Re: PIX and Router Setup Question [7:74141]
I would let the Firewall handle the NATing. If you just want the router to perform NAT, you need to use NAT 0 on the PIX. The border router should only do basic filtering and routing.

From: Michael Barnhart
Date: 2003/08/18 Mon PM 11:06:03 EDT
To: [EMAIL PROTECTED]
Subject: PIX and Router Setup Question [7:74141]

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=74170t=74141
--
**Please support GroupStudy by purchasing from the GroupStudy Store: http://shop.groupstudy.com
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html

Re: RE: PIX translation problem [7:72567]
Changing the timeout value worked, so the problem is fixed. Thanks all.

From: Reimer, Fred
Date: 2003/08/08 Fri AM 11:26:37 EDT
To: [EMAIL PROTECTED]
Subject: RE: PIX translation problem [7:72567]

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73744t=72567

Re: RE: PIX translation problem [7:72567]
4000, even though there are 65000 ports available

From: Lynne Padgett
Date: 2003/08/08 Fri AM 11:11:01 EDT
To: [EMAIL PROTECTED]
Subject: RE: PIX translation problem [7:72567]

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73743t=72567

PIX translation problem [7:72567]
Has anybody seen this message?

07-15-2003 13:55:38 Local4.Error 192.168.1.1 Jul 15 2003 09:53:35: %PIX-3-202001: Out of address translation slots!

I told the customer to change the translation time-out.

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=72567t=72567
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: PIX 6.3 [7:69876]
Yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manny
Sent: Friday, May 30, 2003 11:26 AM
To: [EMAIL PROTECTED]
Subject: PIX 6.3 [7:69876]

Has anyone upgraded to 6.3? Will I still be able to use conduits and statics? I currently have a 515 running 6.1(2).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69887t=69876

RE: Easy VPN [7:69804]
I am getting the following error:

6d20h: %SYS-5-CONFIG_I: Configured from console !e
6d21h: EZVPN(hw2): Current State: READY
6d21h: EZVPN(hw2): Event: RESET
6d21h: EZVPN(hw2): ezvpn_close
6d21h: EZVPN(hw2): New State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Current State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Event: CONNECT
6d21h: EZVPN(hw2): ezvpn_connect_request
6d21h: EZVPN(hw2): New State: READY
6d21h: EZVPN(hw2): Current State: READY
6d21h: EZVPN(hw2): Event: CONN_DOWN
6d21h: EZVPN(hw2): ezvpn_close
6d21h: EZVPN(hw2): New State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Current State: CONNECT_REQUIRED
6d21h: EZVPN(hw2): Event: CONNECT
6d21h: EZVPN(hw2): ezvpn_connect_request
6d21h: EZVPN(hw2): New State: READY
6d21h: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Aggressive mode failed with peer at 100.100.100.1

-----Original Message-----
From: Greg Owens Jr [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 5:18 PM
To: '[EMAIL PROTECTED]'
Subject: Easy VPN

Has anyone used a PIX and 1700 for Easy VPN configuration? I.e. PIX as the server and 1700 as remote device.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69804t=69804

Easy VPN [7:69608]
Has anyone used a PIX and 1700 for Easy VPN configuration? I.e. PIX as the server and 1700 as remote device.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69608t=69608

RE: Easy VPN [7:69608]
I know it is the PIX. I really need a Server config. The Remote is simple.

Greg Owens 202-398-2552 fax 202-399-7690

-----Original Message-----
From: Elijah Savage [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 8:00 PM
To: Greg Owens Jr; [EMAIL PROTECTED]
Subject: RE: Easy VPN [7:69608]

I do not know which you're having the problem with, but I have used it with a Cisco 3030 concentrator. If you think the router config is an issue I can provide you with one I used with the concentrator. But I suspect it is the pix giving you issues :)

-----Original Message-----
From: Greg Owens Jr [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 5:18 PM
To: [EMAIL PROTECTED]
Subject: Easy VPN [7:69608]

Has anyone used a PIX and 1700 for Easy VPN configuration? I.e. PIX as the server and 1700 as remote device.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=69618t=69608

Re: RE: VPN Client behind PIX [7:64358]
I found this info under the 3.6 client:

Allowing the VPN Client to Work Through ESP-Aware NAT/Firewalls

When using the VPN Client behind an ESP-aware NAT/Firewall, the port on the NAT/Firewall device may be closed due to the VPN Client's keepalive implementation, called DPD (Dead Peer Detection). When a Client is idle, it does not send a keepalive until it sends data and gets no response.

To allow the VPN Client to work through ESP-aware NAT/Firewalls, add the following parameter and setting to the [Main] section of any *.pcf (profile configuration file) for the affected connection profile.

ForceKeepAlives=1

This parameter enables IKE and ESP keepalives for the connection at approximately 20 second intervals. For more information, see Connection Profile Configuration Parameters in the VPN Client Administrator

From: Kevin O'Gilvie
Date: 2003/03/05 Wed PM 11:16:52 EST
To: [EMAIL PROTECTED]
Subject: RE: VPN Client behind PIX [7:64358]

I couldn't have said it better myself!!

From: brett spunt
To: 'Kevin O'Gilvie' ,
Subject: RE: VPN Client behind PIX [7:64358]
Date: Wed, 5 Mar 2003 19:17:26 -0800

It's not possible, and here's why. The pix Vpn only supports IPSEC over UDP. Ipsec over UDP is NOT supported when sitting behind a stateful firewall (such as the pix). You need to use Ipsec over TCP if using the vpn client sitting behind a pix, or like stated before, you could create a site to site VPN, setting up to peer with the pix at your work. The reason a concentrator will work is that it supports ipsec over tcp connections, in addition to standard ipsec, and ipsec over UDP.

HTH,
Brett Michael Spunt
CCNP,CIPT,MCSE
Computer Network Innovations
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin O'Gilvie
Sent: Tuesday, March 04, 2003 7:23 PM
To: [EMAIL PROTECTED]
Subject: Re: VPN Client behind PIX [7:64358]

I am assuming he is behind a cable modem or dsl. If so, even cisco says this is not possible. If someone has this working please advise.

From: Greg Owens
Reply-To: Greg Owens
To: [EMAIL PROTECTED]
Subject: Re: VPN Client behind PIX [7:64358]
Date: Tue, 4 Mar 2003 19:09:16 GMT

You just need to open the ports you are using, ie 500, 47 1

From: Steve Smith
Date: 2003/03/04 Tue AM 11:15:21 EST
To: [EMAIL PROTECTED]
Subject: VPN Client behind PIX [7:64358]

OK gang here is the scenario. We have a PIX at work running VPN. I have a 515 at home. Before I put the 515 at home in I could use the VPN client to connect to work. Now I can not. I remember a year or so back reading a Cisco article about this and that you had to use a certain IP range on the remote (my house) network. Does anyone know anything about this? Any suggestions?

Thanks!

Steve Smith
Enterprise Engineer
901-758-8179 ext. 108
TEKSELL
[EMAIL PROTECTED]

Greg Owens 202-398-2552

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64603t=64358

Re: VPN Client behind PIX [7:64358]
You just need to open the ports you are using, ie 500, 47 1

From: Steve Smith
Date: 2003/03/04 Tue AM 11:15:21 EST
To: [EMAIL PROTECTED]
Subject: VPN Client behind PIX [7:64358]

OK gang here is the scenario. We have a PIX at work running VPN. I have a 515 at home. Before I put the 515 at home in I could use the VPN client to connect to work. Now I can not. I remember a year or so back reading a Cisco article about this and that you had to use a certain IP range on the remote (my house) network. Does anyone know anything about this? Any suggestions?

Thanks!

Steve Smith
Enterprise Engineer
901-758-8179 ext. 108
TEKSELL
[EMAIL PROTECTED]

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64379t=64358

RE: PIX VPN and IPSEC [7:64017]
The command isakmp key ** address 0.0.0.0 is for VPN client 1.1, not 3.x. If you protect all traffic the user will not be able to browse the internet. If you configure split tunnel, users can VPN into your network and browse the internet using their ISP, not your VPN.

Greg Owens 202-398-2552 fax 202-399-7690

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 3:39 PM
To: [EMAIL PROTECTED]
Subject: PIX VPN and IPSEC [7:64017]

I have a question regarding the configuration of manual IPSEC. I have to create an access list to define the traffic to protect. I want to connect to my office network from home. I have a DHCP assigned address from my ISP so I can't specify a peer address. So I will use isakmp key ** address 0.0.0.0 for now. Now as far as the traffic goes. Should I specify protect all traffic or what? What happens when I have multiple remote users? I would like the PIX to be the end point so I can travel over my entire network (email, shares, printers, etc). I'm a little confused on this.

Thanks in advance...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64026t=64017

RE: PIX 520 Xlate Problem [7:63087]
U may want to change your xlate timeout

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Danial Morison
Sent: Saturday, February 15, 2003 2:58 AM
To: [EMAIL PROTECTED]
Subject: PIX 520 Xlate Problem [7:63087]

Hi group,

Any idea where the problem is.. thanks..

We have implemented PIX with the following configuration. We have 3 inside networks mapped with 2 different public IP pools, 203.125.152.0/26 and 203.125.150.0/24. Problem is the inside network 10.0.0.0/17 (10.0.0.0 subnet mask 255.255.128.0) is not able to go to internet after a certain period of time (2 or 3 days). Any idea where the problem is.. thanks..

172.0.0.0/8
10.0.0.0/8
10.0.0.0/17

Here are the details.

pixfirewall# sh global
global (outside) 1 203.125.152.194-203.125.152.236 netmask 255.255.255.192
global (outside) 4 203.125.150.1-203.125.150.126 netmask 255.255.255.128
global (outside) 2 203.125.152.244 netmask 255.255.255.192
global (outside) 3 203.125.152.248 netmask 255.255.255.192
global (outside) 1 203.125.152.193 netmask 255.255.255.192
global (outside) 4 203.125.150.249 netmask 255.255.255.128
global (dmz) 1 172.16.13.11-172.16.13.20 netmask 255.255.255.0
global (dmz) 2 172.16.13.51-172.16.13.60 netmask 255.255.255.0
global (dmz) 3 172.16.13.61-172.16.13.70 netmask 255.255.255.0
global (dmz) 4 172.16.13.71-172.16.13.80 netmask 255.255.255.0
global (dmz) 1 172.16.13.10 netmask 255.255.255.0
global (dmz) 2 172.16.13.9 netmask 255.255.255.0
global (dmz) 3 172.16.13.8 netmask 255.255.255.0
global (dmz) 4 172.16.13.6 netmask 255.255.255.0

pixfirewall# sh nat
nat (inside) 2 172.16.1.115 255.255.255.255 0 0
nat (inside) 3 172.16.11.76 255.255.255.255 0 0
nat (inside) 3 172.16.11.80 255.255.255.255 0 0
nat (inside) 3 172.16.11.84 255.255.255.255 0 0
nat (inside) 2 172.16.11.224 255.255.255.240 0 0
nat (inside) 4 10.0.0.0 255.255.128.0 0 0
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
nat (inside) 1 172.0.0.0 255.0.0.0 0 0
nat (dmz) 1 172.16.13.0 255.255.255.0 0 0

pixfirewall# sh xlate
Global 203.125.152.220 Local 172.16.11.71
Global 203.125.152.221 Local 172.16.11.149
Global 172.16.13.11 Local 172.16.11.139
PAT Global 203.125.152.193(52641) Local 172.16.11.57(1155)
Global 203.125.152.222 Local 172.16.11.120
Global 203.125.152.223 Local 172.16.152.37
Global 203.125.152.216 Local 172.17.1.94
Global 203.125.152.217 Local 172.16.1.20
Global 203.125.152.218 Local 172.16.5.20
Global 172.16.13.12 Local 172.16.1.205
Global 203.125.152.219 Local 172.16.11.139
Global 172.16.13.13 Local 172.16.154.75
Global 203.125.152.212 Local 172.16.11.194
Global 203.125.152.213 Local 172.17.11.91
Global 203.125.152.214 Local 172.17.1.91
Global 203.125.152.215 Local 172.16.5.78
Global 203.125.152.208 Local 172.16.1.22
Global 203.125.152.209 Local 172.16.5.15
Global 203.125.152.210 Local 172.16.151.75
Global 203.125.152.211 Local 172.17.1.23
Global 203.125.152.204 Local 172.16.5.79
Global 203.125.152.205 Local 172.16.5.13
PAT Global 203.125.152.193(52640) Local 172.16.11.57(1154)
Global 203.125.152.206 Local 172.18.1.22
Global 203.125.152.207 Local 172.18.1.104
Global 203.125.152.200 Local 172.16.11.192
Global 203.125.152.201 Local 172.18.1.24
Global 203.125.152.203 Local 172.16.5.17
PAT Global 172.16.13.6(43713) Local 10.0.12.137(12875)
Global 203.125.152.203 Local 172.16.151.72
Global 203.125.152.196 Local 172.16.5.21
Global 203.125.152.197 Local 10.120.10.51
Global 172.16.13.19 Local 172.18.1.254
Global 203.125.152.198 Local 172.17.1.93
Global 203.125.152.199 Local 172.16.11.186
Global 203.125.150.193 Local 172.16.206.30 static
PAT Global 203.125.152.244(21827) Local 172.16.11.233(4493)
PAT Global 203.125.152.244(21811) Local 172.16.11.233(4480)
Global 203.125.152.194 Local 172.16.5.18
Global 172.16.13.20 Local 172.17.1.110
Global 203.125.152.195 Local 172.16.5.14
Global 203.125.150.252 Local 172.16.1.40 static
Global 203.125.152.252 Local 172.16.13.21 static
Global 172.16.13.42 Local 172.18.1.22 static
Global 172.16.13.43 Local 172.17.1.21 static
PAT Global 203.125.152.193(52643) Local 172.16.11.57(1158)
Global 172.16.13.40 Local 172.16.11.21 static
Global 172.16.13.41 Local 172.16.206.21 static
Global 203.125.150.249 Local 172.16.13.27 static
Global 203.125.152.249 Local 172.16.13.23 static
Global 172.16.13.47 Local 10.160.10.53 static
Global 203.125.152.250 Local 172.16.1.41 static
Global 203.125.150.250 Local 172.16.1.24 static
PAT Global 172.16.13.6(43714) Local 10.0.12.140(14384)
Global 172.16.13.44 Local 172.16.152.21 static
Global 203.125.152.251 Local 172.16.13.22 static
Global 172.16.13.45 Local 10.160.10.51 static
Global 203.125.152.245 Local 10.160.10.51 static
Global 203.125.152.246 Local 172.16.13.26 static
Global 203.125.152.247 Local 172.16.13.25 static
Global 203.125.152.240 Local 10.160.10.52 static
Global 203.125.152.241 Local 172.16.18.51 static
PAT Global 203.125.152.244(22080) Local 172.16.11.229(1026)

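Added example, not part of the original posts: one way to compare the dynamic global pools with the translation table in output shaped like the "sh global" and "sh xlate" listings above, since a fully used pool with no PAT address behind it is a typical condition for %PIX-3-202001. The sample text and all function names are constructed for illustration; the code assumes a single-address "global" line is a PAT address and does not track which interface an xlate belongs to.

```python
"""Global-pool utilisation from PIX 'show global' and 'show xlate' text."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample output (documentation addresses, not the poster's data).
SHOW_GLOBAL = """\
global (outside) 1 192.0.2.10-192.0.2.13 netmask 255.255.255.0
global (outside) 1 192.0.2.9 netmask 255.255.255.0
global (outside) 4 198.51.100.1-198.51.100.3 netmask 255.255.255.0
"""
SHOW_XLATE = """\
Global 192.0.2.10 Local 172.16.11.71
Global 192.0.2.11 Local 172.16.11.149
PAT Global 192.0.2.9(52641) Local 172.16.11.57(1155)
Global 198.51.100.1 Local 10.0.12.137
Global 198.51.100.2 Local 10.0.12.140
Global 198.51.100.3 Local 10.0.12.141
Global 192.0.2.200 Local 172.16.1.40 static
"""

IP = r"\d+\.\d+\.\d+\.\d+"
# global (<iface>) <nat_id> <first>[-<last>] netmask <mask>
GLOBAL_RE = re.compile(rf"global \((\w+)\) (\d+) ({IP})(?:-({IP}))? netmask")
# [PAT ]Global <addr>[(port)] Local <addr>[(port)][ static]
XLATE_RE = re.compile(
    rf"(PAT )?Global ({IP})(?:\(\d+\))? Local {IP}(?:\(\d+\))?( static)?"
)


def parse_pools(show_global):
    """Return {(iface, nat_id): {"ranges": [(first, last)], "pat": [addr]}}."""
    pools = defaultdict(lambda: {"ranges": [], "pat": []})
    # findall works on one-entry-per-line output and on text flattened
    # onto a single line, as mailing-list archives often leave it.
    for iface, nat_id, first, last in GLOBAL_RE.findall(show_global):
        pool = pools[(iface, int(nat_id))]
        if last:
            pool["ranges"].append(
                (ipaddress.ip_address(first), ipaddress.ip_address(last))
            )
        else:
            # Assumption: a single global address is the PAT fallback.
            pool["pat"].append(ipaddress.ip_address(first))
    return dict(pools)


def pool_usage(pools, show_xlate):
    """Count dynamic one-to-one xlates held in each pool's address range."""
    used = defaultdict(set)
    for pat, global_ip, static in XLATE_RE.findall(show_xlate):
        if pat or static:
            continue  # PAT and static xlates do not take a pool address
        addr = ipaddress.ip_address(global_ip)
        for key, pool in pools.items():
            if any(lo <= addr <= hi for lo, hi in pool["ranges"]):
                used[key].add(addr)
    report = {}
    for key, pool in pools.items():
        size = sum(int(hi) - int(lo) + 1 for lo, hi in pool["ranges"])
        report[key] = {
            "size": size,
            "used": len(used[key]),
            "pat_fallback": bool(pool["pat"]),
            "exhausted": size > 0 and len(used[key]) >= size,
        }
    return report


def exhausted_without_pat(report):
    """Pools where the next new inside host has no translation slot left."""
    return sorted(
        key for key, r in report.items()
        if r["exhausted"] and not r["pat_fallback"]
    )


if __name__ == "__main__":
    usage = pool_usage(parse_pools(SHOW_GLOBAL), SHOW_XLATE)
    for (iface, nat_id), r in sorted(usage.items()):
        print(f"global ({iface}) {nat_id}: {r['used']}/{r['size']} in use, "
              f"PAT fallback: {r['pat_fallback']}")
    print("exhausted with no PAT:", exhausted_without_pat(usage))
```

A pool that stays near full while the same inside hosts hold entries for days points at the xlate timeout; a pool that is simply smaller than the active host count needs more addresses or a PAT address.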
Re: DES license on PIX free? [7:61201]
It is true.

From: Sam Sneed
Date: 2003/01/16 Thu AM 09:41:25 EST
To: [EMAIL PROTECTED]
Subject: DES license on PIX free? [7:61201]

I read in PIX book all PIX's come with the 56 bit DES license free. Can anyone verify this before I spend money? I'm looking at a 501 or 506E.

Thanks

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61210t=61201

Re: BGP load balancing questions [7:61095]
can buy a hardware loadbalancer from f5.

From: Robert Fowler
Date: 2003/01/15 Wed AM 09:31:49 EST
To: [EMAIL PROTECTED]
Subject: BGP load balancing questions [7:61095]

Hello groupstudy,

I've been banging my head against the wall and figured I would defer this question to those of you more learned and experienced. Here is the scenario:

2 routers running BGP
Router 1 has a connection to ISP 1 and router 2 has a connection to ISP 2
Each receives full routes.
Each provider has given us a class C address
Only the class C from provider 1 is actively used, because provider 2 will probably be dropped eventually (ssshhh don't tell ARIN)
The class C is advertised to both ISPs, however ISP 1 aggregates this address space so instead of being 1.1.1.x /24 it's 1.1.x.x /16
This was checked using various looking glasses.

What that means is that traffic to my Class C will arrive primarily via ISP 2 because it will see the /24 I advertise through it. That is bad, for various reasons. Mainly because we are charged by usage from ISP2, but also because we are going to upgrade ISP1 to a fractional t3 and use ISP 2 primarily as a backup eventually. Also the traffic coming in is 90% via ISP 2 and 10% via ISP 1.

If I remember from my studying so long ago, even prepending my AS number to ISP 2 will not work, because it doesn't even make it to that criteria, but rather sees the /24 and chooses that route.

I searched some newsgroups, but amazingly enough nobody seemed to have this issue. I saw someone who had a larger block than /24 and some suggestions there but that would not work in this case.

Options not available:
Using the Class C from Carrier 2 to load balance using IP space and traffic types
Getting a class C independent of a provider from ARIN. (That costs money :))

Robert

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61106t=61095

RE: IAS Authentication with Pix 515 [7:61023]
By default, it should authenticate to AD first if it is part of the domain and you have to enable the user object to have remote connective. I did it three months ago.

Greg Owens 202-398-2552 fax 202-399-7690

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Patrick Matthews
Sent: Tuesday, January 14, 2003 9:34 AM
To: [EMAIL PROTECTED]
Subject: Re: IAS Authentication with Pix 515 [7:61023]

I used the following document and it worked great - Very easy. Logs all VPN access in both the IAS log files and on the Domain Controller running AD. The 3rd part of the document explains the Win2k/IAS portion of the config.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml

Kevin O'Gilvie wrote in message news:[EMAIL PROTECTED]...

Hi All,

Does anyone know how to make IAS use Active directory to authenticate VPN users? I have the sample from cisco but that only displays local authentication.

Thanks a bunch,
Kevin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61050t=61023

RE: VPN dialup Outlook Exchange Do I need Help [7:60669]
Are u using MD5 or SHA? Because the higher the encryption, the more overhead you will have.

Greg Owens

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Thursday, January 09, 2003 7:42 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN dialup Outlook Exchange Do I need Help [7:60669]

Yes I have looked at that and the client says it is just too much work.

-----Original Message-----
From: cebuano [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 09, 2003 1:09 AM
To: Elijah Savage III
Cc: [EMAIL PROTECTED]
Subject: RE: VPN dialup Outlook Exchange Do I need Help [7:60669]

Elijah,

Just in case you haven't read this, here's what I found...

Dec 19, 2002, 6:03am PST

Not sure if you still have a problem, but... Have you tried changing the Outlook Client so that it does NOT use the Logon Network Security? (To check this, right click the Outlook icon and go to Properties, select the MS Exchange server and click the Properties button. Then select the Advanced tab, and set the Logon Network Security to NONE.) This will prompt the Outlook client to provide the NT domain authentication info - username; domain; password - rather than trying to take it from the OS. I had this same problem and this is what I did to resolve it. There may be a more elegant solution, but I am unaware of it. Hope this helps...

[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Elijah Savage III
Sent: Wednesday, January 08, 2003 9:00 PM
To: [EMAIL PROTECTED]
Subject: VPN dialup Outlook Exchange Do I need Help [7:60669]

All,

I need some serious help for a serious problem. We have implemented a vpn solution with 2 3030 concentrators. All work fine except for the dialin users, everything is terribly slow. I used dialin tonight and had a 50.6 connection and it was creeping along like it was 9600 baud. I was getting dns resolution problems on web pages I knew were up like CCO. I have enabled LZS compression on both concentrators. I also have users complaining that they get exchange errors like can't contact server.

Here is the confusing and tricky part. Now on the other hand broadband users just couldn't be happier. I have broadband at home also and all this crap I experienced tonight on dialup, none of it has shown its ugly head on broadband, no exchange error or anything.

I have looked over CCO and it looks like there were a few bugs for the vpn client but supposedly fixed and I am using the latest client. Also on the Network Professional news group on CCO there are just a TON of people complaining about VPN and outlook access in some form or another with no resolution. I called TAC and opened a case and the TAC engineer said yeah he knows about the errors and that is the nature of the VPN beast and said Cisco likes to recommend to customers implementing VPN technology that they put an OWA (Outlook Web Access) server in a dmz some place because web browsing is a much better experience over VPN.

I just can't accept this as an answer. I am out of ideas of what to try and there has to be someone out there in this big IT world that has happy dialup users using Outlook/Exchange through vpn concentrators. I did follow the recommendations on CCO about lowering the MTU settings on the client side but that does not fix it. If anyone has seen this and has a fix please let me know, it would be greatly appreciated. In all honesty I am looking for any experience at all just to hear what the general consensus is on this, so if you have a fix or not I would like to hear about your overall experience.

Thank You

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60697t=60669

Re: Pix Configuration Help? [7:60631]
You should let the PIX handle the NATing. Just put the 2600 and the PIX in outside interface in the same switch.

From: [EMAIL PROTECTED]
Date: 2003/01/08 Wed PM 01:52:48 EST
To: [EMAIL PROTECTED]
Subject: Pix Configuration Help? [7:60631]

Router Configuration Help.

I am currently using a Cisco 2621 router for my company firewall. Serial 0's interface (CSU/DSU) is connected to the phone company. Ethernet 0 is connected to my LAN. I currently use CBAC / ACL's to control access from Inside/Outside and vice versa. The phone company has issued me 8 static class A ip addresses, and instructed me to set up a static route to a class B Address on their side (point to point connection between my router and their router).

I just purchased a PIX 515E and have some questions about the configuration behind the 2621. What is the best way to set this up? How should I set up the static route between the routers now? Should I create a point to point connection between my PIX and the 2621 using a class C address? What about Nat'ing my internal addresses to the registered addresses that have been assigned (Global)? I know I'm probably missing some information but hopefully we can start there.

Thanks in advance

Help from another below:
-
It would be tons-o-fun to explain all the things you can do but the best approach should be to go to this website below. It gives some great small to medium design topologies and configuration examples as well. Best of luck!

Start here for all the white papers: www.cisco.com/go/safe

This white paper best works for your environment: www.cisco.com/en/US/netsol/ns110/ns129/ns131/ns128/networking_solutions_implementation_white_paper09186a008009c8a0.shtml

My Reply:
-
Thanks for the info. I read the whole paper last night, well most of the 76 pages. Some really good info... I'm still looking for more configuration scenarios so keep em coming if you got em. I'm still fuzzy about the NAT configuration using my global address in the PIX versus keeping the NAT configuration on my 2621. Should I just use extended access lists on the 2621 and move all the NAT configuration to the PiX box? Right now I only have a 2621 with CBAC / ACLs between me and the outside world.

This is what I THINK I should do: Remove all the NAT pool and static mappings from the 2621. Keep the ip route statement (forwarding all packets to the S0 interface), the CBAC and some extended ACLs.

Next: Change the E0 port (currently connected directly to my internal network used as the Gateway) on the 2621 from the class B internal LAN address to a 192.168.0.1 255.255.255.254. Configure my PiX E0 (outside) address to 192.168.0.2 255.255.255.254, creating a point to point connection between the 2621 and the PiX. Then configure E1 (inside LAN) on the PiX to a class B address that I will use as the internal subnet's gateway. Now I will issue another ip route statement on the PiX to route all 0.0.0.0 0.0.0.0 to 192.168.0.2 (E0).

Now here's where I get fuzzy. What to do now? Tell the PiX the Global interface is 192.168.02? Assign a pool of the registered addresses provided by my ISP and NAT all internal class B addresses?

I know there's Ton's more but any help is good help. Please feel free to interject (NE1) :)

Thanks again.

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60636t=60631

Re: Why PIX's IDS can't detect a port scan? [7:59052]
Do you have a Syslog Server set up?

From: Kenny Smith
Date: 2002/12/12 Thu AM 03:44:10 EST
To: [EMAIL PROTECTED]
Subject: Why PIX's IDS can't detect a port scan? [7:59052]

Hi.. I implemented IDS in both PIX firewall outside and inside interface, but when I do a portscan on my PIX firewall's inside interface IP, I can't see any IDS alarm on my PIX log. Why? Below is my IDS config on my PIX inside interface.

    ip audit name inside-attack attack action alarm
    ip audit name inside-info info action alarm
    ip audit interface inside inside-info
    ip audit interface inside inside-attack
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100

Q2) By the way, how to add a new IDS signature to our PIX config? Upgrade the PIX Device Manager?

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59067t=59052
Re: why lose connection after apply IDS on PIX [7:58960]
I have implemented the same IDS on the PIX, however, I did not and would not drop informational alarms. That's why you are losing connectivity. Just use the alarm option.

From: Kenny Smith
Date: 2002/12/10 Tue PM 10:18:16 EST
To: [EMAIL PROTECTED]
Subject: why lose connection after apply IDS on PIX [7:58960]

HI... Dear Friends, I want to implement IDS on my PIX outside interface which is facing the internet, so that I can get alarms for external attacks. Below is my interface config and global ip audit name config

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip audit name outside-info info action alarm drop
    ip audit name outside-attack attack action alarm drop

But when I apply it on my outside interface as shown below, I immediately lose connection with outside. Can't ping and connect to external network? Why?

    PIX(config)#ip audit interface outside outside-info
    PIX(config)#ip audit interface outside outside-attack

Thanks a lot

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58973t=58960
RE: why lose connection after apply IDS on PIX [7:58960]
The Information is just for your information because those signatures contain some normal data traffic, so you want to configure the information alarm as follows:

    ip audit name outside-info info action alarm

Greg Owens Jr

-----Original Message-----
From: Kenny Smith [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 9:18 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: why lose connection after apply IDS on PIX [7:58960]

Hi.. Greg. Thanks 4 your guide. By the way, are you saying that we can drop the attack alarm, not the informational alarm?

From: Greg Owens
Reply-To: Greg Owens
To: [EMAIL PROTECTED]
Subject: Re: why lose connection after apply IDS on PIX [7:58960]
Date: Wed, 11 Dec 2002 13:56:41 GMT

I have implemented the same IDS on the PIX, however, I did not and would not drop informational alarms. That's why you are losing connectivity. Just use the alarm option.

From: Kenny Smith
Date: 2002/12/10 Tue PM 10:18:16 EST
To: [EMAIL PROTECTED]
Subject: why lose connection after apply IDS on PIX [7:58960]

HI... Dear Friends, I want to implement IDS on my PIX outside interface which is facing the internet, so that I can get alarms for external attacks. Below is my interface config and global ip audit name config

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ip audit name outside-info info action alarm drop
    ip audit name outside-attack attack action alarm drop

But when I apply it on my outside interface as shown below, I immediately lose connection with outside. Can't ping and connect to external network? Why?

    PIX(config)#ip audit interface outside outside-info
    PIX(config)#ip audit interface outside outside-attack

Thanks a lot

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59031t=58960
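A check for the misconfiguration discussed in this thread, added here as an example and not part of any of the posts: it reads PIX `ip audit` lines and reports informational policies that carry a blocking action (`drop` or `reset`) and are bound to an interface. The function name is hypothetical, and the sample configuration is constructed from the lines quoted in the thread.

```python
import re

# Constructed sample: the configuration quoted in the thread, prompts included.
POSTED_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip audit name outside-info info action alarm drop
ip audit name outside-attack attack action alarm drop
PIX(config)#ip audit interface outside outside-info
PIX(config)#ip audit interface outside outside-attack
"""

# ip audit name <policy> {info|attack} [action [alarm] [drop] [reset]]
NAME_RE = re.compile(
    r"^ip audit name (\S+) (info|attack)"
    r"(?: action((?: (?:alarm|drop|reset))+))?\s*$"
)
# ip audit interface <interface> <policy>
IFACE_RE = re.compile(r"^ip audit interface (\S+) (\S+)\s*$")
# A pasted CLI prompt such as "PIX(config)#" in front of a command.
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")


def find_blocking_info_policies(config):
    """Return (interface, policy, blocking_actions) for every informational
    audit policy that drops or resets traffic and is applied to an interface."""
    policies = {}   # policy name -> (signature class, set of actions)
    bindings = []   # (interface, policy name) in configuration order
    for raw in config.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = NAME_RE.match(line)
        if m:
            actions = set(m.group(3).split()) if m.group(3) else set()
            policies[m.group(1)] = (m.group(2), actions)
            continue
        m = IFACE_RE.match(line)
        if m:
            bindings.append((m.group(1), m.group(2)))

    findings = []
    for iface, name in bindings:
        if name not in policies:
            continue  # bound policy is not defined in this excerpt
        sig_class, actions = policies[name]
        blocking = sorted(actions & {"drop", "reset"})
        # Informational signatures match some normal traffic (per the reply in
        # the thread), so a blocking action on them cuts legitimate flows.
        if sig_class == "info" and blocking:
            findings.append((iface, name, blocking))
    return findings


if __name__ == "__main__":
    for iface, name, blocking in find_blocking_info_policies(POSTED_CONFIG):
        print(f"{iface}: policy {name} applies {'/'.join(blocking)} "
              f"to informational signatures; use 'action alarm' only")
```
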
RE: PIX question [7:58623]
All u need to do is create a static Private to Public address on the PIX. However, users on the inside will access the server via the Private address. Therefore, the packet will not leave the inside interface and come back in.

Greg Owens

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 05, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: PIX question [7:58623]

If I have a PIX separating my network from the internet with an inside and an outside interface, then I have some servers on the inside network that I use Static to give an IP address on the outside network for hosts on the internet to access. That's the easy part, now the question: Is it possible for the inside hosts to access the servers that I have using the public IP address, i.e. as if my inside hosts were accessing them from the internet, so they would go out the PIX and then back in using the public IP address of the server they are connecting to? Does this make any sense?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58632t=58623
Re: RE: CCIP MCast and Qos Exam......How tough?? [7:58161]
Is there a good book out for this test?

From: Mike Bernico
Date: 2002/11/27 Wed AM 10:17:28 EST
To: [EMAIL PROTECTED]
Subject: RE: CCIP MCast and Qos Exam..How tough?? [7:58161]

I've taken it. I believed I passed it first try although I recall it was difficult because of its huge scope. It's not nearly as hard as the Optical test, it's pretty much on par with the MPLS test. I would say that it gets fairly detailed in both QoS and Multicast. I would know more than just an overview. I definitely recall it being very theory oriented. If you follow the outline I'm sure you'll be fine. Good Luck!

--- Mike Bernico [EMAIL PROTECTED] Illinois Century Network http://www.illinois.net (217) 557-6555

-----Original Message-----
From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 26, 2002 8:38 PM
To: [EMAIL PROTECTED]
Subject: CCIP MCast and Qos Exam..How tough?? [7:58161]

Hello, Has anyone taken the CCIP Mcast and Qos exam? Need to know how tough it is going to be. Do they drill you in the intricacies of PIM-SM, DM, Diffserv using DSCP, NBar etc.? Now, I have been told by some that since this exam is like 2 exams combined into one, the exam questions are going to be more general and just need a real good overview of all the Qos and MCast topics. Is this any true? Please advise. Thank you. Sincerely, CN

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58194t=58161
Re: RE: Cisco 3005 VPN concentrator issues. [7:57495]
What is the limitation of a PIX with a VPN Accelerator card?

From: lounelson
Date: 2002/11/21 Thu PM 08:59:22 EST
To: [EMAIL PROTECTED]
Subject: RE: Cisco 3005 VPN concentrator issues. [7:57495]

I note you said 200 users. The 3005 is limited to 100 simultaneous users.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_models_comparison.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Umar Ahmed
Sent: Friday, November 15, 2002 3:00 AM
To: [EMAIL PROTECTED]
Subject: Cisco 3005 VPN concentrator issues. [7:57495]

Hi all, I've got a customer who has a 3005 concentrator connected to our network. He has set up a VPN connection which he accesses from home over the public internet. The problem he and the other 200 users are having is that they are losing connectivity to the box intermittently throughout the day. When he has loss of service, I can ping the VPN box directly connected to my network; what's even more strange is that I can ping other customer hosts on the same subnet. Any ideas?? Regards, Umar.

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57888t=57495
Re: Re: VTP modes Server/Client vs Transparent [7:57650]
Depending on the size of the network where VTP is being deployed, you can divide the VTP domain into geographical areas or sites, which would decrease the VTP traffic.

From: Zim
Date: 2002/11/19 Tue AM 07:01:02 EST
To: [EMAIL PROTECTED]
Subject: Re: VTP modes Server/Client vs Transparent [7:57650]

Like most networking problems, it depends. How large is your switch domain? Are you doing End to End VLANs or Local? How large is your STP domain now? Will it grow larger? Here's a link I would start with: http://www.cisco.com/warp/customer/473/21.html (starter for VTP), then hit this one: http://www.cisco.com/warp/public/cc/so/neso/lnso/cpso/gcnd_wp.htm (covers GigE Design). Design solutions are usually need and resource driven... as for standards, they change (some daily). JMHO

Newell Ryan D SrA 18 CS/SCBT wrote in message news:[EMAIL PROTECTED]...

Network is migrating from ATM to Gigabit Ethernet. Transparent mode was default VTP for all distribution layer switches. We had hubs for all access layer switches. With the new migration to Gigabit, switches would be at all access layer buildings. Would it be beneficial to run transparent abroad or a server/client model? Thanks

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57697t=57650
have anyone had this IGMP problem [7:57126]
Some LAN Switches with IGMP Snooping Enabled Stop Forwarding Multicast Packets on RRAS Startup

The information in this article applies to:
* Microsoft Windows 2000 Advanced Server

SUMMARY

Routers connected to LAN switches configured with IGMP snooping may have problems when a Windows 2000 RRAS-capable server comes online or when OSPF or RIP version 2 is enabled.

MORE INFORMATION

Switches with IGMP snooping enabled have a feature that attempts to determine which ports connect to devices that belong to a particular multicast group. If the port does not connect to a device in the multicast group, the switch does not forward packets destined to the multicast group out that port. Some switches attempt to do this smart multicast forwarding for all multicast destinations, while others do this only for non-permanent groups (groups outside the range 224.0.0.1-224.0.0.255). Switches doing this for permanent groups, such as the all-routers group 224.0.0.2, the OSPF multicast groups 224.0.0.5 and 224.0.0.6, and the RIP 2 multicast group 224.0.0.9, could cause problems on the switched network.

This behavior occurs if the switch has Cisco routers connected to it, running Hot Standby Routing Protocol, OSPF, or RIP 2, and a Windows 2000 server is connected to the switch and initialized. Other routers may be affected as well. Before the server is brought online, the routers are communicating through the switch using one or more of the above multicast addresses. The routers never send IGMP join packets for these groups so the switch never tries to parse which ports will receive the multicast packets.

When the server with RRAS comes online, it sends an IGMP join packet for the all-routers multicast group (224.0.0.2), and for the OSPF and RIP 2 groups if the protocols are running. The switch sees the join message and sends a membership query out all its ports to determine which ports have devices that also belong to this group. The routers do not respond to membership queries for these multicast groups. The switch then stops sending packets destined to these multicast groups to the router's ports, and effectively disables the routing protocol communication between routers.

Hewlett-Packard (HP) and Nortel Networks (formerly Bay) switches operate in this manner when IGMP snooping is enabled. Both switches have an option for defining filters that enable them to always forward multicast packets to all ports for specific groups. These filters must be enabled to assure that the routers will continue functioning. Other switches always forward all multicast packets for these groups to all ports without requiring filters be enabled.

The IGMP join packets sent from the Windows 2000 server with RRAS can be observed by monitoring the data sent by the server when it first initializes. Without any RRAS configuration, the server sends the IGMP join for the all-routers group (224.0.0.2). When RRAS is started and OSPF is configured the server sends the join for the OSPF groups 224.0.0.5 and 224.0.0.6. When RIP 2 is configured, the server sends the join for the RIP 2 group 224.0.0.9.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57126t=57126
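The sequence described in the article above, as a small model added here for illustration (it is not part of the article or the post): a three-port switch with two routers and one RRAS server, run once with snooping applied to the permanent groups, once with those groups exempt, and once with an always-forward filter. The class, port names and function names are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Permanent groups as the article defines them (224.0.0.1-224.0.0.255).
PERMANENT = ip_network("224.0.0.0/24")


class SnoopingSwitch:
    """Minimal IGMP-snooping forwarding model (hypothetical, for illustration)."""

    def __init__(self, ports, snoop_permanent_groups, always_flood=()):
        self.ports = set(ports)
        self.snoop_permanent_groups = snoop_permanent_groups
        # Filter list: groups that are always forwarded to all ports.
        self.always_flood = {ip_address(g) for g in always_flood}
        self.members = {}  # group -> set of ports known to be members

    def _exempt(self, group):
        if group in self.always_flood:
            return True
        return group in PERMANENT and not self.snoop_permanent_groups

    def igmp_join(self, port, group, query_responders=()):
        """A join arrives on `port`; the switch queries every port and keeps
        only the joiner plus the ports that answered the membership query."""
        group = ip_address(group)
        if self._exempt(group):
            return
        self.members[group] = {port} | (set(query_responders) & self.ports)

    def forward(self, in_port, group):
        """Ports that receive a packet sent to `group` from `in_port`."""
        group = ip_address(group)
        if self._exempt(group) or group not in self.members:
            out = self.ports           # no state for the group yet: flood
        else:
            out = self.members[group]  # state exists: members only
        return sorted(out - {in_port})


def run_scenario(snoop_permanent_groups, always_flood=()):
    """Return who receives router r1's OSPF hello (224.0.0.5) before and
    after the RRAS server on port w2k comes online."""
    sw = SnoopingSwitch(["r1", "r2", "w2k"], snoop_permanent_groups, always_flood)
    before = sw.forward("r1", "224.0.0.5")
    # The server joins the all-routers and OSPF groups; the routers do not
    # answer the resulting membership queries, so no responders are recorded.
    for group in ("224.0.0.2", "224.0.0.5", "224.0.0.6"):
        sw.igmp_join("w2k", group, query_responders=())
    after = sw.forward("r1", "224.0.0.5")
    return before, after


if __name__ == "__main__":
    print("snoops permanent groups:", run_scenario(True))
    print("exempts permanent groups:", run_scenario(False))
    print("filter for 224.0.0.5:", run_scenario(True, always_flood=("224.0.0.5",)))
```

In the first run router r2 stops receiving r1's hellos once the server has joined, which is the loss of routing-protocol communication the article describes.
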
Re: Re: PIX and USB ports [7:56862]
Terminal Server or via IPSEC

From: Ryan Finnesey
Date: 2002/11/04 Mon PM 09:36:01 EST
To: [EMAIL PROTECTED]
CC: Greg Owens
Subject: Re: PIX and USB ports [7:56862]

What would be a good way to manage the PIX remotely? Ryan

Greg Owens wrote:

It is for future use.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com] On Behalf Of Firesox
Sent: Monday, November 04, 2002 8:04 PM
To: [EMAIL PROTECTED]
Subject: PIX and USB ports [7:56862]

I would like to set up an outband connection to the PIX 506E/515E through the USB ports. I have a USB modem hooked up to my PIXes, but I cannot find the article to set up the USB ports. When dialing in to the modem, it wouldn't respond... Thanks

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56892t=56862
RE: PIX and USB ports [7:56862]
It is for future use.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:nobody;groupstudy.com] On Behalf Of Firesox
Sent: Monday, November 04, 2002 8:04 PM
To: [EMAIL PROTECTED]
Subject: PIX and USB ports [7:56862]

I would like to set up an outband connection to the PIX 506E/515E through the USB ports. I have a USB modem hooked up to my PIXes, but I cannot find the article to set up the USB ports. When dialing in to the modem, it wouldn't respond... Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56864t=56862
Re: RE: PIX questions [7:53953]
I had the same problem because of the following: 172.16.64.3 is an IP address in the inside network; however, if someone turns off 172.16.64.3 and someone tries to access the machine, the routing protocol sends it to the default gateway, the PIX. However, the PIX knows that 172.16.0.0 is the inside address range, thus the error message u are getting.

From: Lidiya White
Date: 2002/09/24 Tue PM 01:38:57 EDT
To: [EMAIL PROTECTED]
Subject: RE: PIX questions [7:53953]

The problem here is the source and destination are outside. Why? PIX can't redirect traffic, so even if conduit is allowing this traffic, PIX won't let it through, unless its src is outside and dst is inside. You either have a routing issue here or just something is misconfigured on the PIX. Use wr term on the PIX to view the current config.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sim, CT (Chee Tong)
Sent: Tuesday, September 24, 2002 10:50 AM
To: [EMAIL PROTECTED]
Subject: PIX questions [7:53953]

I keep having the following log in my PIX. It is very frequent. What does that mean? It seems my PIX denies this connection, but actually I want to allow it now and make it no longer log to the PIX log.

    106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
    106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
    106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
    106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001

I tried to clear it by adding the following command in the PIX config to allow the connection to come in. However, I still found the same log in my PIX. What should be the correct command?

    conduit permit udp any range 58000 58001 any

Question 2: How to show the running-config in PIX? I found whenever I made a change on PIX, I can't see the change when I issue the sh conf command until I do wr mem. What is the router equivalent of the show running-config command in PIX? Thanks a lot

==
The information contained in this message may be confidential and is intended to be exclusively for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail.
==

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53975t=53953
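A triage script for the 106011 records quoted in this thread, added here as an example and not taken from any of the posts: it groups the denies by flow and marks those whose source and destination are on the same interface, the case the reply above says a conduit cannot fix. The function names are hypothetical; the sample is constructed from the quoted log lines plus two constructed contrast lines.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample: the four records quoted in the post (archive line-wrap
# spaces inside the addresses removed), one constructed outside-to-inside
# record, and one constructed line that is not a 106011 record.
SAMPLE_LOG = """\
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.173/58000 dst outside:192.168.5.200/58000
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) udp src outside:200.100.182.79/58000 dst outside:192.168.5.200/58001
106011: Deny inbound (No xlate) tcp src outside:203.0.113.9/40000 dst inside:10.0.0.5/80
this line is not a 106011 record and is skipped
"""

LINE_RE = re.compile(
    r"106011: Deny inbound \(No xlate\) (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)


def parse_106011(text):
    """Return one dict per 106011 record found in `text`."""
    return [m.groupdict() for m in map(LINE_RE.search, text.splitlines()) if m]


def summarize(events):
    """Group records by flow, most frequent first, and mark the two
    properties that matter for triage."""
    counts = Counter(
        (e["proto"], e["src_if"], e["dst_if"], e["dst_ip"], int(e["dst_port"]))
        for e in events
    )
    findings = []
    for (proto, src_if, dst_if, dst_ip, dst_port), n in counts.most_common():
        findings.append({
            "flow": f"{proto} {src_if}->{dst_if} {dst_ip}:{dst_port}",
            "count": n,
            # Arrived on and destined for the same interface: a permit rule
            # does not help here; look at routing toward the destination.
            "same_interface": src_if == dst_if,
            # A private destination address seen on the arrival interface.
            "private_dst": ip_address(dst_ip).is_private,
        })
    return findings


def routing_suspects(findings):
    """Flows to investigate as routing or addressing problems."""
    return [f["flow"] for f in findings if f["same_interface"]]


if __name__ == "__main__":
    for f in summarize(parse_106011(SAMPLE_LOG)):
        tag = "check routing" if f["same_interface"] else "check xlate/static"
        print(f"{f['count']:>3}  {f['flow']:<45} {tag}")
```
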
Re: DNS Behind the firewall [7:53016]
Put the forward address in the DNS table

From: Curious
Date: 2002/09/10 Tue PM 03:05:40 EDT
To: [EMAIL PROTECTED]
Subject: DNS Behind the firewall [7:53016]

My company's DNS server resided on our External LAN (our Public LAN). Yesterday we moved it to our Private LAN (behind our PIX 515), NATed its Public IP address to its new Private IP address in the firewall, and opened port 53. After all that move and settings we were able to resolve domain names from the Private LAN but not from the Public LAN or Internet. Please let me know if someone has any idea Y...?

Curious MCSE, CCNP

Greg Owens 202-398-2552

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53021t=53016
RE: PIX VPN L2tp ? [7:48875]
I have a PIX 515E that has the inside interface connected to a hub and the outside interface connected to a hub. A 1600 router is connected to the outside interface hub with two addresses on Ethernet. A computer is connected to the outside hub on a totally different subnet and I get the following error. Why? I think because they are on the hub, but not sure

    ISAKMP (0): processing KE payload. message ID = 0
    ISAKMP (0): processing NONCE payload. message ID = 0
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block: src 10.1.1.2, dest 64.67.69.50
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing HASH payload. message ID = 0
    ISAKMP (0): SA has been authenticated
    ISAKMP (0): ID payload
            next-payload : 8
            type : 2
            protocol : 17
            port : 500
            length : 24
    ISAKMP (0): Total payload length: 28
    return status is IKMP_NO_ERROR
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending NOTIFY message 24578 protocol 1
    ISAKMP (0): sending INITIAL_CONTACT notify
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    crypto_isakmp_process_block: src 10.1.1.2, dest 64.67.69.50
    OAK_QM exchange
    oakley_process_quick_mode: OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2232193573
    ISAKMP : Checking IPSec proposal 1
    ISAKMP: transform 1, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-MD5
    IPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 1) not supported
    ISAKMP (0): atts not acceptable. Next payload is 3
    ISAKMP: transform 2, ESP_3DES
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHA
    ISAKMP (0): atts are acceptable.
    IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) dest= 64.67.69.50, src= 10.1.1.2,
        dest_proxy= 64.67.69.50/255.255.255.255/17/0 (type=1),
        src_proxy= 10.1.1.2/255.255.255.255/17/1701 (type=1),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    IPSEC(validate_transform_proposal): proxy identities not supported
    IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) dest= 63.167.65.150, src= 10.1.1.2,
        dest_proxy= 10.1.1.2/255.255.255.255/17/1701 (type=1),
        src_proxy= 64.67.69.50/255.255.255.255/17/0 (type=1),
        protocol= ESP, transform= esp-3des esp-sha-hmac ,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
    IPSEC(validate_transform_proposal): proxy identities not supported
    ISAKMP: IPSec policy invalidated proposal
    ISAKMP : Checking IPSec proposal 2
    ISAKMP: transform 1, AH_SHA
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0 0x3 0xd0 0x90
    ISAKMP: encaps is 2
    ISAKMP: authenticator is HMAC-SHA
    IPSEC(validate_proposal): transform proposal (prot 2, trans 3, hmac_alg 2) not supported
    ISAKMP (0): atts not acceptable. Next payload is 0
    ISAKMP (0): skipping next ANDed proposal (2)
    ISAKMP : Checking IPSec proposal 3
    ISAKMP: transform 1, AH_MD5
    ISAKMP: attributes in transform:
    ISAKMP: SA life type in seconds
    ISAKMP: SA life duration (VPI) of 0x0 0x0 0xe 0x10
    ISAKMP: SA life type in kilobytes
    ISAKMP: SA life duration (VPI) of 0x0
    crypto_isakmp_process_block: src 10.1.1.2, dest 64.67.69.50
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 10.1.1.2, dest 64.67.69.50
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 10.1.1.2, dest 64.67.69.50
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 10.1.1.2, dest 64.67.69.50
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.30201

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48875t=48875
PIX VPN L2tp ? [7:48748]
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 63.167.65.153, dest 63.167.65.150
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 63.167.65.153, dest 63.167.65.150
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 63.167.65.153, dest 63.167.65.150
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 63.167.65.153, dest 63.167.65.150
    ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
    crypto_isakmp_process_block: src 63.167.65.153, dest 63.167.65.150
    ISAKMP (0): processing DELETE payload. message ID = 1112821428
    ISAKMP (0): deleting SA: src 63.167.65.153, dst 63.167.65.150
    return status is IKMP_NO_ERR_NO_TRANS
    ISADB: reaper checking SA 0x813505c0, conn_id = 0 DELETE IT!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simer Mayo
Sent: Saturday, July 13, 2002 7:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Number of VPN session on PIX? [7:48738]

Look at the CCO. Search for PIx models and most probably they will have it in there. Hope that helps SM

----- Original Message -----
From: Joe Lee
To: Simer Mayo
Sent: Saturday, July 13, 2002 3:26 AM
Subject: Re: Number of VPN session on PIX?

Hi, is there something like a table for reference?

----- Original Message -----
From: Simer Mayo
To: Joe Lee
Sent: Saturday, July 13, 2002 4:04 PM
Subject: Re: Number of VPN session on PIX?

Depends upon the license and the model of PIX firewall you have. PIX 501 and 506 can have max 5 VPN connections whereas the higher models can have either the restricted or unrestricted license pack depending upon your requirements SM

----- Original Message -----
From: Joe Lee
To:
Sent: Saturday, July 13, 2002 12:02 AM
Subject: Number of VPN session on PIX?

Hi all, Is there a limit on the number of VPN session on a PIX? If yes, where can I get this information? Thx

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=48748t=48748
RE: RSPAN Problem [7:47493]
Are all the switches 6000s? Because no third-party or other Cisco switches can be placed in the end-to-end path for RSPAN traffic.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Wednesday, June 26, 2002 1:28 PM
To: [EMAIL PROTECTED]
Subject: RSPAN Problem [7:47493]

Greetings, I'm using RSPAN with our 65XX switches with 6.3(3) code. When I enable RSPAN between two switches it works fine, but when I try to RSPAN between three switches it doesn't work. I only see broadcasts from IP and IPX, any ideas???

Two switches:
Source Port : Port 9/3-switch A -TRUNK-switch B-7/38 : Destination Port

Three switches: This scenario doesn't work.
Source Port : Port 6/10-switch A -TRUNK-switch B-TRUNK--switch C--7/38 : Destination Port

Thanks...Nabil

I have never let my schooling interfere with my education.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47518t=47493
Free Sniffer download [7:43297]
I am searching for a Sniffer Download

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43297t=43297
Cisco - CCNP Recertification Exam (CCNPR640-519) [7:5454]
s/640-519.html [GroupStudy.com removed an attachment of type application/octet-stream which had a name of Cisco - CCNP Recertification Exam (CCNPR640-519).url]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=5454t=5454
RE: How to determine CIR and increase CIR of FR?
Sh frame map will show u the CIR

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Stephen Skinner
Sent: Monday, April 09, 2001 7:45 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: How to determine CIR and increase CIR of FR?

your CIR (Committed information rate) is supplied by your SP ...you and him agree how much you can have (depending on how much you pay). Usually the person setting up your router sets the "BANDWIDTH" command to the CIR + BR (burst rate), i.e. how high you CAN go up to for a limited amount of time ..again your service provider has set this for you. HTH steve

From: "David Gollop" [EMAIL PROTECTED]
Reply-To: "David Gollop" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: How to determine CIR and increase CIR of FR?
Date: Mon, 09 Apr 2001 10:29:40 -

Hi.. How to determine the CIR of a frame relay line? Like Result shown below, what is the CIR? How do I increase the CIR? Do we have to contact the Frame relay provider? What is the difference between CIR and EIR??

    SIN01#sh int s1/1.19
    Serial1/1.19 is up, line protocol is up
      Hardware is M4T
      Description: --- Connects to JKT01 Ser0.2 ---
      Internet address is 50.200.243.25/30
      MTU 1500 bytes, BW 2048 Kbit, DLY 2 usec,
         reliability 255/255, txload 2/255, rxload 2/255
      Encapsulation FRAME-RELAY IETF
RE: RE: How to determine CIR and increase CIR of FR?
Positive it is from the frame switch that is sent via LMI -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Monday, April 09, 2001 9:56 AM To: Greg Owens Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: RE: How to determine CIR and increase CIR of FR? Are you sure that information isn't just taken from the "bandwidth" statements on the subinterfaces? Greg Owens [EMAIL PROTECTED] wrote: Sh frame map will show u the CIR -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Stephen Skinner Sent: Monday, April 09, 2001 7:45 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: Re: How to determine CIR and increase CIR of FR? your CIR (Committed information rate) is supplied by your SP ...you and him agree how much you can have( depending on how much you pay) usually the person setting up your router sets the "BANDWIDTH" command to the CIR+ BR (burst rate) I.E how high you CAN go up to for a limited amount of time ..again your service provider has set this for you . HTH steve From: "David Gollop" Reply-To: "David Gollop" To: [EMAIL PROTECTED] Subject: How to determine CIR and increase CIR of FR? Date: Mon, 09 Apr 2001 10:29:40 - Hi.. How to determine the CIR of a frame relay line? Like Result shown below, what is the CIR? How do I increase the CIR? Do we have to contact the Frame relay provider? What is the difference between CIR and EIR?? SIN01#sh int s1/1.19 Serial1/1.19 is up, line protocol is up Hardware is M4T Description: --- Connects to JKT01 Ser0.2 --- Internet address is 50.200.243.25/30 MTU 1500 bytes, BW 2048 Kbit, DLY 2 usec, reliability 255/255, txload 2/255, rxload 2/255 Encapsulation FRAME-RELAY IETF _ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. _ Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com. 
RE: ccnp question
Yes

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sammi
Sent: Monday, April 09, 2001 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: ccnp question

It does indeed say "valid CCNA certification" required. Is CCNA 1.0 still considered valid?

On 9 Apr 2001 10:18:47 -0400, [EMAIL PROTECTED] ("Bob Timmons") wrote:

Actually, it is required. See:
http://www.cisco.com/warp/customer/10/wwtraining/certprog/lan/programs/ccnp.html

Bob

no, its not required, but recommended to get u started.

Keyur.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of umer khan
Sent: Monday, April 09, 2001 1:31 AM
To: [EMAIL PROTECTED]
Subject: ccnp question

hi,
is ccna required for starting the ccnp certification exams. well i know this question has been asked before but i seem to have deleted the thread. so sorry for asking it again.
RE: discussion of buffers
http://www.cisco.com/warp/public/650/41.html
http://www.cisco.com/warp/public/63/buffertuning.html
http://www.cisco.com/warp/public/63/bufferleak_troubleshooting.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of george
Sent: Thursday, March 08, 2001 8:35 PM
To: [EMAIL PROTECTED]
Subject: discussion of buffers

Anyone have a good reference on cisco routers and their use of buffers, including discussions on optimizing their size?
RE: Modem to Console Port
1) Connect the modem to a PC
2) Set the dip switches on the modem to 1, 3, and 8 down, all the rest up.
3) Power on the modem
4) Begin a terminal session (9600,8,N,1)
5) Type AT and you should get an OK from the modem
6) Type ATFW0
7) Type ATI4 to get the current modem settings
8) Copy the following string on the terminal (this will also write it to the modem's NVRAM)
   ATE0F1Q1I0H0K0A0B1N6C1D0W0
   (Note: This turns echo off as well, so you won't see any further commands you type.)
9) Type ATI4. You should see this:

   US Robotics Sportster 33600 Fax Settings...
   B0 E0 F1 M1 Q1 V1 X1 Y0
   Baud=9600 Parity=N Wordlen=8
   Dial=Tone On Hook
   A0 B1 C1 D0 G0 H0 I0 K0
   M4 N6 P0 R1 S0 T5 U0 Y1
   S00=001 S01=000 S02=043 S03=103 S04=010 S05=006 S06=002
   S07=060 S08=002 S09=006 S10=014 S11=070 S12=050 S13=000
   S15=000 S16=000 S18=000 S19=000 S21=010 S22=017 S23=019
   S25=005 S27=000 S28=008 S29=020 S30=000 S31=128 S32=001
   S33=000 S34=000 S36=014 S38=000

10) Power off the modem
11) Now set dip switches 1, 4, 8 to down and all others up
12) Connect modem to console of router
13) Power modem on
14) Dial the modem and you should get a router prompt after you hit return
15) Quit to close the session to the router
16) Disconnect

Note: If you need to disconnect your modem while you are connected to the router, put in +++ at any prompt.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John
Sent: Wednesday, February 14, 2001 4:07 PM
To: [EMAIL PROTECTED]
Subject: Re: Modem to Console Port

Jason,

Thank you very much. The dip switch settings did the trick. I am installing these routers remote and from time to time when we turn up the circuits something doesn't work right. So, I ship a modem, have the customer plug it in to the fax machine jack and bingo, I can config it just like I was sitting there. That way I don't have to be on a plane for a day and a half for a 5 min job.

Another success story found on Groupstudy.com

"jason lynch" [EMAIL PROTECTED] wrote in message news:96ejci$c0b$[EMAIL PROTECTED]...

Or, if you're using a US Robotics Sportster, just set the dip switches to all up and 7 down and dial in. Make sure you specify login and password under line con 0.

"Chris Lemagie" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

It is possible. There is actually no configuration on the router. You will need to set the modem to talk at 9600, 8, N, 1 with no local echo. You also need to set the modem to auto answer. Your modem should have documentation with the proper "AT" commands that you will need to issue. Save this configuration to the modem's NVRAM and plug it into the router.

Chris Lemagie...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John
Sent: Wednesday, February 14, 2001 7:51 AM
To: [EMAIL PROTECTED]
Subject: Modem to Console Port

Is it possible to connect a modem to the console port for remote configuration on the Cisco 1600 series? If so would you please provide me with a sample configuration?

Thank you in advance for your assistance.

John Huston
[EMAIL PROTECTED]
RE: Setting up a DHCP server on a cisco router
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Lodwick
Sent: Saturday, January 06, 2001 1:58 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Setting up a DHCP server on a cisco router

Leroy,

He said he wanted the router to give the client the IP addressing information. In your example the router is forwarding bootp broadcasts and a Windows box is giving the client the IP addressing information.

Brian

It's a brave man who, when things are at their darkest, can kick back and party! -- Dennis Quaid, "Inner Space"

From: Leroy Burns [EMAIL PROTECTED]
Reply-To: Leroy Burns [EMAIL PROTECTED]
To: "'Andrew Larkins'" [EMAIL PROTECTED], "'[EMAIL PROTECTED]'" [EMAIL PROTECTED]
Subject: RE: Setting up a DHCP server on a cisco router
Date: Sat, 6 Jan 2001 13:36:21 -0500

I hope this will help using DHCP

DHCP Relay

DHCP relay typically runs on a router and the relay support is available on Windows NT Server version 4.0 and Windows 2000 Server. On Cisco 700 series routers, you can turn on DHCP relay with the set dhcp relay command. You can turn on DHCP relay on a Cisco IOS router by configuring ip helper-address with the address of the DHCP server on each interface that will have DHCP clients. The ip helper-address command forwards many other IP broadcasts, including DNS, Trivial File Transfer Protocol (TFTP), and NetBIOS name service packets. To forward only DHCP requests, see the following example configuration. For more information, see the "Configuring Broadcast Handling" section in the Network Protocols Configuration Guide, Part I.

no ip forward-protocol udp tftp
no ip forward-protocol udp dns
[This command is not listed in IOS! J.R.]
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip forward-protocol udp bootpc
!
interface ethernet 0
 ip helper-address 172.16.12.15
interface ethernet 1
 ip helper-address 172.16.12.15

Excerpt from: http://www.cisco.com/warp/public/473/winnt_dg.htm#xtocid88299

You must apply the ip helper-address [dhcp server IP] to EVERY interface, including the serial.

Whew! Makes a man feel macho to solve such problems.

Leroy Burns - LAN Administrator
75 Piedmont Avenue, Suite 1200
Atlanta, GA 30303-2507
Direct Voice and Fax: 678.365.2661
mailto:[EMAIL PROTECTED] - http://www.skylight.net/

-----Original Message-----
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Saturday, January 06, 2001 12:04 PM
To: '[EMAIL PROTECTED]'
Subject: Setting up a DHCP server on a cisco router

Can anyone give me a sample config. I want the router to give the client the IP addressing information

Thanks in advance
Andrew

cisco2501#show running-config
Building configuration...

Current configuration:
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname cisco2501
!
no logging console
enable secret 5 $1$QAjL$5D.YF.Io57Fr02o5MG23U.
enable password router
!
!
!
!
!
ip subnet-zero
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.49 192.168.0.50
!
ip dhcp pool test
   network 192.168.0.48 255.255.255.240
   domain-name Rock.com
   dns-server 204.127.160.2
   default-router 192.168.0.50
!
ip dhcp pool tes
!
!
!
!
interface Ethernet0
 ip address 192.168.0.49 255.255.255.240
 ip helper-address 192.168.0.34
 no ip mroute-cache
!
interface Serial0
 bandwidth 56
 ip address 192.168.0.33 255.255.255.240
 ip helper-address 192.168.0.33
 ip helper-address 192.168.0.34
 ip directed-broadcast
 no ip split-horizon
 no ip mroute-cache
 clockrate 56000
!
interface Serial1
 no ip address
 no ip mroute-cache
 shutdown
!
router eigrp 100
 network 192.168.0.0
!
ip classless
no ip http server
!
snmp-server engineID local 000902000C0A109E
snmp-server community public RO
snmp-server packetsize 2048
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password router
 login
!
end
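The relay filtering described in the Cisco excerpt quoted in this thread, as an added example (not code from the thread or from Cisco): a small checker that reports which non-DHCP UDP broadcasts a configuration with ip helper-address still relays. The default service list and the function names are assumptions of this example; both samples are cut down from configurations shown in the thread.

```python
import re

# UDP services relayed by default once "ip helper-address" is configured.
# Assumption: list taken from Cisco's "ip forward-protocol" documentation.
DEFAULT_UDP = {"time": 37, "tacacs": 49, "domain": 53, "bootps": 67,
               "bootpc": 68, "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138}
ALIASES = {"dns": "domain"}  # the quoted excerpt writes "dns"
DHCP_PORTS = {67, 68}
FWD_RE = re.compile(r"^[ \t]*(no\s+)?ip forward-protocol udp\s+(\S+)", re.M)

def forwarded_ports(config):
    """UDP ports relayed after applying [no] ip forward-protocol udp lines."""
    ports = set(DEFAULT_UDP.values())
    for m in FWD_RE.finditer(config):
        name = ALIASES.get(m.group(2), m.group(2))
        port = DEFAULT_UDP.get(name) or (int(name) if name.isdigit() else None)
        if port is not None:  # unknown keywords are skipped, not guessed
            (ports.discard if m.group(1) else ports.add)(port)
    return ports

def helpers_by_interface(config):
    """Map each interface to the helper addresses configured under it."""
    result, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            current = s.split(None, 1)[1]
        elif s.startswith("ip helper-address ") and current:
            result.setdefault(current, []).append(s.split()[-1])
    return result

def non_dhcp_relayed(config):
    """Non-DHCP UDP ports still relayed; empty if no helper is configured."""
    if not helpers_by_interface(config):
        return set()
    return forwarded_ports(config) - DHCP_PORTS

# Sample 1: the DHCP-only relay excerpt quoted in the thread.
EXCERPT = "".join(f"no ip forward-protocol udp {s}\n" for s in
                  ("tftp", "dns", "time", "netbios-ns", "netbios-dgm", "tacacs")) + (
    "ip forward-protocol udp bootpc\ninterface ethernet 0\n ip helper-address 172.16.12.15\n"
    "interface ethernet 1\n ip helper-address 172.16.12.15\n")
# Sample 2: helper lines from the cisco2501 running-config posted in the thread.
POSTED = ("interface Ethernet0\n ip helper-address 192.168.0.34\n"
          "interface Serial0\n ip helper-address 192.168.0.33\n ip helper-address 192.168.0.34\n")

if __name__ == "__main__":
    for label, cfg in (("excerpt", EXCERPT), ("cisco2501", POSTED)):
        print(label, helpers_by_interface(cfg), sorted(non_dhcp_relayed(cfg)))
```

The excerpt leaves only ports 67 and 68 relayed, while the posted running-config, which has helper addresses but no forward-protocol lines, relays every default service to each helper.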
how many question on CIT
RE: Loaded new IOS and now router will not boot
Press the ctrl and Del key @ the same time when the router is starting to boot.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Glenn Flood
Sent: Wednesday, July 19, 2000 1:07 PM
To: '[EMAIL PROTECTED]'
Subject: Loaded new IOS and now router will not boot

All,

I have a 2621 with 8M flash and 24M RAM and loaded the Enterprise Plus 12.1(3) IOS. Now it tells me INSUFFICIENT MEMORY TO BOOT THE IMAGE!. Can someone direct me to the procedure on the Cisco site that will show me how to reload my previous image through rommon?

Thanks,
Glenn

Glenn Flood
MCSE, MCP+I, MCT, CCNA, CNA, A+