
>hadn't been hacked, not that IP hasn't been hacked. No one has hacked Finesse.
>I am sorry for the confusion.
>
>6) Will either of those Active/Active boxes push 1.7Gbps cleartext or 95Mbps
>3DES traffic and 1/2 Mil connections? I didn't say combined, I said
>individually. I can run 2 PIXs and double my numbers as well. Can you
>terminate a tunnel on both boxes and load balance traffic over both of them
>from the same source?
>This is the latest performance brief that I could find. I have included
>it to show you what I did review. I can send you the PDF of Cisco's
>performance to back up my statistics for them if you would like. Perhaps you
>should do some research before you question mine.
>http://www.rainfinity.com/products/wp_performance_brief.pdf
>Remember we are talking hardware vs. software FWs, so CP's results are bound
>to be lower.
>Also to note for CP is that it is a MUCH cheaper solution. That's a plus for
>it.
>
>7) I only manage PIXs OOB, so that point is moot for me.
>
>8) I do it manually, every time I make a change. It helps limit the number of
>copies of my config that are floating around.
>
>9) Really, I don't believe in in-band management, so I assume that CP-1 will
>dial-up and manage devices that way? I also don't have many universal
>changes that I can push out to 30+ devices, so the ability to manage that
>many from one place is moot for me as well.
>
>10) First see number 7; secondly its interfaces are all 127.0.0.1, so you
>couldn't access it on a PC by default anyway. You also must specify WHAT
>hosts can access it prior to it being accessed. It's turned on, but no one is
>permitted.
>
>11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, but
>which would you rather have running your daily operations on?
>
>This is becoming a pi$$ing match for Cisco vs. the world. I prefer PIXs,
>you prefer CPs. We can take this off-line as it doesn't belong on this list
>anymore if you wish.
>
>
>Thanks
>
>Larry
>
>
>-Original Message-
>From: david smith [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 25, 2002 2:42 PM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]
>
>
>I do not want to get into this discussion; however, having worked with both
>Pix and Checkpoint (Next Generation) for the past 12 months, here is my .02c
>worth:
>
>1) If you are a Managed Service Provider, CP running on the Nokia Platform
>(aka ipso) is a much better solution.  There are a lot of built-in
>utilities that can help troubleshooting (i.e. tcpdump) when you need
>to verify that traffic is passing through the firewall.  Pix has
>something similar to tcpdump (in version 6.2(1)) but it is nowhere
>near the tcpdump utility.  Another thing, try to run the "debug" command
>on a "production" Pix when it is busy; there is no command to break
>out of the debug mode, except that you have to telnet or ssh to the
>pix and kill the other session.  That is really stupid.  At least
>with CP, you can "CONTROL^C" to break out of tcpdump.
>2) Pix Device Manager (PDM) is a piece of sh_t.  I don't know if anyone
>has noticed, but every time you try to open an ssl connection via PDM,
>the cpu on the pix just spikes.  Doing so might slow down other
>processes on the Pix.  Do you really want to do this on a production
>box?
>3) If your pix configuration is about 2000 lines long and you try to
>"write term", you can not do a "CONTROL^C" to break out of the
>write term mode. Again, this

Cisco 3640 [7:47435]

2002-06-25 Thread tes tes

I need to buy a new 3640 or 7200 series router.  Can
you recommend a good dealer and good prices too. 
Thanks.

John
e-mail me at [EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47435&t=47435



ccie real-time questions [7:47436]

2002-06-25 Thread Jerry Yu

I just failed the 305-001, but I remember the following tricky questions.
pls. offer your opinion or answers to them.


thanks.

jyu


1)
A network administrator is using debug commands to check the performance of
a network. What steps can the administrator take to ensure that the "debug"
will not require too much CPU, or at least that she will not have to reboot
the router to disable debug?
(multiple answer)
A. Make the debug command as specific as possible
B. Use the max-time parameter of the debug command
C. In configuration mode, enter 'scheduler interval 15'
D. Configure a loopback to channel debug traffic

2) NETBEUI is:
A. A routable protocol
B. A non-routable protocol designed for small networks
C. A routing protocol designed for large networks
D. A data-link layer protocol

3) In a Distance Vector protocol, "counting to infinity":
A. Calculates the time taken for a protocol to converge
B. Checks to make sure the number of route entries do not exceed a set upper
limit
C. Counts the packets dropped during a routing loop
D. Sets an upper limit for hop count, so that routing loops can be broken if
this limit is reached

4) A network contains 2000 IPX services. Remote sites connected via 56 Kbps
lines intermittently lose the ability to logon to some NetWare servers. The
problem may be fixed by:
A. Filtering SAPs at the remote routers
B. Filtering SAPs at the central router
C. Filtering SAP type 4
D. Configuring "ipx maximum-paths 2" at the central router

5) In FDDI, the characteristics of "4B/5B Encoding" include: (multiple
answer)
A. Sending 4 bits of information using a 5 bit symbol
B. Increasing the clock rate of the transmitter and receiver to 125 MHz,
which establishes an effective data rate of 100Mbps
C. Increasing the distance between two FDDI stations to more than 2km, when
using multimode fiber
D. Providing a workaround for the Optical Bypass Relay

6) The purpose of "Fast Link Pulse [FLP]" signals is:
A. To identify link quality and shutdown the Ethernet port of the computer
if the quality of a link is poor
B. To indicate that collisions have occurred in the Ethernet segment - this
is also known as a 'jam' signal
C. To auto-negotiate the capabilities of Fast Ethernet devices connecting
via 100BaseT technology
D. To support the proprietary implementation of Gigabit Ethernet of some
vendors








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47436&t=47436



Re: Cisco VPN client and NAT [7:47430]

2002-06-25 Thread Ruihai An

On the VPN concentrator, system>>user management>>group>> IPsec tab >> you
need to check "IPSec through NAT"
Also you need to make sure your PIX is configured to pass IPsec (AH, ESP),
ISAKMP, and UDP encapsulation traffic.

Ruihai

"Paul" wrote in message news:[EMAIL PROTECTED]...
> Hi ...
>
> I'm using the Cisco VPN clients 3.1 and 3.0.6. When dialing up
everything
> works fine !!! However, when a user connects from a remote office, ie
behind
> some NAT'ing device ...  a connection is made .. but the remote office
client
> cannot access/ping any devices on the private IP address side like the
dialup
> client can  All the clients are using Microsoft 2000 or XP ... I have
> tried enabling IPSec on the Win2K boxes without success ??
>
> I am using Cisco Pix ver 6 at the main office. Do I need to configure the
Pix
> to allow IPSec from Win2K ???
>
> I have looked at the Cisco site heaps ... but cannot really find any
> solutions
> . Any advice would be greatly received ...
>
> Thanks
>
> Paul ..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47437&t=47430
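Ruihai's checklist above (turn on "IPSec through NAT" on the concentrator, and have the PIX pass AH, ESP, ISAKMP and the UDP encapsulation traffic) can be checked against a saved PIX config. What follows is an added example of my own, not code from this thread or from Cisco: a small Python audit that parses PIX 6.x access-list lines and evaluates the four flows first-match, the way the PIX itself does, against a constructed ACL that forgot the encapsulation port. The ACL name outside_in, the concentrator address 192.0.2.10 and the UDP port 10000 are assumptions; 10000 is the port I would expect the concentrator's IPSec-through-NAT setting to use, so substitute the value actually configured in that tab.

```python
"""Audit a PIX 6.x access-list for the flows a remote IPsec client needs to reach a
VPN concentrator behind the PIX: ESP, AH, ISAKMP (udp/500) and the UDP encapsulation
port.  Constructed example; ACL name, addresses and port number are assumptions."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample in PIX 6.x syntax, meant to be bound inbound on 'outside'.
# It passes ESP, AH and ISAKMP but forgets the UDP encapsulation port.
SAMPLE_ACL = """\
access-list outside_in permit esp any host 192.0.2.10
access-list outside_in permit ah any host 192.0.2.10
access-list outside_in permit udp any host 192.0.2.10 eq isakmp
access-list outside_in deny ip any any
"""
# Same ACL with the missing line.  10000 is assumed here for the concentrator's
# "IPSec through NAT" UDP port; use the value configured in that tab.
FIXED_ACL = SAMPLE_ACL.replace(
    "access-list outside_in deny ip any any",
    "access-list outside_in permit udp any host 192.0.2.10 eq 10000\n"
    "access-list outside_in deny ip any any",
)

PORT_NAMES = {"isakmp": 500}  # the one symbolic PIX port name this audit needs
Ace = namedtuple("Ace", "action proto src dst port")  # port is None without 'eq'
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?\s*$"
)


def parse_acl(text, name):
    """Collect the ACEs of access-list `name` in configuration order."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("access-list"):
            continue  # other PIX commands are not part of any ACL
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACE: {line}")
        if m["name"] != name:
            continue
        port = m["port"]
        if port is not None:
            port = PORT_NAMES.get(port) or int(port)
        aces.append(Ace(m["action"], m["proto"], m["src"], m["dst"], port))
    return aces


def _dst_matches(spec, ip):
    if spec == "any":
        return True
    kind, value = spec.split()
    if kind == "host":
        return ipaddress.ip_address(value) == ip
    return ip in ipaddress.ip_network(f"{kind}/{value}", strict=False)  # 'net mask'


def decide(aces, proto, dst, dport):
    """First-match evaluation, as the PIX does it, for a flow from an unknown source
    (a roaming client) to `dst`.  Simplification: only ACEs with source 'any' are
    considered, because a NAT'ed client's address is not predictable."""
    for ace in aces:
        if ace.src != "any" or ace.proto not in ("ip", proto):
            continue
        if not _dst_matches(ace.dst, dst):
            continue
        if ace.port is not None and ace.port != dport:
            continue
        return ace.action
    return "deny"  # implicit deny at the end of every PIX ACL


def check_ipsec_passthrough(acl_text, acl_name, concentrator, udp_encap_port=10000):
    """Map each required flow to 'permit' or 'deny' under `acl_name`."""
    aces = parse_acl(acl_text, acl_name)
    ip = ipaddress.ip_address(concentrator)
    flows = {"esp": ("esp", None), "ah": ("ah", None),
             "isakmp": ("udp", 500), "udp-encap": ("udp", udp_encap_port)}
    return {k: decide(aces, proto, ip, dport) for k, (proto, dport) in flows.items()}


if __name__ == "__main__":
    for label, acl in (("as found", SAMPLE_ACL), ("corrected", FIXED_ACL)):
        print(label, check_ipsec_passthrough(acl, "outside_in", "192.0.2.10"))
```

The audit looks only at the access-list. The ACL still has to be bound to the outside interface with access-group, and the concentrator needs a static translation on the PIX, or nothing reaches it regardless of what the ACL says. Rules with a source other than any are deliberately ignored: a roaming client arrives from whatever address its NAT device happens to have, so a rule scoped to one source does not help it.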



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Howard C. Berkowitz

At 3:21 PM -0400 6/25/02, Stephen Manuel wrote:
>Tom,
>
>I'm not speaking jest, I have used netstumbler to find wireless networks
>that are wide open, some
>are in major companies.
>
>However, I turn off my client manager before I go wardriving, that way I
>don't accidentally connect
>to someone's network without authorization. I can't see how this is
>considered hacking.

In general, the US Communications Act of 1934, as amended, makes 
illegal the disclosure to a third party of any electromagnetic 
traffic you have received, assuming the transmission is not intended 
for the public.  Obviously, it gets a little blurry when you are 
disclosing the communication to its originator, but I still would be 
very careful here.

>
>When I initially approached the 3 companies I mentioned earlier, I had
>developed a 3-page document
>on the ease of implementation of wireless networks and the inherent security
>risks associated with wireless networks. I
>didn't mention to any of the 3 that I had already detected their networks
>and how wide open they really were.
>
>I am toying with the idea of sending specific information to them about
>their wireless networks, like the MAC address of the AP, the SSID, the
>network name, the exact location on a map of the AP, the manufacturer of the
>AP,  if WEP is turned on, plus if I really want to get serious I could tell
>them if the AP is issuing IP addresses via DHCP and their network settings
>if it is.

I could see this part, fairly easily, as something an aggressive
member of law enforcement might consider a violation.  The law is less
than ideally clear here. People certainly have sued successfully for 
invasion of privacy when someone gets on a ladder and photographs 
over a fence, but the courts have also stated that the role of 
"celebrity" waives some parts of an expectation of privacy.

Nevertheless, I wouldn't even think of doing this without getting 
legal advice, and also possibly discussing it first with local law 
enforcement (including the nearest FBI office with a technical group).

>
>The question I have is, would the company be happy to know that they have
>security holes and were alerted to it, would they threaten me by calling law
>enforcement, or would they ignore me as a nut or go and fix the problem
>without hiring me to do it for them.

It's a tossup.  In the present concern over both surveillance and 
terrorism, I wouldn't want to deal with explaining it to less than 
technically significant law enforcement.

>
>I was simply amazed at the sheer number of AP's out there and how many were
>in businesses wide open.
>
>Stephen Manuel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47438&t=47287



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

I don't mind in-band for internal router configuration, but since the FW is
the only line of defense between me and the rest of you guys :) I am very
very careful about how anyone can access it. Telnet is insecure, and I don't
like SSH ( personal preference ) so I am left with no options.
I also am concerned that I could lose in-band access to the devices ( a
switch fails, or loses power, or better yet the server guys unplug the wrong
cables) so I don't even bother accessing them that way anymore.

These are MY personal preferences and how I deal with some of the
limitations of the PIX ( did I say that ? ) as well as other security
concerns.

I'm afraid that this might become more of a personal preference attack
thread, of which I was finding myself getting involved admittedly.
I don't want to make enemies or have people lose respect for my opinion
just because I prefer brand A over brand B and I didn't think anyone was all
that interested in where it was going.

I did however find some additional information that may balance the scales
performance wise between the PIX and CP. I'm still researching so some of my
concerns might become moot...

Thanks

Larry
 

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 4:06 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


Actually, I hope you don't take it offline.  I enjoy reading both sides of 
the argument and there is merit to both viewpoints.  In my personal 
opinion, each firewall has its place, depending on the target 
customer.  There are also some customers for which I'd recommend Netscreen 
or Sonicwall over either PIX or CP-NG.

Larry:  Out of curiosity, why don't you like in-band management?  It seems 
that with proper configuration (SSH, etc.) that it can be quite secure.

Craig

At 05:16 PM 6/25/2002 -0400, you wrote:
>1) Personal Opinion. The last breakdown I saw ( 5-6 months ago in 
>network world I believe ) shows Cisco with 70% market share in mid-top 
>level space.
>  Type no logg cons or no logg mon. It will break out of the debug. No your
>letters aren't typed next to each other, but the PIX doesn't care.
>I will give you that the DEBUG could use some work in that it is more
>difficult to filter out what you want and what you don't when you logg to
>console or monitor
>
>2) I completely agree. I don't believe in GUI's for Network devices.
>
>3) I use the pager command all the time. I set it to 5000 to dump the 
>whole config and then capture the output. I will delete half my config 
>to get to your scenario and try. I set it to 15 when I am looking at 
>debug
>
>4) I use CiscoWorks 2K and can read the messages quite nicely. You 
>could also use Private-I.
>
>5) I will search for the article. I didn't bookmark it. I also said the 
>PIX hadn't been hacked, not IP hasn't been hacked. No one has hacked 
>Finesse. I am sorry for the confusion.
>
>6) Will either of those Active Active boxes push 1.7Gbps cleartext or 
>95Mbps 3Des traffic and 1/2Mil connections.. I didn't say combined, I 
>said individually. I can run 2 PIX's and double my numbers as well. Can 
>you terminate a tunnel on both boxes and load balance traffic over both 
>of them from the same source ? This is the latest performance briefs 
>that I could find. I have included them to show you what I did review. 
>I can send you the PDF of Cisco's performance to back up my statistics 
>for them if you would like. Perhaps you should do some research before 
>you question mine. 
>http://www.rainfinity.com/products/wp_performance_brief.pdf
>Remember we are talking hardware vs. software FW's so CP's results are 
>bound to be lower. Also to note for CP is that it is a MUCH cheaper 
>solution. That's a plus for it.
>
>7) I only manage PIX's OOB so that point is moot for me.
>
>8) I do it manually,every time I make a change. It helps limit the 
>number of copies of my config that are floating around.
>
>9) Really, I don't believe in In-band management, so I assume that CP-1 
>will dial-up and manage devices that way ?I also don't have many 
>universal changes that I can push out to 30+ devices, so that ability 
>to manage that many from one place is moot for me as well.
>
>10) first see number 7, secondly its interfaces are all 127.0.0.1 so 
>you couldn't access it on a PC by default anyways. You also must 
>specify WHAT hosts can access it prior to it being accessed. It's turned 
>on, but no one is permitted.
>
>11) Yes it is. But so is the learning curve for HP-UX over Windows 2k, 
>but which would you rather have running your daily operations on ?
>
>This is becoming a pi$$ing match for Cisco vs. the world. I prefer 
>PIX's, you prefer CP's. We can take this off-line as it doesn't belong 
>on this list anymore if you wish.
>
>
>Thanks
>
>Larry
>
>
>-Original Message-
>From: david smith [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, June 25, 2002 2:42 PM
>To: [EMAIL PROTECT

dot1Q bridged across two 1721's? [7:47440]

2002-06-25 Thread Jeffrey Reed

I have a scenario where I want to move part of two VLANs to a remote
building off campus. These two VLANs are already part of my internal network
and due to some layer 8 constraints, we can't put them on new subnets once
we move them to the new building. The VLANs need to be at both the remote
office as well as the core of the network. Connectivity will be facilitated
by a T1 and a pair of 1721s. I know the 1721s will run 802.1Q, but can I
bridge the two VLANs across the T1? I know it's not a good idea to send
broadcasts across an expensive T1, but we're dealing with folks who do not
care.

I wasn't sure how the WAN side would handle dot1q tagging. Thanks for any
thoughts!!


Jeff Reed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47440&t=47440



Re: ccie real-time questions [7:47436]

2002-06-25 Thread John Kaberna

You forgot to post the NDA you agreed to before you started the test.

--

"Jerry Yu" wrote in message news:[EMAIL PROTECTED]...
> I just failed the 305-001, but I remember the following tricky questions.
> pls. offer your opinion or answers to them.
>
>
> thanks.
>
> jyu
>
>
> 1)
> A network administrator is using debug commands to check the performance
of
> a network. What steps can the administrator take to ensure that the
"debug"
> will not require too much CPU, or at least that she will not have to
reboot
> the router to disable debug?
> (multiple answer)
> A. Make the debug command as specific as possible
> B. Use the max-time parameter of the debug command
> C. In configuration mode, enter 'scheduler interval 15'
> D. Configure a loopback to channel debug traffic
>
> 2) NETBEUI is:
> A. A routable protocol
> B. A non-routable protocol designed for small networks
> C. A routing protocol designed for large networks
> D. A data-link layer protocol
>
> 3) In a Distance Vector protocol, "counting to infinity":
> A. Calculates the time taken for a protocol to converge
> B. Checks to make sure the number of route entries do not exceed a set
upper
> limit
> C. Counts the packets dropped during a routing loop
> D. Sets an upper limit for hop count, so that routing loops can be broken
if
> this limit is reached
>
> 4) A network contains 2000 IPX services. Remote sites connected via 56 Kbps
> lines intermittently lose the ability to logon to some NetWare servers.
The
> problem may be fixed by:
> A. Filtering SAPs at the remote routers
> B. Filtering SAPs at the central router
> C. Filtering SAP type 4
> D. Configuring "ipx maximum-paths 2" at the central router
>
> 5) In FDDI, the characteristics of "4B/5B Encoding" include: (multiple
> answer)
> A. Sending 4 bits of information using a 5 bit symbol
> B. Increasing the clock rate of the transmitter and receiver to 125 MHz,
> which establishes an effective data rate of 100Mbps
> C. Increasing the distance between two FDDI stations to more than 2km,
when
> using multimode fiber
> D. Providing a workaround for the Optical Bypass Relay
>
> 6) The purpose of "Fast Link Pulse [FLP]" signals is:
> A. To identify link quality and shutdown the Ethernet port of the computer
> if the quality of a link is poor
> B. To indicate that collisions have occurred in the Ethernet segment - this
> is also known as a 'jam' signal
> C. To auto-negotiate the capabilities of Fast Ethernet devices connecting
> via 100BaseT technology
> D. To support the proprietary implementation of Gigabit Ethernet of some
> vendors




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47441&t=47436



Re: ccie real-time questions [7:47436]

2002-06-25 Thread Chuck

answers in line


"Jerry Yu" wrote in message news:[EMAIL PROTECTED]...
> I just failed the 305-001, but I remember the following tricky questions.
> pls. offer your opinion or answers to them.
>
>
> thanks.
>
> jyu
>
>
> 1)
> A network administrator is using debug commands to check the performance
of
> a network. What steps can the administrator take to ensure that the
"debug"
> will not require too much CPU, or at least that she will not have to
reboot
> the router to disable debug?
> (multiple answer)
> A. Make the debug command as specific as possible
> B. Use the max-time parameter of the debug command
> C. In configuration mode, enter 'scheduler interval 15'
> D. Configure a loopback to channel debug traffic

E: buy bigger faster high end routers for your network.
F: don't bother with the debugs at all. buy gigabit switches and give your
users all the bandwidth they want and need!

>
> 2) NETBEUI is:
> A. A routable protocol
> B. A non-routable protocol designed for small networks
> C. A routing protocol designed for large networks
> D. A data-link layer protocol

E. a very poor joke

>
> 3) In a Distance Vector protocol, "counting to infinity":
> A. Calculates the time taken for a protocol to converge
> B. Checks to make sure the number of route entries do not exceed a set
upper
> limit
> C. Counts the packets dropped during a routing loop
> D. Sets an upper limit for hop count, so that routing loops can be broken
if
> this limit is reached

E. takes a VERY long time

>
> 4) A network contains 2000 IPX services. Remote sites connected via 56 Kbps
> lines intermittently lose the ability to logon to some NetWare servers.
The
> problem may be fixed by:
> A. Filtering SAPs at the remote routers
> B. Filtering SAPs at the central router
> C. Filtering SAP type 4
> D. Configuring "ipx maximum-paths 2" at the central router

E. stop being a cheapskate and spring for some real network bandwidth. 56K.
sheesh!

>
> 5) In FDDI, the characteristics of "4B/5B Encoding" include: (multiple
> answer)
> A. Sending 4 bits of information using a 5 bit symbol
> B. Increasing the clock rate of the transmitter and receiver to 125 MHz,
> which establishes an effective data rate of 100Mbps
> C. Increasing the distance between two FDDI stations to more than 2km,
when
> using multimode fiber
> D. Providing a workaround for the Optical Bypass Relay

e. who cares about FDDI. Rip it out and replace it with GigE

>
> 6) The purpose of "Fast Link Pulse [FLP]" signals is:
> A. To identify link quality and shutdown the Ethernet port of the computer
> if the quality of a link is poor
> B. To indicate that collisions have occurred in the Ethernet segment - this
> is also known as a 'jam' signal
> C. To auto-negotiate the capabilities of Fast Ethernet devices connecting
> via 100BaseT technology
> D. To support the proprietary implementation of Gigabit Ethernet of some
> vendors
>
>

E. to provide the means of asking questions that help you realize how dumb
you really are, no matter how much you have studied!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47442&t=47436



FYI: BUY.COM ANNOUNCEMENT [7:47443]

2002-06-25 Thread CAROLINA-TEK

Just in case you didn't see this announcement today.

=

ALISO VIEJO, Calif. -- Buy.com Inc. announced Tuesday it will offer
book titles at 10% below Amazon.com Inc.'s (AMZN) prices, effective
immediately.
Buy.com said the move is part of a strategy to win over Amazon's
customers and capture greater market share in online book sales.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47443&t=47443



rif calculator [7:47444]

2002-06-25 Thread GEORGE

I saw some time ago a link posted here for calculating RIFs; would
someone kindly e-mail it?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47444&t=47444



RE: PIX Firewall simulator ? Pls help [7:47466]

2002-06-25 Thread Mr piyush shah

Dear all
I am planning to appear for the CCIP security exams and I
am going through this study group regularly. For the
security exams I need some help from you all. In the
company where I am working we have a Checkpoint f/w,
hence I can't do any hands-on practice for PIX
Firewall. My sincere request to you all: is there
any site which provides free PIX Firewall hands-on or
any free PIX simulator available for download? I will
be very thankful as I need to appear for the exam at the
earliest.
Thanks in advance.
Regards

Parag Chavan






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47466&t=47466



Re: ISDN Problem [7:47411]

2002-06-25 Thread cj jung

I could be wrong but you may need to configure "dialer map" statements for
each subnet.


- Original Message -
From: "George Sherman" 
To: 
Sent: Tuesday, June 25, 2002 2:40 PM
Subject: ISDN Problem [7:47411]


> I have two routers connected through an ISDN switch.
> System image file is "flash:c2500-js56i-l.121-12.bin
>
> When I change the address to 135.11.35.0 /24  I can not ping. I verified
> that the call went through
> 11R3#ping 135.11.35.2
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 135.11.35.2, timeout is 2 seconds:
> .
> Success rate is 0 percent (0/5)
> R11R3#sh isdn act
> 
> ISDN ACTIVE CALLS
> 
> Call  Calling   Called    Remote   Seconds  Seconds  Seconds  Charges
> Type  Number    Number    Name     Used     Left     Idle     Units/Currency
> 
> In    8995101   8995201            36       114      5
> 
>
> If I change the address to 135.11.35.0 /27 it works well and if I change
> to 135.110.35.0 /24 it works.  I am puzzled any ideas?
>
>
> R11R3#sh run int bri0
> Building configuration...
>
> Current configuration : 182 byte
> !
> interface BRI0
>  ip address 135.11.35.1 255.255.255.0
>  dialer string 8995101
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 8995201 8995201
>  isdn spid2 8995202 8995202
> end
>
>
> R11R4#sh run int bri0
> Building configuration...
>
> Current configuration : 182 bytes
> !
> interface BRI0
>  ip address 135.11.35.2 255.255.255.0
>  dialer string 8995201
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 8995101 8995101
>  isdn spid2 8995102 8995102
> end
>
>
>
> HERE IS THE COMPLETE CONFIGURATION:
> R11R3#sh run
> Building configuration...
>
> Current configuration : 1967 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R11R3
> !
> enable secret 5 $1$LX3.$7TGAHxWdu5Zw8iWCkIHhf1
> enable password lab
> !
> username r4 password 0 r4
> !
> !
> !
> !
> ip subnet-zero
> ip tcp synwait-time 5
> no ip domain-lookup
> ip host R11R1 135.11.1.1
> ip host R11R3 135.11.3.3
> ip host R11R4 135.11.4.4
> ip host R11R6 135.11.6.6
> ip host R11R7 135.11.7.7
> ip host R11R8 135.11.8.8
> ip host R11R16 135.11.16.16
> !
> isdn switch-type basic-5ess
> !
> !
> crypto isakmp policy 10
>  hash md5
>  authentication pre-share
> crypto isakmp key cisco address 135.11.34.5
> !
> !
> crypto ipsec transform-set tor7 esp-des
> !
> crypto map toR7 10 ipsec-isakmp
>  set peer 135.11.34.5
>  set transform-set tor7
>  match address 101
> !
> !
> !
> !
> interface Loopback0
>  ip address 135.11.3.3 255.255.255.0
> !
> interface Loopback2
>  no ip address
> !
> interface Ethernet0
>  ip address 135.11.56.3 255.255.255.0
>  crypto map toR7
> !
> interface Serial0
>  no ip address
>  shutdown
>  no fair-queue
> !
> interface Serial1
>  no ip address
>  shutdown
> !
> interface Serial2
>  no ip address
>  shutdown
> !
> interface Serial3
>  no ip address
>  shutdown
> !
> interface BRI0
>  ip address 135.11.35.1 255.255.255.0
>  dialer string 8995101
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 8995201 8995201
>  isdn spid2 8995202 8995202
> !
> router igrp 10
>  network 135.11.0.0
> !
> ip classless
> ip http server
> !
> access-list 101 permit ip host 135.11.3.3 host 135.11.7.7
> dialer-list 1 protocol ip permit
> !
> alias exec ct config t
> alias exec sc show controllers serial
> alias exec sci show cdp interface
> alias exec scn sh cdp neighbor
> alias exec sip show ip route
> alias exec sipx show ipx route
> alias exec cip clear ip route *
> alias exec cib clear ip bgp *
> alias exec sib show ip bgp
> !
> line con 0
>  exec-timeout 0 0
>  password lab
>  logging synchronous
>  login
> line aux 0
>  exec-timeout 0 0
>  password lab
>  logging synchronous
>  login
> line vty 0 4
>  exec-timeout 0 0
>  password lab
>  logging synchronous
>  login
> !
> end
>
> R11R3#
>
> R11R4#sh run
> Building configuration...
>
> Current configuration : 2781 bytes
> !
> version 12.1
> service timestamps debug uptime
> service timestamps log uptime
> no service password-encryption
> !
> hostname R11R4
> !
> enable secret 5 $1$wnCW$4qHyuNAOZk3Z2FYnq7IUG0
> enable password lab
> !
> username cisco password 0 cisco
> username r3 password 0 cisco
> !
> !
> !
> !
> ip subnet-zero
> ip tcp synwait-time 5
> no ip domain-lookup
> ip host R11R1 135.11.1.1
> ip host R11R3 135.11.3.3
> ip host R11R6 135.11.6.6
> ip host R11R7 135.11.7.7
> ip host R11R8 135.11.8.8
> ip host R11R16 135.11.16.16
> ip host R11R4 135.11.4.4
> !
> isdn switch-type basic-5ess
> !
> !
> !
> !
> !
> interfa

RE: IGRP Routes - Classless Networks with Tunnels [7:47415]

2002-06-25 Thread Magondo, Michael

Ed

What Routing protocol are you using?

Mike


-Original Message-
From: Ed [mailto:[EMAIL PROTECTED]] 
Sent: 25 June 2002 08:56 PM
To: [EMAIL PROTECTED]
Subject: IGRP Routes - Classless Networks with Tunnels [7:47415]

How feasible is this, and has anyone tried it?

R1 is connected to R2... in my case, it is an Ethernet link.
The link is on the 172.16.64.0 network with a 24 bit mask.

R1 has several subnets in the 172.16 major network, but with different
masks.  In my case, 24,  28 and 29 bit masks.

R2 sees all of the networks with the 24 bit masks, but drops the networks
with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of
SUMMARIZATION.

If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit
mask, the networks with the 29 bit masks show on R2.

As soon as I create the second tunnel to take care of the 28 bit masks, the
/29 routes disappear and the /28 doesn't make it.

On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work?  Am I missing something?
Again, the goal is to get the networks with the specified subnet to appear
on R2 without summarization. Comments are appreciated.

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47470&t=47415



RE: IGRP Routes - Classless Networks with Tunnels [7:47415]

2002-06-25 Thread Magondo, Michael

Ed

Sorry, I've just reread the title. Maybe I need more coffee. It's IGRP.

Mike


-Original Message-
From: Ed [mailto:[EMAIL PROTECTED]] 
Sent: 25 June 2002 08:56 PM
To: [EMAIL PROTECTED]
Subject: IGRP Routes - Classless Networks with Tunnels [7:47415]

How feasible is this, and has anyone tried it?

R1 is connected to R2... in my case, it is an Ethernet link.
The link is on the 172.16.64.0 network with a 24 bit mask.

R1 has several subnets in the 172.16 major network, but with different
masks.  In my case, 24,  28 and 29 bit masks.

R2 sees all of the networks with the 24 bit masks, but drops the networks
with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of
SUMMARIZATION.

If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit
mask, the networks with the 29 bit masks show on R2.

As soon as I create the second tunnel to take care of the 28 bit masks, the
/29 routes disappear and the /28 doesn't make it.

On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work?  Am I missing something?
Again, the goal is to get the networks with the specified subnet to appear
on R2 without summarization. Comments are appreciated.

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47471&t=47415
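Mike's second reply narrows Ed's problem to IGRP, and IGRP is classful: its updates carry no mask, so the sending router has to decide from the outgoing interface what it can safely send. As an added example of my own (not from the thread, and not Cisco code), here is a simplified Python model of that rule, run over a constructed R1 routing table that mirrors Ed's description: subnets of 172.16.0.0/16 with /24, /28 and /29 masks, plus the Ethernet link and a /29 tunnel to R2. The addresses are made up, and split horizon is only modelled as "do not send the link's own subnet back out the link".

```python
"""Simplified model of the advertisement rule a classful routing protocol
(IGRP, RIPv1) applies, since its updates carry no subnet mask.

Constructed example: the route list mirrors Ed's description (subnets of one
major network with /24, /28 and /29 masks) but the addresses are made up.
"""
import ipaddress


def classful_major(net):
    """Return the class A/B/C major network that contains `net` (str or network)."""
    net = ipaddress.ip_network(str(net), strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        plen = 8       # class A
    elif first_octet < 192:
        plen = 16      # class B
    else:
        plen = 24      # class C (D/E not modelled)
    return ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False)


def advertise(routes, out_iface):
    """Routes sent out an interface numbered `out_iface` (e.g. '172.16.64.0/24').

    Rule: a subnet of the same major network as the link is sent only when its
    mask equals the link's mask (the receiver will assume that mask); anything in
    a different major network is sent as its classful summary.  Split horizon is
    modelled only by not sending the link's own subnet back out that link.
    """
    link = ipaddress.ip_network(out_iface)
    link_major = classful_major(link)
    sent = set()
    for r in routes:
        net = ipaddress.ip_network(r)
        if net == link:
            continue
        if classful_major(net) == link_major:
            if net.prefixlen == link.prefixlen:
                sent.add(net)
            # different mask, same major network: nothing is sent at all
        else:
            sent.add(classful_major(net))
    return [str(n) for n in sorted(sent)]


def dropped(routes, out_iface):
    """Subnets silently not advertised out `out_iface`: same major network,
    different mask.  This is the set R2 never hears about."""
    link = ipaddress.ip_network(out_iface)
    link_major = classful_major(link)
    nets = [ipaddress.ip_network(r) for r in routes]
    lost = [n for n in nets if n != link and classful_major(n) == link_major
            and n.prefixlen != link.prefixlen]
    return [str(n) for n in sorted(lost)]


# Constructed R1 routing table: the Ethernet link to R2, three internal subnets
# with different masks, a /29 tunnel subnet, and one route in another major net.
R1_ROUTES = [
    "172.16.64.0/24",   # Ethernet link to R2
    "172.16.10.0/24",
    "172.16.20.0/28",
    "172.16.30.0/29",
    "172.16.81.0/29",   # tunnel to R2
    "10.1.1.0/24",
]

if __name__ == "__main__":
    for link in ("172.16.64.0/24", "172.16.81.0/29"):
        print(link, "sends", advertise(R1_ROUTES, link),
              "drops", dropped(R1_ROUTES, link))
```

Run against the Ethernet link, the model sends only the /24 subnet plus a 10.0.0.0/8 summary and drops the /28 and /29 routes, which is what Ed sees on R2; run against the /29 tunnel, it sends the /29 subnet and drops everything else, which is why the tunnel carried those routes. What it does not explain is why the /29 routes vanish once the second tunnel is added; that interaction is outside this model.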