Re: Superstitious Switches? [7:72746]
It's a long story... http://www.naplesnews.com/today/restate/a120401k.htm

-Kent

On Wed, 2003-07-23 at 11:28, Raj wrote:
> Anybody know when and how the number 13 got so unpopular? What's the
> story behind it?
>
> ""MADMAN"" wrote in message news:[EMAIL PROTECTED]
> > There is a reason many hotels don't have a 13th floor;)
> >
> > Dave
> >
> > John Neiberger wrote:
> > > This is not a joke, I promise, but it is very strange. Have any of you
> > > noticed that by far the most problematic port on the Catalyst 2950
> > > switches is port 13?
> > >
> > > I'd bet money that at least 20% of the time we have a problem with a
> > > device connected to these switches they're connected to port 13. Just in
> > > the last two days we've had to troubleshoot *three* separate instances of
> > > users in port 13 on these switches, and I can think of at least three
> > > more in the past. I once had to RMA a 2950 because port 13 died.
> > >
> > > Doesn't this seem a little odd? I think I'm going to stop walking
> > > underneath ladders until I get this resolved!
> > >
> > > John
> > --
> > David Madland
> > CCIE# 2016
> > Sr. Network Engineer
> > Qwest Communications
> > 612-664-3367
> >
> > "Government can do something for the people only in proportion as it
> > can do something to the people." -- Thomas Jefferson

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72822&t=72746
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Slow File Transfers After Server Upgrade [7:72402]
John,

A few things I would look at:

1) What is the MSS value that is passed between the servers during the initial TCP setup?

2) What is the value of the MTU on the servers?

3) Are there any name resolution issues? I have seen Solaris boxes keep trying to resolve the DNS name of a client station and have extremely slow network performance as a result.

4) Are there any "weird" TCP options being negotiated such as Selective ACK or Window Scale? Since these options aren't often used there may be a bug in a server's TCP stack if these options are negotiated at startup.

5) Have you checked the speed and duplex settings on the Solaris box?

In any case, a sniffer should tell the story. Just running snoop on the Solaris box will probably give you the info you need.

HTH,

Kent

On Wed, 2003-07-16 at 11:57, John Neiberger wrote:
> We have a Windows server connected to a 6513 at 100/Full that does nightly
> backups (about 20GB) to a Solaris server connected to the same switch via
> gigabit ethernet. Prior to a recent upgrade the Windows server could upload
> approximately 5MBytes/s to the Solaris server. The Solaris server was
> replaced with much faster hardware and the OS was upgraded from Solaris 8 to
> Solaris 9. Novell servers doing backups to this server have continued to
> upload at about the same speed as before, while other Solaris servers seem
> to be uploading faster than before.
>
> The weird thing is that the Windows server uploads have dropped in speed by
> about 80%! We now see only about 1MB/s. This drop was seen on all Windows
> servers doing backups to this Solaris server. My guess is that there is some
> funky issue with TCP between Windows and Solaris 9. I'm going to capture
> some transfers to see if I can spot the problem.
>
> Any ideas on what to look for right off the bat? Any tips from anyone who
> has seen this sort of thing before?
>
> Thanks,
> John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72421&t=72402
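Items 1 and 4 of the checklist above come down to reading the option block of the SYN and SYN-ACK. The following is an added example, not code from the original post: it decodes the TCP options of both handshake segments and reports what the two stacks actually agreed on. The two segments are constructed sample bytes (a bare TCP header plus options, no IP header) rather than captures from the poster's servers; the 1500-byte MTU is an assumption.

```python
"""Decode the TCP option block of a SYN and SYN-ACK and report what the two
stacks actually negotiated (MSS, window scale, SACK, timestamps).

Added example for the checklist in this thread; not code from the original
post. The segments it is run on are constructed sample bytes (bare TCP
header plus options, no IP header), not captures from the poster's servers.
In real use you would feed it the bytes snoop or tcpdump hands you.
"""
import struct

# Option kinds from RFC 793, RFC 1323 (window scale, timestamps) and RFC 2018 (SACK).
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TS = 0, 1, 2, 3, 4, 8


def parse_tcp_options(segment: bytes) -> dict:
    """Return the options carried by one TCP segment (header + options).

    Malformed option blocks raise ValueError instead of being skipped;
    a truncated option is worth seeing, not hiding.
    """
    if len(segment) < 20:
        raise ValueError("segment shorter than a TCP header")
    data_offset = (segment[12] >> 4) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    opts = segment[20:data_offset]
    found = {"mss": None, "wscale": None, "sack_ok": False, "timestamps": False}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                       # end of list; the rest is padding
            break
        if kind == OPT_NOP:                       # single-byte pad
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            found["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            found["wscale"] = body[0]
        elif kind == OPT_SACK_OK and length == 2:
            found["sack_ok"] = True
        elif kind == OPT_TS and length == 10:
            found["timestamps"] = True
        i += length
    return found


def check_handshake(syn: bytes, synack: bytes, link_mtu: int = 1500) -> list:
    """Compare both sides' options and return a list of findings as strings.

    link_mtu defaults to Ethernet (an assumption); an IPv4 TCP segment fits
    unfragmented only if MSS <= MTU - 40 (20-byte IP + 20-byte TCP header).
    """
    client, server = parse_tcp_options(syn), parse_tcp_options(synack)
    notes = []
    for name, o in (("client", client), ("server", server)):
        if o["mss"] is None:
            notes.append("%s sent no MSS option; peer will assume 536" % name)
        elif o["mss"] > link_mtu - 40:
            notes.append("%s MSS %d does not fit MTU %d" % (name, o["mss"], link_mtu))
    # Window scaling and SACK are only in effect when BOTH sides offered them
    # in the handshake, so a one-sided offer is worth pointing out.
    offers = {
        "window scaling": (client["wscale"] is not None, server["wscale"] is not None),
        "SACK": (client["sack_ok"], server["sack_ok"]),
    }
    for label, (c, s) in offers.items():
        if c and s:
            notes.append("%s in use" % label)
        elif c != s:
            notes.append("%s offered by one side only; not in use" % label)
    return notes


def build_segment(flags: int, options: bytes, sport: int = 1025, dport: int = 21) -> bytes:
    """Construct a minimal TCP header with the given option bytes (sample data only)."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary with EOL
    doff = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, doff << 4, flags, 65535, 0, 0)
    return header + options


# Constructed sample: client offers MSS 1460, window scale 2 and SACK;
# server answers with MSS only, so scaling and SACK will not be used.
SAMPLE_SYN = build_segment(0x02, b"\x02\x04\x05\xb4" b"\x01" b"\x03\x03\x02" b"\x01\x01\x04\x02")
SAMPLE_SYNACK = build_segment(0x12, b"\x02\x04\x05\xb4")

if __name__ == "__main__":
    for line in check_handshake(SAMPLE_SYN, SAMPLE_SYNACK):
        print(line)
```

The one-sided checks are the point: window scaling or SACK that only one stack offers never takes effect, which is easy to misread in a capture when you only look at the SYN.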
Re: Sniffer Recommendation [7:72372]
There are various tools to do this; as far as I know they all work based on the ability to spoof arp replies. Here are a few links:

http://monkey.org/~dugsong/dsniff/ (a host of tools for sniffing through various spoofing attacks)

http://www.phenoelit.de/fr/tools.html (specifically just for arp spoofing although they have some other interesting tools)

Be aware that if you have a busy network, some of these tools could potentially be disruptive depending on how they are used. Be also aware that if you don't have authority to use these tools on the network in question, using them is probably a good reason for termination of employment. I don't recommend you use these tools unless you know what you are doing _and_ you have explicit authorization from the network owner to use them. It's far better to just span the port or use VACLs. In other words, use these tools at your own risk.

HTH,

Kent

On Wed, 2003-07-16 at 00:32, Nathan wrote:
> I need a sniffer that doesn't require spanning a port. Any suggestions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=72398&t=72372
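The tools above work by answering ARP requests with the attacker's MAC, so the defensive counterpart is to watch for an IP whose MAC binding changes. The following is an added example, not code from the original post or from dsniff or any other tool named there: it parses Ethernet/ARP reply frames and alerts when a reply contradicts a binding it already knows (either one seeded statically, such as the default gateway, or the first one it learned). The frames are constructed inline; reading real frames from a span port with libpcap is assumed, not shown, and the gateway and host MACs are invented values.

```python
"""Watch ARP replies and flag an IP address whose MAC binding changes, the
symptom of the ARP-reply spoofing that dsniff-style sniffers rely on.

Added example for this thread; not code from the original post, from dsniff
or from any other tool mentioned. Frames are constructed inline for the demo.
Reading real frames off a span port (e.g. with libpcap) is assumed, not
shown, and every MAC and IP below is an invented value.
"""
import struct
from collections import namedtuple

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

ArpReply = namedtuple("ArpReply", "sender_mac sender_ip target_mac target_ip")


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_reply(frame: bytes):
    """Return an ArpReply for an Ethernet II / IPv4 ARP reply, else None."""
    if len(frame) < 42:                            # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper != ARP_REPLY:
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpReply(_mac(sha), _ip(spa), _mac(tha), _ip(tpa))


class ArpWatch:
    """Remember the first MAC seen for each IP (plus any static bindings you
    seed it with, such as the default gateway) and alert on a change."""

    def __init__(self, static=None):
        self.bindings = dict(static or {})
        self.alerts = []

    def observe(self, frame: bytes):
        """Feed one frame; return an alert string if it contradicts a binding."""
        reply = parse_arp_reply(frame)
        if reply is None:
            return None
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
            return None
        if known != reply.sender_mac:
            alert = "ARP spoof? %s was %s, now claimed by %s (reply sent to %s)" % (
                reply.sender_ip, known, reply.sender_mac, reply.target_ip)
            self.alerts.append(alert)
            return alert
        return None


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Construct an Ethernet/ARP reply frame (sample data for the demo)."""
    def mac(s):
        return bytes(int(x, 16) for x in s.split(":"))

    def ip(s):
        return bytes(int(x) for x in s.split("."))

    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip))
    return eth + arp


# Constructed sample: a legitimate reply from the gateway, then a second host
# claiming the gateway's IP with its own MAC, as a dsniff-style tool would.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:00:0c:07:ac:01"      # invented
VICTIM_MAC, ATTACKER_MAC = "00:0c:29:aa:bb:cc", "00:11:22:33:44:55"  # invented
SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.50"),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, "192.168.1.50"),
]

if __name__ == "__main__":
    watch = ArpWatch(static={GATEWAY_IP: GATEWAY_MAC})
    for frame in SAMPLE_FRAMES:
        watch.observe(frame)
    print("\n".join(watch.alerts) or "no ARP anomalies")
```

Seeding the gateway binding statically matters: a learn-on-first-sight watcher that starts after the attacker does will happily learn the wrong MAC.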
Re: hacking challenge [7:66720]
Rusty,

I'm not clear from your question if there is an acl blocking everything inbound to the NT servers except smtp and telnet or if the acl is for inbound to the router itself.

In the former case, unless your client is forcing their users to use good passwords, it's likely that a brute force telnet attempt would succeed in anywhere from a few hours to a few days, ditto for brute force on the router. If they're not logging failed login attempts, they would never know this was occurring.

If they have no filtering of any kind inbound to their servers, there are many netbios/NT vulnerabilities that they could be susceptible to; without knowing more specifics about the patches applied and the services being run I can't give you anything more specific. You can search on securityfocus.com to see what might be applicable to your client.

One thing to keep in mind, for a small site the Cisco firewall feature set may be adequate. At the very least, a correctly configured access-list provides some rudimentary protection. See the Cisco site or Phrack issue 52 for info on Cisco router security. (phrack.com)

Also, security works best when applied in layers. It's not enough to have a firewall; enabling centralized logging, patching and hardening servers, backup procedures and implementing change control procedures are just a few of the things that need to be done as well. A firewall is just the beginning.

HTH,

Kent

PS If you're trying to get your client to take security seriously, you should probably begin by asking business questions like: "What is the worth of the information contained on your servers? How long could you operate without that information? If you lost all of the information on your servers, could your business operate? Are you aware of how much money businesses lost last year due to security breaches according to the FBI/CSI annual report? Are you aware of the potential legal issues related to not following "due care" practices for securing your information infrastructure, etc. etc."

On Wed, 2003-04-02 at 19:09, Wilmes, Rusty wrote:
> this is a general question for the security specialists.
>
> I'm trying to convince a client that they need a firewall
>
> so hypothetically,
>
> if you had telnet via the internet open to a router (with an access list
> that allowed smtp and telnet) (assuming you didn't know the telnet password
> or the enable password) that had a bunch of nt servers on another interface,
> how long would it take a determined hacker a) to cause some kind of network
> downtime and b) to map a network drive to a share on a file server over the
> internet.
>
> Thanks,
> Rusty
>
> > -Original Message-
> > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2003 1:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VLAN loop problem [7:66656]
> >
> > Yes,
> > it prevents loops in spanning tree on layer 2 switches from
> > causing a loop by disabling the port on a cisco switch...
> >
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> > > Thomas N.
> > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: VLAN loop problem [7:66656]
> > >
> > > What does "portfast bpdu-guard" do? Does it prevent interfaces with
> > > portfast enabled from causing the loop in my scenario?
> > >
> > > ""Larry Letterman"" wrote in message
> > > news:[EMAIL PROTECTED]
> > > > port mac address security might work, altho its a lot of admin
> > > > overhead..are you running portfast bpdu-guard on the access ports?
> > > >
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > >
> > > > - Original Message -
> > > > From: Thomas N.
> > > > To: [EMAIL PROTECTED]
> > > > Sent: Tuesday, April 01, 2003 8:14 PM
> > > > Subject: VLAN loop problem [7:66656]
> > > >
> > > > Hi All,
> > > >
> > > > I got a problem in the production campus LAN here between
> > > > VLANs. Please help me out! Below is the scenario:
> > > >
> > > > We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets.
> > > > Routing is enabled/allowed between the two subnets using the MSFC of
> > > > the 6500. Each subnet has a DHCP server to assign IP addresses to
> > > > devices on its subnet. Spanning-tree is enabled; however, portfast
> > > > is turned on on all non-trunking/uplink ports. Recently, devices
> > > > on VLAN 10 got assigned an IP address of 10.20.x.x, which is from
> > > > the DHCP on the other scope and also from the 10.10.x.x scope, and
> > > > vice versa. It seems that we have a loop somewhere between the 2
> > > > subnets but we don't know where. I noticed lots of end users
> > > > have a little unmanaged hub/switch hung off the network jack
Re: Info about cisco IDS [7:66238]
AFAIK, no. Cisco IDS was purchased from the Wheel Group and previously went by the name Netranger.

Regards,

Kent

On Wed, 2003-03-26 at 07:12, ritul wrote:
> Hi !
>
> I want to know is Snort used with CISCO IDS ?
>
> Ritul

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66255&t=66238
Re: PIX Question [7:65095]
Manny,

A couple of thoughts, not necessarily in order of applicability:

1) Change the timeout values for idle connections for conn (connection slot) from 1 hr to 5-10 min and change the xlate timeout from 3 hrs to 5-10 minutes. These are idle timeouts and will probably work for most environments unless you have a lot of low traffic, long timeout connections. (uses the 'timeout' command)

2) Enable aaa authorization for at least ftp and http. Force users to authenticate before using those services.

3) Log PIX messages to a syslog server, monitor it for xlate problems with something like logsurfer.

4) Install an IDS system and monitor for failed FTP logins.

Obviously, these are not mutually exclusive.

HTH,

Kent

On Tue, 2003-03-11 at 16:04, Manny wrote:
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was setup on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65180&t=65095
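Item 3 above, monitoring the syslog feed for xlate problems, comes down to noticing one inside host building translations far faster than everyone else. The following is an added example, not code from the original post, from logsurfer or from Cisco: a sliding-window counter over PIX syslog lines that alerts once a host crosses a per-minute threshold. The log lines are constructed samples modeled on the PIX 6.x message 305011 ("Built dynamic TCP translation from ... to ..."); the hostname, the year (BSD syslog timestamps carry none) and the 50-per-minute threshold are assumptions.

```python
"""Spot one inside host building translations far faster than the rest of
the network, which is what the spyware FTP client in this thread did.

Added example for this thread; not code from the original post or from
Cisco. The log lines are constructed samples modeled on the PIX 6.x
message 305011 ("Built dynamic TCP translation ..."); the hostname, the
year (syslog carries none) and the thresholds are assumptions. Real use
would tail the file the PIX logs to on the syslog server.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2003   # assumption: BSD syslog timestamps have no year

XLATE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %PIX-\d-305011: "
    r"Built dynamic (?P<proto>TCP|UDP) translation from "
    r"\w+:(?P<src>[\d.]+)/(?P<sport>\d+) to \w+:(?P<mapped>[\d.]+)/(?P<mport>\d+)$"
)


def parse_xlate_line(line: str):
    """Return (timestamp, inside host, inside port) for a 305011 line, else None."""
    m = XLATE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (LOG_YEAR, " ".join(m.group("ts").split())),
                           "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), int(m.group("sport"))


class XlateChurnDetector:
    """Sliding-window counter of new translations per inside host."""

    def __init__(self, threshold: int = 50, window_seconds: int = 60):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)   # host -> timestamps inside the window
        self.alerted = set()               # alert once per host, not once per line

    def feed(self, line: str):
        """Feed one syslog line; return an alert when a host crosses the threshold."""
        parsed = parse_xlate_line(line)
        if parsed is None:
            return None
        ts, host, _ = parsed
        q = self.recent[host]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop entries that aged out
            q.popleft()
        if len(q) >= self.threshold and host not in self.alerted:
            self.alerted.add(host)
            return "%s built %d translations in %d s (as of %s)" % (
                host, len(q), self.window.total_seconds(), ts.strftime("%H:%M:%S"))
        return None


def make_sample_log(noisy_host: str = "192.168.1.77", noisy_count: int = 60) -> list:
    """Constructed sample: a quiet host plus one host opening a new FTP
    connection every second, the way the poster's spyware did."""
    fmt = ("Mar 11 %s pix %%PIX-6-305011: Built dynamic TCP translation "
           "from inside:%s/%d to outside:200.10.10.5/%d")
    base = datetime(LOG_YEAR, 3, 11, 16, 1, 0)
    lines = [fmt % ("16:00:30", "192.168.1.10", 1025, 1025)]
    for i in range(noisy_count):
        t = (base + timedelta(seconds=i)).strftime("%H:%M:%S")
        lines.append(fmt % (t, noisy_host, 2000 + i, 2000 + i))
    lines.append(fmt % ("16:05:00", "192.168.1.10", 1026, 1026))
    return lines


def run(lines, threshold: int = 50, window_seconds: int = 60) -> list:
    """Return the alerts produced by feeding lines through the detector."""
    det = XlateChurnDetector(threshold, window_seconds)
    return [a for a in (det.feed(line) for line in lines) if a]


if __name__ == "__main__":
    for alert in run(make_sample_log()):
        print(alert)
```

The alert names the inside host, which is what you need to go pull the machine; the shorter idle timeouts from item 1 then keep the table from filling before you get there.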
Re: can PIX IDS block spam?? [7:65017]
No. If you want mail content filtering (spam, virus, etc.) you need a 3rd party product like those from TrendMicro.

HTH,

Kent

On Tue, 2003-03-11 at 02:03, Carol smith wrote:
> Hi.. I wonder PIX generic IDS can block spam e-mail attack?
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=65106&t=65017
Re: VLAN Trunking + Access lista [7:63739]
No, subinterfaces on a trunked port fully support ACLs in the same manner as physical interfaces. Same for other services such as NAT, CBAC, policy routing, etc.

HTH,

Kent

On Tue, 2003-02-25 at 11:47, Skarphedinsson Arni V. wrote:
> Hi
>
> When using vlan trunking from a router, for example in a router on a stick
> environment, I would create subinterfaces on the ethernet interface on the
> router; does that in some way limit the use of access-lists to control
> traffic, like traffic between the vlans and out of the router through
> another interface ?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63771&t=63739
Re: ADSL and PIX puzzle [7:63458]
Change this:

ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable

to something like:

ip nat inside source static tcp 192.168.0.30 80 200.10.15.189 80 extendable

-The inside from the 827's perspective needs to be something in the 192.168.0.x address space

And change this:

static (inside,outside) 200.10.15.189 webserver

to something like:

static (inside,outside) 192.168.0.30 webserver

-From the PIX's perspective, the outside address of the webserver is going to be something in the 192.168.0.x range, just as from the 827's perspective, 192.168.0.x is the inside range.

HTH,

Kent

On Thu, 2003-02-20 at 20:33, dlci_16 wrote:
> Hello networkers,
>
> I am trying to "conjure up" a working config for an ADSL link with static IPs
> for a 827 series router,
> these public IPs are supposed to point to, say a webserver, that sits behind
> a pix firewall
> (which is directly connected to the 827 router's ethernet interface),
> problem is when I try to come up with a working config. I find myself
> getting into trouble.
> (The catch is, I need the webserver behind that pix.)
> Now this gets me using NAT twice to get a public IP from
> the internet through the router past the pix and into my webserver,
> I know it doesn't sound right and obviously does not work either ;),
> Any help/clue/criticisms are most welcome ;)
> Ok,
> What it looks like so far:
>
> [internet] -> [router] -> [pix] -> [lan/webserver]
>               [827series] -> [506E] ---> [lan/webserver]
>
> IP addresses:
> For internet access I have 200.10.10.136 mask 255.255.255.0
> Public IPs: 200.10.15.184 255.255.255.248 (for example)
> Public IP for my webserver is 200.10.15.189
>
> Router 827:
> --
>
> !
> int eth0
>  ip address 192.168.0.200 255.255.255.0
>  ip nat inside
> !
> int atm0
>  no ip address
>  dsl operating-mode auto
> !
> int atm0.1 point-to-point
>  no ip address
>  pvc 0/35
>   pppoe-client dial-pool-number 1
> !
> int dialer1
>  ip address 200.10.10.136 255.255.255.0
>  ip nat outside
>  dialer pool 1
> !
> ip nat inside source list 1 interface dialer1 overload
> ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable
> access-list 1 permit 192.168.0.0 0.0.0.255
> !
> ip route 0.0.0.0 0.0.0.0 interface dialer1
> !
>
> PIX 506E:
> -
>
> !
> nameif eth0 outside security0
> nameif eth1 inside security100
> !
> ip address outside 192.168.0.201 255.255.255.0
> ip address inside 192.168.1.21 255.255.255.0
> !
> route outside 0.0.0.0 0.0.0.0 192.168.0.200 1
> !
> global (outside) 1 192.168.0.202-192.168.0.248
> nat (inside) 1 192.168.0.0 255.255.255.0
> !
> name 192.168.1.30 webserver
> !
> static (inside,outside) 200.10.15.189 webserver
> !
> access-list acl_out permit tcp any host 200.10.15.189 eq 80
> !
> access-group acl_out in interface outside
> !
>
> Maybe I am going about this the wrong way,
> maybe there is still hope just by tweaking my static nat translation at the
> router.
> If you have reached this far, thank you for your time and effort.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63476&t=63458
RE: Snort versus Cisco IDS [7:62939]
BTW, for the record I am personally a big fan of snort. Snort is what I use on my own home network. But then I'm a tech geek with limited funds, so it fits my needs perfectly. ;-)

Regards,

Kent

On Fri, 2003-02-14 at 10:32, Kent Hundley wrote:
> The term "team" was meant to be inclusive of engineers as well as
> sales. I can assure you I have talked to many competent Cisco
> engineers, some of them who specialize in security, who do in fact
> recommend the Cisco IDS to their large clients.
>
> And yes, salespeople will obviously always push their product.
>
> Regards,
> Kent
>
> On Fri, 2003-02-14 at 07:15, DeVoe, Charles (PKI) wrote:
> > 2) Has never talked to any of the Cisco teams that manage large global
> > accounts
> >
> > Of course these are sales people. Sales people make their livelihood off of
> > the sales. So obviously, they will push the product.
> >
> > Rule 1. Never trust a salesperson.
> > Rule 2. Never Believe a salesperson.
> > Rule 3. Never forget Rules 1 & 2.
> >
> > -Original Message-
> > From: Kent Hundley [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 4:39 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Snort versus Cisco IDS [7:62939]
> >
> > On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> > > Someone told me in an authoritative voice today that Cisco doesn't
> > > recommend their IDS. They recommend Snort. Is this really true? Isn't
> > > Cisco's IDS a big part of SAFE?
> >
> > Whoever told you this:
> >
> > 1) Is extremely naive (one Cisco engineer told them something and they
> > took it as gospel)
> >
> > 2) Has never talked to any of the Cisco teams that manage large global
> > accounts
> >
> > I can tell you for a 100% fact that Cisco recommends their IDS very
> > actively to their large global customers. I'm working on a Fortune 5
> > account right now and the Cisco team is heavily pushing a Cisco IDS
> > deployment. If one of their engineers recommended snort, the AM would
> > have them bound and gagged and thrown in a very dark basement. ;-)
> >
> > > Of course, the person who said this doesn't understand that Cisco is a
> > > huge, chaotic organism, and that saying Cisco does something based on
> > > what one person does, doesn't make sense.
> > >
> > > But I'm just curious, what do you all recommend for intrusion detection?
> > > How do Snort and Cisco IDS compare? I guess Cisco's solution is a bit
> > > more complicated, requiring appliances or IDS cards in a switch and a
> > > console:
> >
> > Cisco IDS is a commercial, fully baked product in the sense that it has
> > a lot of bells and whistles for the end-user market. Cisco is also
> > developing custom hardware such as blades that slide into a Cat 6500,
> > making for easy deployment and the ability to capture and process
> > traffic at Gigabit speeds.
> >
> > Snort is much more of a tech geek's solution, although there are a lot of
> > talented people writing code to increase its ease of use (things
> > like ACID and Demarc).
> >
> > The bottom line is that snort will do the job in a lot of environments,
> > but you're going to need to have some very technical people to handle the
> > care and feeding of the system. It is an open source solution and
> > doesn't come with built-in support other than what you get through
> > mailing lists. The Cisco IDS comes with TAC behind it. You pay more
> > for more support baked into the process and a large amount of dedicated
> > resources working on your issues. (it's the same old open source vs
> > commercial product argument)
> >
> > For small environments where funds are very limited or for environments
> > with highly technical but cheap labor (such as universities), snort is
> > probably the better solution. For large enterprises, Cisco would
> > probably be the better choice.
> >
> > Of course, YMMV, a lot depends on the environment, that's my opinion,
> > take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer,
> > disclaimer...
> >
> > Regards,
> > Kent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63039&t=62939
RE: Snort versus Cisco IDS [7:62939]
The term "team" was meant to be inclusive of engineers as well as sales. I can assure you I have talked to many competent Cisco engineers, some of them who specialize in security, who do in fact recommend the Cisco IDS to their large clients.

And yes, salespeople will obviously always push their product.

Regards,

Kent

On Fri, 2003-02-14 at 07:15, DeVoe, Charles (PKI) wrote:
> 2) Has never talked to any of the Cisco teams that manage large global
> accounts
>
> Of course these are sales people. Sales people make their livelihood off of
> the sales. So obviously, they will push the product.
>
> Rule 1. Never trust a salesperson.
> Rule 2. Never Believe a salesperson.
> Rule 3. Never forget Rules 1 & 2.
>
> -Original Message-
> From: Kent Hundley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 4:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Snort versus Cisco IDS [7:62939]
>
> On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> > Someone told me in an authoritative voice today that Cisco doesn't
> > recommend their IDS. They recommend Snort. Is this really true? Isn't
> > Cisco's IDS a big part of SAFE?
>
> Whoever told you this:
>
> 1) Is extremely naive (one Cisco engineer told them something and they
> took it as gospel)
>
> 2) Has never talked to any of the Cisco teams that manage large global
> accounts
>
> I can tell you for a 100% fact that Cisco recommends their IDS very
> actively to their large global customers. I'm working on a Fortune 5
> account right now and the Cisco team is heavily pushing a Cisco IDS
> deployment. If one of their engineers recommended snort, the AM would
> have them bound and gagged and thrown in a very dark basement. ;-)
>
> > Of course, the person who said this doesn't understand that Cisco is a
> > huge, chaotic organism, and that saying Cisco does something based on
> > what one person does, doesn't make sense.
> >
> > But I'm just curious, what do you all recommend for intrusion detection?
> > How do Snort and Cisco IDS compare? I guess Cisco's solution is a bit
> > more complicated, requiring appliances or IDS cards in a switch and a
> > console:
>
> Cisco IDS is a commercial, fully baked product in the sense that it has
> a lot of bells and whistles for the end-user market. Cisco is also
> developing custom hardware such as blades that slide into a Cat 6500,
> making for easy deployment and the ability to capture and process
> traffic at Gigabit speeds.
>
> Snort is much more of a tech geek's solution, although there are a lot of
> talented people writing code to increase its ease of use (things
> like ACID and Demarc).
>
> The bottom line is that snort will do the job in a lot of environments,
> but you're going to need to have some very technical people to handle the
> care and feeding of the system. It is an open source solution and
> doesn't come with built-in support other than what you get through
> mailing lists. The Cisco IDS comes with TAC behind it. You pay more
> for more support baked into the process and a large amount of dedicated
> resources working on your issues. (it's the same old open source vs
> commercial product argument)
>
> For small environments where funds are very limited or for environments
> with highly technical but cheap labor (such as universities), snort is
> probably the better solution. For large enterprises, Cisco would
> probably be the better choice.
>
> Of course, YMMV, a lot depends on the environment, that's my opinion,
> take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer,
> disclaimer...
>
> Regards,
> Kent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63034&t=62939
Re: Snort versus Cisco IDS [7:62939]
On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> Someone told me in an authoritative voice today that Cisco doesn't recommend
> their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> big part of SAFE?

Whoever told you this:

1) Is extremely naive (one Cisco engineer told them something and they took it as gospel)

2) Has never talked to any of the Cisco teams that manage large global accounts

I can tell you for a 100% fact that Cisco recommends their IDS very actively to their large global customers. I'm working on a Fortune 5 account right now and the Cisco team is heavily pushing a Cisco IDS deployment. If one of their engineers recommended snort, the AM would have them bound and gagged and thrown in a very dark basement. ;-)

> Of course, the person who said this doesn't understand that Cisco is a huge,
> chaotic organism, and that saying Cisco does something based on what one
> person does, doesn't make sense.
>
> But I'm just curious, what do you all recommend for intrusion detection? How
> do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> complicated, requiring appliances or IDS cards in a switch and a console:

Cisco IDS is a commercial, fully baked product in the sense that it has a lot of bells and whistles for the end-user market. Cisco is also developing custom hardware such as blades that slide into a Cat 6500, making for easy deployment and the ability to capture and process traffic at Gigabit speeds.

Snort is much more of a tech geek's solution, although there are a lot of talented people writing code to increase its ease of use (things like ACID and Demarc).

The bottom line is that snort will do the job in a lot of environments, but you're going to need to have some very technical people to handle the care and feeding of the system. It is an open source solution and doesn't come with built-in support other than what you get through mailing lists. The Cisco IDS comes with TAC behind it. You pay more for more support baked into the process and a large amount of dedicated resources working on your issues. (it's the same old open source vs commercial product argument)

For small environments where funds are very limited or for environments with highly technical but cheap labor (such as universities), snort is probably the better solution. For large enterprises, Cisco would probably be the better choice.

Of course, YMMV, a lot depends on the environment, that's my opinion, take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer, disclaimer...

Regards,

Kent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62992&t=62939
Re: OT: migration from CheckPoint to PIX firewall [7:58957]
A) No

B) No

It appears that someone in mgmt. has made a layer 8 (political) decision to migrate your firewall, since the PIX does not support features you are currently using and yet the decision has already been made.

At this point, I would recommend that you put together a brief presentation (no more than 4 slides) listing the features that you will lose, why they are important and how much it will cost to implement those features on extra hardware. Make sure your mgmt. signs off _in writing_ that they are aware of the functionality that you are losing if they insist on migrating and refuse to buy additional hardware. Save the written sign off for later CYA use.

Regards,

Kent

At 02:39 AM 12/11/2002 +, eric nguyen wrote:
> My company is looking to migrate from CheckPoint over to Pix Firewall in the
> next couple of months and I have been assigned to this project. I have
> questions about Pix firewalls. We are a small company, less than 50 people.
>
> a) Does pix firewall support QOS, traffic shaping or traffic prioritization?
> The checkpoint firewall we are using has a feature called "flood-gate" that
> can prioritize both inbound and outbound traffic. We would like to have this
> feature in Pix firewall as well.
>
> b) Does pix support http load balancing? Checkpoint has a feature that
> supports http load-balancing for inbound traffic. We need this feature to
> load balance our web servers. I would like to have this feature in pix as
> well. We don't have the budget for a dedicated load-balancer such as Cisco
> CSS. Open freeware is out of the question, will not fly past management.
>
> Can pix do those things above without additional hardware?
>
> Regards,
>
> Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58999&t=58957
Re: Traffic Analyses [7:58193]
You might also want to check out Ntop: http://www.ntop.org/ntop.html

It's not for monitoring Cisco routers, but it will give you everything you want to know about the traffic on your network.

HTH,

Kent

At 04:02 PM 11/27/2002 +, Curious wrote:
> Is there a tool which gives me very good traffic analysis or traffic
> monitoring on my Cisco Routers / PIX FW (Serial and Eth) Interfaces, over
> Ethernet and T1 Link.
>
> Thanks,
>
> --
> Curious
>
> MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58262&t=58193
Re: 2 IDS modules in a 6509 [7:58126]
Yes, you can use as many IDS modules as you have free slots for (minus the sups of course). Each IDS is managed independently; one does not affect the other. You would, of course, use different VACLs to point different traffic to each IDS blade, so each IDS "sees" different traffic.

HTH,

Kent

At 07:05 PM 11/26/2002 +, Marcos Casado Castaño wrote:
> Maybe this is a stupid question, but can I use 2 IDS modules in a single
> switch 6509 chassis to increase scanning throughput? If yes, how does it
> work?
>
> [EMAIL PROTECTED]
> MetroRed Telecomunicações Ltda.
> PanAmérica Park
> Av. Guido Caloi, 1000 - Ed. 3 - 1º andar
> CEP 04578-903 - São Paulo - SP - Brasil
> Tel.: (5511) 5852-2503 - Fax: (5511) 5501-8777

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58184&t=58126
Re: Firewall Question [7:57893]
James,

Just to add a bit to what others have said, if your friend is cost constrained, going open source ala OpenBSD, FreeBSD, Linux, etc. will no doubt be the cheapest in terms of immediate cost. An additional option is the Cisco firewall feature set; it may require your friend to purchase additional software from Cisco, which would be more expensive than the open source option.

I agree completely with others, having some sort of firewall in place is the _minimum_ required for any business to connect to the Internet. Not having at least a firewall borders on criminal facilitation and in the very near future we are going to start seeing companies held liable for not exercising due diligence with regard to basic security measures if their sites are used to attack other sites.

Having said this, unless your friend knows specifically what they are doing, putting a firewall in place may not help. They may configure it incorrectly or the server may have been compromised through "legitimate" traffic such as an IIS exploit. If the server is being used as the company's web server, putting a firewall in place might not help; they'll have to apply appropriate patches to the server or it will just be compromised again.

My advice to your friend is to buy a good book on implementing network security soup to nuts including writing policies, securing perimeters, etc. It may seem like overkill for such a small network, but someone who doesn't understand the big picture is bound to end up leaving holes that will be exploited later. One book I've seen that looks good in this regard is "Inside Network Perimeter Security" by Northcutt.

In the meantime I would suggest your friend do the following:

1) Put a filter on his router blocking everything except necessary services; guidelines are on CCO in this regard or they can check out Phrack issue 55.

2) Make sure both clients and server have the most current patch levels.

3) Disable any services that are not required on the server; there is information on how to do this all over the web.

4) Get a syslog server and log any denied packets from the router to the syslog server. There are syslog daemons available for Windows that can be used for a limited time for free. Syslog is standard on any Unix-like platform.

Your friend can do these measures right now for no cost and minimal effort. Then they can research installing a firewall and read up on additional prudent security measures.

A couple of good sites that might also help:

http://www.infosyssec.net/
http://www.cisecurity.org/
http://www.sans.org/newlook/home.php

HTH,

Kent

At 09:14 PM 11/22/2002 +, James Gruggett wrote:
> I have a friend that has a T1 going into his 1700 series cisco router.
> His ISP has stated that someone has hacked into his Win2k server and
> that he must put a firewall in place.
>
> Do you recommend a software or hardware based firewall and what type.
>
> The network consists of 1 server, 1 switch, and 10 workstations.
>
> Thanks
>
> [GroupStudy.com removed an attachment of type text/x-vcard which had a name
> of james.gruggett.vcf]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=58067&t=57893
Re: IGRP as proprietary? [7:57603]
Depends on your definition of "open standard". As far as I can tell there are no RFCs for IGRP or EIGRP, which is pretty much the criteria for something to be considered an "open standard" in the Internet community. Also, I don't believe Cisco has released the source code for either IGRP or EIGRP. Based on that, I would consider both routing protocols to be proprietary.

I believe some non-Cisco companies have interoperable implementations of IGRP, but my guess would be they either reverse engineered it or paid Cisco for the code.

In short, by most definitions, IGRP/EIGRP would be considered proprietary.

Regards,
Kent

At 11:38 AM 11/18/2002 +, hktco wrote:
>When I learned it for CCNA and CCNP, I was told that IGRP is Cisco
>proprietary. Until recently, I was being told that IGRP is no longer
>proprietary and became an open standard.
>
>I would like to verify this. Any input from an authority would be nice.
>Thanks.
>
>hktco

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57631&t=57603
Re: VPN Primer on Cisco site - FYI [7:56618]
FYI,

This paper and other Cisco security docs can also be found at:

http://www.cisco.com/go/safe

which has the advantage of being easier to remember. ;-)

Regards,
Kent

At 07:58 PM 10/31/2002 +, The Long and Winding Road wrote:
>found this while stumbling around:
>
>http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.pdf
>
>enjoy
>
>--
>
>www.chuckslongroad.info

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=56686&t=56618
RE: PIX Firewall (6.2) General Questions RANT [7:47393]
Richard,

1) No comments are allowed right now. Yes, it's a pain.

2) Try using PDM, it's a fairly nice GUI interface. For large environments try CSPM.

3) The PIX's default stance is a holdover from the days when not a lot of people were concerned about blocking outbound traffic. Yes, it probably should be changed, and yes, a lot of security people don't like the "default permit out" stance.

4) Yes, another pain, probably something that they will eventually include, but I don't know specific details.

5) I don't think anyone would argue that the PIX lacks some of the "whiz bang" features of other commercial firewalls. The big selling points for the PIX in the past have been speed and support. The speed factor has been taken out of the equation by new boxes from Nokia and others. (BSD kernel running Firewall-1 at gigabit speeds) The support factor is still a good point, but it's clear to me that Cisco needs to step up their development efforts on the PIX if they want to stay in the game.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Tufaro
Sent: Tuesday, June 25, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]

Hey all, just recently got my hands on 4 new PIX firewalls and I am having some issues with them that perhaps may be shortcomings of the PIX or me, but I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines to tell what the rule is doing? Now don't get me wrong, you can look at the rule and it's pretty straightforward, but I would like to comment them much like you can do in IOS. The only way that I have found to do this is by taking every external or internal IP address that we have and are denying or allowing and giving it a name. But this also has its shortcomings because of the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do they need to append instead of replace? I am going to assume that the access-list is read from the top down (just like in IOS), so if I export my config, change around the order, then try to paste, *does not take*. The workaround I found for this nifty problem is exporting the access-list to UltraEdit, putting a "no" statement in front of all of the statements, clearing them, then making the change and importing them. How do people in a large PIX environment with a multitude of rules, and a dynamic environment, manage this? Or the PIXes for that matter, as a side.

3. Tell me if I'm smoking crack here, but the default stance of the PIX is bass-ackwards when it comes to internal hosts to the outside. I mean look, when I put out the firewall and config my INBOUND lists, why do I want everyone in the company to be able to NETBIOS across the firewall (outbound)?! I have worked with one other firewall (CyberGuard) and their stance IMHO is the best: DENY ALL, permit what I say to permit. It's a firewall, not a router (in the security sense people, I know what it is REALLY, but relating to Cisco).

4. Little things too...like why no command completion? I know that this is a Cisco acquired device, but you would think that they would make it easy to configure from the command line, especially with the influx of making it more IOS'e. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small, lightweight, "streamlined" device that is going to protect your network, but you should not do any WIZ bang stuff with it...but then again Cisco markets to everyone and is competing with the WIZ Bang firewall vendors like Checkpoint. I mean come on, GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much appreciated. What I'm really looking for here is some guidance as to people with large PIX deployments and how they manage day to day, and deploy new ones. I know this is a long post, but coming from CyberGuard and going to PIX there seem to be some major deficiencies as far as functionality and manageability.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47403&t=47393
RE: Microsoft VPN ports [7:47376]
http://www.cisco.com/warp/public/110/pix_pptp.html

-Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Spencer Plantier
Sent: Tuesday, June 25, 2002 6:14 AM
To: [EMAIL PROTECTED]
Subject: Microsoft VPN ports [7:47376]

Does anyone know which ports need to be opened up to let MSCHAP2 VPN go through the PIX?

Thanks,

Spencer Plantier
Internet Solutions Engineer
Cell 919-696-8848

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=47388&t=47376
RE: Pix don't route [7:46356]
That assumes that he has an address space to announce via BGP, which he did not mention, so I assumed he did not have one. Without your own address space, BGP isn't going to do anything for you.

Yes, if the T1 goes down, the servers would be unreachable, but without your own address space and/or running your own DNS and doing some NAT magic with the replies to DNS queries, you won't be able to give the "correct" DNS answer. (i.e. return the T1 IP when the T1 is up, return the DSL address when the T1 is down) Since all the replies from the servers would go out the T1, if a query for the server came in the DSL the conversation would break when the server traffic went out the T1 and got translated to the IP address on that interface. This assumes using PAT on each router interface.

Obviously, if the OP has his own address space, the scenario changes considerably and there are more options.

-Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Kaberna
Sent: Wednesday, June 12, 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix don't route [7:46356]

What happens when the T1 provider goes down? Those IPs will no longer be reachable and the servers will be down. Without BGP I don't see how you are going to get the DSL circuit to take over the IPs that the T1 provider advertises. Assuming you have BGP, I would think that policy routing and using different global addresses would get the job done. Sounds to me like the only barrier is getting BGP.

""Kent Hundley"" wrote in message news:[EMAIL PROTECTED]...
> Wayne,
>
> I would suggest disabling NAT on the PIX and performing your NAT on the
> router. This eliminates the problem of not knowing what packets originate
> from the servers. Then, setup Policy-Based Routing (PBR) on the router.
> You didn't post your config, so I assume you have 2 legal addresses, one
> from each ISP and you don't have your own address space. If you want to
> setup inbound services you'll have to setup static NAT on the router for the
> services you want to allow. For outbound the PBR it's pretty simple:
>
> int s 0
>  interface to T1
>
> int e 0
>  interface to DSL
>
> int
>  ip policy route-map test
>
> access-list 100 any
>
> route-map test permit 10
>  match ip address 100
>  set int s 0
> route-map test permit 20
>
> For outbound traffic packets from the servers will be sent out the T1 as
> long as it is up, all other traffic will be forwarded normally. You'll want
> to set your routing so that the DSL line is the preferred path for all
> traffic. If the T1 goes down, the traffic from the servers will be sent out
> the DSL.
>
> Additional problems that I see are if your servers are to be accessible from
> the Internet, you will need to have static translations setup for your
> services on both the T1 and the DSL. You can do this, but the issue becomes
> name resolution and which address is returned to users on the Internet.
> It's probably safer to just setup the translations for the T1 and leave it
> at that. (you could play some games if you ran your own DNS, but things get
> complicated pretty quickly)
>
> You don't need the FFS on the router as long as everything is behind the PIX
> (although it shouldn't hurt) and you don't need the link between the router
> and the PIX to have a public address space as long as you do the NAT on
> the router.
>
> Of course, you also will want to harden the Internet facing router if you
> have not already done so.
>
> One more thing, it's not really accurate to say the PIX "doesn't route".
> People say this all the time and what they really mean is that the PIX
> doesn't support routing protocols and some "fancy" routing techniques like
> PBR. However, the PIX does perform layer 3 forwarding based on its routing
> table, this means, by definition, it is "routing". It just doesn't have the
> same features and functions for layer 3 forwarding that Cisco routers have.
> (this is kind of a nit, but saying the PIX doesn't route tends to confuse
> people)
>
> HTH,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Wayne Jang
> Sent: Wednesday, June 12, 2002 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: Pix don't route [7:46356]
>
>
> Hi,
>
> The Pix don't route, but can I do this?
>
> I have a 2 server 20 user small office.
>
> I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to the
> Internet. I'm not looking to load balance or even do redundancy. I just
> want traffic f
RE: Pix don't route [7:46356]
Wayne,

I would suggest disabling NAT on the PIX and performing your NAT on the router. This eliminates the problem of not knowing what packets originate from the servers. Then, setup Policy-Based Routing (PBR) on the router. You didn't post your config, so I assume you have 2 legal addresses, one from each ISP and you don't have your own address space. If you want to setup inbound services you'll have to setup static NAT on the router for the services you want to allow. For outbound the PBR it's pretty simple:

int s 0
 ! interface to T1

int e 0
 ! interface to DSL

int
 ! the inside interface (name not given above)
 ip policy route-map test

! match traffic from the servers (the address list is a placeholder; the
! original line read "access-list 100 any", which is not a complete command)
access-list 100 permit ip <server addresses> any

route-map test permit 10
 match ip address 100
 set int s 0
route-map test permit 20

For outbound traffic packets from the servers will be sent out the T1 as long as it is up, all other traffic will be forwarded normally. You'll want to set your routing so that the DSL line is the preferred path for all traffic. If the T1 goes down, the traffic from the servers will be sent out the DSL.

Additional problems that I see are if your servers are to be accessible from the Internet, you will need to have static translations setup for your services on both the T1 and the DSL. You can do this, but the issue becomes name resolution and which address is returned to users on the Internet. It's probably safer to just setup the translations for the T1 and leave it at that. (you could play some games if you ran your own DNS, but things get complicated pretty quickly)

You don't need the FFS on the router as long as everything is behind the PIX (although it shouldn't hurt) and you don't need the link between the router and the PIX to have a public address space as long as you do the NAT on the router.

Of course, you also will want to harden the Internet facing router if you have not already done so.

One more thing, it's not really accurate to say the PIX "doesn't route". People say this all the time and what they really mean is that the PIX doesn't support routing protocols and some "fancy" routing techniques like PBR. However, the PIX does perform layer 3 forwarding based on its routing table, this means, by definition, it is "routing". It just doesn't have the same features and functions for layer 3 forwarding that Cisco routers have. (this is kind of a nit, but saying the PIX doesn't route tends to confuse people)

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wayne Jang
Sent: Wednesday, June 12, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: Pix don't route [7:46356]

Hi,

The Pix don't route, but can I do this?

I have a 2 server 20 user small office.

I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to the Internet. I'm not looking to load balance or even do redundancy. I just want traffic from the servers to use the T1 and I want traffic from the users to use DSL. I could use access-lists on the 2621 to direct the traffic based on source address, but how will the 2621 know where the traffic came from? Won't all traffic have a source address of the Pix outside interface? What if I NAT the servers (on PIX) so that they will appear to have a different source IP than the users who will be behind the global outside address? I'll need more public addresses, but that would be fine.

I can't get any help from Cisco Pre-Sales because they aren't sure. I can't get an engineer that knows more than me (not much). My fall back plan is to only use the 2621 and have a firewall IOS. But I would rather use the Pix, especially because we have already quoted the above solution and are working to save face.

Thanks

--
Wayne Jang
Advanced Computer Technologies, Inc.
108 Main Street
Norwalk, CT 06851
Wk 203-847-9433
Cell 203-943-6603

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46366&t=46356
RE: how to filter a MAC packet at 6509 or 4006 and WIN2000 [7:45361]
First, I think you need to determine that this is an actual attack before you start blocking anything. It could be someone who didn't know better enabled a DHCP server without even knowing what it did. I would recommend going to the person who did it and asking them why they are enabling a DHCP server. Even if it is malicious, a friendly visit can sometimes do wonders to curtail future activity.

Second, there is probably something you can tweak to keep your DHCP server from going down if it detects another DHCP server. I don't think you want your server so easily DOSed.

Finally, if you really want to block traffic at the MAC layer, you can do it with access-lists on the router, but that won't stop someone from playing havoc on their own subnet.

http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.htm#xtocid1116615

If you want to run a secure operation you should assign MAC addresses to ports on your switch and require users to go through a registration process to obtain access to a port. Also make them sign an AUP stating they are responsible for any and all activity from their MAC address. You can research securing ports on your switches by doing a search on "port security" at Cisco's site. More useful info on Cisco security is here:

http://www.cisco.com/warp/public/707/index.shtml

You can find sample AUPs and other good policy templates here:

http://www.sans.org/newlook/resources/policies/policies.htm

One final point, if you don't have a security policy in place, no amount of work will keep malicious activity from occurring. Malicious activity inside your network is principally a "people" problem and it is highly unlikely you'll be able to solve those problems just with technology.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of jackie xu
Sent: Wednesday, May 29, 2002 5:03 AM
To: [EMAIL PROTECTED]
Subject: how to filter a MAC packet at 6509 or 4006 and WIN2000 server [7:45347]

Hi, everybody here:

My DHCP server was attacked by a hacker, and the DHCP server would go down with the following message (Win2000 server platform):

"meet another server with the DHCP/BINL service, and the DHCP/BINL serivce is closing"

I found that the attacking PC was a campus user, and I got its MAC address from the ARP table at the router, so I want to filter the PC by its MAC address, not IP address, but I don't know how to do it. Can anyone tell me?

Thanks in advance!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45361&t=45361
RE: Anti-spoofing [7:45217]
You need to block more than just your own subnet. You'll want to block at least the RFC1918 address spaces and hosts that claim to be from 0.0.0.0, 255.255.255.255, 127.x.x.x and multicast addresses. You can take a look at the following for more info:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html
http://www.cisco.com/warp/public/707/21.html
http://www.phrack.org/phrack/55/P55-10

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Postman Pat
Sent: Tuesday, May 28, 2002 1:35 AM
To: [EMAIL PROTECTED]
Subject: Anti-spoofing [7:45217]

Greetings,

Please help me, I am trying to configure anti-spoofing on a router:

Interface eth 0
 Ip address 192.168.1.1 255.255.255.0

Interface ser 0
 ip address 10.0.0.1 255.255.255.0

access-list 10 deny 192.168.1.0 0.0.0.255
access-class 10 in

Is my understanding of setting up anti-spoofing correct? Is there anything I need to change to get this working? How do I improve the security on this config?

Regards
LK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=45287&t=45217
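Added example, not from the thread: the ingress/egress filter Kent describes, written out for LK's addresses (Ethernet0 192.168.1.1/24 inside, Serial0 10.0.0.1/24 toward the provider), with denied packets logged to a syslog host as the firewall thread above suggests in its steps 1 and 4. The ACL names, the syslog host 192.168.1.10, the web server 192.168.1.20 and the assumption that the inside prefix is routed without NAT are mine, not the posters'.

```cisco
! Added example, not from the original thread. Assumed: Ethernet0 = 192.168.1.1/24
! (inside), Serial0 = 10.0.0.1/24 (provider link), syslog host 192.168.1.10,
! one public service (web server 192.168.1.20), inside prefix routed without NAT.
!
ip cef
!
! Denied packets go to the syslog server, not just the console buffer.
logging 192.168.1.10
logging trap informational
logging buffered 16384 informational
!
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: sources that can never legitimately arrive from outside
 remark our own inside prefix
 deny   ip 192.168.1.0 0.0.0.255 any log
 remark the lab link itself is 10.0.0.0/24 (RFC1918), so the peer on it must be
 remark permitted before the 10/8 deny; on a public link this line is not needed
 permit ip 10.0.0.0 0.0.0.255 host 10.0.0.1
 remark RFC1918, this-network, loopback, multicast, limited broadcast, class E
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 0.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 deny   ip 240.0.0.0 15.255.255.255 any log
 remark --- only the services actually offered to the Internet
 permit tcp any host 192.168.1.20 eq www
 remark --- replies to sessions opened from inside (stateless; CBAC does this properly)
 permit tcp any 192.168.1.0 0.0.0.255 established
 permit udp any eq domain 192.168.1.0 0.0.0.255 gt 1023
 remark --- everything else is dropped and logged
 deny   ip any any log
!
ip access-list extended INSIDE-OUT
 remark egress filter (RFC 2827): nothing leaves with a source address we do not own
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ! filter at the source: applied inbound from the LAN, not outbound on the serial
 ip access-group INSIDE-OUT in
 no ip directed-broadcast
!
interface Serial0
 ip address 10.0.0.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 ! uRPF drops packets whose source is not routed back out this interface,
 ! catching spoofed sources the ACL does not list explicitly
 ip verify unicast reverse-path
 no ip directed-broadcast
 no ip proxy-arp
```

The "log" keyword on each deny is what produces the syslog records; "show access-lists" shows the hit counters so you can see which deny fires most.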
RE: Securing SNMP [7:44605]
Check out the SNMP section in this doc:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

In addition to the above suggestions, I would add:

-Do not allow SNMP write capability, you almost never need it

-Choose a _strong_ SNMP RO community. It should contain special characters such as #,$,@,&,^, etc. It's usually useful to pick a phrase that you can remember, such as "all engineers choose good passwords", pick the first letter or letters from each word: "all e c g p" and then selectively substitute special chars for certain alpha chars: "@ll $ c g )" for example. DO NOT pick things like company name, organization name, sports team mascots, pets' names, etc. In general, treat the SNMP community string with the same care you would want the administrator of your payroll server to use for their password. (and assume if the payroll gets compromised, you don't get paid)

-Consider using SNMPv3 so that you can use encryption. Alternatively, setup an IPSec tunnel between the monitoring stations and the routers for securing SNMP based communications.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Postman Pat
Sent: Tuesday, May 21, 2002 4:49 AM
To: [EMAIL PROTECTED]
Subject: Securing SNMP [7:44605]

Greetings,

I would like to run SNMP on my router and would like some advice on how I could secure it. I would also like some input from you guys on whether you recommend SNMP at all, as it seems like the only route that I can take in monitoring traffic on our internet access link.

Regards
LK

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44622&t=44605
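As an added example (mine, not from the thread), the weak SNMP configuration beside the hardened one Kent outlines: no write community, a strong read-only string restricted by ACL, and SNMPv3 with authentication and encryption. The management station address 192.168.1.10, the ACL number and the angle-bracket placeholders are assumptions.

```cisco
! Added example, not from the original thread. Assumed: one management station
! at 192.168.1.10; <...> placeholders stand for values you choose yourself.
!
! --- Weak: guessable strings, write access enabled, reachable from any source
snmp-server community public RO
snmp-server community private RW
!
! --- Hardened
no snmp-server community public
no snmp-server community private
!
! Only the management station may talk SNMP at all. The logged deny also
! leaves a record of community-string guessing from anywhere else.
access-list 99 remark SNMP pollers
access-list 99 permit 192.168.1.10
access-list 99 deny   any log
!
! v1/v2c: read-only only (no RW community exists), tied to ACL 99.
! Build the string the way the reply describes: a phrase, first letters,
! special characters substituted; never a company, team or pet name.
snmp-server community <strong-ro-string> RO 99
!
! SNMPv3: authentication (SHA) plus encryption (AES), so neither the
! credentials nor the MIB data cross the wire in clear. The view limits
! what the group may read; the same ACL limits where it may be read from.
snmp-server view NMS-VIEW iso included
snmp-server group NMS-RO v3 priv read NMS-VIEW access 99
snmp-server user nms-poller NMS-RO v3 auth sha <auth-password> priv aes 128 <priv-password>
! Older IOS releases offer only "priv des"; use that rather than dropping to noauth.
!
! Traps go to the station over v3, and an authentication-failure trap is
! raised whenever a bad community string or v3 credential is tried.
snmp-server host 192.168.1.10 version 3 priv nms-poller
snmp-server enable traps snmp authentication
!
! Note: the snmp-server user line is stored as localized keys and does not
! appear in "show running-config"; check it with "show snmp user".
```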
RE: Fans too Noisey (2500 Series Router) [7:44571]
Maybe not if you keep the room temperature low enough, but you're going to need a lot of air conditioning. ;-)

Seriously, disconnecting fans will eventually cause your router, or any computer, to fry. Without heat dissipation, your components will eventually just quit working and fill your house with the lovely smell of burning circuits. You might try buying/building some sort of enclosure, but that enclosure will likely need a fan as well.

Regards,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Will Francis
Sent: Monday, May 20, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Fans too Noisey (2500 Series Router) [7:44571]

Hi Guys

I've got 7 2500 Series routers in my home lab but it's just getting a bit too noisy. If the fans are unplugged, will this affect the routers?

cheers

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=44617&t=44571
RE: why "ip inspect" block my traffic? [7:43802]
The command you reference is for context-based access control (CBAC), part of the firewall feature set (FFS). What it is and how it works are clearly explained in the Cisco documentation at cisco.com. Here's a shortcut link that gives you all the basics:

http://www.cisco.com/warp/public/110/32.html

Your config was munged, so it's hard to say why you're having the problems you report. Offhand it sounds like a DNS lookup problem, but that's just a guess.

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kenny Smith
Sent: Thursday, May 09, 2002 7:51 PM
To: [EMAIL PROTECTED]
Subject: why "ip inspect" block my traffic? [7:43802]

Hi..

Can you tell me what is the function of the following command? My previous administrator configured it. But we found that we can't surf the net thru this router. The www traffic takes a very long time to load and pass thru this router. But after I issue 'no ip inspect name fw in', we are able to access the web traffic. Why??

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw smtp
ip inspect name fw ftp

interface ethernet0
 ....
 ....
interface ethernet1
 ....
 ....
 ip inspect name fw

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43829&t=43802
RE: NAT configuration for 2 service providers [7:43820]
You can find lots of good info on Cisco NAT by surfing to cisco.com and searching for NAT tips. Here's a shortcut:

http://www.cisco.com/warp/public/556/index.shtml

And here's an example to help with your specific question:

http://www.cisco.com/warp/public/105/nat_routemap.html

This whitepaper might help also:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htm

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 10, 2002 4:57 AM
To: [EMAIL PROTECTED]
Subject: NAT configuration for 2 service providers [7:43820]

Hi Friends,

I have 2 Internet links working at present. One link is terminated on a Cisco router and the other link is terminated on a Telindus Crocus router (which doesn't have NAT functionality). To facilitate internet access I have configured NAT on the Cisco with overload; for the second I have installed Windows 2000 NAT and configured all clients with the NAT box as gateway.

If I want to shift the second internet link to the Cisco device with 2 serial ports, how do I create a second NAT entry for the 2nd provider? Could you please help me.

Thanks in Advance
Brahmam.
415-339-0352 ex-0355

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43825&t=43820
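An added example, mine rather than Kent's or any poster's config, that fills in the approach Kent sketched for Wayne's 2621 in the "Pix don't route" thread above (NAT on the router instead of the PIX, PBR for the servers) together with the per-provider route-map NAT this question asks about. Assumed: inside network 192.168.1.0/24 behind the PIX with servers .10 and .11, PIX-to-router link 192.168.2.0/24, the T1 on Serial0/0 as 198.51.100.2/30 and the DSL on FastEthernet0/1 as 203.0.113.2/30 (documentation address ranges).

```cisco
! Added example, not from the original threads. Assumed addresses: inside
! 192.168.1.0/24 behind the PIX (servers .10 and .11), PIX outside 192.168.2.2,
! T1 = Serial0/0 198.51.100.2/30, DSL = FastEthernet0/1 203.0.113.2/30.
!
ip cef
!
interface FastEthernet0/0
 description link to PIX outside interface (PIX does no NAT, so real sources arrive here)
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip policy route-map SERVERS-VIA-T1
!
interface Serial0/0
 description T1 provider
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/1
 description DSL provider
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
! Inside network lives behind the PIX.
ip route 192.168.1.0 255.255.255.0 192.168.2.2
! DSL is the preferred path for everything; the T1 is a floating default
! (distance 10) that takes over only if the DSL route disappears.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Which inside traffic counts as "server" traffic.
ip access-list extended SERVERS
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.11 any
!
! PBR: servers go out the T1 while it is up. If Serial0/0 is down the set
! clause is ignored and the packets follow the routing table, i.e. the DSL.
route-map SERVERS-VIA-T1 permit 10
 match ip address SERVERS
 set interface Serial0/0
route-map SERVERS-VIA-T1 permit 20
!
! NAT has to use the address of whichever link the packet really leaves on.
! Matching the outgoing interface in the NAT route-map does that, so a server
! failed over to the DSL is translated to the DSL address, not the T1's.
ip access-list extended INSIDE-NETS
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT-T1 permit 10
 match ip address INSIDE-NETS
 match interface Serial0/0
!
route-map NAT-DSL permit 10
 match ip address INSIDE-NETS
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-T1 interface Serial0/0 overload
ip nat inside source route-map NAT-DSL interface FastEthernet0/1 overload
!
! Inbound service published on the T1 address only (Kent's "safer" option);
! a second static for the DSL address is deliberately left out, since DNS
! could not tell clients which one to use anyway.
ip nat inside source static tcp 192.168.1.10 80 interface Serial0/0 80
```

"show ip nat translations" after a test from each host shows the server sessions carrying the T1 address and the user sessions the DSL address; pull the T1 and the servers' new sessions should appear with the DSL address.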
RE: Pix load balance? [7:42974]
Brian,

Yes, most of them do NAT. From the client WS perspective, there is only a single server IP, so it sends packets to that IP address. Once the switch gets the packet (since it is answering for that IP), it needs to forward the packet to a server. Normally, for the server to accept that packet the switch must change the dst IP to the server's real IP address and likewise alter the replies from the server so they appear to come from the virtual IP. (i.e. NAT)

Note that some switches support an option called "direct server return" in which the switch sets up the initial conversation, and then the server talks directly back to the client without having to go through the switch. In this case NAT is not performed between the server and the client. (I don't think this architecture is widely used though)

The layer 4-7 portion is really only relevant when the switch is deciding 1) Is a service "up" on a particular server and 2) How does the switch determine to which server an individual packet needs to be forwarded (i.e. how much of the data portion of a packet has to be examined to determine what traffic stream it belongs to)

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Zeitz
Sent: Tuesday, May 07, 2002 9:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

Dumb question, do any of these devices use NAT? I just read that the PIX to DMZ interface uses dNAT, not sure if that is faster. I was reading my Alteon Web Switch book last night, it says you CAN do NAT, but I don't know if layer 4-7 switches actually DO NAT normally. If it's a switch, it should be switching, right? The translation gets done in layer 4. Kinda confused.

-----Original Message-----
From: Gragido, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 12:09 PM
To: Brian Zeitz; [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

The best way to load balance is to use an application layer (layer 4-7) switch. I am not too familiar with Cisco's offering of this technology (sadly), but have worked extensively with Foundry's ServerIrons and they are excellent devices!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Brian Zeitz
Sent: Tuesday, May 07, 2002 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

Load balancing is supposed to be done on content switches according to what I am reading. It cannot be done on the firewall within the site, nor can it be done with different ISPs.

Brian Zeitz
MCSE, CCNP

-----Original Message-----
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 6:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix load balance? [7:42974]

What's the reason? I'm not disputing the fact, just wondering what the limitation is. I take it that the limitation is only that it cannot do stateful failover with two active PIXes?

Cheers,
Gaz

wrote in message news:[EMAIL PROTECTED]...
> Yeah, I asked the same questions last month. They can not. If you really
> need firewall and Load balancing, FW-1 is the way to go.
>
> Theo
> CSS1, CCNP
>
> "Patrick"
> Sent by: [EMAIL PROTECTED]
> 05/06/2002 06:28 AM
> Please respond to "Patrick"
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: Re: Pix load balance? [7:42974]
>
> No.
>
> ""GEORGE"" wrote in message
> news:[EMAIL PROTECTED]...
> > Can you load balance to pix firewalls?
> > Has anyone done this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43535&t=42974
RE: Installing New PIX [7:43369]
The short answer is no. The PIX does not support a true http proxy, so you'll need to reconfigure your clients or continue to use a cache/proxy in addition to the PIX.

For info on the PIX, the documentation is fairly good:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/index.htm

You can find this off the Cisco home page by clicking 'technical documents' and then selecting 'Cisco secure pix firewall' under the drop down 'network security' tab.

You should also browse through the security technical tips links to get familiar with various PIX configs:

http://www.cisco.com/warp/public/707/

HTH,
Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jeffrey Reed
Sent: Sunday, May 05, 2002 8:39 PM
To: [EMAIL PROTECTED]
Subject: Installing New PIX [7:43369]

I have the job of installing a new PIX 525. We are replacing several Microsoft proxy servers with the single PIX. At this time we have several thousand students and staff using a proxy script. For the IE users, we can rip the script out with a registry hack, but for the Netscape users, we don't have a clean way of removing the setting. And we have a hundred or so Mac users with similar problems.

One thing I'm curious about...is there any way to configure the PIX to respond to the scripts like the proxy would have responded? I'm a bit short in the clue department with both the PIX and MS Proxy to even know if that was a really dumb question, so take it easy on the answer!!

Are there any good places on Cisco's web site to plan for a PIX install? I was looking and couldn't find a good resource.

Any suggestions would be appreciated.

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43511&t=43369
RE: Security for router connected to Cable Service provider [7:43510]
First, take a look at the following links:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm
http://phrack.org/phrack/55/P55-10

Then, you might want to consider using CBAC: http://www.cisco.com/warp/public/110/32.html

Finally, for performance you may want to consider using a cache such as those from Network Appliance, or you can look at the open source squid solution: http://www.squid-cache.org

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnzaggat
Sent: Saturday, May 04, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: Security for router connected to Cable Service provider [7:43322]

I just wanted to know what everyone is using on their connections to outside. For now I am just using NAT on a 1605R. I am only using it to go to outside. What can I do to secure this router? All of the traffic will either be http or ftp going out. Is there anything I can do to improve performance as well? I appreciate any suggestions.

Thanks
JZ

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43510&t=43510
RE: Closing Ports Part 2 [7:43145]
In general, any Application Layer Gateway (ALG) firewall, or any firewall that has a true http proxy, will only allow sessions on port 80 that are actually http. Some examples of ALG's are Gauntlet and Raptor. An example of a firewall that is not an ALG but that does support a true http proxy is FW-1. (PIX does not have a true http proxy)

Unfortunately, the problem is worse than you describe. There are programs that actually use legitimate http protocol calls to tunnel other traffic, such as httptunnel. There are other programs that use ICMP echo-request and echo-reply (Loki and icmptunnel) and at least one implementation of a tunnel using DNS request/replies: http://online.securityfocus.com/archive/1/8990

In practice, it is very difficult, though not impossible, to detect these sorts of programs with current FW and IDS systems, mostly due to the number of false pos's you're likely to get and the amount of processing that has to be done on the payload in each packet. However, using a good proxy is at least a starting point and raises the bar for an attacker.

Regards,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of exchange
Sent: Thursday, May 02, 2002 10:34 AM
To: [EMAIL PROTECTED]
Subject: Closing Ports Part 2 [7:43145]

I know blocking ports isn't really going to stop people who can tunnel through via http or some other open ports. Are there firewalls that will look into specific traffic streams and drop connections that are not really http sessions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43508&t=43145
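The check a true http proxy applies to a port-80 session, as an added example that is not part of the thread above and not the code of any of the firewalls it names: the first bytes the client sends must form a well-formed HTTP/1.x request head before anything is relayed. The sample sessions are constructed, not captured traffic. The last sample shows the limit Kent describes: a tunnel that uses legitimate HTTP framing with an opaque body passes this check, so the proxy raises the bar without closing the door.

```python
import re

# Request methods an HTTP/1.x proxy would normally accept on port 80.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}
REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.([01])$")
# RFC 2616 token characters for a header field name, then ':' and a printable value.
HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[\x20-\x7e\t]*$")


def validate_http_request(payload: bytes):
    """Decide whether the first bytes a client sends on a port-80 session are a
    well-formed HTTP/1.x request head (request line, headers, blank line).
    Returns (accepted, reason). Anything that does not speak HTTP at all (an
    SSH or TLS client pointed at port 80, raw binary) is refused."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return False, "no end-of-headers CRLF CRLF"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, minor = m.group(1).decode(), m.group(3)
    if method not in METHODS:
        return False, f"unknown method {method}"
    names = set()
    for line in lines[1:]:
        if not HEADER_LINE.match(line):
            return False, "malformed header line"
        names.add(line.split(b":", 1)[0].lower())
    if minor == b"1" and b"host" not in names:
        return False, "HTTP/1.1 request without Host header"
    return True, "well-formed HTTP request"


# Constructed sample sessions (not captured traffic).
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n",
    "ssh-on-80": b"SSH-2.0-OpenSSH_3.4\r\n",
    "raw-binary": b"\x16\x03\x01\x00\x8f\x01\x00\x00\x8b\x03\x01",
    "bad-header": b"GET / HTTP/1.0\r\nX-Injected\x00: yes\r\n\r\n",
    # Legitimate HTTP framing carrying an opaque body: this is what an
    # HTTP-based tunnel looks like to the proxy, and it passes the check.
    "http-tunnel": b"POST /cgi-bin/upload HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Content-Type: application/octet-stream\r\nContent-Length: 8\r\n\r\n"
                   b"\x00\x01\x02\x03\x04\x05\x06\x07",
}


def classify_samples():
    """Run the check over every constructed sample; returns {name: accepted}."""
    return {name: validate_http_request(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, why = validate_http_request(data)
        print(f"{name:12} {'ALLOW' if ok else 'DROP ':5} {why}")
```

The check only looks at protocol syntax; deciding whether the body of an accepted request is a web form or a tunnel is the payload inspection Kent says is expensive and prone to false positives.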
RE: Content engine question! [7:43101]
Go to http://www.cisco.com/go/fn and search for WCCP version 2

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Magdy H. Ibrahim
Sent: Thursday, May 02, 2002 4:19 AM
To: [EMAIL PROTECTED]
Subject: Content engine question! [7:43101]

Dear All,

I am studying these days how to configure and implement Cisco Content Engine 590 on my network... When I browsed Cisco online Guide I found the following regarding Router configuration for HTTP traffic and WCCP version 2. I found the following:

"The router or switch must be running a version of IOS that supports the Web Cache Communication Protocol (WCCP) Version 2."

My question is: How to know if the Router or switch IOS supports the Web Cache Communication Protocol (WCCP) Version 2?

Please advise me.

Regards,,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43120&t=43101
RE: Question on VPN [7:43110]
This is possible in a number of different ways, but it really depends on what VPN hardware and software you will be using, which you didn't specify. If it's a cisco router to cisco router implementation, you can find an example here: http://www.cisco.com/warp/public/707/ios_804.html

If you're talking about using client VPN software, nearly all VPN clients have the option to use a combination of a shared secret key and a userid/password combo for authentication, not IP address, so again it should not be a problem.

You can find information on many Cisco security topics such as VPN by doing a search on CCO for "security tips".

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Anil Kumar
Sent: Thursday, May 02, 2002 6:12 AM
To: [EMAIL PROTECTED]
Subject: Question on VPN [7:43110]

Hi All,

Need a small clarification on VPN. One of the customers is having a Lease Line connection to Internet at the head office and they are having branch offices at remote locations. Since being a lease line they have obtained static IP address from ISP. The branch locations will be dialing into the local ISP and all the time the remote locations will be getting dynamic IP address. Since the customer wants to have a secure connection through VPN, is it possible to attain and establish an IPSEC VPN tunnel between a dialup connection and the lease line router? If so please let me know how the same can be attained.

Thanks in advance.

Regards..
Anil Kumar.

=
Thanks & Regards
V Anil Kumar

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43119&t=43110
RE: help is needed! [7:43035]
Place an access-list on the FE interface that only allows traffic with a source IP of the Squid server. Configure your clients to use the Squid proxy. If you run into issues of users trying to get around your proxy, it's a matter of policy, not technology, and should be addressed by your security policy and your management.

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of a. ahmad
Sent: Wednesday, May 01, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: help is needed! [7:43035]

Dear Members,

We have a 2620 router with a FastEthernet port and a Serial Interface. We just want that no user traffic should directly go to the router and only the traffic that is coming through Squid should reach the router. How can we accomplish this task?

Thank You In Advance!
Ahmad

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43057&t=43035
RE: Pix load balance? [7:42974]
George,

Yes, you can LB PIXen, but there are caveats:

1) PIXes can only do state sharing if one is in failover mode. If you have 2 active PIXen, you cannot share state, so if one PIX fails, all active sessions on that PIX will drop and have to start over on the other PIX.

2) It's usually not necessary to LB PIXen, they have very high throughput unless you are using the very low-end boxes, so for most environments it's better to simply have an active-standby configuration so you get the state-sharing. (it's also cheaper since you get a discount on the standby PIX)

However, if you want to LB PIXen anyway, the best practice is to have an external LB solution like a Cisco content switch; you'll need one on the inside and outside of the PIX "farm", which can get expensive. The other way you could do it is with a routing protocol passed through the PIX from the outside routers to the inside routers, but you have to be careful that all your flows go through the same PIX or your sessions will drop since there will be no state sharing between the PIXen. You can normally achieve this by using fast switching on your internal and external routers since the next hop for destinations is cached for all subsequent packets.

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 6:32 AM
To: [EMAIL PROTECTED]
Subject: Pix load balance? [7:42974]

Can you load balance two pix firewalls? Has anyone done this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42983&t=42974
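A model of the property Kent's answer requires when two active PIXen are load balanced by routing: whatever next-hop selection the inside and outside routers make, the forward and return packets of one session must reach the same PIX, because neither PIX has the other's state. This is an added example, not Cisco's or Kent's code. The destination-parity rule stands in for a per-destination cache choice (constructed so the run is deterministic), the addresses are constructed, and `choose_symmetric` is one selection rule, hashing the 5-tuple with its endpoints sorted, that has the property no matter which router applies it.

```python
import hashlib
from typing import Callable, List, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto)
Flow = Tuple[str, int, str, int, str]

# Constructed: two active PIXen with no state sharing between them.
PIXES = ["pix-a", "pix-b"]


def reverse(flow: Flow) -> Flow:
    """The return-direction packet of a flow, as the router on the other side sees it."""
    src, sport, dst, dport, proto = flow
    return (dst, dport, src, sport, proto)


def choose_by_destination(flow: Flow) -> str:
    """Stand-in for a next-hop choice keyed on destination address only, which is
    what a per-destination route cache gives each router independently. The
    parity rule is constructed so the example is deterministic; a real cache's
    first-packet choice is whatever the routing table handed it."""
    dst = flow[2]
    return PIXES[int(dst.split(".")[-1]) % len(PIXES)]


def choose_symmetric(flow: Flow) -> str:
    """Hash of the 5-tuple with the two endpoints sorted, so the forward and
    reverse packets of a flow select the same PIX on both routers."""
    src, sport, dst, dport, proto = flow
    a, b = sorted([(src, sport), (dst, dport)])
    key = f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}".encode()
    return PIXES[hashlib.sha256(key).digest()[0] % len(PIXES)]


def asymmetric_flows(chooser: Callable[[Flow], str], flows: List[Flow]) -> List[Flow]:
    """Flows whose two directions would cross different PIXen. With no state
    sharing, the return packets arrive at a firewall with no session entry and
    are dropped: the session loss Kent warns about."""
    return [f for f in flows if chooser(f) != chooser(reverse(f))]


# Constructed sample: eight inside clients talking to one outside web server.
SAMPLE_FLOWS: List[Flow] = [
    (f"192.168.0.{i}", 1024 + i, "10.1.1.10", 80, "tcp") for i in range(1, 9)
]


if __name__ == "__main__":
    for name, chooser in (("destination-keyed", choose_by_destination),
                          ("symmetric-hash", choose_symmetric)):
        bad = asymmetric_flows(chooser, SAMPLE_FLOWS)
        print(f"{name:18} {len(bad)} of {len(SAMPLE_FLOWS)} flows would lose state")
```

Run against a list of real flows (from NetFlow or a sniffer), `asymmetric_flows` is the check to perform before trusting a two-PIX design: a non-empty result means some sessions will be dropped by the PIX that never saw their SYN.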
RE: ways to seperate IP and IPX traffic? [7:42855]
That is exactly the way I would do it. In fact, it's probably the only way to accomplish your goal. One additional thing to consider is assisting your client with a migration to 100% IP. Netware has supported native IP (not IPX in IP) for some time now, and this is a logical next step. (though not a trivial one)

Regards,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven Ridder
Sent: Tuesday, April 30, 2002 10:59 AM
To: [EMAIL PROTECTED]
Subject: Re: ways to seperate IP and IPX traffic? [7:42855]

Believe me, I've confused myself. What I have is a customer that has a mixed IP/IPX network. ALL machines are dual IP/IPX, so those two protocols will be on one switchport. He is going to add some servers to the network, but doesn't want IPX on that new network at all. And he only wants selective IP machines talking to the servers. What I think I'll do is just create 2 VLANs, 1 for the dual IP/IPX machines and 1 for the IP servers. If a dual IP/IPX machine wishes to speak to an IP server, they'll have to use IP and be routed over via a L3 device. I just want to make sure that the IPX traffic/babble doesn't "leak" onto the IP only network somehow just because they're on the same switch. I think with VLANs, it will be solved, as broadcasts and other babble will never get there. But I just want to be sure. Is my solution the way to go?

From: "Patrick Ramsey"
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: ways to seperate IP and IPX traffic? [7:42855]
Date: Tue, 30 Apr 2002 13:49:36 -0400

what? Now you've completely lost me! do you want to tunnel ipx and route to various vlans? I mean... If you have ipx on 1 interface and ip on the other, and they are on the same vlan, then you're done. But they won't route between the two because they are two different protocols. If you want them on two separate vlans and want to route between them, then you're back to square 1 and you have to place ipx and ip on interfaces.

-Patrick

>>> "Steven A. Ridder" 04/30/02 01:20PM >>>
One more thing, if I can tag IP and IPX, how do I route between the 2 vlans if one is IP and the other IPX?

""Steven A. Ridder"" wrote in message news:[EMAIL PROTECTED]...
> That's exactly what I was looking for, but can you tag IPX. I kept thinking
> that you could only tag IP. Now that I think of it, tagging is L2, so I
> could tag it, couldn't I?
>
> ""Chuck"" wrote in message news:[EMAIL PROTECTED]...
> > in the old days of vlan switching, there was serious discussion of using
> > vlans to separate traffic by protocol. set up ports 1,3 and 5 as IP and
> > ports 2,4, and 6 as IPX. More importantly, put all those renegade AppleTalk
> > users on their own VLAN so their traffic doesn't bother people with real
> > work to do ( ;-> ) I don't know if there is serious talk of this any more.
> >
> > Is this kinda what you had in mind?
> >
> > Chuck
> >
> > ""Steven A. Ridder"" wrote in message news:[EMAIL PROTECTED]...
> > > What are some good ways to separate IP and IPX traffic on a LAN?
> > >
> > > --
> > >
> > > RFC 1149 Compliant.
> > > Get in my head:
> > > http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42922&t=42855
RE: CSPM for IDS4210 [7:42788]
Mea culpa. I thought the current version I had was 3.0i, I now see that it is 2.3.3i.

-Kent

-Original Message-
From: Tim O'Brien [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 10:28 AM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: CSPM for IDS4210 [7:42788]

Kent,

There is no such thing as CSPM 3.0i. There is only an "f" version. To run IDS you will probably want to run 2.3.3i or wait till IDM (IDS Device Manager) comes out.

Tim
CCIE 9015

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Hundley
Sent: Tuesday, April 30, 2002 12:53 PM
To: [EMAIL PROTECTED]
Subject: RE: CSPM for IDS4210 [7:42788]

There are different versions of CSPM 3.0. CSPM 3.0f supports PIX and routers, CSPM 3.0i supports IDS. You can read about it here: http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver30/reln30.htm#xtocid2

Regards,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 30, 2002 8:26 AM
To: [EMAIL PROTECTED]
Subject: Re: CSPM for IDS4210 [7:42788]

Hello,

On a special request we got CSPM 3.0 from Cisco and for your information CSPM 3.0 does not support IDS. It only supports PIX.

Kind Regards
/Thangavel
186K Reading, Berkshire
Direct No - 0118 9064259
Mobile No - 07796292416
Post code: RG16LH
www.186k.co.uk
--
"The greatest glory in living lies not in never falling, but in rising every time we fall." -- Nelson Mandela

From: "CiscoEnthuastic" (sent by nobody@groupstudy.com)
To: [EMAIL PROTECTED]
Sent: 30/04/2002 15:01
Subject: Re: CSPM for IDS4210 [7:42788]

Unfortunately CSPM 3.0 Eval is not available from CCO even if you have a CCO account which has the permittance to download. You can only get this software from the VMS 2.0 set.

""Timo Graser"" wrote in message news:[EMAIL PROTECTED]...
> I just got a IDS 4210 and want to manage it now, where can I download
> a CSPM 3.0 Eval?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42920&t=42788
RE: CSPM for IDS4210 [7:42788]
There are different versions of CSPM 3.0. CSPM 3.0f supports PIX and routers, CSPM 3.0i supports IDS. You can read about it here: http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver30/reln30.htm#xtocid2

Regards,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 30, 2002 8:26 AM
To: [EMAIL PROTECTED]
Subject: Re: CSPM for IDS4210 [7:42788]

Hello,

On a special request we got CSPM 3.0 from Cisco and for your information CSPM 3.0 does not support IDS. It only supports PIX.

Kind Regards
/Thangavel
186K Reading, Berkshire
Direct No - 0118 9064259
Mobile No - 07796292416
Post code: RG16LH
www.186k.co.uk
--
"The greatest glory in living lies not in never falling, but in rising every time we fall." -- Nelson Mandela

From: "CiscoEnthuastic" (sent by nobody@groupstudy.com)
To: [EMAIL PROTECTED]
Sent: 30/04/2002 15:01
Subject: Re: CSPM for IDS4210 [7:42788]

Unfortunately CSPM 3.0 Eval is not available from CCO even if you have a CCO account which has the permittance to download. You can only get this software from the VMS 2.0 set.

""Timo Graser"" wrote in message news:[EMAIL PROTECTED]...
> I just got a IDS 4210 and want to manage it now, where can I download
> a CSPM 3.0 Eval?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42905&t=42788
RE: Alternatives to Cisco VPN client [7:42604]
The issue isn't with IPSec per se, it's with allowing split tunneling. If a user PC becomes compromised via a trojan that allows remote control such as BackOrifice, Netbus, etc., if you allow split tunneling then not only can the attacker control the user's machine, they can use it as a jumping off point into the corporate network. If split tunneling is disabled, then the attacker would not be able to connect to the user's machine while the user was connected via the VPN. Personal firewall software can assist with this, but many corporations still don't allow split tunneling because of this issue since it is very difficult to keep home users' PCs reasonably secure.

Regards,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Lidiya White
Sent: Friday, April 26, 2002 3:34 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

If you want your VPN client to have Internet connectivity while the VPN tunnel is up, the solution is the split tunnel configuration. PIX will push an access-list to a client, so only traffic between your private networks will flow through the tunnel, but the rest will go out to the Internet unencrypted.

I work with Microsoft, Cisco VPN and IRE clients, and I don't really know what security holes people were talking about. No matter what, when a computer has a connection to the Internet, it's already a "security hole" right there. I don't see how adding IPSec on the client will make it less secure. As far as decreased security for the LAN behind the PIX, again, I don't see a major hole there. As far as Microsoft client goes, it doesn't have as strong encryption as Cisco client does.

Example: http://www.cisco.com/warp/public/110/pix3000.html (search for "split").

--
Lidiya White

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Odette II
Sent: Friday, April 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

what's the security risk? (putting on learning cap now... :) )

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Louie Belt
Sent: Thursday, April 25, 2002 8:12 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

You are creating a security risk for the other end of the tunnel when you are using split-tunneling from your client.

louieb

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 6:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

Thanks for the responses. I'm aware of split tunneling with a concentrator. That's not what I want. I'm looking for something that lets me connect to any IPSEC compliant endpoint, whether it's a PIX, a router, or a Linux box. In other words, the client shouldn't care what it's connecting to. It should only care whether the traffic has a destination within the remote network or not. If so, send through tunnel, if not, send to Internet.

Hope this helps clarify.

Thanks!

Craig

At 07:39 PM 4/25/2002 -0400, you wrote:
>You can definitely do this using the Cisco VPN client. This is a policy push
>from the concentrator. If you would like split-tunneling you need to enable
>that on the concentrator to allow the clients to do that.
>
>http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
>
>Tim
>CCIE 9015
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Craig Columbus
>Sent: Thursday, April 25, 2002 6:25 PM
>To: [EMAIL PROTECTED]
>Subject: Alternatives to Cisco VPN client [7:42604]
>
>
>Let me preface this by saying that all of my VPN experience has been either
>peer-peer or client to peer with the Cisco VPN client 1.x or 3.x. Please
>ignore my ignorance if I've missed something obvious.
>
>I've got a major complaint with the Cisco VPN client. It's not smart
>enough to differentiate local traffic/Internet traffic from VPN
>traffic. Therefore, you can't browse the Internet and your VPN network at
>the same time.
>I'm looking for alternative software clients that are smart enough to say
>"Ok. Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
>to be) goes to the tunnel. If the traffic has any destination other than
>10.x.x.x, it's treated as if the tunnel weren't even present." This would
>allow my client machine to easily browse the Internet and the VPN remote
>network at the same time.
>I've done some preliminary searches for third-party clients, but don't want
>to waste time trying 50 clients that may not be any good. I've found some
>for Mac OS X that'll do what I want, but I haven't found one for Win
>9x/ME/NT/2K/XP.
>There's got to be a decent client that does this.
>Sorry for rambling :-) It's been a long day.
>
>As usual, thanks in advance to everyone.
>
>Craig

Message Posted at: http:
RE: Alternatives to Cisco VPN client [7:42604]
Craig,

I have done quite a bit of research in this area, and I'm pretty confident that no product exists that does what you're looking for. There are plenty of client side products that can simply peer with an IPSec gateway using a shared secret or even a certificate, but as far as I have seen there is no client product that can interoperate with VPN boxes that provide "extras" such as client authentication based on userid and password and the passing of routes to the client for split-tunneling.

The problem is that the IPSec standards bodies, in their infinite wisdom, chose not to address these issues and simply "punted" the problem to the vendors. Given this, someone wishing to create a truly universal VPN client that can handle all the extras not covered in the RFC's would have to make the client work with each vendor independently, and then keep up with any vendor changes, no small task obviously. On top of these other extras one could add the ability to do "nat transparency", which is currently completely proprietary by vendor although there are bodies working on this particular issue.

It's a good area for some smart coders to develop a product, and perhaps someone will eventually. Unfortunately, that doesn't really help you right now. ;-)

Regards,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Columbus
Sent: Thursday, April 25, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

Thanks for the responses. I'm aware of split tunneling with a concentrator. That's not what I want. I'm looking for something that lets me connect to any IPSEC compliant endpoint, whether it's a PIX, a router, or a Linux box. In other words, the client shouldn't care what it's connecting to. It should only care whether the traffic has a destination within the remote network or not. If so, send through tunnel, if not, send to Internet.

Hope this helps clarify.

Thanks!

Craig

At 07:39 PM 4/25/2002 -0400, you wrote:
>You can definitely do this using the Cisco VPN client. This is a policy push
>from the concentrator. If you would like split-tunneling you need to enable
>that on the concentrator to allow the clients to do that.
>
>http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
>
>Tim
>CCIE 9015
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Craig Columbus
>Sent: Thursday, April 25, 2002 6:25 PM
>To: [EMAIL PROTECTED]
>Subject: Alternatives to Cisco VPN client [7:42604]
>
>
>Let me preface this by saying that all of my VPN experience has been either
>peer-peer or client to peer with the Cisco VPN client 1.x or 3.x. Please
>ignore my ignorance if I've missed something obvious.
>
>I've got a major complaint with the Cisco VPN client. It's not smart
>enough to differentiate local traffic/Internet traffic from VPN
>traffic. Therefore, you can't browse the Internet and your VPN network at
>the same time.
>I'm looking for alternative software clients that are smart enough to say
>"Ok. Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
>to be) goes to the tunnel. If the traffic has any destination other than
>10.x.x.x, it's treated as if the tunnel weren't even present." This would
>allow my client machine to easily browse the Internet and the VPN remote
>network at the same time.
>I've done some preliminary searches for third-party clients, but don't want
>to waste time trying 50 clients that may not be any good. I've found some
>for Mac OS X that'll do what I want, but I haven't found one for Win
>9x/ME/NT/2K/XP.
>There's got to be a decent client that does this.
>Sorry for rambling :-) It's been a long day.
>
>As usual, thanks in advance to everyone.
>
>Craig

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42652&t=42604
RE: PIX Inside Interface - Secondary IP? [7:42567]
No, you'll need to use a router if you need this capability.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Audy Bautista
Sent: Thursday, April 25, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: PIX Inside Interface - Secondary IP? [7:42567]

Is it possible to create a secondary IP address for the inside interface on a PIX?

Audy Bautista
Network Engineer, IT Services
Hold Brothers On-Line Investment Services, Inc.
(201) 499-8764
[EMAIL PROTECTED]
"A job worth doing is a job worth doing well"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42587&t=42567
RE: Cheap terminal server? [7:42536]
Craig,

I use the STS10 at home and it works great. I got it off ebay for $70 about 2 years ago and the only problem I had was getting the pinouts right. (it's not the traditional rollover) Unfortunately, those boxes are EOL and seem hard to come by. You might want to look at xyplex, they have some decent term servers and based on a quick review on ebay they seem to come pretty cheap. The Cisco 516-cs's seem to be more prevalent than the STS10's, but the prices are generally around $300 bucks which is probably overkill for what you need.

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig Columbus
Sent: Thursday, April 25, 2002 6:37 AM
To: [EMAIL PROTECTED]
Subject: Cheap terminal server? [7:42536]

Can anyone recommend a cheap terminal server, used only for reverse telnet remote management? I only need three lines and I don't want to spend the cash on a 2509. Anyone like the STS10x? Any other suggestions?

Thanks,
Craig

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42547&t=42536
RE: External Tech support connecting on server - VPN is OK ? [7:42490]
Ah yes, security through obscurity. ;-)

If I would have had to guess, I would have guessed you were using one of the following VPN products:

1) Cisco
2) Checkpoint
3) Nortel

I would have started with Cisco and assumed either a VPN concentrator or a PIX. (in your case, I would have hit the first try) And, let me guess, you're using ESP only (no AH) in tunnel mode with a shared secret, not certificates. If I knew what company you worked for, I could probably find your VPN server with a quick scan. If nothing else, I could just attempt an ISAKMP connection on every IP address in your range and see what responds.

Bottom line, you're not providing your vendor with any information they couldn't find with a few minutes worth of work if they wanted to. I _would_ create the vendor their own group with their own shared secret, no reason to give them something they can't obtain on their own, but the information you're revealing is nothing that is not publicly attainable.

In any case, unless you have a password protected modem, by using a modem you're creating an unauthenticated, probably unaudited backdoor into your network via modem access, which is never a good idea. Concentrate your resources on monitoring the doors you do allow and be draconian in eliminating all others.

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brown, M
Sent: Wednesday, April 24, 2002 4:51 PM
To: [EMAIL PROTECTED]
Subject: External Tech support connecting on server - VPN is OK ? [7:42478]

I have to allow an external technician to work on a third-party application on my server. Two options: Use connection through Modem or VPN Client (Cisco 3000 Concentrator). I would go with the VPN account, and then at the end of the support work I would disable the GuestTech account and change its password. My co-worker argues that he doesn't want to grant a VPN account to the techGuy because that would release our VPN server name and configuration to the external technician. So my co-worker prefers that the tech guy sticks to the slow modem solution.

Your thoughts?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42490&t=42490
RE: Netmeeting [7:42012]
There are some pretty strict requirements for IOS based on the version of netmeeting being used, you can check out the req's here: http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm

If you meet the req's, netmeeting should work. However, I have had a lot of problems in the past with netmeeting and similar apps through firewalls and/or nat, so a solution I have used is to just create a workstation to workstation tunnel using CIPE. CIPE is an open source effort to create software that allows for an encrypted tunnel between any 2 workstations using only a UDP wrapper and a shared secret key, so it works great even through firewalls and NAT (the src and dst ports are configurable). In fact, it's specifically intended to be an app that people can use to create encrypted tunnels that should work through any NATing device or firewall. It's available for Unix and Windows, it's easy to install and it works great on Win2k.

I use it myself to "phone home" to video conference with the missus as I travel quite a bit. It works great through NATing routers like a linksys or cisco and in fact, I just used it last night to make a cable modem to cable modem call. Here's the link to the windows version: http://cipe-win32.sourceforge.net/

The documentation is a bit sparse, so contact me offline if you choose to go this route (no pun intended), and I'll do what I can to assist. This solution doesn't scale all that well since it requires configuration on each ws, but for only a couple of hosts, it may be the path of least resistance to getting netmeeting to work.

HTH,

Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of JunoGuy
Sent: Friday, April 19, 2002 1:55 PM
To: [EMAIL PROTECTED]
Subject: Netmeeting [7:42012]

Has anyone configured Netmeeting on a Cisco 2600? I am running 12.1.2T IP-H323 code. I have 1 workstation that is running Netmeeting doing messaging, voice and video conferencing out to the WAN through a NATed interface. Video and Teleconferencing do not work past the router towards the WAN side. Everything works internal. Any help would be greatly appreciated.

JunoGuy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=42039&t=42012
RE: Linksys vs. Cisco [7:41829]
Rico, I would have to agree with the other posts, the Linksys is intended for Small Office, Home Office, not for a small branch. It would typically fit where you have somewhere between 1 and 10 users, not 100. The Linksys and other similar routers are clearly intended for the low-end, home user. While the Linksys boxes function well in the home environment, I would not deploy them at branch offices for a couple of reasons: 1) Configuration flexibility, they lack the flexibility of higher end products (for example, you cannot forward non-TCP/UDP traffic and the support for apps that dynamically assign ports such as netmeeting is very limited) 2) Hardware robustness, they are very low end gear, which is why they are inexpensive 3) Support, Linksys is targeted to support end users at their homes, not corporate environments where you have mission critical business apps Having said this, you should be aware that you have more choices than just Cisco or Linksys/SOHO routers. If you are looking for a small-midsize VPN/firewall device, you may want to look at products from Nokia and Netscreen. Both have full blown firewall and VPN capability, and it may be cost competitive compared to the Cisco 1720. Of course, a key question is "who is going to support the solution". If the local support people only know Cisco, then Cisco is probably the best choice. If you are going to do the support, you should pick a product you are comfortable with but one that is suitable for a corporate environment. Regards, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Rico Ortiz Sent: Thursday, April 18, 2002 9:02 AM To: [EMAIL PROTECTED] Subject: OT: Linksys vs. Cisco [7:41829] I always thought of Linksys as "Toy" Home (SOHO) solutions. Lately I have been seeing post of people using Linksys' VPN solution. What is the different between Linksys VPN Solution (BEFVP41) and Cisco's 1751 VPN router. 
I am working on a project and if Cost is the only difference I will go with the cheaper solution. Now I am not talking about connecting up major sites with thousands of users, what we are talking about is a corprate setup with 7-15 Servers and approx. 100 users accessing the network (not all at the same time). Is the different price, packets per second (PPS), or are we just comfortable with the vendor (CISCO)... Just would like to see what other people think of these routers. Rico Ortiz Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41916&t=41829 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Signature for blocking telnet to SMTP server [7:41565]
Short answer: It's probably going to be impossible to write a signature that won't give you tons of false positives. The problem is that there is virtually no difference between someone manually typing mail commands via telnet to port 25 and a standard SMTP program sending the same commands.

Long answer: There was an interesting thread on this topic recently on the firewalls mailing lists. Go to the archives here: http://www.nextrieve.com/knowledge/ and search in the firewalls list for 'telnet to port 25' for the year 2002 and you'll find some interesting tidbits related to trying to distinguish between a manual telnet to port 25 and a connection via an SMTP program. Bottom line, see the short answer. ;-)

As far as writing custom sigs, see the Cisco docs, they show you how to do this.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Cisco Breaker
Sent: Monday, April 15, 2002 11:52 PM
To: [EMAIL PROTECTED]
Subject: Signature for blocking telnet to SMTP server [7:41565]

Hi, Is it possible to block telnet to SMTP server from port 25 with IDS. I want to create a custom signature for this but I don't know how this can be done. If I write a signature beginning with hello it will block all mail traffic because all of them start with hello as I know. And are there any resources that tell how to write a custom signature. We are using CSPM 2.3.3i. Any help will be appreciated.

Best regards,
Cisco Breaker

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41607&t=41565
RE: silly encryption question [7:41583]
Tom,

It's all about performance. Public key encryption/decryption such as DH is about 100-1000 times slower than the same process using shared key cryptography (it has to do with the type of algorithms required). Given this, the standard modus operandi is for two hosts to use public key cryptography to setup the shared key and then use shared key algorithms such as 3DES to achieve the best possible throughput for the least number of CPU cycles on each host.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Tom Monte
Sent: Tuesday, April 16, 2002 5:01 AM
To: [EMAIL PROTECTED]
Subject: silly encryption question [7:41583]

I am studying for my MCNS test. The Cisco Press book says that Diffie-Hellman public key encryption is used to create a secure channel to exchange DES private keys for data encryption. If Diffie-Hellman is secure enough to transfer the DES private keys, why not use it to transfer the data? This seems silly and needlessly complex. Can someone explain this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41603&t=41583
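The hybrid pattern Kent describes (one public-key exchange to agree a key, then a symmetric cipher for all the data), as an added Python example that is not code from the post. It uses toy parameters, the Mersenne prime 2**521 - 1 with generator 2 (an assumption; real deployments use standardized groups such as the RFC 3526 MODP groups), and an HMAC-SHA256 counter keystream as a stand-in for DES/3DES because the standard library ships no block cipher. The single modular exponentiation in dh_shared_key is the expensive part; everything after it is cheap per byte, which is the whole reason for the two-stage design.

```python
"""Hybrid key establishment: Diffie-Hellman once to agree a shared key,
then a symmetric cipher for the bulk data.

Added example, not code from the post. Toy parameters (assumption):
P = 2**521 - 1 with generator 2; the HMAC-SHA256 keystream stands in for
DES/3DES. Not for production use."""
import hashlib
import hmac
import secrets

P = 2**521 - 1   # toy DH modulus (a Mersenne prime)
G = 2            # toy generator


def dh_keypair():
    """Private exponent x in [1, p-2] and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared_key(own_private, peer_public):
    """Shared secret (peer_public^x mod p) hashed down to a 32-byte key.
    This is the expensive public-key step: one large modular exponentiation."""
    shared = pow(peer_public, own_private, P)
    secret_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(secret_bytes).digest()


def keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR data with an HMAC-SHA256 keystream
    derived from the shared key and a per-message nonce. Being an XOR
    stream, the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_session(plaintext):
    """Two hosts each do one DH exchange, derive the same symmetric key,
    and move the bulk data under that key. Returns (keys_match, decrypted)."""
    a_priv, a_pub = dh_keypair()          # host A
    b_priv, b_pub = dh_keypair()          # host B
    key_a = dh_shared_key(a_priv, b_pub)  # A computes B_pub^a mod p
    key_b = dh_shared_key(b_priv, a_pub)  # B computes A_pub^b mod p
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(key_a, nonce, plaintext)   # A encrypts
    decrypted = keystream_xor(key_b, nonce, ciphertext)   # B decrypts
    return key_a == key_b, decrypted


if __name__ == "__main__":
    ok, text = hybrid_session(b"nightly backup payload")
    print("keys match:", ok, "| round trip:", text)
```

Both hosts end up with the same 32-byte key without ever sending it, and from then on each byte costs one cheap keystream operation rather than a public-key operation.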
RE: traffic analyzer [7:41267]
If all that's needed is general traffic trend patterns, things like how much traffic, what stations are talking to what other stations, protocols in use, etc, then you can do no better than NTOP: http://www.ntop.org It has a small footprint, fairly low overhead, gives you RMON type stats through a nice web gui and much more. Plus it's open source. The main disadvantage is a lack of comprehensive documentation, but there are mailing lists for help, plus you get the source code. I'm using it right now for network trending info and the amount of detail it provides is outstanding. It's much better than a sniffer for macro level network information. HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sean Knox Sent: Friday, April 12, 2002 1:16 AM To: [EMAIL PROTECTED] Subject: RE: traffic analyzer [7:41267] Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've used hands down. Best of all, it's free. Sean -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Patrick Ramsey Sent: Thursday, April 11, 2002 11:58 PM To: [EMAIL PROTECTED] Subject: Re: traffic analyzer [7:41267] send a linux box configured with X/ethereal and vnc out there and remote control it from your end! -Patrick >>> supernet 04/12/02 12:42AM >>> Hi Dear Friends, I have 1 branch office connected to main office by frame relay. I noticed a lot of traffic across this link and would like to find out what they are. The problem is I don't have access to the branch office, therefore, everything has to be done in main office. I tried sniffer pro, etherpeek and anasil but they only allow me to specify a particular source IP, not the whole branch office subnet. Is there any other software I can use? Thanks. Yoshi > Confidentiality Disclaimer This email and any files transmitted with it may contain confidential and /or proprietary information in the possession of WellStar Health System, Inc. 
("WellStar") and is intended only for the individual or entity to whom addressed. This email may contain information that is held to be privileged, confidential and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any unauthorized access, dissemination, distribution or copying of any information from this email is strictly prohibited, and may subject you to criminal and/or civil liability. If you have received this email in error, please notify the sender by reply email and then delete this email and its attachments from your computer. Thank you. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41375&t=41267 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: OT Question [7:41326]
In the proxy/cache space, the products from Network Appliance are considered by many, including myself, to be the best of breed. It meets all of your listed requirements and is consistently rated high in 3rd party reviews. You can check out their product line at http://www.netapp.com As far as integrating with the PIX, no proxy will integrate directly with the PIX. This PIX has no built in ability to work with a proxy, so it will have no knowledge of the proxies existence. HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Richard Tufaro Sent: Friday, April 12, 2002 8:53 AM To: [EMAIL PROTECTED] Subject: OT Question [7:41326] Hey guys/gals, My company is going to be considering buying a Proxy server. Can I get some feedback on the types of Proxy servers out there that this group is using and how your experience's with them have been? Only real considerations: 1. Fast as hell (of course) 2. Integration with NT/2000 AD 3. Easy Web or Console setup and continued maintenance 4. Redundancy options 5. Awesome reporting Perks would be if it intergrates well with PIX. Thanks in advance. Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41374&t=41326 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Cisco Memory [7:41266]
This is in the list archives: http://www.memoryx.com

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of The Edward Groove
Sent: Thursday, April 11, 2002 9:38 PM
To: [EMAIL PROTECTED]
Subject: Cisco Memory [7:41266]

Has anyone done any research on cheaper, yet compatible memory for the 2500 series routers? I'm looking for some cheap flash and DRAM for this line. Does anyone have any specs--or even better--manufacturer model names that you've tested that work? Thanks, in advance...

Eddie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41338&t=41266
RE: How can you block spam email with NBAR? [7:41029]
AFAIK, you can only block HTTP content using NBAR, although Cisco is working on adding additional protocols for classifying content.

You can use the IDS features in the IOS to catch some SPAM related mail, such as the number of recipients in an email message. Based on this you could setup your mail gateway to reject mail from certain domains in the future.

Your best bet is to install a real SMTP gateway filter that will allow you to block SPAM and emails with certain attachments (i.e. .exe, .vbs, .bat, etc). You can find some open source tools for these sorts of tasks here: http://www.linux.org/apps/all/Administration/Anti-Spam.html and here: http://www.amavis.org/

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of BH
Sent: Wednesday, April 10, 2002 6:29 AM
To: [EMAIL PROTECTED]
Subject: How can you block spam email with NBAR? [7:41029]

Can spam be blocked with NBAR? Perhaps similar to how urls can be blocked with match protocol http url "iishack" ? The match protocol option does not allow any granularity with the smtp directive. Thanks!

b

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41217&t=41029
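The two gateway-side checks Kent points to, an attachment extension block list and a recipient count, as an added Python example that is not code from the post, amavis or any other named tool. The block list, the recipient threshold and the sample message are constructed for illustration; the checks work on the raw RFC 822 message bytes a gateway would hand over after DATA.

```python
"""SMTP gateway content checks: reject messages carrying attachments with
blocked extensions, and flag messages addressed to an unusual number of
recipients.

Added example, not code from the post or any named tool. Block list,
threshold and sample message are constructed (assumptions)."""
import os
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

BLOCKED_EXTENSIONS = {".exe", ".vbs", ".bat", ".scr", ".pif"}  # assumption: site policy
MAX_RECIPIENTS = 50                                            # assumption: site threshold


def blocked_attachments(raw_message):
    """Filenames of attachments whose final extension is on the block list.
    Only the last extension counts, so 'report.txt.exe' is caught as .exe."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def recipient_count(raw_message):
    """Distinct addresses across the To, Cc and Bcc headers."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    values = []
    for header in ("To", "Cc", "Bcc"):
        values.extend(str(v) for v in msg.get_all(header, []))
    addrs = {addr.lower() for _, addr in getaddresses(values) if addr}
    return len(addrs)


def gateway_verdict(raw_message):
    """('reject', reasons) if any check fails, else ('accept', [])."""
    reasons = []
    for name in blocked_attachments(raw_message):
        reasons.append(f"blocked attachment: {name}")
    n = recipient_count(raw_message)
    if n > MAX_RECIPIENTS:
        reasons.append(f"too many recipients: {n}")
    return ("reject" if reasons else "accept"), reasons


def build_sample_message():
    """Constructed test message: two To recipients plus one Cc, one .exe
    attachment and one harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "alice@example.test, bob@example.test"
    msg["Cc"] = "carol@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.exe")
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(gateway_verdict(build_sample_message()))
```

Matching on the filename extension rather than the declared MIME type matters: the sample's executable is labelled application/octet-stream, which is what a sender would typically claim for anything, so the content type alone tells the gateway nothing.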
RE: What is the best HyperTerminal program for Linux? [7:41228]
minicom or, the x version, xminicom. It should be included in most linux distros.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of hall
Sent: Thursday, April 11, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: What is the best HyperTerminal program for Linux? [7:41228]

I'm looking for a good hyperterminal program for linux, if anyone has any recommendations.

Thanks,
Jeff

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41237&t=41228
RE: How fast do bits travel ? [7:41192]
There are several factors:

1) Clock rate of the line
2) Buffering delay by any intermediary devices such as ATM/FR switches
3) Speed of light

If we take a simple case and say that there are no layer 2 devices in the path and only digital cross-connects. I have read (somewhere) that the speed of electron transference in copper is a little faster than the speed of light in fiber over short distance, so use the speed of light in fiber (roughly .7 X 186,000 miles per second) as the baseline. (Note that the reference given by another poster says the speed of electromagnetic signals in copper is .66 of the speed of light, which would mean it is slightly slower than the speed of light in fiber; either way it's pretty close to a wash.)

Given these assumptions you get:

speed of a single bit = speed of line insertion for 1 bit + speed of light delay + speed of line removal for 1 bit
speed of line insertion for 1 bit = speed of line removal for 1 bit = 1/clock rate
speed of light delay = number of miles / (.7 * 186000 miles per second)

As an example, for a clock rate of 128Kbps and a distance of 1000 miles:

speed of line insertion and removal for 1 bit = 2 * (1/128000) = .15625 sec = .015625 ms
speed of light delay = 1000 / (.7 * 186000) = .00768 sec = 7.68 ms
7.68 ms + .015625 ms = 7.7 ms (roughly)

Again, this assumes no delay in buffering in the path of any kind. It also assumes that there is no congestion at either end of the link. Bottom line, keep in mind these are rough numbers, but I think you get the idea.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Matthew Tayler
Sent: Thursday, April 11, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: How fast do bits travel ? [7:41192]

Ok I have spent ages trying to find an answer to this question, and probably only added to my confusion. You know how it is you spend ages looking at something and become snow blind or get tunnel vision or whatever, but I cannot see the answer to the following: How far does a bit travel in say 1 second or, put another way, how long does a bit take to travel a certain distance? I understand, or think I do, that if the line is say 128kbps then I can, in theory at least, expect 128,000 (approx) bits start down that line every second. But how long do they take to reach the other end, assuming a point to point link and both ends being the same speed, obviously. There has to be a nice simple formula for this somewhere, you know the sort of thing x = line speed, y = distance, z = time etc.

Any ideas or pointers would be appreciated

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41210&t=41192
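The formula from Kent's reply carried through in code, as an added Python example that is not part of the thread. It uses the reply's constants (186,000 miles per second, signal at 0.7 of that in fiber) and its model of one serialization delay for insertion plus one for removal. Worked for the reply's own inputs, the insertion-plus-removal term comes to 0.015625 ms (15.6 microseconds) and the propagation term to about 7.68 ms, for roughly 7.7 ms total. The example also generalizes the single bit to a frame of n_bits, which shows where serialization stops being negligible on a 128 kbps line.

```python
"""Bit travel time on a point-to-point link: serialization (line insertion
and removal) plus speed-of-light propagation, per the reply's formula.

Added example, not part of the thread. Constants are the reply's; n_bits
generalizes the reply's single bit to a whole frame."""

C_MILES_PER_SEC = 186_000.0   # speed of light, from the post
FIBER_FACTOR = 0.7            # fraction of c in fiber, from the post


def serialization_delay_s(n_bits, clock_bps):
    """Time to clock n_bits onto (or off) a line of the given rate."""
    return n_bits / clock_bps


def propagation_delay_s(miles):
    """Time for the signal to cover the distance in fiber."""
    return miles / (FIBER_FACTOR * C_MILES_PER_SEC)


def breakdown_ms(clock_bps, miles, n_bits=1):
    """(serialization_ms, propagation_ms, total_ms). The reply's model:
    insertion at the sender and removal at the receiver each cost one
    serialization delay; propagation is added once."""
    ser_ms = 2 * serialization_delay_s(n_bits, clock_bps) * 1000.0
    prop_ms = propagation_delay_s(miles) * 1000.0
    return ser_ms, prop_ms, ser_ms + prop_ms


def one_way_delay_ms(clock_bps, miles, n_bits=1):
    """Total one-way delay in milliseconds for the same model."""
    return breakdown_ms(clock_bps, miles, n_bits)[2]


if __name__ == "__main__":
    # The post's numbers: 128 kbps, 1000 miles, one bit.
    print("1 bit:          ", breakdown_ms(128_000, 1000))
    # A 1500-byte frame on the same link: serialization now dominates.
    print("1500-byte frame:", breakdown_ms(128_000, 1000, n_bits=1500 * 8))
```

For a single bit the distance term dominates; for a 1500-byte frame on the same 128 kbps line the two serialization delays add up to 187.5 ms, an order of magnitude more than the propagation delay, which is why link speed rather than distance usually sets the latency people notice on slow WAN links.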
RE: configure VPN on PIX which behind PAT router [7:41090]
You could, if the PIX supported NAT transparency for IPSec like the VPN 3000 does. Unfortunately, this feature is not yet available. My SE tells me its on the road map for inclusion sometime this year, but there are no firm dates yet. Your other option would be to get rid of the cayman router, but you probably would need PPPoE support on the PIX for your DSL connection, which according to the 6.1.3 release notes is also not an option yet. (if you don't need PPPoE, I'd get rid of the Cayman right now) Otherwise, you'll have to wait for PPPoE support in the PIX, which should be in the next major release. The only option I see for you without using different hardware is to use PPTP as an interim solution. You'll need to allow certain ports and protocols through the Cayman. Here's a link that shows what you need, it's for the PIX but you can adapt it for the Cayman: http://www.cisco.com/warp/public/110/pix_pptp.html Then you'll need to configure the PIX to support PPTP: http://www.cisco.com/warp/public/110/pptppix.html Keep in mind that PPTP is not as secure as IPSec. Some of the problems with PPTP were addressed by MS with MSCHAP-2, but there are still issues. I would only use this as a short term solution. You can read about the problems with PPTP here: http://www.counterpane.com/pptpv2-paper.html HTH, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Xuhui martin1 Sent: Wednesday, April 10, 2002 6:34 PM To: [EMAIL PROTECTED] Subject: Re: configure VPN on PIX which behind PAT router [7:41090] Thanks Mike. You are 100% correct when you describe my limitations. Well, I am doing something " Mission Impossible". I have setup the PIX firewall without NAT. It's the Cayman Router who did the PAT. And I did Pinhole on Cayman router to the mail server which behind the firewall. Everything works fine, except the VPN, I want to have some ideas first before I try to configure it. 
I know that on Cisco VPN Client, we can configure the IPsec over UDP or TCP. I wonder if there is additional configuration on the PIX firewall as well to support the UDP or TCP port 1. Because the VPN connection is always initialized by the client, if client use the IPSec over UDP or TCP, in theory I could configure the Cayman router to Pinhole port 1 to PIX ip address. Please correct me if I am wrong. Daniel ""Mark Odette II"" wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > Daniel- I may be clueless to some fancy configuration on PAT, but it is my > belief from my experience that you can't do what you're trying to do. > > Your Limitations are: > 1. The Cayman Router (It only Does PAT itself, and doesn't have the ability > to terminate VPNs- I can only PASS Thru the the IPSEC Traffic.) > 2. The fact you only have 1 IP address for public use. > > From my understanding, with the release of PIX 6.1 code, you can configure > "Dynamic NAT" on the PIX so that if you only get one IP address Dynamically, > you can use the PIX Outside Interface (not the IP itself) as a nat point > between the Public IP and ONE Host on the inside network; this also applies > if you only get one Static IP from your ISP. You can't use that one IP to > PAT port 80 to one inside network host and port 25 to a different inside > network host. To make this work though, you have to replace the Cayman DSL > Router with a regular DSL Modem that you connect the DSL Modem's Ethernet > Port to the Outside Interface of the PIX- or plug the outside interface and > the ethernet interface of the DSL Modem to a "Secure" Hub/Switch, i.e., > nothing else plugs into that hub/switch too. > > If you want to support NATing to multiple hosts on the Inside Network, you > are going to have to get more Static IPs assigned to you by the ISP. 
> > > Now of course, I'f I'm way off base, somebody else will correct me, I'm sure > :) > > HTHs > -Mark > -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of > Daniel Ma > Sent: Wednesday, April 10, 2002 3:35 PM > To: [EMAIL PROTECTED] > Subject: configure VPN on PIX which behind PAT router [7:41090] > > > I am configuring a PIX firewall behind a Cayman DSL router. The whole > network only has one public IP address which is on the DSL interface. I need > to configure the PIX firewall for the remote VPN clients. > My solution is to encapsulate all IPSEC traffic with TCP 1, or UDP > 1, so the Cayman router could be configured Pinhole the port 1 to > the PIX outside interface. But I could not find documents on how to > configure it. > It will be greatly appreciated if anyone could help me out, or probably you > have better solutions. > > Thanks, > > Daniel Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41191&t=41090 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations t
RE: Cisco VPN Client & PIX [7:40670]
I haven't tested it, but according to the Linksys release notes, they support IPSec passthrough for multiple IPSec tunnels beginning in version 1.42.3 released Jan 25, 02. Regards, Kent -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Fly Ers Sent: Tuesday, April 09, 2002 6:29 PM To: [EMAIL PROTECTED] Subject: Re: Cisco VPN Client & PIX [7:40670] I didn't see an update on this, but unless there has been an upgrade to the linksys, it will only pass 1 Ipsec tunnel. If there is an existing connection, and another is attempted, the original one will be dropped. there are some higher end (higher priced) firewall devices, that will pass large number of tunnels. How many clients are you trying to terminate? you might think about pix 501 hope this helps >From: "Curious" >Reply-To: "Curious" >To: [EMAIL PROTECTED] >Subject: Re: Cisco VPN Client & PIX [7:40670] >Date: Sat, 6 Apr 2002 12:48:48 -0500 > >Clients are behind Linksys Cable/DSL router and in the office we have PIX >515. >PIX assigns IP address from Local IP address Pool. > >""Curious"" wrote in message >[EMAIL PROTECTED]">news:[EMAIL PROTECTED]... > > I am using Cisco VPN Client to connect with my Office PIX 515 firwall >over > > IPSEC 3DES encryption. My connection is droping automatically. It is not > > because of idle time out or maximum time out. it happens on radomly. If >some > > one has any information on it. _ Chat with friends online, try MSN Messenger: http://messenger.msn.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=41063&t=40670 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Mark,

Typically the alias command is used when:

1) You have overlapping addresses, ie. you're using 10 net addressing and you have to connect to someone else who is also using 10 net addressing (this is done through DNS "doctoring"). Or you have a split DNS. (see below)
2) You want to translate the dst address of packets going from inside to outside on the PIX.

If you have a situation where your DNS is external and your servers are internal, you probably don't want the internal hosts accessing the internal servers using their external address. In order for the DNS replies to give the internal hosts the internal address of the servers, you would use the alias command to alter the reply to the internal hosts. This comes into play when you have what is typically called a "split-brain" DNS. The external DNS can only resolve hosts which are accessible from the outside. The internal DNS forwards to the external for name resolution of externally accessible hosts. Since the DNS resolution yields an externally reachable address, you would use the alias to make sure that the internal hosts use the internal IP while the external hosts use the external IP.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mark Odette II
Sent: Tuesday, April 09, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Kent- What if you have your DNS Server(s) (resolving Public addresses for the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the PIX with all of them running RFC1918 addresses, and you want both inside and outside sourced traffic (Any Any) to reach the Web or Mail Server? Is the Alias command used for the inside hosts to reach the servers when resolving to the Public Addresses only?? Forgive my ignorance...
I' just catching back up on my PIX studies, and see where the above scenario comes into play on a regular basis for small/medium networks where the Business/Organization hosts their own DNS and has their ISP provide Secondary DNS for them. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kent Hundley Sent: Tuesday, April 09, 2002 9:53 AM To: [EMAIL PROTECTED] Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722] Robert, Ok, I'm more confused than before. :-) You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190", this seems like contradictory statements to me unless your saying you want only _internal_ hosts to access the web server, but use its external address? Let's keep it simple: 1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both? 2) Where is your DNS server? It appears that it is on the outside of the PIX, correct? 3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be "doctored" so that the web servers IP would appear to internal clients as 172.20l.21.241 and they should just go directly to that address without having to go to the PIX. (this assumes the DNS is on the external interfaces of the PIX and the web servers DNS resolves to xxx.yyy.115.190) If you want an external host to access the web server, your going to have to modify your conduit statement(s). Regards, Kent -Original Message- From: Robert T. 
Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]] Sent: Sunday, April 07, 2002 8:35 PM To: Kent Hundley; [EMAIL PROTECTED] Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722] Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge. Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual ip address of the server is 172.20.21.241. That's where the static and conduit commands come in to play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.2
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you say "So, I do want everyone to access the web server at ip address xxx.yyy.115.190". These seem like contradictory statements to me unless you're saying you want only _internal_ hosts to access the web server, but use its external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server? Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server? It appears that it is on the outside of the PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web server by its internal IP address? I don't see why that would be the case. Using the alias command, the DNS replies would be "doctored" so that the web server's IP would appear to internal clients as 172.20.21.241 and they should just go directly to that address without having to go to the PIX. (This assumes the DNS is on the external interface of the PIX and the web server's DNS name resolves to xxx.yyy.115.190.)

If you want an external host to access the web server, you're going to have to modify your conduit statement(s).

Regards,

Kent

-----Original Message-----
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]

Please don't think I'm being argumentative, I'm trying to explain the configuration I have and what I'm trying to accomplish. This is coming from my understanding and concept, which I am starting to think is way off base. What really throws me is that this configuration is working at another site and at this site with my PIX 506 running Ver 5.1, just not with their PIX running Ver 4.1.4. Maybe that's my problem, I saw this type of a configuration first and just assumed it's the norm, when in fact it may be a kludge.

Now to answer your questions. I do want any outside host to access the web server. The public address for the web server is xxx.yyy.115.190. When someone does a DNS lookup for the www.domainname it resolves to xxx.yyy.115.190. Therefore the host goes to xxx.yyy.115.190. While the domainname has a public address of xxx.yyy.115.190 the actual ip address of the server is 172.20.21.241. That's where the static and conduit commands come in to play. The PIX accepts the address of xxx.yyy.115.190 (because of the static statement) and sends it to 172.20.21.241 (I would use the term routes it to 172.20.21.241 but I am afraid it would cause further confusion ... to me).

So, I do want everyone to access the web server at ip address xxx.yyy.115.190. But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts can not see the servers for which I have a conduit built, ie: web and mail servers. When the internal host performs DNS on their own name they are unable to get to that server. With the alias they are able to get to the server. I'm not sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
>Robert,
>
>Your conduit command doesn't look right. Typically you want to allow any
>outside host to access the inside host specified in the conduit. You can
>specify 'any' by using 0.0.0.0 or 0:
>
>conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
>
>Also, I'm not sure what you're trying to accomplish with those alias commands:
>
>alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>
>You're telling the PIX to translate dst address 172.20.21.241 to
>xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
>back to the same inside address? Typically the internal hosts would just go
>directly to the 172.20.21.241 address without having to go through the PIX
>in the first place.
>
>HTH,
>Kent
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
>Robert T. Repko (R Squared Consultants)
>Sent: Saturday, April 06, 2002 8:23 PM
>To: [EMAIL PROTECTED]
>Subject: Cisco PIX question, static, conduit, and alias [7:40722]
>
>
>I am having a problem getting to the inside Mail/Web servers from the
>outside and I can't determine why.
>
>I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also
>reconfiguring the way their PIX was setup. The servers were configured
>with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
>which made them vulnerable. I am moving them to an inside address and
>building a conduit from the outside to the inside.
>
>In order to leave their old netw
RE: port mirroring and vlans [7:40816]
Priscilla is correct, normally a span only shows unicast for the VLAN on the switch where the span is enabled plus any bcast or mcast from other switches that have active ports in the VLAN in question.

However, there is a "remote span" capability that has been added to the 6000 series in 5.3 code that does allow you to see the traffic for an entire vlan from any switch in the net:

http://www.cisco.com/warp/public/473/41.html#remote

Regards,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Monday, April 08, 2002 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: port mirroring and vlans [7:40816]

At 12:15 PM 4/8/02, Michael Williams wrote:
>AFAIK, if you have two switches connected via a trunk link and you mirror
>VLAN1 to a port, you should see all of the traffic in VLAN1 (i.e. from all
>switches involved in that VLAN).

Only traffic that actually crosses the mirrored port, though, right? Broadcast/multicast traffic for the VLAN as well as traffic directed to ports on the switch doing mirroring that are in VLAN 1.

I got the impression he thought he was going to see traffic on other switches that happened to have ports in VLAN 1 too. I doubt that's true. Think of all the extra work you would be requiring of the switches.

Priscilla

> You'll probably run into a situation where
>all of the traffic in VLAN1 will overrun your mirror port (which on a busy
>switch isn't hard to do). We have two 5500s trunked together, and we span
>(mirror) a port on a VLAN quite frequently.
>
>Mike W.

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40860&t=40816
RE: Hardening Ports? [7:40852]
Charlie,

As others noted, it depends on your OS. I would recommend doing a search on google for "your OS"+hardening. You'll probably find what you're looking for. Also consult your vendor's web site and http://www.sans.org for more info.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Charlie
Sent: Monday, April 08, 2002 12:51 PM
To: [EMAIL PROTECTED]
Subject: Hardening Ports? [7:40852]

Hello, all :-)

I was hoping one (or many) of you could help me with a question I have: how do I lock-down ports on a server? I know how to lock them down on firewalls and routers, but how to do it on a server is my question. I know it's a general question but any assistance would be most appreciated.

Truly,
Charlie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40861&t=40852
RE: Core layer question [7:40535]
Looking at the traffic should not slow anything down. The IDS blade has its own processor and is a completely separate device from the sup. If anything, the IDS blade may not be able to keep up with the traffic and you may miss some traffic for inspection, ie. the IDS blade might not catch all attacks. This has nothing to do with the sup's or MSFC's ability to move packets.

Access-lists are different in that they are actively inserted in the data path. An IDS is essentially a glorified sniffer. No sniffer, or IDS for that matter, that I have worked with has ever had any effect on traffic flows. It is a watcher only and does not influence the traffic flow.

Does that mean that it is impossible that an IDS blade would affect traffic? No it doesn't, but it does mean that it would be a very significant bug and absolutely should not happen.

Regards,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven A. Ridder
Sent: Sunday, April 07, 2002 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Core layer question [7:40535]

I've always understood that anything in the core (access-lists, FW blades, IDS modules, etc.) is a bad design as it just slows down traffic as the core is built for speed. I was always told to move everything to the distro or access-layer, depending on the function. AFAIK, the IDS blades have to look at all traffic, which could slow down the core, and this core is for a global bank on Wall St. If it's not done right now, when they expand later this year, the network will suck.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com

""Kent Hundley"" wrote in message
news:[EMAIL PROTECTED]...
> It's not a bad idea to have an IDS blade in the core, but if you have to
> pick either the DMZ and server blocks or the core, I would choose the
> former. Having an IDS blade in the core should not affect any other
> processing of the switch since it's a completely self contained module with
> its own processor. (course, murphy is always lurking)
>
> It's also a good idea to have redundant sup's, but cost may be a factor as
> well. One can only have as much redundancy as your pocket book allows, and
> sup's aren't cheap. :-)
>
> Regards,
> Kent
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
> Steven A. Ridder
> Sent: Thursday, April 04, 2002 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: Core layer question [7:40535]
>
>
> Has anyone ever designed a network and put either a firewall or IDS blade in
> the core switch block? Even if the customer had no money, wouldn't this
> never be advisable? Has anyone ever done it?
>
> As background for the questions, I started a new job, and so I took over
> some accounts, and whoever has been doing the configs (I think some have
> been coming from Cisco!) has been making mistakes here and there. One
> proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and this
> one has a wan block going back to the core block (dual 6506's) with only 1
> sup in each and an IDS blade in each! Isn't it advisable to move the IDS's
> to the server and DMZ blocks? Also, isn't it always advisable to go with 2
> sups?
>
> I just want to make sure I'm not crazy, as I'd not like to cause a ton of
> waves my first week on the job.
>
> --
>
> RFC 1149 Compliant.
> Get in my head:
> http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40812&t=40535
RE: Core layer question [7:40535]
It's not a bad idea to have an IDS blade in the core, but if you have to pick either the DMZ and server blocks or the core, I would choose the former. Having an IDS blade in the core should not affect any other processing of the switch since it's a completely self contained module with its own processor. (course, murphy is always lurking)

It's also a good idea to have redundant sup's, but cost may be a factor as well. One can only have as much redundancy as your pocket book allows, and sup's aren't cheap. :-)

Regards,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven A. Ridder
Sent: Thursday, April 04, 2002 2:20 PM
To: [EMAIL PROTECTED]
Subject: Core layer question [7:40535]

Has anyone ever designed a network and put either a firewall or IDS blade in the core switch block? Even if the customer had no money, wouldn't this never be advisable? Has anyone ever done it?

As background for the questions, I started a new job, and so I took over some accounts, and whoever has been doing the configs (I think some have been coming from Cisco!) has been making mistakes here and there. One proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and this one has a wan block going back to the core block (dual 6506's) with only 1 sup in each and an IDS blade in each! Isn't it advisable to move the IDS's to the server and DMZ blocks? Also, isn't it always advisable to go with 2 sups?

I just want to make sure I'm not crazy, as I'd not like to cause a ton of waves my first week on the job.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40765&t=40535
RE: Cisco PIX question, static, conduit, and alias [7:40722]
Robert,

Your conduit command doesn't look right. Typically you want to allow any outside host to access the inside host specified in the conduit. You can specify 'any' by using 0.0.0.0 or 0:

conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190 back to the same inside address? Typically the internal hosts would just go directly to the 172.20.21.241 address without having to go through the PIX in the first place.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]

I am having a problem getting to the inside Mail/Web servers from the outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR. I'm also reconfiguring the way their PIX was setup. The servers were configured with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement) which made them vulnerable. I am moving them to an inside address and building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the 7206VXR, I used my PIX 506 (Ver 5.x) for configuration purposes. I had everything configured and working. Then over the Easter holiday I configured their PIX trying to use the same statements that I had in my PIX 506. This is where I ran into problems. Since they are running such an old version (Ver 4.1.4) of the IOS I could not use the same exact commands. I'm not as familiar with the PIX 4.1.4 commands and obviously have something stated incorrectly.

Below I have what I believe to be the pertinent information from both the 7206 and PIX. Can someone tell me where I went wrong? The xxx.yyy represent the same 2 octets throughout both configs. Any help greatly appreciated.

Cisco 7206 VXR

interface FastEthernet0/1
 description ** Firewall Connection (inside area)**
 ip address xxx.yyy.115.18 255.255.255.240 secondary
 ip address 172.20.19.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129            !(points to the ISP)
ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17  !(points to the PIX)

Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)

interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0
global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13
static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255
conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255
alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255
route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
route inside 172.16.0.0 255.255.0.0 172.20.19.3 1

Robert T. Repko - R Squared Consultants

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40764&t=40722
RE: PIX Question !!! [7:40465]
Avi,

You have a few things in your config that look strange:

1) static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255

This creates a static with the outside address of 192.168.2.13, which you indicate is your router's IP address, and an inside address of 216.6.24.129, which you indicate is your inside PIX interface. This makes no sense. A static translation is used to create a new address on the outside that is not currently in use by any device to map to an inside end device, such as a server. I don't understand what you are trying to do with this command and this may be the cause of your problem.

2) route inside 0.0.0.0 0.0.0.0 216.6.24.129 1

You are pointing the PIX's inside default route to its own interface? I don't see what you are trying to accomplish by doing this, if there is no inside router you should just leave off the route inside command.

3) You say outside hosts are able to reach 216.6.24.130, do you mean they are able to ping the host? If the outside hosts can ping the inside host, the inside host should be able to ping the outside hosts since you have a conduit permit icmp any in your config. If the .130 host is a unix box, sometimes they try to resolve names during ping, so it may be that your ping is failing because name lookups are failing. Just a guess.

It looks like something is not correct with your static command, so I would fix that first. Also, you are running a very old version of code at 4.4, you are 2 major releases behind, so there may also be some weird bug present in this code rev, I would strongly consider upgrading the code to current levels.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Avi
Sent: Thursday, April 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]

Hi,

I am facing a problem on PIX 515 as described below.

Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:

         H   216.6.24.130 255.255.255.192
         |
         |   Public Accessed Servers (216.6.24.0 - Public addresses)
         |
         |   216.6.24.129 255.255.255.192
        PIX
         |   192.168.2.14 /30
         |
         |   192.168.2.13 /30
         R
         |   192.168.2.6 /30
         |
         |   192.168.2.5 /30
         R   (ISP Router)
         |
         |   Proxy Server
         |   192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255
RE: Replacing a router with PIX [7:40454]
Jeffrey,

A few things you'll need to be aware of:

1) If you want to get an additional Internet connection for redundancy, it will have to be Ethernet since the PIX does not support WAN connections.

2) The PIX cannot act as an HTTP proxy, so you may have to change the config on the clients so that they will work in transparent mode.

Other than this, a PIX525 should handle 2000 users with no problem.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jeffrey Reed
Sent: Thursday, April 04, 2002 4:03 AM
To: [EMAIL PROTECTED]
Subject: Replacing a router with PIX [7:40454]

I'm working on a design where we have a 3640 with dual T1s to the Internet. The customer is using MS Proxy as their security enforcement point with a few ACLs on the router. They are soon getting a new ISP who will be dropping off a 10M Ethernet connection to replace the T1s. Is there any reason we shouldn't drop a PIX in there to replace the 3640 (and MS Proxy)? This is a university with 2000+ students and we're looking at a PIX-525. Any suggestions would be appreciated.

Jeffrey Reed
Classic Networking, Inc.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40482&t=40454
RE: BGP Load-Balancing with 2 providers...Possible?? [7:40242]
Very possible, not much different from using 1 provider as long as you have your own address space. If you don't have your own address space, you'll have to either get it from ARIN or convince one provider to advertise addresses from another provider's space. They will probably do this, for a price.

Keep in mind though that the traffic patterns can vary a lot depending on the providers used. More traffic will flow through the provider that is "closer" to the peering points. The best advice is to use 2 Tier 1 providers like UUnet, ATT, Sprint, etc.

I don't have it in front of me, but I'm sure there are examples of this in Sam Halabi's book "Internet Routing Architectures".

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Cisco Nuts
Sent: Tuesday, April 02, 2002 2:11 PM
To: [EMAIL PROTECTED]
Subject: BGP Load-Balancing with 2 providers...Possible?? [7:40242]

Hello,

Is it possible to load-balance BGP traffic with 2 service providers... I know it is possible to load balance with 2 circuits to the same provider using ebgp-multihop and update-source and cef but with 2 circuits to 2 different providers??

Thank you for your help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40331&t=40242
RE: PIX VS CheckPoint [7:40136]
Actually, depending on what Nokia boxes you compare with what PIXen and whose numbers you believe, the Nokia boxes may be faster. According to Nokia/Checkpoint, the high-end Nokia boxes are faster than the PIX 535's. Course, a lot depends on what your rule-set looks like.

On the flexibility, I agree the CP's are definitely more flexible than the PIX. (which is why the PIXen are easier to install in simple environments) One thing that CP has that is fairly unique is the ability to write your own rules using CP's INSPECT language, which allows you to filter on any part of a packet, including the data portion. Not many people seem to use this feature, but it can come in handy if you have special filtering requirements such as when a new IIS exploit surfaces. ;-)

Regards,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of nrf
Sent: Tuesday, April 02, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX VS CheckPoint [7:40136]

On the other hand, there's a distinct third option, which is to run Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso line of gear. This removes one of the Checkpoint disadvantages (don't need to know Unix or NT), but introduces another disadvantage (less flexible - you should have included in your advantages that regular Checkpoint is more flexible than Pix because you can integrate it with Unix and enjoy all the features of Unix, but of course with a Nokia, you don't have that).

In fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash. I believe the Pix is faster, but the Nokia Checkpoint is still more flexible (but not as flexible as Checkpoint software).

""Nurudeen Aderinto"" wrote in message
news:[EMAIL PROTECTED]...
> Dear x,
>
> I love your presentation. You spoke well.
>
> Nurudeen
> ""x"" wrote in message
> news:[EMAIL PROTECTED]...
> > I have setup and managed both PIX and Checkpoint in a
> > variety of environments. I think they are both solid
> > options in different situations. Here is how I market
> > these products.
> >
> > PIX
> > - more cost effective
> > - fast
> > - you can have fail over
> > - Can be more complicated to setup the CLI, but PIX
> > has a nice feature of allowing all traffic out and
> > none in by default.
> >
> > Who would I market this for?
> > I would target this as an ideal candidate for small
> > companies with rulesets that don't change much. They
> > also need a Cisco savvy person to manage it, usually a
> > consultant. I am guessing you would fill this role.
> > I have only made minor changes in the firewall I have
> > managed for almost two years.
> >
> > Checkpoint
> > - nice GUI for ruleset management
> > - more expensive
> > - required to know Unix or NT ( for the love of God
> > don't use NT. Its security is very poor out of the
> > box and requires a great deal of configuration to
> > become mildly secure )
> >
> > Who would I market this toward?
> > I would target larger companies with Checkpoint. It
> > is easier to manage the ruleset, but more setup time
> > and more costly. I would also say this solution is
> > slightly slower and more prone to security issues
> > since you have to patch the OS and the firewall
> > software.
> >
> >
> > --- Jeffrey Reed wrote:
> > > Has anyone performed or seen an in depth study of
> > > PIX vs Checkpoint? I have
> > > a customer who is looking at both. I've read various
> > > magazine articles, but
> > > nothing from real people such as this group! :)
> > >
> > > Thanks!!
> > >
> > > Jeffrey Reed
> > > Classic Networking, Inc.
> > [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40278&t=40136
RE: please help **location migration** [7:40162]
Kevin,

Check out "local area mobility", it looks like it may fit your needs:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/lam/tech/lamso_wp.htm

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Campbell
Sent: Tuesday, April 02, 2002 2:49 AM
To: [EMAIL PROTECTED]
Subject: please help **location migration** [7:40162]

I work for a collocation and bandwidth provider and need help with an issue for a migration. We need to move about 30 servers from an offsite location to our data center. The move of the servers needs to be done over the period of a month. We need to do this without changing the ip addresses of the servers. So either through an internet connection or wan link (both possible) we need to share the ip block. It cannot be subnetted and must remain a single ip block. We have ruled out the use of bridge groups across a T1 circuit and would like a better option than using a VPN. If you have any ideas please help.

Thanks for the help and all the useful posts. I have been in this group for about 6 months and have made very few posts but have benefited immensely from users in this group. I thank you for that.

Kevin Campbell
MCSE, MCT, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40214&t=40162
RE: Contest [7:40072]
If memory serves, William S. Bonnie is "Billy the Kid"

-K

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Zeitz
Sent: Monday, April 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Contest [7:40072]

I'll give you a free website where you can find tons of free white papers, resources and everything you need for your exams if you can tell me who AKA William S. Bonnie is.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=40086&t=40072
RE: SSH client for windows 95 [7:39869]
John,

3 ways to verify the host key:

1) Connect over a network which you have a reasonable degree of confidence is secure. This would normally mean connecting over a LAN to the host in question to get its key. For the truly paranoid, this would mean connecting over a x-over cable to the host in question.

2) Have someone send you the host key and then cut and paste the key into the appropriate file. To have a degree of confidence you would have to receive the key through some fairly secure means, i.e. have a floppy fedexed to you, sent embedded in an email with PGP, etc.

3) Call the person who manages the server, connect to the server, get the key and have them verify the received key over the phone. (this is probably the easiest method)

The keys are stored in files on each host. For example, using openssh, the host's key is normally stored in a file called ssh_host_rsa_key.pub. Different client ssh programs store the public keys of the servers they talk to in different places. F-Secure's ssh client stores them in a directory called 'hostkeys' and they have names like 'key_22_10.1.1.1.pub'.

HTH,

Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Green
Sent: Friday, March 29, 2002 8:03 AM
To: [EMAIL PROTECTED]
Subject: RE: SSH client for windows 95 [7:39869]

but when i connect using the ssh client i get this security alert. do you know what this means ?

"PuTTY security alert
The server's host key is not cached in the registry. You have no guarantee that the server is the computer you think it is.
The server's key fingerprint is "
2048 1e:45:22:44:..:55:9a:7b
If you trust this host hit Yes and add the keys to PuTTY's cache on connecting."

how to recognise the fingerprint numbers that they belong to the host to which we are connecting. i don't think they refer to the MAC address because that is unique to the host.

--- colin newman wrote:
> Putty is a great SSH windows client. It supports
> SSH versions 1 and 2.
> You

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39906&t=39869
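All three of Kent's methods end the same way: the operator compares the fingerprint the client displays with one obtained over a trusted path. The following is an added example (not from the thread or from PuTTY/OpenSSH) in Python: it constructs a sample ssh_host_rsa_key.pub line from made-up, non-real RSA parameters, derives the colon-separated MD5 fingerprint that PuTTY's alert shows as well as the newer SHA256 form, and compares either against the value read over the phone or received out-of-band.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x: int) -> bytes:
    """RFC 4253 'mpint' for a non-negative integer; (bit_length+8)//8 bytes
    guarantees a leading 0x00 whenever the top bit would otherwise be set."""
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def build_rsa_pubkey_line(e: int, n: int, comment: str = "constructed-host") -> str:
    """Build a one-line OpenSSH public key ('ssh-rsa <base64 blob> <comment>')
    of the kind stored in ssh_host_rsa_key.pub. Constructed for the example:
    e and n are whatever the caller passes, not a real key pair."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob) from an OpenSSH public key line, rejecting a
    line whose declared type disagrees with the type encoded inside the blob."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + tlen].decode()
    if inner_type != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {inner_type}")
    return key_type, blob


def parse_rsa_blob(blob: bytes):
    """Decode (e, n) from an ssh-rsa blob: string 'ssh-rsa', mpint e, mpint n."""
    fields, off = [], 0
    for _ in range(3):
        (flen,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        fields.append(blob[off:off + flen])
        off += flen
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy fingerprint: MD5 of the raw blob as 16 colon-separated hex
    pairs, the format shown in the PuTTY alert quoted above (1e:45:22:...)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Current OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(pubkey_line: str, expected_fingerprint: str) -> bool:
    """Compare the key a server presented against a fingerprint obtained
    out-of-band. Accepts the MD5 colon form (optionally prefixed 'MD5:',
    any case) or the SHA256 form; uses a constant-time comparison."""
    _, blob = parse_pubkey_line(pubkey_line)
    expected = expected_fingerprint.strip()
    if expected.upper().startswith("SHA256:"):
        return hmac.compare_digest(fingerprint_sha256(blob), "SHA256:" + expected[7:])
    expected = expected.lower()
    if expected.startswith("md5:"):
        expected = expected[4:]
    return hmac.compare_digest(fingerprint_md5(blob), expected)


if __name__ == "__main__":
    # Constructed key: the admin reads fingerprint_md5() over the phone, the
    # operator types it in and only proceeds when host_key_matches() is True.
    line = build_rsa_pubkey_line(65537, 0xC0FFEE1234)
    key_type, blob = parse_pubkey_line(line)
    print(key_type, fingerprint_md5(blob), fingerprint_sha256(blob))
    print("matches:", host_key_matches(line, fingerprint_md5(blob)))
```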
RE: Unrelated question [7:39788]
Probably has something to do with the asymmetric nature of email and the inherent delays in various mail servers and the Internet. Right now I see no responses to your question in my inbox, but there could be 5 on their way by the time I type this and hit send.

-Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 3:22 PM
To: [EMAIL PROTECTED]
Subject: Unrelated question [7:39788]

OK, so at least 3/4 of the responses to this question say the exact same thing. Or at least hint at it. (It doesn't make sense to me to take the time to answer someone's question and do it with 2 words. "vlans" while correct is not, by itself, an answer.)

My point is the redundancy. Do some people not read the umpteen responses before jumping out with their own? Or do some people access these via some other transport (i.e. e-mail) and so don't see the responses? Or do some people just like seeing their names on a newsgroup? It just doesn't make sense.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39871&t=39788
RE: Router question.. [7:39788]
I have tried it, it works provided you have appropriate IOS and use 802.1q.

-Kent

-----Original Message-----
From: Walker, Jim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 11:33 AM
To: 'Kent Hundley'; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]

I never tried it, but I didn't think you could configure a sub-interface on a 10M ethernet port.

-----Original Message-----
From: Kent Hundley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 5:20 PM
To: Walker, Jim; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]

It's not necessary to use secondary addressing. Configure a 802.1q trunk port on the 2900 switch and configure one of the ethernet ports on the 2611 as a trunk port. (yes, 802.1q trunking is supported on ethernet) Configure appropriate addressing on the sub-interfaces of the 2611 and you still have a single free ethernet port for other connections.

-Kent

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Walker, Jim
Sent: Thursday, March 28, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]

1. Create 2 separate vlans on the switch
2. Configure both ethernet ports, 1 with a secondary ip address
3. Connect up both ethernet ports on the router to 2 corresponding vlan configured ports on the switch

-----Original Message-----
From: Ricky Chan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]

It has only 2 regular ethernet ports...

-----Original Message-----
From: Walker, Jim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 12:55 PM
To: Ricky Chan; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]

Yes, if the 2600 series router has a fastethernet port. Router on a stick.

-----Original Message-----
From: Ricky Chan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: Router question.. [7:39788]

Hi all,

My boss just came up and gave me a scenario question like this. He told me that I owned a company which uses 3 different LANs, for example, 172.27.10.x, 172.27.11.x, 172.27.12.x. But I only have one cisco 2600 series router and 2900 series switch. I can't use the serial ports from the router. Just the two ethernet ports (by default). My question is, is it possible? Please advise.

Thanks
Ricky

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39837&t=39788
RE: If it's a 2611, you're out of luck [7:39788]
Incorrect. Only ISL requires FastE, 802.1q works perfectly well on a standard Ethernet port. This was covered in another thread a few days ago.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: If it's a 2611, you're out of luck [7:39788]

Vlan trunking requires a fast ethernet connection. It cannot be trunked with a 261X. You'd need a 262X.

If you have to deal with a 2611, your options become much more limited. You could replace the 2611 with a 2620. Or you could get an ethernet module for the 2611. Unfortunately, last time I checked (which was a couple years ago, given) those ethernet modules came in two models, 1 and 4 port, and cost about $1000 per port. Another option would be to replace the 2611 with a 1750. It's got one fast ethernet port. If this network is as small as it sounds, it'd be a viable option.

Oh, and about trunking, the way it works is you define the switch port connected to the router as a trunk. This allows multiple (in your case, all) vlans to use the one port. The router is configured with subinterfaces on the fastethernet port, one for each vlan. The router can then route between these vlans.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39827&t=39788
RE: TACACS+ [7:39297]
Yes, ACS supports TACACS+ or Radius on the front-end and many different user databases such as NT domain on the back-end. Yes, PIX is a TACACS+ client. Yes, the protocol is TACACS+ between PIX and ACS. You could call the PIX a NAS, but typically NAS refers to some sort of dial-in device, so calling the PIX a NAS might confuse some people.

-Kent

-Original Message-
From: John Green [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 9:21 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: TACACS+ [7:39297]

Is the Cisco Secure ACS server a TACACS+ server? I.e. the PIX is acting as a TACACS+ client to the ACS server? Is that correct?

If yes, then is the protocol for user authentication and later access-control between the PIX and ACS server called the TACACS+ protocol? Is this correct?

Lastly, if the PIX is our perimeter firewall and set for AAA, then can we say that the PIX is also a NAS, network access server? Would that be correct to say, at least in this scenario where users connect to the PIX to, say, access a web server behind or protected by the PIX?

> "Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> > IMO, the best way to study TACACS+ is to download the free TACACS+ server
> > from Cisco, install it on Linux and play around with it. You'll learn much
> > more about how TACACS+ works by implementing it and trying different things
> > than any WP (it helps a lot if you have a router to work with as well). If
> > your goal is to learn CiscoSecure ACS, download an eval copy of that and
> > install it on Windows and play around. Either way, you'll learn quite a bit
> > about AAA and Cisco.
> >
> > Regards,
> > Kent
> >
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> > Sent: Saturday, March 23, 2002 8:00 AM
> > To: [EMAIL PROTECTED]
> > Subject: TACACS+ [7:39297]
> >
> > I have read the white paper on this. Does anyone know of a good study
> > source on this topic other than the white paper itself?
> >
> > Thanks

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39810&t=39297
RE: NAT [7:39601]
Yes, you are (lots of good info on NAT can be found by doing a search on CCO for "NAT tips").

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Wilson, Gavin (KBPB)
Sent: Wednesday, March 27, 2002 6:00 AM
To: [EMAIL PROTECTED]
Subject: NAT [7:39601]

Hi there

Does anyone know if you are allowed more than one outside interface on a NAT router?

Cheers
Gavin

Gavin Wilson
Kleinwort Benson Private Bank
Tel: 0207 4751771
Mobile: 07989441850
email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39627&t=39601
RE: pix question [7:39560]
George,

In current versions, it's "show access-list". :-)

pix# sh ver
Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)
pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
pix#

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 5:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]

What's the equivalent of show access-list on the PIX?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39620&t=39560
RE: How to get running-config of cisco routers through SNMP [7:39619]
You can find this info and lots of other good SNMP info by searching on CCO for "snmp tips". Here's the relevant direct url:

http://www.cisco.com/warp/public/477/SNMP/copy_configs_snmp.shtml

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of V\J@>|
Sent: Wednesday, March 27, 2002 5:42 AM
To: [EMAIL PROTECTED]
Subject: How to get running-config of cisco routers through SNMP [7:39598]

Hello, mrtg!

Can anyone tell me whether I can get the running-config of Cisco routers through an SNMP request? And if we can, what is the OID for this purpose?

Thanks.
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39619&t=39619
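The exchange the linked Cisco page describes, written out as an added example (it is not from Kent's post or from the Cisco page), together with the router-side restriction a practitioner should pair with it, because the same MIB lets anyone holding the RW community pull the full config. Assumed: router 192.0.2.1, a management host at 192.0.2.50 that also runs the TFTP server, communities rw-secret and ro-secret, an arbitrary row index 101, and the net-snmp command-line tools; the OIDs are the CISCO-CONFIG-COPY-MIB columns.

```text
# --- On the management host (net-snmp). One snmpset creates the ccCopyTable row.
#   .2  ccCopyProtocol        1 = tftp
#   .3  ccCopySourceFileType  4 = runningConfig
#   .4  ccCopyDestFileType    1 = networkFile
#   .5  ccCopyServerAddress   TFTP server that receives the file
#   .6  ccCopyFileName        name written on the TFTP server
#   .14 ccCopyEntryRowStatus  4 = createAndGo (starts the copy)
snmpset -v2c -c rw-secret 192.0.2.1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.2.101 i 1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.3.101 i 4 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.4.101 i 1 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.5.101 a 192.0.2.50 \
  1.3.6.1.4.1.9.9.96.1.1.1.1.6.101 s router.cfg \
  1.3.6.1.4.1.9.9.96.1.1.1.1.14.101 i 4

# Poll ccCopyState (.10) until it is 3 = successful or 4 = failed
# (1 = waiting, 2 = running)
snmpget -v2c -c rw-secret 192.0.2.1 1.3.6.1.4.1.9.9.96.1.1.1.1.10.101

# Remove the row when finished (RowStatus 6 = destroy)
snmpset -v2c -c rw-secret 192.0.2.1 1.3.6.1.4.1.9.9.96.1.1.1.1.14.101 i 6

! --- On the router (IOS). The file produced above contains enable secrets,
! SNMP strings and routing keys, so bind the RW community to an ACL that
! admits only the management host, and keep the RO string separate.
access-list 10 permit host 192.0.2.50
access-list 10 deny   any log
snmp-server community ro-secret RO 10
snmp-server community rw-secret RW 10
```

The copy itself travels over TFTP, so the config crosses the wire in clear text: keep the TFTP server on the management segment and delete the file once it has been collected.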
RE: picture attached-NAT question in BCRAN book-can work?? [7:39444]
Tong,

There's no magic, you must either advertise a route for 192.168.2.0/24 or the upstream router(s) must have a static route for 192.168.2.0/24 pointing to your router. One way around this issue is to configure NAT to overload the router's interface IP or use addresses in the same range as the router's IP.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Sim, CT (Chee Tong)
Sent: Monday, March 25, 2002 1:49 AM
To: [EMAIL PROTECTED]
Subject: picture attached-NAT question in BCRAN book-can work?? [7:39410]

Dear friends,

Can I ask you the following question? It is what I see in the book. The network diagram and the NAT router config are shown below. Basically, when a packet goes from an inside host to an outside host, its source IP will change from 10.1.1.X to 192.168.2.2 after the NAT router. When the outside host replies, the destination IP will be 192.168.2.2. But I don't understand how the packet knows to route back to the NAT router's serial 0? The IP of the router's serial 0 is 172.16.2.1. Unless we add a route entry on the outside hosts, but how can we have control over the outside hosts?

Tong

[GroupStudy.com removed an attachment of type image/jpeg which had a name of image001.jpg]
[GroupStudy.com removed an attachment of type image/jpeg which had a name of image002.jpg]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39444&t=39444
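For both NAT questions on this page (Gavin's, whether a NAT router may have more than one outside interface, and Tong's, how replies find their way back to a translated address), here is an added example config; it is not from any of the posts or from the BCRAN book. Interface names, addresses, the ACL number and the route-map names are assumptions.

```text
! Two outside interfaces are fine. NAT picks the translation by the interface
! the packet leaves on, so one route-map per uplink keeps the pools apart.
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip address 172.16.2.1 255.255.255.252
 ip nat outside
!
interface Serial0/1
 ip address 172.16.3.1 255.255.255.252
 ip nat outside
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
route-map VIA-S0 permit 10
 match ip address 1
 match interface Serial0/0
!
route-map VIA-S1 permit 10
 match ip address 1
 match interface Serial0/1
!
! Overloading the interface address answers Tong's question: the reply is
! addressed to an IP the upstream router already knows how to reach, so no
! extra route is needed anywhere.
ip nat inside source route-map VIA-S0 interface Serial0/0 overload
ip nat inside source route-map VIA-S1 interface Serial0/1 overload
!
! The book's alternative, a pool from a different range, only works when the
! upstream has a route for that range pointing back at this router:
!   ip nat pool OUTSIDE 192.168.2.2 192.168.2.10 netmask 255.255.255.0
!   ip nat inside source list 1 pool OUTSIDE overload
!   (on the upstream router)  ip route 192.168.2.0 255.255.255.0 172.16.2.1
```

"show ip nat translations" after a test ping from an inside host shows which outside address each flow was given, and "debug ip nat" shows a reply that arrives with no matching translation, which is the symptom of the missing upstream route.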
RE: TACACS+ [7:39297]
The download still works fine for me from ftp-eng.cisco.com/pub/tacacs. (anonymous login)

ftp> get tac_plus.F4.0.4.alpha.tar.Z
local: tac_plus.F4.0.4.alpha.tar.Z remote: tac_plus.F4.0.4.alpha.tar.Z
200 PORT command successful.
150 Opening BINARY mode data connection for tac_plus.F4.0.4.alpha.tar.Z (193771 bytes).
226 Transfer complete.
193771 bytes received in 1.64 secs (1.2e+02 Kbytes/sec)
ftp> bye

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Steven A. Ridder
Sent: Saturday, March 23, 2002 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: TACACS+ [7:39297]

I think Cisco stopped the DL of the free TACACS server a while ago.

--
RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com

"Kent Hundley" wrote in message news:[EMAIL PROTECTED]...
> IMO, the best way to study TACACS+ is to download the free TACACS+ server
> from Cisco, install it on Linux and play around with it. You'll learn much
> more about how TACACS+ works by implementing it and trying different things
> than any WP (it helps a lot if you have a router to work with as well). If
> your goal is to learn CiscoSecure ACS, download an eval copy of that and
> install it on Windows and play around. Either way, you'll learn quite a bit
> about AAA and Cisco.
>
> Regards,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Saturday, March 23, 2002 8:00 AM
> To: [EMAIL PROTECTED]
> Subject: TACACS+ [7:39297]
>
> I have read the white paper on this. Does anyone know of a good study
> source on this topic other than the white paper itself?
>
> Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39307&t=39297
RE: TACACS+ [7:39297]
IMO, the best way to study TACACS+ is to download the free TACACS+ server from Cisco, install it on Linux and play around with it. You'll learn much more about how TACACS+ works by implementing it and trying different things than any WP (it helps a lot if you have a router to work with as well). If your goal is to learn CiscoSecure ACS, download an eval copy of that and install it on Windows and play around. Either way, you'll learn quite a bit about AAA and Cisco.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, March 23, 2002 8:00 AM
To: [EMAIL PROTECTED]
Subject: TACACS+ [7:39297]

I have read the white paper on this. Does anyone know of a good study source on this topic other than the white paper itself?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39300&t=39297
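A minimal lab of the kind Kent recommends in this thread (and in the two later replies on this page), as an added example that is not from the posts or from Cisco's tac_plus distribution: a tac_plus.conf for the free daemon and the matching IOS AAA config on the router. The shared key, the server and loopback addresses, the user, group and local-fallback account are all assumptions.

```text
# /etc/tac_plus.conf  (tac_plus F4.0.4 config syntax)
# The key is the only thing protecting the TACACS+ session, so use a long
# one and firewall TCP/49 on the Linux box to the routers' source addresses.
key = "s3cret-shared-key"
accounting file = /var/log/tac_plus.acct

group = netadmins {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

user = kent {
    member = netadmins
    login = cleartext "labpassword"
}

# start while experimenting:  tac_plus -C /etc/tac_plus.conf
# then watch /var/log/tac_plus.acct fill as you log in to the router.

! --- Router (IOS) ---
aaa new-model
tacacs-server host 192.0.2.10 key s3cret-shared-key
! source from the loopback so the daemon sees one stable address per router
ip tacacs source-interface Loopback0
!
! a local account as the LAST method keeps you out of a lockout when the
! daemon is down; it is never consulted while TACACS+ answers
username admin privilege 15 secret a-local-password
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
line vty 0 4
 login authentication default
```

The priv-lvl 15 in the group only takes effect because of the "aaa authorization exec" line; without it the user lands at privilege 1 and has to "enable" separately. Keep a console session open while turning this on, and test a new vty login before closing it.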
RE: ISL Trunking from a h/w's perspective [7:39246]
Danny,

Sometimes even people who work for Cisco, even SEs who may be CCIEs, make mistakes. The router never lies:

3620(config)#int ethernet 0/0.1
3620(config-subif)#encap ?
  dot1Q  IEEE 802.1Q Virtual LAN
  sde    IEEE 802.10 Virtual LAN - Secure Data Exchange

Notice this is an Ethernet, not FastEthernet, and that it does indeed allow 802.1q trunking. ISL, on the other hand, does require FastEthernet. So maybe that is where the confusion lies.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Danny Andaluz, CCNP
Sent: Friday, March 22, 2002 7:25 PM
To: [EMAIL PROTECTED]
Subject: Re: ISL Trunking from a h/w's perspective [7:39246]

No you can't. I got it straight from Cisco that they have to be 100 meg full-duplex interfaces.

"MADMAN" wrote in message news:[EMAIL PROTECTED]...
> Actually on some platforms with the right IOS you can trunk 10 meg ports:
>
> C3660B(config)#inter e2/0.1
> C3660B(config-subif)#encap dot1 1
> C3660B(config-subif)#
>
> Dave
>
> danny wrote:
> >
> > The router's ethernet must be 100 full duplex. You configure subinterfaces on
> > the ethernet. A trunking protocol must be configured on each sub with the
> > corresponding vlan #. The router will route between Vlans.
> >
> > Hope this helps.
> >
> > Danny
> > "George Siaw" wrote in message news:[EMAIL PROTECTED]...
> > > Thanks for all your responses.
> > >
> > > One last question though. For an external router, routing between vlans, if
> > > I have just one FastEthernet interface on the router can I route between
> > > vlans?
> > >
> > > George.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott H.
> > > Sent: 23 March 2002 00:53
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: ISL Trunking from a h/w's perspective [7:39246]
> > >
> > > The only time the SC0 interface comes into play is for telnet into the box.
> > > If you have any 100 MB ports on your switch, you can run trunking.
> > >
> > > set trunk (mod/port) on isl
> > >
> > > If this trunk is running into a router, you need to create the subinterfaces
> > > on the router to enable routing between VLANS.
> > >
> > > int fa1/0.100
> > > ip address (the subnet of the vlan)
> > > encap isl (the vlan #)
> > >
> > > HTH,
> > > Scott
> > >
> > > "George Siaw" wrote in message news:[EMAIL PROTECTED]...
> > > > Do I need an Sc0 port when routing between Vlans? However, there's no
> > > > uplink module on either of my supervisor engines. Would you know a s/w
> > > > workaround without having to buy the module?
> > > >
> > > > George.
> > > >
> > > > -Original Message-
> > > > From: Larry Letterman [mailto:[EMAIL PROTECTED]]
> > > > Sent: 23 March 2002 00:17
> > > > To: George Siaw; [EMAIL PROTECTED]
> > > > Subject: RE: ISL Trunking from a h/w's perspective [7:39246]
> > > >
> > > > You don't have to configure the SC0 interface to do isl or dot1q. It's only
> > > > needed for management, telnet etc...
> > > >
> > > > Larry Letterman
> > > > Cisco Systems
> > > > [EMAIL PROTECTED]
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of George Siaw
> > > > Sent: Friday, March 22, 2002 3:45 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: ISL Trunking from a h/w's perspective [7:39246]
> > > >
> > > > Guys,
> > > >
> > > > Any ideas as to how I can configure isl trunking without an Sc0 port on the
> > > > supervisor engines? Can I configure one of the ports to assume this
> > > > position i.e. Sc0? If so what are the cmds?
> > > >
> > > > Regards,
> > > > George.
> > > >
> > > > Configs as below:
> > > >
> > > > Console> (enable) sh mod 1
> > > > Mod Module-Name Ports Module-Type    Model    Serial-Num Status
> > > > --- ----------- ----- -------------- -------- ---------- ------
> > > > 1   ENGINE-1    0     Supervisor III WS-X5530 012144234  ok
> > > >
> > > > Mod MAC-Address(es)                        Hw  Fw    Sw
> > > > --- -------------------------------------- --- ----- -------
> > > > 1   00-50-f0-0c-64-00 to 00-50-f0-0c-67-ff 3.0 3.1.2 4.3(1a)
> > > >
> > > > Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
> > > > --- -------- --------- ---------- ------
> > > > 1   NFFC+    WS-F5531  0012153640 1.0
> > > >
> > > > Console> (enable) sh mod
> > > > Mod Module-Name Ports Module-Type Model Serial-Num Status
> > > > --- ----------- ----- ----------- ----- ---------- ------
> > > > 1
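As an added example for this thread and for the "Router question" thread earlier on this page (it is not from any of the posts): a 2611 routing three VLANs over one 10 Mbps Ethernet port with 802.1Q subinterfaces, which is what Ricky's scenario needs, and the matching switch port. VLAN IDs, addresses, interface numbers, the unused native VLAN and the 2900XL-style switch syntax are assumptions; a CatOS-based 2900 would use "set trunk" instead.

```text
! --- 2611 (IOS that offers "encapsulation dot1Q" on Ethernet subinterfaces) ---
interface Ethernet0/0
 description 802.1Q trunk to the 2900
 no ip address
!
interface Ethernet0/0.10
 encapsulation dot1Q 10
 ip address 172.27.10.1 255.255.255.0
!
interface Ethernet0/0.11
 encapsulation dot1Q 11
 ip address 172.27.11.1 255.255.255.0
!
interface Ethernet0/0.12
 encapsulation dot1Q 12
 ip address 172.27.12.1 255.255.255.0
!
! Ethernet0/1 stays free for an uplink or a fourth segment.

! --- 2900XL port facing the router ---
! (VLANs 10, 11, 12 and 999 created first in "vlan database" mode, e.g.
!  vlan 10 name SUBNET-172-27-10 ... vlan 999 name NATIVE-UNUSED)
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ! untagged frames on the trunk land in a VLAN with no hosts, so they cannot
 ! be used to reach, or double-tag into, a user VLAN
 switchport trunk native vlan 999
 switchport trunk allowed vlan remove 1-9,13-998,1000-1005
```

All inter-VLAN traffic crosses the 10 Mbps link twice (in on one subinterface, out on another), so this suits a small office but the link is the bottleneck. "show vlans" on the router and "show interfaces fastethernet0/24 switchport" on the switch confirm that both ends agree on the tags.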
RE: Catalyst 6509 [7:39192]
Correct, it's essentially an 802.1q native VLAN issue, not a VLAN 1 issue per se. I would note though that although the change to make a non-active VLAN the native VLAN is an obvious fix, it strikes me as a bug that Cisco does not perform a sanity check on native VLAN frames to ensure that they in fact do not have an 802.1q frame tag. This is what causes the issue, since packets on the native VLAN are not supposed to have an 802.1q frame tag.

On a related note, it _is_ now possible to clear VLAN 1 from a trunk. It disallows all non-management related traffic, i.e. anything other than VTP, CDP, etc. So this should in theory also "fix" the VLAN hopping issue, although it's probably cleaner to just assign a non-active VLAN as the native VLAN.

http://www.cisco.com/warp/public/473/21.html#case

The Case of VLAN 1

VTP pruning cannot be applied to VLANs that need to exist everywhere and to be allowed on all switches in the campus (to be able to carry VTP, CDP traffic, and other control traffic). There is a way, however, to limit the extent of VLAN 1. This is a feature called VLAN 1 disable on trunk, and it is available on Catalyst 4000, 5000, and 6000 family switches since Cisco IOS release 5.4(x). This allows you to prune VLAN 1 from a trunk as you would do for any other VLAN, but this pruning will not include all of the control protocol traffic that will still be allowed on the trunk (DTP, PAgP, CDP, VTP, and so on). However, you will block all user traffic on that trunk. Using this feature, you can completely avoid the VLAN spanning the entire campus, and as such, STP loops will be limited in extent, even in VLAN 1. You can configure VLAN 1 to be disabled as you would configure other VLANs to be cleared from the trunk by issuing the following commands:

Console> (enable) set trunk 2/1 des
Port(s) 2/1 trunk mode set to desirable.
Console> (enable) clear trunk 2/1 1
Removing Vlan(s) 1 from allowed list.
Port 2/1 allowed vlans modified to 2-1005.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Steven A. Ridder
Sent: Friday, March 22, 2002 7:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Catalyst 6509 [7:39192]

I'm embarrassed to say, I got it wrong, you must use any Vlan but 1 on the trunk port. Here's the direct quote from the link below:

"... prolonged discussions took place with the switch vendor to discuss the implications of the results above. After consultation with their developers it was concluded that the traffic from VLAN 1 was allowed to hop to other VLANs because the trunk port was also set (implicitly) to native VLAN 1. They suggested that by changing the native VLAN of the trunk port the VLAN hopping could be eliminated. This was tested and was found to be true.."

http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

--
RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com

"MADMAN" wrote in message news:[EMAIL PROTECTED]...
> How??
>
> C6509> (enable) clear vlan 1
> VLAN number must be in the range 2..1000,1025..4094.
> C6509> (enable)
>
> You can disable it on trunks however
>
> dave
>
> "Steven A. Ridder" wrote:
> >
> > The big problem with Vlan 1 is that if it exists on your network a hacker
> > can do VLAN hopping (not a good thing). Cisco recommends deleting Vlan 1
> > from switches.
> >
> > --
> >
> > RFC 1149 Compliant.
> > Get in my head:
> > http://sar.dynu.com
> >
> > "maverick hurley" wrote in message news:[EMAIL PROTECTED]...
> > > Absolutely it will help for security. The thing to remember is that your
> > > ports are default for native vlan1. You can specify a different vlan number
> > > for your management like vlan 5. But in case of trunking mishaps/issues and
> > > vlan pruning issues it is safer using vlan 1.
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39275&t=39192
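The two mitigations Kent compares above, a dedicated unused native VLAN and clearing VLAN 1 from the trunk, as an added example config that is not from the post or from the Cisco page. Port numbers, the VLAN range 10-30 and the reserved VLAN 999 are assumptions; the CatOS form applies to the 6509 in the thread, the IOS form to a 2950-class switch.

```text
! --- CatOS (the 6509 in the thread), trunk to the router on 2/1 ---
set vlan 999 name NATIVE-UNUSED
! hard-code the trunk: no DTP negotiation with whatever gets plugged in
set trunk 2/1 nonegotiate dot1q
! on a dot1q trunk the native VLAN is the port's own VLAN; 999 has no members,
! so an attacker on an access port can never be in the native VLAN and a
! double-tagged frame has no outer tag that the switch would strip
set vlan 999 2/1
! carry only the user VLANs: VLAN 1 user traffic is gone (control protocols
! still run, as the Cisco note says) and so is the native VLAN itself
clear trunk 2/1 1-1005
set trunk 2/1 10-30

! --- IOS (2950-class) equivalent ---
interface FastEthernet0/1
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-30
```

"show trunk 2/1" (CatOS) and "show interfaces fastethernet0/1 trunk" (IOS) should list native VLAN 999 and an allowed list that contains neither 1 nor 999; if the router end was relying on untagged frames, give it a tagged subinterface for its VLAN instead of a native one.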
RE: VPN over Internet [7:39255]
SS,

Point a route for the other end's LAN subnet to your IPSec peer's address. For example, if the far LAN is 10.1.1.0/24 and your IPSec peer's address is 1.1.1.1:

ip route 10.1.1.0 255.255.255.0 1.1.1.1

Create a similar route on the CES for the LAN subnet attached to the Cisco 2610.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 5:07 PM
To: [EMAIL PROTECTED]
Subject: VPN over Internet [7:39255]

Hi

I have a real bad problem. I have a Cisco 2610 Router with IPSEC 3DES IOS. On the other side, I have a Nortel CES 4500. The motive is to establish a VPN tunnel between my router and their switch. On my Cisco router, I have a default gateway as my internet router's LAN interface. So although the tunnel does build up, I do not know how to route my LAN data to the LAN of the other side. How would this data be routed? Traceroute shows that my data, when directed towards the LAN range of the other side, goes to the Internet and gets lost somewhere.

Please help...

SS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39263&t=39255
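Kent's route in context, as an added example (not from the posts): the route only delivers the packets to the interface facing the peer; it is the crypto ACL on that interface that makes the crypto map pick them up and encrypt them, and a packet that misses the ACL follows the default route to the Internet in the clear, which is exactly what SS's traceroute shows. Assumed: local LAN 192.168.1.0/24 behind the 2610, remote LAN 10.1.1.0/24 behind the CES at 1.1.1.1, Internet router 203.0.113.1, a pre-shared key, and the map, ACL and transform-set names.

```text
! default toward the Internet router, and the remote LAN via the IPSec peer
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.1.1.0 255.255.255.0 1.1.1.1
!
! IKE phase 1 and the IPSec proposal, 3DES as in SS's IOS image
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
crypto isakmp key the-preshared-key address 1.1.1.1
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
! Crypto ACL: LAN-to-LAN traffic that must be encrypted. The CES must have the
! mirror image (10.1.1.0/24 -> 192.168.1.0/24) or phase 2 will not complete.
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto map CES 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set 3DES-SHA
 match address 110
!
interface Ethernet0/0
 description outside, toward the Internet router
 crypto map CES
!
! If this router also does NAT for Internet access, exempt the VPN traffic
! from translation (deny it first in the NAT ACL) or the crypto ACL will
! never match the translated source.
```

"show crypto ipsec sa" should show the encaps/decaps counters rising while a host on 192.168.1.0/24 pings 10.1.1.0/24; if the tunnel is up but the counters stay at zero, the packets are taking the default route and the ACL or the static route is the thing to check.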
RE: what is TCP feature ? [7:38987]
John,

I believe the matrix is a list of TCP features that are implemented on the router as an end-system and affect only TCP traffic with the router as the src or dst.

1) Socket API - sockets are a network programming application interface. To me this would only be of interest to Cisco code jockeys.

2) SACK - TCP Selective ACKnowledgement. RFC 2018 and RFC 2883.

I think most of this would be of interest only to Cisco's own coders. It is interesting to know what versions support FTP and RCP, but the support for socket APIs is largely irrelevant unless you need to write code to those sockets.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Green
Sent: Wednesday, March 20, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: what is TCP feature ? [7:38987]

What is the TCP feature in IOS? (Is this related to the TCP SYN attack and a kind of countermeasure towards it?)

The closest reference to it on the Cisco web site is this: http://www.cisco.com/warp/public/732/Tech/matrices/tcp_matrix.html

What is Socket API over TCP? What exactly is this web page trying to convey? What is SACKS?

[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39040&t=38987
RE: Stupid Rip/Default Route question [7:38999]
Aaron,

Do a "debug rip" on each router and see what advertisements it's receiving from the FWs. It sounds like one FW is not advertising any routes. You should see something like this:

RIP: received v1 update from a.b.c.d on 0.0.0.0 in 1 hops

If both FWs are advertising the routes, the routers should behave as you say, they should pick the best route based on metric (hop count). If they have equal cost paths, both routes should appear in the routing table:

R*   0.0.0.0/0 [120/1] via a.b.c.d, 00:00:07,
R    0.0.0.0/0 [120/1] via e.f.g.h, 00:00:08,

Once you have this working, a few things you might also want to consider:

1) Have the Internet router source the default. The best way to do this would be to receive a default route via BGP from your upstream provider and then redistribute the default route into RIP. There are other ways you could do this as well. (It keeps you from having to manually intervene to shut down a FW or an interface.)

2) You may want to consider using RIPv2 and authenticated updates, and you may want to consider tweaking the RIP timers. RIP can take minutes to converge, but if you tweak the update, holddown and flush timers you can get it to converge in a few seconds.

3) You don't say if the outside routers are using the same provider or not and if you have your own address space. Depending on your setup, you'll need to think about a scenario where traffic leaves through one FW but returns through another FW.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Aaron Bowlsbey
Sent: Wednesday, March 20, 2002 8:09 PM
To: [EMAIL PROTECTED]
Subject: Stupid Rip/Default Route question [7:38999]

Sorry if this is obvious.

My network:

Router ---NortelFW--Lan1--router--router--Lan2--NortelFW--Router

RIP is running on both Firewalls and both internal routers. Both NortelFWs are advertising their default route (out their connected external router). Users on both LANs are using their closest internal router as their default gateway. I had hoped that the internal routers would learn of both default routes and select the nearest Firewall as their default route. If anything happened to one of the local loops, I could switch off the connected firewall, which would end the RIP advertisements, and the network would eventually reroute all external traffic out the working Internet link.

I could've sworn that this was working in my test environment and for at least a week in production. Now both internal routers are selecting one default route or the other but not necessarily the best (hop count) route.

Daa, what's wrong with this approach? Firewalls aren't routers??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=39036&t=38999
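Kent's item 2 written out, as an added example (not from the posts): RIPv2 with MD5-authenticated updates and shortened timers on one of the internal routers. Without authentication any host on LAN1 or LAN2 can inject a better default route and take the site's Internet traffic. The key chain name, the key, the interface names, network 10.0.0.0 and the timer values are assumptions; the Nortel firewalls must be configured with the same key and the same timers or they will be ignored.

```text
! key chain: MD5 keys for RIPv2 authentication. Add "accept-lifetime" /
! "send-lifetime" to key 2 later to roll the key without an outage.
key chain RIPKEYS
 key 1
  key-string s3cret-rip-key
!
router rip
 version 2
 no auto-summary
 ! update / invalid / holddown / flush (defaults 30 / 180 / 180 / 240);
 ! these converge in seconds and must match on every RIP speaker
 timers basic 5 15 15 20
 network 10.0.0.0
!
interface FastEthernet0/0
 description toward the Nortel firewall
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
!
interface FastEthernet0/1
 description toward the other internal router
 ip rip authentication mode md5
 ip rip authentication key-chain RIPKEYS
```

"debug ip rip" then shows "received v2 update" lines only from neighbours holding the key; an update with the wrong key is logged as an authentication failure and discarded, which is the behaviour you want when an unauthorised host starts advertising 0.0.0.0/0. "show ip protocols" confirms the timers in effect.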
RE: Cisco's pps claims [7:38956]
Sam,

IIRC, Cisco uses 64 byte packets as the baseline.

FYI, I have been conducting some throughput tests on 2 2621's in the lab and here are some results for you. I used TTCP between 2 Sparc Ultras for the traffic. The Sparc Ultras can generate about 90Mbps with no routers between them, so the 2621's are the limiting factor and not TTCP or the Sparcs. I used a window size of 65,535 and the max packet size for my tests:

                     No fast switching   Fast switching   Netflow     CEF
Plain routing        9.3 Mbps            51.2 Mbps        46.5 Mbps   51.2 Mbps
NAT                  8.1 Mbps            31.5 Mbps        14.1 Mbps   29.5 Mbps
ACL (20 entries)     8.7 Mbps            40.4 Mbps        46.5 Mbps   43.9 Mbps

The IOS used for this testing was 12.1.5(T9). (All numbers are averages of 5 tests, but the deviations were very small.)

The thing I found most interesting was that for the most part, using simple fast switching produced as good or better results than netflow or CEF. The only exception to this was with the ACL, but fast switching was only a few Mbps behind netflow and CEF. Also, notice the surprisingly bad performance of netflow when using NAT. I ran this test many times with different NAT configurations and the results were always consistent. My local Cisco SE didn't really have a good explanation, and I haven't tried to really track down the issue, but I wouldn't use netflow if you're using NAT. :-) (Also notice there is a 40% performance hit when using NAT in the best case.)

Keep in mind these were single, persistent flows, so they did not simulate real-world traffic patterns. However, it does give an idea of the top end performance of the 2621. (Surprisingly better than I expected given the low-end nature of the box.) I should also mention that the CPU hovered around 99% for the duration of the tests.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of sam sneed
Sent: Wednesday, March 20, 2002 12:14 PM
To: [EMAIL PROTECTED]
Subject: Cisco's pps claims [7:38956]

I noticed Cisco uses pps when they give their specs for routers, firewalls, etc. What is the assumed packet size when they come up with these specs? I'm planning on using 2 2621's in HSRP mode (getting default routes via BGP) and need to be able to support a constant 10 Mb/sec and would like to know if these routers will do the trick.

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38976&t=38956
RE: PIX performance problem again ! [7:38955]
Mohannad,

1) Have you taken sniffer traces? If so, what information did they tell you? If you have not taken a sniffer trace, you absolutely need to do this. You need to look at the TCP windows and MSS values and compare the trace through the PIX and without the PIX. If you have the traces you can post a small sample of each trace. You need to provide this information if you want more assistance.

2) Have you opened a case with Cisco TAC? If so, have you escalated the case? This may be a known bug with the code you are running and if you have not opened a case I strongly suggest that you do so.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mohannad Khuffash
Sent: Wednesday, March 20, 2002 11:47 AM
To: [EMAIL PROTECTED]
Subject: PIX performance problem again ! [7:38955]

Dear all,

My problem with the PIX is still present! The throughput between my inside clients and the outside FTP server is still very low! The only node between them is the PIX, and the speed can't be more than 50 KB/s. I have checked the two Cisco fixes for cases like these, DNS pointer and IDENT protocols, but the problem is still present.

Please can anyone help me?

Thanks in advance for your efforts

--
Mohannad N. Khuffash
Network Administrator
Palestine Telecommunication Company
Tel: 00972-02-2982330
Fax: 00972-02-2980235

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38975&t=38955
RE: How to monitor the bridging traffic at routers [7:38758]
Some protocols don't have a layer 3 address; examples of this would be LAT and SNA. Since they have no layer 3 address, you must bridge them. The docs on CCO show how to enable bridging on a router:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/ibm_c/index.htm

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Green
Sent: Tuesday, March 19, 2002 5:16 AM
To: [EMAIL PROTECTED]
Subject: Re: How to monitor the bridging traffic at routers [7:38758]

Can someone explain what this statement means? (with an example of a non-routable protocol)

"As we need to cater some non-routable protocols, bridging is also enabled at all routers."

And how is bridging enabled at a router? (Is this referring to switching being enabled?)

--- dovelet wrote:
> Hi all,
>
> Our company's network is connected using some Cisco 2500 and Cisco 4000 routers. As we need to cater for some non-routable protocols, bridging is also enabled at all routers. I would like to know, are there any methods to monitor which hosts are using bridging through the routers? Of course, I can use a sniffer to capture the traffic, but the network is too large for us to do so.
>
> Please advise.
>
> Regards,
> Dovelet
> [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38839&t=38758
RE: Is cable network really a shared medium? [7:38705]
Sam,

You can check out the DOCSIS standards here: http://www.cablemodem.com/ (check out the "specifications" section)

You should, at a minimum, see broadcasts from the other devices on your cable network. Mostly you will see arp broadcasts, but some Windows users on "raw" cable may still be out there. Here's a quick snip of what I see if I sniff my connection (this is using snoop on solaris):

10.10.104.1 -> (broadcast) ARP C Who is 10.10.107.250, 10.10.107.250 ?
12.220.96.1 -> (broadcast) ARP C Who is 12.220.97.204, 12.220.97.204 ?
12.220.96.1 -> (broadcast) ARP C Who is 12.220.98.16, 12.220.98.16 ?
10.10.100.1 -> (broadcast) ARP C Who is 10.10.103.128, 10.10.103.128 ?
12.220.100.1 -> (broadcast) ARP C Who is 12.220.100.226, 12.220.100.226 ?

(and much more of the same)

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of sam sneed
Sent: Monday, March 18, 2002 11:57 AM
To: [EMAIL PROTECTED]
Subject: Is cable network really a shared medium? [7:38705]

I just changed services from DSL to cable modem. I have heard from people, including Verizon, that cable is not as secure as DSL because it is over a shared medium. I connected to my cable modem and fired up my packet sniffer. I did not see anyone else's traffic on the line so I am assuming the bandwidth is shared (a known fact about cable access) but is somehow filtered at the cable modem (bridge). Does anyone know if this assumption is true and the inside details of how data is transmitted over the cable network? A link to a whitepaper would be great.

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38720&t=38705
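Two of Kent's replies on this page come down to reading snoop summary lines: the PIX throughput thread (compare the TCP window and MSS values in a trace taken through the PIX against one taken without it) and this one (ARP broadcasts from other subscribers on the cable segment). The following is an added example, not part of any post here: a small Python parser for snoop's one-line output that tallies which hosts and subnets are ARPing on the segment and pulls the window and MSS out of each SYN so that two captures can be compared. The ARP lines are the ones quoted above; the TCP lines, the addresses in them and the MSS values are constructed for the example.

```python
"""Parse Solaris snoop summary lines to (a) see who is ARPing on a shared
segment and (b) compare the TCP window / MSS negotiated in two captures.
Added example; the sample text below is constructed, not a real capture."""
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the shape of snoop's default one-line summary output.
# The ARP lines mirror the ones quoted in the reply above; the TCP lines are
# invented: a SYN/SYN-ACK captured on a direct path, and the same handshake
# seen through a firewall that clamps the server's MSS.
SNOOP_DIRECT = """\
10.10.104.1 -> (broadcast) ARP C Who is 10.10.107.250, 10.10.107.250 ?
12.220.96.1 -> (broadcast) ARP C Who is 12.220.97.204, 12.220.97.204 ?
12.220.96.1 -> (broadcast) ARP C Who is 12.220.98.16, 12.220.98.16 ?
10.10.100.1 -> (broadcast) ARP C Who is 10.10.103.128, 10.10.103.128 ?
12.220.100.1 -> (broadcast) ARP C Who is 12.220.100.226, 12.220.100.226 ?
10.1.1.20 -> 192.0.2.10 TCP D=21 S=33002 Syn Seq=1 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
192.0.2.10 -> 10.1.1.20 TCP D=33002 S=21 Syn Ack=2 Seq=9 Len=0 Win=65535 Options=<mss 1460>
"""
SNOOP_VIA_FW = """\
10.1.1.20 -> 192.0.2.10 TCP D=21 S=33003 Syn Seq=1 Len=0 Win=24820 Options=<nop,nop,sackOK,mss 1460>
192.0.2.10 -> 10.1.1.20 TCP D=33003 S=21 Syn Ack=2 Seq=9 Len=0 Win=65535 Options=<mss 536>
"""

ARP_RE = re.compile(r"^(\S+) -> \(broadcast\) ARP C Who is (\S+),")
SYN_RE = re.compile(
    r"^(\S+) -> (\S+) TCP D=(\d+) S=(\d+) Syn.*?Win=(\d+)(?: Options=<([^>]*)>)?")


def arp_requesters(text):
    """{requesting host: number of broadcast ARP requests seen}."""
    counts = Counter()
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def arp_subnets(text, prefixlen=24):
    """Distinct /prefixlen subnets whose hosts are ARPing on the segment.
    More than your own subnet showing up means the wire is shared beyond it."""
    nets = {str(ip_network(f"{host}/{prefixlen}", strict=False))
            for host in arp_requesters(text)}
    return sorted(nets)


def syn_params(text):
    """[(src, dst, window, mss)] for each SYN or SYN-ACK; mss is None if absent."""
    out = []
    for line in text.splitlines():
        m = SYN_RE.match(line)
        if not m:
            continue
        src, dst, _dport, _sport, win, opts = m.groups()
        mss = None
        if opts:
            mm = re.search(r"mss (\d+)", opts)
            if mm:
                mss = int(mm.group(1))
        out.append((src, dst, int(win), mss))
    return out


def compare_handshakes(direct, via_fw):
    """Pair handshake lines by (src, dst) and report every window/MSS that
    differs between the two captures: [((src, dst), direct, via_fw), ...]."""
    d = {(s, t): (w, m) for s, t, w, m in syn_params(direct)}
    f = {(s, t): (w, m) for s, t, w, m in syn_params(via_fw)}
    return [(key, d[key], f[key]) for key in sorted(d.keys() & f.keys())
            if d[key] != f[key]]
```

On a cable segment, several /24s among the ARP requesters is the sign that the segment carries more than your own subnet; for the PIX case, a SYN-ACK whose MSS or window differs between the two captures is the first thing to explain before opening a TAC case.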
RE: PIX 515 throughput problem ?! [7:38698]
Mohannad,

Look at this link, it may be the cause of your problem:

http://www.cisco.com/warp/public/110/21.html

If this is not the reason, try sniffing the connection.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mohannad Khuffash
Sent: Monday, March 18, 2002 10:45 AM
To: [EMAIL PROTECTED]
Subject: PIX 515 throughput problem ?! [7:38698]

Dear All,

I'm facing a problem with PIX 515 throughput. I have tried to download a file from an FTP server located directly on the outside subnet, with my PC located on the inside subnet; both are connected to a Catalyst 2948G, so the only node between them is the PIX. The max speed I got was 60K B/s, and when I connect the two machines directly without the PIX, the speed goes up to 4 M B/s! I have tried all the cases, I have used static NAT, PAT, but always get the same result. The activation key is set to unlimited throughput, and Cisco say the throughput for this type of machine should be 188 M b/s. You can add to your information that I don't use any type of encryption or VPN!

Please, does any one have a comment on this problem?

Regards,
Mohannad N. Khuffash
Network Administrator
Palestine Telecommunication Company

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38706&t=38698
RE: Loopback Interfaces..long reply, read carefully please to [7:38335]
Mark,

You can _advertise_ the whole subnet, but the problem is that once you assign a subnet to the loopback, you cannot assign another interface an IP address in the same address space.

I'm still not sure I understand what you're trying to accomplish here. If you have hosts that will have IP addresses, they'll have to be able to talk to the router using their IP addresses, which means the router will have to have an interface in the devices' subnets. I don't see what the loopback buys you that simply assigning a secondary IP address to the ethernet interface does not.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mark Odette II
Sent: Thursday, March 14, 2002 12:23 PM
To: [EMAIL PROTECTED]
Subject: RE: Loopback Interfaces..long reply, read carefully please to [7:38285]

OK, For some reason, my first time of sending this reply got chopped, so here it is again.

Brian, et al.,

Please Note the following:

***All I wanted to know was: Can the Loopback Interface be used to host a complete subnet (and the Router make routing decisions with this interface), or is its functionality such that it will always respond like an interface configured with a 255.255.255.255 mask, and 86 traffic not destined for IT on the same subnet??

I'm not looking for someone to help me make a completely working config for all routers in this implementation. The idea is to do such:

!Interface FastEthernet0
! description Connected to PIX Outside Interface, and PIX Inside Interface is subnet for Data traffic.
! Ip address x.x.x.x 255.255.255.x
!Interface Loopback0
! description VoIP subnet with VoIP originating/terminating on this Router... other hosts also placed on the same subnet at a later date, and connecting via the Ethernet Port which connects to a switch that the other hosts are also plugging into.
! Ip address 192.168.101.1 255.255.255.0
!Interface Serial0
! NO IP ADDRESS
! Encap Frame-Relay
!Interface Serial0.1
! description Connected to the Internet
! Ip address x.x.x.x x.x.x.252
! interface-dlci 16
!Interface Serial0.100
! description Connected to HQ over PVT FR for Voice traffic
! ip unnumbered loopback0
! interface-dlci 100
! {insert Map-Class Tag here}
!{Insert Route-Maps Here}
!{Insert Voice configuration here... a.k.a. Dial Peers}
!{Insert QoS config here... a.k.a. Map Classes}
!Router EIGRP 1750
!Network 192.168.100.0

>>Brian

"Mark Odette II" wrote in message news:[EMAIL PROTECTED]...
> OK, I'll make the question simpler.
>
> Can you use a loopback interface in the same respect that you would use an ethernet interface?
>
> Create the loopback: Interface Loopback0
> Assign it an IP with a /24 mask: ip address 192.168.10.1
> Configure the subnet assigned to the loopback interface to a routing process, such as EIGRP or RIP.
> Assign many other hosts on a LAN or a WAN an IP address that is in the same subnet as the loopback interface.
> Replicate the above configuration on Router at other end of FR network.
> Add subnet assigned to far-end routers' loopback interface to local EIGRP AS, or RIP; do the same on the far-end routers' config for the same EIGRP AS or RIP configuration.
>
> And then, configure FR Subinterface with IP Unnumbered Loopback0, and route traffic across the FR network, with the traffic originating from either the Router, or another host (if configuration above is legal) on the subnet that is assigned to the Loopback interface.
>
> What I want to do, is configure a VoIP enabled router with a loopback interface assigned to 192.168.10.1, and several LAN hosts with the same subnet assignment, i.e., 192.168.10.2, .3, .4, etc., and a /24 subnet mask for all hosts including loopback interface.
> I then want to create and assign IP Unnumbered loopbackX to a FR P-to-P subinterface.
>
> Create EIGRP AS to route Subnets assigned to loopback interfaces on each respective router.
>
> Mirror image this configuration on the other end of the "wire" (FR Network).
>
> Configure Dial-Peers with VOIP destinations pointing to the loopback interface of the peer router (other end of the FR Network).
>
> Is this Possible??
>
> The reason why I want to use Loopback interfaces, is because I plan to assign a separate subnet to the FastEthernet Interface, and don't believe that the use of the Secondary command will work, i.e., you can't specify IP Unnumbered FastEthernet0 and have the Secondary IP address used; ip unnumbered fastethernet0 will use the FastEthernet's Primary address, which is not desired.
>
> The Primary Subnet assigned to the FastEthernet Interface will be NAT Translating with a PIX FW (PIX will be doing the NAT) to hit the Internet.
>
> For Topology description:
> Router HQ connects to internet on one subinterface, while connecting to 3 remote offices on a private FR network on a second subinterface.
RE: Question on PIX 501 [7:38246]
Justin,

I think you got your answer, but I just wanted to clarify for you that contrary to some of the information you were given, you do _not_ need to configure an access-list on the PIX for outbound traffic. You _do_ have to setup, at a minimum, a "nat" statement. If you are not using nat, you'll need a "nat (inside) 0 0 0" statement. If you are using nat, you'll need something like "nat (inside) 1 0 0" and a corresponding "global (outside) 1 x.x.x.x netmask x.x.x.x" specifying what addresses you are using for your NAT pool.

Once the nat is setup, IP addresses are assigned to the PIX interfaces and default routes are setup, traffic will flow from the inside to the outside. Only return traffic will be allowed from the outside to the inside.

All of this information is on the Cisco site. There are docs in the PIX section that walk you through step by step setting up a PIX for the first time:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin C
Sent: Thursday, March 14, 2002 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]

Mark,

My original question that I sent to the group somehow got lost. Ole was kind enough to respond to a direct query regarding some fun I am having with installing a Pix (501) for the first time. My firewall background is SonicWall and Watchguard, both are very simple in configuration and work directly out of the box. I was under the impression it was pretty much plug and play, so I decided to test it by putting it between my PC and the rest of the LAN. However, after the initial setup, the Pix passed no information through it. So I went to a ping to start the troubleshooting. The curious (to me) issue was that from the console or the PDM of the Pix I can ping network addresses on both sides of the Pix. From the inside of the Pix, I cannot ping (or browse the web) through the Pix. I cannot even ping the outside interface of the Pix from the inside interface.

The specific question is this ... is additional configuration of the Pix required to permit access from the inside interface to the outside interface and beyond? To expand on the topic you and Ole are discussing, is the use of the conduits (or access-lists) required for each and every type of service I want to send from the inside to the outside? I have no problem researching the commands to learn how it is done, I just want to make certain I am on the right path.

Thanks,
Justin

From: "Mark Odette II"
Reply-To: "Mark Odette II"
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]
Date: Thu, 14 Mar 2002 12:45:59 -0500

Forgive me for not reading the book yet, as I've been quite busy too ... but, I have a question in regards to the config line you gave.

I've used the PDM so far for most of the configuration of my PIX, and it creates access-lists rather than conduits. I know from others I've talked with, that Cisco is moving from conduits to access-lists on the PIX configs... this is the question: I configure to allow

ICMP any(Outside) any(Inside) = Echo Reply
ICMP any(Outside) any(Inside) = Time Exceeded
ICMP any(Outside) any(Inside) = Unreachable

Does this do the same thing as what you were saying about "conduit permit any any X"?? I think it does, but just want to make sure that I haven't opened up ICMP completely with it being initiated from the outside.

Thanks!
Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ole Drews Jensen
Sent: Thursday, March 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]

Hi Justin,

When you ping, you use the ICMP protocol. When A pings B, A sends ICMP echo-request (number 8) to B, and B sends ICMP echo-reply (number 0) back to A.

The PIX does not allow ICMP traffic to come from the outside to the inside, so to change that, you will need to open up for ICMP number 0 (echo-reply). The command for that is:

conduit permit icmp any any 0

This is a good way to do it, because then you allow outside devices to reply to your request, but they are not allowed to do a PING themselves.

If you want PING to work both ways, simply use this command:

conduit permit icmp any any

Hth,
Ole

~~~
Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~~~
http://www.RouterChief.com
~~~
NEED A JOB ???
http://www.oledrews.com/job
~~~

-Original Message-
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501

Ole,

Thanks for the reply. I understand being busy. I normally try to solve
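Mark's question, whether the three PDM rules open ICMP from the outside as widely as "conduit permit icmp any any", can be answered by evaluating the two policy styles side by side. The Python below is an added example, not code from the thread or from the PIX itself: it parses Ole's conduit lines and access-list lines of the form the PIX accepts, and reports whether an ICMP message of a given type arriving from the outside is permitted. It models only the ICMP type filter and ignores addresses; the access-list name acl_out is an assumption, since Mark's PDM rules appear as a table rather than as commands.

```python
"""Model the inbound-ICMP part of a PIX policy: parse 'conduit' and
'access-list' permit lines and decide whether an ICMP type from the outside
is let in. Added example, not PIX code; addresses are ignored."""
import re

# ICMP type keywords used in the thread and their type numbers.
ICMP_TYPES = {"echo-reply": 0, "unreachable": 3, "echo": 8, "time-exceeded": 11}

# 'conduit permit icmp any any [type]' or 'access-list <name> permit icmp any any [type]'
LINE_RE = re.compile(
    r"^(?:conduit|access-list\s+\S+)\s+permit\s+icmp\s+any\s+any(?:\s+(\S+))?\s*$")


def parse_icmp_policy(config_text):
    """Return the set of permitted ICMP type numbers, or None when a bare
    'permit icmp any any' permits every type."""
    permitted = set()
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ICMP permit line of the forms modelled here
        t = m.group(1)
        if t is None:
            return None  # no type given: all ICMP types permitted
        permitted.add(int(t) if t.isdigit() else ICMP_TYPES[t])
    return permitted


def inbound_icmp_permitted(policy, icmp_type):
    """True if an ICMP message of icmp_type arriving from the outside passes."""
    return policy is None or icmp_type in policy


def can_outside_ping_inside(config_text):
    """A ping initiated from the outside needs echo (type 8) to be let in."""
    return inbound_icmp_permitted(parse_icmp_policy(config_text), ICMP_TYPES["echo"])


# Constructed config snippets. MARK_ACL is Mark's three PDM rules written as
# PIX access-list commands (the name acl_out is assumed); the other two are
# Ole's conduit lines as quoted in the thread.
MARK_ACL = """\
access-list acl_out permit icmp any any echo-reply
access-list acl_out permit icmp any any time-exceeded
access-list acl_out permit icmp any any unreachable
"""
OLE_REPLY_ONLY = "conduit permit icmp any any 0\n"
OLE_BOTH_WAYS = "conduit permit icmp any any\n"
```

Mark's three rules and Ole's "conduit permit icmp any any 0" both leave echo (type 8) blocked from the outside, so neither lets an outside host ping inward; only the bare "conduit permit icmp any any" does.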
RE: you American need to think [7:38323]
Jim,

I normally ignore these sorts of way OT posts, however I am so glad that individuals such as yourself feel that you can better the lives of all of us morally degenerate Americans by instructing us on the proper rules of life and giving us so much to think about. I am so glad that individuals such as yourself can stand at a distance and offer your opinions and advice to those of us who are obviously in so dire a need for it since you, wherever you're from, have _such_ an obviously superior country since you have not had planes drop out of your sky into large buildings full of innocent people.

Allow me to reciprocate. Here's my advice:

The next time you feel the need to express your opinions, buy a dog. I'm sure it will be happy to listen to whatever topics you wish to expound on. (or a cat, hamster, whooping crane, or whatever pet seems best for you) Perhaps you can even get them an email and send them messages if you can't restrain your idle hands. Till then, try keeping your non-Cisco related opinions to yourself. I, for one, have had about as much Monday morning quarterbacking from non-Americans on this topic as I can stomach in this life, especially on mailing lists which have NOTHING WHATSOEVER TO DO WITH THIS BS!

Warmest regards,
Kent

PS Apologies to the list members for the OT post

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jim Bond
Sent: Thursday, March 14, 2002 4:26 PM
To: [EMAIL PROTECTED]
Subject: OT: you American need to think [7:38323]

Sorry for wasting your bandwidth, but I have to say this.

Being rich is good; being smart is good. But if you treat others like sxxt, others will treat you like sxxt too. Think about this: if you are a CCNA and your CCIE co-worker says you're "stupid" or "dumb", will you respect him? There are so many knowledgeable and friendly people on this list, but there are some rude and arrogant people too.

I agree that Bin Laden is a murderer, an evil, but you American need to think why he only attacks US, not Germany or Russia or Japan or others. Show some respect to others, it won't make you poor. Also remember that there are always someone richer and smarter than you.

Over. Dismiss.

Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38333&t=38323
RE: Aironet to Cable Modem [7:38212]
The problem is that most likely you are using a subnet for your wireless net that is not routable. For example, if you're using 192.168.1.0/24 for your wireless IPs, you cannot use those addresses on the Internet; you'll need a NATing device like a Linksys router or some other low end NAT capable broadband router. This device will sit between your cable modem and your AP. The outside IP of the router will get its address from the cable provider and then you can use private addressing on your AP and the NAT gateway will take care of translating your internal addresses to the router's legal IP.

You can pick up a Linksys router at CompUSA for a little over $100 that will work fine. You can get one with a built-in hub if you don't already have a hub/switch laying around, but it will cost a little more.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 1:46 AM
To: [EMAIL PROTECTED]
Subject: Aironet to Cable Modem [7:38212]

First off I am not familiar with the aironet line! I have a cable modem (dynamic ip address) connected to an Aironet 350 AP (AIR-AP352E2C). I am able to get the aironet dynamic ip assigned to the ethernet interface (from the cable company dhcp servers). I was able to assign a static ip to the AP radio interface and connect via my wireless nic (static ip). But, I cannot access the internet via the cable modem. My guess is that it is more of a switch than a router. I was hopeful it had a little bit of routing capabilities. I assume that because the ethernet int and AP radio int are on different subnets that is the reason I can't talk. But, again I am not sure and hope someone can help me out!!! I would like any advice to get this working without any other equipment. I was hoping to do this without using one of my routers! Also, is there any way to configure it as a DHCP server? And any config advice would be helpful!!!

Thanks for any advice you may give me!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38331&t=38212
RE: Is this possible? [7:38098]
Yes, you'll need to configure the PIX to use AAA and have it speak Radius or TACACS+ to the ACE server:

How to do AAA with the PIX:
http://www.cisco.com/warp/public/110/atp52.html

Info on Cisco talking to ACE server:
http://www.rsasecurity.com/support/guides/imp_pdfs/Cisco_Remote_Access_Servers_and_Pix_FW.pdf

You can probably get more info from the RSA site.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Johnson, Richard (NY Int)
Sent: Wednesday, March 13, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: Is this possible? [7:38098]

Hi All,

Is it possible to do the following. I have a Citrix server on my internal network which has an outside address via NAT. On the PIX port 1494, ICA client, is open and is obviously allowed to come in. The user is then prompted for a user name and password. Upon entering this information, they are then prompted for the pin and secure ID by our RSA server. My question is this: as opposed to having the Citrix server prompt them for their RSA info, I would love for them to be prompted by the firewall. Any ideas if it can?

Thanks,
Rich

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38138&t=38098
RE: EIGRP Metric and Route inconcistence [7:38043]
What you're describing is fairly common and you can "fix" this by adjusting the delay metric of router interfaces in your path. In your example, you could adjust the delay between the routers so that the path metrics are equal. This is, as you note, the preferred approach with IGRP/EIGRP to manipulate metrics. One thing to note though is that by making the paths appear equal, you are, in fact, "lying" to the router R1. Since the real bw and delay are not equal, the router is doing what it should do, pick the path with the most preferred route based on these factors.

If you have multiple routes with unequal cost, you can use the "variance" command in IGRP/EIGRP so that you can send a fraction of packets over the lesser preferred path. In your case, if you used the command "variance 2" under the EIGRP statement for R1, it would consider alternative, less preferred paths as long as they were less than or equal to (2*preferred path metric). The router would then send half as many packets along the less preferred path as the most preferred path. If you used "variance 3" it would use (3*preferred path metric) and send 1/3 as many packets, etc. etc. for any n value "variance n".

In your scenario, using the variance command may be preferred since you may not want a less preferred path getting the same amount of packets as the most preferred path. Then again, since the delay values are so close, the paths may, for all practical purposes, be roughly equal in performance, so equal sharing of the paths may be better. That's something you would have to determine in practice, based on your particular network traffic's characteristics.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 6:30 PM
To: [EMAIL PROTECTED]
Subject: EIGRP Metric and Route inconcistence [7:38043]

Hi,

By default EIGRP uses 2 metrics: Bandwidth and Delay to calculate routes. It is recommended that we should not change the actual Bandwidth, but we can change the interface delay for traffic engineering purposes. The metric is: Min Bandwidth + Cumulative Delay. This can end up with a problem of "route inconsistency". Here is my counter example:

         R2
        /  \
       /    \
    R1        R4-R5
       \    /
        \  /
         R3

Link 1-2 : Bandwidth = 10M, delay = 10ms
     2-4 : Bandwidth = 20M, delay = 5ms
     1-3 : Bandwidth = 20M, delay = 15ms
     3-4 : Bandwidth = 20M, delay = 5ms
     4-5 : Bandwidth = 10M, delay = 10ms

The traffic from R1 to a network directly connected to R4 will be load balanced between routes R1-R2-R4 and R1-R3-R4, because the metrics of the two routes are the same:

R1-R2-R4 = Bandwidth (i.e. 10^7 / 1) + Delay (i.e. 1000 + 500) = 1000 + 1000 + 500 = 2500
R1-R3-R4 = 500 + 1500 + 500 = 2500

However, traffic from R1 heading for R5 is not load-balanced because the metric R1-R2-R4-R5 is 3500 while the metric R1-R3-R4-R5 = 4000, that means all traffic from R1 -> R5 will go via R2.

That is a kind of inconsistency, which may lead to bottleneck, and cause difficulty for traffic engineering.

Could you please tell me if I am wrong or right? If I am right, how can we overcome this problem?

Thanks a lot.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=38118&t=38043
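As an added example, not from either post, the Python below reproduces the poster's metric arithmetic for the topology above and then applies the check Kent describes for "variance n", including EIGRP's feasibility condition (the next hop's own distance to the destination must be lower than R1's best metric before that next hop may carry traffic). Link values are taken from the post's table; the default K values (K1 = K3 = 1, the others 0) and EIGRP's 256 scaling factor are assumptions about the router configuration, and scale=1 reproduces the unscaled numbers in the post.

```python
"""EIGRP composite metric and 'variance' check for the five-router topology
in the post above. Added example, not IOS code. With default K values the
metric is 256 * (10^7 / min_bw_kbps + sum_delay / 10us)."""

# Constructed from the link table in the post: (bandwidth kbit/s, delay in
# microseconds). Links are bidirectional with the same values both ways.
LINKS = {
    ("R1", "R2"): (10_000, 10_000),
    ("R2", "R4"): (20_000, 5_000),
    ("R1", "R3"): (20_000, 15_000),
    ("R3", "R4"): (20_000, 5_000),
    ("R4", "R5"): (10_000, 10_000),
}


def link(a, b):
    """(bandwidth, delay) of the undirected link a-b."""
    return LINKS.get((a, b)) or LINKS[(b, a)]


def neighbors(node):
    return sorted(b if a == node else a for a, b in LINKS if node in (a, b))


def all_paths(src, dst):
    """Every loop-free path from src to dst, as lists of router names."""
    paths = []

    def walk(path):
        here = path[-1]
        if here == dst:
            paths.append(list(path))
            return
        for nxt in neighbors(here):
            if nxt not in path:
                walk(path + [nxt])

    walk([src])
    return paths


def metric(path, scale=256):
    """Composite metric along a path. scale=1 gives the unscaled numbers used
    in the post; EIGRP itself multiplies by 256 (assumed default K values)."""
    if len(path) < 2:
        return 0
    hops = [link(a, b) for a, b in zip(path, path[1:])]
    min_bw = min(bw for bw, _ in hops)
    delay_units = sum(d for _, d in hops) // 10   # IOS delay is in tens of microseconds
    return scale * (10**7 // min_bw + delay_units)


def usable_paths(src, dst, variance=1, scale=256):
    """Paths the router at src would install for dst with 'variance <n>':
    the path metric must be <= variance * feasible distance (the best metric),
    and the next hop's own distance to dst must be below that feasible
    distance (feasibility condition), or the path is not loop-free."""
    paths = all_paths(src, dst)
    fd = min(metric(p, scale) for p in paths)
    chosen = []
    for p in paths:
        reported = metric(p[1:], scale)   # next hop's advertised distance to dst
        if reported < fd and metric(p, scale) <= variance * fd:
            chosen.append(p)
    return chosen
```

For R1 to R4 both paths come out at 2500 and are installed with the default variance 1; for R1 to R5 only the 3500 path via R2 is installed until variance 2 lets the 4000 path via R3 in, and it passes the feasibility condition because R3's own distance to R5 (2500) is below R1's best metric (3500).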
RE: DHCP across PIX [7:37286]
You cannot. The PIX does not support forwarding of DHCP requests (or any broadcast for that matter). Your only options are to hard-code your IP address or use the DHCP server built into the PIX.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of kenairs
Sent: Tuesday, March 05, 2002 9:08 AM
To: [EMAIL PROTECTED]
Subject: DHCP across PIX [7:37286]

Hi,

My PCs are located on one of the PIX interfaces. There is a DHCP server on the other interface. How do I let the DHCP packets go through? Broadcast?

Tks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=37329&t=37286
RE: Another Security Advisory [7:36823]
I assume that this would have to be a "crafted" packet since, as you say, it would be awfully strange to see normal traffic matching this description.

For example, assume I created the following packet:

[ethernet header] + 46 data bytes + 4 byte crc = 64 byte packet

Normal IP total length = 46 bytes (20 byte header + 26 bytes of data)

Now I forge the total length field in the IP header and change it to say the IP packet is actually 100 bytes long instead of only 46 bytes. This bug would cause the router to give me 54 bytes of previous packet data. I could expand this to "capture" up to 1500-46 = 1454 bytes of possibly useful data from previous packets. (there are programs that allow you to create packets in any way you want, such as those at http://www.packetfactory.net)

In order for this to be really useful though, the attacker would have to have a way of viewing those packets after they transit the router, which implies that they can establish valid conversations through the router in question back to a host they have access to view the packets on. (or something listening on the other side of the router for them)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Priscilla Oppenheimer
Sent: Thursday, February 28, 2002 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Another Security Advisory [7:36823]

This is awfully strange. When would the "packet length described in the IP header be larger than the physical packet size?" I've never seen such a thing.

If what they are really trying to say is that the packet must go out on a data-link that has a minimum size and thus must be padded, then the description of the problem makes sense. I've seen that. For example when IP has a packet to send that is shorter than the Ethernet 64-byte minimum, then padding is required. And I have seen security issues with this. I have seen hosts (not routers though) pad with left over data that was sensitive. (I saw a password in the Ethernet pad once!)

OK, I've typed enough to avoid the GroupStudy bug that filters URLs at the beginning of messages. I really wanted to say that the URL in the original message got chopped. The URL to the security advisory is:

http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml

Priscilla

At 12:38 PM 2/28/02, Kaminski, Shawn G wrote:
>Here's another one:
>
>Cisco Security Advisory: Data Leak with Cisco Express Forwarding Enabled
>
>Revision 1.0
>
>For Public Release 2002 February 27 08:00 (UTC -0800)
>
>- - -
>
>Summary
>===
>
>All Cisco devices running Cisco IOS(r) and having Cisco Express Forwarding (CEF) enabled can leak information from previous packets that have been handled by the device. This can happen if the packet length described in the IP header is bigger than the physical packet size. Packets like these will be expanded to fit the IP length and, during that expansion, an information leak may occur. Please note that an attacker can only collect parts of some packets but not the whole session.
>
>No other Cisco product is vulnerable. Devices that are having fast switching enabled are not affected by this vulnerability.
>
>The workaround for this vulnerability is to disable CEF.
>
>This advisory is available at the http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml.
>
>Affected Products
>=
>
>All Cisco IOS releases that are supporting CEF are vulnerable. In order to trigger this vulnerability CEF or dCEF must be enabled on the device. The vulnerable Cisco IOS releases are (this is not an exhaustive list):
>
> * 11.1CC
> * 12.0, 12.0S, 12.0T, 12.0ST
> * 12.1, 12.1E, 12.1T
> * 12.2, 12.2T
>
>No other Cisco products are affected.
>
>Details
>===
>
>When a router receives a packet where MAC level packet length is shorter than is indicated by the IP level, the router will "extend" the packet to the size indicated by the IP level. This extension will be done by padding the packet with arbitrary data. The issue here is that padding may contain data from previous packets that has not been erased.
>
>Although it is possible to trigger this vulnerability on command, it is not possible to predict what information would be collected this way. It is not possible for an attacker to selectively capture desired packets (for example, packets with username and password combination).
>
>This vulnerability is specific to CEF. Fast switching is not affected by it.
>
>This vulnerability is documented as Cisco Bug ID CSCdu20643. For the Cisco IOS 11.1CC image, this vulnerability is described as Cisco Bug ID CSCdp58360.
>
>Impact
>==
>
>By sending malformed packets, and capturing them after they have been processed by CEF, an attacker may find remnants of previous packets in them. The remnant data may contain whatever the previous packet has carried. That may be parts of a document, mail or any other c
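The advisory's trigger condition can be checked mechanically on a capture: an IPv4 total length that exceeds the bytes actually present after the Ethernet header, as in Kent's 46-byte versus 100-byte example, is exactly the case that makes the router pad from stale buffer memory, whereas the ordinary short-frame padding Priscilla describes is a total length smaller than the frame and is benign. The Python below is an added example, not from the advisory or the thread; the frames are constructed in memory (the 192.0.2.x addresses are documentation addresses) and nothing is sent.

```python
"""Flag captured IPv4 frames whose IP total length claims more bytes than the
frame carries (the condition in the CEF advisory quoted above), while treating
ordinary Ethernet padding as benign. Added example; frames are built in memory."""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def build_ipv4_frame(payload, claimed_total_len=None, min_frame=60):
    """Construct an Ethernet + IPv4 frame (no FCS) around payload, for testing.
    claimed_total_len overrides the IP total-length field so a test can model
    a malformed header; min_frame pads short frames the way a sender would."""
    ip_total = 20 + len(payload) if claimed_total_len is None else claimed_total_len
    # version/IHL, TOS, total length, id, flags/frag, TTL, protocol (17 = UDP),
    # checksum (left 0, irrelevant to the length check), src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth_hdr = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth_hdr + ip_hdr + payload
    return frame + b"\x00" * max(0, min_frame - len(frame))


def ip_length_check(frame):
    """Return (claimed, available, excess) for an IPv4 frame, or None for
    non-IPv4. excess > 0 means the IP header asks for more bytes than the frame
    holds; excess == 0 covers both exact-length and padded frames."""
    if len(frame) < ETH_HDR_LEN + 20:
        raise ValueError("frame too short for an IPv4 header")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    claimed = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    available = len(frame) - ETH_HDR_LEN
    return claimed, available, max(0, claimed - available)


def find_overclaimed(frames):
    """Indexes of frames that would take the pad-to-IP-length path on the router."""
    return [i for i, f in enumerate(frames)
            if (r := ip_length_check(f)) and r[2] > 0]


# Constructed samples: Kent's normal packet (46 bytes after the Ethernet header),
# the same packet with the total length field claiming 100 bytes (54 bytes of
# excess), and a short packet padded by the sender to the Ethernet minimum.
NORMAL = build_ipv4_frame(b"x" * 26)
OVERCLAIMED = build_ipv4_frame(b"x" * 26, claimed_total_len=100)
PADDED = build_ipv4_frame(b"x" * 4)
```

Only the over-claimed frame is reported; the padded one has a total length (24) below the 46 bytes on the wire, which is the normal minimum-frame case and not what the advisory describes.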
RE: question about stateful inspection [7:36817]
As far as I can tell, it means essentially nothing. All SPI is, by definition, "multi layer" since it tracks at least both layer 3 and layer 4. It looks like a term added to SPI to make it sound like it's looking at more "layers". It's probably a term cooked up by the marketing departments of SPI firewall vendors. You see things like this a lot, especially in the security product arena. Companies invent terms to make their technology sound new or unique when they are neither.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Green
Sent: Thursday, February 28, 2002 9:13 AM
To: [EMAIL PROTECTED]
Subject: question about stateful inspection [7:36817]

What is multilayer stateful inspection? Stateful inspection is understood fine, but what does the prefix multilayer denote or mean?

State refers to the state of session information that is temporarily kept in a state table for open connections and is wiped or erased when the session ends. BUT what does multilayer mean here?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36832&t=36817
RE: firewall feature set not in 4000 series [7:36768]
John,

You're correct, there is no support for the FFS on the 4x00 platform and there probably never will be. Cisco has EOLed the 4x00 series and is not going to continue development on that platform, although they will continue supporting it for some time. The midrange router of choice is the 3600 series.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Green
Sent: Wednesday, February 27, 2002 9:05 PM
To: [EMAIL PROTECTED]
Subject: firewall feature set not in 4000 series [7:36768]

Is it true that there is no support for the firewall feature set for 4000 series Cisco routers? Though they are supported in the 7100 and 7200 series, why not the 4000 series? Any special reason? (All the rest of the series are supported, like 3600, 2500 and 2600 etc)...

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=36810&t=36768