RE: hacking challenge [7:66720]

2003-04-03 Thread Evans, TJ (BearingPoint)
I would have to take issue with the following statement:
"
You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched.
"


-MANY- so-called vulnerabilities are actually by design, we usually call
them features.  This is where the quality of the original coding, the
quality/details of the installation/configuration, and the layers wrapped
around all of this come together. 

Typically, we as users have no control over the coding aspect, aside from
auditing the application in question before deploying it and choosing your
vendor accordingly.

The installation / config is *very* important.  Nearly every vulnerability
would be bypassed if we could just disable all of the services, or leave the
machine without a network connection :).  Code Red and Slammer, to cite two
VERY BIG examples, would never have been an issue if the "recommended best
practices" from the vendor (MS, in this case) had been followed.

Patching, of course, is not to be underrated.  This *REALLY* comes into play
when the vulnerability exists in the services you offer - web services or
SQL, for ex.



I hate to sound repetitive, but the key lies in knowing how to address all
applicable layers and to maintain vigilance in doing so.  "Defense in Depth"
Thanks!
TJ
-Original Message-
From: Symon Thurlow [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 4:09 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

This prompts me to say something about a comment from a previous poster
about how vulnerable Windows is compared to Linux/xBSD etc

I see many, many vulnerability alerts weekly for *nix based systems.
Probably just as many as you see for Windows.

You should of course harden any Internet facing network device, however
the point is not really the type of server OS you run, or the Apps on
it, but how good you are at proactively keeping them patched. 

I suggest that you go to some firewall vendor sites and plagiarise a bit
of marketing guff if you want to sell the firewall idea to a sceptic,
although just plonking a firewall in front of your unpatched sendmail
server won't achieve a great deal.

My 2c, YMMV

Symon



-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: 03 April 2003 20:05
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]


there's an access list on the ethernet interface thats directly
connected to a dsl modem.

they're allowing telnet and smtp to basically, any any plus various
other protocols from/to specific addresses.  There're only two outside
addresses that are natted but it's really hideous and the access list is
the only thing resembling a layer of security between the internet and
their server farm.

I was just hoping to hear some really good verbiage about how vulnerable
they are.  I've told them for 3 months to get a pix but it just ain't
sinking in. Now they've got a worm loose on their mail server that's
bringing down their main host system and their internet line (but that's
another story).



> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> Wilmes, Rusty wrote:
> > 
> > this is a general question for the security specialists.
> > 
> > Im trying to convince a client that they need a firewall
> > 
> > so hypothetically,
> > 
> > if you had telnet via the internet open to a router (with an access 
> > list that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
> 
> Do you actually mean that you are allowing Telnet and SMTP to
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even 
> for people who
> don't know the password because passwords are often guessable.
> 
> But I don't think that's what you meant...
> 
> Allowing Telnet and SMTP through the router is more common,
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets 
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all 
> text as clear
> text, including passwords.
> 
> The question is really how vulnerable is the operating system
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like 
> your client is
> the type that hasn't? In fact, the server is probably busy 
> attacking the
> rest of us right now! ;-0
> 
> So, as far as convincing your customer
> 
> The best way may be to put a free firewall, like Zone Alarm,
> on the decision
> maker's computer and show her/him all the attacks happening 
> all the time. Or
> if she already has a firewall,

RE: hacking challenge [7:66720]

2003-04-03 Thread Evans, TJ (BearingPoint)
So ... doesn't that give them enough supporting evidence all by itself?
If not, maybe it is a lost cause?

As an aside - a pix, if it was permitting the offending port through as
well, may not have stopped the worm either.  Think "Defense in Depth".  A
firewall, while a necessity for -everyone- (IMHO) is not a cure-all; it is a
piece of a very large, very complex puzzle (even for a small network!).

..
Have someone in a Decision-making position there read "Hacking __(pick an os
- Windows2k, Linux, etc.)", or attend a SANS course (or just visit their
reading room - TONS of articles).  Read Eric Cole's or Ed Skoudis's books.
.. or, teach him/her to use google ... 


Thanks!
TJ
-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 03, 2003 2:05 PM
To: [EMAIL PROTECTED]
Subject: RE: hacking challenge [7:66720]

there's an access list on the ethernet interface thats directly connected to
a dsl modem.

they're allowing telnet and smtp to basically, any any plus various other
protocols from/to specific addresses.  There're only two outside addresses
that are natted but it's really hideous and the access list is the only thing
resembling a layer of security between the internet and their server farm.

I was just hoping to hear some really good verbiage about how vulnerable they
are.  I've told them for 3 months to get a pix but it just ain't sinking in.
Now they've got a worm loose on their mail server that's bringing down their
main host system and their internet line (but that's another story).



> -Original Message-
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 03, 2003 8:46 AM
> To: [EMAIL PROTECTED]
> Subject: RE: hacking challenge [7:66720]
> 
> 
> Wilmes, Rusty wrote:
> > 
> > this is a general question for the security specialists.
> > 
> > Im trying to convince a client that they need a firewall
> > 
> > so hypothetically, 
> > 
> > if you had telnet via the internet open to a router (with an
> > access list
> > that allowed smtp and telnet) (assuming you didn't know the
> > telnet password
> > or the enable password)that had a bunch of nt servers on
> > another interface,
> 
> Do you actually mean that you are allowing Telnet and SMTP to 
> go through the
> router? You said "to" above which is confusing. Allowing Telnet to the
> router unrestricted would be a horrible security hole, even 
> for people who
> don't know the password because passwords are often guessable.
> 
> But I don't think that's what you meant...
> 
> Allowing Telnet and SMTP through the router is more common, 
> especially SMTP.
> You have to allow SMTP if you have an e-mail server that gets 
> mail from the
> outside world. Avoid Telnet, though, if you can. It sends all 
> text as clear
> text, including passwords.
> 
> The question is really how vulnerable is the operating system 
> that the SMTP
> server is running on? It's probably horribly vulnerable if your client
> hasn't kept up with the latest patches, and it sounds like 
> your client is
> the type that hasn't? In fact, the server is probably busy 
> attacking the
> rest of us right now! ;-0
> 
> So, as far as convincing your customer
> 
> The best way may be to put a free firewall, like Zone Alarm, 
> on the decision
> maker's computer and show her/him all the attacks happening 
> all the time. Or
> if she already has a firewall, walk her through the log.
> 
> Good luck. I have a good book to recommend on this topic:
> 
> Greenberg, Eric. "Mission-Critical Security Planner." New 
> York, New York,
> Wiley Publishing, Inc., 2003.
> 
> Here's an Amazon link:
> 
> http://www.amazon.com/exec/obidos/ASIN/0471211656/opendoornetw
> inc/104-9901005-4572707
> 
> Priscilla
> 
> > how long would it take a determined hacker a) cause some kind
> > of network
> > downtime and b) to map a network drive to a share on a file
> > server over the
> > internet. 
> > 
> > Thanks,
> > Rusty
> > 
> > > -Original Message-
> > > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > > Sent: Wednesday, April 02, 2003 1:44 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: VLAN loop problem [7:66656]
> > > 
> > > 
> > > Yes,
> > > it prevents loops in spanning tree on layer 2 switches from 
> > > causing a loop
> > > by disabling the port on a cisco switch...
> > > 
> > > 
> > > Larry Letterman
> > > Network Engineer
> > > Cisco Systems
> > > 
> > > 
> > > 
> > > 
> > > 
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] 
> > > [mailto:[EMAIL PROTECTED] Behalf Of
> > > > Thomas N.
> > > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: Re: VLAN loop problem [7:66656]
> > > >
> > > >
> > > > What does "portfast bpdu-guard" do?  Does it prevent
> > interfaces with
> > > > portfast enabled from causing the loop in my scenario?
> > > >
> > > >
> > > > ""Larry Letterman""  wrote in message
> > > > news:[EMAIL PROTECTED]
> > > >
> > > > > port mac
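The access list Rusty describes (Telnet and SMTP permitted any/any on the DSL-facing interface) placed next to a tightened version, as an added Cisco IOS example that is not part of any post in this thread. Interface names, access-list numbers and addresses are constructed: 192.0.2.10 stands for the mail server's public (NATted) address and 192.0.2.50 for one administrator's fixed address.

```cisco
! Constructed example, not from the thread. Addresses are RFC 5737 documentation space.
!
! --- As described in the thread: Telnet and SMTP from anywhere to anywhere ---
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq smtp
access-list 101 deny   ip any any
!
interface Ethernet0
 description DSL uplink (outside)
 ip access-group 101 in
!
! --- Tightened version ---
! SMTP only to the mail server's public address (an inbound ACL on the outside
! interface is evaluated before NAT, so it must match the global address).
access-list 102 permit tcp any host 192.0.2.10 eq smtp
! Replies to sessions opened from inside. "established" is a stateless check on
! TCP flags; a stateful firewall such as the PIX discussed in the thread does this properly.
access-list 102 permit tcp any any established
! Everything else from the Internet is dropped and logged; the resulting log is
! the evidence of constant probing that Priscilla suggests showing the decision maker.
access-list 102 deny   ip any any log
!
interface Ethernet0
 description DSL uplink (outside)
 ip access-group 102 in
!
! Router management: no Telnet from the Internet at all. SSH only, from one
! management address, with the VTY lines restricted by access-class.
hostname edge-rtr
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
access-list 10 permit host 192.0.2.50
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 5 0
!
! Port 25 to the mail server is still open by design: the ACL cannot protect an
! unpatched SMTP service, which is exactly TJ's "Defense in Depth" point.
```

The tightened list reduces what is reachable from the Internet to one service on one host; it does nothing for that service itself, so patching the mail server remains the other half of the job the thread argues about.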

RE: PATCH PANEL stuff [7:64503]

2003-03-05 Thread Evans, TJ (BearingPoint)
Watch out for port specific settings (VLAN assignments, speed, duplex,
portfast, description/names, trunk settings, etc.) too; i.e. - once you
unplug everything you will need to either plug the cables into the same
ports or at the very least ensure the new port gets similar settings.

If this is an issue in your environment this can be the most time-consuming
part of the whole event!

Obviously - if you have a large flat network of all hosts (minus an uplink
or 12) most of these are less of an issue.  FWIW you should also ensure the
port description/names are 'descriptive' ... either the hostname, the
rack/server location, etc - what matters is that it is meaningful to you :)



TJ
-Original Message-
From: Nate [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2003 4:06 PM
To: [EMAIL PROTECTED]
Subject: Re: PATCH PANEL stuff [7:64503]

Sam,

  A lot of the questions can be answered by knowing how the cables are
strung into the racks.  For esthetics, I rewire everything, but each admin
is different as well as managements needs.  I'd say if you had to rewire and
repunch down everything for the patch panel as well as rewire all of the CAT
5 you'll have to allow yourself at least a couple of hours of downtime for
rewiring, reorganizing, and testing.

  What I suggest is to label everything.  Labels save lives.  After that,
I'd suggest creating step-by-step instructions for yourself (i.e. [1]
Unplug all RJ45 cables. [2] Pull all punched cables from back of Patch
Panel. [3] Rewire RJ 45 cable. [4]  you get the picture).  That way,
there are no surprises and nothing you forgot.

  Just a suggestion.

-Nate


- Original Message -
From: "Sam" 
To: 
Sent: Wednesday, March 05, 2003 10:19 AM
Subject: PATCH PANEL stuff [7:64503]


> Hey Guys,
> In my wiring closet, I have about 3 racks and about 10 patch panels(The
> Racks got capacity for at least 30 PP's)
>
> I need to move a patch panel out and to the rack next to the one it
> currently is on. What is the best way to do this? Do i have to follow this
> kind of procedure:
>
> -remove all the cables connected to the back of this patch panel and then
> label the cables
> -move the patch panel to the other rack
> -looking at the labels, again punch-down these cables to their appropriate
> locations.
>
> Would this be the normal way of doing it? Or can I simply unscrew the
patch
> panel from the rack and then somehow move it with the cables still
connected
> to the other rack. This way, the cables won't be sorted as well as they
> would be normally but it should be ok i think..
>
> My other question is how long does it take on an average to punch down a
> single cable(4pairs) onto the back of the patch panel? I've never done it,
> though I think after I buy the tools, I would be able to figure it out.
> Please give me an approximation. For eg. Making a straight-cable takes
about
> 4-6 minutes
>
> Thx
> Sam
**
The information in this email is confidential and may be legally 
privileged.  Access to this email by anyone other than the 
intended addressee is unauthorized.  If you are not the intended 
recipient of this message, any review, disclosure, copying, 
distribution, retention, or any action taken or omitted to be taken 
in reliance on it is prohibited and may be unlawful.  If you are not 
the intended recipient, please reply to or forward a copy of this 
message to the sender and delete the message, any attachments, 
and any copies thereof from your system.
**




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64555&t=64503
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: VPN client conflict [7:63951]

2003-02-27 Thread Evans, TJ (BearingPoint)
Dunno (if)/(how much) this helps - but I have heard similar complaints /
issues WRT the Nortel Contivity client and the Cisco VPN Client as well ... 


Thanks!
TJ
[EMAIL PROTECTED]
-Original Message-
From: Robert Edmonds [mailto:[EMAIL PROTECTED] 
Sent: Thursday, February 27, 2003 10:59 AM
To: [EMAIL PROTECTED]
Subject: Re: VPN client conflict [7:63951]

I'm not sure what the actual cause or fix is, but I had the same problem.  I
ended up uninstalling the AT&T client to get it to work.

""supernet""  wrote in message
news:[EMAIL PROTECTED]
> I have AT&T VPN client on my laptop. It stopped working after I
> installed Cisco VPN client. Is there any conflict between them? Is there
> a work around? Thanks. Yoshi.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64040&t=63951


RE: L3 Switching Huh???? [7:63728]

2003-02-26 Thread Evans, TJ (BearingPoint)
That all looks pretty good ...


On the MSFC/RSM - do a "show interface":  (edited for length)
Vlan8 is up, line protocol is up 
  Hardware is Cat6k RP Virtual Ethernet, address is 00d0.d335.6614 

Vlan9 is up, line protocol is up 
  Hardware is Cat6k RP Virtual Ethernet, address is 00d0.d335.6614 
So ... each 'router interface' has a MAC.  The fact that it is the same is
irrelevant as they are on different network/logical segments.

So the frame comes in with a destination mac of 00d0.d335.6614, and when
forwarded will leave with a source mac of 00d0.d335.6614 (same) ...

Does that help?

Oh - and I think you meant to say "layer 3 switching" is a marketing term,
not scientific or engineering in nature. ... you said "layer 3 routing" ... 
Thanks!
TJ
[EMAIL PROTECTED]


-Original Message-
From: DeVoe, Charles (PKI) [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, February 26, 2003 7:45 AM
To: [EMAIL PROTECTED]
Subject: RE: L3 Switching Huh [7:63728]

OK, let me try this again.  I am trying to figure out the difference between
conventional layer 3 routing and layer 3 switching.  A little background.  I
am currently working towards my CCNA (have been for about 3 years).  At any
rate, everything I read and look at says that switching/bridging is a layer
2 function, routing is a layer 3 function.  

Either I don't have a good grasp of the OSI model, switching, routing, VLANs
or all of the above.

The network:

Host A 10.1.1.2 MAC 00.AA                          Host B 10.1.2.2 MAC 00.BB
   |            10.1.1.1 MAC 01.AA    10.1.2.1 MAC 02.BB            |
switch A ----------------- Router ----------------- switch B
       10.1.1.0/24                            10.1.2.0/24

This is an ethernet network.  Both segments are connected by a traditional
router say a 2500. 
In this instance the router interfaces are subnet A 10.1.1.1, and subnet B
10.1.2.1

For simplicity, assume ARP cache is empty.
Host A wishes to ping Host B
End user on Host A enters - ping 10.1.2.2
The IP packet places the source address 10.1.1.2 and the destination address
10.1.2.2 into the packet.
The IP protocol examines the IP address and based on the IP address
determines this is in another subnet.
An ARP request goes out for 10.1.1.1 (default gateway) and the MAC address
is found.
The DLL then places the source MAC address 00.AA and the destination MAC
01.AA into the frame.
The frame then goes out the wire to the destination MAC.
The router interface sees this frame as destined for itself.  It
de-encapsulates the frame removing the MAC addresses.  The router then
examines the IP address, based on the routing table it knows the destination
port.  
The router leaves the same IP source (10.1.1.2) and destination (10.1.2.2)
in the packet.
The frame is rebuilt with the new MAC address of source 02.BB and
destination 00.BB
Host B grabs this packet and does its thing.

Now, if I replace the router with a 6509 switch, with routing, how does the
process change?
Said 6509 would be equipped with a 10/100 card so that the hosts are now
directly connected.  The router interface is now a virtual interface, there
is no physical interface.  Which is another question.  How does the 6509
determine this virtual address?  

Am I correct?  
Inter VLAN communication cannot occur without a router.
Switching is based on MAC address.
Routing is based on IP address.

I believe the term "layer 3 routing" is a marketing term, not scientific or
engineering in nature.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63869&t=63728
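The two-subnet network from Charles's diagram rebuilt on a single layer-3 switch, as an added Cisco IOS (native mode) example that is not from the thread. VLAN numbers 8 and 9 are taken from TJ's show interface output; the port numbers and VLAN names are constructed.

```cisco
! Constructed example, not from the thread.
ip routing
!
vlan 8
 name subnet-A
vlan 9
 name subnet-B
!
! The 2500 router from the diagram is replaced by two virtual interfaces
! (SVIs), one per VLAN. They carry the 10.1.1.1 and 10.1.2.1 default-gateway
! addresses the hosts ARP for; "show interface Vlan8" shows the MAC the switch
! answers those ARPs with (the Cat6k RP Virtual Ethernet address in TJ's output).
interface Vlan8
 ip address 10.1.1.1 255.255.255.0
!
interface Vlan9
 ip address 10.1.2.1 255.255.255.0
!
! Host A (10.1.1.2) on port 3/1, Host B (10.1.2.2) on port 3/2. Both are plain
! layer-2 access ports, so each host sits in its own broadcast domain and
! anything between them must pass through the SVIs, i.e. be routed.
interface FastEthernet3/1
 description Host A
 switchport
 switchport mode access
 switchport access vlan 8
 spanning-tree portfast
!
interface FastEthernet3/2
 description Host B
 switchport
 switchport mode access
 switchport access vlan 9
 spanning-tree portfast
```

The packet walk in Charles's step list does not change: Host A ARPs for 10.1.1.1 and receives the Vlan8 SVI's MAC, the switch strips that frame, looks up 10.1.2.2 in its routing table, and re-encapsulates into VLAN 9 with the Vlan9 SVI's MAC as source (the same address, as TJ shows) and Host B's MAC as destination. IP source and destination are untouched throughout.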


RE: Network Blackholes. [7:63620]

2003-02-24 Thread Evans, TJ (BearingPoint)
Blackholing is frequently used to block traffic to known 'bad' addresses, or
to alleviate a (D)DoS attack victim's woes.

Using ACL's is not the preferred way however - just route traffic to Null0
(use no icmp unreachables too ... )


Google can be your friend!
Thanks!
TJ
-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 24, 2003 10:19 AM
To: [EMAIL PROTECTED]
Subject: Re: Network Blackholes. [7:63620]

AFAIK blackholes in networking have to do with reachability or more 
accurately lack thereof not something you block via access-lists.  I 
suppose you could create blackholes with access-lists though;)

   Dave

Manoj Ghorpade wrote:
> Hi All,
> Have a question for all the networking guru's.
> Can somebody explain me the concept of network blackholes.
> Any idea how to block these on the router using access-lists ?
> 
> Regards
> 
> Manoj Ghorpade.
-- 
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

"You don't make the poor richer by making the rich poorer." --Winston
Churchill
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63634&t=63620
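TJ's Null0 suggestion written out as an added Cisco IOS example that is not from the thread, and carried further than his note to the remotely triggered black hole (RTBH) technique, which does the same thing on every edge router at once via BGP. The prefixes, the AS number 64496 and the route tag 666 are constructed; the BGP neighbour statements are omitted.

```cisco
! Constructed example, not from the thread.
!
! --- Single router: drop traffic to a known-bad or attacked prefix ---
! A static route to Null0 discards in the forwarding path, which costs far
! less than an access-list entry evaluated against every packet.
ip route 203.0.113.0 255.255.255.0 Null0
!
! Without this the router answers every discarded packet with an ICMP
! unreachable, burning CPU and confirming to the sender that the prefix is filtered.
interface Null0
 no ip unreachables
!
! --- Network-wide: remotely triggered black hole via BGP ---
! On EVERY edge router: a discard next-hop address that is never used for real traffic.
ip route 192.0.2.1 255.255.255.255 Null0
!
! On the trigger router only: tag a host route for the victim and let BGP
! redistribute it with the discard next-hop. Each edge router resolves that
! next-hop to Null0 and drops the flood at the border instead of carrying it
! across the backbone to the victim.
router bgp 64496
 redistribute static route-map RTBH-TRIGGER
!
ip route 198.51.100.7 255.255.255.255 Null0 tag 666
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set origin igp
 set community no-export
!
! Removing the tagged static route withdraws the black hole again.
```

Destination-based black-holing discards legitimate traffic to the victim address along with the attack; what it protects is the links and routers around the victim, which is the sense in which it relieves a (D)DoS target. Announce as specific a prefix as possible (a /32) and remove it as soon as the flood subsides.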


RE: ISS Real Secure Vs Cisco IDS [7:63461]

2003-02-24 Thread Evans, TJ (BearingPoint)
A good, relevant quote from one of the SANS instructors:  (Eric Cole, IIRC)
"Prevention is ideal, but detection is a must"

I.e. - stopping the attack altogether is the best possible outcome, but
failing that you must be able to know that something -has- happened or -is-
happening.  

Otherwise, you have nothing ... 
(quite literally)


Thanks!
TJ
[EMAIL PROTECTED]


-Original Message-
From: Jim Brown [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 21, 2003 11:27 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Come on now, the slammer worm? If you are security conscious this
shouldn't have had any effect on you. Microsoft released a patch last
summer.  Security is a best effort solution. It is about layers and
maintenance. You cannot eliminate risk, you can only reduce risk.

An IDSs responsibility is to pick up attacks on the wire, not prevent
them. I personally don't believe in allowing my IDS to respond to an
attack.

-Original Message-
From: cebuano [mailto:[EMAIL PROTECTED] 
Sent: Friday, February 21, 2003 8:22 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


Hi Albert,
Very good point. Which brings me to this question - how can one measure
the security of a network? It almost always is an after-the-fact
response whichever vendor you choose. As you pointed out in your example
regarding the slammer virus, have you heard any vendor claiming immunity
from this?
Is "detecting" synonymous with "preventing"?
I'm also interested in this topic due to the fact that the pricing
structure from almost ALL the major players in the IDS/Firewall market
is astronomical.

Elmer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Albert Lu
Sent: Friday, February 21, 2003 9:19 AM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]

Hi Troy,

Must be some secure site; the reason I was interested is that I had a
discussion with someone else before in regards to multi-vendor IDS solutions
and how effective they might be.

So if you mostly rely on manual action, and an attack came in after hours,
how quickly can you respond to your alerts? Since for some attacks, a half
hour response time could cause your site to be down (eg. slammer virus). If
that was the case, even if you had all the vendors' IDS, it will be useless.

Albert

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, February 21, 2003 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]


As with most things, you need to weigh up costs against your requirements. In
our case, security is absolutely essential, so having multivendor security
solutions (and indeed fully redundant) is costly, but we see it as justified.

With regards to action during attacks etc., we mostly rely on manual actions
as we don't want to inadvertently block legitimate traffic (for example if an
attack came from a spoofed IP). For automatic action, you can make use of
Cisco Policy Manager, which has the ability to dynamically rewrite ACL's on
Pix's, Routers, and indeed Cat's, according to data from IDS.  So for
example, if you were really paranoid (like we are), you could have pix's as
the first firewall, with IDS on the inside / dmz etc (using IDSM or
standalone IDS), tie these together with Policy manager .. then taking a
further step into your network, a set of Nokia Fw1 NG, along with further
Nokia IDS solutions on the inside, and tied together using the enterprise
software!



Albert Lu wrote:
>
> Hi,
>
> I'm just curious about your multi-vendor solution. It must cost
> quite alot
> in order to have 3 IDS running. What about redundancy, if you
> are using dual
> switch/router/fw/ids, you would have a total of 6 IDS.
>
> Being able to detect attacks with multiple IDS is one thing.
> What action can
> it take once the IDS detects an attack? Logging it into the
> syslog server is
> not enough.
>
> Albert
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, February 21, 2003 7:53 PM
> To: [EMAIL PROTECTED]
> Subject: RE: ISS Real Secure Vs Cisco IDS [7:63461]
>
>
> Hi Sean,
>
> I currently use Cisco IDSM (IDS module for the Cat6500), Nokia
> IDS, and
> Snort on the server themselves.  You can never be paranoid
> enough about
> these sort of things.  Each vendor has different exploits etc,
> so by
> implementing a multi vendor path to your critical servers, you
> protect
> yourself from any single vendor specific exploit!
>
>
>
>
> Sean Kim wrote:
> >
> > Hello all,
> >
> > My company is thinking about installing an IDS (dedicated
> > appliance type) for our network.
> > As far as I know, the Real Secure and the Cisco IDS are two
> > biggest names out there.  So I checked out the documents and
> > white papers provided by the each company, but I couldn't
> > really come up with what the differences are between them, and
> > w

RE: NT4.0 password crack tool [7:61807]

2003-01-28 Thread Evans, TJ (BearingPoint)
That's already been said (in fact - it was mentioned earlier in this thread
and was included below); but that can take time to run ... the only reason I
brought up LinNT (aside from just suggesting an alternative) is because it
takes 10 minutes, counting the time for two server reboots :).


Thanks!
TJ
-Original Message-
From: William [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 27, 2003 5:32 PM
To: 'Evans, TJ (BearingPoint)'; [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

One word: L0phtCrack

Will Gragido CISSP CCNP CIPTSS CCDA MCP
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Evans, TJ (BearingPoint)
Sent: Monday, January 27, 2003 3:58 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why not use LinNT?
... boot off of a linux floppy, reset admin password and boot up with new
password.

Since you are (presumably) not trying to be sneaky _and_ you have direct
access to the machine, changing the PW should not be a problem, yes?

Oh - and it is free, and works with WinNT4 - WinXP.


Thanks!
TJ
-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 25, 2003 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why do a command line?  Just rename user manager to logon.scr and reboot
(you'll need NTFSDOS Pro) and in 15 minutes you get user manager with root
perms.

"Imagination is more important than knowledge"
 
Albert Einstein


-Original Message-
From: Juntao [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]


You're talking about NT4 login passwords, the SAM database? L0phtCrack works,
it takes a long time though. Sysinternals has tools to log in to the box and
change things. You can also change cmd.exe to the default screen saver name;
the command line will pop up after a while, after reboot, and change the
password with the net user command. If the server or the box is part of the
global admin group, I'm sure you know you can change the password or reset it,
even just with User Manager for Domains. And there is of course a lot of
other things that can be done, depending on your situation.

hope the above helps
regards

""Kazan, Naim""  a icrit dans le message de news:
[EMAIL PROTECTED]
> I am trying to recover my password that someone set on my sniffer box 
> running on NT4.0. Any help will be greatly appreciated.
>
> Naim Kazan
> FISC-SDS
> WORK: 201-915-7347
> HOME: 973-492-1466
> CELL: 917-559-0591
> EMAIL: [EMAIL PROTECTED]
> PAGER: 800-759-8352 Pin 1145361

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61996&t=61807



RE: NT4.0 password crack tool [7:61807]

2003-01-27 Thread Evans, TJ (BearingPoint)
Why not use LinNT?
... boot off of a linux floppy, reset admin password and boot up with new
password.

Since you are (presumably) not trying to be sneaky _and_ you have direct
access to the machine, changing the PW should not be a problem, yes?

Oh - and it is free, and works with WinNT4 - WinXP.


Thanks!
TJ
-Original Message-
From: Arnold, Jamie [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, January 25, 2003 2:54 PM
To: [EMAIL PROTECTED]
Subject: RE: NT4.0 password crack tool [7:61807]

Why do a command line?  Just rename user manager to logon.scr and reboot
(you'll need NTFSDOS Pro) and in 15 minutes you get user manager with root
perms.

"Imagination is more important than knowledge"
 
Albert Einstein


-Original Message-
From: Juntao [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 24, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: Re: NT4.0 password crack tool [7:61807]


You're talking about NT4 login passwords, the SAM database? L0phtCrack works,
it takes a long time though. Sysinternals has tools to log in to the box and
change things. You can also change cmd.exe to the default screen saver name;
the command line will pop up after a while, after reboot, and change the
password with the net user command. If the server or the box is part of the
global admin group, I'm sure you know you can change the password or reset it,
even just with User Manager for Domains. And there is of course a lot of
other things that can be done, depending on your situation.

hope the above helps
regards

""Kazan, Naim""  wrote in message news:[EMAIL PROTECTED]
> I am trying to recover my password that someone set on my sniffer box 
> running on NT4.0. Any help will be greatly appreciated.
>
> Naim Kazan
> FISC-SDS
> WORK: 201-915-7347
> HOME: 973-492-1466
> CELL: 917-559-0591
> EMAIL: [EMAIL PROTECTED]
> PAGER: 800-759-8352 Pin 1145361




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61960&t=61807



RE: Cisco VPN Question [7:61148]

2003-01-16 Thread Evans, TJ (BearingPoint)
IMHO - it is all a question of usability/functionality vs. security ...

Ideally (from a security perspective) - you would not split tunnel; as the
hosts are then, in effect, multi-homed.  In fact, ideally, you wouldn't VPN
at all  ;>  

However, in the real world, there are issues with not using split tunnels -
- Bandwidth utilization - every VPN user would be sending all traffic
to you ... may hit limits on VPN Concentrator, may overload your circuits,
would use more NAT/PAT resources, etc.
- Work requirements - users may require ability to access local
servers as well as servers via the VPN ... in fact, users may have multiple
VPNs running at once (using non-Cisco client).


You can also mitigate many of the security concerns with VPN's in general by
following other current-best-practices ... POLP, Layered defense,
auditing/accountability, default-deny policies/access-control, etc. etc.



Thanks!
TJ
-Original Message-
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 10:13 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

> Split tunneling has been enabled up until now.
Does this mean you have recently DISabled split tunneling??

If not, does the newest client 3.6? have a function for keeping traffic
sourced from the internet from using the Split-tunneling host from
acting as a mirror to breach the corporate network??

From what I understand, enabling the Split Tunnel feature is a BAD
option, Cisco just created it for those clients that didn't want their
remote users surfing the net via the corporate network.

Can anybody clarify on any of these points??

-Mark

-Original Message-
From: Kim Graham [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, January 16, 2003 5:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco VPN Question [7:61148]

Basically it performs as per stated.  We have VPN users that come into our
concentrator from all over North America and abroad.  They have used a
variety of cable, DSL, dial-up providers and for the most part do not have
any issues.  Split tunnelling has been enabled up until now.

As for private networks (home networks) we have some home users utilizing
Nexlands and Ugates and probably other "Internet Sharing Boxes".  Some cable
companies have had compatibility issues with this but I believe the most
recent version of software on those boxes has corrected the problem. As a
test while at NANOG I was able to log into my internal network from a
wireless laptop.

All in all it is a pretty solid client.

Kim / Zukee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61212&t=61148



Automated Script for backing up Cisco configs and Image [7:61193]

2003-01-16 Thread Evans, TJ (BearingPoint)
In the past I have just scripted telnet in a batch file; that has my pw
passed as a command line parameter and a device list / device type setting
to account for differences between IOS and CatOS 

... oh yeah, and to 'script' telnet I used "pushkeys" ...


Thanks!
-Original Message-
From: Kerry Ogedegbe [ MTN - Portharcourt ] [mailto:[EMAIL PROTECTED]] 
Sent: 16 January 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Automated Script for backing up Cisco configs and Image [7:61188]

Hello People,
Can anyone help me with where I can get an automated script / shareware
application that I could use in backing up my Cisco router & switch configs?
 
Cheers

___

Kerry 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61193&t=61193



RE: PIX access-list problem [7:61043]

2003-01-15 Thread Evans, TJ (BearingPoint)
Nice...

FYI - Another painful thing like this can happen if you have an interface
disabled on one but not the other, or even worse - different #'s of ports
(i.e. - one with 6 ports and one with 4 ... doh!)


Thanks!
TJ
-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

Found problem. I had the 2 PIX's configured for failover. The problem was
that the failover cable was loose on one end so they both flip flopped each
taking control as master. Thanks for the help.

""Waters, Kristina""  wrote in message news:[EMAIL PROTECTED]...
> Sam,
>
> Do you have any sort of statement that's translating the addresses in your
> DMZ? For example,
>
> static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255
>
> If you aren't nat'ing I believe you still have to translate the address.
>
> HTH,
> Kris.
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 14, 2003 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: PIX access-list problem [7:61043]
>
>
> I cannot seem to get the following config to work and am clueless why. My
> incoming access lists for DMZ and outside are wide open. The goal is not to
> NAT DMZ ever, since it's public addressing. I can't even ping hosts on the
> outside network from PIX. Why am I having these problems?
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
>
> access-list internal permit ip 172.19.90.0 255.255.255.0 any
>
> access-list test permit ip any any
> access-list test permit icmp any any
>
> access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0
> 255.255.255.0
>
> ip address outside 83.23.44.60 255.255.255.192
> ip address inside 172.19.90.1 255.255.255.0
> ip address dmz 83.23.43.250 255.255.255.0
>
> global (outside) 1 83.23.44.58
> nat (inside) 0 access-list int-dmz
> nat (inside) 1 172.19.90.0 255.255.255.0 0 0
> nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
> access-group test in interface outside
> access-group test in interface dmz
> route outside 0.0.0.0 0.0.0.0 83.23.44.1 1
> **
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the sender by email, delete and destroy this message and its
> attachments.
> **




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61110&t=61043



RE: PIX access-list problem [7:61043]

2003-01-14 Thread Evans, TJ (BearingPoint)
Is your outside link up, and plugged into an enabled switch port that is on
the correct vlan/segment and set to correct speed/duplex?  

Can other devices on same switch communicate with anyone else?


Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: Sam Sneed [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

This type of NAT is required for incoming connections. I can't get access
going out so I haven't even looked at that yet. Even worse is from
83.23.44.60 (outside interface of PIX) I can't ping 83.23.44.50 which is
outside of the PIX. If you look at my access-list , this should not be a
problem. I am stumped on this.
""Waters, Kristina""  wrote in message news:[EMAIL PROTECTED]...
> Sam,
>
> Do you have any sort of statement that's translating the addresses in your
> DMZ? For example,
>
> static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255
>
> If you aren't nat'ing I believe you still have to translate the address.
>
> HTH,
> Kris.
>
> -Original Message-
> From: Sam Sneed [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 14, 2003 2:08 PM
> To: [EMAIL PROTECTED]
> Subject: PIX access-list problem [7:61043]
>
>
> I cannot seem to get the following config to work and am clueless why. My
> incoming access lists for DMZ and outside are wide open. The goal is not to
> NAT DMZ ever, since it's public addressing. I can't even ping hosts on the
> outside network from PIX. Why am I having these problems?
>
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 dmz security50
>
> access-list internal permit ip 172.19.90.0 255.255.255.0 any
>
> access-list test permit ip any any
> access-list test permit icmp any any
>
> access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0
> 255.255.255.0
>
> ip address outside 83.23.44.60 255.255.255.192
> ip address inside 172.19.90.1 255.255.255.0
> ip address dmz 83.23.43.250 255.255.255.0
>
> global (outside) 1 83.23.44.58
> nat (inside) 0 access-list int-dmz
> nat (inside) 1 172.19.90.0 255.255.255.0 0 0
> nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
> access-group test in interface outside
> access-group test in interface dmz
> route outside 0.0.0.0 0.0.0.0 83.23.44.1 1




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61065&t=61043



RE: PIX Question [7:60941]

2003-01-13 Thread Evans, TJ (BearingPoint)
If there is no route for that block, including summarizations thereof (and
no interface in that subnet), then it shouldn't go anywhere / be reachable.

So the next question - does it work?
*   Can that machine get out, and if so ... try www.whatismyip.com ... and
what is its IP?

Also - is there another router somewhere that will route it, or another
router/FW that will re/de-NAT it to a routed IP?


Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 13, 2003 8:44 AM
To: [EMAIL PROTECTED]
Subject: RE: PIX Question [7:60941]

The thing is, the router external to the PIX does not have a route for
the 157.157.0.0 network; considering that, will this ever work???

Although the address is a public IP address, this company uses it as an
internal address, and it should not be visible on the internet. Also, the
server with the IP address is on the inside network, not the DMZ.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60961&t=60941



RE: PIX Question [7:60941]

2003-01-13 Thread Evans, TJ (BearingPoint)
It is just a static NAT of the internal address to an external address, in
this case they happen to be the same address 

... sometimes used in conjunction with conduits/ACL's to permit certain
monitoring/syslog/tftp/etc. traffic to external devices (edge routers, for
ex.) without exposing the internal hosts globally.  However, this seems to
not be your case as you are using external IP's.

In this case, it may be an example of a network that was not behind a
firewall originally, but has now been moved behind one ... and they didn't
want to bother re-addressing :).



Just my $.01
Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]] 
Sent: Monday, January 13, 2003 6:13 AM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:60941]

Hi

Can anyone please tell me what the point of the following command is

static (inside,outside) 157.157.146.13 157.157.146.13 netmask
255.255.255.255 0 0

Same IP address on the inside and the outside, I have seen this used on
production networks, but can not figure out why, can anyone please explain.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60951&t=60941



RE: Load balancing & NAT [7:60663]

2003-01-10 Thread Evans, TJ (BearingPoint)
And more importantly, from a semantics perspective - is a "horrible kludge"
a bad thing or a good thing?  Or a case of two wrongs not making a right.



... double negatives are fun.
Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: Doug S [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 10, 2003 5:13 PM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing & NAT [7:60663]

I liked the comment and definitely agree that some of the authors of Cisco
training material should be named and publicly humiliated, although the
sheer volume of mistakes could make this a somewhat overwhelming task for
the public doing the humiliating. Still, I want to add my opinion that Cisco
documentation and training material is of a lot higher quality than a lot of
what's out there, not to name names like MS Press or anything.

The reason I blindly accepted and posted that particular quote is because it
DOES match my personal experience, which, I admit is considerably less than
the other posters in this thread.  The only experience I have is in a lab on
2500's and 2600's running something around IOS 12.1(T).

I also want to point out that this behavior of only overloading the first
address in the pool sounds like exactly what the original poster is
experiencing.  The fact that Emilia's and my experience contradicts Peter's
and TLaWR makes me think that there are differences in how this works on
different platforms, as TJ suggests.

I'd also like to hear people's opinions on why my solution is a "horrible"
kludge, as opposed to just a plain old vanilla kludge.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60855&t=60663



RE: Load balancing & NAT [7:60663]

2003-01-10 Thread Evans, TJ (BearingPoint)
I wonder - is this a situation where specific code level, or the family of
products in question, etc., is causing a discrepancy?

I know the PIX (currently), for example, works as TLaWR states below ... 

However, perhaps in IOS when you specify
ip nat pool overload (start) (finish) netmask (mask)
it treats it differently since you are explicitly saying to 'overload' ?


... just curious ... 
Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: The Long and Winding Road [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 10, 2003 11:12 AM
To: [EMAIL PROTECTED]
Subject: Re: Load balancing & NAT [7:60663]

""Doug S""  wrote in message news:[EMAIL PROTECTED]...
> The way PAT works when overloading multiple addresses is to overload the
> first address in the pool until ALL port numbers are used up.  I can't point
> you to any publicly available documentation on this, but cut and pasted from
> Network Academy curriculum:
>
> "However, on a Cisco IOS router, NAT will
>  overload the first address in the pool until
>  it's maxed out, and then move on to the
>  second address, and so on."


I don't think so. I think whoever put this into Cisco training materials
ought to be named and publicly humiliated.

I know from cold hard experience that if you have a pool with several
addresses and overload configured, each address in the pool is translated one
to one, and then the last number is shared among all comers after that.

Isn't there any real technical review of the training materials?


>
> I've seen people wanting to get around this behavior for a variety of
> reasons and I haven't seen anyone post a good reply.  I've come up with a
> workaround that I believe should work for you, although you'll have to take
> a good look at your inside local addresses and figure out how to best define
> those into two equal groups.  Each group could then be separately
> translated to a different address.
>
> For instance, if you are now translating 8000 inside addresses all in the
> range of 10.0.32.0/19 to one overloaded pool, you could configure it to
> translate 10.0.32.0/20 to one overloaded pool and 10.0.48.0/20 to a separate
> overloaded pool something like
>
> #access-list 1 permit 10.0.32.0 0.0.15.255
> #access-list 2 permit 10.0.48.0 0.0.15.255
> #ip nat pool LOWER_ADDRESSES_TRANSLATE_TO 209.211.100.1 209.211.100.5 pre 24
> #ip nat pool HIGHER_ADDRESSES_TRANSLATE_TO 209.211.100.6 209.211.100.10 pre 24
> #ip nat inside source list 1 pool LOWER_ADDRESSES_TRANSLATE_TO overload
> #ip nat inside source list 2 pool HIGHER_ADDRESSES_TRANSLATE_TO overload
>
> Forgive me if I've screwed up the syntax somewhere, but the idea is there.
> As I said, you'll have to put some thought into what best works in your
> addressing scheme to best separate translated addresses into two roughly
> equal groups.  You might even find it helpful to partition them into more
> than two groups.
>
> Hope it helps.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=60825&t=60663
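Doug's workaround quoted in the thread above splits the inside range into equal slices, each mapped to its own overloaded pool, and he notes that more than two groups may help. The generator below is an added example, not from the thread or from Cisco: it produces that split for any power-of-two number of groups, using the IOS statements as in his post (pool names NAT_GROUP_n are constructed placeholders). It only guarantees that each inside slice uses a distinct set of outside addresses; how IOS actually allocates ports across a pool is exactly what the thread disputes.

```python
import ipaddress
from typing import List


def split_nat_config(inside_prefix: str, pool_start: str, pool_end: str,
                     groups: int = 2, prefix_length: int = 24,
                     acl_base: int = 1) -> List[str]:
    """Generate IOS NAT config that translates each equal slice of
    inside_prefix through its own overloaded pool.

    groups must be a power of two so the inside prefix splits into equal
    subnets; the outside pool range is divided as evenly as possible.
    Pool names NAT_GROUP_n are constructed placeholders for this example.
    """
    net = ipaddress.ip_network(inside_prefix, strict=True)
    extra_bits = (groups - 1).bit_length()
    if groups < 1 or (1 << extra_bits) != groups:
        raise ValueError("groups must be a power of two (2, 4, 8, ...)")
    # e.g. a /19 with groups=2 becomes two /20s, with groups=4 four /21s
    subnets = list(net.subnets(prefixlen_diff=extra_bits))

    first = int(ipaddress.ip_address(pool_start))
    last = int(ipaddress.ip_address(pool_end))
    if last < first or (last - first + 1) < groups:
        raise ValueError("pool too small: need at least one address per group")
    per_group = (last - first + 1) // groups

    acls, pools, maps = [], [], []
    for i, subnet in enumerate(subnets):
        acl = acl_base + i
        name = f"NAT_GROUP_{i + 1}"
        # Standard ACLs take a wildcard mask, the inverse of the netmask
        acls.append(f"access-list {acl} permit "
                    f"{subnet.network_address} {subnet.hostmask}")
        p_start = first + i * per_group
        # the last group absorbs any remainder so no pool address is wasted
        p_end = last if i == groups - 1 else p_start + per_group - 1
        pools.append(f"ip nat pool {name} {ipaddress.ip_address(p_start)} "
                     f"{ipaddress.ip_address(p_end)} prefix-length {prefix_length}")
        maps.append(f"ip nat inside source list {acl} pool {name} overload")
    return acls + pools + maps


if __name__ == "__main__":
    for line in split_nat_config("10.0.32.0/19", "209.211.100.1",
                                 "209.211.100.10", groups=2):
        print(line)
```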



RE: VPN Concentrator #3030 [7:58982]

2002-12-11 Thread Evans, TJ (BearingPoint)
Minor comment - protocol 50 and 51, not port ... 
Also - worth noting, using TCP for remote client VPNs is useful as well ...
like 443 since it will be permitted out from just about everywhere!


Thanks!
TJ
[EMAIL PROTECTED]



-Original Message-
From: Elijah Savage III [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN Concentrator #3030 [7:58982]

I have just finished a project like this. You can only do one or the
other; you can't do redundant and load balancing all at once on the 3030.
If you want to be redundant, where if one concentrator fails the secondary
comes online and accepts requests for it, then you need to look into VRRP,
which is so easy to do on the concentrator. If you want to do load balancing,
then you will need to go to the Configuration, System, Load Balancing page on
the concentrator and set those options; real easy also, but Cisco has tons of
docs on CCO explaining it if you are not familiar. Now, in load balancing
mode it is sort of redundant, because of what happens: based on CPU usage
of your concentrators you have a master and a slave; the master will send a
redirect to the client and tell the client which concentrator to
connect to, and if one fails then the other accepts all the connections.
So what you have is: if 100 connections are on the master and the slave
only has 50 connections, more than likely the next connection to come in
will go to the slave. There is a myth that it round-robins the
connections; that is NOT true. There are also a few gotchas with this and
ARP and such, like if you are going to be giving out different IP addresses
for your dial-in users than the subnet the concentrator is on, then you
will have to route traffic from your internal network to the interface
of the concentrator because it does not answer ARPs for those clients
(hope I did not confuse you with that last statement). If you are going
to put the concentrator behind a firewall, make sure you pass all
appropriate VPN traffic without filtering, such as port 50, port 51, port
500, to the concentrator.

That should get you started in the right direction if you have any more
DIRECT questions please let us know and we will try to help you out, if
I missed anything I am sure someone else on the group will pick it up.

-Original Message-
From: neil K. [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 11, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: VPN Concentrator #3030 [7:58982]


Hi All,

A few questions regarding the VPN Concentrator:

1. What do I do for redundancy (VPN Redundant Bundle)?
2. Load balancing
3. Where to put the Concentrator (I prefer putting the VPN Concentrator
behind the firewall). What issues will I have to consider if I put the
concentrator behind the firewall?

Thanks,

Sunil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=59022&t=58982



RE: OT finding station trying to become MasterBrowser [7:58701]

2002-12-06 Thread Evans, TJ (BearingPoint)
Along with MAC tracing, using CDP to ID next-hop switches, etc., you can also
try to use something like psloggedon (or psshutdown if you have something of
a mean streak) from sysinternals.com.  OR - if your domain is logging
successful logins, maybe you could look through them to see who is logging
in from that machine.

... get the user's name, send them a "friendly request" to modify their
system accordingly.


Or, if their policies permit, you could always sniff traffic from their IP
looking for login names.  May require some SPANning or 'traffic engineering'
to get their packets to you ...



(sorry the first couple weren't more 'network oriented' answers :))
Please let us know what you find / how you find it ...
Thanks!
TJ
-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Friday, December 06, 2002 1:23 PM
To: [EMAIL PROTECTED]
Subject: OT finding station trying to become MasterBrowser [7:58701]

I don't think there's any answer to this, but I thought I would check. How
can I find the physical location of a system if I know the following:
 
NetBIOS name, IP address, MAC Address, and the Domain it is attached to.

I have a system that is trying to become the Master Browser and I've
discovered all of the above information. The problem is, it's a large flat
network, so the IP address comes from a huge pool and doesn't help identify
a network segment. The NetBIOS name isn't helpful and the vendor code in the
MAC address is shared by almost all the systems.

Any utilities that you know of that could help find this station?

It's a city-wide school system and driving around from school to school
isn't practical, although it is a rather small city... :-)

Any info would be great. Thanks.

Priscilla




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58717&t=58701
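The MAC tracing TJ mentions as the network-oriented answer to Priscilla's question can be scripted: start at a switch the station's traffic passes through, find the port its MAC is learned on, and if CDP shows another switch behind that port, repeat there until you reach a port with no downstream switch. The code below is an added example, not from the thread; the switch names, MAC addresses, ports and command output are constructed in the shape of IOS "show mac address-table" and "show cdp neighbors" output.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample output (not captured from a real network). core1 uplinks
# to school-a on Gi1/0/1; school-a has a second closet switch on Gi0/2.
MAC_TABLES: Dict[str, str] = {
    "core1": """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0001.0200.0a01    DYNAMIC     Gi1/0/1
   1    0001.0200.0b02    DYNAMIC     Gi1/0/1
   1    0001.0200.0c03    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 3
""",
    "school-a": """\
Vlan    Mac Address       Type        Ports
   1    0001.0200.0a01    DYNAMIC     Fa0/7
   1    0001.0200.0b02    DYNAMIC     Gi0/2
   1    0001.0200.0c03    DYNAMIC     Gi0/1
""",
    "school-a-idf2": """\
Vlan    Mac Address       Type        Ports
   1    0001.0200.0a01    DYNAMIC     Gi0/1
   1    0001.0200.0b02    DYNAMIC     Fa0/15
""",
}

CDP_TABLES: Dict[str, str] = {
    "core1": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
school-a         Gig 1/0/1         150           S I       WS-C2950  Gig 0/1
""",
    "school-a": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
core1            Gig 0/1           160           S I       WS-C3750  Gig 1/0/1
school-a-idf2    Gig 0/2           145           S I       WS-C2950  Gig 0/1
""",
    "school-a-idf2": """\
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
school-a         Gig 0/1           170           S I       WS-C2950  Gig 0/2
""",
}

# vlan, dotted MAC, type, port  /  device-id, local interface, holdtime ...
MAC_ROW = re.compile(
    r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)
CDP_ROW = re.compile(r"^(\S+)\s+([A-Za-z]+ ?[\d/]+)\s+\d+\s")


def norm_port(name: str) -> str:
    """'Gig 1/0/1', 'GigabitEthernet1/0/1' and 'Gi1/0/1' all become 'Gi1/0/1',
    so CDP and MAC-table spellings of the same port compare equal."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*\s*([\d/]+)$", name.strip())
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return m.group(1).capitalize() + m.group(2)


def parse_mac_table(text: str) -> Dict[str, str]:
    """MAC (lower case) -> port the switch learned it on."""
    rows = (MAC_ROW.match(line) for line in text.splitlines())
    return {m.group(1).lower(): norm_port(m.group(2)) for m in rows if m}


def parse_cdp(text: str) -> Dict[str, str]:
    """Local port -> CDP neighbour device name."""
    rows = (CDP_ROW.match(line) for line in text.splitlines())
    return {norm_port(m.group(2)): m.group(1) for m in rows if m}


def trace_mac(mac: str, start: str, mac_tables=MAC_TABLES,
              cdp_tables=CDP_TABLES) -> Optional[Tuple[str, str]]:
    """Walk from `start` switch to switch until the port the MAC sits on has
    no CDP-visible switch behind it; that (switch, port) is the edge port.
    Returns None if the MAC is absent or the walk loops (a stale entry can
    point back the way we came)."""
    mac = mac.lower()
    switch, visited = start, set()
    while switch not in visited:
        visited.add(switch)
        port = parse_mac_table(mac_tables.get(switch, "")).get(mac)
        if port is None:
            return None
        neighbour = parse_cdp(cdp_tables.get(switch, "")).get(port)
        if neighbour is None or neighbour not in mac_tables:
            return switch, port
        switch = neighbour
    return None
```

Dynamic entries age out, so gather the tables while the station is active (a would-be master browser is chatty, which helps); a port with no CDP neighbour may still have an unmanaged hub or a non-Cisco switch behind it, which is as far as the network can take you.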



RE: OT: Serves Me Right - DHCP problem [7:54402]

2002-10-01 Thread Evans, TJ

Hmm ... that email seemed to make more sense when I sent it ...
Let's try this again-


IIRC - Win2k and later detect 'cable disconnects', and de-IP your system.
Strangely, they also detect 'cable reconnects' and attempt to re-IP (via
DHCP, or autoconfig if enabled) you at that time.




-Original Message-
From: Evans, TJ [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 01, 2002 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: OT: Serves Me Right - DHCP problem [7:54402]

Strangely, they also detect 'cable reconnects' and attempt to re-IP (via
DHCP, or autoconfig if enabled) you at that time.


Thanks!
TJ


-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 01, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: OT: Serves Me Right - DHCP problem [7:54402]

Nothing to fess up to, Chuck..My W2K works the same way at home..
connect, get a number..disconnect and reconnect, get a different number..
Linksys routers are pretty simple devices...I have two of them currently and
both give out DHCP on different subnets...I can get an address from either one
by the above function...no mobile IP..no special setup..just like
Darrell said...

Larry

Chuck's Long Road wrote:

>well S*** Larry, thanks for providing that vital piece of troubleshooting
>relevant information!
>
>I still say you are using Mobile IP.
>
>fess up ;->
>
>Chuck
>
>--
>
>www.chuckslongroad.info
>like my web site?
>take the survey!
>
>
>
>""Larry Letterman""  wrote in message news:[EMAIL PROTECTED]...
>
>>That's why we put in wireless in all our buildings..moving around is no
>>problem...
>>
>>Priscilla Oppenheimer wrote:
>>
>>>Darrell Newcomb wrote:
>>>
>>>>Because pre-W2K Windows didn't automatically try to renew a
>>>>lease when the ethernet interface comes back up after being down.  So...if the
>>>>old lease hadn't come up for renewal during the time the machine moved
>>>>from point A to B...the users don't automatically get connectivity.
>>>>
>>>Plus with laptops, the user expects to not have to reboot. They may just
>>>move from building to building without shutting down the laptop. It might
>>>go to sleep, but you should just be able to hit a button and keep working.
>>>It seems like a reasonable user expectation, but alas, we as networkers
>>>haven't done a good job in this area. (at least with IP)
>>>
>>>The technical issue is that the user is in a different subnet and needs a
>>>new IP address and default gateway after moving to a new building,
>>>location, whatever.
>>>
>>>Priscilla
>>>
>>>>Lots of options to teach the helpdesk how to educate
>>>>users...but since it 'worked before' in Chuck's case it's seen as a (big?)
>>>>problem (PITA).
>>>>
>>>>""Larry Letterman""  wrote in message news:[EMAIL PROTECTED]...
>>>>
>>>>>Why is that? We have a segmented AVVID network across our
>>>>>campus. The laptops are all W2K and they work just
>>>>>fine without any issues on DHCP...The routers are all running
>>>>>HSRP and work correctly..
>>>>>
>>>>>Chuck's Long Road wrote:
>>>>>
>>>>>>I see I should have made this one a "Friday Folly" :->
>>>>>>
>>>>>>In a Big Flat Bridged Network, a mobile user unplugs the
>>>>>>laptop at one office, drives over to the next office, plugs back in, and
>>>>>>no further action is required. The Windoze PC has retained its IP address,
>>>>>>and the network doesn't care about location, because it is one big flat
>>>>>>network.
>>>>>>
>>>>>>However, in the brand new ATM based AVVID ready routed
>>>>>>network, said mobile user is now in a different segment in 
RE: OT: Serves Me Right - DHCP problem [7:54402]

2002-10-01 Thread Evans, TJ

Strangely, they also detect 'cable reconnects' and attempt to re-IP (via
DHCP, or autoconfig if enabled) you at that time.


Thanks!
TJ


-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 01, 2002 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: OT: Serves Me Right - DHCP problem [7:54402]

Nothing to fess up to, Chuck..My w2K works the same way at home..
connect, get a number..disconnect and reconnect , get a different number..
Linksys routers are pretty simple devices...I have two of them currently and
both give out dhcp on different subnets...I can get an address from either one
by the above function...no mobile ip..no special setup..just like
Darrell said...

Larry

Chuck's Long Road wrote:

>well S*** Larry, thanks for providing that vital piece of troubleshooting
>relevant information!
>
>I still say you are using Mobile IP.
>
>fess up ;->
>
>Chuck
>
>--
>
>www.chuckslongroad.info
>like my web site?
>take the survey!
>
>
>
>""Larry Letterman""  wrote in message
>news:[EMAIL PROTECTED]...
>
>>thats why we put in wireless in all our buildings..moving around is no
>>problem...
>>
>>Priscilla Oppenheimer wrote:
>>
>>>Darrell Newcomb wrote:
>>>
>>>>Because pre-W2K windows didn't automatically try to renew a
>>>>lease when the
>>>>ethernet interface comes back up after being down.  So...if the
>>>>old lease
>>>>hadn't come up for renewal during the time the machine moved
>>>>
>>>>from point A to
>>>
>>>>B...the users don't automatically get connectivity.

>>>Plus with laptops, the user expects to not have to reboot. They may just
>>>move from building to building without shutting down the laptop. It might
>>>
>go
>
>>>to sleep, but you should just be able to hit a button and keep working.
>>>
>It
>
>>>seems like a reasonable user expectation, but alas, we as networkers
>>>
>haven't
>
>>>done a good job in this area. (at least with IP)
>>>
>>>The technical issue is that the user is in a different subnet and needs a
>>>new IP address and default gateway after moving to a new building,
>>>
>location,
>
>>>whatever.
>>>
>>>Priscilla
>>>
>>>>Lots of options to teach the helpdesk how to educate
>>>>users...but since it
>>>>'worked before' in Chuck's case it's seen as a (big?)
>>>>problem(PITA).
>>>>
>>>>""Larry Letterman""  wrote in message
>>>>news:[EMAIL PROTECTED]...
>>>>
>>>>>why is that ? we have segmented avvid network across our
>>>>>
>>>>campus. The
>>>>
>>>>>laptops are all W2K and they work just
>>>>>fine without any issues on DHCP...The routers are all running
>>>>>
>>>>hsrp and
>>>>
>>>>>work correctly..
>>>>>
>>>>>Chuck's Long Road wrote:
>>>>>
>>>>>>I see I should have made this one a "Friday Folly" :->
>>>>>>
>>>>>>In a Big Flat Bridged Network, a mobile user unplugs the
>>>>>>
>>>>laptop at one
>>>>
>>>>>>office, drives over to the next office, plugs back in, and
>>>>>>
>>>>no further
>>>>action
>>>>
>>>>>>is required. The Windoze PC has retained its IP address,
>>>>>>
>>>>and the network
>>>>
>>>>>>doesn't care about location, because it is one big flat
>>>>>>
>>>>network.
>>>>
>>>>>>However, in the brand new ATM based AVVID ready routed
>>>>>>
>>>>network, said
>>>>mobile
>>>>
>>>>>>user is now in a different segment in each location. With
>>>>>>
>>>>Windoze, you
>>>>have
>>>>
>>>>>>to manually intervene. Sometimes you have to release the IP
>>>>>>
>>>>address,
>>>>reload
>>>>
>>>>>>the computer, and then get your new DHCP assignment. Users
>>>>>>
>>>>don't like
>>>>this.
>>>>
>>>>>>After all, now they have to do something, whereas before
>>>>>>
>>>>they did not.
>>>>Never
>>>>
>>>>>>mind the higher speed, the failover capability of the
>>>>>>
>>>>routers, the new
>>>>100
>>>>
>>>>>>mbs switches rather than 10mbs. They have to take an extra
>>>>>>
>>>>step or two in
>>>>
>>>>>>order to log in.
>>>>>>
>>>>>>This is normal behaviour for Windoze machines, and maybe for
>>>>>>
>>>>DHCP clients
>>>>in
>>>>
>>>>>>general. I have had to do this release / renew for years.
>>>>>>
>>>>>>But to the customer, who is pretty naive in terms of
>>>>>>
>>>>networking, there is
>>>>a
>>>>
>>>>>>"problem" that was caused by the new routers.  To the users,
>>>>>>
>>>>there is a
>>>>
>>>>>>problem that never existed before.
>>>>>>
>>>>>>Like I said, serves me right. You give a customer a great
>>>>>>
>>>>new network,
>>>>and
>>>>
>>>>>>you break something so rudimentary that it never would have
>>>>>>
>>>>occurred
>>>>
>>>>>>otherwise. :->
>>>>>>
>>>>>>--
>>>>>>
>>>>>>www.chuckslongroad.info
>>>>>>like my web site?
>>>>>>take the survey!
>>>>>>
>>>>>>
>>>>>>
>>>>>>""Priscilla Oppenheimer""  wrote in message
>>>>>>news:[EMAIL PROTECTED]...
>>>>>>
>>>>>>>Spare us the mystery and tell us what you're getting at.
>>>>>>>
>>>>:-) Did you
>>>>
>>>>>>forget
>>>>>>
>>>>>>>to tell the DHCP server to provide the correct default
>>>>>>>
>>>>gateway address
>>>>to
>>>>
>>>>>>>the PCs? That's my guess, since you say

VPN3k HW ... multiple Vulnerabilities [7:52666]

2002-09-04 Thread Evans, TJ

Don't know if this came through already and I missed it, but FYI:
(little issues like DoS, info leaking, etc.)

*   Advisory @
http://www.cisco.com/warp/public/707/vpn3k-multiple-vuln-pub.shtml 
*   SW @ http://www.cisco.com/cgi-bin/tablebuild.pl/vpn3000-3des 
(Beware the warp on the URLs)


Thanks!
TJ



*
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. 

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter. 
*




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52666&t=52666
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Cisco Security Advisory: Cisco VPN Client Multiple [7:51353]

2002-08-14 Thread Evans, TJ

In case you use the VPN Client, and missed the bulletin ... 


Thanks!
TJ


-Original Message-
From: CCO Field Notice [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, August 13, 2002 1:48 PM
To: [EMAIL PROTECTED]
Subject: Cisco Security Advisory: Cisco VPN Client Multiple Vulnerabilities

This e-mail is coming to you courtesy of the Cisco.com 
Field Notice tool. Thank you for indicating through your 
interest profile that you wish to receive these alerts.

Want to change your Alert Profile or create a new one?
Please go to:
http://www.cisco.com/cgi-bin/Support/FieldNoticeTool/field-notice

Title:   Cisco Security Advisory: Cisco VPN Client Multiple Vulnerabilities
URL: 
http://www.cisco.com/warp/customer/707/vpnclient-multiple-vuln-pub.shtml 
 (available to registered users)
http://www.cisco.com/warp/public/707/vpnclient-multiple-vuln-pub.shtml 
 (available to non-registered users)
Posted:  August 12, 2002

Summary: Multiple vulnerabilities exist in the Cisco Virtual Private Network (VPN)
Client software. Exploitation of these vulnerabilities prevents the Cisco
VPN Client software program from functioning correctly.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51353&t=51353



RE: VPN and wildcard masking [7:51342]

2002-08-14 Thread Evans, TJ

Haven't had my coffee yet ... 

*) couldn't you just be more explicit/specific in your ACLs when specifying
interesting/matching traffic? ... IOW, don't summarize the whole range :)

(or - to go a step further, could you do the summarization but precede it
with a deny that specifies the other VPN(s) IP's?)



Thanks!
TJ


-Original Message-
From: John Brandis [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 14, 2002 12:59 AM
To: [EMAIL PROTECTED]
Subject: VPN and wildcard masking [7:51342]

Hi All.

On a spare time job I do with a charity, I have a remote client, that is
going to connect to our site via an IPSEC vpn tunnel. The problem is, that,
if you can imagine the remote site as a hub site, and my site as site-b,
that site-b is using internal networks that range from 172.16.0.0 -
172.32.0.0 which can easily be summarised as 172.16.0.0 0.15.255.255 ..The
problem is that the hub site, has connections to other parts of the world,
that use the same addressing scheme as my site, site-b. 

The question is, how do I get, if at all possible, the hub site, to filter
traffic to the appropriate subnet. A real example of this is The hub site
"needs" access to the following subnets in site-b

* 172.17.3.0
* 172.17.1.0
* 172.17.9.0
Yet, they need access to subnets described below, that are on another
completely separate VPN

* 172.17.20.0
* 172.17.21.0

How if possible can this be done ? Would the hub site, (the hub site is
establishing the connection) need to create a tunnel for each subnet they wish
to route ?

The equipment in use is a Cisco 3005 VPN Accelerator and a watchguard
firewall at the hub site.

Thanks all for your input 

John 
Sydney Australia 
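TJ's two suggestions above (list the wanted subnets explicitly, or put a more specific deny ahead of the summarized permit) can be checked mechanically. The following is an added example, not code from the thread or from Cisco: a small Python model of IOS wildcard-mask matching and first-match ACL evaluation, using the subnets John listed. The ACL entries and the sample hosts are constructed for illustration; it also converts a wildcard mask to the subnet-mask form PIX access lists use, since that is the conversion that trips people up when the two platforms meet.

```python
"""IOS-style wildcard-mask ACL matching (added example; not from the thread or Cisco).

Models how an interesting-traffic ACL is evaluated: entries are tested in
order, the first match wins, and an unmatched address hits the implicit deny.
The addresses are the ones John listed; the ACL entries are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# One ACL entry: (action, network, wildcard) in IOS notation.
AclEntry = Tuple[str, str, str]


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    care_bits = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care_bits) == (ip_to_int(network) & care_bits)


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """PIX access lists take subnet masks, the bitwise inverse of an IOS wildcard."""
    return str(ipaddress.IPv4Address(~ip_to_int(wildcard) & 0xFFFFFFFF))


def evaluate_acl(acl: List[AclEntry], addr: str) -> str:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action
    return "deny"


def classify(acl: List[AclEntry], hosts: List[str]) -> Dict[str, str]:
    return {host: evaluate_acl(acl, host) for host in hosts}


# John's summary. 172.16.0.0 0.15.255.255 covers 172.16.0.0 through
# 172.31.255.255, so it also matches the other VPN's 172.17.20.0 and 172.17.21.0.
SUMMARY_ONLY: List[AclEntry] = [("permit", "172.16.0.0", "0.15.255.255")]

# TJ's second suggestion (constructed entries): deny the subnets that belong to
# the other VPN first, then keep the summary.
DENY_THEN_SUMMARY: List[AclEntry] = [
    ("deny", "172.17.20.0", "0.0.0.255"),
    ("deny", "172.17.21.0", "0.0.0.255"),
    ("permit", "172.16.0.0", "0.15.255.255"),
]

# TJ's first suggestion: be explicit and list only the site-b subnets the hub needs.
EXPLICIT_ONLY: List[AclEntry] = [
    ("permit", "172.17.3.0", "0.0.0.255"),
    ("permit", "172.17.1.0", "0.0.0.255"),
    ("permit", "172.17.9.0", "0.0.0.255"),
]

if __name__ == "__main__":
    # Constructed sample hosts: one in a wanted subnet, two in the other VPN,
    # one in an unrelated site-b subnet.
    sample = ["172.17.3.10", "172.17.20.5", "172.17.21.7", "172.17.50.1"]
    for name, acl in [("summary only", SUMMARY_ONLY),
                      ("deny then summary", DENY_THEN_SUMMARY),
                      ("explicit only", EXPLICIT_ONLY)]:
        print(f"{name:18} {classify(acl, sample)}")
    print("0.15.255.255 as a PIX subnet mask:", wildcard_to_subnet_mask("0.15.255.255"))
```

The point the model makes visible: with the summary alone the hub's interesting-traffic match also claims the other VPN's 172.17.20.0 and 172.17.21.0, so both tunnels compete for the same traffic; either a deny placed before the summary or an explicit permit list keeps them apart.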


**

visit http://www.solution6.com
visit http://www.eccountancy.com - everything for accountants.

UK Customers - http://www.solution6.co.uk

*
This email message (and attachments) may contain information that is
confidential to Solution 6. If you are not the intended recipient you cannot
use, distribute or copy the message or attachments.  In such a case, please
notify the sender by return email immediately and erase all copies of the
message and attachments.  Opinions, conclusions and other information in
this message and attachments that do not relate to the official business of
Solution 6 are neither given nor endorsed by it.
*




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51346&t=51342



RE: VPN not connecting [7:50144]

2002-07-31 Thread Evans, TJ

May not apply to your case, but good to keep in mind anyway :):

We have had issues creating VPN's between IOS-Routers+3DES and
VPN-Concentrators; the issue came down to a disagreement as to the default
DH group ... IOS defaulted to group 1 while Concentrator defaulted to group
2.  Drove us crazy.

IOS 
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2



another ugly workaround we have used is to switch from esp-md5-hmac to
esp-sha-hmac ... when going from PIXen to VPN Concentrators.  I suspect, but
have never _actually_ verified that the issue would be the same as above;
with the PIXen defaulting to group 1 ... ?



HTH.

Thanks!
TJ
((As always - anything I say may not apply to your environment, in more
recent code releases or  I may have mis-read something and this may not even
relate to the conversation ... ))

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 6:04 PM
To: [EMAIL PROTECTED]
Subject: RE: VPN not connecting [7:50144]

I'm just learning this stuff, so I apologize if I'm getting in the way, but
see my comments below.

[EMAIL PROTECTED] wrote:
> 
> I've gotten both sides of a VPN connected (site to site
> 501/515, static IPs,
> pre-shared keys, truly a basic setup).  While trying to ping
> the other
> network, with debug running, I get the following output; but no
> connection.
> 
> VPN Peer: ISAKMP: Added new peer: ip:X.X.X.X Total VPN Peers:1
> VPN Peer: ISAKMP: Peer ip:X.X.X.X Ref cnt incremented to:1
> Total VPN Peers:
> 1
> 
> ISAKMP (0): beginning Main Mode exchange
> crypto_isakmp_process_block: src X.X.X.X, dest Y.Y.Y.Y
> OAK_MM exchange
> ISAKMP (0): processing SA payload. message ID = 0
> 
> ISAKMP (0): Checking ISAKMP transform 1 against priority 20
> policy
> ISAKMP:  encryption 3DES-CBC
> ISAKMP:  hash SHA
> ISAKMP:  default group 2
> ISAKMP:  auth pre-share
> ISAKMP:  life type in seconds
> ISAKMP:  life duration (VPI) of  0x0 0x1 0x51 0x80
> ISAKMP (0): atts are acceptable. Next payload is 0
> ISAKMP (0): SA is doing pre-shared key authentication using id
> type
> ID_IPV4_ADDR
> 
> return status is IKMP_NO_ERROR

That's good news. The peers agree on the hash algorithm, that they are using
preshared keys, etc.

> crypto_isakmp_process_block: src X.X.X.X, dest Y.Y.Y.Y
> OAK_MM exchange
> ISAKMP (0): processing KE payload. message ID = 0
> 
> ISAKMP (0): processing NONCE payload. message ID = 0
> 
> ISAKMP (0): processing vendor id payload
> 
> ISAKMP (0): processing vendor id payload
> 
> ISAKMP (0): remote peer supports dead peer detection
> 
> ISAKMP (0): processing vendor id payload
> 
> ISAKMP (0): speaking to another IOS box!
> 
> ISAKMP (0): ID payload
> next-payload : 8
> type : 1
> protocol : 17
> port : 500
> length   : 8
> ISAKMP (0): Total payload length: 12
> return status is IKMP_NO_ERROR

Still in good shape at this point...

> ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request
> timer fired:

This is where it goes haywire. It shouldn't have to restart ISAKMP Phase 1. 

The preshared keys must be EXACTLY the same on both peers. Could there be a
typo in one of them? Could you retype them very carefully?

I suspect this is the problem simply because the preshared keys are compared
during Phase 1.

As someone else suggested, also check the IPSec access lists. Be sure not to
be confused by the fact that PIX does access lists with subnet masks, unlike
IOS which uses wildcard masks. Thank-you Cisco.

Once again, sorry if this is way offbase. I'm just learning all this cr*p.

Priscilla


> count = 1,
>   (identity) local= Y.Y.Y.Y, remote= X.X.X.X,
> local_proxy= Jabbers_VPN/255.255.255.224/0/0 (type=4),
> remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
> 
> ISAKMP (0): retransmitting phase 1...
> ISAKMP (0): deleting SA: src Y.Y.Y.Y, dst X.X.X.X
> ISADB: reaper checking SA 0x80a4c6f0, conn_id = 0  DELETE IT!
> 
> VPN Peer: ISAKMP: Peer ip:X.X.X.X Ref cnt decremented to:0
> Total VPN Peers:
> 1
> VPN Peer: ISAKMP: Deleted peer: ip:X.X.X.X Total VPN
> peers:0IPSEC(key_engin
> e): request timer fired: count = 2,
>   (identity) local= Y.Y.Y.Y, remote= X.X.X.X,
> local_proxy= Jabbers_VPN/255.255.255.224/0/0 (type=4),
> remote_proxy= 10.10.0.0/255.255.0.0/0/0 (type=4)
> 
> Any help/insight is Greatly appreciated.
> Thanx,
> mkj
> 
> 
> 
> ~~~
> Michael Jablonski
> ABN AMRO Asset Management Holdings, Inc.
> 161 North Clark St.
> 9th Flr
> Chicago, IL  60601-2468
> PH: 312.884.2996 
> FAX: 312.278.5550
> ~~~
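The DH-group mismatch TJ describes, and the "atts are acceptable" followed by "retransmitting phase 1" in mkj's debug, can both be reasoned about with a small model. What follows is an added example, not code from the thread or from Cisco: it compares ISAKMP policies attribute by attribute the way Phase 1 proposal matching does (encryption, hash, authentication and DH group must all agree in one transform; lifetime is negotiated, modelled here simply as the smaller value), decodes the 4-byte life duration the debug prints (0x0 0x1 0x51 0x80), and counts the Phase 1 retransmits Priscilla points at. The policies are constructed from TJ's description (IOS defaulting to group 1, the Concentrator to group 2); the cipher and hash on the Concentrator side are assumed.

```python
"""ISAKMP Phase 1 policy matching model (added example; not from the thread or Cisco).

A Phase 1 proposal matches only when encryption, hash, authentication method
and Diffie-Hellman group all agree in one transform; lifetime is negotiated
rather than required to match (simplified here to the smaller value). The
policies below are constructed from what TJ describes; the Concentrator's
cipher and hash are assumed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    encr: str              # "des" or "3des"
    hash: str              # "md5" or "sha"
    auth: str              # "pre-share" or "rsa-sig"
    group: int             # Diffie-Hellman group: 1 (768-bit MODP) or 2 (1024-bit MODP)
    lifetime: int = 86400  # SA lifetime in seconds

    def matches(self, other: "IsakmpPolicy") -> bool:
        return (self.encr, self.hash, self.auth, self.group) == \
               (other.encr, other.hash, other.auth, other.group)


Match = Tuple[IsakmpPolicy, IsakmpPolicy, int]


def negotiate_phase1(initiator: Iterable[IsakmpPolicy],
                     responder: Iterable[IsakmpPolicy]) -> Optional[Match]:
    """Return the first (initiator, responder, agreed_lifetime) pair that matches,
    walking the initiator's transforms in priority order as the responder does."""
    responder = list(responder)
    for i in initiator:
        for r in responder:
            if i.matches(r):
                return (i, r, min(i.lifetime, r.lifetime))
    return None


def mismatch_report(initiator: Iterable[IsakmpPolicy],
                    responder: Iterable[IsakmpPolicy]) -> List[str]:
    """For each pair, name the attributes that differ, so the operator knows which knob to turn."""
    responder = list(responder)
    report = []
    for i in initiator:
        for r in responder:
            diffs = [a for a in ("encr", "hash", "auth", "group")
                     if getattr(i, a) != getattr(r, a)]
            report.append(f"{i.encr}/{i.hash}/{i.auth}/group{i.group} vs "
                          f"{r.encr}/{r.hash}/{r.auth}/group{r.group}: "
                          + (", ".join(diffs) if diffs else "match"))
    return report


def decode_life_duration(hex_bytes: str) -> int:
    """'life duration (VPI) of  0x0 0x1 0x51 0x80' is a big-endian variable-length
    integer, one byte per token; that one decodes to 86400 seconds (one day)."""
    value = 0
    for tok in hex_bytes.split():
        byte = int(tok, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"not a byte: {tok}")
        value = (value << 8) | byte
    return value


def count_phase1_retransmits(debug_lines: Iterable[str]) -> int:
    """Repeated 'retransmitting phase 1' after 'atts are acceptable' is the sign
    Priscilla points at: the peers agreed on policy, then the exchange stalled,
    which she attributes to a pre-shared key mismatch rather than a proposal problem."""
    return sum(1 for line in debug_lines if "retransmitting phase 1" in line)


# TJ's description: IOS defaulted to DH group 1, the Concentrator to group 2.
IOS_DEFAULT = IsakmpPolicy(encr="3des", hash="md5", auth="pre-share", group=1)
IOS_FIXED = IsakmpPolicy(encr="3des", hash="md5", auth="pre-share", group=2)  # TJ's policy 1
CONCENTRATOR = IsakmpPolicy(encr="3des", hash="md5", auth="pre-share", group=2)  # assumed

# Constructed excerpt built from the lines in mkj's debug output above.
DEBUG_EXCERPT = [
    "ISAKMP (0): atts are acceptable. Next payload is 0",
    "return status is IKMP_NO_ERROR",
    "ISAKMP (0): retransmitting phase 1...IPSEC(key_engine): request",
    "ISAKMP (0): retransmitting phase 1...",
    "ISAKMP (0): deleting SA: src Y.Y.Y.Y, dst X.X.X.X",
]

if __name__ == "__main__":
    print("before:", negotiate_phase1([IOS_DEFAULT], [CONCENTRATOR]))
    for line in mismatch_report([IOS_DEFAULT], [CONCENTRATOR]):
        print("  ", line)
    print("after: ", negotiate_phase1([IOS_FIXED], [CONCENTRATOR]))
    print("lifetime:", decode_life_duration("0x0 0x1 0x51 0x80"), "s")
    print("phase 1 retransmits:", count_phase1_retransmits(DEBUG_EXCERPT))
```

Two things worth taking from the model: a group mismatch never reaches "atts are acceptable" at all, which is how TJ's case and mkj's case differ, and the lifetime bytes in the debug are worth decoding before assuming they are the problem, since 0x00015180 is simply the one-day default.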

RE: TCP sequence numbers question [7:49535]

2002-07-25 Thread Evans, TJ

Is it also relevant/correct that in a case like this, just under normal TCP
operation, HostB would assume HostA did not receive the ACK, which resulted
in HostA retransmitting the original packet ... and HostB re-ACK'ing it ...
etc. etc.  ?


Thanks!
TJ


-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, July 25, 2002 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: TCP sequence numbers question [7:49535]

I already explained that, as does Stevens. (You have his book, I think. It's
great.) The RFCs may not explain it. The creators of TCP don't approve of
keepalives.

Anyway, the sender purposely keeps the sequence number the same when
implementing the keepalive process. That causes the recipient to trash the
garbage byte instead of giving it to the application. Remember there's an
application running above all this (identified by the port number). The
transport layer does not pass the garbage byte to the application because it
appears to be a byte it already received. That's a basic TCP task.

Priscilla

sam sneed wrote:
> 
> > > So using the example below (host A 192.168.133.21, B
> > > 10.10.10.12), A sends 1
> > > byte of data, last successful sent byte is 2653258021,
> >
> > No, the last successful byte is 2653258020. That's Host A's
> sequence
> number.
> > Host A sends only one byte, the byte numbered 2653258020.
> > The analyzer you're using (is it TCPdump?) doesn't do a good
> job of making
> > this clear. I think it's trying to help you see what the
> expected ACK
> should
> > be. Don't read the second number as the sequence number of
> the last byte
> > sent. You'll be off by one if you do that.
> 
> 
> > A common mistake people make (and your analyzer may be
> making) is to add
> the
> > length of the data to the sequence number to get the sequence
> number of
> the
> > final byte of data in the segment. That doesn't work.
> You're mixing
> apples
> > and oranges. Actually, you're mixing cardinal numbers (how
> many, length)
> > with ordinal numbers (order, rank, sequence). You'll be off
> by one. I
> > explain this in detail in my new book, Troubleshooting Campus
> Networks, in
> > the TCP chapter. ;-)
> >
> > > shouldn't Host B ack
> > > (2653258021)+1 ?
> >
> > No, Host B's ACK should be 2653258021. Host B is saying I got
> 2653258020
> and
> > I'm expecting 2653258021 next. Once again, I think your
> analyzer's method
> of
> > display is confusing.
> >
> 
> Yes, the analyzer is tcpdump and now I understand the error in
> my
> interpretation. There is still one thing bothering me.
> Host A is a sending a keepalive with 1 garbage as in my
> previous post
> 2653258020, B acks 2653258021 the next SN its expects to see.
> But in my
> example host A sends 2653258020 with 1 byte of garbage again.
> Wouldn't this
> look a duplicate or at least an out of sequence frame since
> host B is
> expecting 2653258021 and has already ack'd 2653258020? There
> are no other ID
> fields in the TCP header so how would it not ignore it as a
> duplicate frame
> when its [src IP dest IP] [src port dest port] and sequence #'s
> are
> identical?
> I imported the raw packets into Ethereal so I could see all
> fields, even the
> 1 byte of garbage data is the same (00 in hex) and the header
> checksum are
> equal.
> I hate to beat this to death,  but this stuff is a science and
> based on
> RFC's, so it kills me not to be able to interpret this exactly
> and
> correctly. There should be no mysteries behind this stuff. After
> troubleshooting my network problem for awhile, I've become more
> interested
> in understanding the exact workings of TCP than solving the
> original
> problem.
> 
> Thanks a lot for your insight.
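The receiver-side rule Priscilla describes (a byte whose sequence number is below what the receiver is expecting is discarded and re-ACKed, never handed to the application) and the cardinal/ordinal off-by-one she warns about are easy to get wrong when reading a trace. The block below is an added example, not code from the thread or from any TCP stack: a simplified model of a TCP receiver's sequence-number handling, replayed against the numbers from sam's tcpdump trace (seq 2653258020, one byte, then the keepalive re-using the same seq). The comparison is done modulo 2^32 so the same logic holds across sequence-number wrap; out-of-order data is only re-ACKed, not buffered.

```python
"""TCP receiver sequence-number handling (added example; not from the thread).

Shows why the keepalive Priscilla describes (seq = a byte already ACKed,
one byte of garbage) is ACKed but never handed to the application, and the
cardinal/ordinal off-by-one: a segment with seq S and length L carries bytes
S .. S+L-1 and the ACK for it is S+L. The sequence numbers are the ones from
sam's tcpdump trace; the receiver logic is a simplified model.
"""
from typing import Tuple

SEQ_MOD = 1 << 32  # sequence numbers are 32-bit and wrap


def seq_lt(a: int, b: int) -> bool:
    """a < b in modulo-2^32 sequence space (serial-number arithmetic)."""
    return 0 < (b - a) % SEQ_MOD < SEQ_MOD // 2


def last_byte_seq(seq: int, length: int) -> int:
    """Ordinal of the last byte in the segment: S + L - 1, not S + L."""
    return (seq + length - 1) % SEQ_MOD


def expected_ack(seq: int, length: int) -> int:
    """The ACK a receiver sends after taking all L bytes: next byte wanted, S + L."""
    return (seq + length) % SEQ_MOD


class TcpReceiver:
    """Tracks RCV.NXT and decides which bytes of a segment are new."""

    def __init__(self, rcv_nxt: int) -> None:
        self.rcv_nxt = rcv_nxt % SEQ_MOD
        self.delivered = bytearray()  # what the application has been given

    def receive(self, seq: int, payload: bytes) -> Tuple[bytes, int]:
        """Return (bytes delivered to the application, ACK number to send)."""
        seq %= SEQ_MOD
        length = len(payload)
        end = (seq + length) % SEQ_MOD  # first byte after this segment
        if length == 0:
            return b"", self.rcv_nxt       # pure ACK, nothing to deliver
        if not seq_lt(self.rcv_nxt, end):
            # Entire segment lies below RCV.NXT: already received. This is the
            # keepalive case; the byte is dropped and a duplicate ACK goes back.
            return b"", self.rcv_nxt
        if seq_lt(self.rcv_nxt, seq):
            # Gap before it: out of order. A real stack would buffer it;
            # this model only re-ACKs what it already has.
            return b"", self.rcv_nxt
        # In order, possibly overlapping old data at the front: trim that part.
        skip = (self.rcv_nxt - seq) % SEQ_MOD
        new_data = payload[skip:]
        self.delivered += new_data
        self.rcv_nxt = end
        return bytes(new_data), self.rcv_nxt


def keepalive_exchange() -> Tuple[int, int, bytes]:
    """Replay the trace: A sends byte 2653258020 (1 byte), then a keepalive
    re-using the same seq. Returns (ack1, ack2, bytes the application saw)."""
    b = TcpReceiver(rcv_nxt=2653258020)
    _, ack1 = b.receive(2653258020, b"\x00")   # real byte: delivered, ACK 2653258021
    _, ack2 = b.receive(2653258020, b"\x00")   # keepalive: dropped, ACK 2653258021 again
    return ack1, ack2, bytes(b.delivered)


if __name__ == "__main__":
    print(keepalive_exchange())
    print(last_byte_seq(2653258020, 1), expected_ack(2653258020, 1))
```

Reading the trace with this in mind: Host B ACKs 2653258021 both times, the application sees exactly one byte, and nothing in the headers has to distinguish the keepalive from a retransmission, because the receiver treats both identically.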




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49694&t=49535



RE: Proper network design? [7:49536]

2002-07-24 Thread Evans, TJ

If I read this correctly ... (always a big assumption :) )
This may also arise when a network outgrows an initial IP range, and rather
than redesign/re-address every host they just hemorrhage another block ...

Or, the .100 box could be hosting a DMZ ?


Or, for some reason, it was decided that one block was going to have 'more
access' than another, so the 2.x subnet was thrown behind another router as
a choke point?


Thanks!
TJ


-Original Message-
From: Frank H [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 24, 2002 12:52 PM
To: [EMAIL PROTECTED]
Subject: RE: Proper network design? [7:49536]

No subinterfaces are used. Here's the Cisco 2514 config:

Router#show startup-config
Using 940 out of 32762 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
ip subnet-zero
!
interface Ethernet0
 description outside
 ip address xxx.xxx.xxx.90 255.255.255.128
 ip nat outside
 no cdp enable
!
interface Ethernet1
 description inside
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 no cdp enable
!
interface Serial0
 no ip address
 shutdown
!
!
 no ip address
 shutdown
!
ip nat pool test xxx.xxx.xxx.90 xxx.xxx.xxx.90 netmask 255.255.255.128
ip nat inside source list 1 pool test overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
ip route 192.168.2.0 255.255.255.0 192.168.0.100
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
!
end




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49557&t=49536



RE: Teaming network cards causes flapping [7:49254]

2002-07-24 Thread Evans, TJ

So it is trying to do some load balancing/sharing ... ?
... on Compaq's teaming driver, IIRC they say you need to group the ports
for the load sharing option to work ... ?

Most teaming drivers do create a virtual MAC and
use that for normal traffic, and the heartbeats use 'true' MACs for each
interface ... but you say yours does not?  

Does it create a third network interface ? 
Do an ipconfig /all ... do the adapters all have IP's, or only the team?
... and does the team have a mac as well?

> When I team our Intel NICs one of
> the ports on our
> cat 3500xl shows 
> addr_flapp about once every minuet
> is they any thing you need to do to support teaming?
> 
> no errors in non teamed mode.
> 
> Thanks
> 
> Gary
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49515&t=49254



RE: Rogue Wireless LANs [7:47287]

2002-06-27 Thread Evans, TJ

I am not, by any stretch of the imagination, a lawyer ... however my
understanding of the current interpretation of the laws applicable to
WarDriving is that if the owner/operator does not make at least some minimal
effort to secure the transmissions then it is considered 'for public use'.
So if the WAP is happily broadcasting its SSID and no encryption is enabled
... OTOH, if you capture packets, crack a wep key and spoof a MAC you are
putting forth effort to get into somewhere that has the proverbial "No
Entry" sign.

Similar to how, currently, a basic port scan against someone's machine is
not illegal.  It may violate your acceptable-use/subscription
agreement/whatever and you may get a slap on the wrist or a nasty-gram from
the lucky recipient, but AFAIK that is about as far as it goes ... until you
actually attempt to launch an exploit against those services/ports.


... back to wardriving ...
"Simple Bandwidth Leeching" is about all you could do without crossing any
really bad lines, and even that is questionable - bandwidth is a company
resource that they must provision, pay for, etc. and you are depriving them
of the use of it.

Obviously, if you do any of this and then proceed maliciously into their
network, or pose as a member of that firm, etc. you are _at_that_point_
definitively violating the law and deserve whatever befalls you ;)


Again - that is my understanding of the current
laws/policies/interpretations.  Corrections always accepted ... 
Thanks!
TJ


-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, June 26, 2002 4:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Rogue Wireless LANs [7:47287]

At 2:26 PM -0400 6/26/02, Dan Penn wrote:
>I think the take the company would take on it would depend highly on how
>worried they are about security.  If they have a well written security
>policy I think you would be in for some arguments from their legal
>department.  On the other hand what if it's a company that doesn't even
>know that employee Joe Schmoe has installed a WAP under his desk running
>802.11 unsecured to world...I think in that situation they might be
>interested to hear what you have to say.
>
>Over all this whole deal is very cloudy to say the least.  What legal
>rights does a company have if they are broadcasting wireless
>unsecured...it is like throwing money into the air then trying to arrest
>someone if they take it.

No, there really are very specific rules for electromagnetic 
emissions, beginning with the (US) Communications Act of 1934. 
Essentially, it says that any signals not explicitly meant for public 
broadcast may be intercepted, but that disclosure of the content to 
third parties is illegal.

This is enforced by the Federal Communications Commission, which is 
the US agency that regulates, among other things, the use of spectrum 
space, and the licensing (when required) of parts of the spectrum.

There certainly are blurred areas, such as disclosing statistical 
aggregates that do not reveal content, or intercepting communications 
by other than the primary signal (i.e., eavesdropping through 
incidental radiation, power line coupling, etc.).

In general, though, the law is much more clear about hacking 
involving the electromagnetic spectrum in free space than it is on 
entering computers.

>It's an old well known fact you don't say
>"welcome" in your motd banner because you "welcomed" the intruder in.
>You could say, you didn't know that you were unauthorized because you
>could connect to it from somewhere not on their property and you were
>never warned that you were unauthorized.  I'm not saying you would win
>the legal battle...but there would most likely be a legal battle over
>it.
>
>I am interested to know the outcome if anybody does actually try this
>and approaches the company about it.
>
>Dan
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Ken Diliberto
>Sent: Wednesday, June 26, 2002 11:04 AM
>To: [EMAIL PROTECTED]
>Subject: Re: Rogue Wireless LANs [7:47287]
>
>Agreed.  This could be a big legal trap.
>
>If you use something like Network Stumbler, you're not actually using
>their network.  You're just seeing the broadcasts from it.  Maybe that
>would be a good approach.
>
>Ken
>
  "Thomas E. Lawrence"  06/25/02 11:09AM >>>
>I realize you are speaking in jest, but for those who might consider
>this
>approach as a means of drumming up business, you may want to give some
>thought.
>
>Connecting to a network to which you have no reason nor any right to
>connect
>can be considered hacking, and you could be subject to prosecution,
>ironically by an organization that is asking for trouble anyway.Just
>because
>I don't have locks on my doors does not mean it's ok for you to walk
>into my
>home any time you please.
>
>Please be careful how you approach a company when you have discovered
>by
>accident a particularly egregious vulnerability.
>
>Tom
>
>[snip]

RE: IP phone [7:44803]

2002-05-23 Thread Evans, TJ

Ask Google ... he(she?) knows damn near everything.
Maybe "Internet LineJACK" fits the bill?

In general - looking for answers on your own is not a bad idea ...


Thanks!
TJ


-Original Message-
From: Osama Kamal [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 23, 2002 8:31 AM
To: [EMAIL PROTECTED]
Subject: RE: IP phone [7:44803]

Is there any other IP phone that is capable of working as a stand alone voip
set?

Osama

-Original Message-
From: Michael J. Doherty [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 23, 2002 2:25 PM
To: Osama Kamal; [EMAIL PROTECTED]
Subject: Re: IP phone [7:44803]

The Cisco IP Phones are slave devices, incapable of independent thought (so
to speak).  While you can provide configuration parameters through the
telephone interface, you are limited to setting IP address, TFTP address and
default CallManager information.  Without a CallManager to communicate with,
the phones are not capable of any logical decisions (they receive all
information through TFTP files and RTP streams with the CallManager for
communication decisions).

Mike

- Original Message -
From: "Osama Kamal" 
To: 
Sent: Thursday, May 23, 2002 6:55 AM
Subject: IP phone [7:44803]


> Is it possible to configure Cisco IP phone from the phone set itself, and
> use it without Call Manager software?
>
> I need to use IP phone from home to place calls over internet without
> additional software or PC's, any idea?
>
>
>
> Regards
>
> Osama
*
The information in this email is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this email by anyone else
is unauthorized. 

If you are not the intended recipient, any disclosure, copying, distribution
or any action taken or omitted to be taken in reliance on it, is prohibited
and may be unlawful. When addressed to our clients any opinions or advice
contained in this email are subject to the terms and conditions expressed in
the governing KPMG client engagement letter. 
*




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44822&t=44803
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



BGP Load-Balancing with 2 providers... plus new question [7:40490]

2002-04-04 Thread Evans, TJ

This is a case of Load Sharing vs. Load Balancing; very important
difference!

And unfortunately, this is
out of your control ... based totally  on BGP hop
counts.



On a related note - I would like to drop a question to the group:
Similar situation; i.e. - we have dual frac-DS3's to two ISP's and we are
using BGP for basic redundancy/load sharing.  The question now is how would
we do bandwidth management in this situation?  
 has signed us up for providing guaranteed bandwidth,
thank-you-very-much>>.

Specifically - say we have 6 clients, and want to enforce bandwidth caps on
their usage .  The best we have
come up with is 
1   add another layer of routers between our PIXes and our border routers
... use HSRP groups to
traffic shape specific clients to specific "middle" routers by default.
These new "middle routers" would perform the rate-limiting and then forward
to the border routers.  The border routers would receive only partial routes
 and iBGP would route those accordingly, otherwise default to
send to default gateway.
2   get some third party - Packeteer  and use this for the rate
limiting / flow control.  Still use iBGP + HSRP groups for "ISP client"
routing and initial traffic shaping .


Any thoughts?  Have we overlooked something; the "automagic command" that
makes this work cleaner?  Some other  product that is all-encompassing and
functions as a magic bullet for this ...



Thanks!
TJ


-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 03, 2002 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: BGP Load-Balancing with 2 providers...Possible?? [7:40242]

I'm assuming you're getting full routes from each provider.  You will
most likely get a rough load balance based on the randomness of the
sites your users are connecting to and your upstreams are roughly equal,
i.e. 90% of your routes are not learned via provider A.  But you're not
going to get a 50/50 per packet load balance between 2 different
providers nor would you want to.

  Dave

Cisco Nuts wrote:
> 
> Hello,
> Is it possible to load-balance BGP traffic with 2 service providers...I
know
> it is possible to load balance with 2 circuits to the same provider using
> ebgp-multihop and update-source and cef but with 2 circuits to 2 different
> providers??
> Thank you for your help.
> 
> _
> Send and receive Hotmail on your mobile device: http://mobile.msn.com
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40490&t=40490



RE: Pix NAT - Two to one [7:37179]

2002-03-07 Thread Evans, TJ

The reply *should* come from the IP that the request arrived at ...  ...


Thanks!
TJ



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 05, 2002 12:38 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]

When the two outside addresses are resolved to the single inside address
(port 80) everything is OK but when the web server sends back a reply
which of the address translations with be used? If the wrong one is
picked any firewall will choke on it, and if no firewall, the other end
of the connection may get traffic from a source address it doesn't know
anything about. End result is that the two outside addresses need to be
associated with two distinct inside addresses.
Hope this helps,
Scott

--- On Mon 03/04, Gaz wrote:
> Eventually, two separate static commands for two separate outside
> addresses
> going to two separate DMZ addresses.
> At the moment there is just one machine inside. Possibility of putting
> multiple addresses on the server but preferred option is not to do
this.
> What I would like to miss out is the time required to wait for DNS to
> propagate when I split the single outside address to two. If I can
leave
> the
> DNS pointing to two addresses and make the changes at the required
time,
> there is no delay involved.
>
> Thanks,
>
> Gaz
>
>
> ""Patrick Ramsey"" wrote in message
> news:[EMAIL PROTECTED]...
> > what is the overall goal?
> >
> > >>> Gaz 03/04/02 03:06PM >>>
> > Hi all,
> >
> > Has anybody tried NAT'ing two outside addresses to one internal
> (DMZ)
> > address on the same port (80) in some way.
> > Not too difficult to get round, as I can get the DNS of one site
> changed
> and
> > use the single address outside to single inside.
> > The advantage would be that when the web sites are separated, to two
> > machines inside, I would like to be able to change the pix settings
> > immediately rather than change DNS and wait a couple of days for DNS
> to
> > propagate.
> > I'm sure there may be some simple way of doing it, but I couldn't
> find it
> > whilst playing about today.
> >
> > Any ideas welcome.
> >
> > Thanks,
> >
> > Gaz
> > > Confidentiality
> Disclaimer This email and any files
> transmitted with it may contain confidential and
> > /or proprietary information in the possession of WellStar Health
> System,
> > Inc. ("WellStar") and is intended only for the individual
> or entity to
> whom
> > addressed. This email may contain information that is held to be
> > privileged, confidential and exempt from disclosure under applicable
> law.
> If
> > the reader of this message is not the intended recipient, you are
> hereby
> > notified that any unauthorized access, dissemination, distribution
> or
> > copying of any information from this email is strictly prohibited,
> and may
> > subject you to criminal and/or civil liability. If you have received
> this
> > email in error, please notify the sender by reply email and then
> delete
> this
> > email and its attachments from your computer. Thank you.
> >
> > 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37559&t=37179



RE: Setting up Catalyst 6500 as a Layer 2 switch [7:37177]

2002-03-05 Thread Evans, TJ

Have you verified  that broadcast traffic is not flowing?
Also - when you say directed IP is, you have done it host to host and not
just host to switch, yes?

To show up in Network Neighborhood I believe they will also need to be in
the same workgroup ... or pointing to a WINS server for name resolution.


Thanks!
TJ



-Original Message-
From: Matt Fisher [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 04, 2002 4:12 PM
To: [EMAIL PROTECTED]
Subject: RE: Setting up Catalyst 6500 as a Layer 2 switch [7:37177]

I am setting this up in VLAN 1.  So the vlan was already setup in the VLAN
database.  I do have the ports in question set to switchport mode access. 
All of the ports are in the same vlan.

Matt




---Previous Message---
I'm trying to setup a Cat 6500 running IOS 12.1 (c6sup22-dsv-mz.121-8a.E5)
as a layer two switch and I'm running into some issues.  I have a group of
ports all on the same vlan, with "switchport" set to enable them as layer 2
switch ports.  Directed IP traffic flows fine, but broadcast traffic is not
flowing between the ports.

The short story of the problem.  In this test environment I have 5 NT
servers plugged into the Cat 6500 and they can't see each other via
"Network Neighborhood".

My current goal is to just get this switch to act like your basic unmanaged
switch (I'll work on the more interesting settings after I get this basic
functionality working.)

Any ideas what I might be missing?

Matt





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37249&t=37177



RE: PIX questions [7:37129]

2002-03-05 Thread Evans, TJ

Hmm .. never tried this, and
assuming it works I certainly would never recommend /do it ...

If you are truly desperate for telnet  - would the pix allow you to make a
static external address for the inside interface of the pix itself, and
allow telnet to that  and as part
of the telnet permitted pool ?


Anyway - if telnet is required, the usual ways are to either do a bounce
telnet as below or to take it a step further use some port redirection on an
internal host to accomplish the same thing .


Probably worth saying one more time, for emphasis - none of these are
recommended!  

a)  Use SSH, it is free ...

b)  Even better - use 3DES VPN 
... and then telnet from that host to the inside interface
c)  The bestest - use a 3DES VPN to a host and run SSH from there to the
inside interface :)


Thanks!
TJ



-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 04, 2002 3:15 PM
To: [EMAIL PROTECTED]
Subject: RE: PIX questions [7:37129]

If you really want to create a loophole so you can telnet into the firewall
from the outside, and you do not want to create a secure connection to it,
you can place a dummy router (or other telnet ready device) on the inside,
allow telnet to it from the outside, allow the device to telnet to the PIX,
telnet to it and reverse telnet back to the PIX.

Hth,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job
~~~




-Original Message-
From: MJ [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 1:35 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX questions [7:37129]


Hunt/Swapnil - You can not telnet to the outside interface.  You will need
to configure SSH.

""Swapnil Jain""  wrote in message
news:[EMAIL PROTECTED].;
> You don't need to add a conduit for telnet unless you have blocked port 23.
>
> just add
> telnet ip_address [netmask] [if_name]
>
> to allow telnet from ip_address
>
> bye swapnil
>
> ""Hunt Lee""  wrote in message
> news:[EMAIL PROTECTED].;
> > Hi all,
> >
> > I have two questions about PIX 501, it would be great if someone can
shed
> > some light on this:
> >
> > 1)Currently, I'm using a software called RANCID to monitor and save
> > configs for my works' routers. I know that RANCID uses a Clogin to get
into
> > the router, it then does a show running-config command to view the
configs,
> > and then backs it up.
> > My question is, would PIX 501 supports Clogin?
> >
> > 2)Also, I know one can use "conduit permit icmp any any" to allow
the
> > PING packets to get thru the PIX.  Would I be able to use a similar
> command
> > which will allow me to telnet from "outside network" into the PIX?
> >
> > Please help...
> >
> > Best Regards,
> > Hunt Lee




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37251&t=37129



RE: Pix NAT - Two to one [7:37179]

2002-03-05 Thread Evans, TJ

Last I heard / checked this is not an option on the PIX.
Documentation is  very explicit - one for one mapping.

The typical workaround is to add a secondary ip address  to the machine.  We
have done this
repeatedly; for DNS changes, for ISP address space changes, etc.



Thanks!
TJ



-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 04, 2002 3:51 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix NAT - Two to one [7:37179]

Eventually, two separate static commands for two separate outside addresses
going to two separate DMZ addresses.
At the moment there is just one machine inside. Possibility of putting
multiple addresses on the server but preferred option is not to do this.
What I would like to miss out is the time required to wait for DNS to
propagate when I split the single outside address to two. If I can leave the
DNS pointing to two addresses and make the changes at the required time,
there is no delay involved.

Thanks,

Gaz


""Patrick Ramsey""  wrote in message
news:[EMAIL PROTECTED].;
> what is the overall goal?
>
> >>> Gaz  03/04/02 03:06PM >>>
> Hi all,
>
> Has anybody tried NAT'ing two outside addresses to one internal (DMZ)
> address on the same port (80) in some way.
> Not too difficult to get round, as I can get the DNS of one site changed
and
> use the single address outside to single inside.
> The advantage would be that when the web sites are separated, to two
> machines inside, I would like to be able to change the pix settings
> immediately rather than change DNS and wait a couple of days for DNS to
> propagate.
> I'm sure there may be some simple way of doing it, but I couldn't find it
> whilst playing about today.
>
> Any ideas welcome.
>
> Thanks,
>
> Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37250&t=37179



RE: Standard Cisco ACL's for security [7:36931]

2002-03-01 Thread Evans, TJ

The NSA 60  minute guide to Securing your network is useful ... and
recommends a pretty decent list of ports to block.  Check google ... 


Thanks!
TJ



-Original Message-
From: Vaas [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 01, 2002 2:07 AM
To: [EMAIL PROTECTED]
Subject: Standard Cisco ACL's for security [7:36931]

Hi..

I had seen a 'txt' file explaining some standard access lists being
implemented
(standard and extended) for filtering on the net sometime back. I am not
able
to trace it. If some one has one, Can you please provide me the link?

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36976&t=36931



RE: question about stateful inspection [7:36817]

2002-02-28 Thread Evans, TJ

I think we are confusing ourselves with Stateful Packet Filter vs. Stateful
Failover.

Stateful Failover, IIRC, is exactly for the 'higher layer protocols' ...
maintaining sessions, etc.


Thanks!
TJ


-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 28, 2002 1:00 PM
To: [EMAIL PROTECTED]
Subject: Re: question about stateful inspection [7:36817]

Well...if stateful inspection is used at layer three..then the device
utilizing this function is keeping track of the session flowing through...

I would think that stateful inspection at the application layer would be
doing the same...(at least... maybe even extra stuff)

So if you have an smtp session open through a device that had statefull
inspection enabled for the application layer, then it would track the actual
communication and not the session per se... of course... It would almost
seem weird to have stateful inspection in the higher levels without layer
3... things that make you go hmmm. Time to go do some research...hehe

-Patrick

>>> "Steven A Ridder"  02/28/02 12:17PM >>>
I think it means the ability to check other layers such as 4-7.  For
example, the ability to check http or SMTP commands.

--
RFC 1149 Compliant


""John Green""  wrote in message
news:[EMAIL PROTECTED].;
> what is multilayer stateful inspection ?
>
> stateful inspection is understood fine. but what does
> the prefix multilayer denote or mean ?
>
> state refers to the state of a session information
> that is temporarily kept in a state table for open
> connections and is wiped or erased when the session
> ends. BUT what does multilayer mean here ?
>
> __
> Do You Yahoo!?
> Yahoo! Greetings - Send FREE e-cards for every occasion!
> http://greetings.yahoo.com 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36835&t=36817



RE: netmeeting problem [7:36524]

2002-02-26 Thread Evans, TJ

Google
Netmeeting limitations
First hit = http://www.cwru.edu/net/csg/cmc/netmeeting.html
Click on limitations ...


4. NetMeeting Limitations
... NetMeeting limits the use of audio and/or video to two participants at
any one time. Using multipoint audio and/or video requires the use of
third-party conference servers that support these functions using the H.323
specification. 



So ... what netmeeting conference server // H.323 gateway are you using?  Is
it configured properly?



Thanks!
TJ


-Original Message-
From: Jim Bond [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 26, 2002 2:08 PM
To: [EMAIL PROTECTED]
Subject: OT: netmeeting problem [7:36524]

Hello,

I've got a netmeeting server, when users logon, only
first 2 users can see video, others can only use white
board, share directories. What's wrong?

Thanks.

Jim

__
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36528&t=36524



RE: Re: TWO ISP AND ONE FAILURE [7:36371]

2002-02-26 Thread Evans, TJ

This has turned into a really long thread ... Anyway:

HSRP + BGP would be, IMHO, the best option.  It would be graceful and
smooth, not to mention provide automatic failover.
The BIG CAVEAT - this is only true *IF* they can afford to UG their hardware
and if they can justify the IP address space.  If we are still just talking
about one server though this is a little too heavy ... 


For such a relatively small (1) group of servers/domains it may be worth
looking at something like a third-party IP forwarding service.  You have
your two IP's from two ISP's ... give your server one internal/private IP
, NAT on the two routers to the ISP-specific
address.  In the event of a failure, the forwarding service would need to be
notified .  A quick google search gave me a few results,
dynu.com for example.  Don't really have time to see if they do everything
you need, but it is at least worth looking into!


Downsides:
Usually require SW to be installed on your server(s)
Reliant on the third party to be in business and working
:)
Annual fee .. I think dynu.com said it is like $25/year 


Upsides:
No router upgrades  
(flash/nvram, licensing ... new routers altogether?)
No BGP activation costs 
(~$350 per ISP and I think $300 for the ASN)
Less config work on your part




... sorry to blaspheme and recommend a non-cisco solution :) ... 
Thanks!
TJ


-Original Message-
From: Yassel Omar Izquierdo Souchay [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 25, 2002 10:11 AM
To: [EMAIL PROTECTED]
Subject: TWO ISP AND ONE FAILURE [7:36371]


Hello, I have a frequent problem with one of my ISPs. I have two Cisco routers
and each one goes to a different ISP. Frequently I have to change the gateway of
one of my servers, because one ISP is failing. I want to know if with one of
BGP, OSPF, RIP, NAT or other protocol I could do the change automatically to
the other active ISP. It is happening to me right now. And when I have to do that
I have to reset one of my servers.. :S. It is a costly operation; it's a mail
server. So if somebody knows how to resolve between routers with a different
ISP each one, how to route across the other good gateway.

Thnx in advance
Yassl





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36484&t=36371



RE: Access list question [7:36124]

2002-02-22 Thread Evans, TJ

Footnote - I believe this would also permit 'crafted' packets with the ack
bit set ... which is why a good firewall is better .


Thanks!
TJ



-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 21, 2002 8:25 PM
To: [EMAIL PROTECTED]
Subject: RE: Access list question [7:36124]

That's a good conceptual explanation. I would add that technically, it 
allows TCP packets that have the ACK bit set. In other words, it allows 
packets that are acknowledging another packet. That means it would not 
allow an incoming SYN used to set up a session, but it would allow a reply 
to a SYN that already happened.

Priscilla

At 06:26 PM 2/21/02, David Jones wrote:
>Justin,
>
>This is typically used in an Internet/NAT situation where you are allowing
>something from the Internet to come back in, only if it's a reply to a
>request that originated from inside your network.  For instance, with a
>router connected to the Internet, you typically want an access-list applied
>to your Internet-facing port that denies incoming traffic, as you don't
want
>them trying to walk all over your router or network.  However, this same
>access list will drop valid replies to requests from clients inside your
>network, i.e. http replies, etc.
>
>With the 'established' option, you can tell the router with access lists
>"drop everything inbound from the Internet, except replies to requests made
>from inside my network".
>
>Typically, people do this because they don't want to pay for a firewall,
but
>this isn't the best thing to do.  If you need to set this up for someone
for
>Internet access, you need to dig a little deeper into it because if my
>memory serves me right, this command may or may not work with UDP traffic
>and only TCP traffic.  I'm not sure and might be totally wrong, so you need
>to check.
>
>Hope this helps,
>
>Dave


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36206&t=36124
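TJ's footnote and Priscilla's description of the ACK-bit match can be shown side by side with a small model. This is an added example, not code from the thread or from Cisco: it models the IOS `established` keyword as a stateless test of the ACK/RST header bits next to a minimal stateful filter that only admits replies to sessions an inside host opened; all hosts and ports are constructed sample values.

```python
"""Why 'established' is not a stateful firewall (added example, not from the thread)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class TcpSegment:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    rst: bool = False


def established_permits(seg: TcpSegment) -> bool:
    """IOS 'permit tcp any any established' semantics: match if ACK or RST is set.

    The keyword applies to TCP only (UDP carries no flags to inspect), and the
    router keeps no memory of earlier packets: each segment is judged solely
    on its own header bits, so a crafted ACK-only segment matches too.
    """
    return seg.ack or seg.rst


class StatefulFilter:
    """Tracks sessions opened from the inside and admits only their replies."""

    def __init__(self) -> None:
        self._sessions: set[tuple[str, int, str, int]] = set()

    def outbound(self, seg: TcpSegment) -> bool:
        # A bare SYN from an inside host creates a session entry; RST tears it down.
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.syn and not seg.ack:
            self._sessions.add(key)
        elif seg.rst:
            self._sessions.discard(key)
        return True

    def inbound(self, seg: TcpSegment) -> bool:
        # Reverse the tuple: the inside host is now the destination.
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        if key not in self._sessions:
            return False
        if seg.rst:
            self._sessions.discard(key)
        return True


INSIDE_HOST = "10.0.0.5"       # constructed RFC 1918 inside address
WEB_SERVER = "198.51.100.80"   # constructed TEST-NET-2 outside address
PROBE_SRC = "203.0.113.9"      # constructed TEST-NET-3 outside address


def compare_filters() -> dict[str, tuple[bool, bool]]:
    """Run the same inbound segments through both filters.

    Returns {label: (established_acl_permits, stateful_filter_permits)}.
    """
    sf = StatefulFilter()
    # The inside client opens a connection to the web server first.
    sf.outbound(TcpSegment(INSIDE_HOST, 40000, WEB_SERVER, 80, syn=True))

    inbound = {
        # Legitimate SYN/ACK reply to the session opened above.
        "reply_to_our_syn": TcpSegment(WEB_SERVER, 80, INSIDE_HOST, 40000, syn=True, ack=True),
        # Unsolicited connection attempt from the outside: both filters drop it.
        "unsolicited_syn": TcpSegment(PROBE_SRC, 1234, INSIDE_HOST, 22, syn=True),
        # Segment with only ACK set and no matching session: 'established' lets it through.
        "crafted_ack": TcpSegment(PROBE_SRC, 1234, INSIDE_HOST, 22, ack=True),
        # A bare RST also satisfies 'established' on IOS.
        "crafted_rst": TcpSegment(PROBE_SRC, 1234, INSIDE_HOST, 22, rst=True),
    }
    return {name: (established_permits(seg), sf.inbound(seg)) for name, seg in inbound.items()}


if __name__ == "__main__":
    for name, (acl, stateful) in compare_filters().items():
        print(f"{name:18} established={acl!s:5} stateful={stateful!s:5}")
```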



RE: PIX information [7:35294]

2002-02-13 Thread Evans, TJ

I believe it syncs them auto-magically, or perhaps on a timed basis.
Regardless ... I always do a wr standby ... just to be sure.


Thanks!
TJ

 -Original Message-
From:   Hartnell, George [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, February 13, 2002 12:46 PM
To: [EMAIL PROTECTED]
Subject:RE: PIX information [7:35294]

AND, am I to understand correctly, as the manual is quite vague, that an
upgrade of the primary failover unit also updates the secondary?  Or, must
the hapless administrator do each individually?

Best, G.

> -Original Message-
> From: Jose Celestino [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 13, 2002 7:12 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PIX information [7:35294]
> 
> 
> PIX-FW1# copy ?
> usage: copy tftp[:[[//location][/pathname]]] flash
> 
> For instance:
> 
> copy tftp://192.168.2.2/configs/pix.cfg flash
> 
> 
> Thus spake BASSOLE Rock, on Wed, Feb 13, 2002 at 09:06:59AM -0500:
> > Hello group,
> > 
> > 
> > What command can I use to copy a configuration from a tftp 
> server to a PIX
> > Firewall? I have looked on the cisco web site for the command 
> but couldn't
> > find. Can somebody help.
> > 
> > Thank you.
> > 
> > Rock
> -- 
> Jose Celestino 
> -
> "Little prigs and three-quarter madmen may have the conceit 
> that the laws of
> nature are constantly broken for their sakes."
> -- Friedrich Nietzsche







RE: PIX information [7:35294]

2002-02-13 Thread Evans, TJ

Config net TFTP_IP:FILENAME ?


Thanks!
TJ

 -Original Message-
From:   BASSOLE Rock [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, February 13, 2002 9:07 AM
To: [EMAIL PROTECTED]
Subject:PIX information [7:35294]

Hello group,


What command can I use to copy a configuration from a tftp server to a PIX
Firewall? I have looked on the cisco web site for the command but couldn't
find. Can somebody help.

Thank you.

Rock



RE: Why do some TFTP sessions take a lot longer [7:35006]

2002-02-11 Thread Evans, TJ

Are all of the routers identical?
Are all of your Ethernet interfaces 100mb/full duplex?
Do you see any errors on them? ... collisions, FCS, etc.
Are the PC NIC's configured the same?
Out Of Curiosity - what make/model are the NICs?
Are the PC's OS and software loads identical - i.e., are any of them doing
anything funky?

Note - I would recommend, if you haven't already, making everything 
100mb/FD "locked", no auto anything :).

Or start troubleshooting the old-fashioned way ... 
Are they consistent - i.e. - is this week's "slow set" the same next week,
or no?
If you take a "slow set" and plug that router into a "fast set" ... and try
again ... does the "slow router" become "fast"?
... etc.


Thanks!
TJ

>""Ozzie Sutcliffe""  wrote in message
>news:[EMAIL PROTECTED]...
>>  When I do the TFTP lab in class..
>>  I have 6 routers 6 PC  and 6 Xover cables
>>  All have the same configs except for IP addy's
>>  Yet when the class pulls down the IOS the times for a 7 meg bin file vary
>>  from 4 to 15 minutes.
>>  The cables are all the same length same company who made them.
>>  The routers are all 1601's the pc's and NIC's the same all running windoze
>>  98 SE.
>>  Ideas anyone ??
>>  This week I will sniff each PC  and see what that bring up .
>>
>>
>>  Ideas anyone ??
>>
>>
>>  I will post the results next saturday
>>
>>  Oz





RE: problem in int [7:34937]

2002-02-11 Thread Evans, TJ

Depends on the nature of your client and their network access patterns!
For example - http is very asynchronous traffic ...
always pulling more than pushing :).
Does this number remain consistently "high", or just when you happened to
check it this time?

If it really bothers you, go to your next hop down switch and check the
interfaces ... look for the "high bandwidth utilization"
there as well.  Continue doing so until you find the machine ...



Thanks!
TJ

At 11:07 PM 2/8/02, kaushalender wrote:
>hi group
>I have a strange problem. The problem is i have a 128 kbps link to my
>customer.When I see the interface on which customer is connected the
>incoming traffic is less and outgoing traffic is very high .Why this is
>happening .Plz tell me
>This is the int as u seeing clearly 47000 is incoming from customer and
>192000 is outgoing to customer
>Thanx
>
>
>Serial0/2 is up, line protocol is up
>   Hardware is PowerQUICC Serial
>   Description: "RAINBOW AND VERTEC" "REM-2"
>   Internet address is 216.252.243.1/30
>   MTU 2048 bytes, BW 512 Kbit, DLY 2 usec,
>  reliability 255/255, txload 95/255, rxload 23/255
>   Encapsulation PPP, loopback not set
>   Keepalive set (10 sec)
>   LCP Open
>   Listen: CDPCP
>   Open: IPCP
>   Last input 00:00:00, output 00:00:00, output hang never
>   Last clearing of "show interface" counters 2d02h
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1769
>   Queueing strategy: weighted fair
>   Output queue: 0/1000/64/0 (size/max total/threshold/drops)
>  Conversations  0/30/256 (active/max active/max total)
>  Reserved Conversations 0/0 (allocated/max allocated)
>  Available Bandwidth 384 kilobits/sec
>   5 minute input rate 47000 bits/sec, 68 packets/sec
>   5 minute output rate 192000 bits/sec, 58 packets/sec
>  4251918 packets input, 655572206 bytes, 0 no buffer
>  Received 0 broadcasts, 0 runts, 1 giants, 0 throttles
>  94 input errors, 2 CRC, 87 frame, 0 overrun, 0 ignored, 5 abort
>  4168853 packets output, 1573135961 bytes, 0 underruns
>  0 output errors, 0 collisions, 13 interface resets
>  0 output buffer failures, 0 output buffers swapped out
>  0 carrier transitions
>  DCD=up  DSR=up  DTR=up  RTS=up  CTS=up
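To see what the quoted counters actually say, here is an added example (mine, not from the thread) that parses the show interface block above and checks the txload/rxload figures against the 5 minute rates and the configured BW; the 128 kbps figure passed in is the link speed the original poster states, and the sample text is the posted output trimmed to the lines the parser needs.

```python
import re

# Constructed sample: the Serial0/2 output quoted in the post above, trimmed
# to the lines the parser needs (the counters are copied as posted).
SHOW_INT = """\
Serial0/2 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Internet address is 216.252.243.1/30
  MTU 2048 bytes, BW 512 Kbit, DLY 2 usec,
     reliability 255/255, txload 95/255, rxload 23/255
  Encapsulation PPP, loopback not set
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1769
  5 minute input rate 47000 bits/sec, 68 packets/sec
  5 minute output rate 192000 bits/sec, 58 packets/sec
"""

_PATTERNS = {
    "name": r"^(\S+) is \S+, line protocol is",
    "bw_kbit": r"BW (\d+) Kbit",
    "txload": r"txload (\d+)/255",
    "rxload": r"rxload (\d+)/255",
    "output_drops": r"Total output drops: (\d+)",
    "in_bps": r"input rate (\d+) bits/sec",
    "out_bps": r"output rate (\d+) bits/sec",
}


def parse_show_interface(text):
    """Pull the fields we need out of one 'show interface' block.

    Raises ValueError if a field is missing instead of guessing a value.
    """
    fields = {}
    for key, pat in _PATTERNS.items():
        m = re.search(pat, text, re.MULTILINE)
        if m is None:
            raise ValueError("missing field %s in show interface output" % key)
        fields[key] = m.group(1) if key == "name" else int(m.group(1))
    return fields


def expected_load(rate_bps, bw_kbit):
    """Reproduce the IOS load counter: the rate scaled to 0..255 against the
    *configured* bandwidth statement (BW), truncated."""
    return rate_bps * 255 // (bw_kbit * 1000)


def analyze(fields, physical_kbit=None):
    """Return derived figures. physical_kbit is the circuit speed the operator
    believes the link has (the post says 128 kbps for this link)."""
    bw_bps = fields["bw_kbit"] * 1000
    result = {
        "out_pct_of_bw": round(100.0 * fields["out_bps"] / bw_bps, 1),
        "in_pct_of_bw": round(100.0 * fields["in_bps"] / bw_bps, 1),
        # asymmetry toward the customer: outgoing over incoming
        "out_in_ratio": round(fields["out_bps"] / float(fields["in_bps"]), 2),
        # do the load counters agree with the rates and the BW statement?
        "txload_consistent": expected_load(fields["out_bps"], fields["bw_kbit"]) == fields["txload"],
        "rxload_consistent": expected_load(fields["in_bps"], fields["bw_kbit"]) == fields["rxload"],
        # drops on the busy direction are the symptom worth watching
        "output_drops": fields["output_drops"],
    }
    if physical_kbit is not None:
        result["out_pct_of_physical"] = round(100.0 * fields["out_bps"] / (physical_kbit * 1000), 1)
        # a rate above the believed circuit speed means either the circuit is
        # faster than believed or the 'bandwidth' statement is not the circuit speed
        result["rate_exceeds_physical"] = fields["out_bps"] > physical_kbit * 1000
    return result


if __name__ == "__main__":
    parsed = parse_show_interface(SHOW_INT)
    for key, value in sorted(analyze(parsed, physical_kbit=128).items()):
        print("%-22s %s" % (key, value))
```

The txload/rxload values only match the rates when measured against the configured BW 512 Kbit, so on a circuit that really is 128 kbps those percentages understate the load by a factor of four.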




RE: 3DES [7:34756]

2002-02-08 Thread Evans, TJ

I heard it put very well, and wish I could attribute it but I don't recall
the source:
To paraphrase, it goes something like this:
Think of what it is your company makes, does or sells ... or is planning on
doing so in the future.
... and how it makes it and/or does it, how much it costs to do so, etc.
... and who it sells it to ... and for how much .. and where this money goes

Think of what differentiates you from your competitors .. quality, quantity,
unique products/information/processes, etc.
Now think of what would happen to your company if your competition
knew all of this.




Granted - you can argue that this oversimplifies things a little bit, but it
makes a point that will readily hit home with management if nothing else!
Thanks!
TJ
... just because you are paranoid doesn't mean they aren't out to get you.

 -Original Message-
From:   Chuck Larrieu [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, February 08, 2002 11:07 AM
To: [EMAIL PROTECTED]
Subject:Re: 3DES [7:34756]

The paranoid among us can think of other industries where industrial
espionage might play a part. Insurance, medical, any industry where there
are proprietary processes in place.

Imagine if people had been able to hack Enron :->

Chuck


""Joel Satterley""  wrote in message
news:[EMAIL PROTECTED]...
> Hear, hear, as long as you re-key every so often, who's going to bother ??
>
>
> ""Daniel Cotts""  wrote in message
> news:[EMAIL PROTECTED]...
> > My opinion is that nobody is going to try to intercept and decrypt your
> > traffic unless you deal in very large amounts of money. DES will keep the
> > curious at bay. It is less processor intensive.
> >
> > > -Original Message-
> > > From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, February 07, 2002 9:46 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: 3DES [7:34756]
> > >
> > >
> > > I have been looking at routers/firewalls. I am thinking of going with
> > > the 2611 with a ADSL card, I also want to get a 515. Our office is not
> > > that big yet, but I want to plan for the future. I see that
> > > the Pix 515R
> > > only does DES, but doesn't do 3DES. But when I buy the
> > > router, I can get
> > > it with 3DES. I am just kinda confused, where is the best place to use
> > > 3DES, on the firewall, or on the router? Or it doesn't
> > > matter. The way I
> > > see it, if I wanted to do 3DES on the firewall with the 515, I would
> > > have to buy the 515UR, which is about 10K. I don't really need the
> > > throughput for 100,000 users just yet though. Any suggestions on this?
> > >
> > >
> > >
> > > Thanks in advance...
> > >
> > >
> > >
> > > Brian Zee MCSE, CCNA, A+



3DES [7:34754]

2002-02-07 Thread Evans, TJ

IMHO the best place to do VPN termination is on a VPN Concentrator, but
there is obviously a not-too-insignificant cost involved there.  In fact, to
then do that right you would need another FW ... or at least a FW with
multiple interfaces to route the VPN traffic through .

When possible, according to Layer 8, I always try to make each
box do what it is really good at - i.e., routers route and firewalls block.

Given that this is not always an option, a router based 3DES VPN works fine
... but requires a couple of upgrades to support.  Barring any of those,
there is always the option of stepping outside of Cisco products - but we
don't like to talk about that



Thanks!
TJ




>>> "Brian Zeitz"  02/07/02 10:38AM >>>
I have been looking at routers/firewalls. I am thinking of going with
the 2611 with a ADSL card, I also want to get a 515. Our office is not
that big yet, but I want to plan for the future. I see that the Pix 515R
only does DES, but doesn't do 3DES. But when I buy the router, I can get
it with 3DES. I am just kinda confused, where is the best place to use
3DES, on the firewall, or on the router? Or it doesn't matter. The way I
see it, if I wanted to do 3DES on the firewall with the 515, I would
have to buy the 515UR, which is about 10K. I don't really need the
throughput for 100,000 users just yet though. Any suggestions on this?



Thanks in advance...



Brian Zee MCSE, CCNA, A+




RE: NAT vs ACL [7:34728]

2002-02-07 Thread Evans, TJ

The NSA put together a "60 minute guide to securing your network", which has
an excellent breakdown of what ports you will want to block inbound and
outbound.  It also breaks them up into "should never be open", "may be open
if needed", etc. type of categories.

The question I have is - What is going behind this router?  Do you have /
will you have a firewall as well?  If not, please consider the security
implications of this - you would want to pay special attention to *every*
machine to harden it and ensure that you also perform rudimentary patch
management.


For thoroughness - the short answer to the original question is "both". :)



Thanks!
TJ

 -Original Message-
From:   Kent Hundley [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, February 07, 2002 10:18 AM
To: [EMAIL PROTECTED]
Subject:RE: NAT vs ACL [7:34728]

It's not a question of either/or, NAT and ACL's will work perfectly fine
together.  Strictly speaking, NAT is not a security feature, although it
does have some security related properties depending on how its implemented.
For example, many NAT implementations will not allow inbound initiated
connections to NATed IP addresses. (don't know if Cisco NAT has this
property or not)  Also, if you use PAT (also called NAT overload and
Masquerading), inbound connections to the PAT address to non-mapped ports
will be dropped, offering some level of protection to internal hosts.

However, NAT is not a replacement for ACL's and some applications don't play
well with NAT.  If you have a registered address space, you don't _need_ NAT
but you certainly need ACL's to protect yourself.  If you properly use
ACL's, it's likely that NAT isn't going to buy you much, if any, additional
security.  If you don't have registered address space, you will need to use
NAT, and you definitely should use ACL's as well.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 8:43 PM
To: [EMAIL PROTECTED]
Subject: NAT vs ACL [7:34728]


If my Cisco router needs to connect to the internet, what should I
enable/use by default? NAT or Access List?
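The interplay Kent describes, as an added example (mine, not code from the thread): a toy PAT gateway run once with no filtering and once with an inbound access list on the outside interface. All addresses, ports and the ACL are constructed; the point is that PAT only drops unsolicited packets to ports with no translation, while anything that does have a translation (a reply, or a static mapping) goes straight through unless an ACL says otherwise.

```python
import ipaddress
from collections import namedtuple

# A TCP packet as the gateway sees it; ack=True marks a segment that belongs
# to an already-open session (what an IOS 'established' entry keys on).
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port ack")
# One access-list entry. dst_port None = any port; established=True means the
# entry only matches segments with ACK set, as 'permit tcp ... established' does.
Ace = namedtuple("Ace", "action src_net dst_net dst_port established")


def acl_permits(acl, pkt):
    """Evaluate a list the way a router does: no list applied means everything
    passes; an applied list is searched top down, first match wins, and a
    packet matching nothing hits the implicit deny at the end."""
    if acl is None:
        return True
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for ace in acl:
        if src not in ipaddress.ip_network(ace.src_net):
            continue
        if dst not in ipaddress.ip_network(ace.dst_net):
            continue
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            continue
        if ace.established and not pkt.ack:
            continue
        return ace.action == "permit"
    return False


class PatGateway:
    """Toy NAT overload (PAT) box. Dynamic translations are created only by
    traffic leaving the inside, so an unsolicited packet to an unmapped port
    has nothing to match and is dropped: the side effect Kent describes, not a
    deliberate filter."""

    def __init__(self, outside_ip, outside_acl=None):
        self.outside_ip = outside_ip
        self.outside_acl = outside_acl   # applied 'in' on the Internet-facing interface
        self.next_port = 40000
        self.xlate = {}      # (inside_ip, inside_port) -> outside_port
        self.reverse = {}    # outside_port -> (inside_ip, inside_port)

    def add_static(self, outside_port, inside_ip, inside_port):
        """Static entry that publishes an inside service; from here on NAT is
        not hiding that host and only the ACL decides who may reach it."""
        self.xlate[(inside_ip, inside_port)] = outside_port
        self.reverse[outside_port] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Translate a packet leaving the inside, creating the entry if new."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.xlate:
            self.xlate[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return Packet(self.outside_ip, self.xlate[key], pkt.dst_ip, pkt.dst_port, pkt.ack)

    def inbound(self, pkt):
        """Return (translated packet or None, reason) for a packet from outside."""
        if not acl_permits(self.outside_acl, pkt):
            return None, "denied by ACL"
        inside = self.reverse.get(pkt.dst_port)
        if inside is None:
            return None, "no translation"
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.ack), "forwarded"


# Constructed inbound ACL for the outside interface: replies to sessions the
# inside opened, plus the published web server, nothing else.
OUTSIDE_ACL = [
    Ace("permit", "0.0.0.0/0", "203.0.113.1/32", None, True),
    Ace("permit", "0.0.0.0/0", "203.0.113.1/32", 80, False),
]


def demo(outside_acl):
    """Send the same constructed packets through a gateway with the given
    outside ACL (None = NAT only) and return the verdict for each."""
    gw = PatGateway("203.0.113.1", outside_acl)
    gw.add_static(80, "10.0.0.20", 80)        # public web server, intended
    gw.add_static(1433, "10.0.0.30", 1433)    # DB server, mapped by mistake
    # an inside client opens a session; the reply comes back to its PAT port
    out = gw.outbound(Packet("10.0.0.5", 51000, "198.51.100.10", 80, False))
    reply = Packet("198.51.100.10", 80, gw.outside_ip, out.src_port, True)

    def probe(port):
        return Packet("192.0.2.9", 4444, gw.outside_ip, port, False)

    return {
        "reply to inside client": gw.inbound(reply)[1],
        "unsolicited to port 23": gw.inbound(probe(23))[1],
        "web server port 80": gw.inbound(probe(80))[1],
        "db server port 1433": gw.inbound(probe(1433))[1],
    }


if __name__ == "__main__":
    for label, acl in (("NAT only", None), ("NAT + ACL", OUTSIDE_ACL)):
        print(label)
        for name, verdict in demo(acl).items():
            print("  %-24s %s" % (name, verdict))
```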



RE: ethernet errors explained [7:33687]

2002-01-31 Thread Evans, TJ

You can also get these nice kind of hard-to-troubleshoot issues if your
cables are not wired properly; i.e. 'crossed or mismatched pairs' on some
cable-testers.
Specifically - if the pinout is such that the wrong wires are being twisted
around each other ... would normally work just fine for really short runs,
but get into 20' or longer and you get the problems listed below.

Also - just for the record - we had absolute fits with our RS6k's as well
until hard-coding each side at the same speed and duplex; 100/FULL in our
case.


Thanks!
TJ

>""Steven A. Ridder""  wrote in message
>news:[EMAIL PROTECTED]...
> > Are you sure switch and NIC are the same speed and duplex?  Looks like
> > port speed/duplex mismatch.
> > ""Patrick Donlon""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi Everyone
> > >
> > >  I'm trying to find some information on some Ethernet errors that I see
> > >  on a port, see the text below. The machine is an RS6000 and was
> > >  experiencing some performance problems, the NIC was set to auto
> > >  negotiation and there were the usual errors. The port and NIC are now
> > >  both fixed and the errors are increasing steadily, I've had a good
> > >  search on the CCO but I can't find any explanation of what causes the
> > >  errors, any advice will be appreciated
> > >
> > >  Regards
> > >
> > >  Patrick




RE: Fwd: Re: Why use wildcard mask [7:30600]

2002-01-04 Thread Evans, TJ

Although I am inclined to stay out of this, I would like to ask a question
of the heretofore nameless one ...
"Most ISP's today" ... that would imply that you have spoken with a
majority of all of the current ISP's

Have you done so?  Or was this factoid picked up from a book somewhere?  If
from a book - well, then you are listening to the same professors you
bemoan.



RE: DHCP, WK2 and default gateway PROBLEM [7:29732]

2002-01-02 Thread Evans, TJ

Just my $.02 ... secondary addresses cover this quite well!!
... and then again as we phased providers out ...


Thanks!
TJ

 -Original Message-
From:   Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, December 19, 2001 11:26 PM
To: [EMAIL PROTECTED]
Subject:Re: DHCP, WK2 and default gateway PROBLEMMM + [7:29732]

The default gateway has to be on the same subnet as the clients that use 
it, as you probably know.

What is the default gateway? Is it a Cisco router? You could give it a 
secondary address on the new 192.168.40.0. network. Then use that address 
for the clients on the 192.168.40.0 subnet as their default gateway.

Another thought: what is the subnet mask? I'm assuming it's 255.255.255.0. 
You could change it temporarily to 255.255.0.0 while doing the changeover. 
That way 192.168.50.0 and 192.168.40.0 are on the same subnet. Clients with 
addresses that start with 192.168.40.0 could still use 192.168.50.7 as 
their default gateway.

Priscilla

At 10:43 PM 12/19/01, Juan Blanco wrote:
>Team,
> I am working in a project for a company that has almost 600 users with
>static ip. What I have to do is move everyone to a dynamic ip environment,
>without affecting the current network functionality. The problem that I am
>having is when I created my new scope in wk2 I am not able to provide the
>default gateway to my clients because the DG is not the same network like
>the one in the scope
>
>DHCP server(w2k) which is not able to provide my default
> My scope = 192.168.40.50 .. 100
>New segment ip is 192.168.40
>DG for the segment is the DG for the others users in the same segment
>MY DG = 192.168.50.7
>
>How will I be able to define two IP address to the same interface in which
>both IP address can be define as the DG
>
>Thanks,
>
>JB


Priscilla Oppenheimer
http://www.priscilla.com



RE: Looking for a CCNP [7:28907]

2001-12-12 Thread Evans, TJ

Don't forget about the latency involved in all packets traveling through
Springfield, or the frequent collisions that occur on these specific routes.

... I usually wish I *didn't* live in Springfield.
Thanks!
TJ

 -Original Message-
From:   Howard C. Berkowitz [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, December 12, 2001 2:52 PM
To: [EMAIL PROTECTED]
Subject:RE: Looking for a CCNP [7:28907]

Be careful of what you wish for.  I'm still laughing at the thought 
of just what sort of Traffic Director the (inappropriate) ad is 
looking for. Springfield contains the most complex freeway 
intersection in the Washington DC metro area, which is under MASSIVE 
reconstruction.

Indeed, I even use the roads around Springfield in explaining weird 
routing. While traveling south from DC, up to the famed Beltway, you 
are on 395 South. You are presented with a routing table giving you 
exits to 95/495 North, 95 South, and 495 South. The only problem is 
that 95 South is exactly the same road you are on, but just changes 
name. Federal highway regulations require there be an exit sign for 
every new numbered Interstate, so exit 4B is right in the middle of 
the road. There _is_ no turnoff. It's like your subnet changes number 
somewhere in the middle.

BGP blackhole routes are simple compared to the Springfield interchanges.


>Hmmm.
>
>Wish I lived in Springfield.
>
>Heather
>
>>  -Original Message-
>>  From:   Jeff Rollins [SMTP:[EMAIL PROTECTED]]
>>  Sent:   Wednesday, December 12, 2001 11:25 AM
>>  To: [EMAIL PROTECTED]
>>  Subject:Looking for a CCNP [7:28907]
>>
>>  Hello,
>> 
>>  My name is Jeff Rollins I am the Technical Resource Manager for
>>  ViSTECH
>>  Systems I am looking for a strong Cisco Network Engineer with a CCNP
>>  certification. Needs strong Cisco, TCP/IP, and WAN experience. Must
>>  have
>>  documentation experience of there work. Some products you will be
>>  working using are: Traffic Director, Sniffer, and Concord. Salary
>>  range
>>  is 75k max. The location is Springfield, Va.
>> 
>> 
>> 
>> 
>>  Jeff Rollins
>>  Technical Resource Mgr.
>>  866-322-8005 x225
>>  703-273-8004 x225



RE: Vlan Design [7:23928]

2001-10-24 Thread Evans, TJ

As with most design issues, a lot of the answer will depend on individual
circumstances.
Including, but certainly not limited to:
Cost
Size of environment
Traffic Flow
Security Concerns
Summed up as what is your "Overall Goal"



If your primary concern is COST, then the size will obviously heavily
influence your architecture ... you may get no VLANs, especially if you are
talking about 10 users with one server, etc.

etc. etc. etc.


Also - Doug - Since you mention doing it this way - let me add:
If your goal is 'simple' collision reduction, or ease of management, then
yes - making each closet / floor / 'physical area' its own VLAN is fine;
and works VERY well.  This is an elegant, scalable way to manage bandwidth
and traffic flow.  I worked with a client and that is how the whole building
is done and the LAN infrastructure easily supports the 2000+ local users.



RE: OT: The most powerful Unix command EVER!!! (3rd trail!!!) [7:21886]

2001-10-03 Thread Evans, TJ

rm -rf ...
rm  "remove"
-r  recursive
-f  force

all together --> same effect as a "deltree /y ."; namely - everything on HDD
is no longer present :).



RE: PIX - VERY URGENT [7:21569]

2001-10-01 Thread Evans, TJ

Can the firewall ping your router?
Can the firewall ping the inside 'host'?
Did you create the NAT addresses / pool?
Do a show xlate ... what xlates are listed?

Do you have an external route on your FW and is the def gateway of your
host(s) set correctly?



Thanks!
TJ

 -Original Message-
From:   C.E.O Dickson [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, October 01, 2001 11:35 AM
To: [EMAIL PROTECTED]
Subject:PIX - VERY URGENT [7:21569]

Please Help - Have configured a PIX Firewall with basic NAT. Can't get a
connection through the firewall. Have set up the
PING command - access-list acl_out permit icmp any any
access-group acl_out in interface outside
access-group acl_out in interface inside
Can't ping through even, keep getting this message
302010: 0 in use, 36 most used
Can some one help please.

Thanks



RE: Active Directory Ports & PIX [7:19772]

2001-09-15 Thread Evans, TJ

You also need to specify what is where ...
... AD servers in DMZ / outside or the client PC's in the DMZ / outside?
Hopefully, AD inside ... but then again, hopefully you would use a VPN for
the outside boxes to connect.


One possible, semi-allowable exception - multiple firewalls; either layered
or separate .. AD is supposed to be all encrypted, no?

Separate:
Running on theory here ... you would still hopefully use a PIX2PIX VPN!
But ... I believe TCP ports 135-139 and 445 are used, dunno if all are
needed tho'.  

Layered:
We have one client that has the primary firewall, which has the AD server
and some Web/APP server ... they also have another PIX behind the first PIX,
which then houses some DB servers.  I believe, the DB servers were able to
join the domain w/o any config changes as they were outbound connections.
One issue we had - the DB servers registered themselves in DDNS with their
INTERNAL addresses, so all of the other boxes using AD provided DNS could
not reach them ... address to reach them.


Thanks!
TJ

 -Original Message-
From:   Patrick Ramsey [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, September 13, 2001 11:24 AM
To: [EMAIL PROTECTED]
Subject:Re: Active Directory Ports & PIX [7:19772]

Allowing a server access to all domain functions completely defies putting
it in a DMZ...  That means if any one person broke into a box in the dmz, he
has access to the entire domain not a good idea..

-Patrick

>>> "Dave Luancing"  09/13/01 10:36AM >>>
Does anyone know what ports need to be opened in a PIX
to allow servers to join the domain and replicate.

Thanks,
 Dave




RE: Multihoming BGP with two seperate ISP's via single router [7:19393]

2001-09-11 Thread Evans, TJ

As long as the PIX is 'pointed to' the inside Ethernet interface of the
router, the PIX should never know about anything past that.

Does your PIX point to the router as its DG?
Do you have the address space for your BGP AS# configured properly with your
ISP's? 
Does this happen regardless of which ISP is left & which one is removed?
... and when you say the router is routing to the remaining ISP; do you mean
you see routes forming or do you mean you can pass packets?



Thanks!
TJ

 -Original Message-
From:   Bob [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, September 10, 2001 6:01 PM
To: [EMAIL PROTECTED]
Subject:Multihoming BGP with two seperate ISP's via single router
that [7:19328]

Hello,

I am multihoming BGP with two separate ISP's via single router that is
connected to a PIX.
When I shutdown one of my serial ports to one of the ISP's you can see the
BGP table removing paths. All traces show that the router starts routing to
the ISP that is still active, but all the workstations on the inside of the
pix interface can no longer route. I've read where the PIX Firewall does not
support the use of BGP, and that I could use RIP between them. Does anyone
have an example of this configuration? My searches on this subject within
Cisco's knowledgebase have not been very successful. Or if you can think of
another solution for my setup, please let me know.

Thank you,



RE: I HAVE QUESTION How can i know who conn to my rout [7:17843]

2001-08-30 Thread Evans, TJ

Is the FTP server telling you someone is connected, or is the OS telling you
someone is connected ... ?

From what I am reading below, it sounds more like the OS is telling you
someone is connected, a la terminal services or whatever XP calls the
built-in remote control app.  I would check your user list and (a) make sure
nothing out of the ordinary is there, (b) check the "remote control app"
manager and see if anyone is connected, and (c) do a netstat -an to get the
current connections ...

Or WinXP could just be buggy ... something about it being BETA  


Thanks!
TJ


At 11:57 PM 8/28/01, PHIMHONGKONG wrote:
>hehehe
>
>Sorry, it is not what I want to know.
>
>Let me say:
>
>I have a Router with 2 E
>
>I run an FTP for 50 users to download from my server.
>I used to shut down my computer (server) at night.
>
>When I go to shut it off,
>
>the computer prompts me a message that someone is connecting and it won't
>shut down.
>
>The OS is Windows XP Professional.
>
>I checked the Serv-U FTP and all clear + I turned off the FTP.
>
>At that time there was no more connection to my computer,
>but the computer kept telling me there is someone on the computer and it
>won't shut down ..
>
>My computer runs the OS and did not set any fancy thing except a Serv-U FTP
>on port 21.
>
>I knew someone was on my computer and XP won't shut down.
>
>I have to press the Turn off button to turn it off
>:-0
>
>Any suggestion?
>
>I want to know the command to show who is connected to your router, whenever
>you want to check how many connections from outside to your router...
>
>
>any suggestion ??
>
>Thanks
>
>
>"Donny Mateo" wrote in message news:[EMAIL PROTECTED]...
> > I believe another command would also accomplish the same thing, correct me
> > if I'm wrong :
> >
> > show users
> >
> > Donny
> >
> >
> > >From: "Priscilla Oppenheimer"
> > >Reply-To: "Priscilla Oppenheimer"
> > >To: [EMAIL PROTECTED]
> > >Subject: Re: I HAVE QUESTION How can i know who conn to my rout [7:17611]
> > >Date: Tue, 28 Aug 2001 22:08:17 -0400
> > >
> > >Oh, so you are considering connections TO the router, not connections
> > >through the router. You must be asking about Telnet sessions (or HTTP on
> > >some routers) used for configuring or managing the router.
> > >
> > >So, in that case, use the show tcp brief command, as John suggested.
> > >
> > >Here's an example courtesy of Leigh Anne:
> > >
> > >RouterD#show tcp brief
> > >TCB       Local Address       Foreign Address     (state)
> > >81770CA8  172.16.1.110.23     172.16.1.1.1067     ESTAB
> > >
> > >Priscilla
> > >
> > >At 07:24 PM 8/28/01, PHIMHONGKONG wrote:
> > > >Hello
> > > >Sorry I confuse all you guys
> > > >
> > > >Let's say in Windows xx you put a command NETSTAT
> > > >
> > > >It will OUTPUT something like this
> > > >
> > > >Active Connections
> > > >
> > > >  Proto  Local Address        Foreign Address                         State
> > > >  TCP    cx541749-a:ftp-data  bb-62-5-49-77.bb.tninet.se:4227         TIME_WAIT
> > > >  TCP    cx541749-a:ftp-data  bb-62-5-49-77.bb.tninet.se:4228         TIME_WAIT
> > > >  TCP    cx541749-a:ftp-data  bb-62-5-49-77.bb.tninet.se:4229         TIME_WAIT
> > > >  TCP    cx541749-a:ftp-data  bb-62-5-49-77.bb.tninet.se:4230         TIME_WAIT
> > > >  TCP    cx541749-a:ftp-data  bb-62-5-49-77.bb.tninet.se:4231         TIME_WAIT
> > > >  TCP    cx541749-a:ftp-data  c1771000-a.stcla1.sfba.home.com:2815    ESTABLISHED
> > > >  TCP    cx541749-a:ftp       bb-62-5-49-77.bb.tninet.se:4226         ESTABLISHED
> > > >  TCP    cx541749-a:ftp       c1771000-a.stcla1.sfba.home.com:2810    ESTABLISHED
> > > >  TCP    cx541749-a:ftp       h230n3fls21o906.telia.com:65002         ESTABLISHED
> > > >
> > > >
> > > >I would like to know!! Is it possible I can do the same on a router??
> > > >
> > > >If yes, what command!! Thanks
> > > >
> > > >If no,
> > > >
> > > >What is the closest command :-)
> > > >
> > > >Thanks
> > > >
> > > >
> > > >If some hacker logs in to your router and network (he deletes history
> > > >and log)
> > > >
> > > >How can you know your network was hacked?
> > > >
> > > >Thanks
> > > >
> > >
> > >
> > >Priscilla Oppenheimer
> > >http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com
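An added example, not code from the thread, showing how a defender can answer TJ's question (is it the OS telling you someone is connected?) from the `show tcp brief` output Priscilla quoted. The parser below handles the IOS address format with the port appended after a dot (172.16.1.110.23), keeps only ESTAB sessions to management ports, and flags foreign hosts outside an assumed trusted management network and cleartext protocols. The router name, TCB values, addresses and the trusted network are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample in the layout of the quoted "show tcp brief" output;
# the TCBs and addresses are made up and are not from the thread.
SAMPLE_SHOW_TCP_BRIEF = """\
RouterD#show tcp brief
TCB       Local Address          Foreign Address        (state)
81770CA8  172.16.1.110.23        172.16.1.1.1067        ESTAB
81771F30  172.16.1.110.23        203.0.113.77.4412      ESTAB
81772A10  172.16.1.110.80        172.16.1.50.2210       TIMEWAIT
81773C88  172.16.1.110.22        198.51.100.9.51022     ESTAB
81774D00  *.23                   *.*                    LISTEN
"""

# Ports a router typically exposes for management; telnet and plain HTTP
# carry credentials in cleartext, which is why the advice is SSH or a VPN.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}
CLEARTEXT = {"telnet", "http"}


@dataclass
class TcpSession:
    tcb: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str


def split_addr(token):
    """Split 'a.b.c.d.port' into ('a.b.c.d', port). IOS appends the port
    with a dot, so only the last dot separates it. '*.*' raises ValueError."""
    ip, port = token.rsplit(".", 1)
    return ip, int(port)


def parse_show_tcp_brief(text):
    """Return a TcpSession for every connection row; the prompt, the header
    and LISTEN rows without a numeric foreign port are skipped."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "TCB":
            continue
        try:
            local_ip, local_port = split_addr(parts[1])
            foreign_ip, foreign_port = split_addr(parts[2])
            ipaddress.ip_address(foreign_ip)  # rejects wildcard peers
        except ValueError:
            continue
        sessions.append(TcpSession(parts[0], local_ip, local_port,
                                   foreign_ip, foreign_port, parts[3]))
    return sessions


def management_sessions(sessions, trusted_nets):
    """For each ESTAB session on a management port return the tuple
    (service, foreign_ip, trusted, cleartext)."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for s in sessions:
        if s.state != "ESTAB" or s.local_port not in MGMT_PORTS:
            continue
        service = MGMT_PORTS[s.local_port]
        peer = ipaddress.ip_address(s.foreign_ip)
        trusted = any(peer in n for n in nets)
        findings.append((service, s.foreign_ip, trusted, service in CLEARTEXT))
    return findings


if __name__ == "__main__":
    # Assumed trusted management network; a constructed value.
    sessions = parse_show_tcp_brief(SAMPLE_SHOW_TCP_BRIEF)
    for service, peer, trusted, clear in management_sessions(sessions, ["172.16.0.0/16"]):
        flags = ("" if trusted else " UNTRUSTED-SOURCE") + (" CLEARTEXT" if clear else "")
        print(f"{service:<7} session from {peer}{flags}")
```

The TIMEWAIT row on port 80 is deliberately left out of the findings, since only established sessions answer the "who is on the box right now" question; the telnet session from 203.0.113.77 is the case TJ warns about later in this archive, a cleartext management login from an address outside the trusted network.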

RE: Rapid spanning-tree 802.1w [7:16524]

2001-08-21 Thread Evans, TJ

Just go to google, type in your desired search words and add
"site:cisco.com" ...




Thanks!
TJ

 -Original Message-
From:   Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, August 20, 2001 2:32 
To: [EMAIL PROTECTED]
Subject:Re: Rapid spanning-tree 802.1w [7:16524]

A search on Google discovered that Cisco has a patent for the technologies 
in 802.1W!? So, I'm sure Cisco is working on support for 802.1W. See this
link:

http://standards.ieee.org/db/patents/pat802.html

A search at Cisco's site found nothing, but that's partly because their 
search engine is SO AWFUL. A Cisco person yelled at me for saying this 
once, but I'm sticking to my guns. The search engine at Cisco's site found 
a bunch of pages with 802.1 in them, in some language other than English 
that seems to use "w" as a word. Interesting, but not helpful.

Someone had a link for doing a Google search on Cisco's Web site? What was 
that? Anyone still have it?

Priscilla

At 09:27 AM 8/20/01, Semion Lisyansky wrote:
>Hi List,
>
>As far as I understand, UplinkFast/BackboneFast are a partial
>implementation of 802.1w. Does Cisco have a full implementation
>of rapid spanning-tree 802.1w? If yes, in which product, and where
>can I get some more info about those products?
>Please cc me directly 'cause I'm a digest subscriber.
>
>--
>Semion Lisyansky


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16637&t=16524



RE: PIX static map question [7:15983]

2001-08-16 Thread Evans, TJ

With regards to reload - almost never required, a good "wr mem" and
sometimes a "clear xlate" .

With regards to ordering - within an individual portion  they are just
sorted by order of entry ...

With regards to ping-ability - you have not listed a conduit permitting ping
... so by default it is blocked .


Thanks!
TJ


- Original Message -
From: "Munzir Khan" 
To: 
Sent: Thursday, August 16, 2001 1:11 AM
Subject: RE: PIX static map question [7:15983]


> Question for MAJDI & EVANS
>
> Just a quick question: is it really required to restart the PIX firewall
> for the new settings to take effect??
>
> Another question is, should defining the static map for INSIDE/DMZ/OUTSIDE
> be in sequence, or does it not matter whatever sequence you make?
>
> for example
>
> static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255. 0.0
>
> static (inside, DMZ)
> static (inside)
> static (inside,outside)
>
> See above, it is not in sequence. I have the same case; I applied the
> settings you have suggested but it does not even ping to that IP from
> outside ... also tell me, do conduits need to be arranged by the IP
> addresses ???
>
> please suggest!!!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16307&t=15983



RE: Re: CODE RED protection ! ! ! [7:15989]

2001-08-15 Thread Evans, TJ

Blocking all access to port 80? ... must be nice to have that much leeway in
what you are able to block.

There are free scanners available to scan entire class-c equivalent network
blocks for vulnerable &/or infected systems  ... run
it, then patch/repair/reboot those machines.   


Thanks!
TJ

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, August 15, 2001 4:06 
To: [EMAIL PROTECTED]
Subject:Re:  Re: CODE RED protection ! ! ! [7:15989]

My company just got hit by Code Red last week. The only logical thing to
deploy on your routers is to block all access to port 80 in and out of all
the interfaces by ACL.

Unless you have the luxury of running IOS 12.1 and above on all your
routers, you will not be able to use NBAR. Deploy the ACLs onto all
interfaces to control all port 80 traffic.

Use "ip route-cache flow" and "show ip cache flow" on your interfaces to
detect the IP addresses that are propagating HTTP traffic to port 80. You
will have to look out for port 0050 under destination port when you perform
a "show ip cache flow".

Cheers.

- Original Message -
From:  "Dennis Bailey" 
To:  [EMAIL PROTECTED]
Sent: Tue, 14 Aug 2001 15:34:19 -0400
Subject:  Re: CODE RED protection ! ! ! [7:15989]
Depending upon the router platform you can use NBAR.

 I am just really depressed right now because there are costumers getting
involved in our business.  I knew I wasn't the only one who liked to get
dressed up but now think of the pressure that there will be with
professionals out there..


"Hamid" wrote in message news:[EMAIL PROTECTED]...
> Hi group
>
> I have some costumers whom I believe are infected with CODE RED. Any ideas
> how I can deny any traffic related to CODE RED on my router?
>
> Thanks
>
> Hamid







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16154&t=15989
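As an added example (not from the thread and not Cisco's tooling), the Python below does offline what the poster describes doing by eye with "show ip cache flow": it parses the flow rows and reports inside hosts that have TCP flows to port 80 (DstP 0050, the display is hexadecimal) towards many distinct destinations. That fan-out, many destinations with a handful of packets each, is the footprint of a host scanning for IIS servers rather than a user browsing, and it gives a short list of machines for the patch/repair/reboot step TJ mentions. Interface names, addresses and the threshold are constructed sample values.

```python
from collections import defaultdict

# Constructed sample in the layout of "show ip cache flow" flow rows;
# protocol and ports are hexadecimal in this display, addresses are made up.
SAMPLE_CACHE_FLOW = """\
Router#show ip cache flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         192.168.1.10    Se0/0         203.0.113.5     06 0413 0050     3
Fa0/0         192.168.1.10    Se0/0         203.0.113.6     06 0414 0050     3
Fa0/0         192.168.1.10    Se0/0         203.0.113.7     06 0415 0050     1
Fa0/0         192.168.1.10    Se0/0         203.0.113.8     06 0416 0050     3
Fa0/0         192.168.1.10    Se0/0         203.0.113.9     06 0417 0050     1
Fa0/0         192.168.1.10    Se0/0         203.0.113.10    06 0418 0050     3
Fa0/0         192.168.1.20    Se0/0         198.51.100.40   06 0C1A 0050    42
Fa0/0         192.168.1.20    Se0/0         198.51.100.41   06 0C1B 0050    17
Fa0/0         192.168.1.30    Se0/0         198.51.100.9    06 0D2F 0016    88
Fa0/0         192.168.1.30    Se0/0         198.51.100.53   11 0D30 0035     2
"""

TCP = 6
HTTP = 80  # shown as DstP 0050 in the hexadecimal display


def parse_show_ip_cache_flow(text):
    """Return one dict per flow row; the prompt, the column header and any
    line that does not have exactly eight columns are skipped."""
    flows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 8 or t[0] == "SrcIf":
            continue
        try:
            flows.append({
                "src_if": t[0], "src": t[1], "dst_if": t[2], "dst": t[3],
                "proto": int(t[4], 16), "sport": int(t[5], 16),
                "dport": int(t[6], 16), "pkts": int(t[7]),
            })
        except ValueError:
            continue  # eight columns but not a flow row
    return flows


def http_fanout(flows):
    """Number of distinct destination hosts each source has TCP/80 flows to."""
    dests = defaultdict(set)
    for f in flows:
        if f["proto"] == TCP and f["dport"] == HTTP:
            dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items()}


def suspected_scanners(flows, threshold=5):
    """Sources whose TCP/80 fan-out reaches the threshold (a constructed
    cut-off; tune it to what normal browsing looks like on your segment)."""
    return sorted(src for src, n in http_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    flows = parse_show_ip_cache_flow(SAMPLE_CACHE_FLOW)
    for src, n in sorted(http_fanout(flows).items()):
        print(f"{src:<15} {n} distinct HTTP destinations")
    print("suspected scanners:", suspected_scanners(flows))
```

In the sample, 192.168.1.10 touches six web servers with one to three packets each (the scan pattern), 192.168.1.20 has two long-lived sessions (normal browsing) and 192.168.1.30 never talks to port 80 at all, so only the first host is reported at the default threshold.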



RE: PIX static map question [7:15983]

2001-08-14 Thread Evans, TJ

Assuming you have a static statement for each server, *that part* is
correct.
However - the conduit lines will need a port# ... web tcp/80 ... smtp/pop
25/110.
Conduit permit tcp host   __extIPaddress__   eq   __port#__   any
External address of each server
Port# for service


Also - make sure the server(s) has(have) been patched, etc ... 
... another note - I am sure someone will mention that you should use ACL's
instead of conduits as they are being deprecated ... 


not really related - but directions for blocking code-red propagation
attempts on routers:
http://www.cisco.com/warp/public/63/nbar_acl_codered.shtml#1


Thanks!
TJ

 -Original Message-
From:   Munzir Khan [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, August 14, 2001 3:45 
To: [EMAIL PROTECTED]
Subject:PIX static map question [7:15983]

I want to add another global outside IP address in the PIX firewall for the
Outlook Web server; basically I want to separate the Exchange server and
Outlook Web onto different machines. The Outlook Web & Exchange servers are
installed inside the network. I also want to allow outside users to access
their e-mails, connecting with any internet provider thru Outlook Web, so
this would be like this???

static (inside,outside) 212.x.x.10 192.168.0.30 netmask 255.255.255.255. 0.0
(is this correct)

conduit permit tcp host 192.168.0.30 any
conduit permit tcp host 212.x.x.10 any

Please help!!!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=16000&t=15983



RE: Got A Side Job and am baffled by one client...... [7:9612]

2001-06-26 Thread Evans, TJ

... or you could try changing the SID just to see what happens ... there are
utils for that.
YMMV.


Thanks!
TJ

 -Original Message-
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Saturday, June 23, 2001 09:33
To: [EMAIL PROTECTED]
Subject:Re: Got A Side Job and am baffled by one client..
[7:9612]

George,
I think you just answered your own question.  IMHO, if the other PCs have
the same config and are able to get an address, it is most likely a SID that
has gotten corrupt on the box in question.  I would back up data, rebuild,
and re-add it to the workgroup.
My .02c,
BTW, if you want to block by MAC address, use an access list # 700 - 799.
Robert Hugo





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9963&t=9612



RE: e-mail encryption [7:9109]

2001-06-26 Thread Evans, TJ

PGP also makes a 'pretty good' application/utility for encrypting email,
files, etc.

It *will* require you to have the public key of the person you are sending
to however  and there are public/free servers for key exchange 

PGP is free for personal use, but they do require corporate users to pay ...

Thanks!
TJ

 -Original Message-
From:   cheekin [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, June 20, 2001 06:06
To: [EMAIL PROTECTED]
Subject:Re: e-mail encryption [7:9109]

You can't encrypt the e-mail.  You can "sign" the e-mail though.  Check
out MailSecure at www.baltimore.com.  No, I don't work for or sell Baltimore's
product.  You may want to look into the key management issue before
implementing it.

cheekin

- Original Message -
From: "anthony moore" 
To: 
Sent: Wednesday, June 20, 2001 05:31
Subject: e-mail encryption [7:9109]


> Does anyone use any type of e-mail encryption for their entire company?  I
> have been asked to implement some type of program whereby all the e-mail
> that is sent out is encrypted.  Is this possible?  I know that you can
> encrypt between users that have one another's public keys, but can you
> encrypt anything that you send to those that don't even use encryption?
>
> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9958&t=9109



RE: Remote Access to Lan Switch [7:9435]

2001-06-26 Thread Evans, TJ

At the very least, I would recommend using a "secure" way to get into your
network; SSH, VPN, etc.
And then, once inside, you could access switch by internal address.

In general - I would *almost* never make a switch have an external address,
and would certainly never telnet into it from outside unless over an
encrypted tunnel ... unless I like having my switch access passwords being
world-readable as my telnet session is cruising through the 'net.  

... especially if you use the same access passwords on multiple network
devices, in which case you would be 'handing out' your passwords to other
things as well  ... *fun*.


Granted, the real world frequently gets in the way of great ideas ... but
this is one of those things that I would argue with a client  over.


Thanks!
TJ

 -Original Message-
From:   Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, June 22, 2001 13:09
To: [EMAIL PROTECTED]
Subject:Re: Remote Access to Lan Switch [7:9435]

And think about whether you really want to do this? It sounds like a 
security risk that may not be worth taking.

Priscilla

At 09:16 PM 6/21/01, EA Louie wrote:
>If you have control over the firewall, you'll have to map an address on the
>outside of the firewall to your switch.
>
>example:
>If your firewall outside interface is 121.1.5.2, and you have 121.1.5.3 as
>an available ip address on that outside subnet, and your switch was at
>198.1.1.1, then you'd map 121.1.5.3 to 198.1.1.1 in the firewall.
>
>If you had no available outside ip addresses, then you could map a port on
>your firewall's outside ip address to the inside switch.  In this example,
>maybe you'd map port 55 to the switch.
>
>Your firewall administrator can probably help you out with this.  If you
>are the firewall administrator, then read up on the configuration of your
>firewall on how to do this.
>
>-e-
>
>- Original Message -
>From: Magenta Bloom
>To:
>Sent: Thursday, June 21, 2001 2:58 PM
>Subject: Remote Access to Lan Switch [7:9435]
>
>
> > I just gave my switch an Internal IP address.  How do I remotely access
> > this switch from outside the network?  The switch is behind a firewall.
> > I cannot just type 198.x.x.x ... With a router, I can telnet using the
> > external address.  However, how would I get remote access to internal
> > clients?


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9957&t=9435



RE: Catalyst Gurus [7:8177]

2001-06-12 Thread Evans, TJ

Is spanning-tree running? 
... or, to phrase it a little differently, have you enabled portfast on the
port(s) in question?


Thanks!
TJ

 -Original Message-
From:   Larry Ogun-Banjo [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, June 12, 2001 11:30
To: [EMAIL PROTECTED]
Subject:fao: Catalyst Gurus [7:8177]

We have just installed some new Catalyst switches 650x and 69xx. I have
noticed that whenever I connect with a Fluke to test connectivity on the
ports, it takes approximately 20 secs to get its first contact with another
device. I'm aware the switch port needs to learn the MAC address etc., but I
would not have thought it would take so long. Are there any commands that
would speed up the network discovery, or is this normal behaviour on a new
port?
Pardon this trivial question but it would help.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=8193&t=8177



RE: PIX static address translation question [7:8031]

2001-06-12 Thread Evans, TJ

... I am running 5.3(1) on a PIX520UR and use nothing but conduits ... and
all of my conduits still function  ... 


Thanks!
TJ

 -Original Message-
From:   Chris Agnoli [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, June 11, 2001 20:20
To: [EMAIL PROTECTED]
Subject:Re: PIX static address translation question [7:8031]

If you are using IOS 5.23 or higher on the Pix, you can't use conduits
anymore. Access-Lists are the only supported way to permit inbound traffic.
(Really sucks when you upgrade a Pix running 5.12, with several hundred
conduits!!)

The Conduit Permit ICMP any any command still works, but that's it. To
further confuse things, the firewall lets you add the conduit statement, but
ignores it.

>>> "Allen May"  06/11/01 03:50PM >>>
If ICMP is disabled you won't be able to ping it.  Conduit statements must
open the correct protocol & ports to connect as well.  The router could
possibly be blocking ICMP or ports also.  Can the inside machine ping the
inside interface of the PIX?


- Original Message -
From: "Gary Crouch" 
To: 
Sent: Monday, June 11, 2001 2:06 PM
Subject: PIX static address translation question [7:8031]


> We have servers hosted at an ISP and have a back port connection,
> and would like to give a client access through our back port using one of
> our external IP addresses. I have configured a static address translation
> for the external IP address and added a route for the internal address. I
> can ping the internal address from the PIX but can not ping the server
> with the external address from outside.
> Do the static and conduit commands work when there is a router between
> the server?
> Is there a way to make this work?
>
> Thanks for your help




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=8131&t=8031



RE: BGP for 2 T1's to one LAN [7:7511]

2001-06-07 Thread Evans, TJ

I'll take a stab at some of this ...

First - If I recall, and I may very well be wrong here, I thought DNS
round-robin was solely for load-sharing, not redundancy.



Second - Regarding BGP multi-homing ... some "gotchas" that we ran into:
    You will need an ASN
    Some ISPs have netblocks designated as re-routable; if your
        netblock isn't one of them they will make you re-address.
    Some ISPs require a /24 netblock to be used for BGP routing
    Some ISPs require that you also register your maintainer object
        with RADB
    Routers must have 64mb RAM for partial/default routes and be BGP capable

Also, since you are doing this for fault-tolerance reasons, I would also
recommend using:
    two separate routers ...
        each with 1 WIC and 2 FastEthernet interfaces
        the WIC  --> ISP
        Fast 0/0 --> your LAN, running HSRP
        Fast 0/1 --> other router ... this will be for iBGP
    And you could then multi-home each of your servers to each of the switches
    and use NIC teaming for redundancy there



In this case - all of your outbound traffic will use the ISP connected to
the router with the "active" HSRP address, while all inbound traffic will
come in via the ISP with the lowest BGP 'cost' from the source ... not
balancing, but load sharing .



I am probably forgetting something here, but the idea is to have no single
point of failure :)
Thanks!
TJ

-Original Message-
We are trying to have the web servers in our LAN accessible to the
internet via 2 T1's from different providers -- more for redundancy than
load sharing, though that matters too.  Currently we have 2 T1's, each
giving us a different set of IP addresses.  That just lets us put some
sites on each T1 -- doesn't give us an ounce of redundancy.

I've been told that if we get a router with 2 WIC's that can speak BGP
(Cisco 2600 or better) that may solve our problem.  I'm very new to
routing, so can someone answer some basic questions?


Thanks in advance.

--
Daniel Wilson, BSCS, MCP
Application Developer
http://www.compusoftsolutions.com/





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=7528&t=7511



RE: Pix with 2 different ISPs [7:5349]

2001-05-22 Thread Evans, TJ

I am pretty sure you can only have one "outside" interface ... 
To achieve what you want, I would think you could connect it to an
intermediary router and let *it* make the routing decisions about which
ISP traffic goes to ... 



Thanks!
TJ
(2 * PIX = Pices?)


 -Original Message-
From:   Andras Bellak [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, May 22, 2001 02:07
To: [EMAIL PROTECTED]
Subject:RE: Pix with 2 different ISPs [7:5349]

Have you tried putting a default route in for both of the cards? Will the
pix accept it? I don't have a pix with two Outside cards, just one outside
and one DMZ, and my lab system is in the middle of a different experiment.
If you could do each interface with a separate default route, you might make
it work. The PIX knows what interface a packet came in from, and should put
the exiting packet back on the same wire it came in on. I'd be curious.
Might have to try that one tomorrow.

Tai Ngo wrote:
> 
> Hi All,
>  
> Can somebody tell me if this is possible?  If so, please provide
> configuration details.   We have 2 ISPs, one that is 204.23.23.x and the
> other is 205.23.23.x.  We have 2 Pix firewalls, one which is configured
> for active with both outside interfaces.  The other pix is configured as
> standby.  Will the Pix firewall be smart enough to know how to route
> traffic back out the network it came from?  For example, if a user came
> into our website from 204.23.23.x , will the Pix know how to route the
> info back out that interface instead of through the 205.23.23.x network?
>  
> My guess is it's not possible because when you look at the configuration
> on the Pix, to route info outside, you would use "route 0.0.0.0
> 204.23.23.x 1" .  
>  
> Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=5415&t=5349



RE: PIX and Windows 2000 [7:4163]

2001-05-11 Thread Evans, TJ

What sort of Issues?
... "simple" firewalling / port filtering?
What sort of VPNs?
... Pix 2 Pix?
... PPTP connections to PIX?

???


As far as a PIX and Win2k working together, just "in general" - my PIX's
haven't had any issues ...


Thanks!
TJ

 -Original Message-
From:   Pickard, Richard [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 11, 2001 08:27
To: [EMAIL PROTECTED]
Subject:PIX and Windows 2000 [7:4163]

5/11/2001  7:11am  Friday

Has anyone heard that there are compatibility problems between PIX &
Windows 2000?
I have been asked to install a PIX at a small company that is doing VPN,
e-commerce, & so forth.  All servers are Windows 2000.


Thanks for any help,

Richard L. Pickard
CCNP NNCSE MCSE A+
[EMAIL PROTECTED]
(630) 508-1508





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4166&t=4163



RE: CCIE - the real world - daily life of CCIE's. [7:4122]

2001-05-11 Thread Evans, TJ

And to broaden the point a little:
Well, first - a disclaimer: Yes, certain fields pay more than others
 or Football Player's  salary to a
Police officers> ... is it fair or right? ... not my call, although in
general I would say not really all that fair from a social aspect.

Having said that - in general, regardless of what field you are in - if you
have at least a couple of the following you will do well:
Natural / intuitive ability
Determination, drive for excellence
Intelligence - as in book smarts, including continual
self-improvement 
Mental Dexterity - fast thinking, fast adapting, etc.
Flexibility
Passion for what you do
Others may disagree on this next one, but I feel it is IMPERATIVE that you
truly enjoy your job ... both the tasks you are doing, the company you are
doing it for, etc.  Of course, this is partly related to the previous one,
but also includes various employment factors 


... and if you have all of the above, you will always be near / at the top
of your field, since not many people in any given field do have them all
.  

Additionally, a piece of paper is not much of a guarantee of anything ...
don't get me wrong, it proves you have applied yourself   but
I have almost literally no certifications  and am still doing pretty well
for a "half-alcoholic 26 year old
college drop out".



my turn to apologize for rambling ... hope everyone has a great Friday /
weekend.
Thanks!
TJ

 -Original Message-
From:   Chris & Cindy Watson [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 11, 2001 07:25
To: [EMAIL PROTECTED]
Subject:Re: CCIE - the real world - daily life of CCIE's. [7:4122]

AMEN!! =))

""scott mann""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> I work with dozens of CCIE's in different departments on a day to day basis.
> My company builds Router/Switch traffic/protocol generators/analyzers. Our
> equipment is in many buildings on Cisco's San Jose campus. Being a support
> engineer affords me the opportunity to work hand in hand with these
> guys/gals (yes, quite a few are female) in developing tests for their
> particular group/project. With this said, I can tell you some real world
> truths;
> CCIEs come in every size, shape, and IQ level. Some are managers who rarely
> involve themselves in test grunt work, while others are basking in the glory
> of plain old hard work (with a matching 5 figure salary). I believe that
> being a CCIE gives someone a certain level of respect for their
> accomplishment, but that only takes you so far; after that you must prove
> yourself to be an intelligent, hard working person who is versatile,
> communicates well, and gets things done. Some of the CCIEs I work with amaze
> me at their inability to solve/create solutions for what seem to be
> relatively minor issues. Am I putting them down - no way. Obviously they have
> quite a bit of personal experience and knowledge going for them or else they
> would not have the little circle emblem on their cube name-plate. But
> suffice it to say, that you don't have to be gifted to be a CCIE; hard work
> can make up IQ points any day. You simply can't beat experience (5-10 years
> of working with routers/switches is worth a lot when sitting next to the
> proctor). But if you have a knack for this stuff, and a hell of a lot of
> determination, then there is no reason why you can't go from being a network
> neophyte to CCIE in a year or less. Becoming a CCIE is not like 8-12 years
> of school and internship; it's practically a crime how we can expect to be
> paid so much for so little in the way of real benefit to the world. Moving
> ones and zeros is cool, but don't cry about the state of affairs the Future
> of Networking is in. This field will always pay the best people top dollar
> because these people provide value - their mind is in a continuing state of
> evolution paralleling the advancement of technology. If you want to be a CCIE
> just to make big money, great. But don't be disappointed at your salary once
> you get there if you are not one of the best in your field. Work towards
> excellence everyday, learn every detail of the fundamentals, and value-add
> the latest technology to your skill set. Always provide more value than your
> expense and you will never have to worry about $$$. 1 year ago I had no job
> after having lost my business to some bad luck. I had no money and no
> skills, so I decided to go into the computer field. I taught myself MCSE in
> about 3 months and got a job doing level 1 help desk. I then started my
> Cisco certs last November (CCNA) followed by CCNP & CCIE written and will
> pass the Lab within 3-4 months. I have less than a year in the field and I
> MAKE MORE THAN SOME CCIEs I work with. Does that mean that being a CCIE
> sucks? NO! But being good at what you do is more important. Be an expert at
> each new thing you learn, then the money will come along with self-respect
>

RE: Samba Client and FTP Client [7:4154]

2001-05-11 Thread Evans, TJ

Dunno' about when using Samba, but with FTP you can use the lcd  command to
specify where 'get'/'mget' drops the files ...
Ex - lcd c:\temp would make it so that any file you download will be saved
in c:\temp.


Thanks!
TJ

 -Original Message-
From:   Mr. Oletu Hosea Godswill, CCNA [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, May 11, 2001 07:23
To: [EMAIL PROTECTED]
Subject:Samba Client and FTP Client [7:4154]

IF i use samba client to retrieve a file from a samba
server, where will the retrieved file be placed in my
local machine? It is same with using FTP.

How can I control where the retrieved file(s) should
be placed in my local machine.

Regards.
Oletu.

__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4157&t=4154



RE: Homepage [7:3994]

2001-05-10 Thread Evans, TJ

Technically - 
1 It isn't an html attachment, it's a vbs ... 
2 The listserv is nice enough to filter it out, so even if you wanted to
 you couldn't ... 



Thanks!
TJ

 -Original Message-
From:   David Toalson [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, May 10, 2001 10:43
To: [EMAIL PROTECTED]
Subject:FW: Homepage [7:3994]

Looks like someone has been hit with the new virus.  Don't open the .html in
this email or it will send this message to your entire mail list.

>From Norton:   (watch the word wrap)
http:[EMAIL PROTECTED]

David Toalson
816-701-4142

> --
> From: Stefano Andrello[SMTP:[EMAIL PROTECTED]]
> Reply To: Stefano Andrello
> Sent: Thursday, May 10, 2001 8:44 AM
> To:   [EMAIL PROTECTED]
> Subject:  Homepage [7:3994]
> 
> Hi!
> 
> You've got to see this page! It's really cool ;O)
> 
> [GroupStudy.com removed an attachment of type application/octet-stream
> which
> had a name of homepage.HTML.vbs]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=4018&t=3994



RE: IP NAT Issue [7:3073]

2001-05-03 Thread Evans, TJ

I suspect it is to prevent a DoS type attack; something like the PIX not
responding to ARP's that it announces.
It would make my life a lot easier if the PIX would be smart enough to
resolve it internally; we are having an issue now with inter-interface
communication that I suspect is related.

 to
IF100  you use external addresses and all ACL's are applied ..
however going from IF100 to IF20 you need to set a NAT statement and a
global statement and then use INTERNAL addresses. ... I wish there was  a
way to use external addresses in both 'directions' ... or to have
the PIX act as above and accept these connections>.

If I am incorrect *please* let me know ... would make my life easier in so
many ways ... 


Thanks!
TJ

 -Original Message-
From:   Justin Emilio [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, May 03, 2001 14:53
To: [EMAIL PROTECTED]
Subject:Re: IP NAT Issue [7:3073]

I still don't understand why I shouldn't be able to translate an address
from one interface and out the same interface. I use that interface as my
gateway for private addresses, so it obviously will not be able to use
the hub to get out on the internet.  It seems like a limitation from Cisco
that will not allow the "ip nat inside" and "ip nat outside" command to be
placed on one interface. If I am wrong and this logically cannot work please
fill me in. I just don't understand why I couldn't do that.

Justin Emilio
Tech Support
CCNP, CCNA, CCDA, CSE
MM Internet 888-654-4971
- Original Message -
From: "Daniel Cotts" 
To: 
Sent: Thursday, May 03, 2001 11:10 AM
Subject: RE: IP NAT Issue [7:3073]


> No you can't. The hub is just that - a hub. There is only one interface. If
> you connected to the Internet via your serial port then the following config
> should work. If you need ethernet on the Internet side, then time to buy a
> router with two ethernet interfaces.
>
> ip nat inside source list 1 interface Serial0 overload
>
> interface serial 0
> ip address aaa.xxx.yyy.zzz 255.255.255.0
> ip nat outside
>
> interface Ethernet0
> ip address 9.114.11.39 255.255.255.0
> ip nat inside
>
> access-list 1 permit 9.114.11.0 0.0.0.255
>
>
> > -Original Message-
> > From: Justin Emilio [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, May 03, 2001 12:46 PM
> > To: [EMAIL PROTECTED]
> > Subject: IP NAT Issue [7:3073]
> >
> >
> > I am using a Cisco 2505 router which has a built in 8 port hub.  This hub
> > acts as 1 ethernet interface and I would like to use NAT to allow a network
> > that is connected to the built in hub to be able to connect out to the
> > internet through another port on the hub using 1 globally routable address
> > with overloading. I tried using both "ip nat inside" and "ip nat outside" on
> > the ethernet interface, but you can only use one of those commands on an
> > interface. I played with different configurations yesterday and couldn't get
> > any to work correctly.  Should I be able to accomplish this? If anyone could
> > help that would be greatly appreciated. Thanks
> >
> >
> > Justin Emilio
> > Tech Support
> > CCNP, CCNA, CCDA, CSE
> > MM Internet 888-654-4971




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3090&t=3073
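The constraint Justin ran into (an interface can carry only one NAT role) and the shape of Daniel's working config can be checked mechanically before a config is pushed. The following is an added example, not code from this thread or from Cisco: a small Python checker over an IOS-style NAT overload config. Both sample configs are constructed for the example; the working one follows Daniel's reply with the interface name normalized to Serial0 and an RFC 5737 documentation address in place of the aaa.xxx.yyy.zzz placeholder, and the second models what was attempted, both roles on the single Ethernet0 (IOS rejects the second role at the CLI; the checker reports why in one place).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed for this example: the working layout from Daniel's reply,
# interface name normalized to Serial0, documentation address (RFC 5737)
# standing in for the aaa.xxx.yyy.zzz placeholder.
NAT_CONFIG_OK = """\
ip nat inside source list 1 interface Serial0 overload
!
interface Serial0
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface Ethernet0
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
"""

# Constructed: what was attempted on the single built-in hub interface.
# There is no second interface, so there is no NAT boundary to translate across.
NAT_CONFIG_BAD = """\
ip nat inside source list 1 interface Ethernet0 overload
!
interface Ethernet0
 ip address 9.114.11.39 255.255.255.0
 ip nat inside
 ip nat outside
"""

Interfaces = Dict[str, Set[str]]          # interface name -> set of NAT roles
Rule = Tuple[str, str]                    # (access-list, overload interface)


def parse_nat_config(config: str) -> Tuple[Interfaces, List[Rule], Set[str]]:
    """Pull NAT interface roles, overload rules and access-list numbers out of the config."""
    interfaces: Interfaces = {}
    rules: List[Rule] = []
    acls: Set[str] = set()
    current = None                        # interface whose sub-commands we are in
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):          # indented: interface sub-command
            m = re.match(r"\s+ip nat (inside|outside)$", line)
            if current is not None and m:
                interfaces[current].add(m.group(1))
            continue
        current = None                    # back at global configuration level
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces.setdefault(current, set())
            continue
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload$", line)
        if m:
            rules.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"access-list (\S+)\s", line)
        if m:
            acls.add(m.group(1))
    return interfaces, rules, acls


def check_nat(config: str) -> List[str]:
    """Return a list of problems; an empty list means the NAT layout is consistent."""
    interfaces, rules, acls = parse_nat_config(config)
    problems: List[str] = []
    for name, roles in interfaces.items():
        if roles == {"inside", "outside"}:
            problems.append(f"{name}: both ip nat inside and ip nat outside; "
                            "an interface sits on only one side of the NAT boundary")
    if not any("inside" in r for r in interfaces.values()):
        problems.append("no interface is marked ip nat inside")
    if not any("outside" in r for r in interfaces.values()):
        problems.append("no interface is marked ip nat outside")
    for acl, iface in rules:
        if acl not in acls:
            problems.append(f"overload rule references access-list {acl}, which is not defined")
        if "outside" not in interfaces.get(iface, set()):
            problems.append(f"overload interface {iface} is not marked ip nat outside")
    return problems


if __name__ == "__main__":
    for label, cfg in (("two-interface", NAT_CONFIG_OK), ("single-interface", NAT_CONFIG_BAD)):
        print(label, check_nat(cfg) or "OK")
```

The parser only understands the handful of lines the check needs (interface blocks, `ip nat inside/outside`, one overload rule form, numbered access-lists), which is deliberate: the point is the boundary check, and anything it does not recognize is ignored rather than guessed at.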



RE: NAT question [7:3050]

2001-05-03 Thread Evans, TJ

If I recall correctly  access to/through
the external addresses of internal machines from internal machines is a
no-no.


Internally - all should be well; i.e. - machines are able to communicate
openly with each other 

Internal 2 External systems - all should be well, and if you have static
address assignments they should be used appropriately.


External 2 Internal - all should be well; i.e. - systems outside the
firewall can access your internal systems fine 

Internal 2 External address of Internal system - um, no.



Thanks!
TJ

 -Original Message-
From:   Greg Smythe [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, May 03, 2001 12:10
To: [EMAIL PROTECTED]
Subject:NAT question [7:3050]

Hello --

I have some static NAT translating going on in my lab, and if I am "inside"
and try to telnet to the "outside" IP address of a machine, I get connection
refused. Telnetting to the "inside" IP address of the machine works. I do have
an inbound access list on the "outside" interface, but it is allowing telnet
to the machine. Upon doing a show access-list command I see that the line for
telnet is not even getting hit. So why can't I telnet to an "outside" IP from
the "inside"? Strange thing is that I can ping the "outside" IP ok, but any
other sort of connections to it fail.

Thanks!


Greg




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3061&t=3050



PIX telnet again [7:3003]

2001-05-03 Thread Evans, TJ

Use SSH ... 
I don't believe the PIX supports telnet sessions on the outside interface,
something about security risks ... ;)


=
FOR SSH:
http://www.cisco.com/warp/public/110/authtopix.shtml#localSSH
slightly modified excerpt:   authentication> 

hostname THISISMYHOSTNAME !--- should already be set!!

domain-name THISISMYDOMAIN
!---may or may not be set already!!

ca gen rsa key 1024
!--- generates your key-pair if you do not have one already

ssh timeout 60
!--- sets a disconnect timer ... always a good idea!

passwd THISISMYPASSWORD

ssh 0.0.0.0 0.0.0.0 outside 
!--- this allows anyone, anywhere to SSH to your PIX ... obviously
can/should be changed

ca save all
!--- as a wr mem does *NOT* save the key info!!

wr mem
=

 And now you can use any one of the free SSH clients out there to
securely connect to your PIX :).


Thanks!
TJ
-Original Message-
From:   Jim Bond [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, May 03, 2001 02:08
To: [EMAIL PROTECTED]
Subject:PIX telnet again [7:3003]

Hello,

I have an IPSEC between central office router to site
office PIX. Central office uses public IP address,
site office has only 1 public IP address, therefore,
uses NAT. Everything works fine except I can't telnet
from central office to PIX (inside or outside). I can
telnet from central office to servers inside PIX. Is
there any command I need to add on the PIX? According
to CCO, if IPSEC is established, telnet to PIX outside
should work, right?

Thanks in advance.
Jim

__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3054&t=3003



RE: PIX telnet again [7:3003]

2001-05-03 Thread Evans, TJ

Use SSH ... 
I don't believe the PIX supports telnet sessions on the outside interface,
something about security risks ... ;)





=
FOR SSH:
http://www.cisco.com/warp/public/110/authtopix.shtml#localSSH

slightly modified excerpt:   authentication>
hostname THISISMYHOSTNAME
!--- should already be set!!

domain-name THISISMYDOMAIN
!---may or may not be set already!!

ca gen rsa key 1024
!--- generates your key-pair if you do not have one already

ssh timeout 60
!--- sets a disconnect timer ... always a good idea!

passwd THISISMYPASSWORD

ssh 0.0.0.0 0.0.0.0 outside 
!--- this allows anyone, anywhere to SSH to your PIX ... obviously
can/should be changed

ca save all
!--- as a wr mem does *NOT* save the key info!!

wr mem
=

 And now you can use any one of the free SSH clients out there to
securely connect to your PIX :).



Thanks!
TJ

 -Original Message-
From:   Jim Bond [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, May 03, 2001 02:08
To: [EMAIL PROTECTED]
Subject:PIX telnet again [7:3003]

Hello,

I have an IPSEC between central office router to site
office PIX. Central office uses public IP address,
site office has only 1 public IP address, therefore,
uses NAT. Everything works fine except I can't telnet
from central office to PIX (inside or outside). I can
telnet from central office to servers inside PIX. Is
there any command I need to add on the PIX? According
to CCO, if IPSEC is established, telnet to PIX outside
should work, right?

Thanks in advance.

Jim

__
Do You Yahoo!?
Yahoo! Auctions - buy the things you want at great prices
http://auctions.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=3040&t=3003
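The `ssh 0.0.0.0 0.0.0.0 outside` line in the two SSH posts above is the one the poster says "can/should be changed", and it is the kind of line that survives into production. The following is an added example, not code from this thread or from Cisco: a small Python audit of the management-access lines in a PIX 6.x-style config, run against the posted excerpt and against a narrowed variant. Both sample configs are constructed for the example (the first is the posted excerpt with the `!---` comment lines dropped, the second restricts SSH to one RFC 5737 documentation subnet on the outside and the inside LAN); the 15-minute idle threshold is an assumed local policy value, not a PIX default.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed: the SSH excerpt from the posts above, placeholders as written there.
POSTED_PIX_CONFIG = """\
hostname THISISMYHOSTNAME
domain-name THISISMYDOMAIN
ca generate rsa key 1024
ssh timeout 60
passwd THISISMYPASSWORD
ssh 0.0.0.0 0.0.0.0 outside
ca save all
"""

# Constructed: same excerpt with management access narrowed to one outside
# management subnet (RFC 5737 documentation range) and the inside LAN.
NARROWED_PIX_CONFIG = """\
hostname THISISMYHOSTNAME
domain-name THISISMYDOMAIN
ca generate rsa key 1024
ssh timeout 5
passwd THISISMYPASSWORD
ssh 192.0.2.0 255.255.255.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ca save all
"""

MAX_IDLE_MINUTES = 15          # assumed local policy threshold for this example
PIX_DEFAULT_PASSWD = "cisco"   # factory telnet/SSH password on PIX

Entry = Tuple[str, str, str]   # (address, netmask, interface)


def parse_mgmt(config: str) -> Tuple[List[Entry], List[Entry], Optional[int], Optional[str]]:
    """Collect ssh/telnet access lines, the ssh idle timeout and passwd from a PIX config."""
    ssh: List[Entry] = []
    telnet: List[Entry] = []
    timeout: Optional[int] = None
    passwd: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):     # skip blanks and !--- comments
            continue
        parts = line.split()
        if parts[:2] == ["ssh", "timeout"]:
            timeout = int(parts[2])
        elif parts[0] in ("ssh", "telnet") and len(parts) == 4:
            (ssh if parts[0] == "ssh" else telnet).append((parts[1], parts[2], parts[3]))
        elif parts[0] == "passwd":
            passwd = parts[1]
    return ssh, telnet, timeout, passwd


def audit_mgmt_access(config: str) -> List[str]:
    """Return findings about who may reach the PIX management plane; empty means clean."""
    ssh, telnet, timeout, passwd = parse_mgmt(config)
    findings: List[str] = []
    for proto, entries in (("ssh", ssh), ("telnet", telnet)):
        for addr, mask, iface in entries:
            net = ipaddress.IPv4Network((addr, mask), strict=False)
            if proto == "telnet" and iface == "outside":
                findings.append(f"telnet from {net} on outside: cleartext management "
                                "exposed toward the Internet")
            if net.prefixlen == 0:
                findings.append(f"{proto} on {iface} accepts any source (0.0.0.0 0.0.0.0); "
                                "restrict to the management hosts")
            elif iface == "outside" and net.num_addresses > 256:
                findings.append(f"{proto} on outside allows {net}: wider than a management subnet")
    if not ssh:
        findings.append("no ssh access lines: remote management is not available over SSH")
    if timeout is None:
        findings.append("ssh timeout not set explicitly; the device default applies")
    elif timeout > MAX_IDLE_MINUTES:
        findings.append(f"ssh timeout {timeout} min exceeds the {MAX_IDLE_MINUTES} min idle limit")
    if passwd == PIX_DEFAULT_PASSWD:
        findings.append("passwd is the factory default")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_PIX_CONFIG), ("narrowed", NARROWED_PIX_CONFIG)):
        print(label, audit_mgmt_access(cfg) or "OK")
```

Run against the posted excerpt it reports the any-source SSH line and the 60-minute idle timer; the narrowed config comes back clean. The check is intentionally about reachability of the management plane, which is the part of the excerpt that a key-pair and `ca save all` do nothing to protect.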



RE: Cisco VPN Client..... [7:2865]

2001-05-02 Thread Evans, TJ

Some remote control software  will allow you to
port-hop to a specific port ... but it is a major security risk :).



Thanks!
TJ

 -Original Message-
From:   Allen May [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, May 02, 2001 11:14
To: [EMAIL PROTECTED]
Subject:Re: Cisco VPN Client. [7:2865]

hehe...funny.  If you could it'd be a big time security hole!  Besides...it
requires 2 ports to work.  I think this was the subject of the April fools
RFC this year too.  Port 80 being used to run tunnels so you don't have to
bother with the network admin to get your job done.  ;)  I noticed that
PCAnywhere won't allow you to go down to port 80 either.

Allen May
- Original Message -
From: "Greene, Patrick" 
To: 
Sent: Wednesday, May 02, 2001 4:48 AM
Subject: Cisco VPN Client. [7:2865]


> Is there anyway to force the Cisco VPN client to use port 80 for
> communications?  This would be used to get through firewall's allowing
only
> port 80.
>
> Thank You,
> Patrick Greene CCNP,CCDP,MCSE,MCNE
> Information Technologies Enterprises
> Email:[EMAIL PROTECTED]
> Office:800-535-6544
> Mobile:704-953-6949
> Fax:704-896-5797
> URL: www.infotechent.net   and
> www.alwaysweb.com
>
> [GroupStudy.com removed an attachment of type image/gif which had a name
of
> PRTNRPR.GIF]
>
> [GroupStudy.com removed an attachment of type image/bmp which had a name
of
> MCSP_P.bmp]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2921&t=2865



RE: OT Virus Alert (7:2801) [7:2808]

2001-05-02 Thread Evans, TJ

Another thing to keep in mind - typically NAV, by default, does not check
*all* files.

I always recommend everyone  go into Options and set both
Auto-Protect and Scanner to "All Files".  Typically, I would also set the
Heuristics on the scanner to Highest .


Wow - this one does look nasty, especially bullet #2 ... ouch.

o Large scale e-mailing: Uses email addresses from the Windows Address Book
files and Outlook Express Sent Items folder. 
o Causes system instability: Overwrites hard drives, erases CMOS, flashes
the BIOS. 
o Releases confidential info: It could send confidential Microsoft Word
documents to others. 


...above 'tips' may not be relevant in this case, but still a good practice.
Thanks!
TJ

 -Original Message-
From:   Kelly Dew [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, May 01, 2001 17:35
To: [EMAIL PROTECTED]
Subject:RE: OT Virus Alert (7:2801) [7:2808]

According to Symantec if you had the latest virus definition files then you
should have been fine. This virus is in the March 13 virus definition file,
and I know that we are covered here at work with it. You might want to check
to make sure that the machines really did have the latest virus definition
files, and contact Symantec to be safe.
This virus is a HIGH threat it seems.
Kelly Dew
Information Systems Security Officer
Information Security Services
USPS
[EMAIL PROTECTED]

Delivering Trust in a Changing World

-Original Message-
From:   [EMAIL PROTECTED] at INTERNET
Sent:   Tuesday, May 01, 2001 4:57 PM
To: Dew, Kelly W - Raleigh, NC; [EMAIL PROTECTED] at INTERNET
Subject:OT Virus Alert [7:2801]


there is a pretty nasty virus going around
http:[EMAIL PROTECTED]
hit our network yesterday, spread to half our Novell users and to our NT
servers in another domain
these users do not have any permissions in the development domain but that
did not stop the virus.
Shows how much Microsoft security sucks. Norton is slow to recognize this
virus; all our machines had the latest update.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=2874&t=2808



RE: Autonomous System number [7:752]

2001-04-16 Thread Evans, TJ

Also, one thing that caught us off guard was that one of our providers
 required us to register with RADB as well.

 to leave some static route entry for us, which
took priority over the BGP-provided route ... luckily we caught that before
we had an occasion requiring a failover.>>


Thanks!
TJ

 -Original Message-
From:   Howard C. Berkowitz [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, April 16, 2001 09:25
To: [EMAIL PROTECTED]
Subject:Re: Autonomous System number [7:752]

>Hi All - In the real world, how should I obtain an "autonomous system"
>number?  Will I be assigned from some organization or I just make it up?
>Sorry for the so simple question!


www.arin.net for the Americas
www.ripe.net for Europe
www.apnic.net for the Pacific rim

If you are thinking of participating in global Internet routing, you 
really can't make up very much.  The AS number and address space will 
be assigned to you, and you will need to justify them.  You can then 
work out your own routing policy, which I strongly suggest you 
register.  Each of the address registries above maintains a routing 
registry (not sure about APNIC).

Why do you need an AS? What problem will it solve?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=768&t=752



RE: Telnet and mail problems [7:392]

2001-04-12 Thread Evans, TJ

~30 seconds or so is within reason ... 


Thanks!
TJ

 -Original Message-
From:   Luis Oliveira [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, April 12, 2001 17:31
To: [EMAIL PROTECTED]
Subject:Re: Telnet and mail problems [7:392]

Should the logon time be so long even if I telnet by numeric address, say
telnet xx.yy.zz.ww ?



Regards


// luis oliveira



> At 04:27 PM 4/12/01 -0400, Luis Oliveira wrote:
> 
>> Our machines have fixed IP addresses. We are experiencing a problem when we
>> try to telnet a Unix machine. It takes forever (almost half a minute). The
>> same problem with e-mail checking ( 30 seconds to logon on the server).
>> Before we had just two subnets. Now we have more (private networks), and the
>> mail server is on a public network (DMZ) separated from us by a firewall. We
>> think that the problem is related with the Ciscos or the implementation of
>> the VLAN's. The company that implemented our network (which is a sister
>> company of my company) until now has not found a solution to our problem and
>> the mail users, which is everyone, are becoming very upset with all this.
>> Everything else on the network works fine (copying files, browsing
>> the internet, that kind of stuff).
>> 
>> Has anyone seen this kind of trouble before? Can you give some advice or
>> steps to follow to eliminate this?
>> 
>> Sorry for the long post.
>> 
>> Thanks
>> 
>> // luis oliveira
> 
> Hm.  It sounds a lot like DNS issues.  Do you have guys pointing to an
> internal DNS server?  Does your mail server resolve to an internal IP?  If
> you do internal DNS, I can see where you might have "inside has problems",
> "outside is dandy" problems.  Can you time the telnetting to the Unix
> box?  Are you sure it is not 75 seconds?  (If it is, it is almost
> definitely DNS issues).  Have you tried doing "ping" floods to those hosts
> just to see what % of packet loss occurs, if any?  It could very well be
> other issues, but check your DNS setups to see if anything seems fishy with
> your internal DNS.
> 
> -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=409&t=392



RE: Telnet and mail problems [7:392]

2001-04-12 Thread Evans, TJ

We have seen this when servers' DNS server entries are incorrect /
unreachable.



Thanks!
TJ

 -Original Message-
From:   Luis Oliveira [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, April 12, 2001 16:27
To: [EMAIL PROTECTED]
Subject:Telnet and mail problems [7:392]

Fellow Cisco users

This is my first post to the list. I've been watching the list for messages
regarding a problem that we have at my company (newspaper business) that's
probably related to our new network.


We have recently moved to a new building and since we are now placed on
several floors (as opposed to the situation we had before) we have taken
this opportunity to build a new network infrastructure.

We have a central Cisco Catalyst 6006 with 48 10/100 mbit ports, 2*8 fiber
optic modules that connect to 5 floors (Cisco 3548 XL and Cisco 3524
switches) by fiber cable.

We have a relatively large network of 400 machines (80% Macs, 20% PCs)
divided into VLANs. We also have 30 or so servers (ranging from Sun Solaris
running Sybase, to Windows NT 4 and 2000 file servers, Microsoft SQL
servers, Appleshare file servers, AIX machines running Oracle, etc.).

Our machines have fixed IP addresses. We are experiencing a problem when we
try to telnet to a Unix machine. It takes forever (almost half a minute). The
same problem with e-mail checking (30 seconds to log on to the server).
Before we had just two subnets. Now we have more (private networks), and the
mail server is on a public network (DMZ) separated from us by a firewall. We
think that the problem is related to the Ciscos or the implementation of
the VLANs. The company that implemented our network (which is a sister
company of my company) has until now not found a solution to our problem, and
the mail users, which is everyone, are becoming very upset with all this.
Everything else on the network works fine (copying files, browsing
the internet, that kind of stuff).

Has anyone seen this kind of trouble before? Can you give some advice or
steps to follow to eliminate this?


Sorry for the long post.


Thanks



// luis oliveira




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=397&t=392



RE: IPsec port

2001-03-30 Thread Evans, TJ

One distinction - AH and ESP are not on 'ports' per se, but
protocols...

i.e. - to allow AH through the PIX you *would not* use
<<conduit permit tcp host w.x.y.z eq AH any>>


<<http://www.chebucto.ns.ca/~rakerman/port-table.html  ... "Note
that certain services such as IPSec and Microsoft's PPTP use non-TCP/UDP
protocols so they are not covered on this page. In particular, PPTP uses GRE
(protocol 47) and IPSec uses ESP (protocol 50) and AH (protocol 51).
Protocol numbers are not the same as port numbers. IANA maintains the
Assigned Internet Protocol Numbers.">>


Thanks!
TJ

 -Original Message-
From:   Rizzo Damian [mailto:[EMAIL PROTECTED]] 
Sent:   Friday, March 30, 2001 12:19
To: 'Ruihai An'; [EMAIL PROTECTED]
Subject:RE: IPsec port

AH-port 50, ESP-port 51 and ISAKMP-port 500



-Original Message-
From: Ruihai An [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 30, 2001 12:05 PM
To: [EMAIL PROTECTED]
Subject: IPsec port


I configured my PIX as the IPsec VPN terminator to support DES VPN client.
I have an inbound access-list  on my perimeter router.  Does any one know
the ports I need to open for IPsec VPN traffic on my perimeter router ?

Ruihai


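To make the port-versus-protocol distinction above concrete, here is the inbound ACL a perimeter router in front of an IPsec-terminating PIX actually needs. This is an added example, not a config from the thread or from Cisco; the PIX outside address (192.0.2.10), the interface name (Serial0) and the rest of the ACL are assumptions for illustration. Note also that the reply quoted above has the two numbers backwards: ESP is protocol 50 and AH is protocol 51, as the port-table text TJ cites says.

```cisco
! Added example, not from the thread: inbound ACL on the perimeter router in
! front of a PIX that terminates IPsec. Assumed values: the PIX outside
! address is 192.0.2.10 and Serial0 faces the Internet; the remaining entries
! (mail, web, anti-spoofing) are not shown.
!
! Wrong: these lines never match an IPsec packet. ESP and AH have no port
! field, and "eq 50" / "eq 51" here are TCP destination ports, not the IP
! protocol numbers 50 and 51.
access-list 101 permit tcp any host 192.0.2.10 eq 50
access-list 101 permit tcp any host 192.0.2.10 eq 51
!
! Right: IKE/ISAKMP is the only real port (UDP 500, IOS keyword "isakmp");
! the tunnel traffic is matched by IP protocol number, ESP = 50 and AH = 51
! (IOS keywords "esp" and "ahp").
access-list 102 permit udp any host 192.0.2.10 eq isakmp
access-list 102 permit esp any host 192.0.2.10
access-list 102 permit ahp any host 192.0.2.10
!
interface Serial0
 ip access-group 102 in
```

To check that the entries are doing work, bring a tunnel up and look at `show access-lists 102`: the match counters on the udp/isakmp line climb during IKE negotiation and the esp line climbs once traffic flows through the tunnel. On the PIX itself the corresponding conduit also names the protocol (esp, ah) rather than a port, which is the point of the message above. One caveat outside the timeframe of this thread: VPN clients that do NAT traversal additionally encapsulate ESP in UDP 4500, so a perimeter ACL for such clients needs that port as well.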



RE: BGP over two ISP links

2001-03-30 Thread Evans, TJ

I know that in our case, trying to use BGP for failover between two
providers, we
(a) were required to have a /24 ... no problem
(b) were required to have an AS# ... no problem
(c) PSI *required* us to 'take possession' of the maintainer object for our
/24 ... still working on that part
(d) once we finish (c) we *should* be all set .. unless PSInet finds another
way to delay us.

I only send this because the "RADB/ Maintainer Object" part has been a
really painful delay .. but, that should be resolved today :).


Thanks!
TJ

 -Original Message-
From:   John Neiberger [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, March 29, 2001 17:08
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject:Re: BGP over two ISP links

At a minimum you're going to need a single /24, not two.  You would
announce this prefix on both connections.  You're also going to need to
apply for an autonomous system number from ARIN.  Details can be found
at www.arin.net. 

I'm wondering what you're really trying to accomplish.  If this extra
link isn't for redundancy, just load sharing, then why not have two
connections to the same provider?  This is FAR easier to implement, does
not require a public AS number, and does not require using up an entire
/24 prefix unnecessarily.

Even if the link is for redundancy, you could multihome to different
POPs of the same provider.  Again, this is easier to implement, doesn't
require the AS number, and doesn't burn up so many addresses.  If you
have a good provider this is an excellent solution.

I'd seriously consider these other options before you make a decision.

Regards,
John

>>> "Ruihai An" <[EMAIL PROTECTED]> 3/29/01 2:11:17 PM >>>
Hi, All,

Here is a quick question:
We are planning to run BGP over two ISP links to provide load balancing.
But we were told that we will run into major problems if we do not have full
class Cs on both ends.

Could somebody make comment on this?

Thanks

Ruihai


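Once the administrative prerequisites John lists are in hand (one /24 announced on both connections, an AS number from ARIN), the router-side configuration is short. The following is an added example and not a config from the thread or from either provider; the AS numbers (64496 for us, 64497 and 64498 for the two ISPs, all from the documentation range), the prefix 198.51.100.0/24, the peer addresses and the MD5 key are assumptions for illustration.

```cisco
! Added example, not from the thread: a minimal dual-provider BGP setup on
! IOS. Assumed values: our AS 64496 and prefix 198.51.100.0/24, ISP-A is
! AS 64497 at 203.0.113.1, ISP-B is AS 64498 at 203.0.113.5. The MD5 key
! is a placeholder and must be agreed with each provider.
router bgp 64496
 no synchronization
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 password ChangeMe-ISP-A
 neighbor 203.0.113.1 prefix-list OUR-PREFIX out
 neighbor 203.0.113.5 remote-as 64498
 neighbor 203.0.113.5 password ChangeMe-ISP-B
 neighbor 203.0.113.5 prefix-list OUR-PREFIX out
 no auto-summary
!
! The network statement only advertises the /24 while a matching route is in
! the routing table, so pin one to Null0; more specific internal routes still
! win for real traffic.
ip route 198.51.100.0 255.255.255.0 Null0
!
! Announce only our own /24. Without this outbound filter the router would
! re-advertise routes learned from ISP-A to ISP-B (and vice versa) and turn
! us into a transit AS for their traffic.
ip prefix-list OUR-PREFIX seq 5 permit 198.51.100.0/24
```

The outbound prefix list is the part people forget: eBGP re-advertises what it learns from one external peer to the others by default, so the filter is what keeps a small multihomed site from announcing the internet to its second provider. `show ip bgp neighbors 203.0.113.1 advertised-routes` should list exactly the one /24, and the `password` lines enable TCP MD5 on the sessions, which most providers will accept and some require.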



RE: PIX Performance

2001-03-29 Thread Evans, TJ

Although I agree on the PIX being able to handle the load; other
considerations may include:
* The traffic from the DMZ through the PIX to the internal servers ...
depending on how their applications/web servers work in conjunction with the
db servers there could be significant load there

Of course, the counter-point to that is - even with the DMZ interface maxed
out you are looking at 100mbps ... and 4 T1's maxed out = 6mbps .. so still
a max incoming load of 106mbps, well below the PIX's ability.



Thanks!
TJ

 -Original Message-
From:   Groupstudy [mailto:[EMAIL PROTECTED]] 
Sent:   Thursday, March 15, 2001 22:47
To: [EMAIL PROTECTED]
Subject:Re: PIX Performance

Bottlenecks almost always end up being the smallest pipe on a network.  In
your case you have a possible 4 T1's which even when all are fully utilized
will only pass around 6mb of traffic per second.   Even your darn 10 baseT
ethernet pipes could handle that.  The PIX can handle up to 170mb per second
and won't even blink at 4 fully loaded T1's.  I suggest you give the client
the numbers and let them do the math.  After they have done their own math,
and if they are still not convinced you're right, may I suggest you ask them
why they need your help, they obviously know more about the matter at hand
than you do :-)


- Original Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, March 15, 2001 6:33 PM
Subject: PIX Performance


> Hello everyone.  Here is the situation.  A client of mine plans on setting up
> some DMZs off either a PIX 515 or 525.  Servers will consist of smtp relay,
> ftp, 2 to 4 web servers, 2 OWA servers, and 5 to 10 web app servers. Inside
> (the internal LAN), there are about 10 servers, some database, which dmz
> servers will need to access.  They currently have 2 T1s for external access
> to these DMZ based servers (no internally initiated web traffic), and do not
> plan to upgrade to more than 4 T1s anytime soon.  To the point, the client
> claims that the PIX will be unable to handle all the traffic from the front
> end and the access to the back end and that it will become a performance
> bottleneck with an extremely complicated, long rule set.  My experience and
> opinion tell me that the PIX will do just fine and could probably handle a
> hell of a lot more.  It is doing static NAT also but not any VPN stuff. If
> anything, with about 6000 remote clients accessing certain servers throughout
> the day, the potential bottleneck will be the 2 T1s or the 2610 router in
> front of the PIX, not the PIX itself - but he won't believe me!  I have
> plenty of performance test results and have implemented multiple PIXs and
> some Check Point Firewalls.  Am I missing something?  How do I convince him?
> Since this may not be perceived as a certification issue, you should probably
> answer me directly and not clog up the list.  Thank-you in advance...
>
> David Raker CCDP, CCNP, MCSE, MCP + Internet
>




RE: My CCNA test -Tips to follow

2001-03-29 Thread Evans, TJ

Drop the s in the middle ... 
www.sureshhomepage.com



Thanks!
TJ

 -Original Message-
From:   Jack  Nalbandian [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, March 27, 2001 15:11
To: [EMAIL PROTECTED]
Subject:RE: My CCNA test -Tips to follow

Paul,

The Suresh link didn't work for some reason.  Can you verify the url?

Paul Anderson [mailto:[EMAIL PROTECTED]] wrote:

[snip]

Microsoft does. The test was true to the objectives! Purchased the CCNA
Preparation Kit from www.sureshshomepage.com and Todd Lammle's Sybex
book. Suresh has got a good amount of stuff; really, you can make use of it.
To tell you the truth, out of the 65 questions I was asked at the real
test, about 40Qs line-by-line were from Suresh's kit. I was really
zapped.

[snip]

Regards,

Jack Nalbandian, CCNA, MCSE
Network Engineer
DATAFLEX - U.S. Operations
310.445.1052 x275
[EMAIL PROTECTED]
   
www.telephonyexperts.com  

The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material.  Any review, retransmission, dissemination or other use of, or
taking of any action in reliance upon, this information by persons or
entities other than the intended recipient is prohibited.   If you received
this in error, please contact the sender and delete the material from any
computer.   




RE: Cisco router is running very slow when SSh is implmented

2001-03-28 Thread Evans, TJ

I was going to suggest the use of an access class ... applied to the vty
lines ... but thanks for the transport input line!
<<that outbound telnet from all boxes on the LAN would be
blocked as well; as their 'responses' would get dropped at the router ...
hence the use of access classes ...>>

Regarding the slow SSH ... have you run a sniffer on that segment to watch
the packets, and see if there is some disagreement between your router and
TACACS+ server ... or see if the TACACS+ server itself is causing the delay
... ?


Thanks!
TJ

 -Original Message-
From:   Sean Young [mailto:[EMAIL PROTECTED]] 
Sent:   Tuesday, March 27, 2001 14:58
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject:Re: Cisco router is running very slow when SSh is implmented

Curtis,
Thanks for the tip.  However, I just figured it out.  The solution is:

line vty 0 4
transport input ssh

That effectively shut off telnet.

Sean


>From: Curtis Call <[EMAIL PROTECTED]>
>To: "Sean Young" <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: Re: Cisco router is running very slow when SSh is implmented
>Date: Tue, 27 Mar 2001 09:37:49 -0700
>
>Why not try to throw an access list on it that blocks the incoming telnet
>port?  I submit that I haven't read the document either so that might be a
>stupid suggestion :-)
>
>
>At 09:16 AM 3/27/01, you wrote:
>>Hope I am not offending you but did you read the document before giving
>>me advice or do you just give it out of the blue?  If I "no login"
>>under vty then users will NOT be able to SSH to the router period.
>>
>>Any more ideas?
>>
>>Sean
>>
>>
>> >From: "Mask Of Zorro" <[EMAIL PROTECTED]>
>> >To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>> >CC: [EMAIL PROTECTED]
>> >Subject: Re: Cisco router is running very slow when SSh is implmented
>> >Date: Tue, 27 Mar 2001 11:04:33 -0500
>> >
>> >Enter a "no login" under the vty config and that will disable telnet
>> >authentication, effectively shutting off telnet...
>> >
>> >>From: "Sean Young" <[EMAIL PROTECTED]>
>> >>Reply-To: "Sean Young" <[EMAIL PROTECTED]>
>> >>To: [EMAIL PROTECTED]
>> >>CC: [EMAIL PROTECTED]
>> >>Subject: Re: Cisco router is running very slow when SSh is implmented
>> >>Date: Tue, 27 Mar 2001 10:38:38 -0500
>> >>
>> >>This is my configuration
>> >>
>> >>line con 0
>> >>logging synchronous
>> >>login authentication usetacacs
>> >>transport input lat pad v120 lapb-ta mop telnet rlogin udptn nasi ssh
>> >>line aux 0
>> >>line vty 0 4
>> >>exec-timeout 0 0
>> >>authorization commands 1 usetacacs1
>> >>login authentication usetacacs
>> >>!
>> >>
>> >>even when I set the "exec-timeout 0 0", I still can telnet to the
>> >>router which is something I would like to avoid.  I only want ssh to
>> >>work.  By the way, I use TACACS+ to authenticate users.
>> >>
>> >>Anymore ideas?
>> >>
>> >>Sean
>> >>
>> >>
>> >>
>> >> >From: "John Neiberger" <[EMAIL PROTECTED]>
>> >> >To: [EMAIL PROTECTED]
>> >> >CC: [EMAIL PROTECTED]
>> >> >Subject: Re: Cisco router is running very slow when SSh is implmented
>> >> >Date: Tue, 27 Mar 2001 08:20:26 -0700
>> >> >
>> >> >I don't know about the performance issue, that sounds like a "feature"
>> >> >since a 3640 shouldn't have much trouble handling that.
>> >> >
>> >> >As far as disabling telnet, the only way I know of is not to set a vty
>> >> >password.  While not disabling the telnet server, it will prevent any
>> >> >attempts to telnet to the router.
>> >> >
>> >> >John
>> >> >
>> >> > >>> "Sean Young" <[EMAIL PROTECTED]> 3/27/01 7:58:37 AM >>>
>> >> >Hi everyone,
>> >> >
>> >> >Is it just me or anyone in the group experiencing the same thing?
>> >> >I've implemented SSH features on one of our ACCESS servers and I
>> >> >notice
>> >> >that it is very slow.  The access server is a Cisco 3640 with 128MB
>> >> >RAM.
>> >> >I notice the performance is quited slow even on a Fast Ethernet LAN.
>> >> >I don't have any performance issues with Unix servers.  Another thing,
>> >> >now that I have SSH running on the access server, how can I turn off
>> >> >telnet completely on the router?  I checked Cisco's website but didn't see
>> >> >any solutions for it.
>> >> >
>> >> >Any ideas?  Thanks.
>> >> >
>> >> >Sean
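Putting the two pieces of this thread together (Sean's `transport input ssh` and TJ's point that an access class on the vty lines, not an interface ACL, is the way to restrict who may connect), here is the before/after for the vty lines. This is an added example, not a config from the thread or from Cisco; it assumes SSH is already working on the router (hostname, `ip domain-name` and `crypto key generate rsa` done) and that the management hosts live in 10.1.1.0/24, both assumptions for illustration.

```cisco
! Added example, not from the thread: locking the vty lines of an IOS 12.x
! router down to SSH. Assumes SSH is already enabled on the box and that
! management hosts sit in 10.1.1.0/24 (both assumptions for this example).
!
! Before: transport input is left at its default, so telnet is still accepted
! (as Sean observed), and exec-timeout 0 0 means an idle session never ends.
line vty 0 4
 exec-timeout 0 0
 authorization commands 1 usetacacs1
 login authentication usetacacs
!
! After: only SSH may open a vty, only from the management subnet, with a
! finite idle timeout. Connection attempts from elsewhere are logged by the
! deny entry.
access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any log
!
ip ssh time-out 60
ip ssh authentication-retries 3
!
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
 authorization commands 1 usetacacs1
 login authentication usetacacs
 transport input ssh
```

`access-class ... in` only governs connections to the router's own vty lines, so unlike an inbound interface ACL it does not touch transit telnet from LAN hosts (the reply traffic TJ notes would otherwise be dropped). `transport input ssh` likewise does not restrict outbound telnet from the router, which is controlled separately by `transport output`. Verify by running `telnet` against the router from a management host (the connection should be refused immediately) and from a non-management host over SSH (refused as well, with a log entry from access-list 10), while `show users` should show only SSH sessions.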