RE: Confreg problem...help! [7:57732]

2002-11-25 Thread Godswill HO
Robert,

Aux could only work if you had configured the router
before now to accept Aux connections.

The only possible solution is for you to go through the
console port.

Using a PC with a Terminal emulator set its parameters
to:
9600 baud rate
No parity
8 data bits
1 stop bit
No flow control

Using the appropriate console cable, connect the
router to the PC, run the terminal software and set
the parameters as suggested above. Then:

1. Switch off the Router

2. Press [Enter Key] to connect to the router (do not
 mind, you will not see anything displayed on the
 screen)

3. Switch on the router and type in the break sequence
 (depending on your terminal emulation software and the
 OS you are running, your break sequence could be
 i.Ctrl+Break ii.Ctrl+F6+Break iii.Ctrl+a+f iv.Ctrl+b
 v.Ctrl+End vi. Break vii.control+shift+6+b etc!!!
 whichever works for you.)

4. Then on Rommon type confreg 0x2142 ..To boot
 from flash.

5. On rommon type Reset
 This makes the router boot from flash and ignore
 its configurations.

6. Type No after the setup question or press Ctrl+C
7. On Router> type Enable
8. On Router# type copy startup-config running-config
9. On Router# type Config t
10. On Router(config)# type config-register 0x2102
11. On Router(config)# type end
12. On Router# type copy running-config startup-config

With these you are set.

If this works for you Bill, just send me a DEER for
thanksgiving day, else please feel free to ask more
questions.

my 0.2 cents

Regards
Godswill Oletu


--- dayo olabisi  wrote:
 Bill,
 
 telnet won't work if the router isn't up... I think
 connecting via the Aux port may be of help.
 
 dayo
 --- Creighton Bill-BCREIGH1
  wrote:
  I'm assuming you don't have VTY access - telnet, of
  course, doesn't care about console port settings...
  
  Bill Creighton CCNP
  Senior System Engineer
  Motorola
  iDEN CNRC Packet Data / MPS
  
  
  
  -Original Message-
  From: Robert Massiache
  [mailto:[EMAIL PROTECTED]] 
  Sent: Tuesday, November 19, 2002 3:27 PM
  To: [EMAIL PROTECTED]
  Subject: Re: Confreg problem...help! [7:57732]
  
  
  Thanks for the reply.
  
  The problem is upon boot up I am getting only
  garbled ascii characters and the screen appears to be
  frozen. It doesn't let me see anything or type
  anything to implement your suggestion...sorry. I
  welcome if you could tell me some alternative...thanks
  a lot!
  
  thanks
  Robert M
  
  
  
  
  
  
  From: miken
  To: Robert Massiache ,
  CC: ,
  Subject: Re: Confreg problem...help!
  Date: Tue, 19 Nov 2002 00:52:49 -0700
  
  I believe the config-register is stored in NVRAM.
  So in theory, if you bypass the startup config, you
  may default to the standard config-register settings.
  Haven't tried it though to know for sure.
  Have you tried booting into rommon (control-break
  sequence) and then stepping through the confreg steps?

  http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1831/products_command_summary_chapter09186a0080087baf.html#xtocid43127

  HTH,
  Mike

  - Original Message -
  From: Robert Massiache
  To:
  Cc: ;
  Sent: Monday, November 18, 2002 7:39 PM
  Subject: Confreg problem...help!


  Hi,
  I got a mc3810 router and it was running perfectly.
  Sometime ago I mistakenly typed a confreg value which
  I do not remember exactly but I know it was not a
  relevant one. I was actually practicing with the
  confreg entries.

  What happened was that after I just rebooted the
  router I lost the console screen. I tried with all
  sorts of console port values like changing the
  baud-rate, start stop bit etc.

  I found it was responding to 1200 baud speed but all
  I could find is some corrupted and garbled ascii
  characters on the Teraterm. Same is the case with
  Hyperterm.

  Any helpers please...

  thanks

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58021t=57732
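The procedure above flips one bit of the configuration register (0x2102 to 0x2142 and back), and Robert's symptom (a console readable only at 1200 baud) lives in another field of the same register. Added example, not from the original thread: a decoder for the register layout Cisco documents for classic IOS routers, plus the check a defender runs before putting a box back in service, since a router left at 0x2142 will reload with no passwords and no ACLs. The value 0x3902 is constructed to reproduce the 1200-baud symptom.

```python
"""Decode and audit a Cisco IOS configuration register value.

Added example (not from the original thread). Bit layout follows the
documented classic IOS register: bits 0-3 boot field, bit 6 ignore NVRAM,
bit 8 break disabled, bit 13 boot ROM on netboot failure, bits 5/11/12
console line speed. Sample values below are constructed.
"""

BOOT_FIELD_MASK = 0x000F
IGNORE_NVRAM = 0x0040      # bit 6: boot without reading startup-config (the 0x2142 trick)
BREAK_DISABLED = 0x0100    # bit 8: ignore the console break once IOS is running
BOOT_ROM_ON_FAIL = 0x2000  # bit 13: fall back to the ROM image if network boot fails
BAUD_BIT5, BAUD_BIT11, BAUD_BIT12 = 0x0020, 0x0800, 0x1000
DEFAULT_REGISTER = 0x2102

# (bit5, bit12, bit11) -> console speed. Bit 5 selects the high-speed table.
_BAUD_TABLE = {
    (0, 0, 0): 9600, (0, 0, 1): 4800, (0, 1, 0): 2400, (0, 1, 1): 1200,
    (1, 0, 0): 115200, (1, 0, 1): 57600, (1, 1, 0): 38400, (1, 1, 1): 19200,
}


def _bit(reg: int, mask: int) -> int:
    return 1 if reg & mask else 0


def console_baud(reg: int) -> int:
    """Console line speed selected by the register."""
    return _BAUD_TABLE[(_bit(reg, BAUD_BIT5), _bit(reg, BAUD_BIT12), _bit(reg, BAUD_BIT11))]


def boot_mode(reg: int) -> str:
    field = reg & BOOT_FIELD_MASK
    if field == 0x0:
        return "rommon"
    if field == 0x1:
        return "rom image"
    return "flash/boot system"


def decode(reg: int) -> dict:
    return {
        "boot": boot_mode(reg),
        "ignore_nvram": bool(reg & IGNORE_NVRAM),
        "break_disabled": bool(reg & BREAK_DISABLED),
        "console_baud": console_baud(reg),
    }


def recovery_value(reg: int) -> int:
    """Register to set in ROMMON so the next boot skips the saved config."""
    return reg | IGNORE_NVRAM


def restored_value(reg: int) -> int:
    """Same register with the ignore-NVRAM bit cleared again (the config-register 0x2102 step)."""
    return reg & ~IGNORE_NVRAM & 0xFFFF


def audit(reg: int) -> list:
    """Conditions a defender wants flagged before a router goes back into service."""
    findings = []
    if reg & IGNORE_NVRAM:
        findings.append("ignore-NVRAM set: next reload boots with no config, so no passwords or ACLs")
    if console_baud(reg) != 9600:
        findings.append(f"console speed is {console_baud(reg)} baud, not 9600: terminal will show garbage")
    return findings


if __name__ == "__main__":
    # Constructed: 0x2102 with bits 11 and 12 set gives the 1200-baud symptom Robert saw.
    for value in (DEFAULT_REGISTER, recovery_value(DEFAULT_REGISTER), 0x3902):
        print(f"0x{value:04X}: {decode(value)} {audit(value)}")
```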
--
FAQ, list archives, and subscription info: 

RE: CCSP [7:57713]

2002-11-20 Thread Godswill HO
If you take one of the 3 specialized courses plus the MCNS
exam, you become a Specialist in that area, e.g.
1. CSPFA+MCNS = Firewall Specialist
2. CSVPN+MCNS = VPN Specialist
3. IDSPM+MCNS = IDS Specialist

For a Limited time more:
CSPFA+CSVPN+IDSPM+MCNS = CSS1

Also
CSPFA+CSVPN+IDSPM+MCNS+SAFE= CCSP

From now till 09/03,
people like my humble self who already have the CSS1
designation would need to take only the SAFE exam to
become CCSP.

I did not see any true meaning to all these. Cisco
should know better.

my 0.02 

Regards
Godswill 
CCNP,CCDP,CSS1




--- Creighton Bill-BCREIGH1
 wrote:
 Nevermind - sometime earlier they enabled the
 links...
 
 -Original Message-
 From: Creighton Bill-BCREIGH1
 [mailto:[EMAIL PROTECTED]] 
 Sent: Tuesday, November 19, 2002 3:07 PM
 To: [EMAIL PROTECTED]
 Subject: RE: CCSP [7:57713]
 
 
 Good Info!
 I tried following the link for those new Specialist
 certs on Cisco's site,
 but the link is broken - are Specialists defined now
 by completing only the
 individual exams? (CSPFA for Firewall, CSVPN for
 VPN, and CSIDS for IDS)
 
 -Original Message-
 From: Peter.Walker:[EMAIL PROTECTED]
 [mailto:Peter.Walker:[EMAIL PROTECTED]] 
 Sent: Tuesday, November 19, 2002 2:53 PM
 To: [EMAIL PROTECTED]
 Subject: Re: CCSP [7:57713]
 
 
 Joshua
 
 The CCSP is basically just a realignment of the
 current Cisco Security Specialist 1 certification into
 the Cisco Professional track. It does add one more exam
 to the requirements but other than that no real change.
 Cisco has even 'generously' allowed current CSS1s to
 take the remaining exam to get the cert. :-)

 As for the new specialist level certs, they are just
 dumbed down ^H^H^H^H^H^H^H^H^H^H^H more focussed
 variations of the CSS1.

 I really don't think Cisco have thought this one
 through as anyone who attains CCSP (with the current
 versions of the exams), will also automatically get
 three specialist level certs. In my opinion this
 totally devalues the specialist level certs. They
 should be something that takes specific specialised
 skill and knowledge to attain, not something you get
 for free as part of the process of attaining an
 intermediate level professional qualification.
 
 Peter Walker
   CISSP, CSS1, CITPSS, CCNP, CCIP, CCDP, etc
 
 (Putting flame proof clothing on)
 
 Joshua Green wrote:
  
  Anyone else hear about the new CCSP cert that Cisco
  is offering?! It's about time!  Although I wish some
  of the other Professional level certs would count
  towards it in some way...  I also like the three new
  Specialist level certs!
  
  
  
  Thank you,
  
  Joshua Green; MCSE, CCNA
  [EMAIL PROTECTED]
  CityScape Communications
  2040 Timberbrooke Drive
  Springfield, IL  62702
  (217) 793.6238 x18
  (217) 793.6275 fax
  (217) 306.6201 cell




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57766t=57713
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



CCIE Home Lab Materials and Equipments [7:57810]

2002-11-20 Thread Godswill HO
Hi group,

I want to get it right the first time. I intend
setting up my CCIE lab at home. I will appreciate it if
someone who has taken the lab or is preparing for it
tells me what Switches, Routers and materials I need to
buy.

Also information about the various needed blades on
the switches is important, cables, cards, modules,
etc.

I currently have a cable connection and also a dialup
connection from home to the internet, are these enough
or do I need to get a second cable connection?

I currently have the following books:
1. CCIE Fundamentals: Network Design and Case Studies
 2nd Edition by Cisco Press.

2. Routing TCP/IP, volume 1 by Cisco Press (Jeff
Doyle)

also
1. Cisco router 1601
2. Cisco router 2502
3. cisco router 3000

I intend buying Cisco Catalyst Switch 5000 within a
few days, but I need your assistance.


Please, I will appreciate an answer from my big brothers
and sisters, the CCIEs and those who are currently working
towards it.

Thanks in advance.
Godswill Oletu
CCNP, CCDP, CSS1.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57810t=57810



Re: Cisco Qualified specialist [7:47263]

2002-06-24 Thread Godswill HO

Hi,
They will send a congratulatory letter, a certificate
and nothing more...no ID card.

Enjoy
--- Dwayne Saunders  wrote:
 Hi all
   Was just wondering, after completing your Cisco
 Qualified Specialist exam, what does Cisco send out,
 if anything?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=47319t=47263



How Faceless the CQS Logos are??? [7:36521]

2002-02-26 Thread Godswill HO

Hello,
I know the focus of any certification is not the certificate nor the logo;
the joy of scaling through all the hurdles, the additional knowledge and
responsibilities it brings, etc. outweigh the certificate or the logo you
are given to put on your complimentary card or letterhead.

However, the logo and the certificate, etc. should be appropriate in terms of
quality, representation and design; no doubt it adds some prestige both to
the holder and the vendor. I was disappointed to find out that the Cisco CQS
certification is so faceless. All that you see in the logo is Cisco
Certified...No indication of the type of certification, no mention of
anything relating to it whatsoever. Logos are normally graphical
representations, but Cisco logos are not; no one who sees the CQS logo will
know what it stands for nor what it represents.

I think Cisco can do more, they have the money and resources. Sometimes we
had to pay through our nose to get these certifications; it is only fair one
gets value for his hard earned money. It also tells how serious, dedicated and
committed the vendor is to their certification process. If Cisco would
commit half the money, strength and vigor they currently exhibit in pursuing
and executing their NDA into this, it would go a long way to add more value
to the whole process.

I thought someone shares the same thought with me.

Enjoy.
Godswill Oletu CSS1,CCDP,CCNP.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36521t=36521



Passed CSIDSPM Exam!!!!!!!!!!!!!!!! [7:36306]

2002-02-23 Thread Godswill HO

I am very grateful to you all. The group really helped me throughout my CSS1
exam track. It has been a big learning place where knowledge is shared. I sat
and passed the Cisco Secure Intrusion Detection Systems with Policy
Manager (CSIDSPM) version 2.1 exam today to complete the CSS1 (Cisco Security
Specialist 1) track.

 It was a beast of an exam, totally different from the first three. It was a
tough battle but it is all over, thanks once more.

You might think CCIE would be next; no, not at all, next on the list is
CISSP (Certified Information Systems Security Professional) or CCSA
(Checkpoint Certified Security Administrator). I will be grateful if someone
who has taken the CCSA exam helps me with the best book/study materials to
use. I can only locate materials for the CCSA CP 2000 exam, but I want to
take the CCSA NG exam which is the latest version. Any help would be
appreciated.

Enjoy.

Godswill Oletu CCNP,CCDP,CSS1.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36306t=36306



Last Minute Prayers, Advice and Tips---CSIDSPM [7:36288]

2002-02-22 Thread Godswill HO

Hi all,

I have just 2 hours between me and my Cisco Secure Intrusion Detection
Systems with Policy Manager (CSIDSPM) version 2.1 exam. It is the last lap to
my CSS1 certification.

Please, any last minute tips, advice and of course prayers would be
appreciated. Send an offline message where necessary.

Until I hear from you, Enjoy.

Regards.
Godswill Oletu CCNP,CCDP,CSS1(3/4).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36288t=36288



Re: DNS Request Redirection [7:35703]

2002-02-18 Thread Godswill HO

You can still use your former ISP's DNS records while using the new ISP's
bandwidth. It does not matter who owns the DNS server. Everybody has access
to it once they are on the internet, except when they are specifically
filtered.

The only drawback is that your new ISP has to forward the packet on a
round trip to the old ISP's network through the internet before it is
resolved and sent back to your machine; had you been using the DNS of
your new ISP, these requests would stop there. Do not lose your sleep,
because at the worst these delays are in milliseconds and not easily
noticeable by the eye; moreover each machine has a cache so it does not
forward every request. Great if you have a Cache Engine to complement the
machine's cache.

Whatever, you are cool and everything will be fine, switch to your new ISP
and enjoy.

Regards.
Oletu
- Original Message -
From: Michael Hair 
To: 
Sent: Sunday, February 17, 2002 8:07 PM
Subject: DNS Request Redirection [7:35703]


 I was wondering what is the best way to take care of the following:

 I have been using a private address space behind a Cisco 4500 router
 connected up to our current ISP using NAT, now we want to move our
 connection from our current ISP to a new ISP with better bandwidth. My
 problem is that we don't want to change all our client machines' TCP/IP
 settings, which are all static, for some reason or another they were all
 set up to use our ISP's DNS. Not my idea but that's another problem. So how
 can I set up our router to forward requests looking for our current ISP's
 DNS to our new ISP's DNS without touching all the client machines.

 Would the best way be to use policy-based routing?

 Would a static route work?

 Could I use a static route under NAT?

 If someone could provide me a sample of how you could do this I would be
 grateful...

 Thanks
 Michael




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35718t=35703



Re: SNA in CCDP [7:35717]

2002-02-18 Thread Godswill HO

There is a lot one cannot say because of the NDA, however it would be safer
if you read and know SNA very well.

Enjoy.

Regards.
Oletu
- Original Message -
From: Emil 
To: 
Sent: Monday, February 18, 2002 1:46 AM
Subject: SNA in CCDP [7:35717]


 Hello
 I'm a little bit confused about the CCDP exam topics. According to the Cisco
 site there is no SNA on CCDP , also there is no VoIP.
 In  the CID training there is no SNA but there is some VoIP.
 In the CID book by Birkner ( Cisco Press) there is SNA

 The question is: What is on the exam?
 Regards
 EMIL




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35719t=35717



Re: PIx 501 [7:35635]

2002-02-16 Thread Godswill HO

The new Cisco Secure PIX Firewalls book edited by David and Andy is an
excellent guide. In case you decide going into cisco security certification,
the book will help with the PIX exam as well.

Good hands on your new baby-PIX 501.

Regards.
Oletu

- Original Message -
From: Juan Blanco 
To: 
Sent: Saturday, February 16, 2002 4:30 PM
Subject: PIx 501 [7:35635]


 Team,
 I just got my 501 pix, which book is a good one that I could use to fully
 understand this small box(very small).
 Thanks,

 Juan Blanco
 MCSE, CCNA, CCNP, CCDA, CCDP...One day CCIE




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35650t=35635



Re: access-group ## in or out? [7:35578]

2002-02-16 Thread Godswill HO

Look at it from both the Router and the Interface perspective, e.g. if the
interface facing your LAN is E0 and the interface to the internet is S0.

For traffic coming from your LAN into the Router through the E0 interface,
as the traffic is entering that interface from your LAN it is 'in' and as it
passes and goes out of that interface into the backplane of the router, it is
considered 'out' relative to interface E0 and 'in' relative to interface S0;
when it leaves interface S0 into the internet, it is then considered 'out'
relative to interface S0.

For traffic coming from the internet into the Router through the S0
interface, as the traffic is entering that interface from the internet it is
'in' and as it passes and goes out of that interface into the backplane of the
router, it is considered 'out' relative to interface S0 and 'in' relative to
interface E0; when it leaves interface E0 into your LAN, it is then
considered 'out' relative to interface E0.

You now see that each interface has two instances of 'in' and two instances
of 'out'. Most security designs use 'in' more often than 'out' and you
should consider using it as well, if tight security implementation is your
goal. The 'in' keyword makes the router examine the packets before they
enter the interface and impose the Access-list on the traffic before they
ever have the chance of either entering the Router or your network, while
the 'out' keyword only does that after the traffic has passed through the
interface in question; this should only be allowed for trusted traffic for
which you only want to disallow access to certain services.

If you want to restrict a particular source address from entering your
network or router, using the 'out' keyword has no effect and it is a
security breach because the traffic would have entered your router or
network before it is acted upon.

Have a clear picture of what you want the access-list to do against the
particular traffic; that will give you a clue on the keyword to use. However
for me security is always at the back of my mind, so by default I use the
'in' keyword except where otherwise unnecessary.

Regards.
Oletu

- Original Message -
From: none ya 
To: 
Sent: Friday, February 15, 2002 6:03 PM
Subject: access-group ## in or out? [7:35578]


 Would someone please give me a simple explanation/example that will
 clarify when to use in or out when you apply an ACL to a router interface?
 Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35651t=35578
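Added example, not from the original post: a small model of the packet path the answer describes, with the same filter applied either 'in' on S0 or 'out' on E0. It shows the point about traffic aimed at the router itself: an outbound ACL on E0 never sees a packet addressed to the router, while an inbound ACL on S0 drops it before anything else happens. Addresses, interface names and the ACL number are constructed.

```python
"""Model of where an IOS access-group 'in' vs 'out' ACL takes effect.

Added example, not from the original post. Addresses, interface names
and ACL contents are constructed for illustration. The router is
simplified: one LAN interface (E0) and one Internet interface (S0), a
two-entry routing decision, and an implicit deny at the end of every ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Acl:
    name: str
    entries: List[Tuple[str, Net]]  # ("permit"|"deny", source network), in order

    def permits(self, src: IPv4) -> bool:
        for action, net in self.entries:
            if src in net:
                return action == "permit"
        return False  # IOS implicit "deny any" at the end of every ACL


@dataclass
class Interface:
    name: str
    network: Net                       # directly connected subnet
    address: IPv4                      # the router's own address on it
    acl_in: Optional[Acl] = None       # access-group <acl> in
    acl_out: Optional[Acl] = None      # access-group <acl> out


class Router:
    def __init__(self, lan: Interface, wan: Interface):
        self.lan, self.wan = lan, wan
        self.ifaces = {lan.name: lan, wan.name: wan}
        self.own = {lan.address, wan.address}

    def egress_for(self, dst: IPv4) -> Interface:
        # Connected route for the LAN, default route towards the Internet.
        return self.lan if dst in self.lan.network else self.wan

    def process(self, src: str, dst: str, ingress: str) -> str:
        src_ip, dst_ip = IPv4(src), IPv4(dst)
        in_if = self.ifaces[ingress]
        # 1. The inbound ACL is checked as the packet arrives, before anything else.
        if in_if.acl_in and not in_if.acl_in.permits(src_ip):
            return f"dropped by {in_if.acl_in.name} in on {in_if.name}"
        # 2. Traffic addressed to the router itself never crosses an egress
        #    interface, so no outbound ACL anywhere ever sees it.
        if dst_ip in self.own:
            return "delivered to router"
        # 3. Forwarded traffic is checked by the outbound ACL of the egress interface.
        out_if = self.egress_for(dst_ip)
        if out_if.acl_out and not out_if.acl_out.permits(src_ip):
            return f"dropped by {out_if.acl_out.name} out on {out_if.name}"
        return f"forwarded out {out_if.name}"


def build_router(direction: str) -> Router:
    """Same filter (block 10/8 sources arriving from the Internet), applied
    either 'in' on S0 or 'out' on E0."""
    block_private = Acl("101", [("deny", Net("10.0.0.0/8")), ("permit", Net("0.0.0.0/0"))])
    e0 = Interface("E0", Net("192.168.1.0/24"), IPv4("192.168.1.1"))
    s0 = Interface("S0", Net("203.0.113.0/30"), IPv4("203.0.113.1"))
    if direction == "in":
        s0.acl_in = block_private
    elif direction == "out":
        e0.acl_out = block_private
    else:
        raise ValueError("direction must be 'in' or 'out'")
    return Router(e0, s0)


if __name__ == "__main__":
    bogus_src, lan_host, router_wan = "10.1.1.1", "192.168.1.10", "203.0.113.1"
    for d in ("out", "in"):
        r = build_router(d)
        print(f"ACL applied {d}: to LAN host -> {r.process(bogus_src, lan_host, 'S0')}")
        print(f"ACL applied {d}: to router   -> {r.process(bogus_src, router_wan, 'S0')}")
```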



Re: hacking a firewall [7:34978]

2002-02-09 Thread Godswill HO

O boy user Network Scanner na?

Regards.
- Original Message -
From: sami natour 
To: 
Sent: Saturday, February 09, 2002 12:13 PM
Subject: hacking a firewall [7:34978]


 Hi ,
 I am trying to test how secure the BigFire firewall is. I need
 to run some tests, in other words I want to find if I
 can hack it or not. It is very important to our company
 to know how secure it is.

 Best Regards ,
 sami ,






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35003t=34978



Re: Question [7:34497]

2002-02-05 Thread Godswill HO

I guess you are behind the news. I think Cisco has pulled them to Court to
answer some questions; that was a few months ago.

However, I have not heard anything about the final outcome of the case.

Regards.
Oletu

- Original Message -
From: Kazan, Naim 
To: 
Sent: Tuesday, February 05, 2002 11:43 AM
Subject: Question [7:34497]


 Guys,


 What the hell is up with cheet-sheets.com? I placed an order and they don't
 seem to answer their phones or emails.  Are they down or out of business?


 Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34545t=34497



Re: CCIE starting pay [7:33899]

2002-02-04 Thread Godswill HO

He should be getting ready for retirement so that the young ones can
take over.

- Original Message -
From: Jeff Buehler 
To: 
Sent: Sunday, February 03, 2002 2:22 PM
Subject: Re: CCIE starting pay [7:33899]


 Change the original posters question to include:

 How about a CCNA, CCDA, CCNP, CCDP, CCIE with 16 years of Telecom
 experience.  (DS0, DS1, DS3, OC-3 to OC-192, DWDM)  Telco switch etc.
 (test, turn-up, trouble-shooting) and only physical experience with IT?




 Guy wrote in message news:[EMAIL PROTECTED]...
  Well, more power to you!!!

  As far as what you should expect

  An entry level NOC position If you go in with the attitude that you
  should be at a Senior Level because of the IE, then you will be one of the
  ones crying about how there's no jobs available... Whichever way you go, I
  doubt your CCIE will have any more leverage than your CCNP will...
  Something that might be a good move for you is a lateral move within your
  ISP, in the AS support or something  But it sounds like you are the
  person the average user calls when they can't get the little E thing on
  their desktop to do anything If that's your position, get out and
  move... If you support the companies about their T1, then you're in a
  good starting place...

  Best of luck, everyone has to start, but I'm afraid the CCIE at this stage
  may hurt you...

  Here's what I mean You are qualified for entry level... Your
  Certifications say you are over qualified Your work experience says
  you're under qualified for your certs...

  What does an employer do? If they have dealt with a CCIE before, they
  probably won't consider you because they don't have the confidence in you
  to control their multi million dollar network

  On the other side... Your certifications would get you overlooked for the
  positions you would excel at quickly and allow you to get the experience,
  because they don't think you would accept any offer for a lower
  position...

  So your resume gets dumped

  Some important things to consider.

  I would not consider your resume if it had all of that, and all within one
  year... My first instinct would be BRAIN DUMPS... CHEET SHEETS
  TRANSCENDERS, and I would throw your resume away

  Now someone with CCNA, maybe CCNP, but not too much, would get my
  attention for a good paying entry to mid level position

  CCIE is upper level position Can't put you in charge of my team of
  engineers with experience levels ranging from 2-10 years when you have
  0-1 No one would follow you. It would not be a good team anymore
  These are things beyond the technical aspect that management must face.

  Just think about it.. I'm not trying to keep you from succeeding, just
  trying to keep you from hurting yourself...

  It's like the small company that saves up their money for a Super Bowl
  Ad... They get 3 million responses and their 2 man company can't handle
  it What happens to them?

  They run themselves out of business... too much too fast...

  - Original Message -
  From: John Neiberger
  To:
  Sent: Thursday, January 31, 2002 4:31 PM
  Subject: Re: CCIE starting pay [7:33899]


   To go through those certs that quickly is very impressive!  If you pass
   the lab, I still think you will get a lot of funny looks when you say
   you have no work experience, yet you are a CCIE.  As long as you're
   prepared for that, it's up to you to sell yourself.  It will be tough
   but I think if you can show that you really know your stuff, you should
   be able to find a pretty good job.

   However, I wouldn't count on a huge salary right at the beginning simply
   because of the certifications.

   Good luck!
   John

   Joe Carr  1/31/02 12:33:02 PM
   I'm going for my CCIE now and I have completed the CCNA, CCDA, CCNP, CCIE
   written all within the last five months. I currently work for an ISP in
   tech support (help desk) and I do not have NOC experience. I have a very
   impressive lab and plan to be done with the CCIE lab in about four
   months. I am just wondering what I should expect out there, I just
   turned 21 so I'm still pretty young yet but I have gotten all of these
   certs plus an MCDBA and A+ in less than a year.

   Joe Carr
   A+, MCDBA, CCNA, CCDA, CCNP
   - Original Message -
   From: John Neiberger
   To: ;
   Sent: Thursday, January 31, 2002 12:47 PM
   Subject: Re: CCIE starting pay [7:33899]


    I'd be surprised if you could find a CCIE with no work experience. Even
    if you could, they wouldn't be worth that much, IMHO.  Assuming I pass
    in April, I'll have just over three years experience and a CCIE
    certification.  What does that mean?

    Well, it means that if I leave my current job to look for work
    elsewhere, I'll be going up against CCIEs with 5-7+ years experience
    plus degrees.  Someone with only

Re: CCNP EXAM [7:34373]

2002-02-04 Thread Godswill HO

Buy the Cisco Press books for the series.

- Original Message -
From: Aslam Rafay 
To: 
Sent: Monday, February 04, 2002 1:06 PM
Subject: CCNP EXAM [7:34373]


 Guys
 I am taking the CCNP course; anyone who recently passed all the CCNP exams, tell
 me good resources I can utilize to pass my exams.

 thanks,

 Rafay.
_
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34383t=34373
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: Passing CID [7:33784]

2002-01-31 Thread Godswill HO

Hi David,

The CSS1 track looks easier to me than the CCNP track. Among others, the
major reason is that there are a lot of overlapping areas in all four
exams. If you write MCNS and start preparing for the PIX exam, you will
discover that you are familiar with almost 75% of the material; the same goes
for the VPN exam. All you have to do is note the specific applications
within the current context. Very unlike the CCNP, where each of the four exams
deals with a completely different world of knowledge. For you to see clearly
what I am saying: I wrote all four of my CCNP exams within six (6) weeks, but I
have written three of the CSS1 exams in just one (1) week! (MCNS=22/1/1,
PIX=25/1/1 and VPN=29/1/1), with IDS left. However, you need to know your
stuff, but it is not really a terror of an exam.

Please tell me more about the Checkpoint exam. My next target is either
Checkpoint or CISSP, though I am more likely to give CISSP a look first;
however, Checkpoint will follow very soon.

Regards.
Oletu.

- Original Message -
From: David L. Blair 
To: 
Sent: Thursday, January 31, 2002 5:26 AM
Subject: Re: Passing CID [7:33784]


 How would you compare the CSS1 tests to the CCNP tests?  I am thinking
 about going after my CSS1 after I pass the Checkpoint CCSA and CCSE tests.

 -dlb

 Godswill HO wrote in message news:[EMAIL PROTECTED]...
  Hi Priscilla,
 
  Questions like "which answer doesn't not belong" means what??? Is Cisco
  implying that the double negative means positive as we were taught years
  ago in algebra class, or should it be ignored and taken for one negative?
 
  I am currently taking my CSS1 track. I wrote Cisco Secure VPN yesterday,
  which happens to be the third exam in the series. I came across a lot of
  questions which made no sense at all. Looking at the question, it was not a
  question at all; it was not asking any particular thing, it had no meaning,
  no bearing, no sense in it, they are just like saying
  blablablablablablablabla.
  The more I read them the more I get confused and lost at what Cisco was
  trying to ask. Have you come across questions that made you think 'What
  must be in the mind of the examiner when he was asking this question, which
  aspect of Network or Security implementation was he thinking of?' What I
  normally do is to completely ignore the questions and eliminate the odd
  options in the answer; at the end of the day in many questions like these,
  I come out with NOT THE BEST ANSWER as they use to tell one, but rather a
  choice that made a different SENSE and MEANING than the other three or
  four.
 
  I sometimes ask whether the current Cisco questions were not originally
  written in English but were translated from another language and as such
  the translators did not do a good job, or is it a deliberate action on the
  part of Cisco? If it were the former it is high time they took a closer
  look at it, and if it is the latter, what must have informed their actions?
 
  Regards.
  Godswill Oletu CCNP, CCDP.
 
  - Original Message -
  From: Priscilla Oppenheimer
  To:
  Sent: Wednesday, January 30, 2002 4:57 PM
  Subject: Re: Passing CID [7:33784]
 
 
    At 07:19 PM 1/30/02, brian hall wrote:
    Passing this test #640-025 was the hardest yet. It took a couple of
    times. Now it's on to CCIE and then the lab, where the truth comes out.
    Some tell me that passing this brings you close to being prepared to
    take the CCIE written. I'll find out soon enough.
    
    To anyone who cares, using Boson CCDP #1 & #3 helped.
    
    I started using the latest version of the CID exam prep from Cisco
    Press but
   
    Exam prep guides are written with the goal of summarizing what you need
    to know. They are not the course materials, but go beyond in some ways,
    and may also skip some basic stuff. They can be great for review, but
    don't work for everyone as the primary source.
   
    found the earlier version of the book written by Birkner a better
    source.
   
    This wasn't an earlier version of the same book. It's a different book.
    This was the course materials ported to book format. The author should
    be Cisco (course developers) although in this case Birkner didn't
    exactly follow the script and added his own material and left some out.
   
    In general, Cisco Press develops at least two types of books:
   
    Certification guides: not written by Cisco, but still often very
    helpful
    Course book: training written by Cisco, ported to book format by an
    editor paid by Cisco Press, usually an excellent resource as the tests
    are taken from the course.
   
    A question came up about the different types of Cisco Press books in a
    different thread, so I responded here. (My other response never made
    it?)
   
    Anyway, congratulations on passing CID! It's a hard test. Good luck
    with CCIE.
   
    Priscilla
  
  
   The answers are very close to each other and need to be read
carefully,
  they
   can be tricky. W

Re: Passing CID [7:33784]

2002-01-31 Thread Godswill HO

That might be the likely case. But what stops them from correcting these
mistakes each time they review their questions? Why do we have such frequent
typo errors in other exams like Microsoft, Checkpoint, etc.?... just thinking
aloud.


Regards.
Oletu

- Original Message -
From: brian hall 
To: 
Sent: Thursday, January 31, 2002 9:45 AM
Subject: RE: Passing CID [7:33784]


 It's just a typo. I meant "which answer does not belong".




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33903t=33784



Re: Telnet to inside through VPN [7:33589]

2002-01-30 Thread Godswill HO

Try specifying the exact IP address of the PC from which you want to
initiate the Telnet session, and not the block of IPs.

Regards.
Oletu
- Original Message -
From: Dante Martins 
To: 
Sent: Tuesday, January 29, 2002 10:50 AM
Subject: PIX: Telnet to inside through VPN [7:33589]


 How can I telnet to the PIX inside interface from the VPN (i.e. from
 10.128.128.0 telnet 172.16.3.252)?

 I have tried using the telnet command:
 telnet 10.128.128.0 inside but it is still not working.

 Can you help me?

 Dante




 CONF MAIN PIX
 PIX Version 6.0(1)
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 DMZ1 security10
 nameif ethernet3 intf3 security15
 nameif ethernet4 intf4 security20
 nameif ethernet5 intf5 security25
 enable password *** encrypted
 passwd ** encrypted
 hostname MAIN
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol h323 1720
 fixup protocol rsh 514
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol sip 5060
 fixup protocol skinny 2000
 names
 access-list 101 permit ip 10.128.128.0 255.255.224.0 172.16.3.0
 255.255.255.0
 access-list 102 permit ip 10.128.128.0 255.255.224.0 192.168.3.0
 255.255.255.0
 access-list 103 permit ip 10.128.128.0 255.255.224.0 10.250.1.0
 255.255.255.0
 access-list 103 permit ip 10.128.128.0 255.255.224.0 10.249.0.0
 255.255.240.0
 access-list 104 permit ip 10.128.128.0 255.255.224.0 10.250.11.0
 255.255.255.0
 access-list 105 permit ip 10.128.128.0 255.255.224.0 10.250.95.0
 255.255.255.0
 pager lines 24
 logging on
 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto
 interface ethernet3 auto
 interface ethernet4 auto shutdown
 interface ethernet5 auto shutdown
 mtu outside 1500
 mtu inside 1500
 mtu DMZ1 1500
 mtu intf3 1500
 mtu intf4 1500
 mtu intf5 1500
 ip address outside 200.219.100.2 255.255.255.0
 ip address inside 10.128.159.253 255.255.224.0
 ip address DMZ1 10.255.255.254 255.255.224.0
 ip address intf3 10.250.11.254 255.255.255.0
 ip address intf4 127.0.0.1 255.255.255.255
 ip address intf5 127.0.0.1 255.255.255.255
 ip audit info action alarm
 ip audit attack action alarm
 no failover
 failover timeout 0:00:00
 failover poll 15
 failover ip address outside 0.0.0.0
 failover ip address inside 0.0.0.0
 failover ip address DMZ1 0.0.0.0
 failover ip address intf3 0.0.0.0
 failover ip address intf4 0.0.0.0
 failover ip address intf5 0.0.0.0
 pdm history enable
 arp timeout 14400
 global (outside) 1 200.219.100.100-200.219.100.199
 global (outside) 1 200.219.100.200
 global (DMZ1) 1 10.255.224.10-10.255.224.70
 nat (inside) 1 0.0.0.0 0.0.0.0 0 0
 nat (DMZ1) 1 0.0.0.0 0.0.0.0 0 0
 alias (inside) 200.219.100.26 10.255.224.3 255.255.255.255
 alias (inside) 200.219.100.30 10.128.128.30 255.255.255.255
 alias (inside) 200.219.100.31 10.255.224.9 255.255.255.255
 alias (inside) 200.219.100.54 10.255.224.4 255.255.255.255

 static (inside,outside) 200.219.100.26 10.128.128.26 netmask
 255.255.255.255 0 0
 static (inside,outside) 200.219.100.30 10.128.128.30 netmask
 255.255.255.255 0 0
 static (inside,outside) 200.219.100.31 10.128.128.32 netmask
 255.255.255.255 0 0
 static (inside,outside) 200.219.100.54 10.128.128.54 netmask
 255.255.255.255 0 0

 conduit permit icmp any any
 conduit permit tcp host 200.219.100.30 eq www any
 conduit permit tcp host 200.219.100.30 eq domain any
 conduit permit udp host 200.219.100.30 eq domain any
 conduit permit tcp host 200.219.100.31 eq www any
 conduit permit tcp host 200.219.100.31 eq domain any
 conduit permit udp host 200.219.100.31 eq domain any
 conduit permit tcp host 200.219.100.26 eq 161 any
 conduit permit tcp host 200.219.100.26 eq 162 any
 conduit permit udp host 200.219.100.26 eq snmp any
 conduit permit udp host 200.219.100.26 eq snmptrap any
 conduit permit tcp host 200.219.100.54 eq domain any
 conduit permit udp host 200.219.100.54 eq domain any
 conduit permit tcp host 200.219.100.54 eq 22 any

 route outside 0.0.0.0 0.0.0.0 200.219.100.1 1
 route outside 10.0.64.0 255.255.224.0 10.128.159.252 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+
 aaa-server RADIUS protocol radius
 snmp-server host inside 10.128.128.21
 snmp-server location mainsite
 snmp-server contact support@mainsite
 snmp-server community pixpix
 snmp-server enable traps
 floodguard enable
 sysopt connection permit-ipsec
 sysopt ipsec pl-compatible
 no sysopt route dnat

 crypto ipsec transform-set strong esp-des esp-sha-hmac
 crypto map cmap 1 ipsec-isakmp
 crypto map cmap 1 match address 101
 crypto map cmap 1 set peer 200.200.100.2
 crypto map cmap 1 set transform-set strong
 crypto map cmap 2 ipsec-isakmp
 crypto map cmap 2 match address 102
 crypto map cmap 2 set peer 200.200.111.2
 crypto map cmap 2 set transform-set strong
 crypto map cmap 3 ipsec-isakmp
 crypto map cmap 3 match 

Re: PIX % DNS Doctoring [7:33331]

2002-01-30 Thread Godswill HO
 200.219.100.2 netmask 255.255.255.255
 isakmp key  address 200.200.100.2 netmask 255.255.255.255

 isakmp identity address
 isakmp policy 10 authentication pre-share
 isakmp policy 10 encryption des
 isakmp policy 10 hash sha
 isakmp policy 10 group 1
 isakmp policy 10 lifetime 3600

 telnet 172.16.3.0 255.255.255.0 inside
 telnet timeout 5
 ssh timeout 5
 terminal width 80

 -Original Message-
 From: Godswill HO [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, January 26, 2002 7:43 PM
 To: [EMAIL PROTECTED]
 Subject: Re: PIX % DNS Doctoring [7:1]


 Hi,

 It really depends on what you want to do or implement for the DNS. The DNS
 guard on PIX is enabled by default and it cannot be disabled nor
 configured. It helps to prevent DoS attacks by tearing down the UDP
 conduit on the PIX firewall as soon as the DNS response is received, not
 waiting until the default UDP timer has expired, which is 2 minutes
 (almost an eternity in the computer world).

 The other doctoring you can do on DNS is on CBAC (Context Based Access
 Control). Here you can alter the default DNS timeout, which is 5 seconds,
 by using:

 #ip inspect dns-timeout

 It simply specifies the length of time a DNS name lookup session will
 still be managed after no activity.

 In case you need further help, feel free to ask specific questions.

 Regards.
 Oletu

 - Original Message -
 From: Dante Martins
 To:
 Sent: Saturday, January 26, 2002 4:58 PM
 Subject: PIX % DNS Doctoring [7:1]


  Somebody knows how to do DNS doctoring on PIX
  I have the DNS on DMZ with static and the clients workstations are on
  inside interface.
  Dante
 
 
 
 
  This email has been scanned for all viruses by the MessageLabs
 service.
 _
 Do You Yahoo!?
 Get your free @yahoo.com address at http://mail.yahoo.com
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33673t=1



Re: Passing CID [7:33784]

2002-01-30 Thread Godswill HO

Hi Priscilla,

Questions like "which answer doesn't not belong" means what??? Is Cisco
implying that the double negative means positive as we were taught years ago
in algebra class, or should it be ignored and taken for one negative?

I am currently taking my CSS1 track. I wrote Cisco Secure VPN yesterday, which
happens to be the third exam in the series. I came across a lot of questions
which made no sense at all. Looking at the question, it was not a question
at all; it was not asking any particular thing, it had no meaning, no
bearing, no sense in it, they are just like saying blablablablablablablabla.
The more I read them the more I get confused and lost at what Cisco was
trying to ask. Have you come across questions that made you think 'What must
be in the mind of the examiner when he was asking this question, which
aspect of Network or Security implementation was he thinking of?' What I
normally do is to completely ignore the questions and eliminate the odd
options in the answer; at the end of the day in many questions like these, I
come out with NOT THE BEST ANSWER as they use to tell one, but rather a
choice that made a different SENSE and MEANING than the other three or four.

I sometimes ask whether the current Cisco questions were not originally
written in English but were translated from another language and as such the
translators did not do a good job, or is it a deliberate action on the part of
Cisco? If it were the former it is high time they took a closer look at it,
and if it is the latter, what must have informed their actions?

Regards.
Godswill Oletu CCNP, CCDP.

- Original Message -
From: Priscilla Oppenheimer 
To: 
Sent: Wednesday, January 30, 2002 4:57 PM
Subject: Re: Passing CID [7:33784]


 At 07:19 PM 1/30/02, brian hall wrote:
 Passing this test #640-025 was the hardest yet. It took a couple of
 times. Now it's on to CCIE and then the lab, where the truth comes out.
 Some tell me that passing this brings you close to being prepared to take
 the CCIE written. I'll find out soon enough.
 
 To anyone who cares, using Boson CCDP #1 & #3 helped.
 
 I started using the latest version of the CID exam prep from Cisco Press
 but

 Exam prep guides are written with the goal of summarizing what you need to
 know. They are not the course materials, but go beyond in some ways, and
 may also skip some basic stuff. They can be great for review, but don't
 work for everyone as the primary source.

 found the earlier version of the book written by Birkner a better source.

 This wasn't an earlier version of the same book. It's a different book.
 This was the course materials ported to book format. The author should be
 Cisco (course developers) although in this case Birkner didn't exactly
 follow the script and added his own material and left some out.

 In general, Cisco Press develops at least two types of books:

 Certification guides: not written by Cisco, but still often very helpful
 Course book: training written by Cisco, ported to book format by an editor
 paid by Cisco Press, usually an excellent resource as the tests are taken
 from the course.

 A question came up about the different types of Cisco Press books in a
 different thread, so I responded here. (My other response never made it?)

 Anyway, congratulations on passing CID! It's a hard test. Good luck with
 CCIE.

 Priscilla


 The answers are very close to each other and need to be read carefully;
 they can be tricky. Watch out for the "which answer doesn't not belong"
 questions; those can be the most difficult.
 
 Good luck,
 

 Priscilla Oppenheimer
 http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33797t=33784



Re: help me with the pix problem! [7:33287]

2002-01-29 Thread Godswill HO

Hi,

To really understand this stuff: there are only two ways by which traffic
can pass from a lower security interface to a higher security interface.
1. Use the conduit or access-list command.
2. As a reply to an initial session.

For the traffic to be allowed in (reply to a session initiated from an inside
interface, option 2 above) the ASA compares the traffic's source/destination
IP addresses and port numbers and other parameters to what is in its state
table. All four parameters must be complete for the traffic to be allowed back
into the inside interface; only by that can the PIX know that the current
traffic session was indeed a reply to an outbound session. For protocols that
behave somewhat differently, the PIX has the various fixup protocol commands to
make adjustments for them in the PIX ASA.

In the case of the ping, among the different types of ICMP messages, the PIX
firewall conduit command allows the filtering of 18 ICMP messages. The ping
is echo and it is ICMP code 8, while the reply is echo-reply, ICMP code 0. When
you initiate a ping from a higher security interface to a lower one, the ASA
allows the echo (ICMP type 8) access out; the host replies with echo-reply
(ICMP type 0), which is different from the ICMP type 8 that was sent out.
Naturally the PIX ASA will drop that packet and send a 'Host Unreachable'
message to you. To receive your echo-reply you need to create an exception
in the ASA by using the conduit or access-list command.

My 0.02 cents
Regards.
Oletu

- Original Message -
From: chenyan 
To: Godswill HO 
Sent: Saturday, January 26, 2002 8:38 PM
Subject: Re: help me with the pix problem! [7:33287]


 Hi, thanks for your help.
 As you said, if the ping needs the reply allowed by the access-list, then the
 nat command for the traffic to the outside also needs the reply, but it seems
 that there is no command for the reply.

 regards.

 - Original Message -
 From: Godswill HO 
 To: cage ; 
 Sent: Sunday, January 27, 2002 2:52 PM
 Subject: Re: help me with the pix problem! [7:33287]


  Hi,
  The command:
  PIX#conduit permit icmp any any
  might just be your life saver. Do not forget that though by default
  traffic is permitted from any inside interface to an outside interface,
  you have to create an exception for the echo-reply packet from the outside
  interface to the inside interface.
 
  Regards.
  Oletu
 
  - Original Message -
  From: cage 
  To: 
  Sent: Saturday, January 26, 2002 11:26 AM
  Subject: help me with the pix problem! [7:33287]
 
 
   Hi, everybody.
   My environment is:
   the outside interface of the PIX 525 is connected to the fibre-ethernet
   transceiver, no router available, and the dmz interface of the PIX is
   connected to several servers like www, dns, etc. The inside interface is
   connected to the LAN, no proxy available.
   When I finished my configuration, I met some problems:
   1 The dmz servers' traffic cannot get out. And at the same time, they
   cannot ping the outside interface address correctly.
   2 The inside LAN nodes cannot ping the dmz interface address, but can
   ping other servers in the dmz correctly.
  
   I know I should use the nat commands to bring the traffic of the dmz to
   the outside, but since the outside addresses provided by the ISP are
   private ones, I have to use NAT (dmz) 0, but why can the dmz traffic not
   get out?
   I hope the design is not wrong.
  
   The following is my config, help me, please.
  
   sh conf
   : Saved
   :
   PIX Version 6.0(1)
   nameif ethernet0 outside security0
   nameif ethernet1 inside security100
   nameif ethernet2 dmz security50
   nameif ethernet3 intf3 security15
   nameif ethernet4 intf4 security20
   enable password 8Ry2YjIyt7RRXU24 encrypted
   passwd 2KFQnbNIdI.2KYOU encrypted
   hostname pixfirewall
   fixup protocol ftp 21
   fixup protocol http 80
   fixup protocol h323 1720
   fixup protocol rsh 514
   fixup protocol smtp 25
   fixup protocol sqlnet 1521
   fixup protocol sip 5060
   fixup protocol skinny 2000
   names
   access-list acl_in permit tcp any host 202.99.33.69 eq smtp
   access-list acl_in permit tcp any host 202.99.33.72 eq www
   access-list acl_in permit tcp any host 202.99.33.66 eq domain
   access-list acl_in permit tcp any host 202.99.33.67 eq domain
   access-list acl_in permit icmp any any
   access-list ping_acl permit icmp any any
   pager lines 30
   interface ethernet0 auto
   interface ethernet1 auto
   interface ethernet2 auto
  
  
   interface ethernet3 auto shutdown
   interface ethernet4 auto shutdown
   mtu outside 1500
   mtu inside 1500
   mtu dmz 1500
   mtu intf3 1500
   mtu intf4 1500
   ip address outside 210.82.34.29 255.255.255.0
   ip address inside 192.168.4.1 255.255.255.0
   ip address dmz 202.99.33.254 255.255.255.0
   ip address intf3 127.0.0.1 255.255.255.255
   ip address intf4 127.0.0.1 255.255.255.255
   ip audit info action alarm
   ip audit attack action alarm
   no failover
   failover timeout 0:00:00
   failover poll 15
   failover
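The behaviour Godswill describes above (return traffic matched against the outbound session, echo and echo-reply carrying different ICMP types, the conduit exception) together with the DNS guard teardown he describes in his "PIX % DNS Doctoring" reply elsewhere on this page, as an added Python model. It is not code from the thread or from Cisco: the class names, the sample addresses and the 2-second ICMP idle value are this example's own assumptions; the TCP and UDP idle values are the `timeout conn` defaults shown in the posted configs.

```python
"""Toy model of the PIX Adaptive Security Algorithm (ASA) state table.

Constructed example, not Cisco code. It reproduces only the behaviour
described in the thread: sessions are remembered on the way out, replies
are matched on the reversed addresses/ports, an ICMP echo-reply (type 0)
does not match the echo (type 8) that created the entry unless an explicit
exception exists, and a DNS answer closes its UDP entry at once instead of
waiting for the 2 minute UDP idle timer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int      # source port; for icmp the ICMP type (8 = echo, 0 = echo-reply)
    dport: int      # destination port; for icmp the ICMP type again
    in_level: int   # security level of the interface the packet arrived on
    out_level: int  # security level of the interface it is heading for


class StateTable:
    # tcp/udp from 'timeout conn 1:00:00 ... udp 0:02:00' in the posted configs;
    # the icmp value is this example's own assumption
    IDLE = {"tcp": 3600, "udp": 120, "icmp": 2}

    def __init__(self, permit_inbound=()):
        # protocols with an admin-made exception such as 'conduit permit icmp any any'
        self.permit_inbound = set(permit_inbound)
        # (proto, src, sport, dst, dport) -> time of last activity (seconds)
        self.sessions = {}

    def _expire(self, now):
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.IDLE[k[0]]}

    def process(self, p, now):
        """Return 'allow' or 'drop' for packet p seen at time now."""
        self._expire(now)
        if p.in_level > p.out_level:
            # higher -> lower security: always allowed, and remembered
            self.sessions[(p.proto, p.src, p.sport, p.dst, p.dport)] = now
            return "allow"
        if p.proto in self.permit_inbound:
            return "allow"
        # lower -> higher security: only a reply to a remembered session passes
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reverse not in self.sessions:
            return "drop"
        if p.proto == "udp" and p.sport == 53:
            del self.sessions[reverse]   # DNS guard: one answer, then the hole closes
        else:
            self.sessions[reverse] = now
        return "allow"


def demo():
    """Walk the cases from the thread; returns {case: 'allow' | 'drop'}."""
    INSIDE, OUTSIDE = 100, 0                      # security100 / security0
    host, server = "192.168.4.10", "203.0.113.5"  # constructed sample addresses
    fw = StateTable()
    r = {}
    # TCP: the SYN/ACK reverses the 4-tuple of the outbound SYN and is let in
    fw.process(Packet("tcp", host, server, 40000, 80, INSIDE, OUTSIDE), 0)
    r["tcp_reply"] = fw.process(Packet("tcp", server, host, 80, 40000, OUTSIDE, INSIDE), 1)
    # ICMP: echo (type 8) goes out, echo-reply (type 0) does not match and is dropped
    echo = Packet("icmp", host, server, 8, 8, INSIDE, OUTSIDE)
    reply = Packet("icmp", server, host, 0, 0, OUTSIDE, INSIDE)
    fw.process(echo, 2)
    r["icmp_reply"] = fw.process(reply, 3)
    # the same ping once the exception recommended in the thread exists
    fw_icmp = StateTable(permit_inbound={"icmp"})
    fw_icmp.process(echo, 2)
    r["icmp_reply_with_conduit"] = fw_icmp.process(reply, 3)
    # DNS guard: the first answer is allowed and closes the entry, a second is dropped
    resolver = "203.0.113.53"
    fw.process(Packet("udp", host, resolver, 5353, 53, INSIDE, OUTSIDE), 10)
    answer = Packet("udp", resolver, host, 53, 5353, OUTSIDE, INSIDE)
    r["dns_first_answer"] = fw.process(answer, 11)
    r["dns_second_answer"] = fw.process(answer, 12)
    # other UDP keeps its entry until the 2 minute idle timer runs out
    fw.process(Packet("udp", host, server, 50000, 123, INSIDE, OUTSIDE), 20)
    ntp_reply = Packet("udp", server, host, 123, 50000, OUTSIDE, INSIDE)
    r["udp_reply_fresh"] = fw.process(ntp_reply, 21)
    r["udp_reply_after_idle"] = fw.process(ntp_reply, 21 + 121)
    return r


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `permit_inbound` exception is deliberately coarse, like `conduit permit icmp any any`: it opens the interface for every packet of that protocol, not just replies, which is why the later posts in this thread treat it as a convenience rather than a default.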

Re: help me with the pix problem! [7:33287]

2002-01-29 Thread Godswill HO

Hi,
The command:
PIX#conduit permit icmp any any
might just be your life saver. Do not forget that though by default traffic
is permitted from any inside interface to an outside interface, you have to
create an exception for the echo-reply packet from the outside interface to the
inside interface.

Regards.
Oletu

- Original Message -
From: cage 
To: 
Sent: Saturday, January 26, 2002 11:26 AM
Subject: help me with the pix problem! [7:33287]


 Hi, everybody.
 My environment is:
 the outside interface of the PIX 525 is connected to the fibre-ethernet
 transceiver, no router available, and the dmz interface of the PIX is
 connected to several servers like www, dns, etc. The inside interface is
 connected to the LAN, no proxy available.
 When I finished my configuration, I met some problems:
 1 The dmz servers' traffic cannot get out. And at the same time, they
 cannot ping the outside interface address correctly.
 2 The inside LAN nodes cannot ping the dmz interface address, but can ping
 other servers in the dmz correctly.

 I know I should use the nat commands to bring the traffic of the dmz to the
 outside, but since the outside addresses provided by the ISP are private
 ones, I have to use NAT (dmz) 0, but why can the dmz traffic not get out?
 I hope the design is not wrong.

 The following is my config, help me, please.

 sh conf
 : Saved
 :
 PIX Version 6.0(1)
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 dmz security50
 nameif ethernet3 intf3 security15
 nameif ethernet4 intf4 security20
 enable password 8Ry2YjIyt7RRXU24 encrypted
 passwd 2KFQnbNIdI.2KYOU encrypted
 hostname pixfirewall
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol h323 1720
 fixup protocol rsh 514
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol sip 5060
 fixup protocol skinny 2000
 names
 access-list acl_in permit tcp any host 202.99.33.69 eq smtp
 access-list acl_in permit tcp any host 202.99.33.72 eq www
 access-list acl_in permit tcp any host 202.99.33.66 eq domain
 access-list acl_in permit tcp any host 202.99.33.67 eq domain
 access-list acl_in permit icmp any any
 access-list ping_acl permit icmp any any
 pager lines 30
 interface ethernet0 auto
 interface ethernet1 auto
 interface ethernet2 auto


 interface ethernet3 auto shutdown
 interface ethernet4 auto shutdown
 mtu outside 1500
 mtu inside 1500
 mtu dmz 1500
 mtu intf3 1500
 mtu intf4 1500
 ip address outside 210.82.34.29 255.255.255.0
 ip address inside 192.168.4.1 255.255.255.0
 ip address dmz 202.99.33.254 255.255.255.0
 ip address intf3 127.0.0.1 255.255.255.255
 ip address intf4 127.0.0.1 255.255.255.255
 ip audit info action alarm
 ip audit attack action alarm
 no failover
 failover timeout 0:00:00
 failover poll 15
 failover ip address outside 0.0.0.0
 failover ip address inside 0.0.0.0
 failover ip address dmz 0.0.0.0
 failover ip address intf3 0.0.0.0
 failover ip address intf4 0.0.0.0
 pdm history enable
 arp timeout 14400
 global (dmz) 1 202.99.33.73 netmask 255.255.255.0
 nat (inside) 1 192.168.4.250 255.255.255.255 0 0
 nat (dmz) 0 202.99.33.0 255.255.255.0 0 0
 static (dmz,outside) 202.99.33.69 202.99.33.69 netmask 255.255.255.255 0 0
 static (dmz,outside) 202.99.33.72 202.99.33.72 netmask 255.255.255.255 0 0
 static (dmz,outside) 202.99.33.66 202.99.33.66 netmask 255.255.255.255 0 0


 static (dmz,outside) 202.99.33.67 202.99.33.67 netmask 255.255.255.255 0 0
 access-group acl_in in interface outside
 access-group ping_acl in interface dmz
 access-group ping_acl in interface inside
 route outside 0.0.0.0 0.0.0.0 210.82.34.25 1
 timeout xlate 3:00:00
 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323
 0:05:00 sip 0:30:00 sip_media 0:02:00
 timeout uauth 0:05:00 absolute
 aaa-server TACACS+ protocol tacacs+
 aaa-server RADIUS protocol radius
 no snmp-server location
 no snmp-server contact
 snmp-server community public
 no snmp-server enable traps
 floodguard enable
 no sysopt route dnat
 telnet timeout 5
 ssh timeout 5
 terminal width 80
 Cryptochecksum:3be86ece2c90058e0c9190f986717d63

 pixfirewall#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33343t=33287



Re: Cisco Secure ACS Server [7:33415]

2002-01-28 Thread Godswill HO

I know you can have a maximum of 16 groups and a maximum of 16 servers in
each group, bringing the total of allowable servers to 256.

Regards.
Oletu
- Original Message -
From: Joel Satterley 
To: 
Sent: Monday, January 28, 2002 3:50 AM
Subject: Cisco Secure ACS Server [7:33415]


 Anyone know what (if any) limitations there are on the number of
 replication servers you can have/configure with ACS v2.6 and above?

 Joel.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33432t=33415



Re: pix [7:33352]

2002-01-27 Thread Godswill HO

YES!
- Original Message -
From: cage 
To: 
Sent: Sunday, January 27, 2002 12:55 AM
Subject: pix [7:33352]


 By using NAT 0, the lower security traffic can connect to the higher
 security part, but is it necessary to use the access-list & access-group
 commands to allow the reply into the higher part?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33367t=33352



Re: TACAS + and RADIUS Authentication [7:33372]

2002-01-27 Thread Godswill HO

Yes!!! Of course:

aaa authentication login telnetusers tacacs+
!
!
!
line vty 0 4
 login authentication telnetusers
!
!
Henceforth anybody that logs in, including users, must be authenticated by the
tacacs+ server; however, you have to be very careful with this command, because
if your tacacs+ server becomes unavailable, you might not be able to log in. The
best option is to use this instead:

aaa authentication login telnetusers tacacs+ enable

This ensures that your enable password remains valid for a login into the
router even if the tacacs+ server fails.

Regards.
Oletu


- Original Message -
From: Pierre-Alex GUANEL 
To: 
Sent: Sunday, January 27, 2002 11:43 AM
Subject: TACAS + and RADIUS Authentication [7:33372]


 Can TACACS+ or RADIUS be used to authenticate users that are NOT dialing
 in?

 (For example, can I use either technology to authenticate users telnetting
 directly to a router?)

 Thanks,

 Pierre-Alex




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33378t=33372
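The method-list behaviour behind the `tacacs+` versus `tacacs+ enable` advice in the reply above, as an added Python model that is not code from the thread or from Cisco. The server and method classes, the sample account and the passwords are constructed for the example. The one rule it encodes is how IOS walks a login method list: the next method is consulted only when the previous one returns an error (server unreachable), never when it answers with a reject, so `enable` is a lifeline for a dead server, not a second password for users the server turns away.

```python
"""Toy model of an IOS 'aaa authentication login' method list.

Constructed example, not Cisco code. TacacsServer and EnableSecret stand in
for the 'tacacs+' and 'enable' methods; users and passwords are sample data.
"""
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable)


class TacacsServer:
    """Stands in for the 'tacacs+' method: a server holding user credentials."""

    def __init__(self, users, reachable=True):
        self.users = users          # {username: password}, constructed sample data
        self.reachable = reachable  # False simulates a dead or unroutable server

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class EnableSecret:
    """Stands in for the 'enable' method: only the enable password is checked."""

    def __init__(self, secret):
        self.secret = secret

    def authenticate(self, user, password):
        return Result.PASS if password == self.secret else Result.FAIL


def login(method_list, user, password):
    """Evaluate the methods in order, the way IOS walks a method list:
    the next method is consulted only when the current one returns ERROR.
    A FAIL is final, so a reachable server that rejects the user does not
    fall through to 'enable'. If every method errors, the login is refused."""
    for method in method_list:
        result = method.authenticate(user, password)
        if result is not Result.ERROR:
            return result
    return Result.ERROR


def demo():
    """The four situations the reply above is concerned with."""
    users = {"alice": "alice-pw"}          # constructed sample account
    up = TacacsServer(users, reachable=True)
    down = TacacsServer(users, reachable=False)
    enable = EnableSecret("enable-pw")     # constructed sample enable password
    return {
        # 'aaa authentication login telnetusers tacacs+' while the server is up
        "tacacs_only_ok": login([up], "alice", "alice-pw"),
        # same list while the server is down: nobody can log in
        "tacacs_only_server_down": login([down], "alice", "alice-pw"),
        # 'aaa authentication login telnetusers tacacs+ enable': fallback works
        "with_enable_server_down": login([down, enable], "anyone", "enable-pw"),
        # the fallback is only for ERROR: a reachable server's reject is final
        "with_enable_server_up_rejects": login([up, enable], "mallory", "enable-pw"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result.value}")
```

The last case is the one worth remembering when reviewing AAA configuration: adding `enable` to the list does not weaken authentication while the server is reachable, because a rejection from the server ends the evaluation.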



Re: PIX [7:33281]

2002-01-26 Thread Godswill HO

Have you tried using nat/pat to allow both subnets on the inside interface
access to the internet? e.g.

#nat (inside) 1 0 0
#global (outside) 1 216.72.201.1

This will allow all inside users to initiate an outbound connection to the
internet using the public address 216.72.201.1, i.e. PAT.

Regards.
Oletu

- Original Message -
From: Glenn Johnson 
To: 
Sent: Saturday, January 26, 2002 10:32 AM
Subject: RE: PIX [7:33281]



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 WW
 Sent: Saturday, January 26, 2002 7:51 AM
 To: [EMAIL PROTECTED]
 Subject: PIX [7:33281]


 Our company has two subnets that need to go to the internet. However, just
 one FE internal interface is available; one is dmz and one is for the
 internet.

 Since one FE interface can't be bound to two different subnets, the two
 subnets can't go to the internet at the same time.

 Would anyone know how to solve the problem?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33312t=33281



Re: about the ping in pix ? [7:33333]

2002-01-26 Thread Godswill HO

No. Though the PIX allows traffic from a higher security interface to a lower
one, you cannot ping the dmz interface from the inside interface
successfully, because the echo-reply (response from the dmz interface) will
be disallowed from entering the inside interface, so you will end up having
time-outs.

The only way to have a successful ping is to implement the permit icmp any
any command.

The ping failed not because it did not get to the dmz interface, but
because the PIX Adaptive Security Algorithm (ASA) disallows the response from
coming back to you. The only way to go about it is to use the conduit or
access-list command to create an exception for the ASA, so that it can
allow the returned ping response.

PIX#conduit permit icmp any any

0.02 cents
Regards.
Oletu

- Original Message -
From: cage 
To: 
Sent: Saturday, January 26, 2002 5:08 PM
Subject: about the ping in pix ? [7:33333]


 Is it true: traffic is ALWAYS allowed from a higher security
 interface to a lower security interface without doing anything special?
 If it is true, can I ping from the inside or dmz to outside without
 configuring the access-list icmp any any?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9&t=33333



Re: PIX % DNS Doctoring [7:33331]

2002-01-26 Thread Godswill HO

Hi,

It really depends on what you want to do or implement for the DNS. The DNS
guard on PIX is enabled by default and it cannot be disabled nor configured.
It helps to protect against DoS attacks by tearing down the UDP conduit on
the PIX firewall as soon as the DNS response is received, not waiting until
the default UDP timer has expired, which is 2 minutes (almost an eternity
in the computer world).

The other doctoring you can do on DNS is on CBAC (Context Based Access
Control). Here you can alter the default DNS timeout, which is 5 seconds, by
using:

#ip inspect dns-timeout

It simply specifies the length of time a DNS name lookup session will
still be managed after no activity.

In case you need further help, feel free to ask specific questions.

Regards.
Oletu

- Original Message -
From: Dante Martins 
To: 
Sent: Saturday, January 26, 2002 4:58 PM
Subject: PIX % DNS Doctoring [7:33331]


 Does somebody know how to do DNS doctoring on PIX?
 I have the DNS on the DMZ with a static and the client workstations are on
 the inside interface.
 Dante


 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=33342&t=33331



Re: VPN Error with Win2K server [7:30909]

2002-01-04 Thread Godswill HO

Hi,

Checklist...
1. Did you log on to the domain?
2. Make sure that Client for MS Networks and File and Print Sharing related
services are on.
3. Try allowing ports 137, 138 and 139.

Good Luck

Regards.
Oletu

- Original Message -
From: Navin Parwal 
To: 
Sent: Friday, January 04, 2002 3:26 AM
Subject: VPN Error with Win2K server [7:30909]


 Hi All,
 I am facing a strange error, please guide me what I should do.
 I am able to create a tunnel via dial-up with the VPN adapter from my
 remote client which has Windows Millennium to my Cisco Router which is in
 my HQ. I have done the VPDN set-up, but I am not able to authenticate with
 my Win2K server; it gives an error message saying that no domain server is
 available to authenticate.
 As soon as I click on OK, I get logged on to the VPN, but only till the
 router. I am not a part of the domain; I can ping to the Win2K domain
 controller and other machines, but I can not access them.
 I have enabled the users' access for remote access and VPN on the Win2K
 server. What could be wrong? Please guide me.
 My show VPDN result is given below.

 If possible send me a mail at [EMAIL PROTECTED] as well

 thanks in advance

 Navin Parwal



 r4#
 r4#sh vpdn

 %No active L2TP tunnels

 %No active L2F tunnels

 PPTP Tunnel and Session Information Total tunnels 1 sessions 1

 LocID Remote Name StateRemote Address  Port  Sessions
 2 estabd   210.214.164.144 1130  1

 LocID RemID TunID IntfUsername  State   Last Chg
 2 32768 2 Vi1 technosys\adm estabd  00:01:33

 %No active PPPoE tunnels
 r4#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30931&t=30909



Re: Access-List questions [7:31001]

2002-01-04 Thread Godswill HO

Hi,

Try the following:

ip access-list standard allowed
 permit 10.10.10.40 0.0.0.7
 permit 10.10.10.48 0.0.0.0
 permit 10.10.10.49 0.0.0.0

The first permit statement allows addresses n.n.n.40 to n.n.n.48, while the
last one allows address n.n.n.49. There is no way you can deny a whole range
without affecting other addresses with one single statement.

When applying it to your interface say:

Router(config-if)#ip access-group allowed in

Regards.
Oletu

- Original Message -
From: Hunt Lee 
To: 
Sent: Friday, January 04, 2002 9:29 PM
Subject: Access-List questions [7:31001]


 Hello there,

 I need some help on Access-Lists:

 Say if I want to permit network access to only 10.10.10.1 - 10.10.10.254

 I know you can simply use:

 Access-list 10 permit 10.10.10.0 0.0.0.255

 However, if I want to only permit the range of 10.10.10.40 to 10.10.10.49
 (inclusive), then what should I do?

 Any help is greatly appreciated.

 Best Regards,
 Hunt Lee
 IP Solution Analyst
 Cable & Wireless




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=31006&t=31001



Re: Why use wildcard mask [7:30473]

2001-12-30 Thread Godswill HO

I think it all originated from the principle of:
1 = Do not care (matches everything and anything)
0 = Care (matches only the identical corresponding digit)

Maybe it is a hang-on from the old binary digit stuff. Man, you have no
choice but to do the inverse, else your access-list would not work, unless
you are ready to develop a router IOS that will use the direct mask.

Good luck

Regards.
Oletu

- Original Message -
From: 
To: 
Sent: Saturday, December 29, 2001 10:50 PM
Subject: Why use wildcard mask [7:30473]


 Hi All,

 I am trying to find out why we do inverse/wildcard
 masks while using access lists.

 For example, if I want to deny the 192.168.1.0 255.255.255.0
 network, on the access list we configure this
 as 192.168.1.0 0.0.0.255, but why do we do it this
 way instead of 255.255.255.0?

 All this seems to be is just an inverse relationship pointing back at the
 same thing. Even if I want to get specific and deny 192.168.1.0
 255.255.255.192, this translates to 192.168.1.0 0.0.0.63, which seems to be
 just 255.255.255.255 minus the standard mask.

 Is there a specific reason why we do inverse masks? It seems to be easier
 just to configure it with normal masks. This way, we skip an extra
 procedure.

 thanks
 Mike




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30477&t=30473
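An added worked example (my own Python, not code from any post in this thread) for the two access-list questions above: it implements the "1 = don't care, 0 = care" wildcard rule, derives a wildcard from a subnet mask by the 255.255.255.255 subtraction Mike describes, and works out the fewest aligned base/wildcard pairs that cover an inclusive range such as Hunt Lee's 10.10.10.40 to 10.10.10.49. All function names and the sample addresses are my own.

```python
"""Wildcard-mask arithmetic for Cisco-style standard access lists.

Added worked example, not code from the mailing-list posts. Covers the
rule "wildcard bit 1 = don't care, 0 = must match" and shows how many
base/wildcard pairs an arbitrary inclusive range needs.
"""
import ipaddress


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def to_str(value):
    return str(ipaddress.IPv4Address(value))


def inverse_mask(subnet_mask):
    """Wildcard for a subnet mask: bitwise NOT, i.e. 255.255.255.255 - mask."""
    return to_str(~to_int(subnet_mask) & 0xFFFFFFFF)


def wildcard_match(addr, base, wildcard):
    """True if addr matches base/wildcard.

    Only the bit positions where the wildcard has a 0 are compared; a 1 in
    the wildcard means that bit of addr may be anything.
    """
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


def range_to_entries(first, last):
    """Fewest aligned (base, wildcard) pairs whose union is exactly [first, last].

    A single contiguous wildcard entry can only express an aligned
    power-of-two block, so the range is carved greedily into the largest
    aligned blocks that still fit inside it.
    """
    lo, hi = to_int(first), to_int(last)
    if lo > hi:
        raise ValueError("first address must not exceed last address")
    entries = []
    while lo <= hi:
        size = 1
        # Grow the block while lo stays aligned and the block ends by hi.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((to_str(lo), to_str(size - 1)))
        lo += size
    return entries


def addresses_matched(entries, first, last):
    """Every address in [first, last] matched by at least one entry."""
    return [to_str(a) for a in range(to_int(first), to_int(last) + 1)
            if any(wildcard_match(to_str(a), b, w) for b, w in entries)]


if __name__ == "__main__":
    # Constructed check for the .40-.49 range asked about in the thread.
    for base, wc in range_to_entries("10.10.10.40", "10.10.10.49"):
        print(f"permit {base} {wc}")
    print(inverse_mask("255.255.255.192"))  # the 0.0.0.63 from Mike's question
```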



Re: Telnet to PIX from outside interface [7:30413]

2001-12-29 Thread Godswill HO

Hi,

It is general knowledge that a PIX firewall can not be telneted into from the
outside interface; however some documentation I am reviewing recently seems to
say the opposite. If your workstation IP address is e.g. 216.72.211.12, try the
command below:

PIX(config)#telnet 216.72.211.12 255.255.255.255 outside

See whether it will sort out your problem.

Regards.
Oletu

- Original Message -
From: ietobe 
To: 
Sent: Friday, December 28, 2001 9:28 PM
Subject: Telnet to PIX from outside interface [7:30413]


 Hi, Guy
 Can anybody tell me how to allow telnet from outside network on PIX?

 Tks

 Gabriel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30457&t=30413



Re: Help on CLID [7:30179]

2001-12-27 Thread Godswill HO

Enable this feature in the user group option in the Cisco Secure Access
Server on your Windows NT machine. All you need to do is to check the 'CLID'
box in the 'user group' option.

Then go to each individual account in the ACS and check this button as well,
but this time add the caller's phone number. Repeat this for all users you
want to be authenticated by CLID; however, note that once you enable this
feature in the user group option, every user must be additionally
authenticated by CLID. It then means if you did not supply a particular
user's phone number in his profile he likely would be denied access.

Regards
Oletu

- Original Message -
From: Anil Kumar 
To: 
Sent: Thursday, December 27, 2001 6:10 AM
Subject: Help on CLID [7:30179]


 For one customer I am implementing the dial solution. The
 customer has got a 3662 router with NM-16A card. For the
 authentication, the ACS for Windows NT/2000 has been
 configured. The username database for the ACS is obtained
 through the Windows NT Domain. In order to have more
 security, apart from username / password authentication the
 customer wants the CLID facility to be enabled so that the
 users log in through one telephone line only.
 How can the CLID be enabled on NM-16A for a 3660 router?
 Request for help.

 Thanks in Advance,

 Regards.. Anil Kumar






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=30181&t=30179



Re: need advice [7:29392]

2001-12-18 Thread Godswill HO

Hi Festus,

I do not see any way one access-list command can help you achieve your
objective. If you were talking of chatting and other stuff that uses a
particular port number, then an access-list would be the answer. To use an
access-list, I am afraid you have to know the IP addresses of these sites and
block them individually. I will not advise you to go this way, because it is
going to slow down your router.

If you are using a proxy server to connect to the net, ZoneAlarm is a
freeware on the net; download ZoneAlarm onto the proxy server and have it
deny access to these sites.

However, if you are not using a proxy server, the handy solution for you
depends on how technically sound your internet users are. Sometime in the
evening when everybody has gone home, you need to go round each computer
and do the following:
Assuming you are using Internet Explorer
1. Click on Tools then pick Internet Options
2. Click on Content and pick Content Advisor
3. On the Content Advisor frame, click on Enable then click on the Rating tab.
4. You have the option to restrict users to sites based on the content of that
site, e.g.
--Language, Nudity, Sex and Violence

This is possible because at registration sites are classified according to
their content, and so each time anybody accesses the internet through that
computer, it validates the site against the database stored on the internet
before pulling up that site.

On your second question, remember you have to log in to the domain to be
able to use the network printer. Make sure you are logged in and confirm from
the NT PDC that that computer has actually logged in with a valid user ID. Also
check privileges and the access control list on the shared printer; make sure
that everyone has full access to the printer.

Regards.
Oletu
- Original Message -
From: mrfestus wariye 
To: 
Sent: Monday, December 17, 2001 1:21 PM
Subject: need advice [7:29392]


 I have just finished my CCNA programme and I am
 currently doing a 2 month internship programme with an
 outfit that runs a cyber cafe business that provides
 internet access services for the public.
 I am their interim network administrator.
 I have noticed a lot of loopholes in the network, and
 some of my problems I need answers to are:

 1. How do I use a single command line to deny access
 to all pornographic/adult sites on the network?
 2. Some computers within the network are denied access
 to the network (to use network resources like the network
 printer), but the same computers can see the shared
 internet access.

 Your useful advice would be appreciated.
 Yours truly,
 Festus Taferi.








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29467&t=29392



Re: Is there a time limited for taking all the CCNP ex [7:29451]

2001-12-17 Thread Godswill HO

Hi Patrick,

Irrespective of the date you started any of your CCNP or CCDP track, you
are certified on the very date you wrote the last exam in each of the
series. e.g. If I write Routing 2.0 on 1/1/2001 and wrote the other two any
date in between, but for one reason or the other I now write the last exam,
say CIT 3.0, on 1/1/2003, you will become CCNP on 1/1/2003, i.e. if you passed
CIT 3.0, and the two years' expiration of your certificate starts counting from
1/1/2003, not 1/1/2001 when you first wrote the exam.

However, you might be having a problem if the course you are yet to write
gets upgraded; it means you probably are going to buy new books, look for
new exam scenarios, would not have a familiar exam format and all that. Apart
from that, you will still be on course. If for example one of the exams you
have written got upgraded before you complete all four, you are not required
to go back and write that exam again; you have passed it already and it
still counts towards your credit.

Another thing you also have to bear in mind is that Cisco normally upgrades
the whole certificate at intervals, e.g. the current CCNA v2 was
upgraded June 2000 from v1. I do not know the current version of CCNP we have
now; assuming it is version 2, and you were not able to upgrade before say
version 3 came up, you will still have the version 2 exams available for you
to write at the end of the day. You will have CCNP v2; for you to get CCNP
v3, you have to write just one upgrade exam and that is all, so your CCNP
v2 by that exam would be upgraded to CCNP v3.

Good luck

Regards.
Oletu
- Original Message -
From: Patrick Zhou 
To: 
Sent: Monday, December 17, 2001 7:51 PM
Subject: RE: Is there a time limited for taking all the CCNP ex [7:29449]


 Thanks for your reply!

 You meant, CCNA had 3 years to expire, but CCNP had only 2 years, right?

 Oh! I never knew that; I had thought that the expiration of CCNP was also 3
 years!!

 But how come, if I start my CCNP exams in 2002, while the exams will be
 upgraded in 2003? Would I have only 1 year to finish all my CCNP
 exams? Even if I pass, will my certification be retired after 2003's CCNP
 exam upgrade?

 It's quite a confusing question... thanks again for your kind reply!

 Regards,

 Patrick
 MCSE, MCDBA, CCNA

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
 Nick S.
 Sent: Tuesday, December 18, 2001 10:21 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Is there a time limited for taking all the CCNP ex
 [7:29375]

 Well, the 2 yr. limit exists because the certification itself expires in
 2 yrs.

 So if u begin ur ccnp today by going for 1 of the tests, the new version
 of that test usually comes out in 2 yrs time, by which if u have or have
 not finished ur ccnp, ur certification has retired.

 Nick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29451&t=29451



Re: Help with IP Addressing/VLSM- work project [7:29160]

2001-12-14 Thread Godswill HO

Hi Sarah,

Since all you need is just five usable subnets, the way I go about it is:
2 raised to the power of 3 = 8 subnets. (You cannot use 2 raised to the power of
2, 'cos that would give me 4 subnets but I need at least 5 subnets.)
It means you can not get exactly five subnets; you will have 3 extra subnets
for future use. From above you borrowed 3 bits from the last octet of the
given IP address for subnet purposes. Then, going by the last octet, the eight
bits have these weights (128, 64, 32, 16, 8, 4, 2, 1); since you are using
the first three bits, they add up to 128+64+32=224. Now, to get the
number of IP addresses in each subnet, 256-224=32. It also means your IP
addresses would be multiples of 32. The 8 subnets would now be:

1. 65.85.105.0 255.255.255.224
2. 65.85.105.32 255.255.255.224
3. 65.85.105.64 255.255.255.224
4. 65.85.105.96 255.255.255.224
5. 65.85.105.128 255.255.255.224
6. 65.85.105.160 255.255.255.224
7. 65.85.105.192 255.255.255.224
8. 65.85.105.224 255.255.255.224

It is now up to you which five to utilize first. For documentation purposes
and ease of troubleshooting, it will be appropriate you use the first five
and leave the rest for future development and expansion.

Regards
Oletu
- Original Message -
From: Sarah Parker 
To: 
Sent: Thursday, December 13, 2001 8:15 PM
Subject: Help with IP Addressing/VLSM- work project [7:29160]


 Hello Everyone,

 I am working on a small IP address project and trying
 to figure out VLSM.

 Since I am not very good and do not have much
 experience with IP addressing, I wanted to send this
 to make sure what I have is correct or if I am really
 wrong on this one.
 Thanks in advance for any feedback or corrections!!

 This is a new network-
 Current IP Address=65.85.105.0
 Mask=255.255.255.0

 I need a total of  5 subnets.

 What I did
 Took 65.85.105.0, 255.255.255.128 to subnet into  2
 networks,
 This gave me
 Subnet 1= 65.85.105.0, hosts 1-126, broadcast  127
 Subnet 2=65.85.105.128, hosts 129-254, broadcast 255

 Took 65.85.105.128 255.255.255.192 to subnet into 4
 subnets
 This gave me
 Subnet 1=65.85.105.0, hosts 1-62, broadcast 63
 Subnet 2=65.85.105.64, hosts 54-126, broadcast 127
 Subnet 3=65.85.105.128, hosts 129-190, broadcast 190
 Subnet 4=65.85.105.192, hosts 193-254, broadcast 255

 So this would give me to use on the network
 1=65.85.105.0 255.255.255.128 (17 mask?)
 2=65.85.105.0 255.255.255.192 (18 mask?)
 3=65.85.105.64 255.255.255.192
 4=65.85.105.128 255.255.255.192
 5=65.85.105.192 255.255.255.192


 Did I do this correctly? This is based on using subnet
 zero.

 I am using a public class A but for security reasons I
 did change the actual real address.

 Thanks again for everyone's feedback.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=29205&t=29160
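An added worked example (my own Python, not code from the posts above) that carries the subnetting reasoning in the reply through in code: how many bits to borrow for a required number of subnets, the resulting mask and block size, and the network, usable host range and broadcast of every subnet, spare ones included. Function names are my own; the 65.85.105.0/24 and five-subnet inputs are the ones from Sarah's question.

```python
"""Fixed-length subnetting: how many bits to borrow and what each subnet
looks like. Added worked example, not code from the posts above; it
reproduces the 65.85.105.0/24 -> five subnets reasoning in the reply.
"""
import ipaddress


def bits_to_borrow(needed_subnets):
    """Smallest n with 2**n >= needed_subnets (5 -> 3 bits, 8 subnets)."""
    if needed_subnets < 1:
        raise ValueError("need at least one subnet")
    return (needed_subnets - 1).bit_length()


def plan_subnets(network, needed_subnets):
    """Return (new_mask, block_size, rows) for a fixed-length subnet plan.

    rows holds one dict per subnet with its network, first and last usable
    host and broadcast address; all 2**n subnets are listed so the spare
    ones for future growth are visible.
    """
    net = ipaddress.ip_network(network, strict=True)
    n = bits_to_borrow(needed_subnets)
    new_prefix = net.prefixlen + n
    if new_prefix > 30:
        raise ValueError("subnets would be too small for usable hosts")
    new_mask = str(ipaddress.ip_network(f"0.0.0.0/{new_prefix}").netmask)
    # Addresses per subnet, e.g. 256 - 224 = 32 for a /27 inside a /24.
    block_size = 2 ** (32 - new_prefix)
    rows = []
    for sub in net.subnets(prefixlen_diff=n):
        rows.append({
            "network": str(sub.network_address),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
        })
    return new_mask, block_size, rows


if __name__ == "__main__":
    mask, block, rows = plan_subnets("65.85.105.0/24", 5)
    print(f"mask {mask}, {block} addresses per subnet, {len(rows)} subnets")
    for i, r in enumerate(rows, 1):
        print(f"{i}. {r['network']} {mask} hosts {r['first_host']}-"
              f"{r['last_host']} broadcast {r['broadcast']}")
```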



Re: Access Lists [7:28927]

2001-12-12 Thread Godswill HO

You probably have to provide more information.

1. Are your users dialing into a router (access server) or through a RAS card
on a computer system?
2. If the answer to question 1 is through a router, then is the router also the
router that connects to the internet, or do you have another gateway router?
3. Then the interfaces to which you apply the access-list also count, so say
more on the interfaces you have on your router and the ones you applied the
access-list on, and again in which direction (in or out)?

Regards

- Original Message -
From: J. Johnson 
To: 
Sent: Wednesday, December 12, 2001 11:24 AM
Subject: Access Lists [7:28927]


 We have a Cisco 5300 Dial-up. We want to allow everyone to get to our
 network when they dial in. We do not want everyone to get on the internet
 when they dial in. This is what my access list looks like:

 access-list 110 permit ip 165.5.0.0 0.0.255.255 any
 access-list 110 deny ip any any

 Everyone can get to our network and get on the internet with the above list.
 Can you see anything wrong?

 Thanks.

 Jill




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=28967&t=28927