RE: IGRP Routes - Classless Networks with Tunnels [7:47415]
Ed

Sorry, I've just reread the title. Maybe I need more coffee. It's IGRP.

Mike

-----Original Message-----
From: Ed [mailto:[EMAIL PROTECTED]]
Sent: 25 June 2002 08:56 PM
To: [EMAIL PROTECTED]
Subject: IGRP Routes - Classless Networks with Tunnels [7:47415]

How feasible is this, and has anyone tried it? R1 is connected to R2... in my case, it is an Ethernet link. The link is on the 172.16.64.0 network with a 24 bit mask. R1 has several subnets in the 172.16 major network, but with different masks. In my case, 24, 28 and 29 bit masks. R2 sees all of the networks with the 24 bit masks, but drops the networks with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of SUMMARIZATION. If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit mask the networks with the 29 bit masks show on R2. As soon as I create the second tunnel to take care of the 28 bit masks, the /29 routes disappear and the /28 doesn't make it. On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work? Am I missing something? Again, the goal is to get the networks with the specified subnet to appear on R2 without summarization. Comments are appreciated.

Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47471t=47415
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: IGRP Routes - Classless Networks with Tunnels [7:47415]
Ed

Here is my understanding of this. The 28 and 29 bit subnets will be auto summarized by one of the 24 bit subnets in your routing table when you are using a 24 bit mask between the two routers. I believe this is the expected operation of IGRP as it is a classful routing protocol and will auto summarize.

To achieve what you want maybe the use of EIGRP with auto summarization turned off and specifying manual summarization of a 29 bit mask for the outgoing interface of R1 will work.

That's my 5 cents worth, please correct me if I'm lost guys.

Mike

p.s. I've had that coffee now..

-----Original Message-----
From: Ed [mailto:[EMAIL PROTECTED]]
Sent: 25 June 2002 08:56 PM
To: [EMAIL PROTECTED]
Subject: IGRP Routes - Classless Networks with Tunnels [7:47415]

How feasible is this, and has anyone tried it? R1 is connected to R2... in my case, it is an Ethernet link. The link is on the 172.16.64.0 network with a 24 bit mask. R1 has several subnets in the 172.16 major network, but with different masks. In my case, 24, 28 and 29 bit masks. R2 sees all of the networks with the 24 bit masks, but drops the networks with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of SUMMARIZATION. If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit mask the networks with the 29 bit masks show on R2. As soon as I create the second tunnel to take care of the 28 bit masks, the /29 routes disappear and the /28 doesn't make it. On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work? Am I missing something? Again, the goal is to get the networks with the specified subnet to appear on R2 without summarization. Comments are appreciated.

Ed

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47472t=47415
Re: Carrier Guidance [7:47473]
Oracle and programming are the areas with huge demand at the moment.

JR

TV IT Helpdesk wrote in message news:[EMAIL PROTECTED]...
> Hi Friends,
>
> I am having MCSE, CCNA CCNP certification with around 6 years experience in networking. After seeing slump in IT. I am little scared about my future and want to do some certification which ensure my job stability. Request you guys to suggest me something which certification I should do and why? Thanks in advance for your valuable suggestion.
>
> M. Sathyanarayan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47475t=47473
Re: Cisco VPN client and NAT [7:47430]
So how does the Linksys or cisco 800 handle the IPSec thru PAT then?

Thanks.
Alex Lee

Lidiya White wrote in message news:[EMAIL PROTECTED]...
> PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. It all depends on the device that is between your client and PIX, that is doing PAT. IPSec uses ESP protocol, that doesn't have ports, so how can you perform PAT (port address translation) for a protocol that doesn't understand port concept? Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). So if the router/device that is doing PAT is IPSec aware, then you should be able to pass IPSec through. If not, then you have to make sure that one-to-one address translation happens for your VPN clients, not one-to-many (PAT)...
>
> Hope this helps...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47476t=47430
DHCP question [7:47477]
Let's assume a Win2k DHCP server is set up correctly with different IP scopes for 2 remote sites. Let's also assume remote-site routers are set-up correctly with the correct IP helper-address.

When remote DHCP clients start broadcasting for IP addresses at each remote site, and these broadcasts are then forwarded by the remote-site routers as unicast packets to the DHCP server, how does the DHCP server know from which scope of IP address to fulfill a DHCP client request for a given remote site. Is the information embedded within the DHCP packet itself?

thanks
dj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47477t=47477
Re: DHCP question [7:47477]
Yes. The DHCP packet will be sent out with the source address of the router in the unicast packet.

Eric Lange

From: dimitri@ptscinti.com
Sent by: nobody@groupstudy.com
06/26/2002 08:39 AM
Please respond to dimitri
To: [EMAIL PROTECTED]
cc:
Subject: DHCP question [7:47477]

Let's assume a Win2k DHCP server is set up correctly with different IP scopes for 2 remote sites. Let's also assume remote-site routers are set-up correctly with the correct IP helper-address.

When remote DHCP clients start broadcasting for IP addresses at each remote site, and these broadcasts are then forwarded by the remote-site routers as unicast packets to the DHCP server, how does the DHCP server know from which scope of IP address to fulfill a DHCP client request for a given remote site. Is the information embedded within the DHCP packet itself?

thanks
dj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47478t=47477
Re: Devices serial ports [7:47465]
you would need an L2 device of some kind. might want to look through www.kentrox.com or www.adtran.com see what they have to offer.

come to think of it, such devices would solve a number of problems.

piesupport wrote in message news:[EMAIL PROTECTED]...
> Can any one tell me device which can be connected to V.35 port of a router and link to two alternate medias i.e. DTU and radio modem. Main path should be DTU (Copper link) and on failure should sense radio link.
>
> Thanks
> Raza

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47481t=47465
RE: Cisco VPN client and NAT [7:47430]
Lidiya,

On the pix when you configure Ipsec you configure a pool of addresses that your Ipsec clients will use on your own network. For instance your inside network will have the ip addressing scheme of 192.168.0.0 with a class c subnet mask. You set the pool to give the 10.0.0.0 subnet with a class C subnet mask. Therefore when your clients behind your firewall try to talk to the 10.0.0.0 network they will hit the firewall and be passed to the translation from the pool.

You cannot have any devices in the middle which pat (IE a router which pats the ip address of your pix if your pix is establishing the tunnel). It must be a one to one translation from one end of the tunnel to the other.

Everyone feel free to correct me if I'm wrong which I'm sure will be the case.

Jason

-----Original Message-----
From: Alex Lee [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?

Thanks.
Alex Lee

Lidiya White wrote in message news:[EMAIL PROTECTED]...
> PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. It all depends on the device that is between your client and PIX, that is doing PAT. IPSec uses ESP protocol, that doesn't have ports, so how can you perform PAT (port address translation) for a protocol that doesn't understand port concept? Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). So if the router/device that is doing PAT is IPSec aware, then you should be able to pass IPSec through. If not, then you have to make sure that one-to-one address translation happens for your VPN clients, not one-to-many (PAT)...
>
> Hope this helps...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47482t=47430
CCIE Security LAB Equipment [7:47484]
Hi,

Does anybody know what equipment should I have on the rack for CCIE Security and CCIE Communications and Services Lab exam.

Thank you

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47484t=47484
Re: DHCP question [7:47477]
Yes it will be. Setup a super scope then the two remote site scopes.

From: dj
Reply-To: dj
To: [EMAIL PROTECTED]
Subject: DHCP question [7:47477]
Date: Wed, 26 Jun 2002 09:39:31 -0400

Let's assume a Win2k DHCP server is set up correctly with different IP scopes for 2 remote sites. Let's also assume remote-site routers are set-up correctly with the correct IP helper-address.

When remote DHCP clients start broadcasting for IP addresses at each remote site, and these broadcasts are then forwarded by the remote-site routers as unicast packets to the DHCP server, how does the DHCP server know from which scope of IP address to fulfill a DHCP client request for a given remote site. Is the information embedded within the DHCP packet itself?

thanks
dj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47487t=47477
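An added example for the DHCP question in this thread (not code from any poster): per RFC 2131, a relaying router writes the address of the interface that received the broadcast into the `giaddr` field of the DHCP message, and a server can choose the scope whose subnet contains that address. The scope names, subnets and MAC address below are constructed.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file = 236 bytes.
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HOPS, GIADDR = 3, 10  # positions in the unpacked header tuple

# Constructed scopes standing in for the two remote sites in the question.
SCOPES = {
    "site-a": ipaddress.ip_network("10.1.1.0/24"),
    "site-b": ipaddress.ip_network("10.2.2.0/24"),
}


def build_discover(xid, mac):
    """Client broadcast: a DHCPDISCOVER whose giaddr is still 0.0.0.0."""
    zero = b"\x00" * 4
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         zero, zero, zero, zero, mac, b"", b"")
    # Option 53 (message type) = 1 (DISCOVER), then the end option 255.
    return header + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def relay(packet, interface_ip):
    """What a helper-address router does before unicasting to the server:
    fill giaddr with the receiving interface address (only if still empty)
    and increment the hop count."""
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if fields[GIADDR] == b"\x00" * 4:
        fields[GIADDR] = ipaddress.ip_address(interface_ip).packed
    fields[HOPS] += 1
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def select_scope(packet):
    """Server side: pick the scope from giaddr inside the DHCP message."""
    cookie = packet[BOOTP_LEN:BOOTP_LEN + 4]
    if len(packet) < BOOTP_LEN + 4 or cookie != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    giaddr = ipaddress.ip_address(fields[GIADDR])
    if giaddr.is_unspecified:
        return "local-segment"  # not relayed: client is on the server's LAN
    for name, network in SCOPES.items():
        if giaddr in network:
            return name
    return None  # no scope covers the relay's subnet: no offer is made


if __name__ == "__main__":
    discover = build_discover(0x1A2B3C4D, bytes.fromhex("020000000001"))
    for router in ("10.1.1.1", "10.2.2.1", "192.0.2.1"):
        print(router, "->", select_scope(relay(discover, router)))
```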
Re: Rogue Wireless LANs [7:47287]
Agreed. This could be a big legal trap.

If you use something like Network Stumbler, you're not actually using their network. You're just seeing the broadcasts from it. Maybe that would be a good approach.

Ken

Thomas E. Lawrence 06/25/02 11:09AM
> I realize you are speaking in jest, but for those who might consider this approach as a means of drumming up business, you may want to give some thought. Connecting to a network to which you have no reason nor any right to connect can be considered hacking, and you could be subject to prosecution, ironically by an organization that is asking for trouble anyway. Just because I don't have locks on my doors does not mean it's ok for you to walk into my home any time you please.
>
> Please be careful how you approach a company when you have discovered by accident a particularly egregious vulnerability.
>
> Tom

[snip]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47488t=47287
RE: Cisco VPN client and NAT [7:47430]
In most cases the PIX does not support VPNs over PAT; you need a static NAT to establish a VPN tunnel.

Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs). An alternative is implemented in some devices like the VPN 3000 Concentrator by encapsulating ESP within UDP and sending it to a negotiated port.

Doug

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

On the pix when you configure Ipsec you configure a pool of addresses that your Ipsec clients will use on your own network. For instance your inside network will have the ip addressing scheme of 192.168.0.0 with a class c subnet mask. You set the pool to give the 10.0.0.0 subnet with a class C subnet mask. Therefore when your clients behind your firewall try to talk to the 10.0.0.0 network they will hit the firewall and be passed to the translation from the pool.

You cannot have any devices in the middle which pat (IE a router which pats the ip address of your pix if your pix is establishing the tunnel). It must be a one to one translation from one end of the tunnel to the other.

Everyone feel free to correct me if I'm wrong which I'm sure will be the case.

Jason

-----Original Message-----
From: Alex Lee [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?

Thanks.
Alex Lee

Lidiya White wrote in message news:[EMAIL PROTECTED]...
> PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. It all depends on the device that is between your client and PIX, that is doing PAT. IPSec uses ESP protocol, that doesn't have ports, so how can you perform PAT (port address translation) for a protocol that doesn't understand port concept? Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). So if the router/device that is doing PAT is IPSec aware, then you should be able to pass IPSec through. If not, then you have to make sure that one-to-one address translation happens for your VPN clients, not one-to-many (PAT)...
>
> Hope this helps...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47490t=47430
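An added example for the ESP and PAT discussion above (not code from any poster or vendor): a small model of a port-translating device, showing that a raw ESP packet (IP protocol 50) has no port field for it to rewrite, while the same ESP payload wrapped in UDP is translated like any other flow. The addresses, SPIs and the port value 10000 are constructed, and the translator handles only TCP and UDP.

```python
import socket
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NEGOTIATED_PORT = 10000  # constructed stand-in for the "negotiated port"


def ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left 0: constructed sample, never sent)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def esp(spi, seq, ciphertext):
    """ESP starts with SPI and sequence number; there are no port fields."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def source_port(packet):
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!H", packet[ihl:ihl + 2])[0]


class Pat:
    """Many inside hosts behind one public address, told apart by port."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (proto, inside_ip, inside_port) -> public_port
        self.back = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, packet):
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        if proto not in (PROTO_TCP, PROTO_UDP):
            return None  # e.g. ESP: nothing to key the translation on
        inside = (proto, socket.inet_ntoa(packet[12:16]), source_port(packet))
        if inside not in self.out:
            self.out[inside] = self.next_port
            self.back[(proto, self.next_port)] = inside[1:]
            self.next_port += 1
        # Rewrite source address and source port; payload is untouched.
        return (packet[:12] + socket.inet_aton(self.public_ip) + packet[16:ihl]
                + struct.pack("!H", self.out[inside]) + packet[ihl + 2:])

    def inbound(self, packet):
        """Return (inside_ip, inside_port) for a reply, or None if unmapped."""
        ihl = (packet[0] & 0x0F) * 4
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        return self.back.get((packet[9], dport))


if __name__ == "__main__":
    pat, gateway = Pat("203.0.113.1"), "198.51.100.1"
    for host, spi in (("192.168.0.10", 0x1001), ("192.168.0.11", 0x1002)):
        payload = esp(spi, 1, b"\x00" * 16)
        raw = pat.outbound(ipv4(host, gateway, PROTO_ESP, payload))
        wrapped = pat.outbound(ipv4(host, gateway, PROTO_UDP,
                                    udp(NEGOTIATED_PORT, NEGOTIATED_PORT, payload)))
        print(host, "raw ESP:", raw, "| ESP in UDP -> public port",
              source_port(wrapped))
```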
Content Switching Books [7:47494]
Has Cisco Press or anyone put any Content Switching books out yet? Preferably one that covers CS11152 or similar.

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47494t=47494
RSPAN Problem [7:47493]
Greetings,

I'm using RSPAN with our 65XX switches with 6.3(3) code. When I enable RSPAN between two switches it works fine but, when I try to rspan between three switches it doesn't work. I only see broadcasts from IP and IPX, any ideas???

Two switches:
Source Port : Port 9/3-switch A -TRUNK-switch B-7/38 : Destination Port

Three switches: This scenario doesn't work.
Source Port : Port 6/10-switch A -TRUNK-switch B-TRUNK--switch C--7/38 : Destination Port

Thanks...Nabil

I have never let my schooling interfere with my education.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47493t=47493
CID [7:47496]
Hi,

Whether anyone attempted CID recently? I am curious whether there are questions from SNA ATM?

Thanks.
Saj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47496t=47496
RE: Rogue Wireless LANs [7:47287]
I think the take the company would take on it would depend highly on how worried they are about security. If they have a well written security policy I think you would be in for some arguments from their legal department. On the other hand what if it's a company that doesn't even know that employee Joe Schmoe has installed a WAP under his desk running 802.11 unsecured to world...I think in that situation they might be interested to hear what you have to say.

Overall this whole deal is very cloudy to say the least. What legal rights does a company have if they are broadcasting wireless unsecured...it is like throwing money into the air then trying to arrest someone if they take it.

It's an old well known fact you don't say welcome in your motd banner because you welcomed the intruder in. You could say, you didn't know that you were unauthorized because you could connect to it from somewhere not on their property and you were never warned that you were unauthorized. I'm not saying you would win the legal battle...but there would most likely be a legal battle over it.

I am interested to know the outcome if anybody does actually try this and approaches the company about it.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto
Sent: Wednesday, June 26, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: Rogue Wireless LANs [7:47287]

Agreed. This could be a big legal trap.

If you use something like Network Stumbler, you're not actually using their network. You're just seeing the broadcasts from it. Maybe that would be a good approach.

Ken

Thomas E. Lawrence 06/25/02 11:09AM
> I realize you are speaking in jest, but for those who might consider this approach as a means of drumming up business, you may want to give some thought. Connecting to a network to which you have no reason nor any right to connect can be considered hacking, and you could be subject to prosecution, ironically by an organization that is asking for trouble anyway. Just because I don't have locks on my doors does not mean it's ok for you to walk into my home any time you please.
>
> Please be careful how you approach a company when you have discovered by accident a particularly egregious vulnerability.
>
> Tom

[snip]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47497t=47287
frame relay question [7:47498]
I have a newbie question, regarding frame-relay.

When I order a frame relay circuit for two locations Do the telco provide the dlci? Or I make it up? Once the frame relay is installed on both locations I guess using the dlci numbers it makes the connection, besides the ip and all other stuff.

Can someone explain it please

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47498t=47498
Re: frame relay question [7:47498]
The Telco's usually provide the DLCI. They provide two separate DLCI's, one for each side. Then they map the DLCI to the other DLCI, usually over ATM PVC's, but it could be IP as well.

Steve

GEORGE wrote in message news:[EMAIL PROTECTED]...
> I have a newbie question, regarding frame-relay.
>
> When I order a frame relay circuit for two locations Do the telco provide the dlci? Or I make it up? Once the frame relay is installed on both locations I guess using the dlci numbers it makes the connection, besides the ip and all other stuff.
>
> Can someone explain it please
>
> thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47499t=47498
Re: frame relay question [7:47498]
good questions.

in theory, you may request any dlci you wish, so long as it is in the legal range for the carrier. this would be numbers 16 through 996? for some, or through 1004? for others

in fact, if you have a good rapport with your carrier, and they in turn have their act together, this is common practice. OTOH, in my experience, telcos just want to get the work done, and they will configure the dlci starting with 16 because it's easy to remember. the switch techs just bang out their configs with no conscious thought intervention.

if you have nothing fancy going on ( and it appears you don't ) the only required configuration on your router is setting the frame relay encapsulation, and setting the ip address. at that point the circuit will come up. you can check this using the show frame pvc, show frame lmi and show ip interface brief commands. lmi will detect and use the single pvc with no other tweaks required.

if you have multiple pvcs on a circuit, you would, of course have to use frame map commands, or use point-to-point subinterfaces in conjunction with the frame interface-dlci command.

best wishes.

GEORGE wrote in message news:[EMAIL PROTECTED]...
> I have a newbie question, regarding frame-relay.
>
> When I order a frame relay circuit for two locations Do the telco provide the dlci? Or I make it up? Once the frame relay is installed on both locations I guess using the dlci numbers it makes the connection, besides the ip and all other stuff.
>
> Can someone explain it please
>
> thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47500t=47498
RE: CID [7:47496]
Cisco has made changes to its CID objectives. The following is the updated link:

http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-025.html

No AppleTalk, IPX, SNA, nor Stratacom. The test is 75 questions in 90 minutes, pass mark 755/1000. Get the Cisco Press Top-Down Network Design guide and if you have passed the CCNP, you should have no problems.

-----Original Message-----
From: sajith nair [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:17 AM
To: [EMAIL PROTECTED]
Subject: CID [7:47496]

Hi,

Whether anyone attempted CID recently? I am curious whether there are questions from SNA ATM?

Thanks.
Saj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47502t=47496
Re: frame relay question [7:47498]
You can specify the dlci or they can assign. I always found it advantageous to specify that way I can set ranges for different areas or purposes...

> I have a newbie question, regarding frame-relay.
>
> When I order a frame relay circuit for two locations Do the telco provide the dlci? Or I make it up? Once the frame relay is installed on both locations I guess using the dlci numbers it makes the connection, besides the ip and all other stuff.
>
> Can someone explain it please
>
> thanks

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47501t=47498
RE: PIX Firewall simulator ? Pls help [7:47466]
The PIX 501 can be purchased for as little as $450 at many online locations.

-----Original Message-----
From: Mr piyush shah [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 25, 2002 11:41 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall simulator ? Pls help [7:47466]

Dear all

I am planning to appear for CCIP security exams and I am going through this study group regularly. In the security exams I need a help from you all. In the company where I am working we have Checkpoint f/w hence I can't do any hands-on practice for PIX Firewall. My sincere request you to all that Is there any site which provides free PIX Firewall hands-on or any free PIX Simulator available for download. I will be very thankful as I needs to appear for exam at the earliest.

Thanks in advance.

Regards
Parag Chavan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47503t=47466
Re: frame relay question [7:47498]
either way. You can provide DLCI's or you can have them assigned to you. They are locally specific. Some companies like having their own range of DLCI's for admin and management purposes.

GEORGE 06/26 2:35 PM
> I have a newbie question, regarding frame-relay.
>
> When I order a frame relay circuit for two locations Do the telco provide the dlci? Or I make it up? Once the frame relay is installed on both locations I guess using the dlci numbers it makes the connection, besides the ip and all other stuff.
>
> Can someone explain it please
>
> thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47504t=47498
Off Topic - Cisco vis a vis World Com [7:47505]
So far today I have seen no word from Cisco on its exposure to World Com. the other so called players in the networking industry - Redback, Nortel, and Lucent, have all said they have very little on the line with WorldCom. Of course, these are companies with one foot in the grave already.

WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to its low of the last year. Maybe Cisco believes nothing needs be said? Maybe Cisco figures they can still sell their stuff through other channels?

As an employee of another of Cisco's major customers, maybe this bodes well for me? with WorldCom out of the way, and no longer selling at cost to steal my customers, maybe my own business will pick up?

Sheesh, this is scary. Anybody out there know how what used to be UUNet is doing? Viable? Any repercussions through the ISP world?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47505t=47505
NE Indiana [7:47507]
Sorry for the cross-post. Anyone from Northeast Indiana please reply to me off-list.

Thanks,
Ben

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47507t=47507
Re: Off Topic - Cisco vis a vis World Com [7:47505]
Not too long ago, John Chambers was quoted in one of the networking magazines talking about erosion of margins, and partners who sold very cheaply. The talk on the street was that it was no secret he was talking about WorldCom, who have been notorious for their pricing of Cisco products as an inducement to use worldCom data circuits.

I believe what used to be UUNet is a major user of Cisco equipment. that's one reason I asked about UUNet's viability. WCOM is going to end up selling assets, and it seems to me that the ISP is about the best asset they have. The network / fiber assets only contribute to the current fiber glut, so become less of a source of hope for revenue from sales.

As far as what's in the carrier networks themselves, maybe this is less important to Cisco, as no carriers use their stuff anyway? ;-

BTW Juniper stock is not looking real good right now at all. Nor Ciena.

John Kaberna wrote in message news:[EMAIL PROTECTED]...
> Talking with a couple of my students (employees at Cisco) WCOM is mostly a Nortel shop. They said that ATT and Sprint are Cisco Powered Networks so they are the big providers that Cisco is interested in. This is not official or anything from Cisco it's just what these guys are telling me.
>
> Chuck wrote in message news:[EMAIL PROTECTED]...
> > So far today I have seen no word from Cisco on its exposure to World Com. the other so called players in the networking industry - Redback, Nortel, and Lucent, have all said they have very little on the line with WorldCom. Of course, these are companies with one foot in the grave already.
> >
> > WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to its low of the last year. Maybe Cisco believes nothing needs be said? Maybe Cisco figures they can still sell their stuff through other channels?
> >
> > As an employee of another of Cisco's major customers, maybe this bodes well for me? with WorldCom out of the way, and no longer selling at cost to steal my customers, maybe my own business will pick up?
> >
> > Sheesh, this is scary. Anybody out there know how what used to be UUNet is doing? Viable? Any repercussions through the ISP world?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47508t=47505
RE: Rogue Wireless LANs [7:47287]
At 2:26 PM -0400 6/26/02, Dan Penn wrote: I think the take the company would take on it would depend highly on how worried they are about security. If they have a well written security policy I think you would be in for some arguments from their legal department. On the other hand what if it's a company that doesn't even know that employee Joe Schmoe has installed a WAP under his desk running 802.11 unsecured to world...I think in that situation they might be interested to hear what you have to say. Over all this whole deal is very cloudy to say the least. What legal rights does a company have if they are broadcasting wireless unsecured...it is like throwing money into the air then trying to arrest someone if they take it. No, there really are very specific rules for electromagnetic emissions, beginning with the (US) Communications Act of 1934. Essentially, it says that any signals not explicitly meant for public broadcast may be intercepted, but that disclosure of the content to third parties is illegal. This is enforced by the Federal Communications Commission, which is the US agency that regulates, among other things, the use of spectrum space, and the licensing (when required) of parts of the spectrum. There certainly are blurred areas, such as disclosing statistical aggregates that do not reveal content, or intercepting communications by other than the primary signal (i.e., eavesdropping through incidental radiation, power line coupling, etc.). In general, though, the law is much more clear about hacking involving the electromagnetic spectrum in free space than it is on entering computers. It's an old well known fact you don't say welcome in your motd banner because you welcomed the intruder in. You could say, you didn't know that you were unauthorized because you could connect to it from somewhere not on their property and you were never warned that you were unauthorized. 
I'm not saying you would win the legal battle...but there would most likely be a legal battle over it. I am interested to know the outcome if anybody does actually try this and approaches the company about it. Dan -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ken Diliberto Sent: Wednesday, June 26, 2002 11:04 AM To: [EMAIL PROTECTED] Subject: Re: Rogue Wireless LANs [7:47287] Agreed. This could be a big legal trap. If you use something like Network Stumbler, you're not actually using their network. You're just seeing the broadcasts from it. Maybe that would be a good approach. Ken Thomas E. Lawrence 06/25/02 11:09AM I realize you are speaking in jest, but for those who might consider this approach as a means of drumming up business, you may want to give some thought. Connecting to a network to which you have no reason nor any right to connect can be considered hacking, and you could be subject to prosecution, ironically by an organization that is asking for trouble anyway. Just because I don't have locks on my doors does not mean it's ok for you to walk into my home any time you please. Please be careful how you approach a company when you have discovered by accident a particularly egregious vulnerability. Tom [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47510t=47287
Re: Off Topic - Cisco vis a vis World Com [7:47505]
The Cisco guys are saying that UUNet converted a lot of stuff to Juniper and a few other vendors. Chuck wrote in message news:[EMAIL PROTECTED]... Not too long ago, John Chambers was quoted in one of the networking magazines talking about erosion of margins, and partners who sold very cheaply. The talk on the street was that it was no secret he was talking about WorldCom, who have been notorious for their pricing of Cisco products as an inducement to use WorldCom data circuits. I believe what used to be UUNet is a major user of Cisco equipment. That's one reason I asked about UUNet's viability. WCOM is going to end up selling assets, and it seems to me that the ISP is about the best asset they have. The network / fiber assets only contribute to the current fiber glut, so become less of a source of hope for revenue from sales. As far as what's in the carrier networks themselves, maybe this is less important to Cisco, as no carriers use their stuff anyway? ;- BTW Juniper stock is not looking real good right now at all. Nor Ciena. John Kaberna wrote in message news:[EMAIL PROTECTED]... Talking with a couple of my students (employees at Cisco) WCOM is mostly a Nortel shop. They said that ATT and Sprint are Cisco Powered Networks so they are the big providers that Cisco is interested in. This is not official or anything from Cisco it's just what these guys are telling me. Chuck wrote in message news:[EMAIL PROTECTED]... So far today I have seen no word from Cisco on its exposure to World Com. The other so called players in the networking industry - Redback, Nortel, and Lucent, have all said they have very little on the line with WorldCom. Of course, these are companies with one foot in the grave already. WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to its low of the last year. Maybe Cisco believes nothing needs be said?
Maybe Cisco figures they can still sell their stuff through other channels? As an employee of another of Cisco's major customers, maybe this bodes well for me? With WorldCom out of the way, and no longer selling at cost to steal my customers, maybe my own business will pick up? Sheesh, this is scary. Anybody out there know how what used to be UUNet is doing? Viable? Any repercussions through the ISP world? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47512t=47505
Re: Off Topic - Cisco vis a vis World Com [7:47505]
This is HUGE for Telco in general...With the restatement this company will have actually LOST money for over the past year... Just think about all the IOUs that this company has to all its vendors, we're talking 30 Billion dollars in debt. It looks like bankruptcy is coming soon for this company. What's Cisco's exposure to this? I believe it's fair to say it's large, be it directly or indirectly. This will be the largest bankruptcy in US history, hence world. WorldCom has assets in excess of 105 Billion dollars. Compare this to Enron with 60 Billion dollars. They will be cutting an already planned 16,000 employees this week. Who's next: Qwest? Just follow [EMAIL PROTECTED] I read a couple of weeks ago from one of the wire services that 24 of the 29 major Telcos will go under. The so called safe ones were Bellsouth, Cisco, SBC and some others. I've also picked up off of both Reuters.com and Bloomberg.com that the Telco market is not expected to turn around until maybe late 2003 and will be the last thing to pick up in a revived economy. Look at all the companies failing in the US and Europe, the drastic slide in the value of the US Dollar against the Euro and the Yen and the fact that 2 million layoffs in the US last year, with 500,000 of those from tech related jobs alone, it should become apparent to even the simplest minds that things will become worse with these scandals coming out. Should the US housing bubble burst kiss this economy good bye for the next five years. - There is already too much surplus equipment out there that it will take years to absorb. And as far as jobs and hiring out in the world, well who's going to quit their job because they didn't get a raise lately?- JMHO :-0 -Eric - Original Message - From: Chuck To: Sent: Wednesday, June 26, 2002 12:31 PM Subject: Off Topic - Cisco vis a vis World Com [7:47505] So far today I have seen no word from Cisco on its exposure to World Com.
The other so called players in the networking industry - Redback, Nortel, and Lucent, have all said they have very little on the line with WorldCom. Of course, these are companies with one foot in the grave already. WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to its low of the last year. Maybe Cisco believes nothing needs be said? Maybe Cisco figures they can still sell their stuff through other channels? As an employee of another of Cisco's major customers, maybe this bodes well for me? With WorldCom out of the way, and no longer selling at cost to steal my customers, maybe my own business will pick up? Sheesh, this is scary. Anybody out there know how what used to be UUNet is doing? Viable? Any repercussions through the ISP world? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47514t=47505
Re: IGRP Routes - Classless Networks with Tunnels [7:47415]
Again, R10 is running OSPF and IGRP, with mutual redistribution. R5 is only running IGRP. My goal is to get routes with native subnets (as shown on R10) within the same major subnet into R5. Without summarization. Default network, static routes and policy routing doesn't count either. Keep this in mind - a more practical example of this would be if the link between the routers had a /28 mask. How would I get the /24s into IGRP? We can't summarize the /24 because the bit boundary goes the wrong way.

Here is the info on my config, the routing table and debug. Note that the route 172.16.32.0 /28 and 132.16.40.0/29 are on R10 with the correct mask. The debug on R10 shows these routes being advertised out the correct tunnels. When R5 gets the routes, they are both installed with the /28 mask! Look at the Route table, note that 32.0 shows it was advertised by 172.16.82.1 from Tunnel 2. The route table shows 40.0 came from 172.16.81.1 but doesn't show the interface! Now take a look at the debug on R5, it shows that both routes came from Tunnel 2, but have different source addresses. 172.16.81.1 should be sourced from Tunnel 1. Since they both come in tunnel 2, the routes get installed with the tunnel 2 mask.

As a follow-up, I swapped the subnet masks between the two tunnels. R5 still shows the routes came through Tunnel 2, but now they have the /29 mask. Comments? Ed

R10

interface loopback 0
 ip address 172.16.10.10 255.255.255.0
!
interface FastEthernet0/0.5
 encapsulation isl 5
 ip address 172.16.64.10 255.255.255.0
 no ip redirects
 no ip directed-broadcast
!
interface Tunnel1
 ip address 172.16.81.1 255.255.255.248
 no ip directed-broadcast
 tunnel source 172.16.10.10
 tunnel destination 172.16.5.5
!
interface Tunnel2
 ip address 172.16.82.1 255.255.255.240
 no ip directed-broadcast
 tunnel source 172.16.10.10
 tunnel destination 172.16.5.5
!
router ospf 100
 redistribute igrp 300 subnets
!
router igrp 300
 redistribute ospf 100
 network 172.16.0.0
 default-metric 1500 100 254 1 1500

R5

interface loopback 0
 ip address 172.16.5.5 255.255.255.0
interface Tunnel1
 ip address 172.16.81.2 255.255.255.248
 tunnel source 172.16.5.5
 tunnel destination 172.16.10.10
!
interface Tunnel2
 ip address 172.16.82.2 255.255.255.240
 tunnel source 172.16.5.5
 tunnel destination 172.16.10.10
!
interface Ethernet0
 backup delay 2 30
 backup interface BRI0
 backup load 50 25
 ip address 172.16.64.5 255.255.255.0
!
router igrp 300
 no validate-update-source
 passive-interface Loopback0
 passive-interface Tunnel1
 passive-interface Tunnel2
 network 172.16.0.0

Routing table on R10

     172.16.0.0/16 is variably subnetted, 18 subnets, 3 masks
C       172.16.160.0/24 is directly connected, FastEthernet0/1
C       172.16.48.0/24 is directly connected, TokenRing1/0
C       172.16.40.0/29 is directly connected, Serial1/0.1
O       172.16.32.0/28 [110/54] via 172.16.40.3, 02:43:21, Serial1/0.1
C       172.16.10.0/24 is directly connected, Loopback0
O       172.16.4.0/24 [110/55] via 172.16.40.3, 02:43:21, Serial1/0.1
I       172.16.5.0/24 [100/610] via 172.16.64.5, 00:00:10, FastEthernet0/0.5
O       172.16.6.0/24 [110/49] via 172.16.40.2, 02:43:23, Serial1/0.1
O       172.16.7.0/24 [110/49] via 172.16.40.3, 02:43:23, Serial1/0.1
                       Serial1/0.1
C       172.16.96.0/24 is directly connected, Serial1/0.2
C       172.16.81.0/29 is directly connected, Tunnel1
C       172.16.82.0/28 is directly connected, Tunnel2
O E2    172.16.72.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1
C       172.16.64.0/24 is directly connected, FastEthernet0/0.5
O E2 192.168.26.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1
O E2 192.168.20.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1
O E2 192.168.22.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1

Routing Table on R5

I    170.100.0.0/16 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
I    192.168.28.0/24 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
I    192.168.24.0/24 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
     172.16.0.0/16 is variably subnetted, 18 subnets, 3 masks
I       172.16.160.0/24 [100/1110] via 172.16.64.10, 00:00:03, Ethernet0
I       172.16.128.0/24 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
I       172.16.56.0/24 [100/1600] via 172.16.64.10, 00:00:03, Ethernet0
I       172.16.48.0/24 [100/1163] via 172.16.64.10, 00:00:04, Ethernet0
I       172.16.40.0/28 [100/1163111] via 172.16.81.1, 00:00:04
I       172.16.32.0/28 [100/1161112] via 172.16.82.1, 00:00:04, Tunnel2
I       172.16.10.0/24 [100/1600] via 172.16.64.10, 00:00:04, Ethernet0
I       172.16.4.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
C       172.16.5.0/24 is directly connected, Loopback0
I       172.16.6.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I       172.16.7.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I       172.16.1.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I       172.16.104.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I
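The classful send and receive rules that this thread turns on, as an added example (not part of any poster's message): a protocol whose updates carry no mask advertises a subnet only out an interface with the same mask, and the receiver applies the mask of the interface the update arrived on. The function names are hypothetical; the addresses are taken from the R10 and R5 listings above.

```python
import ipaddress


def major_network(addr):
    """Classful (A/B/C) network that contains addr."""
    first_octet = int(ipaddress.ip_address(addr)) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def advertise(routes, out_if):
    """Entries a classful sender places in an update on out_if.

    The update carries addresses only, never masks.
    """
    if_major = major_network(str(out_if.ip))
    sent = []
    for route in routes:
        net = ipaddress.ip_network(route)
        major = major_network(str(net.network_address))
        if major != if_major:
            # Different major network: summarize at the class boundary.
            entry = str(major.network_address)
        elif net.prefixlen == out_if.network.prefixlen:
            # Same major network, same mask as the interface: sent as is.
            entry = str(net.network_address)
        else:
            # Same major network, different mask: suppressed.
            continue
        if entry not in sent:
            sent.append(entry)
    return sent


def install(entry, in_if):
    """Prefix a classful receiver installs for an entry that arrived on in_if."""
    major = major_network(entry)
    if major != major_network(str(in_if.ip)):
        return major  # foreign major network: classful mask
    candidate = ipaddress.ip_network(
        f"{entry}/{in_if.network.prefixlen}", strict=False)
    if str(candidate.network_address) != entry:
        # Host bits set under the interface mask: treated as a host route.
        return ipaddress.ip_network(f"{entry}/32")
    return candidate


# A few of R10's routes and the interfaces from the configs above.
R10_ROUTES = ["172.16.40.0/29", "172.16.32.0/28", "172.16.10.0/24",
              "172.16.48.0/24", "192.168.26.0/24"]
R10_ETH = ipaddress.ip_interface("172.16.64.10/24")
R10_TUNNEL1 = ipaddress.ip_interface("172.16.81.1/29")
R10_TUNNEL2 = ipaddress.ip_interface("172.16.82.1/28")
R5_TUNNEL1 = ipaddress.ip_interface("172.16.81.2/29")
R5_TUNNEL2 = ipaddress.ip_interface("172.16.82.2/28")

if __name__ == "__main__":
    print("out Ethernet:", advertise(R10_ROUTES, R10_ETH))
    print("out Tunnel1 :", advertise(R10_ROUTES, R10_TUNNEL1))
    print("out Tunnel2 :", advertise(R10_ROUTES, R10_TUNNEL2))
    # The same entry gets a different mask depending on the arrival interface.
    print("40.0 via Tunnel1:", install("172.16.40.0", R5_TUNNEL1))
    print("40.0 via Tunnel2:", install("172.16.40.0", R5_TUNNEL2))
```

With these rules, an entry for 172.16.40.0 that the receiver attributes to Tunnel2 is installed as a /28, which matches the R5 routing table shown in the message.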
RE: RSPAN Problem [7:47493]
Are all the Switch 6000 because No third party or other Cisco switches can be placed in the end-to-end path for RSPAN traffic. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, June 26, 2002 1:28 PM To: [EMAIL PROTECTED] Subject: RSPAN Problem [7:47493] Greetings, I'm using RSPAN with our 65XX switches with 6.3(3) code. When I enable RSPAN between two switches it works fine but, when I try to rspan between three switches it doesn't work. I only see broadcasts from IP and IPX, any ideas??? Two switches: Source Port : Port 9/3-switch A -TRUNK-switch B-7/38 : Destination Port Three Switch: This scenario doesn't work. Source Port : Port 6/10-switch A -TRUNK-switch B-TRUNK--switch C--7/38 : Destination Port Thanks...Nabil I have never let my schooling interfere with my education. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47518t=47493
Can't see all PCs from within Network Neighborhood [7:47519]
What is the most likely cause of not seeing all PCs from within Network Neighborhood? I know this is a common problem, but I just need a real quick refresher on this topic. There is also a WINS server in the network. Thanks, dj Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47519t=47519
Re: Cisco VPN client and NAT [7:47430]
Cool, so the PIX will not support VPN's over PAT !!! So if I had my Main Office PIX, and a VPN Concentrator . could I successfully connect from a remote office via a cable/adsl modem that does PAT using the Cisco VPN software client ??? If so ... and if I had say ... 30 - 40 remote offices, potentially connecting simultaneously would a VPN 3000 be overkill ??? or would I be better getting a VAC for the PIX (would the PIX VAC support VPN's over PAT), or there other VPN concentrators that would do the job Regards ... Paul ... - Original Message - From: Robertson, Douglas To: Sent: Wednesday, June 26, 2002 6:15 PM Subject: RE: Cisco VPN client and NAT [7:47430] In most cases the PIX does not support VPN's over PAT you need a static NAT to establish a VPN tunnel. Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs). An alternative is implemented in some devices like the VPN 3000 Concentrator by encapsulating ESP within UDP and sending it to a negotiated port. Doug -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 11:20 AM To: [EMAIL PROTECTED] Subject: RE: Cisco VPN client and NAT [7:47430] Lidiya, On the pix when you configure Ipsec you configure a pool of addresses that your Ipsec clients will use on your own network. For instance your inside network will have the ip addressing scheme of 192.168.0.0 with a class c subnet mask. You set the pool to give the 10.0.0.0 subnet with a class C subnet mask. Therefore when your clients behind your firewall try to talk to the 10.0.0.0 network they will hit the firewall and be passed to the translation from the pool.
You cannot have any devices in the middle which pat (IE a router which pats the ip address of your pix if your pix is establishing the tunnel) It must be a one to one translation from one end of the tunnel to the other. Everyone feel free to correct me if I'm wrong which I'm sure will be the case. Jason -Original Message- From: Alex Lee [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 3:20 PM To: [EMAIL PROTECTED] Subject: Re: Cisco VPN client and NAT [7:47430] So how does the Linksys or cisco 800 handles the IPSec thru PAT then ? Thanks. Alex Lee Lidiya White wrote in message news:[EMAIL PROTECTED]... PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. It all depends on the device that is between your client and PIX, that is doing PAT. IPSec uses ESP protocol, that doesn't have ports, so how can you perform PAT (port address translation) for a protocol that doesn't understand port concept? Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). So if the router/device that is doing PAT is IPSec aware, then you should be able to pass IPSec through. If not, then you have to make sure that one-to-one address translation happens for your VPN clients, not one-to-many (PAT)... Hope this helps... Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47520t=47430
CCIE written questions [7:47517]
First I have a specific question regarding canonical to non-canonical mac conversion. Given the mac 00b0.d059.8609 (canonical) is the correct conversion 000d.0b9a.6190? Basically, do I understand what I have read? And for the written, is Dennis' Boson #3 a good indicator of preparedness. I have lots of study materials with which I continue to grow more comfortable. Is this practice exam a realistic representation of the written? TIA Scott Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47517t=47517
RE: CID [7:47496]
I just completed the CID exam last week with an 872. I followed the exact advice Andy has given you (thanks for the recommendation Andy and Leigh Ann). I read Top-Down Network Design and it is exceptional (both for the test and for general knowledge). I also used Boson #1 (not great but adequate) and the CCxx Productions CID study guide, which is good. It has a few errors and when you know the material well enough to spot them, you are ready. I studied for 4 days and took the exam. Mainly I did it this way because some of the sources conflicted on information and I decided to see what was on the test and did not really expect to pass. The horror stories about this exam are greatly exaggerated. It is 75 questions in 90 minutes with a 755 to pass. I finished in 22 minutes. There was no more than a couple of basic ATM questions, no Stratacom, and no SNA. No 2 page scenario questions like the DA exam either. Some of the questions are definitely value judgments that you need to know the Cisco answer to get them right. -Original Message- From: sajith nair [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 1:17 PM To: [EMAIL PROTECTED] Subject: CID [7:47496] Hi, Whether anyone attempted CID recently? I am curious whether there are questions from SNA ATM? Thanks. Saj Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47516t=47496
Need help with PIX VPN specs [7:47521]
I am gathering information so I can propose a VPN solution to my company. We are currently using a vendor for VPN and would like to gain more control. Here's what I have so far: PIX running 6.2.1 with 56bit encryption Plan to buy RSA SecureID Ace Server and Keyfobs I plan to purchase the 168-bit 3DES key for the PIX. Cisco recommended using a Cisco ACS server for AAA. Another option I guess is to use a Radius server with access lists. I guess my question is...is anyone using the Cisco ACS server and is this a good solution or should I look at something easier, cheaper, etc? For a complete solution, is the PIX, SecureID items, and something to do authentication all I need? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47521t=47521
RE: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]
1-5 2-4 Worked - thanks guys! Kevin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47522t=47332
IOS firewall feature set for Cisco 2514 [7:47523]
I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't support 25xx series anymore. Can anyone point me in the right direction to get the software. Thanks SM Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47523t=47523
Re: IOS firewall feature set for Cisco 2514 [7:47523]
www.cisco.com It is most certainly still supported and available if you have download privileges. Did you even check? S M wrote in message news:[EMAIL PROTECTED]... I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't support 25xx series anymore. Can anyone point me in the right direction to get the software. Thanks SM Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47524t=47523
Re: Can't see all PCs from within Network Neighborhood [7:47525]
Dimitri, The only way for WINS clients to browse resources across a ROUTED WINS network is to configure your WINS server at each subnet to be Push/Pull replication partners. A small caveat: make sure you are not dealing with layer 2 or 3 issues that may be preventing upper layer services from functioning properly. HTH, Elmer - Original Message - From: dj To: Sent: Wednesday, June 26, 2002 5:56 PM Subject: Can't see all PCs from within Network Neighborhood [7:47519] What is the most likely cause of not seeing all PCs from within Network Neighborhood? I know this is a common problem, but I just need a real quick refresher on this topic. There is also a WINS server in the network. Thanks, dj Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47525t=47525
Re: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]
2-5 1-4 will also work :) Kevin Love wrote in message news:[EMAIL PROTECTED]... 1-5 2-4 Worked - thanks guys! Kevin Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47527t=47332
Re: IOS firewall feature set for Cisco 2514 [7:47523]
Where did you find info that Cisco does not support 25xx series anymore? I have 156 support contracts on 2509, 2511, and 2520's. I also just finished a network wide upgrade of IOS on these same boxes. I am concerned that Cisco just announced this and this leaves me with a serious problem. S M wrote in message news:[EMAIL PROTECTED]... I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't support 25xx series anymore. Can anyone point me in the right direction to get the software. Thanks SM Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47528t=47523
Re: Off Topic - Cisco vis a vis World Com [7:47505]
Cisco is not a Telco, so the wire service is not a valid source for info. I could name at least 12 ILECs that are making profits and have been for many years and this is only just a stagnant time for them. They will be moving forward in another year with huge network expansions. The profitable and low debt companies are not too worried right now. They will just ride the wave and use this time to cut some cost that is long overdue. Just think of all the very large customers that will be fleeing WCOM. Most will head to the nearest ILEC. At first thought is all the government contracts they have. Every government contract, state or federal, usually has provisions for them to null the contract if the company files Bankruptcy or is found to have committed illegal acts. Eric Rogers wrote in message news:[EMAIL PROTECTED]... This is HUGE for Telco in general...With the restatement this company will have actually LOST money for over the past year... Just think about all the IOUs that this company has to all its vendors, we're talking 30 Billion dollars in debt. It looks like bankruptcy is coming soon for this company. What's Cisco's exposure to this? I believe it's fair to say it's large, be it directly or indirectly. This will be the largest bankruptcy in US history, hence world. WorldCom has assets in excess of 105 Billion dollars. Compare this to Enron with 60 Billion dollars. They will be cutting an already planned 16,000 employees this week. Who's next: Qwest? Just follow [EMAIL PROTECTED] I read a couple of weeks ago from one of the wire services that 24 of the 29 major Telcos will go under. The so called safe ones were Bellsouth, Cisco, SBC and some others. I've also picked up off of both Reuters.com and Bloomberg.com that the Telco market is not expected to turn around until maybe late 2003 and will be the last thing to pick up in a revived economy.
Look at all the companies failing in the US and Europe, the drastic slide in the value of the US Dollar against the Euro and the Yen and the fact that 2 million layoffs in the US last year, with 500,000 of those from tech related jobs alone, it should become apparent to even the simplest minds that things will become worse with these scandals coming out. Should the US housing bubble burst kiss this economy good bye for the next five years. - There is already too much surplus equipment out there that it will take years to absorb. And as far as jobs and hiring out in the world, well who's going to quit their job because they didn't get a raise lately?- JMHO :-0 -Eric - Original Message - From: Chuck To: Sent: Wednesday, June 26, 2002 12:31 PM Subject: Off Topic - Cisco vis a vis World Com [7:47505] So far today I have seen no word from Cisco on its exposure to World Com. The other so called players in the networking industry - Redback, Nortel, and Lucent, have all said they have very little on the line with WorldCom. Of course, these are companies with one foot in the grave already. WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to its low of the last year. Maybe Cisco believes nothing needs be said? Maybe Cisco figures they can still sell their stuff through other channels? As an employee of another of Cisco's major customers, maybe this bodes well for me? With WorldCom out of the way, and no longer selling at cost to steal my customers, maybe my own business will pick up? Sheesh, this is scary. Anybody out there know how what used to be UUNet is doing? Viable? Any repercussions through the ISP world? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47526t=47505
RE: Cisco VPN client and NAT [7:47430]
IP Security Through Network Address Translation Support http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/827rlnts/820feat.htm I think Linksys just has an option for a checkmark on IPSec through NAT. -- Lidiya White -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Alex Lee Sent: Wednesday, June 26, 2002 8:20 AM To: [EMAIL PROTECTED] Subject: Re: Cisco VPN client and NAT [7:47430] So how does the Linksys or cisco 800 handles the IPSec thru PAT then ? Thanks. Alex Lee Lidiya White wrote in message news:[EMAIL PROTECTED]... PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. It all depends on the device that is between your client and PIX, that is doing PAT. IPSec uses ESP protocol, that doesn't have ports, so how can you perform PAT (port address translation) for a protocol that doesn't understand port concept? Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). So if the router/device that is doing PAT is IPSec aware, then you should be able to pass IPSec through. If not, then you have to make sure that one-to-one address translation happens for your VPN clients, not one-to-many (PAT)... Hope this helps... Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47529t=47430
RE: Cisco VPN client and NAT [7:47430]
VPN traffic can pass through the PAT, if the device that does PAT is IPSec aware. Remember, that device will only see the encrypted/encapsulated traffic, so the ip header will have ip src: your client's public ip; dst: PIX's outside interface. Doesn't matter what your pool is configured for... It's not just in the theory. From my own experience, I had 3 VPN clients that were behind Cisco 806, that was configured for PAT, simultaneously connecting to the same PIX via VPN and pass traffic. -- Lidiya White -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, June 26, 2002 10:20 AM To: [EMAIL PROTECTED] Subject: RE: Cisco VPN client and NAT [7:47430] Lidiya, On the pix when you configure Ipsec you configure a pool of addresses that your Ipsec clients will use on your own network. For instance your inside network will have the ip addressing scheme of 192.168.0.0 with a class c subnet mask. You set the pool to give the 10.0.0.0 subnet with a class C subnet mask. Therefore when your clients behind your firewall try to talk to the 10.0.0.0 network they will hit the firewall and be passed to the translation from the pool. You cannot have any devices in the middle which pat (IE a router which pats the ip address of your pix if your pix is establishing the tunnel) It must be a one to one translation from one end of the tunnel to the other. Everyone feel free to correct me if I'm wrong which I'm sure will be the case. Jason -Original Message- From: Alex Lee [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 26, 2002 3:20 PM To: [EMAIL PROTECTED] Subject: Re: Cisco VPN client and NAT [7:47430] So how does the Linksys or cisco 800 handles the IPSec thru PAT then ? Thanks. Alex Lee Lidiya White wrote in message news:[EMAIL PROTECTED]... PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do. It all depends on the device that is between your client and PIX, that is doing PAT.
IPSec uses ESP protocol, that doesn't have ports, so how can you perform PAT (port address translation) for a protocol that doesn't understand port concept? Some routers can pass IPSec through the PAT (like Linksys, Cisco 800). So if the router/device that is doing PAT is IPSec aware, then you should be able to pass IPSec through. If not, then you have to make sure that one-to-one address translation happens for your VPN clients, not one-to-many (PAT)... Hope this helps... Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47530t=47430
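Why a port-based PAT cannot carry native ESP but can carry ESP wrapped in UDP, as discussed in this thread; this is an added example, not part of any poster's message. The class and function names, the 192.168.1.x clients, the documentation addresses 203.0.113.1 and 198.51.100.7, the SPI values and UDP port 10000 are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP = 6, 17, 50            # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # absent for ESP: the header has no ports
    dport: Optional[int] = None
    spi: Optional[int] = None        # ESP security parameter index


class PortPat:
    """PAT device that keys every translation on a TCP or UDP port."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}                # (proto, inside ip, inside port) -> public port
        self.back = {}               # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        if pkt.proto not in (TCP, UDP):
            return None              # nothing to rewrite, so no mapping can be made
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        if pkt.proto not in (TCP, UDP):
            return None              # no port to look up the inside host with
        hit = self.back.get((pkt.proto, pkt.dport))
        if hit is None:
            return None
        return replace(pkt, dst=hit[0], dport=hit[1])


def udp_encapsulate(esp, port):
    """Carry an ESP packet inside UDP so a PAT device sees ports."""
    return Packet(UDP, esp.src, esp.dst, sport=port, dport=port, spi=esp.spi)


GATEWAY = "203.0.113.1"              # VPN endpoint (constructed)
PUBLIC = "198.51.100.7"              # PAT device's outside address (constructed)
CLIENTS = {"192.168.1.10": 0x1001, "192.168.1.11": 0x1002}   # inside ip -> SPI


def demo(encap_port=10000):
    pat = PortPat(PUBLIC)
    # Native ESP from both clients, and an ESP reply from the gateway.
    native_out = {ip: pat.outbound(Packet(ESP, ip, GATEWAY, spi=spi))
                  for ip, spi in CLIENTS.items()}
    native_in = pat.inbound(Packet(ESP, GATEWAY, PUBLIC, spi=0x2001))
    # The same ESP packets wrapped in UDP: each client gets its own public port.
    wrapped_out = {ip: pat.outbound(udp_encapsulate(
                       Packet(ESP, ip, GATEWAY, spi=spi), encap_port))
                   for ip, spi in CLIENTS.items()}
    # The gateway answers each translated source port; the PAT maps it back.
    delivered = {}
    for ip, out in wrapped_out.items():
        reply = Packet(UDP, GATEWAY, PUBLIC, sport=encap_port,
                       dport=out.sport, spi=0x2001)
        delivered[ip] = pat.inbound(reply).dst
    return native_out, native_in, wrapped_out, delivered


if __name__ == "__main__":
    for part in demo():
        print(part)
```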
RE: Cisco VPN client and NAT [7:47430]
See inlines

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

Cool, so the PIX will not support VPN's over PAT !!!

If you are talking about passing IPSec through the PIX (not PIX terminating VPN tunnel) then you are correct. PIX has to have a pool of ip addresses for one-to-one NAT for your VPN clients. If you are talking about PIX terminating VPN, then PIX won't even know the difference if the packet went through the PAT/NAT device.

So if I had my Main Office PIX, and a VPN Concentrator . could I successfully connect from a remote office via a cable/adsl modem that does PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)? If yes, then you can terminate VPN tunnels on the VPN Concentrator or the PIX. If not, then you can use VPN Concentrator with IPSec over TCP option. PIX doesn't support IPSec over TCP for now. PIX only listens on udp port 500. -- Lidiya White

If so ... and if I had say ... 30 - 40 remote offices, potentially connecting simultaneously would a VPN 3000 be overkill ??? or would I be better getting a VAC for the PIX (would the PIX VAC support VPN's over PAT), or are there other VPN concentrators that would do the job Regards ... Paul ...

- Original Message -
From: Robertson, Douglas
To:
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]

In most cases the PIX does not support VPN's over PAT you need a static NAT to establish a VPN tunnel. Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs).
An alternative is implemented in some devices like the VPN 3000 Concentrator by encapsulating ESP within UDP and sending it to a negotiated port. Doug

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47531t=47430
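The port-versus-SPI point made in this thread, as an added example (not code from any poster or from Cisco): a simplified PAT table fed constructed packets. The addresses, the `Pat` class, its `esp_passthrough` mode (a device that tracks ESP by remote peer only) and UDP port 10000 standing in for the negotiated port are assumptions made for the illustration.

```python
import socket
import struct

TCP, UDP, ESP = 6, 17, 50      # IP protocol numbers
ENCAP_PORT = 10000             # constructed stand-in for the negotiated UDP port

def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def esp(spi, seq):
    """ESP begins with a 32-bit SPI and a 32-bit sequence number; no ports."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16   # dummy ciphertext

def parse(pkt):
    """Return the fields a translating device can read without any keys."""
    ihl = (pkt[0] & 0x0F) * 4
    f = {"proto": pkt[9], "src": socket.inet_ntoa(pkt[12:16]),
         "dst": socket.inet_ntoa(pkt[16:20]),
         "sport": None, "dport": None, "spi": None}
    l4 = pkt[ihl:]
    if f["proto"] in (TCP, UDP):
        f["sport"], f["dport"] = struct.unpack("!HH", l4[:4])
    elif f["proto"] == ESP:
        (f["spi"],) = struct.unpack("!I", l4[:4])
    return f

class Pat:
    """One-to-many translation keyed on (protocol, port)."""
    def __init__(self, public_ip, esp_passthrough=False, first_port=40000):
        self.public_ip = public_ip
        self.esp_passthrough = esp_passthrough
        self.next_port = first_port
        self.by_inside = {}    # (proto, inside_ip, inside_port) -> public_port
        self.by_public = {}    # (proto, public_port) -> (inside_ip, inside_port)
        self.esp_owner = {}    # remote peer -> the one inside host using ESP to it

    def outbound(self, pkt):
        """Return (public_ip, public_port) or None if it cannot be translated."""
        f = parse(pkt)
        if f["proto"] in (TCP, UDP):
            key = (f["proto"], f["src"], f["sport"])
            if key not in self.by_inside:
                self.by_inside[key] = self.next_port
                self.by_public[(f["proto"], self.next_port)] = (f["src"], f["sport"])
                self.next_port += 1
            return (self.public_ip, self.by_inside[key])
        if f["proto"] == ESP and self.esp_passthrough:
            # No port to rewrite: the only usable key is the remote peer, so a
            # second inside host talking ESP to the same peer cannot be mapped.
            owner = self.esp_owner.setdefault(f["dst"], f["src"])
            return (self.public_ip, None) if owner == f["src"] else None
        return None            # plain PAT: ESP has nothing to key on

    def inbound(self, pkt):
        """Return (inside_ip, inside_port) for a reply, or None."""
        f = parse(pkt)
        if f["proto"] in (TCP, UDP):
            return self.by_public.get((f["proto"], f["dport"]))
        if f["proto"] == ESP and self.esp_passthrough:
            inside = self.esp_owner.get(f["src"])   # the SPI cannot select a host
            return (inside, None) if inside else None
        return None

def demo():
    """Two constructed clients behind one PAT address, one VPN gateway."""
    pub, gw = "198.51.100.1", "203.0.113.10"
    c1, c2 = "192.168.1.10", "192.168.1.11"
    plain, aware = Pat(pub), Pat(pub, esp_passthrough=True)
    r = {}
    r["ike"] = [plain.outbound(ipv4(c, gw, UDP, udp(500, 500))) for c in (c1, c2)]
    r["esp_plain"] = plain.outbound(ipv4(c1, gw, ESP, esp(0x1001, 1)))
    r["esp_udp"] = [plain.outbound(ipv4(c, gw, UDP,
                    udp(ENCAP_PORT, ENCAP_PORT, esp(0x1001 + i, 1))))
                    for i, c in enumerate((c1, c2))]
    r["reply"] = plain.inbound(ipv4(gw, pub, UDP,
                               udp(ENCAP_PORT, 40003, esp(0x2002, 1))))
    r["esp_aware"] = [aware.outbound(ipv4(c, gw, ESP, esp(0x1001 + i, 1)))
                      for i, c in enumerate((c1, c2))]
    r["esp_aware_in"] = aware.inbound(ipv4(gw, pub, ESP, esp(0x2002, 1)))
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

IKE on UDP 500 and UDP-encapsulated ESP get one table entry per client, while native ESP either has no entry at all or collapses onto a single inside host per remote peer.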
RE: IOS firewall feature set for Cisco 2514 [7:47523]
Yes, that's quite bull. Cisco still supports the 2500's. Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Kaberna
Sent: Wednesday, June 26, 2002 6:41 PM
To: [EMAIL PROTECTED]
Subject: Re: IOS firewall feature set for Cisco 2514 [7:47523]

www.cisco.com It is most certainly still supported and available if you have download privileges. Did you even check?

S M wrote in message news:[EMAIL PROTECTED]...

I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't support 25xx series anymore. Can anyone point me in the right direction to get the software. Thanks SM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47532t=47523
Re: DHCP question [7:47477]
At 10:01 AM 6/26/02, [EMAIL PROTECTED] wrote:

Yes. The DHCP packet will be sent out with the source address of the router in the unicast packet.

A router has many IP addresses, however. To make your statement less ambiguous, it's important to state that the router uses the address associated with the interface that the DHCP request came in on.

For example, consider a router that has an Ethernet 0 interface that connects a LAN with DHCP clients on it. Let's say that the LAN is subnet 10.10.10.0/24 and the router's IP address on that LAN (on e0) is 10.10.10.1. There's no DHCP server on the LAN. So on e0, you configure an IP helper address to reach the DHCP server whose address is 172.16.0.2. Let's say network 172.16.0.0/16 is out the router's e1 interface and that the router's IP address on that interface is 172.16.0.1.

The router converts the DHCP broadcast coming in on e0 to a unicast and uses 10.10.10.1 as the IP source address. The router sends this unicast out e1. The router also puts the 10.10.10.1 IP address in the GIADDR field in the DHCP request. In fact, that's actually what the DHCP server looks at. I don't think the DHCP RFC requires the server to look at the source IP address. The RFC does say, however, that a BOOTP Relay Agent must put its IP address in the GIADDR field. The relay agent must fill this field with the IP address of the interface on which the request was received. That's how the server knows which scope to use.

Priscilla

Eric Lange dimitri@ptsci nti.com To: [EMAIL PROTECTED] Sent by: cc: nobody@groupsSubject: DHCP question [7:47477] tudy.com 06/26/2002 08:39 AM Please respond to dimitri

Let's assume a Win2k DHCP server is set up correctly with different IP scopes for 2 remote sites. Let's also assume remote-site routers are set up correctly with the correct IP helper-address. When remote DHCP clients start broadcasting for IP addresses at each remote site, and these broadcasts are then forwarded by the remote-site routers as unicast packets to the DHCP server, how does the DHCP server know from which scope of IP address to fulfill a DHCP client request for a given remote site? Is the information embedded within the DHCP packet itself? thanks dj

Priscilla Oppenheimer http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47533t=47477
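The relay and scope selection described in the message above, as an added example (not code from the post or from any DHCP product). Only 10.10.10.0/24, 10.10.10.1, 172.16.0.1, 172.16.0.2 and 172.16.0.0/16 come from the message; the second site, the client MAC, the function names and the hop limit are assumptions.

```python
import ipaddress
import struct

# Fixed BOOTP header: op htype hlen hops xid secs flags
#                     ciaddr yiaddr siaddr giaddr chaddr sname file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)      # 236 bytes
MAGIC = b"\x63\x82\x53\x63"                 # DHCP magic cookie
HOPS = 3                                    # byte offset of the hops field
GIADDR = slice(24, 28)                      # byte range of the giaddr field
ZERO = b"\x00" * 4

def discover(xid, mac):
    """Client broadcast: BOOTREQUEST with giaddr still 0.0.0.0."""
    fixed = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                        ZERO, ZERO, ZERO, ZERO, mac, b"", b"")
    return fixed + MAGIC + bytes([53, 1, 1, 255])   # option 53 = DISCOVER, end

def relay(pkt, rx_if_ip, max_hops=16):
    """What the helper-address router does before unicasting to the server.

    rx_if_ip is the address of the interface the broadcast arrived on
    (e0 = 10.10.10.1 in the message), not the interface it leaves by.
    max_hops is an assumed limit for this example.
    """
    if len(pkt) < BOOTP_LEN or pkt[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    buf = bytearray(pkt)
    if buf[HOPS] >= max_hops:
        return None                          # drop instead of forwarding again
    buf[HOPS] += 1
    if bytes(buf[GIADDR]) == ZERO:           # only the first relay fills it in
        buf[GIADDR] = ipaddress.IPv4Address(rx_if_ip).packed
    return bytes(buf)

def select_scope(pkt, scopes, rx_if_ip=None):
    """Server side: choose the scope whose subnet contains giaddr.

    The IP source address of the unicast is never consulted. With giaddr
    0.0.0.0 the request was not relayed, so the server falls back to the
    address of its own receiving interface (rx_if_ip) if one is given.
    """
    if len(pkt) < BOOTP_LEN:
        raise ValueError("truncated BOOTP message")
    gi = bytes(pkt[GIADDR])
    if gi != ZERO:
        anchor = ipaddress.IPv4Address(gi)
    elif rx_if_ip is not None:
        anchor = ipaddress.IPv4Address(rx_if_ip)
    else:
        return None
    for name, subnet in scopes.items():
        if anchor in ipaddress.ip_network(subnet):
            return name
    return None                              # no scope for that subnet: no offer

# Scopes on the server; "site-b" is constructed for the two-site case.
SCOPES = {
    "site-a": "10.10.10.0/24",
    "site-b": "10.20.20.0/24",
    "server-lan": "172.16.0.0/16",
}

if __name__ == "__main__":
    req = discover(0x3903F326, bytes.fromhex("020000000001"))  # constructed MAC
    for rx in ("10.10.10.1", "10.20.20.1"):
        relayed = relay(req, rx)
        print(rx, "->", select_scope(relayed, SCOPES))
```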
Fwd: RE: ISDN Gurus HElp! [7:47353]
Hallo Pierre-Alex Guanel, Below attached the show isdn status. Please find my configuration file. Please check if I've wrong to configure it. Once the remote router restart, the ISDN can connect to HQ(isdnkotaconnect.txt) Thank YOu for helping me ^-^ HATO From: Pierre-Alex Guanel Reply-To: Pierre-Alex Guanel To: [EMAIL PROTECTED] Subject: RE: ISDN Gurus HElp! [7:47353] Date: Tue, 25 Jun 2002 09:29:01 -0400 Please send us the output of show isdn status on that router. Thanks, Pierre-Alex _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx sh isdn st Global ISDN Switchtype = basic-net3 ISDN BRI1/0 interface dsl 8, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 8 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN BRI1/1 interface dsl 9, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 9 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN BRI1/2 interface dsl 10, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 10 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN BRI1/3 interface dsl 11, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: TEI = 64, Ces = 1, SAPI = 0, State = TEI_ASSIGNED Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 11 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN BRI1/4 interface dsl 12, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: TEI = 96, Ces = 1, SAPI = 0, State = TEI_ASSIGNED Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 12 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN 
BRI1/5 interface dsl 13, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: Layer 2 NOT Activated Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 13 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN BRI1/6 interface dsl 14, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: Layer 2 NOT Activated Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 14 CCBs = 0 The Free Channel Mask: 0x8003 --More-- ISDN BRI1/7 interface dsl 15, interface ISDN Switchtype = basic-net3 Layer 1 Status: DEACTIVATED Layer 2 Status: Layer 2 NOT Activated Layer 3 Status: 0 Active Layer 3 Call(s) Activated dsl 15 CCBs = 0 The Free Channel Mask: 0x8003 --More-- Total Allocated ISDN CCBs = 0 010_RO_01# [GroupStudy.com removed an attachment of type application/msword which had a name of FR and ISDN Backup.doc] 01:03:240518168576: Found idle channel B1 01:03:240518168576: CC_CHAN_GetIdleChanbri: dsl 12 01:03:240518168576: Found idle channel B1 01:03:242684896268: ISDN BR1/0: received HOST_PROCEEDING call_id 0x806D 01:03:240518168576: ISDN BR1/2: received HOST_PROCEEDING call_id 0x806F 01:03:240518168576: ISDN BR1/3: received HOST_INFORMATION call_id 0x8070 01:03:240518168576: ISDN Event: dsl 11 call_id 0x8070 B channel assigned by switch 0 ISDN BR1/4: received HOST_INFORMATION call_id 0x8071 01:03:240518168576: ISDN Event: dsl 12 call_id 0x8071 B channel assigned by switch 0 ISDN BR1/0: received HOST_DISCONNECT call_id 0x806D 01:03:240518168576: ISDN BR1/0: Event: Call to 28600056 was hung up. 01:03:242684896140: ISDN BR1/0: process_disc_ack(): call id 0x806D, ces 1, call type DATA 01:03:242684896520: ISDN BR1/0: received HOST_DISCONNECT_ACK call_id 0x806D 01:03:240518168576: ISDN BR1/0: HOST_DISCONNECT_ACK: call type is DATA 01:03:246979863564: ISDN BR1/2: received HOST_DISCONNECT call_id 0x806F 01:03:244813135872: ISDN BR1/2: Event: Call to 26500071 was hung up. 
01:03:246979863436: ISDN BR1/2: process_disc_ack(): call id 0x806F, ces 1, call type DATA 01:03:246979863816: ISDN BR1/2: received HOST_DISCONNECT_ACK call_id 0x806F 01:03:244813135872: ISDN BR1/2: HOST_DISCONNECT_ACK: call type is DATA 01:03:244813135872: ISDN BR1/1: Activating
Wireless Training [7:47535]
Group- Besides Cisco wireless related training, could anyone give me some feedback on any wireless training courses anyone might have taken? I know about various training centers, like www.trainingwireless.com and others, but I would like to know about engineers' experiences at these courses and which ones people are recommending. Thanks! Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47535t=47535
RE: CCIE written questions [7:47517]
00b0.d059.8609
1011 1101 0101 1001 1000 0110 1001
1101 1011 1001 1010 0110 0001 1001
000d.0b9a.6190

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47537t=47517
RE: IOS firewall feature set for Cisco 2514 [7:47523]
No Rick that guy is MOST mistaken some of the 2500 series has been EOS'd. However cisco is pledging software support until 2005. Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick
Sent: Wednesday, June 26, 2002 8:31 PM
To: [EMAIL PROTECTED]
Subject: Re: IOS firewall feature set for Cisco 2514 [7:47523]

Where did you find info that Cisco does not support 25xx series anymore? I have 156 support contracts on 2509, 2511, and 2520's. I also just finished a network wide upgrade of IOS on these same boxes. I am concerned that Cisco just announced this and this leaves me with a serious problem.

S M wrote in message news:[EMAIL PROTECTED]...

I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't support 25xx series anymore. Can anyone point me in the right direction to get the software. Thanks SM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47536t=47523
RE: CID [7:47496]
ATM is there... no appletalk or SNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47538t=47496
Re: PBR [7:47463]
Thanks I got info from somewhere else that if the next-hop IP address is not reachable, then BAD luck, it won't go to next policy. You can though set 2 next-hops, if one fails, it will then use the next one. eg;

route-map dummy permit 10
 match ip address 1
 set ip next-hop 1.1.1.1 2.2.2.2

Steven A. Ridder wrote in message news:[EMAIL PROTECTED]...

I think if it knows that the destination is down, it will use the next route in the regular routing table, but I'm not sure. Try it in a lab, as it's a good question.

piesupport wrote in message news:[EMAIL PROTECTED]...

I have enabled PBR on one of my interfaces of 7513, which decides on the basis of source IP block and chooses the next hop. My question is what will happen if the next hop is unavailable (down). Will it go to the alternate hop as decided by BGP (I am running BGP, OSPF in my network) and next hops are EBGP peers? Regards Raza Bhutta

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47539t=47463
RE: Cisco VPN client and NAT [7:47430]
Lidiya, I didn't try PIX, but I tried a 1605: Main office 3030---Internet---1605---VPN clients. It worked fine. 1605 was configured PAT inside. Does this mean 1650 is IPSec aware? If 1605 is IPSec aware, why PIX isn't? Thanks. Yoshi

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lidiya White
Sent: Wednesday, June 26, 2002 7:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47540t=47430
ISDN Lab Tips [7:47541]
Hi, all. Here's a link that might be helpful in clearing up some issues that might arise in the ISDN part of the lab. http://www.cisco.com/warp/public/129/bri_invalid_spid.html Regards, Elmer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47541t=47541
RE: Cisco VPN client and NAT [7:47430]
I bet you were using IPSec over TCP. Then it really doesn't matter what is in the 'middle'. Your Cisco 1605 will see only tcp traffic, not esp. Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of supernet
Sent: Wednesday, June 26, 2002 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya, I didn't try PIX, but I tried a 1605: Main office 3030---Internet---1605---VPN clients. It worked fine. 1605 was configured PAT inside. Does this mean 1650 is IPSec aware? If 1605 is IPSec aware, why PIX isn't? Thanks. Yoshi
Re: Off Topic - Cisco vis a vis World Com [7:47543]
Comments Inline: Cisco is not a Telco, so the wire service is not a valid source for info. --You might want to talk to Chambers and Wall $treet about that. Service Provider, manufacturer they're all in the same financial boat. Just look at the 18% drop in Juniper stock today off the news of WorldCom. I could name at least 12 ILEC's that are making profits and have been for many years and this is only just a stagnant time for them. They will be moving forward in another year with huge network expansions. --LOL!There's so much damn capacity now it's sickening. There's half a dozen empty Colo's here in San Francisco alone. Cogentco is dumping 100meg garbage links for a $1000 a month. (Now only if they had decent peering.) The profitable and low debt companies are not too worried right now. --Doesn't that translate into Fat and Lazy. Jack be nimble, Jack be quick, Jack just stole the competitors client base. they will just ride the wave and use this time to cut some cost that is long over due. ---This is called Piss down economics. 2,000,000 people and counting. just think of all the very large customers that will be fleeing WCOM. Most will head to the nearest ILEC. ---I think that most customers will look seriously at how much bandwidth they really need and dumping the excess if possible. At first thought is all the government contracts they have. Every government contract, state or federal, usually has provisions for them to null the contract if the company files Bankruptcy or is found to have committed illegal acts. Tax Bailout! Politicians rank high on the intelligence level, right up there with my toilet bowl. Look at the current California electrical power situation where the Governor locked this state into paying billions of dollars more than it should have for years to come. -EricRemember: Advice is worth only what you pay for it. Eric Rogers wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... 
This is HUGE for Telco in general...With the restatement this company will have actually LOST money for over the past year... Just think about all the IOU's that this company has to all it's vendor's, we're talking 30 Billion dollars in debt. It look's like bankruptcy is coming soon for this company. What's Cisco's exposure to this? I believe it's fair to say it's large, be it directly or indirectly. This will be the largest bankruptcy in US history, hence world. WorldCom has assets in excess of 105 Billion dollars. Compare this to Enron with 60 Billion dollars. They will be cutting an already planned 16,000 employee's this week. Who's next: Qwest? Just follow [EMAIL PROTECTED] I read a couple of week's ago from one of the wire services that 24 of the 29 major Telco's will go under. The so called safe one's where Bellsouth, Cisco, SBC and some others. I've also picked up off of both Reuters.com and Bloomberg.com that the Telco market is not expected to turn around until maybe late 2003 and will be the last thing to pick up in a revived economy. Look at all the companies failing in the US and Europe, the drastic slide in the value of the US Dollar against the Euro and the Yen and the fact that 2 million layoff's in the US last year, with 500,000 of those from tech related jobs alone, it should become apparent to even the simplest minds that things will become worse with these scandals coming out. Should the US housing bubble burst kiss this economy good bye for the next five years. - There is already too much surplus equipment out there that it will take years to absorb. And as far as jobs and hiring out in the world, well who's going to quit there job because they didn't get a raise lately?- JMHO :-0 -Eric - Original Message - From: Chuck To: Sent: Wednesday, June 26, 2002 12:31 PM Subject: Off Topic - Cisco vis a vis World Com [7:47505] So far today I have seen no word from Cisco on its exposure to World Com. 
the other so called players in the networking industry - Redback, Nortel, and Lucent, have all said they have very little on the line with WorldCom. Of course, these are companies with one foot in the grave already. WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to it's low of the last year. Maybe Cisco believes nothing needs be said? Maybe Cisco figures they can still sell their stuff through other channels? As an employee of another of Cisco's major customers, maybe this bodes well for me? with WorldCom out of the way, and no longer selling at cost to steal my customers, maybe my own business will pick up? Sheesh, this is scary. Anybody out there know how what used to be UUNet is doing? Viable? Any repercussions through the ISP world? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47543t=47543 -- FAQ, list archives, and subscription info:
Fwd: RE: ISDN Gurus HElp! [7:47353]
Hello Pierre-Alex Guanel,

Attached below is the show isdn status output. Please find my configuration file. Please check whether I have configured it wrongly. Once the remote router restarts, the ISDN can connect to HQ (isdnkotaconnect.txt).

Thank you for helping me ^-^
HATO

From: Pierre-Alex Guanel
Reply-To: Pierre-Alex Guanel
To: [EMAIL PROTECTED]
Subject: RE: ISDN Gurus HElp! [7:47353]
Date: Tue, 25 Jun 2002 09:29:01 -0400

Please send us the output of show isdn status on that router.

Thanks,
Pierre-Alex

sh isdn st
Global ISDN Switchtype = basic-net3
ISDN BRI1/0 interface
  dsl 8, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 8 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/1 interface
  dsl 9, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 9 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/2 interface
  dsl 10, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 10 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/3 interface
  dsl 11, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    TEI = 64, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 11 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/4 interface
  dsl 12, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    TEI = 96, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 12 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/5 interface
  dsl 13, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    Layer 2 NOT Activated
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 13 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/6 interface
  dsl 14, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    Layer 2 NOT Activated
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 14 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
ISDN BRI1/7 interface
  dsl 15, interface ISDN Switchtype = basic-net3
  Layer 1 Status:
    DEACTIVATED
  Layer 2 Status:
    Layer 2 NOT Activated
  Layer 3 Status:
    0 Active Layer 3 Call(s)
  Activated dsl 15 CCBs = 0
  The Free Channel Mask: 0x8003
--More--
Total Allocated ISDN CCBs = 0
010_RO_01#

[GroupStudy.com removed an attachment of type application/msword which had a name of FR and ISDN Backup.doc]

01:03:240518168576: Found idle channel B1
01:03:240518168576: CC_CHAN_GetIdleChanbri: dsl 12
01:03:240518168576: Found idle channel B1
01:03:242684896268: ISDN BR1/0: received HOST_PROCEEDING call_id 0x806D
01:03:240518168576: ISDN BR1/2: received HOST_PROCEEDING call_id 0x806F
01:03:240518168576: ISDN BR1/3: received HOST_INFORMATION call_id 0x8070
01:03:240518168576: ISDN Event: dsl 11 call_id 0x8070 B channel assigned by switch 0
ISDN BR1/4: received HOST_INFORMATION call_id 0x8071
01:03:240518168576: ISDN Event: dsl 12 call_id 0x8071 B channel assigned by switch 0
ISDN BR1/0: received HOST_DISCONNECT call_id 0x806D
01:03:240518168576: ISDN BR1/0: Event: Call to 28600056 was hung up.
01:03:242684896140: ISDN BR1/0: process_disc_ack(): call id 0x806D, ces 1, call type DATA
01:03:242684896520: ISDN BR1/0: received HOST_DISCONNECT_ACK call_id 0x806D
01:03:240518168576: ISDN BR1/0: HOST_DISCONNECT_ACK: call type is DATA
01:03:246979863564: ISDN BR1/2: received HOST_DISCONNECT call_id 0x806F
01:03:244813135872: ISDN BR1/2: Event: Call to 26500071 was hung up.
01:03:246979863436: ISDN BR1/2: process_disc_ack(): call id 0x806F, ces 1, call type DATA
01:03:246979863816: ISDN BR1/2: received HOST_DISCONNECT_ACK call_id 0x806F
01:03:244813135872: ISDN BR1/2: HOST_DISCONNECT_ACK: call type is DATA
01:03:244813135872: ISDN BR1/1: Activating
01:03:59: ISDN BR1/0: Outgoing call id =
RE: Cisco VPN client and NAT [7:47430]
My clients use IPSec over UDP, not TCP. We do have to enable Allow IPSec through NAT on clients. I guess it's the same thing you were talking about, right?

Thanks.
Yoshi

-Original Message-
From: Lidiya White [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 9:56 PM
To: 'supernet'; [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

I bet you were using IPSec over TCP. Then it really doesn't matter what is in the 'middle'. Your Cisco 1605 will see only tcp traffic, not esp. Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of supernet
Sent: Wednesday, June 26, 2002 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

I didn't try PIX, but I tried a 1605:

Main office 3030---Internet---1605---VPN clients.

It worked fine. 1605 was configured PAT inside. Does this mean 1650 is IPSec aware? If 1605 is IPSec aware, why isn't PIX?

Thanks.
Yoshi

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lidiya White
Sent: Wednesday, June 26, 2002 7:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

See inlines

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

Cool, so the PIX will not support VPNs over PAT !!!

If you are talking about passing IPSec through the PIX (not PIX terminating VPN tunnel) then you are correct. PIX has to have a pool of ip addresses for one-to-one NAT for your VPN clients. If you are talking about PIX terminating VPN, then PIX won't even know the difference if the packet went through the PAT/NAT device.

So if I had my Main Office PIX, and a VPN Concentrator ... could I successfully connect from a remote office via a cable/adsl modem that does PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)? If yes, then you can terminate VPN tunnels on the VPN Concentrator or the PIX. If not, then you can use VPN Concentrator with IPSec over TCP option. PIX doesn't support IPSec over TCP for now. PIX only listens on udp port 500.

-- Lidiya White

If so ... and if I had say ... 30 - 40 remote offices, potentially connecting simultaneously would a VPN 3000 be overkill ??? or would I be better getting a VAC for the PIX (would the PIX VAC support VPNs over PAT), or are there other VPN concentrators that would do the job

Regards ... Paul ...

- Original Message -
From: Robertson, Douglas
To:
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]

In most cases the PIX does not support VPNs over PAT; you need a static NAT to establish a VPN tunnel. Protocol 50 (Encapsulating Security Payload [ESP]) handles the encrypted/encapsulated packets of IPSec. PAT devices don't work with ESP since they have been programmed to work only with Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP). In addition, PAT devices are unable to map multiple security parameter indexes (SPIs). An alternative is implemented in some devices like the VPN 3000 Concentrator by encapsulating ESP within UDP and sending it to a negotiated port.

Doug

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

On the PIX, when you configure IPSec you configure a pool of addresses that your IPSec clients will use on your own network. For instance your inside network will have the ip addressing scheme of 192.168.0.0 with a class C subnet mask. You set the pool to give the 10.0.0.0 subnet with a class C subnet mask. Therefore when your clients behind your firewall try to talk to the 10.0.0.0 network they will hit the firewall and be passed to the translation from the pool. You cannot have any devices in the middle which PAT (i.e. a router which PATs the ip address of your PIX if your PIX is establishing the tunnel). It must be a one to one translation from one end of the tunnel to the other.

Everyone feel free to correct me if I'm wrong which I'm sure will be the case.

Jason

-Original Message-
From: Alex Lee [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?

Thanks.
Alex Lee

Lidiya White wrote in message news:[EMAIL PROTECTED]...

PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
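
The PAT limitation discussed in this thread, as an added example that is not part of any poster's message: a port-only translator modelled in Python, with two VPN clients behind it sending raw ESP and then ESP wrapped in UDP. The class and function names, the addresses and UDP port 10000 are all constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP = 6, 17, 50  # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # ESP carries an SPI, not ports
    dport: Optional[int] = None
    spi: Optional[int] = None

class PatDevice:
    """Hypothetical port-only translator (TCP/UDP; ICMP left out for brevity)."""
    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip, self.next_port = public_ip, first_port
        self.out_map = {}  # (proto, inside ip, inside port) -> public port
        self.in_map = {}   # (proto, public port) -> (inside ip, inside port)

    def outbound(self, p: Packet) -> Optional[Packet]:
        if p.proto not in (TCP, UDP):
            return None  # no port field to rewrite, so no mapping can be built
        key = (p.proto, p.src, p.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(p.proto, self.next_port)] = (p.src, p.sport)
            self.next_port += 1
        return replace(p, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        inside = self.in_map.get((p.proto, p.dport))
        if inside is None:
            return None  # nothing says which inside host this belongs to
        return replace(p, dst=inside[0], dport=inside[1])

def udp_encapsulate(esp: Packet, port: int) -> Packet:
    """Wrap ESP in UDP so the translator has ports to work with."""
    return replace(esp, proto=UDP, sport=port, dport=port)

def demo():
    pat, hq = PatDevice("192.0.2.1"), "198.51.100.10"  # constructed addresses
    clients = [Packet(ESP, "192.168.0.11", hq, spi=0x1001),
               Packet(ESP, "192.168.0.12", hq, spi=0x2002)]
    raw = [pat.outbound(p) for p in clients]
    wrapped = [pat.outbound(udp_encapsulate(p, 10000)) for p in clients]
    # Replies from the head end, addressed to the public ip and mapped port
    replies = [pat.inbound(Packet(UDP, hq, pat.public_ip, 10000, w.sport, w.spi))
               for w in wrapped]
    return raw, wrapped, replies
```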