Re: Superstitious Switches? [7:72746]

2003-07-23 Thread Kent Hundley
It's a long story...

http://www.naplesnews.com/today/restate/a120401k.htm

-Kent

On Wed, 2003-07-23 at 11:28, Raj wrote:
> Does anybody know when and how the number 13 got so unpopular? What's the
> story behind it?
> 
> 
> ""MADMAN""  wrote in message
> news:[EMAIL PROTECTED]
> > There is a reason many hotels don't have a 13th floor;)
> >
> >Dave
> >
> > John Neiberger wrote:
> > > This is not a joke, I promise, but it is very strange. Have any of you
> > > noticed that by far the most problematic port on the Catalyst 2950
> > > switches is port 13?
> > >
> > > I'd bet money that at least 20% of the time we have a problem with a
> > > device connected to these switches they're connected to port 13. Just in
> > > the last two days we've had to troubleshoot *three* separate instances
> > > of users in port 13 on these switches, and I can think of at least three
> > > more in the past. I once had to RMA a 2950 because port 13 died.
> > >
> > > Doesn't this seem a little odd?  I think I'm going to stop walking
> > > underneath ladders until I get this resolved!
> > >
> > > John
> > -- 
> > David Madland
> > CCIE# 2016
> > Sr. Network Engineer
> > Qwest Communications
> > 612-664-3367
> >
> > "Government can do something for the people only in proportion as it
> > can do something to the people." -- Thomas Jefferson




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72822&t=72746
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


Re: Slow File Transfers After Server Upgrade [7:72402]

2003-07-16 Thread Kent Hundley
John,

A few things I would look at:

1) What is the MSS value that is passed between the servers during the
initial TCP setup?

2) What is the value of the MTU on the servers? 

3) Are there any name resolution issues? I have seen Solaris boxes keep
trying to resolve the DNS name of a client station and have extremely
slow network performance as a result.

4) Are there any "weird" TCP options being negotiated, such as Selective
ACK or Window Scale?  Since these options aren't often used, there may
be a bug in a server's TCP stack if these options are negotiated at
startup.

5) Have you checked the speed and duplex settings on the Solaris box?

In any case, a sniffer should tell the story.  Just running snoop on the
Solaris box will probably give you the info you need.

HTH,
Kent

On Wed, 2003-07-16 at 11:57, John Neiberger wrote:
> We have a Windows server connected to a 6513 at 100/Full that does nightly
> backups (about 20GB) to a Solaris server connected to the same switch via
> gigabit ethernet. Prior to a recent upgrade the Windows server could upload
> approximately 5MBytes/s to the Solaris server. The Solaris server was
> replaced with much faster hardware and the OS was upgraded from Solaris 8 to
> Solaris 9. Novell servers doing backups to this server have continued to
> upload at about the same speed as before, while other Solaris servers seem
> to be uploading faster than before.
> 
> The weird thing is that the Windows server uploads have dropped in speed by
> about 80%! We now see only about 1MB/s. This drop was seen on all Windows
> servers doing backups to this Solaris server. My guess is that there is some
> funky issue with TCP between Windows and Solaris 9. I'm going to capture
> some transfers to see if I can spot the problem.
> 
> Any ideas on what to look for right off the bat? Any tips from anyone who
> has seen this sort of thing before?
> 
> Thanks,
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72421&t=72402
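Kent's first, second and fourth checks (MSS, MTU, Window Scale and Selective ACK) are all visible in the option bytes of the SYN, which is what snoop or tcpdump shows you. The parser below is an added example, not code from the thread; the packets are constructed, and the MTU check assumes IPv4 with no IP options (40 bytes of headers).

```python
"""Pull the values Kent lists (MSS, Window Scale, Selective ACK, plus the
advertised window) out of a raw TCP SYN header, the way you would read them
off a snoop or tcpdump capture.  Packets here are constructed for the
example; they are not captures from the servers in the thread."""
import struct

# TCP option kinds: RFC 793 (EOL, NOP, MSS), RFC 7323 (WS, TS), RFC 2018 (SACK-permitted)
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_OK, OPT_TIMESTAMP = 0, 1, 2, 3, 4, 8
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def parse_tcp_header(tcp_header: bytes) -> dict:
    """Decode ports, flags, window and the negotiable options of a TCP header.

    Expects the segment starting at the TCP header (IP header already removed).
    Malformed option lengths raise ValueError instead of being skipped silently,
    since a bad length is itself worth noticing in a capture.
    """
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp_header[:16])
    data_offset = (off_flags >> 12) * 4          # header length in bytes, options included
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("data offset outside the captured header")
    info = {
        "sport": sport, "dport": dport,
        "syn": bool(off_flags & FLAG_SYN), "ack": bool(off_flags & FLAG_ACK),
        "window": window, "mss": None, "wscale": None,
        "sack_permitted": False, "timestamps": False,
    }
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break                                 # rest of the option space is padding
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d has no length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (kind, length))
        body = opts[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            info["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            info["wscale"] = body[0]              # shift count; RFC 7323 caps it at 14
        elif kind == OPT_SACK_OK and length == 2:
            info["sack_permitted"] = True
        elif kind == OPT_TIMESTAMP and length == 10:
            info["timestamps"] = True
        i += length                               # unknown kinds are skipped by length
    return info


def effective_window(info: dict) -> int:
    """Receive window in bytes after applying the scale factor (0 if none)."""
    return info["window"] << (info["wscale"] or 0)


def mss_findings(info: dict, link_mtu: int = 1500) -> list:
    """Check the advertised MSS against the MTU (IPv4 + TCP headers = 40 bytes)."""
    largest_ok = link_mtu - 40
    if info["mss"] is None:
        return ["no MSS option: the peer falls back to the 536-byte default"]
    if info["mss"] > largest_ok:
        return ["MSS %d exceeds MTU %d - 40 = %d; segments will need "
                "fragmentation or path-MTU discovery" % (info["mss"], link_mtu, largest_ok)]
    return []


def build_syn(sport: int, dport: int, window: int, options: bytes) -> bytes:
    """Assemble a SYN header with the given options, EOL-padded to a 4-byte multiple."""
    options += b"\x00" * (-len(options) % 4)
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                        (data_offset << 12) | FLAG_SYN, window, 0, 0)
    return fixed + options


# Constructed SYNs: a modern stack (MSS 1460, WS 7, SACK-OK, timestamps) and a
# minimal one (MSS only, no scaling) such as an older or oddly configured host.
FULL_OPTIONS = (bytes([OPT_MSS, 4]) + struct.pack("!H", 1460) + bytes([OPT_NOP])
                + bytes([OPT_WSCALE, 3, 7]) + bytes([OPT_NOP, OPT_NOP])
                + bytes([OPT_SACK_OK, 2])
                + bytes([OPT_TIMESTAMP, 10]) + struct.pack("!II", 12345, 0))
SYN_FULL = build_syn(1034, 21, 65535, FULL_OPTIONS)
SYN_MINIMAL = build_syn(1035, 21, 8760, bytes([OPT_MSS, 4]) + struct.pack("!H", 1460))

if __name__ == "__main__":
    for name, pkt in (("full", SYN_FULL), ("minimal", SYN_MINIMAL)):
        info = parse_tcp_header(pkt)
        print(name, info, "window:", effective_window(info), mss_findings(info, 1492))
```

Feed it the 20-plus bytes after the IP header of each side's SYN and compare the two dicts: a scale factor or SACK on one side only is exactly the kind of asymmetry Kent's fourth point is about.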


Re: Sniffer Recommendation [7:72372]

2003-07-16 Thread Kent Hundley
There are various tools to do this, as far as I know they all work based
on the ability to spoof arp replies.  Here are a few links:

http://monkey.org/~dugsong/dsniff/
(a host of tools for sniffing through various spoofing attacks)

http://www.phenoelit.de/fr/tools.html
(specifically just for arp spoofing although they have some other
interesting tools)

Be aware that if you have a busy network, some of these tools could
potentially be disruptive depending on how they are used.  Be also aware
that if you don't have authority to use these tools on the network in
question, using them is probably a good reason for termination of
employment.  

I don't recommend you use these tools unless you know what you are doing
_and_ you have explicit authorization from the network owner to use
them.  It's far better to just span the port or use VACLs. In other
words, use these tools at your own risk.

HTH,
Kent


On Wed, 2003-07-16 at 00:32, Nathan wrote:
> I need a sniffer that doesn't require spanning a port.  Any suggestions?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=72398&t=72372


Re: hacking challenge [7:66720]

2003-04-03 Thread Kent Hundley
Rusty,

I'm not clear from your question if there is an acl blocking everything
inbound to the nt servers except smtp and telnet or if the acl is for
inbound to the router itself.  In the former case, unless your client is
forcing their users to use good passwords, it's likely that a brute
force telnet attempt would succeed in anywhere from a few hours to a few
days, ditto for brute force on the router. If they're not logging failed
login attempts, they would never know this was occurring.  

If they have no filtering of any kind inbound to their servers, there
are many netbios/nt vulnerabilities that they could be susceptible to,
without knowing more specifics about the patches applied and the
services being run I can't give you anything more specific.  You can
search on securityfocus.com to see what might be applicable to your
client.

One thing to keep in mind: for a small site the Cisco firewall feature
set may be adequate.  At the very least, a correctly configured
access-list provides some rudimentary protection.  See the cisco site or
Phrack issue 52 for info on Cisco router security. (phrack.com)  

Also, security works best when applied in layers.  It's not enough to
have a firewall, enabling centralized logging, patching and hardening
servers, backup procedures and implementing change control procedures
are just a few of the things that need to be done as well.  A firewall
is just the beginning.

HTH,
Kent

PS If you're trying to get your client to take security seriously, you
should probably begin by asking business questions like: "What is the
worth of the information contained on your servers? How long could you
operate without that information?  If you lost all of the information on
your servers, could your business operate? Are you aware of how much
money businesses lost last year due to security breaches according to
the FBI/CSI annual report?  Are you aware of the potential legal issues
related to not following "due care" practices for securing your
information infrastructure, etc. etc."

On Wed, 2003-04-02 at 19:09, Wilmes, Rusty wrote:
> this is a general question for the security specialists.
> 
> I'm trying to convince a client that they need a firewall
> 
> so hypothetically, 
> 
> if you had telnet via the internet open to a router (with an access list
> that allowed smtp and telnet) (assuming you didn't know the telnet password
> or the enable password) that had a bunch of nt servers on another interface,
> how long would it take a determined hacker a) to cause some kind of network
> downtime and b) to map a network drive to a share on a file server over the
> internet.
> 
> Thanks,
> Rusty
> 
> > -Original Message-
> > From: Larry Letterman [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, April 02, 2003 1:44 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: VLAN loop problem [7:66656]
> > 
> > 
> > Yes,
> > it prevents loops in spanning tree on layer 2 switches from 
> > causing a loop
> > by disabling the port on a cisco switch...
> > 
> > 
> > Larry Letterman
> > Network Engineer
> > Cisco Systems
> > 
> > 
> > 
> > 
> > 
> > > -Original Message-
> > > From: [EMAIL PROTECTED] 
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > > Thomas N.
> > > Sent: Wednesday, April 02, 2003 12:18 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: VLAN loop problem [7:66656]
> > >
> > >
> > > What does "portfast bpdu-guard" do?  Does it prevent interfaces with
> > > portfast enabled from causing the loop in my scenario?
> > >
> > >
> > > ""Larry Letterman""  wrote in message
> > > news:[EMAIL PROTECTED]
> > >
> > > > port mac address security might work, although it's a lot of admin
> > > > overhead..are you running portfast bpdu-guard on the access ports?
> > > >
> > > >
> > > > Larry Letterman
> > > > Network Engineer
> > > > Cisco Systems
> > > >
> > > >
> > > >   - Original Message -
> > > >   From: Thomas N.
> > > >   To: [EMAIL PROTECTED]
> > > >   Sent: Tuesday, April 01, 2003 8:14 PM
> > > >   Subject: VLAN loop problem [7:66656]
> > > >
> > > >
> > > >   Hi All,
> > > >
> > > >   I got a problem in the production campus LAN here between VLANs.
> > > >   Please help me out!  Below is the scenario:
> > > >
> > > >   We have VLAN 10 (10.10.x.x) and VLAN 20 (10.20.x.x) subnets.
> > > >   Routing is enabled/allowed between the two subnets using the MSFC
> > > >   of the 6500.  Each subnet has a DHCP server to assign IP addresses
> > > >   to devices on its subnet.  Spanning-tree is enabled; however,
> > > >   portfast is turned on on all non-trunking/uplink ports.  Recently,
> > > >   devices on VLAN 10 got assigned an IP address of 10.20.x.x, which
> > > >   is from the DHCP on the other scope and also from the 10.10.x.x
> > > >   scope, and vice versa.  It seems that we have a loop somewhere
> > > >   between the 2 subnets but we don't know where.  I noticed lots of
> > > >   end users have a little unmanaged hub/switch hanging off the network
> > > >   jack

Re: Info about cisco IDS [7:66238]

2003-03-26 Thread Kent Hundley
AFAIK, no. Cisco IDS was purchased from the Wheel Group and previously
went by the name Netranger.

Regards,
Kent

On Wed, 2003-03-26 at 07:12, ritul wrote:
> Hi !
> 
> I want to know, is Snort used with Cisco IDS?
> 
> Ritul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66255&t=66238


Re: PIX Question [7:65095]

2003-03-12 Thread Kent Hundley
Manny,

A couple of thoughts, not necessarily in order of applicability:

1) Change the timeout values for idle connections for conn (connection
slot) from 1 hr to 5-10 min and change the xlate timeout from 3 hrs to
5-10 minutes. These are idle timeouts and will probably work for most
environments unless you have a lot of low traffic, long timeout
connections. (uses the 'timeout' command)

2) Enable aaa authorization for at least ftp and http.  Force users to
authenticate before using those services.

3) Log PIX messages to a syslog server, monitor it for xlate problems
with something like logsurfer.

4) Install an IDS system and monitor for failed FTP logins.

Obviously, these are not mutually exclusive.

HTH,
Kent

On Tue, 2003-03-11 at 16:04, Manny wrote:
> I ran into a situation today where we had a machine that was trying to FTP
> through the firewall. We allow FTP outbound. The problem that came up was
> that the user had no idea that an FTP client was setup on his machine. The
> FTP client (spyware) kept trying to connect to a server (ispynow.com) using
> the incorrect user name and password. For every attempt an xlate entry was
> created. It created about 7000 entries in a matter of minutes. The firewall
> was paralyzed. I had to console in and look at the xlate table. Even through
> the console I had a hard time viewing the table. Is there any way to prevent
> this from happening again? This is the second time this year an incident of
> this nature with the xlate table has occurred. How can I monitor the xlate
> table for strange behavior?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65180&t=65095
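Kent's third suggestion (send PIX syslog somewhere and watch it for xlate trouble) comes down to a rate check per inside host: one machine building thousands of translations in minutes is the signature of Manny's runaway FTP client. The detector below is an added example, not code from the thread or from logsurfer; its log lines are constructed, modeled on the PIX 305011 "Built dynamic ... translation" message, and the threshold, window and addresses are assumptions to tune for your own network.

```python
"""Spot one inside host building translations far faster than everything
else, which is how the spyware FTP client in the thread filled the xlate
table.  Modeled on the PIX 305011 "Built dynamic ... translation" syslog
message; the log lines below are constructed for this example, not taken
from a real firewall, and the rate threshold is a made-up starting point."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

XLATE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<fw>\S+) "
    r"%PIX-6-305011: Built dynamic (?P<proto>TCP|UDP) translation "
    r"from (?P<in_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<out_if>\w+):(?P<mapped>[\d.]+)/(?P<mport>\d+)$")


def parse_xlate_line(line: str):
    """Return (timestamp, inside_ip, proto) for a translation-build line, else None."""
    m = XLATE_RE.match(line)
    if m is None:
        return None
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("src"), m.group("proto")


def find_xlate_floods(lines, threshold=10, window_seconds=60) -> dict:
    """Map inside_ip -> {"peak", "first_seen", "last_seen"} for every host that
    built at least `threshold` translations inside any `window_seconds` span.

    Sliding window per host; lines must be in time order per host, as they
    are in a syslog file.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)       # inside_ip -> build timestamps still inside the window
    floods = {}
    for line in lines:
        parsed = parse_xlate_line(line)
        if parsed is None:
            continue                  # some other PIX message, not a translation build
        ts, src, _proto = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # drop builds that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            hit = floods.setdefault(src, {"peak": 0, "first_seen": q[0], "last_seen": ts})
            hit["peak"] = max(hit["peak"], len(q))
            hit["last_seen"] = ts
    return floods


def _constructed_line(ts: datetime, src: str, port: int) -> str:
    """Build one 305011-style line (constructed sample data, outside address assumed)."""
    return ("%s pix %%PIX-6-305011: Built dynamic TCP translation "
            "from inside:%s/%d to outside:192.168.0.210/%d"
            % (ts.strftime("%b %d %H:%M:%S"), src, port, port))


_T0 = datetime(2003, 3, 11, 14, 2, 0)
SAMPLE_LOG = []
# Spyware client retrying its FTP login every 3 s; every attempt is a fresh xlate.
SAMPLE_LOG += [_constructed_line(_T0 + timedelta(seconds=3 * i), "192.168.1.50", 1024 + i)
               for i in range(15)]
# An ordinary user: a handful of connections spread over a minute.
SAMPLE_LOG += [_constructed_line(_T0 + timedelta(seconds=20 * i), "192.168.1.20", 2000 + i)
               for i in range(3)]
# An unrelated message the parser must ignore.
SAMPLE_LOG.append("Mar 11 14:02:10 pix %PIX-6-302013: (constructed non-translation message)")

if __name__ == "__main__":
    for src, hit in find_xlate_floods(SAMPLE_LOG).items():
        print("%s built %d translations between %s and %s"
              % (src, hit["peak"], hit["first_seen"].time(), hit["last_seen"].time()))
```

Pair the alert with the xlate and conn timeouts from Kent's first point: the shorter the idle timeouts, the fewer entries a burst like this leaves behind by the time the alert reaches you.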


Re: can PIX IDS block spam?? [7:65017]

2003-03-11 Thread Kent Hundley
No. If you want mail content filtering (spam, virus, etc.) you need a
3rd party product like those from TrendMicro.

HTH,
Kent

On Tue, 2003-03-11 at 02:03, Carol smith wrote:
> Hi..  I wonder whether the PIX generic IDS can block a spam e-mail attack?
> 
> Thanks 
> 
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65106&t=65017


Re: VLAN Trunking + Access lista [7:63739]

2003-02-25 Thread Kent Hundley
No, subinterfaces on a trunked port fully support ACLs in the same
manner as physical interfaces.  Same for other services such as NAT,
CBAC, policy routing, etc.

HTH,
Kent

On Tue, 2003-02-25 at 11:47, Skarphedinsson Arni V. wrote:
> Hi 
> 
> When using vlan trunking from a router, for example in a router on a stick
> environment, I would create subinterfaces on the ethernet interface on the
> router. Does that in some way limit the use of access-lists to control
> traffic, like traffic between the vlans and out of the router through
> another interface?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63771&t=63739


Re: ADSL and PIX puzzle [7:63458]

2003-02-20 Thread Kent Hundley
Change this:

ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80
extendable

to something like:

ip nat inside source static tcp 192.168.0.30 80 200.10.15.189 80
extendable

-The inside from the 827's perspective needs to be something in the
192.168.0.x address space

And change this:

static (inside,outside) 200.10.15.189 webserver

to something like:

static (inside,outside) 192.168.0.30 webserver

-From the PIX's perspective, the outside address of the webserver is
going to be something in the 192.168.0.x range, just as from the 827's
perspective, 192.168.0.x is the inside range.

HTH,
Kent


On Thu, 2003-02-20 at 20:33, dlci_16 wrote:
> Hello networkers,
> 
> I am trying to "conjure up" a working config for an ADSL link with static IPs
> for a 827 series router. These public IPs are supposed to point to, say, a
> webserver that sits behind a pix firewall (which is directly connected to the
> 827 router's ethernet interface). The problem is, when I try to come up with
> a working config I find myself getting into trouble.
> (The catch is, I need the webserver behind that pix.)
> Now this gets me using NAT twice to get a public IP from the internet through
> the router past the pix and into my webserver. I know it doesn't sound right
> and obviously does not work either ;)
> Any help/clue/criticisms are most welcome ;)
> Ok,
> What it looks like so far:
> 
> 
>  [internet] ->[router]   ->[pix]  ->[lan/webserver]
>              [827series]->[506E]--->[lan/webserver]
> 
> 
> IP addresses:
> For internet access I have 200.10.10.136 mask 255.255.255.0
> Public IPs: 200.10.15.184 255.255.255.248 (for example)
> Public IP for my webserver is 200.10.15.189
> 
> 
> Router 827:
> --
> 
> !
> int eth0
>   ip address 192.168.0.200 255.255.255.0
>   ip nat inside
> !
> int atm0
>   no ip address
>   dsl operating-mode auto
> !
> int atm0.1 point-to-point
>no ip address
>pvc 0/35
> pppoe-client dial-pool-number 1
> !
> int dialer1
>   ip address 200.10.10.136 255.255.255.0
>   ip nat outside
>   dialer pool 1
> !
> ip nat inside source list 1 interface dialer1 overload
> ip nat inside source static tcp 192.168.1.30 80 200.10.15.189 80 extendable
> access-list 1 permit 192.168.0.0 0.0.0.255
> !
> ip route 0.0.0.0 0.0.0.0 interface dialer1
> !
> 
> 
> PIX 506E:
> -
> 
> !
> nameif eth0 outside security0
> nameif eth1 inside security 100
> !
> ip address outside 192.168.0.201 255.255.255.0
> ip address inside 192.168.1.21 255.255.255.0
> !
> route outside 0.0.0.0 0.0.0.0 192.168.0.200 1
> !
> global (outside) 1 192.168.0.202-192.168.0.248
> nat (inside) 1 192.168.0.0 255.255.255.0
> !
> name 192.168.1.30 webserver
> !
> static (inside,outside) 200.10.15.189 webserver
> !
> access-list acl_out permit tcp any host 200.10.15.189 eq 80
> !
> access-group acl_out in interface outside
> !
> 
> 
> Maybe I am going about this the wrong way,
> maybe there is still hope just by tweaking my static nat translation at the
> router.
> If you have reached this far, thank you for your time and effort.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63476&t=63458



RE: Snort versus Cisco IDS [7:62939]

2003-02-14 Thread Kent Hundley
BTW, for the record I am personally a big fan of snort.  Snort is what I
use on my own home network. But then I'm a tech geek with limited funds,
so it fits my needs perfectly. ;-)

Regards,
Kent

On Fri, 2003-02-14 at 10:32, Kent Hundley wrote:
> The term "team" was meant to be inclusive of engineers as well as
> sales.  I can assure you I have talked to many competent Cisco
> engineers, some of them who specialize in security, who do in fact
> recommend the Cisco IDS to their large clients.  
> 
> And yes, salespeople will obviously always push their product.
> 
> Regards,
> Kent
> 
> On Fri, 2003-02-14 at 07:15, DeVoe, Charles (PKI) wrote:
> > 2) Has never talked to any of the Cisco teams that manage large global
> > accounts
> > 
> > Of course these are sales people.  Sales people make their livelihood off of
> > the sales.  So obviously, they will push the product.  
> > 
> > Rule 1.  Never trust a salesperson.
> > Rule 2.  Never Believe a salesperson.
> > Rule 3.  Never forget Rules 1 & 2.
> > 
> > -Original Message-
> > From: Kent Hundley [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, February 13, 2003 4:39 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Snort versus Cisco IDS [7:62939]
> > 
> > 
> > On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> > > Someone told me in an authoritative voice today that Cisco doesn't
> > > recommend their IDS. They recommend Snort. Is this really true? Isn't
> > > Cisco's IDS a big part of SAFE?
> > > 
> > 
> > Whomever told you this:
> > 
> > 1) Is extremely naive (one Cisco engineer told them something and they
> > took it as gospel)
> > 
> > 2) Has never talked to any of the Cisco teams that manage large global
> > accounts
> > 
> > I can tell you for a 100% fact that Cisco recommends their IDS very
> > actively to their large global customers, I'm working on a Fortune 5
> > account right now and the Cisco team is heavily pushing a Cisco IDS
> > deployment.  If one of their engineers recommended snort, the AM would
> > have them bound and gagged and thrown in a very dark basement. ;-)
> > 
> > 
> > > Of course, the person who said this doesn't understand that Cisco is a
> > > huge, chaotic organism, and that saying Cisco does something based on
> > > what one person does, doesn't make sense.
> > > 
> > > But I'm just curious, what do you all recommend for intrusion
> > > detection?  How do Snort and Cisco IDS compare? I guess Cisco's
> > > solution is a bit more complicated, requiring appliances or IDS cards
> > > in a switch and a console:
> > > 
> > 
> > Cisco IDS is a commercial, fully baked product in the sense that it has
> > a lot of bells and whistles for the end-user market.  Cisco is also
> > developing custom hardware such as blades that slide into a Cat 6500,
> > making for easy deployment and the ability to capture and process
> > traffic at Gigabit speeds.
> > 
> > Snort is much more of a tech geek's solution, although there are a lot of
> > talented people writing code to increase its ease of use (things like
> > ACID and Demarc).
> > 
> > The bottom line is that snort will do the job in a lot of environments,
> > but you're going to need to have some very technical people to handle the
> > care and feeding of the system.  It is an open source solution and
> > doesn't come with built-in support other than what you get through
> > mailing lists.  The Cisco IDS comes with TAC behind it.  You pay more
> > for more support baked into the process and a large amount of dedicated
> > resources working on your issues. (it's the same old open source vs
> > commercial product argument)
> > 
> > For small environments where funds are very limited or for environments
> > with highly technical but cheap labor (such as universities), snort is
> > probably the better solution.  For large enterprises, Cisco would
> > probably be the better choice.  
> > 
> > Of course, YMMV, a lot depends on the environment, that's my opinion,
> > take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer,
> > disclaimer...
> > 
> > Regards,
> > Kent




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63039&t=62939



RE: Snort versus Cisco IDS [7:62939]

2003-02-14 Thread Kent Hundley
The term "team" was meant to be inclusive of engineers as well as
sales.  I can assure you I have talked to many competent Cisco
engineers, some of them who specialize in security, who do in fact
recommend the Cisco IDS to their large clients.  

And yes, salespeople will obviously always push their product.

Regards,
Kent

On Fri, 2003-02-14 at 07:15, DeVoe, Charles (PKI) wrote:
> 2) Has never talked to any of the Cisco teams that manage large global
> accounts
> 
> Of course these are sales people.  Sales people make their livelihood off of
> the sales.  So obviously, they will push the product.  
> 
> Rule 1.  Never trust a salesperson.
> Rule 2.  Never Believe a salesperson.
> Rule 3.  Never forget Rules 1 & 2.
> 
> -Original Message-
> From: Kent Hundley [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 13, 2003 4:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Snort versus Cisco IDS [7:62939]
> 
> 
> On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> > Someone told me in an authoritative voice today that Cisco doesn't
> > recommend their IDS. They recommend Snort. Is this really true? Isn't
> > Cisco's IDS a big part of SAFE?
> > 
> 
> Whomever told you this:
> 
> 1) Is extremely naive (one Cisco engineer told them something and they
> took it as gospel)
> 
> 2) Has never talked to any of the Cisco teams that manage large global
> accounts
> 
> I can tell you for a 100% fact that Cisco recommends their IDS very
> actively to their large global customers, I'm working on a Fortune 5
> account right now and the Cisco team is heavily pushing a Cisco IDS
> deployment.  If one of their engineers recommended snort, the AM would
> have them bound and gagged and thrown in a very dark basement. ;-)
> 
> 
> > Of course, the person who said this doesn't understand that Cisco is a
> > huge, chaotic organism, and that saying Cisco does something based on
> > what one person does, doesn't make sense.
> > 
> > But I'm just curious, what do you all recommend for intrusion detection?
> > How do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> > complicated, requiring appliances or IDS cards in a switch and a console:
> > 
> 
> Cisco IDS is a commercial, fully baked product in the sense that it has
> a lot of bells and whistles for the end-user market.  Cisco is also
> developing custom hardware such as blades that slide into a Cat 6500,
> making for easy deployment and the ability to capture and process
> traffic at Gigabit speeds.
> 
> Snort is much more of a tech geek's solution, although there are a lot of
> talented people writing code to increase its ease of use (things like
> ACID and Demarc).
> 
> The bottom line is that snort will do the job in a lot of environments,
> but you're going to need to have some very technical people to handle the
> care and feeding of the system.  It is an open source solution and
> doesn't come with built-in support other than what you get through
> mailing lists.  The Cisco IDS comes with TAC behind it.  You pay more
> for more support baked into the process and a large amount of dedicated
> resources working on your issues. (it's the same old open source vs
> commercial product argument)
> 
> For small environments where funds are very limited or for environments
> with highly technical but cheap labor (such as universities), snort is
> probably the better solution.  For large enterprises, Cisco would
> probably be the better choice.  
> 
> Of course, YMMV, a lot depends on the environment, that's my opinion,
> take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer,
> disclaimer...
> 
> Regards,
> Kent




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63034&t=62939



Re: Snort versus Cisco IDS [7:62939]

2003-02-13 Thread Kent Hundley
On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> Someone told me in an authoritative voice today that Cisco doesn't
> recommend their IDS. They recommend Snort. Is this really true? Isn't
> Cisco's IDS a big part of SAFE?
> 

Whomever told you this:

1) Is extremely naive (one Cisco engineer told them something and they
took it as gospel)

2) Has never talked to any of the Cisco teams that manage large global
accounts

I can tell you for a 100% fact that Cisco recommends their IDS very
actively to their large global customers, I'm working on a Fortune 5
account right now and the Cisco team is heavily pushing a Cisco IDS
deployment.  If one of their engineers recommended snort, the AM would
have them bound and gagged and thrown in a very dark basement. ;-)


> Of course, the person who said this doesn't understand that Cisco is a
> huge, chaotic organism, and that saying Cisco does something based on
> what one person does, doesn't make sense.
> 
> But I'm just curious, what do you all recommend for intrusion detection?
> How do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> complicated, requiring appliances or IDS cards in a switch and a console:
> 

Cisco IDS is a commercial, fully baked product in the sense that it has
a lot of bells and whistles for the end-user market.  Cisco is also
developing custom hardware such as blades that slide into a Cat 6500,
making for easy deployment and the ability to capture and process
traffic at Gigabit speeds.

Snort is much more of a tech geek's solution, although there are a lot of
talented people writing code to increase its ease of use (things like
ACID and Demarc).

The bottom line is that snort will do the job in a lot of environments,
but you're going to need to have some very technical people to handle the
care and feeding of the system.  It is an open source solution and
doesn't come with built-in support other than what you get through
mailing lists.  The Cisco IDS comes with TAC behind it.  You pay more
for more support baked into the process and a large amount of dedicated
resources working on your issues. (it's the same old open source vs
commercial product argument)

For small environments where funds are very limited or for environments
with highly technical but cheap labor (such as universities), snort is
probably the better solution.  For large enterprises, Cisco would
probably be the better choice.  

Of course, YMMV, a lot depends on the environment, that's my opinion,
take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer,
disclaimer...

Regards,
Kent




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62992&t=62939



Re: OT: migration from CheckPoint to PIX firewall [7:58957]

2002-12-11 Thread Kent Hundley
A) No
B) No

It appears that someone in mgmt. has made a layer 8 (political) decision to 
migrate your firewall since the PIX does not support features you are 
currently using and yet the decision has already been made.

At this point, I would recommend that you put together a brief presentation 
(no more than 4 slides) listing the features that you will lose, why they 
are important and how much it will cost to implement those features on 
extra hardware.  Make sure your mgmt. signs off _in writing_ that they are 
aware of the functionality that you are losing if they insist on migrating 
and refuse to buy additional hardware.  Save the written sign off for later 
CYA use.

Regards,
Kent

At 02:39 AM 12/11/2002 +, eric nguyen wrote:
>My company is looking to migrate from CheckPoint over to Pix Firewall in the
>next couple of months and I have been assigned to this project.  I have
>questions about Pix firewalls.   We are a small company, less than 50 people.
>
>a) Does pix firewall support QOS, traffic shaping or traffic prioritization?
>The checkpoint firewall we are using has a feature called "flood-gate" that
>can prioritize both inbound and outbound traffic.  We would like to have this
>feature in Pix firewall as well.
>
>b) Does pix support http load balancing?  Checkpoint has a feature that
>supports http load-balancing for inbound traffic.  We need this feature to
>load balance our web servers.  I would like to have this feature in pix as
>well.  We don't have the budget for a dedicated load-balancer such as Cisco
>CSS.  Open freeware is out of the question, will not fly past management.
>
>Can pix do those things above without additional hardware?
>
>Regards,
>
>Eric




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58999&t=58957



Re: Traffic Analyses [7:58193]

2002-11-28 Thread Kent Hundley
You might also want to check out Ntop:

http://www.ntop.org/ntop.html

It's not for monitoring Cisco routers, but it will give you everything you 
want to know about the traffic on your network.

HTH,
Kent

At 04:02 PM 11/27/2002 +, Curious wrote:
>Is there a tool which gives me very good traffic analysis or traffic
>monitoring on my Cisco Routers / PIX FW (Serial and Eth) Interfaces, over
>Ethernet and T1 Link?
>
>Thanks,
>
>
>--
>Curious
>
>MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58262&t=58193



Re: 2 IDS modules in a 6509 [7:58126]

2002-11-27 Thread Kent Hundley
Yes, you can use as many IDS modules as you have free slots for (minus the 
sups of course).  Each IDS is managed independently, one does not affect 
the other.  You would, of course, use different VACLs to point different 
traffic to each IDS blade, so each IDS "sees" different traffic.

HTH,
Kent

At 07:05 PM 11/26/2002 +, Marcos Casado Castaño wrote:
>Maybe this is a stupid question, but can I use 2 IDS modules in a single
>switch 6509 chassis to increase scanning throughput? If yes, how does it
>work?
>
> >
> [EMAIL PROTECTED]
> MetroRed Telecomunicações Ltda.
> PanAmérica Park
> Av. Guido Caloi, 1000 - Ed. 3 - 1º andar
> CEP 04578-903 - São Paulo - SP - Brasil
> Tel.: (5511) 5852-2503 - Fax: (5511) 5501-8777




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58184&t=58126



Re: Firewall Question [7:57893]

2002-11-25 Thread Kent Hundley
James,

Just to add a bit to what others have said, if your friend is cost 
constrained, going open source a la OpenBSD, FreeBSD, Linux, etc. will no 
doubt be the cheapest in terms of immediate cost.  An additional option is 
the Cisco firewall feature set; it may require your friend to purchase 
additional software from Cisco, which would be more expensive than the open 
source option.  I agree completely with others, having some sort of 
firewall in place is the _minimum_ required for any business to connect to 
the Internet.  Not having at least a firewall borders on criminal 
facilitation and in the very near future we are going to start seeing 
companies held liable for not exercising due diligence with regard to basic 
security measures if their sites are used to attack other sites.

Having said this, unless your friend knows specifically what they are 
doing, putting a firewall in place may not help. They may configure it 
incorrectly or the server may have been compromised through "legitimate" 
traffic such as an IIS exploit.  If the server is being used as the 
company's web server, putting a firewall in place might not help, they'll 
have to apply appropriate patches to the server or it will just be 
compromised again.

My advice to your friend is to buy a good book on implementing network 
security soup to nuts including writing policies, securing perimeters, 
etc.  It may seem like overkill for such a small network, but someone who 
doesn't understand the big picture is bound to end up leaving holes that 
will be exploited later.  One book I've seen that looks good in this regard 
is "Inside network perimeter security" by Northcutt: 
 


In the meantime I would suggest your friend do the following:

1) Put a filter on his router blocking everything except necessary 
services, guidelines are on CCO in this regard or they can check out phrack 
issue 55: 
2) Make sure both clients and server have the most current patch levels
3) Disable any services that are not required on the server, there is 
information on how to do this all over the web
4) Get a syslog server and log any denied packets from the router to the 
syslog server.  There are syslog daemons available for Windows that can be 
used for a limited time for free.  Syslog is standard on any Unix-like 
platform. 

Your friend can do these measures right now for no cost and minimal 
effort.  Then they can research installing a firewall and read up on 
additional prudent security measures.

A couple of good sites that might also help:

http://www.infosyssec.net/
http://www.cisecurity.org/
http://www.sans.org/newlook/home.php

HTH,
Kent





At 09:14 PM 11/22/2002 +, James Gruggett wrote:
>I have a friend that has a T1 going into his 1700 series cisco router.
>His ISP has stated that someone has hacked into his Win2k server and
>that he must put a firewall in place.
>
>Do you recommend a software or hardware based firewall, and what type?
>
>The network consists of 1 server, 1 switch, and 10 workstations.
>
>
>Thanks
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58067&t=57893
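Kent's fourth step, logging denied packets from the router to a syslog server, only pays off if somebody reads the logs. The following is an added example for this thread, not Kent's code and not a Cisco tool: it parses the %SEC-6-IPACCESSLOGP messages an IOS router emits when an ACL entry carrying the `log` keyword denies a TCP/UDP packet, totals them per source and per destination service, and lists sources that touched several host/port pairs. The log lines are constructed for the example and use RFC 5737 documentation addresses.

```python
"""Summarise denied packets from IOS access-list syslog messages.

Added example for this thread; it is not Kent's code or a Cisco tool.
It reads the %SEC-6-IPACCESSLOGP lines a router emits when an ACL entry
carrying the 'log' keyword denies a TCP/UDP packet, totals them by
source and by destination service, and flags sources that touched
several host/port pairs.  The log lines below are constructed for the
example and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of what the syslog server receives from router "rtr1".
# Line 5 is an unrelated message and must be ignored by the parser.
SAMPLE_LOG = """\
Nov 22 21:14:02 rtr1 123: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4321) -> 198.51.100.10(445), 1 packet
Nov 22 21:14:05 rtr1 124: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4322) -> 198.51.100.10(139), 1 packet
Nov 22 21:14:09 rtr1 125: %SEC-6-IPACCESSLOGP: list 101 denied udp 203.0.113.77(1029) -> 198.51.100.10(161), 3 packets
Nov 22 21:15:30 rtr1 126: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.9(51000) -> 198.51.100.10(445), 12 packets
Nov 22 21:16:01 rtr1 127: %SYS-5-CONFIG_I: Configured from console by vty0
Nov 22 21:16:44 rtr1 128: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4323) -> 198.51.100.11(445), 1 packet
"""

# Only the "P" variant (TCP/UDP with ports) is handled here; ICMP and
# other protocols are logged in different message formats.
DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)


def parse_denies(text):
    """Return one dict per denied-packet line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("sport", "dport", "count"):
            e[k] = int(e[k])
        events.append(e)
    return events


def summarize(events):
    """Packet totals per source address and per (proto, destination port)."""
    by_src, by_service = Counter(), Counter()
    for e in events:
        by_src[e["src"]] += e["count"]
        by_service[(e["proto"], e["dport"])] += e["count"]
    return by_src, by_service


def probing_sources(events, min_targets=2):
    """Sources whose denied packets hit at least min_targets distinct host/port pairs."""
    targets = defaultdict(set)
    for e in events:
        targets[e["src"]].add((e["dst"], e["dport"]))
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)


if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG)
    by_src, by_service = summarize(evs)
    print("denied packets by source:")
    for src, n in by_src.most_common():
        print(f"  {src:16} {n}")
    print("denied packets by service:")
    for (proto, port), n in by_service.most_common():
        print(f"  {proto}/{port:<6} {n}")
    print("sources probing several host/port pairs:", probing_sources(evs))
```

The packet count in each message is the router's own summary counter (IOS batches repeated hits), so the totals reflect packets, not log lines; the probing heuristic is deliberately crude and is meant as a starting point for what to look at first, not a verdict.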



Re: IGRP as proprietary? [7:57603]

2002-11-18 Thread Kent Hundley
Depends on your definition of "open standard".  As far as I can tell there 
are no RFCs for IGRP or EIGRP, which is pretty much the criteria for 
something to be considered an "open standard" in the Internet 
community.  Also, I don't believe Cisco has released the source code for 
either IGRP or EIGRP.  Based on that, I would consider both routing 
protocols to be proprietary.  I believe some non-Cisco companies have 
interoperable implementations of IGRP, but my guess would be they either 
reverse engineered it or paid Cisco for the code.

In short, by most definitions, IGRP/EIGRP would be considered proprietary.

Regards,
Kent

At 11:38 AM 11/18/2002 +, hktco wrote:
>When I learned it for CCNA and CCNP, I was told that IGRP is Cisco
>proprietary.  Until recently, I was being told that IGRP is no longer
>proprietary
>and became an open standard.
>
>I would like to verify on this.  Any input from authority would be nice.
>Thanks.
>
>hktco




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57631&t=57603



Re: VPN Primer on Cisco site - FYI [7:56618]

2002-11-01 Thread Kent Hundley
FYI,

This paper and other Cisco security docs can also be found at:

http://www.cisco.com/go/safe

which has the advantage of being easier to remember. ;-)

Regards,
Kent

At 07:58 PM 10/31/2002 +, The Long and Winding Road wrote:
>found this while stumbling around:
>
>http://www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/safev_wp.pdf
>
>enjoy
>
>--
>
>www.chuckslongroad.info




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56686&t=56618



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Kent Hundley

Richard,

1) No comments are allowed right now.  Yes, it's a pain.

2) Try using PDM, it's a fairly nice GUI interface. For large environments try
CSPM.

3) The PIX's default stance is a holdover from the days when not a lot of
people were concerned about blocking outbound traffic.  Yes, it probably
should be changed and yes, a lot of security people don't like the "default
permit out" stance.

4) Yes, another pain, probably something that they will eventually include,
but I don't know specific details.

5) I don't think anyone would argue that the PIX lacks some of the "wiz
bang" features of other commercial firewalls.  The big selling points for
the PIX in the past have been speed and support.  The speed factor has been
taken out of the equation by new boxes from Nokia and others. (BSD kernel
running Firewall-1 at gigabit speeds)  The support factor is still a good
point, but it's clear to me that Cisco needs to step up their development
efforts on the PIX if they want to stay in the game.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Richard Tufaro
Sent: Tuesday, June 25, 2002 9:51 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcoming of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing. Now don't get me wrong you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is reading from the top down (just like in IOS) so if I export
my config, change around the order then try to paste *does not take*. The
workaround I found for this nifty problem is exporting the access-list to
Ultraedit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment
manage this? Or the PIX's for that matter as a side.

3. Tell me if I'm smokin' crack here, but the default stance of the PIX is
bass-ackwards when it comes to internal hosts to the outside. I mean look when I
put out the firewall and config my INBOUND lists, why do I want everyone in
the company to be able to NETBIOS across the firewall (outbound)?! I have
worked with one other firewall (CyberGuard) and their stance IMHO is the
best, DENY ALL, permit what I say to permit. It's a firewall, not a router
(in the security sense people, I know what it is REALLY, but relating to
Cisco).

4. Little things too...like why no command completion? I know that this is a
Cisco acquired device, but you would think that they would make it easy to
configure from the command line, especially with the influx of making it
more IOS-y. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small lightweight, "streamlined" device
that is going to protect your network but you should not do any WIZ
bang stuff with it...but then again Cisco markets to everyone and are
competing with the WIZ Bang firewall vendors like Checkpoint. I mean come on
GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX deployments and how they manage day to day, and deploy new
ones. I know this is a long post but coming from Cyberguard, and going to
PIX there seems to be some major deficiencies as far as functionality and
manageability. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47403&t=47393



RE: Microsoft VPN ports [7:47376]

2002-06-25 Thread Kent Hundley

http://www.cisco.com/warp/public/110/pix_pptp.html

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Spencer Plantier
Sent: Tuesday, June 25, 2002 6:14 AM
To: [EMAIL PROTECTED]
Subject: Microsoft VPN ports [7:47376]


Does anyone know which ports need to be opened up to
let MSCHAP2 VPN go through the PIX?

Thanks,

=
Spencer Plantier
Internet Solutions Engineer
Cell 919-696-8848





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47388&t=47376



RE: Pix don't route [7:46356]

2002-06-13 Thread Kent Hundley

That assumes that he has an address space to announce via BGP, which he
did not mention so I assumed he did not have one.  Without your own address
space, BGP isn't going to do anything for you.  Yes, if the T1 goes down,
the servers would be unreachable, but without your own address space and/or
running your own DNS and doing some NAT magic with the replies to DNS
queries, you won't be able to give the "correct" DNS answer. (i.e. return
the T1 IP when the T1 is up, return the DSL address when the T1 is down)

Since all the replies from the servers would go out the T1, if a query for
the server came in the DSL the conversation would break when the server
traffic went out the T1 and got translated to the IP address on that
interface. This assumes using PAT on each router interface.

Obviously, if the OP has his own address space, the scenario changes
considerably and there are more options.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Kaberna
Sent: Wednesday, June 12, 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix don't route [7:46356]


What happens when the T1 provider goes down?  Those IP's will no longer be
reachable and the servers will be down.  Without BGP I don't see how you are
going to get the DSL circuit to take over the IP's that the T1 provider
advertises.  Assuming you have BGP, I would think that policy routing and
using different global addresses would get the job done.  Sounds to me like
the only barrier is getting BGP.


""Kent Hundley""  wrote in message
news:[EMAIL PROTECTED]...
> Wayne,
>
> I would suggest disabling NAT on the PIX and performing your NAT on the
> router.  This eliminates the problem of not knowing what packets originate
> from the servers.  Then, setup Policy-Based Routing (PBR) on the router.
> You didn't post your config, so I assume you have 2 legal addresses, one
> from each ISP and you don't have your own address space.  If you want to
> setup inbound services you'll have to setup static NAT on the router for
the
> services you want to allow.  For outbound the PBR it's pretty simple:
>
> int s 0
>  interface to T1
>
> int e 0
>   interface to DSL
>
> int
>  ip policy route-map test
>
> access-list 100  any
>
> route-map test permit 10
>   match ip address 100
>   set int s 0
> route-map test permit 20
>
> For outbound traffic packets from the servers will be sent out the T1 as
> long as it is up, all other traffic will be forwarded normally.  You'll
want
> to set your routing so that the DSL line is the preferred path for all
> traffic.  If the T1 goes down, the traffic from the servers will be sent
out
> the DSL.
>
> Additional problems that I see are if your servers are to be accessible
from
> the Internet, you will need to have static translations setup for your
> services on both the T1 and the DSL.  You can do this, but the issue
becomes
> name resolution and which address is returned to users on the Internet.
> It's probably safer to just setup the translations for the T1 and leave it
> at that. (you could play some games if you ran your own DNS, but things
get
> complicated pretty quickly)
>
> You don't need the FFS on the router as long as everything is behind the
PIX
> (although it shouldn't hurt) and you don't need the link between the
router
> and the PIX to have a public address space as long as you do the NAT on
> the router.
>
> Of course, you also will want to harden the Internet facing router if you
> have not already done so.
>
> One more thing, it's not really accurate to say the PIX "doesn't route".
> People say this all the time and what they really mean is that the PIX
> doesn't support routing protocols and some "fancy" routing techniques like
> PBR.  However, the PIX does perform layer 3 forwarding based on its
routing
> table, this means, by definition, it is "routing".  It just doesn't have
the
> same features and functions for layer 3 forwarding that cisco routers
have.
> (this is kind of a nit, but saying the PIX doesn't route tends to confuse
> people)
>
> HTH,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Wayne Jang
> Sent: Wednesday, June 12, 2002 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: Pix don't route [7:46356]
>
>
> Hi,
>
> The Pix don't route, but can I do this?
>
> I have a 2 server 20 user small office.
>
> I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to
the
> Internet.  I'm not looking to load balance or even do redundancy.  I just
> want traffic f

RE: Pix don't route [7:46356]

2002-06-12 Thread Kent Hundley

Wayne,

I would suggest disabling NAT on the PIX and performing your NAT on the
router.  This eliminates the problem of not knowing what packets originate
from the servers.  Then, setup Policy-Based Routing (PBR) on the router.
You didn't post your config, so I assume you have 2 legal addresses, one
from each ISP and you don't have your own address space.  If you want to
setup inbound services you'll have to setup static NAT on the router for the
services you want to allow.  For outbound the PBR it's pretty simple:

int s 0
 interface to T1

int e 0
  interface to DSL

int 
 ip policy route-map test

access-list 100  any

route-map test permit 10
  match ip address 100
  set int s 0
route-map test permit 20

For outbound traffic packets from the servers will be sent out the T1 as
long as it is up, all other traffic will be forwarded normally.  You'll want
to set your routing so that the DSL line is the preferred path for all
traffic.  If the T1 goes down, the traffic from the servers will be sent out
the DSL.

Additional problems that I see are if your servers are to be accessible from
the Internet, you will need to have static translations setup for your
services on both the T1 and the DSL.  You can do this, but the issue becomes
name resolution and which address is returned to users on the Internet.
It's probably safer to just setup the translations for the T1 and leave it
at that. (you could play some games if you ran your own DNS, but things get
complicated pretty quickly)

You don't need the FFS on the router as long as everything is behind the PIX
(although it shouldn't hurt) and you don't need the link between the router
and the PIX to have a public address space as long as you do the NAT on
the router.

Of course, you also will want to harden the Internet facing router if you
have not already done so.

One more thing, it's not really accurate to say the PIX "doesn't route".
People say this all the time and what they really mean is that the PIX
doesn't support routing protocols and some "fancy" routing techniques like
PBR.  However, the PIX does perform layer 3 forwarding based on its routing
table, this means, by definition, it is "routing".  It just doesn't have the
same features and functions for layer 3 forwarding that cisco routers have.
(this is kind of a nit, but saying the PIX doesn't route tends to confuse
people)

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Wayne Jang
Sent: Wednesday, June 12, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: Pix don't route [7:46356]


Hi,

The Pix don't route, but can I do this?

I have a 2-server, 20-user small office.

I have a Pix 506 sitting in front of a 2621 with a T1 and a DSL link to the
Internet.  I'm not looking to load balance or even do redundancy.  I just
want traffic from the servers to use the T1 and I want traffic from the
users to use DSL.  I could use access-lists on the 2621 to direct the
traffic based on source address, but how will the 2621 know where the
traffic came from?  Won't all traffic have a source address of the Pix
outside interface?  What if I NAT the servers (on PIX) so that they will
appear to have a different source IP than the users who will be behind the
global outside address?  I'll need more public addresses, but that would be
fine.

I can't get any help from Cisco Pre-Sales because they aren't sure.  I can't
get an engineer that knows more than me (not much).

My fall back plan is to only use the 2621 and have a firewall IOS.  But I
would rather use the Pix, especially because we have already quoted the
above solution and are working to save face.

Thanks

--
Wayne Jang
Advanced Computer Technologies, Inc.
108 Main Street
Norwalk, CT 06851
Wk 203-847-9433
Cell 203-943-6603




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46366&t=46356



RE: how to filter a MAC packet at 6509 or 4006 and WIN2000 [7:45361]

2002-05-29 Thread Kent Hundley

First, I think you need to determine that this is an actual attack before
you start blocking anything.  It could be someone who didn't know better
enabled a DHCP server without even knowing what it did.  I would recommend
going to the person who did it and asking them why they are enabling a DHCP
server.  Even if it is malicious, a friendly visit can sometimes do wonders
to curtail future activity.

Second, there is probably something you can tweak to keep your DHCP server
from going down if it detects another DHCP server.  I don't think you want
your server so easily DOSed.

Finally, if you really want to block traffic at the MAC layer, you can do it
with access-lists on the router, but that won't stop someone from playing
havoc on their own subnet.

http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/53998.h
tm#xtocid1116615


If you want to run a secure operation you should assign MAC addresses to
ports on your switch and require users to go through a registration process
to obtain access to a port.  Also make them sign an AUP stating they are
responsible for any and all activity from their MAC address.

You can research securing ports on your switches by doing a search on "port
security" at cisco's site.

More useful info on Cisco security is here:

http://www.cisco.com/warp/public/707/index.shtml

You can find sample AUP's and other good policy templates here:

http://www.sans.org/newlook/resources/policies/policies.htm

One final point, if you don't have a security policy in place, no amount of
work will keep malicious activity from occurring.  Malicious activity inside
your network is principally a "people" problem and it is highly unlikely
you'll be able to solve those problems just with technology.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
jackie xu
Sent: Wednesday, May 29, 2002 5:03 AM
To: [EMAIL PROTECTED]
Subject: how to filter a MAC packet at 6509 or 4006 and WIN2000 server
[7:45347]


Hi, everybody here:
My DHCP server was attacked by a hacker, and the DHCP server would go down
with the following messages (Win2000 server platform):
"meet another server with the DHCP/BINL service, and the DHCP/BINL serivce
is closing"

I found that the attacking PC was a campus user, and I got its MAC address
from the ARP table at the router, so I want to filter the PC by its MAC address,
not IP address, but I don't know how to do it.
Can anyone tell me?
Thanks in advance!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45361&t=45361
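Kent's first point is to confirm what is actually happening before blocking anything. The following is an added example for this thread, not Kent's code and not a switch feature: it parses the BOOTP header and DHCP option list of raw UDP payloads, the kind a passive capture on the server VLAN would produce, and reports any OFFER or ACK whose server identifier (option 54) is not an authorised DHCP server. A missing option 54 on a reply is flagged as well, since a legitimate server always sends it. The packets are constructed inside the example with RFC 5737 documentation addresses.

```python
"""Detect DHCP OFFER/ACK messages from servers that are not on an allow-list.

Added example for this thread; it is not Kent's code and not a switch
feature.  It parses the BOOTP header and DHCP option list of raw UDP
payloads (what a passive capture on the server VLAN would yield) and
reports any OFFER or ACK whose server identifier (option 54) is not an
authorised DHCP server.  The packets below are constructed here with
RFC 5737 documentation addresses.
"""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCP_DISCOVER, DHCP_OFFER, DHCP_ACK = 1, 2, 5
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def ip_bytes(text):
    return bytes(int(x) for x in text.split("."))


def parse_dhcp(payload):
    """Return (op, yiaddr, {option code: value}) or raise ValueError."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op = payload[0]
    yiaddr = ip_str(payload[16:20])      # address being offered to the client
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return op, yiaddr, options


def build_dhcp(op, msg_type, yiaddr, server_id):
    """Construct a minimal DHCP message; used only to make sample input."""
    header = bytearray(236)
    header[0], header[1], header[2] = op, 1, 6      # op, htype=ethernet, hlen
    header[16:20] = ip_bytes(yiaddr)
    options = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + ip_bytes(server_id)
    return bytes(header) + MAGIC_COOKIE + options + bytes([OPT_END])


def rogue_servers(payloads, authorised):
    """Return (message type, server IP, offered IP) for replies from unknown servers."""
    alerts = []
    for payload in payloads:
        try:
            op, yiaddr, opts = parse_dhcp(payload)
        except ValueError:
            continue                      # not DHCP, or malformed: ignore
        if op != BOOTREPLY or OPT_MSG_TYPE not in opts:
            continue                      # client traffic cannot be a rogue server
        msg_type = opts[OPT_MSG_TYPE][0]
        if msg_type not in (DHCP_OFFER, DHCP_ACK):
            continue
        sid = opts.get(OPT_SERVER_ID)
        server = ip_str(sid) if sid and len(sid) == 4 else "unknown"
        if server not in authorised:      # a missing option 54 is flagged too
            alerts.append((MSG_NAMES.get(msg_type, str(msg_type)), server, yiaddr))
    return alerts


AUTHORISED_SERVERS = {"192.0.2.10"}
SAMPLE_PAYLOADS = [                       # constructed capture
    build_dhcp(BOOTREPLY, DHCP_OFFER, "192.0.2.150", "192.0.2.10"),    # legitimate
    build_dhcp(BOOTREPLY, DHCP_OFFER, "192.0.2.150", "192.0.2.77"),    # unknown server
    build_dhcp(BOOTREQUEST, DHCP_DISCOVER, "0.0.0.0", "0.0.0.0"),     # client, ignored
    build_dhcp(BOOTREPLY, DHCP_ACK, "192.0.2.151", "192.0.2.10"),      # legitimate
    b"not dhcp at all",                                                # garbage, ignored
]

if __name__ == "__main__":
    for kind, server, offered in rogue_servers(SAMPLE_PAYLOADS, AUTHORISED_SERVERS):
        print(f"ALERT: DHCP {kind} from unauthorised server {server} offering {offered}")
```

Pairing the alert with the source MAC of the captured frame (not parsed here, since only the UDP payload is modelled) gives the same evidence the original poster pulled from the router's ARP table, but from the actual offending packets rather than a guess.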



RE: Anti-spoofing [7:45217]

2002-05-28 Thread Kent Hundley

You need to block more than just your own subnet.  You'll want to block at
least the RFC1918 address spaces and hosts that claim to be from 0.0.0.0,
255.255.255.255, 127.x.x.x and multicast addresses.  You can take a look at
the following for more info:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

http://www.cisco.com/warp/public/779/largeent/issues/security/safe.html

http://www.cisco.com/warp/public/707/21.html

http://www.phrack.org/phrack/55/P55-10

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Postman Pat
Sent: Tuesday, May 28, 2002 1:35 AM
To: [EMAIL PROTECTED]
Subject: Anti-spoofing [7:45217]


Greetings,
Please help me, I am trying to configure anti-spoofing on a router:

Interface eth 0
Ip address 192.168.1.1 255.255.255.0

Interface ser 0
ip address 10.0.0.1 255.255.255.0
access-list 10 deny 192.168.1.0 0.0.0.255
access-class 10 in

Is my understanding of setting up anti-spoofing correct? Is there anything
I need to change to get this working? How do I improve the security on
this config?

Regards

LK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45287&t=45217
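The policy Kent describes, as an added example for this thread (not Kent's code and not an IOS feature): packets entering from the outside are dropped when their source claims to be inside, or falls in RFC 1918 space, 0.0.0.0/8, the limited broadcast address, loopback or multicast. It goes one step beyond the reply by also checking the egress direction, where only sources in the inside prefix may leave, the other half of RFC 2827 filtering. The inside prefix is the 192.168.1.0/24 from the question; the other addresses are constructed from RFC 5737 documentation ranges.

```python
"""Ingress/egress anti-spoofing filter model for an Internet-facing interface.

Added example for this thread, not Kent's code and not an IOS feature.
Inbound: drop sources that claim to be inside or fall in well-known
bogon ranges.  Outbound: permit only sources from our own prefix.
Addresses other than the 192.168.1.0/24 from the question are
constructed from RFC 5737 documentation ranges.
"""
import ipaddress

# Source ranges that should never arrive from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "0.0.0.0/8",                                       # "this" network, incl. 0.0.0.0
    "255.255.255.255/32",                              # limited broadcast
    "127.0.0.0/8",                                     # loopback
    "224.0.0.0/4",                                     # multicast: never a valid source
)]


def ingress_check(src, inside):
    """Decision for a packet arriving on the outside interface."""
    s = ipaddress.ip_address(src)
    if s in inside:
        return "deny", "outside packet claims an inside source"
    for net in BOGON_SOURCES:
        if s in net:
            return "deny", f"bogon source in {net}"
    return "permit", ""


def egress_check(src, inside):
    """Decision for a packet leaving toward the Internet: only our own prefix may go."""
    s = ipaddress.ip_address(src)
    if s in inside:
        return "permit", ""
    return "deny", "outbound packet with a source we do not own (spoofed or misrouted)"


def apply_filter(packets, inside):
    """Run both directions over (direction, src, dst) tuples; returns decisions."""
    results = []
    for direction, src, dst in packets:
        check = ingress_check if direction == "in" else egress_check
        verdict, reason = check(src, inside)
        results.append((direction, src, dst, verdict, reason))
    return results


INSIDE = ipaddress.ip_network("192.168.1.0/24")
SAMPLE_PACKETS = [                                   # constructed
    ("in",  "203.0.113.9",   "192.168.1.20"),        # ordinary Internet host: permit
    ("in",  "192.168.1.50",  "192.168.1.20"),        # spoofed inside source: deny
    ("in",  "10.1.2.3",      "192.168.1.20"),        # RFC 1918 from outside: deny
    ("in",  "0.0.0.0",       "192.168.1.20"),        # deny
    ("in",  "127.0.0.1",     "192.168.1.20"),        # deny
    ("in",  "224.0.0.9",     "192.168.1.20"),        # multicast source: deny
    ("out", "192.168.1.20",  "203.0.113.9"),         # our own host leaving: permit
    ("out", "198.51.100.77", "203.0.113.9"),         # not our prefix: deny
]

if __name__ == "__main__":
    for direction, src, dst, verdict, reason in apply_filter(SAMPLE_PACKETS, INSIDE):
        print(f"{direction:3} {src:15} -> {dst:15} {verdict:6} {reason}")
```

One caveat on the configuration in the question: `access-class` applies an access list to vty lines (who may telnet to the router), not to packets crossing an interface; a packet filter is bound to the interface with `ip access-group <list> in`. The RFC 1918 entries above block legitimately only on the Internet-facing interface; applying the same list on an inside interface that carries private addressing would cut off your own users.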



RE: Securing SNMP [7:44605]

2002-05-21 Thread Kent Hundley

Check out the SNMP section in this doc:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

Additionally to the above suggestions, I would add:

-Do not allow SNMP write capability, you almost never need it

-Choose a _strong_ SNMP RO community.  It should contain special characters
such as #,$,@,&,^, etc.  It's usually useful to pick a phrase that you can
remember, such as "all engineers choose good passwords", pick the first
letter or letters from each word: "all e c g p" and then selectively
substitute special chars for certain alpha chars: "@ll $ c g )" for example.
DO NOT pick things like company name, organization name, sports team
mascots, pets' names, etc.  In general, treat the SNMP community string with
the same care you would want the administrator of your payroll server to use
for their password. (and assume if the payroll gets compromised, you don't
get paid)

-Consider using SNMPv3 so that you can use encryption.  Alternatively, setup
an IPSec tunnel between the monitoring stations and the routers for securing
SNMP based communications.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Postman Pat
Sent: Tuesday, May 21, 2002 4:49 AM
To: [EMAIL PROTECTED]
Subject: Securing SNMP [7:44605]


Greetings,
I would like to run SNMP on my router and would like some advice on how I
could secure it. I would also like some input from you guys on whether you
recommend SNMP at all as it seems like the only route that I can take in
monitoring traffic on our internet access link.

Regards

LK




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44622&t=44605



RE: Fans too Noisey (2500 Series Router) [7:44571]

2002-05-21 Thread Kent Hundley

Maybe not if you keep the room temperature low enough, but you're going to
need a lot of air conditioning. ;-)

Seriously, disconnecting fans will eventually cause your router, or any
computer, to fry.  Without heat dissipation, your components will eventually
just quit working and fill your house with the lovely smell of burning
circuits.

You might try buying/building some sort of enclosure, but that enclosure
will likely need a fan as well.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Will Francis
Sent: Monday, May 20, 2002 3:07 PM
To: [EMAIL PROTECTED]
Subject: Fans too Noisey (2500 Series Router) [7:44571]


Hi Guys

I've got 7 2500 Series routers in my home lab but it's just getting a bit too
noisy. If the fans are unplugged, will this affect the routers?

cheers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44617&t=44571



RE: why "ip inspect" block my traffic? [7:43802]

2002-05-10 Thread Kent Hundley

The command you reference is for context-based access control (cbac), part
of the firewall feature set (ffs).  What it is and how it works are clearly
explained in the cisco documentation at cisco.com.  Here's a shortcut link
that gives you all the basics:

http://www.cisco.com/warp/public/110/32.html

Your config was munged, so it's hard to say why you're having the problems you
report.  Offhand it sounds like a DNS lookup problem, but that's just a
guess.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kenny Smith
Sent: Thursday, May 09, 2002 7:51 PM
To: [EMAIL PROTECTED]
Subject: why "ip inspect" block my traffic? [7:43802]


Hi..  Can you tell me what is the function of the following command?  My
previous administrator configured it.  But we found that we can't surf
the net thru this router.  The www traffic takes a very long time to load and
pass thru this router.  But after I issue 'no ip inspect name fw in', we
are able to access the web traffic.  Why??

ip inspect name fw tcp
ip inspect name fw udp
ip inspect name fw smtp
ip inspect name fw ftp

interface ethernet0
....
....
interface ethernet1
....
....
ip inspect name fw






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43829&t=43802



RE: NAT configuration for 2 service providers [7:43820]

2002-05-10 Thread Kent Hundley

You can find lots of good info on Cisco NAT by surfing to cisco.com and
searching for NAT tips.  Here's a shortcut:


http://www.cisco.com/warp/public/556/index.shtml

And here's an example to help with your specific question:

http://www.cisco.com/warp/public/105/nat_routemap.html

This whitepaper might help also:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/tech/emios_wp.htm


HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 10, 2002 4:57 AM
To: [EMAIL PROTECTED]
Subject: NAT configuration for 2 service providers [7:43820]


Hi Friends,

I have 2 Internet links working at present. One link terminated on a Cisco
router and another link terminated on a Telindus Crocus router (which doesn't
have NAT functionality). To facilitate Internet access I have configured NAT
on the Cisco with overload; for the second I have installed Windows 2000 NAT and
configured all clients with the gateway as NAT.

If I want to shift the second Internet link to the Cisco device with 2 serial
ports, how do I create a second NAT entry for the 2nd provider?

Could you please help me.

Thanks in Advance

Brahmam.
415-339-0352 ex-0355




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43825&t=43820



RE: Pix load balance? [7:42974]

2002-05-07 Thread Kent Hundley

Brian,

Yes, most of them do nat.  From the client WS perspective, there is only a
single server IP, so it sends packets to that IP address.  Once the switch
gets the packet (since it is answering for that IP), it needs to forward the
packet to a server.  Normally, for the server to accept that packet the
switch must change the dst IP to the server's real IP address and likewise
alter the replies from the server so they appear to come from the virtual
IP. (i.e. NAT) Note that some switches support an option called "direct
server return" in which the switch sets up the initial conversation, and
then the server talks directly back to the client without having to go
through the switch.  In this case NAT is not performed between the server
and the client. (I don't think this architecture is widely used though)

The layer 4-7 portion is really only relevant when the switch is deciding 1)
Is a service "up" on a particular server and 2) How does the switch
determine to which server an individual packet needs to be forwarded (i.e.
how much of the data portion of a packet has to be examined to determine
what traffic stream it belongs to)

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brian Zeitz
Sent: Tuesday, May 07, 2002 9:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]


Dumb question, do any of these devices use NAT? I just read that PIX
to DMZ interface uses dNAT, not sure if that is faster. I was reading my
Alteon Web Switch book last night, it says you CAN do NAT, but I don't
know if layer 4-7 switches actually DO NAT normally. If it's a switch, it
should be switching right, the translation gets done in layer 4. Kinda
confused.



-Original Message-
From: Gragido, William [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 12:09 PM
To: Brian Zeitz; [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]

The best way to load balance is to use an application layer (layer 4-7)
switch.  I am not too familiar with Cisco's offering of this technology
(sadly), but have worked extensively with Foundry's ServerIrons and they are
excellent devices!

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brian Zeitz
Sent: Tuesday, May 07, 2002 8:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Pix load balance? [7:42974]


Load balancing is supposed to be done on content switches according to
what I am reading. It cannot be done on the firewall within the site,
nor can it be done with different ISPs.

Brian Zeitz MCSE, CCNP

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 07, 2002 6:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Pix load balance? [7:42974]

What's the reason?
I'm not disputing the fact, just wondering what the limitation is. I take it
that the limitation is only that it cannot do stateful failover with two
active PIXes?

Cheers,

Gaz

 wrote in message
news:[EMAIL PROTECTED]...
> Yeah, I asked the same questions last month.  They can not.  If you really
> need firewall and Load balancing, FW-1 is the way to go.
>
> Theo
> CSS1, CCNP, CCSE
>
>
> "Patrick"
> Sent by: [EMAIL PROTECTED]
> 05/06/2002 06:28 AM
> Please respond to "Patrick"
>
> To: [EMAIL PROTECTED]
> cc:
> Subject:Re: Pix load balance? [7:42974]
>
> No.
>
> ""GEORGE""  wrote in message
> news:[EMAIL PROTECTED]...
> > Can you load balance to pix firewalls?
> > Has anyone done this?



Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43535&t=42974



RE: Installing New PIX [7:43369]

2002-05-07 Thread Kent Hundley

The short answer is no.  The PIX does not support a true http proxy, so
you'll need to reconfigure your clients or continue to use a cache/proxy in
addition to the PIX.

For info on the PIX, the documentation is fairly good:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/index.htm

You can find this off the cisco home page by clicking 'technical documents'
and then selecting 'Cisco secure pix firewall' under the drop down 'network
security' tab.

You should also browse through the security technical tips links to get
familiar with various PIX configs:

http://www.cisco.com/warp/public/707/

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jeffrey Reed
Sent: Sunday, May 05, 2002 8:39 PM
To: [EMAIL PROTECTED]
Subject: Installing New PIX [7:43369]


I have the job of installing a new PIX 525. We are replacing several
Microsoft proxy servers with the single PIX. At this time we have several
thousand students and staff using a proxy script. For the IE users, we can
rip the script out with a registry hack, but for the Netscape users, we don't
have a clean way of removing the setting. And we have a hundred or so Mac
users with similar problems.

One thing I'm curious about: is there any way to configure the PIX to respond
to the scripts like the proxy would have responded? I'm a bit short in the
clue department with both the PIX and MS Proxy to even know if that was a
really dumb question, so take it easy on the answer!!

Are there any good places on Cisco's web site to plan for a PIX install? I
was looking and couldn't find a good resource. Any suggestions would be
appreciated.

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43511&t=43369



RE: Security for router connected to Cable Service provider [7:43510]

2002-05-07 Thread Kent Hundley

First, take a look at the following links:

http://www.cisco.com/univercd/cc/td/doc/cisintwk/ics/cs003.htm

http://phrack.org/phrack/55/P55-10

Then, you might want to consider using CBAC:

http://www.cisco.com/warp/public/110/32.html

Finally, for performance you may want to consider using a cache such as
those from network appliance or you can look at the open source squid
solution:

http://www.squid-cache.org

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Johnzaggat
Sent: Saturday, May 04, 2002 10:13 PM
To: [EMAIL PROTECTED]
Subject: Security for router connected to Cable Service provider
[7:43322]


I just wanted to know what everyone is using on their connections to the
outside. For now I am just using NAT on a 1605R. I am only using it to go to
the outside. What can I do to secure this router? All of the traffic will either
be http or ftp going out. Is there anything I can do to improve performance
as well? I appreciate any suggestions.
Thanks
JZ




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43510&t=43510



RE: Closing Ports Part 2 [7:43145]

2002-05-07 Thread Kent Hundley

In general, any Application Layer Gateway (ALG) firewall, or any firewall
that has a true http proxy, will only allow sessions on port 80 that are
actually http.  Some examples of ALG's are Gauntlet and Raptor.  An example
of a firewall that is not an ALG but that does support a true http proxy is
FW-1. (PIX does not have a true http proxy)

Unfortunately, the problem is worse than you describe.  There are programs
that actually use legitimate http protocol calls to tunnel other traffic,
such as httptunnel.  There are other programs that use ICMP echo-request and
echo-reply (Loki and icmptunnel) and at least one implementation of a tunnel
using DNS request/replies:

http://online.securityfocus.com/archive/1/8990

In practice, it is very difficult, though not impossible, to detect these
sorts of programs with current FW and IDS systems, mostly due to the number
of false positives you're likely to get and the amount of processing that has
to be done on the payload in each packet.  However, using a good proxy is at
least a starting point and raises the bar for an attacker.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
exchange
Sent: Thursday, May 02, 2002 10:34 AM
To: [EMAIL PROTECTED]
Subject: Closing Ports Part 2 [7:43145]


I know blocking ports isn't really going to stop people who can tunnel
through via http or some other open ports.  Are there firewalls that
will look into specific traffic streams and drop connections that are
not really http sessions?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43508&t=43145
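As an added illustration of the point made in the reply above (this is constructed example code, not code from the thread or from any firewall product named in it), the check below is the kind of request-conformance test a true http proxy applies before relaying a port-80 session. It drops streams that are not syntactically HTTP, and it also shows the limit Kent describes: a tunnel that rides inside well-formed HTTP requests passes. All sample payloads are constructed.

```python
"""HTTP request-conformance check of the kind an ALG or true http proxy
applies to a port-80 session before relaying it.

Constructed, stand-alone example; not code from the thread or from any
firewall product named in it.  Sample payloads below are constructed.
"""
from __future__ import annotations

import re
from typing import Dict, Tuple

# Methods a proxy of the RFC 2616 era would accept on a request line.
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(1\.[01])$")
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 2616 token
_AUTHORITY = re.compile(rb"^[A-Za-z0-9.\-]+:[0-9]{1,5}$")  # CONNECT host:port


def check_http_request(payload: bytes) -> Tuple[bool, str]:
    """Return (ok, reason).  ok is True only if the payload opens with a
    syntactically valid HTTP/1.x request head (request line + headers)."""
    head_end = payload.find(b"\r\n\r\n")
    if head_end < 0:
        return False, "no end of headers (CRLF CRLF) found"
    head = payload[:head_end]

    # Control or non-ASCII bytes in the head mean this is not HTTP at all:
    # raw binary protocols, an SSH banner followed by key exchange, etc.
    if any((b < 0x20 and b not in (0x0D, 0x0A)) or b > 0x7E for b in head):
        return False, "non-printable bytes in request head"

    lines = head.split(b"\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method, target, version = m.groups()
    if method.decode() not in METHODS:
        return False, "unknown method %s" % method.decode()

    # Request-target: absolute path, absolute URI, '*' for OPTIONS,
    # or host:port for CONNECT.
    if method == b"CONNECT":
        target_ok = _AUTHORITY.match(target) is not None
    elif method == b"OPTIONS" and target == b"*":
        target_ok = True
    else:
        target_ok = target.startswith(b"/") or target.lower().startswith(b"http://")
    if not target_ok:
        return False, "bad request-target"

    names = set()
    for line in lines[1:]:
        name, sep, _value = line.partition(b":")
        if not sep or not _TOKEN.match(name):
            return False, "malformed header line %r" % line
        names.add(name.lower())
    if version == b"1.1" and b"host" not in names:
        return False, "HTTP/1.1 request without Host header"
    return True, "ok"


# Constructed sample payloads as a proxy might see them on port 80.
SAMPLES: Dict[str, bytes] = {
    "plain_get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                 b"User-Agent: constructed-sample\r\n\r\n",
    # SSH banner sent to port 80: never produces an HTTP request head.
    "ssh_banner": b"SSH-2.0-OpenSSH_3.1p1\r\n",
    # Arbitrary binary bytes before the head terminator.
    "binary": b"\x16\x03\x01\x00\x2f\x01\x00\r\n\r\n",
    "bogus_method": b"GIT /repo HTTP/1.1\r\nHost: x\r\n\r\n",
    "bad_header": b"GET / HTTP/1.0\r\nthis is not a header\r\n\r\n",
    # Well-formed POST carrying an opaque body: exactly what an httptunnel-
    # style program emits, and it passes a syntax-only check.
    "http_tunnel": b"POST /cgi-bin/relay HTTP/1.1\r\nHost: relay.example.net\r\n"
                   b"Content-Type: application/octet-stream\r\n"
                   b"Content-Length: 8\r\n\r\n\x00\x01\x02\x03\x04\x05\x06\x07",
}


def audit(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each sample name to whether the proxy would relay it as HTTP."""
    return {name: check_http_request(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        ok, reason = check_http_request(data)
        print("%-13s %-5s %s" % (name, "relay" if ok else "DROP", reason))
```

The last sample is the case the reply warns about: syntax checking stops raw non-HTTP on port 80, but distinguishing a tunnel inside valid HTTP needs payload inspection, which is where the false-positive and processing costs come in.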



RE: Content engine question! [7:43101]

2002-05-02 Thread Kent Hundley

Go to

http://www.cisco.com/go/fn

and search for WCCP version 2

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Magdy H. Ibrahim
Sent: Thursday, May 02, 2002 4:19 AM
To: [EMAIL PROTECTED]
Subject: Content engine question! [7:43101]


Dear All,

I am studying these days how to configure and implement a Cisco Content
Engine 590 on my network...
When I browsed the Cisco online guide I found the following regarding router
configuration for HTTP traffic and WCCP version 2.
I found the following:
"The router or switch must be running a version of IOS that supports the Web
Cache Communication Protocol (WCCP) Version 2."
My question is: how do I know if the router or switch IOS supports the Web
Cache Communication Protocol (WCCP) Version 2?

Please advise me.

Regards,

Magdy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43120&t=43101



RE: Question on VPN [7:43110]

2002-05-02 Thread Kent Hundley

This is possible in a number of different ways, but it really depends on
what VPN hardware and software you will be using, which you didn't specify.

If it's a cisco router to cisco router implementation, you can find an
example here:

http://www.cisco.com/warp/public/707/ios_804.html

If you're talking about using client VPN software, nearly all VPN clients have
the option to use a combination of a shared secret key and a userid/password
combo for authentication, not IP address, so again it should not be a
problem.

You can find information on many Cisco security topics such as VPN by doing
a search on CCO for "security tips".

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Anil Kumar
Sent: Thursday, May 02, 2002 6:12 AM
To: [EMAIL PROTECTED]
Subject: Question on VPN [7:43110]


Hi All,
Need a small clarification on VPN.

One of our customers has a leased line connection to the
Internet at the head office and branch offices at remote
locations. Since it is a leased line, they have obtained a
static IP address from the ISP.
The branch locations will be dialing into the local ISP and
will always be getting a dynamic IP address. Since the
customer wants a secure connection through VPN, is it
possible to establish an IPSEC VPN tunnel between a dialup
connection and the leased line router? If so, please let me
know how this can be attained.

Thanks in advance.

Regards.. Anil Kumar.


=
Thanks & Regards

V Anil Kumar





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43119&t=43110



RE: help is needed! [7:43035]

2002-05-01 Thread Kent Hundley

Place an access-list on the FE interface that only allows traffic with a
source IP of the Squid server.  Configure your clients to use the Squid
proxy.  If you run into issues of users trying to get around your proxy,
it's a matter of policy, not technology, and should be addressed by your
security policy and your management.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
a. ahmad
Sent: Wednesday, May 01, 2002 1:50 PM
To: [EMAIL PROTECTED]
Subject: help is needed! [7:43035]


Dear Members,

We have a 2620 router with a FastEthernet port and a Serial Interface. We just
want that no user traffic should directly go to the router and only the traffic
that is coming through Squid should reach the router. How can we accomplish
this task?

Thank You In Advance!
Ahmad




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43057&t=43035



RE: Pix load balance? [7:42974]

2002-05-01 Thread Kent Hundley

George,

Yes, you can LB PIXen, but there are caveats:

1) PIXes can only do state sharing if one is in failover mode.  If you have
2 active PIXen, you cannot share state so if one PIX fails, all active
sessions on that PIX will drop and have to start over on the other PIX.

2) It's usually not necessary to LB PIXen, they have very high throughput
unless you are using the very low-end boxes, so for most environments it's
better to simply have an active-standby configuration so you get the
state-sharing. (it's also cheaper since you get a discount on the standby
PIX)

However, if you want to LB PIXen anyway, the best practice is to have an
external LB solution like a Cisco content switch, you'll need one on the
inside and outside of the PIX "farm", which can get expensive.  The other
way you could do it is with a routing protocol passed through the PIX from
the outside routers to the inside routers, but you have to be careful that
all your flows go through the same PIX or your sessions will drop since
there will be no state sharing between the PIXen.  You can normally achieve
this by using fast switching on your internal and external routers since the
next hop for destinations is cached for all subsequent packets.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 6:32 AM
To: [EMAIL PROTECTED]
Subject: Pix load balance? [7:42974]


Can you load balance to pix firewalls?
Has anyone done this?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42983&t=42974



RE: ways to seperate IP and IPX traffic? [7:42855]

2002-04-30 Thread Kent Hundley

That is exactly the way I would do it.  In fact, it's probably the only way
to accomplish your goal.  One additional thing to consider is assisting your
client with a migration to 100% IP.  Netware has supported native IP (not
IPX in IP) for some time now, and this is a logical next step. (though not a
trivial one)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven Ridder
Sent: Tuesday, April 30, 2002 10:59 AM
To: [EMAIL PROTECTED]
Subject: Re: ways to seperate IP and IPX traffic? [7:42855]


Believe me, I've confused myself.

What I have is a customer that has a mixed IP/IPX network.  ALL machines are
dual IP/IPX, so those two protocols will be on one switchport.  He is going
to add some servers to the network, but doesn't want IPX on that new network
at all.  And he only wants selective IP machines talking to the servers.

What I think I'll do is just create 2 Vlans, 1 for the dual IP/IPX machines
and 1 for the IP servers.  If a dual IP/IPX machine wishes to speak to an IP
server, they'll have to use IP and be routed over via a L3 device.  I just
want to make sure that the IPX traffic/babble doesn't "leak" onto the IP
only network somehow just because they're on the same switch.   I think with
VLANS, it will be solved, as broadcasts and other babble will never get
there.  But I just want to be sure.

Is my solution the way to go?


From: "Patrick Ramsey"
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: ways to seperate IP and IPX traffic? [7:42855]
Date: Tue, 30 Apr 2002 13:49:36 -0400

what?

Now you've completely lost me!

do you want to tunnel ipx and route to various vlans?

I mean... If you have ipx on 1 interface and ip on the other, and they are
on the same vlan, then you're done.  But they won't route between the two
because they are two different protocols.

If you want them on two separate vlans and want to route between them, then
you're back to square 1 and you have to place ipx and ip on interfaces.

-Patrick

 >>> "Steven A. Ridder"  04/30/02 01:20PM >>>
One more thing, if I can tag IP and IPX, how do I route between the 2 vlans
if one is IP and the other IPX?


""Steven A. Ridder""  wrote in message
news:[EMAIL PROTECTED]...
 > That's exactly what I was looking for, but can you tag IPX.  I kept thinking
 > that you could only tag IP.   Now that I think of it, tagging is L2, so I
 > could tag it, couldn't I?
 >
 >
 > ""Chuck""  wrote in message
 > news:[EMAIL PROTECTED]...
 > > in the old days of vlan switching, there was serious discussion of using
 > > vlans to separate traffic by protocol. set up ports 1,3 and 5 as IP and
 > > ports 2,4, and 6 as IPX. More importantly, put all those renegade AppleTalk
 > > users on their own VLAN so their traffic doesn't bother people with real
 > > work to do ( ;-> )  I don't know if there is serious talk of this any more.
 > >
 > > Is this kinda what you had in mind?
 > >
 > > Chuck
 > >
 > >
 > > ""Steven A. Ridder""  wrote in message
 > > news:[EMAIL PROTECTED]...
 > > > What are some good ways to separate IP and IPX traffic on a LAN?
 > > >
 > > > --
 > > >
 > > > RFC 1149 Compliant.
 > > > Get in my head:
 > > > http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42922&t=42855

RE: CSPM for IDS4210 [7:42788]

2002-04-30 Thread Kent Hundley

Mea culpa. I thought the current version I had was 3.0i, I now see that it
is 2.3.3i.

-Kent

-Original Message-
From: Tim O'Brien [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 10:28 AM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: CSPM for IDS4210 [7:42788]


Kent,

There is no such thing as CSPM 3.0i. There is only an "f" version. To run
IDS you will probably want to run 2.3.3i or wait till IDM (IDS Device
Manager) comes out.

Tim
CCIE 9015


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Tuesday, April 30, 2002 12:53 PM
To: [EMAIL PROTECTED]
Subject: RE: CSPM for IDS4210 [7:42788]


There are different versions of CSPM 3.0.  CSPM 3.0f supports PIX and
routers, CSPM 3.0i supports IDS.  You can read about it here:

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver30/reln30.htm#xtocid2

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 30, 2002 8:26 AM
To: [EMAIL PROTECTED]
Subject: Re: CSPM for IDS4210 [7:42788]


Hello,

On a special request we got CSPM 3.0 FROM Cisco and for your information
CSPM 3.0 does not support IDS. It only supports PIX.


Kind Regards /Thangavel

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall ."
 -- Nelson Mandela






"CiscoEnthuastic"
Sent by: nobody@groupstudy.com
30/04/2002 15:01
Please respond to "CiscoEnthuastic"
To: [EMAIL PROTECTED]
Subject: Re: CSPM for IDS4210 [7:42788]






Unfortunately CSPM 3.0 Eval is not available from CCO even if you have a CCO
account which has the permission to download.
You can only get this software from the VMS 2.0 set.
""Timo Graser""  wrote in message
news:[EMAIL PROTECTED]...
> I just got a IDS 4210 and want to manage it now, where can I download
> a CSPM 3.0 Eval?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42920&t=42788



RE: CSPM for IDS4210 [7:42788]

2002-04-30 Thread Kent Hundley

There are different versions of CSPM 3.0.  CSPM 3.0f supports PIX and
routers, CSPM 3.0i supports IDS.  You can read about it here:

http://www.cisco.com/univercd/cc/td/doc/product/ismg/policy/ver30/reln30.htm#xtocid2

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, April 30, 2002 8:26 AM
To: [EMAIL PROTECTED]
Subject: Re: CSPM for IDS4210 [7:42788]


Hello,

On a special request we got CSPM 3.0 FROM Cisco and for your information
CSPM 3.0 does not support IDS. It only supports PIX.


Kind Regards /Thangavel

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall ."
 -- Nelson Mandela






"CiscoEnthuastic"
Sent by: nobody@groupstudy.com
30/04/2002 15:01
Please respond to "CiscoEnthuastic"
To: [EMAIL PROTECTED]
Subject: Re: CSPM for IDS4210 [7:42788]






Unfortunately CSPM 3.0 Eval is not available from CCO even if you have a CCO
account which has the permission to download.
You can only get this software from the VMS 2.0 set.
""Timo Graser""  wrote in message
news:[EMAIL PROTECTED]...
> I just got a IDS 4210 and want to manage it now, where can I download
> a CSPM 3.0 Eval?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42905&t=42788



RE: Alternatives to Cisco VPN client [7:42604]

2002-04-28 Thread Kent Hundley

The issue isn't with IPSec per se, it's with allowing split tunneling.  If a
user PC becomes compromised via a trojan that allows remote control such as
BackOrifice, Netbus, etc., and you allow split tunneling, then not only can
the attacker control the user's machine, they can use it as a jumping off
point into the corporate network.  If split tunneling is disabled, then
the attacker would not be able to connect to the user's machine while the
user was connected via the VPN.  Personal firewall software can assist with
this, but many corporations still don't allow split tunneling because of
this issue since it is very difficult to keep home users' PCs reasonably
secure.

Regards,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Lidiya White
Sent: Friday, April 26, 2002 3:34 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


If you want your VPN client to have Internet connectivity while the VPN
tunnel is up, the solution is the split tunnel configuration.
PIX will push an access-list to a client, so only traffic between your
private networks will flow through the tunnel, but the rest will go out
to the Internet unencrypted.
I work with Microsoft, Cisco VPN and IRE clients, and I don't really
know what security holes people were talking about. No matter what, when
a computer has a connection to the Internet, it's already a "security
hole" right there. I don't see how adding IPSec on the client, will make
it less secure. As far as decreased security for the LAN behind the PIX,
again, I don't see a major hole there.
As far as Microsoft client goes, it doesn't have as strong encryption as
Cisco client does.

Example:
http://www.cisco.com/warp/public/110/pix3000.html
(search for "split").


-- Lidiya White



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Mark Odette II
Sent: Friday, April 26, 2002 11:20 AM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]

what's the security risk?

(putting on learning cap now... :)  )

Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Louie Belt
Sent: Thursday, April 25, 2002 8:12 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


You are creating a security risk for the other end of the tunnel when you
are using split-tunneling from your client.

louieb



-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 6:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


Thanks for the responses.

I'm aware of split tunneling with a concentrator.  That's not what I want.
I'm looking for something that lets me connect to any IPSEC compliant
endpoint, whether it's a PIX, a router, or a Linux box.  In other words,
the client shouldn't care what it's connecting to.  It should only care
whether the traffic has a destination within the remote network or not.  If
so, send through tunnel, if not, send to Internet.

Hope this helps clarify.

Thanks!
Craig

At 07:39 PM 4/25/2002 -0400, you wrote:
>You can definitely do this using the Cisco VPN client. This is a policy push
>from the concentrator. If you would like split-tunneling you need to enable
>that on the concentrator to allow the clients to do that.
>
>http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
>
>Tim
>CCIE 9015
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Craig Columbus
>Sent: Thursday, April 25, 2002 6:25 PM
>To: [EMAIL PROTECTED]
>Subject: Alternatives to Cisco VPN client [7:42604]
>
>
>Let me preface this by saying that all of my VPN experience has been either
>peer-peer or client to peer with the Cisco VPN client 1.x or 3.x.  Please
>ignore my ignorance if I've missed something obvious.
>
>I've got a major complaint with the Cisco VPN client.  It's not smart
>enough to differentiate local traffic/Internet traffic from VPN
>traffic.  Therefore, you can't browse the Internet and your VPN network at
>the same time.
>I'm looking for alternative software clients that are smart enough to say
>"Ok.  Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
>to be) goes to the tunnel.  If the traffic has any destination other than
>10.x.x.x, it's treated as if the tunnel weren't even present."  This would
>allow my client machine to easily browse the Internet and the VPN remote
>network at the same time.
>I've done some preliminary searches for third-party clients, but don't want
>to waste time trying 50 clients that may not be any good.  I've found some
>for Mac OS X that'll do what I want, but I haven't found one for Win
>9x/ME/NT/2K/XP.
>There's got to be a decent client that does this.
>Sorry for rambling :-)  It's been a long day.
>
>As usual, thanks in advance to everyone.
>
>Craig




Message Posted at:
http:

RE: Alternatives to Cisco VPN client [7:42604]

2002-04-26 Thread Kent Hundley

Craig,

I have done quite a bit of research in this area, and I'm pretty confident
that no product exists that does what you're looking for.  There are plenty of
client side products that can simply peer with an IPSec gateway using a
shared secret or even a certificate, but as far as I have seen there is no
client product that can interoperate with VPN boxes that provide "extras"
such as client authentication based on userid and password and the passing
of routes to the client for split-tunneling.

The problem is that the IPSec standards bodies, in their infinite wisdom,
chose not to address these issues and simply "punted" the problem to the
vendors.  Given this, someone wishing to create a truly universal VPN client
that can handle all the extras not covered in the RFCs would have to make
the client work with each vendor independently, and then keep up with any
vendor changes, no small task obviously.  On top of these other extras one
could add the ability to do "nat transparency", which is currently
completely proprietary by vendor although there are bodies working on this
particular issue.

It's a good area for some smart coders to develop a product, and perhaps
someone will eventually.  Unfortunately, that doesn't really help you right
now. ;-)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Craig Columbus
Sent: Thursday, April 25, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Alternatives to Cisco VPN client [7:42604]


Thanks for the responses.

I'm aware of split tunneling with a concentrator.  That's not what I want.
I'm looking for something that lets me connect to any IPSEC compliant
endpoint, whether it's a PIX, a router, or a Linux box.  In other words,
the client shouldn't care what it's connecting to.  It should only care
whether the traffic has a destination within the remote network or not.  If
so, send through tunnel, if not, send to Internet.

Hope this helps clarify.

Thanks!
Craig

At 07:39 PM 4/25/2002 -0400, you wrote:
>You can definitely do this using the Cisco VPN client. This is a policy
push
>from the concentrator. If you would like split-tunneling you need to enable
>that on the concentrator to allow the clients to do that.
>
>http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/rel3_5_1/admin_gd/vca.pdf
>
>Tim
>CCIE 9015
>
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Craig Columbus
>Sent: Thursday, April 25, 2002 6:25 PM
>To: [EMAIL PROTECTED]
>Subject: Alternatives to Cisco VPN client [7:42604]
>
>
>Let me preface this by saying that all of my VPN experience has been either
>peer-peer or client to peer with the Cisco VPN client 1.x or 3.x.  Please
>ignore my ignorance if I've missed something obvious.
>
>I've got a major complaint with the Cisco VPN client.  It's not smart
>enough to differentiate local traffic/Internet traffic from VPN
>traffic.  Therefore, you can't browse the Internet and your VPN network at
>the same time.
>I'm looking for alternative software clients that are smart enough to say
>"Ok.  Any traffic destined for 10.x.x.x (or whatever you define VPN traffic
>to be) goes to the tunnel.  If the traffic has any destination other than
>10.x.x.x, it's treated as if the tunnel weren't even present."  This would
>allow my client machine to easily browse the Internet and the VPN remote
>network at the same time.
>I've done some preliminary searches for third-party clients, but don't want
>to waste time trying 50 clients that may not be any good.  I've found some
>for Mac OS X that'll do what I want, but I haven't found one for Win
>9x/ME/NT/2K/XP.
>There's got to be a decent client that does this.
>Sorry for rambling :-)  It's been a long day.
>
>As usual, thanks in advance to everyone.
>
>Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42652&t=42604
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: PIX Inside Interface - Secondary IP? [7:42567]

2002-04-25 Thread Kent Hundley

No, you'll need to use a router if you need this capability.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Audy Bautista
Sent: Thursday, April 25, 2002 10:24 AM
To: [EMAIL PROTECTED]
Subject: PIX Inside Interface - Secondary IP? [7:42567]


Is it possible to create a secondary IP address for the inside interface on
a PIX?


Audy Bautista
Network Engineer, IT Services
Hold Brothers On-Line Investment Services, Inc.
(201) 499-8764
[EMAIL PROTECTED]

"A job worth doing is a job worth doing well"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42587&t=42567



RE: Cheap terminal server? [7:42536]

2002-04-25 Thread Kent Hundley

Craig,

I use the STS10 at home and it works great.  I got it off ebay for $70 about
2 years ago and the only problem I had was getting the pinouts right. (it's
not the traditional rollover)  Unfortunately, those boxes are EOL and seem
hard to come by.  You might want to look at xyplex, they have some decent
term servers and based on a quick review on ebay they seem to come pretty
cheap.  The Cisco 516-cs's seem to be more prevalent than the STS10's, but
the prices are generally around $300 bucks which is probably overkill for
what you need.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Craig Columbus
Sent: Thursday, April 25, 2002 6:37 AM
To: [EMAIL PROTECTED]
Subject: Cheap terminal server? [7:42536]


Can anyone recommend a cheap terminal server, used only for reverse telnet
remote management?  I only need three lines and I don't want to spend the
cash on a 2509.  Anyone like the STS10x?  Any other suggestions?

Thanks,
Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42547&t=42536



RE: External Tech support connecting on server - VPN is OK ? [7:42490]

2002-04-24 Thread Kent Hundley

Ah yes, security through obscurity. ;-)

If I would have had to guess, I would have guessed you were using one of the
following VPN products:

1) Cisco
2) Checkpoint
3) Nortel

I would have started with Cisco and assumed either a VPN concentrator or a
PIX. (in your case, I would have hit the first try)

And, let me guess, you're using ESP only (no AH) in tunnel mode with a shared
secret, not certificates.

If I knew what company you worked for, I could probably find your VPN server
with a quick scan. If nothing else, I could just attempt an ISAKMP
connection on every IP address in your range and see what responds.

Bottom line, you're not providing your vendor with any information they
couldn't find with a few minutes worth of work if they wanted to.  I _would_
create the vendor their own group with their own shared secret, no reason to
give them something they can't obtain on their own, but the information you're
revealing is nothing that is not publicly attainable.

In any case, unless you have a password protected modem, by using a modem
you're creating an unauthenticated, probably unaudited backdoor into your
network via modem access, which is never a good idea.  Concentrate your
resources on monitoring the doors you do allow and be draconian in
eliminating all others.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brown, M
Sent: Wednesday, April 24, 2002 4:51 PM
To: [EMAIL PROTECTED]
Subject: External Tech support connecting on server - VPN is OK ?
[7:42478]


I have to allow an external technician to work on a third-party application
on my server.
Two options: Use connection through Modem or VPN Client (Cisco 3000
Concentrator).

I would go with the VPN account, and then at the end of the support work I
would disable the GuestTech account and change its password.

My co-worker argues that he doesn't want to grant VPN account to the techGuy
because that would release our VPN server name and configuration to the
external technician.
So my co-worker prefers that the tech guy sticks to the slow modem
solution.

Your thoughts ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42490&t=42490



RE: Netmeeting [7:42012]

2002-04-19 Thread Kent Hundley

There are some pretty strict requirements for IOS based on the version of
netmeeting being used, you can check out the req's here:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm

If you meet the req's, netmeeting should work.  However, I have had a lot of
problems in the past with netmeeting and similar apps through firewalls
and/or nat, so a solution I have used is to just create a workstation to
workstation tunnel using CIPE.  CIPE is an open source effort to create
software that allows for an encrypted tunnel between any 2 workstations
using only a UDP wrapper and a shared secret key, so it works great even
through firewalls and NAT (the src and dst ports are configurable). In fact,
it's specifically intended to be an app that people can use to create
encrypted tunnels that should work through any NATing device or firewall.

It's available for Unix and Windows, it's easy to install and it works great
on Win2k.  I use it myself to "phone home" to video conference with the
missus as I travel quite a bit.  It works great through nating routers like
a linksys or cisco and in fact, I just used it last night to make a cable
modem to cable modem call.  Here's the link to the windows version:

http://cipe-win32.sourceforge.net/

The documentation is a bit sparse, so contact me offline if you choose to go
this route (no pun intended), and I'll do what I can to assist.  This
solution doesn't scale all that well since it requires configuration on each
ws, but for only a couple of hosts, it may be the path of least resistance
to getting netmeeting to work.

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
JunoGuy
Sent: Friday, April 19, 2002 1:55 PM
To: [EMAIL PROTECTED]
Subject: Netmeeting [7:42012]


Has anyone configured Netmeeting on a Cisco 2600?  I am running 12.1.2T
IP-H323 code.  I have 1 workstation that is running Netmeeting doing
messaging, voice and video conferencing out to the WAN through a NATed
interface.  Video and Teleconferencing do not work past the router towards the
WAN side.  Everything works internal.  Any help would be greatly
appreciated.

JunoGuy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42039&t=42012



RE: Linksys vs. Cisco [7:41829]

2002-04-18 Thread Kent Hundley

Rico,

I would have to agree with the other posts, the Linksys is intended for
Small Office, Home Office, not for a small branch.  It would typically fit
where you have somewhere between 1 and 10 users, not 100.  The Linksys and
other similar routers are clearly intended for the low-end, home user.
While the Linksys boxes function well in the home environment, I would not
deploy them at branch offices for a couple of reasons:

1) Configuration flexibility, they lack the flexibility of higher end
products (for example, you cannot forward non-TCP/UDP traffic and the
support for apps that dynamically assign ports such as netmeeting is very
limited)
2) Hardware robustness, they are very low end gear, which is why they are
inexpensive
3) Support, Linksys is targeted to support end users at their homes, not
corporate environments where you have mission critical business apps

Having said this, you should be aware that you have more choices than just
Cisco or Linksys/SOHO routers.  If you are looking for a small-midsize
VPN/firewall device, you may want to look at products from Nokia and
Netscreen. Both have full blown firewall and VPN capability, and it may be
cost competitive compared to the Cisco 1720.  Of course, a key question is
"who is going to support the solution".  If the local support people only
know Cisco, then Cisco is probably the best choice.  If you are going to do
the support, you should pick a product you are comfortable with but one that
is suitable for a corporate environment.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Rico Ortiz
Sent: Thursday, April 18, 2002 9:02 AM
To: [EMAIL PROTECTED]
Subject: OT: Linksys vs. Cisco [7:41829]


I always thought of Linksys as "Toy" Home (SOHO) solutions. Lately I have
been seeing posts of people using Linksys' VPN solution. What is the
difference between the Linksys VPN Solution (BEFVP41) and Cisco's 1751 VPN
router. I am working on a project and if Cost is the only difference I will
go with the cheaper solution.

Now I am not talking about connecting up major sites with thousands of
users, what we are talking about is a corporate setup with 7-15 Servers and
approx. 100 users accessing the network (not all at the same time).

Is the difference price, packets per second (PPS), or are we just comfortable
with the vendor (CISCO)... Just would like to see what other people think of
these routers.



Rico Ortiz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41916&t=41829



RE: Signature for blocking telnet to SMTP server [7:41565]

2002-04-16 Thread Kent Hundley

Short answer: It's probably going to be impossible to write a signature that
won't give you tons of false positives.  The problem is that there is
virtually no difference between someone manually typing mail commands via
telnet to port 25 and a standard SMTP program sending the same commands.

Long answer: There was an interesting thread on this topic recently on the
firewalls mailing lists.  Go to the archives here:
http://www.nextrieve.com/knowledge/  and search in the firewalls list for
'telnet to port 25' for the year 2002 and you'll find some interesting
tidbits related to trying to distinguish between a manual telnet to port 25
and a connection via an SMTP program.  Bottom line, see the short answer.
;-)

As far as writing custom sigs, see the Cisco docs, they show you how to do
this.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Cisco Breaker
Sent: Monday, April 15, 2002 11:52 PM
To: [EMAIL PROTECTED]
Subject: Signature for blocking telnet to SMTP server [7:41565]


Hi,

Is it possible to block telnet to an SMTP server on port 25 with IDS? I want
to create a custom signature for this but I don't know how this can be done.
If I write a signature beginning with hello it will block all mail traffic
because all of them start with hello as I know.  And are there any
resources that tell how to write a custom signature? We are using CSPM
2.3.3i.

Any help will be appreciated.

Best regards,

Cisco Breaker




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41607&t=41565



RE: silly encryption question [7:41583]

2002-04-16 Thread Kent Hundley

Tom,

It's all about performance.  Public key encryption/decryption such as DH is
about 100-1000 times slower than the same process using shared key
cryptography (it has to do with the type of algorithms required).  Given
this, the standard modus operandi is for two hosts to use public key
cryptography to setup the shared key and then use shared key algorithms such
as 3DES to achieve the best possible throughput for the least number of CPU
cycles on each host.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Tom Monte
Sent: Tuesday, April 16, 2002 5:01 AM
To: [EMAIL PROTECTED]
Subject: silly encryption question [7:41583]


I am studying for my MCNS test.  The Cisco Press book says that
Diffie-Hellman public key encryption is used to create a secure channel to
exchange DES private keys for data encryption.  If Diffie-Hellman is secure
enough to transfer the DES private keys, why not use it to transfer the
data?  This seems silly and needlessly complex.  Can someone explain this?






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41603&t=41583



RE: traffic analyzer [7:41267]

2002-04-13 Thread Kent Hundley

If all that's needed is general traffic trend patterns, things like how much
traffic, what stations are talking to what other stations, protocols in use,
etc, then you can do no better than NTOP: http://www.ntop.org

It has a small footprint, fairly low overhead, gives you RMON type stats
through a nice web gui and much more.  Plus it's open source.  The main
disadvantage is a lack of comprehensive documentation, but there are mailing
lists for help, plus you get the source code.  I'm using it right now for
network trending info and the amount of detail it provides is outstanding.
It's much better than a sniffer for macro level network information.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sean Knox
Sent: Friday, April 12, 2002 1:16 AM
To: [EMAIL PROTECTED]
Subject: RE: traffic analyzer [7:41267]


Agreed. Ethereal beats Sniffer Pro, Etherpeek, or any other sniffer I've
used hands down. Best of all, it's free.

Sean

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Patrick Ramsey
Sent: Thursday, April 11, 2002 11:58 PM
To: [EMAIL PROTECTED]
Subject: Re: traffic analyzer [7:41267]


send a linux box configured with X/ethereal and vnc out there and remote
control it from your end!

-Patrick

>>> supernet  04/12/02 12:42AM >>>
Hi Dear Friends,

I have 1 branch office connected to main office by frame relay. I
noticed a lot of traffic across this link and would like to find out
what they are. The problem is I don't have access to the branch office,
therefore, everything has to be done in main office. I tried sniffer
pro, etherpeek and anasil but they only allow me to specify a particular
source IP, not the whole branch office subnet. Is there any other
software I can use?

Thanks.
Yoshi






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41375&t=41267



RE: OT Question [7:41326]

2002-04-13 Thread Kent Hundley

In the proxy/cache space, the products from Network Appliance are considered
by many, including myself, to be the best of breed.  It meets all of your
listed requirements and is consistently rated high in 3rd party reviews. You
can check out their product line at http://www.netapp.com

As far as integrating with the PIX, no proxy will integrate directly with
the PIX.  The PIX has no built-in ability to work with a proxy, so it will
have no knowledge of the proxy's existence.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Richard Tufaro
Sent: Friday, April 12, 2002 8:53 AM
To: [EMAIL PROTECTED]
Subject: OT Question [7:41326]


Hey guys/gals,

My company is going to be considering buying a Proxy server. Can I get
some feedback on the types of Proxy servers out there that this group is
using and how your experiences with them have been? Only real
considerations:

1. Fast as hell (of course)
2. Integration with NT/2000 AD
3. Easy Web or Console setup and continued maintenance
4. Redundancy options
5. Awesome reporting

Perks would be if it integrates well with PIX.

Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41374&t=41326



RE: Cisco Memory [7:41266]

2002-04-13 Thread Kent Hundley

This is in the list archives: http://www.memoryx.com

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
The Edward Groove
Sent: Thursday, April 11, 2002 9:38 PM
To: [EMAIL PROTECTED]
Subject: Cisco Memory [7:41266]


Has anyone done any research on cheaper, yet compatible memory for the
2500 series routers?  I'm looking for some cheap flash and DRAM for this
line.  Does anyone have any specs--or even better--manufacturer model
names that you've tested that works?

Thanks, in advance...

Eddie







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41338&t=41266



RE: How can you block spam email with NBAR? [7:41029]

2002-04-11 Thread Kent Hundley

AFAIK, you can only block HTTP content using NBAR, although Cisco is working
on adding additional protocols for classifying content.

You can use the IDS features in the IOS to catch some SPAM related mail,
such as the number of recipients in an email message.  Based on this you
could setup your mail gateway to reject mail from certain domains in the
future.  Your best bet is to install a real SMTP gateway filter that will
allow you to block SPAM and emails with certain attachments. (i.e. .exe,
.vbs, .bat, etc)

You can find some open source tools for these sorts of tasks here:

http://www.linux.org/apps/all/Administration/Anti-Spam.html

and here:

http://www.amavis.org/

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
BH
Sent: Wednesday, April 10, 2002 6:29 AM
To: [EMAIL PROTECTED]
Subject: How can you block spam email with NBAR? [7:41029]


Can spam be blocked with NBAR? Perhaps similar to how urls can be blocked
with
match protocol http url "iishack" ?
The match protocol option does not allow any granularity with the smtp
directive.
Thanks!
b




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41217&t=41029



RE: What is the best HyperTerminal program for Linux? [7:41228]

2002-04-11 Thread Kent Hundley

minicom or, the x version, xminicom.  It should be included in most linux
distros.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
hall
Sent: Thursday, April 11, 2002 1:16 PM
To: [EMAIL PROTECTED]
Subject: What is the best HyperTerminal program for Linux? [7:41228]


I'm looking for a good hyperterminal program for linux, if anyone has any
recommendations.

Thanks,

Jeff




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41237&t=41228



RE: How fast do bits travel ? [7:41192]

2002-04-11 Thread Kent Hundley

There are several factors:

1) Clock rate of the line
2) Buffering delay by any intermediary devices such as ATM/FR switches
3) Speed of light

Let's take a simple case and say that there are no layer 2 devices in the
path and only digital cross-connects.  I have read (somewhere) that the
speed of electron transference in copper is a little faster than the speed
of light in fiber over short distance, so use the speed of light in fiber
(roughly .7 X 186,000 miles per second) as the baseline. (note that the
reference given by another poster says the speed of electromagnetic signals
in copper is .66 of the speed of light, which would mean it is slightly
slower than speed of light in fiber, either way it's pretty close to a wash)
Given these assumptions you get:

speed of a single bit = speed of line insertion for 1 bit + speed of light
delay + speed of line removal for 1 bit

speed of line insertion for 1 bit = speed of line removal for 1 bit =
1/clock rate

speed of light delay = number of miles / (.7 * 186000 miles per second)



As an example, for a clock rate of 128Kbps and a distance of 1000 miles:

speed of line insertion and removal for 1 bit = 2 * (1/128000) = .15625
sec = .015625 ms

speed of light delay = 1000 / (.7 * 186000) = .00768 sec = 7.68 ms

7.68 ms + .015625 ms = 7.7 ms (roughly)

Again, this assumes no delay in buffering in the path of any kind.  It also
assumes that there is no congestion at either end of the link.  Bottom line,
keep in mind these are rough numbers, but I think you get the idea.

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Matthew Tayler
Sent: Thursday, April 11, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: How fast do bits travel ? [7:41192]


Ok I have spent ages trying to find an answer to this question, and probably
only added to my confusion. You know how it is you spend ages looking at
something and become snow blind or get tunnel vision or whatever, but I
cannot see the answer to the following:

How far does a bit travel in say 1 second or put another way how long does a
bit take to travel a certain distance ?

I understand, or think I do that if the line is say 128kbps then I can, in
theory at least, expect 128,000 (approx) bits start down that line every
second.

But how long do they take to reach the other end, assuming a point to point
link and both ends being the same speed, obviously.

There has to be a nice simple formula for this somewhere, you know the sort
of thing x= line speed, y = distance z = time etc

Any ideas or pointers would be appreciated

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41210&t=41192
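The delay model Kent works through above (serialization at each end plus speed-of-light propagation), written up as an added example that is not part of the thread. It assumes the thread's figures (186,000 miles/s, 0.7 of that in fiber) and no buffering or queuing anywhere in the path; the frame-level function goes beyond the single-bit case in the post to show how the two terms trade off as line speed and distance change.

```python
"""Link latency as modelled in the thread: serialization delay + propagation
delay. Added example, not code from the original post.

Assumptions (taken from the thread, not measured): light in fiber travels at
0.7 c with c = 186,000 miles per second; no buffering, queuing or congestion
delay anywhere in the path.
"""

SPEED_OF_LIGHT_MILES_PER_S = 186_000.0   # c in vacuum, the thread's figure
FIBER_FACTOR = 0.7                       # fraction of c in fiber, per the thread


def serialization_ms(clock_bps: float, bits: int = 1) -> float:
    """Time to clock `bits` bits onto (or off) a line running at `clock_bps`,
    in milliseconds. For one bit this is simply 1 / clock rate."""
    if clock_bps <= 0:
        raise ValueError("clock rate must be positive")
    return bits / clock_bps * 1000.0


def propagation_ms(miles: float, factor: float = FIBER_FACTOR) -> float:
    """Speed-of-light delay over `miles` of fiber, in milliseconds."""
    return miles / (factor * SPEED_OF_LIGHT_MILES_PER_S) * 1000.0


def one_bit_delay_ms(clock_bps: float, miles: float) -> float:
    """The post's formula for a single bit:
    insertion (1/clock) + speed-of-light delay + removal (1/clock)."""
    return 2 * serialization_ms(clock_bps, 1) + propagation_ms(miles)


def frame_delay_ms(clock_bps: float, miles: float, frame_bytes: int) -> float:
    """Generalization beyond the post: time until the *last* bit of a whole
    frame arrives. The sender needs frame_bits / clock to put the frame on
    the wire, then the last bit still has to propagate the full distance."""
    return serialization_ms(clock_bps, frame_bytes * 8) + propagation_ms(miles)


def breakdown(clock_bps: float, miles: float, frame_bytes: int) -> dict:
    """Split a frame's one-way delay into its two components so you can see
    which one dominates: serialization on slow lines, propagation on long
    ones. Fractions sum to 1.0."""
    ser = serialization_ms(clock_bps, frame_bytes * 8)
    prop = propagation_ms(miles)
    total = ser + prop
    return {
        "serialization_ms": ser,
        "propagation_ms": prop,
        "total_ms": total,
        "serialization_share": ser / total,
        "propagation_share": prop / total,
    }


if __name__ == "__main__":
    # The post's worked case: 128 kbps over 1000 miles, one bit.
    print(f"one bit, 128 kbps, 1000 mi: {one_bit_delay_ms(128_000, 1000):.4f} ms")

    # Constructed comparison cases (not from the thread): same 1500-byte frame
    # over a slow short link versus a fast long one.
    for label, clock, miles in [
        ("128 kbps, 100 mi", 128_000, 100),
        ("128 kbps, 1000 mi", 128_000, 1000),
        ("100 Mbps, 1000 mi", 100_000_000, 1000),
        ("100 Mbps, 3000 mi", 100_000_000, 3000),
    ]:
        b = breakdown(clock, miles, 1500)
        print(f"{label:>18}: total {b['total_ms']:8.3f} ms "
              f"(serialization {b['serialization_share']:.0%}, "
              f"propagation {b['propagation_share']:.0%})")
```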



RE: configure VPN on PIX which behind PAT router [7:41090]

2002-04-11 Thread Kent Hundley

You could, if the PIX supported NAT transparency for IPSec like the VPN 3000
does.  Unfortunately, this feature is not yet available.  My SE tells me it's
on the road map for inclusion sometime this year, but there are no firm
dates yet.

Your other option would be to get rid of the cayman router, but you probably
would need PPPoE support on the PIX for your DSL connection, which according
to the 6.1.3 release notes is also not an option yet. (if you don't need
PPPoE, I'd get rid of the Cayman right now)  Otherwise, you'll have to wait
for PPPoE support in the PIX, which should be in the next major release.

The only option I see for you without using different hardware is to use
PPTP as an interim solution.  You'll need to allow certain ports and
protocols through the Cayman.  Here's a link that shows what you need, it's
for the PIX but you can adapt it for the Cayman:

http://www.cisco.com/warp/public/110/pix_pptp.html

Then you'll need to configure the PIX to support PPTP:

http://www.cisco.com/warp/public/110/pptppix.html

Keep in mind that PPTP is not as secure as IPSec.  Some of the problems with
PPTP were addressed by MS with MSCHAP-2, but there are still issues.  I
would only use this as a short term solution.  You can read about the
problems with PPTP here:

http://www.counterpane.com/pptpv2-paper.html


HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Xuhui martin1
Sent: Wednesday, April 10, 2002 6:34 PM
To: [EMAIL PROTECTED]
Subject: Re: configure VPN on PIX which behind PAT router [7:41090]


Thanks Mike. You are 100% correct when you describe my limitations. Well, I
am doing something " Mission Impossible".
I have setup the PIX firewall without NAT. It's the Cayman Router that did
the PAT. And I did a Pinhole on the Cayman router to the mail server which is
behind the firewall. Everything works fine, except the VPN, I want to have
some ideas first before I try to configure it.
I know that on Cisco VPN Client, we can configure the IPsec over UDP or TCP.
I wonder if there is additional configuration on the PIX firewall as well to
support the UDP or TCP port 1. Because the VPN connection is always
initialized by the client, if client use the IPSec over UDP or TCP, in
theory I could configure the Cayman router to Pinhole port 1 to PIX ip
address.

Please correct me if I am wrong.

Daniel

""Mark Odette II""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Daniel- I may be clueless to some fancy configuration on PAT, but it is my
> belief from my experience that you can't do what you're trying to do.
>
> Your Limitations are:
> 1. The Cayman Router (It only Does PAT itself, and doesn't have the ability
> to terminate VPNs- It can only PASS Thru the IPSEC Traffic.)
> 2. The fact you only have 1 IP address for public use.
>
> From my understanding, with the release of PIX 6.1 code, you can configure
> "Dynamic NAT" on the PIX so that if you only get one IP address
Dynamically,
> you can use the PIX Outside Interface (not the IP itself) as a nat point
> between the Public IP and ONE Host on the inside network; this also
applies
> if you only get one Static IP from your ISP.  You can't use that one IP to
> PAT port 80 to one inside network host and port 25 to a different inside
> network host.  To make this work though, you have to replace the Cayman
DSL
> Router with a regular DSL Modem that you connect the DSL Modem's Ethernet
> Port to the Outside Interface of the PIX- or plug the outside interface
and
> the ethernet interface of the DSL Modem to a "Secure" Hub/Switch, i.e.,
> nothing else plugs into that hub/switch too.
>
> If you want to support NATing to multiple hosts on the Inside Network, you
> are going to have to get more Static IPs assigned to you by the ISP.
>
>
> Now of course, if I'm way off base, somebody else will correct me, I'm sure
> :)
>
> HTHs
> -Mark
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Daniel Ma
> Sent: Wednesday, April 10, 2002 3:35 PM
> To: [EMAIL PROTECTED]
> Subject: configure VPN on PIX which behind PAT router [7:41090]
>
>
> I am configuring a PIX firewall behind a Cayman DSL router. The whole
> network only has one public IP address which is on the DSL interface. I
need
> to configure the PIX firewall for the remote VPN clients.
> My solution is to encapsulate all IPSEC traffic with TCP 1, or UDP
> 1, so the Cayman router could be configured Pinhole the port 1 to
> the PIX outside interface. But I could not find documents on how to
> configure it.
> It will be greatly appreciated if anyone could help me out, or probably
you
> have better solutions.
>
> Thanks,
>
> Daniel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41191&t=41090

RE: Cisco VPN Client & PIX [7:40670]

2002-04-10 Thread Kent Hundley

I haven't tested it, but according to the Linksys release notes, they
support IPSec passthrough for multiple IPSec tunnels beginning in version
1.42.3 released Jan 25, 02.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Fly Ers
Sent: Tuesday, April 09, 2002 6:29 PM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN Client & PIX [7:40670]


I didn't see an update on this, but unless there has been an upgrade to the
linksys, it will only pass 1 Ipsec tunnel.  If there is an existing
connection, and another is attempted, the original one will be dropped.
There are some higher end (higher priced) firewall devices that will pass a
large number of tunnels.  How many clients are you trying to terminate?
You might think about a pix 501.

hope this helps


>From: "Curious"
>Reply-To: "Curious"
>To: [EMAIL PROTECTED]
>Subject: Re: Cisco VPN Client & PIX [7:40670]
>Date: Sat, 6 Apr 2002 12:48:48 -0500
>
>Clients are behind Linksys Cable/DSL router and in the office we have PIX
>515.
>PIX assigns IP address from Local IP address Pool.
>
>""Curious""  wrote in message
>[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > I am using Cisco VPN Client to connect with my Office PIX 515 firewall
>over
> > IPSEC 3DES encryption. My connection is dropping automatically. It is not
> > because of idle time out or maximum time out. it happens randomly. If
>some
> > one has any information on it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41063&t=40670



RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Kent Hundley

Mark,

Typically the alias command is used when:

1) You have overlapping addresses, i.e., you're using 10 net addressing and you
have to connect to someone else who is also using 10 net addressing (this is
done through DNS "doctoring") Or you have a split DNS. (see below)

2) You want to translate the dst address of packets going from inside to
outside on the PIX.

If you have a situation where your DNS is external and your servers are
internal, you probably don't want the internal hosts accessing the internal
servers using their external address. In order for the DNS replies to give
the internal hosts the internal address of the servers, you would use the
alias command to alter the reply to the internal hosts.

This comes into play when you have what is typically called a "split-brain"
DNS.  The external DNS can only resolve hosts which are accessible from the
outside.  The internal DNS forwards to the external for name resolution of
externally accessible hosts.  Since the DNS resolution yields an externally
reachable address, you would use the alias to make sure that the internal
hosts use the internal IP while the external hosts use the external IP.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mark Odette II
Sent: Tuesday, April 09, 2002 8:38 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Kent- What if you have your DNS Server(s) (resolving Public addresses for
the Web/Mail/Etc.), your Web Server, and Mail Server on the inside of the
PIX with all of them running RFC1918 addresses, and you want both inside and
outside sourced traffic (Any Any) to reach the Web or Mail Server?  Is the
Alias command used for the inside hosts to reach the servers when resolving
to the Public Addresses only??

Forgive my ignorance... I'm just catching back up on my PIX studies, and see
where the above scenario comes into play on a regular basis for small/medium
networks where the Business/Organization hosts their own DNS and has their
ISP provide Secondary DNS for them.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kent Hundley
Sent: Tuesday, April 09, 2002 9:53 AM
To: [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you
say "So, I do want everyone to access the web server at ip address
xxx.yyy.115.190", these seem like contradictory statements to me unless you're
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be "doctored" so that the web
server's IP would appear to internal clients as 172.20.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interface of the PIX and the web
server's DNS name resolves to xxx.yyy.115.190)

If you want an external host to access the web server, you're going to have to
modify your conduit statement(s).

Regards,
Kent

-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Please don't think I'm being argumentative, I'm trying to explain the
configuration I have and what I'm trying to accomplish.  This is coming
from my understanding and concept, which I am starting to think is way off
base.  What really throws me is that this configuration is working at
another site and at this site with my PIX 506 running Ver 5.1, just not
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type
of a configuration first and just assumed it's the norm, when in fact it
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone
does a DNS lookup for the www.domainname it resolves to
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the
domainname has a public address of xxx.yyy.115.190 the actual ip address of
the server is 172.20.21.241.  That's where the static and conduit commands
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because
of the static statement) and sends it to 172.20.2
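Kent's description of DNS doctoring by the alias command, modelled in Python as an added example (not code from the thread or from Cisco). It implements the two effects of one alias line: rewriting the A record of a reply that arrives on the inside interface, and translating the destination of inside packets sent to the dnat address. 192.0.2.190 stands in for the xxx.yyy.115.190 of the posts, the netmask form also covers the overlapping-network case Kent lists first, and the DNS message is constructed inline.

```python
"""Model of the PIX 'alias' command in the split-DNS case from the thread
(added example, not code from the posts or from Cisco):
    alias (inside) 172.20.21.241 192.0.2.190 255.255.255.255
192.0.2.190 is a constructed stand-in for the xxx.yyy.115.190 of the posts.
A reply's A record for the foreign (public) address is rewritten to the dnat
(inside) address; an inside packet to the dnat address goes to the foreign one."""
import ipaddress
import struct

class AliasTable:
    """One entry per 'alias (if_name) dnat_ip foreign_ip [netmask]' line."""

    def __init__(self):
        self._entries = []                      # list of (dnat_net, foreign_net)

    def add(self, dnat_ip, foreign_ip, netmask="255.255.255.255"):
        dnat = ipaddress.ip_network(f"{dnat_ip}/{netmask}", strict=False)
        foreign = ipaddress.ip_network(f"{foreign_ip}/{netmask}", strict=False)
        self._entries.append((dnat, foreign))

    @staticmethod
    def _remap(ip, src_net, dst_net):
        # keep the host part of ip, swap the network part (matters for /24 aliases)
        offset = int(ip) - int(src_net.network_address)
        return str(ipaddress.ip_address(int(dst_net.network_address) + offset))

    def doctor_address(self, addr):
        """DNS doctoring: foreign address seen in a reply -> dnat address."""
        ip = ipaddress.ip_address(addr)
        for dnat, foreign in self._entries:
            if ip in foreign:
                return self._remap(ip, foreign, dnat)
        return addr

    def translate_destination(self, dst):
        """Destination NAT: inside packet to the dnat address -> foreign address."""
        ip = ipaddress.ip_address(dst)
        for dnat, foreign in self._entries:
            if ip in dnat:
                return self._remap(ip, dnat, foreign)
        return dst

def _encode_name(name):
    """Wire-format DNS name: length-prefixed labels and a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def _skip_name(msg, off):
    """Offset just past the (possibly compressed, RFC 1035 4.1.4) name at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:               # 2-byte pointer ends the name
            return off + 2
        off += 1 + length

def build_a_reply(name, addr, txid=0x1234):
    """Construct a minimal DNS response carrying one A record (sample data)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    question = _encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, class IN
    # the answer's owner name is a pointer back to the question name at offset 12
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + answer + ipaddress.ip_address(addr).packed

def _a_record_offsets(msg):
    """Yield the offset of each A-record RDATA field in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4                          # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            yield off
        off += rdlen

def a_records(msg):
    """Addresses of the A records in a DNS message, in order."""
    return [str(ipaddress.ip_address(bytes(msg[o:o + 4]))) for o in _a_record_offsets(msg)]

def doctor_dns_reply(msg, table):
    """Rewrite the A records of a reply the way the PIX does for the alias table."""
    out = bytearray(msg)
    for off in _a_record_offsets(msg):
        addr = str(ipaddress.ip_address(bytes(msg[off:off + 4])))
        out[off:off + 4] = ipaddress.ip_address(table.doctor_address(addr)).packed
    return bytes(out)

if __name__ == "__main__":
    table = AliasTable()
    table.add("172.20.21.241", "192.0.2.190")
    reply = build_a_reply("www.example.com", "192.0.2.190")   # as the outside DNS sends it
    print("outside DNS answered:", a_records(reply))
    print("inside client sees:  ", a_records(doctor_dns_reply(reply, table)))
    print("inside -> 172.20.21.241 leaves as ->", table.translate_destination("172.20.21.241"))
```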

RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-09 Thread Kent Hundley

Robert,

Ok, I'm more confused than before. :-)

You say "I do want any outside host to access the web server" and then you
say "So, I do want everyone to access the web server at ip address
xxx.yyy.115.190", these seem like contradictory statements to me unless you're
saying you want only _internal_ hosts to access the web server, but use its
external address?

Let's keep it simple:

1) What source IP addresses do you want to have access to the web server?
Are they on the inside of the PIX or the outside of the PIX or both?

2) Where is your DNS server?  It appears that it is on the outside of the
PIX, correct?

3) Are you saying that you cannot have the internal hosts access the web
server by its internal IP address? I don't see why that would be the case.
Using the alias command, the DNS replies would be "doctored" so that the web
server's IP would appear to internal clients as 172.20.21.241 and they
should just go directly to that address without having to go to the PIX.
(this assumes the DNS is on the external interface of the PIX and the web
server's DNS name resolves to xxx.yyy.115.190)

If you want an external host to access the web server, you're going to have to
modify your conduit statement(s).

Regards,
Kent

-Original Message-
From: Robert T. Repko (R Squared Consultants) [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 07, 2002 8:35 PM
To: Kent Hundley; [EMAIL PROTECTED]
Subject: RE: Cisco PIX question, static, conduit, and alias [7:40722]


Please don't think I'm being argumentative, I'm trying to explain the
configuration I have and what I'm trying to accomplish.  This is coming
from my understanding and concept, which I am starting to think is way off
base.  What really throws me is that this configuration is working at
another site and at this site with my PIX 506 running Ver 5.1, just not
with their PIX running Ver 4.1.4.  Maybe that's my problem, I saw this type
of a configuration first and just assumed it's the norm, when in fact it
may be a kludge.

Now to answer your questions.
I do want any outside host to access the web server.
The public address for the web server is xxx.yyy.115.190.  When someone
does a DNS lookup for the www.domainname it resolves to
xxx.yyy.115.190.  Therefore the host goes to xxx.yyy.115.190.  While the
domainname has a public address of xxx.yyy.115.190 the actual ip address of
the server is 172.20.21.241.  That's where the static and conduit commands
come in to play.  The PIX accepts the address of xxx.yyy.115.190 (because
of the static statement) and sends it to 172.20.21.241 (I would use the
term routes it to 172.20.21.241 but I am afraid it would cause further
confusion ... to me).  So, I do want everyone to access the web server at
ip address xxx.yyy.115.190.  But that one address goes to 172.20.21.241.

If I don't use the alias command then the internal hosts can not see the
servers for which I have a conduit built, ie: web and mail servers.  When
the internal host performs DNS on their own name they are unable to get to
that server.  With the alias they are able to get to the server.  I'm not
sure I understand why, I just know that is what's happening.

I don't know if that clarifies anything.

At 4/7/2002 06:31 PM, Kent Hundley reminisced:
>Robert,
>
>Your conduit command doesn't look right.  Typically you want to allow any
>outside host to access the inside host specified in the conduit.  You can
>specify 'any' by using 0.0.0.0 or 0:
>
>
>conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0
>
>Also, I'm not sure what you're trying to accomplish with those alias commands:
>
>alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
>
>You're telling the PIX to translate dst address 172.20.21.241 to
>xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
>back to the same inside address?  Typically the internal hosts would just go
>directly to the 172.20.21.241 address without having to go through the PIX
>in the first place.
>
>HTH,
>Kent
>
>-Original Message-
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
>Robert T. Repko (R Squared Consultants)
>Sent: Saturday, April 06, 2002 8:23 PM
>To: [EMAIL PROTECTED]
>Subject: Cisco PIX question, static, conduit, and alias [7:40722]
>
>
>I am having a problem getting to the inside Mail/Web servers from the
>outside and I can't determine why.
>
>I'm replacing an old Cisco 7000 router with a new 7206 VXR.  I'm also
>reconfiguring the way their PIX was setup.  The servers were configured
>with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
>which made them vulnerable.  I am moving them to an inside address and
>building a conduit from the outside to the inside.
>
>In order to leave their old netw

RE: port mirroring and vlans [7:40816]

2002-04-08 Thread Kent Hundley

Priscilla is correct: normally a span only shows unicast for the VLAN on the
switch where the span is enabled plus any bcast or mcast from other switches
that have active ports in the VLAN in question.  However, there is a "remote
span" capability that has been added to the 6000 series in 5.3 code that
does allow you to see the traffic for an entire vlan from any switch in the
net:

http://www.cisco.com/warp/public/473/41.html#remote

Regards,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Monday, April 08, 2002 10:06 AM
To: [EMAIL PROTECTED]
Subject: RE: port mirroring and vlans [7:40816]


At 12:15 PM 4/8/02, Michael Williams wrote:
>AFAIK, if you have two switches connected via a trunk link and you mirror
>VLAN1 to a port, you should see all of the traffic in VLAN1 (i.e. from all
>switches involved in that VLAN).

Only traffic that actually crosses the mirrored port, though, right?
Broadcast /multicast traffic for the VLAN as well as traffic directed to
ports on the switch doing mirroring that are in VLAN 1.

I got the impression he thought he was going to see traffic on other
switches that happened to have ports in VLAN 1 too. I doubt that's true.
Think of all the extra work you would be requiring of the switches.

Priscilla

>  You'll probably run into a situation where
>all of the traffic in VLAN1 will overrun your mirror port (which on a busy
>switch isn't hard to do).  We have two 5500s trunked together, and we span
>(mirror) a port on a VLAN quite frequently.
>
>Mike W.


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40860&t=40816



RE: Hardening Ports? [7:40852]

2002-04-08 Thread Kent Hundley

Charlie,

As others noted, it depends on your OS.  I would recommend doing a search on
google for "your OS"+hardening.  You'll probably find what you're looking for.
Also consult your vendor's web site and http://www.sans.org for more info.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Charlie
Sent: Monday, April 08, 2002 12:51 PM
To: [EMAIL PROTECTED]
Subject: Hardening Ports? [7:40852]


Hello, all :-)

I was hoping one (or many) of you could help me with a question I have: how
do I lock-down ports on a server?  I know how to lock them down on firewalls
and routers, but how to do it on a server is my question.  I know it's a
general question but any assistance would be most appreciated.

Truly,
Charlie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40861&t=40852



RE: Core layer question [7:40535]

2002-04-08 Thread Kent Hundley

Looking at the traffic should not slow anything down.  The IDS blade has its
own processor and is a completely separate device from the sup.  If
anything, the IDS blade may not be able to keep up with the traffic and you
may miss some traffic for inspection, i.e. the IDS blade might not catch all
attacks.  This has nothing to do with the sup's or MSFC's ability to move
packets.

Access-lists are different in that they are actively inserted in the data
path.  An IDS is essentially a glorified sniffer.  No sniffer, or IDS for
that matter, that I have worked with has ever had any effect on traffic
flows.  It is a watcher only and does not influence the traffic flow.  Does
that mean that it is impossible that an IDS blade would affect traffic?  No
it doesn't, but it does mean that it would be a very significant bug and
absolutely should not happen.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Sunday, April 07, 2002 3:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Core layer question [7:40535]


I've always understood that anything in the core (access-lists, FW blades,
IDS modules, etc. ) is a bad design as it just slows down traffic as the
core is built for speed.  I was always told to move everything to the distro
or access-layer, depending on the function.  AFAIK, the IDS blades have to
look at all traffic, which could slow down core, and this core is for a
global bank on Wall St.  If it's not done right now, when they expand later
this year, the network will suck.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


""Kent Hundley""  wrote in message
news:[EMAIL PROTECTED]...
> It's not a bad idea to have an IDS blade in the core, but if you have to
> pick either the DMZ and server blocks or the core, I would choose the
> former.  Having an IDS blade in the core should not affect any other
> processing of the switch since it's a completely self contained module with
> its own processor. (course, murphy is always lurking)
>
> It's also a good idea to have redundant sup's, but cost may be a factor as
> well.  One can only have as much redundancy as your pocket book allows, and
> sup's aren't cheap. :-)
>
> Regards,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Steven A. Ridder
> Sent: Thursday, April 04, 2002 2:20 PM
> To: [EMAIL PROTECTED]
> Subject: Core layer question [7:40535]
>
>
> Has anyone ever designed a network and put either a firewall or IDS blade in
> the core switch block?  Even if the customer had no money, wouldn't this
> never be advisable?  Has anyone ever done it?
>
> As background for the questions, I started a new job, and so I took over
> some accounts, and whoever has been doing the configs (I think some have
> been coming from Cisco!) has been making mistakes here and there.  One
> proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and this
> one has a wan block going back to the core block (dual 6506's) with only 1
> sup in each and an IDS blade in each!  Isn't it advisable to move the IDS's
> to the server and DMZ blocks?  Also, isn't it always advisable to go with 2
> sups?
>
> I just want to make sure I'm not crazy, as I'd not like to cause a ton of
> waves my first week on the job.
>
> --
>
> RFC 1149 Compliant.
> Get in my head:
> http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40812&t=40535



RE: Core layer question [7:40535]

2002-04-07 Thread Kent Hundley

It's not a bad idea to have an IDS blade in the core, but if you have to
pick either the DMZ and server blocks or the core, I would choose the
former.  Having an IDS blade in the core should not affect any other
processing of the switch since it's a completely self contained module with
its own processor. (course, murphy is always lurking)

It's also a good idea to have redundant sup's, but cost may be a factor as
well.  One can only have as much redundancy as your pocket book allows, and
sup's aren't cheap. :-)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Thursday, April 04, 2002 2:20 PM
To: [EMAIL PROTECTED]
Subject: Core layer question [7:40535]


Has anyone ever designed a network and put either a firewall or IDS blade in
the core switch block?  Even if the customer had no money, wouldn't this
never be advisable?  Has anyone ever done it?

As background for the questions, I started a new job, and so I took over
some accounts, and whoever has been doing the configs (I think some have
been coming from Cisco!) has been making mistakes here and there.  One
proposal had a 500 phone IP Tel network running over Cat. 3 wiring, and this
one has a wan block going back to the core block (dual 6506's) with only 1
sup in each and an IDS blade in each!  Isn't it advisable to move the IDS's
to the server and DMZ blocks?  Also, isn't it always advisable to go with 2
sups?

I just want to make sure I'm not crazy, as I'd not like to cause a ton of
waves my first week on the job.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40765&t=40535



RE: Cisco PIX question, static, conduit, and alias [7:40722]

2002-04-07 Thread Kent Hundley

Robert,

Your conduit command doesn't look right.  Typically you want to allow any
outside host to access the inside host specified in the conduit.  You can
specify 'any' by using 0.0.0.0 or 0:


conduit (inside,outside) xxx.yyy.115.172 25 tcp 0 0

Also, I'm not sure what you're trying to accomplish with those alias commands:

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255

You're telling the PIX to translate dst address 172.20.21.241 to
xxx.yyy.115.190, which in turn has a static to translate xxx.yyy.115.190
back to the same inside address?  Typically the internal hosts would just go
directly to the 172.20.21.241 address without having to go through the PIX
in the first place.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Robert T. Repko (R Squared Consultants)
Sent: Saturday, April 06, 2002 8:23 PM
To: [EMAIL PROTECTED]
Subject: Cisco PIX question, static, conduit, and alias [7:40722]


I am having a problem getting to the inside Mail/Web servers from the
outside and I can't determine why.

I'm replacing an old Cisco 7000 router with a new 7206 VXR.  I'm also
reconfiguring the way their PIX was setup.  The servers were configured
with outside addresses (the PIX had a 'nat 0 xxx.yyy.115.0' statement)
which made them vulnerable.  I am moving them to an inside address and
building a conduit from the outside to the inside.

In order to leave their old network up and running while I configured the
7206VXR, I used my PIX 506 (Ver 5.x) for configuration purposes.  I had
everything configured and working.  Then over the Easter holiday I
configured their PIX trying to use the same statements that I had in my PIX
506.  This is where I ran into problems.  Since they are running such an
old version (Ver 4.1.4) of the IOS I could not use the same exact
commands.  I'm not as familiar with the PIX 4.1.4 commands and obviously
have something stated incorrectly.  Below I have what I believe to be the
pertinent information from both the 7206 and PIX.  Can someone tell me
where I went wrong.  The xxx.yyy represent the same 2 octets through out
both configs.  Any help greatly appreciated.

Cisco 7206 VXR

interface FastEthernet0/1
  description ** Firewall Connection (inside area)**
  ip address xxx.yyy.115.18 255.255.255.240 secondary
  ip address 172.20.19.3 255.255.255.0

ip route 0.0.0.0 0.0.0.0 xxx.yyy.253.129 !(points to the ISP)
ip route xxx.yyy.115.0 255.255.255.0 xxx.yyy.115.17 !(points to the PIX)


Cisco PIX 4.1.4 (this is just a PIX, not a PIX 515 or 525)

interface 0: ip address outside xxx.yyy.115.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0

global (outside) 1 xxx.yyy.115.14-xxx.yyy.115.14
global (outside) 1 xxx.yyy.115.7-xxx.yyy.115.13

static (inside,outside) xxx.yyy.115.172 172.20.18.172 0 255
static (inside,outside) xxx.yyy.115.190 172.20.21.241 0 255

conduit (inside,outside) xxx.yyy.115.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.172 110 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) xxx.yyy.115.190 80 tcp 172.20.21.241 255.255.255.255

alias (inside) 172.20.21.241 xxx.yyy.115.190 255.255.255.255
alias (inside) 172.20.18.210 xxx.yyy.115.174 255.255.255.255
alias (inside) 172.20.18.172 xxx.yyy.115.172 255.255.255.255

route outside 0.0.0.0 0.0.0.0 xxx.yyy.115.18 1
route inside 192.168.0.0 255.255.0.0 172.20.19.3 1
route inside 172.21.0.0 255.255.0.0 172.20.19.3 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
route inside 172.16.0.0 255.255.0.0 172.20.19.3 1


***
* Robert T. Repko - R Squared Consultants        | Voice: (610) 253-2849       *
* Serving the Computing World for 20 years       | Fax: (610) 253-0725         *
* NT/UNIX/MAC Networking, Cisco Routers/Switches | Internet: [EMAIL PROTECTED] *
* Custom Programming                             | Address: 4 Juniper Ave.     *
* NJDOE Provider ID#: 763 | SPIN: 143010681      | Easton, PA 18045            *
***




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40764&t=40722



RE: PIX Question !!! [7:40465]

2002-04-05 Thread Kent Hundley

Avi,

You have a few things in your config that look strange:

1) static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255

This creates a static with the outside address of 192.168.2.13, which you
indicate is your router's IP address, and an inside address of 216.6.24.129,
which you indicate is your inside PIX interface.  This makes no sense.  A
static translation is used to create a new address on the outside that is
not currently in use by any device to map to an inside end device, such as a
server.  I don't understand what you are trying to do with this command and
this may be the cause of your problem.

2) route inside 0.0.0.0 0.0.0.0 216.6.24.129 1

You are pointing the PIX's inside default route to its own interface?  I
don't see what you are trying to accomplish by doing this, if there is no
inside router you should just leave off the route inside command.

3) You say outside hosts are able to reach 216.6.24.130, do you mean they
are able to ping the host?  If the outside hosts can ping the inside host,
the inside host should be able to ping the outside hosts since you have a
conduit permit icmp any in your config.  If the .130 host is a unix box,
sometimes they try to resolve names during ping, so it may be that your ping
is failing because name lookups are failing.  Just a guess.

It looks like something is not correct with your static command, so I would
fix that first.  Also, you are running a very old version of code at 4.4,
you are 2 major releases behind, so there may also be some weird bug present
in this code rev, I would strongly consider upgrading the code to current
levels.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Avi
Sent: Thursday, April 04, 2002 9:01 AM
To: [EMAIL PROTECTED]
Subject: PIX Question !!! [7:40465]


Hi,

I am facing a problem on PIX 515 as described  below.
Firewall: Cisco PIX 515
Firewall Software Version: 4.4(7)

PIX setup:
-


  H - 216.6.24.130  255.255.255.192
   |
   |Public Accessed Servers (216.6.24.0 - Public addresses)
   |
   | - 216.6.24.129  255.255.255.192
PIX
   | - 192.168.2.14 /30
   |
   |
   | - 192.168.2.13 /30
  R
   | - 192.168.2.6 /30
   |
   |
   | - 192.168.2.5 /30
  R   (ISP Router)
   |
   |
   |Proxy Server
   |  192.118.52.54

Following is the config:
--
PIX Version 4.4(7)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd AoM2ZahaIYl9kEoj encrypted
hostname nungunungu
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
pager lines 24
logging on
no logging timestamp
no logging console
no logging monitor
no logging buffered
no logging trap
logging facility 20
logging queue 512
interface ethernet0 auto
interface ethernet1 100basetx
mtu outside 1500
mtu inside 1500
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
no failover
failover timeout 0:00:00
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
arp timeout 14400
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit tcp host 216.6.24.186 eq smtp any
conduit permit tcp any host 192.118.52.54 eq www
conduit permit icmp any any
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp
conduit permit tcp host 216.6.24.189 host 216.6.24.5 eq ftp-data
conduit permit tcp host 216.6.24.185 host 216.6.24.40 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq smtp
conduit permit tcp host 216.6.24.185 host 216.6.24.19 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.10 eq 5001
conduit permit tcp host 216.6.24.185 host 216.6.24.5 eq 5001
conduit permit tcp host 216.6.24.184 host 216.6.24.21 eq 3306
conduit permit tcp host 216.6.24.184 host 216.6.24.28 eq 3306
conduit permit tcp host 216.6.24.10 eq domain any
conduit permit tcp host 192.118.52.54 eq 8080 any
conduit permit tcp host 192.118.52.54 eq 3180 any
conduit permit tcp host 192.118.52.54 eq www any
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community mic-test-03
no snmp-server enable traps
telnet 216.6.24.16 255.255.255
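The points Kent raises against Robert's PIX 4.1.4 config and Avi's PIX 4.4(7) config above, turned into a small config checker as an added example (not code from the posts or from Cisco). It parses the posted static, conduit, alias and route lines and flags a static whose local address is the PIX's own interface or whose global address is the outside next hop, a route through the PIX's own address, a second default route, a conduit whose only permitted source is the server itself, and an alias that mirrors a static. The sample configs are constructed from the posted lines with xxx.yyy replaced by the 192.0.2 documentation prefix; the finding codes are names chosen here.

```python
"""Checks for the PIX 4.x static/conduit/route mistakes Kent points out in the
two threads above (added example, not Cisco's or the posters' code). The sample
configs are built from the posted lines with xxx.yyy replaced by the 192.0.2
documentation prefix; the finding codes are names chosen here."""
import re

# Robert's PIX 4.1.4 lines: the conduit source is the server's own inside address
PIX_414 = """
interface 0: ip address outside 192.0.2.17 mask 255.255.255.240
interface 1: ip address inside 172.20.19.4 mask 255.255.255.0
static (inside,outside) 192.0.2.172 172.20.18.172 0 255
static (inside,outside) 192.0.2.190 172.20.21.241 0 255
conduit (inside,outside) 192.0.2.172 25 tcp 172.20.18.172 255.255.255.255
conduit (inside,outside) 192.0.2.190 80 tcp 172.20.21.241 255.255.255.255
alias (inside) 172.20.21.241 192.0.2.190 255.255.255.255
alias (inside) 172.20.18.172 192.0.2.172 255.255.255.255
route outside 0.0.0.0 0.0.0.0 192.0.2.18 1
route inside 172.20.0.0 255.255.0.0 172.20.19.3 1
"""

# Avi's PIX 4.4(7) lines: static and inside default route built from the PIX's own address
PIX_447 = """
ip address outside 192.168.2.14 255.255.255.248
ip address inside 216.6.24.129 255.255.255.192
nat (inside) 0 216.6.24.0 255.255.255.0 0 0
static (inside,outside) 192.168.2.13 216.6.24.129 netmask 255.255.255.255 0 0
conduit permit tcp host 216.6.24.177 eq smtp any
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 192.168.2.13 1
route inside 0.0.0.0 0.0.0.0 216.6.24.129 1
"""

# 4.1 'interface N: ip address NAME A mask M' and 4.4 'ip address NAME A M'
IP_ADDR = re.compile(r"(?:interface \d+: )?ip address (\w+) (\S+)")


def parse_pix(config):
    """Collect interface addresses, statics, 4.1-style conduits, aliases and routes."""
    facts = {"if_ip": {}, "static": [], "conduit": [], "alias": [], "route": []}
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        m = IP_ADDR.match(line.strip())
        if m:
            facts["if_ip"][m.group(1)] = m.group(2)
        elif w[0] == "static" and len(w) >= 4:          # static (in,out) GLOBAL LOCAL ...
            facts["static"].append({"global": w[2], "local": w[3]})
        elif w[0] == "conduit" and w[1] != "permit" and len(w) >= 7:
            # conduit (in,out) GLOBAL PORT PROTO FOREIGN_IP FOREIGN_MASK
            facts["conduit"].append({"global": w[2], "port": w[3], "proto": w[4],
                                     "foreign": w[5], "mask": w[6]})
        elif w[0] == "alias" and len(w) >= 4:           # alias (if) DNAT_IP FOREIGN_IP ...
            facts["alias"].append({"dnat": w[2], "foreign": w[3]})
        elif w[0] == "route" and len(w) >= 5:           # route IF NET MASK GATEWAY ...
            facts["route"].append({"if": w[1], "net": w[2], "mask": w[3], "gw": w[4]})
    return facts


def check_pix(facts):
    """Return (code, detail) findings for the points raised in the two threads."""
    found = []
    own = set(facts["if_ip"].values())
    outside_gw = {r["gw"] for r in facts["route"] if r["if"] == "outside"}
    for s in facts["static"]:
        if s["local"] in own:
            found.append(("STATIC_LOCAL_IS_PIX_IF", f"static {s['global']} -> {s['local']}: "
                          "the local address is the PIX's own interface, not an inside host"))
        if s["global"] in outside_gw:
            found.append(("STATIC_GLOBAL_IS_NEXT_HOP", f"static {s['global']}: the global "
                          "address is the outside next-hop router, not a free outside address"))
    for r in facts["route"]:
        if r["gw"] in own:
            found.append(("ROUTE_VIA_OWN_IF", f"route {r['if']} {r['net']}: next hop "
                          f"{r['gw']} is the PIX's own interface address"))
    if sum(r["net"] == "0.0.0.0" for r in facts["route"]) > 1:
        found.append(("MULTIPLE_DEFAULT_ROUTES", "more than one 0.0.0.0 route; with no "
                      "inside router the 'route inside' default should be dropped"))
    local_of = {s["global"]: s["local"] for s in facts["static"]}
    for c in facts["conduit"]:
        if c["mask"] == "255.255.255.255" and c["foreign"] == local_of.get(c["global"]):
            found.append(("CONDUIT_SOURCE_IS_SERVER", f"conduit {c['global']} {c['port']}/"
                          f"{c['proto']}: only source {c['foreign']} is permitted; use '0 0' "
                          "to allow any outside host"))
    for a in facts["alias"]:
        if local_of.get(a["foreign"]) == a["dnat"]:
            found.append(("ALIAS_MIRRORS_STATIC", f"alias {a['dnat']} <-> {a['foreign']} "
                          "mirrors a static; only needed to doctor replies from an outside DNS"))
    return found


if __name__ == "__main__":
    for name, cfg in (("PIX 4.1.4 (Robert)", PIX_414), ("PIX 4.4(7) (Avi)", PIX_447)):
        print(name)
        for code, detail in check_pix(parse_pix(cfg)):
            print(f"  [{code}] {detail}")
```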

RE: Replacing a router with PIX [7:40454]

2002-04-04 Thread Kent Hundley

Jeffrey,

A few things you'll need to be aware of:

1) If you want to get an additional Internet connection for redundancy, it
will have to be Ethernet since the PIX does not support WAN connections.

2) The PIX cannot act as an HTTP proxy, so you may have to change the config
on the clients so that they will work in transparent mode.

Other than this, a PIX525 should handle 2000 users with no problem.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jeffrey Reed
Sent: Thursday, April 04, 2002 4:03 AM
To: [EMAIL PROTECTED]
Subject: Replacing a router with PIX [7:40454]


I'm working on a design where we have a 3640 with dual T1s to the Internet.
The customer is using MS Proxy as their security enforcement point with a
few ACLs on the router. They are soon getting a new ISP who will be dropping
off a 10M Ethernet connection to replace the T1s. Is there any reason we
shouldn't drop a PIX in there to replace the 3640 (and MS Proxy)? This is a
university with 2000+ students and we're looking at a PIX-525. Any
suggestions would be appreciated.

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40482&t=40454



RE: BGP Load-Balancing with 2 providers...Possible?? [7:40242]

2002-04-03 Thread Kent Hundley

Very possible, not much different from using 1 provider as long as you have
your own address space.  If you don't have your own address space, you'll
have to either get it from ARIN or convince one provider to advertise
addresses from another provider's space.  They will probably do this, for a
price.

Keep in mind though that the traffic patterns can vary a lot depending on
the providers used. More traffic will flow through the provider that is
"closer" to the peering points. The best advice is to use 2 Tier 1 providers
like UUnet, ATT, Sprint, etc.

I don't have it in front of me, but I'm sure there are examples of this in
Sam Halabi's book "Internet Routing Architectures".

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Cisco Nuts
Sent: Tuesday, April 02, 2002 2:11 PM
To: [EMAIL PROTECTED]
Subject: BGP Load-Balancing with 2 providers...Possible?? [7:40242]


Hello,
Is it possible to load-balance BGP traffic with 2 service providers...I know
it is possible to load balance with 2 circuits to the same provider using
ebgp-multihop and update-source and cef but with 2 circuits to 2 different
providers??
Thank you for your help.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40331&t=40242



RE: PIX VS CheckPoint [7:40136]

2002-04-02 Thread Kent Hundley

Actually, depending on what Nokia boxes you compare with what PIXen and
whose numbers you believe, the Nokia boxes may be faster.  According to
Nokia/Checkpoint, the high-end Nokia boxes are faster than the PIX 535's.
Course, a lot depends on what your rule-set looks like.

On the flexibility, I agree the CP's are definitely more flexible than the
PIX. (which is why the PIXen are easier to install in simple environments)
One thing that CP has that is fairly unique is the ability to write your own
rules using CP's INSPECT language, which allows you to filter on any part of
a packet, including the data portion.  Not many people seem to use this
feature, but it can come in handy if you have special filtering requirements
such as when a new IIS exploit surfaces. ;-)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
nrf
Sent: Tuesday, April 02, 2002 4:08 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX VS CheckPoint [7:40136]


On the other hand, there's a distinct third option, which is to run
Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso
line of gear.  This removes one of the Checkpoint disadvantages (don't need
to know Unix or NT), but introduces another disadvantage (less flexible -
you should have included in your advantages that regular Checkpoint is more
flexible than Pix because you can integrate it with Unix and enjoy all the
features of Unix, but of course with a Nokia, you don't have that).  In
fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash.
I believe the Pix is faster, but the Nokia Checkpoint is still more flexible
(but not as flexible as Checkpoint software).



""Nurudeen Aderinto""  wrote in message
news:[EMAIL PROTECTED]...
> Dear x,
>
> I love your presentation. You spoke well.
>
> Nurudeen
> ""x""  wrote in message
> news:[EMAIL PROTECTED]...
> > I have setup and managed both PIX and Checkpoint in a
> > variety of environments.  I think they are both solid
> > options in different situations.  Here is how I market
> > these products.
> >
> > PIX
> > - more cost effective
> > - fast
> > - you can have fail over
> > - Can be more complicated to setup the CLI, but PIX
> > has a nice feature of allowing all traffic out and
> > none in by default.
> >
> > Who would I market this for?
> > I would target this as an ideal candidate for small
> > companies with rulesets that don't change much.  They
> > also need a Cisco savvy person to manage it, usually a
> > consultant.  I am guessing you would fill this role.
> > I have only made minor changes in the firewall I have
> > managed for almost two years.
> >
> > Checkpoint
> > - nice GUI for ruleset management
> > - more expensive
> > - required to know Unix or NT ( for the love of God
> > don't use NT.  Its security is very poor out of the
> > box and requires a great deal of configuration to
> > become mildly secure )
> >
> > Who would I market this toward?
> > I would target larger companies with Checkpoint.  It
> > is easier to manage the ruleset, but more setup time
> > and more costly.  I would also say this solution is
> > slightly slower and more prone to security issues
> > since you have to patch the OS and the firewall
> > software.
> >
> >
> > --- Jeffrey Reed  wrote:
> > > Has anyone performed or seen an in depth study of
> > > PIX vs Checkpoint? I have
> > > a customer who is looking at both. I've read various
> > > magazine articles, but
> > > nothing from real people such as this group! :)
> > >
> > > Thanks!!
> > >
> > > Jeffrey Reed
> > > Classic Networking, Inc.
> > > Cell 717-805-5536
> > > Office 717-737-8586
> > > FAX 717-737-0290
> > [EMAIL PROTECTED]
> >
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40278&t=40136
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: please help **location migration** [7:40162]

2002-04-02 Thread Kent Hundley

Kevin,

Check out "local area mobility", it looks like it may fit your needs:

http://www.cisco.com/warp/public/cc/pd/iosw/ioft/lam/tech/lamso_wp.htm

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Kevin Campbell
Sent: Tuesday, April 02, 2002 2:49 AM
To: [EMAIL PROTECTED]
Subject: please help **location migration** [7:40162]


I work for a collocation and bandwidth provider and need help with an issue
for a migration.

We need to move about 30 servers from an offsite location to our data center.
The move of the servers needs to be done over the period of a month.  We
need to do this without changing the ip addresses of the servers. So either
through an internet connection or wan link (both possible) we need to share
the ip block. It cannot be subnetted and must remain a single ip block.  We
have ruled out the use of bridge groups across a T1 circuit and would like a
better option than using a VPN. If you have any ideas please help.

Thanks for the help and all the useful posts.  I have been in this group for
about 6 months and have made very few posts but have benefited immensely
from users in this group.  I thank you for that.

Kevin Campbell MCSE, MCT, CCNP

[GroupStudy.com removed an attachment of type application/ms-tnef which had
a name of winmail.dat]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40214&t=40162



RE: Contest [7:40072]

2002-04-01 Thread Kent Hundley

If memory serves, William S. Bonnie is "Billy the Kid"

-K

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Brian Zeitz
Sent: Monday, April 01, 2002 10:54 AM
To: [EMAIL PROTECTED]
Subject: Contest [7:40072]


I'll give you a free website where you can find tons of free white papers,
resources and everything you need for your exams if you can tell me who
AKA William S. Bonnie is.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40086&t=40072



RE: SSH client for windows 95 [7:39869]

2002-03-29 Thread Kent Hundley

John,

3 ways to verify the host key:

1) Connect over a network which you have a reasonable degree of confidence
is secure.  This would normally mean connecting over a LAN to the host in
question to get its key.  For the truly paranoid, this would mean connecting
over a x-over cable to the host in question.

2) Have someone send you the host key and then cut and paste the key into
the appropriate file.  To have a degree of confidence you would have to
receive the key through some fairly secure means, i.e. have a floppy fedexed
to you, sent imbedded in an email with PGP, etc.

3) Call the person who manages the server, connect to the server, get the
key and have them verify the received key over the phone. (this is probably
the easiest method)

The keys are stored in files on each host.  For example, using openssh, the
hosts key is normally stored in a file called ssh_host_rsa_key.pub.
Different client ssh programs store the public keys of the servers they talk
to in different places.  F-Secure's ssh client stores them in a directory
called 'hostkeys' and they have names like 'key_22_10.1.1.1.pub'.


HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Friday, March 29, 2002 8:03 AM
To: [EMAIL PROTECTED]
Subject: RE: SSH client for windows 95 [7:39869]


But when I connect using the ssh client I get this
security alert. Do you know what this means?

"PuTTY security alert
The server's host key is not cached in the registry.
You have no guarantee that the server is the computer
you think it is. The server's key fingerprint is "
2048 1e:45:22:44:..:55:9a:7b

If you trust this host hit Yes and add the keys to the
PuTTY's cache on connecting."

How do I recognise that the fingerprint numbers belong
to the host to which we are connecting? I don't
think they refer to the MAC address because that is
unique to the host.


--- colin newman  wrote:
> Putty is a great SSH windows client.  It supports
> SSH versions 1 and 2.  You






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39906&t=39869
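The out-of-band check from the reply above, as an added example (not code from the original posts): it computes both the colon-separated MD5 form that PuTTY displayed and the modern SHA256 form from an OpenSSH-format .pub line, then compares against the value read over the phone. The key bytes in the block are a constructed placeholder, not a real host key.

```python
"""Verify an SSH host key against a fingerprint obtained out of band.

Added example, not from the original posts. It assumes an OpenSSH-format
public-key line (ssh_host_*_key.pub); the key bytes used as sample input are
a constructed placeholder pattern, not a real key.
"""
import base64
import hashlib
import hmac
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def make_sample_pubkey_line() -> str:
    """Constructed ssh-ed25519 public-key line (the 32 key bytes are 0x00..0x1f)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " sample@host"


def parse_pubkey_line(line: str) -> tuple:
    """Return (key type, raw key blob) from an OpenSSH public-key line.
    The blob's first wire string must repeat the declared type, else reject."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 form, as in the PuTTY alert quoted above."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style form: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize(fp: str) -> str:
    """Canonicalize a fingerprint as someone might read it over the phone:
    drop a leading key size ('2048 '), colons, whitespace and letter case.
    The base64 part of a SHA256 fingerprint is case-sensitive and is kept."""
    fp = fp.strip()
    if fp[:7].upper() == "SHA256:":
        return "SHA256:" + re.sub(r"\s", "", fp[7:]).rstrip("=")
    fp = re.sub(r"^\d+\s+", "", fp)
    return re.sub(r"[\s:]", "", fp).lower()


def verify_host_key(pubkey_line: str, expected_fingerprint: str) -> bool:
    """True only if the key's MD5 or SHA256 fingerprint equals the expected one.
    Constant-time comparison, so the check leaks nothing about the expected value."""
    _, blob = parse_pubkey_line(pubkey_line)
    expected = normalize(expected_fingerprint)
    for fp in (md5_fingerprint(blob), sha256_fingerprint(blob)):
        if hmac.compare_digest(normalize(fp), expected):
            return True
    return False


if __name__ == "__main__":
    line = make_sample_pubkey_line()
    _, blob = parse_pubkey_line(line)
    print("MD5   :", md5_fingerprint(blob))
    print("SHA256:", sha256_fingerprint(blob))
    # Simulate the phone call: the admin reads the MD5 form with a key-size prefix.
    print("match :", verify_host_key(line, "256 " + md5_fingerprint(blob).upper()))
```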



RE: Unrelated question [7:39788]

2002-03-28 Thread Kent Hundley

Probably has something to do with the asymmetric nature of email and the
inherent delays in various mail servers and the Internet.  Right now I see
no responses to your question in my inbox, but there could be 5 on their way
by the time I type this and hit send.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 3:22 PM
To: [EMAIL PROTECTED]
Subject: Unrelated question [7:39788]


OK, so at least 3/4 of the responses to this question say the exact same
thing.  Or at least hint at it. (It doesn't make sense to me to take the
time to answer someone's question and do it with 2 words.  "vlans" while
correct is not, by itself, an answer.)  My point is the redundancy.  Do
some people not read the umpteen responses before jumping out with their
own?  Or do some people access these via some other transport (i.e. e-mail)
and so don't see the responses?  Or do some people just like seeing their
names on a newsgroup?  It just doesn't make sense.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39871&t=39788



RE: Router question.. [7:39788]

2002-03-28 Thread Kent Hundley

I have tried it, it works provided you have appropriate IOS and use 802.1q.

-Kent

-Original Message-
From: Walker, Jim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 11:33 AM
To: 'Kent Hundley'; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]



I never tried it, but I didn't think you could configure a sub-interface on
a 10M ethernet port.



-Original Message-----
From: Kent Hundley [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 5:20 PM
To: Walker, Jim; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]


It's not necessary to use secondary addressing.  Configure a 802.1q trunk
port on the 2900 switch and configure one of the ethernet ports on the 2611
as a trunk port. (yes, 802.1q trunking is supported on ethernet)

Configure appropriate addressing on the sub-interfaces of the 2611 and you
still have a single free ethernet port for other connections.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Walker, Jim
Sent: Thursday, March 28, 2002 10:25 AM
To: [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]


1. Create 2 separate vlans on the switch
2. Configure both ethernet ports, 1 with a secondary ip address
3. Connect up both ethernet ports on the router to 2 corresponding vlan
configured port on the switch


-Original Message-
From: Ricky Chan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 1:00 PM
To: [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]


It has only 2 regular ethernet ports...

-Original Message-
From: Walker, Jim [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 12:55 PM
To: Ricky Chan; [EMAIL PROTECTED]
Subject: RE: Router question.. [7:39788]


Yes, if 2600 series router has a fastethernet port.

Router on a stick.

-Original Message-
From: Ricky Chan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: Router question.. [7:39788]


Hi all,

My boss just came up and gave me a scenario question like this. He told me
that I owned a company which uses 3 different LANs, for example,
172.27.10.x, 172.27.11.x, 172.27.12.x. But I only have one cisco 2600 series
router and 2900 series switch. I can't use the serial ports from the router.
Just the two ethernet ports (by default). My question is, is it possible?
Please advise.

Thanks

Ricky




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39837&t=39788



RE: If it's a 2611, you're out of luck [7:39788]

2002-03-28 Thread Kent Hundley

Incorrect.  Only ISL requires FastE, 802.1q works perfectly well on a
standard Ethernet port. This was covered in another thread a few days ago.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: If it's a 2611, you're out of luck [7:39788]


Vlan trunking requires a fast ethernet connection.  It cannot be trunked
with a 261X.  You'd need a 262X.

If you have to deal with a 2611, your options become much more limited.  You
could replace the 2611 with a 2620.  Or you could get an ethernet module for
the 2611.  Unfortunately, last time I checked (which was a couple years ago,
given) those ethernet modules came in two models, 1 and 4 port, and cost
about $1000 per port.

Another option would be to replace the 2611 with a 1750.  It's got one fast
ethernet port.  If this network is as small as it sounds, it'd be a viable
option.

Oh, and about trunking, the way it works is you define the switch port
connected to the router as a trunk.  This allows multiple (in your case,
all) vlans to use the one port.  The router is configured with subinterfaces
on the fastethernet port, one for each vlan.  The router can then route
between these vlans.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39827&t=39788



RE: TACACS+ [7:39297]

2002-03-28 Thread Kent Hundley

Yes, ACS supports TACACS+ or Radius on the front-end and many different user
databases such as NT domain on the back-end.

Yes, PIX is a TACACS+ client.

Yes, the protocol is TACACS+ between PIX and ACS.

You could call the PIX a NAS, but typically NAS refers to some sort of
dial-in device, so calling the PIX a NAS might confuse some people.

-Kent

-Original Message-
From: John Green [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 9:21 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: TACACS+ [7:39297]


Is the Cisco Secure ACS server a TACACS+ server?

I.e. the pix is acting as a TACACS+ client to the ACS
server? Is that correct?
If yes, then is the protocol for user authentication and
later access-control between the pix and ACS server
called the TACACS+ protocol? Is this correct?

Lastly, if pix is our perimeter firewall and set for
aaa, then can we say that the pix is also a NAS,
network access server? Would that be correct to say,
at least in this scenario where users connect to pix to
say access a web server behind or protected by the
pix.


> ""Kent Hundley""  wrote in message
> news:[EMAIL PROTECTED]...
> > IMO, the best way to study TACACS+ is to download
> the free TACACS+ server
> > from Cisco, install it on Linux and play around
> with it.  You'll learn
> much
> > more about how TACACS+ works by implementing it
> and trying different
> things
> > than any WP (it helps a lot if you have a router
> to work with as well).
> If
> > your goal is to learn CiscoSecure ACS, download an
> eval copy of that and
> > install it on Windows and play around.  Either
> way, you'll learn quite a
> bit
> > about AAA and Cisco.
> >
> > Regards,
> > Kent
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Saturday, March 23, 2002 8:00 AM
> > To: [EMAIL PROTECTED]
> > Subject: TACACS+ [7:39297]
> >
> >
> > I have read the white paper on this.  Does anyone
> know of a good study
> > source on this topic other than the white paper
> itself?
> >
> > Thanks
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39810&t=39297



RE: NAT [7:39601]

2002-03-27 Thread Kent Hundley

Yes, you are (lots of good info on NAT can be found by doing a search on CCO
for "NAT tips")

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Wilson, Gavin (KBPB)
Sent: Wednesday, March 27, 2002 6:00 AM
To: [EMAIL PROTECTED]
Subject: NAT [7:39601]


Hi there

Does anyone know if you are allowed more than one outside interface on a NAT
router?

Cheers Gavin

Gavin Wilson
Kleinwort Benson Private Bank
Tel: 0207 4751771
Mobile: 07989441850
email: [EMAIL PROTECTED]








Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39627&t=39601



RE: pix question [7:39560]

2002-03-27 Thread Kent Hundley

George,

In current versions, it's "show access-list". :-)

pix# sh ver

Cisco Secure PIX Firewall Version 6.0(1)
PIX Device Manager Version 1.0(1)

pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
pix#


Regards,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 27, 2002 5:05 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:39560]


What's the equivalent of show access-list on the pix?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39620&t=39560
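A small parser for the "show access-list" output quoted in the reply above, as an added example (not part of the original post): it reads the hitcnt values and flags entries a reviewer would look at, namely rules with zero hits and any-to-any permits. The sample input is the output shown in the reply; the review rules are this example's own, not a PIX feature.

```python
"""Parse PIX 'show access-list' output and flag entries worth reviewing.

Added example, not from the original post. The sample output is the text
quoted in the reply above; the review rules (zero hit counts, any-to-any
permits) are this example's own, not a PIX feature.
"""
import re

# Sample input: the 'sh access-list' output quoted in the reply.
SAMPLE_OUTPUT = """\
pix# sh access-list
access-list 1 permit icmp any any (hitcnt=27)
access-list 1 permit ip any host 172.16.1.55 (hitcnt=0)
access-list 1 permit ip any host 172.16.1.60 (hitcnt=16)
access-list 1 permit tcp host 172.16.1.2 host 10.1.1.3 eq bgp (hitcnt=1)
pix#
"""

# One access-list entry (ACE) per line, ending in its hit counter.
ACE_RE = re.compile(
    r"^access-list\s+(?P<acl>\S+)\s+(?P<action>permit|deny)\s+"
    r"(?P<proto>\S+)\s+(?P<rest>.*?)\s*\(hitcnt=(?P<hits>\d+)\)\s*$"
)


def parse_access_list(text: str) -> list:
    """Return one dict per ACE; prompt lines and unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append({
                "acl": m.group("acl"),
                "action": m.group("action"),
                "proto": m.group("proto"),
                "rule": m.group("rest"),
                "hits": int(m.group("hits")),
            })
    return entries


def unused_entries(entries: list) -> list:
    """ACEs with hitcnt=0: removal candidates, provided the counters have been
    running long enough to cover the traffic the rule was written for."""
    return [e for e in entries if e["hits"] == 0]


def any_to_any_permits(entries: list) -> list:
    """Permits whose source and destination are both 'any'."""
    return [e for e in entries
            if e["action"] == "permit" and re.match(r"^any\s+any(\s|$)", e["rule"])]


def total_hits(entries: list) -> int:
    """Sum of all hit counters, useful as a sanity check that counters are moving."""
    return sum(e["hits"] for e in entries)


if __name__ == "__main__":
    aces = parse_access_list(SAMPLE_OUTPUT)
    print("parsed %d entries, %d total hits" % (len(aces), total_hits(aces)))
    for e in unused_entries(aces):
        print("never hit :", e["acl"], e["action"], e["proto"], e["rule"])
    for e in any_to_any_permits(aces):
        print("any-to-any:", e["acl"], e["action"], e["proto"], e["rule"])
```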



RE: How to get running-config of cisco routers through SNMP [7:39619]

2002-03-27 Thread Kent Hundley

You can find this info and lots of other good SNMP info by searching on CCO
for "snmp tips".  Here's the relevant direct url:

http://www.cisco.com/warp/public/477/SNMP/copy_configs_snmp.shtml

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
V\J@>|
Sent: Wednesday, March 27, 2002 5:42 AM
To: [EMAIL PROTECTED]
Subject: How to get running-config of cisco routers through SNMP
[7:39598]


Hello,mrtg#!


Can anyone tell me whether I can get the running-config of cisco routers
through an SNMP request?
And if we can, what is the oid for this purpose?
Thanks.




[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39619&t=39619



RE: picture attached-NAT question in BCRAN book-can work?? [7:39444]

2002-03-25 Thread Kent Hundley

Tong,

There's no magic, you must either advertise a route for 192.168.2.0/24 or
the upstream router(s) must have a static route for the 192.168.2.0/24
pointing to your router.  One way around this issue is to configure NAT to
overload the router's interface IP or use addresses in the same range as the
router's IP.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Sim, CT (Chee Tong)
Sent: Monday, March 25, 2002 1:49 AM
To: [EMAIL PROTECTED]
Subject: picture attached-NAT question in BCRAN book-can work??
[7:39410]


Dear friends,



Can I ask you the following question?   It is what I see in the book. The
network diagram and the NAT router config are shown below.  Basically, when
a packet goes from an inside host to an outside host, its source IP will
change from 10.1.1.X to 192.168.2.2 after the NAT router.  When the reply
comes back from the outside host, the destination IP will be 192.168.2.2.  But
I don't understand how the packet knows to route back to the NAT's serial 0?
The IP of the router's serial 0 is 172.16.2.1. Unless we add a route entry on the
outside hosts, but how can we have control over the outside hosts?

Tong





[GroupStudy.com removed an attachment of type image/jpeg which had a name of
image001.jpg]

[GroupStudy.com removed an attachment of type image/jpeg which had a name of
image002.jpg]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39444&t=39444



RE: TACACS+ [7:39297]

2002-03-23 Thread Kent Hundley

The download still works fine for me from ftp-eng.cisco.com/pub/tacacs.
(anonymous login)

ftp> get tac_plus.F4.0.4.alpha.tar.Z
local: tac_plus.F4.0.4.alpha.tar.Z remote: tac_plus.F4.0.4.alpha.tar.Z
200 PORT command successful.
150 Opening BINARY mode data connection for tac_plus.F4.0.4.alpha.tar.Z
(193771 bytes).
226 Transfer complete.
193771 bytes received in 1.64 secs (1.2e+02 Kbytes/sec)
ftp> bye

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Saturday, March 23, 2002 10:08 AM
To: [EMAIL PROTECTED]
Subject: Re: TACACS+ [7:39297]


I think cisco stopped the DL of the free tacacs server a while ago.

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


""Kent Hundley""  wrote in message
news:[EMAIL PROTECTED]...
> IMO, the best way to study TACACS+ is to download the free TACACS+ server
> from Cisco, install it on Linux and play around with it.  You'll learn
much
> more about how TACACS+ works by implementing it and trying different
things
> than any WP (it helps a lot if you have a router to work with as well).
If
> your goal is to learn CiscoSecure ACS, download an eval copy of that and
> install it on Windows and play around.  Either way, you'll learn quite a
bit
> about AAA and Cisco.
>
> Regards,
> Kent
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> [EMAIL PROTECTED]
> Sent: Saturday, March 23, 2002 8:00 AM
> To: [EMAIL PROTECTED]
> Subject: TACACS+ [7:39297]
>
>
> I have read the white paper on this.  Does anyone know of a good study
> source on this topic other than the white paper itself?
>
> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39307&t=39297



RE: TACACS+ [7:39297]

2002-03-23 Thread Kent Hundley

IMO, the best way to study TACACS+ is to download the free TACACS+ server
from Cisco, install it on Linux and play around with it.  You'll learn much
more about how TACACS+ works by implementing it and trying different things
than any WP (it helps a lot if you have a router to work with as well).  If
your goal is to learn CiscoSecure ACS, download an eval copy of that and
install it on Windows and play around.  Either way, you'll learn quite a bit
about AAA and Cisco.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
[EMAIL PROTECTED]
Sent: Saturday, March 23, 2002 8:00 AM
To: [EMAIL PROTECTED]
Subject: TACACS+ [7:39297]


I have read the white paper on this.  Does anyone know of a good study
source on this topic other than the white paper itself?

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39300&t=39297



RE: ISL Trunking from a h/w's perspective [7:39246]

2002-03-22 Thread Kent Hundley

Danny,

Sometimes even people who work for Cisco, even SEs who may be CCIEs, make
mistakes.  The router never lies:

3620(config)#int ethernet 0/0.1
3620(config-subif)#encap ?
  dot1Q  IEEE 802.1Q Virtual LAN
  sdeIEEE 802.10 Virtual LAN - Secure Data Exchange

Notice this is an Ethernet, not FastEthernet, and that it does indeed allow
802.1q trunking.

ISL, on the other hand, does require FastEthernet.  So maybe that is where
the confusion lies.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Danny Andaluz, CCNP
Sent: Friday, March 22, 2002 7:25 PM
To: [EMAIL PROTECTED]
Subject: Re: ISL Trunking from a h/w's perspective [7:39246]


No, you can't.  I got it straight from cisco that they have to be 100 meg
full-duplex interfaces.
""MADMAN""  wrote in message
news:[EMAIL PROTECTED]...
> Actually on some platforms with the right IOS you can trunk 10 meg ports:
>
> C3660B(config)#inter e2/0.1
> C3660B(config-subif)#encap dot1 1
> C3660B(config-subif)#
>
>   Dave
>
> danny wrote:
>
> > The router's ethernet must be 100 full dux.  You configure subinterfaces
on
> > the ethernet.  a trunking protocol must be configured on each sub with
the
> > corresponding vlan #.  The router will route between Vlans.
> >
> > Hope this helps.
> >
> > Danny
> > ""George Siaw""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > Thanks for all your responses.
> > >
> > > One last question though. For external router, routing between vlans
if
> > > I have just one FastEthernet interface on the router can I route
between
> > > vlans?
> > >
> > > George.
> > >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of
> > > Scott H.
> > > Sent: 23 March 2002 00:53
> > > To: [EMAIL PROTECTED]
> > > Subject: Re: ISL Trunking from a h/w's perspective [7:39246]
> > >
> > > The only time the SC0 interface comes into play is for telnet into the
> > > box.
> > > If you have any 100 MB ports on your switch, you can run trunking.
> > >
> > > set trunk (mod/port) on isl
> > >
> > > If this trunk is running into a router, you need to create the
> > > subinterfaces
> > > on the router to enable routing between VLANS.
> > >
> > > int fa1/0.100
> > > ip address (the subnet of the vlan)
> > > encap isl (the vlan #)
> > >
> > > HTH,
> > > Scott
> > >
> > > ""George Siaw""  wrote in message
> > > news:[EMAIL PROTECTED]...
> > > > Do I need an Sc0 port when routing between Vlans? However, there's
no
> > > > uplink module on either of my supervisor engines. Would you know a
> > > s/w
> > > > work around without having to buy the module?
> > > >
> > > > George.
> > > >
> > > > -Original Message-
> > > > From: Larry Letterman [mailto:[EMAIL PROTECTED]]
> > > > Sent: 23 March 2002 00:17
> > > > To: George Siaw; [EMAIL PROTECTED]
> > > > Subject: RE: ISL Trunking from a h/w's perspective [7:39246]
> > > >
> > > > You dont have to configure SC0 interface to do isl or dot1q. Its
only
> > > > needed
> > > > for management, telnet etc...
> > > >
> > > >
> > > > Larry Letterman
> > > > Cisco Systems
> > > > [EMAIL PROTECTED]
> > > >
> > > >
> > > > -Original Message-
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf
Of
> > > > George Siaw
> > > > Sent: Friday, March 22, 2002 3:45 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: ISL Trunking from a h/w's perspective [7:39246]
> > > >
> > > >
> > > > Guys,
> > > >
> > > >
> > > >
> > > > Any ideas as how I can configure isl trunking without an Sc0 port on
> > > the
> > > > supervisor engines? Can I configure one of the ports to assume this
> > > > position i.e. Sc0? If so what are the cmds?
> > > >
> > > >
> > > >
> > > > Regards,
> > > >
> > > > George.
> > > >
> > > >
> > > >
> > > > Configs as below:
> > > >
> > > >
> > > >
> > > > Console> (enable) sh mod 1
> > > >
> > > > Mod Module-Name Ports Module-Type   Model
> > > Serial-Num
> > > > Status
> > > >
> > > > --- --- - - -
> > > -
> > > > ---
> > > >
> > > > 1   ENGINE-10 Supervisor IIIWS-X5530
> > > 012144234
> > > > ok
> > > >
> > > >
> > > >
> > > > Mod MAC-Address(es)Hw Fw Sw
> > > >
> > > > --- -- -- --
> > > > -
> > > >
> > > > 1   00-50-f0-0c-64-00 to 00-50-f0-0c-67-ff 3.03.1.2  4.3(1a)
> > > >
> > > >
> > > >
> > > > Mod Sub-Type Sub-Model Sub-Serial Sub-Hw
> > > >
> > > > ---  - -- --
> > > >
> > > > 1   NFFC+WS-F5531  0012153640 1.0
> > > >
> > > >
> > > >
> > > > Console> (enable) sh mod
> > > >
> > > > Mod Module-Name Ports Module-Type   Model
> > > Serial-Num
> > > > Status
> > > >
> > > > --- --- - - -
> > > -
> > > > ---
> > > >
> > > > 1  

RE: Catalyst 6509 [7:39192]

2002-03-22 Thread Kent Hundley

Correct, it's essentially a 802.1q native VLAN issue, not a VLAN 1 issue per
se. I would note though that although the change to make a non-active VLAN
the native VLAN is an obvious fix, it strikes me as a bug that Cisco does
not perform a sanity check on native VLAN frames to ensure that they in
fact, do not have a 802.1q frame tag.  This is what causes the issue since
packets on the native VLAN are not supposed to have a 802.1q frame tag.

On a related note, it _is_ now possible to clear VLAN 1 from a trunk.  It
disallows all non-management related traffic, i.e. anything other than VTP,
CDP, etc.  So this should in theory also "fix" the VLAN hopping issue,
although it's probably cleaner to just assign a non-active VLAN as the
native VLAN.


http://www.cisco.com/warp/public/473/21.html#case

The Case of VLAN 1
VTP pruning cannot be applied to VLANs that need to exist everywhere and to
be allowed on all switches in the campus (to be able to carry VTP, CDP
traffic, and other control traffic). There is a way, however, to limit the
extent of VLAN 1. This is a feature called VLAN 1 disable on trunk, and it
is available on Catalyst 4000, 5000, and 6000 family switches since Cisco
IOS release 5.4(x). This allows you to prune VLAN 1 from a trunk as you would
do for any other VLAN, but this pruning will not include all of the control
protocol traffic that will still be allowed on the trunk (DTP, PagP, CDP,
VTP, and so on). However, you will block all user traffic on that trunk.
Using this feature, you can completely avoid the VLAN spanning the entire
campus, and as such, STP loops will be limited in extent, even in VLAN 1.
You can configure VLAN 1 to be disabled as you would configure other VLANs
to be cleared from the trunk by issuing the following commands:

Console> (enable) set trunk 2/1 des
Port(s)  2/1 trunk mode set to desirable.
Console> (enable) clear trunk 2/1 1
Removing Vlan(s) 1 from allowed list.
Port  2/1 allowed vlans modified to 2-1005.


Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Steven A. Ridder
Sent: Friday, March 22, 2002 7:18 PM
To: [EMAIL PROTECTED]
Subject: Re: Catalyst 6509 [7:39192]


I'm embarrassed to say, I got it wrong, you must use any Vlan but 1 on the
trunk port.  Here's the direct quote from the link below:

"... prolonged discussions took place with the switch vendor to discuss the
implications of the results above. After consultation with their developers
it was concluded that the traffic from VLAN 1 was allowed to hop to other
VLANs because the trunk port was also set (implicitly) to native VLAN 1.
They suggested that by changing the native VLAN of the trunk port the VLAN
hopping could be eliminated. This was tested and was found to be true.."


http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

--

RFC 1149 Compliant.
Get in my head:
http://sar.dynu.com


""MADMAN""  wrote in message
news:[EMAIL PROTECTED]...
> How??
>
> C6509> (enable) clear vlan 1
> VLAN number must be in the range 2..1000,1025..4094.
> C6509> (enable)
>
>   You can disable it on trunks however
>
>   dave
>
> "Steven A. Ridder" wrote:
> >
> > The big problem with Vlan 1 is that if it exists on your network a
hacker
> > can do VLAN hopping (not a good thing).  Cisco recommends deleting Vlan
1
> > from switches.
> >
> > --
> >
> > RFC 1149 Compliant.
> > Get in my head:
> > http://sar.dynu.com
> >
> > ""maverick hurley""  wrote in message
> > news:[EMAIL PROTECTED]...
> > > absolutely it will help for security, The thing to remember is that
your
> > > ports are default for native vlan1. You can specify a different vlan
> > number
> > > for your management like vlan 5. But in case of trunking
mishaps/issues
> > and
> > > vlan pruning issues it is safer using vlan 1.
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
>
> "Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39275&t=39192
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
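As an added illustration of the point made in this thread (this is not code from the list or from Cisco): a small Python audit that flags trunk ports which still carry VLAN 1 in their allowed list or still use VLAN 1 as the native VLAN, the two conditions the SANS text above ties to VLAN hopping. It parses a constructed, IOS-style "switchport" configuration rather than the CatOS "set trunk"/"clear trunk" syntax shown above; the interface names and VLAN numbers are made up for the example.

```python
"""Audit trunk ports for VLAN 1 exposure (added example, not from the thread).

Assumes IOS-style 'switchport' interface configuration. Interface names
and VLAN numbers in SAMPLE_CONFIG are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: Fa0/1 is hardened, Fa0/2 is all defaults,
# Fa0/3 has a non-default native VLAN but still allows VLAN 1.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 2-1005
 switchport trunk native vlan 999
!
interface FastEthernet0/2
 switchport mode trunk
!
interface FastEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
 switchport trunk native vlan 10
!
interface FastEthernet0/4
 switchport mode access
 switchport access vlan 10
!
"""

ALL_VLANS = set(range(1, 4095))


@dataclass
class Trunk:
    name: str
    native_vlan: int = 1                       # IOS default native VLAN
    allowed: set = field(default_factory=lambda: set(ALL_VLANS))


def parse_vlan_list(spec):
    """Turn '1,10,20' or '2-1005' (or 'all'/'none') into a set of VLAN ids."""
    spec = spec.strip()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    if spec.split()[0] in ("add", "remove", "except"):
        raise ValueError("incremental allowed-vlan forms are not handled here")
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunks(config):
    """Return a Trunk for every interface configured as 'switchport mode trunk'."""
    trunks, current, is_trunk = [], None, False
    for line in config.splitlines():
        if line.startswith("interface "):
            if current is not None and is_trunk:
                trunks.append(current)
            current, is_trunk = Trunk(name=line.split(None, 1)[1]), False
            continue
        if current is None:
            continue
        s = line.strip()
        if s == "switchport mode trunk":
            is_trunk = True
        elif s.startswith("switchport trunk native vlan "):
            current.native_vlan = int(s.rsplit(None, 1)[1])
        elif s.startswith("switchport trunk allowed vlan "):
            current.allowed = parse_vlan_list(s[len("switchport trunk allowed vlan "):])
    if current is not None and is_trunk:
        trunks.append(current)
    return trunks


def audit(config):
    """Map each trunk with a finding to the list of findings (clean trunks omitted)."""
    findings = {}
    for t in parse_trunks(config):
        issues = []
        if t.native_vlan == 1:
            issues.append("native VLAN is 1")
        if 1 in t.allowed:
            issues.append("VLAN 1 allowed on trunk")
        if issues:
            findings[t.name] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

Run against the sample, the audit reports FastEthernet0/2 (defaults: native VLAN 1 and VLAN 1 allowed) and FastEthernet0/3 (VLAN 1 still allowed), and says nothing about FastEthernet0/1, which matches the hardened state the "clear trunk 2/1 1" output above produces on CatOS.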



RE: VPN over Internet [7:39255]

2002-03-22 Thread Kent Hundley

SS,

Point a route for the other end's LAN subnet to your IPSec peer's address.
For example, if the far LAN is 10.1.1.0/24 and your IPSec peer's address is
1.1.1.1:

ip route 10.1.1.0 255.255.255.0 1.1.1.1

Create a similar route on the CES for the LAN subnet attached to the Cisco
2610.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 22, 2002 5:07 PM
To: [EMAIL PROTECTED]
Subject: VPN over Internet [7:39255]


Hi

I have a real bad problem.
I have a Cisco 2610 router with IPSEC 3DES IOS. On the other side, I have a
Nortel CES 4500. The motive is to establish a VPN tunnel between my router
and their switch.
On my Cisco router, I have a default gateway of my Internet router's LAN
interface.
So although the tunnel does build up, I do not know how to route my LAN
data to the LAN of the other side.
How would this data be routed?
Traceroute shows that my data when directed towards the LAN range of the
other side, goes to Internet and gets lost somewhere.

Please help...

SS




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39263&t=39255



RE: what is TCP feature ? [7:38987]

2002-03-21 Thread Kent Hundley

John,

I believe the matrix is a list of TCP features that are implemented on the
router as an end-system and affect only TCP traffic with the router as the
src or dst.

1) Socket API - sockets are a network programming application interface.  To
me this would only be of interest to Cisco code jockeys.

2) SACK - TCP Selective ACKnowledgement.  RFC 2018 and RFC 2883.

I think most of this would be of interest only to Cisco's own coders. It is
interesting to know which versions support FTP and RCP, but the support for
socket APIs is largely irrelevant unless you need to write code to those
sockets.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Wednesday, March 20, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: what is TCP feature ? [7:38987]


What is the TCP feature in IOS? (Is this related to the
TCP SYN attack and a kind of countermeasure
against it?)

The closest reference to it on the Cisco web site is
in this:
http://www.cisco.com/warp/public/732/Tech/matrices/tcp_matrix.html

What is Socket API over TCP? What exactly is this web
page trying to convey? What is SACKS?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39040&t=38987



RE: Stupid Rip/Default Route question [7:38999]

2002-03-21 Thread Kent Hundley

Aaron,

Do a "debug rip" on each router and see what advertisements it's receiving
from the FW's.  It sounds like one FW is not advertising any routes.  You
should see something like this:

RIP: received v1 update from a.b.c.d on 
 0.0.0.0 in 1 hops

If both FW's are advertising the routes, the routers should behave as you
say, they should pick the best route based on metric (hop count).  If they
have equal cost paths, both routes should appear in the routing table:

R*   0.0.0.0/0 [120/1] via a.b.c.d, 00:00:07, 
R    0.0.0.0/0 [120/1] via e.f.g.h, 00:00:08, 

Once you have this working, a few things you might also want to consider:

1) Have the Internet router source the default.  The best way to do this
would be to receive a default route via BGP from your upstream provider and
then redistribute the default route into RIP.  There are other ways you
could do this as well. (it keeps you from having to manually intervene to
shut down a FW or an interface)

2) You may want to consider using RIPv2 and authenticated updates, and you
may want to consider tweaking the RIP timers.  RIP can take minutes to
converge, but if you tweak the update, holddown and flush timers you can get
it to converge in a few seconds.

3) You don't say if the outside routers are using the same provider or not
and if you have your own address space.  Depending on your setup, you'll
need to think about a scenario where traffic leaves through one FW but
returns through another FW.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Aaron Bowlsbey
Sent: Wednesday, March 20, 2002 8:09 PM
To: [EMAIL PROTECTED]
Subject: Stupid Rip/Default Route question [7:38999]


Sorry if this is obvious. My network:
Router ---NortelFW--Lan1--router--router--Lan2--NortelFW--Router
RIP is running on both firewalls and both internal routers. Both
NortelFWs are advertising their default route (out their connected external
router). Users on both LANs are using their closest internal router as their
default gateway.
I had hoped that the internal routers would learn of both default routes and
select the nearest firewall as their default route. If anything happened to
one of the local loops, I could switch off the connected firewall, which
would end the RIP advertisements, and the network would eventually reroute
all external traffic out the working Internet link.
I could've sworn that this was working in my test environment and for at
least a week in production. Now both internal routers are selecting one
default route or the other but not necessarily the best (hop count) route.
Daa, what's wrong with this approach? Firewalls aren't routers??




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39036&t=38999
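Added example, not from the thread: a Python parser for "debug ip rip" output of the kind Kent describes, which reports which neighbours are advertising a usable default route and which are not, so the "one FW is not advertising" case can be confirmed from a captured debug rather than by eye. A hop count of 16 is RIP's "unreachable" metric and is treated as no route. The debug lines below are constructed; the addresses and interface names are assumptions.

```python
"""Find default-route advertisers in 'debug ip rip' output (added example).

The sample debug text is constructed for this example; neighbour
addresses and interface names are assumptions, not from the thread.
"""
import re

SAMPLE_DEBUG = """\
RIP: received v1 update from 10.0.1.2 on Ethernet0
     0.0.0.0 in 1 hops
     10.0.5.0 in 2 hops
RIP: received v1 update from 10.0.1.3 on Ethernet0
     10.0.5.0 in 1 hops
RIP: received v1 update from 10.0.1.4 on Ethernet0
     0.0.0.0 in 16 hops
RIP: sending v1 update to 255.255.255.255 via Ethernet0 (10.0.1.1)
     subnet 10.0.2.0, metric 1
RIP: received v2 update from 10.0.1.5 on Ethernet1
     0.0.0.0/0 via 0.0.0.0 in 2 hops
"""

RIP_INFINITY = 16  # RIP hop count meaning "unreachable"

RECEIVED = re.compile(r"^RIP: received v[12] update from (\S+) on (\S+)")
# v1 lines look like '     0.0.0.0 in 1 hops'; v2 lines add '/len via next-hop'.
ROUTE = re.compile(r"^\s+(\d+(?:\.\d+){3})(?:/\d+)?(?: via \S+)? in (\d+) hops")


def parse_rip_debug(text):
    """Return {neighbour: {prefix: hops}} for every received update block."""
    updates = {}
    neighbour = None
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:
            neighbour = m.group(1)
            updates.setdefault(neighbour, {})
            continue
        m = ROUTE.match(line)
        if m and neighbour is not None:
            updates[neighbour][m.group(1)] = int(m.group(2))
            continue
        if line.startswith("RIP:"):
            # Any other RIP line (e.g. 'sending ...') ends the current block.
            neighbour = None
    return updates


def default_route_sources(updates):
    """Split neighbours into (advertising a usable default, not advertising one).

    'advertising' is a list of (neighbour, hops) sorted by hop count, so the
    first entry is the default the router should prefer; a default carried
    with 16 hops is a poisoned/withdrawn route and counts as not advertised.
    """
    advertising, missing = [], []
    for nbr, routes in updates.items():
        hops = routes.get("0.0.0.0")
        if hops is None or hops >= RIP_INFINITY:
            missing.append(nbr)
        else:
            advertising.append((nbr, hops))
    advertising.sort(key=lambda item: (item[1], item[0]))
    return advertising, missing


def best_default(updates):
    """Neighbour offering the lowest-hop default, or None if nobody does."""
    advertising, _ = default_route_sources(updates)
    return advertising[0] if advertising else None


if __name__ == "__main__":
    adv, missing = default_route_sources(parse_rip_debug(SAMPLE_DEBUG))
    print("default advertised by:", adv)
    print("no usable default from:", missing)
```

On the sample, 10.0.1.2 offers the default at 1 hop and 10.0.1.5 at 2 hops, while 10.0.1.3 sends no default at all and 10.0.1.4 only a poisoned one; that is exactly the split Kent suggests looking for before tuning timers or redistributing a BGP default.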



RE: Cisco's pps claims [7:38956]

2002-03-20 Thread Kent Hundley

Sam,

IIRC, Cisco uses 64 byte packets as the baseline.  FYI, I have been
conducting some throughput tests on 2 2621's in the lab and here are some
results for you.  I used TTCP between 2 Sparc ultras for the traffic. The
sparc ultras can generate about 90Mbps with no routers between them, so the
2621's are the limiting factor and not TTCP or the sparcs. I used a window
size of 65,535 and the max packet size for my tests:

No fast switching          9.3 Mbps
W/ fast switching         51.2 Mbps
W/ Netflow                46.5 Mbps
W/ CEF                    51.2 Mbps

NAT, no fast switching     8.1 Mbps
NAT, w/ fast switching    31.5 Mbps
NAT, w/ netflow           14.1 Mbps
NAT, w/ CEF               29.5 Mbps

ACL, no fast switching     8.7 Mbps
ACL, w/ fast switching    40.4 Mbps
ACL, w/ netflow           46.5 Mbps
ACL, w/ CEF               43.9 Mbps

The IOS used for this testing was 12.1.5(T9)

(the ACL was 20 entries, all numbers are averages of 5 tests, but the
deviations were very small)

The thing I found most interesting was that for the most part, using simple
fast switching produced as good or better results than netflow or CEF.  The
only exception to this was with the ACL, but fast switching was only a few
Mbps behind netflow and CEF.  Also, notice the surprisingly bad performance
of netflow when using NAT.  I ran this test many times with different NAT
configurations and the results were always consistent.  My local Cisco SE
didn't really have a good explanation, and I haven't tried to really track
down the issue, but I wouldn't use netflow if you're using NAT. :-) (also
notice there is a 40% performance hit when using NAT in the best case)

Keep in mind these were single, persistent flows, so they did not simulate
real-world traffic patterns.  However, it does give an idea of the top end
performance of the 2621. (surprisingly better than I expected given the
low-end nature of the box) I should also mention that the CPU hovered around
99% for the duration of the tests.

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
sam sneed
Sent: Wednesday, March 20, 2002 12:14 PM
To: [EMAIL PROTECTED]
Subject: Cisco's pps claims [7:38956]


I noticed Cisco uses pps when they give their specs for routers, firewalls,
etc. What is the assumed packet size when they come up with these specs? I'm
planning on using 2 2621's in HSRP mode (getting default routes via BGP) and
need to be able to support a constant 10 Mb/sec and would like to know if these
routers will do the trick.
thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38976&t=38956



RE: PIX performance problem again ! [7:38955]

2002-03-20 Thread Kent Hundley

Mohannad,

1) Have you taken sniffer traces?  If so, what information did they tell
you?  If you have not taken a sniffer trace, you absolutely need to do this.
You need to look at the TCP windows and MSS values and compare the trace
through the PIX and without the PIX.  If you have the traces you can post a
small sample of each trace.  You need to provide this information if you
want more assistance.

2) Have you opened a case with Cisco TAC?  If so, have you escalated the
case?  This may be a known bug with the code you are running and if you have
not opened a case I strongly suggest that you do so.

-Kent



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mohannad Khuffash
Sent: Wednesday, March 20, 2002 11:47 AM
To: [EMAIL PROTECTED]
Subject: PIX performance problem again ! [7:38955]


Dear all,
My problem with the PIX is still present! The throughput between my inside
clients and the outside FTP server is still very low! The only node between
them is the PIX, and the speed can't be more than 50 KB/s. I have checked
the two Cisco fixes for cases like these (DNS pointer and
IDENT protocols), but the problem is still present. Please can anyone
help me?

Thanks in advance for your efforts

--

Mohannad N. Khuffash
Network Administrator
Palestine Telecommunication Company
Tel: 00972-02-2982330
Fax:00972-02-2980235




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38975&t=38955



RE: How to monitor the bridging traffic at routers [7:38758]

2002-03-19 Thread Kent Hundley

Some protocols don't have a layer 3 address, examples of this would be LAT
and SNA.  Since they have no layer 3 address, you must bridge them.  The
docs on CCO show how to enable bridging on a router:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/ibm_c/index.htm

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Tuesday, March 19, 2002 5:16 AM
To: [EMAIL PROTECTED]
Subject: Re: How to monitor the bridging traffic at routers [7:38758]


Can someone explain what this statement means?
(with an example of a non-routable protocol)

"As we need to cater some non-routable protocols,
bridging is also enabled at all routers."

And how is bridging enabled at a router? (Is this
referring to switching being enabled?)


--- dovelet  wrote:
> Hi all,
>
> Our company's network is connected using some Cisco
> 2500 and Cisco 4000
> routers. As we need to cater for some non-routable
> protocols, bridging is also
> enabled at all routers. I would like to know, are
> there any methods to
> monitor which hosts are using bridging through the
> routers? Of course, I can
> use a sniffer to capture the traffic, but the
> network is too large for us to
> do so.
>
> Please advise.
>
> Regards,
> Dovelet
[EMAIL PROTECTED]






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38839&t=38758



RE: Is cable network really a shared medium? [7:38705]

2002-03-18 Thread Kent Hundley

Sam,

You can check out the DOCSIS standards here:

http://www.cablemodem.com/

(check out the "specifications" section)

You should, at a minimum, see broadcasts from the other devices on your
cable network. Mostly you will see arp broadcasts, but some Windows users on
"raw" cable may still be out there.  Here's a quick snip of what I see if I
sniff my connection (this is using snoop on solaris):

 10.10.104.1 -> (broadcast)  ARP C Who is 10.10.107.250, 10.10.107.250 ?
 12.220.96.1 -> (broadcast)  ARP C Who is 12.220.97.204, 12.220.97.204 ?
 12.220.96.1 -> (broadcast)  ARP C Who is 12.220.98.16, 12.220.98.16 ?
 10.10.100.1 -> (broadcast)  ARP C Who is 10.10.103.128, 10.10.103.128 ?
12.220.100.1 -> (broadcast)  ARP C Who is 12.220.100.226, 12.220.100.226 ?
(and much more of the same)

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
sam sneed
Sent: Monday, March 18, 2002 11:57 AM
To: [EMAIL PROTECTED]
Subject: Is cable network really a shared medium? [7:38705]


I just changed services from DSL to cable modem. I have heard from people,
including Verizon, that cable is not as secure as DSL because it is over a
shared medium. I connected to my cable modem and fired up my packet sniffer.
I did not see anyone else's traffic on the line, so I am assuming the bandwidth
is shared (a known fact about cable access) but is somehow filtered at the
cable modem (bridge). Does anyone know if this assumption is true and the
inside details of how data is transmitted over the cable network? A link
to a whitepaper would be great.

thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38720&t=38705



RE: PIX 515 throughput problem ?! [7:38698]

2002-03-18 Thread Kent Hundley

Mohannad,

Look at this link, it may be the cause of your problem:

http://www.cisco.com/warp/public/110/21.html

If this is not the reason, try sniffing the connection.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mohannad Khuffash
Sent: Monday, March 18, 2002 10:45 AM
To: [EMAIL PROTECTED]
Subject: PIX 515 throughput problem ?! [7:38698]


Dear All,
I'm facing a problem with PIX 515 throughput. I have tried to download a
file from an FTP server located directly on the outside subnet, with my PC
located on the inside subnet; both are connected to a Catalyst 2948G, so the
only node between them is the PIX. The max speed I got was 60 KB/s, and when I
connect the two machines directly without the PIX, the speed goes up to 4 MB/s!
I have tried all the cases; I have used static NAT and PAT, but always get the
same result. The activation key is set to unlimited throughput, and Cisco says the
throughput for this type of machine should be 188 Mb/s. You can add to your
information that I don't use any type of encryption or VPN!
Please, does anyone have a comment on this problem?


Regards,




Mohannad N. Khuffash
Network Administrator
Palestine Telecommunication Company




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38706&t=38698



RE: Loopback Interfaces..long reply, read carefully please to [7:38335]

2002-03-14 Thread Kent Hundley

Mark,

You can _advertise_ the whole subnet, but the problem is that once you
assign a subnet to the loopback, you cannot assign another interface an IP
address in the same address space.  I'm still not sure I understand what
you're trying to accomplish here.  If you have hosts that will have IP
addresses, they'll have to be able to talk to the router using their IP
addresses, which means the router will have to have an interface in the
devices' subnets.  I don't see what the loopback buys you that simply
assigning a secondary IP address to the ethernet interface does not.

-Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Mark Odette II
Sent: Thursday, March 14, 2002 12:23 PM
To: [EMAIL PROTECTED]
Subject: RE: Loopback Interfaces..long reply, read carefully please to
[7:38285]


OK, For some reason, my first time of sending this reply got chopped, so
here it is again.

Brian, et al.,
Please Note the following:

***All I wanted to know was: Can the Loopback Interface be used to host a
complete subnet (and the Router make routing decisions with this interface),
or is its functionality such that it will always respond like an interface
configured with a 255.255.255.255 mask, and 86 traffic not destined for IT
on the same subnet??

I'm not looking for someone to help me make a completely working config for
all routers in this implementation.

The idea is to do such:

!Interface FastEthernet0
!   description Connected to PIX Outside Interface, and PIX Inside Interface
is subnet for Data traffic.
!   Ip address x.x.x.x 255.255.255.x

!Interface Loopback0
!   description VoIP subnet with VoIP originating/terminating on this
Router... other hosts also placed on the same subnet at a later date, and
connecting via the Ethernet Port which connects to a switch that the other
hosts are also plugging into.
!   Ip address 192.168.101.1 255.255.255.0

!Interface Serial0
!   NO IP ADDRESS
!   Encap Frame-Relay

!Interface Serial0.1
!   description Connected to the Internet
!   Ip address x.x.x.x x.x.x.252
!   interface-dlci 16

!Interface Serial0.100
!   description Connected to HQ over PVT FR for Voice traffic
!  ip unnumbered loopback0
!   interface-dlci 100
!   {insert Map-Class Tag here}

!{Insert Route-Maps Here}
!{Insert Voice configuration here... a.k.a. Dial Peers}
!{Insert QoS config here... a.k.a. Map Classes}

!Router EIGRP 1750
!Network 192.168.100.0 >>Brian


""Mark Odette II""  wrote in message
news:[EMAIL PROTECTED]...
> OK, I'll make the question simpler.
>
>
> Can you use a loopback interface in the same respect that you would use an
> ethernet interface?
>
> Create the loopback:  Interface Loopback0
> Assign it an IP with a /24 mask : ip address 192.168.10.1
> Configure the subnet assigned to the loopback interface to a routing
> process, such as EIGRP or RIP.
> Assign many other hosts on a LAN or a WAN an IP address that is in the
same
> subnet as the loopback interface.
> Replicate the above configuration on Router at other end of FR network.
> add subnet assigned to far-end routers' loopback interface to local EIGRP
> AS, or RIP; do the same on the far-end routers' config for the same EIGRP
AS
> or RIP configuration.
>
> And then, configure FR Subinterface with IP Unnumbered Loopback0, and
route
> > traffic across the FR network, with the traffic originating from either
the
> Router, or another host (if configuration above is legal) on the subnet
that
> is assigned to the Loopback interface.
>
> What I want to do, is configure a VoIP enabled router with a loopback
> interface assigned to 192.168.10.1, and several LAN hosts with the same
> subnet assignment, i.e., 192.168.10.2, .3, .4, etc., and a /24 subnet mask
> for all hosts including loopback interface.
> I then want to create and assign IP Unnumbered loopbackX to a FR P-to-P
> subinterface.
>
> Create EIGRP AS to route Subnets assigned to loopback interfaces on each
> respective router.
>
> Mirror image this configuration on the other end of the "wire" (FR
Network).
>
> Configure Dial-Peers with VOIP destinations pointing to the loopback
> interface of the peer router (other end of the FR Network).
>
> Is this Possible??
>
>
> The reason why I want to use Loopback interfaces, is because I plan to
> > assign a separate subnet to the FastEthernet Interface, and don't believe
> > that the use of the Secondary command will work, i.e., you can't specify
IP
> > Unnumbered FastEthernet0 and have the Secondary IP address used; ip
> > unnumbered fastethernet0 will use the FastEthernet's Primary address,
which
> > is not desired.
>
> The Primary Subnet assigned to the FastEthernet Interface will be NAT
> Translating with a PIX FW (PIX will be doing the NAT) to hit the Internet.
>
>
> For Topology description:
> Router HQ  connects to internet on one subinterface, while connecting to 3
> remote offices on a private FR network on a second subinterface.
> 

RE: Question on PIX 501 [7:38246]

2002-03-14 Thread Kent Hundley

Justin,

I think you got your answer, but I just wanted to clarify for you that
contrary to some of the information you were given, you do _not_ need to
configure an access-list on the PIX for outbound traffic.  You _do_ have to
set up, at a minimum, a "nat" statement.  If you are not using nat, you'll
need a "nat (inside) 0 0 0" statement.  If you are using nat, you'll need
something like "nat (inside) 1 0 0" and a corresponding "global (outside) 1
x.x.x.x netmask x.x.x.x" specifying what addresses you are using for your
NAT pool.

Once the nat is set up, IP addresses are assigned to the PIX interfaces and
default routes are set up, traffic will flow from the inside to the outside.
Only return traffic will be allowed from the outside to the inside.

All of this information is on the Cisco site.  There are docs in the PIX
section that walk you through step by step setting up a PIX for the first
time:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Justin C
Sent: Thursday, March 14, 2002 10:43 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]


Mark,

My original question that I sent to the group somehow got lost.  Ole was
kind enough to respond to a direct query regarding some fun I am having
with installing a Pix (501) for the first time.  My firewall background is
SonicWall and Watchguard, both are very simple in configuration and work
directly out of the box.

I was under the impression it was pretty much plug and play, so I decided to
test it by putting it between my PC and the rest of the LAN.  However, after
the initial setup, the Pix passed no information through it.  So I went to a
ping to start the troubleshooting.  The curious (to me) issue was that from
the console or the PDM of the Pix I can ping network addresses on both sides
of the Pix.  From the inside of the Pix, I cannot ping (or browse the web)
through the Pix.  I cannot even ping the outside interface of the Pix from
the inside interface.  The specific question is this ... is additional
configuration of the Pix required to permit access from the inside interface
to the outside interface and beyond?

To expand on the topic you and Ole are discussing, is the use of the
conduits (or access-lists) required for each and every type of service I
want to send from the inside to the outside?  I have no problem researching
the commands to learn how it is done, I just want to make certain I am on
the right path.

Thanks,

Justin


From: "Mark Odette II"
Reply-To: "Mark Odette II"
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]
Date: Thu, 14 Mar 2002 12:45:59 -0500

Forgive me for not reading the book yet, as I've been quite busy too
... but, I have a question in regards to the config line you gave.

I've used the PDM so far for most of the configuration of my PIX, and it
creates access-lists rather than conduits.  I know from others I've talked
with that Cisco is moving from conduits to access-lists on the PIX
configs... this is the question:

I configure to allow ICMP any(Outside) any(Inside) = Echo Reply
   ICMP any(Outside) any(Inside) = Time Exceeded
   ICMP any(Outside) any(Inside) = Unreachable

Does this do the same thing as what you were saying about "conduit permit
any any X"??

I think it does, but just want to make sure that I haven't opened up ICMP
completely with it being initiated from the outside.

Thanks!
Mark

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Ole Drews Jensen
Sent: Thursday, March 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501 [7:38246]


Hi Justin,

When you ping, you use the ICMP protocol.

When A pings B, A sends ICMP echo-request (number 8) to B, and B sends ICMP
echo-reply (number 0) back to A.

The PIX does not allow ICMP traffic to come from the outside to the inside,
so to change that, you will need to open up for ICMP number 0 (echo-reply).

The command for that is:

conduit permit icmp any any 0

This is a good way to do it, because then you allow outside devices to reply
to your request, but they are not allowed to do a PING themselves. If you want
PING to work both ways, simply use this command:

conduit permit icmp any any

Hth,

Ole

~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
~~~
  http://www.RouterChief.com
~~~
  NEED A JOB ???
  http://www.oledrews.com/job
~~~




-Original Message-
From: Justin C [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: Question on PIX 501


Ole,

Thanks for the reply.  I understand being busy.  I normally try to solve

RE: you American need to think [7:38323]

2002-03-14 Thread Kent Hundley

Jim,

I normally ignore these sorts of way OT posts, however

I am so glad that individuals such as yourself feel that you can better the
lives of all of us morally degenerate Americans by instructing us on the
proper rules of life and giving us so much to think about.

I am so glad that individuals such as yourself can stand at a distance and
offer your opinions and advice to those of us who are obviously in so dire a
need for it since you, wherever you're from, have _such_ an obviously superior
country since you have not had planes drop out of your sky into large
buildings full of innocent people.

Allow me to reciprocate.

Here's my advice:  The next time you feel the need to express your opinions,
buy a dog. I'm sure it will be happy to listen to whatever topics you wish
to expound on. (or a cat, hamster, whooping crane, or whatever pet seems
best for you)  Perhaps you can even get them an email and send them messages
if you can't restrain your idle hands.

Till then, try keeping your non-Cisco related opinions to yourself.  I, for
one, have had about as much Monday morning quarterbacking from non-Americans
on this topic as I can stomach in this life, especially on mailing lists
which have NOTHING WHATSOEVER TO DO WITH THIS BS!

Warmest regards,
Kent

PS Apologies to the list members for the OT post

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jim Bond
Sent: Thursday, March 14, 2002 4:26 PM
To: [EMAIL PROTECTED]
Subject: OT: you American need to think [7:38323]


Sorry for wasting your bandwidth, but I have to say
this.

Being rich is good; being smart is good. But if you
treat others like sxxt, others will treat you like
sxxt too. Think about this: if you are a CCNA and your
CCIE co-worker says you're "stupid" or "dumb", will you
respect him?

There are so many knowledgeable and friendly people on
this list, but there are some rude and arrogant people
too.

I agree that Bin Laden is a murderer, an evil, but you
Americans need to think about why he only attacks the US, not
Germany or Russia or Japan or others.

Show some respect to others; it won't make you poor.
Also remember that there is always someone richer and
smarter than you.

Over. Dismiss.

Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38333&t=38323



RE: Aironet to Cable Modem [7:38212]

2002-03-14 Thread Kent Hundley

The problem is that most likely you are using a subnet for your wireless net
that is not routable.  For example, if you're using 192.168.1.0/24 for your
wireless IPs, you cannot use those addresses on the Internet; you'll need a
NATing device like a Linksys router or some other low end NAT capable
broadband router.  This device will sit between your cable modem and your
AP.  The outside IP of the router will get its address from the cable
provider and then you can use private addressing on your AP and the NAT
gateway will take care of translating your internal addresses to the router's
legal IP.

You can pick up a Linksys router at CompUSA for a little over $100 that
will work fine.  You can get one with a built-in hub if you don't already
have a hub/switch lying around, but it will cost a little more.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 1:46 AM
To: [EMAIL PROTECTED]
Subject: Aironet to Cable Modem [7:38212]


First off I am not familiar with the aironet line!

I have a cable modem (dynamic IP address) connected to an Aironet 350 AP
(AIR-AP352E2C). I am able to get the Aironet's dynamic IP assigned to the
ethernet interface (from the cable company DHCP servers). I was able to
assign a static IP to the AP radio interface and connect via my wireless NIC
(static IP). But, I cannot access the Internet via the cable modem.

My guess is that it is more of a switch than a router. I was hopeful it had
a little bit of routing capabilities. I assume that because the ethernet int
and AP radio int are on different subnets that is the reason I can't talk.
But, again I am not sure and hope someone can help me out!!!


I would like any advice to get this working without any other equipment. I
was hoping to do this without using one of my routers! Also, is there any
way to configure it as a DHCP server? And any config advice would be
helpful!!!


Thanks for any advice you may give me !




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38331&t=38212



RE: Is this possible? [7:38098]

2002-03-13 Thread Kent Hundley

Yes, you'll need to configure the PIX to use AAA and have it speak Radius or
TACACS+ to the ACE server:

How to do AAA with the PIX:
http://www.cisco.com/warp/public/110/atp52.html

Info on Cisco talking to ACE server:
http://www.rsasecurity.com/support/guides/imp_pdfs/Cisco_Remote_Access_Servers_and_Pix_FW.pdf

You can probably get more info from the RSA site.

HTH,
Kent


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Johnson, Richard (NY Int)
Sent: Wednesday, March 13, 2002 7:05 AM
To: [EMAIL PROTECTED]
Subject: Is this possible? [7:38098]


Hi All,

Is it possible to do the following? I have a Citrix server on my
internal network which has an outside address via NAT. On the PIX, port 1494
(ICA client) is open and is obviously allowed to come in. The user is then
prompted for a user name and password. Upon entering this information, they
are then prompted for the PIN and SecurID by our RSA server. My question
is this: as opposed to having the Citrix server prompt them for their RSA
info, I would love for them to be prompted by the firewall. Any ideas if it can?


Thanks,


Rich




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38138&t=38098



RE: EIGRP Metric and Route inconcistence [7:38043]

2002-03-13 Thread Kent Hundley

What you're describing is fairly common and you can "fix" this by adjusting
the delay metric of router interfaces in your path. In your example, you
could adjust the delay between the routers so that the path metrics are
equal.  This is, as you note, the preferred approach with IGRP/EIGRP to
manipulate metrics.

One thing to note though is that by making the paths appear equal, you are,
in fact, "lying" to the router R1.  Since the real bw and delay are not
equal, the router is doing what it should do, pick the path with the most
preferred route based on these factors.

If you have multiple routes with unequal cost, you can use the "variance"
command in IGRP/EIGRP so that you can send a fraction of packets over the
lesser preferred path.  In your case, if you used the command "variance 2"
under the EIGRP statement for R1, it would consider alternative, less
preferred paths as long as they were less than or equal to (2*preferred path
metric).  The router would then send half as many packets along the less
preferred path as the most preferred path. If you used "variance 3" it would
use (3*preferred path metric) and send 1/3 as many packets, etc. etc. for
any n value "variance n".

In your scenario, using the variance command may be preferred since you may
not want a less preferred path getting the same amount of packets as the
most preferred path.  Then again, since the delay values are so close, the
paths may, for all practical purposes, be roughly equal in performance, so
equal sharing of the paths may be better.  That's something you would have
to determine in practice, based on your particular network traffic's
characteristics.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 12, 2002 6:30 PM
To: [EMAIL PROTECTED]
Subject: EIGRP Metric and Route inconcistence [7:38043]


Hi,

By default EIGRP uses 2 metrics, Bandwidth and Delay, to calculate routes. It
is recommended that we should not change the actual Bandwidth, but we can
change the interface delay for traffic engineering purposes.

The metric is :  Min Bandwidth + Cumulative Delay.

This can end up with a problem of "route non-consistency". Here is my
counter example:

        R2
       /  \
      /    \
    R1      R4-R5
      \    /
       \  /
        R3


Link
1-2 : Bandwidth = 10M, delay = 10ms
2-4 : Bandwidth = 20M, delay = 5ms
1-3 : Bandwidth = 20M, delay = 15ms
3-4 : Bandwidth = 20M, delay = 5ms

4-5 : Bandwidth = 10M, delay = 10ms

The traffic from R1 to a network directly connected to R4 will be load
balance between routes R1-R2-R4 and R1-R3-R4. because the Metric of the two
routes are the same:

R1-R2-R4 = Bandwidth (i.e. 10^7 / 1) + Delay (i.e. 1000 + 500) = 1000 + 1000 + 500 = 2500

R1-R3-R4 = 500 + 1500 + 500 = 2500

However, traffic from R1 heading for R5 is not load-balanced because the
Metric R1-R2-R4-R5 is 3500 while the metric R1-R3-R4-R5 = 4000

that means all traffic from R1 -> R5 will go via R2

That is a kind of inconsistency, which may lead to bottlenecks, and cause
difficulty for traffic engineering.

Could you please tell me if I am wrong or right?

If I am right, how we can overcome this problem.


Thanks a lot.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38118&t=38043
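As an added illustration of the variance rule Kent describes above (this is my own script, not code from either poster or from Cisco), the following Python computes EIGRP composite metrics for the five-router topology in the question and shows which paths R1 installs toward R4 and R5 for a given variance. Assumptions: the classic metric with default K values (K1 = K3 = 1), so the script's numbers are the poster's figures multiplied by 256; delays are taken from the question in microseconds; the bandwidth/delay values are the poster's, not measured. The script also applies the feasibility condition (the neighbour's reported distance must be lower than the feasible distance) that variance never waives, and computes the ideal inverse-metric load shares of the default "traffic-share balanced" behaviour; IOS rounds those to small integer share counts.

```python
from fractions import Fraction

# Topology from the question, constructed from the poster's figures:
# (bandwidth in kbit/s, delay in microseconds); links are bidirectional.
LINKS = {
    ("R1", "R2"): (10_000, 10_000),
    ("R2", "R4"): (20_000, 5_000),
    ("R1", "R3"): (20_000, 15_000),
    ("R3", "R4"): (20_000, 5_000),
    ("R4", "R5"): (10_000, 10_000),
}


def link(a, b):
    """Bandwidth/delay of the link between a and b, whichever way it was listed."""
    return LINKS.get((a, b)) or LINKS[(b, a)]


def eigrp_metric(path):
    """Classic EIGRP composite metric with default K values (K1 = K3 = 1):
    256 * (10^7 / min_bandwidth_kbps + sum(delay) in tens of microseconds).
    Divide by 256 to get the figures in the question (2500, 3500, 4000)."""
    hops = list(zip(path, path[1:]))
    min_bw = min(link(a, b)[0] for a, b in hops)
    delay = sum(link(a, b)[1] // 10 for a, b in hops)
    return 256 * (10_000_000 // min_bw + delay)


def simple_paths(src, dst, seen=None):
    """All loop-free paths from src to dst (depth-first)."""
    seen = seen or [src]
    if src == dst:
        yield list(seen)
        return
    for a, b in LINKS:
        for x, y in ((a, b), (b, a)):
            if x == src and y not in seen:
                yield from simple_paths(y, dst, seen + [y])


def installed_paths(src, dst, variance=1):
    """Paths src installs toward dst under 'variance N': the successor
    (feasible distance FD) plus every other path whose next hop passes the
    feasibility condition (its reported distance RD < FD) and whose metric
    is <= variance * FD.  Returns [(path, metric)], successor first."""
    ranked = sorted((eigrp_metric(p), p) for p in simple_paths(src, dst))
    fd, successor = ranked[0]
    chosen = [("-".join(successor), fd)]
    for metric, path in ranked[1:]:
        next_hop = path[1]
        # RD is the neighbour's own best metric to dst, whatever path it uses.
        rd = min(eigrp_metric(p) for p in simple_paths(next_hop, dst))
        if rd < fd and metric <= variance * fd:
            chosen.append(("-".join(path), metric))
    return chosen


def load_share(paths):
    """Ideal share of traffic per installed path: inversely proportional to
    metric, which is what the IOS default 'traffic-share balanced' aims at
    (IOS rounds these to integer share counts).  Returns {path: Fraction}."""
    weights = {p: Fraction(1, m) for p, m in paths}
    total = sum(weights.values())
    return {p: w / total for p, w in weights.items()}


if __name__ == "__main__":
    for dst, var in (("R4", 1), ("R5", 1), ("R5", 2)):
        paths = installed_paths("R1", dst, var)
        print(f"R1 -> {dst}, variance {var}:")
        for p, share in load_share(paths).items():
            print(f"  {p:14} metric {dict(paths)[p]:>8}  share {share}")
```

With variance 1, R1 reaches R4 over both equal-cost paths but R5 only via R2, which is the inconsistency the question describes; with variance 2 the R3 path (metric 4000 x 256, within twice the 3500 x 256 feasible distance, and R3's own distance to R5 is lower than R1's) is added and receives 7/15 of the traffic rather than exactly half.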



RE: DHCP across PIX [7:37286]

2002-03-05 Thread Kent Hundley

You cannot.  The PIX does not support forwarding of DHCP requests (or any
broadcast for that matter).

Your only options are to hard-code your IP address or use the DHCP server
built into the PIX.

HTH,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
kenairs
Sent: Tuesday, March 05, 2002 9:08 AM
To: [EMAIL PROTECTED]
Subject: DHCP across PIX [7:37286]


Hi,
My PCs are located on one of the PIX interfaces. There is a DHCP server on
the other interface.
How to let the DHCP packet go through? Broadcast?

Tks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37329&t=37286



RE: Another Security Advisory [7:36823]

2002-02-28 Thread Kent Hundley

I assume that this would have to be a "crafted" packet since, as you say, it
would be awfully strange to see normal traffic matching this description.

For example, assume I created the following packet:

[ethernet header] + 46 data bytes + 4 byte crc = 64 byte packet
Normal IP total length = 46 bytes (20 byte header + 26 bytes of data)

Now I forge the total length field in the IP header and change it to say the
IP packet is actually 100 bytes long instead of only 46 bytes.  This bug
would cause the router to give me 54 bytes of previous packet data.  I could
expand this to "capture" up to 1500-46 = 1454 bytes of possibly useful data
from previous packets. (there are programs that allow you to create packets
in any way you want, such as those at http://www.packetfactory.net)

In order for this to be really useful though, the attacker would have to
have a way of viewing those packets after they transit the router, which
implies that they can establish valid conversations through the router in
question back to a host they have access to view the packets on. (or
something listening on the other side of the router for them)

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Thursday, February 28, 2002 10:58 AM
To: [EMAIL PROTECTED]
Subject: Re: Another Security Advisory [7:36823]


This is awfully strange. When would the "packet length described in the IP
header be larger than the physical packet size?" I've never seen such a
thing.

If what they are really trying to say is that the packet must go out on a
data-link that has a minimum size and thus must be padded, then the
description of the problem makes sense. I've seen that. For example when IP
has a packet to send that is shorter than the Ethernet 64-byte minimum,
then padding is required.

And I have seen security issues with this. I have seen hosts (not routers
though) pad with left over data that was sensitive. (I saw a password in
the Ethernet pad once!)

OK, I've typed enough to avoid the GroupStudy bug that filters URLs at the
beginning of messages. I really wanted to say that the URL in the original
message got chopped. The URL to the security advisory is:

http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml

Priscilla

At 12:38 PM 2/28/02, Kaminski, Shawn G wrote:
>Here's another one:
>
>Cisco Security Advisory: Data Leak with Cisco Express Forwarding Enabled
>
>Revision 1.0
>
>For Public Release 2002 February 27 08:00 (UTC -0800)
>
>- ------------------------------------------------------------------------
>
>Summary
>===
>
>All Cisco devices running Cisco IOS(r) and having Cisco Express Forwarding
>(CEF) enabled can leak information from previous packets that have been
>handled by the device. This can happen if the packet length described in the
>IP header is bigger than the physical packet size. Packets like these will
>be expanded to fit the IP length and, during that expansion, an information
>leak may occur. Please note that an attacker can only collect parts of some
>packets but not the whole session.
>
>No other Cisco product is vulnerable. Devices that are having fast switching
>enabled are not affected by this vulnerability.
>
>The workaround for this vulnerability is to disable CEF.
>
>This advisory is available at http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml.
>
>Affected Products
>=================
>
>All Cisco IOS releases that are supporting CEF are vulnerable. In order to
>trigger this vulnerability CEF or dCEF must be enabled on the device. The
>vulnerable Cisco IOS releases are (this is not an exhaustive list):
>
>   * 11.1CC
>   * 12.0, 12.0S, 12.0T, 12.0ST
>   * 12.1, 12.1E, 12.1T
>   * 12.2, 12.2T
>
>No other Cisco products are affected.
>
>Details
>===
>
>When a router receives a packet where MAC level packet length is shorter
>than is indicated by the IP level, the router will "extend" the packet to
>the size indicated by the IP level. This extension will be done by padding
>the packet with arbitrary data. The issue here is that padding may
>contain data from a previous packet that has not been erased.
>
>Although it is possible to trigger this vulnerability on command, it is not
>possible to predict what information would be collected this way. It is not
>possible for an attacker to selectively capture desired packets (for
>example, packets with username and password combination).
>
>This vulnerability is specific to CEF. Fast switching is not affected by it.
>
>This vulnerability is documented as Cisco Bug ID CSCdu20643. For the Cisco
>IOS 11.1CC image, this vulnerability is described as Cisco Bug ID
>CSCdp58360.
>
>Impact
>==
>
>By sending malformed packets, and capturing them after they have been
>processed by CEF, an attacker may find remnants of previous packets in
>them. The remnant data may contain whatever the previous packet has carried.
>That may be parts of a document, mail or any other c
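
To make Kent's arithmetic above concrete, here is an added Python model of the packet he describes and of the forwarding behaviour the advisory reports. It is my own illustration, not code from the thread, from the advisory, or from Cisco, and it does not model IOS internals: the "stale buffer" is a deliberately simple stand-in for memory that still holds the previous packet, and zero-padding in the fixed variant is my choice of safe behaviour, not a description of Cisco's fix. The MAC and IP addresses, the use of IP protocol 253 (reserved for experiments), and the contents of the "previous packet" are all constructed for the example. The probe is the one in Kent's post: a 46-byte IP packet (20-byte header, 26 bytes of data) whose total-length field claims 100 bytes, so a router that trusts the header makes up 54 bytes. `wire_mismatch` is also the check a capture filter or IDS rule can apply to spot such packets: IP total length larger than the bytes actually carried after the link-layer header.

```python
import struct
from typing import Optional

ETH_HLEN = 14          # Ethernet II header
IP_HLEN = 20           # IPv4 header without options
ETH_MIN_PAYLOAD = 46   # Ethernet pads anything shorter on the wire

# Constructed addresses for the example (not from the advisory or the thread).
SRC_MAC = bytes.fromhex("001122334455")
DST_MAC = bytes.fromhex("66778899aabb")
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])


def ip_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071); 0 for a valid header."""
    if len(header) % 2:
        header += b"\0"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(payload: bytes, claimed_total_len: Optional[int] = None) -> bytes:
    """Ethernet II + IPv4 frame (IP protocol 253, reserved for experiments).
    With claimed_total_len set, the IP total-length field lies about the
    on-the-wire size: that is the malformed packet the advisory describes."""
    total_len = IP_HLEN + len(payload) if claimed_total_len is None else claimed_total_len
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, 253, 0,
                      SRC_IP, DST_IP)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    ip_pkt = hdr + payload
    eth_pad = b"\0" * max(0, ETH_MIN_PAYLOAD - len(ip_pkt))  # honest link-layer padding
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip_pkt + eth_pad


def wire_mismatch(frame: bytes) -> int:
    """Bytes the IP header claims beyond what the frame actually carries.
    > 0 is the trigger condition from the advisory.  A short packet padded
    by Ethernet gives 0, because there the IP length is *smaller* than the frame."""
    if frame[12:14] != b"\x08\x00":
        return 0
    total_len = struct.unpack("!H", frame[ETH_HLEN + 2:ETH_HLEN + 4])[0]
    return max(0, total_len - (len(frame) - ETH_HLEN))


def forward_vulnerable(frame: bytes, stale_buffer: bytes) -> bytes:
    """Model of the bug: the packet is 'extended' to the IP length by reading
    past the received bytes in a buffer that still holds what the previous
    packet left there (anything older than that buffer is not modelled)."""
    missing = wire_mismatch(frame)
    return frame + stale_buffer[len(frame):len(frame) + missing]


def forward_fixed(frame: bytes, stale_buffer: bytes) -> bytes:
    """One safe behaviour: never copy beyond the received bytes, pad with zeros
    (dropping the packet is equally valid).  My modelling choice, not Cisco's fix."""
    return frame + b"\0" * wire_mismatch(frame)


def leaked_bytes(frame: bytes, stale_buffer: bytes) -> bytes:
    """What an attacker capturing the forwarded copy sees beyond their own data."""
    return forward_vulnerable(frame, stale_buffer)[len(frame):]


# Constructed 'previous packet' the router handled just before the probe.
PREVIOUS = build_frame(b"X" * 40 + b"PASS hunter2\r\n" + b"Y" * 60)
# Kent's probe: 26 bytes of data (46-byte IP packet) claiming to be 100 bytes long.
PROBE = build_frame(b"A" * 26, claimed_total_len=100)

if __name__ == "__main__":
    print("frame on wire:", len(PROBE), "bytes; IP header claims 100")
    print("bytes the router makes up:", wire_mismatch(PROBE))
    print("leaked from previous packet:", leaked_bytes(PROBE, PREVIOUS))
```

Running it shows the 60-byte probe coming back 114 bytes long, with the extra 54 bytes carrying whatever sat in the buffer, here the constructed "PASS hunter2" string; the same probe through `forward_fixed` returns 54 zero bytes. As Kent notes, the attacker still has to see the forwarded copy, so the leak is only useful where they can receive traffic on the far side of the router.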

RE: question about stateful inspection [7:36817]

2002-02-28 Thread Kent Hundley

As far as I can tell, it means essentially nothing.  All SPI is by
definition, "multi layer" since it tracks at least both layer 3 and layer 4.
It looks like a term added to SPI to make it sound like its looking at more
"layers".  It's probably a term cooked up by the marketing departments of
SPI firewall vendors.

You see things like this a lot, especially in the security product arena.
Companies invent terms to make their technology sound new or unique when
they are neither.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Thursday, February 28, 2002 9:13 AM
To: [EMAIL PROTECTED]
Subject: question about stateful inspection [7:36817]


What is multilayer stateful inspection?

Stateful inspection is understood fine, but what does
the prefix multilayer denote or mean?

State refers to the session information
that is temporarily kept in a state table for open
connections and is wiped or erased when the session
ends. BUT what does multilayer mean here?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36832&t=36817



RE: firewall feature set not in 4000 series [7:36768]

2002-02-28 Thread Kent Hundley

John,

You're correct, there is no support for the FFS on the 4x00 platform and there
probably will never be.  Cisco has EOLed the 4x00 series and is not going to
continue development on that platform, although they will continue
supporting it for some time.  The midrange router of choice is the 3600
series.

Regards,
Kent

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Wednesday, February 27, 2002 9:05 PM
To: [EMAIL PROTECTED]
Subject: firewall feature set not in 4000 series [7:36768]


Is it true that there is no support for the firewall
feature set for 4000 series Cisco routers?

Though it is supported in the 7100 and 7200 series,
why not the 4000 series? Any special reason? (All the other
series are supported, like 3600, 2500 and 2600, etc.)





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36810&t=36768


