RE: CCDA & CCDP [7:70637]
Go to Ciscopress.com and do a search on the test numbers. Cisco Press books are sometimes difficult to read, but this is where you can get the most pertinent information and is usually what the test is based upon. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=70746&t=70637 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX VPN home access question [7:65666]
The 515 is actually at my home and from my office, I VPN to it. Yeah I know it is quirky, but I do have a legitimate excuse. You asked what the ip address outside DHCP setroute command does. I have DSL at home with no static IP address. That line in my PIX essentially lets the PIX know that I will be receiving my outside IP address via DHCP. The setroute argument merely transfers the gateway IP address to my inside PCs. Yes, I am also using DHCP to serve internal IP addresses to my internal PCs. Your other question about VPN access and Internet. Not sure if I understand your question, but while I am VPN'd into my PIX from home, yes users at home (my wife) can access the Internet. Is this what you are asking? YOu should be able to VPN from your home to your 515 at work and still allow INternet access for the employees at your work. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66186&t=65666 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX VPN home access question [7:65666]
The software is available at http://www.cisco.com/kobayashi/sw-center/sw-vpn.shtml. Once you have the VPN tunnel established, there should be no need for a dial in line. Here is a sample configuration for my VPN tunnel to my home 515 PIX - I use DES, I would recommend 3DES. PIX Version 6.2(2) nameif ethernet0 outside security0 nameif ethernet1 inside security100 nameif ethernet2 pix/intf2 security10 nameif ethernet3 pix/intf3 security15 nameif ethernet4 pix/intf4 security20 nameif ethernet5 pix/intf5 security25 enable password XXX encrypted passwd XXX encrypted hostname X fixup protocol ftp 21 fixup protocol http 80 fixup protocol h323 h225 1720 fixup protocol h323 ras 1718-1719 fixup protocol ils 389 fixup protocol rsh 514 fixup protocol rtsp 554 fixup protocol smtp 25 fixup protocol sqlnet 1521 fixup protocol sip 5060 fixup protocol skinny 2000 names access-list 80 permit ip 10.0.0.0 255.255.255.0 10.0.0.0 255.255.255.0 pager lines 24 logging on logging timestamp logging trap debugging logging host inside 10.0.0.111 no logging message 305012 no logging message 305011 no logging message 302015 no logging message 302014 no logging message 302013 no logging message 302016 interface ethernet0 10full interface ethernet1 10full interface ethernet2 auto shutdown interface ethernet3 auto shutdown interface ethernet4 auto shutdown interface ethernet5 auto shutdown mtu outside 1500 mtu inside 1500 mtu pix/intf2 1500 mtu pix/intf3 1500 mtu pix/intf4 1500 mtu pix/intf5 1500 ip address outside dhcp setroute ip address inside 10.0.0.1 255.255.255.0 ip address pix/intf2 127.0.0.1 255.255.255.255 ip address pix/intf3 127.0.0.1 255.255.255.255 ip address pix/intf4 127.0.0.1 255.255.255.255 ip address pix/intf5 127.0.0.1 255.255.255.255 ip audit name IDSATTACK attack action alarm reset ip audit interface outside IDSATTACK ip audit info action alarm ip audit attack action alarm ip local pool REMOTEIPPOOLS 10.0.0.210-10.0.0.215 no failover failover timeout 0:00:00 failover poll 15 failover ip address outside 0.0.0.0 failover ip address inside 0.0.0.0 failover ip address pix/intf2 0.0.0.0 failover ip address pix/intf3 0.0.0.0 failover ip address pix/intf4 0.0.0.0 failover ip address pix/intf5 0.0.0.0 pdm location 10.0.0.4 255.255.255.255 inside pdm location 10.0.0.111 255.255.255.255 inside pdm location 10.0.0.0 255.0.0.0 inside pdm history enable arp timeout 14400 global (outside) 1 interface nat (inside) 0 access-list 80 nat (inside) 1 0.0.0.0 0.0.0.0 0 0 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa-server LOCAL protocol local http server enable http 10.0.0.111 255.255.255.255 inside no snmp-server location no snmp-server contact snmp-server community public no snmp-server enable traps floodguard enable sysopt connection permit-ipsec no sysopt route dnat crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto dynamic-map outside_dyn_map 10 set transform-set ESP-DES-MD5 crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map crypto map outside_map interface outside isakmp enable outside isakmp policy 10 authentication pre-share isakmp policy 10 encryption des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 86400 vpngroup GROUPNAME address-pool REMOTEIPPOOLS vpngroup GROUPNAME idle-time 1800 vpngroup GROUPNAME password xx telnet 10.0.0.0 255.255.255.0 inside telnet timeout 60 ssh timeout 30 dhcpd address 10.0.0.2-10.0.0.200 inside dhcpd lease 3600 dhcpd ping_timeout 750 dhcpd auto_config outside dhcpd enable inside username password encrypted privilege 2 terminal width 80 Cryptochecksum:dc24ebe736764b81a98b1e78c3f9f326 : end Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65684&t=65666 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: VPN Client behind PIX [7:64358]
I may be missing something, but are you asking whether you can establish a VPN tunnel using a VPN client behind a 515 PIX firewall. The answer is yes, I do it everyday. I have a 515 at home and I use the Nortel VPN client to connect to a Contivity box at work. My scenario is not exactly like yours, but here are the statements I added in the PIX to enable this. access-list VPN permit esp any any access-list VPN permit udp any any eq isakmp static (inside,outside)int 10.0.0.3 Make sure you are not using AH. You can't run AH behind a PIX due to NATing issues. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64494&t=64358 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Certified Cisco System Instructor (CCSI) [7:64319]
