RE: WIC-2T & 3725 routers [7:63095]
Hi,

The problem actually is physical, the modules cannot be fitted into any of the slots, even though I tried more than one module.

Please advise,

Kindest regards,
Mamoon

-----Original Message-----
From: Anne Beatriz [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 16, 2003 3:18 AM
To: [EMAIL PROTECTED]
Subject: Re: WIC-2T & 3725 routers [7:63095]

Hello,

I was having this problem with this module, what image are you using? I did a downgrade of the image.

regards!!
Anne Beatriz

----- Original Message -----
From: "Mamoon Dawood"
To:
Sent: Saturday, February 15, 2003 2:53 AM
Subject: WIC-2T & 3725 routers [7:63095]

> Hello,
>
> I am trying to install WIC-2T on the Cisco 3725/3745, it is not
> fitting physically?
>
> Can you please advise if I can use the regular WIC-2T or there is
> special 2T module for the Cisco 3725?
>
> Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63121&t=63095
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
frame relay lmi-n39x functions [7:63120]
Hi all,

While practicing frame-relay lmi-n39x commands, I cannot make the commands work as they are supposed to.

Scenario: frame-relay switch RA

On RA, use lmi autosense. Basic FR function works fine, following config is abstract only:

interface serial 0
 encapsulation frame-relay
 frame-relay interface-dlci 401
 ip address 150.50.24.2 255.255.255.0
 frame-relay lmi-n391dte 3
 frame-relay lmi-n392dte 2
 frame-relay lmi-n393dte 2
 keepalive 10

If "debu frame lmi" is turned on, I would expect every 30 seconds, 3 status requests will be sent out serial0 as a result of "frame-relay lmi-n391dte 3" and "lmi autosense". But I can only see one status request is sent. Tried shut/no shut interface, etc. to no avail.

Any idea how these commands affect frame relay behaviors?

Thanks
Paul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63120&t=63120
RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]
Kim,

It will work, I've done it before. It is true that you can only have 1 crypto map per interface, but you can have multiple ISAKMP/IPSEC policies for different tunnels in that crypto map. However, for dynamic crypto map used for remote access VPN, what happens is that the dynamic crypto map is just like the normal crypto map in the way it's defined, but you hook up the dynamic crypto map to the crypto map which is applied to the interface. Check out the link below.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/ipsecint.htm

One limitation I encountered with client VPN on a PIX is that you won't be able to use local authentication, since PIX doesn't support local usernames/password like the IOS. So you just log in with groupname and password. Although you can hook it up to an ACS server to do your extended authentication to specify different users.

Regards,
Albert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kim Seng
Sent: Sunday, February 16, 2003 4:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]

Greetings,

Can I configure the PIX to do both site-to-site and Remote access VPN at the same time? I think it is impossible since I can only apply one crypto map to the outside interface. Can someone confirm?

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63119&t=63100
Ingress ACL for internet routers [7:63118]
Hello Group,

I'm currently trying to refine security for my Internet routers by developing my ingress ACL. My routers aren't ISP routers, they are more of a gateway/border router for your standard enterprise which connects to the ISP. I know that the ISP may use some filtering on their end, but doing ingress filtering again on your router is always a good idea.

Reading through MCSN and SAFE whitepapers, they pretty much suggest filtering for RFC1918 and RFC2827, which I don't think is enough for a production router.

Also, you guys might suggest to use a firewall. The point of the gateway/border router is to function as the router that connects to the Internet before the firewall, so it is used in tandem with the firewall. Any sort of ACL to only permit certain ports for accessing backend servers should only be added on the firewall.

Here are a couple of links I've been referring to for developing my ACL:

http://www.cymru.com/Documents/icmp-messages.html
http://www.cymru.com/Documents/secure-ios-template.html

If you look at the ACL that the link above had, it is huge, does anyone think it is relevant for my requirements? What about the null0 routes, I would imagine that it's only useful for the ISP routers since they are routing ISP traffic and need to black-hole those routes.

Here is the current ACL I'm using

access-list 150 remark Inbound Packet Filter from Internet
access-list 150 remark Limit ICMP messages
access-list 150 deny icmp any any log-input fragments
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any packet-too-big
access-list 150 permit icmp any any source-quench
access-list 150 permit icmp any any time-exceeded
access-list 150 deny icmp any any log-input
access-list 150 remark Deny invalid IP sources
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 150 deny ip 240.0.0.0 7.255.255.255 any log-input
access-list 150 deny ip 248.0.0.0 7.255.255.255 any log-input
access-list 150 deny ip host 255.255.255.255 any log-input
access-list 150 remark Permit all other traffic
access-list 150 permit ip any any

A couple of things I can think of in improving my ACL is firstly by logging all the ICMP traffic that I'm denying. Currently, I'm denying all other ICMP traffic that doesn't match the traffic I permitted, and logging it. In my production routers, I'm seeing my logs have logged quite a few ICMP denies, I think it would be a good idea to log all the different ICMP message types that have been denied just to see what is being sent to my network that is being denied.

eg.
access-list 199 permit icmp any any host-redirect

Secondly, maybe increasing the number of non-valid ip address ranges coming in, and using Turbo ACL. Has anyone had experience with Turbo ACL?

What about egress ACL, should I consider an egress ACL? Maybe just to permit traffic from my network to go out the network, just in case someone within tries to spoof traffic?

I'm trying to keep the ACL as generic as possible, so I can use it for all different routers that connect to the Internet, and add any changes as needed to tailor for each different network.

Thanks in advance for your suggestions.

Regards,
Albert Lu

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63118&t=63118
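Added example (not part of the original post, and not Cisco or Team Cymru code): a small Python model of first-match evaluation run over ACL 150 as posted, showing which entry decides a few constructed packets and which entries can never match. It models only protocol, source address, ICMP type name and the fragments keyword; the helper names and the packet dictionaries are assumptions made for illustration.

```python
import ipaddress
from collections import namedtuple

M = 0xFFFFFFFF  # 32-bit mask
# ACL 150 as posted in the message above, remark lines left out.
ACL_150 = """\
access-list 150 deny icmp any any log-input fragments
access-list 150 permit icmp any any echo
access-list 150 permit icmp any any echo-reply
access-list 150 permit icmp any any packet-too-big
access-list 150 permit icmp any any source-quench
access-list 150 permit icmp any any time-exceeded
access-list 150 deny icmp any any log-input
access-list 150 deny ip 0.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 10.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 127.0.0.0 0.255.255.255 any log-input
access-list 150 deny ip 169.254.0.0 0.0.255.255 any log-input
access-list 150 deny ip 172.16.0.0 0.15.255.255 any log-input
access-list 150 deny ip 192.168.0.0 0.0.255.255 any log-input
access-list 150 deny ip 192.0.2.0 0.0.0.255 any log-input
access-list 150 deny ip 224.0.0.0 15.255.255.255 any log-input
access-list 150 deny ip 240.0.0.0 7.255.255.255 any log-input
access-list 150 deny ip 248.0.0.0 7.255.255.255 any log-input
access-list 150 deny ip host 255.255.255.255 any log-input
access-list 150 permit ip any any
"""

# src_base has the wildcard bits cleared; src_wild 1 bits mean "don't care".
Entry = namedtuple("Entry", "action proto src_base src_wild icmp_type fragments")

def ip(s):
    return int(ipaddress.IPv4Address(s))

def addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i] -> (base, wildcard, next index)."""
    if tok[i] == "any":
        return 0, M, i + 1
    if tok[i] == "host":
        return ip(tok[i + 1]), 0, i + 2
    return ip(tok[i]) & ~ip(tok[i + 1]) & M, ip(tok[i + 1]), i + 2

def parse(acl_text):
    entries = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        base, wild, i = addr(tok, 4)
        _, _, i = addr(tok, i)  # destination is "any" in every posted entry; not modelled
        opts = [t for t in tok[i:] if t not in ("log", "log-input")]
        icmp_type = next((t for t in opts if t != "fragments"), None)
        entries.append(Entry(tok[2], tok[3], base, wild, icmp_type, "fragments" in opts))
    return entries

def src_covers(a, b):
    """True if every source address matched by b is also matched by a."""
    return (b.src_wild & ~a.src_wild & M) == 0 and (b.src_base & ~a.src_wild & M) == a.src_base

def matches(e, pkt):
    # Simplification: a fragment carries no ICMP type here, so only type-less entries see it.
    return ((e.proto == "ip" or e.proto == pkt["proto"])
            and (ip(pkt["src"]) & ~e.src_wild & M) == e.src_base
            and (not e.fragments or pkt.get("fragment", False))
            and (e.icmp_type is None or e.icmp_type == pkt.get("icmp_type")))

def evaluate(entries, pkt):
    """First match wins; returns (action, 1-based entry number), 0 = implicit deny."""
    for n, e in enumerate(entries, 1):
        if matches(e, pkt):
            return e.action, n
    return "deny", 0

def shadowed(entries):
    """(entry, earlier entry) pairs where the earlier entry already matches everything."""
    out = []
    for j, b in enumerate(entries):
        for i, a in enumerate(entries[:j]):
            if ((a.proto == "ip" or a.proto == b.proto) and src_covers(a, b)
                    and (a.icmp_type is None or a.icmp_type == b.icmp_type)
                    and (not a.fragments or b.fragments)):
                out.append((j + 1, i + 1))
                break
    return out

def permits_before_source_denies(entries):
    """Permit entries that accept a source range which a later deny entry blocks."""
    hits = set()
    for j, b in enumerate(entries):
        if b.action == "deny" and b.src_wild != M:
            for i, a in enumerate(entries[:j]):
                overlap = a.proto == b.proto or "ip" in (a.proto, b.proto)
                if a.action == "permit" and overlap and src_covers(a, b):
                    hits.add(i + 1)
    return sorted(hits)

if __name__ == "__main__":
    acl = parse(ACL_150)
    spoofed_echo = {"proto": "icmp", "src": "10.1.2.3", "icmp_type": "echo"}  # constructed packet
    print(evaluate(acl, spoofed_echo), shadowed(acl), permits_before_source_denies(acl))
```

Because entries 2 to 6 permit ICMP from any source ahead of the invalid-source denies, an echo with a 10.0.0.0/8 source is accepted at entry 2 in this model, so moving the source denies above the ICMP permits changes the result. Entry 18 never matches because the 248.0.0.0 7.255.255.255 entry before it already covers 255.255.255.255.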
Re: Layer3 Routers VS Switches [7:63072]
"Peter van Oene" wrote in message news:[EMAIL PROTECTED]...
> At 12:22 PM 2/15/2003 +, Juntao wrote:
> >indeed with L3 switching, we can more closely arrive at wire speed, but in
> >the course of my practice, i seen L3 switches mainly interconnecting Lan's,
> >yes a flexwan module exists to interconnect wan's on the same box but usually
> >we like to separate the lan's from wans for the sake of isolation and
> >greater security implementation options.
>
> Routers have delivered OC-192 wire speed routing for a few years now. I
> personally don't know what an L3 switch is technically. It reminds me of
> the L2 switch. Just another bit of marketing.

a switch with routing capability is an L3 switch. interestingly, there are modules for the 366x and, if memory serves, 37xx routers that provide 36 10/100 ports plus 2 gig ports, making these L2 routers, I guess. So the question is, which is better, an L3 switch or an L2 router? ;->

> >i hope the above helps
> >
> >"Larry Letterman" wrote in message news:
> >[EMAIL PROTECTED]
> > > L3 is usually considered to be wire speed and uses faster
> > > asics...
> > > Routers such as 7200/7500 use older slower hardware to
> > > route...
> > >
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> > >
> > > - Original Message -
> > > From: "Nanda"
> > > To:
> > > Sent: Friday, February 14, 2003 4:46 PM
> > > Subject: Layer3 Routers VS Switches [7:63072]
> > >
> > > > Hi Guys...
> > > >
> > > > We have Layer3 Switches and routers...In what scenario one
> > > would ideally use
> > > > Layer3 switches over routers..
> > > > Do They have any significant advantage over using
> > > routers
> > > > Why do they have layer3 switches when we have routers are
> > > good enough to do
> > > > the job...
> > > > I am confused...I would appreciate if someone could clarify.
> > > >
> > > > Thanks in Advance
> > > > __
> > > > With Warm Regards...
> > > > Nanda
> > > [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63117&t=63072
Re: Dropped Packet on 6506 switch [7:63053]
it's real hard to offer any suggestions without knowing more. if you could provide a sanitized show run, that might help. also, can you provide the show int that is indicating dropped packets. I did not see anything in your previous offerings.

"Sam Sneed" wrote in message news:[EMAIL PROTECTED]...
> There are no static routes to these ports. I guess I am in Hybrid mode. I
> need to enter session 15 command to connect to router module. Then it's IOS
> interface. The dropped packets don't appear when doing sh int on router. I'm
> starting to wonder if it could be a bad card.
>
> "The Long and Winding Road" wrote in
> message news:[EMAIL PROTECTED]...
> > "Priscilla Oppenheimer" wrote in message
> > news:[EMAIL PROTECTED]...
> > > If nothing's plugged in, it has to drop the packets!?! :-) Are you sure this
> > > isn't normal? Being a switch, it shouldn't be sending any unicasts out the
> > > port, because it couldn't have learned a MAC address that is out that port,
> > > but it could still send broadcasts and multicasts.
> > >
> > > Sorry, if that's a clueless answer, but it is a "common sense" answer from
> > > someone who doesn't work with 6505 switches.. :-)
> >
> > not at all clueless. I did not see a spot among all the "show" outputs where
> > packets dropped is indicated.
> >
> > I'm thinking "show interface"
> >
> > I'm also thinking that maybe there are static routes pointing out those
> > ports, and someone somewhere is generating traffic destined for those ports.
> > Maybe the author of the original post could supply some more specific
> > information - such as extensive outputs from the "show run" ??
> >
> > for those unfamiliar with the higher end boxes, hybrid mode refers to running
> > Cat OS and IOS on the same box. The lower end boxes - 2950, 3550, and
> > 4xxx with sup 3 or better, run IOS native mode.
> >
> > cat 4xxx with the sup 2 run Cat OS mode.
> >
> > 65xx without the MSFC card run Cat OS mode. Add the MSFC card, and you have
> > hybrid mode. unless something has changed recently, you cannot run a 65xx in
> > native IOS mode only - it has to be an L2 box alone, or a hybrid box,
> > running IOS and Cat OS.
> >
> > > Priscilla
> > >
> > > Sam Sneed wrote:
> > > >
> > > > I'm not sure what you mean by hybrid mode. I have the sh ver,
> > > > sh mod, sh ver
> > > > for MSFC and below. I have nothing plugged into at least 3
> > > > ports which still
> > > > report dropped packets. 800,000 daily. What's strange is that
> > > > the 800,000 is
> > > > almost the same on all 3 ports. I have disabled them since then
> > > > but would
> > > > like to know why I was getting those numbers. The MSFC does the
> > > > layer 3
> > > > routing, but the dropped packets were at L2 I believe. Any
> > > > ideas?
> > > >
> > > > Console1> sh ver
> > > > WS-C6509 Software, Version NmpSW: 7.1(2)
> > > > Copyright (c) 1995-2002 by Cisco Systems
> > > > NMP S/W compiled on Feb 7 2002, 16:06:00
> > > >
> > > > System Bootstrap Version: 5.3(1)
> > > >
> > > > Hardware Version: 2.0 Model: WS-C6509 Serial #:
> > > >
> > > > PS1 Module: WS-CAC-2500WSerial #:
> > > > PS2 Module: WS-CAC-1300WSerial #:
> > > >
> > > > Mod Port Model Serial #Versions
> > > > --- --- --- -
> > > > 1 2WS-X6K-SUP1A-2GESA Hw : 3.1
> > > > Fw : 5.3(1)
> > > > Fw1: 5.1(1)CSX
> > > > Sw : 7.1(2)
> > > > Sw1: 7.1(2)
> > > > WS-F6K-PFC SHw : 1.1
> > > > 2 2WS-X6K-SUP1A-2GESAxx Hw : 3.1
> > > > Fw : 5.3(1)
> > > > Fw1: 5.1(1)CSX
> > > > Sw : 7.1(2)
> > > > Sw1: 7.1(2)
> > > > WS-F6K-PFC Sxx Hw : 1.1
> > > > 3 48 WS-X6348-RJ-45 SAx Hw : 1.4
> > > > Fw : 5.4(2)
> > > > Sw : 7.1(2)
> > > > 4 48 WS-X6348-RJ-45 Hw : 6.0
> > > > Fw : 5.4(2)
> > > > Sw : 7.1(2)
> > > > WS-F6K-VPWR Hw : 1.0
> > > > 5 48 WS-X6348-RJ-45 SAL0422 Hw : 6.0
> > > > Fw : 5.4(2)
> > > > Sw : 7.1(2)
> > > > WS-F6K-VPWR Hw : 1.0
> > > > 6 16 WS-X6416-GBIC SAx0JUW Hw : 1.2
> > > > Fw : 5.4(2)
> > > > Sw : 7.1(2)
> > > > 7 48
RE: access-group difference [7:62769]
Thanks Jose, I got the concept.

Ismail Al-Shelh

-----Original Message-----
From: Jose Canillas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 16, 2003 1:24 AM
To: [EMAIL PROTECTED]
Subject: Re: access-group difference [7:62769]

Let me try to help you,

"Access-group x in interface inside" means, apply x access-list restriction to all traffic entering the inside interface (AKA outbound traffic)

"Access-group y in interface outside" means, apply y access-list restriction to all traffic entering the outside interface (AKA inbound traffic)

Why can you apply in and out ACLs to any interface? This makes sense in three or more interface firewalls, the trick is that you could have traffic coming from the inside interface and going to the outside network OR going to another interface's network, that is basically the difference. Same thing happens with the traffic coming from the outside network, its destination could be the inside network, which is for sure in the case of two interfaces firewall, BUT, its destination could also be, let's say, the DMZ network, in the case of a three interface firewall. That's why you need out and in ACLs on every interface.

About what you say:

> If both commands access-group in interface inside and access-group in
> interface outside meant for the inbound traffic then why Cisco experts
> designed the two commands for the same result !

Each command applies to different traffic, the first is for outbound and the second for inbound.

Regards,
Jose

---

"Ismail Al-Shelh" wrote in message news:[EMAIL PROTECTED]...
> Well am again confused, because the thing which was in my mind that
> access-group acl_in in interface inside means that the access-list binds to
> the inside interface for the outbound traffic not the inbound traffic!
>
> I agree that the command access-group acl_out in interface outside mean that
> the access-list bind to the outside interface for the inbound traffic, and
> this is so clear because every thing from outside of the pix to the inside
> is denied.
>
> The confusion right now in the real meaning of the
> access-group in interface inside
>
> Am I making any sense?
>
> If both commands access-group in interface inside and access-group in
> interface outside meant for the inbound traffic then why Cisco experts
> designed the two commands for the same result !
>
> Ismail Al-Shelh
> Abdulla Fouad Company
> Network Engineer
> CD-Dammam
>
> -----Original Message-----
> From: BJ Rice [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 10, 2003 10:37 PM
> To: [EMAIL PROTECTED]
> Subject: RE: access-group difference [7:62769]
>
> oops, one mistake
>
> I meant to say this
>
> access-group acl_in in interface inside - binds the acl_in access list
> (created above) to the inside interface .
>
> instead of this
> access-group acl_in in interface inside - binds the acl_in access list
> (created above) to the outside interface (for inbound traffic).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63115&t=62769
Re: FTP site needed for MPLS for 2500 files [7:63070]
Dennis,

I tried to pull the images but identification (username,password) was asked from me.

Dennis Laganiere wrote:
> As long as it's available to everybody, that's good enough for me.
>
> Thanks...
>
> --- Dennis
>
> -----Original Message-----
> From: Aidan Marks [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 14, 2003 12:34 PM
> To: Dennis Laganiere
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: FTP site needed for MPLS for 2500 files
>
> The 2500 mpls images are available here:
>
> ftp://ftp-eng.cisco.com/rraszuk/specials/
>
> They have been there for a while. What more do you need?
>
> Aidan
>
> At 07:09 AM 15/02/2003, Dennis Laganiere wrote:
>
> >A few months ago I put together a free document for loading an experimental
> >version of IOS that allows you to run MPLS on cheap 2500 series routers. I
> >didn't create the software, I just gave instructions for installing it and
> >then pointed out where the files were, for anybody who wanted to play with
> >it.
> >
> >Since then the ftp site where the files were posted keeps deleting them (not
> >surprising, since I didn't ask permission)... Is anyone running an FTP
> >server where the files can be posted for anybody who wants to play with MPLS
> >to be able to pull them down? Think of it as contributing to the common
> >good of the group (or rather, groupstudy)...
> >
> >Let me know. Thanks...
> >
> >--- Dennis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63114&t=63070
OT::: HorseTrade [7:63113]
Looking to do a "horse trade"

What I have:::
==
2511 RJ
01 Serial
01 Ether [AUI Transceiver included]
16 Async Ports [RJ, no Async cable required, 16 Rolled cables included]
Memory/Flash ::: will match trade
11.2.18P

What I'm looking for:::
==
250x [2501, 2503, 2505, 2507] or 4000 ethernet modules

I'm in Washington, so LOCAL [WA, OR] would get preference, but I'm willing to ship WITHIN THE U.S. [Registered mail, insured, etc]

Thanks
TroyC
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63113&t=63113
invalid checksum [7:63112]
Hi,

I have a 4000-M router that I installed 2 4 Meg flash modules in and I partitioned them to look like it's an 8 Meg module. I loaded an IOS image on it. Everything looks ok and it works fine until I power off the router. After I power down the router and then start it back up it boots into the router prompt. On doing a show flash I see an invalid checksum. Is it because I am using 2 4 Meg flash modules? I know if I use a single 8 Meg module it works fine but I am just trying to put my 4 Meg modules to good use. After I tftp another image it works fine until I power off the router and then again it's the same thing.

I would appreciate any help. Please let me know.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63112&t=63112
Re: AUX port and modems [7:62877]
Sure you can use a pair of modems, somewhere I heard it was done even with internal dial-up modems, I'm sure it can be done with any pair of analog leased-line modems.

That would be useful only if the router you want to access to, is more than the length of a console cable away, otherwise I don't see why not connect directly the serial of your host to the AUX of the router using the console cable and the appropriate adapter.

Jose Canillas

"s vermill" wrote in message news:[EMAIL PROTECTED]...
> [EMAIL PROTECTED] wrote:
> >
> > J,
> >
> > Thanks for responding. What I am trying to do is simulate a
> > dial-up
> > connection to a router without an external telephone line.
> >
> > The first option looks to me good but I will not be able to
> > program the AUX
> > port. Or am I wrong?
>
> The AUX port can be set to act as a CONS port. You would be able to modify
> any aspect of the router config from the AUX, including the AUX itself. But
> it won't really *simulate* a dialup.
>
> >
> > About the second option, can I connect the 2 modems back to
> > back and still
> > be able to program the router to accept dial-up?
> >
> > host---modem---modem--AUX (router)
>
> Two standard analog modems won't talk back to back. You need a telephone
> line simulator to do that (or a telephone line!). I bought one about a year
> ago for around $500. Got it from Black Box.
>
> >
> > Regards,
> > MO
> >
> > "Jarett D. Chaiken"
> > kills.com>
> > 10/02/2003 11:27 AM
> >
> > To:
> > cc:
> > Subject: Re: AUX port and modems [7:62755]
> >
> > Well, I can think of a couple of ways.
> >
> > The first and most obvious to me is to not use the modem at
> > all, and just
> > connect the Host to the AUX port.
> >
> > The second method involves using a Phone system (Key System,
> > PBX, FXS
> > ports) to connect the 2 modems (You'll need 2 modems.
> > Host->Modem---Modem->AUX Port). If I understood what you were
> > trying to
> > accomplish I could assist you better.
> >
> > J
> >
> > wrote in message
> > news:...
> > > I need to connect to the AUX port using a modem. The only
> > problem is that I
> > > do not want to use an external telephone line. Is there a way
> > to simulate:
> > >
> > > host--modemAUX (router)
> > >
> > > Where can I find the information?
> > >
> > > Thanks in advance.
> > > MO

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63111&t=62877
Re: Dropped Packet on 6506 switch [7:63053]
There are no static routes to these ports. I guess I am in Hybrid mode. I need to enter session 15 command to connect to router module. Then it's IOS interface. The dropped packets don't appear when doing sh int on router. I'm starting to wonder if it could be a bad card.

"The Long and Winding Road" wrote in message news:[EMAIL PROTECTED]...
> "Priscilla Oppenheimer" wrote in message
> news:[EMAIL PROTECTED]...
> > If nothing's plugged in, it has to drop the packets!?! :-) Are you sure this
> > isn't normal? Being a switch, it shouldn't be sending any unicasts out the
> > port, because it couldn't have learned a MAC address that is out that port,
> > but it could still send broadcasts and multicasts.
> >
> > Sorry, if that's a clueless answer, but it is a "common sense" answer from
> > someone who doesn't work with 6505 switches.. :-)
>
> not at all clueless. I did not see a spot among all the "show" outputs where
> packets dropped is indicated.
>
> I'm thinking "show interface"
>
> I'm also thinking that maybe there are static routes pointing out those
> ports, and someone somewhere is generating traffic destined for those ports.
> Maybe the author of the original post could supply some more specific
> information - such as extensive outputs from the "show run" ??
>
> for those unfamiliar with the higher end boxes, hybrid mode refers to running
> Cat OS and IOS on the same box. The lower end boxes - 2950, 3550, and
> 4xxx with sup 3 or better, run IOS native mode.
>
> cat 4xxx with the sup 2 run Cat OS mode.
>
> 65xx without the MSFC card run Cat OS mode. Add the MSFC card, and you have
> hybrid mode. unless something has changed recently, you cannot run a 65xx in
> native IOS mode only - it has to be an L2 box alone, or a hybrid box,
> running IOS and Cat OS.
>
> > Priscilla
> >
> > Sam Sneed wrote:
> > >
> > > I'm not sure what you mean by hybrid mode. I have the sh ver,
> > > sh mod, sh ver
> > > for MSFC and below. I have nothing plugged into at least 3
> > > ports which still
> > > report dropped packets. 800,000 daily. What's strange is that
> > > the 800,000 is
> > > almost the same on all 3 ports. I have disabled them since then
> > > but would
> > > like to know why I was getting those numbers. The MSFC does the
> > > layer 3
> > > routing, but the dropped packets were at L2 I believe. Any
> > > ideas?
> > >
> > > Console1> sh ver
> > > WS-C6509 Software, Version NmpSW: 7.1(2)
> > > Copyright (c) 1995-2002 by Cisco Systems
> > > NMP S/W compiled on Feb 7 2002, 16:06:00
> > >
> > > System Bootstrap Version: 5.3(1)
> > >
> > > Hardware Version: 2.0 Model: WS-C6509 Serial #:
> > >
> > > PS1 Module: WS-CAC-2500WSerial #:
> > > PS2 Module: WS-CAC-1300WSerial #:
> > >
> > > Mod Port Model Serial #Versions
> > > --- --- --- -
> > > 1 2WS-X6K-SUP1A-2GESA Hw : 3.1
> > > Fw : 5.3(1)
> > > Fw1: 5.1(1)CSX
> > > Sw : 7.1(2)
> > > Sw1: 7.1(2)
> > > WS-F6K-PFC SHw : 1.1
> > > 2 2WS-X6K-SUP1A-2GESAxx Hw : 3.1
> > > Fw : 5.3(1)
> > > Fw1: 5.1(1)CSX
> > > Sw : 7.1(2)
> > > Sw1: 7.1(2)
> > > WS-F6K-PFC Sxx Hw : 1.1
> > > 3 48 WS-X6348-RJ-45 SAx Hw : 1.4
> > > Fw : 5.4(2)
> > > Sw : 7.1(2)
> > > 4 48 WS-X6348-RJ-45 Hw : 6.0
> > > Fw : 5.4(2)
> > > Sw : 7.1(2)
> > > WS-F6K-VPWR Hw : 1.0
> > > 5 48 WS-X6348-RJ-45 SAL0422 Hw : 6.0
> > > Fw : 5.4(2)
> > > Sw : 7.1(2)
> > > WS-F6K-VPWR Hw : 1.0
> > > 6 16 WS-X6416-GBIC SAx0JUW Hw : 1.2
> > > Fw : 5.4(2)
> > > Sw : 7.1(2)
> > > 7 48 WS-X6248-TELSAD0x48 Hw : 1.0
> > > Fw : 4.2(0.24)VAI78
> > > Sw : 7.1(2)
> > > 8 48 WS-X6248A-TEL SADxx0S Hw : 2.0
> > > Fw : 5.4(2)
> > > Sw : 7.1(2)
> > > 9 48 WS-X6248A-TEL SADxxRZ Hw : 2.0
> > > Fw : 5.4(2)
> > > Sw : 7.1(2)
> > > 15 1WS-F6K-MSFC S
Re: Dropped Packet on 6506 switch [7:63053]
If the port is not connected why would it attempt to send unicast packets through it? Passing packets to a switchport in the disconnected state would not make sense. I imagine that the logic built into the switch would not do this. I have other switches, Extreme networks, that do not register any dropped packets for unplugged interfaces. Neither do Cisco 2924XL or 3548XL. I believe for some reason it's dropping valid packets. It would be hard to confirm this but it seems TCP connections are being dropped on some servers.

"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> If nothing's plugged in, it has to drop the packets!?! :-) Are you sure this
> isn't normal? Being a switch, it shouldn't be sending any unicasts out the
> port, because it couldn't have learned a MAC address that is out that port,
> but it could still send broadcasts and multicasts.
>
> Sorry, if that's a clueless answer, but it is a "common sense" answer from
> someone who doesn't work with 6505 switches.. :-)
>
> Priscilla
>
> Sam Sneed wrote:
> >
> > I'm not sure what you mean by hybrid mode. I have the sh ver,
> > sh mod, sh ver
> > for MSFC and below. I have nothing plugged into at least 3
> > ports which still
> > report dropped packets. 800,000 daily. What's strange is that
> > the 800,000 is
> > almost the same on all 3 ports. I have disabled them since then
> > but would
> > like to know why I was getting those numbers. The MSFC does the
> > layer 3
> > routing, but the dropped packets were at L2 I believe. Any
> > ideas?
> >
> > Console1> sh ver
> > WS-C6509 Software, Version NmpSW: 7.1(2)
> > Copyright (c) 1995-2002 by Cisco Systems
> > NMP S/W compiled on Feb 7 2002, 16:06:00
> >
> > System Bootstrap Version: 5.3(1)
> >
> > Hardware Version: 2.0 Model: WS-C6509 Serial #:
> >
> > PS1 Module: WS-CAC-2500WSerial #:
> > PS2 Module: WS-CAC-1300WSerial #:
> >
> > Mod Port Model Serial #Versions
> > --- --- --- -
> > 1 2WS-X6K-SUP1A-2GESA Hw : 3.1
> > Fw : 5.3(1)
> > Fw1: 5.1(1)CSX
> > Sw : 7.1(2)
> > Sw1: 7.1(2)
> > WS-F6K-PFC SHw : 1.1
> > 2 2WS-X6K-SUP1A-2GESAxx Hw : 3.1
> > Fw : 5.3(1)
> > Fw1: 5.1(1)CSX
> > Sw : 7.1(2)
> > Sw1: 7.1(2)
> > WS-F6K-PFC Sxx Hw : 1.1
> > 3 48 WS-X6348-RJ-45 SAx Hw : 1.4
> > Fw : 5.4(2)
> > Sw : 7.1(2)
> > 4 48 WS-X6348-RJ-45 Hw : 6.0
> > Fw : 5.4(2)
> > Sw : 7.1(2)
> > WS-F6K-VPWR Hw : 1.0
> > 5 48 WS-X6348-RJ-45 SAL0422 Hw : 6.0
> > Fw : 5.4(2)
> > Sw : 7.1(2)
> > WS-F6K-VPWR Hw : 1.0
> > 6 16 WS-X6416-GBIC SAx0JUW Hw : 1.2
> > Fw : 5.4(2)
> > Sw : 7.1(2)
> > 7 48 WS-X6248-TELSAD0x48 Hw : 1.0
> > Fw : 4.2(0.24)VAI78
> > Sw : 7.1(2)
> > 8 48 WS-X6248A-TEL SADxx0S Hw : 2.0
> > Fw : 5.4(2)
> > Sw : 7.1(2)
> > 9 48 WS-X6248A-TEL SADxxRZ Hw : 2.0
> > Fw : 5.4(2)
> > Sw : 7.1(2)
> > 15 1WS-F6K-MSFC SAD04xx0DSF Hw : 1.4
> > Fw : 12.1(3a)E4
> > Sw : 12.1(3a)E4
> > 16 1WS-F6K-MSFC SAD04xx0BHV Hw : 1.4
> > Fw : 12.1(3a)E4
> > Sw : 12.1(3a)E4
> >
> > DRAMFLASH NVRAM
> > Module Total UsedFreeTotal UsedFreeTotal U
> > -- --- --- --- --- --- --- - -
> > 1 65408K 44172K 21236K 16384K 9786K 6598K 512K
> >
> > Uptime is 352 days, 4 hours, 30 minutes
> >
> > Console1> sh mod
> > Mod Slot Ports Module-Type Model
> > Sub Status
> > --- - - ---
> > --- --
> > 1 12 1000BaseX Supervisor WS-X6K-SUP1A-2GE
> > yes ok
> > 15 11 Multilayer Switch Feature WS-F6K-MSFC
> > no ok
> > 2 2
Re: Layer3 Routers VS Switches [7:63072]
At 12:22 PM 2/15/2003 +, Juntao wrote:
>indeed with L3 switching, we can more closely arrive at wire speed, but in
>the course of my practice, i seen L3 switches mainly interconnecting Lan's,
>yes a flexwan module exists to interconnect wan's on the same box but usually
>we like to separate the lan's from wans for the sake of isolation and
>greater security implementation options.

Routers have delivered OC-192 wire speed routing for a few years now. I personally don't know what an L3 switch is technically. It reminds me of the L2 switch. Just another bit of marketing.

>i hope the above helps
>
>"Larry Letterman" wrote in message news:
>[EMAIL PROTECTED]
> > L3 is usually considered to be wire speed and uses faster
> > asics...
> > Routers such as 7200/7500 use older slower hardware to
> > route...
> >
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
> >
> > - Original Message -
> > From: "Nanda"
> > To:
> > Sent: Friday, February 14, 2003 4:46 PM
> > Subject: Layer3 Routers VS Switches [7:63072]
> >
> > > Hi Guys...
> > >
> > > We have Layer3 Switches and routers...In what scenario one
> > would ideally use
> > > Layer3 switches over routers..
> > > Do They have any significant advantage over using
> > routers
> > > Why do they have layer3 switches when we have routers are
> > good enough to do
> > > the job...
> > > I am confused...I would appreciate if someone could clarify.
> > >
> > > Thanks in Advance
> > > __
> > > With Warm Regards...
> > > Nanda
> > [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63108&t=63072
Re: WIC-2T & 3725 routers [7:63095]
Hello,

I was having this problem with this module, what image are you using? I did a downgrade of the image.

regards!!
Anne Beatriz

- Original Message -
From: "Mamoon Dawood"
To:
Sent: Saturday, February 15, 2003 2:53 AM
Subject: WIC-2T & 3725 routers [7:63095]

> Hello,
>
> I am trying to install WIC-2T on the Cisco 3725/3745, it is not fitting
> physically?
>
> Can you please advise if I can use the regular WIC-2T or there is
> special 2T module for the Cisco 3725?
>
> Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63107&t=63095
Re: access-group difference [7:62769]
Let me try to help you,

"Access-group x in interface inside" means, apply x access-list restriction to all traffic entering the inside interface (AKA outbound traffic)

"Access-group y in interface outside" means, apply y access-list restriction to all traffic entering the outside interface (AKA inbound traffic)

Why can you apply in and out ACLs to any interface? This makes sense in three or more interface firewalls, the trick is that you could have traffic coming from the inside interface and going to the outside network OR going to another interface's network, that is basically the difference. Same thing happens with the traffic coming from the outside network, its destination could be the inside network, which is for sure in the case of two interfaces firewall, BUT, its destination could also be, let's say, the DMZ network, in the case of a three interface firewall. That's why you need out and in ACLs on every interface.

About what you say:

> If both commands access-group in interface inside and access-group in
> interface outside meant for the inbound traffic then why Cisco experts
> designed the two commands for the same result !

Each command applies to different traffic, the first is for outbound and the second for inbound.

Regards,
Jose

---
"Ismail Al-Shelh" wrote in message news:[EMAIL PROTECTED]...
> Well am again confused, because the thing which was in my mind that
> access-group acl_in in interface inside means that the access-list binds to
> the inside interface for the outbound traffic not the inbound traffic!
>
> I agree that the command access-group acl_out in interface outside mean that
> the access-list bind to the outside interface for the inbound traffic, and
> this is so clear because every thing from outside of the pix to the inside
> is denied.
>
> The confusion right now in the real meaning of the
> access-group in interface inside
>
> Am I making any sense?
>
> If both commands access-group in interface inside and access-group in
> interface outside meant for the inbound traffic then why Cisco experts
> designed the two commands for the same result !
>
> Ismail Al-Shelh
> Abdulla Fouad Company
> Network Engineer
> CD-Dammam
>
> -Original Message-
> From: BJ Rice [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 10, 2003 10:37 PM
> To: [EMAIL PROTECTED]
> Subject: RE: access-group difference [7:62769]
>
> oops, one mistake
>
> I meant to say this
>
> access-group acl_in in interface inside - binds the acl_in access list
> (created above) to the inside interface .
>
> instead of this
> access-group acl_in in interface inside - binds the acl_in access list
> (created above) to the outside interface (for inbound traffic).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63106&t=62769
RE: Ping ethernet interface with datagram over 1500 [7:63085]
Someone said "Think MTU," but I would say "Think IP Fragmentation and Reassembly." :) In other words, different MTUs isn't supposed to cause a problem for IP. However, your partner company could be sending pings with the Don't Fragment bit set, in which case it would fail, if there really is an MTU issue.

See additional comment below.

Sean Kim wrote:
>
> Hello,
>
> My company has this 3rd party connection through ATM. The ATM
> TA has an ethernet outlet which is and connected to our core
> router. Our partner company is connected with an ATM module on
> their router.
>
> Recently, I was told by our partner company that they were
> running ping test and they could not ping my ethernet interface
> (on the core router) with datagram over 1500 byte.
>
> From both the router itself and my workstation, I pinged my own
> interface with 1600 byte, and I was able to ping it. But when
> I pinged my partner company's interface with 1600 byte, it
> failed.

Well, this points to your partner's interface being the problem. Ping should reply with the same payload it received. With a large payload that needs to be broken up, problems could occur with either the request or reply. It sounds like the problems occur with the request when the partner pings and with the replies when you ping the partner.

The "debug ip icmp" command might help you figure out what is happening. A protocol analyzer would help too.

By the way, many firewalls are set to not allow IP fragments, since there's all sorts of evil things you can do with them. Check for the existence of firewalls, including any personal firewalls on the testing machines.

Good luck with it. Keep us posted!

Thanks,
___

Priscilla Oppenheimer
www.troubleshootingnetworks.com
www.priscilla.com

>
> In general it seems that pinging from other nodes, there is no
> problem, but sitting on the routers itself, pinging the other
> routers interface with the datagram size of over 1500 is failing.
>
> There isn't any problem with connection of performance. But I
> am very curious about why this is happening.
> Does anybody have any idea why this would happen? Or can
> anybody give me a clue as to how to approach this problem?
>
> Thank you in advance.
>
> Sean Kim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63105&t=63085
5k module [7:63104]
Does this WS-X5534-E1-GESX supervisor module support L3 switching? Or do I still need a RSM. I tried looking it up in cisco's site but I haven't had any luck.

--
The harder you work, the luckier you get!
The only place success comes before work is in the dictionary!!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63104&t=63104
Re: Layer3 Routers VS Switches [7:63072]
At 7:14 AM + 2/15/03, Larry Letterman wrote:
>L3 is usually considered to be wire speed and uses faster
>asics...
>Routers such as 7200/7500 use older slower hardware to
>route...

But to answer Nanda's original question, router vs. L3 switch is really a marketing distinction. Yes, _campus_ L3 switches often use different hardware implementations than WAN-oriented routers, but this is a cost engineering decision. Indeed, cost is more important than speed on SOHO and branch office routers, which require a different set of optimizations.

Are we saying that routers intended to deal with multiple OC-192, like the 12000 or Juniper M40, are slow?

The Nortel V15K router (no longer sold) was faster than a 7500, but nobody thought of it as a switch. While it did have multiple forwarding processors, the real difference was that it had a crossbar rather than a shared bus fabric. I worked on the internal design of its successors.

I don't think you could go to the IETF or IRTF and find anyone in the ISP world that makes the distinction that "switches" are faster. Multilayer switching has just become, IMNSHO, a marketing term that confuses things.

If you really want to look at high speed, consider a true optical (i.e., not optical-electronic-optical) relay. Is that a switch? Especially when it's switching lambdas, it's more of a layer 1 device. Its control, however, may very well be from a layer 3 engine, which runs routing protocols and controls the lambda switch by GMPLS.

It isn't useful to say a "L3 switch" is better or worse than a "router". It's necessary, certainly, to identify speeds and feeds, but also to look at other functionality. It's no accident, for example, that a 3550 doesn't have full BGP functionality -- that's a good value engineering decision. Enterprise switches rarely need the advanced QoS functions that a WAN router will.

The real difference is between "routing" (more precisely, path determination and setup) and "forwarding". The trend in high-end devices, more and more, is to separate these into different paths. See, for example, the work in the IETF FORCES WG, and know that there are lots of proprietary things in the labs that go much beyond.

For SOHO and branch office devices, cost is more an issue than speed. For campus core devices, speed is an important factor, but it can be achieved with parallelism (EtherChannel) and such as well as interface speed. There are a wide range of design choices on the internal fabric, such as main memory in small routers, shared routing memory in Junipers, shared bus as in the 7500, and single or multistage crossbar.

>- Original Message -
>From: "Nanda"
>To:
>Sent: Friday, February 14, 2003 4:46 PM
>Subject: Layer3 Routers VS Switches [7:63072]
>
>> Hi Guys...
>>
>> We have Layer3 Switches and routers...In what scenario one would ideally use
>> Layer3 switches over routers..
>> Do They have any significant advantage over using routers
>> Why do they have layer3 switches when we have routers are good enough to do
>> the job...
>> I am confused...I wud appreciate if someone cud clarify.
>>
>> Thanks in Advance
>> __
>> With Warm Regards...
>> Nanda

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63103&t=63072
RE: Site-to-Site and Remote Access VPN on PIX? [7:63100]
Look into Dynamic map configuration. It's an extension of the Crypto Map, as you can only apply one crypto map to the interface (outside). See CCO website for more details (search Google for "dynmap" and PIX, and you should find several examples). On CCO's site, do a search on Technical Tips on PIX

HTH's
-Mark

-Original Message-
From: Kim Seng [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 15, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: Site-to-Site and Remote Access VPN on PIX? [7:63100]

Greetings,

Can I configure the PIX to do both site-to-site and Remote access VPN at the same time? I think it is impossible since I can only apply only one crypto map to the outside interface. Can someone confirm?

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63102&t=63100
Re: Setting Privilege Levels for Users [7:63073]
Jason,

I'll take a stab at this one...

Configure your vty lines to 'login local'. Create a user of any name and password. Create enable level and permitted command for certain commands and a password for level 15. You can also use AAA with Radius or Tacacs+ in order to centrally control these settings, but I'd guess you are looking for something more simple?

Router(config)# username user password cisco
Router(config)# privilege exec level 3 show ip route
Router(config)# privilege exec level 3 show ip interface
Router(config)# privilege exec level 3 show ip ospf neighbor
Router(config)# enable secret level 3 cisco3
Router(config)# enable secret level 15 cisco15
Router(config)# line vty 0 5
Router(config-line)# login local

When you telnet to the router you will get a login prompt and password. It's looking for user and cisco configured above. That user will already be at the user level 1.

$ Telnet router
Username: user
Password: cisco
Router> enable 3       ! gets you the additional commands defined for level 3
Password: cisco3
Router# enable 15      ! opens level 15
Password: cisco15
Router#

You don't have to go to level 3 first, you can go directly to 15 provided you have the password.

Richard Burdette

"Jason Steig" wrote in message news:[EMAIL PROTECTED]...
> I'am working on a Boson's CCIE lab with a friend and we are working on
> setting up privilege levels for users who need to telnet to the router.
>
> User1 needs to have access to just the user level commands nothing more.
>
> User2 needs access to all the commands that user 1 has access to as well as
> about 5 different exec commands. lets say "show ip interface" "show ip ospf
> neighbors" "show ip route" and "show version" i think most of those are
> exec commands.
>
> User3 needs access to every commands. This is privilege level 15 right?
>
> How would you implement these?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63079&t=63073
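The privilege-level setup in the reply above can be checked mechanically. The following Python code is an added example, not part of the original post: it parses a configuration fragment (a constructed sample mirroring the reply's commands) and reports which reassigned commands a session at each level can run, and whether the login path and per-level enable secrets are in place. The function names are hypothetical.

```python
import re

# Constructed sample: the commands from the reply above as they would
# appear in a configuration (not output captured from a real router).
SAMPLE_CONFIG = """\
username user password cisco
privilege exec level 3 show ip route
privilege exec level 3 show ip interface
privilege exec level 3 show ip ospf neighbor
enable secret level 3 cisco3
enable secret level 15 cisco15
line vty 0 5
 login local
"""

PRIV_RE = re.compile(r"^privilege exec level (\d+) (.+)$")
ENABLE_RE = re.compile(r"^enable secret(?: level (\d+))? \S+")
USER_RE = re.compile(r"^username (\S+)(?: privilege (\d+))?")


def parse(config):
    """Build a small model of the privilege-related lines in `config`."""
    model = {"commands": {}, "enable_levels": set(), "users": {},
             "vty_login_local": False}
    in_vty = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():          # a new top-level section starts
            in_vty = line.startswith("line vty")
        if m := PRIV_RE.match(line):
            model["commands"].setdefault(int(m.group(1)), []).append(m.group(2))
        elif m := ENABLE_RE.match(line):
            # `enable secret` without a level sets the level-15 password
            model["enable_levels"].add(int(m.group(1) or 15))
        elif m := USER_RE.match(line):
            # a user without `privilege N` logs in at level 1
            model["users"][m.group(1)] = int(m.group(2) or 1)
        elif in_vty and line == "login local":
            model["vty_login_local"] = True
    return model


def extra_commands(model, level):
    """Commands moved to `level` or lower, i.e. usable by a session at `level`."""
    return sorted(cmd for lvl, cmds in model["commands"].items()
                  if lvl <= level for cmd in cmds)


def findings(model):
    """Return human-readable gaps in the login path and level passwords."""
    issues = []
    if not model["users"]:
        issues.append("no local username defined")
    if not model["vty_login_local"]:
        issues.append("vty lines do not use 'login local'")
    entry_levels = model["enable_levels"] | set(model["users"].values())
    for lvl in sorted(model["commands"]):
        if lvl not in entry_levels:
            issues.append(f"level {lvl} has commands but no enable secret "
                          f"or user assigned to it")
    return issues


if __name__ == "__main__":
    m = parse(SAMPLE_CONFIG)
    for level in (1, 3, 15):
        print(level, extra_commands(m, level))
    print(findings(m) or "no gaps found")
```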
Re: Pix 501 or 520? [7:63078]
You should purchase whichever one is cheaper. They should both do the trick for you. The only reason you would want the 520 over the 501 is if you wanted to have more than 2 interfaces. If it's the same cost, go with the 520, if the 501 is significantly cheaper, go with the 501.

thanks,
-Brad Ellis
CCIE#5796 (R&S / Security)
Network Learning Inc
[EMAIL PROTECTED]
www.ccbootcamp.com (Cisco Training)

"K Ali" wrote in message news:[EMAIL PROTECTED]...
> Hi all,
>
> Just want to clear that which Pix Firewall is being used in the following
> modules.
>
> 1. Cisco Security specialist.
> 2. Cisco VPN specialist.
> 3. Cisco IDS specialist.
>
> Is it 501 or 520? Because at the moment I have got the option to buy 501 or
> 520. So which one I should go for?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63083&t=63078
Re: Ping ethernet interface with datagram over 150 [7:63085]
Try this ping from the nodes:

ping -f -l 1600 node-on-other-side-of-ATM

If this doesn't ping, then the ATM connection is only letting 1500 through. The Ethernet router interface is fragmenting packets to 1500 bytes (1600 packet becomes 2 packets) from the nodes. When doing a ping from the router, if using ATM interface as source then it is going across ATM as 1600 bytes.

--- Sean Kim wrote:
> Hello Erick,
>
> If that's the case, than wouldn't I have problem
> pinging any nodes (with over 1500 byte datagram) across the ATM link?
> But I do not have pinging any other nodes. It only
> happens, when I am sitting on my router pinging the other router's
> interface and vice-versa...
>
> Sean
>
> Erick B. wrote:
> >
> > The ATM connection (provider) is probably limiting
> > payload size to 1500. They may doing some form of
> > traffic policing - common these days. Ethernet LAN MTU
> > is 1500 so there really isn't a need to send greater
> > than that across ATM in this case.
> >
> > --- Sean Kim wrote:
> > > Hello,
> > >
> > > My company has this 3rd party connection through
> > > ATM. The ATM TA has an
> > > ethernet outlet which is and connected to our core
> > > router. Our parner
> > > company is connected with anATM module on their
> > > router.
> > >
> > > Recently, I was told by our partner company that
> > > they were running ping test
> > > and they could not ping my ethernet interface (on
> > > the core router) with
> > > datagram over 1500 byte.
> > >
> > > From both the router itself and my workstation, I
> > > pinged my own interface
> > > with 1600 byte, and I was able to ping it. But when
> > > I pinged my partner
> > > company's interface with 1600 byte, it failed.
> > >
> > > In general it seems that pinging from other nodes,
> > > there is no problem, but
> > > sitting on the routers itself, pinging the other
> > > routers interface with the
> > > datagram size of over 1500 is failing.
> > >
> > > There isn't any problem with connection of
> > > performance. But I am very
> > > curious about why this is happening.
> > > Does anybody have any idea why this would happen?
> > > Or can anybody give me a
> > > clue as to how to approach this problem?
> > >
> > > Thank you in advance.
> > >
> > > Sean Kim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63101&t=63085
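The fragmentation reasoning in this thread (the Don't Fragment bit and fragment-dropping firewalls raised in the earlier reply, and the `ping -f -l 1600` test above) can be worked through numerically. The following Python code is an added example, not part of any post. It assumes a 20-byte IPv4 header without options and that `-l` counts ICMP data bytes and `-f` sets DF, as in Windows ping; the function names are hypothetical.

```python
from dataclasses import dataclass

IP_HEADER = 20     # assumption: IPv4 header without options
ICMP_HEADER = 8    # ICMP echo request/reply header


class FragmentationNeeded(Exception):
    """DF is set and the datagram exceeds the MTU (ICMP type 3, code 4)."""


@dataclass(frozen=True)
class Fragment:
    offset_units: int      # value of the fragment offset field (8-byte units)
    data_len: int          # bytes of IP payload carried by this fragment
    more_fragments: bool   # MF flag

    @property
    def total_len(self):
        """Size of the fragment on the wire at the IP layer."""
        return IP_HEADER + self.data_len


def fragment(ip_payload_len, mtu, dont_fragment=False):
    """Return the fragments emitted for one datagram on a link with `mtu`."""
    if mtu < IP_HEADER + 8:
        raise ValueError("MTU too small to carry any fragment data")
    if IP_HEADER + ip_payload_len <= mtu:
        return [Fragment(0, ip_payload_len, False)]
    if dont_fragment:
        raise FragmentationNeeded(
            f"datagram of {IP_HEADER + ip_payload_len} bytes exceeds MTU {mtu}")
    # Every fragment except the last must carry a multiple of 8 bytes.
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    fragments, sent = [], 0
    while sent < ip_payload_len:
        chunk = min(per_fragment, ip_payload_len - sent)
        fragments.append(
            Fragment(sent // 8, chunk, sent + chunk < ip_payload_len))
        sent += chunk
    return fragments


def windows_ping(data_bytes, mtu, df=False):
    """Model `ping -l <data_bytes>` (with `-f` when df=True) over `mtu`."""
    return fragment(ICMP_HEADER + data_bytes, mtu, df)


def passes_fragment_filter(fragments, drop_fragments):
    """A device that drops IP fragments passes only unfragmented datagrams."""
    return not (drop_fragments and len(fragments) > 1)


if __name__ == "__main__":
    for f in windows_ping(1600, 1500):
        print(f, f.total_len)
    try:
        windows_ping(1600, 1500, df=True)
    except FragmentationNeeded as exc:
        print("DF set:", exc)
    print("through fragment-dropping firewall:",
          passes_fragment_filter(windows_ping(1600, 1500), True))
```

With DF clear, the 1600-byte ping only succeeds if every device on the path forwards fragments, which is why a fragment-dropping firewall produces the same symptom as a hard 1500-byte limit.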
Site-to-Site and Remote Access VPN on PIX? [7:63100]
Greetings,

Can I configure the PIX to do both site-to-site and Remote access VPN at the same time? I think it is impossible since I can only apply only one crypto map to the outside interface. Can someone confirm?

Kim.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63100&t=63100
pix and inside networks [7:63099]
Hello all,

I have a feeling this is more on the remote network routers, but here goes!

I have a client with several remote branches and a frame network. The local network is 192.168.1.x. The remotes are 192.168.y.x (y=branch number). They have a pix that I have setup with pptp and it works... kinda sorta... I can pptp to the 192.168.1.x network and work just fine. But when I try to get to 192.168.3.x (or any remote), it doesn't work. I have this command on the pix:

route inside 192.168.0.0 255.255.0.0 192.168.0.2 1

The 192.168.0.2 is e0/0 on a 3620 and the fe0/1 is 192.168.1.1. The next router behind the 3620 is a 3640 and AT&T manages that (it is their frame). All the remote sites come in from remote routers (2610's... also managed by AT&T) to the 3640, then to the internal 192.168.1.x. I was led to believe by an AT&T guy at one point that all remotes had defaults pointing back to the core.

Basically, my question is this... If I am going to call up AT&T, (like I think I need to do) am I going to

A. tell them to point 10.10.10.x (pool for pptp users) on their remote routers to the 3620 (ours) and point a route to 10.10.10.x myself towards the pix or
B. should I ask them to point the 10.10.10.x to our pix

I always get confused here because everyone says the pix isn't a router. I understand that, but then where do I put this route? The remotes have to know a way to get back to it, but I figured that since the local network can get to it, I could just tell AT&T to point to our 3620 but I don't have anything on our 3620 that says anything about 10.10.10.x??

Any help??

thanks
bk

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63099&t=63099
Re: OT Re: Snort versus Cisco IDS [7:62939]
> I've also had trouble with RedHat...with Snort as well as other apps. I
> switched to FreeBSD and have been very pleased so far.

Interesting... I'll give that a try... thanks mate!

JR
--
Johnny Routin

"Craig Columbus" wrote in message news:[EMAIL PROTECTED]...
>
> At 06:32 PM 2/13/2003 +, you wrote:
> >I've been having trouble with Snort on Red Hat and I've searched high and
> >low and can't find a resolution. My alert file grows to 2GB very quickly and
> >then crashes the process. I've seen one or two mentions of this same issue
> >in NG searches but haven't found a resolution. So like someone already said,
> >your mileage may vary.
> >
> >JR
> >--
> >Johnny Routin
> >
> >"Carroll Kong" wrote in message
> >news:[EMAIL PROTECTED]...
> > > Backing up what Craig said, Snort is probably better performing in
> > > terms of cost/performance than almost all the IDSes out there,
> > > including Cisco. It does not have a end to end solution to make
> > > one's life easier though, at least not out of the box.
> > >
> > > Of course, you will need some sort of a unix background to set it up,
> > > and I do not mean installing Solaris with GUI tools. Pretty easy to
> > > anyone who has worked with a FreeBSD or a Linux box (without using
> > > GUI all over the place and/or rpms everywhere). The idea of no GUI
> > > is probably quite daunting to "enterprise" level engineers.
> > >
> > > You COULD make it have a lot of the "enterprise level" features, but
> > > it requires a lot of work on your part, and of course no commercial
> > > support, so you are on your own. (So, add this to your end cost...)
> > >
> > > If you want a GUI frontend to snort, you can try Demarc, or what they
> > > call themselves "PureSecure" now. There are also some freeware
> > > analyzers, but Demarc/PureSecure is definitely one of the nicest
> > > ones. Albeit, it had some bugs, fortunately since they give you
> > > their cgis, if you know some perl, you can patch it yourself before
> > > they get around to it. (unless they changed this behavior, the last
> > > I used was 1.05).
> > >
> > > Puresecure DOES charge for commercial usage, which I suppose puts a
> > > damper on it. Their licensing is a bit ridiculous. However, the
> > > pricing should still be very competitive.
> > >
> > > It's a mixed bag, but if you know your Unix, seems like Snort is a
> > > much cheaper (if you know Unix and programming very well, the
> > > disadvantages aren't that big) IDS solution.
> > >
> > > If you don't, oh well, like all things in life, pay the price for
> > > one's ignorance. :)
> > >
> > > > Someone told me in an authoritative voice today that Cisco doesn't recommend
> > > > their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> > > > big part of SAFE?
> > > >
> > > > Of course, the person who said this doesn't understand that Cisco is a huge,
> > > > chaotic organism, and that saying Cisco does something based on what one
> > > > person does, doesn't make sense.
> > > >
> > > > But I'm just curious, what do you all recommend for intrusion detection? How
> > > > do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> > > > complicated, requiring appliances or IDS cards in a switch and a console:
> > > >
> > > > Cisco Secure IDS Director: HP OpenView Network Node Manager "plug-in" that
> > > > runs on UNIX (Solaris and HP-UX)
> > > >
> > > > Cisco Secure Policy Manager (v2.2+): Windows NT-based package
> > > >
> > > > Thanks.
> > > >
> > > > Priscilla
> > >
> > > -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63098&t=62939
RE: PIX 520 Xlate Problem [7:63087]
U may want to change your xlate timeout

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danial Morison
Sent: Saturday, February 15, 2003 2:58 AM
To: [EMAIL PROTECTED]
Subject: PIX 520 Xlate Problem [7:63087]

Hi group,

Any idea where the problem is..thanks..

We have implemented PIX with the following configuration. We have a 3 inside networks mapped with 2 different public IP pools 203.125.152.0/26 and 203.125.150.0/24. Problem is the inside network 10.0.0.0/17 (10.0.0.0 subnet mask 255.255.128.0) is not able to go to internet after a certain period of time (2 or 3 days). Any idea where the problem is..thanks..

172.0.0.0/8
10.0.0.0/8
10.0.0.0/17

Here are the details.

pixfirewall# sh global
global (outside) 1 203.125.152.194-203.125.152.236 netmask 255.255.255.192
global (outside) 4 203.125.150.1-203.125.150.126 netmask 255.255.255.128
global (outside) 2 203.125.152.244 netmask 255.255.255.192
global (outside) 3 203.125.152.248 netmask 255.255.255.192
global (outside) 1 203.125.152.193 netmask 255.255.255.192
global (outside) 4 203.125.150.249 netmask 255.255.255.128
global (dmz) 1 172.16.13.11-172.16.13.20 netmask 255.255.255.0
global (dmz) 2 172.16.13.51-172.16.13.60 netmask 255.255.255.0
global (dmz) 3 172.16.13.61-172.16.13.70 netmask 255.255.255.0
global (dmz) 4 172.16.13.71-172.16.13.80 netmask 255.255.255.0
global (dmz) 1 172.16.13.10 netmask 255.255.255.0
global (dmz) 2 172.16.13.9 netmask 255.255.255.0
global (dmz) 3 172.16.13.8 netmask 255.255.255.0
global (dmz) 4 172.16.13.6 netmask 255.255.255.0

pixfirewall# sh nat
nat (inside) 2 172.16.1.115 255.255.255.255 0 0
nat (inside) 3 172.16.11.76 255.255.255.255 0 0
nat (inside) 3 172.16.11.80 255.255.255.255 0 0
nat (inside) 3 172.16.11.84 255.255.255.255 0 0
nat (inside) 2 172.16.11.224 255.255.255.240 0 0
nat (inside) 4 10.0.0.0 255.255.128.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 172.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.13.0 255.255.255.0 0 0

pixfirewall#
sh xlate
Re: Layer3 Routers VS Switches [7:63072]
indeed with L3 switching, we can more closely arrive at wire speed, but in the course of my practice, i seen L3 switches mainly interconnecting Lan's, yes a flexwan module exists to interconnect wan's on the same box but usually we like to separate the lan's from wans for the sake of isolation and greater security implementation options.

i hope the above helps

"Larry Letterman" wrote in message news: [EMAIL PROTECTED]
> L3 is usually considered to be wire speed and uses faster
> asics...
> Routers such as 7200/7500 use older slower hardware to
> route...
>
> Larry Letterman
> Network Engineer
> Cisco Systems
>
> - Original Message -
> From: "Nanda"
> To:
> Sent: Friday, February 14, 2003 4:46 PM
> Subject: Layer3 Routers VS Switches [7:63072]
>
> > Hi Guys...
> >
> > We have Layer3 Switches and routers...In what scenario one would ideally use
> > Layer3 switches over routers..
> > Do They have any significant advantage over using routers
> > Why do they have layer3 switches when we have routers are good enough to do
> > the job...
> > I am confused...I wud appreciate if someone cud clarify.
> >
> > Thanks in Advance
> > __
> > With Warm Regards...
> > Nanda

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63096&t=63072
WIC-2T & 3725 routers [7:63095]
Hello,

I am trying to install WIC-2T on the Cisco 3725/3745, it is not fitting physically?

Can you please advise if I can use the regular WIC-2T or there is special 2T module for the Cisco 3725?

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63095&t=63095
Re: Pix 501 or 520? [7:63078]
Hi,

the PIX used in the labs is one or two PIX 515 with three or more interfaces. I bought a 501 because of the price. But I do not have a DMZ and I cannot failover between two Firewalls.

Jens Neelsen

--- K Ali wrote:
> Hi all,
>
> Just want to clear that which Pix Firewall is being used in
> the following modules.
>
> 1. Cisco Security specialist.
> 2. Cisco VPN specialist.
> 3. Cisco IDS specialist.
>
> Is it 501 or 520? Because at the moment I have got the
> option to buy 501 or 520. So which one I should go for?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63094&t=63078
Re: Cisco works 2000 cd one 5th Edition [7:63023]
I have too received this problem. To get around this I totally removed Ciscoworks and all the modules and re-installed 5th Edition and it all works fine.

"Mung Go" wrote in message news:[EMAIL PROTECTED]...
> I tried to upgrade Ciscoworks 2000 cd one from 4th edition to 5th edition, I
> experienced a lot of problem. Also, I prefer to have fresh install rather
> than upgrade. You can backup your database and restore it back after your
> Ciscoworks2000 is newly installed.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63093&t=63023
Re: Ping ethernet interface with datagram over 1500 [7:63085]
Hello Erick,

If that's the case, then wouldn't I have problem pinging any nodes (with over 1500 byte datagram) across the ATM link? But I do not have pinging any other nodes. It only happens, when I am sitting on my router pinging the other router's interface and vice-versa...

Sean

Erick B. wrote:
>
> The ATM connection (provider) is probably limiting payload size to 1500.
> They may be doing some form of traffic policing - common these days.
> Ethernet LAN MTU is 1500 so there really isn't a need to send greater
> than that across ATM in this case.
>
> --- Sean Kim wrote:
> > Hello,
> >
> > My company has this 3rd party connection through ATM. The ATM TA has an
> > ethernet outlet which is and connected to our core router. Our partner
> > company is connected with an ATM module on their router.
> >
> > Recently, I was told by our partner company that they were running ping test
> > and they could not ping my ethernet interface (on the core router) with
> > datagram over 1500 byte.
> >
> > From both the router itself and my workstation, I pinged my own interface
> > with 1600 byte, and I was able to ping it. But when I pinged my partner
> > company's interface with 1600 byte, it failed.
> >
> > In general it seems that pinging from other nodes, there is no problem, but
> > sitting on the routers itself, pinging the other routers interface with the
> > datagram size of over 1500 is failing.
> >
> > There isn't any problem with connection of performance. But I am very
> > curious about why this is happening.
> > Does anybody have any idea why this would happen? Or can anybody give me a
> > clue as to how to approach this problem?
> >
> > Thank you in advance.
> >
> > Sean Kim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63092&t=63085
Test Mail [7:63091]
Hi,

Beg my pardon for test mail.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63091&t=63091
Re: Ping ethernet interface with datagram over 1500 [7:63085]
How are you doing, Marco?

I actually DID think about this for a bit. To my knowledge Ethernet MTU is 1500, and ATM MTU depends on the connection. In my case we have 3M connection, but I am not sure what the MTU is because I have not looked at my partner company's 'sh int' result. But I would assume that it would be bigger than 1500. But at any rate, I am not sure if this will result in the ping failure.

My understanding of MTU is that, if a node gets a datagram which is bigger than the set MTU, it will just break it up to smaller fragments and process them. If I am missing something, please let me know.

Thanks.

Sean Kim

M.C. van den Bovenkamp wrote:
>
> Sean Kim wrote:
>
> > There isn't any problem with connection of performance. But I am very
> > curious about why this is happening.
> > Does anybody have any idea why this would happen? Or can anybody give me a
> > clue as to how to approach this problem?
>
> Think MTU difference.
>
> Regards,
>
> Marco.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63090&t=63085
Re: Ping ethernet interface with datagram over 1500 [7:63085]
The ATM connection (provider) is probably limiting payload size to 1500. They may be doing some form of traffic policing - common these days. Ethernet LAN MTU is 1500 so there really isn't a need to send greater than that across ATM in this case.

--- Sean Kim wrote:
> Hello,
>
> My company has this 3rd party connection through ATM. The ATM TA has an
> ethernet outlet which is and connected to our core router. Our partner
> company is connected with an ATM module on their router.
>
> Recently, I was told by our partner company that they were running ping test
> and they could not ping my ethernet interface (on the core router) with
> datagram over 1500 byte.
>
> From both the router itself and my workstation, I pinged my own interface
> with 1600 byte, and I was able to ping it. But when I pinged my partner
> company's interface with 1600 byte, it failed.
>
> In general it seems that pinging from other nodes, there is no problem, but
> sitting on the routers itself, pinging the other routers interface with the
> datagram size of over 1500 is failing.
>
> There isn't any problem with connection of performance. But I am very
> curious about why this is happening.
> Does anybody have any idea why this would happen? Or can anybody give me a
> clue as to how to approach this problem?
>
> Thank you in advance.
>
> Sean Kim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63089&t=63085
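[Added example, not part of any list message.] The thread above turns on what happens to a 1600-byte ping at a hop whose MTU is 1500. This Python sketch works through IPv4 fragmentation for that case and for the DF-set case; the function and class names are illustrative, and it assumes a 20-byte IPv4 header with no options and that the ping size is the total IP datagram length.

```python
from __future__ import annotations
from dataclasses import dataclass

IP_HEADER_LEN = 20  # assumption: IPv4 header without options


class FragmentationNeeded(Exception):
    """DF is set and the datagram does not fit: the hop drops it and
    answers with ICMP type 3 code 4 instead of fragmenting."""


@dataclass(frozen=True)
class Fragment:
    offset_units: int     # Fragment Offset field, counted in 8-byte units
    total_len: int        # IP Total Length of this fragment (header + data)
    more_fragments: bool  # MF flag


def fragment(datagram_len: int, mtu: int, df: bool = False) -> list[Fragment]:
    """Split an IPv4 datagram of datagram_len bytes for a link with this MTU."""
    if datagram_len <= IP_HEADER_LEN:
        raise ValueError("datagram must carry payload")
    if datagram_len <= mtu:
        return [Fragment(0, datagram_len, False)]
    if df:
        raise FragmentationNeeded(f"{datagram_len} > MTU {mtu} with DF set")
    # All fragments except the last carry a multiple of 8 payload bytes.
    chunk_max = (mtu - IP_HEADER_LEN) // 8 * 8
    if chunk_max <= 0:
        raise ValueError("MTU too small to carry any payload")
    payload = datagram_len - IP_HEADER_LEN
    frags, sent = [], 0
    while sent < payload:
        chunk = min(chunk_max, payload - sent)
        last = sent + chunk == payload
        frags.append(Fragment(sent // 8, IP_HEADER_LEN + chunk, not last))
        sent += chunk
    return frags


def reassembled_len(frags: list[Fragment]) -> int:
    """Length of the datagram the receiver rebuilds from these fragments."""
    last = max(frags, key=lambda f: f.offset_units)
    return last.offset_units * 8 + last.total_len


if __name__ == "__main__":
    # Constructed cases: the 1600-byte ping from the thread over Ethernet
    # (MTU 1500), then the same ping over a hypothetical 576-byte hop.
    for mtu in (1500, 576):
        print(mtu, fragment(1600, mtu))
```
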
PIX 520 Xlate Problem [7:63087]
Hi group,

Any idea where the problem is..thanks..

We have implemented PIX with the following configuration. We have 3 inside networks mapped with 2 different public IP pools 203.125.152.0/26 and 203.125.150.0/24. Problem is the inside network 10.0.0.0/17 (10.0.0.0 subnet mask 255.255.128.0) is not able to go to internet after a certain period of time (2 or 3 days).

Any idea where the problem is..thanks..

172.0.0.0/8
10.0.0.0/8
10.0.0.0/17

Here are the details.

pixfirewall# sh global
global (outside) 1 203.125.152.194-203.125.152.236 netmask 255.255.255.192
global (outside) 4 203.125.150.1-203.125.150.126 netmask 255.255.255.128
global (outside) 2 203.125.152.244 netmask 255.255.255.192
global (outside) 3 203.125.152.248 netmask 255.255.255.192
global (outside) 1 203.125.152.193 netmask 255.255.255.192
global (outside) 4 203.125.150.249 netmask 255.255.255.128
global (dmz) 1 172.16.13.11-172.16.13.20 netmask 255.255.255.0
global (dmz) 2 172.16.13.51-172.16.13.60 netmask 255.255.255.0
global (dmz) 3 172.16.13.61-172.16.13.70 netmask 255.255.255.0
global (dmz) 4 172.16.13.71-172.16.13.80 netmask 255.255.255.0
global (dmz) 1 172.16.13.10 netmask 255.255.255.0
global (dmz) 2 172.16.13.9 netmask 255.255.255.0
global (dmz) 3 172.16.13.8 netmask 255.255.255.0
global (dmz) 4 172.16.13.6 netmask 255.255.255.0

pixfirewall# sh nat
nat (inside) 2 172.16.1.115 255.255.255.255 0 0
nat (inside) 3 172.16.11.76 255.255.255.255 0 0
nat (inside) 3 172.16.11.80 255.255.255.255 0 0
nat (inside) 3 172.16.11.84 255.255.255.255 0 0
nat (inside) 2 172.16.11.224 255.255.255.240 0 0
nat (inside) 4 10.0.0.0 255.255.128.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 172.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.13.0 255.255.255.0 0 0

pixfirewall# sh xlate
Global 203.125.152.220 Local 172.16.11.71
Global 203.125.152.221 Local 172.16.11.149
Global 172.16.13.11 Local 172.16.11.139
PAT Global 203.125.152.193(52641) Local 172.16.11.57(1155)
Global 203.125.152.222 Local 172.16.11.120
Global 203.125.152.223 Local 172.16.152.37
Global 203.125.152.216 Local 172.17.1.94
Global 203.125.152.217 Local 172.16.1.20
Global 203.125.152.218 Local 172.16.5.20
Global 172.16.13.12 Local 172.16.1.205
Global 203.125.152.219 Local 172.16.11.139
Global 172.16.13.13 Local 172.16.154.75
Global 203.125.152.212 Local 172.16.11.194
Global 203.125.152.213 Local 172.17.11.91
Global 203.125.152.214 Local 172.17.1.91
Global 203.125.152.215 Local 172.16.5.78
Global 203.125.152.208 Local 172.16.1.22
Global 203.125.152.209 Local 172.16.5.15
Global 203.125.152.210 Local 172.16.151.75
Global 203.125.152.211 Local 172.17.1.23
Global 203.125.152.204 Local 172.16.5.79
Global 203.125.152.205 Local 172.16.5.13
PAT Global 203.125.152.193(52640) Local 172.16.11.57(1154)
Global 203.125.152.206 Local 172.18.1.22
Global 203.125.152.207 Local 172.18.1.104
Global 203.125.152.200 Local 172.16.11.192
Global 203.125.152.201 Local 172.18.1.24
Global 203.125.152.203 Local 172.16.5.17
PAT Global 172.16.13.6(43713) Local 10.0.12.137(12875)
Global 203.125.152.203 Local 172.16.151.72
Global 203.125.152.196 Local 172.16.5.21
Global 203.125.152.197 Local 10.120.10.51
Global 172.16.13.19 Local 172.18.1.254
Global 203.125.152.198 Local 172.17.1.93
Global 203.125.152.199 Local 172.16.11.186
Global 203.125.150.193 Local 172.16.206.30 static
PAT Global 203.125.152.244(21827) Local 172.16.11.233(4493)
PAT Global 203.125.152.244(21811) Local 172.16.11.233(4480)
Global 203.125.152.194 Local 172.16.5.18
Global 172.16.13.20 Local 172.17.1.110
Global 203.125.152.195 Local 172.16.5.14
Global 203.125.150.252 Local 172.16.1.40 static
Global 203.125.152.252 Local 172.16.13.21 static
Global 172.16.13.42 Local 172.18.1.22 static
Global 172.16.13.43 Local 172.17.1.21 static
PAT Global 203.125.152.193(52643) Local 172.16.11.57(1158)
Global 172.16.13.40 Local 172.16.11.21 static
Global 172.16.13.41 Local 172.16.206.21 static
Global 203.125.150.249 Local 172.16.13.27 static
Global 203.125.152.249 Local 172.16.13.23 static
Global 172.16.13.47 Local 10.160.10.53 static
Global 203.125.152.250 Local 172.16.1.41 static
Global 203.125.150.250 Local 172.16.1.24 static
PAT Global 172.16.13.6(43714) Local 10.0.12.140(14384)
Global 172.16.13.44 Local 172.16.152.21 static
Global 203.125.152.251 Local 172.16.13.22 static
Global 172.16.13.45 Local 10.160.10.51 static
Global 203.125.152.245 Local 10.160.10.51 static
Global 203.125.152.246 Local 172.16.13.26 static
Global 203.125.152.247 Local 172.16.13.25 static
Global 203.125.152.240 Local 10.160.10.52 static
Global 203.125.152.241 Local 172.16.18.51 static
PAT Global 203.125.152.244(22080) Local 172.16.11.229(1026)
PAT Global 203.125.152.244(21856) Local 172.16.11.224(1473)
Global 203.125.152.242 Local 172.16.206.31 static
Global 203.125.152.243 Local 172.16.206.21 static
Global 203.125.152.236 Local 172.16.1.25
PAT Global 203.125.152.193(52642) Local 172.16.11.