RE: PIX 501 PPOE Verizon [7:58796]
This is from a 501 configuration used in conjunction with Verizon dsl:

vpdn group groupname request dialout pppoe
vpdn group groupname ppp authentication chap
vpdn username abcdefg password 123456

-----Original Message-----
From: Curious [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 09, 2002 8:01 AM
To: [EMAIL PROTECTED]
Subject: PIX 501 PPOE Verizon [7:58796]

Any one of you ever use PIX 501 with Verizon DSL modem, which uses PPOE? How can we specify a user name and password in PIX 501 so that it can connect with Verizon DSL modem?

--
Curious
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58802&t=58796
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX question [7:58623]
Use the alias command:
http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_tech_note09186a0080094aee.shtml

-----Original Message-----
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 7:22 AM
To: [EMAIL PROTECTED]
Subject: PIX question [7:58623]

If I have a pix separating my network from the internet with an inside and an outside interface, then I have some servers on the inside network that I use Static to give an ip address on the outside network for hosts on the internet to access. That's the easy part, now the question: Is it possible for the inside hosts to access the servers that I have using the public ip address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the pix and then back in using the public IP address of the server they are connecting to? Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58627&t=58623
Show running-config all at once [7:54367]
Hello. A customer asked me if I knew of a way to show the running configuration all at once, not page-at-a-time ("-more-"). I have no idea, but any hints, clues, or outright answers would be appreciated. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54367&t=54367
Re: Static NAT Problem [7:49714]
Thanks, Johnny, but I know the protocol around here and I note with irony that in your misguided attempt to keep me from being rude, you were more than a little rude yourself. I checked the website (as opposed to the email feed) and it hadn't shown up after about 45 minutes or so, and so I assumed that the first one just didn't make it for whatever reason. I apologize for making the mistake, detracting from the quality of your day, and forcing you to publicly admonish me when I'm sure you had better things to do.

BTW, the "extendable" keyword adds itself to the configuration. How would you suggest I remove this, Mr. Routen?

Don Claybrook
CCNP, CCDP, CSS1

----- Original Message -----
From: "Johnny Routin"
To:
Sent: Thursday, July 25, 2002 3:30 PM
Subject: Re: Static NAT Problem [7:49714]

> BTW, only post once... we'll see you and we'll get to it. If you post the
> same thing multiple times you'll be ignored for being rude.
>
> JR
> --
> Johnny Routin
>
> ""Don Claybrook"" wrote in message news:[EMAIL PROTECTED]...
> > I have a customer using a single address for port forwarding. The
> > translation for 192.168.1.2 to 12.13.14.15 using port 5631 works fine.
> > When I issue the command show ip nat translations, I get the output as
> > shown on the last line. The inside global and inside local are both
> > listed on port 5631.
> >
> > However, the translation for 192.168.1.3 to 12.13.14.15, both using port
> > 5993, does not work. This shows up on the inside global as
> > 12.13.14.15:1062 and on the inside local as 192.168.1.3:5993.
> >
> > Both translations are configured the same. Can anyone tell me what it is
> > I'm doing wrong?
> >
> > The nat configuration, along with the show ip nat translation, is listed
> > below.
> >
> > Thanks for your help.
> >
> > ip nat translation timeout 300
> > ip nat inside source list 1 interface Serial0.1 overload
> > ip nat inside source list 18 interface Serial0.1 overload
> > ip nat inside source static tcp 192.168.1.3 5993 12.13.14.15 5993 extendable
> > ip nat inside source static tcp 192.168.1.2 22 12.13.14.15 22 extendable
> > ip nat inside source static tcp 192.168.1.2 5631 12.13.14.15 5631 extendable
> > ip nat inside source static tcp 192.168.1.2 5632 12.13.14.15 5632 extendable
> > ip nat inside source static tcp 192.168.1.2 65301 12.13.14.15 65301 extendable
> > ip nat inside source static udp 192.168.1.2 5632 12.13.14.15 5632 extendable
> >
> > Router#sh ip nat trans
> > Pro Inside global       Inside local        Outside local       Outside global
> > tcp 12.13.14.15:5631    192.168.1.2:5631    ---                 ---
> > tcp 12.13.14.15:5632    192.168.1.2:5632    ---                 ---
> > udp 12.13.14.15:5632    192.168.1.2:5632    ---                 ---
> > tcp 12.13.14.15:1062    192.168.1.3:5993    21.22.23.24:2282    21.22.23.24:2282
> > tcp 12.13.14.15:65301   192.168.1.2:65301   ---                 ---
> > tcp 12.13.14.15:5993    192.168.1.3:5993    ---                 ---
> > tcp 12.13.14.15:22      192.168.1.2:22      ---                 ---
> > tcp 12.13.14.15:5631    192.168.1.2:5631    21.22.23.24:2281    21.22.23.24:2281

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49729&t=49714
Static NAT Problem [7:49714]
I have a customer using a single address for port forwarding. The translation for 192.168.1.2 to 12.13.14.15 using port 5631 works fine. When I issue the command show ip nat translations, I get the output as shown on the last line. The inside global and inside local are both listed on port 5631.

However, the translation for 192.168.1.3 to 12.13.14.15, both using port 5993, does not work. This shows up on the inside global as 12.13.14.15:1062 and on the inside local as 192.168.1.3:5993.

Both translations are configured the same. Can anyone tell me what it is I'm doing wrong?

The nat configuration, along with the show ip nat translation, is listed below.

Thanks for your help.

ip nat translation timeout 300
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source list 18 interface Serial0.1 overload
ip nat inside source static tcp 192.168.1.3 5993 12.13.14.15 5993 extendable
ip nat inside source static tcp 192.168.1.2 22 12.13.14.15 22 extendable
ip nat inside source static tcp 192.168.1.2 5631 12.13.14.15 5631 extendable
ip nat inside source static tcp 192.168.1.2 5632 12.13.14.15 5632 extendable
ip nat inside source static tcp 192.168.1.2 65301 12.13.14.15 65301 extendable
ip nat inside source static udp 192.168.1.2 5632 12.13.14.15 5632 extendable

Router#sh ip nat trans
Pro Inside global       Inside local        Outside local       Outside global
tcp 12.13.14.15:5631    192.168.1.2:5631    ---                 ---
tcp 12.13.14.15:5632    192.168.1.2:5632    ---                 ---
udp 12.13.14.15:5632    192.168.1.2:5632    ---                 ---
tcp 12.13.14.15:1062    192.168.1.3:5993    21.22.23.24:2282    21.22.23.24:2282
tcp 12.13.14.15:65301   192.168.1.2:65301   ---                 ---
tcp 12.13.14.15:5993    192.168.1.3:5993    ---                 ---
tcp 12.13.14.15:22      192.168.1.2:22      ---                 ---
tcp 12.13.14.15:5631    192.168.1.2:5631    21.22.23.24:2281    21.22.23.24:2281

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49714&t=49714
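An added example, not part of the post or of anything on the list: a small Python checker that reads the static PAT lines from a router configuration and the rows of "show ip nat translations", and reports any row whose inside-local socket has a static mapping but whose inside-global port is not the configured one. That is exactly the symptom in the post (192.168.1.3:5993 appearing as 12.13.14.15:1062), so the sample input below is the post's own configuration and table, re-spaced into columns. The names Socket, find_pat_mismatches and find_unpopulated_statics are this example's own, and the parsing covers only the IOS syntax the post shows.

```python
"""Cross-check IOS static PAT entries against 'show ip nat translations'.

Added example (not from the original post). The sample config and
translation rows below are the values from the post, re-spaced so the
table has one row per line; the checking logic is this example's own.
"""
import re
from dataclasses import dataclass

# Static PAT lines from the post's configuration (sample input).
SAMPLE_CONFIG = """\
ip nat translation timeout 300
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source list 18 interface Serial0.1 overload
ip nat inside source static tcp 192.168.1.3 5993 12.13.14.15 5993 extendable
ip nat inside source static tcp 192.168.1.2 22 12.13.14.15 22 extendable
ip nat inside source static tcp 192.168.1.2 5631 12.13.14.15 5631 extendable
ip nat inside source static tcp 192.168.1.2 5632 12.13.14.15 5632 extendable
ip nat inside source static tcp 192.168.1.2 65301 12.13.14.15 65301 extendable
ip nat inside source static udp 192.168.1.2 5632 12.13.14.15 5632 extendable
"""

# 'show ip nat translations' output from the post (sample input).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 12.13.14.15:5631   192.168.1.2:5631   ---                ---
tcp 12.13.14.15:5632   192.168.1.2:5632   ---                ---
udp 12.13.14.15:5632   192.168.1.2:5632   ---                ---
tcp 12.13.14.15:1062   192.168.1.3:5993   21.22.23.24:2282   21.22.23.24:2282
tcp 12.13.14.15:65301  192.168.1.2:65301  ---                ---
tcp 12.13.14.15:5993   192.168.1.3:5993   ---                ---
tcp 12.13.14.15:22     192.168.1.2:22     ---                ---
tcp 12.13.14.15:5631   192.168.1.2:5631   21.22.23.24:2281   21.22.23.24:2281
"""

# "ip nat inside source static <proto> <local> <lport> <global> <gport> ..."
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)
# First two columns of a table row: "<proto> <global>:<port> <local>:<port>"
TRANS_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)")


@dataclass(frozen=True)
class Socket:
    proto: str
    addr: str
    port: int


def parse_static_pats(config: str) -> dict[Socket, Socket]:
    """Map each configured inside-local socket to its inside-global socket."""
    pats: dict[Socket, Socket] = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, local, lport, glob, gport = m.groups()
            pats[Socket(proto, local, int(lport))] = Socket(proto, glob, int(gport))
    return pats


def parse_translations(output: str) -> list[tuple[Socket, Socket]]:
    """Return (inside_global, inside_local) pairs from the translation table."""
    rows: list[tuple[Socket, Socket]] = []
    for line in output.splitlines():
        m = TRANS_RE.match(line.strip())
        if m:
            proto, gaddr, gport, laddr, lport = m.groups()
            rows.append((Socket(proto, gaddr, int(gport)),
                         Socket(proto, laddr, int(lport))))
    return rows


def find_pat_mismatches(config: str, output: str) -> list[tuple[Socket, Socket, Socket]]:
    """Rows whose inside-local socket has a static mapping but whose inside-global
    port differs from the configured one, i.e. the row was built by the overload
    rule rather than by the static entry. Returns (local, expected, actual)."""
    pats = parse_static_pats(config)
    bad = []
    for actual_global, local in parse_translations(output):
        expected = pats.get(local)
        if expected is not None and expected != actual_global:
            bad.append((local, expected, actual_global))
    return bad


def find_unpopulated_statics(config: str, output: str) -> list[Socket]:
    """Configured static entries that have no row at all in the table."""
    pats = parse_static_pats(config)
    seen = {local for _, local in parse_translations(output)}
    return [local for local in pats if local not in seen]


if __name__ == "__main__":
    for local, expected, actual in find_pat_mismatches(SAMPLE_CONFIG, SAMPLE_TRANSLATIONS):
        print(f"{local.proto} {local.addr}:{local.port} configured as "
              f"{expected.addr}:{expected.port} but table shows {actual.addr}:{actual.port}")
    for local in find_unpopulated_statics(SAMPLE_CONFIG, SAMPLE_TRANSLATIONS):
        print(f"no translation row for static {local.proto} {local.addr}:{local.port}")
```

Run against the post's data it reports the single bad row (192.168.1.3:5993 mapped to 12.13.14.15:1062) and no missing statics; the same two functions can be pointed at the output of any IOS router that uses this static/overload syntax.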
How to keep multiple switch ports on the same VLAN from [7:49410]
I have a customer who needs to have several ports on a 2924XL-EN in the same VLAN. The customer does not want these ports to be able to communicate with one another, but would like all of them to be able to go to/through another port. E.g., ports 1 to 5 would be on VLAN 50, they'd all be able to access port 6, on VLAN 60, but not each other.

I did find something on CCO about Private VLANs, but I see that the 2924 is not on the list of hardware that supports PVLAN's. Does anyone know of a way to accomplish this segregation within the same VLAN, short of PVLAN's?

Any help is much appreciated.

Thanks,
Don Claybrook

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49410&t=49410
Re: Cisco VPN client and NAT/PAT [7:45473]
Is the cable/dsl modem also doing any sort of firewalling or NAT'ting? If so, open holes for IPSec and/or turn off firewall functionality on the cable/adsl modem and/or create a static translation for the workstation on the inside.

----- Original Message -----
From: "Paul"
To:
Sent: Thursday, May 30, 2002 4:07 PM
Subject: Cisco VPN client and NAT/PAT [7:45473]

> Hi
>
> I have setup a Pix 515 so that it authenticates and accepts a remote user
> via dial-up, allowing them full access to the corporate LAN. The only problem
> that I have is that the remote user cannot connect via cable modem/adsl etc
> the connection is initialised, the remote security gateway is contacted
> and the error message is "Remote peer is no longer responding" ... Has
> anyone ever come across any issues similar to this ??? Any help will be
> greatly welcomed ...
>
> Sometimes ... I can get connected via cable modem/adsl etc ... but cannot
> browse, ping or get access to any corporate site or applications ???
>
> I can get several people simultaneously dialed-up and vpn'd onto the corporate
> LAN .. and I am using Cisco VPN Client 3.0.6 .. I have also tried with client
> 3.5 with the same results ...
>
> Kind regards ..
>
> Paul ..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45476&t=45473
Re: Alternatives to Cisco VPN client [7:42604]
Have you tried split-tunneling? I think it's disabled by default because it's seen as a security risk, but it is doable.

----- Original Message -----
From: "Craig Columbus"
To:
Sent: Thursday, April 25, 2002 3:24 PM
Subject: Alternatives to Cisco VPN client [7:42604]

> Let me preface this by saying that all of my VPN experience has been either
> peer-peer or client to peer with the Cisco VPN client 1.x or 3.x. Please
> ignore my ignorance if I've missed something obvious.
>
> I've got a major complaint with the Cisco VPN client. It's not smart
> enough to differentiate local traffic/Internet traffic from VPN
> traffic. Therefore, you can't browse the Internet and your VPN network at
> the same time.
> I'm looking for alternative software clients that are smart enough to say
> "Ok. Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
> to be) goes to the tunnel. If the traffic has any destination other than
> 10.x.x.x, it's treated as if the tunnel weren't even present." This would
> allow my client machine to easily browse the Internet and the VPN remote
> network at the same time.
> I've done some preliminary searches for third-party clients, but don't want
> to waste time trying 50 clients that may not be any good. I've found some
> for Mac OS X that'll do what I want, but I haven't found one for Win
> 9x/ME/NT/2K/XP.
> There's got to be a decent client that does this.
> Sorry for rambling :-) It's been a long day.
>
> As usual, thanks in advance to everyone.
>
> Craig

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42612&t=42604
Re: Basic PIX clarification ... [7:41779]
Higher security to Lower Security (inside to outside) connections are controlled by NAT and GLOBAL commands. Lower to Higher Security (outside to inside) connections are controlled by access-lists (or conduits) and static mapping.

----- Original Message -----
From: "Paul"
To:
Sent: Wednesday, April 17, 2002 2:59 PM
Subject: Basic PIX clarification ... [7:41779]

> Are the following statements correct ???
> Connections on the Pix are defined as either from lower to higher
> security level or higher to lower security level.
>
> Higher to Lower security connections are controlled by the access-list
> command.
>
> Lower to Higher security connections are controlled by nat and global
> commands.
>
> Any help on clearing this will help me enormously ...
> Many thanks in advance ...
> Paul ..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41782&t=41779
RE: TCP/IP and DOD [7:39657]
Sorry, Mr. Hall. Take a look at the order of operations. I was making the point that this was a technical forum that probably didn't need politics inserted. I was RESPONDING to someone who made the political remark in the first place. I'll discontinue this since the purpose is supposed to be all Cisco all the time here, but since you called me out by name, I thought I'd take a stab at defending my statement before bowing out. Thanks. Peace.

Don Claybrook
CCNP, CCDP, CSS1 (without much extra time on my hands)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeffrey W. Hall
Sent: Friday, April 05, 2002 4:16 PM
To: [EMAIL PROTECTED]
Subject: RE: TCP/IP and DOD [7:39657]

What?? Those of you who insist on detracting a good conversation with needless comments like that have too much time on your hands, Don. Why don't you and others like you stick to the topic and not be so tempted to provide such a short-sighted remark.

Jeffrey W. Hall
Network Administrator, MCSE, CCNA, SCSA

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Claybrook
Sent: Friday, April 05, 2002 6:22 PM
To: [EMAIL PROTECTED]
Subject: Re: TCP/IP and DOD [7:39657]

Well, if we're veering off into the realm of political commentary and putdown, I suppose it's ok to ask whether George W. Bush could spell TCP/IP "all by himself".

----- Original Message -----
From: "Brian Zeitz"
To:
Sent: Friday, April 05, 2002 2:09 PM
Subject: RE: TCP/IP and DOD [7:39657]

> Yea, it was Al Gore who invented TCP/IP and the internet, all by
> himself.
>
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 05, 2002 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: TCP/IP and DOD [7:39657]
>
> Vint Cerf wasn't commissioned. He was a graduate student at UCLA. BBN set
> up the infrastructure of the ARPANET and got the Interface Message
> Processors (routers) and the 56-Kbps links up and running. To use the
> ARPANET, universities had to write software for the devices that connected
> to the ARPANET. TCP/IP grew out of that effort.
>
> Priscilla
>
> At 03:47 PM 4/5/02, Rico Ortiz wrote:
> >My understanding is Vint Cerf, was the creator of the TCP/IP protocols. Not
> >sure but was he not commissioned by DOD/BBN during the ARPAnet days..
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >Steven A. Ridder
> >Sent: Wednesday, March 27, 2002 2:05 PM
> >To: [EMAIL PROTECTED]
> >Subject: TCP/IP and DOD [7:39657]
> >
> >I am a technical reviewer for a book, and someone wrote that TCP/IP was
> >written by the Department of Defense. I am confident that ARPAnet was
> >commissioned by the DoD in the 60's to BBN, and maybe TCP/IP was derived from
> >these early protocols, but to say that the DoD, or BBN or anyone other than
> >the Internet community wrote TCP and IP would be incorrect, right? I seem
> >to remember that IP was used in ArpaNet, but not TCP. I thought TCP was
> >written in various universities. I could even look up the couple (who used
> >to work at Cisco) who wrote it.
> >
> >--
> >
> >RFC 1149 Compliant.
> >Get in my head:
> >http://sar.dynu.com
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40652&t=39657
Re: TCP/IP and DOD [7:39657]
Well, if we're veering off into the realm of political commentary and putdown, I suppose it's ok to ask whether George W. Bush could spell TCP/IP "all by himself".

----- Original Message -----
From: "Brian Zeitz"
To:
Sent: Friday, April 05, 2002 2:09 PM
Subject: RE: TCP/IP and DOD [7:39657]

> Yea, it was Al Gore who invented TCP/IP and the internet, all by
> himself.
>
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 05, 2002 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: RE: TCP/IP and DOD [7:39657]
>
> Vint Cerf wasn't commissioned. He was a graduate student at UCLA. BBN set
> up the infrastructure of the ARPANET and got the Interface Message
> Processors (routers) and the 56-Kbps links up and running. To use the
> ARPANET, universities had to write software for the devices that connected
> to the ARPANET. TCP/IP grew out of that effort.
>
> Priscilla
>
> At 03:47 PM 4/5/02, Rico Ortiz wrote:
> >My understanding is Vint Cerf, was the creator of the TCP/IP protocols. Not
> >sure but was he not commissioned by DOD/BBN during the ARPAnet days..
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> >Steven A. Ridder
> >Sent: Wednesday, March 27, 2002 2:05 PM
> >To: [EMAIL PROTECTED]
> >Subject: TCP/IP and DOD [7:39657]
> >
> >I am a technical reviewer for a book, and someone wrote that TCP/IP was
> >written by the Department of Defense. I am confident that ARPAnet was
> >commissioned by the DoD in the 60's to BBN, and maybe TCP/IP was derived from
> >these early protocols, but to say that the DoD, or BBN or anyone other than
> >the Internet community wrote TCP and IP would be incorrect, right? I seem
> >to remember that IP was used in ArpaNet, but not TCP. I thought TCP was
> >written in various universities. I could even look up the couple (who used
> >to work at Cisco) who wrote it.
> >
> >--
> >
> >RFC 1149 Compliant.
> >Get in my head:
> >http://sar.dynu.com
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40642&t=39657
Re: Router question.. [7:39788]
Yes. Is it a 2611 or a 2621 or a 2651? If you have Fast Ethernet you can do ISL trunking or 802.1Q trunking. If not, you can do a secondary interface, but it's not recommended.

----- Original Message -----
From: "Ricky Chan"
To:
Sent: Thursday, March 28, 2002 9:42 AM
Subject: Router question.. [7:39788]

> Hi all,
>
> My boss just come up and give me a scenario question like this. He told me
> that I owned a company which uses 3 different LANs, for example,
> 172.27.10.x, 172.27.11.x, 172.27.12.x. But I only have one cisco 2600 series
> router and 2900 series switch. I can't use the serial ports from the router.
> Just the two ethernet ports (by default). My question is, is it possible?
> Please advise.
>
> Thanks
>
> Ricky

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39820&t=39788
Re: Cisco PIX firewall book [7:33216]
I have the book and I also attended the PIX course he teaches for Global Knowledge. I think the book covers everything it needs to, but even if it didn't, it's the only game in town.

----- Original Message -----
From: "sam sneed"
To:
Sent: Friday, January 25, 2002 9:40 AM
Subject: Cisco PIX firewall book [7:33216]

> Has anyone read the Cisco Secure PIX Firewalls by David W. Chapman Jr.? I
> have no experience with PIX yet and need a good book to give me a
> foundation. I don't trust the reviews on Amazon and feel I could get better
> input from y'all.
>
> Thanks a lot
>
> sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33229&t=33216
RE: NAT commands [7:27539]
Nope, didn't miss the point. Here's part of a working configuration, with port redirection. I'm not discounting that linux or BSD or any other number of firewalls can do it, I'm just saying I've configured it and it works.

ip address outside 12.5.33.55 255.255.255.240
ip address inside 192.149.110.50 255.255.255.0
ip address dmz 192.168.1.1 255.255.255.0
...
static (dmz,outside) tcp 12.5.33.55 443 192.168.1.2 443 netmask 255.255.255.255 0 0

-----Original Message-----
From: David Tran [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 5:46 PM
To: Don Claybrook; [EMAIL PROTECTED]
Subject: Re: NAT commands [7:27539]

You are missing the point. Even if you are using "port mapping", you still need an additional IP address to redirect traffic to the Win2k. With linux or BSD, it is capable of redirecting traffic that hit the external IP address of the Firewall itself. Now, this is something the PIX can not do without using additional external IP. Even with version 6

----- Original Message -----
From: "Don Claybrook"
To:
Sent: Wednesday, November 28, 2001 6:11 PM
Subject: Re: NAT commands [7:27539]

> If that's "why PIX sucks", then take heart. It sucks no more, as of Version
> 6.0. Use port mapping.
>
> ----- Original Message -----
> From: "David Tran"
> To:
> Sent: Wednesday, November 28, 2001 2:19 PM
> Subject: Re: NAT commands [7:27539]
>
> > That's why PIX sucks. Go with Linux or BSD
> > ----- Original Message -----
> > From: "Rizzo, Damian"
> > To:
> > Sent: Wednesday, November 28, 2001 4:20 PM
> > Subject: RE: NAT commands [7:27539]
> >
> > > I do not think this will work. I had the exact same problem as below, though
> > > I was using a Cable connection. After talking with Cisco it was determined
> > > that the problem was attempting to forward GRE traffic. Since GRE is a
> > > Protocol and not a Port, it is extremely difficult to route and/or forward,
> > > and in the event you are using a PIX firewall, as I found out, it is just
> > > not possible. I actually had to purchase another IP address from my ISP so I
> > > could Static map it and use ACL's to open the GRE protocol. Hope this helps.
> > >
> > > -Rizzo
> > >
> > > -----Original Message-----
> > > From: NKP [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, November 28, 2001 8:50 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: NAT commands [7:27539]
> > >
> > > Hi All
> > > I have the following scenario.
> > > I have a Cisco 2600 router which is connected to the ISDN and I have got a
> > > fixed Ip address from my ISP which is assigned to the bri interface, it is
> > > connecting fine. All the internal addresses are translated on ethernet;
> > > on my ethernet I have a Windows 2K server.
> > > I want a remote user to connect to my Win2K server, how should I
> > > configure my router to send the request for authentication to this win2K
> > > server via VPN as it has a translated IP address. My remote client is on
> > > Win 98.
> > >
> > > My present router configs are given below
> > >
> > > thanks in advance,
> > >
> > > Navin Parwal
> > >
> > > Router#
> > > Router#
> > > Router#sh run
> > > Building configuration...
> > >
> > > Current configuration:
> > > !
> > > version 12.0
> > > service timestamps debug uptime
> > > service timestamps log uptime
> > > no service password-encryption
> > > !
> > > hostname Router
> > > !
> > > !
> > > memory-size iomem 10
> > > ip subnet-zero
> > > !
> > > ip dhcp pool local
> > >    network 192.168.1.0 255.255.255.0
> > >    default-router 192.168.1.1
> > >    dns-server 12.10.194.34
> > > !
> > > isdn switch-type basic-net3
> > > !
> > > !
> > > !
> > > !
> > > interface Ethernet0/0
> > >  ip address 192.168.1.1 255.255.255.0
> > >  no ip directed-broadcast
> > >  ip nat inside
> > >  no cdp enable
> > >  no mop enabled
> > > !
> > > interface Serial0/0
> > >  no ip address
> > >  no ip directed-broadcast
> > >  no ip mroute-cache
Re: NAT commands [7:27539]
If that's "why PIX sucks", then take heart. It sucks no more, as of Version 6.0. Use port mapping.

----- Original Message -----
From: "David Tran"
To:
Sent: Wednesday, November 28, 2001 2:19 PM
Subject: Re: NAT commands [7:27539]

> That's why PIX sucks. Go with Linux or BSD
> ----- Original Message -----
> From: "Rizzo, Damian"
> To:
> Sent: Wednesday, November 28, 2001 4:20 PM
> Subject: RE: NAT commands [7:27539]
>
> > I do not think this will work. I had the exact same problem as below, though
> > I was using a Cable connection. After talking with Cisco it was determined
> > that the problem was attempting to forward GRE traffic. Since GRE is a
> > Protocol and not a Port, it is extremely difficult to route and/or forward,
> > and in the event you are using a PIX firewall, as I found out, it is just
> > not possible. I actually had to purchase another IP address from my ISP so I
> > could Static map it and use ACL's to open the GRE protocol. Hope this helps.
> >
> > -Rizzo
> >
> > -----Original Message-----
> > From: NKP [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 28, 2001 8:50 AM
> > To: [EMAIL PROTECTED]
> > Subject: NAT commands [7:27539]
> >
> > Hi All
> > I have the following scenario.
> > I have a Cisco 2600 router which is connected to the ISDN and I have got a
> > fixed Ip address from my ISP which is assigned to the bri interface, it is
> > connecting fine. All the internal addresses are translated on ethernet;
> > on my ethernet I have a Windows 2K server.
> > I want a remote user to connect to my Win2K server, how should I
> > configure my router to send the request for authentication to this win2K
> > server via VPN as it has a translated IP address. My remote client is on
> > Win 98.
> >
> > My present router configs are given below
> >
> > thanks in advance,
> >
> > Navin Parwal
> >
> > Router#
> > Router#
> > Router#sh run
> > Building configuration...
> >
> > Current configuration:
> > !
> > version 12.0
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname Router
> > !
> > !
> > memory-size iomem 10
> > ip subnet-zero
> > !
> > ip dhcp pool local
> >    network 192.168.1.0 255.255.255.0
> >    default-router 192.168.1.1
> >    dns-server 12.10.194.34
> > !
> > isdn switch-type basic-net3
> > !
> > !
> > !
> > !
> > interface Ethernet0/0
> >  ip address 192.168.1.1 255.255.255.0
> >  no ip directed-broadcast
> >  ip nat inside
> >  no cdp enable
> >  no mop enabled
> > !
> > interface Serial0/0
> >  no ip address
> >  no ip directed-broadcast
> >  no ip mroute-cache
> >  shutdown
> >  no fair-queue
> >  clockrate 64000
> > !
> > interface BRI0/0
> >  ip address 202.157.70.61 255.255.255.0
> >  no ip directed-broadcast
> >  ip nat outside
> >  encapsulation ppp
> >  dialer string 226476
> >  dialer-group 1
> >  isdn switch-type basic-net3
> >  no cdp enable
> >  ppp chap refuse
> >  ppp pap sent-username jbc password
> >  hold-queue 75 in
> > !
> > ip nat inside source list 10 interface BRI0/0 overload
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 BRI0/0
> > no ip http server
> > !
> > access-list 10 permit any
> > dialer-list 1 protocol ip permit
> > !
> > !
> > line con 0
> >  transport input none
> > line aux 0
> > line vty 0 4
> >  login
> > !
> > no scheduler allocate
> > end
> >
> > This electronic mail transmission contains confidential information intended
> > only for the person(s) named. Any use, distribution, copying, or disclosure
> > by any other person is strictly prohibited. If you received this
> > transmission in error, please notify the sender by replying to e-mail and
> > destroy message. Opinions, conclusions, and other information in this
> > message that do not relate to the official business of MARAKON ASSOCIATES
> > shall be understood to be neither given nor endorsed by the company. When
> > addressed to MARAKON clients, any information contained in this e-mail is
> > subject to the terms and conditions in the governing client contract.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27599&t=27539
RE: The Scoop on PIX? [7:26607]
Benefits of PIX over FFS: More scalable, according to Cisco. They also push the separation of functions, i.e., let a router route and let a firewall stop the bad guys. Best I can do from memory from the MCNS text.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mcfadden, Chuck
Sent: Wednesday, November 28, 2001 12:03 PM
To: [EMAIL PROTECTED]
Subject: RE: The Scoop on PIX? [7:26607]

1. (Probably the only real reason) Off load processor overhead by having packet filtering happen somewhere other than the device that is trying to also perform routing tasks.
2. DMZ? (Can be handled via router, though [processor issue - see above])
3. Redundancy without the need for dual WAN connectivity

Those are about the only reasons I can think of. Any one else think of any?

I have no idea what PIX stands for...GREAT Question!!!

ccie1ab

-----Original Message-----
From: BASSOLE Rock [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 28, 2001 11:01 AM
To: [EMAIL PROTECTED]
Subject: RE: The Scoop on PIX? [7:26607]

-----Original Message-----
From: Andrew Michael [mailto:[EMAIL PROTECTED]]
Sent: Sunday, November 18, 2001 00:09
To: [EMAIL PROTECTED]
Subject: The Scoop on PIX? [7:26607]

Hi all. What are some of the reasons why a person would choose a PIX solution rather than a good router with the right IOS for security? From what I've read on Cisco's site, there does not seem to be the huge gap between using a router as a firewall solution vs. using a PIX, as some people make it sound. One last thing...for the life of me, I can't find what "PIX" stands for! Any help appreciated! Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27566&t=26607
Re: PIX 501 [7:27002]
There's only one "inside" interface. The remaining 3 ports act as switched ports on the same network you assign to the inside interface.

- Original Message -
From: "Ole Drews Jensen"
To:
Sent: Wednesday, November 21, 2001 9:31 AM
Subject: RE: PIX 501 [7:27002]

> Alex - you got me...
>
> I don't know if the 4 port switch works like one interface, or if you can use each of them as different subnets, but I hope to learn about that soon.
>
> Ole
>
> ~~~
> Ole Drews Jensen
> Systems Network Manager
> CCNP, MCSE, MCP+I
> RWR Enterprises, Inc.
> [EMAIL PROTECTED]
> ~~~
> http://www.RouterChief.com
> ~~~
> NEED A JOB ???
> http://www.oledrews.com/job
> ~~~
>
> -Original Message-
> From: Alex Lee [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 21, 2001 11:01 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX 501 [7:27002]
>
> I followed the link. The data sheet says:
>
> Quote
> Interfaces
> Console Port: RS-232 (RJ-45) 9600 baud
> Outside: Integrated 10BaseT port, half-duplex, RJ45
> Inside: Integrated auto-sensing, auto-MDIX 4-port 10/100 switch, RJ45
> Unquote
>
> The way I interpret this is that this PIX basically has two interfaces: one outside (10BaseT port) and one inside but implemented as a 4-port switch, which means you can only have two segments and no DMZ. Please correct me if I am wrong.
>
> ""Ole Drews Jensen"" wrote in message news:[EMAIL PROTECTED]...
> > If you look here (watch for wordwrap)
> >
> > http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/px501_ds.htm
> >
> > You will see that it has 4 x 10/100 Mbps ethernet interfaces.
> >
> > This could be a newer model, but this one with 10 users and 3DES encryption license, can be bought from new for $495.-
> >
> > Hth,
> >
> > Ole
> >
> > -Original Message-
> > From: David Tran [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, November 21, 2001 9:38 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: PIX 501 [7:27002]
> >
> > My take on the PIX501 is that it is similar to Cisco router 2501 in that the hardware is FIXED. It only has two interfaces. If you want to add another segment to your network (i.e. DMZ) then you have no choice but to upgrade to either a 515 or higher. Other than that, the PIX IOS code is the same throughout the PIX Series (with the exception that for the 501 and 506 you don't have redundancy (fail-over support).
> >
> > - Original Message -
> > From: "Alex Lee"
> > To:
> > Sent: Wednesday, November 21, 2001 9:57 AM
> > Subject: Re: PIX 501 [7:27002]
> >
> > > Has anyone used this PIX yet?
> > >
> > > There were some discussions about this topic 2 weeks(?) ago but none of the participants to the discussion has had any actual hands-on experience with the PIX 501 at that time.
> > >
> > > I got a quote from our supplier for a new PIX DES bundle with 10 user licence for less than $500.00.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27042&t=27002
Re: PIX 501 [7:27002]
Mine was back-ordered, but I finally got it about two weeks ago. I have had no problems at all with the box so far. In my home environment (w/dsl), it seems functionally equivalent to the 506. I have the DES/10 User license, using the 3.1 client to access my home network from work or on the road. I'm very pleased with the purchase so far.

- Original Message -
From: "Alex Lee"
To:
Sent: Wednesday, November 21, 2001 6:57 AM
Subject: Re: PIX 501 [7:27002]

> Has anyone used this PIX yet?
>
> There were some discussions about this topic 2 weeks(?) ago but none of the participants to the discussion has had any actual hands-on experience with the PIX 501 at that time.
>
> I got a quote from our supplier for a new PIX DES bundle with 10 user licence for less than $500.00.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27023&t=27002
Re: CSPFA 2.0 [7:25114]
I ordered the second one. I liked the questions and their level of difficulty. Unfortunately, while the test software seemed appropriate to the material, the test itself didn't. Without getting myself in dutch r.e. the NDA, I thought the test consisted in large part of questions that didn't have a great deal to do with PIX firewalls.

Now that I've safely avoided breaching the NDA, let me just say on a personal level that I LOVE authentication proxy. You should too.

Good luck.

- Original Message -
From: "John Chang"
To:
Sent: Friday, November 02, 2001 12:39 PM
Subject: CSPFA 2.0 [7:25114]

> Which of the 2 boson is the best for CSPFA 2.0? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=25128&t=25114
Re: PIX with PAT and VPN [7:23490]
PAT can now use the same address as the outside interface with the 'interface' keyword: e.g., global (outside) 1 interface

- Original Message -
From: "Patrick Ramsey"
To:
Sent: Wednesday, October 24, 2001 7:34 AM
Subject: RE: PIX with PAT and VPN [7:23490]

> You definitely want to use a different ip address for PAT than what you have set on the interface. I'm surprised PAT is even working, unless cisco has made some changes to their code recently.
>
> -Patrick
>
> >>> "Theodore stout" 10/24/01 02:02AM >>>
> I got the same access-lists on both sides and they have been verified by other people. I know this will not take me down.
>
> If you can e-mail me the config it would be great! I would like to see how it works in real life. So far 2 ISPs have failed to give me a working config. Everything is theoretical and promises but it doesn't work like Checkpoint.
>
> What I am fearing is that it is the command "Global (outside) 1 interface", that is giving me the grief. I think that I will need another IP address for PAT instead of using the same IP for the interface and PAT. In your response, you said that the negotiation is between (an) public IP address. Yes this is true, but what if it is the same as the interface?
>
> So far I have only seen this work with a pool of public IPs.
>
> Hansraj Patil wrote:
> >
> > I have seen this working. You have to use
> >
> > nat (inside) 0 access-list 101.
> >
> > The IPSec & IKE negotiation is between public IP address. So the question of port limitation does not arise. The internal IP addresses are not involved in IPSec negotiation. You use above statement to avoid routing problem between two LAN segments.
> >
> > Just make sure access-list is mirror image on both peers.
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, October 22, 2001 1:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: PIX with PAT and VPN [7:23490]
> >
> > I tried this and it did not work. When IPSEC negotiates a VPN session between the two PIX's, it will PAT an internal device from Network A as 206.112.71.5 and use 206.112.71.5:500 for the negotiation. Once another device wishes to access a device behind 206.112.71.6, it will have to use 206.112.71.5:500 as well. Cisco IPSEC will only allow one port 500 per IP. This means the original device will be moved from port 500 to a different port. IPSEC only uses port 500 for the negotiation and therefore the original connection fails.
> >
> > I did as you said but I added another command like this.
> >
> > Global (outside) 1 interface
> > nat (inside) 1 0.0.0.0 0.0.0.0 0 0.
> > Nat (inside) 0 access-list 101
> >
> > Access-list 101 is the traffic to be encrypted. I have tried not to use PAT with encrypted data because of the IP:Port limitation problem. However, it still won't work.
> >
> > Any more suggestions?
> >
> > [EMAIL PROTECTED] wrote:
> > >
> > > With PIX you must have one legal address for the outside interface on BOTH PIXs. That's actually enough to do what you want to do. Say that your legal address on PIX1 is 206.112.71.5/30. Go to PIX2 startup ipsec and input "isakmp key 'your key' address 206.112.71.5". Then input "crypto map 'your map-name' 'your sequence number' set peer 206.112.71.5"
> > > Say that your legal address on PIX2 is 206.112.71.6/30. Go to PIX1 startup ipsec and input "isakmp key 'your key' address 206.112.71.6" Then input "crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6"
> > >
> > > Now on PIX1 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0. Then input global (outside) 1 206.112.71.5
> > > Now on PIX2 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0. Then input global (outside) 1 206.112.71.6
> > > Now just complete your isakmp and crypto-map settings and you will be doing one single VPN between peers and PAT to the Internet. That's the best you can do on PIX with only a 30 bit legal subnet mask.
> > >
> > > John Squeo
> > > Technical Specialist
> > > Papa John's Corporation
> > > (502) 261-4035
> > >
> > > "Theodore stout"
> > > Sent by: nobody@groupstudy.com
> > > 10/19/01 02:23 AM
> > > Please respond to "Theodore stout"
> > >
> > > To: [EMAIL PROTECTED]
> > > cc:
> > > Subject: PIX with PAT and VPN [7:23490]
> > >
> > > Hello everyone.
> > >
> > > I am trying to implement 2 Internet connectivity solutions while at the same time creating
RE: help with troubleshooting Cisco VPN connection [7:23695]
Looks like you have the NAT 0 in place. I'm wondering about the IP Pool. I see your access-list 101 allows 172.16.1.0 to 172.16.2.0, both subnetted to /24. I wonder if maybe the PIX is looking at the IP Pool as a Class B address since you cannot specify the mask in the IP Pool statement? If so, would it work to do an access-list like:

Access-list 101 permit ip 172.16.0.0 255.255.0.0 172.16.0.0

Just a guess.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anh Lam
Sent: Sunday, October 21, 2001 4:01 PM
To: [EMAIL PROTECTED]
Subject: help with troubleshooting Cisco VPN connection in [7:23695]

Can someone in this group help me with this problem?

I am trying to setup VPN connections for remote users (people who use laptops on the road or people who are on their own corporate network) to connect to my home network using IPSec. I am using a PIX515-UR Firewall at my home network. The external IP address (outside) of the PIX is 66.61.46.240 while the internal IP address (inside) of the PIX is 172.16.1.254. On the PIX, I also setup an IP pool so that the PIX will assign IP address to remote clients when they connect to my home network. This ip pool has ip range of 172.16.2.1-172.16.2.254.

On the clients side, everyone is running Cisco VPN client software version 3.0.6.rel2-k9 which I download from Cisco website. The clients are running either WinNT 4.0 workstation, or Win2k Professional or RedHat Linux 7.1 with kernel 2.4.10.

When a client attempts to make a VPN connection to the PIX (66.61.46.240), the connection is successful and the client is also assigned an IP address of 172.16.2.1. So what is the problem you ask? Well, even though the client is successfully authenticated to my home network, he/she can NOT ping any of the devices in the 172.16.1.0/24 network. From the client, I can see the packet gets encrypted before sending out but nothing coming back (the counter on the packet decrypted on the client is zero).

Rebooting the PIX several times did not resolve the situation either. At this point, I decided to replace the PIX515 with a PIX520 with the exact configuration. With the PIX520, everything WORKS. Client can access devices on the 172.16.1.0/24 network. I am running the same PIX IOS code on both the 515 and 520. Am I missing something in the PIX515? I thought since I am running the Un-Restricted(UR) license, VPN is supported.

Below is the configuration of the PIX515. Please help. Thanks.

Anh

ciscopix#sh ver

Cisco PIX Firewall Version 6.1(1)
Cisco PIX Device Manager Version 1.0(2)

Compiled on Tue 11-Sep-01 07:45 by morlee

ciscopix up 9 hours 37 mins

Hardware: PIX-515, 96 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB

0: ethernet0: address is 0050.54ff.7a24, irq 10
1: ethernet1: address is 0050.54ff.7a25, irq 7
2: ethernet2: address is 00aa.00bc.ba87, irq 11

Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited

ciscopix# wr t
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security99
enable password xxx encrypted
passwd x encrypted
hostname ciscopix
domain-name micronet.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0
access-list 80 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 100full shutdown
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 66.61.46.240 255.255.248.0
ip address inside 172.16.1.254 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 172.16.2.1-172.16.2.254
no failover
failover timeout 0:00:00
failover poll 15
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
pdm location 164.109.0.0 255.255.0.0 outside
pdm location 172.16.1.0 255.255.255.0 inside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
conduit permit ip any any
route outside 0.0.0.0 0.0.0.0 66.61.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http 172.16.1.0 255.255.255.0 inside
RE: Ask for suggestions about network security career [7:23816]
I'm looking at this issue from the non-CCIE-of-any-sort-as-yet perspective, but doesn't the security CCIE require all of the knowledge of a R/S CCIE, plus the security components? And if so, why not get the R/S CCIE first and then work on the security CCIE? In this way, you could blow right past the 1700 CCIE per month thread posted here recently with the vaunted double-CCIE. Worn out brain cells or not, don't you have to have the knowledge of a Routing & Switching CCIE to be prepared for the Security CCIE?

My two cents' worth.

Would be interested in this subject as well. I'm at that point where I could go either way and have concentrated on subjects common to both CCIE R/S and CCIE Security but must commit to one path soon as it may well be I only get one shot at getting this right (for once). Security is pulling a lot of press attention but don't see the corresponding interest in the job market and what I see reflects a lack of value of the skills (IMHO), course days are lean now and the current situation is volatile so we are looking into the future. R/S is more "fun" and perhaps more flexible but then we are in this for the money in the end. I know it would be great to do both but there are limits on my time and my worn out brain cells.

Some help gurus? Fortune tellers? Ms Cleo? Wild as* guesses? All correct answers will receive a lifetime supply of bragging rights.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of swei yang
Sent: Monday, October 22, 2001 4:17 PM
To: [EMAIL PROTECTED]
Subject: Ask for suggestions about network security career [7:23816]

Just got CCNP last week. Not sure what to do next. I'm more interested in the network security field. Should I go for CCIE or Cisco's security cert? If I really want to join the computer/network security field as my career, what's the best way to achieve it?

Thanks for your suggestion.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=23833&t=23816
Re: TCP TURN? [7:22083]
Were there any Marketing types in these meetings?

- Original Message -
From: "Ouellette, Tim"
To:
Sent: Thursday, October 04, 2001 11:23 AM
Subject: TCP TURN? [7:22083]

> Does anyone know what a TCP Turn is? I've heard this mentioned on a couple of conference calls I've been on lately and I can't seem to find out much information on it. Not sure if maybe it's a non-technical term used for a syn-ack type deal or what. Can anyone shed some light on this? Thanks a bunch!
>
> Tim
>
> Timothy Ouellette, Infrastructure Analyst
> MCSE, CCSE, CCNP/DP
> EDS - New Business Implementation
> 1075 W. Entrance Drive
> Auburn Hills, MI 48236
>
> 01-248-754-7535
> [EMAIL PROTECTED]
> Pager 888-351-4584
> www.eds.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=22111&t=22083
Re: Passed CCIE Written [7:20719]
Many congratulations, especially under such tough circumstances. Without editorializing too much, your passing the written almost seems patriotic in a way, or maybe I'm just off base. In any case, more power to you, and I hope to be joining your ranks in a few short months.

Don Claybrook

- Original Message -
From: "James Haynes"
To:
Sent: Friday, September 21, 2001 12:57 PM
Subject: Passed CCIE Written [7:20719]

> Just wanted to thank all those who have provided answers to me over the last year as I have worked on my certs and to those people who post questions and answers that are just downright interesting. It was a little harrowing over the last week and a half because I was scheduled to take the test on the 15th, but my sister was caught at the Towers during the attack and it was quite an emotional time. She made it out and is recovering, but it certainly took a lot of wind out of my sails as far as studying. I rescheduled the test and passed it yesterday. I got an 85 on it and thought it wasn't as bad as it could have been. I have to say that the Certification Zone was a great place for papers on specific topics. I really liked the ATM paper and since I don't work with ATM it made it understandable from the ground up in a way I hadn't absorbed before. I used the same books as everyone here Doyle, Caslow, etc and Boson #'s 1, 2, and 3. I must say that there was so much that I learned just from the study process that brought a great many concepts and ideas together that it was worth the effort just to do the studying. Thanks again all, and it's on to the lab.
>
> --
> James Haynes
> Network Architect
> Cendant IT
> A+,MCSE,CCNA,CCDA,CCNP,CCDP,
> CQS-SNA/IPSS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20721&t=20719
VPN Client 3.0 Through Watchguard [7:20461]
Afternoon, all.

I work for a reseller and support a good number of PIX firewalls with an outside telnet connection using the VPN 3.0 client. My company uses a Watchguard Firebox 2 as its own firewall (don't ask, I've tried). Right now, I'm dialing an ISP to get an outside address and launching the VPN client from this point; this isn't desirable. I'd like to open ports on the Watchguard, presumably TCP 50 and 51 and UDP 500. The person here who takes care of the Watchguard isn't sure how to accomplish this. Busy guy, I guess.

Anyhow, I've tried a few things with this person, but I have no complete fix so far. We have opened ports 50, 51, and UDP 500. I can get to the point where the tunnel is established, but I cannot get to the ethernet behind the remote firewall. The local (Watchguard) firewall has logging information that seems to indicate that it's trying to send my telnet or icmp request to the Internet where, of course, it's immediately dropped. This is a little confusing; I thought the packet would be encrypted, with the source and destination addresses matching the 2 firewalls' outside interfaces. I didn't think that the Watchguard would have the chance to even see the payload that contains my "real" destination.

So I guess I'm wondering if there's anyone out there who has set up something similar or, if not, could at least give me some theory or tell me where I'm screwing up. I should mention that when I make a dialup connection to an ISP and use the VPN client from there, I can telnet to the outside interface, and I can access the inside network(s) behind the PIX, so I'm sure the PIX is set up right.

Any guideposts appreciated. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20461&t=20461
Re: Telnet on PIX outside interface [7:20271]
I set up telnet to the outside if with every PIX I send out the door. It does require IPSec and I use v6.01 and VPN client 3.0/3.1 (don't know the ins and outs on older versions). Below is a sample configuration that's actually in use, with the IP's changed to protect the innocent.

Note that the basic elements include: defining an IP local pool, creating an access list with source address being the outside interface of the PIX and the destination being the IP Pool range. Then, of course, you have to do the telnet outside statement and the rest of the IPSec stuff. Note that with this configuration you would need to set up a client to go to address 99.12.192.121, with the username vpnuser and the password idontthinkso.

Below is a sample, from a 506:

PIX Version 6.0(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable xoxoxoxo
passwd abababab
hostname asdf
...
...
access-list 91 permit ip host 99.12.192.121 192.168.210.0 255.255.255.0
...
...
ip address outside 99.12.192.121 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
...
...
ip local pool vpnpool 192.168.210.1-192.168.210.30
...
...
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set triple esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set triple
...
...
crypto map clientmap 20 ipsec-isakmp dynamic dynmap
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap interface outside
isakmp enable outside
...
isakmp client configuration address-pool local vpnpool outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 28800
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 1000
vpngroup vpnuser address-pool vpnpool
vpngroup vpnuser idle-time 1800
vpngroup vpnuser password idontthinkso
telnet 192.168.210.0 255.255.255.0 outside
...
telnet timeout 5
...
...

- Original Message -
From: "MADMAN"
To:
Sent: Tuesday, September 18, 2001 8:09 AM
Subject: Re: Telnet on PIX outside interface [7:20271]

> If what you're trying to do is telnet to the PIX outside interface, no can do.
>
> dave
>
> NRB wrote:
> >
> > Guys/Gurus,
> >
> > Can anyone please help me in setting up Telnet access on outside interface of PIX.
> > I heard that we need to use IPSec and Cisco VPN client. I do not have VPN client, can it still be done. Please help.
> >
> > Thanks,
> > NRB
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=20290&t=20271
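Three threads on this page turn on the same configuration check: the PIX 515 troubleshooting thread (does the nat 0 access-list really cover the whole ip local pool?), the telnet-to-outside recipe above (does the access list and the telnet statement admit the pool range?), and the "mirror image access-list on both peers" advice in the PAT-and-VPN thread. The following is an added example, written for this page and not taken from any list post or from Cisco, that parses the relevant PIX 6.x lines and verifies those three properties. The function names, the sample configurations (modelled on the lines the posters showed) and the 192.168.x LAN addresses used for the site-to-site pair are assumptions of the example.

```python
"""PIX 6.x VPN config sanity checks (added example, not from the list posts).

Understands only the command forms the threads use:
  access-list NAME permit ip SRC DST    SRC/DST = any | host A.B.C.D | A.B.C.D MASK
  ip local pool NAME FIRST-LAST
  nat (IFACE) 0 access-list NAME
  telnet A.B.C.D MASK IFACE
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address
Ace = Tuple[Net, Net]  # (source, destination) of one "permit ip" entry


def _endpoint(tok: List[str]) -> Tuple[Net, List[str]]:
    """Consume one ACL endpoint and return it with the remaining tokens."""
    if tok[0] == "any":
        return Net("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return Net(tok[1] + "/32"), tok[2:]
    return Net(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]  # address + netmask


def parse_config(text: str) -> dict:
    """Collect ACLs, pools, the nat 0 ACL name and telnet statements."""
    acls: Dict[str, List[Ace]] = {}
    pools: Dict[str, Tuple[Addr, Addr]] = {}
    telnet: List[Tuple[Net, str]] = []
    nat0: Optional[str] = None
    for line in text.splitlines():
        tok = line.split()
        cmd = tok[0].lower() if tok else ""
        if cmd == "access-list" and len(tok) >= 6 and tok[2:4] == ["permit", "ip"]:
            src, rest = _endpoint(tok[4:])
            dst, _ = _endpoint(rest)
            acls.setdefault(tok[1], []).append((src, dst))
        elif tok[:3] == ["ip", "local", "pool"]:
            first, last = tok[4].split("-")
            pools[tok[3]] = (Addr(first), Addr(last))
        elif cmd == "nat" and len(tok) >= 5 and tok[2] == "0" and tok[3] == "access-list":
            nat0 = tok[4]
        elif cmd == "telnet" and len(tok) == 4:
            telnet.append((Net(f"{tok[1]}/{tok[2]}", strict=False), tok[3]))
    return {"acls": acls, "pools": pools, "nat0": nat0, "telnet": telnet}


def _uncovered(ranges: List[Net], covers: List[Net]) -> List[Net]:
    """Parts of `ranges` that no network in `covers` contains, sorted."""
    remaining = list(ranges)
    for cover in covers:
        nxt: List[Net] = []
        for net in remaining:
            if net.subnet_of(cover):        # fully covered: drop it
                continue
            if cover.subnet_of(net):        # cover lies inside net: carve it out
                nxt.extend(net.address_exclude(cover))
            else:                           # CIDR blocks are nested or disjoint
                nxt.append(net)
        remaining = nxt
    return sorted(remaining)


def pool_networks(pool: Tuple[Addr, Addr]) -> List[Net]:
    """Express a FIRST-LAST pool as the minimal list of CIDR blocks."""
    return list(ipaddress.summarize_address_range(*pool))


def nat0_gaps(cfg: dict, pool_name: str) -> List[Net]:
    """Pool addresses no destination of the nat 0 ACL exempts from NAT.
    Return traffic to such a client would be translated instead of going
    back through the tunnel, matching the symptom 'encrypted but nothing back'."""
    if cfg["nat0"] is None:
        return pool_networks(cfg["pools"][pool_name])
    dsts = [dst for _, dst in cfg["acls"].get(cfg["nat0"], [])]
    return _uncovered(pool_networks(cfg["pools"][pool_name]), dsts)


def telnet_gaps(cfg: dict, pool_name: str, iface: str = "outside") -> List[Net]:
    """Pool addresses the telnet statements for `iface` do not admit."""
    nets = [net for net, ifc in cfg["telnet"] if ifc == iface]
    return _uncovered(pool_networks(cfg["pools"][pool_name]), nets)


def is_mirror(acl_a: List[Ace], acl_b: List[Ace]) -> bool:
    """True when every (src, dst) on one peer appears as (dst, src) on the other."""
    return {(s, d) for s, d in acl_a} == {(d, s) for s, d in acl_b}


# Constructed sample, modelled on the PIX 515 configuration in the troubleshooting thread.
SAMPLE_515 = """\
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0
ip local pool ippool 172.16.2.1-172.16.2.254
nat (inside) 0 access-list 101
"""
# Constructed: the same box after someone widened the pool past what the ACL exempts.
SAMPLE_BROKEN = SAMPLE_515.replace("172.16.2.1-172.16.2.254", "172.16.2.1-172.16.3.254")
# Constructed sample, modelled on the 506 telnet-to-outside lines shown above.
SAMPLE_506 = """\
access-list 91 permit ip host 99.12.192.121 192.168.210.0 255.255.255.0
ip local pool vpnpool 192.168.210.1-192.168.210.30
telnet 192.168.210.0 255.255.255.0 outside
"""
# Constructed site-to-site pair; the LAN addresses are assumptions (the thread only gives the public /30s).
PIX1_ACL = "access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0\n"
PIX2_ACL = "access-list 101 permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0\n"

if __name__ == "__main__":
    print("515 nat 0 gaps:", nat0_gaps(parse_config(SAMPLE_515), "ippool"))        # []
    print("widened pool gaps:", nat0_gaps(parse_config(SAMPLE_BROKEN), "ippool"))  # 172.16.3.x blocks
    print("506 telnet gaps:", telnet_gaps(parse_config(SAMPLE_506), "vpnpool"))    # []
    print("peers mirror:", is_mirror(parse_config(PIX1_ACL)["acls"]["101"],
                                     parse_config(PIX2_ACL)["acls"]["101"]))        # True
```

The pool is expanded into CIDR blocks with summarize_address_range and each block is carved against the ACL destinations, so a pool that straddles a /24 boundary (the widened sample) reports exactly the addresses left unexempted rather than a yes/no answer. Run the checker against the running config (show running-config output) on both peers; the mirror test is the one thing the PAT-and-VPN thread says must hold on each side.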
RE: One Journalist's Opinion of CCIE [7:18843]
You might have a point, Chuck. And I've not attained a CCIE but if we can use CCNP/CCDP as an analogue, consider the following: when studying for Cisco tests, I've been as guilty as anyone else of "cramming" in order to pass the test. But I think (I hope) I have a sense of what the "meat" is versus what the "fluff" is, or those concepts that I will use over and over as opposed to those things I'm not likely to run into again and just need to memorize for purposes of a test. In any given week, I'm apt to run into frame relay, ISDN, PIX/VPN/FFS, dynamic routing, VLANs, Trunking, and on and on. In other words, it pays to read for understanding. It's not the same as a political science test that one might study for in college. The only real-world application (for most) is having an edge in good political conversation. But I see a direct corollary between test/study material and doing my job successfully, and I see it every day.

I think that what I am saying is that studying for certifications in the manner I do has a direct and positive impact on the competence of my work. I'll grant that one may be able to pass a CCIE lab some other way, but I personally don't think I could succeed that way and I think it would be a terrible waste of time for me to engage in such a thing.

Lastly, there's a fear factor. I have this dream about passing the lab the first time around (realistic? You tell me, but that's the dream). In order to have the faintest chance of passing on the first go-round, my knowledge had better be both deep and wide. Put another way, I don't want to "squeak by" in the lab. I would like for a proctor to look at my work and say, yes, this person does work commensurate with the CCIE-level. I want it to be a gauge of my overall ability and not a gauge of my temporary "ability" at some slice in time that's not sustainable. I don't think I'm alone in feeling this way. And so I took umbrage at the article when I saw the words "minimal competence" attached to CCIE.

I guess you're right, Chuck. It depends.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chuck Larrieu
Sent: Thursday, September 06, 2001 7:07 PM
To: [EMAIL PROTECTED]
Subject: RE: One Journalist's Opinion of CCIE [7:18843]

like everything else in this business, the answer is "it depends".

sorry folks, but CCIE's are not gods who walk among us. I personally know several CCIE's who are top notch and deserving of every dollar they get and every contract they land. I also personally know a couple who couldn't tell you how a packet gets from one interface to another in a router.

all the CCIE certification proves is that you have passed Cisco's lab test. It does not prove one way or another whether you know jack about networking. I suggest that there is a percentage of the 2000 or so who have attained the cert since last year who did so only because they successfully memorized enough scenario configurations that they were able to luck their way through when their lab closely resembled one of those scenarios they memorized. I personally know several folks who passed over the last 18 months whose only hands on experience was in their practice labs. Of these, all were pretty sharp dudes, by the way.

From personal experience I can tell you that I saw absolutely nothing in my lab that made me wish I'd spent more time reading RFC's, or Comer, or any of the other great books of the networking world. I saw plenty that made me wish I'd spent more time on certain practice materials readily available (I refer to the commercially available products. please do not contact me for names and sources)

whenever this topic comes up, I see the same kinds of thought processes as I used to see in the days when people asked what good an English degree did you in the job market. It isn't the degree. it's the intelligence behind it.

hate to say it, kids, but the CCIE has no clothes. Experience is what really matters. the certification to many is just a ticket, just the beginning. to those with a lot of experience, it is merely a validation of the skill set. in and of itself it is like any other piece of paper - representative of something, but perhaps not representative of what you may think.

Chuck
back to the pod - got lots to do before December 3

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Don Claybrook
Sent: Thursday, September 06, 2001 11:32 AM
To: [EMAIL PROTECTED]
Subject: One Journalist's Opinion of CCIE [7:18843]

I just ran across this one in Fortune Small Business. Below is an excerpt. The journalist (Larry Seltzer) is attempting to give tips on how to hire technical consultants to do work for your small business. He's talk
One Journalist's Opinion of CCIE [7:18843]
I just ran across this one in Fortune Small Business. Below is an excerpt. The journalist (Larry Seltzer) is attempting to give tips on how to hire technical consultants to do work for your small business. He's talking about how certifications aren't as important as one might think:

"When looking for qualified help, don't read too much into a consultant's alphabet soup of certifications. They don't signify ability, just as my political science degree doesn't make me your next President. Terms like CCIE (Cisco Certified Internetwork Expert) indicate only successful completion of the program and minimal competence in the product."

I wish I knew this guy's email address. Anyway, I thought the group might get a kick out of it. Here's the link in case you want to read the whole thing:

http://netbusiness.netscape.com/fsb/features/sp_f_090601_1.psp

Don Claybrook
CCNP, CCDP (but not yet up to the minimal competence level of CCIE)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=18843&t=18843
1900 CLI Same as Cat5K? [7:17177]
Hello, all.

I hope I'm not being redundant redundant, but I can't locate this in the archives, so here goes: I haven't had the occasion to do much with either the Catalyst 5000 or the 1900 series, I've only worked with 2912/24. For purposes of studying for an eventual CCIE lab, are the 'set' and 'clear' commands pretty much the same for both series? To get right to the point, can I purchase the cheaper 1900 series and essentially learn the CLI structure of the Catalyst 5000 in this manner?

Thanks,

Don

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=17177&t=17177