RE: problem with initiating PPTP connection behind [7:59781]

2002-12-26 Thread Justin Menga
Hi Eric

You can make it work, but under the following restrictions:

1.  You can only support a single PPTP connection from a single inside host
2.  You need a static IP address

All you need to do is configure a static for your inside host that needs the
PPTP connections and map this to the outside IP address.  I don't think the
PIX allows you to define static one-to-one NATs for interfaces (i.e. the
static NAT dynamically picks up your outside dynamic IP addressing), hence
the requirement for a static IP address.  You also need to use an ACL on the
outside that permits incoming GRE packets from the PPTP server.  If you have
any ACLs defined on the internal interface, you need to permit TCP traffic
to port 1723 on the PPTP server.

Sample config:

static (inside,outside) 200.1.1.1 192.168.1.10
access-list OUTSIDE permit gre host 210.1.1.1 host 200.1.1.1
! This is only required if you have an ACL applied on the inside interface
! By default, this connection will be permitted from outside to inside
access-list INSIDE permit tcp host 192.168.1.10 host 210.1.1.1 eq 1723
access-group OUTSIDE in interface outside
access-group INSIDE in interface inside

As indicated in other posts, PAT works with PPTP on Cisco IOS.  This is
because Cisco IOS snoops the TCP control channel for an identifier used to
identify a particular PPTP connection, which is included within the GRE
headers of each GRE packet.  I agree the PIX should support PAT for PPTP,
and I have no doubt it probably will at some stage as it is supported in
IOS.

HTH
Justin

-Original Message-
From: eric nguyen [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, December 21, 2002 4:27 PM
To: [EMAIL PROTECTED]; 'Chuck Church'; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: RE: problem with initiating PPTP connection behind a Pix Firewall
via PAT


Thanks for the info.

This absolutely sucks.  I am sure there are many folks out there with
broadband connection like myself, cable modem or DSL, that have only one
external IP address.  Those folks might be using Cisco Pix501, Pix506 or
Pix506E for their home firewall.  I am sure they need to connect to their
corporate network via PPTP just like myself.  Now I have no choice but to
switch back to my Linux firewall.  Pix firewall, what a piece of shit.  For
an expensive product like that, you would think that Cisco makes an effort
to make PPTP work via PAT.  Enough of me venting off my frustration.  Thanks
everyone for your help.

Eric

Raymond Jett (rajett) wrote:

Hmmm To quote cisco.com...

PPTP through the PIX with Port Address Translation (PAT) does not work
because there is no concept of ports in GRE.

That was from:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094a5a.shtml

This URL shows you how to do it with NAT...

Although, interestingly enough... You can do it with IOS:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml

Watch the word wrap on the URLs!

Raymond

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of eric
nguyen
Sent: Friday, December 20, 2002 8:59 PM
To: Chuck Church; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


Chuck,

I did try the following:

static (inside,outside) tcp interface 1723 172.16.1.100 1723 netmask 255.255.255.255 0 0
access-list 100 permit ip any any
access-list 100 permit gre any any
access-list 100 permit icmp any any
access-group 100 in interface outside

It still doesn't work. The example you provided has to do with Cisco IOS.
Pix is not the same as Cisco IOS even though it comes from the same company.
This is really frustrating. I feel like I am being ripped-off by Cisco Pix
firewall (even though I am running a clone, there is no way in hell that
Cisco will support it). It is really amazing that an expensive product like
this one doesn't support PPTP with PAT (to my knowledge). Even Linux
firewall supports PPTP over PAT. I feel like I am hitting a brick wall here.
Please help.

Eric

Chuck Church wrote:

Eric,

To get PPTP to work with PAT, you need to play with it like you do with
IPSec. Check out:
http://www.cisco.com/en/US/tech/tk648/tk369/technologies_configuration_example09186a00800949c0.shtml
You need to statically map TCP 1723 on the outside to your inside PC, same
port. At one time I thought it needed GRE, but I don't see it listed on that
doc. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE


- Original Message -
From: Neil Moore 
To: eric nguyen ; ;

Sent: Friday, December 20, 2002 5:58 PM
Subject: Re: problem with initiating PPTP connection behind a Pix Firewall
via PAT


 Its all broken... I will give you 500 bux for that pix ..no problem!
 
 Neil Moore CCIE#10044
 - Original Message -
 From: eric nguyen
 To: ;
 Sent: Friday, December 20, 2002 4:47 PM
 Subject: problem with initiating PPTP 
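
Added example (not part of the thread, and not Cisco's or any vendor's code): a Python sketch of the Call ID snooping Justin describes, showing why a translator that reads the TCP/1723 control channel can treat the Call ID in the enhanced GRE header (RFC 2637) like a port number. The `PptpPat` class, the second inside host 192.168.1.11 and the sample packets are constructed for illustration; the other addresses are taken from the sample config above.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D        # magic cookie carried in every PPTP control message
OUTGOING_CALL_REQUEST = 7      # control message type that opens a call
GRE_PROTO_PPTP = 0x880B        # GRE protocol type used by PPTP


def parse_outgoing_call_request(payload):
    """Return the Call ID of an Outgoing-Call-Request, or None for anything else."""
    if len(payload) < 14:
        return None
    _length, msg_type, magic, ctrl_type, _rsvd = struct.unpack("!HHIHH", payload[:12])
    if msg_type != 1 or magic != PPTP_MAGIC or ctrl_type != OUTGOING_CALL_REQUEST:
        return None
    return struct.unpack("!H", payload[12:14])[0]


def parse_pptp_gre(packet):
    """Return the Call ID from a PPTP enhanced GRE header; raise ValueError otherwise."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, _payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    # The K bit (0x2000) must be set and the version field (low 3 bits) must be 1.
    if not (flags & 0x2000) or (flags & 0x0007) != 1 or proto != GRE_PROTO_PPTP:
        raise ValueError("not a PPTP GRE packet")
    return call_id


class PptpPat:
    """Hypothetical translator: Call IDs play the role that ports play for TCP/UDP."""

    def __init__(self):
        self._next_id = 1
        # (server_ip, translated_call_id) -> (inside_ip, original_call_id)
        self.calls = {}

    def snoop_control(self, inside_ip, server_ip, tcp_payload):
        """Inspect an inside-to-outside TCP/1723 payload; rewrite the Call ID if it opens a call."""
        call_id = parse_outgoing_call_request(tcp_payload)
        if call_id is None:
            return tcp_payload                      # not a call setup: pass unchanged
        if self._next_id > 0xFFFF:
            raise RuntimeError("Call ID space exhausted")
        translated = self._next_id
        self._next_id += 1
        self.calls[(server_ip, translated)] = (inside_ip, call_id)
        # Same length, so no TCP sequence adjustment; a real device also fixes the checksum.
        return tcp_payload[:12] + struct.pack("!H", translated) + tcp_payload[14:]

    def inbound_gre(self, server_ip, gre_packet):
        """Map a server-to-client GRE packet to (inside_ip, packet with original Call ID)."""
        call_id = parse_pptp_gre(gre_packet)
        entry = self.calls.get((server_ip, call_id))
        if entry is None:
            return None                             # no snooped call: nothing to map it to
        inside_ip, original = entry
        return inside_ip, gre_packet[:6] + struct.pack("!H", original) + gre_packet[8:]


def build_ocrq(call_id):
    """Constructed sample: 168-byte Outgoing-Call-Request carrying the given Call ID."""
    header = struct.pack("!HHIHH", 168, 1, PPTP_MAGIC, OUTGOING_CALL_REQUEST, 0)
    return header + struct.pack("!H", call_id) + bytes(168 - 14)


def build_gre(call_id, ppp_payload=b"\xff\x03\xc0\x21"):
    """Constructed sample: enhanced GRE header (K and S bits, version 1) plus payload."""
    header = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPTP, len(ppp_payload), call_id, 1)
    return header + ppp_payload


def demo():
    """Two inside hosts pick the same Call ID; the translator still separates them."""
    pat = PptpPat()
    server = "210.1.1.1"
    for host in ("192.168.1.10", "192.168.1.11"):
        pat.snoop_control(host, server, build_ocrq(0x4000))
    # The server addresses each client by the (translated) Call ID it was given.
    return [pat.inbound_gre(server, build_gre(cid)) for cid in (1, 2, 3)]


if __name__ == "__main__":
    for result in demo():
        print(result if result is None else (result[0], parse_pptp_gre(result[1])))
```

Without the control-channel snooping step there is no table to consult, which is the situation the static one-to-one NAT in Justin's sample config works around by sending all GRE from the server to a single inside host.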

RE: CCIE Vs. BS or MS dergree [7:59481]

2002-12-26 Thread Ladrach, Daniel E.
I think the key is to know what you are going to college for. I Have A
degree from The Ohio State University, Max Fisher College of Business in
MIS. I also am enrolled at Franklin University MBA in MIS. Lastly, I admit
to having my CCNP (working on CCDP). Of all the tests I have taken over the
years the Cisco exams are by far the easiest. I think we need to be
realistic when comparing Certs Vs. Education. It took me 4 months to get my
CCNP it took me 6 Years to get my education. The CCIE would probably take me
as long to prepare for as my MBA; however, I think the MBA will open up far
more doors.

Calculus, Physics, Finance, Accounting, Economics to name a few to receive a
degree. Remember you don't just take one of each you take several.

I agree with the course load listed in the e-mail below.


 -Original Message-
 From: J.D. Chaiken [mailto:[EMAIL PROTECTED]]
 Sent: Friday, December 20, 2002 10:07 AM
 To: [EMAIL PROTECTED]
 Subject: Re: CCIE Vs. BS or MS dergree [7:59481]
 
 
 If that were the real reading list for a BS degree, I would
 *LOVE* it.  My problem is that they make you read all the 
 fluffy stuff that you never wanted to read in the first 
 place, and didnt go to college for, but they make you read anyway.
 
 And further, lets say you were an english major, do you
 really think that Calculus I would help you there?
 
 Jarett
 
 Charlie Wehner  wrote in message
 news:[EMAIL PROTECTED]...
  What's more difficult?
 
  a) Memorizing configuration scenerios and commands on a Cisco router
 
  b) Understanding Calculus, Differential Equations,
 Numerical Analysis,
  Chemistry, Physics and Electrical Engineering well enough
 to create a
  meaningful experiment.
 
  One of my friends is working on his masters in Physics right now.
  What
 he's
  working on makes the CCIE look like a walk through the park.
 
  Seriously, what if the recommended reading list for the CCIE exam
  looked like this:
 
  Physics I and II
  Calculus I,II,III
  Differential Equations
  Mechanics
  Circuit Analysis I and II
  Linear Systems
  Thermodynamics
  Quantum Mechanics
  Optics
 Report misconduct 
 and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59799t=59481
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Christmas non-NDA [7:59800]

2002-12-26 Thread Howard C. Berkowitz
In the first half hour of testing my proctor gave to me
A test pod to-pol-o-gee

In the second half hour of testing my proctor gave to me
Two IGPs
And a test pod to-pol-o-gee.

In the third half hour of testing my proctor gave to me
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the fourth half hour of testing my proctor gave to me
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the fifth half hour of testing my proctor gave not to me
Five token rings

In the fifth and sixth half hour of testing my proctor gave to me
A hurried pizza lunch

In the seventh half hour of testing my proctor gave to me
Five multilayer switched VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the eighth half hour of testing my proctor gave to me
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the fifth hour/ninth half hour of testing my proctor gave to me
Seven routing policies
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the sixth hour of testing my proctor gave to me
Eight
Seven routing policies
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the sixth hour of testing my proctor gave to me
Eight tunnels a-tunneling
Seven routing policies
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the sixth hour of testing my proctor gave to me
Nine tunnels a-tunneling
Eight routing policies
Seven OSI layers to confirm
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the sixth hour of testing my proctor gave to me
Ten addresses to NAT
Nine tunnels a-tunneling
Eight routing policies
Seven OSI layers to confirm
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the seventh hour of testing I gave to myself
Eleven potential bugs
Ten addresses to NAT
Nine tunnels a-tunneling
Eight tunnels a-tunneling
Seven routing policies
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee

In the last hour of testing I gave to myself
Twelve bug fixes, or so I hoped
Eleven potential bugs
Ten addresses to NAT
Nine tunnels a-tunneling
Eight tunnels a-tunneling
Seven routing policies
Six BGP speakers a-speaking
Five 802.1q VLANs
Four calling voice cards
Three redistribution points
Two IGPs
And a test pod to-pol-o-gee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59800t=59800



RE: CCIE Vs. BS or MS dergree [7:59481]

2002-12-26 Thread Sal DiStefano
Hi All

   I think the CCIE is a narrow focus as compared to a degree. What a person
does or would like to do with either will determine which is the better route
for that individual. It is going to be up to the individual and what he/she
is looking to do in the future.

   You can get your CCIE but if you can't do the job you're not going to get
the 100,000.00 year position. You can also get the BS or MS and work at
Burger World.

   The one problem I see is people with a CCIE are Network specific and to
change to another branch of IT you will most likely need to get another
cert. I see someone with a BS or MS being much more mobile as far as
crossing departments if you will.

   I for example have been working in IT for 17 years. I have gone through
numerous departments over the years. I started as a programmer, then to
support and Help Desk, then to Network Operations. Network Operations is
where I want to be. I don't have a Bachelors degree and don't want one. I
have no aspirations of being a CIO, etc. I want to be hands on and do
Network Security consulting, that's what I enjoy doing.  So for me the CCIE
is the next step. I see more value for me in the CISSP and CCIE
certifications because I have experience to back up my certs which gets me
into positions I want. I can get the Job done. There are however doors which
will not open to me because I don't have the degree. Some Companies just
won't even look at you if you don't have the Degree. I'm ok with that, I
just don't work for companies who want a Degree over Experience. I don't
work well in their Bureaucracies anyway.

Just my 2 cents.

Regards

Sal DiStefano
--- Ladrach, Daniel E.  wrote:
 I think the key is to know what you are going to college for. I Have A
 degree from The Ohio State University, Max Fisher College of Business in
 MIS. I also, am enrolled at Franklin University MBA in MIS. Lastly,I admit
 to having my CCNP (working on CCDP). Of all the tests I have taken over the
 years the Cisco exams are by far the easiest. I think we need to be
 realistic when comparing Certs Vs. Education. It took me 4 months to get my
 CCNP it took me 6 Years to get my education. The CCIE would probably take
me
 as long to prepare for as my MBA; however, I think the MBA will open up far
 more doors.
 
 Calculus, Physics, Finance, Accounting, Economics to name a few to receive
a
 degree. Remember you don't just take one of each you take several.
 
 I agree with the course load listed in the e-mail below.
 
 
  -Original Message-
  From: J.D. Chaiken [mailto:[EMAIL PROTECTED]]
  Sent: Friday, December 20, 2002 10:07 AM
  To: [EMAIL PROTECTED]
  Subject: Re: CCIE Vs. BS or MS dergree [7:59481]
  
  
  If that were the real reading list for a BS degree, I would
  *LOVE* it.  My problem is that they make you read all the 
  fluffy stuff that you never wanted to read in the first 
  place, and didnt go to college for, but they make you read anyway.
  
  And further, lets say you were an english major, do you
  really think that Calculus I would help you there?
  
  Jarett
  
  Charlie Wehner  wrote in message
  news:[EMAIL PROTECTED]...
   What's more difficult?
  
   a) Memorizing configuration scenerios and commands on a Cisco router
  
   b) Understanding Calculus, Differential Equations,
  Numerical Analysis,
   Chemistry, Physics and Electrical Engineering well enough
  to create a
   meaningful experiment.
  
   One of my friends is working on his masters in Physics right now.
   What
  he's
   working on makes the CCIE look like a walk through the park.
  
   Seriously, what if the recommended reading list for the CCIE exam
   looked like this:
  
   Physics I and II
   Calculus I,II,III
   Differential Equations
   Mechanics
   Circuit Analysis I and II
   Linear Systems
   Thermodynamics
   Quantum Mechanics
   Optics




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59801t=59481



GroupStudy Filtering?? [7:59802]

2002-12-26 Thread Mark W. Odette II
The question:



Is there some sort of filter running on GroupStudy that is substituting
the following string of text for what some folks are posting in their
messages when referring to a website??





The offending text:  @!#$.com



Or, am I just retarded, and there is now a way to access a url made up
of those special characters??



Thanx,

Mark




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59802t=59802



Re: GroupStudy Filtering?? [7:59802]

2002-12-26 Thread John Neiberger
There is no filter that causes this sort of substitution.  What you are
seeing is people purposefully substituting nonsense characters in place
of certain words to test the filters.  They're simply trying to figure
out which words are being blocked to figure out a way around the
filters.

John

Mark W. Odette II 12/26/02 2:18:50 PM
The question:



Is there some sort of filter running on GroupStudy that is substituting
the following string of text for what some folks are posting in their
messages when referring to a website??





The offending text:  @!#$.com



Or, am I just retarded, and there is now a way to access a url made up
of those special characters??



Thanx,

Mark




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59803t=59802



ADSL QUESTION with 3600/2600 routers [7:59805]

2002-12-26 Thread Simon Watson
Hi All

Long time no speak, hope everyone is having a blessed Christmas.

I've a Client who has a WAN network comprising of a Cisco 3660 (centre) and
several 2600's (currently each WAN link is a 256k lease line, each line
will soon be upgraded to LES10 Circuits). The client has ISDN backup on
all their sites but are looking to replace this with a ADSL Solution. What
is the best ADSL Solution should I recommend for my client.

Many Thanks

Simon.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59805t=59805



4500 Series Router [7:59806]

2002-12-26 Thread Walker, James - Is
All,

Anyone know how to recover from a empty flash on a 4500 series router?

I'm getting the following message:

device does not contain a valid magic number
boot: cannot open bootflash:
an alternate boot helper program is not specified
(monitor variable BOOTLDR is not set)
and unable to determine first file in bootflash
loadprog: error - on file open
boot: cannot load cisco2-C4500

I combed the CCO, no luck.

TIA

Jim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59806t=59806



Passed BSCI (640-901) [7:59807]

2002-12-26 Thread Sudarshan N Chari
Hello friends and gurus,

I had been a silent observer in this group. After a long break of more
than an year, today I got the courage to face the tiger in its den :-)
(of course I mean BSCI). 

The verdict was Tiger 0 and Sudarshan 1.

There were 57 questions with all kinds of old timer multi-choice and
also the new kind of scenarios. I am sure I have not said anything that
will be challenged by the NDA :-).

OK one more to go. And I am hoping to face the Lion soon (Support
exam is to be completed).

Will talk you all soon. Hopefully it should be good news.

Thanks to all in this group. I learnt many things from the email
exchanges here. 

Regards
Sudarshan





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59807t=59807



RE: Christmas non-NDA [7:59800]

2002-12-26 Thread Priscilla Oppenheimer
Very funny, Howard. :-)

I'm glad Group Study is back. What would we do without it? Thank-you Paul
for bringing it back. I hope it didn't disrupt your holiday too much. This
is a great thing that you do.

I hope this won't start a long thread, but I would like to say Merry
Christmas to everyone who celebrates it!

Peace,

Priscilla

Howard C. Berkowitz wrote:
 
 In the first half hour of testing my proctor gave to me
 A test pod to-pol-o-gee
 
 In the second half hour of testing my proctor gave to me
 Two IGPs
 And a test pod to-pol-o-gee.
 
 In the third half hour of testing my proctor gave to me
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the fourth half hour of testing my proctor gave to me
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the fifth half hour of testing my proctor gave not to me
 Five token rings
 
 In the fifth and sixth half hour of testing my proctor gave to
 me
 A hurried pizza lunch
 
 In the seventh half hour of testing my proctor gave to me
 Five multilayer switched VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the eighth half hour of testing my proctor gave to me
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the fifth hour/ninth half hour of testing my proctor gave to
 me
 Seven routing policies
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the sixth hour of testing my proctor gave to me
 Eight
 Seven routing policies
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the sixth hour of testing my proctor gave to me
 Eight tunnels a-tunneling
 Seven routing policies
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the sixth hour of testing my proctor gave to me
 Nine tunnels a-tunneling
 Eight routing policies
 Seven OSI layers to confirm
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the sixth hour of testing my proctor gave to me
 Ten addresses to NAT
 Nine tunnels a-tunneling
 Eight routing policies
 Seven OSI layers to confirm
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the seventh hour of testing I gave to myself
 Eleven potential bugs
 Ten addresses to NAT
 Nine tunnels a-tunneling
 Eight tunnels a-tunneling
 Seven routing policies
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 In the last hour of testing I gave to myself
 Twelve bug fixes, or so I hoped
 Eleven potential bugs
 Ten addresses to NAT
 Nine tunnels a-tunneling
 Eight tunnels a-tunneling
 Seven routing policies
 Six BGP speakers a-speaking
 Five 802.1q VLANs
 Four calling voice cards
 Three redistribution points
 Two IGPs
 And a test pod to-pol-o-gee
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59808t=59800



Re: ADSL QUESTION with 3600/2600 routers [7:59805]

2002-12-26 Thread The Long and Winding Road
Simon Watson  wrote in message
news:[EMAIL PROTECTED]...
 Hi All  Long time no speak hope everyone is having a blessed Christmas
I've
 a Client who has a WAN network comprising of a Cisco 3660(centre) 
 several 2600's (currently each WAN link is a 256k lease line, each line
 will soon  be upgraded to  LES10 Circuits). The client has ISDN backup on
 all their sites but are  looking to replace this with  a ADSL Solution.
What
 is the best ADSL Solution  should I recommend for my client.Many
 Thanks  Simon.

1) what versions or varieties of DSL are available for each of your client
sites? Gotta check with the telco.

2) what is the nature of the data flow? I.e. distributed? centralized? mix
of both?

3) once you know the answers to both of these items, then you can start
looking at a design. In some cases, you might want to terminate the DSL on a
WIC card on the router. In other cases you might want a standalone DSL
router.

PS. in some areas you can terminate DSL to an ATM circuit at the central
site. this might be a solution worth examining, as well. that way, your data
does not touch the internet, and you don't have to bring VPN's into the mix.








 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59809t=59805



Re: ADSL QUESTION with 3600/2600 routers [7:59805]

2002-12-26 Thread Brian
Depends on whether the primary motive is cost or reliability, and where this
is at geographically.  Typically business class dsl is pricier but more
reliable, and dsl offerings vary by region/country.  In the US, I like to
refer people to www.dslreports.com to see what they qualify for.  Speakeasy
has a hi quality product.

Brian

- Original Message -
From: Simon Watson 
To: 
Sent: Thursday, December 26, 2002 2:26 PM
Subject: ADSL QUESTION with 3600/2600 routers [7:59805]


 Hi All  Long time no speak hope everyone is having a blessed Christmas
I've
 a Client who has a WAN network comprising of a Cisco 3660(centre) 
 several 2600's (currently each WAN link is a 256k lease line, each line
 will soon  be upgraded to  LES10 Circuits). The client has ISDN backup on
 all their sites but are  looking to replace this with  a ADSL Solution.
What
 is the best ADSL Solution  should I recommend for my client.Many
 Thanks  Simon.

 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59810t=59805



NAT in the Doc CD -- Where?? [7:59811]

2002-12-26 Thread Cisco Nuts
Hello, I've been trying to find info. about NAT in the Doc Cd under the
Command and Config. Guides. I tried under the Security Section but cannot
seem to find any. Is there some other place in the Doc Cd that I could
find config. examples on NAT? I am using the Online Doc Cd on CCO.

Thank you for your help.

Sincerely,
CN







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59811t=59811



Re: NAT in the Doc CD -- Where?? [7:59811]

2002-12-26 Thread The Long and Winding Road
Cisco Nuts  wrote in message
news:[EMAIL PROTECTED]...
 Hello, I've been trying to find info. about NAT in the Doc Cd under the
 Command and Config. Guides. I tried under the Security Section but cannot
 seem to find any. Is there some other place in the Doc Cd that I could
 find config. examples on NAT?I am using the Online Doc Cd on CCO.Thank
 you for your help.Sincerely,CN


it's under IP addressing and services, which in turn is under the IP and IP
Routing sections of the configuration and command references.

when in doubt, you can use the master index to find things like NAT or any
other service whose location may not be apparent from the section titles.

HTH





 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59812t=59811



Possible Attack???? [7:59813]

2002-12-26 Thread [EMAIL PROTECTED]
Hi all.  I was wondering if someone can share some light on a weird issue
that I am seeing.  This perhaps maybe an attack from an internal or infected
host within the network or simply a malfunctioning NIC.  Basically, I have a
Cisco 3662 with 2 Satellite links.  I noticed that the main WAN link
(1.544mb) was bursting outbound to sometimes 20mb.  I noticed a lot of
output drops and the links started to flap and as a result BGP sessions
starting going down causing huge problems.  Once I was able to get the BGP
under control, I enabled Netflow on the inbound interface (FE0/1) to see
what type of traffic could be causing this issue and this is when I noticed
the below:


Here is the output of the Netflow:

cisco_3600_one#show ip cache flow 
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
  2503952 ager polls, 0 flow alloc failures
  last clearing of statistics never
Protocol TotalFlows   Packets Bytes  Packets Active(Sec) Idle(Sec)
 Flows /Sec /Flow  /Pkt /Sec /Flow /Flow
TCP-Telnet  41  0.05040  0.0  31.3  14.4
TCP-FTP 87  0.0 765  0.0  17.0  12.1
TCP-FTPD27  0.0   135   211  0.0  83.0   3.5
TCP-WWW  43121  0.3 8   335  2.8   3.6   2.7
TCP-SMTP  1137  0.0 6   173  0.0   9.8   9.7
TCP-BGP  1  0.0   67368  0.01796.8   3.6
TCP-Frag 2  0.0 140  0.0   0.0  15.5
TCP-other33285  0.214   246  3.7  24.0  10.3
UDP-DNS   6005  0.0 173  0.0   1.3  15.4
UDP-NTP 10  0.0 176  0.0   0.0  15.4
UDP-other13772  0.1 678  0.7   1.2  15.5
ICMP  2904  0.0 372  0.0  19.1  15.4
IP-other 20559  0.1   14820 24.5   6.8  15.4
Total:  120951  0.93376 32.2   9.9   9.4





RE: 4500 Series Router [7:59806]

2002-12-26 Thread Mark W. Odette II
Jim, Based upon 12.1 IOS...

See CCO for docs on how to copy a replacement image onto the router..
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt2/fcd203.htm

You obviously have local access to the device, as assumed by the output
you have posted; from the console session, check the boot parameters
with a SHOW BOOTVAR.  If you are sure the flash memory is not damaged,
then I would format the flash, and then tftp a new copy of the IOS image
onto it.

See CCO for information on setting the boot variable.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121cgcr/fun_c/fcprt2/fcd205.htm#xtocid2

HTHs,
Mark

-Original Message-
From: Walker, James - Is [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 26, 2002 4:33 PM
To: [EMAIL PROTECTED]
Subject: 4500 Series Router [7:59806]

All,

Anyone know how to recover from a empty flash on a 4500 series router?

I'm getting the following message:

device does not contain a valid magic number
boot: cannot open bootflash:
an alternate boot helper program is not specified
(monitor variable BOOTLDR is not set)
and unable to determine first file in bootflash
loadprog: error - on file open
boot: cannot load cisco2-C4500

I combed the CCO, no luck.

TIA

Jim




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59814t=59806



ccbootcamp vs certzone labs [7:59815]

2002-12-26 Thread Vicuna, Mark
Hi All,

hope no one had to work too long during the xmas break..

Was hoping to get a non-biased opinion(s) on the ccbootcamp labs and
certificationzone labs.. was thinking of getting 1 of the 2.. but not
both! :-)

I know the ccbootcamp labs are quite beefy from what I remember a few
years ago, but I'm not sure about the certificationzone labs.  Any views
would be appreciated.


cheers,
Mark.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59815t=59815



IP Phone [7:59816]

2002-12-26 Thread Curious
Guy-
I have seen a phone that you plug into your telephone line anywhere in the
world (in my case Pakistan) and set up your ISP information in this
phone, and whenever you call to and from the USA to/from that phone it will
only cost you 5 c per min.
Is anyone familiar with it? What kind of phone is this, etc.?

thanks,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59816t=59816



Can cisco 2500 router support SSH? [7:59817]

2002-12-26 Thread Richard Campbell
Hi..  May I know whether Cisco 2500 router and Cisco 2900 IOS switch support 
secure shell (SSH) or not?  What is the requirement and where is the 
configuration guide?

Question2, Do you know what is the required configuration to reset the ip 
accounting information per day?


Thanks a lot









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59817t=59817



RE: Possible Attack???? [7:59813]

2002-12-26 Thread Priscilla Oppenheimer
Sending with a source address of 127.x.x.x is often used in IP spoofing. You
should try to find out which station is doing this. It could be compromised.
Of course, it will be hard to find, but if the packets haven't crossed a
router, the MAC address will have a clue. The first six bytes of the MAC
address are a vendor code. Of course, if all your equipment is from one
vendor, that doesn't help much!

The destination address of  108.122.0.0 is strange also. I looked it up in
the ARIN Whois database and it says it's part of a range reserved by IANA.
I'm not sure why it's reserved, but it seems like a suspicious address to use.

So, you're doing the right thing to filter out these packets. 

But you said the problem remained. The other thing I noticed that's strange
is probably unrelated to a possible attack.

Why are 75% of your packets in the 1-32 byte range? Those are illegal runt
frames on Ethernet. Could you have a duplex mismatch problem?? You should
check the output of show int Fa0/1.

Good luck!

Priscilla

[EMAIL PROTECTED] wrote:
 
 Hi all.  I was wondering if someone can share some light on a weird issue
 that I am seeing.  This perhaps may be an attack from an internal or
 infected host within the network or simply a malfunctioning NIC.
 Basically, I have a Cisco 3662 with 2 Satellite links.  I noticed that the
 main WAN link (1.544mb) was bursting outbound to sometimes 20mb.  I noticed
 a lot of output drops and the links started to flap and as a result BGP
 sessions started going down causing huge problems.  Once I was able to get
 the BGP under control, I enabled Netflow on the inbound interface (FE0/1)
 to see what type of traffic could be causing this issue and this is when I
 noticed the below:
 
 
 Here is the output of the Netflow:
 
 cisco_3600_one#show ip cache flow 
 IP packet size distribution (4096357 total packets):
    1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
    .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

     512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
    .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

 IP Flow Switching Cache, 278544 bytes
   978 active, 3118 inactive, 121929 added
   2503952 ager polls, 0 flow alloc failures
   last clearing of statistics never
 Protocol TotalFlows   Packets Bytes  Packets Active(Sec) Idle(Sec)
  Flows /Sec /Flow  /Pkt /Sec /Flow /Flow
 TCP-Telnet  41  0.05040  0.0  31.3  14.4
 TCP-FTP 87  0.0 765  0.0  17.0  12.1
 TCP-FTPD 27  0.0   135   211  0.0  83.0   3.5
 TCP-WWW  43121  0.3 8   335  2.8  3.6   2.7
 TCP-SMTP  1137  0.0 6   173  0.0  9.8   9.7
 TCP-BGP  1  0.0   67368  0.0  1796.8   3.6
 TCP-Frag 2  0.0 140  0.0  0.0  15.5
 TCP-other 33285  0.214   246  3.7  24.0  10.3
 UDP-DNS   6005  0.0 173  0.0  1.3  15.4
 UDP-NTP 10  0.0 176  0.0  0.0  15.4
 UDP-other 13772  0.1 678  0.7  1.2  15.5
 ICMP  2904  0.0 372  0.0  19.1  15.4
 IP-other 20559  0.1   14820 24.5  6.8  15.4
 Total:  120951  0.93376 32.2  9.9   9.4


 .
 .
 .
 SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
 Fa0/1 127.0.0.124 Se1/2.500 108.122.0.0 00  285
 Fa0/1 127.0.0.125 Se1/2.500 108.122.0.0 00  38
 Fa0/1 127.0.0.122 Se1/2.500 108.122.0.0 00  35
 Fa0/1 127.0.0.123 Se1/2.500 108.122.0.0 00  296
 Fa0/1 127.0.0.120 Se1/2.500 108.122.0.0 00  33
 Fa0/1 127.0.0.121 Se1/2.500 108.122.0.0 00  36
 Fa0/1 127.0.0.118 Se1/2.500 108.122.0.0 00  52
 Fa0/1 127.0.0.116 Se1/2.500 108.122.0.0 00  189
 Fa0/1 127.0.0.117 Se1/2.500 108.122.0.0 00  277
 Fa0/1 127.0.0.114 Se1/2.500 108.122.0.0 00  32
 Fa0/1 127.0.0.115 Se1/2.500 108.122.0.0 00  215
 Fa0/1 127.0.0.112 Se1/2.500 108.122.0.0 00  177
 Fa0/1 127.0.0.113 Se1/2.500 108.122.0.0 00  80
 Fa0/1 127.0.0.110 Se1/2.500 108.122.0.0 00  234
 Fa0/1 127.0.0.111 Se1/2.500 108.122.0.0 00  279
 Fa0/1 127.0.0.108 Se1/2.500 108.122.0.0 00  171
 Fa0/1 
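
An added example, not part of the original thread: one way to pull the impossible-source flows discussed in the reply above out of saved `show ip cache flow` rows and total them per ingress interface, which narrows down where the offending station is attached. The sample rows are constructed with clean columns, and the list of source ranges treated as invalid is this example's own choice.

```python
import ipaddress
from collections import defaultdict

# Assumption of this example: source ranges that should never be seen as a
# source address on a physical interface (this-network, loopback,
# multicast, reserved).
MARTIAN_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample rows, in the column order of the flow table:
# SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts
SAMPLE_FLOWS = """\
Fa0/1 127.0.0.1 Se1/2.500 108.122.0.0 00 0000 0000 285
Fa0/1 127.0.0.1 Se1/2.500 108.122.0.0 00 0000 0000 38
Fa0/1 192.168.10.2 Se1/2.500 10.114.0.13 06 0401 0015 120
Fa0/0 10.1.1.5 Se1/2.500 10.114.0.13 11 0035 0035 4
Fa0/1
"""

def parse_flows(text):
    """Yield (src_if, src_ip, dst_ip, pkts); rows that do not parse are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:          # truncated or wrapped row
            continue
        try:
            yield (fields[0], ipaddress.ip_address(fields[1]),
                   ipaddress.ip_address(fields[3]), int(fields[7]))
        except ValueError:            # not an IP address / not a plain count
            continue

def martian_report(text):
    """Return {(ingress interface, source address): total packets}."""
    totals = defaultdict(int)
    for src_if, src, _dst, pkts in parse_flows(text):
        if any(src in net for net in MARTIAN_SOURCES):
            totals[(src_if, str(src))] += pkts
    return dict(totals)

if __name__ == "__main__":
    for (src_if, src), pkts in sorted(martian_report(SAMPLE_FLOWS).items()):
        print(f"{src_if}: {pkts} packets claiming source {src}")
```
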

Re: Can cisco 2500 router support SSH? [7:59817]

2002-12-26 Thread Larry Letterman
No the 25xx series does not...we are changing out all our 2511 routers 
that we use for term servers
to 2621's that support the ios for ssh.

Richard Campbell wrote:

Hi..  May I know whether Cisco 2500 router and Cisco 2900 IOS switch
support
secure shell (SSH) or not?  What is the requirement and where is the 
configuration guide?

Question2, Do you know what is the required configuration to reset the ip 
accounting information per day?


Thanks a lot









Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59819t=59817



FR Low Latency Queuing (LLQ) [7:59820]

2002-12-26 Thread Ivan Yip
Hi,

I would like to configure QoS by using FR LLQ. I have the following network
test lab.

pc1 ---|
       |--- router1 --- FR network --- router --- FTP server
pc2 ---|

I want to test the LLQ feature, ie, fixed bandwidth allocated to certain
traffic.

I tested with the following steps
1. upload from pc2 to FTP server to make the FR PVC congested.
2. then upload from pc1 to FTP server
If no qos defined, the bandwidth will be roughly equally shared. 
(This was tested and OK)
3. Then I define the LLQ on router1 to guarantee the bandwidth from PC1 by
'bandwidth' or 'priority' and test ftp upload again.

Configuration is below:

class-map match-all 1
  match access-group 20

policy-map 1
  class 1
   bandwidth 80
   ! or: priority 80  (** define 80k to this policy)

interface Serial0/0
 bandwidth 128
 no ip address
 encapsulation frame-relay IETF
 load-interval 30
 no fair-queue
 frame-relay traffic-shaping
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 128
 ip address 10.114.0.14 255.255.255.252
 frame-relay interface-dlci 200
  class llq1

map-class frame-relay llq1
 frame-relay traffic-rate 128000 128000
 no frame-relay adaptive-shaping
 frame-relay cir 128000
 frame-relay bc 1280
 frame-relay be 0
 frame-relay mincir 128000
 service-policy output 1

! 192.168.10.2 is the ip address of pc1
access-list 20 permit 192.168.10.2

However, when I use 'bandwidth 80', I found the average throughput from pc1
will be around 80k but the traffic rate varies from time to time
(sometimes 100k and sometimes 50k). Why?

Even worse, if I use 'priority 80', the traffic from pc1 can only have
average around 30k during link congestion. Why?

Also, the ping delay from pc1 to router2 and pc2 to router2 are almost equal
(either bandwidth or priority). I expected that the ping from pc1 will get
better response as the bandwidth was guaranteed.

Can anyone give me some hints on the above questions?
 
Thanks in advance.

rgds,
ivan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59820t=59820



Re: Finally CCNP! [7:59706]

2002-12-26 Thread John Jones
Hey John--

Are you trying for CCIE? I live in Austin as well.

Congrats on CCNP...

John Jones, CCNP, RHCE


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59821t=59706



Off Topic - Please don't do stuff like this on a n [7:59822]

2002-12-26 Thread The Long and Winding Road
You wrote:

I'm protecting myself from receiving junk mail.
Just this once, click the link below so I can receive your emails. You won't
have to do this again. http://spamarrest.com/a?66189601:223666

You are receiving this message in response to your email to ... a Spam
Arrest customer.

Spam Arrest requests that senders verify themselves before their email is
delivered.

When you click the above link, you will be taken to a page with a graphic on
it. Simply read the word in the graphic, type it into the form, and you're
verified.

You will only need to do this once per Spam Arrest customer.

--

not to be a jerk about this, but all I'm doing is posting to a news list. if
you want to subscribe to a newslist, why do you think it incumbent upon all
of us to accommodate you? Don't want spam on your regular e-mail account?
use a yahoo account. they seem to be very good about blocking spam.

yes it would have been simpler for me to click on the link. but then, that
would mean I let you dictate to me the terms under which I use this list.
You are not the list owner.

Look, it is of little matter to me if you read my posts. OTOH, it DOES
matter to me that I get these notifications from you. so stop it.

BTW, since opening this particular e-mail account a few months ago, I have
yet to get a spam identified as sourced from groupstudy. I have plenty which
I have good reason to believe have been sourced from my domain registration
public information.


--
TANSTAAFL
there ain't no such thing as a free lunch




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59822t=59822