Check the Instructors Resource Website - http://64.139.25.96/. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=64353&t=64319 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Static Xlates on PIX [7:63638]
AH does work fine behind NAT, otherwise no one could ever run VPNs behind a firewall. I can run a VPN from behind my PIX with the following ACLs: access-list VPN permit ah any any access-list VPN permit esp any any access-list VPN permit udp any any eq isakmp Still, my question remains, is there anyway to have port redirected statics evaluate before a generic static? Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63732&t=63638 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Static Xlates on PIX [7:63638]
To clarify, my PIX sits behind a DSL modem, not router. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63641&t=63638 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Static Xlates on PIX [7:63638]
I have a PIX sitting behind a DSL router with a public DHCP address. I would like to do the following: 1) If a www request comes in send to host A (10.0.0.111) 2) If a PCanywhere request comes in send to host A (10.0.0.111) 3) If a AH request(authentication header - needed for my VPN tunnel establishment from behind the PIX), send to host B (10.0.0.5) Here is how my PIX is setup now: static (inside,outside) tcp interface pcanywhere-data 10.0.0.111 www static (inside,outside) tcp interface pcanywhere-data 10.0.0.111 pcanywhere-data static (inside,outside) udp interface pcanywhere-status 10.0.0.111 pcanywhere-status This covers 1 & 2 fine. However, I can't make number three work without creating a plain static to 10.0.0.5, because the VPN tunnel establishment does not use TCP or UDP therefore, I can't do a port redirect. It uses AH. It seems to me that if I did the following setup, it would work because the PIX should evaluate statics sequentially. But is does not work, it sends all requests to 10.0.0.5, totally ignoring the port redirected statics to 10.0.0.111 static (inside,outside) tcp interface pcanywhere-data 10.0.0.111 www static (inside,outside) tcp interface pcanywhere-data 10.0.0.111 pcanywhere-data static (inside,outside) udp interface pcanywhere-status 10.0.0.111 pcanywhere-status static (inside,outside) interface 10.0.0.5 Does anyone have an idea of how I could get this to work? Thanks. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63638&t=63638 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Firewall/PIX help.... [7:63167]
The PIX does have IDS capabilities, but very rudimentary. no anti-virus or content filtering. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63296&t=63167 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: access-group difference [7:62769]
oops, one mistake I meant to say this access-group acl_in in interface inside - binds the acl_in access list (created above) to the inside interface . instead of this access-group acl_in in interface inside - binds the acl_in access list (created above) to the outside interface (for inbound traffic). Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62772&t=62769 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: access-group difference [7:62769]
access-list acl_in permit tcp any any - creates an access list which permits all tcp from any source to any destination access-group acl_out in interface outside - binds the acl_out access list to the outside interface (for inbound traffic). You must determine what the acl_out access list contains before determining the impact of this access-group command. and Access-list acl_in permit tcp any any - creates an access list which permits all tcp from any source to any destination access-group acl_in in interface inside - binds the acl_in access list (created above) to the outside interface (for inbound traffic). The access-list command creates your access lists and the access-group command binds the list to an interface. You can have multiple access-lists and never bind them to an interface, however you can't have an access-group command without an associated access-list. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62770&t=62769 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: VPN Gateway and Firewall [7:62358]
You may want to consider the concentrator in a dual DMZ scenario. The benefit of putting it in a dual DMZ scenario is not only can you control the outside access, you can also control the resources a remote can see in the inside once a tunnel is established. If you place it behind the firewall, once the remote has a tunnel they have complete access to your inside network. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62363&t=62358 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX Scenario [7:62047]
This isn't entirely correct. You can have a private IP address on your outside interface and have it NAT'd to a public IP address and then terminate the tunnel there. I am assuming this is what you are doing. Yes it can be done. Yes it will work with IKE Mode Configuration which is the same functionality of the "vpngroup". Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62225&t=62047 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: MTU and TCP in PIX [7:61441]
Actually the PIX by default will allow fragmented packets. This can be a vulnerability for the PIX. A good policy is to enable FragGuard on the PIX. This insures the PIX sees the entire seegmented packet before letting it pass through its outside interface. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61603&t=61441 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
