RE: IGRP Routes - Classless Networks with Tunnels [7:47415]

2002-06-26 Thread Magondo, Michael

Ed

Sorry, I've just reread the title. Maybe I need more coffee. It's IGRP.

Mike


-Original Message-
From: Ed [mailto:[EMAIL PROTECTED]] 
Sent: 25 June 2002 08:56 PM
To: [EMAIL PROTECTED]
Subject: IGRP Routes - Classless Networks with Tunnels [7:47415]

How feasible is this, and has anyone tried it?

R1 is connected to R2... in my case, it is an Ethernet link.
The link is on the 172.16.64.0 network with a 24 bit mask.

R1 has several subnets in the 172.16 major network, but with different
masks.  In my case, 24,  28 and 29 bit masks.

R2 sees all of the networks with the 24 bit masks, but drops the networks
with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of
SUMMARIZATION.

If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit
mask the networks with the 29 bit masks show on R2.

As soon as I create the second tunnel to take care of the 28 bit masks, the
/29 routes disappear and the /28 doesn't make it.

On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work?  Am I missing something?
Again, the goal is to get the networks with the specified subnet to appear
on R2 without summarization. Comments are appreciated.

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47471t=47415
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: IGRP Routes - Classless Networks with Tunnels [7:47415]

2002-06-26 Thread Magondo, Michael

Ed

Here is my understanding of this. The 28 and 29 bit subnets will be auto
summarized by one of the 24 bit subnets in your routing table when you
are using a 24 bit mask between the two routers. I believe this is the
expected operation of IGRP as it is a classful routing protocol and
will auto summarize. To achieve what you want maybe the use of EIGRP
with auto summarization turned off and specifying manual summarization
of a 29 bit mask for the outgoing interface of R1 will work.

That's my 5cents worth, please correct me if I'm lost guys.

Mike

p.s. I've had that coffee now..


-Original Message-
From: Ed [mailto:[EMAIL PROTECTED]] 
Sent: 25 June 2002 08:56 PM
To: [EMAIL PROTECTED]
Subject: IGRP Routes - Classless Networks with Tunnels [7:47415]

How feasible is this, and has anyone tried it?

R1 is connected to R2... in my case, it is an Ethernet link.
The link is on the 172.16.64.0 network with a 24 bit mask.

R1 has several subnets in the 172.16 major network, but with different
masks.  In my case, 24,  28 and 29 bit masks.

R2 sees all of the networks with the 24 bit masks, but drops the networks
with the odd masks. Basic classful rules observed.

The goal is to get the 28 and 29 bit masks to R2 WITHOUT the use of
SUMMARIZATION.

If I create a tunnel between R1 and R2 with a subnet of 172.16.81.0 29 bit
mask the networks with the 29 bit masks show on R2.

As soon as I create the second tunnel to take care of the 28 bit masks, the
/29 routes disappear and the /28 doesn't make it.

On R2, I am making the tunnels passive to prevent loops.

Shouldn't this work?  Am I missing something?
Again, the goal is to get the networks with the specified subnet to appear
on R2 without summarization. Comments are appreciated.

Ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47472t=47415
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
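
The classful advertisement rule behind the behaviour discussed in this thread, as an added example that is not from any poster: a classful protocol such as IGRP or RIPv1 carries no mask in its updates, so a subnet is only sent out an interface in the same major network when its mask equals that interface's mask. The 172.16.64.0/24 link and the 172.16.81.0/29 tunnel come from Ed's post; the other subnets and all function names are constructed for illustration.

```python
import ipaddress


def major_network(net):
    """Class A/B/C network that contains `net` (the classful boundary)."""
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{net} is not a class A, B or C network")
    return ipaddress.ip_network(f"{net.network_address}/{prefix}", strict=False)


def advertise(route, out_iface):
    """Address a classful sender puts in an update, or None if suppressed.

    Split horizon and metrics are not modelled; only the mask rule is.
    """
    if major_network(route) != major_network(out_iface):
        # Crossing a major-network boundary: only the classful summary goes out.
        return str(major_network(route).network_address)
    if route.prefixlen == out_iface.prefixlen:
        # Same major network, same mask: the subnet is sent (without a mask).
        return str(route.network_address)
    # Same major network, different mask: the update cannot express it.
    return None


def receive(address, in_iface):
    """Mask the receiver assumes for an address that arrived without one."""
    major = major_network(ipaddress.ip_network(f"{address}/32"))
    if major == major_network(in_iface):
        prefix = in_iface.prefixlen      # borrow the receiving interface's mask
    else:
        prefix = major.prefixlen         # fall back to the classful mask
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def seen_by_neighbor(routes, link):
    """Routes the neighbour installs after one update over `link`."""
    learned = []
    for route in routes:
        sent = advertise(route, link)
        if sent is not None:
            learned.append(str(receive(sent, link)))
    return learned


# Constructed routing table for R1: one /24, one /28, one /29, one foreign net.
R1_ROUTES = [ipaddress.ip_network(n) for n in (
    "172.16.65.0/24", "172.16.70.16/28", "172.16.80.8/29", "10.1.1.0/24")]
ETHERNET = ipaddress.ip_network("172.16.64.0/24")    # link from Ed's post
TUNNEL_29 = ipaddress.ip_network("172.16.81.0/29")   # tunnel from Ed's post

if __name__ == "__main__":
    print("over Ethernet /24:", seen_by_neighbor(R1_ROUTES, ETHERNET))
    print("over tunnel   /29:", seen_by_neighbor(R1_ROUTES, TUNNEL_29))
```
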



Re: Carrier Guidance [7:47473]

2002-06-26 Thread Johnny Routin

Oracle and programming are the areas with huge demand at the moment.

JR



TV IT Helpdesk wrote in message
news:[EMAIL PROTECTED]...
 Hi Friends,

 I am having MCSE, CCNA  CCNP certification with around 6 years
 experience in networking. After seeing slump in IT. I am little scared
 about my future and want to do some certification which ensure my job
 stability.

 Request you guys to suggest me something which certification I should do
 and why?

 Thanks in advance for your valuable suggestion.

 M. Sathyanarayan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47475t=47473



Re: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Alex Lee

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?
Thanks.

 Alex Lee

Lidiya White  wrote in message
news:[EMAIL PROTECTED]...
 PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
 It all depends on the device that is between your client and PIX, that
 is doing PAT.
 IPSec uses ESP protocol, that doesn't have ports, so how can you perform
 PAT (port address translation) for a protocol that doesn't understand
 port concept?
 Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
 So if the router/device that is doing PAT is IPSec aware, then you
 should be able to pass IPSec through. If not, then you have to make sure
 that one-to-one address translation happens for your VPN clients, not
 one-to-many (PAT)...
 Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47476t=47430



DHCP question [7:47477]

2002-06-26 Thread dj

Let's assume a Win2k DHCP server is set up correctly with different IP
scopes for 2 remote sites.  Let's also assume remote-site routers are
set-up correctly with the correct IP helper-address.  When remote DHCP
clients start broadcasting for IP addresses at each remote site, and
these broadcasts are then forwarded by the remote-site routers as
unicast packets to the DHCP server, how does the DHCP server know from
which scope of IP address to fulfill a DHCP client request for a given
remote site?  Is the information embedded within the DHCP packet itself?

thanks
dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47477t=47477



Re: DHCP question [7:47477]

2002-06-26 Thread [EMAIL PROTECTED]

Yes. The DHCP packet will be sent out with the source address of the router
in the unicast packet.

Eric Lange



   

   
dimitri@ptscinti.com
Sent by: nobody@groupstudy.com
To: [EMAIL PROTECTED]
cc:
Subject: DHCP question [7:47477]
06/26/2002 08:39 AM
Please respond to dimitri
   

   





Let's assume a Win2k DHCP server is set up correctly with different IP
scopes for 2 remote sites.  Let's also assume remote-site routers are
set-up correctly with the correct IP helper-address.  When remote DHCP
clients start broadcasting for IP addresses at each remote site, and
these broadcasts are then forwarded by the remote-site routers as
unicast packets to the DHCP server, how does the DHCP server know from
which scope of IP address to fulfill a DHCP client request for a given
remote site?  Is the information embedded within the DHCP packet itself?

thanks
dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47478t=47477



Re: Devices serial ports [7:47465]

2002-06-26 Thread Chuck

you would need an L2 device of some kind. might want to look through

www.kentrox.com   or   www.adtran.com

see what they have to offer.

come to think of it, such devices would solve a number of problems.



piesupport  wrote in message
news:[EMAIL PROTECTED]...
 Can anyone tell me device which can be connected to V.35 port of a router
 and link to two alternate medias i.e. DTU and radio modem. Main path should be
 DTU (Copper link) and on failure should sense radio link.

 Thanks
 Raza




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47481t=47465



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread

Lidiya,

On the pix when you configure Ipsec you configure a pool of addresses that
your Ipsec clients will use on your own network.  For instance your inside
network will have the ip addressing scheme of 192.168.0.0 with a class c
subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
subnet mask. Therefore when your clients behind your firewall try to
talk to the 10.0.0.0 network they will hit the firewall and be passed to the
translation from the pool.  You cannot have any devices in the middle which
pat (IE a router which pats the ip address of your pix if your pix is
establishing the tunnel) It must be a one to one translation from one end of
the tunnel to the other.  Everyone feel free to correct me if I'm wrong
which I'm sure will be the case.

Jason

-Original Message-
From: Alex Lee [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?
Thanks.

 Alex Lee

Lidiya White  wrote in message
news:[EMAIL PROTECTED]...
 PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
 It all depends on the device that is between your client and PIX, that
 is doing PAT.
 IPSec uses ESP protocol, that doesn't have ports, so how can you perform
 PAT (port address translation) for a protocol that doesn't understand
 port concept?
 Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
 So if the router/device that is doing PAT is IPSec aware, then you
 should be able to pass IPSec through. If not, then you have to make sure
 that one-to-one address translation happens for your VPN clients, not
 one-to-many (PAT)...
 Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47482t=47430



CCIE Security LAB Equipment [7:47484]

2002-06-26 Thread Fer Saldaña del Castillo

Hi,

Does anybody know what equipment I should have on the rack for CCIE Security
and CCIE Communications and Services Lab exam?

Thank you




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47484t=47484



Re: DHCP question [7:47477]

2002-06-26 Thread Kevin Banifaz

Yes it will be.  Setup a super scope then the two remote site scopes.

From: dj 
Reply-To: dj 
To: [EMAIL PROTECTED]
Subject: DHCP question [7:47477]
Date: Wed, 26 Jun 2002 09:39:31 -0400

Let's assume a Win2k DHCP server is set up correctly with different IP
scopes for 2 remote sites.  Let's also assume remote-site routers are
set-up correctly with the correct IP helper-address.  When remote DHCP
clients start broadcasting for IP addresses at each remote site, and
these broadcasts are then forwarded by the remote-site routers as
unicast packets to the DHCP server, how does the DHCP server know from
which scope of IP address to fulfill a DHCP client request for a given
remote site?  Is the information embedded within the DHCP packet itself?

thanks
dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47487t=47477
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
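
How a DHCP server can tell the remote sites apart, as an added example that is not from any poster in this thread: under RFC 2131 the relay agent writes the address of the interface that heard the client's broadcast into the `giaddr` field of the DHCP message, and the server matches `giaddr` against its scopes. The addresses, scope names, MAC address and function names below are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Fixed BOOTP/DHCP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file  (236 bytes).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
ZERO_IP = b"\x00" * 4


def build_discover(mac, xid):
    """Client broadcast: giaddr is zero because no relay has touched it yet."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         ZERO_IP, ZERO_IP, ZERO_IP, ZERO_IP,
                         mac, b"", b"")
    # Option 53 (message type) = 1 (DISCOVER), then option 255 (end).
    return header + MAGIC_COOKIE + bytes([53, 1, 1, 255])


def relay(packet, receiving_iface_ip):
    """What a relay agent (ip helper-address) does before unicasting."""
    fields = list(struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN]))
    if fields[10] == ZERO_IP:
        # Only the first relay stamps giaddr; later relays leave it alone.
        fields[10] = socket.inet_aton(receiving_iface_ip)
    fields[3] += 1  # hops
    return struct.pack(BOOTP_FMT, *fields) + packet[BOOTP_LEN:]


def select_scope(packet, scopes, local_scope=None):
    """Pick the scope name for a request, the way the server side does."""
    giaddr = ipaddress.IPv4Address(packet[24:28])
    if int(giaddr) == 0:
        # Not relayed: the client sits on the server's own segment.
        return local_scope
    for name, network in scopes.items():
        if giaddr in network:
            return name
    # Relayed from a subnet with no matching scope: no offer is made.
    return None


# Constructed sample data.
SCOPES = {
    "site-a": ipaddress.ip_network("10.1.1.0/24"),
    "site-b": ipaddress.ip_network("10.2.1.0/24"),
}
DISCOVER = build_discover(bytes.fromhex("02005e000001"), xid=0x1234ABCD)

if __name__ == "__main__":
    for relay_ip in ("10.1.1.1", "10.2.1.1", "192.0.2.1"):
        print(relay_ip, "->", select_scope(relay(DISCOVER, relay_ip), SCOPES))
```

Because `giaddr` is unauthenticated packet content, the server's scope choice is only as trustworthy as the path the relayed unicast arrived on.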



Re: Rogue Wireless LANs [7:47287]

2002-06-26 Thread Ken Diliberto

Agreed.  This could be a big legal trap.

If you use something like Network Stumbler, you're not actually using
their network.  You're just seeing the broadcasts from it.  Maybe that
would be a good approach.

Ken

 Thomas E. Lawrence  06/25/02 11:09AM 
I realize you are speaking in jest, but for those who might consider this
approach as a means of drumming up business, you may want to give some
thought.

Connecting to a network to which you have no reason nor any right to connect
can be considered hacking, and you could be subject to prosecution,
ironically by an organization that is asking for trouble anyway. Just because
I don't have locks on my doors does not mean it's ok for you to walk into my
home any time you please.

Please be careful how you approach a company when you have discovered by
accident a particularly egregious vulnerability.

Tom

[snip]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47488t=47287



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Robertson, Douglas

In most cases the PIX does not support VPN's over PAT you need a static NAT
to establish a VPN tunnel.
Protocol 50 (Encapsulating Security Payload [ESP]) handles the
encrypted/encapsulated packets of IPSec. PAT devices
don't work with ESP since they have been programmed to work only with
Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
Internet Control Message Protocol (ICMP). In addition, PAT devices are
unable to map multiple security parameter indexes (SPIs). An alternative is
implemented in some devices like the VPN 3000 Concentrator by encapsulating
ESP within UDP and sending it to a negotiated port.

Doug

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]


Lidiya,

On the pix when you configure Ipsec you configure a pool of addresses that
your Ipsec clients will use on your own network.  For instance your inside
network will have the ip addressing scheme of 192.168.0.0 with a class c
subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
subnet mask. Therefore when your clients behind your firewall try to
talk to the 10.0.0.0 network they will hit the firewall and be passed to the
translation from the pool.  You cannot have any devices in the middle which
pat (IE a router which pats the ip address of your pix if your pix is
establishing the tunnel) It must be a one to one translation from one end of
the tunnel to the other.  Everyone feel free to correct me if I'm wrong
which I'm sure will be the case.

Jason

-Original Message-
From: Alex Lee [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then?
Thanks.

 Alex Lee

Lidiya White  wrote in message
news:[EMAIL PROTECTED]...
 PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
 It all depends on the device that is between your client and PIX, that
 is doing PAT.
 IPSec uses ESP protocol, that doesn't have ports, so how can you perform
 PAT (port address translation) for a protocol that doesn't understand
 port concept?
 Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
 So if the router/device that is doing PAT is IPSec aware, then you
 should be able to pass IPSec through. If not, then you have to make sure
 that one-to-one address translation happens for your VPN clients, not
 one-to-many (PAT)...
 Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47490t=47430
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
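
Why a port translator has nothing to key on for ESP, and what UDP encapsulation changes, as an added example that is not from any poster in this thread: a toy PAT table is run over constructed IPv4 packets from two inside clients, first as raw ESP (protocol 50) and then with the same ESP payload wrapped in UDP. All addresses, SPIs and class or function names are constructed, and the UDP port is a sample value (4500, the RFC 3948 port), not the negotiated port of any device named above.

```python
import socket
import struct

ESP_PROTO, TCP_PROTO, UDP_PROTO, ICMP_PROTO = 50, 6, 17, 1
ENCAP_PORT = 4500  # sample value; real devices may negotiate another port


def ipv4(proto, payload, src, dst="203.0.113.5"):
    """Minimal IPv4 header (checksum left zero) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def esp(spi, seq, ciphertext):
    """ESP starts with SPI and sequence number; there are no port fields."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def pat_key(packet):
    """(protocol, identifier) a PAT device can rewrite, or None if none exists."""
    ihl = (packet[0] & 0x0F) * 4
    proto, l4 = packet[9], packet[ihl:]
    if proto in (TCP_PROTO, UDP_PROTO):
        return ("tcp" if proto == TCP_PROTO else "udp",
                struct.unpack("!H", l4[:2])[0])          # source port
    if proto == ICMP_PROTO and l4[0] in (0, 8):
        return ("icmp", struct.unpack("!H", l4[4:6])[0])  # echo identifier
    # ESP lands here. Its SPI is chosen by the receiver of each direction,
    # so the outbound SPI does not predict the SPI on the returning packets.
    return None


class Pat:
    """Many inside hosts share one public address, told apart by port."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}

    def outbound(self, packet):
        key = pat_key(packet)
        if key is None:
            return None  # nothing to rewrite: flow cannot be multiplexed
        inside = (socket.inet_ntoa(packet[12:16]),) + key
        if inside not in self.table:
            self.table[inside] = self.next_port
            self.next_port += 1
        return (self.public_ip, key[0], self.table[inside])


# Constructed traffic from two VPN clients behind the same PAT device.
CLIENT_A, CLIENT_B = "192.168.0.10", "192.168.0.11"
ESP_A = esp(0x1A2B3C4D, 1, b"\xaa" * 16)
ESP_B = esp(0x5E6F7081, 1, b"\xbb" * 16)

if __name__ == "__main__":
    pat = Pat("198.51.100.1")
    print("raw ESP A:", pat.outbound(ipv4(ESP_PROTO, ESP_A, CLIENT_A)))
    print("raw ESP B:", pat.outbound(ipv4(ESP_PROTO, ESP_B, CLIENT_B)))
    for src, body in ((CLIENT_A, ESP_A), (CLIENT_B, ESP_B)):
        wrapped = ipv4(UDP_PROTO, udp(ENCAP_PORT, ENCAP_PORT, body), src)
        print("ESP in UDP from", src, "->", pat.outbound(wrapped))
```
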



Content Switching Books [7:47494]

2002-06-26 Thread sam sneed

Has Cisco Press or anyone put any Content Switching books out yet?
Preferably one that covers CS11152 or similar.

thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47494t=47494



RSPAN Problem [7:47493]

2002-06-26 Thread [EMAIL PROTECTED]

Greetings,

I'm using RSPAN with our 65XX switches with 6.3(3) code.  When I enable
RSPAN between two switches it works fine but, when I try to rspan
between three switches it doesn't work.  I only see broadcasts from IP
and IPX, any ideas???


Two switches:

Source Port : Port 9/3 - switch A - TRUNK - switch B - 7/38 : Destination Port


Three switches:  This scenario doesn't work.

Source Port : Port 6/10 - switch A - TRUNK - switch B - TRUNK - switch C - 7/38 : Destination Port


Thanks...Nabil

I have never let my schooling interfere with my education.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47493t=47493



CID [7:47496]

2002-06-26 Thread sajith nair

Hi,
Has anyone attempted CID recently? I am curious
whether there are questions from SNA ATM?
Thanks.
Saj





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47496t=47496



RE: Rogue Wireless LANs [7:47287]

2002-06-26 Thread Dan Penn

I think the take the company would take on it would depend highly on how
worried they are about security.  If they have a well written security
policy I think you would be in for some arguments from their legal
department.  On the other hand what if it's a company that doesn't even
know that employee Joe Schmoe has installed a WAP under his desk running
802.11 unsecured to world...I think in that situation they might be
interested to hear what you have to say.

Overall this whole deal is very cloudy to say the least.  What legal
rights does a company have if they are broadcasting wireless
unsecured...it is like throwing money into the air then trying to arrest
someone if they take it.  It's an old well known fact you don't say
welcome in your motd banner because you welcomed the intruder in.
You could say, you didn't know that you were unauthorized because you
could connect to it from somewhere not on their property and you were
never warned that you were unauthorized.  I'm not saying you would win
the legal battle...but there would most likely be a legal battle over
it. 

I am interested to know the outcome if anybody does actually try this
and approaches the company about it.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Ken Diliberto
Sent: Wednesday, June 26, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: Rogue Wireless LANs [7:47287]

Agreed.  This could be a big legal trap.

If you use something like Network Stumbler, you're not actually using
their network.  You're just seeing the broadcasts from it.  Maybe that
would be a good approach.

Ken

 Thomas E. Lawrence  06/25/02 11:09AM 
I realize you are speaking in jest, but for those who might consider this
approach as a means of drumming up business, you may want to give some
thought.

Connecting to a network to which you have no reason nor any right to connect
can be considered hacking, and you could be subject to prosecution,
ironically by an organization that is asking for trouble anyway. Just because
I don't have locks on my doors does not mean it's ok for you to walk into my
home any time you please.

Please be careful how you approach a company when you have discovered by
accident a particularly egregious vulnerability.

Tom

[snip]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47497t=47287



frame relay question [7:47498]

2002-06-26 Thread GEORGE

I have a newbie question, regarding frame-relay. When I order a frame
relay circuit for two locations
Do the telco provide the dlci? Or I make it up? Once the frame relay is
installed on both locations I guess using the dlci numbers it makes the
connection , besides the ip and all other stuff
Can someone explain it please
thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47498t=47498



Re: frame relay question [7:47498]

2002-06-26 Thread Steven A. Ridder

The Telco's usually provide the DLCI.  They provide two separate DLCI's, one
for each side.  Then they map the DLCI to the other DLCI, usually over ATM
PVC's, but it could be IP as well.

Steve

GEORGE wrote in message
news:[EMAIL PROTECTED]...
 I have a newbie question, regarding frame-relay. When I order a frame
 relay circuit for two locations
 Do the telco provide the dlci? Or I make it up? Once the frame relay is
 installed on both locations I guess using the dlci numbers it makes the
 connection , besides the ip and all other stuff
 Can someone explain it please
 thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47499t=47498



Re: frame relay question [7:47498]

2002-06-26 Thread Chuck

good questions.

in theory, you may request any dlci you wish, so long as it is in the legal
range for the carrier. this would be numbers 16 through 996? for some, or
through 1004? for others

in fact, if you have a good rapport with your carrier, and they in turn have
their act together, this is common practice.

OTOH, in my experience, telcos just want to get the work done, and they will
configure the dlci starting with 16 because it's easy to remember. the
switch techs just bang out their configs with no conscious thought
intervention.

if you have nothing fancy going on ( and it appears you don't ) the only
required configuration on your router is setting the frame relay
encapsulation, and setting the ip address. at that point the circuit will
come up. you can check this using the show frame pvc, show frame lmi and
show ip interface brief commands. lmi will detect and use the single pvc
with no other tweaks required. if you have multiple pvcs on a circuit, you
would, of course have to use frame map commands, or use point-to-point
subinterfaces in conjunction with the frame interface-dlci command.

best wishes.


GEORGE wrote in message
news:[EMAIL PROTECTED]...
 I have a newbie question, regarding frame-relay. When I order a frame
 relay circuit for two locations
 Do the telco provide the dlci? Or I make it up? Once the frame relay is
 installed on both locations I guess using the dlci numbers it makes the
 connection , besides the ip and all other stuff
 Can someone explain it please
 thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47500t=47498



RE: CID [7:47496]

2002-06-26 Thread Andy Barkl

Cisco has made changes to its CID objectives. The following is the
updated link: 
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/640-025.html

No AppleTalk, IPX, SNA, nor Stratacom.  The test is 75 questions in 90
minutes, pass mark 755/1000.

Get the Cisco Press Top-Down Network Design guide and if you have passed
the CCNP, you should have no problems.

-Original Message-
From: sajith nair [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 11:17 AM
To: [EMAIL PROTECTED]
Subject: CID [7:47496]

Hi,
Has anyone attempted CID recently? I am curious
whether there are questions from SNA ATM?
Thanks.
Saj





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47502t=47496



Re: frame relay question [7:47498]

2002-06-26 Thread Brian Backer

You can specify the dlci or they can assign.
I always found it advantageous to specify that way I can
set ranges for different areas or purposes...


I have a newbie question, regarding frame-relay. When I order a frame
relay circuit for two locations
Do the telco provide the dlci? Or I make it up? Once the frame relay is
installed on both locations I guess using the dlci numbers it makes the
connection , besides the ip and all other stuff
Can someone explain it please
thanks
 [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47501t=47498



RE: PIX Firewall simulator ? Pls help [7:47466]

2002-06-26 Thread Andy Barkl

The PIX 501 can be purchased for as little as $450 at many online
locations.

-Original Message-
From: Mr piyush shah [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 11:41 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX Firewall simulator ? Pls help [7:47466]

Dear all
 I am planning to appear for CCIP security exams and I
am going through this study group regularly . In the
security exams I need a help from you all. In the
company  where I am working we have Checkpoint f/w
hence I can't do any hands-on practice for PIX
Firewall . My sincere request you to all that Is there
any site which provides free PIX Firewall hands-on or
any free PIX Simulator available for download. I will
be very thankful as I needs to appear for exam at the
earliest.
Thanks in advance.
Regards

Parag Chavan






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47503t=47466



Re: frame relay question [7:47498]

2002-06-26 Thread Richard Tufaro

either way. You can provide DLCI's or you can have them assigned to you.
They are locally specific. Some companies like having their own range of
DLCI's for admin and management purposes.

 GEORGE  06/26 2:35 PM 
I have a newbie question, regarding frame-relay. When I order a frame
relay circuit for two locations
Do the telco provide the dlci? Or I make it up? Once the frame relay is
installed on both locations I guess using the dlci numbers it makes the
connection , besides the ip and all other stuff
Can someone explain it please
thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47504t=47498



Off Topic - Cisco vis a vis World Com [7:47505]

2002-06-26 Thread Chuck

So far today I have seen no word from Cisco on its exposure to World Com.

the other so called players in the networking industry - Redback, Nortel,
and Lucent, have all said they have very little on the line with WorldCom.
Of course, these are companies with one foot in the grave already.

WorldCom is one of Cisco's MAJOR customers.  Cisco stock is back close to
its low of the last year. Maybe Cisco believes nothing needs be said? Maybe
Cisco figures they can still sell their stuff through other channels?

As an employee of another of Cisco's major customers, maybe this bodes well
for me? with WorldCom out of the way, and no longer selling at cost to steal
my customers, maybe my own business will pick up?

Sheesh, this is scary.

Anybody out there know how what used to be UUNet is doing?  Viable? Any
repercussions through the ISP world?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47505t=47505



NE Indiana [7:47507]

2002-06-26 Thread R. Benjamin Kessler

Sorry for the cross-post.  Anyone from Northeast Indiana please reply to
me  off-list.

Thanks,

Ben




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47507t=47507



Re: Off Topic - Cisco vis a vis World Com [7:47505]

2002-06-26 Thread Chuck

Not too long ago, John Chambers was quoted in one of the networking
magazines talking about erosion of margins, and partners who sold very
cheaply. The talk on the street was that it was no secret he was talking
about WorldCom, who have been notorious for their pricing of Cisco products
as an inducement to use worldCom data circuits.

I believe what used to be UUNet is a major user of Cisco equipment. that's
one reason I asked about UUNet's viability. WCOM is going to end up selling
assets, and it seems to me that the ISP is about the best asset they have.
The network / fiber assets only contribute to the current fiber glut, so
become less of a source of hope for revenue from sales.

As far as what's in the carrier networks themselves, maybe this is less
important to Cisco, as no carriers use their stuff anyway? ;-

BTW Juniper stock is not looking real good right now at all. Nor Ciena.


John Kaberna wrote in message
news:[EMAIL PROTECTED]...
 Talking with a couple of my students (employees at Cisco) WCOM is mostly a
 Nortel shop.  They said that ATT and Sprint are Cisco Powered Networks so
 they are the big providers that Cisco is interested in.  This is not
 official or anything from Cisco it's just what these guys are telling me.


 Chuck wrote in message
 news:[EMAIL PROTECTED]...
  So far today I have seen no word from Cisco on its exposure to World Com.

  the other so called players in the networking industry - Redback, Nortel,
  and Lucent, have all said they have very little on the line with WorldCom.
  Of course, these are companies with one foot in the grave already.

  WorldCom is one of Cisco's MAJOR customers.  Cisco stock is back close to
  its low of the last year. Maybe Cisco believes nothing needs be said? Maybe
  Cisco figures they can still sell their stuff through other channels?

  As an employee of another of Cisco's major customers, maybe this bodes well
  for me? with WorldCom out of the way, and no longer selling at cost to steal
  my customers, maybe my own business will pick up?

  Sheesh, this is scary.

  Anybody out there know how what used to be UUNet is doing?  Viable? Any
  repercussions through the ISP world?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47508t=47505



RE: Rogue Wireless LANs [7:47287]

2002-06-26 Thread Howard C. Berkowitz

At 2:26 PM -0400 6/26/02, Dan Penn wrote:
I think the take the company would take on it would depend highly on how
worried they are about security.  If they have a well written security
policy I think you would be in for some arguments from their legal
department.  On the other hand what if it's a company that doesn't even
know that employee Joe Schmoe has installed a WAP under his desk running
802.11 unsecured to world...I think in that situation they might be
interested to hear what you have to say.

Over all this whole deal is very cloudy to say the least.  What legal
rights does a company have if they are broadcasting wireless
unsecured...it is like throwing money into the air then trying to arrest
someone if they take it.

No, there really are very specific rules for electromagnetic 
emissions, beginning with the (US) Communications Act of 1934. 
Essentially, it says that any signals not explicitly meant for public 
broadcast may be intercepted, but that disclosure of the content to 
third parties is illegal.

This is enforced by the Federal Communications Commission, which is 
the US agency that regulates, among other things, the use of spectrum 
space, and the licensing (when required) of parts of the spectrum.

There certainly are blurred areas, such as disclosing statistical 
aggregates that do not reveal content, or intercepting communications 
by other than the primary signal (i.e., eavesdropping through 
incidental radiation, power line coupling, etc.).

In general, though, the law is much more clear about hacking 
involving the electromagnetic spectrum in free space than it is on 
entering computers.

It's an old well known fact you don't say
welcome in your motd banner because you welcomed the intruder in.
You could say, you didn't know that you were unauthorized because you
could connect to it from somewhere not on their property and you were
never warned that you were unauthorized.  I'm not saying you would win
the legal battle...but there would most likely be a legal battle over
it.

I am interested to know the outcome if anybody does actually try this
and approaches the company about it.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Ken Diliberto
Sent: Wednesday, June 26, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: Re: Rogue Wireless LANs [7:47287]

Agreed.  This could be a big legal trap.

If you use something like Network Stumbler, you're not actually using
their network.  You're just seeing the broadcasts from it.  Maybe that
would be a good approach.

Ken

  Thomas E. Lawrence  06/25/02 11:09AM 
I realize you are speaking in jest, but for those who might consider
this
approach as a means of drumming up business, you may want to give some
thought.

Connecting to a network to which you have no reason nor any right to
connect
can be considered hacking, and you could be subject to prosecution,
ironically by an organization that is asking for trouble anyway. Just
because
I don't have locks on my doors does not mean it's ok for you to walk
into my
home any time you please.

Please be careful how you approach a company when you have discovered
by
accident a particularly egregious vulnerability.

Tom

[snip]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47510t=47287



Re: Off Topic - Cisco vis a vis World Com [7:47505]

2002-06-26 Thread John Kaberna

The Cisco guys are saying that UUNet converted a lot of stuff to Juniper and
a few other vendors.


Chuck  wrote in message
news:[EMAIL PROTECTED]...
 Not too long ago, John Chambers was quoted in one of the networking
 magazines talking about erosion of margins, and partners who sold very
 cheaply. The talk on the street was that it was no secret he was talking
 about WorldCom, who have been notorious for their pricing of Cisco
products
 as an inducement to use worldCom data circuits.

 I believe what used to be UUNet is a major user of Cisco equipment. that's
 one reason I asked about UUNet's viability. WCOM is going to end up
selling
 assets, and it seems to me that the ISP is about the best asset they have.
 The network / fiber assets only contribute to the current fiber glut, so
 become less of a source of hope for revenue from sales.

 As far as what's in the carrier networks themselves, maybe this is less
 important to Cisco, as no carriers use their stuff anyway? ;-

 BTW Juniper stock is not looking real good right now at all. Nor Ciena.


 John Kaberna  wrote in message
 news:[EMAIL PROTECTED]...
  Talking with a couple of my students (employees at Cisco) WCOM is mostly
a
  Nortel shop.  They said that ATT and Sprint are Cisco Powered Networks
so
  they are the big providers that Cisco is interested in.  This is not
  official or anything from Cisco it's just what these guys are telling
me.
 
 
  Chuck  wrote in message
  news:[EMAIL PROTECTED]...
   So far today I have seen no word from Cisco on its exposure to World
 Com.
  
   the other so called players in the networking industry - Redback,
 Nortel,
   and Lucent, have all said they have very little on the line with
 WorldCom.
   Of course, these are companies with one foot in the grave already.
  
   WorldCom is one of Cisco's MAJOR customers.  Cisco stock is back close
 to
   it's low of the last year. Maybe Cisco believes nothing needs be said?
  Maybe
   Cisco figures they can still sell their stuff through other channels?
  
   As an employee of another of Cisco's major customers, maybe this bodes
  well
   for me? with WorldCom out of the way, and no longer selling at cost to
  steal
   my customers, maybe my own business will pick up?
  
   Sheesh, this is scary.
  
   Anybody out there know how what used to be UUNet is doing?  Viable?
Any
   repercussions through the ISP world?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47512t=47505



Re: Off Topic - Cisco vis a vis World Com [7:47505]

2002-06-26 Thread Eric Rogers

This is HUGE for Telco in general...With the restatement this company will
have actually LOST money for over the past year...

Just think about all the IOUs that this company has to all its
vendors, we're talking 30 Billion dollars in debt. It looks like
bankruptcy is coming soon for this company. What's Cisco's exposure to this?
I believe it's fair to say it's large, be it directly or indirectly. This
will be the largest bankruptcy in US history, hence world. WorldCom has
assets in excess of 105 Billion dollars. Compare this to Enron with 60
Billion dollars. They will be cutting an already planned 16,000 employees
this week. Who's next: Qwest? Just follow [EMAIL PROTECTED]

I read a couple of weeks ago from one of the wire services that 24 of
the 29 major Telcos will go under. The so called safe ones were
Bellsouth, Cisco, SBC and some others. I've also picked up off of both
Reuters.com and Bloomberg.com that the Telco market is not expected to turn
around until maybe late 2003 and will be the last thing to pick up in a
revived economy. Look at all the companies failing in the US and Europe, the
drastic slide in the value of the US Dollar against the Euro and the Yen and
the fact that 2 million layoffs in the US last year, with 500,000 of those
from tech related jobs alone, it should become apparent to even the simplest
minds that things will become worse with these scandals coming out. Should
the US housing bubble burst, kiss this economy good bye for the next five
years.

  - There is already too much surplus equipment out there that it will take
years to absorb. And as far as jobs and hiring out in the world, well who's
going to quit their job because they didn't get a raise lately?-

JMHO :-0

-Eric

- Original Message -
From: Chuck 
To: 
Sent: Wednesday, June 26, 2002 12:31 PM
Subject: Off Topic - Cisco vis a vis World Com [7:47505]


 So far today I have seen no word from Cisco on its exposure to World Com.

 the other so called players in the networking industry - Redback, Nortel,
 and Lucent, have all said they have very little on the line with WorldCom.
 Of course, these are companies with one foot in the grave already.

 WorldCom is one of Cisco's MAJOR customers.  Cisco stock is back close to
 it's low of the last year. Maybe Cisco believes nothing needs be said?
Maybe
 Cisco figures they can still sell their stuff through other channels?

 As an employee of another of Cisco's major customers, maybe this bodes
well
 for me? with WorldCom out of the way, and no longer selling at cost to
steal
 my customers, maybe my own business will pick up?

 Sheesh, this is scary.

 Anybody out there know how what used to be UUNet is doing?  Viable? Any
 repercussions through the ISP world?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47514t=47505



Re: IGRP Routes - Classless Networks with Tunnels [7:47415]

2002-06-26 Thread Ed

Again, R10 is running OSPF and IGRP, with mutual redistribution.  R5 is only
running IGRP.  My goal is to get routes with native subnets (as shown on
R10) within the same major subnet into R5.  Without summarization.  Default
network, static routes and policy routing don't count either.

Keep this in mind - a more practical example of this would be if the link
between the routers had a /28 mask.   How would I get the /24s into IGRP?
We can't summarize the /24 because the bit boundary goes the wrong way.

Here is the info on my config, the routing table and debug
Note that the route 172.16.32.0 /28 and 132.16.40.0/29 are on R10 with the
correct mask.  The debug on R10 shows these routes being advertised out the
correct tunnels.  When R5 gets the routes, they are both installed with the
/28 mask!  Look at the Route table, note that 32.0 shows it was advertised
by 172.16.82.1 from Tunnel 2.  The route table shows 40.0 came from
172.16.81.1 but doesn't show the interface!   Now take a look at the debug
on R5, it shows that both routes came from Tunnel 2, but have different
source addresses.  172.16.81.1 should be sourced from Tunnel 1.

Since they both come in tunnel 2, the routes get installed with the tunnel 2
mask.

As a follow-up, I swapped the subnet masks between the two tunnels.  R5
still shows the routes came through Tunnel 2, but now they have the /29
mask.

Comments?

Ed


R10
interface loopback 0
 ip address 172.16.10.10 255.255.255.0
!
interface FastEthernet0/0.5
 encapsulation isl 5
 ip address 172.16.64.10 255.255.255.0
 no ip redirects
 no ip directed-broadcast
!
interface Tunnel1
 ip address 172.16.81.1 255.255.255.248
 no ip directed-broadcast
 tunnel source 172.16.10.10
 tunnel destination 172.16.5.5
!
interface Tunnel2
 ip address 172.16.82.1 255.255.255.240
 no ip directed-broadcast
 tunnel source 172.16.10.10
 tunnel destination 172.16.5.5
!
router ospf 100
 redistribute igrp 300 subnets
!
router igrp 300
 redistribute ospf 100
 network 172.16.0.0
 default-metric 1500 100 254 1 1500

R5
interface loopback 0
 ip address 172.16.5.5 255.255.255.0
interface Tunnel1
 ip address 172.16.81.2 255.255.255.248
 tunnel source 172.16.5.5
 tunnel destination 172.16.10.10
!
interface Tunnel2
 ip address 172.16.82.2 255.255.255.240
 tunnel source 172.16.5.5
 tunnel destination 172.16.10.10
!
interface Ethernet0
 backup delay 2 30
 backup interface BRI0
 backup load 50 25
 ip address 172.16.64.5 255.255.255.0
!
router igrp 300
 no validate-update-source
 passive-interface Loopback0
 passive-interface Tunnel1
 passive-interface Tunnel2
 network 172.16.0.0



Routing table on R10
 172.16.0.0/16 is variably subnetted, 18 subnets, 3 masks
C   172.16.160.0/24 is directly connected, FastEthernet0/1
C   172.16.48.0/24 is directly connected, TokenRing1/0
C   172.16.40.0/29 is directly connected, Serial1/0.1
O   172.16.32.0/28 [110/54] via 172.16.40.3, 02:43:21, Serial1/0.1
C   172.16.10.0/24 is directly connected, Loopback0
O   172.16.4.0/24 [110/55] via 172.16.40.3, 02:43:21, Serial1/0.1
I   172.16.5.0/24 [100/610] via 172.16.64.5, 00:00:10, FastEthernet0/0.5
O   172.16.6.0/24 [110/49] via 172.16.40.2, 02:43:23, Serial1/0.1
O   172.16.7.0/24 [110/49] via 172.16.40.3, 02:43:23, Serial1/0.1
Serial1/0.1
C   172.16.96.0/24 is directly connected, Serial1/0.2
C   172.16.81.0/29 is directly connected, Tunnel1
C   172.16.82.0/28 is directly connected, Tunnel2
O E2 172.16.72.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1
C   172.16.64.0/24 is directly connected, FastEthernet0/0.5
O E2 192.168.26.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1
O E2 192.168.20.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1
O E2 192.168.22.0/24 [110/1] via 172.16.56.6, 02:43:23, BVI1

Routing Table on R5
I    170.100.0.0/16 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
I    192.168.28.0/24 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
I    192.168.24.0/24 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
 172.16.0.0/16 is variably subnetted, 18 subnets, 3 masks
I   172.16.160.0/24 [100/1110] via 172.16.64.10, 00:00:03, Ethernet0
I   172.16.128.0/24 [100/6767] via 172.16.64.10, 00:00:03, Ethernet0
I   172.16.56.0/24 [100/1600] via 172.16.64.10, 00:00:03, Ethernet0
I   172.16.48.0/24 [100/1163] via 172.16.64.10, 00:00:04, Ethernet0
I   172.16.40.0/28 [100/1163111] via 172.16.81.1, 00:00:04
I   172.16.32.0/28 [100/1161112] via 172.16.82.1, 00:00:04, Tunnel2
I   172.16.10.0/24 [100/1600] via 172.16.64.10, 00:00:04, Ethernet0
I   172.16.4.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
C   172.16.5.0/24 is directly connected, Loopback0
I   172.16.6.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I   172.16.7.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I   172.16.1.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I   172.16.104.0/24 [100/6767] via 172.16.64.10, 00:00:04, Ethernet0
I   
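
The mask behaviour reported in the message above (subnets dropped on the /24 Ethernet link, and both tunnel routes installed with the receiving tunnel's mask) follows from the fact that a classful update carries no mask. The sketch below is an added example, not IOS code and not from the original post; it is a simplified model of the classful send and receive rules, and the function names are hypothetical.

```python
import ipaddress


def major_network(addr):
    """Return the classful (A/B/C) network that contains addr."""
    ip = ipaddress.IPv4Address(addr)
    first_octet = int(ip) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{ip} is not a class A, B or C address")
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def advertise(route, out_interface):
    """Address a classful sender puts in the update, or None if suppressed.

    route is 'net/len' from the sender's table; out_interface is the
    'address/len' of the interface the update leaves on.
    """
    net = ipaddress.ip_network(route)
    iface = ipaddress.ip_interface(out_interface)
    if major_network(net.network_address) != major_network(iface.ip):
        # Crossing a major-network boundary: only the classful network goes out.
        return str(major_network(net.network_address).network_address)
    if net.prefixlen != iface.network.prefixlen:
        # Same major network but a different mask: the receiver could not
        # reconstruct it, so the subnet is left out of the update.
        return None
    return str(net.network_address)


def install(advertised, in_interface):
    """Prefix the receiver installs for a mask-less advertised address."""
    iface = ipaddress.ip_interface(in_interface)
    major = major_network(advertised)
    if major != major_network(iface.ip):
        return str(major)  # foreign major network: classful mask
    # Same major network: borrow the mask of the interface it arrived on.
    borrowed = ipaddress.ip_network(
        f"{advertised}/{iface.network.prefixlen}", strict=False
    )
    return str(borrowed)


if __name__ == "__main__":
    # Addresses and masks below are the ones shown in the configs above.
    print(advertise("172.16.32.0/28", "172.16.64.10/24"))  # Ethernet link
    print(advertise("172.16.40.0/29", "172.16.81.1/29"))   # Tunnel1
    print(install("172.16.40.0", "172.16.81.2/29"))        # seen on Tunnel1
    print(install("172.16.40.0", "172.16.82.2/28"))        # seen on Tunnel2
```

The last two calls show why the interface an update is attributed to decides the installed mask: the same advertised address becomes a /29 or a /28 depending only on the receiving interface.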

RE: RSPAN Problem [7:47493]

2002-06-26 Thread Greg Owens

Are all the switches 6000s? Because no third party or other Cisco switches
can be placed in the end-to-end path for RSPAN traffic.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 26, 2002 1:28 PM
To: [EMAIL PROTECTED]
Subject: RSPAN Problem [7:47493]

Greetings,

I'm using RSPAN with our 65XX switches with 6.3(3) code.  When I enable
RSPAN between two switches it works fine but, when I try to rspan
between three switches it doesn't work.  I only see broadcasts from IP
and IPX, any ideas???


Two switches:

Source Port : Port 9/3-switch A-TRUNK-switch B-7/38 : Destination Port


Three switches:  This scenario doesn't work.

Source Port : Port 6/10-switch A-TRUNK-switch B-TRUNK--switch C--7/38 : Destination Port


Thanks...Nabil

I have never let my schooling interfere with my education.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47518t=47493



Can't see all PCs from within Network Neighborhood [7:47519]

2002-06-26 Thread dj

What is the most likely cause of not seeing all PCs from within Network
Neighborhood?  I know this is a common problem, but I just need a real
quick re-fresher on this topic.  There is also a WINS server in the
network.
Thanks,
dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47519t=47519



Re: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Paul

Cool, so the PIX will not support VPN's over PAT !!! So if I had my Main
Office PIX, and a VPN Concentrator . could I successfully connect from a
remote office via a cable/adsl modem that does PAT using the Cisco VPN
software client ???

If so ... and if I had say ... 30 - 40 remote offices, potentially
connecting simultaneously  would a VPN 3000 be overkill ??? or would I
be better getting a VAC for the PIX (would the PIX VAC support VPN's over
PAT), or are there other VPN concentrators that would do the job  

Regards ...

Paul ...

- Original Message -
From: Robertson, Douglas 
To: 
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]


 In most cases the PIX does not support VPN's over PAT you need a static
NAT
 to establish a VPN tunnel.
 Protocol 50 (Encapsulating Security Payload [ESP]) handles the
 encrypted/encapsulated packets of IPSec. PAT devices
 don't work with ESP since they have been programmed to work only with
 Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
 Internet Control Message Protocol (ICMP). In addition, PAT devices are
 unable to map multiple security parameter indexes (SPIs). An alternative
is
 implemented in some devices like the VPN 3000 Concentrator by
encapsulating
 ESP within UDP and sending it to a negotiated port.

 Doug

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 26, 2002 11:20 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Cisco VPN client and NAT [7:47430]


 Lidiya,

 On the pix when you configure Ipsec you configure a pool of addresses that
 your Ipsec clients will use on your own network.  For instance your inside
 network will have the ip addressing scheme of 192.168.0.0 with a class c
 subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
 subnet mask. Therefore when your clients behind your firewall try to
 talk to the 10.0.0.0 network they will hit the firewall and be passed to
the
 translation from the pool.  You cannot have any devices in the middle
which
 pat (IE a router which pats the ip address of your pix if your pix is
 establishing the tunnel) It must be a one to one translation from one end
of
 the tunnel to the other.  Everyone feel free to correct me if I'm wrong
 which I'm sure will be the case.

 Jason

 -Original Message-
 From: Alex Lee [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 26, 2002 3:20 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Cisco VPN client and NAT [7:47430]

 So how does the Linksys or cisco 800 handle the IPSec thru PAT then ?
 Thanks.

  Alex Lee

 Lidiya White  wrote in message
 news:[EMAIL PROTECTED]...
  PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
  It all depends on the device that is between your client and PIX, that
  is doing PAT.
  IPSec uses ESP protocol, that doesn't have ports, so how can you perform
  PAT (port address translation) for a protocol that doesn't understand
  port concept?
  Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
  So if the router/device that is doing PAT is IPSec aware, then you
  should be able to pass IPSec through. If not, then you have to make sure
  that one-to-one address translation happens for your VPN clients, not
  one-to-many (PAT)...
  Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47520t=47430
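
The point quoted in the message above, that a PAT device has no port to rewrite in an ESP packet and that wrapping ESP in UDP on a negotiated port gives it one, can be shown with a small simulation. This is an added example, not code from any poster or vendor; the `Pat` class, the addresses and the port value 10000 are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

ESP, UDP = 50, 17                  # IP protocol numbers
PUBLIC_IP = "203.0.113.1"          # constructed: outside address of the PAT device
GATEWAY = "198.51.100.10"          # constructed: VPN concentrator address
NEGOTIATED_PORT = 10000            # constructed: UDP port agreed for ESP-in-UDP


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # native ESP has no port fields
    dport: Optional[int] = None
    spi: Optional[int] = None      # security parameter index carried by ESP


class Pat:
    """Hypothetical many-to-one translator that multiplexes on source port."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}    # (proto, inside ip, inside port) -> public port
        self.back = {}   # (proto, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        if pkt.sport is None:
            return None  # no port to rewrite, so the flow cannot be tracked
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        hit = self.back.get((pkt.proto, pkt.dport))
        if hit is None:
            return None  # no mapping: the reply cannot be steered inside
        return replace(pkt, dst=hit[0], dport=hit[1])


def native_esp(src, dst, spi):
    return Packet(ESP, src, dst, spi=spi)


def esp_in_udp(src, dst, spi, sport=NEGOTIATED_PORT, dport=NEGOTIATED_PORT):
    return Packet(UDP, src, dst, sport, dport, spi)


def demo():
    """Two inside clients reach the same gateway through one PAT device."""
    pat = Pat(PUBLIC_IP)
    clients = {"192.168.1.10": 0x1001, "192.168.1.11": 0x1002}  # constructed
    result = {"native": [], "udp": [], "replies": []}
    for ip, spi in clients.items():
        # Native ESP (protocol 50): the translator has nothing to key on.
        result["native"].append(pat.outbound(native_esp(ip, GATEWAY, spi)))
        # ESP inside UDP: both clients use the same source port, PAT splits them.
        sent = pat.outbound(esp_in_udp(ip, GATEWAY, spi))
        result["udp"].append((sent.src, sent.sport))
        # The return direction uses a different SPI; the UDP port still demuxes it.
        reply = esp_in_udp(GATEWAY, PUBLIC_IP, spi + 0x100, dport=sent.sport)
        result["replies"].append(pat.inbound(reply).dst)
    # A native ESP reply addressed to the shared public IP matches no mapping.
    result["native_reply"] = pat.inbound(native_esp(GATEWAY, PUBLIC_IP, 0x2001))
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```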



CCIE written questions [7:47517]

2002-06-26 Thread Davis, Scott [ISE/RAC]

First I have a specific question regarding canonical to non-canonical mac
conversion.

Given the mac 00b0.d059.8609 (canonical) is the correct conversion
000d.0b9a.6190?
Basically, do I understand what I have read?

And for the written, is Dennis' Boson #3 a good indicator of preparedness. I
have lots of study materials with which I continue to grow more comfortable.
Is this practice exam a realistic representation of the written? 

TIA
Scott




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47517t=47517
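
The conversion asked about above is a per-octet bit reversal: canonical (Ethernet) notation writes each octet least-significant-bit first, non-canonical (Token Ring) notation writes it most-significant-bit first, and the octet order does not change. The following is an added example, not part of the original post; the function names are hypothetical.

```python
import re


def reverse_bits(octet):
    """Mirror the eight bits of one octet (0x59 -> 0x9a)."""
    out = 0
    for _ in range(8):
        out = (out << 1) | (octet & 1)
        octet >>= 1
    return out


def parse_mac(text):
    """Accept 0000.0000.0000, 00:00:00:00:00:00 or 00-00-00-00-00-00."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def swap_bit_order(mac):
    """Convert canonical <-> non-canonical; output in dotted-quad-hex form."""
    flipped = bytes(reverse_bits(b) for b in parse_mac(mac)).hex()
    return ".".join(flipped[i:i + 4] for i in range(0, 12, 4))


if __name__ == "__main__":
    canonical = "00b0.d059.8609"          # address from the question above
    print(swap_bit_order(canonical))
    # The operation is its own inverse, so applying it twice is a no-op.
    print(swap_bit_order(swap_bit_order(canonical)))
```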



RE: CID [7:47496]

2002-06-26 Thread Davis, Scott [ISE/RAC]

I just completed the CID exam last week with an 872. I followed the exact
advice Andy has given you (thanks for the recommendation Andy and Leigh
Ann). I read Top-Down Network Design and it is exceptional (both for the
test and for general knowledge). I also used Boson #1 (not great but
adequate) and the CCxx Productions CID study guide, which is good. It has a
few errors and when you know the material well enough to spot them, you are
ready. I studied for 4 days and took the exam. Mainly I did it this way
because some of the sources conflicted on information and I decided to see
what was on the test and did not really expect to pass. The horror stories
about this exam are greatly exaggerated. It is 75 questions in 90 minutes
with a 755 to pass. I finished in 22 minutes. There was no more than a
couple of basic ATM questions, no Stratacom, and no SNA. No 2 page scenario
questions like the DA exam either. Some of the questions are definitely
value judgments that you need to know the Cisco answer to get them right.

-Original Message-
From: sajith nair [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 26, 2002 1:17 PM
To: [EMAIL PROTECTED]
Subject: CID [7:47496]


Hi,
Has anyone attempted CID recently? I am curious
whether there are questions from SNA ATM?
Thanks.
Saj





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47516t=47496



Need help with PIX VPN specs [7:47521]

2002-06-26 Thread Doug Korell

I am gathering information so I can propose a VPN solution to my company. We
are currently using a vendor for VPN and would like to gain more control.
Here's what I have so far:

PIX running 6.2.1 with 56bit encryption
Plan to buy RSA SecureID Ace Server and Keyfobs
I plan to purchase the 168-bit 3DES key for the PIX.

Cisco recommended using a Cisco ACS server for AAA. Another option I guess
is to use a Radius server with access lists.

I guess my question is...is anyone using the Cisco ACS server and is this a
good solution or should I look at something easier, cheaper, etc? For a
complete solution, is the PIX, SecureID items, and something to do
authentication all I need?


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47521t=47521



RE: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]

2002-06-26 Thread Kevin Love

1-5
2-4

Worked - thanks guys!

Kevin


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47522t=47332



IOS firewall feature set for Cisco 2514 [7:47523]

2002-06-26 Thread S M

I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't
support 25xx series anymore.

Can anyone point me in the right direction to get the software?

Thanks

SM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47523t=47523



Re: IOS firewall feature set for Cisco 2514 [7:47523]

2002-06-26 Thread John Kaberna

www.cisco.com

It is most certainly still supported and available if you have download
privileges.  Did you even check?


S M  wrote in message
news:[EMAIL PROTECTED]...
 I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't
 support 25xx series anymore.

 Can anyone point me in the right direction to get the software?

 Thanks

 SM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47524t=47523



Re: Can't see all PCs from within Network Neighborhood [7:47525]

2002-06-26 Thread cebuano

Dimitri,
The only way for WINS clients to browse resources across a ROUTED WINS
network is to configure your WINS server at each subnet to be Push/Pull
replication partners. A small caveat: make sure you are not dealing with
layer 2 or 3 issues that may be preventing upper layer services from
functioning properly.

HTH,
Elmer
- Original Message -
From: dj 
To: 
Sent: Wednesday, June 26, 2002 5:56 PM
Subject: Can't see all PCs from within Network Neighborhood [7:47519]


 What is the most likely cause of not seeing all PCs from within Network
 Neighborhood?  I know this is a common problem, but I just need a real
 quick re-fresher on this topic.  There is also a WINS server in the
 network.
 Thanks,
 dj




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47525t=47525



Re: T1 Cat5 Crossover Pinout (WIC-1DSU-T1) [7:47332]

2002-06-26 Thread Rick

2-5
1-4
will also work :)


Kevin Love  wrote in message
news:[EMAIL PROTECTED]...
 1-5
 2-4

 Worked - thanks guys!

 Kevin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47527t=47332



Re: IOS firewall feature set for Cisco 2514 [7:47523]

2002-06-26 Thread Rick

Where did you find info that Cisco does not support
25xx series anymore? I have 156 support contracts
on 2509, 2511, and 2520's. I also just finished a
network wide upgrade of IOS on these same boxes.
I am concerned that Cisco just announced this and
this leaves me with a serious problem.



S M  wrote in message
news:[EMAIL PROTECTED]...
 I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't
 support 25xx series anymore.

 Can anyone point me in the right direction to get the software?

 Thanks

 SM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47528t=47523



Re: Off Topic - Cisco vis a vis World Com [7:47505]

2002-06-26 Thread Rick

Cisco is not a Telco, so the wire service is not a valid source for info.
I could name at least 12 ILECs that are making profits and have been for
many years and this is only just a stagnant time for them. They will be
moving forward in another year with huge network expansions. The profitable
and low debt companies are not too worried right now. They will just ride
the wave and use this time to cut some cost that is long overdue. Just think
of all the very large customers that will be fleeing WCOM. Most will head to
the nearest ILEC. At first thought is all the government contracts they
have. Every government contract, state or federal, usually has provisions
for them to null the contract if the company files bankruptcy or is found to
have committed illegal acts.


Eric Rogers  wrote in message
news:[EMAIL PROTECTED]...
 This is HUGE for Telco in general...With the restatement this company will
 have actually LOST money for over the past year...

 Just think about all the IOUs that this company has to all its
 vendors, we're talking 30 Billion dollars in debt. It looks like
 bankruptcy is coming soon for this company. What's Cisco's exposure to
this?
 I believe it's fair to say it's large, be it directly or indirectly. This
 will be the largest bankruptcy in US history, hence world. WorldCom has
 assets in excess of 105 Billion dollars. Compare this to Enron with 60
 Billion dollars. They will be cutting an already planned 16,000 employees
 this week. Who's next: Qwest? Just follow [EMAIL PROTECTED]

 I read a couple of weeks ago from one of the wire services that 24 of
 the 29 major Telcos will go under. The so called safe ones were
 Bellsouth, Cisco, SBC and some others. I've also picked up off of both
 Reuters.com and Bloomberg.com that the Telco market is not expected to
turn
 around until maybe late 2003 and will be the last thing to pick up in a
 revived economy. Look at all the companies failing in the US and Europe,
the
 drastic slide in the value of the US Dollar against the Euro and the Yen
and
 the fact that 2 million layoffs in the US last year, with 500,000 of
those
 from tech related jobs alone, it should become apparent to even the
simplest
 minds that things will become worse with these scandals coming out. Should
 the US housing bubble burst, kiss this economy good bye for the next five
 years.

   - There is already too much surplus equipment out there that it will
take
 years to absorb. And as far as jobs and hiring out in the world, well
who's
 going to quit their job because they didn't get a raise lately?-

 JMHO :-0

 -Eric

 - Original Message -
 From: Chuck
 To:
 Sent: Wednesday, June 26, 2002 12:31 PM
 Subject: Off Topic - Cisco vis a vis World Com [7:47505]


  So far today I have seen no word from Cisco on its exposure to World
Com.
 
  the other so called players in the networking industry - Redback,
Nortel,
  and Lucent, have all said they have very little on the line with
WorldCom.
  Of course, these are companies with one foot in the grave already.
 
  WorldCom is one of Cisco's MAJOR customers.  Cisco stock is back close
to
  it's low of the last year. Maybe Cisco believes nothing needs be said?
 Maybe
  Cisco figures they can still sell their stuff through other channels?
 
  As an employee of another of Cisco's major customers, maybe this bodes
 well
  for me? with WorldCom out of the way, and no longer selling at cost to
 steal
  my customers, maybe my own business will pick up?
 
  Sheesh, this is scary.
 
  Anybody out there know how what used to be UUNet is doing?  Viable? Any
  repercussions through the ISP world?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47526t=47505



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

IP Security Through Network Address Translation Support
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_fix/827/827rlnts/820feat.htm

I think Linksys just has an option for a checkmark on IPSec through
NAT.  

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Alex Lee
Sent: Wednesday, June 26, 2002 8:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

So how does the Linksys or cisco 800 handle the IPSec thru PAT then ?
Thanks.

 Alex Lee

Lidiya White  wrote in message
news:[EMAIL PROTECTED]...
 PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.
 It all depends on the device that is between your client and PIX, that
 is doing PAT.
 IPSec uses ESP protocol, that doesn't have ports, so how can you perform
 PAT (port address translation) for a protocol that doesn't understand
 port concept?
 Some routers can pass IPSec through the PAT (like Linksys, Cisco 800).
 So if the router/device that is doing PAT is IPSec aware, then you
 should be able to pass IPSec through. If not, then you have to make sure
 that one-to-one address translation happens for your VPN clients, not
 one-to-many (PAT)...
 Hope this helps...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47529t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

VPN traffic can pass through the PAT, if the device that does PAT is
IPSec aware. Remember, that device will only see the
encrypted/encapsulated traffic, so the ip header will have ip src: your
client's public ip; dst: PIX's outside interface. Doesn't matter what
your pool is configured for...
It's not just in the theory. From my own experience, I had 3 VPN clients
that were behind Cisco 806, that was configured for PAT, simultaneously
connecting to the same PIX via VPN and pass traffic.

-- Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, June 26, 2002 10:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

On the pix when you configure Ipsec you configure a pool of addresses that
your Ipsec clients will use on your own network.  For instance your inside
network will have the ip addressing scheme of 192.168.0.0 with a class C
subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
subnet mask. Therefore when your clients behind your firewall try to
talk to the 10.0.0.0 network they will hit the firewall and be passed to the
translation from the pool.  You cannot have any devices in the middle which
pat (IE a router which pats the ip address of your pix if your pix is
establishing the tunnel). It must be a one to one translation from one end of
the tunnel to the other.  Everyone feel free to correct me if I'm wrong
which I'm sure will be the case.

Jason





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47530t=47430



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

See inlines

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]

 

 Cool, so the PIX will not support VPN's over PAT !!!

If you are talking about passing IPSec through the PIX (not PIX
terminating VPN tunnel) then you are correct. PIX has to have a pool of
ip addresses for one-to-one NAT for your VPN clients.

If you are talking about PIX terminating VPN, then PIX won't even know
the difference if the packet went through the PAT/NAT device.

 So if I had my Main Office PIX, and a VPN Concentrator . could I
 successfully connect from a remote office via a cable/adsl modem that does
 PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)?

If yes, then you can terminate VPN tunnels on the VPN Concentrator or
the PIX.

If not, then you can use VPN Concentrator with IPSec over TCP option.
PIX doesn't support IPSec over TCP for now. PIX only listens on udp port
500.

-- Lidiya White

 If so ... and if I had say ... 30 - 40 remote offices, potentially
 connecting simultaneously  would a VPN 3000 be overkill ??? or would
 I be better getting a VAC for the PIX (would the PIX VAC support VPN's
 over PAT), or are there other VPN concentrators that would do the job

Regards ...

Paul ...

- Original Message -
From: Robertson, Douglas
To:
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]

 In most cases the PIX does not support VPN's over PAT you need a static NAT
 to establish a VPN tunnel.
 Protocol 50 (Encapsulating Security Payload [ESP]) handles the
 encrypted/encapsulated packets of IPSec. PAT devices
 don't work with ESP since they have been programmed to work only with
 Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
 Internet Control Message Protocol (ICMP). In addition, PAT devices are
 unable to map multiple security parameter indexes (SPIs). An alternative is
 implemented in some devices like the VPN 3000 Concentrator by encapsulating
 ESP within UDP and sending it to a negotiated port.

 Doug





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47531t=47430
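
The PAT behaviour discussed in this thread (ESP has no ports to translate, while ESP carried inside UDP does), modelled as an added example that is not part of any poster's message. The `PatDevice` class, the addresses and the UDP port 10000 standing in for the "negotiated port" are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP = 6, 17, 50            # IP protocol numbers
ENCAP_PORT = 10000                   # constructed stand-in for the negotiated UDP port


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None      # ESP carries no port fields
    dport: Optional[int] = None
    spi: Optional[int] = None        # ESP Security Parameter Index


class PatDevice:
    """Toy one-to-many NAT that, like the PAT devices described in the
    thread, can only translate protocols that have port numbers."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}            # (proto, inside_ip, inside_port) -> public_port
        self.in_map = {}             # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        if pkt.sport is None:
            return None              # no port to rewrite: the flow cannot be mapped
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        if pkt.dport is None:
            return None              # raw ESP reply: nothing identifies the inside host
        hit = self.in_map.get((pkt.proto, pkt.dport))
        if hit is None:
            return None
        return replace(pkt, dst=hit[0], dport=hit[1])


def udp_encapsulate(esp_pkt, port=ENCAP_PORT):
    """Wrap an ESP packet in UDP so that it gains source/destination ports."""
    return Packet(UDP, esp_pkt.src, esp_pkt.dst, port, port, esp_pkt.spi)


def run_demo():
    pat = PatDevice("198.51.100.7")                 # constructed public address
    gateway = "203.0.113.1"                         # constructed VPN gateway
    clients = ["192.168.1.10", "192.168.1.11"]      # two clients behind the same PAT
    result = {"ike": [], "esp": [], "esp_in_udp": [], "replies": []}
    for i, client in enumerate(clients):
        ike = Packet(UDP, client, gateway, 500, 500)          # IKE on udp/500
        esp = Packet(ESP, client, gateway, spi=0x1000 + i)    # raw protocol 50
        result["ike"].append(pat.outbound(ike))
        result["esp"].append(pat.outbound(esp))
        wrapped = pat.outbound(udp_encapsulate(esp))
        result["esp_in_udp"].append(wrapped)
        # The gateway answers to the translated port; the inbound SPI differs
        # from the outbound one, so only the port tells the clients apart.
        reply = Packet(UDP, gateway, pat.public_ip, ENCAP_PORT, wrapped.sport,
                       spi=0x2000 + i)
        result["replies"].append(pat.inbound(reply))
    return result


if __name__ == "__main__":
    for name, packets in run_demo().items():
        print(name, packets)
```
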



RE: IOS firewall feature set for Cisco 2514 [7:47523]

2002-06-26 Thread Dan Penn

Yes, that's quite bull.  Cisco still supports the 2500's.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
John Kaberna
Sent: Wednesday, June 26, 2002 6:41 PM
To: [EMAIL PROTECTED]
Subject: Re: IOS firewall feature set for Cisco 2514 [7:47523]

www.cisco.com

It is most certainly still supported and available if you have download
privileges.  Did you even check?


S M  wrote in message
news:[EMAIL PROTECTED]...
 I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't
 support 25xx series anymore.

 Does anyone point me in the right direction to get the software.

 Thanks

 SM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47532t=47523



Re: DHCP question [7:47477]

2002-06-26 Thread Priscilla Oppenheimer

At 10:01 AM 6/26/02, [EMAIL PROTECTED] wrote:
Yes. The DHCP packet will be sent out with the source address of the router
in the unicast packet.

A router has many IP addresses, however. To make your statement less 
ambiguous, it's important to state that the router uses the address 
associated with the interface that the DHCP request came in on.

For example, consider a router that has an Ethernet 0 interface that 
connects a LAN with DHCP clients on it. Let's say that the LAN is subnet 
10.10.10.0/24 and the router's IP address on that LAN (on e0) is 
10.10.10.1. There's no DHCP server on the LAN. So on e0, you configure an 
IP helper address to reach the DHCP server whose address is 172.16.0.2. 
Let's say network 172.16.0.0/16 is out the router's e1 interface and that 
the router's IP address on that interface is 172.16.0.1.

The router converts the DHCP broadcast coming in on e0 to a unicast and 
uses 10.10.10.1 as the IP source address. The router sends this unicast out
e1.

The router also puts the 10.10.10.1 IP address in the GIADDR field in the 
DHCP request. In fact, that's actually what the DHCP server looks at. I 
don't think the DHCP RFC requires the server to look at the source IP 
address. The RFC does say, however, that a BOOTP Relay Agent must put its 
IP address in the GIADDR field. The relay agent must fill this field with 
the IP address of the interface on which the request was received.  That's 
how the server knows which scope to use.

Priscilla




Eric Lange



 


From: dimitri@ptscinti.com
Sent by: nobody@groupstudy.com
Date: 06/26/2002 08:39 AM
To: [EMAIL PROTECTED]
cc:
Subject: DHCP question [7:47477]
Please respond to dimitri
 

 





Let's assume a Win2k DHCP server is set up correctly with different IP
scopes for 2 remote sites.  Let's also assume remote-site routers are
set-up correctly with the correct IP helper-address.  When remote DHCP
clients start broadcasting for IP addresses at each remote site, and
these broadcasts are then forwarded by the remote-site routers as
unicast packets to the DHCP server, how does the DHCP server know from
which scope of IP address to full-fill a DHCP client request for a given
remote site.  Is the information embbeded within the DHCP packet itself?

thanks
dj


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47533t=47477
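
The relay behaviour described in the message above (the router puts its ingress-interface address in GIADDR and the server picks the scope from that field), as an added example that is not part of the original post. The addresses 10.10.10.1, 10.10.10.0/24 and 172.16.0.2 come from the message; the second site 10.20.20.0/24, the MAC address and the function names are constructed for illustration.

```python
import ipaddress
import socket
import struct

# Fixed 236-byte BOOTP header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = bytes([99, 130, 83, 99])
ZERO_ADDR = b"\x00" * 4


def build_discover(xid, mac):
    """DHCPDISCOVER as a client broadcasts it: GIADDR is still 0.0.0.0."""
    header = struct.pack(BOOTP_FMT, 1, 1, 6, 0, xid, 0, 0x8000,
                         ZERO_ADDR, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
                         mac, b"", b"")
    options = bytes([53, 1, 1, 255])      # option 53 = DISCOVER, then END
    return header + MAGIC_COOKIE + options


def relay(payload, ingress_ip, helper_ip):
    """What the router does for a broadcast received on an interface with a
    helper address: fill GIADDR (only if still zero), count the hop, and
    unicast the request to the server."""
    fields = list(struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN]))
    fields[3] += 1                                   # hops
    if fields[10] == ZERO_ADDR:                      # giaddr
        fields[10] = socket.inet_aton(ingress_ip)
    relayed = struct.pack(BOOTP_FMT, *fields) + payload[BOOTP_LEN:]
    return {"ip_src": ingress_ip, "ip_dst": helper_ip, "payload": relayed}


def giaddr(payload):
    return ipaddress.IPv4Address(payload[24:28])     # GIADDR sits at offset 24


def select_scope(payload, scopes):
    """Server side: choose the scope whose subnet contains GIADDR.
    Returns None for a non-relayed request (GIADDR 0.0.0.0) or no match."""
    gi = giaddr(payload)
    if gi == ipaddress.IPv4Address("0.0.0.0"):
        return None
    for scope in scopes:
        if gi in scope:
            return scope
    return None


SCOPES = [ipaddress.ip_network("10.10.10.0/24"),
          ipaddress.ip_network("10.20.20.0/24")]     # second site is constructed


def run_demo():
    discover = build_discover(0x12345678, bytes.fromhex("020000000001"))
    site_a = relay(discover, "10.10.10.1", "172.16.0.2")
    site_b = relay(discover, "10.20.20.1", "172.16.0.2")
    return {
        "site_a_giaddr": str(giaddr(site_a["payload"])),
        "site_a_scope": str(select_scope(site_a["payload"], SCOPES)),
        "site_b_scope": str(select_scope(site_b["payload"], SCOPES)),
        "unrelayed_scope": select_scope(discover, SCOPES),
    }


if __name__ == "__main__":
    print(run_demo())
```
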



Fwd: RE: ISDN Gurus HElp! [7:47353]

2002-06-26 Thread Juli Hato


Hello Pierre-Alex Guanel,
Attached below is the show isdn status output. Please also find my configuration file.
Please check whether I have configured it wrongly.

Once the remote router restarts, the ISDN can connect to
HQ (isdnkotaconnect.txt)

Thank you for helping me ^-^

HATO

 From: Pierre-Alex Guanel 
 Reply-To: Pierre-Alex Guanel 
 To: [EMAIL PROTECTED]
 Subject: RE: ISDN Gurus HElp! [7:47353]
 Date: Tue, 25 Jun 2002 09:29:01 -0400
 
 Please send us the output of show isdn status on that router.
 
 Thanks,
 
 Pierre-Alex






sh isdn st
Global ISDN Switchtype = basic-net3
ISDN BRI1/0 interface
dsl 8, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 8 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/1 interface
dsl 9, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 9 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/2 interface
dsl 10, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 10 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/3 interface
dsl 11, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 64, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 11 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/4 interface
dsl 12, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 96, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 12 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/5 interface
dsl 13, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 13 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/6 interface
dsl 14, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 14 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- ISDN BRI1/7 interface
dsl 15, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 15 CCBs = 0
The Free Channel Mask:  0x8003
 --More-- Total Allocated ISDN CCBs = 0
010_RO_01#

[GroupStudy.com removed an attachment of type application/msword which had a
name of FR and ISDN Backup.doc]
01:03:240518168576: Found idle channel B1
01:03:240518168576: CC_CHAN_GetIdleChanbri: dsl 12
01:03:240518168576: Found idle channel B1
01:03:242684896268: ISDN BR1/0: received HOST_PROCEEDING call_id 0x806D
01:03:240518168576: ISDN BR1/2: received HOST_PROCEEDING call_id 0x806F
01:03:240518168576: ISDN BR1/3: received HOST_INFORMATION call_id 0x8070
01:03:240518168576: ISDN Event: dsl 11 call_id 0x8070 B channel assigned by
switch 0
ISDN BR1/4: received HOST_INFORMATION call_id 0x8071
01:03:240518168576: ISDN Event: dsl 12 call_id 0x8071 B channel assigned by
switch 0
ISDN BR1/0: received HOST_DISCONNECT call_id 0x806D
01:03:240518168576: ISDN BR1/0: Event:  Call to 28600056 was hung up.
01:03:242684896140: ISDN BR1/0: process_disc_ack(): call id 0x806D, ces 1,
call type DATA
01:03:242684896520: ISDN BR1/0: received HOST_DISCONNECT_ACK call_id 0x806D
01:03:240518168576: ISDN BR1/0: HOST_DISCONNECT_ACK: call type is DATA
01:03:246979863564: ISDN BR1/2: received HOST_DISCONNECT call_id 0x806F
01:03:244813135872: ISDN BR1/2: Event:  Call to 26500071 was hung up.
01:03:246979863436: ISDN BR1/2: process_disc_ack(): call id 0x806F, ces 1,
call type DATA
01:03:246979863816: ISDN BR1/2: received HOST_DISCONNECT_ACK call_id 0x806F
01:03:244813135872: ISDN BR1/2: HOST_DISCONNECT_ACK: call type is DATA
01:03:244813135872: ISDN BR1/1: Activating

Wireless Training [7:47535]

2002-06-26 Thread [EMAIL PROTECTED]

Group-

Besides Cisco wireless related training, could anyone give me some feedback
on any wireless training courses anyone might have taken?

I know about various training centers, like www.trainingwireless.com and
others, but I would like to know about engineers' experiences at these
courses and which ones people are recommending.

Thanks!

Theo




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47535t=47535



RE: CCIE written questions [7:47517]

2002-06-26 Thread Tim Potier

00b0.d059.8609
0000 0000 1011 0000 1101 0000 0101 1001 1000 0110 0000 1001
0000 0000 0000 1101 0000 1011 1001 1010 0110 0001 1001 0000
000d.0b9a.6190


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47537t=47517



RE: IOS firewall feature set for Cisco 2514 [7:47523]

2002-06-26 Thread Dan Penn

No Rick that guy is MOST mistaken some of the 2500 series has been
EOS'd.  However cisco is pledging software support until 2005.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Rick
Sent: Wednesday, June 26, 2002 8:31 PM
To: [EMAIL PROTECTED]
Subject: Re: IOS firewall feature set for Cisco 2514 [7:47523]

Where did you find info that Cisco does not support
25xx series anymore? I have 156 support contracts
on 2509, 2511, and 2520's. I also just finished a
network wide upgrade of IOS on these same boxes.
I am concerned that Cisco just announced this and
this leaves me with a serious problem.



S M  wrote in message
news:[EMAIL PROTECTED]...
 I'm looking for Cisco 2514 IOS w/ firewall feature set. Cisco doesn't
 support 25xx series anymore.

 Does anyone point me in the right direction to get the software.

 Thanks

 SM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47536t=47523



RE: CID [7:47496]

2002-06-26 Thread Tim Potier

ATM is there... no appletalk or SNA


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47538t=47496
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: PBR [7:47463]

2002-06-26 Thread piesupport

Thanks

I got info from somewhere else that if the next-hop IP address is not
reachable, then BAD luck, it won't go to the next policy. You can, though, set 2
next-hops; if one fails, then it will use the next one.

eg;
route-map dummy permit 10
 match ip address 1
 set ip next-hop 1.1.1.1 2.2.2.2


Steven A. Ridder  wrote in message
news:[EMAIL PROTECTED]...
 I think if it knows that the destination is down, it will use the next route
 in the regular routing table, but I'm not sure.  Try it in a lab, as it's a
 good question.


 piesupport  wrote in message
 news:[EMAIL PROTECTED]...
  I have enabled PBR on one of my interfaces of 7513, which decides on basis of
  source IP block and chooses next hop. My question is what will happen if next
  hop is unavailable (down). Will it go to alternate hop as decided by BGP (I
  am running BGP, OSPF in my network) and next hops are EBGP peers?
 
  Regards
  Raza Bhutta
 
  --




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47539t=47463



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread supernet

Lidiya,

I didn't try PIX, but I tried a 1605: Main office
3030---Internet---1605---VPN clients. It worked fine. 1605 was
configured PAT inside. Does this mean 1650 is IPSec aware? If 1605 is
IPSec aware, why PIX isn't?

Thanks.
Yoshi



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47540t=47430

ISDN Lab Tips [7:47541]

2002-06-26 Thread cebuano

Hi, all.
Here's a link that might be helpful in clearing up some issues that might
arise in the ISDN part of the lab.
http://www.cisco.com/warp/public/129/bri_invalid_spid.html

Regards,
Elmer




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47541t=47541



RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread Lidiya White

I bet you were using IPSec over TCP. Then it really doesn't matter what
is in the 'middle'. Your Cisco 1605 will see only tcp traffic, not esp.
Cisco 1600 is not IPSec aware (and doesn't have to be in your setup).

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
supernet
Sent: Wednesday, June 26, 2002 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

I didn't try PIX, but I tried a 1605: Main office
3030---Internet---1605---VPN clients. It worked fine. 1605 was
configured PAT inside. Does this mean 1650 is IPSec aware? If 1605 is
IPSec aware, why PIX isn't?

Thanks.
Yoshi


Re: Off Topic - Cisco vis a vis World Com [7:47543]

2002-06-26 Thread Eric Rogers

Comments Inline:

Cisco is not a Telco, so the wire service is not a valid source for info.

--You might want to talk to Chambers and Wall $treet about that. Service
Provider, manufacturer they're all in the same financial boat. Just look at
the 18% drop in Juniper stock today off the news of WorldCom.

I could name at least 12 ILEC's that are making profits and have been for
many years and this is only just a stagnant time for them. They will be
moving forward in another year with huge network expansions.

--LOL! There's so much damn capacity now it's sickening. There's half a
dozen empty Colo's here in San Francisco alone. Cogentco is dumping 100meg
garbage links for a $1000 a month. (Now only if they had decent peering.)

The profitable and low debt companies are not too worried right now.

--Doesn't that translate into Fat and Lazy. Jack be nimble, Jack be
quick, Jack just stole the competitors client base.

they will just ride the wave and use this time to cut some cost that is
long over due.

---This is called Piss down economics. 2,000,000 people and counting.

just think of all the very large customers that will be fleeing WCOM. Most
will head to the nearest ILEC.

---I think that most customers will look seriously at how much bandwidth
they really need and dumping the excess if possible.

At first thought is all the government contracts they have. Every
government contract, state or federal, usually has provisions for them to
null the contract if the company files Bankruptcy or is found to have
committed illegal acts.

Tax Bailout! Politicians rank high on the intelligence level, right up
there with my toilet bowl. Look at the current California electrical power
situation where the Governor locked this state into paying billions of dollars
more than it should have for years to come.

-Eric

Remember: Advice is worth only what you pay for it.



Eric Rogers wrote in message
news:[EMAIL PROTECTED]...
 This is HUGE for Telco in general...With the restatement this company will
 have actually LOST money for over the past year...

 Just think about all the IOUs that this company has to all its
 vendors, we're talking 30 Billion dollars in debt. It looks like
 bankruptcy is coming soon for this company. What's Cisco's exposure to this?
 I believe it's fair to say it's large, be it directly or indirectly. This
 will be the largest bankruptcy in US history, hence world. WorldCom has
 assets in excess of 105 Billion dollars. Compare this to Enron with 60
 Billion dollars. They will be cutting an already planned 16,000 employees
 this week. Who's next: Qwest? Just follow [EMAIL PROTECTED]

 I read a couple of weeks ago from one of the wire services that 24 of
 the 29 major Telcos will go under. The so called safe ones were
 Bellsouth, Cisco, SBC and some others. I've also picked up off of both
 Reuters.com and Bloomberg.com that the Telco market is not expected to turn
 around until maybe late 2003 and will be the last thing to pick up in a
 revived economy. Look at all the companies failing in the US and Europe, the
 drastic slide in the value of the US Dollar against the Euro and the Yen and
 the fact that 2 million layoffs in the US last year, with 500,000 of those
 from tech related jobs alone, it should become apparent to even the simplest
 minds that things will become worse with these scandals coming out. Should
 the US housing bubble burst, kiss this economy good bye for the next five
 years.

 - There is already too much surplus equipment out there that it will take
 years to absorb. And as far as jobs and hiring out in the world, well who's
 going to quit their job because they didn't get a raise lately?-

 JMHO :-0

 -Eric

 - Original Message -
 From: Chuck
 To:
 Sent: Wednesday, June 26, 2002 12:31 PM
 Subject: Off Topic - Cisco vis a vis World Com [7:47505]


  So far today I have seen no word from Cisco on its exposure to World Com.

  The other so called players in the networking industry - Redback, Nortel,
  and Lucent, have all said they have very little on the line with WorldCom.
  Of course, these are companies with one foot in the grave already.

  WorldCom is one of Cisco's MAJOR customers. Cisco stock is back close to
  its low of the last year. Maybe Cisco believes nothing needs be said? Maybe
  Cisco figures they can still sell their stuff through other channels?

  As an employee of another of Cisco's major customers, maybe this bodes well
  for me? With WorldCom out of the way, and no longer selling at cost to steal
  my customers, maybe my own business will pick up?

  Sheesh, this is scary.

  Anybody out there know how what used to be UUNet is doing? Viable? Any
  repercussions through the ISP world?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47543t=47543

Fwd: RE: ISDN Gurus HElp! [7:47353]

2002-06-26 Thread Juli Hato


Hello Pierre-Alex Guanel,
The show isdn status output is attached below. Please find my configuration file.
Please check whether I have configured it wrongly.

Once the remote router restarts, the ISDN can connect to
HQ (isdnkotaconnect.txt).

Thank you for helping me ^-^

HATO

 From: Pierre-Alex Guanel 
 Reply-To: Pierre-Alex Guanel 
 To: [EMAIL PROTECTED]
 Subject: RE: ISDN Gurus HElp! [7:47353]
 Date: Tue, 25 Jun 2002 09:29:01 -0400
 
 Please send us the output of show isdn status on that router.
 
 Thanks,
 
 Pierre-Alex






sh isdn st
Global ISDN Switchtype = basic-net3
ISDN BRI1/0 interface
dsl 8, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 8 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/1 interface
dsl 9, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 9 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/2 interface
dsl 10, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 80, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 10 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/3 interface
dsl 11, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 64, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 11 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/4 interface
dsl 12, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
TEI = 96, Ces = 1, SAPI = 0, State = TEI_ASSIGNED
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 12 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/5 interface
dsl 13, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 13 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/6 interface
dsl 14, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 14 CCBs = 0
The Free Channel Mask:  0x8003
ISDN BRI1/7 interface
dsl 15, interface ISDN Switchtype = basic-net3
Layer 1 Status:
DEACTIVATED
Layer 2 Status:
Layer 2 NOT Activated
Layer 3 Status:
0 Active Layer 3 Call(s)
Activated dsl 15 CCBs = 0
The Free Channel Mask:  0x8003
Total Allocated ISDN CCBs = 0
010_RO_01#

[GroupStudy.com removed an attachment of type application/msword which had a
name of FR and ISDN Backup.doc]
01:03:240518168576: Found idle channel B1
01:03:240518168576: CC_CHAN_GetIdleChanbri: dsl 12
01:03:240518168576: Found idle channel B1
01:03:242684896268: ISDN BR1/0: received HOST_PROCEEDING call_id 0x806D
01:03:240518168576: ISDN BR1/2: received HOST_PROCEEDING call_id 0x806F
01:03:240518168576: ISDN BR1/3: received HOST_INFORMATION call_id 0x8070
01:03:240518168576: ISDN Event: dsl 11 call_id 0x8070 B channel assigned by
switch 0
ISDN BR1/4: received HOST_INFORMATION call_id 0x8071
01:03:240518168576: ISDN Event: dsl 12 call_id 0x8071 B channel assigned by
switch 0
ISDN BR1/0: received HOST_DISCONNECT call_id 0x806D
01:03:240518168576: ISDN BR1/0: Event:  Call to 28600056 was hung up.
01:03:242684896140: ISDN BR1/0: process_disc_ack(): call id 0x806D, ces 1,
call type DATA
01:03:242684896520: ISDN BR1/0: received HOST_DISCONNECT_ACK call_id 0x806D
01:03:240518168576: ISDN BR1/0: HOST_DISCONNECT_ACK: call type is DATA
01:03:246979863564: ISDN BR1/2: received HOST_DISCONNECT call_id 0x806F
01:03:244813135872: ISDN BR1/2: Event:  Call to 26500071 was hung up.
01:03:246979863436: ISDN BR1/2: process_disc_ack(): call id 0x806F, ces 1,
call type DATA
01:03:246979863816: ISDN BR1/2: received HOST_DISCONNECT_ACK call_id 0x806F
01:03:244813135872: ISDN BR1/2: HOST_DISCONNECT_ACK: call type is DATA
01:03:244813135872: ISDN BR1/1: Activating
01:03:59: ISDN BR1/0: Outgoing call id = 

RE: Cisco VPN client and NAT [7:47430]

2002-06-26 Thread supernet

My clients use IPSec over UDP, not TCP. We do have to enable "Allow
IPSec through NAT" on clients. I guess it's the same thing you were
talking about, right?

Thanks.
Yoshi

-Original Message-
From: Lidiya White [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 9:56 PM
To: 'supernet'; [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

I bet you were using IPSec over TCP. Then it really doesn't matter what
is in the 'middle'. Your Cisco 1605 will see only tcp traffic, not esp.
Cisco 1600 is not IPSec aware (and don't have to be in your setup).

-- Lidiya White


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
supernet
Sent: Wednesday, June 26, 2002 11:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

Lidiya,

I didn't try PIX, but I tried a 1605: Main office
3030---Internet---1605---VPN clients. It worked fine. 1605 was
configured PAT inside. Does this mean 1650 is IPSec aware? If 1605 is
IPSec aware, why PIX isn't?

Thanks.
Yoshi

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Lidiya White
Sent: Wednesday, June 26, 2002 7:56 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN client and NAT [7:47430]

See inlines

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Paul
Sent: Wednesday, June 26, 2002 5:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN client and NAT [7:47430]


 Cool, so the PIX will not support VPN's over PAT !!!

If you are talking about passing IPSec through the PIX (not PIX
terminating VPN tunnel) then you are correct. PIX has to have a pool of
ip addresses for one-to-one NAT for your VPN clients.

If you are talking about PIX terminating VPN, then PIX won't even know
the difference if the packet went through the PAT/NAT device.

 So if I had my Main Office PIX, and a VPN Concentrator . could I
 successfully connect from a remote office via a cable/adsl modem that does
 PAT using the Cisco VPN software client ???

Is your cable modem IPSec aware (supports IPSec through PAT)?

If yes, then you can terminate VPN tunnels on the VPN Concentrator or
the PIX.

If not, then you can use VPN Concentrator with IPSec over TCP option.
PIX doesn't support IPSec over TCP for now. PIX only listens on udp port
500.

-- Lidiya White

 If so ... and if I had say ... 30 - 40 remote offices, potentially
 connecting simultaneously  would a VPN 3000 be overkill ??? or would
 I be better getting a VAC for the PIX (would the PIX VAC support VPN's
 over PAT), or there other VPN concentrators that would do the job

Regards ...

Paul ...


- Original Message -
From: Robertson, Douglas
To:
Sent: Wednesday, June 26, 2002 6:15 PM
Subject: RE: Cisco VPN client and NAT [7:47430]

 In most cases the PIX does not support VPN's over PAT; you need a static NAT
 to establish a VPN tunnel.
 Protocol 50 (Encapsulating Security Payload [ESP]) handles the
 encrypted/encapsulated packets of IPSec. PAT devices
 don't work with ESP since they have been programmed to work only with
 Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and
 Internet Control Message Protocol (ICMP). In addition, PAT devices are
 unable to map multiple security parameter indexes (SPIs). An alternative is
 implemented in some devices like the VPN 3000 Concentrator by encapsulating
 ESP within UDP and sending it to a negotiated port.

 Doug



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 26, 2002 11:20 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Cisco VPN client and NAT [7:47430]

 Lidiya,

 On the pix when you configure Ipsec you configure a pool of addresses that
 your Ipsec clients will use on your own network.  For instance your inside
 network will have the ip addressing scheme of 192.168.0.0 with a class c
 subnet mask.  You set the pool to give the 10.0.0.0 subnet with a class C
 subnet mask. Therefore when your clients behind your firewall try to
 talk to the 10.0.0.0 network they will hit the firewall and be passed to the
 translation from the pool.  You cannot have any devices in the middle which
 pat (IE a router which pats the ip address of your pix if your pix is
 establishing the tunnel). It must be a one to one translation from one end of
 the tunnel to the other.  Everyone feel free to correct me if I'm wrong
 which I'm sure will be the case.

 Jason



 -Original Message-
 From: Alex Lee [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, June 26, 2002 3:20 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Cisco VPN client and NAT [7:47430]

 So how does the Linksys or cisco 800 handle the IPSec thru PAT then ?
 Thanks.

  Alex Lee

 Lidiya White wrote in message
 news:[EMAIL PROTECTED]...

  PIX doesn't support IPSec transparency/IPSec over TCP. Concentrators do.