Re: UDP port 1434 [7:61891]
Chuck,

If I'm the Ken you're talking about and I actually said that, then I must really need a nap. :-)

We're a university, where Microsoft rules. :-( I'd like to tell you how many MS-SQL servers we have, but I don't have a clue. There are probably some running in the dorms. We have entire labs where this stuff is installed so they can teach it. I'd like to tell you how many machines have the MSDE installed, but again I don't have a clue. Did I mention dorms?

Changing the way the campus conducts network business is a difficult task. I'm doing a lot of educating - to the campus technicians. By this time next year, I hope to say we have 75% of the campus firewalled. While that may sound easy, it may be wishful thinking. Although... this worm might really make a difference in my timeline. :-)

BTW, by now, one of my access-lists has probably broken the billion mark for blocking UDP 1434. That's only internal traffic.

A question I have: Is anyone learning anything from my rambling? If not, I'll happily take questions and suggestions ranging from "how did you do X" to "why don't you take that nap".

Ken

The Long and Winding Road 01/27/03 09:18PM
[snip]
In an earlier message, Ken spoke about his own network, where there are few if any Microsoft SQL servers. Yet their internet links were saturated because of the attacks, and internal network replies.
[snip]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62013t=61891
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
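Ken's access-list counter says how much UDP 1434 traffic is being dropped, but not which internal hosts are generating it. The following Python script is an added example, not Ken's configuration or anything from the list; it assumes the deny entry carries the IOS "log" keyword (which makes the router emit %SEC-6-IPACCESSLOGP syslog lines) and that those lines are collected on a syslog host. The sample log lines, addresses and the list number 101 are constructed for the demo. It ranks sources by how many distinct destinations they hit on UDP 1434, which is the fan-out pattern of an infected host rather than of one misconfigured client.

```python
# Added example (not from the mailing-list thread): find internal hosts that
# are spraying UDP 1434 at many destinations, from IOS ACL log messages.
# Assumes the blocking ACL entry has the "log" keyword so IOS emits
# %SEC-6-IPACCESSLOGP lines; all sample lines below are constructed.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed syslog excerpt: one host (10.20.3.44) hits four different
# destinations on 1434; 10.20.7.9 hits one; other lines are unrelated noise.
SAMPLE_LOG = """\
Jan 27 22:14:03.117: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.3.44(1075) -> 172.16.9.12(1434), 1 packet
Jan 27 22:14:09.004: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.7.9(1133) -> 172.16.9.12(1434), 3 packets
Jan 27 22:18:33.201: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.3.44(1075) -> 10.0.55.1(1434), 412 packets
Jan 27 22:18:41.880: %SEC-6-IPACCESSLOGP: list 101 permitted udp 10.20.3.44(1076) -> 10.0.0.53(53), 2 packets
Jan 27 22:19:02.310: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.20.8.2(2040) -> 172.16.9.12(1433), 5 packets
Jan 27 22:23:15.532: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.3.44(1075) -> 192.168.40.200(1434), 77 packets
Jan 27 22:23:40.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.3.44(1075) -> 172.16.200.7(1434), 9 packets
"""


def parse_acl_log(lines: Iterable[str]) -> List[dict]:
    """Return one dict per ACL log line; lines that are not ACL logs are skipped."""
    records = []
    for line in lines:
        m = ACL_LOG.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def suspect_scanners(lines: Iterable[str], port: str = "1434",
                     min_targets: int = 3) -> List[Tuple[str, int, int]]:
    """Sources whose denied UDP traffic to `port` reached at least `min_targets`
    distinct destinations. Returns [(src, distinct_destinations, total_packets)],
    most fan-out first."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    packets: Dict[str, int] = defaultdict(int)
    for rec in parse_acl_log(lines):
        if rec["action"] != "denied" or rec["proto"] != "udp" or rec["dport"] != port:
            continue
        targets[rec["src"]].add(rec["dst"])
        packets[rec["src"]] += rec["count"]
    out = [(src, len(dsts), packets[src])
           for src, dsts in targets.items() if len(dsts) >= min_targets]
    return sorted(out, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    for src, fanout, total in suspect_scanners(SAMPLE_LOG.splitlines()):
        print(f"{src:16s} {fanout:3d} destinations {total:6d} packets")
```

Two caveats for anyone running this against real routers: IOS rate-limits ACL logging and reports a summary count every few minutes after the first packet, so the packet totals are a lower bound, and the "log" keyword itself costs CPU on a busy router, so it belongs on the deny entry for 1434 only, not on every line of the list.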
Re: why I can't assign an ip address to virtual-TokenR [7:62014]
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-D-L), Version 12.0(21), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2001 by cisco Systems, Inc.
Compiled Mon 31-Dec-01 18:25 by nmasa
Image text-base: 0x03038AE4, data-base: 0x1000

ROM: System Bootstrap, Version 4.14(9.1), SOFTWARE

RouterA uptime is 7 hours, 43 minutes
System restarted by reload
System image file is flash:c2500-d-l.120-21.bin

cisco 2509 (68030) processor (revision B) with 16384K/2048K bytes of memory.
Processor board ID 46526614, with hardware revision
Bridging software.
X.25 software, Version 3.0.0.
1 Ethernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Configuration register is 0x2102

RouterA#sh ru
Building configuration...
!
interface Virtual-TokenRing22
 ip address 1.1.1.1 255.255.255.0
 no ip directed-broadcast
 ring-speed 16
!
.

soft map wrote in the news message [EMAIL PROTECTED]:

Hi. I am running a test now. The test router is a Cisco 2611XM, and I upgraded the IOS. But why can't I assign an IP address to Virtual-TokenRing 0?

test(config)#inter virtual-TokenRing 0
test(config-if)#ip add
test(config-if)#ip address 17
17:46:26: %LINK-3-UPDOWN: Interface Virtual-TokenRing0, changed state to up
17:46:27: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-TokenRing0, changed state to up
test(config-if)#ip address 192.168.1.1 255.255.255.0
% IP addresses may not be configured on a Virtual-TokenRing interface.
test(config-if)#

BTW, the show version is as below.

test#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-DO3S-M), Version 12.1(14), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Mon 25-Mar-02 23:18 by kellythw
Image text-base: 0x80008088, data-base: 0x80E4DE34

ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)

test uptime is 17 hours, 49 minutes
System returned to ROM by power-on
System image file is flash:c2600-do3s-mz.121-14.bin

cisco 2611XM (MPC860) processor (revision 0x100) with 29696K/3072K bytes of memory.
Processor board ID xxx
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

thx.
softmap

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62014t=62014
mesg on Acces Switch 3548 [7:62015]
Hi Buddy,

In my network I have a 3548 access switch. Today I saw in show running-config that the following message is coming, and that particular command was not given by anybody:

no spanning-tree vl vl number

Right now this message is for only 5 VLANs, and I have 20 VLANs in my network.

Thanks,
Regards,
Milind Tare

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62015t=62015
RE: Internet Access Through Cisco VPN Concentrator? [7:61999]
I would check to see what your security policy is first before turning on split tunneling. If a client's laptop or machine is compromised, then the violator could possibly have access to your network at that point. Though this is not the correct technical term, I see split tunneling as a dual-homed PC, sort of, and we all know how much of a security nightmare that could be.

-----Original Message-----
From: Joseph Brunner [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 7:03 PM
To: [EMAIL PROTECTED]
Subject: RE: Internet Access Through Cisco VPN Concentrator? [7:61999]

Yes. Do it all the time. I also use it as a remote office router for other clients on the LAN behind the 3005. It has great built-in NAT functionality (PAT REALLY!). Along with filter lists for security, you're set. But for clients, just enable split tunneling. Let them get to the internet directly. Saves you bandwidth and overhead.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62016t=61999
RE: must I have aaa server to configure SSH on PIX? [7:62008]
Configure the aaa, but use local login. You do need the aaa configuration for SSH to work.

Doug

-----Original Message-----
From: Richard Campbell [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 12:07 AM
To: [EMAIL PROTECTED]
Subject: must I have aaa server to configure SSH on PIX? [7:62008]

Hi..

I want to configure SSH on a PIX 515 which has DES enabled. I saw the configuration as follows. But the problem is I don't have an aaa server in my network. Can I still implement SSH without an aaa server? I configured it without the aaa command lines, but it doesn't work. How should I do it? Thanks a lot..!!

pix#conf t
pix(config)#
pix(config)#domain domain_name
pix(config)#ca generate rsa key 1024
pix(config)# ca save all
pix(config)# ssh ip_address subnet_mask interface
pix(config)# aaa-server RadiusServer_name (inside) host ip_address MySecure   --aaa
pix(config)# aaa-server RadiusServer_name protocol radius   ---aaa
pix(config)# aaa authenticate ssh console RadiusServer_name   ---aaa
Pix(config)# exit

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62017t=62008
640-100 MCNS Practice Tests [7:62018]
Hi Everybody,

I'm almost finished reading Managing Cisco Network Security by Michael Wenstrom. I plan to take the 640-100 exam soon. Can anyone recommend some quality practice tests? Also, has anyone taken the new 640-100 exam?

Thank you in advance.

Joseph R. Taylor
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62018t=62018
Re: 640-100 MCNS Practice Tests [7:62018]
Passed yesterday, 902/1000. Preparation mostly based on the IOS 12.2 security guides, and I also looked through the Wenstrom book too.

To: Joseph R. Taylor [EMAIL PROTECTED]
Cc: (bcc: Sergey S Ilyasov/SALES/MARVEL)
Subject: 640-100 MCNS Practice Tests [7:62018]
28.01.2003 15:54

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62019t=62018
6509-6513 power-supplies [7:62020]
Guys, can you please help? We have this setup at the moment and we wish to upgrade to 6513s (these are server farm switches and we need more ports basically). What I want to know is: if I use the PSUs from the 6509s (see below), will they work OK in the current config, i.e. redundant mode on the 6513, which will be fully loaded (with 11 48-port cards + 2 sups)? Any help??

Cheers guv
steve

6509_3 sh sys
PS1-Status PS2-Status Fan-Status Temp-Alarm Sys-Status Uptime d,h:m:s  Logout
---------- ---------- ---------- ---------- ---------- --------------- ------
ok         ok         ok         off        ok         131,15:36:18    20 min

PS1-Type     PS2-Type     Modem   Baud  Traffic Peak Peak-Time
------------ ------------ ------- ----- ------- ---- -------------------------
WS-CAC-1300W WS-CAC-1300W disable 9600  1%      8%   Mon Jan 27 2003, 23:16:45

PS1 Capacity: 27.46 Amps
PS2 Capacity: 27.46 Amps
PS Configuration : PS1 and PS2 in Redundant Configuration.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62020t=62020
Question for Sergey [7:62021]
Good Morning Sergey,

Congrats on passing the exam. Was it the new Flash type exam where you actually enter commands? Also, what study reference did you use for the IOS 12.2 Security Guides? Someone in here asked me what passing score is required for this exam.

Thank you,
JoeT

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62021t=62021
RE: 6509-6513 power-supplies [7:62020]
Do a "show environment all". That will show you the current load on the power supplies; then you can decide.

Andrew

-----Original Message-----
From: steve [mailto:[EMAIL PROTECTED]]
Sent: 28 January 2003 15:57
To: [EMAIL PROTECTED]
Subject: 6509-6513 power-supplies [7:62020]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62022t=62020
Traceroute troubles [7:61247]---------- Thank You. [7:62023]
I am sorry I am late in getting back to you. You have answered my question precisely; you just cleared all the doubts I had. I do not think we can get any better explanation than this. Thank you very much.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 20, 2003 2:53 PM
To: [EMAIL PROTECTED]
Subject: RE: Traceroute troubles [7:61247]

Your question isn't clear. Maybe you could start over in a new thread and explain your question clearly, if the following info doesn't help. Once a thread gets this old, a lot of people ignore it. ;-)

However, I think I understand your confusion. You are worried because Cisco and UNIX use a UDP message for trace route. So how could disabling the rate limiting of ICMP fix the problem where trace route seems to fail every so often?

Yes, they send a UDP packet, but they depend on routers returning an ICMP Time-To-Live Exceeded message (ICMP type 11, code 0). If ICMP rate limiting is enabled on those routers, they won't send the message every time, making it appear as if trace route fails sometimes.

Here's how it works, from my book Troubleshooting Campus Networks, that everyone should get, especially if you are studying for the Support test for CCNP. It covers all topics for that test. Hey, my publisher won't do any marketing for me. I'll have to do it myself. Hope that's OK, if I keep it to a minimum. :-) Anyway, here's the info. (There are more details in the book.)

Trace-route displays the sequence of hops a packet traverses to get from a source to a destination. The results provided by trace-route are a measurement of the round-trip time to each router in the path to a destination and also a measurement of the round-trip time to the actual destination. The timing measurements account for processing time at the recipients in addition to propagation delay. Trace-route can be used as a rough estimate of delays on a network. It is most useful, however, as a method for determining the path to a remote destination.

With UNIX and Cisco IOS operating systems, an IP trace-route packet is a User Datagram Protocol (UDP) probe sent to a high UDP port number, usually in the 33,000 to 43,000 range. Trace-route works by taking advantage of the ICMP error message a router generates when a packet exceeds its time-to-live (TTL) value. TTL is a field in the IP header of an IP packet.

Trace-route starts by sending a UDP probe packet with a TTL of 1. This causes the first router in the path to discard the probe and send back a TTL exceeded message. One of the first things a router does when forwarding IP packets is decrement the TTL (which is essentially a hop count value). If the decrement causes the TTL to reach 0, then the packet is dead (discarded) and a TTL exceeded message is sent.

The trace-route command sends several probes, increasing the TTL by 1 after sending three packets at each TTL value. For example, trace-route sends three packets with TTL equal to 1, then three packets with TTL equal to 2, then three packets with TTL equal to 3, and so on, until the destination host is reached or a configured maximum number of tries (usually 30) is reached. Each router in the path decrements the TTL. The router that decrements the TTL to 0 sends back the TTL exceeded message. The final destination host sends back a port unreachable ICMP message, because the high UDP port number is not a well-known port number. This process allows a user to see a message from every router in the path to the destination, and a message from the destination.

The trace-route facility in Microsoft operating systems sends a ping (ICMP echo) rather than a UDP packet. The trace-route command makes use of the IP TTL feature and router behavior with respect to TTL, but the packet is an ICMP echo instead of a UDP probe. The only real difference is that when the message reaches the final destination, the destination normally responds to the ping, rather than sending a port unreachable message.

Hope that helps!?

___
Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

Kumar, N K. Satish, NSPM wrote:

Guys, has anybody figured this out? I seem to go nowhere thinking about this. Your help is appreciated as I am losing sleep.

Thanks

-----Original Message-----
From: Kumar, N K. Satish, NSPM
Sent: Saturday, January 18, 2003 8:36 PM
To: [EMAIL PROTECTED]
Subject: RE: Traceroute troubles [7:61247]

I agree this works, but still that doesn't answer one thing: Cisco and unix boxes where this trouble is seen don't use ICMP but use a UDP port for the trace output, then how come this is the fix!

Thanks

-----Original Message-----
From: William Pearch [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 17, 2003 1:13 AM
To: [EMAIL PROTECTED]
Subject: RE: Traceroute troubles [7:61247]

Solved my own problem - see CSCdu43762 on the CCO.
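The mechanism Priscilla describes (UDP probes with increasing TTL, routers answering with ICMP type 11 code 0, the destination answering with port unreachable, and a router that rate-limits its ICMP errors showing up as missing responses) can be shown end to end without touching a real network. The following Python simulation is an added example, not code from the thread or from her book; the path, the addresses and the per-round ICMP budget on the second router are constructed, and it also models the Windows-style ICMP echo probe she contrasts at the end.

```python
# Added example (not from the thread): a simulation of UDP-probe traceroute,
# showing why ICMP rate limiting on a router makes hops fail intermittently.
# Addresses and the rate-limit policy are constructed for the demo.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

TIME_EXCEEDED = (11, 0)      # ICMP type 11, code 0: TTL exceeded in transit
PORT_UNREACHABLE = (3, 3)    # ICMP type 3, code 3: UDP high port is not open
ECHO_REPLY = (0, 0)          # ICMP echo reply (Windows-style ICMP probes)


@dataclass
class Router:
    address: str
    # Constructed rate limit: at most this many ICMP errors per TTL round
    # (None = unlimited). Real routers limit per time interval; a round of
    # three back-to-back probes is the unit that matters for this demo.
    icmp_budget: Optional[int] = None
    sent_this_round: int = field(default=0, init=False)

    def new_round(self) -> None:
        self.sent_this_round = 0

    def forward(self, ttl: int) -> Tuple[int, Optional[Tuple[int, int]]]:
        """Decrement TTL; if it reaches 0 drop the probe and maybe send ICMP."""
        ttl -= 1
        if ttl > 0:
            return ttl, None
        if self.icmp_budget is not None and self.sent_this_round >= self.icmp_budget:
            return 0, None          # probe dropped silently: rate limit hit
        self.sent_this_round += 1
        return 0, TIME_EXCEEDED


@dataclass
class Path:
    routers: List[Router]
    destination: str

    def send_probe(self, ttl: int, probe: str) -> Tuple[Optional[str], Optional[Tuple[int, int]]]:
        """One probe with the given TTL; returns (responder, ICMP) or (None, None)."""
        for router in self.routers:
            ttl, icmp = router.forward(ttl)
            if ttl == 0:
                return (router.address, icmp) if icmp else (None, None)
        # Probe reached the host: UDP to a high port draws Port Unreachable,
        # an ICMP echo draws an Echo Reply.
        return self.destination, (ECHO_REPLY if probe == "icmp" else PORT_UNREACHABLE)


def traceroute(path: Path, probe: str = "udp", probes_per_hop: int = 3,
               max_hops: int = 30) -> List[Tuple[int, List[str]]]:
    """Return [(ttl, [responder or '*' per probe]), ...] up to the destination."""
    hops = []
    for ttl in range(1, max_hops + 1):
        for router in path.routers:
            router.new_round()
        responders, reached = [], False
        for _ in range(probes_per_hop):
            who, icmp = path.send_probe(ttl, probe)
            responders.append(who or "*")
            if icmp in (PORT_UNREACHABLE, ECHO_REPLY):
                reached = True
        hops.append((ttl, responders))
        if reached:
            break
    return hops


def build_demo_path() -> Path:
    """Constructed two-router path; the second router rate-limits ICMP to 1 per round."""
    return Path([Router("10.0.0.1"), Router("10.0.0.2", icmp_budget=1)], "192.0.2.10")


if __name__ == "__main__":
    for ttl, responders in traceroute(build_demo_path()):
        print(f"{ttl:2d}  " + "  ".join(responders))
```

Run as-is it prints hop 2 as "10.0.0.2  *  *": the router is in the path and forwarding fine, but only its first Time Exceeded of each round gets out, which is exactly the "trace route fails sometimes" symptom. Setting icmp_budget=None on that router makes all three probes answer.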
Static overlaps error??????? [7:62024]
I have a mail server that handles email for 2 domains. I am trying to map 2 global addresses to 1 internal server. I am receiving the following error:

ERROR: static overlaps with /25 to /25

What is the command to fix this?

Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62024t=62024
Study groups in Palm Beach/Martin County area [7:62025]
Are there any study groups for CISSP / CCSP in my area? Palm Beach or Martin County, Florida areas.. I'm looking at the Pix Firewall test first...

Thanks in advance..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62025t=62025
RE: Static overlaps error??????? [7:62024]
It might help to send the snip of your router configuration.

Marko.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 28 January 2003 14:55
To: [EMAIL PROTECTED]
Subject: Static overlaps error??? [7:62024]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62026t=62024
ACL memory space [7:62028]
Is there a way to devote separate memory space for ACLs? I just opened a TAC case, but I'm still having problems with my lists getting dropped. I've even gone so far as to delete all the entries and re-enter only a couple.

Scenario: I shell into the router and add one additional host to access-list 1. As soon as I hit enter, all the ACEs from list one disappear. It's gotten to the point where the ACL allowing access to the router disappeared. This is driving me crazy. I'm thinking it's a bad image.?.?.?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62028t=62028
RE: Too much Security Overkill on wireless network??? [7:62010]
I'm testing this very scenario at the moment. Just force the use of EAP and turn off Open and Shared authentication. I would probably pick (LEAP/PEAP + (BKR or TKIP)) or IPSEC. Although the IPSEC-only route wouldn't afford you the ability to deny surfing from the DMZ. EAP locks down the network access except for authenticated users. IPSEC might be overkill on top of PEAP. You could use PEAP to protect unicast transmissions and Broadcast Key Rotation to protect multicast/broadcast traffic. The broadcast key is securely transmitted to the client during the EAP authentication process. I will be forced to use LEAP instead of PEAP at the moment because of some CE devices, but the process is exactly the same, except PEAP is slightly more secure.

Can someone, Mas, please let me know if I need to enter a WEP transmission key when using EAP and Broadcast Key Rotation? I know I need to turn WEP on, but I think I can just leave out the key and specify the length. Is this right? The documentation isn't very clear.

-----Original Message-----
From: 910T [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 11:53 PM
To: [EMAIL PROTECTED]
Subject: Re: Too much Security Overkill on wireless network??? [7:62010]

Eric,

Sorry to pile it on, but the error correction in an 802.11 wireless radio transmission also takes up almost half the throughput right off the bat (11 Mbit/s becomes about 6.5 Mbit/s net, best case).

Perhaps SSH, SSL and EAP/WEP are superfluous when used with IPSec, but I would imagine that you need SSH and SSL to support users coming in from the outside, or perhaps as an additional level of protection for individual users of sensitive applications from those with general network access (most attacks come from within...).

Typically, WEP is done in hardware, so theoretically, there shouldn't be any overhead if that is the case. But if you want to eliminate it, why not force the use of EAP for wireless admission control but leave WEP off? (I think you can either not enter a key at all or enter one and then select 'No Encryption'.)

Regards,
Mas Kato
https://ecardfile.com/id/mkato

----- Original Message -----
From: eric nguyen
To: ;
Sent: Thursday, January 23, 2003 8:51 AM
Subject: Too much Security Overkill on wireless network???

Hi,

I have been assigned the task of setting up a wireless network for my company and I am wondering whether I use too much security for the wireless. Currently, I am setting up a test wireless network for about 5 users. Eventually, this network will have about 50 users. My setup is as follows:

1) The wireless network is sitting on the DMZ network. This DMZ network hangs off an interface of a PIX firewall (Pix-525). Wireless users are required to use Protected Extensible Authentication Protocol (PEAP) in order to log onto the wireless DMZ network.

2) In order to access the company internal network, which hangs off the inside interface of the PIX firewall, wireless users must use the Cisco VPN Client (IPSec) to establish a secure VPN tunnel between their device and the PIX firewall.

3) After successfully establishing the VPN tunnel between the wireless device and the PIX firewall, wireless users can only access the company internal network applications via SSL, SSH, POP3s and IMAPs. I have a few users that tunnel X applications via SSH connections. Applications such as POP3, telnet and IMAP are not allowed from the DMZ network into the company internal network.

So far the test is going well. However, my concern is that this will not scale well for a large number of wireless users. For example, let's say for an SSH connection, the traffic is encrypted by SSH. Below that, it is encrypted via IPSec. Finally, it is encrypted by PEAP. I've not done any analysis yet, but it is possible that 50% of the traffic is just overhead traffic for encryption.

Has anyone successfully implemented a secure wireless network on a large scale? I would like to get your advice on this. I have to present a recommendation to my CTO in the next few days.

By the way, my company did hire a CCIE security consultant to work with me on this project; however, this CCIE security is a f_cking moron. Not only does he not know anything about PEAP, but he even suggested that we use Cisco LEAP because LEAP is much more secure than PEAP. After he couldn't get PEAP to work, the SOB suggested that we switch to Cisco LEAP. When we didn't want to use Cisco LEAP, he suggested that we just use shared (aka STATIC WEP) authentication because we are using IPSec and secure applications to access the company internal network anyway. The problem with this idea is that once wireless users are on the DMZ wireless network, they can surf the Internet without restrictions. I don't want strangers (if they get a hold of the STATIC WEP KEY) to use my company bandwidth to use the Internet. I want PEAP because it is safe and secure. I am also testing EAP-TTLS but haven't had much luck with it. I am sure
Richard A. Deal Books [7:62027]
Hi Everyone,

I'm interested in knowing how good Richard A. Deal's books are. Especially in reference to MCNS.

Thank you in advance.

Joseph R. Taylor
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62027t=62027
Re: Richard A. Deal Books [7:62027]
His PIX firewall book is OK. It does have a lot of errors in it though. Hope his other books have proofreaders.

Joseph R. Taylor wrote in message news:[EMAIL PROTECTED]...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62030t=62027
Re: must I have aaa server to configure SSH on PIX? [7:62008]
Do this on the Pix, in configuration mode:

hostname
domain
ca zeroize rsa
ca generate rsa key 1024
ca save all
ssh 209.100.11.0 255.255.255.0 outside
ssh 0.0.0.0 0.0.0.0 inside
passwd
enable password
write mem

Now when you SSH into the Pix, SSH version 1 only, the username will be pix and the password will be the password in the passwd. If you use ssh from a linux machine, make sure you do this:

ssh -c des -l pix

Enjoy

Richard Campbell wrote:

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62032t=62008
Re: ACL memory space [7:62028]
What router and image is this happening on?

John

[EMAIL PROTECTED] 1/28/03 8:47:57 AM

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62033t=62028
RE: Richard A. Deal Books [7:62027]
Ask him yourself, he contributes to this group ;-)

Rich's books are quite good. He clearly expresses his points and doesn't get lost in non-relevant idioms.

Will Gragido CISSP CCNP CIPTSS CCDA MCP
9450 W. Bryn Mawr Ave. Suite 325
Rosemont, Il 60018
www.ins.com
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Joseph R. Taylor
Sent: Tuesday, January 28, 2003 9:43 AM
To: [EMAIL PROTECTED]
Subject: Richard A. Deal Books [7:62027]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62034t=62027
RE: ACL memory space [7:62028]
The router is a 3640. I'm using the following image: c3640-ik9o3s-mz.122-11T

-----Original Message-----
From: John Neiberger [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 10:27 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: ACL memory space [7:62028]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62035t=62028
RE: Richard A. Deal Books [7:62027]
I think his PIX book is very good. I've not found many errors in it, but then maybe I've not looked at it in as much depth as you have.

If I have a gripe about it, it's for one thing. I use it as a desktop reference. Sometimes I'm looking up how to accomplish X and find out that before I can do that I need to accomplish A, B and/or C. The instructions will simply say "That process was covered earlier and won't be repeated here. Now to accomplish X." Earlier? Where EXACTLY? I've spent more time looking for "earlier" sometimes than I do accomplishing the task at hand. "Earlier in this chapter under the blah heading" or "this was covered in the chapter on blah blah" would be helpful.

As far as the info in the book goes, I've found stuff in there that I can't find at CCO (it may be there but I can't find it) or anywhere other than maybe from a tech in a TAC call. Either that or I've had to look for it in a dozen different places and now it's all together in one book. It's the best book I've found on using a PIX. Beats the Cisco Press book on the PIX by a long shot. Don't know about any others he's written.

IMHO.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Sneed
Sent: Tuesday, January 28, 2003 9:57 AM
To: [EMAIL PROTECTED]
Subject: Re: Richard A. Deal Books [7:62027]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62036t=62027
RE: ACL memory space [7:62028]
Hmm, you must have some freakin' long ACLs! :-) Still, that's pretty strange behavior. I don't know if the feature is available on that platform, but you might try using access-list compiled to allow the router to process them more efficiently. I doubt that would even help this problem, though. If you're truly running out of config space, try using service compress-config to free up some room. It sounds like you may be running into a 'feature' that TAC might be able to help with. John [EMAIL PROTECTED] 1/28/03 9:37:22 AM The router is a 3640. I'm using the following image: c3640-ik9o3s-mz.122-11T -Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 10:27 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: ACL memory space [7:62028] What router and image is this happening on? John [EMAIL PROTECTED] 1/28/03 8:47:57 AM Is there a way to devote separate memory space for ACLs? I just opened a TAC case, but I'm still having problems with my lists getting dropped; I've even gone so far as to delete all the entries and re-enter only a couple. Scenario: I shell into the router, add one additional host to access-list 1. As soon as I hit enter, all the ACLs from list one disappear. It's gotten to the point where the ACL allowing access to the router disappeared. This is driving me crazy. I'm thinking it's a bad image? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62037t=62028
CCNP Recertification [7:62038]
Team, When you take the recert exam for your CCNP do you have to take it before your cert expires? If your cert expires before you take that test then does that mean you need to retake all 4 exams again? Travis Bolton Web Media CCNP,CCDA Try not to become a man of success, but rather try to become a man of value. - Albert Einstein Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62038t=62038
OT: Reversed IP addresses (Strange) [7:62039]
This problem is thoroughly baking my noodle, so I thought I'd post it here. It involves some hardware and software I wouldn't normally be involved in, but they've come to me for help. We have Novell Migration Agent running on a bunch of servers in our network. The MA is in constant communication with several other servers. Just this morning, the destination IP addresses of MA-generated packets started being reversed. For example, when a server is trying to reach 10.20.30.40, the destination is being rewritten as 40.30.20.10 before it goes out onto the wire. Have any of you seen anything like this? No one here has, and we're not really sure how to proceed. It appears to be a problem with Novell Migration Agent, but it's an awfully strange problem. Any ideas? Thanks, John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62039t=62039
RE: RADIUS command accounting [7:61990]
Windows 2000 IAS works fine. Free when you already bought the product ;-) http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml aaa-server RADIUS protocol radius aaa-server partnerauth protocol radius aaa-server partnerauth (inside) host 172.18.124.196 cisco123 timeout 5 Martijn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Newton Sent: Monday, 27 January 2003 23:07 To: [EMAIL PROTECTED] Subject: RADIUS command accounting [7:61990] I know that for the longest time Cisco didn't support AAA accounting of commands to be sent to a RADIUS server. It was supported via TACACS+ but not RADIUS. I have seen recently that this has changed (in O'Reilly's book on hardening routers and in a couple of different lists). Does anyone have any information on this? Is it true? What is the minimum version of IOS (I have heard 12.2)? Do you need a specific RADIUS server? I know that moving to TACACS+ would fix my problem, but staying with RADIUS would be preferable. TIA Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61991t=61990
Re: lab date --- 10/15/2003 [7:62000]
Pretty much, the command and config guides on CCO. You will be pretty much set. Read up on how to configure strange topics like DLSW+, Mobile IP, WCCP, etc. I have been reading these guides for a couple of months now, and I am still reading. Obviously, you need to be practicing pretty much each and every example in the Tech Tips section and in these guides. Along with this, you will have to read the Halabi book inside out, PSV I by Solie, Doyle Vol. I (II), and the great Caslow 'bible'. Once you finish this, if you have the 'dough', do the CCBootcamp Labs, IPexpert Labs (have heard you cannot live without these 2 labs) and ALL the freebie labs that are out there: fatkid.com, sitamoht.com, bradshawlabs.com. There is also a very good lab at cyscoexpert.com and the guys out there rock!! And if you still have the 'dough', take the one week class from the Cyscoexpert guys or with the guru himself, Bruce Caslow. This should make you Golden!! Good Luck. From: nettable_walker Reply-To: nettable_walker To: [EMAIL PROTECTED] Subject: lab date --- 10/15/2003 [7:62000] Date: Mon, 27 Jan 2003 23:52:57 GMT 1/27/2003 5:55pm Monday Has anyone been to the CCIE R/S lab recently who might want to offer some general suggestions on what to study (besides the obvious BGP, ISIS)? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62031t=62000
RE: NT4.0 password crack tool [7:61807]
That's already been said (in fact, it was mentioned earlier in this thread and was included below), but that can take time to run ... the only reason I brought up LinNT (aside from just suggesting an alternative) is because it takes 10 minutes, counting the time for two server reboots :). Thanks! TJ -Original Message- From: William [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 27, 2003 5:32 PM To: 'Evans, TJ (BearingPoint)'; [EMAIL PROTECTED] Subject: RE: NT4.0 password crack tool [7:61807] One word: L0phtCrack Will Gragido CISSP CCNP CIPTSS CCDA MCP -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Evans, TJ (BearingPoint) Sent: Monday, January 27, 2003 3:58 PM To: [EMAIL PROTECTED] Subject: RE: NT4.0 password crack tool [7:61807] Why not use LinNT? ... boot off of a Linux floppy, reset the admin password and boot up with the new password. Since you are (presumably) not trying to be sneaky _and_ you have direct access to the machine, changing the PW should not be a problem, yes? Oh - and it is free, and works with WinNT4 - WinXP. Thanks! TJ -Original Message- From: Arnold, Jamie [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 25, 2003 2:54 PM To: [EMAIL PROTECTED] Subject: RE: NT4.0 password crack tool [7:61807] Why do a command line? Just rename User Manager to logon.scr and reboot (you'll need NTFSDOS Pro) and in 15 minutes you get User Manager with root perms. "Imagination is more important than knowledge" - Albert Einstein -Original Message- From: Juntao [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 4:50 PM To: [EMAIL PROTECTED] Subject: Re: NT4.0 password crack tool [7:61807] You're talking about NT4 login passwords, the SAM database? L0phtCrack works, it takes a long time though. Sysinternals has tools to log in to the box and change things. You can also rename cmd.exe to the default screen saver name; the command line will pop up after a while, after reboot, and you can change the password with the net user command. If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains. And there are of course a lot of other things that can be done, depending on your situation. Hope the above helps. Regards Kazan, Naim wrote in message news:[EMAIL PROTECTED] I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated. Naim Kazan FISC-SDS WORK: 201-915-7347 HOME: 973-492-1466 CELL: 917-559-0591 EMAIL: [EMAIL PROTECTED] PAGER: 800-759-8352 Pin 1145361 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61996t=61807
RE: NT4.0 password crack tool [7:61807]
One word: L0phtCrack Will Gragido CISSP CCNP CIPTSS CCDA MCP 9450 W. Bryn Mawr Ave. Suite 325 Rosemont, IL 60018 www.ins.com [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Evans, TJ (BearingPoint) Sent: Monday, January 27, 2003 3:58 PM To: [EMAIL PROTECTED] Subject: RE: NT4.0 password crack tool [7:61807] Why not use LinNT? ... boot off of a Linux floppy, reset the admin password and boot up with the new password. Since you are (presumably) not trying to be sneaky _and_ you have direct access to the machine, changing the PW should not be a problem, yes? Oh - and it is free, and works with WinNT4 - WinXP. Thanks! TJ -Original Message- From: Arnold, Jamie [mailto:[EMAIL PROTECTED]] Sent: Saturday, January 25, 2003 2:54 PM To: [EMAIL PROTECTED] Subject: RE: NT4.0 password crack tool [7:61807] Why do a command line? Just rename User Manager to logon.scr and reboot (you'll need NTFSDOS Pro) and in 15 minutes you get User Manager with root perms. "Imagination is more important than knowledge" - Albert Einstein -Original Message- From: Juntao [mailto:[EMAIL PROTECTED]] Sent: Friday, January 24, 2003 4:50 PM To: [EMAIL PROTECTED] Subject: Re: NT4.0 password crack tool [7:61807] You're talking about NT4 login passwords, the SAM database? L0phtCrack works, it takes a long time though. Sysinternals has tools to log in to the box and change things. You can also rename cmd.exe to the default screen saver name; the command line will pop up after a while, after reboot, and you can change the password with the net user command. If the server or the box is part of the global admin group, I'm sure you know you can change the password or reset it, even just with User Manager for Domains. And there are of course a lot of other things that can be done, depending on your situation. Hope the above helps. Regards Kazan, Naim wrote in message news:[EMAIL PROTECTED] I am trying to recover my password that someone set on my sniffer box running on NT4.0. Any help will be greatly appreciated. Naim Kazan FISC-SDS WORK: 201-915-7347 HOME: 973-492-1466 CELL: 917-559-0591 EMAIL: [EMAIL PROTECTED] PAGER: 800-759-8352 Pin 1145361 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61993t=61807
Re: Static overlaps error??????? [7:62024]
interface ethernet1 auto interface ethernet2 auto shutdown mtu outside 1500 mtu inside 1500 mtu DMZ 1500 global (outside) 1 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 static (inside,outside) tcp smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0 I tried to add another statement below my last that read: static (inside,outside) tcp smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0 then received the error. Thanks - Original Message - From: Marko Milivojevic To: '[EMAIL PROTECTED]' ; [EMAIL PROTECTED] Sent: Tuesday, January 28, 2003 10:36 AM Subject: RE: Static overlaps error??? [7:62024] It might help to send a snip of your router configuration. Marko. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, 28 January 2003 14:55 To: [EMAIL PROTECTED] Subject: Static overlaps error??? [7:62024] I have a mail server that handles email for 2 domains. I am trying to map 2 global addresses to 1 internal server. I am receiving the following error: ERROR: static overlaps with /25 to /25 What is the command to fix this? Thanks in advance... Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62040t=62024
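As an added example, not from the thread and not Cisco tooling, the following Python parses PIX 6.x-style static lines and reports pairs whose mapped (global-side) address and port collide on the same interface. That is the condition behind a static overlaps error: the PIX is refusing a second translation for global port 25 that the first static already owns. The constructed sample config repeats the same static twice, as in the post, and then shows the usual form for two global addresses on one mail server, two port statics with distinct global addresses pointing at the same inside host, which the checker does not flag. The recognised syntax forms, the overlap rule for whole-address versus port statics, and the RFC 5737 documentation addresses are assumptions.

```python
import re

# Assumed PIX 6.x syntax (this checker is an added example, not Cisco code):
#   static (real_if,mapped_if) {tcp|udp} <mapped_ip> <mapped_port> <real_ip> <real_port> netmask ...
#   static (real_if,mapped_if) <mapped_ip> <real_ip> netmask ...
PORT_STATIC = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
)
NET_STATIC = re.compile(
    r"^static\s+\((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\)\s+(?P<mapped_ip>\S+)\s+(?P<real_ip>\S+)"
)
# Service names the PIX accepts in place of port numbers (subset, assumed).
PORT_NAMES = {"smtp": 25, "www": 80, "http": 80, "https": 443, "ftp": 21, "ssh": 22, "telnet": 23}


def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def parse_static(line):
    """Return a dict describing a static line, or None if the line is not a static."""
    line = line.strip()
    m = PORT_STATIC.match(line)
    if m:
        d = m.groupdict()
        d["mapped_port"] = port_number(d["mapped_port"])
        d["real_port"] = port_number(d["real_port"])
        return d
    m = NET_STATIC.match(line)
    if m:
        d = m.groupdict()
        d.update(proto="ip", mapped_port=None, real_port=None)
        return d
    return None


def mapped_side_conflicts(a, b):
    """Two statics collide when they claim the same mapped address on the same
    mapped interface and either one is a whole-address static or both name the
    same protocol and port (assumed rule)."""
    if (a["mapped_if"], a["mapped_ip"]) != (b["mapped_if"], b["mapped_ip"]):
        return False
    if a["proto"] == "ip" or b["proto"] == "ip":
        return True
    return (a["proto"], a["mapped_port"]) == (b["proto"], b["mapped_port"])


def find_overlaps(config_text):
    """Return 1-based (line_a, line_b) pairs whose mapped sides overlap."""
    statics = []
    for n, line in enumerate(config_text.splitlines(), start=1):
        s = parse_static(line)
        if s:
            statics.append((n, s))
    pairs = []
    for i, (na, a) in enumerate(statics):
        for nb, b in statics[i + 1:]:
            if mapped_side_conflicts(a, b):
                pairs.append((na, nb))
    return pairs


# Constructed sample: lines 1 and 2 repeat one static (what the PIX rejects);
# line 3 is a second, distinct global for the same mail server; line 4 is a
# whole-address static that collides with line 3's port static.
SAMPLE_CONFIG = """\
static (inside,outside) tcp 203.0.113.10 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.11 smtp 192.168.0.1 smtp netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.11 192.168.0.20 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
"""

if __name__ == "__main__":
    for a, b in find_overlaps(SAMPLE_CONFIG):
        print(f"static on line {a} overlaps with static on line {b}")
```

Run against the sample it reports lines 1 and 2 (identical global address and port) and lines 3 and 4 (a whole-address static on a global that a port static already uses); line 3 alone, a second global for the same inside host, is what the original poster needs instead of repeating the first line.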
RE: CCNP Recertification [7:62038]
Yes, and I just reinforced my knowledge of this, having just had my CCNP expire this past Friday without taking the recert exam. Even though I have my CCDP, I have to take all the CCNP tests over again. -Original Message- From: Bolton, Travis D [LTD] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 12:04 PM To: [EMAIL PROTECTED] Subject: CCNP Recertification [7:62038] Team, When you take the recert exam for your CCNP do you have to take it before your cert expires? If your cert expires before you take that test then does that mean you need to retake all 4 exams again? Travis Bolton Web Media CCNP, CCDA "Try not to become a man of success, but rather try to become a man of value." - Albert Einstein Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62042t=62038
access the inside global from inside (NAT) [7:62041]
I have a web server with an inside local 192.168.0.5 and with static NAT I make an association with the inside global (e.g.) 222.222.222.222 (config)# ip nat inside source static 192.168.0.5 222.222.222.222 I can access the web server from the internet and I can access the web server from my private network if I use the 192.168.0.5 address in my browser. My question is: Is it possible to access the web server using 222.222.222.222 from my private network? Is there any way? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62041t=62041
Re: Too much Security Overkill on wireless network??? [7:62010]
I believe if you turn just EAP on, you'll get a dynamic WEP key for unicasts but you'll need to specify the static WEP key to be used for broadcasts/multicasts. If you turn EAP with broadcast key rotation on, you don't need to specify a static WEP key for broadcasts/multicasts because the AP will create and rotate them dynamically at the specified interval. Regards, Mas Kato https://ecardfile.com/id/mkato - Original Message - From: Jim Brown To: 910T ; Sent: Tuesday, January 28, 2003 7:48 AM Subject: RE: Too much Security Overkill on wireless network??? [7:62010] I'm testing this very scenario at the moment. Just force the use of EAP and turn off Open and Shared authentication. I would probably pick (LEAP/PEAP + (BKR or TKIP)) or IPsec. Although the IPsec-only route wouldn't afford you the ability to deny surfing from the DMZ. EAP locks down the network access except for authenticated users. IPsec might be overkill on top of PEAP. You could use PEAP to protect unicast transmissions and Broadcast Key Rotation to protect multicast/broadcast traffic. The broadcast key is securely transmitted to the client during the EAP authentication process. I will be forced to use LEAP instead of PEAP at the moment because of some CE devices, but the process is exactly the same except PEAP is slightly more secure. Can someone, Mas, please let me know if I need to enter a WEP transmission key when using EAP and Broadcast Key Rotation? I know I need to turn WEP on, but I think I can just leave out the key and specify the length. Is this right? The documentation isn't very clear. -Original Message- From: 910T [mailto:[EMAIL PROTECTED]] Sent: Monday, January 27, 2003 11:53 PM To: [EMAIL PROTECTED] Subject: Re: Too much Security Overkill on wireless network??? [7:62010] Eric, Sorry to pile it on, but the error correction in an 802.11 wireless radio transmission also takes up almost half the throughput right off the bat (11 Mbit/s becomes about 6.5 Mbit/s net, best case). Perhaps SSH, SSL and EAP/WEP are superfluous when used with IPsec, but I would imagine that you need SSH and SSL to support users coming in from the outside, or perhaps as an additional level of protection for individual users of sensitive applications from those with general network access (most attacks come from within...). Typically, WEP is done in hardware, so theoretically there shouldn't be any overhead if that is the case. But if you want to eliminate it, why not force the use of EAP for wireless admission control but leave WEP off? (I think you can either not enter a key at all or enter one and then select 'No Encryption'.) Regards, Mas Kato https://ecardfile.com/id/mkato - Original Message - From: eric nguyen To: ; Sent: Thursday, January 23, 2003 8:51 AM Subject: Too much Security Overkill on wireless network??? Hi, I have been assigned the task of setting up a wireless network for my company and I am wondering whether I use too much security for the wireless. Currently, I am setting up a test wireless network for about 5 users. Eventually, this network will have about 50 users. My set up is as follows: 1) The wireless network is sitting on the DMZ network. This DMZ network hangs off an interface of a PIX firewall (PIX-525). Wireless users are required to use Protected Extensible Authentication Protocol (PEAP) in order to log onto the wireless DMZ network. 2) In order to access the company internal network, which hangs off the inside interface of the PIX firewall, wireless users must use the Cisco VPN Client (IPsec) to establish a secure VPN tunnel between their device and the PIX firewall. 3) After successfully establishing the VPN tunnel between the wireless device and the PIX firewall, wireless users can only access the company internal network applications via SSL, SSH, POP3S and IMAPS. I have a few users that tunnel X applications via SSH connections. Applications such as POP3, telnet and IMAP are not allowed from the DMZ network into the company internal network. So far the test is going well. However, my concern is that this will not scale well for a large number of wireless users. For example, let's say for an SSH connection, the traffic is encrypted by SSH. Below that, it is encrypted via IPsec. Finally, it is encrypted by PEAP. I've not done any analysis yet but it is possible that 50% of the traffic is just overhead traffic for encryption. Has anyone successfully implemented a secure wireless network on a large scale? I would like to get your advice on this. I have to present a recommendation to my CTO in the next few days. By the way, my company did hire a CCIE security consultant to work with me on this project; however, this CCIE security is a f_cking moron. Not only does he not know anything about PEAP, but he even suggested that we use Cisco LEAP because LEAP is much more secure than PEAP. After he couldn't get PEAP to work, the SOB suggested that we switch to Cisco LEAP. When we don't
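Eric's question of how much of the traffic is encryption overhead can be put in numbers. The following Python is an added back-of-envelope model, not code from the thread: it counts the bytes each layer in his design adds to one SSH application record (SSH framing and MAC, then TCP/IP, then ESP tunnel mode, then the 802.11 data frame with WEP) and reports what fraction of the bytes on the air are application data. The framing constants come from RFC 4253 (SSH), RFC 2406 (ESP) and 802.11; the cipher and MAC choices (3DES-CBC with an 8-byte IV and HMAC-SHA1-96 for ESP, 3des-cbc and hmac-sha1 for SSH) are assumptions since the post does not state them, and the model ignores retransmissions, 802.11 ACKs and the PHY-layer cost Mas mentions.

```python
# Per-layer byte costs. Constants from the relevant specs; the cipher/MAC
# choices are assumptions (the thread does not state them).
IP_HDR = 20          # IPv4 header, no options
TCP_HDR = 20         # TCP header, no options
SSH_MAC = 20         # hmac-sha1 (RFC 4253)
SSH_BLOCK = 8        # padding aligns to max(8, cipher block); 3des-cbc block is 8
ESP_SPI_SEQ = 8      # ESP header: SPI + sequence number
ESP_IV = 8           # 3DES-CBC IV
ESP_BLOCK = 8        # 3DES block size, governs ESP padding
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-SHA1-96
DOT11_HDR = 24       # 802.11 data frame MAC header (three addresses)
DOT11_FCS = 4
LLC_SNAP = 8         # LLC/SNAP encapsulation of IP inside an 802.11 frame
WEP_IV = 4           # 3-byte IV + key-id byte
WEP_ICV = 4


def ssh_packet_len(app_bytes):
    """SSH binary packet (RFC 4253 section 6): 4-byte packet length, 1-byte
    padding length, payload, at least 4 bytes of padding bringing
    length+padlen+payload+padding to a multiple of the cipher block, then MAC."""
    body = 4 + 1 + app_bytes
    pad = (-body) % SSH_BLOCK
    if pad < 4:
        pad += SSH_BLOCK
    return body + pad + SSH_MAC


def esp_tunnel_len(inner_ip_bytes):
    """ESP tunnel mode (RFC 2406): new outer IPv4 header, SPI/sequence, IV,
    the inner packet padded so that inner+pad+trailer is block aligned,
    trailer, ICV."""
    pad = (-(inner_ip_bytes + ESP_TRAILER)) % ESP_BLOCK
    return IP_HDR + ESP_SPI_SEQ + ESP_IV + inner_ip_bytes + pad + ESP_TRAILER + ESP_ICV


def wep_frame_len(msdu_bytes):
    """802.11 data frame carrying an LLC/SNAP-encapsulated IP packet under WEP:
    MAC header, IV/key-id, SNAP, body, ICV, FCS."""
    return DOT11_HDR + WEP_IV + LLC_SNAP + msdu_bytes + WEP_ICV + DOT11_FCS


def stack_sizes(app_bytes):
    """Bytes at each layer for app_bytes of SSH application data, plus the
    fraction of radiated bytes that is application data."""
    ssh = ssh_packet_len(app_bytes)
    inner_ip = IP_HDR + TCP_HDR + ssh
    esp = esp_tunnel_len(inner_ip)
    frame = wep_frame_len(esp)
    return {
        "ssh": ssh,
        "inner_ip": inner_ip,
        "esp_packet": esp,
        "wireless_frame": frame,
        "efficiency": app_bytes / frame,
    }


if __name__ == "__main__":
    for n in (1, 64, 512, 1400):
        s = stack_sizes(n)
        print(f"{n:5d} app bytes -> {s['wireless_frame']:5d} bytes on air "
              f"({s['efficiency']:.1%} goodput)")
```

A single typed byte in an interactive SSH session comes out at 172 bytes on the air (under 1% goodput), which is where a "half the traffic is overhead" impression comes from; for 1400-byte bulk writes the framing is about 11% and the wireless link is mostly carrying data. Note that the 1400-byte case produces a 1528-byte ESP packet, above a 1500-byte Ethernet MTU, so on a real path the VPN client clamps the TCP MSS or the packet fragments, a further cost the model does not include.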
Need help with PIX natting [7:62044]
I am using 3 interfaces: Inside 100, Eth2 (Vendor1) 90 and Eth3 (Vendor2) 80. I want all traffic leaving the inside going to Ethernet 2 to not have NAT. So I have set up statics as follows: access-list vendor1-outbound permit tcp host 204.26.258.32 host 254.254.254.254 eq ftp access-list vendor1-outbound deny ip host 204.26.258.32 any access-list vendor1-outbound permit ip any any access-list vendor2-outbound permit ip any any ip address outside 127.0.0.1 255.255.255.255 ip address inside 172.31.1.10 255.255.0.0 ip address vendor1 172.30.254.10 255.255.255.0 ip address vendor2 67.128.7.129 255.255.255.192 ip address intf4 127.0.0.1 255.255.255.255 ip address intf5 127.0.0.1 255.255.255.255 static (inside,vendor1) 172.16.5.0 172.16.5.0 netmask 255.255.255.0 0 0 static (inside,vendor1) 172.16.4.0 172.16.4.0 netmask 255.255.255.0 0 0 static (inside,vendor1) 172.31.0.0 172.31.0.0 netmask 255.255.0.0 0 0 static (inside,vendor1) 254.254.254.254 254.254.254.254 netmask 255.255.255.255 access-group vendor1-outbound in interface vendor1 access-group vendor2-outbound in interface vendor2 Now this all works beautifully, but I want to change it so that when 172.16.5 goes to 204.26.258.32 it gets NATted to 254.254.254.254, otherwise it stays the same going anywhere else. PLEASE HELP Bob Perez, Intercept Payment Solutions, [EMAIL PROTECTED], 100 West Commons BLVD, New Castle, DE 19720, Phone: 302.326.0700, Cell: 302.420.6883, www.intercept.net, CCNA CCNP MCSE NET+ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62044t=62044
trunking 10/100 access ports for avaya ip phone [7:62045]
Anyone have any insight on the pros or cons regarding applying trunks to all 10/100 access ports on a 6509? Presently, I have a Cisco VoIP environment, using a data VLAN and an auxiliary VLAN for voice traffic. I've been asked to make an Avaya phone work in this environment. Input from Avaya had me make the access port a trunk, make the data VLAN the default VLAN and apply the aux VLAN to the port as well. It does work; my question is in regards to performance and/or design best practices. TIA Robert Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62045t=62045
RE: ACL memory space [7:62028]
At 4:57 PM + 1/28/03, John Neiberger wrote: Hmm, you must have some freakin' long ACLs! :-) Still, that's pretty strange behavior. I don't know if the feature is available on that platform, but you might try using access-list compiled to allow the router to process them more efficiently. I doubt that would even help this problem, though. If you're truly running out of config space, try using service compress-config to free up some room. It sounds like you may be running into a 'feature' that TAC might be able to help with. John There is a problem that affects some large ISPs with extremely long access lists. I've seen Tier 1 routers with large warnings on the console, "DO NOT SAVE RUNNING-CONFIG STARTING-CONFIG". Their lists are too long to have the config fit into NVRAM, but their workaround is always to load configs from TFTP. Do check that you aren't short on NVRAM. This doesn't sound quite the same as your problem, though. [EMAIL PROTECTED] 1/28/03 9:37:22 AM The router is a 3640. I'm using the following image: c3640-ik9o3s-mz.122-11T -Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 10:27 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: ACL memory space [7:62028] What router and image is this happening on? John [EMAIL PROTECTED] 1/28/03 8:47:57 AM Is there a way to devote separate memory space for ACLs? I just opened a TAC case, but I'm still having problems with my lists getting dropped; I've even gone so far as to delete all the entries and re-enter only a couple. Scenario: I shell into the router, add one additional host to access-list 1. As soon as I hit enter, all the ACLs from list one disappear. It's gotten to the point where the ACL allowing access to the router disappeared. This is driving me crazy. I'm thinking it's a bad image? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62046t=62028
PIX Scenario [7:62047]
Hello everyone, I would like to install a PIX behind a router and had some questions... 1. Can the VPN clients connect to a public IP that translates (static NAT) to the private IP assigned to the outside interface of the PIX? (if I use ESP) 2. Will it work if I use IKE Mode Configuration to auto-assign IPs to the remote clients, or does the vpngroup configuration with PIX v6.01 work the same way? Thanks for any suggestions... If I am being too vague I would be happy to discuss in more detail. Thanks! -- Dain Deutschman CCNP, CSS-1, CCNA, MCP, CNA Data Communications Manager New Star Sales and Service, Inc. 800.261.0475 [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62047t=62047
Re: One arm routing?? with a Cisco 2500 router and a Cisco [7:62048]
I think I should be able to do NAT on a stick but I don't have that version of the IOS. Do you know where I can get Cisco IOS version 12.1(5)T9? Thanks in advance, I appreciate the help. Lupi, Guy wrote: You may also want to have a look at this link, NAT on a stick: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml It isn't one arm routing, but you should be able to connect your DSL to your switch, your router to your switch, and make this work without VLANs while using multiple computers behind it. Let me know if you get it to work, I have never tried it but always wanted to. -Original Message- From: Larry Letterman [mailto:[EMAIL PROTECTED]] Sent: Monday, January 27, 2003 4:43 PM To: [EMAIL PROTECTED] Subject: Re: One arm routing?? with a Cisco 2500 router and a Cisco [7:61988] That type of setup should be done with an ISL/Dot1q trunk; I don't believe 2500 routers are capable of that type of function on 10BT interfaces... You could however split the DSL connection by aggregating the DSL into one VLAN on the switch, then connecting a crossover to other VLANs. That will allow several networks to use the DSL at the same time, providing you have more than one IP... Larry Letterman Network Engineer Cisco Systems - Original Message - From: tafnap To: Sent: Monday, January 27, 2003 1:13 PM Subject: One arm routing?? with a Cisco 2500 router and a Cisco catalyst [7:61983] I am working on a home network lab and I was wondering, is it possible to take my DSL connection and connect it through my switch to my router then back to my switch via a one-arm routing type setup? I have been playing with it for a couple of days and can't get the VLANs set up and working properly on my switch or router to route the traffic via two VLANs... any thoughts? [EMAIL PROTECTED] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62048t=62048
MPLS Labs [7:62049]
Hello People... Do you guys know where I can get some labs to play with MPLS. I got some 7200 routers and some 2651 routers. Thanks...Nabil I have never let my schooling interfere with my education. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62049t=62049
smart serial v/s hssi [7:62050]
Is there any difference between smart serial and HSSI (high speed serial interface), or are they one and the same as far as hardware connectors go? Thank you Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62050t=62050
RE: Cisco 831 routers [7:61707]
Glad to help Thomas. My experience with lower-end 2600's (2611/2621) is that they can reach approximately 500-750Kbps of 3DES IPsec performance (depending upon traffic type; purely 1440-byte packets might get you north of 800Kbps). The 831 is rated, as per Cisco (http://tools.cisco.com/cmn/jsp/index.jsp?id=20753), at around 2Mbps with standard traffic, so real world performance should be better (64-byte packets induce the greatest amount of stress). This, plus the punting of LLQ into the crypto engine, Websense/N2H2 content filtering and virtual AUX makes this little router quite acceptable for small offices, though there isn't any modularity of course (e.g. no WICs, no NMs). Cheers. Paul Forbes Network Engineer Trimble -Original Message- From: Thomas N. [mailto:[EMAIL PROTECTED]] Sent: Monday, January 27, 2003 11:15 PM To: [EMAIL PROTECTED] Subject: Re: Cisco 831 routers [7:61707] Thanks Paul. Do you have any chance to test out for performance of GRE+IPSec? Is it better than that of software-based encryption on the 2600 routers? Paul Forbes wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... They're available (we have four in house ready for deployment). I haven't tested them with all knobs on (GRE+IPsec, CBAC, IDS, QoS, EIGRP/OSPF, etc.), but VPN+CBAC has worked beautifully. Check with your VAR or Cisco account team for leadtimes. Cheers. Paul -Original Message- From: Thomas N. [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 23, 2003 12:32 PM To: [EMAIL PROTECTED] Subject: Cisco 831 routers [7:61707] Hi All, I wonder if anyone here could get a hold of the new Cisco 831 VPN router? I am trying to get couple of these routers but being told they are onhold by Cisco. I am just curious why? and when they are available again? Thanks! Thomas. 
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62051t=61707
Re: Inquiring Minds want to know [7:61985]
Normally you would want to fix the ports on connections you know will not change, like trunks, routers, servers, etc. You do have to watch out for vendor implementations, however. When troubleshooting issues with an IBM 2216 router (think 7507 with CIP) I found a tech note from IBM stating that switch ports had to be in auto for the 2216 Fast Ethernet card ports to come up reliably. Kazan, Naim wrote in message news:[EMAIL PROTECTED]... What kind of problems, if any, will occur if we had a NIC card set to auto-sense along with the Cat port? Naim Kazan FISC-SDS WORK: 201-915-7347 HOME: 973-492-1466 CELL: 917-559-0591 EMAIL: [EMAIL PROTECTED] PAGER: 800-759-8352 Pin 1145361 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62052t=61985
NAT and VoIP [7:62053]
Has anyone heard about having problems with NAT and running VoIP? I want to run VoIP across a DSL link with NAT. Thanks in advance. neil K. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62053t=62053
Re: Inquiring Minds want to know [7:61985]
Normally you would want to fix the ports on connections you know will not change, like trunks, routers, servers, etc. You do have to watch out for vendor implementations, however. When troubleshooting issues with an IBM 2216 router (think 7507 with CIP) I found a tech note from IBM stating that switch ports had to be in auto for the 2216 Fast Ethernet card ports to come up reliably. I'm finding that more and more often this is the case, especially with newer switches. According to spec, auto is the only way to go. Any other configuration is not mentioned in the spec and the behavior is vendor-dependent. That translates to more support calls, unfortunately. John Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62054t=61985
CCNP Recertification [7:62055]
Has anybody passed the CCNP recertification test recently? Any suggestions on what to look for and what books to refer to? Thanks, neil K. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62055t=62055
RE: smart serial v/s hssi [7:62050]
. wrote: Is there any difference between Smart Serial and HSSI (High-Speed Serial Interface), or are they one and the same as far as hardware connectors go? Thank you. They are not one and the same. The HSSI interface is mechanically identical to the SCSI2 connector, which is a couple of inches wide. The newer Smart Serial is a very compact little dude that you find on the WIC series of interfaces. I thought Smart Serial was Cisco-proprietary, but I understand a few others are using it as well. I've never been able to find any kind of spec on it. As far as I know, the Smart Serial has only been used by Cisco for lower-speed interfaces (up to E1) whereas the HSSI goes up to around 50 Mbps. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62056t=62050
HSRP PROBLEM [7:62057]
HSRP PROBLEM
x.x.x.36 and x.x.x.37 are two routers.
x.x.x.36 config:
standby 1 ip x.x.x.35
standby 1 priority 150
standby 1 preempt delay minimum 2
standby 1 track serial0 10
x.x.x.37 config:
standby 1 ip x.x.x.35
standby 1 priority 140
standby 1 preempt
standby 1 track serial0 20
Problem: Both routers keep switching roles. The serial interface ain't that bad at all. It hardly goes down on both the routers. What can be the problem? Any possible solutions to test out? Thank You
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62057t=62057
VPN with clients behind NAT [7:62058]
Hello, I need to implement a VPN which will be used for data transfers and VoIP, with the server on a public IP and clients connected to the internet by xDSL router/modem/switch with a real dynamic IP (allocated by DHCP). As far as I understand, I need to set up an IPSec tunnel from the CO to each client, and VPDN is not the way to go. Am I correct? Any help would be fine. Thanks. -- Michael Vasilenko Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62058t=62058
RE: NAT and VoIP [7:62053]
You may indeed experience issues with NAT and VoIP. You will have to revisit your NAT pool and review the address schema for your IP telephony end points and most likely adjust your pools accordingly. This will also, depending on the size of the deployment and enterprise, probably cause you to have to review your DHCP scope(s) as well. Will Gragido CISSP CCNP CIPTSS CCDA MCP 9450 W. Bryn Mawr Ave. Suite 325 Rosemont, Il 60018 www.ins.com [EMAIL PROTECTED]

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of neil K. Sent: Tuesday, January 28, 2003 2:14 PM To: [EMAIL PROTECTED] Subject: NAT and VoIP [7:62053] Has anyone heard about having problems with NAT and running VoIP? I want to run VoIP across a DSL link with NAT. Thanks in advance. neil K. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62059t=62053
Re: Cisco 831 routers [7:61707]
Thanks much Paul! Now I am waiting to get those boxes :). Thomas. Paul Forbes wrote in message news:[EMAIL PROTECTED]... [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62060t=61707
Re: ACL memory space [7:62028]
If this is the same thread, I thought Mike wrote back to me that it was something like 64 lines; that's nothing. If you open a case with Cisco they will probably tell you to upgrade. I'll save you the trouble: try upgrading, 12.2.13T is available :) Dave

Howard C. Berkowitz wrote: At 4:57 PM + 1/28/03, John Neiberger wrote: Hmm you must have some freakin' long ACLs! :-) Still, that's pretty strange behavior. I don't know if the feature is available on that platform but you might try using access-list compiled to allow the router to process them more efficiently. I doubt that would even help this problem, though. If you're truly running out of config space try using service compress-config to free up some room. It sounds like you may be running into a 'feature' that TAC might be able to help with. John There is a problem that affects some large ISPs with extremely long access lists. I've seen Tier 1 routers with large warnings on the console, DO NOT SAVE RUNNING-CONFIG STARTING-CONFIG. Their lists are too long to have the config fit into NVRAM, but their workaround is always to load configs from TFTP. Do check that you aren't short on NVRAM. This doesn't sound quite the same as your problem, though.

[EMAIL PROTECTED] 1/28/03 9:37:22 AM The router is a 3640. I'm using the following image: c3640-ik9o3s-mz.122-11T

-Original Message- From: John Neiberger [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 10:27 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: ACL memory space [7:62028] What router and image is this happening on? John

[EMAIL PROTECTED] 1/28/03 8:47:57 AM Is there a way to devote separate memory space for ACLs? I just opened a TAC case, but I'm still having problems with my lists getting dropped; I've even gone so far as to delete all the entries and re-enter only a couple. Scenario: I shell into the router, add one additional host to access-list 1. As soon as I hit enter, all the ACEs from list one disappear. It's gotten to the point where the ACL allowing access to the router disappeared. This is driving me crazy. I'm thinking it's a bad image.?.?.? -- David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367 You don't make the poor richer by making the rich poorer. --Winston Churchill Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62061t=62028
Re: ACL memory space [7:62028]
Heck, we have one that's over 120 lines long! :-) It's a tad complex. John MADMAN 1/28/03 2:25:20 PM If this is the same thread, I thought Mike wrote back to me that it was something like 64 lines; that's nothing. If you open a case with Cisco they will probably tell you to upgrade. I'll save you the trouble: try upgrading, 12.2.13T is available :) Dave [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62062t=62028
cat6500 ethernet module question [7:62063]
Hello listers, does anyone know the technical difference between the ws-x6148-rj-45 and ws-x6348-rj-45 modules for the cat6500 switches? The price difference is very significant though the documentation on Cisco's web site doesn't show any technical difference. Rgds, dayo Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62063t=62063
URGENT HSRP PROBLEM [7:62064]
HSRP PROBLEM
x.x.x.36 and x.x.x.37 are two routers.
f0 interface config, x.x.x.36:
standby 1 ip x.x.x.35
standby 1 priority 150
standby 1 preempt delay minimum 2
standby 1 track serial0 15
f0 interface config, x.x.x.37:
standby 1 ip x.x.x.35
standby 1 priority 140
standby 1 preempt
standby 1 track serial0 20
Problem: Both routers keep switching roles. The serial interfaces and links are perfect. They never go down. I have disabled f0 on the .37 router and when I enable it, it seems to be stuck in speak state and even takes over as active, but the .36 router never registers any changes in its state during this time. Access-lists, etc. aren't a problem.. Thank You
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62064t=62064
Re: URGENT HSRP PROBLEM [7:62064]
What are the routers connected to that allows the routers to talk HSRP to each other...? Larry Letterman Network Engineer Cisco Systems - Original Message - From: Raj To: Sent: Tuesday, January 28, 2003 2:03 PM Subject: URGENT HSRP PROBLEM [7:62064] [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62067t=62064
RE: URGENT HSRP PROBLEM [7:62064]
Sorry, I don't have time to look into your problem. Try the Cisco article "Avoiding HSRP Instability in a Switching Environment with Various Router Platforms". It might apply to your situation. -Original Message- From: Raj [mailto:[EMAIL PROTECTED]] Sent: Tuesday, January 28, 2003 4:04 PM To: [EMAIL PROTECTED] Subject: URGENT HSRP PROBLEM [7:62064] [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62068t=62064
Re: callmanager 3.1(3a) upgrade [7:61881]
Hi, I would really appreciate it if you could point to the upgrade instructions on CCO. Regards, Zahid J M wrote in message news:[EMAIL PROTECTED]... I did this recently. followed this guide. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62069t=61881
Re: cat6500 ethernet module question [7:62063]
The 6348 has the ability to supply inline power to IP Phones and AP units. The 6248 does not have that ability; I am not sure about the 6148. Larry Letterman Network Engineer Cisco Systems - Original Message - From: dayo olabisi To: Sent: Tuesday, January 28, 2003 1:53 PM Subject: cat6500 ethernet module question [7:62063] [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62070t=62063
Re: cat6500 ethernet module question [7:62063]
The 6348 is the higher-end model for the network core: http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_data_sheet09186a0080092393.html Dave dayo olabisi wrote: [snip] -- David Madland CCIE# 2016 Sr. Network Engineer Qwest Communications 612-664-3367 You don't make the poor richer by making the rich poorer. --Winston Churchill Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62066t=62063
Re: UDP port 1434 [7:61891]
Sorry, Ken, I've read so much crap about Sapphire and 1434 the last couple of days that I forget who said what. Sorry for misrepresenting you as a result of my frazzled brain. Given the large installation of MS SQL devices on your campus, may we blame you and your wards for the problem? ;- Chuck -- TANSTAAFL there ain't no such thing as a free lunch Ken Diliberto wrote in message news:[EMAIL PROTECTED]... [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62065t=61891
Re: UDP port 1434 [7:61891]
Well, um, yes. Although I removed us as part of the problem as soon as I noticed we were. :-) The Long and Winding Road 01/28/03 02:36PM Sorry, Ken, I've read so much crap about Sapphire and 1434 the last couple of days that I forget who said what. Sorry for misrepresenting you as a result of my frazzled brain. Given the large installation of MS SQL devices on your campus, may we blame you and your wards for the problem? ;- Chuck [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62071t=61891
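Ken's access-list hit counter is the crude form of this detection: it tells you the volume, not who is infected. What follows is an added example, not code from this thread or from Cisco, of the next step once the deny entry carries the `log` keyword and the router's %SEC-6-IPACCESSLOGP messages are collected in syslog. It parses those messages, totals denied UDP/1434 packets per source, counts how many distinct destinations each source hit, and flags sources that sprayed several targets (a worm picks destinations at random; a legitimate SQL client talks to one or two servers). The sample log lines, the list number, the addresses and the packet counts are all constructed for the example.

```python
"""Triage Cisco IOS access-list deny logs for Slammer-style UDP/1434 scanning.

Added example, not code from the GroupStudy thread. Assumes the deny ACE
carries the `log` keyword so IOS emits %SEC-6-IPACCESSLOGP messages; the
sample lines, list number, addresses and packet counts are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log. IOS logs the first match and then periodic
# summaries ("N packets"), which is why one line carries a large count.
SAMPLE_LOG = """\
Jan 28 09:12:01.512: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.5.17(1044) -> 192.168.44.9(1434), 1 packet
Jan 28 09:12:01.514: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.5.17(1044) -> 172.16.200.3(1434), 1 packet
Jan 28 09:12:01.519: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.5.17(1044) -> 10.9.77.120(1434), 1 packet
Jan 28 09:12:02.001: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.31.8.4(3291) -> 10.20.1.1(1434), 1 packet
Jan 28 09:12:02.880: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.31.8.4(3295) -> 10.20.1.1(1433), 1 packet
Jan 28 09:17:01.600: %SEC-6-IPACCESSLOGP: list 101 denied udp 10.20.5.17(1044) -> 10.0.0.0(1434), 4817 packets
"""

# Fields of one IPACCESSLOGP line: list, action, protocol, src(port) -> dst(port), count.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>denied|permitted) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_line(line):
    """Return the fields of one IPACCESSLOGP line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize_port(log_text, proto="udp", dport=1434):
    """Per-source totals of denied packets to proto/dport and distinct targets hit."""
    packets = Counter()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        if rec["proto"] != proto or rec["dport"] != dport:
            continue
        packets[rec["src"]] += rec["count"]
        targets[rec["src"]].add(rec["dst"])
    return {src: {"packets": packets[src], "targets": len(targets[src])}
            for src in packets}


def likely_infected(summary, min_targets=3):
    """Sources that hit at least min_targets distinct hosts: scanning, not a client."""
    return sorted(src for src, s in summary.items() if s["targets"] >= min_targets)


if __name__ == "__main__":
    summary = summarize_port(SAMPLE_LOG)
    for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["packets"]):
        print(f"{src:<16} {s['packets']:>8} packets  {s['targets']:>3} targets")
    print("likely infected:", ", ".join(likely_infected(summary)) or "none")
```

The list of flagged sources is what goes to the campus technicians; the packet totals only tell you which ones to visit first. One caveat for a router that is already being hammered: ACL logging is handled in the process path, so logging every hit of a worm storm is itself a load on the box. Keep `logging rate-limit` and `ip access-list log-update threshold` in mind, or log only on a narrow sampling ACE and leave the bulk deny entry unlogged.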
Re: Richard A. Deal Books [7:62027]
Mark, Thanks for the kudos. I worked really hard on the book and I know, after having written 6 books, that you can't please everyone. However, of all of the books that I've written, I'm proudest of this book. Yes, there are some errors that slipped in during my last review of the book and when it went to production, which does, unfortunately, happen. But as I discover these, I put them on my web site. As to my MCNS book, which is what the first poster asked, I had finished it, but before it went to print, the publisher (The Coriolis Group) went out of business. Since the MCNS has changed, I've decided not to create a new book. I'm getting a contract this week to write a CCNA book for McGraw-Hill and have been desperately trying to convince them to let me write a Cisco VPN book--one that covers ALL aspects of VPNs with Cisco products--PIX, router, concentrator, and their software clients. If you have any questions about my PIX book, please don't hesitate in shooting me an email. Thanks for your support! Cheers!

Mark Smith wrote in message news:[EMAIL PROTECTED]... I think his PIX book is very good. I've not found many errors in it but then maybe I've not looked at it in as much depth as you have. If I have a gripe about it it's for one thing. I use it as a desktop reference. Sometimes I'm looking up how to accomplish X and find out that before I can do that I need to accomplish A, B and/or C. The instructions will simply say That process was covered earlier and won't be repeated here. Now to accomplish X. Earlier? Where EXACTLY? I've spent more time looking for earlier sometimes than I do accomplishing the task at hand. Earlier in this chapter under the blah heading or this was covered in the chapter on blah blah would be helpful. As far as the info in the book goes I've found stuff in there that I can't find at CCO (it may be there but I can't find it) or anywhere other than maybe from tech in a TAC call. Either that or I've had to look for it in a dozen different places and now it's all together in one book. It's the best book I've found on using a PIX. Beats the Cisco Press book on the PIX by a long shot. Don't know about any others he's written. IMHO. Mark

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sam Sneed Sent: Tuesday, January 28, 2003 9:57 AM To: [EMAIL PROTECTED] Subject: Re: Richard A. Deal Books [7:62027] His PIX firewall book is OK. It does have a lot of errors in it though. Hope his other books have proofreaders. Joseph R. Taylor wrote in message news:[EMAIL PROTECTED]... Hi Everyone, I'm interested in knowing how good Richard A. Deal's books are. Especially in reference to MCNS. Thank you in advance. Joseph R. Taylor MCSE, CCNP Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62072t=62027
RE: VPN with clients behind NAT [7:62058]
If you have the DSL router just add this line ip nat inside source static that will allow your VPN clients through your NAT router to the VPN termination point. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Michael Vasilenko Sent: Tuesday, January 28, 2003 3:07 PM To: [EMAIL PROTECTED] Subject: VPN with clients behind NAT [7:62058] [snip] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62073t=62058
Re: cat6500 ethernet module question [7:62063]
dayo olabisi wrote in message ... does anyone know the technical difference between the ws-x6148-rj-45 and ws-x6348-rj-45 modules for the cat6500 switches? the price difference is very significant though the documentation on Cisco's web site doesn't show any technical difference. ws-x6148-rj-45 is a replacement for the ws-x6348-rj-45. they have identical functionality, but the 6148 uses newer, better (and yes, cheaper) parts. innovation. if you don't believe me, then why do the Cat6k bundles ship with ws-x6148's instead of 6348's or 6248's? the primary difference is that the ws-x6148-rj-45 can be UPGRADED to voice... while the ws-x6148-rj-45v SHIPS with the inline power already hardwired. the cost is _still_ significantly less than the 6248 or 6348 either way. definitely purchase the 6148 modules (with or without voice - whichever you need), because they have fewer bug issues, fewer problems, work better, and are more cost-efficient. the only other Cat6k Ethernet 10/100 module worth having besides the 6148 series is the 6548. the 6548 is fabric-enabled (you'll know if you need it - and in many cases, fabric-enabled for 10/100 ethernet is waaay overkill, normally the sfm2 is reserved for all gigabit+ ethernet and/or osm sonet interfaces). in sum, a 6548 module won't do you any good unless you are already using the Cat6k Supervisor 2 module and the SFM or SFM-2 modules. to properly calculate ROI for such blades, you need to first consider the following factors: -dre Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62074t=62063
Re: cat6500 ethernet module question [7:62063]
dre wrote in message ... dayo olabisi wrote in message ... does anyone know the technical difference between the ws-x6148-rj-45 and ws-x6348-rj-45 modules for the cat6500 switches? the price difference is very significant though the documentation on Cisco's web site doesn't show any technical difference. to properly calculate ROI for such blades, you need to first consider the following factors: woops, sent the email too quickly here you go... normally one would consider TTM, however in this case, the upgrade fixes bugs and solves technology issues. there might not be heavy TTM considerations, but there are 10/100/1000 TTM considerations to make. you may realize that 1-3 years down the road you will be replacing 6148 modules with Cat6k modules (not currently available except on the Cat 4000, 3550, and 2950 platforms) that do 10/100/1000 (obviously copper). this should be calculated as a hard cost when doing returns-based investment for cisco gear. you should also consider the support costs and upgrade conditions, as well as many other soft costs for proper ROI. fortunately, for the Cat6k platform, you don't pay for anything support-wise besides the chassis, power supplies, and OSM modules (if you have any). I believe that Cisco also charges support on some fabric-enabled LC's, in particular - 16-port Gigabit Ethernet modules. You may see Cisco (as with other vendors) charge per LC on high-end platforms like the Cat6k, especially when feature-rich vs. feature-free modules are concerned. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62075t=62063
Re: cat6500 ethernet module question [7:62063]
MADMAN wrote in message news:[EMAIL PROTECTED]...

The 6348 is the higher-end model for the network core: http://www.cisco.com/en/US/customer/products/hw/switches/ps708/products_data_sheet09186a0080092393.html

I believe the 6348 should only be used in the access layer (switched only environment running pure CatOS, no MSFC), and only in voice (or maybe 802.11 wireless - that's sort of stretching the inline power value of the blades) applications.

The 6148 should also only be used in the access layer, but should be purchased in favor of the 6348 today (the 6348 is outdated). the 6148-rj-45v module can be used for voice applications.

The 6548 module is a 10/100 Ethernet module more suited for the network core, although I'm not sure what applications would be needed in the core (maybe at the edge for peering?) for 10/100 Ethernet. Possibly for packet capture devices run to SPAN/RSPAN-enabled ports? Other NMS devices??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62076t=62063
RE: Richard A. Deal Books [7:62027]
I know a lot of people on this group have been published, some multiple times, and I hope I'm not offending anyone by asking this question: How well does a book publisher pay for the books you write? I'm not expecting any specific figures, but a ballpark figure would be interesting.

Thanks!
GM

-----Original Message-----
From: Richard Deal [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 28, 2003 7:24 PM
To: [EMAIL PROTECTED]
Subject: Re: Richard A. Deal Books [7:62027]

Mark,

Thanks for the kudos. I worked really hard on the book and I know, after having written 6 books, that you can't please everyone. However, of all of the books that I've written, I'm proudest of this book. Yes, there are some errors that slipped in during my last review of the book and when it went to production, which does, unfortunately, happen. But as I discover these, I put them on my web site.

As to my MCNS book, which is what the first poster asked, I had finished it, but before it went to print, the publisher (The Coriolis Group) went out of business. Since the MCNS has changed, I've decided not to create a new book. I'm getting a contract this week to write a CCNA book for McGraw-Hill and have been desperately trying to convince them to write a Cisco VPN book--one that covers ALL aspects of VPNs with Cisco products--PIX, router, concentrator, and their software clients.

If you have any questions about my PIX book, please don't hesitate in shooting me an email. Thanks for your support!

Cheers!

Mark Smith wrote in message news:[EMAIL PROTECTED]...

I think his PIX book is very good. I've not found many errors in it but then maybe I've not looked at it in as much depth as you have. If I have a gripe about it it's for one thing. I use it as a desktop reference. Sometimes I'm looking up how to accomplish X and find out that before I can do that I need to accomplish A, B and/or C. The instructions will simply say "That process was covered earlier and won't be repeated here. Now to accomplish X." Earlier? Where EXACTLY? I've spent more time looking for "earlier" sometimes than I do accomplishing the task at hand. "Earlier in this chapter under the blah heading" or "this was covered in the chapter on blah blah" would be helpful.

As far as the info in the book goes I've found stuff in there that I can't find at CCO (it may be there but I can't find it) or anywhere other than maybe from tech in a TAC call. Either that or I've had to look for it in a dozen different places and now it's all together in one book. It's the best book I've found on using a PIX. Beats the Cisco Press book on the PIX by a long shot. Don't know about any others he's written. IMHO.

Mark

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sam Sneed
Sent: Tuesday, January 28, 2003 9:57 AM
To: [EMAIL PROTECTED]
Subject: Re: Richard A. Deal Books [7:62027]

His PIX firewall book is OK. It does have a lot of errors in it though. Hope his other books have proofreaders.

Joseph R. Taylor wrote in message news:[EMAIL PROTECTED]...

Hi Everyone, I'm interested in knowing how good Richard A. Deal's books are. Especially in reference to MCNS. Thank you in advance.

Joseph R. Taylor MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62077t=62027
Re: One arm routing?? with a Cisco 2500 router and a Cicso [7:62078]
NAT on a stick worked, thank you very much for your advice. Now I just have to talk my wife into letting me keep the router and switch in my living room, LOL. Thanks again.

Lupi, Guy wrote:

You may also want to have a look at this link, NAT on a stick: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

It isn't one arm routing, but you should be able to connect your dsl to your switch, your router to your switch, and make this work without vlans while using multiple computers behind it. Let me know if you get it to work, I have never tried it but always wanted to.

-----Original Message-----
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 27, 2003 4:43 PM
To: [EMAIL PROTECTED]
Subject: Re: One arm routing?? with a Cisco 2500 router and a Cicso [7:61988]

that type of setup should be done with an ISL/Dot1q trunk, I don't believe 2500 routers are capable of that type of function on 10Bt interfaces... You could however split the DSL connection by aggregating the dsl into one vlan on the switch, then connecting a crossover to other vlans. That will allow several networks to use the DSL at the same time, providing you have more than one IP...

Larry Letterman
Network Engineer
Cisco Systems

----- Original Message -----
From: tafnap
To:
Sent: Monday, January 27, 2003 1:13 PM
Subject: One arm routing?? with a Cisco 2500 router and a Cicso catalyst [7:61983]

I am working on a home network lab and I was wondering is it possible to take my DSL connection and connect it through my switch to my router then back to my switch via a one routing type setup? I have been playing with it for a couple days and can't get the vlans setup and working properly on my switch or router to route the traffic via two vlans...any thoughts?

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62078t=62078
Re: access the inside global from inside (NAT) [7:62041]
Hi

Check out this link: http://www.cisco.com/warp/public/110/pixfaq.shtml#Q15

fahim oscar wrote in message news:[EMAIL PROTECTED]...

I have a web server with an inside local 192.168.0.5 and with static NAT I make an association with the inside global (e.g.) 222.222.222.222

(config)# ip nat inside source static 192.168.0.5 222.222.222.222

I can access the web server from the internet and I can access the web server from my private network if I use the 192.168.0.5 address in my browser. My question is: Is it possible to access the web server using the 222.222.222.222 from my private network. Is there any way?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62079t=62041
Re: PIX Scenario [7:62047]
Hi

If you want VPN clients to connect to your pix, you need to assign a public IP to your outside interface and you can create a pool of private ip addresses for your vpn clients by using (ip local pool start ip...end ip) and give the pool name in the vpngroup configuration (vpngroup address-pool ...). There are a lot of documents on cisco's website.

fahim

Dain Deutschman wrote in message news:[EMAIL PROTECTED]...

Hello everyone, I would like to install a PIX behind a router and had some questions...

1. Can the VPN clients connect to a public ip that translates (static nat) to the private ip assigned to the outside interface of the PIX? (if i use esp)

2. Will it work if I use IKE Mode Configuration to auto assign IPs to the remote clients or does the vpngroup configuration with PIX v6.01 work the same way?

Thanks for any suggestions... If i am being too vague I would be happy to discuss in more detail. Thanks!

--
Dain Deutschman CCNP, CSS-1, CCNA, MCP, CNA
Data Communications Manager
New Star Sales and Service, Inc.
800.261.0475
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62080t=62047
RE: HSRP PROBLEM [7:62057]
the routers send hello packets using a multicast address - check that this is not being blocked somewhere.

-----Original Message-----
From: . [mailto:[EMAIL PROTECTED]]
Sent: 28 January 2003 22:46
To: [EMAIL PROTECTED]
Subject: HSRP PROBLEM [7:62057]

HSRP PROBLEM

x.x.x.36 and x.x.x.37 are two routers.

x.x.x.x.36 config:
standby 1 ip x.x.x.35
standby 1 priority 150
standby 1 preempt delay minimum 2
standby 1 track serial0 10

x.x.x.x.37 config:
standby 1 ip x.x.x.35
standby 1 priority 140
standby 1 prempt
standby 1 track serial0 20

Problem: Both routers keep switching roles. The serial interface ain't that bad at all. It hardly goes down on both the routers. What can be the problem? Any possible solutions to test out?

Thank You

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62082t=62057
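An added example, not code from the thread: a small model of the HSRP election for the two configs quoted above (priority, the serial0 track decrement, preempt, and the IP-address tie-break), plus what each router concludes when the multicast hellos stop arriving, which is the condition the reply says to check. It assumes the IOS default holdtime of 10 seconds, uses the constructed addresses 192.0.2.36/.37 for x.x.x.36/.37, reads the second config's "prempt" as "preempt", and ignores the preempt delay.

```python
from dataclasses import dataclass


@dataclass
class HsrpRouter:
    ip: str               # interface address; the election tie-breaker
    priority: int         # "standby 1 priority N"
    preempt: bool         # "standby 1 preempt"
    track_decrement: int  # "standby 1 track serial0 N"
    serial_up: bool = True

    def effective_priority(self) -> int:
        # tracking subtracts the decrement while serial0 is down
        return self.priority - (0 if self.serial_up else self.track_decrement)

    def rank(self) -> tuple:
        # higher priority wins; equal priorities are broken by the higher IP
        return (self.effective_priority(), tuple(int(o) for o in self.ip.split(".")))


def elect_active(routers, current=None):
    """Router that ends up active. With no active router the best rank wins;
    an existing active router is only displaced by a better one with preempt."""
    best = max(routers, key=HsrpRouter.rank)
    if current is None or current not in routers or best is current:
        return best
    return best if (best.preempt and best.rank() > current.rank()) else current


def routers_claiming_active(routers, current, hello_silence_s, holdtime_s=10):
    """Set of routers that believe they are active after hellos have been
    missing for hello_silence_s seconds. Once the holdtime expires every router
    assumes its peer is gone and goes active itself (two actives), which is the
    kind of symptom that blocked multicast hellos produce."""
    if hello_silence_s < holdtime_s:
        return {current.ip}
    return {r.ip for r in routers}


# Constructed stand-ins for the two routers in the question (x.x.x.36 / x.x.x.37).
# The second config reads "prempt"; it is taken as "preempt" here.
r36 = HsrpRouter("192.0.2.36", priority=150, preempt=True, track_decrement=10)
r37 = HsrpRouter("192.0.2.37", priority=140, preempt=True, track_decrement=20)

if __name__ == "__main__":
    print(elect_active([r36, r37]).ip)                      # 192.0.2.36 (150 > 140)
    r36.serial_up = False                                   # 150 - 10 = 140: a tie
    print(elect_active([r36, r37], current=r36).ip)         # 192.0.2.37 wins on IP
    r36.serial_up = True
    print(elect_active([r36, r37], current=r37).ip)         # 192.0.2.36 preempts back
    print(routers_claiming_active([r36, r37], r36, 12))     # both claim active
```

Note that with the quoted decrements a single serial0 failure on .36 produces an exact priority tie, so the handover then depends on the IP tie-break and on .37 actually having preempt configured.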