RE: Pix - Comparison - Conduit - Access-list [7:34155]

2002-02-01 Thread Roberts, Larry

Well I think you're doing it the only way that comes to mind, but I'm a little
confused why the DMZ is able to go anywhere outbound?
That's not a typical thing (or is it???)
In our case, the DMZ can't do anything but the machine specific task ( DNS
can do udp 53 out, Mail can do SMTP out )
By the same token, those machines can only go to the inside on certain
things as well. This is meant to prevent us from becoming an attacker if a
machine gets hacked ( gasp )

If you lock down your DMZ to only permit machine specific tasks, then you
can add away to the bottom because there is no DENY ip any x.x.x.x,
where x.x.x.x is your inside network, followed by the ip any any that I am
assuming you're using and that is allowing access to the outside.

If you don't want the DMZ to have access to port 80 inside, you could always
block source port 80 on the inside from going to the DMZ. This would allow
you to use the tcp any any eq www without allowing access inside.


Did I miss something or is this what you're looking for?

Larry 

-Original Message-
From: Gaz [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 01, 2002 7:58 PM
To: [EMAIL PROTECTED]
Subject: Pix - Comparison - Conduit - Access-list [7:34155]


Hi all,


I've used conduits for a few years and recently converted my aged mind to
access-lists on the Pix. When using conduits on a 3 interface pix for
instance:

Everything allowed from DMZ to outside by default.
Apply conduit from DMZ to inside.
Still all traffic would be allowed from DMZ to outside.

With access-lists:

Everything allowed out from DMZ to outside by default. Access-list applied
to dmz in - to allow traffic from DMZ to inside. Now all traffic from DMZ to
outside is stopped by this access-list


My usual workaround is to add 2 lines to the end of the DMZ access-list
denying IP from any to all internal networks, and then permit IP from dmz to
any. My only moan is the pain of removing and re-adding these two lines
every time you're adding one line during installation/troubleshooting. On
top of the fact that it seems to be a bodge.

Is there a better way of going about this??



Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34158&t=34155
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: Limit Internet BW [7:34201]

2002-02-02 Thread Roberts, Larry

What type of connection is between site A and B ?

Without knowing your layout, it might be possible to use queuing to limit
what addresses get a percentage of the bandwidth.
If you can't do it internally, and assuming you can assign each site a
different external IP address, you could just filter on the external router.
Not elegant, and not overly efficient, but a workaround.

I would look at CBWFQ with 2 separate classes with the 1280 statement under
the main or unlimited class.
Not elegant but a way to closely accomplish what you're looking for.

I suppose that you could also use custom queuing and set the byte count as
well. Not a fan of that though.

Keep in mind that queuing is usually meant to assure a minimum amount of
bandwidth, not a maximum, so you have to look at this from the perspective of
give the max I can to Site B, while letting the rest (256 K) be free for
site A.

Is it critical that site A NEVER gets more than 256 regardless of the other
site's needs? If so then the above is moot, because queuing will only come
into play during periods of congestion. When it's idle, they can use all that
they want.


Larry

-Original Message-
From: Fernando Shiran [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, February 02, 2002 10:32 AM
To: [EMAIL PROTECTED]
Subject: Limit Internet BW [7:34201]


Hello,

I do have a requirement to limit Internet Bandwidth among a few sites. I do
have a T1 and want to allow site A to access bandwidth of not more than 256K
while site B can access full bandwidth without restriction.

I do have a Cisco 2620 as the Gateway router. All ideas greatly appreciated.

Regards
Shiran




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34205&t=34201



RE: info on blocking aol im [7:34459]

2002-02-05 Thread Roberts, Larry

You need to block access to the login server IPs.
If I remember it is login.oscar.aol.com. Just nslookup the IPs associated
and block them (I do it via a route to null0).

Same process with Yahoo IM, although you have to block about a million
addresses it seems like.

Both services change IP's regularly and you will need to periodically check
to see if new address's are brought on line. Be aware that the process of
blocking YIM will sometimes break access to yahoo e-mail servers that are in
the same range as the login servers.

Also,

Be sure to find the Java script client IP address of AOL and block it as
well. I didn't know that it existed until I walked by someone's desk and
they were just a chatting away. Man was I PO'd bout that one.

It is not an easy process to block and keep them blocked. Both services are
evolving and finding new ways around firewalls so you have to stay vigilant
until you can get those that be to press down and say it's not authorized and
those using it will be disciplined.


Larry 

-Original Message-
From: Walls Matthew [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 05, 2002 10:13 AM
To: [EMAIL PROTECTED]
Subject: info on blocking aol im [7:34459]


Looking to block aol im with pix and 2600s router.  Seems to use multiple
ports, etc

Any advice on blocking this?...

 

 

Matthew J. Walls
Sr. Systems Engineer, Systems Development [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34467&t=34459



RE: access-list in pix 520 [7:34512]

2002-02-05 Thread Roberts, Larry

Yes there is an implicit deny any any at the end.

You can only apply one access-list per interface. If you attempt to place a
second one, it will just replace the first one. (At least with 5.2 and
earlier code.)

Best link I can give you is:

http://www.cisco.com/warp/public/110/pix_command_ref.shtml


-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 05, 2002 3:57 PM
To: [EMAIL PROTECTED]
Subject: access-list in pix 520 [7:34512]


access-list 1 deny ip 10.1.0.0 255.255.0.0 host X.X.X.X
access-group 1 in interface inside

Once I apply it I lose outside connectivity. I imagine that the same rules
apply as on routers, an explicit deny at the end, so I would have to place an
allow ip any any at the end, right? Well, what if I'm creating another
access-list (2, for example) too? Should I also have to place another allow
statement? Any particular links referring to this issue would be greatly
appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34525&t=34512



RE: Average afterwork time Tech learning commitment? [7:34634]

2002-02-06 Thread Roberts, Larry

Live,eat,breathe,drink the stuff.

I don't start until 8:00 or so, but I start at home via VPN. Get the basics
out of the way and head to work by 10:00. Stay there till 6-7 to miss
traffic, then come home to study for CCIE Security till 12 or so.
My commute is only 15 minutes via the back roads however, so not much time
is lost there. 
I typically check e-mail and read some on the weekends, but with NASCAR
starting back again, there is going to be no time on Sunday.
The guys I work with think I'm nuts though, so YMMV.


 

-Original Message-
From: rtc9 [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, February 06, 2002 11:10 AM
To: [EMAIL PROTECTED]
Subject: Average afterwork time Tech learning commitment? [7:34634]


I have a three hour commute, a full+ part time job, and I'm wondering, what
is the average hours people put in to their job after hours? Some I think do
nothing. Others eat drink sleep and live the stuff. I know work is
important... but




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34654&t=34634



RE: IPSec tunnels [7:34742]

2002-02-07 Thread Roberts, Larry

On the concentrator I would go into Monitoring-Filterable Event Log and
change the address to be the remote IP address. See if it gathers any
errors.

On the PIX, there are several commands.
1) Show Crypto Engine. This command will show you if it thinks a tunnel is
up.
2) Show crypto ipsec sa. Show the SA that has been negotiated with the VPN
concentrator
3) Show crypto isakmp policy. Make sure that both devices agree on the
isakmp policy completely. 
4) Debug Crypto isakmp. Make sure you have logging debug enabled! Also, if
this is a very active PIX, you will need to redirect this to a syslog server
and then parse that file.
5) debug crypto ipsec sa ( verify on your PIX ). Same as above on logging.

I found a very good book that will go over what it is you're doing and some
common mistakes.
It's brand new (2002): Cisco Secure Virtual Private Networks.
I am in no way affiliated with the author or Cisco Press, I just found it an
excellent book for those wanting to really understand IPSec.


Thanks

Larry Roberts CCNP
Expanets
5758 W. 74th St.
Indianapolis IN 46278
317.870.2550 Office
317.402.9730 Cell
317.876-6518 Fax 

 

-Original Message-
From: Patrick Donlon [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 07, 2002 7:50 AM
To: [EMAIL PROTECTED]
Subject: IPSec tunnels [7:34742]


Hi All

I'm looking for some information on how to verify the configuration of a PIX
with an IPsec tunnel to a VPN concentrator. I have a tunnel that keeps
bouncing, I think that instabilities across the internet could be causing
some of the problems as I see the path changing quite a lot from the
Netherlands to Dubai. I can't find the command(s), or understand the ones
I've used, which tells me whether the tunnel is up on the PIX, I can see
from the concentrator that it's down but I want to know about the PIX too.
Any other advice is appreciated.

Cheers

Pat




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34749&t=34742



RE: problem in int [7:34937]

2002-02-08 Thread Roberts, Larry

They are most likely downloading data (or MP3's) from/through your
location.
The only traffic going back, the incoming to you, is the data
acknowledgment.
Most companies that don't host internet services find this happening.
Your customer sends an http request to a server on your end and you send the
page back to them, including that 6 meg flash file that you insist everyone
sees :)


Thanks

Larry Roberts CCNP
Expanets
5758 W. 74th St.
Indianapolis IN 46278
317.870.2550 Office
317.402.9730 Cell
317.876-6518 Fax 

 

-Original Message-
From: kaushalender [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 08, 2002 11:07 PM
To: [EMAIL PROTECTED]
Subject: problem in int [7:34937]


hi group
I have a strange problem. The problem is I have a 128 kbps link to my
customer. When I see the interface on which the customer is connected, the
incoming traffic is less and outgoing traffic is very high. Why is this
happening? Plz tell me

This is the int; as you can see clearly, 47000 is incoming from customer and
192000 is outgoing to customer. Thanx


Serial0/2 is up, line protocol is up
  Hardware is PowerQUICC Serial
  Description: "RAINBOW AND VERTEC" "REM-2"
  Internet address is 216.252.243.1/30
  MTU 2048 bytes, BW 512 Kbit, DLY 2 usec,
 reliability 255/255, txload 95/255, rxload 23/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  LCP Open
  Listen: CDPCP
  Open: IPCP
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 2d02h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1769
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
 Conversations  0/30/256 (active/max active/max total)
 Reserved Conversations 0/0 (allocated/max allocated)
 Available Bandwidth 384 kilobits/sec
  5 minute input rate 47000 bits/sec, 68 packets/sec
  5 minute output rate 192000 bits/sec, 58 packets/sec
 4251918 packets input, 655572206 bytes, 0 no buffer
 Received 0 broadcasts, 0 runts, 1 giants, 0 throttles
 94 input errors, 2 CRC, 87 frame, 0 overrun, 0 ignored, 5 abort
 4168853 packets output, 1573135961 bytes, 0 underruns
 0 output errors, 0 collisions, 13 interface resets
 0 output buffer failures, 0 output buffers swapped out
 0 carrier transitions
 DCD=up  DSR=up  DTR=up  RTS=up  CTS=up




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=34941&t=34937



RE: PIX Support in CW2000 [7:35381]

2002-02-14 Thread Roberts, Larry

You have to do 2 things on the PIX. 
snmp-server community EXAMPLE
snmp-server host inside a.b.c.d 

With a.b.c.d being the address of the CW2K server and EXAMPLE being your
SNMP community string


Larry 

-Original Message-
From: Danial Morison [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 14, 2002 12:59 AM
To: [EMAIL PROTECTED]
Subject: PIX Support in CW2000 [7:35381]


Hi group,

I am trying to add a Cisco PIX firewall in CW2000 RME. The error I am getting
is "Unable to connect to the device". I have used the diagnostics tools and
they are showing that PING, NSLOOKUP, TRACEROUTE are ok. Also in Management
station to devices, UDP, TCP, SNMPR, SNMPW, TFTP, HTTP fail and TELNET
passes. Any idea where I am making a mistake?

Thanks in advance.

Danial






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35393&t=35381



RE: Secondary ip address and ip helper-address [7:35583]

2002-02-15 Thread Roberts, Larry

Are you trying to pull IP's in the range specified by the secondary address?
If so, try reversing the primary and secondary addresses.
If I remember correctly, the Ethernet interface will show as coming from the
primary and the DHCP server will not see a scope for this range,
Only for the secondary.

No match=No address.

Larry 

-Original Message-
From: J-B [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 15, 2002 2:22 PM
To: [EMAIL PROTECTED]
Subject: Secondary ip address and ip helper-address HELPP [7:35532]


Team,
I have the following problem:

Our network has 10 sites; I am in the process of readdressing the current
network. I have set up a secondary ip address on every site. At the present
time I am setting up a wk2000 dhcp/win server in one site. The problem is
that I am not able to obtain an ip address from the DHCP server via the WAN;
it works fine in the site where it is located. The layout is the following:

Hub site

interface Ethernet0
 ip address 192.168.13.1 255.255.255.0 secondary
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.12.17
 ip directed-broadcast
 no cdp enable

interface Serial0
 no ip address
 ip directed-broadcast
 encapsulation frame-relay IETF
 no ip mroute-cache
 frame-relay lmi-type ansi

interface Serial0.3 point-to-point
 description Spoke site
 bandwidth 384
 ip unnumbered Ethernet0
 ip helper-address 192.168.12.17
 ip directed-broadcast
 frame-relay interface-dlci 26

Spoke site

interface Ethernet0
 ip address 192.168.12.1 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0

interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description connection to Hub
 ip unnumbered Ethernet0
 bandwidth 384
 frame-relay interface-dlci 16
!

The ip address of the DHCP server is 192.168.12.17

Be aware that I have no problem pinging the DHCP server from the Hub
site.

Team, what I am doing wrong here...HELP


Thanks (nothing can replace experiencewo)


JB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35583&t=35583



RE: access-group ## in or out? [7:35578]

2002-02-15 Thread Roberts, Larry

OK,
Think of a 3 interface router: E0, E1, S0

E0
ip address 192.168.1.1 255.255.255.0
E1
ip address 192.168.2.1 255.255.255.0
S0
192.168.3.0 255.255.255.252

access-list 100 deny tcp any any eq 21
access-list 100 permit ip any any


If you wanted to have users be able to FTP between E0 and E1, but not out
across the WAN link S0, you would apply the access-list as:

S0
ip access-group 100 out

This would block all FTP traffic from going out across S0, but not stop
(or even inspect) traffic flowing between the E0 and E1 interfaces.

If you were to apply it as an in on S0, it would only block traffic that
originated across the WAN.
The big issue with this, besides that it doesn't stop E0 and E1 from FTP'ing,
is that this traffic still crossed the WAN and used bandwidth only to be
dropped at the router.
You could re-write the access list to drop traffic with a source port of 21
and that would stop the return packets and prevent a connection, but once
again the traffic still crossed the WAN.
First line rewritten as (access-list 100 deny tcp any eq 21 any).

As an alternative you could do this:

access-list 100 permit tcp any 192.168.1.0 0.0.0.255 eq 21
access-list 100 permit tcp any 192.168.2.0 0.0.0.255 eq 21
access-list 100 deny tcp any any eq ftp
access-list 100 permit ip any any

Then under the E0 and E1 interface:

ip access-group 100 in

On the E0 interface the second line would permit it, while on the E1
interface the first line would.
Either way the traffic that wasn't bound for the opposite Ethernet interface
would get blocked.
The issue with doing this is that if you have a large amount of traffic
between the interfaces, and the router is already running with high
utilization, you have killed the router because it will have to do a lookup
on every packet coming into the interface, regardless of protocol and
regardless of destination.

Most access-lists can be re-written to be applied inbound or outbound on any
interface; it all comes down to how efficient and clean you want the config
to be. You can usually (IMO) tell the skill of the person administrating a
router(s) by how "clean" the config is.

The less the router has to do to a packet, the faster it will be. Not big on
small office routers, but in a high speed datacenter/LAN switching
environment, this becomes much more important.


Thanks

Larry 

-Original Message-
From: none ya [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 15, 2002 9:03 PM
To: [EMAIL PROTECTED]
Subject: access-group ## in or out? [7:35578]


Would someone please give me a simple explanation/example that will clarify
when to use "in" or "out" when you apply an ACL to a router interface?
Thanks!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35584&t=35578
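To make the first-match behaviour behind both the PIX DMZ thread (access-list replacing conduits) and the in/out thread above concrete, here is an added example that is not from any post on this list. It evaluates a flow against an access-list the way PIX and IOS do, top down with an implicit deny at the end, using Gaz's workaround, Larry's locked-down DMZ list and Larry's ACL 100; the DMZ hosts, the port 1433 database rule and all addresses are constructed for illustration.

```python
"""First-match ACL evaluation for the DMZ and in/out discussions above.

Added example, not taken from any post in this thread. Entries are checked
top down, the first match wins, and anything left over hits the implicit
deny that ends every PIX/IOS access-list. All addresses are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# A flow is (protocol, source IP, destination IP, destination port).
Flow = Tuple[str, str, str, int]


@dataclass(frozen=True)
class Ace:
    """One access-control entry; src/dst are 'any', a host or a CIDR."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else tcp/udp
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        proto, src, dst, dport = flow
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching line); None = implicit deny."""
    for index, ace in enumerate(acl):
        if ace.matches(flow):
            return ace.action, index
    return "deny", None


# Constructed addressing: DMZ 192.168.100.0/24, inside 192.168.1.0/24.
INSIDE = "192.168.1.0/24"
DMZ_DNS, DMZ_MAIL = "192.168.100.10", "192.168.100.25"
INSIDE_DB, OUTSIDE_WEB = "192.168.1.50", "203.0.113.10"

# Gaz's starting point: one line so a DMZ host can reach an inside database
# (port 1433 is a constructed choice). The implicit deny that follows it
# is what also stops all the DMZ -> outside traffic the conduit left open.
DMZ_ONLY_INSIDE = [Ace("permit", "tcp", "192.168.100.0/24", INSIDE, 1433)]

# Gaz's workaround: deny the inside network, then permit everything else.
# Every new inside rule has to be inserted above these two trailing lines.
DMZ_WORKAROUND = DMZ_ONLY_INSIDE + [
    Ace("deny", "ip", "any", INSIDE),
    Ace("permit", "ip", "any", "any"),
]

# Larry's approach: only the machine-specific tasks. With no trailing
# permit-any, new lines can simply be appended at the bottom.
DMZ_LOCKED_DOWN = [
    Ace("permit", "tcp", "192.168.100.0/24", INSIDE, 1433),
    Ace("permit", "udp", DMZ_DNS, "any", 53),
    Ace("permit", "tcp", DMZ_MAIL, "any", 25),
]

# Larry's in/out alternative: ACL 100 applied inbound on both E0 and E1
# allows FTP between the two Ethernets but not out across the WAN.
ACL_100 = [
    Ace("permit", "tcp", "any", "192.168.1.0/24", 21),
    Ace("permit", "tcp", "any", "192.168.2.0/24", 21),
    Ace("deny", "tcp", "any", "any", 21),
    Ace("permit", "ip", "any", "any"),
]


def main() -> None:
    cases = [
        ("DMZ, inside rule only", DMZ_ONLY_INSIDE, ("tcp", DMZ_MAIL, OUTSIDE_WEB, 80)),
        ("DMZ, Gaz's workaround", DMZ_WORKAROUND, ("tcp", DMZ_MAIL, OUTSIDE_WEB, 80)),
        ("DMZ, Gaz's workaround", DMZ_WORKAROUND, ("tcp", DMZ_MAIL, INSIDE_DB, 80)),
        ("DMZ, locked down", DMZ_LOCKED_DOWN, ("tcp", DMZ_DNS, OUTSIDE_WEB, 80)),
        ("ACL 100 in on E0", ACL_100, ("tcp", "192.168.1.10", "192.168.2.5", 21)),
        ("ACL 100 in on E0", ACL_100, ("tcp", "192.168.1.10", OUTSIDE_WEB, 21)),
    ]
    for label, acl, flow in cases:
        action, line = evaluate(acl, flow)
        where = "implicit deny" if line is None else f"line {line + 1}"
        print(f"{label:22} {flow[1]} -> {flow[2]}:{flow[3]:<5} {action} ({where})")


if __name__ == "__main__":
    main()
```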



RE: Dening telnet access [7:35628]

2002-02-16 Thread Roberts, Larry

Are you wanting to deny telnet through the router, or to the router?

If you are wanting to deny access to the router, you should create a
standard access-list and apply that to the vty interfaces.

access-list 10 deny any

line vty 0 4
 access-class 10 in



Thanks

Larry 

-Original Message-
From: McHugh Randy [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, February 16, 2002 4:49 PM
To: [EMAIL PROTECTED]
Subject: Dening telnet access [7:35628]


Access list problem:

Why does this extended access list not work to deny telnet access applied to
the internet interface on a 2514?

Extended IP access list 199
deny tcp any any eq telnet

interface Ethernet0

ip access-group 199 in

I have a lot more statements than this and of course the statement access-list
199 permit ip any any

to take care of the implicit deny all, but I can still access the router
from the internet through telnet. Anyone have any ideas what else might be
needed to prevent or selectively allow telnet access to my router. Thanks,
Randy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35636&t=35628



RE: Dening telnet access [7:35628]

2002-02-18 Thread Roberts, Larry

The only way that the access-list applied to the inbound interface (non-vty)
blocked your telnet is if you were trying to telnet to an address that was
not the directly connected address (loopback or far side serial/ethernet).

If you were to telnet directly to the interface that the access-list was
applied to you WOULD get in. Only an access-class applied to the VTY ports
will stop that.

Thanks

Larry 

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 18, 2002 1:05 PM
To: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]


I know it does.  I have, even fairly recently, locked myself out of a router
via an inbound access list applied to an interface, DOH :(  Try again and if
it doesn't work I would like to see the config.

  Are you sure the interface on which you applied the access list is the
interface you were telnetting to/thru??

  Dave

Patrick Ramsey wrote:
> 
> really?  I have had no luck using inbound acl's to control telnet to 
> the
router...I always have to use acc's on the vty's
> 
> Is there a trick to this?
> 
> -Patrick
> 
> >>> MADMAN  02/18/02 12:16PM >>>
> Actually telnet packets are processed by inbound access-list.  Now if 
> you're referring to outbound access-lists then you would be correct.
> 
>   Dave
> 
> "Hire, Ejay" wrote:
> >
> > Because telnet packets destined for the router are not normally 
> > processed
> by
> > access-lists.  (i don't understand why not, but hey...)
> >
> > instead do this
> >
> > access-list y deny xx.xx.xx.xx xx.xx.xx.xx
> >
> > line vty 0 n (n = the results of a ?, usually 4) access-class y
> >
> --
> David Madland
> Sr. Network Engineer
> CCIE# 2016
> Qwest Communications Int. Inc.
> [EMAIL PROTECTED]
> 612-664-3367
> 
> "Emotion should reflect reason not guide it"

-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35758&t=35628



RE: Dening telnet access [7:35628]

2002-02-18 Thread Roberts, Larry

And for reference:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipr
as_r/1rfip1.htm#xtocid1

Note that your source address is NOT on the same Ethernet subnet
(172.28.64.11/26). You're coming from 172.28.56.48. A routing decision is
being made.

Put your machine on the 172.28.64.11 subnet and show me this getting
dropped.



Thanks

Larry 

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 18, 2002 3:21 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]



  Not in my world:

interface Ethernet4/0/0
 bandwidth 1000
 ip address 172.28.64.11 255.255.255.192
 ip access-group 150 in
 no ip directed-broadcast
 no ip mroute-cache
!
access-list 150 deny   tcp host 172.28.56.48 any eq telnet log
access-list 150 permit ip any any

*Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.56.48(57010) -> 172.28.64.11(23), 1 packet

  Thank you!!

  Dave

RE: Dening telnet access [7:35628]

2002-02-18 Thread Roberts, Larry

Wow, that makes no sense. It must be a new feature. :)

Anyways you're right, I'm wrong.

I would like to point out that if you are asked by Cisco to restrict access
to the router, if you want credit I would strongly advise using access-class
statements.

Remember the answer is the Cisco way, not always the right way.

Thanks

Larry 

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Monday, February 18, 2002 4:42 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: Re: Dening telnet access [7:35628]



   Here's the proof:

interface FastEthernet0/0
 ip address 172.28.64.28 255.255.255.192
 ip access-group 150 in
 ip directed-broadcast
 duplex auto
 speed auto
!
access-list 150 deny   tcp host 172.28.64.11 any eq telnet log
access-list 150 permit ip any any
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 5 15
 login

C2620B#
3w3d: %SEC-6-IPACCESSLOGP: list 150 denied tcp 172.28.64.11(62978) -> 172.28.64.28(23), 1 packet
C2620B#

  Dave

"Roberts, Larry" wrote:
> 
> And for reference: 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgc
> r/fipr
> as_r/1rfip1.htm#xtocid1
> 
> Note that your source address is NOT on the same Ethernet subnet ( 
> 172.28.64.11/26 ) Your coming from 172.28.56.48. A routing decision is 
> being made.
> 
> Put your machine on the 172.28.64.11 subnet and show me this getting 
> dropped.
> 
> Thanks
> 
> Larry
> 
> -Original Message-
> From: MADMAN [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 18, 2002 3:21 PM
> To: Roberts, Larry
> Cc: [EMAIL PROTECTED]
> Subject: Re: Dening telnet access [7:35628]
> 
>   Not in my world:
> 
> interface Ethernet4/0/0
>  bandwidth 1000
>  ip address 172.28.64.11 255.255.255.192
>  ip access-group 150 in
>  no ip directed-broadcast
>  no ip mroute-cache
> !
>  access-list 150 deny   tcp host 172.28.56.48 any eq telnet log
> access-list 150 permit ip any any
> 
> *Feb 18 12:11:42: %SEC-6-IPACCESSLOGP: list 150 denied tcp
> 172.28.56.48(57010) -
> > 172.28.64.11(23), 1 packet
> 
>   Thank you!!
> 
>   Dave
> 
> "Roberts, Larry" wrote:
> >
> > The only way that the access-list applied to the inbound interface
> > ( non-vty ) blocked your telnet is if you were trying to telnet
> > to an address that was not the directly connected address ( loopback
> > or far side serial/ethernet )
> >
> > If you were to telnet directly to the interface that the access-list
> > was applied to you WOULD get in. Only an access-class applied to the
> > VTY ports will stop that.
> >
> > Thanks
> >
> > Larry
> >
> > -Original Message-
> > From: MADMAN [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, February 18, 2002 1:05 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Dening telnet access [7:35628]
> >
> > I know it does.  I have, even fairly recently, locked myself out of
> > a router via an inbound access list applied to an interface, DOH :(
> > Try again and if it doesn't work I would like to see the config.
> >
> >   Are you sure the interface on which you applied the access list is
> > the interface you were telnetting to/thru??
> >
> >   Dave
> >
> > Patrick Ramsey wrote:
> > >
> > > really?  I have had no luck using inbound acl's to control telnet
> > > to the router...I always have to use acc's on the vty's
> > >
> > > Is there a trick to this?
> > >
> > > -Patrick
> > >
> > > >>> MADMAN  02/18/02 12:16PM >>>
> > > Actually telnet packets are processed by inbound access-list.  Now
> > > if you're referring to outbound access-lists then you would be
> > > correct.
> > >
> > >   Dave
> > >
> > > "Hire, Ejay" wrote:
> > > >
> > > > Because telnet packets destined for the router are not normally
> > > > processed by access-lists.  (I don't understand why not, but hey...)
> > > >
> > > > instead do this
> > > >
> > > > access-list y deny xx.xx.xx.xx xx.xx.xx.xx
> > > > access-list y permit any
> > > >
> > > > line vty 0 n (n = the result of a ?, usually 4)
> > > >  access-class y in
> > > >
> > > > -Original Message-
> > > > From: McHugh Randy [mailto:[EMAIL PROTECTED]]
> > > > Sent: Saturday, February 16, 2002 4:49 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: De
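
The evaluation that Dave's proof config performs, as an added example that is not code from this thread or from Cisco IOS: a small Python model of an inbound extended access-list (host/any/wildcard matching, the `eq` port, first match wins, implicit deny at the end) run over the two lines of list 150 with packets constructed from the log lines quoted above. The log string format and source ports are copied from the thread's output; any other addresses are constructed for the example.

```python
"""Model of an IOS extended access-list applied inbound on an interface.

Added example; not code from the thread or from Cisco IOS. It parses the
two lines of Dave's list 150, evaluates packets constructed from the log
lines quoted in the thread, and emits a %SEC-6-IPACCESSLOGP-style string
in the format shown there. Real IOS behaviour is only modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known names IOS accepts after "eq" (subset).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "smtp": 25, "domain": 53}
VERB = {"permit": "permitted", "deny": "denied"}

# ACL text as posted by Dave in the thread.
ACL_150 = """
access-list 150 deny   tcp host 172.28.64.11 any eq telnet log
access-list 150 permit ip any any
"""


@dataclass
class AclEntry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches any transport, else "tcp"/"udp"/...
    src: Tuple[int, int]     # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    dst_port: Optional[int]  # value after "eq", or None
    log: bool


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text: str) -> Tuple[str, List[AclEntry]]:
    """Return (list number, entries) from 'access-list N ...' lines."""
    number, entries = "", []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        number, action, proto = t[1], t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        entries.append(AclEntry(action, proto, src, dst, port, "log" in t[i:]))
    return number, entries


def _match(spec: Tuple[int, int], addr: str) -> bool:
    """Wildcard match: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(addr)) | wild) == (base | wild)


def evaluate(acl_text: str, proto: str, src: str, sport: int,
             dst: str, dport: int) -> Tuple[str, Optional[str]]:
    """First matching entry wins; an ACL ends with an implicit deny.

    Returns (action, log line or None). The inbound list is consulted for
    every packet arriving on the interface, including packets addressed to
    the router's own interface address, which is what Dave's log shows.
    """
    number, entries = parse_acl(acl_text)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not (_match(e.src, src) and _match(e.dst, dst)):
            continue
        if e.dst_port is not None and e.dst_port != dport:
            continue
        log = None
        if e.log:
            log = (f"%SEC-6-IPACCESSLOGP: list {number} {VERB[e.action]} "
                   f"{proto} {src}({sport}) -> {dst}({dport}), 1 packet")
        return e.action, log
    return "deny", None   # implicit deny at the end of every ACL


if __name__ == "__main__":
    # Packet from Dave's second log line: telnet to the interface itself.
    print(evaluate(ACL_150, "tcp", "172.28.64.11", 62978, "172.28.64.28", 23))
    # Same destination from the other subnet: falls through to permit ip any any.
    print(evaluate(ACL_150, "tcp", "172.28.56.48", 57010, "172.28.64.28", 23))
```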

RE: CCNP [7:35756]

2002-02-19 Thread Roberts, Larry

I have to agree with David on this.

I don't think that someone could just take the Boson's over and over and
pass ( at least not for the higher level tests ) but I think they do a good
job of focusing you on what is and isn't the more important parts of the
test.

I just took ( and passed YEA! ) the CCIE Security written today. I have been
studying for what seems an eternity, but was at an impasse as to what I would
actually need to know for the test.

I purchased the CCIE Security practice exam last night and used it for that
last minute test my skills check. It brought to light some weak spots in my
understanding that I didn't realize were there. On those questions I
followed the links to the Cisco documents and re-learned the subject matter
over. I don't credit my passing to the test, but I do think that they helped
me improve my score , and MOST importantly my understanding of the subject.

Only complaint that I have with the Boson tests is that there tends to be a
large amount of grammatical errors, some of which can lead to confusion.

Although after taking the Security test in which there were some just plain
wrong questions, not to mention the ones that make no sense, that might help
them feel more similar :)

Thanks

Larry 

-Original Message-
From: David L. Blair [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 19, 2002 8:08 PM
To: [EMAIL PROTECTED]
Subject: Re: CCNP [7:35756]


I completely DISAGREE!!

Boson's tests do not simulate the actual testing experience, i.e. the
vagueness of Cisco's test.  Boson's do test the level of knowledge needed to
pass a given test.

Disclaimer:  I have done some consulting for Boson in the past and present.
I used Boson's test for every Cisco test that I have passed which was before
I did any consulting for Boson.


"Through Complexity there is Simplicity,
   Through Simplicity there is Complexity"

David L. Blair - CCNP, CCNA, MCSE, CBE, A+, 3Wizard



"Joshua Barnes" wrote in message news:[EMAIL PROTECTED]...
> I have found that going through the book a couple of times is the best 
> thing.  The Boson's are heralded but I don't know why.  I think they 
> suck. JMO.
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf 
> Of Liko Agosta
> Sent: Monday, February 18, 2002 2:17 PM
> To: [EMAIL PROTECTED]
> Subject: CCNP [7:35756]
>
> What's the best test practice suite for CCNP?
>
> I am doing the exams in this order
>
> a. switching
> b. routing
> c. remote access
> d. support
>
> what's the best for
>
> a. switching
> b. routing




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35919&t=35756
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: CCIE Question [7:36243]

2002-02-22 Thread Roberts, Larry

That's ok, because I'm the President of the United States (F-MLN)
(Future-Most Likely Not )

:)

Larry

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 22, 2002 2:46 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Question [7:36243]


Cisco has made it clear that passing the written -CCIE exam does not get you
a certificate in itself.  Only by passing both the written and the lab do
you obtain a cert.  I don't know how it came to be acceptable that people
can claim a certificate that doesn't exist.

While you might say that it's not really a big deal - after all, the written
is an exam, so it 'sort-of' is like a cert, so what's the harm in pretending
that it's another cert?  Well, the real problem is that if people are
allowed to make up a "CCIE-Q" cert that doesn't exist, then what's to stop
them from making up other qualifications that don't exist?  It's the classic
slippery slope.  For example, if the CCIE-Q becomes an accepted pseudo-cert,
then later somebody will inevitably say they have a "CCIE-A", because they
(A)ttempted the written (but didn't pass).  Or  a "CCIE-F" for somebody
who's never even seen a router in his life, but has heard about the CCIE
program and is thinking about doing it in the (F)uture.  Or heck, how about
a Bachelor's Degree-(F) for somebody who's never stepped into a classroom in
his life, but might do it in the future.  I don't know about you, but I hold
a Ph.D-(F), an MBA-(F),  a Law-degree-(F), and a Medical-degree-(F), all
from Harvard.




"Michael J. Doherty" wrote in message news:[EMAIL PROTECTED]...
> It seems to be common these days to use that abbreviation to mean that 
> the individual has taken, and passed, the Written exam, but not yet 
> challenged/passed the Lab.
>
> As for me, personally, when I get to that point, I do not plan on 
> advertising it in this manner.  If it comes up in an interview 
> question, I would answer it.  But, I refuse to put any certification
> on my resume until I can honestly claim the entire title.
>
>
> - Original Message -
> From: "Brian Zeitz"
> To:
> Sent: Friday, February 22, 2002 1:54 PM
> Subject: CCIE Question [7:36243]
>
>
> > I saw a resume with "CCIE (Q)" after their name, what does the Q mean?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36263&t=36243



RE: pix question [7:36500]

2002-02-26 Thread Roberts, Larry

Well, if I understand your question correctly, you want to have a specific
subnet always get the same external address ?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as
the first group. Just pick a number that is unique and apply it to both the
NAT statement for the inside addresses and the Global outside address that
they get. That is how the NAT is associated with the specific global
statement.

a.b.c.d is our outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated. If
you want to add multiple internal networks to that specific global address,
then you only need to add additional NAT statements using the same unique
identifier (#).

 

Thanks

Larry 

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]


I have a pool of IP addresses I'm assigning as they leave my internal network.
Is there a way I can assign specific global IP addresses to inside networks?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36507&t=36500



RE: pix question [7:36500]

2002-02-26 Thread Roberts, Larry

Oops, typo alert.

The Global statement should read:

Global (outside) # a.b.c.d netmask 255.255.255.0

Thanks

Larry 

-Original Message-
From: Roberts, Larry 
Sent: Tuesday, February 26, 2002 11:34 AM
To: 'george gittins'; [EMAIL PROTECTED]
Subject: RE: pix question [7:36500]


Well, if I understand your question correctly, you want to have a specific
subnet always get the same external address ?

Nat (inside) # 10.20.30.0 255.255.255.0
Global (outside) # a.b.c.d 255.255.255.0

# = unique number that is not used already on your PIX. Most people use 1 as
the first group. Just pick a number that is unique and apply it to both the
NAT statement for the inside addresses and the Global outside address that
they get. That is how the NAT is associated with the specific global
statement.

a.b.c.d is our outside address that they always get.

10.20.30.0 255.255.255.0 is the inside network(s) that get translated. If
you want to add multiple internal networks to that specific global address,
then you only need to add additional NAT statements using the same unique
identifier (#).

 

Thanks

Larry 

-Original Message-
From: george gittins [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 26, 2002 10:41 AM
To: [EMAIL PROTECTED]
Subject: pix question [7:36500]


I have a pool of IP addresses I'm assigning as they leave my internal network.
Is there a way I can assign specific global IP addresses to inside networks?

George Gittins
Internet Systems Manager
Weslaco, Tx 78599
Phone (956)9696557




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36508&t=36500



RE: CCIE Security certs given by Cisco [7:36834]

2002-02-28 Thread Roberts, Larry

Asked the same question 2 days ago to the Cisco rep. I was scheduling the
exam with.
The number she gave me was between 25 and 50.
 Apparently Sept. 11th has caused many labs to get cancelled due to travel
restrictions.

Thanks

Larry 

-Original Message-
From: grant sabesky [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 28, 2002 2:35 PM
To: [EMAIL PROTECTED]
Subject: CCIE Security certs given by Cisco [7:36834]


I now know the total number of CCIE's (Congrads - Dipak). Does anyone know
the number of CCIE's with the CCIE Security certification?

thanks
grant

Grant A. Sabesky
Blue Oasis Technologies
Sunny San Diego, CA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36844&t=36834



RE: PIX Access-list Problem. [7:37336]

2002-03-05 Thread Roberts, Larry

#2.

#1 won't work as it doesn't specify the eq portion. It should ( at
least on 5.2 code ) generate an error.

All this is assuming that 200.200.200.0 is the correct source and 10.10.0.0
255.255.0.0 is the correct destination.




Thanks

Larry 

-Original Message-
From: Ivan [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 05, 2002 7:22 PM
To: [EMAIL PROTECTED]
Subject: PIX Access-list Problem. [7:37336]


Hi all,

I have a problem; can anyone give me an answer?
Which of the following access-lists is right to allow only telnet?

1. access-list 100 permit tcp 200.200.200.0 255.255.255.0 10.10.0.0
255.255.0.0 23

2. access-list 100 permit tcp 200.200.200.0 255.255.255.0 10.10.0.0
255.255.0.0 eq 23

Thank you very much.

Ivan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37340&t=37336



OT:RE: Cat 2950-24 [7:37374]

2002-03-06 Thread Roberts, Larry

Reminds me of a funny story about this..
I was new to Cisco eq, and switches in general. I searched and searched to
find out why this was happening to me. Finally found the answer of port
fast. Was I happy ...until the next morning when the config was blank and
the problem was back. I put the port fast back in and all was well until
the next morning. Same thing kept happening for 2 weeks. I was going nuts
trying to figure out what was going on until someone was kind enough to
tell me about the mysterious command " write memory ". That fixed the
problem for a week or so until one morning I get a call that nobody can log
in again. I go to telnet into the switch and I can't reach it. Hm.
Quick walk to the maintenance cage revealed the answer. You see this was a
new enclosure that didn't have power directly to it yet, so an extension
cord was run to power the 2924's. Turns out that where we plugged in was
the location that the night maintenance man also happened to plug his
coffee maker into. Seems he forgot to plug it back in when he left for the
night and the cabinet was dead. Since the Building Manager AND the
Maintenance Manager all happened to be connected to those switches, power
was run that afternoon like I had originally requested. I bought the night
guy a thing of coffee for the assistance!

Thanks

Larry 

-Original Message-
From: Cebuano [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, March 06, 2002 7:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Cat 2950-24 [7:37374]


You don't disable STP on the port to the PC because
STP is only run between Layer2 devices.
I believe you are referring to PortFast.

Elmer

- Original Message -
From: "Brian" 
To: 
Sent: Wednesday, March 06, 2002 2:34 AM
Subject: Re: Cat 2950-24 [7:37374]


> If you connect a computer to a switch port, it takes spanning tree a
> bit to allow traffic to pass.  If this is an individual host being
> connected, you could try disabling spanning tree on the port..
>
> Bri
>
> - Original Message -
> From: "Ismail Al-Shelh"
> To:
> Sent: Tuesday, March 05, 2002 10:44 PM
> Subject: Cat 2950-24 [7:37374]
>
>
> > Dear all
> > We have a PC with 3Com 3c90x-Tx 10/100 Network Card.  This PC is
> > installed with Dos 6.22 Operating System.  We used to connect this
> > to our 3com Switch1100 with the dos driver provided by 3Com.  The
> > sequence of loading the 3com driver to connect to 3com Switch1100 is
> > as follows:
> > LSL.COM
> > 3C90X.EXE
> > IPXODI.COM
> > NETX.EXE
> > F:
> > LOGIN
> > This is in a batch file and when we run the batch file it will connect
> > immediately.
> > The problem I am facing while connecting to CISCO CATALYST 2950-24 port
> > is that if I am running the same batch file it will not connect.
> > I have to load the LSL.COM first and the port on the switch to which this
> > computer is connected will be in Green color. But when I load 3c90x.exe
> > immediately the port on the switch color becomes amber. I have to wait
> > for 1 to 1.5 minutes for the port color to become green and after that
> > if I load IPXODI.COM and NETX.EXE then it will connect. I can see this
> > because I am sitting in front of the Cisco Switch.  In actual use the
> > end user will run the batch file sitting somewhere in his room and he
> > will get a message "Novell Netware Server not Found".
> > Why is there this delay in connecting to Novell Netware through the Cisco
> > Switch? The same delay is not happening while we are connecting to the
> > 3Com Switch. We need your help and guidance to sort out this problem.
> > Ismail Al-shelh
> >
> > [GroupStudy.com removed an attachment of type application/ms-tnef]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37485&t=37374



RE: OSPF Question [7:37899]

2002-03-11 Thread Roberts, Larry

Process ID is of local significance only. That number does not appear
anywhere outside the router it resides on.
If you were to have multiple OSPF processes running on a box, it is how you
would differentiate between them.


Thanks

Larry 

-Original Message-
From: Justin M. Clark [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 11, 2002 5:18 PM
To: [EMAIL PROTECTED]
Subject: OSPF Question [7:37899]


when configuring ospf the first command is:

router ospf process-id

Does the process id have any significance?  For instance, if I have one
router with pid of 10 and another with pid 12 can both of them function in
area 0?  If so, where does the process-id come into effect?  What is it
specified for?

Thanks,
Justin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37903&t=37899



Redundant Internet Connection Questions [7:37908]

2002-03-11 Thread Roberts, Larry

Hello folks,

I am looking for some ideas on the best way to provide redundant outbound
internet connections.
We currently have 2 separate Internet connections. We run PIX's at both
locations. Inside both PIX's are a set of 72xx series routers that run OSPF
and BGP processes.

Due to the nature of our WAN's, the routers are not members of Area 0 for the
OSPF network, and they are running EBGP between them on the BGP WAN network.
One WAN vendor is Area 0, and the other WAN Vendor is our BGP peering
partner.  The Internet Vendor for both connections is the same however.

I would like to implement redundant, dynamic Outbound connectivity that
would use 1 connection as primary, and in case that goes down, failover to
the second. I have come up with some ideas, but I keep running into a snag
with the PIX's sitting between the Internet Router and the Internal router.



EXTRTRA                  EXTRTRB
   |                        |
  PIXA                     PIXB
   |                        |
INTRTRA                  INTRTRB
   |\                      /|
   | \                    / |
   |  \                  /  |
 WAN1  WAN2          WAN2  WAN1
   |     \              /    |
   |      \- OSPF Network -/ |
   |                         |
   |----- WAN EBGP PEER -----|


( All internal networks use Private name space )

WAN 2 is the OSPF WAN vendor and we are not in Area 0, WAN2 routers form
Area 0 on their backside. 

WAN 1 is the EBGP network. IE Each location is a separate AS( private AS )
and the WAN EBGP peer is 1 AS number.
The EBGP network is used as a failover network between datacenters only ,and
currently no traffic is flowing via BGP.

All other WAN locations ( 100+) form a fully meshed cloud via OSPF. 

Our current setup is to have INTRTRA with a static route to PIXA that is
redistributed into OSPF. The problem with this is that if EXTRTRA fails, the
only way we know is from the phone ringing. We can swing to the secondary
Internet connection by injecting the default route to PIXB at INTRTRB , but
this is a manual and slow process.

I am checking with our Internet Vendor to see if they can peer with us and
supply a default route, however, I keep running into a stumbling block on
how to inject this into the OSPF network. I have thought about setting up a
BGP peer from the inside to the outside, but I think that the route that
would be supplied would point to the external routers interface, not the
PIX, which should be the next hop.

I want/would like to inject the default routes with different costs such
that connection A is always used unless it is down.

Anybody else doing this, or have ideas or suggestions on the best practice.
I am sure I am missing something obvious here, I just am going brain dead
and cannot see what it is.

Let me know if you need more information or if I have managed to totally
confuse you.

Thanks

Larry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37908&t=37908



RE: Redundant Internet Connection Questions [7:37908]

2002-03-11 Thread Roberts, Larry

Our Internal WAN is all OSPF. We have the option of BGP between datacenters
only.
We don't control area 0. Area 0 consists of about 12-15 peering points, or
concentration routers.
The actual boxes our provider uses are Nortel Shastas. All our locations form
Pt. 2 Pt. connections back to the 12-15 different Shastas. Our equipment
forms 1 area off each shasta (12-15 separate areas), while the connection
between shastas across the Provider's backbone is Area 0. I don't
particularly care for it myself, but under our circumstances it was the best
and easiest way of doing things.

My concern isn't about propagating the default through OSPF, but rather how
I can have the default route received through the PIX, and how I can have it
dynamically change if one provider connection goes down.
I guess I don't see how I can have the Internal router know the status of
the externally received default route if that makes sense..

My thought process is that the next hop that will flow from the extrtr to
the intrtr will have the next hop specified as the PIX facing interface on
the extrtr. Unfortunately the next hop for the internal router is in fact
the PIX internal interface itself.

Upon further review I think that a static route for the PIX facing interface
of the external router that is directed to the firewall on the internal
router would allow this to happen.

Extrtr receives default route from ISP.

extrtr
 (F0)
  |
  |
 (EO)
 PIX
 (E1)
  |
  |
 (F1)
intrtr

How do I propagate the default route from the outside to the inside ? I
would most likely form BGP peers , but wouldn't the next hop received for
the default route be to (F0). What I need is the next hop to be the Inside
interface of the PIX (E1) correct ?
Could I put a static route for (F0) pointing to (E1) on intrtr? Would that
work ?

I still think that I am making too much out of this. I should have my lab
PIX back this weekend so I will build this up and test it then, but I'm sure
someone is doing this and I am curious how they have chosen to solve the
problem.


Thanks

Larry 

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 11, 2002 9:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Redundant Internet Connection Questions [7:37908]


If I understand what you are trying to do -- it's a little unclear if 
you are running all the OSPF or someone else is -- inject OSPF 
defaults with metric type 2, and the metric on Connection A lower 
than Connection B.

If the management of the OSPF system is under different 
organizations, I'm afraid. I'm very afraid.



>Hello folks,
>
>I am looking for some ideas on the best way to provide redundant 
>outbound internet connections. We currently have 2 separate Internet 
>connections. We run PIX's at both locations. Inside both PIX's are a 
>set Of 72xx series routers that run OSPF and BGP process's.
>
>Do to the nature of our WAN's, the routers are not members of Area 0 
>for the OSPF network, and they are running EBGP between them on the BGP 
>WAN network. One WAN vendor is Area 0, and the other WAN Vendor is our 
>BGP peering partner.  The Internet Vendor for both connections is the 
>same however.
>
>I would like to implement redundant, dynamic Outbound connectivity that 
>would use 1 connection as primary, and in case that goes down, failover 
>to the second. I have come up with some Idea's, but I keep running into 
>a snag with the PIX's setting between the Internet Router and the 
>Internal router.
>
>
>
>   EXTRTRA                  EXTRTRB
>      |                        |
>     PIXA                     PIXB
>      |                        |
>   INTRTRA                  INTRTRB
>      |\                      /|
>      | \                    / |
>      |  \                  /  |
>    WAN1  WAN2          WAN2  WAN1
>      |     \              /    |
>      |      \- OSPF Network -/ |
>      |                         |
>      |----- WAN EBGP PEER -----|
>
>
>( All internal networks use Private name space )
>
>WAN 2 is the OSPF WAN vendor and we are not in Area 0, WAN2 routers 
>form Area 0 on their backside.
>
>WAN 1 is the EBGP network. IE Each location is a separate AS( private 
>AS ) and the WAN EBGP peer is 1 AS number. The EBGP network is used as 
>a failover network between datacenters only ,and currently no traffic 
>is flowing via BGP.
>
>All other WAN locations ( 100+) form a fully meshed cloud via OSPF.
>
>Our current setup is to have INTRTRA with a static route to PIXA that 
>is redistributed into OSPF. The problem with this is that if EXTRTRA 
>fails, the only way we know is from the phone ringing. We can swing to 
>the secondary Internet connection by injecting the default rout

RE: NAT & PIX [7:38633]

2002-03-18 Thread Roberts, Larry

Quick note. The second command will only allow 50 NAT translations at a
time. Once 50 are full, then everyone else gets denied.
If you were to combine the 2 statements into:

Global (outside) 1 192.168.1.1-192.168.1.49 netmask 255.255.255.0
Global (outside) 1 192.168.1.50 netmask 255.255.255.0
Nat (inside) 1 0 0

This will cause the first 49 addresses to get used for NAT, while the .50
will become an overflow, or overload/PAT address.
The NAT will always be used before the PAT session is used as well.


Thanks

Larry 

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 18, 2002 9:27 AM
To: [EMAIL PROTECTED]
Subject: RE: NAT & PIX [7:38633]


Yes,

With the two commands NAT and GLOBAL, you can specify exactly what you need:

global (outside) 1 192.168.1.200 netmask 255.255.255.255

This will translate the inside address(es) specified with the NAT command to
ONE outside address.

nat (inside) 1 0 0

This will translate all inside addresses to the address(es) specified with
the GLOBAL command.

If you want every pc on the inside network to translate to 1 public address
(192.168.1.200) use these two commands:

global (outside) 1 192.168.1.200 netmask 255.255.255.255
nat (inside) 1 0 0

If you want every pc on the inside network to translate to 1 out of 50
public addresses (192.168.1.201 thru 192.168.1.250) use these two commands:

global (outside) 1 192.168.1.201-192.168.1.250 netmask 255.255.255.0
nat (inside) 1 0 0

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~







-Original Message-
From: Arni V. Skarphedinsson [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 18, 2002 4:18 AM
To: [EMAIL PROTECTED]
Subject: NAT & PIX [7:38633]


Hi

I have a PIX firewall, and am using nat to let my clients access the
internet, but now I need to connect about 100 clients, based in a WAN of
more than 50 places, all to the internet through the same ip address,

so the question is, can I have some sort of a NAT list letting all the 100
ip addresses get on the net through the one public address ??

Best regards ?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38651&t=38633
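
The nat/global pairing by unique id from Larry's "pix question" reply earlier on this page, and the pool-then-PAT overflow he describes in this thread, as one added example that is not code from the posts or from Cisco: a Python model that parses constructed PIX `nat`/`global` lines and hands out translations. The 203.0.113.x address and the 10.x inside hosts are constructed placeholders, and unlike a real PIX the model allocates one PAT port per inside host rather than per connection.

```python
"""Model of PIX 'nat'/'global' pairing, pool exhaustion and PAT overflow.

Added example; not code from the mailing-list posts or from Cisco. It
simulates the behaviour described in the thread: a 'nat' line and a
'global' line are tied together by the shared nat_id, a global range is a
pool of one-to-one translations, and a single global address under the
same nat_id takes the overflow as PAT once the pool is empty. A pool with
no PAT address denies new hosts once exhausted. Simplification: one PAT
port is allocated per inside host here, not per connection.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Xlate = Tuple[str, Optional[int]]   # (outside address, PAT port or None)


class PixNat:
    def __init__(self) -> None:
        self.nat_rules: List[Tuple[str, ipaddress.IPv4Network]] = []
        self.pools: Dict[str, List[str]] = {}   # nat_id -> free pool addresses
        self.pat: Dict[str, str] = {}           # nat_id -> single PAT address
        self.xlate: Dict[str, Xlate] = {}       # inside host -> translation
        self.next_port = 1024

    def load(self, config: str) -> None:
        """Read 'nat (inside) ID NET MASK' and 'global (outside) ID ADDR|RANGE'."""
        for raw in config.splitlines():
            t = raw.strip().lower().split()
            if len(t) < 4:
                continue
            if t[0] == "nat" and t[1] == "(inside)":
                nat_id, addr, mask = t[2], t[3], t[4]
                # 'nat (inside) 1 0 0' means every inside address.
                net = (ipaddress.IPv4Network("0.0.0.0/0") if addr == mask == "0"
                       else ipaddress.IPv4Network(f"{addr}/{mask}"))
                self.nat_rules.append((nat_id, net))
            elif t[0] == "global" and t[1] == "(outside)":
                nat_id, spec = t[2], t[3]     # trailing 'netmask ...' is ignored
                if "-" in spec:
                    lo, hi = (int(ipaddress.IPv4Address(x)) for x in spec.split("-"))
                    self.pools.setdefault(nat_id, []).extend(
                        str(ipaddress.IPv4Address(a)) for a in range(lo, hi + 1))
                else:
                    self.pat[nat_id] = spec

    def translate(self, inside: str) -> Optional[Xlate]:
        """Translation for a new inside host, or None if the PIX would deny it."""
        if inside in self.xlate:
            return self.xlate[inside]
        ip = ipaddress.IPv4Address(inside)
        # Most specific matching nat line decides which nat_id applies (modelled).
        candidates = [(net.prefixlen, nat_id) for nat_id, net in self.nat_rules if ip in net]
        if not candidates:
            return None                      # no nat line covers this host
        nat_id = max(candidates)[1]
        pool = self.pools.get(nat_id, [])
        if pool:
            out: Xlate = (pool.pop(0), None)   # one-to-one NAT from the pool first
        elif nat_id in self.pat:
            out = (self.pat[nat_id], self.next_port)  # overflow: PAT address
            self.next_port += 1
        else:
            return None                      # pool exhausted, no PAT: denied
        self.xlate[inside] = out
        return out


# Constructed config following Larry's combined statements, plus a second
# nat_id that pins one inside subnet to a single (placeholder) outside address.
CONFIG = """
nat (inside) 1 0 0
global (outside) 1 192.168.1.1-192.168.1.49 netmask 255.255.255.0
global (outside) 1 192.168.1.50 netmask 255.255.255.0
nat (inside) 2 10.20.30.0 255.255.255.0
global (outside) 2 203.0.113.5 netmask 255.255.255.0
"""


def demo() -> Dict[str, Optional[Xlate]]:
    """Fifty hosts through nat_id 1 (49 pool, then PAT), one through nat_id 2."""
    pix = PixNat()
    pix.load(CONFIG)
    results = {h: pix.translate(h) for h in (f"10.0.0.{n}" for n in range(1, 51))}
    results["10.20.30.7"] = pix.translate("10.20.30.7")
    return results


if __name__ == "__main__":
    for host, xl in demo().items():
        print(host, "->", xl)
```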



RE: BGP Issue... [7:38877]

2002-03-19 Thread Roberts, Larry

No need at all. 

Make a neighbor statement with the remote-as then add another neighbor
statement like this:

neighbor a.b.c.d ebgp-multihop

http://www.cisco.com/warp/public/459/13.html#A5.0

Thanks

Larry 

-Original Message-
From: Stanzin Takpa [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 19, 2002 6:55 PM
To: [EMAIL PROTECTED]
Subject: BGP Issue... [7:38877]


Is it required in eBGP that the two routers be directly connected
(physically), or can they be logically directly connected?


Stanzin Takpa




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38885&t=38877



RE: Upgrade to RME 3.3 [7:39056]

2002-03-21 Thread Roberts, Larry

Only experience I have is that we are running it. I did however do a
complete rebuild of the CW2K box prior to installation, but that was out of
my choice ( I didn't do the original install and I'm a control freak ) not
out of a CW2K requirement.

I have noticed that in general , CW has taken a performance nose-dive,
especially in the Java dept. I don't know if I would equate that to RME 3.3
or, just the complete rebuild and upgrade of all components. I took great
care this time though to only install the components that we would actually
use, and left the rest off, so I don't think that I installed anything new
that would have caused the problem.

Thanks

Larry 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 21, 2002 1:02 PM
To: [EMAIL PROTECTED]
Subject: Upgrade to RME 3.3 [7:39056]


Hey been browsing around, and wondered if anyone took the leap to version
3.3 of RME with CiscoWorks 2K. We are using CiscoWorks 2K with RME 2.2 and I
wanted to know if anyone could share an experience. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39070&t=39056



RE: issue with PIX and dhcp ? [7:39269]

2002-03-22 Thread Roberts, Larry

I had the same issue with a 501 that I had. I couldn't get it to work via
Time Warner and an associate tried on Comcast and had no luck.
I have had success using a Cisco Router, but the PIX just wouldn't work.
Something I did was to forge the mac address of the PIX with a linksys so
that it would grab a DHCP address.
I then swapped out the eq and hard coded the address. It worked for about an
hour then it died.

With Time Warner, the cable modem will see the DHCP reply that is sent to
your device and add that to its mac/ip table.
They have a private network between the cable modem and their eq, and use
NAT translation at the cable modem itself.
The cable modem ( at least in my area ) will only hold 2 MAC/IP address
combos so you might need to reset the cable modem to clear out its table.

Would be curious if you have success or not, that way I can tell if it was
just a local problem , or a Cisco PIX issue.


Thanks

Larry 

-Original Message-
From: John Green [mailto:[EMAIL PROTECTED]] 
Sent: Friday, March 22, 2002 10:24 PM
To: [EMAIL PROTECTED]
Subject: issue with PIX and dhcp ? [7:39269]


Is anyone aware of any issue with PIX501 and
connecting via cable modem to get an ip address (dhcp)
?

  internet --- cable modem --- PIX 501 --- HOST

 without the pix, the HOST is able to get the dhcp ip
address fine. the pix is configured to get an
ipaddress from dhcp for its outside interface. but it
is failing.
does anyone know of such issues ?






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39273&t=39269



RE: Bridging and HSRP [7:39525]

2002-03-26 Thread Roberts, Larry

This is more of a question on top of this question.
If I have dual Sup's in a 6509, why not just run high availability and not
worry about HSRP ? Does HSRP give you something that high availability
doesn't ? Once again, this is a question, not a statement or recommendation.

Thanks

Larry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, March 26, 2002 9:26 AM
To: [EMAIL PROTECTED]
Subject: Bridging and HSRP [7:39525]


Greetings all,

I've a 6509 with 2 sups and MSFCs, running hsrp between both MSFCs. Routing
5 vlans, two of those 5 vlan are also bridging decnet.  When I've the
standby interface up, users can't get out, if I shutdown the standby
interface all is good.  According to Cisco I've to enable "standby use-bia"
feature to prevent this problem.

Have you guys seen this before, and what causes this problem?  Just looking
for some education and solutions.


Thanks..Nabil - Hope I made my problem clear!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39528&t=39525



RE: Line protocol goes up and down [7:39766]

2002-03-28 Thread Roberts, Larry

Can you do a debug serial interface and log debug 7 and copy those logs
back to us.

I suspect that the HDLC keepalives might be getting lost. 

Thanks

Larry 

-Original Message-
From: maamun Murangwa [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 11:05 AM
To: [EMAIL PROTECTED]
Subject: Line protocol goes up and down [7:39766]


Hi,

I'm having a problem with a serial interface line
protocol going up and down every few seconds. All I
can see is the carrier transitions increasing. This
is a fiber link, so I presume there shouldn't be a lot
of errors. I have changed the cable, still no luck.
Telco still says they have run loops and don't see any
thing wrong with the link. I have also changed encap
to PPP, still no luck.
Attached is the show interface output


Serial1/5 is up, line protocol is up
  Hardware is M8T-X.21
  Description: Bussiness Systems Ltd
  Internet address is 212.xx.xx.xx/30
  MTU 1500 bytes, BW 1024 Kbit, DLY 2 usec,
     reliability 172/255, txload 1/255, rxload 1/255
  Encapsulation HDLC, crc 16, loopback not set
  Keepalive set (10 sec)
  Last input 00:00:02, output 00:00:02, output hang never
  Last clearing of "show interface" counters 04:58:14
  Input queue: 0/75/0 (size/max/drops); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/8/256 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
     208 packets input, 4992 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     3946 input errors, 3059 CRC, 0 frame, 17 overrun, 0 ignored, 870 abort
     5703 packets output, 451522 bytes, 0 underruns
     0 output errors, 0 collisions, 707 interface resets
     0 output buffer failures, 0 output buffers swapped out
     707 carrier transitions  DCD=up  DSR=up  DTR=up  RTS=up  CTS=up

*Mar 28 03:25:33.997 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:28:24.013 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:28:44.025 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:29:34.029 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:29:54.029 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:31:24.037 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:31:26.029 gmt: %LINK-3-UPDOWN: Interface Serial1/5, changed state to up
*Mar 28 03:31:54.061 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:32:04.057 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:32:34.065 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:32:44.065 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:33:04.065 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:33:14.065 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:33:34.073 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to down
*Mar 28 03:34:34.081 gmt: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1/5, changed state to up
*Mar 28 03:34:36.073 gmt: %LINK-3-UPDOWN: Interface Serial1/5, changed state to up


Thanx in advance

Maamun





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39791&t=39766



RE: Unrelated question [7:39788]

2002-03-28 Thread Roberts, Larry

Bingo! I receive the list via e-mail and sometimes there are long delays
between the original e-mail and the responses.
Rather than wait for several hours to see if anyone answers, I send my
response and see how it jives with everyone else's.

Thanks

Larry 

-Original Message-
From: Chris Charlebois [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 6:22 PM
To: [EMAIL PROTECTED]
Subject: Unrelated question [7:39788]


OK, so at least 3/4 of the responses to this question say the exact same
thing.  Or at least hint at it. (It doesn't make sense to me to take the
time to answer someone's question and do it with 2 words.  "vlans" while
correct is not, by itself, an answer.)  My point is the redundancy.  Do
some people not read the umpteen responses before jumping out with their
own?  Or do some people access these via some other transport (i.e. e-mail)
and so don't see the responses?  Or do some people just like seeing their
names on a newsgroup?  It just doesn't make sense.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39868&t=39788



RE: Router question.. [7:39788]

2002-03-28 Thread Roberts, Larry

Several ways.

Sub-interfaces and inter-VLAN routing (802.1Q or ISL), or the less secure
but easier way of just using secondary IPs on the Ethernet interfaces.

Thanks

Larry 

-Original Message-
From: Ricky Chan [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, March 28, 2002 12:43 PM
To: [EMAIL PROTECTED]
Subject: Router question.. [7:39788]


Hi all,

My boss just came up and gave me a scenario question like this. He told me
that I owned a company which uses 3 different LANs, for example,
172.27.10.x, 172.27.11.x, 172.27.12.x. But I only have one Cisco 2600 series
router and a 2900 series switch. I can't use the serial ports from the router,
just the two Ethernet ports (by default). My question is, is it possible?
Please advise.

Thanks

Ricky




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39878&t=39788



RE: IOS Firewall Feature Set -Blocking Attacks [7:40141]

2002-04-02 Thread Roberts, Larry

Or as a simple solution, put a route for his IP address to Null0.
His return traffic will never make it. This will not stop a denial of
service, but it will stop any return traffic like port scans and such. This
machine will effectively disappear to him...

Thanks

Larry 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 02, 2002 2:19 AM
To: [EMAIL PROTECTED]
Subject: Re: IOS Firewall Feature Set -Blocking Attacks [7:40141]


Hi,

You can configure a simple inbound access-list at the outside interface
of your router to deny inbound connections from the specific host to the web
server.
Or the other way is to enable "ip audit" on the router and in the action
specify it as reset.

Kind Regards /Thangavel
--
CCIE (qual),CCS,CCDP,CCNP,MCSE

186K
Reading,Brkshire
Direct No   -0118 9064259
Mobile No  -07796292416
Post code: RG16LH
www.186k.co.uk

--
The greatest glory in living lies not in never falling,
 but in rising every time we fall ."
 -- Nelson Mandela




From: "Clayton Dukes" (sent by nobody@groupstudy.com)
Sent: 02/04/2002 06:44
To: [EMAIL PROTECTED]
Subject: IOS Firewall Feature Set -Blocking Attacks [7:40141]
Please respond to "Clayton Dukes"

Hi everyone,

I have a specific IP address that constantly tries to attack my webserver.
How can I block that IP address while allowing all others through?

My config uses NAT extendable to translate the outside Ip to port 80 on an
internal address. I want to allow the world to access that port EXCEPT for
ip z.z.z.z, Can someone recommend a good way?

TIA!



Clayton Dukes
Cisco Info Center SE
Micromuse, Inc.
CCNA, CCDA, CCDP, CCNP, NCC
(h) 904-292-1881
(c) 904-477-7825




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40200&t=40141



RE: 7206VXR IOS Rec [7:40188]

2002-04-02 Thread Roberts, Larry

I have a 7204VXR with both a PA-T3+ and what I believe is the PA-3-TA. We
run 12.1.1 and have had no issues in over a year.
Not exactly what you're looking for, but fairly close.

I have a 7206VXR with a PA-T3+ and PA-3-TA running 12.1.3a and it has had no
issues either, but the PA-T3+ has only been in for 3-4 months.
I suspect that any issues would have cropped up by now, but I wanted to at
least put the disclaimer.

For the record, each of them has one interface "Riding the Light" as well.


Thanks

Larry 

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 02, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: Re: 7206VXR IOS Rec [7:40188]


FWIW I have a couple customers running dual homed Internet connections with
7206VXRs, running 12.2.6 and so far so good.  They have PA-A3-T3 and PA-T3.

  Dave

Richard Tufaro wrote:
> 
> Anyone have a good recommendation for an IOS on a 7206VXR with a 
> PA2-T3+?
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

"Emotion should reflect reason not guide it"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40217&t=40188



RE: Cisco Works 2000 [7:40223]

2002-04-02 Thread Roberts, Larry

What version of CiscoWorks 2000 ( RME 3.3 ...)

I have CW2K under Windows 2K and have had no issues other than performance
ones. ( performance dropped in comparison to NT4 )

When you say it isn't working, can you be more specific ? Does IE bring up a
page not found? Does it bring up a login box ?


Thanks

Larry 

-Original Message-
From: Danny [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 02, 2002 2:26 PM
To: [EMAIL PROTECTED]
Subject: Cisco Works 2000 [7:40223]


Having issues running Cisco Works 2000 on an 2000 server.
It was installed but it seems that nothing is working--can't use any
functions.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40232&t=40223



RE: Cisco work2000 [7:40325]

2002-04-03 Thread Roberts, Larry

What version of CW2K is it? I would HIGHLY recommend NOT installing on a
PDC/BDC even if you find a way around it.
I find that I periodically need to reboot the server for different reasons,
which you don't want to do with a PDC/BDC.
Make sure that you're using the latest version of RME as well, as older
versions will not work on W2K. I know there is a product
matrix that tells what your minimum requirements are, but I could only find this
generic listing. It does explicitly say that you cannot
install on a PDC/BDC in this doc, though.

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/3steditn/inst_win/ntbegin.htm

Thanks

Larry 

-Original Message-
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, April 03, 2002 9:03 AM
To: [EMAIL PROTECTED]
Subject: Cisco work2000 [7:40325]


Hi all,

I have Cisco Works 2000. I tried to install it on a PDC with 2000 platform;
the program which is called CD-ONE refused to be installed, giving me a
message saying:

CD-ONE cannot complete the installation because of the following reasons:

-  This is not NT Workstation or NT Server
-  This is a PDC/BDC

I am really confused why it's giving me this message.
Help please.

Ismail Al-shelh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40349&t=40325



RE: Cisco Works and PIX's [7:40580]

2002-04-05 Thread Roberts, Larry

snmp-server host inside [ip of CiscoWorks]

And of course a valid snmp community




Thanks

Larry 

-Original Message-
From: Johnson, Richard (NY Int) [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 05, 2002 9:00 AM
To: [EMAIL PROTECTED]
Subject: Cisco Works and PIX's [7:40580]


Hi All, 

I am just setting up Cisco Works. It seems I can add all my switches
without a problem, but I can not add my PIX to the equipment. I am sure this can
be done... care to offer any advice? The error I get is "Could not connect
to host:" I do restrict telnet access to the PIX, but I did add the Cisco
Works server address to that list.


Thanks, 


Rich




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40590&t=40580



RE: Cisco VPN Client & PIX [7:40670]

2002-04-06 Thread Roberts, Larry

I have had this happen connecting to a concentrator.
My issue was due to a misbehaving DHCP client/server. When I would connect
to the concentrator, my Linksys FW would re-issue me a different IP address.
It would do this several times and then stop.
I know of several teammates that have the exact same home setup and they
have no problems, so go figure what is unique about mine.

If you're using DHCP, check to see if you're getting a new DHCP address. I would
also recommend using the VPN Client logging and turning the debug up to high
on all the settings. It will create a big file, but the end of it is where
your disconnect will be. That is how I found the DHCP issue.

Thanks

Larry 

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, April 06, 2002 1:20 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco VPN Client & PIX [7:40670]


I encountered the same thing with a customer recently.  I've got a case 
logged with TAC, but haven't yet received a decent answer.

I don't know if we're seeing the same thing or if you're seeing something 
different, but a couple of questions can quickly determine:
1) Is your client behind a firewall of any type, including personal desktop 
firewall software?
2) If your client is behind a firewall, are any other machines also behind 
the firewall?
3) Is the connection over the Internet?  If so, how does each side connect 
to the Internet?  Leased line, cable, DSL?

Thanks,
Craig

At 11:59 PM 4/5/2002 -0500, you wrote:
>I am using Cisco VPN Client to connect with my Office PIX 515 firewall
>over IPSEC 3DES encryption. My connection is dropping automatically. It
>is not because of idle time out or maximum time out. It happens
>randomly. If someone has any information on it.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40685&t=40670



RE: Re: Puzzles -> WAS RE: My interview story [7:40553]

2002-04-06 Thread Roberts, Larry

Might I ask how you're going to lock his box? The courier would steal it if
he gets his hands on it, the dang courier.

Thanks

Larry 

-Original Message-
From: John Neiberger [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, April 06, 2002 2:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Re: Puzzles -> WAS RE: My interview story [7:40553]


But the courier will steal anything that isn't locked up, 
including a key!  I believe the solution is as follows:

Your friend sends you his box, unlocked, by courier.  You place 
your key inside his box, lock it,  and send it back.  You then 
place the diamond into your box, lock it, and send it over.  He 
can unlock your box because he has your key.

John



 On Fri, 5 Apr 2002, Kent Yu ([EMAIL PROTECTED]) wrote:

> Daniel,
> 
> I think the first answer could be just lock the stone in the box, give the
> box and your key to the courier.
> 
> Kent
> 
> ""Daniel Cotts""  wrote in message 
> news:[EMAIL PROTECTED]...
> > I'll bite.
> > a) Boxes and diamond. Gordian Knot technique. Lock the diamond in your box
> > and send it to your friend. He breaks the lock or cuts open the box.
> > b) Poles and rope. The poles are touching.
> >
> > > -Original Message-
> > > From: Dusty Harper [mailto:[EMAIL PROTECTED]]
> > > Sent: Friday, April 05, 2002 4:55 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: My interview story [7:40553]
> >
> > > The goal is to determine how you think.  Most real world solutions to
> > > problems can be applied to technological hurdles, or problems.
> > >
> > > As an example:
> > >
> > > Prep:
> > > You have an empty box, a lock, a key for your lock, and a diamond.
> > > Your friend has an empty box, and a lock for his box.
> > >
> > > Goal:
> > > You want to get the diamond to your friend via courier. However
> > > the courier will steal anything that is not locked.  How do you do
> > > this?
> > >
> > >
> > > Another example:
> > >
> > > If you have 2 20' poles, a 32' rope strung between them, and the
> > > lowest point of the rope is 4' off of the ground, how far apart are
> > > the poles?
> > >
> > > It gauges how one thinks and handles situations.
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40702&t=40553



RE: OT Again: SNMP and TimeWarner Cable [7:41196]

2002-04-11 Thread Roberts, Larry

Any access-lists blocking SNMP except from certain locations? Or an access-list
blocking SNMP from entering the interface?
I assume you have verified connectivity from home to there. It *should* work,
as I was able at one time to do SNMP polling on Time Warner.

While off-topic, what do you think about TW going to a usage-based charge in
the fall? I called TW to complain and the cust-serv people didn't even
know about it, but it was all over nwfusion...



Thanks

Larry 

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, April 11, 2002 11:31 AM
To: [EMAIL PROTECTED]
Subject: OT Again: SNMP and TimeWarner Cable [7:41196]


Have any of you tried using SNMP to monitor routers / servers from inside 
the Time Warner Cable Network?  (Put aside the obvious security risks for 
the moment.)

I'm on the Time Warner Cable Network at home and I need to temporarily 
install What's Up Gold at home to monitor a 3640.  For some reason, I can't 
connect.  I thought that maybe it was a config issue on the router (I 
didn't set it up), so I tried connecting to another router where I know 
SNMP is configured properly and was still unable to connect.  I thought 
maybe it was a What'sUp Gold issue, so I tried the connection with 
Solarwinds and was still unable to connect.  Thinking it was a problem with 
my Windows ME desktop, I repeated the same steps with a Windows XP machine 
and still couldn't connect.
I then configured What'sUp on a 2000 machine in my NOC (a
completely separate ISP) to connect to the 3640 and had no problem
connecting. I contacted Time Warner Cable and they swear that they're not
blocking any ports at all and that 161 and 162 should get through. I contacted
the ISP that serves the 3640 (in case they were blocking the cable network for
some reason) and supposedly they're not blocking any ports either. Maybe I
haven't had enough sleep lately, but if TW is telling the truth,
I'm stumped.  Any ideas on this one?

Thanks,
Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41205&t=41196



Kinda OT:Refurb eq. question [7:41838]

2002-04-18 Thread Roberts, Larry

Ok,
Several phone calls and hours searching on Cisco's web site have not revealed
the answer, so I hope someone on this list can.
My company is about to purchase 2 6509's from a company that went out of
business. I have been instructed to place them under
a SMARTnet as they are going to be put into production.
My question is what do I need to do to get this equipment certified and covered?
Can I just buy the software license and the SMARTnet, or is there some
other process?
I know I can not be the only person who has done this, but every person at
Cisco that I talked to was less than helpful due to the fact that this cuts
into Cisco's profit.

Any help or links would be appreciated!

Thanks

Larry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=41838&t=41838



RE: frame-relay [7:42350]

2002-04-23 Thread Roberts, Larry

Once it goes down, does it stay down or does it bounce ? 

Thanks

Larry 

-Original Message-
From: Naafi Matovu [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 23, 2002 1:33 PM
To: [EMAIL PROTECTED]
Subject: frame-relay [7:42350]


Hi all 

I've been configuring a Cisco 2600 dual WIC with three subinterfaces on
serial 0/1. If I leave the keepalive at 10 sec, the line protocol on
serial 0/1 keeps coming up but going down after a couple of seconds. The
only way I can keep the line protocol up is (no keepalive) on serial 0/1. I am
not sure whether this is the best way of sorting out this problem. Here is
the current state of this serial port:


Serial0/1 is up, line protocol is up 
Hardware is PowerQUICC Serial 
MTU 1500 bytes, BW 1544 Kbit, DLY 2 usec, 
reliability 255/255, txload 1/255, rxload 1/255 
Encapsulation FRAME-RELAY IETF, loopback not set 
Keepalive not set 
Broadcast queue 0/64, broadcasts sent/dropped 96/227, interface broadcasts
96 Last input 00:00:17, output 00:00:12, output hang never 
Last clearing of "show interface" counters 01:26:53 
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 
Queueing strategy: weighted fair 
Output queue: 0/1000/64/0 (size/max total/threshold/drops) 
Conversations 0/2/256 (active/max active/max total) 
Reserved Conversations 0/0 (allocated/max allocated) 
5 minute input rate 0 bits/sec, 0 packets/sec 
5 minute output rate 0 bits/sec, 0 packets/sec 
11467 packets input, 876671 bytes, 0 no buffer 
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles 
33 input errors, 0 CRC, 33 frame, 0 overrun, 0 ignored, 0 abort 
11125 packets output, 799491 bytes, 0 underruns 
0 output errors, 0 collisions, 45 interface resets 
0 output buffer failures, 0 output buffers swapped out 
2 carrier transitions 
DCD=up DSR=up DTR=up RTS=up CTS=up




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42354&t=42350



RE: Security advice - opening ports other than 80 and [7:42333]

2002-04-23 Thread Roberts, Larry

Not to be picky, but AH doesn't support NAT/PAT so a FW can pass it, but it
doesn't do much good if NAT/PAT is taking place.


Thanks

Larry 

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 23, 2002 1:57 PM
To: [EMAIL PROTECTED]
Subject: Re: Security advice - opening ports other than 80 and [7:42333]


""Don Nguyen""  wrote in message
news:[EMAIL PROTECTED]...
> It's generally a good idea only to open ports that are necessary (e.g. 80
> for http, 21 for ftp, etc.).  Opening up unnecessary ports and/or
> running unnecessary services just opens your server up to security
> vulnerabilities.
> In your case I don't really understand what you're trying to do.  For a
> web server using SSL you only have to allow inbound traffic to port 443;
> you don't need port 80 open unless it also serves up unencrypted
> pages.  If you want/need to use IPSEC you will need to allow inbound
> traffic on UDP port 500 and allow IP protocols 50 and 51 (not ports 50 and 51).

Or generally just protocol 50.  Because after all, how many people really
use AH?  Even the standards bodies are thinking of dropping AH because it
really doesn't do very much - ESP can also do authentication, and while AH
also does authentication of parts of the packet header, is that really
worth the overhead of creating another 2 SAs?

>
> HTH,
>
> Don Nguyen




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42375&t=42333
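Larry's point above, that AH does not survive NAT/PAT while ESP can, comes down to what each protocol's integrity check covers. AH's ICV is computed over the IP header (with only the mutable fields zeroed; source and destination addresses are included), so any address rewrite invalidates it. ESP's ICV starts at the ESP header, so a 1:1 address rewrite leaves it intact. The model below is an added example written for this page, not code from the thread or from any Cisco product. It builds a minimal IPv4 header, applies transport-mode AH (RFC 4302) and ESP with NULL encryption (RFC 2410), both with HMAC-SHA-256-128 (RFC 4868), and then passes the packets through a plain router hop and through a NAT rewrite. The key, SPI, addresses and payload are constructed for the demo and stand for nothing real.

```python
"""AH vs ESP behind NAT: a minimal model (added example, not from the thread)."""
import hashlib
import hmac
import ipaddress
import struct

# Constructed values for the demo; a real SA gets these from IKE.
KEY = b"constructed-demo-key-not-from-any-real-sa"
SPI, SEQ = 0x1000, 1
ICV_LEN = 16                       # SHA-256 HMAC truncated to 128 bits (RFC 4868)
PROTO_TCP, PROTO_ESP, PROTO_AH = 6, 50, 51
IP_HDR_LEN, AH_FIXED_LEN = 20, 12  # no IP options; AH fixed part before the ICV


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header. Checksum left 0: it is mutable and excluded anyway."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, 0x1234, 0,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def _ah_authenticated_view(packet: bytes) -> bytes:
    """Bytes AH's ICV covers (RFC 4302 3.3.3.1): IP header with mutable fields zeroed,
    AH header with a zeroed ICV, then the payload. Addresses stay in."""
    b = bytearray(packet)
    b[1] = 0                                  # DSCP/ECN
    b[6:8] = b"\x00\x00"                      # flags + fragment offset
    b[8] = 0                                  # TTL
    b[10:12] = b"\x00\x00"                    # header checksum
    icv_start = IP_HDR_LEN + AH_FIXED_LEN
    b[icv_start:icv_start + ICV_LEN] = bytes(ICV_LEN)
    return bytes(b)


def ah_protect(src: str, dst: str, payload: bytes) -> bytes:
    """Transport-mode AH: IP | AH(next, len, rsvd, SPI, seq, ICV) | payload."""
    ah_len = AH_FIXED_LEN + ICV_LEN
    ip = ipv4_header(src, dst, PROTO_AH, ah_len + len(payload))
    # "Payload Len" is the AH length in 32-bit words minus 2.
    ah = struct.pack("!BBHII", PROTO_TCP, ah_len // 4 - 2, 0, SPI, SEQ) + bytes(ICV_LEN)
    packet = ip + ah + payload
    icv = _icv(_ah_authenticated_view(packet))
    icv_start = IP_HDR_LEN + AH_FIXED_LEN
    return packet[:icv_start] + icv + packet[icv_start + ICV_LEN:]


def ah_verify(packet: bytes) -> bool:
    icv_start = IP_HDR_LEN + AH_FIXED_LEN
    received = packet[icv_start:icv_start + ICV_LEN]
    return hmac.compare_digest(received, _icv(_ah_authenticated_view(packet)))


def esp_protect(src: str, dst: str, payload: bytes) -> bytes:
    """Transport-mode ESP, NULL encryption: IP | SPI, seq | payload | pad, padlen, next | ICV.
    The ICV covers everything after the IP header; the IP header itself is not covered."""
    pad_len = (-(len(payload) + 2)) % 4       # align pad_len/next_header to 32 bits
    body = (struct.pack("!II", SPI, SEQ) + payload
            + bytes(range(1, pad_len + 1)) + struct.pack("!BB", pad_len, PROTO_TCP))
    ip = ipv4_header(src, dst, PROTO_ESP, len(body) + ICV_LEN)
    return ip + body + _icv(body)


def esp_verify(packet: bytes) -> bool:
    body, received = packet[IP_HDR_LEN:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(received, _icv(body))


def router_hop(packet: bytes) -> bytes:
    """An ordinary router: decrements TTL (and would recompute the checksum)."""
    b = bytearray(packet)
    b[8] -= 1
    return bytes(b)


def nat_rewrite(packet: bytes, new_src: str) -> bytes:
    """A NAT device: decrements TTL and replaces the source address."""
    b = bytearray(router_hop(packet))
    b[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(b)


def demo() -> dict:
    payload = b"GET / HTTP/1.0\r\n\r\n"       # constructed stand-in for a TCP segment
    inside, nat_outside, peer = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    ah, esp = ah_protect(inside, peer, payload), esp_protect(inside, peer, payload)
    return {
        "ah_direct": ah_verify(ah),
        "ah_after_router": ah_verify(router_hop(ah)),             # TTL is mutable: still valid
        "ah_after_nat": ah_verify(nat_rewrite(ah, nat_outside)),   # address is covered: fails
        "esp_after_nat": esp_verify(nat_rewrite(esp, nat_outside)),  # IP header not covered: valid
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'verifies' if ok else 'FAILS'}")
```

The router hop keeps AH valid because TTL is one of the fields AH zeroes before hashing; the NAT hop breaks it because the source address is not. ESP survives the 1:1 rewrite, but note the PAT half of Larry's remark: ESP carries no port numbers for a PAT device to rewrite, which is why PAT traversal needs the UDP encapsulation of NAT-T (UDP 4500) rather than raw protocol 50. AH fails under plain NAT and PAT alike.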



RE: Out of the Office [7:42887]

2002-04-30 Thread Roberts, Larry

2 MONTHS OUT OF THE OFFICE??

I'm talking to my boss about upgrading my vacation plan... :)

Thanks

Larry 

-Original Message-
From: Robert M Gulledge [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, April 30, 2002 8:49 AM
To: [EMAIL PROTECTED]
Subject: Out of the Office [7:42887]


I will be out of the office starting  04/29/2002 and will not return until
06/30/2002.

Please forward any Notes messages to [EMAIL PROTECTED] until
further notice. Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42896&t=42887



RE: To The Experts and Gurus [7:42996]

2002-05-01 Thread Roberts, Larry

I believe the original e-mail was sarcastic. I don't believe anyone could
truly be that closed minded.
I suspect that it was a knock at those who think that someone can only
know what they are talking about if they have
the 4 letters and 4 numbers after their name.

Thanks

Larry 

-Original Message-
From: Paul Jin [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 01, 2002 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: To The Experts and Gurus [7:42996]


Hi John,

I see your concern, but would have to disagree to a certain degree.

Certification is very important, and vast discussion here in groupstudy is
dedicated to Cisco cert, but not everything is a cisco world.  I am not
saying we should start discussing, the difference between VB and C++ here
but I still welcome networking discussion in general that is related to
being a network engineer.

In agreeing with you, I would like to somehow limit posting that is totally
irrelevant so we can have some focus but I don't think talking only about
Cisco equipment and only by CCIE is an answer.

My goal is to be a professional network engineer, and Cisco is my main
product, but I don't want to limit my knowledge to just that or listen to
CCIEs only.

Many Corporate executive jobs require bachelors and masters degrees, but
there are presidents and CEOs that never went or finished college, so should
we exclude listening to them about running a business?

Certs are important, but I don't think we should limit people because they
do not have a certain cert.

- Paul




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43022&t=42996



RE: Pix questions [7:43241]

2002-05-03 Thread Roberts, Larry

Both PIXs should be identical hardware and software wise.

Depending upon which code version you are using, the configuration is
slightly different. On the primary you will assign an interface IP address
as well as a failover IP address. The secondary (failover) PIX will pull its
IPs from the primary config. On older versions of code (5.x, 4.x) you will
need to connect every interface regardless of whether it is enabled or
shutdown.

This is not a simple thing to understand so I don't want to just post the
appropriate commands. If done incorrectly, nothing works. I will however
provide some good links!

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/index.htm
http://www.cisco.com/warp/public/110/top_issues/pix/pix_index.shtml

In the case of a failover, the secondary PIX will assume the IP address
assigned to the primary. If configured properly with stateful failover, you
will maintain all your sessions through the FW.

Private Internetwork eXchange. 


Thanks

Larry 

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 03, 2002 12:59 PM
To: [EMAIL PROTECTED]
Subject: Pix questions [7:43241]


I am setting up a PIX 515 Unlimited and I got the failover unit. If I want to
use the 4-port DMZ card, do I need one for each chassis? What about a 1
port? If I do need one on each, how would you configure a web server to be
redundant as well? I know you can't use the same IP on both cards. Is there
some special software that you need to use to load balance between the DMZ
interfaces? Maybe like a virtual IP?



Also, what does Pix stand for, is it an Acronym for something? Or just the
name of the proprietary embedded OS?



Thanks for your help everyone.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=43250&t=43241



RE: CCIE communication and services [7:43714]

2002-05-10 Thread Roberts, Larry

Only one small flaw in logic.

The labs are NOT the same. The security lab only has IP routing, but it
also includes a PIX firewall as well as IDS and IOS FW problems.
Those are not present in the R&S lab (or at least this is what I'm told, I
haven't actually been to the lab. 45 days and counting).


Thanks

Larry 

-Original Message-
From: Jason Owens [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 10, 2002 7:07 AM
To: [EMAIL PROTECTED]
Subject: Re: CCIE communication and services [7:43714]


Sorry, I guess that wasn't very clear. Suppose you attain an R/S CCIE and
now wish to go for security or C/S. As the lab is the same for all three, is
it necessary to keep retaking the lab or will the written be enough? I
assume you probably do have to take the lab again, however since it is the
same test you have already passed, it just seems redundant.

nrf wrote:
> 
> Uh, what?  I don't understand your question.  If you're saying that
> you're thinking that you can just keep getting more than one C/S CCIE
> by taking that lab over and over again (but by passing different C/S
> writtens), then the answer is absolutely not.  Contrary to what many
> people believe, there are no different 'flavors' of the C/S.  There is
> only 1 C/S CCIE, and you're either a C/S CCIE or you're not.  And
> really, this makes perfect sense, since there is only one unified C/S
> lab which every C/S candidate takes, no matter which written he/she
> passed.
> 
> 
> "Jason Owens" wrote in message news:[EMAIL PROTECTED]...
> > Based on your post above, as the lab is the same general knowledge,
> > would you need to keep taking it, providing you have passed it once,
> > to get more than one CCIE? Or would the various written exams
> > suffice? Just curious.







RE: PIX 501 Ver 6.1 [7:43896]

2002-05-10 Thread Roberts, Larry

On the 501 it only has 2 interfaces. The inside and the outside. The other 4
ports are switch ports and they are not configurable.


Thanks

Larry 

-Original Message-
From: Jablonski, Michael [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 10, 2002 4:44 PM
To: [EMAIL PROTECTED]
Subject: PIX 501 Ver 6.1 [7:43896]


I'm trying to configure ethernet 2-4 on a PIX 501 (3DES), but it comes back
saying only 2 interfaces are active.  When I do a show version it says
"maximum interfaces: 2".  Am I missing something or what?  Please lemme
know!!! 

Thanx,
mkj

~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St.
9th Flr
Chicago, IL  60601-2468
PH: 312.884.2996 
FAX: 312.278.5550
~~~










RE: Configuring router as TFTP server [7:43951]

2002-05-11 Thread Roberts, Larry

If I had to guess, it's because the file doesn't already exist. I know that
with the CiscoWorks TFTP and also the stand alone TFTP server, the file must
already exist, i.e. the TFTP server cannot create a file, but it can overwrite it.
This is done to keep someone from just starting a tftp download to a server
and crashing it by filling up the HD (or FLASH).


Thanks

Larry 

-Original Message-
From: Arjun Das [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 11, 2002 2:10 PM
To: [EMAIL PROTECTED]
Subject: Configuring router as TFTP server [7:43951]


Dear Group Members,

I am trying to configure a router as a TFTP server; router R_0 will be
the server.  Router R_1 will copy its running config on to R_0.  R_0 and R_1
are connected over a x-over Cat V cable, and I have tested the connectivity
using ping - it is OK!

R_0 is configured as TFTP server, by issuing the following command:

   tftp-server flash:r0.config

When I issue the above command I receive a warning, here it is:
  Warning: flash:r0.config does not exist.  Command retained.

Next, from R_1 I issue the following commands:
R_1# copy star tftp
Remote host[]? 172.154.2.2
Name of configuration file to write [r_0-config]? r0.config Write file
r0.config on host 172.154.2.2? [confirm] Writing r0.config
TFTP: error code 2 received - Access denied
[Failed]

Well there is no ACL on any of the routers. I have looked+searched on Cisco
website, nothing so far

Group please help me. 

Regards

Arjun







RE: Wireless LAN for Home [7:44234]

2002-05-14 Thread Roberts, Larry

I use the BEFW11S4 and the Orinoco silver/gold cards. I have a couple of the
Aironet cards on order for testing, but I can say that the WPC11 (Linksys)
card is something that you DON'T want. My range was doubled just by changing
cards. 

You will want to go with firmware 1.39.2 if you're using a version 1 Linksys. 

I have had the 11S4 for over a year now without a problem, so it's pretty
stable. If you need more range consider a Linksys WAP11. You can hack the
WAP to change its output power to 100mW, with only limited distortion. This
gives you a Cisco like AP (range wise) for a considerably less amount of
$$.
Needless to say, USE WEP. Before people complain that it is not secure, it
is from the casual hacker/war driver. If someone is going to break your WEP
key, then you have other issues as to why someone is so interested in your
network, IMHO.


Thanks

Larry 

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 14, 2002 11:52 AM
To: [EMAIL PROTECTED]
Subject: Re: Wireless LAN for Home [7:44234]


That's OK.   I bought an HP wireless AP/router/FW and that was OK as well.
I have heard the linksys card is pretty weak, and if you can get a Cisco
aironet card, even better.


"Bolton, Travis D" wrote in message news:[EMAIL PROTECTED]...
> Guys,
>
> Any suggestions/experiences on what to buy for a wireless network
> device for my home?  I'm thinking about the Linksys with the 4 port
> ethernet model. Thanks for the ideas...
>
> Travis Bolton
> Network Engineer II
> CCNP,CCDA
>
> "Try not to become a man of success, but rather try to become a man of
> value."
> - Albert Einstein







RE: How to get internal dns w/MS vpn clients and 3005? [7:44406]

2002-05-17 Thread Roberts, Larry

Yep. We had this issue with using PPTP as the VPN supplied DNS/WINS are
appended to the end of the list. You can block DNS queries outbound from
the concentrator through your FW (which is a good idea anyways); that way
the first 2 queries time out, and it is forced to use yours internally.
Be careful of users that have a 3COM DSL/Cable FW. I have run into issues
where it acts as a proxy, so the clients will still be able to reach them, and
they will relay the requests. Unfortunately, only remote traffic is sent
over the VPN link. Local traffic is still sent out the Ethernet if it is
present.

You can also switch to the Cisco Secure VPN Client 3.5x which will in fact
"rip out" the old DNS/WINS entry and replace them with the concentrator
supplied ones. I would recommend this approach as the performance gains are
tremendous!

Thanks

Larry 

-Original Message-
From: BH [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 17, 2002 2:54 PM
To: [EMAIL PROTECTED]
Subject: How to get internal dns w/MS vpn clients and 3005? [7:44401]


Hi,
 I am using a Cisco VPN3005 appliance for secured access with MS-Windows
clients and cannot get DHCP supplied DNS to override any pre-existing DNS
server entries (for instance, DNS servers dynamically provided by a DSL
provider). DHCP servers for base group client connections are set,
tunnel-type is remote access and internal DNS servers are configured to be
used by all VPN clients. Anyone seen this before? Thanks!







RE: OSPF inter-area summarization [7:44465]

2002-05-19 Thread Roberts, Larry

When specifying the summary address, you need to use the network address of
the summarization.

The address you specified is within the summary, it's just not the network
address.

Applying the mask against your address:

00100000=32
11000000=192
--------
00xxxxxx=0

Remember 1's we care about, 0's we don't. 
Now for the network, we set the don't care about bits to 0 (and for the
broadcast they are all 1's).

This leads to:

00xxxxxx -> 00000000 = 0

Your summary is 137.20.1.0 255.255.255.192 

This gives a range of addresses from 137.20.1.0-137.20.1.63
(network-broadcast)

Soo.

Area 11 range 137.20.1.0 255.255.255.192 would be the most exact match that
you could advertise

Thanks

Larry 

-Original Message-
From: Michael Witte [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 18, 2002 7:27 PM
To: [EMAIL PROTECTED]
Subject: OSPF inter-area summarization [7:44465]


I am trying to do a lab that needs an inter-area OSPF summary address
configured. I have two loopbacks 137.20.1.17/28 and 137.20.1.33/28. These are
then of course on networks 137.20.1.16 and 137.20.1.32. Taking the last
octet of the subnets into binary we have:

16= 00010000
32= 00100000

According to Doyle and everything else I have read I should be able to
summarize by masking the first two bits. I should be able to use: area 11
range 137.20.1.32 255.255.255.192. I am not able to and the router says I
have an invalid address/mask. Furthermore the solution to the lab uses "area
11 range 137.20.1.0 255.255.255.0" which creates a summary address to all
addresses of 137.20.1.X. What am I missing? This does work and I am able to
ping the loopbacks but the math doesn't work for me. I should be able to
summarize the 16 and 32 subnets.







RE: OSPF inter-area summarization [7:44465]

2002-05-19 Thread Roberts, Larry

If I follow what you are saying, then yes, whatever the AND'ing process of
the subnet mask and the address space gives you is what your summarization is.

Just AND your subnet mask and network statement together. That will give you
your summarization range.

Case in point, 

137.20.1.32
255.255.255.192

Using the last octet:

00100000 = 32
11000000 = 192
--------
00000000 = 0 which is your summarization.

Now let's get tricky and summarize 137 and 158 for the 4th octet

10001001 = 137
10011110 = 158
11100000 = 1 equals common bits, 0's unique.. = 224

Soo

10001001 = 137
11100000 = 224
100xxxxx = 128

So to summarize these 2 addresses as close as possible you would use

137.20.1.128 255.255.255.224 (/27)

Notice that I didn't use 137.20.1.137/27 or 137.20.1.158/27 as if you tried
you would get the error you previously mentioned.

You would need to use:

Area ?? Range 137.20.1.128 255.255.255.224

I hope this makes sense. I'm horrible at explaining things.  You should
learn sub/super-netting backwards and forwards. Not just for the test, but
for real live work experience. 

On a side note, if you are in the habit of using a subnet calc, I would get
out of that habit. I think that they are one of the worst things ever
invented. It doesn't aid in the understanding of how IP addressing works,
and in fact I think that it allows people to get by without the detailed
knowledge they need. JMHO though :)

Thanks

Larry 

-Original Message-
From: Michael Witte [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, May 19, 2002 3:08 PM
To: [EMAIL PROTECTED]
Subject: Re: OSPF inter-area summarization [7:44465]


Larry,
I had the idea right to use the 255.255.255.192 mask because that is where the
bit boundary is. My question is why can't you use 137.20.1.32/26 to
summarize from 32-95. What if you had a subnet zero and didn't want that
summarized. Why do I have to use the 137.20.1.0 network for summarization?
If we use this example:

172.20.8.0/22  00001000 >8
172.20.12.0/22 00001100 >12
                    ^Bit boundary=248
               11111000 >248

               00001000 >8 subnet
               11111000 >248 mask
               00001000 >8 subnet
I think I see now. If you binary AND the subnet and mask and get the subnet
you can use that subnet in your summarization. If the binary AND becomes
zero, then you must use zero as your network in the summary command. Is this
correct? I spent too much time on this and need things like this put to bed
for the Lab in November. Thanks.

area 11 range 172.20.8.0 255.255.248.0







RE: I got it now! [7:44507]

2002-05-19 Thread Roberts, Larry

You can actually extend the summary to a .240 since those are all the same.
The summary-address stays the same, just the mask changes in this situation.


Thanks

Larry 

-Original Message-
From: Michael Witte [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, May 19, 2002 7:37 PM
To: [EMAIL PROTECTED]
Subject: I got it now! [7:44507]


Ok new summary this time with eigrp.
Summarize 170.10.10.1/24,161.10.10.1/24,160.10.10.1/24

 170=10101010
 161=10100001
 160=10100000
        ^Bit Boundary
Mask=11100000 (224)

160=10100000
224=11100000
AND=10100000(160) We can use 160 for Network #

Int E0
 ip summary-address eigrp 1 160.0.0.0 224.0.0.0

sh ip route 
O E1 160.0.0.0/3 [110/212] via 137.20.103.1

Weird huh? Pings are successful so I have this down!
Thanks Guys!
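The AND-and-compare procedure Larry and Michael work through in this thread, as an added Python example that is not part of the thread: it derives the network address for a mask, reproduces the invalid address/mask check the router applies, computes the tightest single summary for any list of prefixes (the general case of the three worked examples above), and reports how much address space a summary advertises beyond the networks it is meant to cover. Function names are my own; the sample prefixes are the ones from the thread.

```python
import ipaddress


def network_of(address: str, mask: str) -> ipaddress.IPv4Address:
    """AND the address with the mask, the step Larry walks through bit by bit:
    137.20.1.32 & 255.255.255.192 -> 137.20.1.0."""
    return ipaddress.ip_network(f"{address}/{mask}", strict=False).network_address


def is_valid_range(address: str, mask: str) -> bool:
    """True when address is the network address for mask, i.e. when
    'area X range <address> <mask>' is accepted instead of being rejected
    with the invalid address/mask error Michael hit."""
    try:
        ipaddress.ip_network(f"{address}/{mask}", strict=True)
        return True
    except ValueError:
        return False


def summarize(networks) -> ipaddress.IPv4Network:
    """Smallest single prefix covering every network in the list: keep only the
    leading bits on which all network addresses agree, then zero the rest."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    first = int(nets[0].network_address)
    prefix = min(n.prefixlen for n in nets)
    for n in nets:
        other = int(n.network_address)
        # shorten the prefix until first and other agree on every kept bit
        while prefix > 0 and (first >> (32 - prefix)) != (other >> (32 - prefix)):
            prefix -= 1
    base = ipaddress.ip_address(first)
    return ipaddress.ip_network(f"{base}/{prefix}", strict=False)


def coverage_gap(networks) -> int:
    """Addresses the summary advertises that belong to none of the component
    networks (assumes the components do not overlap). A large gap means the
    summary claims address space the area does not actually hold."""
    summary = summarize(networks)
    covered = sum(ipaddress.ip_network(n, strict=False).num_addresses for n in networks)
    return summary.num_addresses - covered


if __name__ == "__main__":
    # The three cases from the thread: two /28s, two hosts, three /24s.
    for group in (["137.20.1.16/28", "137.20.1.32/28"],
                  ["137.20.1.137/32", "137.20.1.158/32"],
                  ["170.10.10.1/24", "161.10.10.1/24", "160.10.10.1/24"]):
        s = summarize(group)
        print(f"{group} -> {s} ({s.netmask}), {coverage_gap(group)} extra addresses")
    print(network_of("137.20.1.32", "255.255.255.192"))      # 137.20.1.0
    print(is_valid_range("137.20.1.32", "255.255.255.192"))  # False
```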







RE: debug ppp authentication [7:44575]

2002-05-20 Thread Roberts, Larry

I can confirm it exists. If I remembered what Serial links were connected to
what in the lab, I would do your experiment as well.
Anyone want to drive to my office and look at the rack for me ? :)

ROUTER_A#debug ppp ?
  authentication  CHAP and PAP authentication
  bap             BAP protocol transactions
  cbcp            Callback Control Protocol negotiation
  compression     PPP compression
  error           Protocol errors and error statistics
  multilink       Multilink activity
  negotiation     Protocol parameter negotiation
  packet          Low-level PPP packet dump
  tasks           PPP background tasks


Thanks

Larry 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 6:15 PM
To: [EMAIL PROTECTED]
Subject: debug ppp authentication [7:44575]


Cisco documentation claims that there is a "debug ppp authentication" 
command. Such a command does not exist on my routers (which are running 
11.0). Would anyone be willing to see if it exists on newer routers?

Set up two routers connected via a serial link to use PPP encapsulation. Use
PAP authentication. Shut down one of the interfaces, enable the debug
command, no shut the interface and see what happens!

I say to use PAP because I know that the "debug ppp chap" command works. 
I'm more interested in seeing if you can debug PAP.

Thanks!

Priscilla




Priscilla Oppenheimer
http://www.priscilla.com







RE: debug ppp authentication [7:44575]

2002-05-20 Thread Roberts, Larry

Almost forgot:

3600 Software (C3640-JO3S56I-M), Version 12.1(3a)T1,  RELEASE SOFTWARE

Thanks

Larry 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 6:15 PM
To: [EMAIL PROTECTED]
Subject: debug ppp authentication [7:44575]


Cisco documentation claims that there is a "debug ppp authentication" 
command. Such a command does not exist on my routers (which are running 
11.0). Would anyone be willing to see if it exists on newer routers?

Set up two routers connected via a serial link to use PPP encapsulation. Use
PAP authentication. Shut down one of the interfaces, enable the debug
command, no shut the interface and see what happens!

I say to use PAP because I know that the "debug ppp chap" command works. 
I'm more interested in seeing if you can debug PAP.

Thanks!

Priscilla




Priscilla Oppenheimer
http://www.priscilla.com







RE: debug ppp authentication [7:44575]

2002-05-20 Thread Roberts, Larry

Ok, after a little guess work, I have it!

Routers are RouterB and RouterE
Serial 0/1 on both are connected via a T-1 crossover
Chap authentication callin on routerB
Chap authentication optional on routerE
Username is ROUTERB and ROUTERE respectively.

And from router B we have:
2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
2w4d: Se0/1 CHAP: Using alternate hostname ROUTERB
2w4d: Se0/1 CHAP: O CHALLENGE id 189 len 28 from "ROUTERB"
2w4d: Se0/1 CHAP: I CHALLENGE id 176 len 28 from "ROUTERE"
2w4d: Se0/1 CHAP: Using alternate hostname ROUTERB
2w4d: Se0/1 CHAP: O RESPONSE id 176 len 28 from "ROUTERB"
2w4d: Se0/1 CHAP: I RESPONSE id 189 len 28 from "ROUTERE"
2w4d: Se0/1 CHAP: O SUCCESS id 189 len 4
2w4d: Se0/1 CHAP: I SUCCESS id 176 len 4
ROUTER_B#

Now for Router E we have:

2w4d: Se0/1 CHAP: Using alternate hostname ROUTERE
2w4d: Se0/1 CHAP: O CHALLENGE id 177 len 28 from "ROUTERE"
2w4d: Se0/1 CHAP: I CHALLENGE id 190 len 28 from "ROUTERB"
2w4d: Se0/1 CHAP: Using alternate hostname ROUTERE
2w4d: Se0/1 CHAP: O RESPONSE id 190 len 28 from "ROUTERE"
2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
2w4d: Se0/1 CHAP: I RESPONSE id 177 len 28 from "ROUTERB"
2w4d: Se0/1 CHAP: O SUCCESS id 177 len 4
2w4d: Se0/1 CHAP: I SUCCESS id 190 len 4
ROUTER_E#


Next up PPP Pap
Router B: ( ppp authen pap optional )
2w4d: %SYS-5-CONFIG_I: Configured from console by console
2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to down
2w4d: Se0/1 PPP: Treating connection as a dedicated line
2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
2w4d: Se0/1 PAP: O AUTH-REQ id 2 len 18 from "ROUTERB"
2w4d: Se0/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTERE"
2w4d: Se0/1 PAP: Authenticating peer ROUTERE
2w4d: Se0/1 PAP: O AUTH-ACK id 2 len 5
2w4d: Se0/1 PAP: I AUTH-ACK id 2 len 5
2w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
ROUTER_B#


Router E: ( ppp authen pap callin )
2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
2w4d: Se0/1 PPP: Treating connection as a dedicated line
2w4d: Se0/1 PAP: O AUTH-REQ id 2 len 18 from "ROUTERE"
2w4d: Se0/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTERB"
2w4d: Se0/1 PAP: Authenticating peer ROUTERB
2w4d: Se0/1 PAP: O AUTH-ACK id 2 len 5
2w4d: Se0/1 PAP: I AUTH-ACK id 2 len 5
2w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
ROUTER_E#


Thanks

Larry 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 6:15 PM
To: [EMAIL PROTECTED]
Subject: debug ppp authentication [7:44575]


Cisco documentation claims that there is a "debug ppp authentication" 
command. Such a command does not exist on my routers (which are running 
11.0). Would anyone be willing to see if it exists on newer routers?

Set up two routers connected via a serial link to use PPP encapsulation. Use
PAP authentication. Shut down one of the interfaces, enable the debug
command, no shut the interface and see what happens!

I say to use PAP because I know that the "debug ppp chap" command works. 
I'm more interested in seeing if you can debug PAP.

Thanks!

Priscilla




Priscilla Oppenheimer
http://www.priscilla.com







RE: debug ppp authentication [7:44575]

2002-05-20 Thread Roberts, Larry

No problem. Turns out it's a useful command too. I was able to see in the log
that I had typo'd the sent hostname.
I was sure I had the right config, but it wouldn't come up. I looked in the
log and kept seeing a challenge from "ROUTEBR".
Huh, useful debug, what will they think of next :)

Thanks

Larry 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Monday, May 20, 2002 8:40 PM
To: [EMAIL PROTECTED]
Subject: RE: debug ppp authentication [7:44575]


Thanks! My routers only have debug ppp chap, as I mentioned. I've never 
seen PAP in action! Very exciting. ;-) Thanks to everyone who replied.

Sometimes the debug reference manual claims that commands exist when they 
really don't. I don't always trust it without trying, but my hubby won't 
let me buy new routers. Sigh.

Priscilla

At 08:34 PM 5/20/02, Roberts, Larry wrote:
>Ok, after a little guess work, I have it!
>
>Routers are RouterB and RouterE
>Serial 0/1 on both are connected via a T-1 crossover
>Chap authentication callin on routerB
>Chap authentication optional on routerE
>Username is ROUTERB and ROUTERE respectively.
>
>And from router B we have:
>2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
>2w4d: Se0/1 CHAP: Using alternate hostname ROUTERB
>2w4d: Se0/1 CHAP: O CHALLENGE id 189 len 28 from "ROUTERB"
>2w4d: Se0/1 CHAP: I CHALLENGE id 176 len 28 from "ROUTERE"
>2w4d: Se0/1 CHAP: Using alternate hostname ROUTERB
>2w4d: Se0/1 CHAP: O RESPONSE id 176 len 28 from "ROUTERB"
>2w4d: Se0/1 CHAP: I RESPONSE id 189 len 28 from "ROUTERE"
>2w4d: Se0/1 CHAP: O SUCCESS id 189 len 4
>2w4d: Se0/1 CHAP: I SUCCESS id 176 len 4
>ROUTER_B#
>
>Now for Router E we have:
>
>2w4d: Se0/1 CHAP: Using alternate hostname ROUTERE
>2w4d: Se0/1 CHAP: O CHALLENGE id 177 len 28 from "ROUTERE"
>2w4d: Se0/1 CHAP: I CHALLENGE id 190 len 28 from "ROUTERB"
>2w4d: Se0/1 CHAP: Using alternate hostname ROUTERE
>2w4d: Se0/1 CHAP: O RESPONSE id 190 len 28 from "ROUTERE"
>2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
>2w4d: Se0/1 CHAP: I RESPONSE id 177 len 28 from "ROUTERB"
>2w4d: Se0/1 CHAP: O SUCCESS id 177 len 4
>2w4d: Se0/1 CHAP: I SUCCESS id 190 len 4
>ROUTER_E#
>
>
>Next up PPP Pap
>Router B: ( ppp authen pap optional )
>2w4d: %SYS-5-CONFIG_I: Configured from console by console
>2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to down
>2w4d: Se0/1 PPP: Treating connection as a dedicated line
>2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
>2w4d: Se0/1 PAP: O AUTH-REQ id 2 len 18 from "ROUTERB"
>2w4d: Se0/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTERE"
>2w4d: Se0/1 PAP: Authenticating peer ROUTERE
>2w4d: Se0/1 PAP: O AUTH-ACK id 2 len 5
>2w4d: Se0/1 PAP: I AUTH-ACK id 2 len 5
>2w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
>ROUTER_B#
>
>
>Router E: ( ppp authen pap callin )
>2w4d: %LINK-3-UPDOWN: Interface Serial0/1, changed state to up
>2w4d: Se0/1 PPP: Treating connection as a dedicated line
>2w4d: Se0/1 PAP: O AUTH-REQ id 2 len 18 from "ROUTERE"
>2w4d: Se0/1 PAP: I AUTH-REQ id 2 len 18 from "ROUTERB"
>2w4d: Se0/1 PAP: Authenticating peer ROUTERB
>2w4d: Se0/1 PAP: O AUTH-ACK id 2 len 5
>2w4d: Se0/1 PAP: I AUTH-ACK id 2 len 5
>2w4d: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/1, changed state to up
>ROUTER_E#
>
>
>Thanks
>
>Larry
>
>-Original Message-
>From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
>Sent: Monday, May 20, 2002 6:15 PM
>To: [EMAIL PROTECTED]
>Subject: debug ppp authentication [7:44575]
>
>
>Cisco documentation claims that there is a "debug ppp authentication" 
>command. Such a command does not exist on my routers (which are running 
>11.0). Would anyone be willing to see if it exists on newer routers?
>
>Set up two routers connected via a serial link to use PPP 
>encapsulation. Use PAP authentication. Shut down one of the interfaces, 
>enable the debug command, no shut the interface and see what happens!
>
>I say to use PAP because I know that the "debug ppp chap" command 
>works. I'm more interested in seeing if you can debug PAP.
>
>Thanks!
>
>Priscilla
>
>
>
>
>Priscilla Oppenheimer
>http://www.priscilla.com


Priscilla Oppenheimer
http://www.priscilla.com
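The two-way CHAP exchange in Larry's trace above, and the mistyped sent hostname he describes, as an added Python simulation that is not from the thread or from Cisco. The response value follows RFC 1994 (MD5 over identifier, secret and challenge); the Router class, its log wording, the challenge ids and the shared secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed lab value for the example; on the real routers it is whatever
# 'username <peer> password <secret>' holds on each side.
SECRET = b"example-shared-secret"


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response-Value = MD5(Identifier || Secret || Challenge).
    The secret never crosses the link, unlike the password inside a PAP AUTH-REQ."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Router:
    def __init__(self, hostname: str, usernames: dict):
        self.hostname = hostname          # name sent in CHALLENGE/RESPONSE packets
        self.usernames = dict(usernames)  # peer name -> shared secret
        self.pending = {}                 # id -> challenge value we issued
        self.log = []                     # shaped like the debug lines in the trace

    def send_challenge(self, ident: int) -> dict:
        value = os.urandom(16)
        self.pending[ident] = value
        self.log.append(f'O CHALLENGE id {ident} from "{self.hostname}"')
        return {"id": ident, "value": value, "name": self.hostname}

    def handle_challenge(self, pkt: dict):
        """Look up the challenger's name to find the shared secret. A mistyped
        sent hostname on the other side (ROUTEBR) fails right here: there is
        no username entry for it, so no RESPONSE can be built."""
        self.log.append(f'I CHALLENGE id {pkt["id"]} from "{pkt["name"]}"')
        secret = self.usernames.get(pkt["name"])
        if secret is None:
            self.log.append(f'no username entry for "{pkt["name"]}", cannot respond')
            return None
        self.log.append(f'O RESPONSE id {pkt["id"]} from "{self.hostname}"')
        return {"id": pkt["id"], "name": self.hostname,
                "value": chap_response(pkt["id"], secret, pkt["value"])}

    def handle_response(self, pkt: dict) -> bool:
        self.log.append(f'I RESPONSE id {pkt["id"]} from "{pkt["name"]}"')
        challenge = self.pending.pop(pkt["id"], None)  # unknown id: stale or replayed
        secret = self.usernames.get(pkt["name"])
        ok = (challenge is not None and secret is not None and
              hmac.compare_digest(pkt["value"], chap_response(pkt["id"], secret, challenge)))
        self.log.append(f'O {"SUCCESS" if ok else "FAILURE"} id {pkt["id"]}')
        return ok


def two_way_chap(a: Router, b: Router, a_id: int, b_id: int) -> bool:
    """Both sides challenge each other, as in the trace; the link only comes
    up when both RESPONSEs verify."""
    b_resp = b.handle_challenge(a.send_challenge(a_id))
    a_resp = a.handle_challenge(b.send_challenge(b_id))
    a_ok = b_resp is not None and a.handle_response(b_resp)
    b_ok = a_resp is not None and b.handle_response(a_resp)
    return bool(a_ok and b_ok)


if __name__ == "__main__":
    good = two_way_chap(Router("ROUTERB", {"ROUTERE": SECRET}),
                        Router("ROUTERE", {"ROUTERB": SECRET}), 189, 176)
    typo_b = Router("ROUTEBR", {"ROUTERE": SECRET})  # the mistyped hostname from the thread
    bad = two_way_chap(typo_b, Router("ROUTERE", {"ROUTERB": SECRET}), 189, 176)
    print("correct hostnames:", good)  # True
    print("typo'd hostname:", bad)     # False
    print("\n".join(typo_b.log))
```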







RE: anybody ever try to make a token ring crossover cable ? [7:44683]

2002-05-21 Thread Roberts, Larry

No such thing.

Thanks

Larry 

-Original Message-
From: nettable_walker [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 21, 2002 9:06 PM
To: [EMAIL PROTECTED]
Subject: anybody ever try to make a token ring crossover cable ? [7:44682]


5/21/2002 9:00pm Tuesday







RE: PIX 515E routing issue [7:44749]

2002-05-22 Thread Roberts, Larry

Try to explicitly permit ICMP from the inside to the outside and see if that
helps.


Thanks

Larry 

-Original Message-
From: Jablonski, Michael [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, May 22, 2002 4:14 PM
To: [EMAIL PROTECTED]
Subject: FW: PIX 515E routing issue [7:44749]


Oh yeah I'm running PIX 6.1(2)

-Original Message-
From: Jablonski, Michael 
Sent: Wednesday, May 22, 2002 3:35 PM
To: 'Cisco Study List (E-mail)'
Subject: PIX 515E routing issue


Just recently installed a PIX 515E.  I can ping from the PIX to an outside
address (and inside box to ethernet on PIX); but trying to ping through the
PIX comes back as unreachable.  Basic layout as follows:

Netopia DSL Router -- PIX 515E -- LAN


I'm using the default allow rule, along with the following access list...
everything else is pretty much default for now. (just want to try and get
connectivity)

access-list 100 permit icmp any any echo-reply 
access-list 100 permit icmp any any time-exceeded 
access-list 100 permit icmp any any unreachable 
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 192.168.1.6 255.255.255.252
ip address inside 192.168.200.1 255.255.255.0
ip verify reverse-path interface outside
ip audit info action alarm
ip audit attack action alarm
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.5 1
timeout xlate 0:05:00
no sysopt route dnat

I've tried running RIP on it; didn't solve the problem.  Seems like the PIX
doesn't understand the default route.  I've cleared the arp table, still no
luck. Any help is GREATLY appreciated, thanx.

~~~
Michael Jablonski
ABN AMRO Asset Management Holdings, Inc.
161 North Clark St.
9th Flr
Chicago, IL  60601-2468
PH: 312.884.2996 
FAX: 312.278.5550
~~~










RE: Removing stuff from our router [7:44839]

2002-05-23 Thread Roberts, Larry

Yes, that will remove the route-map.
The ip as-path access-list "stuff" are called regular expressions.
If you are running BGP on this router, I would highly recommend leaving this
stuff alone. 
You really need to provide more information about what this router is doing
and include its config (sans PW'D and use xxx's for IPs).

That ip as-path access-list is most likely restricting the propagation of
BGP paths through your network. If this is an edge router that is receiving
the full internet routes (115K as of yesterday), this *could* be setup to
restrict to certain ones only. If you have a downstream neighbor that is
using you as a transit AS, these are most likely the ASNs that they are
reaching through you.

These would allow ASNs:
1-9, blank (internal routes) and (I think...) 123400-123499, although I'm not
sure on the last one without my reference book in front of me.



Thanks

Larry 

-Original Message-
From: Anil Gupte [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, May 23, 2002 11:04 AM
To: [EMAIL PROTECTED]
Subject: Removing stuff from our router [7:44839]


To remove this:

route-map MyISP-In permit 10
 match as-path 6
 set local-preference 200

Do I just do this?:
no route-map MyISP-In permit 10

Also, to remove:
ip as-path access-list 1 permit ^[0-9]*
ip as-path access-list 2 permit ^$
ip as-path access-list 3 permit ^1234$
ip as-path access-list 3 permit ^1234_[0-9]*_[0-9]*$

Do I just?:
no ip as-path access-list 1 permit ^[0-9]*
no ip as-path access-list 2
no ip as-path access-list 3


Also what is that "permit ^$" and "permit ^[0-9]*" for?  What does it do?

Thanx for the help.

Anil Gupte
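An added Python helper, not from the thread, that translates IOS as-path regular expressions (including the IOS-specific `_` token) into Python regexes and runs Anil's three lists against sample AS paths, so the effect of each entry can be checked before anything is removed. The sample AS paths and the ACL dictionary are constructed for the example; the helper assumes `_` is not used inside a bracket expression.

```python
import re

# In IOS as-path regexes '_' matches a space, comma, brace, parenthesis, or the
# beginning or end of the path. Everything else is ordinary regex syntax.
_UNDERSCORE = r"(?:^|$|[\s,{}()])"


def cisco_aspath_regex(pattern: str) -> re.Pattern:
    """Translate an 'ip as-path access-list' expression to a Python regex."""
    return re.compile("".join(_UNDERSCORE if ch == "_" else ch for ch in pattern))


def aspath_matches(pattern: str, as_path: str) -> bool:
    """as_path is the space-separated AS_PATH as IOS displays it; an empty
    string is a locally originated route."""
    return cisco_aspath_regex(pattern).search(as_path) is not None


def evaluate_acl(entries, as_path: str) -> bool:
    """Top-down, first match wins, like IOS; no match is an implicit deny."""
    for action, pattern in entries:
        if aspath_matches(pattern, as_path):
            return action == "permit"
    return False


# The three lists from Anil's router, as (action, regex) pairs.
# Note that '^[0-9]*' can match zero digits at the start, so list 1 matches
# every path, not just paths that begin with a number.
ASPATH_ACL = {
    1: [("permit", "^[0-9]*")],
    2: [("permit", "^$")],
    3: [("permit", "^1234$"), ("permit", "^1234_[0-9]*_[0-9]*$")],
}


def explain(list_no: int, sample_paths) -> dict:
    """Map each sample AS path to whether the given list permits it."""
    return {p: evaluate_acl(ASPATH_ACL[list_no], p) for p in sample_paths}


if __name__ == "__main__":
    samples = ["", "1234", "1234 5", "1234 5 6", "1234 5 6 7", "5 1234", "55 1234 66"]
    for n in ASPATH_ACL:
        print(f"ip as-path access-list {n}:", explain(n, samples))
```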







RE: PIX - PAT configuration problem [7:44957]

2002-05-24 Thread Roberts, Larry

Hello,

That is a pretty standard way of doing PAT overloading. I use it on 4 or 5
firewalls in this manner. I would suggest double, then triple checking
the global for typos. I suspect that the PAT global might have an incorrect
address. Try and see if those users that have a PAT address can ping outside
addresses.
Start with the next hop address, and work from there. 

Let us know if they can ping, or if everything is blocked.


Thanks

Larry 

-Original Message-
From: Ufuk Yasibeyli [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 24, 2002 10:23 AM
To: [EMAIL PROTECTED]
Subject: PIX - PAT configuration problem [7:44957]


Hello everybody,

I have configured a PIX 515E v6.1(2) with following 
for NAT/PAT address translation : 

ip address outside x.y.z.2 255.255.255.0
ip address inside 192.168.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 x.y.z.1 1

global (outside) 1 x.y.z.100-x.y.z.253
global (outside) 1 x.y.z.254

nat (inside) 1 0.0.0.0 0.0.0.0 0 0


Inside hosts have the necessary permissions for initiating web traffic, and 
all the hosts which get an address from the NAT pool (100-253) can browse the
web. However, clients which are allocated the PAT address (254) cannot
browse the web. These clients can resolve DNS names to IP addresses though. 
When I issue the "show xlate" command, PAT addresses are shown as allocated to
some clients, which I verify can't access the web.

I have used the Cisco Output Interpreter tool. But it didn't give me 
any warning or configuration error. And I think the config is pretty
straightforward. (Which might be the reason for a mistake I can't see.)

One friend informed me that the PIX has a problem in a configuration like this,
where the outside address is in the same segment as the address used for PAT.
Can someone confirm this information, and if so, is this behaviour a bug 
or a configuration mistake I am making?

Best regards,

Ufuk Yasibeyli




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=44972&t=44957



RE: why copy tftp run retain some old config ??? [7:45323]

2002-05-28 Thread Roberts, Larry

The router does a merge of the configs. If something is not overwritten (
which is the case of the IP addresses on an interface ) the old is still
retained.
Since you can define multiple ip route commands, they are added.

If you were to define a secondary address in both your running and your tftp
configs, and then copy tftp run, you would see that you would have both
secondary addresses still in place.

I guess you could call this a "feature"

I don't know how you can force your running to be replaced with the tftp
config, short of reloading your router and booting from the tftp server
config.


Thanks

Larry 

-Original Message-
From: Sim, CT (Chee Tong) [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, May 28, 2002 9:43 PM
To: [EMAIL PROTECTED]
Subject: why copy tftp run retain some old config ??? [7:45323]


Hi.. Dear all,

Why, when I copy the config from the tftp server to replace the old config on
the router (copy tftp run) or copy the config from startup to running (copy
star run), is the resulting config not exactly the same as the config
that I copied from?  It retains some of the old parameters or config.  For example:  

When I copy start run

My start-up config is 
ip route 10.0.0.0 255.0.0.0 50.100.45.4

My running config is 
ip route 10.0.0.0 255.0.0.0 50.100.45.3

After I copy start run, the resulting config becomes 
ip route 10.0.0.0 255.0.0.0 50.100.45.4
ip route 10.0.0.0 255.0.0.0 50.100.45.3


And when I copy the config from tftp server to my run config (copy tftp run)

My tftp config

interface Ethernet0
 description To Office Ethernet
 ip address 80.8.200.113 255.255.255.240
 no ip directed-broadcast
 ip accounting output-packets
 ip route-cache same-interface
 
My running config

interface Ethernet0
 description To Office Ethernet
 ip address 70.8.200.113 255.255.255.240
 no ip directed-broadcast
 ip accounting output-packets
 ip route-cache same-interface
 traffic-shape group 105 5000 7000 7000 1000

But the resulting config becomes as below 
interface Ethernet0
 description To Office Ethernet
 ip address 80.8.200.113 255.255.255.240
 no ip directed-broadcast
 ip accounting output-packets
 ip route-cache same-interface
 traffic-shape group 105 5000 7000 7000 1000

WHY???   Why is it not the same as the config that I copied from, but the
combination?  How do I solve this??

CT




The information contained in this message may be confidential 
and is intended to be exclusively for the addressee. Should you 
receive this message unintentionally, please do not use the contents 
herein and notify the sender immediately by return e-mail.


==




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45328&t=45323
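Larry's explanation can be checked mechanically. What follows is an added example, not code from the thread and not IOS, that models the merge on the two configs CT quoted: a single-instance command such as `ip address` is overwritten within its context, everything else (`ip route`, secondary addresses) is added alongside what was there, and nothing is ever removed. The table of single-instance commands is an assumption of the model, not a list taken from IOS. The `leftovers` function reports the lines that survive although the file on the TFTP server does not contain them; that is the check worth running after any `copy ... run` on a device you expect to match a reference config, because the stale lines are exactly what a later audit will not expect to find.

```python
from typing import List, Tuple

# Constructed from the two configs quoted in the question: the file on the TFTP
# server (what the operator expects to end up with) and the running config.
TFTP_CONFIG = """\
ip route 10.0.0.0 255.0.0.0 50.100.45.4
interface Ethernet0
 description To Office Ethernet
 ip address 80.8.200.113 255.255.255.240
 no ip directed-broadcast
 ip accounting output-packets
 ip route-cache same-interface
"""

RUNNING_CONFIG = """\
ip route 10.0.0.0 255.0.0.0 50.100.45.3
interface Ethernet0
 description To Office Ethernet
 ip address 70.8.200.113 255.255.255.240
 no ip directed-broadcast
 ip accounting output-packets
 ip route-cache same-interface
 traffic-shape group 105 5000 7000 7000 1000
"""

# Commands that exist once per context: a new line with these leading words
# replaces the old one. Any command not listed here is treated as additive,
# i.e. a second distinct instance is kept next to the first (ip route,
# secondary addresses, access-list entries, ...). This table is an assumption
# of the model, not a list taken from IOS.
SINGLE_INSTANCE = {"ip address": 2, "description": 1, "traffic-shape group": 3}

Entry = Tuple[str, str]  # (context, command); context "" means global config


def parse(text: str) -> List[Entry]:
    """Turn an IOS-style config into (context, command) pairs. A top-level line
    is a global command; indented lines belong to the last top-level line, which
    is their context (e.g. 'interface Ethernet0')."""
    entries: List[Entry] = []
    context = ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" "):
            entries.append((context, raw.strip()))
        else:
            context = raw.strip()
            entries.append(("", context))
    return entries


def key(cmd: str) -> str:
    """What 'the same command' means for merging purposes."""
    words = cmd.split()
    if words and words[-1] == "secondary":
        return cmd  # secondary addresses accumulate, as Larry describes
    for prefix, n in SINGLE_INSTANCE.items():
        if cmd.startswith(prefix + " "):
            return " ".join(words[:n])
    return cmd  # additive: only an identical line counts as the same one


def merge(running: str, incoming: str) -> List[Entry]:
    """Model of 'copy tftp run' / 'copy start run': every incoming line is
    applied on top of the running config, and nothing is ever removed."""
    result = parse(running)
    for ctx, cmd in parse(incoming):
        k = key(cmd)
        for i, (rctx, rcmd) in enumerate(result):
            if rctx == ctx and key(rcmd) == k:
                result[i] = (ctx, cmd)  # overwrite in place
                break
        else:
            result.append((ctx, cmd))  # add alongside what was there
    return result


def commands(entries: List[Entry], context: str) -> List[str]:
    return [cmd for ctx, cmd in entries if ctx == context]


def leftovers(merged: List[Entry], intended: str) -> List[Entry]:
    """Lines that survived the merge although the intended config does not
    contain them: the stale state an operator would otherwise not notice."""
    wanted = set(parse(intended))
    return [e for e in merged if e not in wanted]


def render(entries: List[Entry]) -> str:
    lines: List[str] = []
    for g in commands(entries, ""):
        lines.append(g)
        lines.extend(" " + c for c in commands(entries, g))
    return "\n".join(lines)


if __name__ == "__main__":
    merged = merge(RUNNING_CONFIG, TFTP_CONFIG)
    print(render(merged))
    print("stale:", leftovers(merged, TFTP_CONFIG))
```

Run against the quoted configs, the model reproduces CT's result: two `ip route` lines, the new `ip address`, and the `traffic-shape` line still on Ethernet0. `leftovers` lists the old route and the `traffic-shape` line, which is what has to be removed by hand (or by reload, as Larry says) to really match the TFTP file.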



RE: CCIE Lab Reading [7:45486]

2002-05-31 Thread Roberts, Larry

I would be curious how you ordered them as well. The last set I have is for
11.3. I just got off the phone with Cisco and they were clueless about what
I was talking about..


Thanks

Larry 

-Original Message-
From: Jeff Harris [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 31, 2002 4:03 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Lab Reading [7:45486]


Is this set for all products or just the products that you have a contract
on? Just wondering as we don't have any manuals at all (besides the little
getting started booklets that come with WIC's and whatnot). We're a Premier
Partner as well..



-- 

Jeff Harris - Cisco/Unix Engineer
CCNA, CCNP Routing, Remote Access Passed

On Fri, May 31, 2002 at 04:14:10PM -0400, Shawn Heisey wrote:
> I have a set of 12.2 IOS documentation at home ordered for free with a 
> smartnet contract.  It would be worth ordering a smartnet contract on 
> your smallest piece of Cisco hardware just for the documentation you 
> can get for free.
> 
> http://www.cisco.com/upgrade
> 
> Thanks,
> Shawn
> 
> MADMAN wrote:
> > 
> > We have a very large smartnet contract and used to get the hard 
> > copies as they came out.  The last hardcopies I seen were 11.2.  I 
> > don't even know if they print them anymore.
> > 
> >   Dave
> > 
> > Brad Ellis wrote:
> > >
> > > John,
> > >
> > > I believe if you have a smartnet contract, you can get the IOS 
> > > manuals
> free
> > > from Cisco (at least you could a couple years ago).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45569&t=45486



RE: CCIE Lab Reading [7:45486]

2002-06-01 Thread Roberts, Larry

I bet Cisco is scratching their heads trying to find out why the sudden
demand on IOS manuals...
After 45 minutes of searching the site I found where to order. I don't know
that I would ever find it again.
So I started ordering things left and right.
I bet I have 25+ books coming...
I finally have new books to read!

Thanks

Larry 

-Original Message-
From: Eric Rogers [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 31, 2002 8:00 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Lab Reading [7:45486]


Just ordered the complete copy of manuals for 12.2 IOS Documentation Set :-)

THANKS for that info...I knew there was a reason for being on groupstudy...

-Eric

- Original Message -
From: "Brad Ellis" 
To: 
Sent: Friday, May 31, 2002 10:38 AM
Subject: Re: CCIE Lab Reading [7:45486]


> John,
>
> I believe if you have a smartnet contract, you can get the IOS manuals
free
> from Cisco (at least you could a couple years ago).
>
> thanks,
> -Brad Ellis
> CCIE#5796 (R&S / Security)
> Network Learning Inc
> [EMAIL PROTECTED]
> www.optsys.net (Cisco hardware)
>
> ""[EMAIL PROTECTED] (John Nemeth)""  wrote in
> message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > On Oct 20,  7:01pm, "Chuck" wrote:
> > }
> > } Someone who passed the lab recently advised me ( as have other 
> > folks
who
> > } have posted their success here and elsewhere ) that it remains
CRITICAL
> > that
> > } you spend as much time as possible reading the command references 
> > as
> found
> > } on CCO. Print as much out as you can. Study them. Knowing the 
> > knobs, knowing } where to find things is very helpful.
> >
> >  eBay seller [EMAIL PROTECTED] often has complete sets of 
> > printed 12.2 manuals.  The price seems to range from $100 to $200 
> > (of course, shipping is a killer).  I bought a set and they are 
> > quite nice to use for reference; although, they do take up four feet 
> > of shelf space (I need more book shelves).  They are organised just 
> > like the doc CD, and you quickly learn what is where, since you 
> > can't just type a command name into a search box (I suppose you 
> > could cheat and look it up in the master index, but I haven't 
> > cracked that one open yet).
> >
> > }-- End of excerpt from "Chuck"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45584&t=45486



RE: Off Topic - inauspicious beginning [7:45592]

2002-06-01 Thread Roberts, Larry

I'm guessing wrong port.
You were plugged into the Aux in place of the Console...??


Thanks

Larry 

-Original Message-
From: Jason Weden [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 01, 2002 1:49 PM
To: [EMAIL PROTECTED]
Subject: RE: Off Topic - inauspicious beginning [7:45592]


Sounds like it was a physical layer issue:

bad rollover or,
bad db9, or
bad serial port on the computer

Swapping out each of the above, one at a time, undoubtedly led to your
solution... I think.  The other possibility was that your keyboard was
messed up and sending the wrong keystroke combos.

Jason




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45596&t=45592



RE: CCIE Lab Reading [7:45486]

2002-06-01 Thread Roberts, Larry

www.cisco.com/upgrade

Click on Product upgrade, then launch product upgrade.
Enter your Agreement number...
I get a message that I have no hardware upgradeable ( or something to that
effect ) and then an option to select documentation.
It was so right in front of my face that I missed it...


Thanks

Larry 

-Original Message-
From: Kunal Bhatia [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 01, 2002 12:18 PM
To: Roberts, Larry; [EMAIL PROTECTED]
Subject: RE: CCIE Lab Reading [7:45486]


Can you provide some rough idea about where you found this on CCO ?

-Original Message-
From: Roberts, Larry [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 01, 2002 10:24 PM
To: [EMAIL PROTECTED]
Subject: RE: CCIE Lab Reading [7:45486]


I bet Cisco is scratching their heads trying to find out why the sudden
demand on IOS manuals... After 45 minutes of searching the Site I found
where to order. I don't know that I would ever find it again So I started
ordering things left and right I bet I have 25+ books coming... I
finally have new books to read!

Thanks

Larry 

-Original Message-
From: Eric Rogers [mailto:[EMAIL PROTECTED]] 
Sent: Friday, May 31, 2002 8:00 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE Lab Reading [7:45486]


Just ordered the complete copy of manuals for 12.2 IOS Documentation Set
:-)

THANKS for that info...I knew there was a reason for being on groupstudy...

-Eric

- Original Message -
From: "Brad Ellis" 
To: 
Sent: Friday, May 31, 2002 10:38 AM
Subject: Re: CCIE Lab Reading [7:45486]


> John,
>
> I believe if you have a smartnet contract, you can get the IOS manuals
free
> from Cisco (at least you could a couple years ago).
>
> thanks,
> -Brad Ellis
> CCIE#5796 (R&S / Security)
> Network Learning Inc
> [EMAIL PROTECTED]
> www.optsys.net (Cisco hardware)
>
> ""[EMAIL PROTECTED] (John Nemeth)""  wrote in
> message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > On Oct 20,  7:01pm, "Chuck" wrote:
> > }
> > } Someone who passed the lab recently advised me ( as have other
> > folks
who
> > } have posted their success here and elsewhere ) that it remains
CRITICAL
> > that
> > } you spend as much time as possible reading the command references
> > as
> found
> > } on CCO. Print as much out as you can. Study them. Knowing the
> > knobs, knowing } where to find things is very helpful.
> >
> >  eBay seller [EMAIL PROTECTED] often has complete sets of
> > printed 12.2 manuals.  The price seems to range from $100 to $200 
> > (of course, shipping is a killer).  I bought a set and they are 
> > quite nice to use for reference; although, they do take up four feet

> > of shelf space (I need more book shelves).  They are organised just
> > like the doc CD, and you quickly learn what is where, since you 
> > can't just type a command name into a search box (I suppose you 
> > could cheat and look it up in the master index, but I haven't 
> > cracked that one open yet).
> >
> > }-- End of excerpt from "Chuck"




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45591&t=45486





RE: Off Topic - inauspicious beginning [7:45592]

2002-06-02 Thread Roberts, Larry

I win! I win!

Thanks

Larry 

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED]] 
Sent: Sunday, June 02, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: Off Topic - inauspicious beginning [7:45592]


Not worth dragging this one out much longer.

the router model is 36xx, which alone should be a big clue. the router is
situated so I can easily get to the serial ports, leaving the aux and con
ports up against the wall, so I have to reach behind, feel around with my
fingers, find the port, and fumble around some more to plug in. all other
models I have worked with have the con and aux port on the same side of the
box as the data ports. I guess the last time I used it I was fooling around
with aux port settings. it just never occurred to me that I was in the aux.

DOH!

On the other hand, all was not lost. I've had a good time simulating my
customer network, checking out my policy routing etc. interesting design. on
the clever side if I do say so myself. works like a charm, which means the
implementation people either aren't getting it, or the vlans are not
configured correctly on the switch. more on that another time.

Chuck
182 and counting down.

""Kaminski, Shawn G""  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Out of curiosity, what model router is the frame switch?
>
> Shawn K.
>
> > -Original Message-
> > From: Chuck [SMTP:[EMAIL PROTECTED]]
> > Sent: Saturday, June 01, 2002 2:32 PM
> > To: [EMAIL PROTECTED]
> > Subject: Off Topic - inauspicious beginning [7:45592]
> >
> > 183 days and counting. like the Flying Dutchman,  I'll pass the Lab
if...
> > nope - better not make that threat. you never can tell..
> >
> > actually, the gods of the Lab have already started with me.
> >
> > I haven't had the routers on in quite a few weeks. Been busy at 
> > work.
Had
> > some big projects to keep me out of my own lab for a while.
> >
> > So I have a customer network that I need to clean up a few things 
> > on. I set up a model in my own lab, cable everything up to emulate 
> > the customer's situation, and begin. First step - configure the 
> > frame relay switch.
> >
> > try to get into enable mode. Keep getting asked for a password. 
> > Rats!
What
> > is the enable password? I try the usual suspects, and come up empty.
> >
> > no problem. I'll just do a quick password recovery. I do a search on
CCO,
> > quickly locate the procedure, and begin...
> >
> > power off. power on. control break. no luck - the router just boots 
> > as normal.
> >
> > hhm I've done recoveries before. no biggie. why am I 
> > having the problem?
> >
> > Now I know the smart guys among you will tell me it's because I use
hyper
> > terminal. so I close HT, and load up my copy of Tera Term. repeat 
> > the power off power on sequence, try alt b, and no luck. the router 
> > loads as
usual.
> >
> > now I'm panicking. I have been trying this via my term server. I go 
> > directly into the router, replacing the term server cable with a 
> > direct
connection.
> >
> > still no luck. alt b with Tera term, control break with hyper term. 
> > the router still loads as normal.
> >
> > Well, I've figured out the problem. I've gotten into the router. I'm 
> > happily working on my customer simulation. the frame switch is 
> > configured as I wish.
> >
> > the question to all of you - what was the problem? what was the
solution?
> >
> > regards
> >
> > Chuck
> > December 2 - 183 days and counting
> > the gods of the Lab permitting ;->




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45626&t=45592



Question about the 350 series AP [7:45971]

2002-06-07 Thread Roberts, Larry

OK,

Can someone confirm/deny that the 350 will only accept in-line power?
Does it come with the in-line power injector, or is this a separate item?
I have read everything I can and all points say it only has in-line power,
but none say whether this is included ( I can't imagine it wouldn't be )


Thanks

Larry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45971&t=45971



RE: PIX525\Web Sense and Chat programs [7:46013]

2002-06-07 Thread Roberts, Larry

For AOL just block access to the login servers.

Login.oscar.aol.com ( it used to be this )
For Yahoo, it's much more difficult, and time consuming. You will also
inadvertently block access to some portions of the Yahoo website.
I used a sniffer and my PC to see what servers YIM logged into. I would
block the one I connected to, and then restart the sniffer and the software.
It took about 8 hours, but I managed to block YIM. Of course that was after
they told me it couldn't be done :) Yahoo made a bad mistake telling me
that.
ICQ uses TCP 6667 if I remember correctly. Since I have only allowed certain
traffic through the FW, it was already blocked.

It takes time to get it figured out, but these programs CAN be blocked. If
nothing else, just deny access to all of Yahoo by inserting a bad
yahoo.com in your domain server!

Thanks

Larry 

-Original Message-
From: Mears, Rob [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 07, 2002 9:31 AM
To: [EMAIL PROTECTED]
Subject: PIX525\Web Sense and Chat programs [7:46013]


Hello Cisco people

We are using Web Sense to block most of the sites that we feel necessary but
have had problems with programs like AOL, MSN, ICQ chat programs. So I am
going to stop this at the PIX and was wondering who out there had blocked chat
programs in the enterprise, and methods used. I fully understand the steps
needed to block what is needed on the PIX but was wanting to hear horror
stories or problems you might have encountered. I would also like to know
what sites (address\protocols) you had to block to stop these programs
because some are http based. (AIM, MSN, etc.). For those of you who have
applied rules to the inside interface of the pix, did you notice any
performance issues or any other problem related to having all outbound
traffic filtered?



Thank you


Thanks
Rob Mears III,  CCNP, MCSE, CNE, NNCDS, NNCSS, NNCPS, MCP+I, A+ Technical
Mercenary Valor Telecom.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46052&t=46013



RE: CCIE Lab Question Mark [7:45980]

2002-06-07 Thread Roberts, Larry

Engineering code doesn't have the ? available.

I had heard the same thing though

Thanks

Larry 

-Original Message-
From: Moffett, Ryan [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 07, 2002 9:08 AM
To: [EMAIL PROTECTED]
Subject: RE: CCIE Lab Question Mark [7:45980]


That's absolutely not true.   In order to do something like that, they would
have to custom compile IOS code specific to the CCIE Lab to have that
removed.   Believe me, the "?" is an integral part of working with Cisco
devices from the command line.

-Original Message-
From: Robert McBride [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 06, 2002 8:19 PM
To: [EMAIL PROTECTED]
Subject: CCIE Lab Question Mark [7:45980]


Hey,

I just heard that there is no question mark availability on the lab.  Can
anyone give me their experience on this ??

  -Thanks-
 -Robert-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46068&t=45980



RE: Poll: What do you use to backup your configs? [7:46229]

2002-06-10 Thread Roberts, Larry

Well we have a couple of things.
1) CiscoWorks 2K. It will track configs for several revisions letting you do
a side by side comparison.
2) a grunt. The lowest guy on the pole has to telnet to all our routers (
120 or so ) and save the configs to their respective directory.
This is done about every 3 months.
3) We also keep track of any changes made in a change control form. This
should match the latest version of the config in ciscoworks.
4) I have the scripts, but have yet to review or test, for using snmpwalk on
a linux box. I received them from someone on this list, and they have been
slowly making their way to the top for review.

5) Search for Kiwi Software's CatTools. They will allow for the automated
polling of configs. I have only used the demo, but it looks nice.


Thanks

Larry 

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 10, 2002 5:05 PM
To: [EMAIL PROTECTED]
Subject: Poll: What do you use to backup your configs? [7:46229]


Out of curiosity, what do you use to schedule automated backups of your 
router / switch configs?  Commercial application?  Homegrown 
application?  Trained monkey?
How often are the configs backed up?  How do you implement version control?

I was talking with a guy the other day who maintains a fairly large 
corporate network (about 300 routers), and they don't backup the configs at 
all.  They record the config when it's deployed and trust employees to 
update the records if they make a change.  This got me wondering what 
others were doing.

Craig




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46236&t=46229



RE: Poll: What do you use to backup your configs? [7:46229]

2002-06-10 Thread Roberts, Larry

It's just a Word doc with a list of the date, who, and what was done. I can
send it to you, but it is a really plain file.
We just verify that whatever the last 2-3 changes made were are in the
config. That's the extent of it.

Thanks

Larry 

-Original Message-
From: rick [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 10, 2002 11:14 AM
To: Roberts, Larry
Cc: '[EMAIL PROTECTED]'
Subject: RE: Poll: What do you use to backup your configs? [7:46229]


On Mon, 10 Jun 2002, Roberts, Larry wrote:

:Well we have a couple of things.

:3) We also keep track of any changes made in a change control form. This
:should match the latest version of the config in ciscoworks.

Larry, is the form you use from a vendor/supplier or is it 
something you developed in house?

If it's something you developed would you be allowed to share it?

I am looking to upgrade our in house record keeping and am 
searching for ideas on what to include and how to lay it out.

Thanks

-- 
--Rick

Meader's Law:
Whatever happens to you, it will previously
have happened to everyone you know, only more so.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46244&t=46229
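The process Larry describes in this thread (a form with date, who and what, then a check that the last few recorded changes are really in the config) can be automated once each form entry also records the exact lines it adds or removes. The following is an added example, not the list's code and not CiscoWorks or CatTools: it diffs two constructed backup snapshots of one router against a constructed change log and reports three things: recorded changes that are present, recorded changes that never landed, and lines that changed with no record behind them. The last category is the one a security team cares about, because an unexplained line is either a forgotten change or an unauthorized one. All hostnames, addresses and names are made up.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ChangeRecord:
    """One row of the change-control form: date, who, what, plus the exact
    config lines the change adds or removes so it can be checked mechanically."""
    date: str
    who: str
    what: str
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)


# Constructed snapshots of one router, taken on two consecutive backup runs.
PREVIOUS_BACKUP = [
    "hostname edge-rtr",
    "ip route 0.0.0.0 0.0.0.0 10.0.0.1",
    "interface FastEthernet0/0",
    " ip address 10.0.0.254 255.255.255.0",
    "line vty 0 4",
    " login local",
]
CURRENT_BACKUP = [
    "hostname edge-rtr",
    "ip route 0.0.0.0 0.0.0.0 10.0.0.2",
    "interface Loopback0",
    " ip address 10.255.0.1 255.255.255.255",
    "interface FastEthernet0/0",
    " ip address 10.0.0.254 255.255.255.0",
    "snmp-server community public RO",
    "line vty 0 4",
    " login local",
]

# Constructed change log covering the same period. The third entry was
# approved but never typed into the router.
CHANGE_LOG = [
    ChangeRecord("2002-06-03", "larry", "add loopback for management",
                 added=["interface Loopback0", " ip address 10.255.0.1 255.255.255.255"]),
    ChangeRecord("2002-06-05", "larry", "move default route to new upstream",
                 added=["ip route 0.0.0.0 0.0.0.0 10.0.0.2"],
                 removed=["ip route 0.0.0.0 0.0.0.0 10.0.0.1"]),
    ChangeRecord("2002-06-07", "rick", "restrict vty to ssh",
                 added=["ip ssh version 2", " transport input ssh"]),
]


def line_diff(old: List[str], new: List[str]) -> Tuple[List[str], List[str]]:
    """Order-insensitive line diff: (lines only in new, lines only in old)."""
    added = [line for line in new if line not in old]
    removed = [line for line in old if line not in new]
    return added, removed


def verify(old: List[str], new: List[str], log: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Reconcile the diff between two backups with the change-control log."""
    added, removed = line_diff(old, new)
    applied: List[str] = []
    missing: List[str] = []
    explained_added: set = set()
    explained_removed: set = set()
    for rec in log:
        # A record is applied when everything it adds is present and
        # everything it removes is gone.
        present = all(l in new for l in rec.added) and not any(l in new for l in rec.removed)
        if present:
            applied.append(rec.what)
            explained_added.update(rec.added)
            explained_removed.update(rec.removed)
        else:
            missing.append(rec.what)
    return {
        "applied": applied,
        "missing": missing,
        # Changes on the box that no approved record accounts for.
        "unexplained_added": [l for l in added if l not in explained_added],
        "unexplained_removed": [l for l in removed if l not in explained_removed],
    }


if __name__ == "__main__":
    for k, v in verify(PREVIOUS_BACKUP, CURRENT_BACKUP, CHANGE_LOG).items():
        print(f"{k}: {v}")
```

Here the unexplained line is a read-only SNMP community with a guessable string that nobody recorded adding; whether it was a shortcut by an engineer or something else, it is the line the review should start with. The comparison is by exact line, so the form's "what" text has to carry the real config lines, not a paraphrase.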



RE: PIX 6.2 [7:46454]

2002-06-13 Thread Roberts, Larry

No, but 6.2(1) is :)

PDM 2.0 is also available. Have both in my lab and they seem pretty stable
so far.

Thanks

Larry 

-Original Message-
From: Clayton Dukes [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 13, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: PIX 6.2 [7:46454]


Howdy,
Does anyone know if the PIX 6.2 software is available yet?


Clayton Dukes
Cisco Info Center SE
CCNA, CCDA, CCDP, CCNP, NCC




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46461&t=46454



RE: IDS Questions [7:46639]

2002-06-15 Thread Roberts, Larry

That's why you always put your own IP as well as the CSPM server on the do
not shun list...

That's a good point, but that scenario is exactly why they added the do not
shun list.
Well that and the person who puts a custom signature denying telnetting and
locks themselves out :)


Thanks

Larry
 

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 15, 2002 10:07 AM
To: [EMAIL PROTECTED]
Subject: Re: IDS Questions [7:46639]


I wouldn't use shunning only because a hacker can spoof an address, and you
shun it, such as a web server, or IDS console, etc..


""Hamid""  wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> Maybe a silly question, Can anyone tell me what shunning is?
>
>
> ""John Kaberna""  wrote in message 
> [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > I don't see why you'd get flamed for that except maybe from a 
> > die-hard
> Cisco
> > employee and even then I doubt it.  I prefer Snort a lot more than
Cisco's
> > IDS because of price and I do prefer the fact that you have nearly 
> > an
> entire
> > industry of security people that work on Snort.  There are very few
> seasoned
> > security people that don't have a fair amount of experience with 
> > Snort. There are few shops out there that rely solely on Cisco IDS.  
> > If I had
the
> > choice though, I would probably run them both.  It wouldn't hurt and 
> > it
> sure
> > would make you feel good to catch an alarm on one IDS that was 
> > missed by
> the
> > other.
> >
> >
> > ""Peter Walker""  wrote in message 
> > [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
> > > I hope I dont get flamed for this
> > >
> > >  ... but I would like to ask a similar but different question.
> > >
> > > What reason is there to choose Cisco IDS over Snort. I just dont 
> > > see
> Cisco
> > > IDS as having much in the way of advantages over Snort other than 
> > > a
> Cisco
> > > label and a high price tag (and yes both of those can be percieved 
> > > as
> > > advantages)
> > >
> > > Of all of the Cisco kit I have worked with the IDS system is the 
> > > only
> one
> > I
> > > cant see myself recommending to someone.
> > >
> > > Peter Walker
> > >
> > > --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto  wrote:
> > >
> > > > Brian,
> > > >
> > > > We can both justify and afford a commercial IDS but choose 
> > > > Snort.
> What
> > do
> > > > see as drawbacks to Snort?
> > > >
> > >
> > > >>> "Brian Zeitz"  06/14/02 03:02PM >>>
> > >
> > >
> > > > So the most people who want IDS who cannot afford
> > > > / justify (just yet) and IDS box are using Snort?  I have a pix
515UR,
> > > > and if I read correctly, it has the capabilities to interface to 
> > > > an
> IDS
> > > > box, but it is not an IDS box itself.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46688&t=46639
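The do-not-shun list Larry mentions is the guard rail for the self-inflicted outage Steven describes: a sensor that blocks whatever source address appears in an alarm can be steered into cutting off its own console or a production server. The following is an added example, not Cisco IDS or CSPM code, of the minimum a shun mechanism should do: refuse to block addresses in protected ranges, record the refusal for the analyst (a hit on the protected list usually means a spoofed source or an over-broad signature), and expire blocks after a TTL so a bad decision does not last forever. Class and function names are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional


class ShunManager:
    """Model of an IDS-driven 'shun' (dynamic source-address block) that honours
    a never-shun list and expires entries. Illustration only, not a vendor API."""

    def __init__(self, never_shun: Iterable[str], default_ttl: int = 900):
        # Protected networks: management hosts, the IDS console, key servers.
        self.never_shun = [ipaddress.ip_network(n, strict=False) for n in never_shun]
        self.default_ttl = default_ttl
        self._active: Dict[str, int] = {}  # source ip -> expiry (epoch seconds)
        self.refused: List[str] = []       # shun requests we declined, for review

    def protected(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_shun)

    def shun(self, ip: str, now: int, ttl: Optional[int] = None) -> bool:
        """Request a block. Returns False, and records the request, when the
        address is on the never-shun list; otherwise blocks it until now+ttl."""
        if self.protected(ip):
            self.refused.append(ip)
            return False
        self._active[ip] = now + (ttl if ttl is not None else self.default_ttl)
        return True

    def is_blocked(self, ip: str, now: int) -> bool:
        expiry = self._active.get(ip)
        return expiry is not None and now < expiry

    def active(self, now: int) -> List[str]:
        """Purge expired entries and return the sources currently blocked."""
        self._active = {ip: e for ip, e in self._active.items() if now < e}
        return sorted(self._active)


def build_manager() -> ShunManager:
    # Constructed never-shun list: the IDS console/CSPM host, the admin's own
    # workstation, and the DMZ server range (documentation addresses).
    return ShunManager(["192.0.2.10/32", "192.0.2.20/32", "198.51.100.0/24"])


if __name__ == "__main__":
    mgr = build_manager()
    now = 1_000
    for src in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(src, "shunned" if mgr.shun(src, now) else "refused (protected)")
    print("active:", mgr.active(now), "refused:", mgr.refused)
```

The `refused` list is the interesting output: every entry there is an alarm whose source address belongs to something you own, which is either spoofing aimed at the sensor or a signature that needs tuning.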



RE: STP Question: Root Bridge placement load balancing [7:46703]

2002-06-15 Thread Roberts, Larry

Well, I don't have that book but let me go off what you sent.
___
Assumptions made:
All 3 switches carry both VLANs and all 3 switches have members in both
VLANs. 
The links between switches are set up for VLAN trunking
___

Cat-C will have traffic that needs to access servers in both VLANs. Cat-A
would be the root bridge for VLAN2 and all traffic would flow through it for
this VLAN. Same for Cat-B and VLAN3. However, let's assume that the link
between Cat-C and Cat-A fails. Now Cat-C can't send traffic directly to
Cat-A, but it can, however, send to Cat-B, which can send traffic across the
link between them to get to Cat-A.

Reverse the process for VLAN3.

Traffic by default will flow towards the root bridge. That being said,
traffic for VLAN 2 will always go across the VLAN2 link to Cat-A because
that is the shortest distance to the root bridge. A secondary route exists to
Cat-A, via Cat-B, but since it's not the shortest, that port would be in a
blocking mode (1/2 on Cat-C) for VLAN2. Only when Cat-C detects a failure
would a new STP algorithm be run, at which point Cat-C would detect that the
shortest route to Cat-A would be through Cat-B. Once that happens, traffic
for that VLAN would begin going across the VLAN3 link even if it is for
VLAN2.

Now Cat-C has the same scenario for VLAN3 but this time, the shortest route
to the Root Bridge for VLAN3 is across the VLAN3 link and the path (port
1/1) would be in a blocking mode for VLAN3.

For this to work, the link between Cat-B and Cat-C would need to be a trunk
port that carries VLAN2&3. This would provide the failover path for the
VLAN's in the event of a link failure between Cat-C and one of the other Cat
switches.

In the case of a failure of either Cat-B or C, you're out of luck for those
servers connected to it. I suggest a quick call to TAC!

What I think might be confusing you (if I haven't!) is that you're thinking
that if someone on Cat-C needs access to a server in VLAN2 that is
physically plugged into Cat-B you might think that traffic would go across
the link from Cat-C to Cat-B. Well, it doesn't, it would go from Cat-C to
Cat-A to Cat-B.


Ok, portion 2.
Technically this is load sharing not load balancing BTW.
Let's also assume that 2 servers plugged into Cat-A are hogging the BW. One
server (SRV2) is in VLAN2 and the other is in VLAN3 (SRV3). The traffic for
SRV2 would go from Cat-C out port 1/1 directly to Cat-A. The traffic for
SRV3 however would go out port 1/2 on Cat-C to Cat-B then from Cat-B across
the link to Cat-A.

If all links are 100Mbs, both servers would have a dedicated 100Mbs of BW to
Cat-C, since each follows a different path to Cat-C.


Hope I have not confused you any. I have retyped about 3 times trying to
simplify but point out the important parts.
If you would like me to clear anything up let me know.

Hope it helps.


Thanks

Larry
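The two-VLAN spanning tree Larry walks through, as an added example that is not from the thread: a small 802.1D model of the three switches that reports which Cat-C port blocks for each VLAN, the path a frame really takes between two switches, and what changes when the Cat-C/Cat-A link fails. The bridge priorities and the 100 Mb/s link cost are assumptions; the switch and port names follow the figure.

```python
import heapq

# Constructed topology from the figure: (switch, port) <-> (switch, port).
LINKS = [
    (("Cat-C", "1/1"), ("Cat-A", "1/1")),   # the "VLAN2 link"
    (("Cat-C", "1/2"), ("Cat-B", "1/1")),   # the "VLAN3 link"
    (("Cat-A", "1/2"), ("Cat-B", "1/2")),   # the MDF-to-MDF trunk
]
LINK_COST = 19  # 802.1D path cost of a 100 Mb/s link, assumed for every link

# Root bridge placement by per-VLAN bridge priority (assumed values): Cat-A is
# root for VLAN 2, Cat-B for VLAN 3, and the IDF switch is always the worst bridge.
PRIORITY = {
    2: {"Cat-A": 4096, "Cat-B": 8192, "Cat-C": 32768},
    3: {"Cat-A": 8192, "Cat-B": 4096, "Cat-C": 32768},
}

def bridge_id(vlan, switch):
    """Bridge ID ordering: lower priority wins; the name stands in for the MAC."""
    return (PRIORITY[vlan][switch], switch)

def _adjacency(links):
    adj = {}
    for (a, pa), (b, pb) in links:
        adj.setdefault(a, []).append((b, pa, pb))
        adj.setdefault(b, []).append((a, pb, pa))
    return adj

def root_path_costs(vlan, links):
    """Shortest-path tree from the VLAN's root: root path cost, root port and
    upstream bridge of every switch. Equal costs go to the lower bridge ID."""
    root = min(PRIORITY[vlan], key=lambda sw: bridge_id(vlan, sw))
    adj = _adjacency(links)
    cost, root_port, upstream = {root: 0}, {}, {}
    heap = [(0, root)]
    while heap:
        c, sw = heapq.heappop(heap)
        if c > cost[sw]:
            continue
        for nbr, _my_port, nbr_port in adj.get(sw, []):
            nc = c + LINK_COST
            better = nc < cost.get(nbr, float("inf"))
            tie = nc == cost.get(nbr) and bridge_id(vlan, sw) < bridge_id(vlan, upstream[nbr])
            if better or tie:
                cost[nbr], root_port[nbr], upstream[nbr] = nc, nbr_port, sw
                heapq.heappush(heap, (nc, nbr))
    return root, cost, root_port, upstream

def port_states(vlan, switch, links=LINKS):
    """802.1D state of each port of `switch` in `vlan`: the root port and the
    designated ports forward, every other port blocks."""
    root, cost, root_port, _ = root_path_costs(vlan, links)
    states = {}
    for nbr, my_port, _nbr_port in _adjacency(links).get(switch, []):
        if switch == root:
            states[my_port] = "forwarding (designated)"
        elif my_port == root_port[switch]:
            states[my_port] = "forwarding (root port)"
        else:
            # Designated bridge on the segment: lower root path cost, then lower bridge ID.
            mine = (cost[switch], bridge_id(vlan, switch))
            theirs = (cost[nbr], bridge_id(vlan, nbr))
            states[my_port] = "forwarding (designated)" if mine < theirs else "blocking"
    return states

def path_to_root(vlan, switch, links=LINKS):
    """Switches crossed from `switch` up to the VLAN's root bridge."""
    root, _, _, upstream = root_path_costs(vlan, links)
    hops = [switch]
    while hops[-1] != root:
        hops.append(upstream[hops[-1]])
    return hops

def tree_path(vlan, src, dst, links=LINKS):
    """Path a frame takes between two switches: up to the first common switch,
    then down. This is why Cat-C reaches a VLAN 2 server on Cat-B via Cat-A."""
    up_src, up_dst = path_to_root(vlan, src, links), path_to_root(vlan, dst, links)
    common = next(sw for sw in up_src if sw in up_dst)
    return up_src[:up_src.index(common)] + up_dst[up_dst.index(common)::-1]

def without_link(links, sw1, sw2):
    """Topology after the link between sw1 and sw2 fails."""
    return [l for l in links if {l[0][0], l[1][0]} != {sw1, sw2}]

if __name__ == "__main__":
    for vlan in (2, 3):
        print(f"VLAN {vlan}: Cat-C ports {port_states(vlan, 'Cat-C')}")
    print("VLAN 2, Cat-C to a server on Cat-B:", tree_path(2, "Cat-C", "Cat-B"))
    failed = without_link(LINKS, "Cat-C", "Cat-A")
    print("Cat-C/Cat-A link down, VLAN 2:", path_to_root(2, "Cat-C", failed),
          port_states(2, "Cat-C", failed))
```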
 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 15, 2002 9:16 PM
To: [EMAIL PROTECTED]
Subject: STP Question: Root Bridge placement load balancing [7:46701]


Hi,

Studying Cisco LAN Switching (by Hamilton & Clark), I didn't get how exactly
this method (Root Bridge placement load balancing) works. He
provides such an example (Figure 7-10):

              ___________
             |Cat-C (IDF)|
             |___________|
           1/1 /       \ 1/2
              /         \
      VLAN2  /           \  VLAN3
            /             \
           /               \
      1/1 /                 \ 1/1
  ________/___           ____\_______
 |Cat-A(MDF)  |_________|Cat-B(MDF)  |
 |____________|1/2   1/2|____________|
       |                      |
       |                      |
   Server Farm            Server Farm

Assuming that CAT-A is the Root bridge for VLAN2 and CAT-B is the Root
bridge for VLAN 3, I don't get how this method provides load balancing and
redundancy for CAT-C to the server farms. He doesn't say anything about the
third segment (the segment between CAT-A and CAT-B). Could anyone clarify
please?

Thanks in advance,
Hamid




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46703&t=46703



RE: serial interface down/down or up/down [7:47101]

2002-06-21 Thread Roberts, Larry

I have seen down/up on an Ethernet interface before.

On the older PIX code (5.x), interfaces were required to be connected
even if they were shut down for a failover config. This was for keepalive
purposes...
You would end up with an admin down/up, as it was shut down but still
receiving keepalives...
Talk about a condition to make you scratch your head...



Thanks

Larry
 

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 21, 2002 10:23 AM
To: [EMAIL PROTECTED]
Subject: Re: serial interface down/down or up/down [7:47101]


I have seen down/up, but this was on xGS routers around release 9.x. 
In those cases, it meant there was a main processor hardware (or 
rarely software) failure.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47164&t=47101



RE: VPN CLIENT + Dns [7:47125]

2002-06-21 Thread Roberts, Larry

Are these PPTP tunnels or IPSec?

PPTP appends those listed in the concentrator, while the cisco client will
remove the local ones and replace them with the ones from the concentrator.

If you have more than 3 listed, I don't know if they would show up.

Thanks

Larry
 

-Original Message-
From: Smart Student [mailto:[EMAIL PROTECTED]] 
Sent: Friday, June 21, 2002 5:05 AM
To: [EMAIL PROTECTED]
Subject: VPN CLIENT + Dns [7:47125]


Hi All Guru's ,


I need to config dns server entries for all the VPN clients that login to
the VPN concentrator but after adding the entries in the appropriate group
configurations also I have not been able to set any dns entries on the VPN
client machines. Can anybody out there suggest what I am doing wrong.


 


 


regards,


Bharat


 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47166&t=47125



RE: Repeat Commands [7:47185]

2002-06-22 Thread Roberts, Larry

I think it's only for the 6000 series running Native IOS though. Let us
know your results.

Thanks

Larry
 

-Original Message-
From: Aaron J. Moreau-Cook [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 22, 2002 8:14 AM
To: [EMAIL PROTECTED]
Subject: RE: Repeat Commands [7:47185]


That was EXACTLY what I was looking for.

I have included the group study mail list, for everyone else's benefit. I
looked on my 3662 running IOS 12.2(6) and sure enough it's there.

I'll have to try it out now.

thanks

-Original Message-
From: Glenn Johnson [mailto:[EMAIL PROTECTED]]
Sent: 22 June 2002 13:30
To: 'Aaron J. Moreau-Cook'
Subject: RE: Repeat Commands [7:47185]


That makes sense (being leery of what's on/off)

Did you see this?
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/ios121_e/swc
g/sw_int.htm#xtocid255273





-Original Message-
From: Aaron J. Moreau-Cook [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 22, 2002 8:02 AM
To: [EMAIL PROTECTED]
Subject: RE: Repeat Commands [7:47185]


I feel much better making sure it's not running on all interfaces.

The example given was a bad one though, how could I apply the command "no ip
directed-broadcast" to all interfaces easily?

Thanks

-Original Message-
From: Glenn Johnson [mailto:[EMAIL PROTECTED]]
Sent: 22 June 2002 12:56
To: 'Aaron J. Moreau-Cook'
Subject: RE: Repeat Commands [7:47185]


Couldn't you just try "no cdp run" in global config?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Aaron J. Moreau-Cook
Sent: Saturday, June 22, 2002 8:11 AM
To: [EMAIL PROTECTED]
Subject: Repeat Commands [7:47185]


Is there a way to simplify configurations where interfaces all share the
same attributes? I have a router that has 41 interfaces, but for instance, I
want ALL of them to have "no cdp enable" on them.

Thanks!

interface FastEthernet0/0
 ip route-cache cef
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet0/1
 ip route-cache cef
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet1/0
 ip route-cache cef
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!
interface FastEthernet1/1
 ip route-cache cef
 no ip directed-broadcast
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no cdp enable
!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47188&t=47185



RE: RE: VPN CLIENT + Dns [7:47125]

2002-06-24 Thread Roberts, Larry

The VPN Client is an IPSec tunnel. If you're using it, and the concentrator is
set to hand them out, it should work. We use the 3030 and the VPN Client
(3.5) and it works wonderfully.

It's really hard to go wrong with this. Under group/general properties, make
sure that the Primary and secondary DNS entries are present and that Inherit
is checked. That's all I had to do to make it work.

You did click on the save icon correct?

Thanks

Larry
 

-Original Message-
From: Smart Student [mailto:[EMAIL PROTECTED]] 
Sent: Monday, June 24, 2002 1:12 AM
To: [EMAIL PROTECTED]
Subject: Re: RE: VPN CLIENT + Dns [7:47125]


Thanks for the reply Larry, I am using IPSEC tunnels, is it possible to do
the same in IPSEC tunnels.


regards,


Smart Student




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47285&t=47125



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) not that I am aware of
2) Change the access-list name and paste it to the firewall. Then just
change the access-group statement to the new one. It's an instant change.
3) I think you're on crack. If you're using access-lists on all interfaces (you
are, aren't you???) then there is an implicit deny any any at the end.
I find many people who put a permit ip any any for the inside access-list.
While it makes administration much easier, it also is a BAD practice.
Remember we want to explicitly approve ports, not explicitly deny. You would
be surprised at the small number of ports that really need to be open!
4) This is a security device. You should always type the full command. I
don't want to take any chances of typing one thing and the PIX taking it as
another. I realize that you should know exactly what command you're entering,
but hey, not everyone is competent on the PIX so no chances.
5) Where did you get that info? The PIX 535 will absolutely blow any
checkpoint device out of the water. Not to mention that checkpoint still
hasn't figured out how to do IPSec tunnels *PROPERLY*. The PIX was only
recently made to be a small lightweight FW with the 501. I don't know about
you, but I want a firewall to do one thing and one thing only. I don't want
a FW that is also a mail gateway, dns server and whatnot that so many
devices try to be now.

Many FW's are made to be user friendly, and cover the backend stuff that
really happens. The PIX didn't take that approach. They want someone to
understand what they are doing, and putting a pretty GUI on it will only
lead to people who shouldn't be administering it, administrating it.
That is why I completely disagree with the PDM.

I'm not directing these comments at you in particular so please don't take
them that way. I'm only saying that we need to realize exactly what a FW
should do, and what it should not. We also need to realize exactly how a FW
works, not how the GUI works!

I agree it is a completely different interface, but if you are used to the
IOS interface, it will come quickly and you will never look back.

But, this is just my opinion!

Thanks

Larry
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 11:51 AM
To: [EMAIL PROTECTED]
Subject: PIX Firewall (6.2) General Questions RANT [7:47393]


Hey all, just recently got my hands on 4 new PIX firewalls and I am having
some issues with them that perhaps may be shortcomings of the PIX or me, but
I wanted to throw them out there and see if anyone has any comments:

1. Is there a way in the PIX to !Comment your access-list or conduit lines
to tell what the rule is doing. Now don't get me wrong you can look at the
rule and it's pretty straightforward, but I would like to comment them much
like you can do in IOS. The only way that I have found to do this is by
taking every external or internal IP address that we have and are denying or
allowing and giving it a name. But this also has its shortcomings because of
the 16 character limit.

2. What is with the access-list rules and importing? I don't get it. Why do
they need to append instead of replace? I am going to assume that the
access-list is read from the top down (just like in IOS) so if I export
my config, change around the order then try to paste *does not take*. The
workaround I found for this nifty problem is exporting the access-list to
Ultraedit, putting a "no" statement in front of all of the statements,
clearing them, then making the change and importing them. How do people in a
large PIX environment with a multitude of rules, and a dynamic environment
manage this? Or the PIX's for that matter as a side.

3. Tell me if I'm smoking crack here, but the default stance of the PIX is bass
ackwards, when it comes to internal hosts to the outside. I mean look when I
put out the firewall and config my INBOUND lists, why do I want everyone in
the company to be able to NETBIOS across the firewall (outbound)?! I have
worked with one other firewall (CyberGuard) and their stance IMHO is the
best, DENY ALL, permit what I say to permit. It's a firewall, not a router
(in the security sense people, I know what it is REALLY, but relating to
Cisco).

4. Little things too...like why no command completion? I know that this is a
Cisco acquired device, but you would think that they would make it easy to
configure from the command line, especially with the influx of making it
more IOS'e. Is this going to be available in later versions? Anyone know?

5. I know the PIX was conceived as a small lightweight, "streamline" device
that is going to protect your network but you should not do any WIZ
bang stuff with it...but then again Cisco markets to everyone and are
competing with the WIZ Bang firewall vendors like checkpoint. I mean come on
GROUPING was just added in 6.2!

If anyone can shed some light on these issues for me it would be much
appreciated. What I'm really looking for here is some guidance as to people
with large PIX de

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

1) I can look at every single ACL entry and tell you what it's doing. I don't
use comments in a router either, but that's my preference...
I understand your point, but I want my ACLs to be as short as possible.
2) How I do it, and I have a 200-300 line ACL: If I want to change it, I copy
the existing ACL into notepad. I then change the case ACL->acl or
vice versa. I make the changes to the new ACL that I created and copy that
back to the firewall. There are then 2 ACLs on the firewall: the running
ACL, and the one that I want to apply. I change the access-group command
(there can only be 1 per interface so no need to remove the old one, just type
in the new one) and it's done. The PIX goes directly from 1 list to the
other. It doesn't kill any existing sessions or even cause a hiccup.
3) access-lists get you a more "IOS like" interface. You can still use
conduits if you wish, but ACLs are the way of the future.
4) Understood. I guess they want you to type out the full command, but I'm
just guessing.
5) Raw throughput. Dude, if you want raw speed, you wouldn't use a DOS based
system at all. When you talk about small lightweight, what did you mean
then? I want a FW to do encryption/decryption and raw packet throughput as
fast as possible. What does the GUI give you other than a pretty UI? Does it
make the FW more secure? Does it give it more features? It adds nothing and
slows it down. If you don't care about performance, then grab that old 486
and run linux on it. It would be secure, and with the newest Xwindows, would
give you a pretty interface to administer it. Performance would suck, but you
don't care about that.

5) Up until the latest version of Checkpoint, it would not allow you to do IP
nat prior to tunnelling for the entire routable space (class A - C)

I would advise that you read up on the mail guard feature. It does NOT act
as a SMTP relay/proxy. It acts as a SMTP filter. It prevents non-RFC
commands (READ ESMTP) from passing through the FW. By blocking ESMTP
commands it's doing exactly what it should. That's not a tendency to suck,
that's a tendency to protect your networks from ESMTP attacks. I would
complain bitterly if I didn't have the ability to block ESMTP commands. Do
any others give you that ability? (I don't know anymore)

A FW should be a FW, and that's it. Why add a feature (SMTP) that may have
a bug in it? The reason that a PIX has never been hacked is because they
have avoided the do all/be all approach that throws too many variables into
the mix.


Thanks

Larry
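The ACL cut-over Larry describes (item 2 in both of his replies) together with his warning about `permit ip any any` on the inside list (item 3 in the first reply), as an added example that is not from the thread: it stages a renamed copy of a PIX 6.x access-list (case-swapped by default, as he does), audits the copy for a broad permit that defeats the implicit deny and shadows later entries, and emits the single access-group change. The config fragment and the ACL name INSIDE_IN are constructed.

```python
import re

ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (\S+) (.*)$")
AG_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

# Constructed PIX 6.x config fragment (not from any real firewall); the ACL
# name INSIDE_IN is an assumption.
SAMPLE_CONFIG = """\
access-list INSIDE_IN permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list INSIDE_IN permit udp 10.1.1.0 255.255.255.0 host 192.0.2.53 eq domain
access-list INSIDE_IN permit ip any any
access-list INSIDE_IN deny tcp any any eq 135
access-group INSIDE_IN in interface inside
"""

def acl_entries(config, name):
    """Entries of one named ACL, in the top-down order the PIX evaluates them
    (names are case-sensitive, which is what makes the ACL/acl trick work)."""
    return [l for l in config.splitlines() if l.startswith(f"access-list {name} ")]

def bound_interface(config, name):
    """Interface the ACL is applied to, or None if it is only staged."""
    for l in config.splitlines():
        m = AG_RE.match(l)
        if m and m.group(1) == name:
            return m.group(2)
    return None

def audit(entries):
    """Review warnings before a list is pushed: a 'permit ip any any' throws
    away the implicit deny and makes everything after it unreachable."""
    warnings = []
    for i, line in enumerate(entries, 1):
        m = ACL_RE.match(line)
        if not m:
            warnings.append(f"line {i}: unparsed entry: {line}")
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4)
        if action == "permit" and proto == "ip" and rest == "any any":
            warnings.append(f"line {i}: permit ip any any defeats the implicit deny; "
                            f"{len(entries) - i} entries after it are unreachable")
            break
    return warnings

def cutover(config, name, new_name=None, edit=lambda entries: entries):
    """Commands for the swap: a full copy of the ACL under a new name (default:
    case swapped), with the edit applied, then one access-group change so the
    PIX moves from the old list to the new one without a gap."""
    new_name = new_name or name.swapcase()
    iface = bound_interface(config, name)
    if iface is None:
        raise ValueError(f"{name} is not applied to any interface")
    staged = [l.replace(f"access-list {name} ", f"access-list {new_name} ", 1)
              for l in edit(acl_entries(config, name))]
    if not staged:
        raise ValueError("nothing to stage")
    return staged + [f"access-group {new_name} in interface {iface}"]

def drop_broad_permits(entries):
    """Edit used in the demo: remove 'permit ip any any' so the implicit deny applies."""
    return [l for l in entries if not l.endswith(" permit ip any any")]

if __name__ == "__main__":
    for w in audit(acl_entries(SAMPLE_CONFIG, "INSIDE_IN")):
        print("WARNING", w)
    print("\n".join(cutover(SAMPLE_CONFIG, "INSIDE_IN", edit=drop_broad_permits)))
```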
 

-Original Message-
From: Richard Tufaro [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: Re: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


ok good answers on some, but you tap around a few things..

1) why no comments? do competent administrators not need any comments to
tell you what the rules are doing and where they are going (or not going?)
2) I don't get that part...change the name of the access-list...no not an
instant change, there is a second step of applying it to the interface. Let
me see...4 step process to change a rule.
3) I understand the IOS access-lists (which 5.1? PIX just recently
introduced). Still the administration is a pain. All I'm doing is making
access-lists...big deal. What does PIX get you there "ASA" and "stateful"
inspection.
4) I meant command completion..just a little thing. Like when I'm typing: >
object-group network. I want to be able to type obje. TAB and then the IOS
complete the command. This is not being "competent" this is being efficient.
5) What basis do you say that the 535 will blow Checkpoint out of the water?
Because of speed? Dude little secret if you take Windows...and strip it to
DOS...it's going to smoke. And please don't harp about doing things
"properly". Because when you say "properly" you mean the Cisco way. Hate to
tell you, but they take "standards" all the time and fit them to their
devices.

To sum it up on your last comment let me say this. A FIREWALL is only as
good as its configuration. That being said, if I can mitigate the risk of
making a configuration mistake by having a "user friendly" way of doing it,
I don't see why that is so wrong. While I agree that a firewall should not
be a ONE ALL BE ALL on the network, having SMTP proxies and such on your
firewall sometimes makes sense for:

outside address conservation (all MX records for example are routed back to
one IP on the outside then relayed to internal hosts). Oh and PIX does do a
chezzbal implementation of this (mailguard). Which has a tendency to suck as
far as I have seen (can't do ESMTP?! what's with that?)

I have worked on CyberGuards for a long time...they are SCO unix. You want
to learn a little something about the backend of a firewall, get on the
command line 

RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry
vidences?  I remembered not too long
   ago that Pix also suffers from SNMP and SSH vulnerabilities just
   like any Cisco devices.
6) The pix is faster than CP because you are off-loading the logging
   (syslog) and authentication (TACACS or RADIUS) to external devices.
   I can make CP NG just as fast, if not faster, if I also off-load
   logging and authentication to external devices like Pix.
   Furthermore, please don't make comments like that without
   research.  Did you know that CP Next Generation can run on SMP
   (multi-processor) machines and also can run as Active/Active
   configuration?  I know for a fact that Pix can only do Active/
   Standby.  In that case, CP can beat Pix handily.
7) Pix only supports SSH version 1.  There are a lot of vulnerabilities
   in SSH version 1.  CP supports both Version 1 and 2.  However,
   version 1 is OFF by default.
8) It is very difficult to automatically backup Pix configuration using
   a script because since SSH in pix does NOT support key authentication,
   if one writes a script to backup hundreds of pix firewalls, username
   and password have to be embedded into the script.  Not a good thing.
   On the other hand, CP supports key authentication (RSA and DSA).  Because
   of this, no password is needed.  Very simple and secure.
9) At the moment, there is NO solution for managing multiple Pix
   firewalls for Managed Service Providers.  Managing a few pix
   firewalls via CLI might work for a small shop; however, that is
   NOT a solution for MSP.  With CP, you have Provider-1, which can
   manage hundreds, if not thousands of firewalls.
10)If Pix is a secure platform, how come telnet is ON by default?  It
   doesn't matter if it is only open for connection on the inside?
11)The learning curve is much steeper for Pix than for CP,

Again, my .02c



RE: PIX Firewall (6.2) General Questions RANT [7:47393]

2002-06-25 Thread Roberts, Larry

I don't mind in-band for internal router configuration, but since the FW is
the only line of defense between me and the rest of you guys :) I am very
very careful about how anyone can access it. Telnet is insecure, and I don't
like SSH (personal preference) so I am left with no options.
I also am concerned that I could lose in-band access to the devices (a
switch fails, or loses power, or better yet the server guys unplug the wrong
cables) so I don't even bother accessing them that way anymore.

These are MY personal preferences and how I deal with some of the
limitations of the PIX (did I say that?) as well as other security
concerns.

I'm afraid that this might become more of a personal preference attack
thread, in which I was admittedly finding myself getting involved.
I don't want to make enemies or have people lose respect for my opinion
just because I prefer brand A over brand B and I didn't think anyone was all
that interested in where it was going.

I did however find some additional information that may balance the scales
performance wise between the PIX and CP. I'm still researching so some of my
concerns might become moot...

Thanks

Larry
 

-Original Message-
From: Craig Columbus [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, June 25, 2002 4:06 PM
To: Roberts, Larry
Cc: [EMAIL PROTECTED]
Subject: RE: PIX Firewall (6.2) General Questions RANT [7:47393]


Actually, I hope you don't take it offline.  I enjoy reading both sides of 
the argument and there is merit to both viewpoints.  In my personal 
opinion, each firewall has its place, depending on the target 
customer.  There are also some customers for which I'd recommend Netscreen 
or Sonicwall over either PIX or CP-NG.

Larry:  Out of curiosity, why don't you like in-band management?  It seems 
that with proper configuration (SSH, etc.) that it can be quite secure.

Craig

At 05:16 PM 6/25/2002 -0400, you wrote:
>1) Personal Opinion. The last breakdown I saw (5-6 months ago in
>network world I believe) shows Cisco with 70% market share in mid-top
>level space.
>  Type no logg cons or no logg mon. It will break out of the debug. No your
>letters aren't typed next to each other, but the PIX doesn't care.
>I will give you that the DEBUG could use some work in that it is more
>difficult to filter out what you want and what you don't when you logg to
>console or monitor
>
>2) I completely agree. I don't believe in GUI's for Network devices.
>
>3) I use the pager command all the time. I set it to 5000 to dump the
>whole config and then capture the output. I will delete half my config
>to get to your scenario and try. I set it to 15 when I am looking at
>debug
>
>4) I use CiscoWorks 2K and can read the messages quite nicely. You
>could also use Private-I.
>
>5) I will search for the article. I didn't bookmark it. I also said the
>PIX hadn't been hacked, not IP hasn't been hacked. No one has hacked
>Finesse. I am sorry for the confusion.
>
>6) Will either of those Active Active boxes push 1.7Gbps cleartext or
>95Mbps 3Des traffic and 1/2Mil connections.. I didn't say combined, I
>said individually. I can run 2 PIX's and double my numbers as well. Can
>you terminate a tunnel on both boxes and load balance traffic over both
>of them from the same source? This is the latest performance brief
>that I could find. I have included them to show you what I did review.
>I can send you the PDF of Cisco's performance to back up my statistics
>for them if you would like. Perhaps you should do some research before
>you question mine.
>http://www.rainfinity.com/products/wp_performance_brief.pdf
>Remember we are talking hardware vs. software FW's so CP's results are
>bound to be lower. Also to note for CP is that it is a MUCH cheaper
>solution. That's a plus for it.
>
>7) I only manage PIX's OOB so that point is moot for me.
>
>8) I do it manually, every time I make a change. It helps limit the
>number of copies of my config that are floating around.
>
>9) Really, I don't believe in In-band management, so I assume that CP-1
>will dial-up and manage devices that way? I also don't have many
>universal changes that I can push out to 30+ devices, so the ability
>to manage that many from one place is moot for me as well.
>
>10) first see number 7, secondly its interfaces are all 127.0.0.1 so
>you couldn't access it on a PC by default anyways. You also must
>specify WHAT hosts can access it prior to it being accessed. It's turned
>on, but no one is permitted.
>
>11) Yes it is. But so is the learning curve for HP-UX over Windows 2k,
>but which would you rather have running your daily operations on?
>
>This i

RE: pix question [7:47556]

2002-06-27 Thread Roberts, Larry

And to top it off, unless you're running the newest code, the only way to
enable the new code is to reinstall the OS...
In 6.2 they have added the ability to change from the command prompt, but in
older versions it's only possible by reloading the OS, even if it's the same
OS.



Thanks

Larry
 

-Original Message-
From: Dan Penn [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, June 27, 2002 11:37 AM
To: [EMAIL PROTECTED]
Subject: RE: pix question [7:47556]


Wrong, the 3DES isn't like most cisco features that you can just download.
They give you a code that you actually have to enter into the pix.

Dan

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Matthew Carpenter
Sent: Thursday, June 27, 2002 8:46 AM
To: [EMAIL PROTECTED]
Subject: Re: pix question [7:47556]

I don't think so
- Original Message -
From: "GEORGE" 
To: 
Sent: Thursday, June 27, 2002 9:03 AM
Subject: pix question [7:47556]


I have the 3des encryption disabled do I have to purchase a license to
enable it?

VPN-3DES:   Disabled




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47580&t=47556



4006 IP Phone DHCP problem [7:56049]

2002-10-21 Thread Roberts, Larry
Hey folks, I'm hoping that one of you can help me with a problem.
I have a 4006 with a SUPIII running 2 VLANs. The Data VLAN is VLAN 1 and
the Voice VLAN is VLAN 200.
I have a DHCP server on VLAN 1 with the proper scopes defined.
My problem is that the phone is getting a VLAN 1 ip address, not a VLAN 200.

Standard IP phone config:

interface FastEthernet x/x
 description IP Phone
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport voice vlan 200
 no snmp trap link-status
 spanning-tree portfast


Now if I hardcode the switchport to VLAN 200 with a switchport access vlan
200 and switchport mode access, it works fine.

I did a debug on the SUPIII and I see the bootp request come in on VLAN 200,
and I can see the SUP III set the GIADDR to the VLAN 200 address.

I had the onsite tech take a look at the phone, and it sees itself as on
VLAN 200, so I don't understand why the request is being met with a VLAN 1
IP.

I know that the scopes are correct because hard coding the interface makes
it work. I know that the VLAN interface configuration is correct because it
works when the port is hard coded to the correct interface.

I suspected that CEF was preventing the router from setting the GIADDR of
the packet, but debug shows it doing it so now I am lost.

I tried the standard " no ip route-cache / mroute-cache " but that hasn't
helped. I don't know if it's a software bug or what, but I am at a loss.

Anybody done this before? I have several 3500's running this configuration
and they work fine, so I am beginning to wonder if it isn't the SUP III
that is causing the issue. Perhaps it says it's rewriting the GIADDR, but it's
not.

IOS used: System image file is "bootflash:cat4000-is-mz.121-12c.EW.bin"

Any help/thoughts/verbal abuse is appreciated. 
I have a TAC case open to see what I'm doing wrong, but they aren't seeing
anything config wise being the problem so I thought I would try the experts
over here.

Thanks

Larry




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56049&t=56049



RE: 4006 IP Phone DHCP problem [7:56049]

2002-10-24 Thread Roberts, Larry
I think the problem is that the 4006 is an IOS switch. I haven't worked with
VoIP on a "set" based switch yet, so I don't know much about configuring
them for this stuff.



Thanks

Larry
 

-Original Message-
From: Jennifer Mellone [mailto:jmellone@;speakeasy.net] 
Sent: Wednesday, October 23, 2002 10:45 PM
To: [EMAIL PROTECTED]
Subject: RE: 4006 IP Phone DHCP problem [7:56049]


Larry,

I noticed you have the command "switchport trunk encapsulation dot1q". 

Do you need to configure the interface/port as a trunk when you do the "set
port auxiliaryvlan" command (catos) or the "switch voice vlan" command (ios
switch)? According to Cisco's website, you don't for a catos switch, but you
do for an ios switch:
 
Check this out:
http://www.cisco.com/univercd/cc/td/doc/product/voice/ip_tele/network/dgcampus.htm#xtocid364019

NO TRUNKING HERE ON CATOS SWITCH:

Voice VLAN Configuration

To configure the VVID from the Catalyst software CLI, use the set port
auxiliaryvlan command. You can use this command to set the VVID on a single
port, on a range of ports, or for an entire module. The following example
shows how to display the command syntax:

Console> (enable) set port auxiliaryvlan help

Usage: set port auxiliaryvlan 



(vlan + 1..1000)


In the following example, the VVID is set to 222 for ports 2/1 through 2/3.
When the phone powers up, the switch instructs it to register with VLAN 222.

Console> (enable) set port auxiliaryvlan 2/1-3 222

Auxiliaryvlan 222 configuration successful.


The following examples show how to display which ports are in which
auxiliary VLAN:

Console> show port auxiliaryvlan 222

AuxiliaryVlan auxVlanStatus Mod/Ports

- - -

222 222 1/2,2/1-3

Console> show port 2/1

Port AuxiliaryVlan AuxVlan-Status

- - --

2.1 222 active



-

TRUNKING HERE ON IOS SWITCH:

 

The following is an example of VVID configuration on Catalyst switches
running Cisco IOS at the interface level (for example, Catalyst 3524-PWR and
2900XL):

interface FastEthernet0/1

switchport trunk encapsulation dot1q

switchport trunk native vlan 

switchport mode trunk

switchport voice vlan 

spanning-tree portfast

switchport mode trust



- Jennifer
PS - are you going to trust the CoS going from phone to switch?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56225&t=56049



RE: 4006 IP Phone DHCP problem [7:56049]

2002-10-24 Thread Roberts, Larry
Sorry for the late reply. Our e-mail was backed up and I am not going
through over 300 emails from the Groupstudy lists.

We have the Cisco eq. working fine and I am currently trying to get the
Avaya stuff to work. Unfortunately I don't have access to the eq directly,
so I have to work with the on site tech to configure things.

Once I get it working I will let everyone know, or if not, why it doesn't
work...

Thanks

Larry
 

-Original Message-
From: Jennifer Mellone [mailto:jmellone@;speakeasy.net] 
Sent: Wednesday, October 23, 2002 10:49 PM
To: [EMAIL PROTECTED]
Subject: RE: 4006 IP Phone DHCP problem [7:56049]


Larry,

Don't mind me, I'm not challenging the configs, just trying to learn -
sometimes Cisco's website can be very unclear to me ;-)

I forgot to ask - How are those Avaya phones working out compared to Cisco
phones?

- Jennifer




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56224&t=56049



RE: Dreadful writing on CCNP support exam. [7:56237]

2002-10-27 Thread Roberts, Larry
Are you sure you haven't taken any of the Cisco Exams ? You almost nailed it
exactly.
I passed all the exams with room to spare so I'm not bitter, but I found
myself trying to figure out which answer was "less wrong" than the
others...

:)

Thanks

Larry
 

-Original Message-
From: Howard C. Berkowitz [mailto:hcb@;gettcomm.com] 
Sent: Sunday, October 27, 2002 12:37 PM
To: [EMAIL PROTECTED]
Subject: RE: Dreadful writing on CCNP support exam. [7:56237]


At 1:31 PM + 10/27/02, Joshua Barnes wrote:
>I thought the routing exam was the worst offender for ambiguity. 
>CIT a close second.


The ultimate ambiguity would be if you couldn't decide which of the 
two was worse.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56391&t=56237



RE: Open lab dates... [7:56653]

2002-11-01 Thread Roberts, Larry
Yea, they opened up Monday for test taking...

Thanks

Larry
 

-Original Message-
From: Eric R [mailto:nobody@;groupstudy.com] 
Sent: Thursday, October 31, 2002 11:28 PM
To: [EMAIL PROTECTED]
Subject: Open lab dates... [7:56653]


There sure has been a boat load of seats opening up in the lab lately.
Someone know something I don't???

-Eric R.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56682&t=56653



RE: configuring NTP [7:56811]

2002-11-04 Thread Roberts, Larry
What they mean is that when you copy your NTP configuration to other
devices, don't include the ntp clock-period command. This is an
automatically generated command that helps the router sync and stay sync'd
in case it loses connectivity to the main NTP server. Each router will have
a clock frequency that is slightly different. This value is specific to each
router, and it tells the router how *off* its clock is and how often it
should adjust what time the clock says it is to stay in time with the actual
time.

If you delete the command from a router, you will see that it will show back
up. If you add it to a router that it wasn't generated on, you will instruct
that router to change its clock incorrectly.

Think of it this way.
2 people , each have a watch on. Each are talking to me ( a person with a
very accurate watch )

Person A has a watch that loses 1 minute every hour.
Person B has a watch that gains 1 minute every hour.

Both people compare their clock to mine and notice that their watch is
drifting from my clock, which is a clock they consider accurate. Each make a
mental note to adjust their watch every hour , either adding a minute for
Person A, or subtracting a minute for person B. Now, they know that if they
do this, even if they don't talk to me for days that when we do talk our
watches will be sync'd.

Now, Person A doesn't know how to adjust his watch so he asks Person B, who
says "subtract a minute every hour".
While subtracting a minute is correct for Person B, it will cause Person A
to lose 2 minutes every hour, thus getting away from sync very quickly.

Hope this helps

Thanks

Larry
 

-Original Message-
From: Tony Chen [mailto:tonychen@;ballfoundation.org] 
Sent: Monday, November 04, 2002 10:26 AM
To: [EMAIL PROTECTED]
Subject: configuring NTP [7:56811]


I found the reference to the NTP command which states the need to remove one
of the commands when copying the config file (I still don't fully understand
why):

=
Caution   The ntp clock-period command is automatically generated to reflect
the constantly changing correction factor when the copy
running-configuration startup-configuration command is entered to save the
configuration to NVRAM. Do not attempt to manually use the ntp clock-period
command. Ensure that you remove this command line when copying configuration
files to other devices.
=


If anyone knows why they suggest removing this command, please explain.
I thought the start-up config is only passively stored in the NVRAM,
waiting to be copied to running-config.

Tony




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=56815&t=56811



RE: WLAN security matters [7:57160]

2002-11-11 Thread Roberts, Larry
Going back to the original e-mail question.

I disagree that EAP-TLS is not a solution for sniffing. Technically any
wireless data can be sniffed, regardless of encryption. However, it will be
garbage until decoded. If you use EAP-TLS and set the rekeying to a very
short interval ( say 1 minute ) you would not be passing enough data for the
person to be able to decrypt using the weakness in the IV. I'm not saying
rekey every 1 minute, just that rekeying at 1 minute would assure you that
not enough data had passed. You need to weigh the load on the server/the
amount of wireless traffic/the amount of security that you need, to come up
with the rekeying interval. 

The biggest drawback to EAP-TLS has been lack of support at the OS level.
Windows XP supports it natively, but all other Microsoft OS's require
additional software. Supposedly Microsoft is going to back fit W2K , but
they haven't released when. If you want vendor neutrality as I am looking to
do , you either need to be assured that all the vendors release software
that allows you to run EAP-TLS on your PC, or wait until MS does it at the
OS level.
I know that Cisco and Lucent have EAP-TLS aware clients, although I have
only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware AP's,
but I have yet to get the spare time to actually install my AP-500. 

With EAP-TLS, you must worry about stolen laptops, which will have the
Certificate stored automatically allowing access to the network. CSACS 3.0
doesn't support CRL's, so until 3.1 comes out, which I was told will have
CRL support, you will need to just disable the username on the certificate.

The more obstacles that the end user must jump over, the more likely that a
rogue AP will pop up on the network.
It is critical IMO that the authentication to the network be as smooth and
transparent as possible. LEAP does an excellent job of that, but it's
proprietary :(

Just my opinion though

Thanks

Larry
 

-Original Message-
From: Carlos Fragoso Mariscal [mailto:cfragoso@;terra.es] 
Sent: Monday, November 11, 2002 6:03 PM
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]


Hi Vicky,

Thank you for your answer but although I'm interested in almost every
possible way to secure that kind of network, I rather prefer standard
solutions not based on vendor-hardware.

Anyway, could you give me and the rest of the list a link about the product
you were referring to?

Thanks in advance,

-- Carlos

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com] On Behalf Of Vicky
O. Mair Sent: Sunday, November 10, 2002 1:57
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]


hi there,

ping me offline and i can direct you to folks who have a (hw) solution which
not only secures wlans but also does a good job protecting your overall
backbone security.

/vicky

-Original Message-
From: [EMAIL PROTECTED] [mailto:nobody@;groupstudy.com]On Behalf Of
Carlos Fragoso Mariscal
Sent: Saturday, November 09, 2002 9:19 AM
To: [EMAIL PROTECTED]
Subject: WLAN security matters [7:57160]


Hello,

I'm doing research for the deployment of a secure implementation of a
wireless 802.11a/b environment.

Until WPA (Wireless Protected Access) from the WiFi alliance comes to life
next year, I realised that WEP is the only air-side Layer 2
(crackable) encryption protocol. This lack of security requires other
upper-layer protocols to do this job such as IPSec or VPN implementations.
Those solutions seem to be not very scalable indeed.

I would like to know which kind of implementations are the most preferred
and desirable for you. Is anyone managing a similar secure deployment?
I have heard a little bit about Cisco's vendor implementation (LEAP)
but I suppose it only works with both APs and client cards from Cisco.

Authentication is a first step, 802.1x could help us to authenticate users
and establish a secure VLAN-based traffic, but it is not a solution for
air-side sniffing and spoofing. Is IPSec or VPN the only solution?

If anyone has any documentation or slides about LEAP, 802.1x or secure
wireless deployments, it will be appreciated.

Thank you,

-- Carlos




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57254&t=57160



RE: WLAN security matters [7:57160]

2002-11-11 Thread Roberts, Larry
I wasn't aware that 3.1 was out. I was told way back when that 3.1 would
include CRL support by TAC , but considering my recent troubles with TAC, it
doesn't surprise me.

I agree with the stolen laptop, but you're expecting the typical user to
actually think. If they do actually ( send them a bonus check and flowers !
) then you would need to disable, but NOT delete, the account listed as the
CN of the cert.
If 3.1 does support CRL's then you could revoke the cert, but otherwise,
change the CN and disable the old account.

My approach is going to be issue a single Cert. per wireless location. If it
is compromised everyone that uses those AP's will need to get another Cert
that is valid and then disable the old one.  My reasoning for this is that I
don't want to issue everyone a Cert based on their network login, else when
it's lost, I have to disable their account and assign a new, and non-standard
login. I guess you could modify the login for cert purposes, but then you
still have an equal number of certs per wireless user. I figure it is more
manageable to have 50 certs for 50 locations than 2500 certs for 2500 users.


Of course if I could just dictate Cisco and LEAP then all would be well, but
alas, it ain't gonna happen.

Thanks

Larry
 

-Original Message-
From: Paul Forbes [mailto:Paul_Forbes@;Trimble.com] 
Sent: Monday, November 11, 2002 8:40 PM
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]


Some notes/opinions:

1. A stolen laptop should trigger an employee to contact Human Resources,
Security and/or IS. Anything less on the part of said employee is cause for
termination - period. Alternatively, if the perceived threat is via
corporate/military espionage, then the short-term solution is IPsec (IMO
defeating the valuable properties of
wireless) and long-term PEAP. Better yet, no wireless access at all and lock
your wired ports down via URT or some such.

2. ACS v3.1 was released and is orderable, but I can't find a single thing
regarding CRL support by the authentication server. I'm digging around
within my Cisco contacts for an answer. If I hear anything on this front,
I'll be sure to toss up a comment.

3. Mike G. mentioned in a previous email the absence of AES in Cisco's
product plans. This is NOT the case - the AP1200 product line was created so
that, among other reasons, the CPU was capable of 256-bit AES. This was
addressed in some detail at the San Diego Networkers' evening Product
Session by Mike McAndrews, the Director of Product Management for the
Wireless Networking BU.

Cheers all.

Paul

> -Original Message-
> From: Roberts, Larry [mailto:Larry.Roberts@;expanets.com]
> Sent: Monday, November 11, 2002 4:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: WLAN security matters [7:57160]
> 
> 
> Going back to the original e-mail question.
> 
> I disagree that EAP-TLS is not a solution for sniffing. Technically any
> wireless data can be sniffed, regardless of encryption. However, it will be
> garbage until decoded. If you use EAP-TLS and set the rekeying to a very
> short interval ( say 1 minute ) you would not be passing enough data for the
> person to be able to decrypt using the weakness in the IV. I'm not saying
> rekey every 1 minute, just that rekeying at 1 minute would assure you that
> not enough data had passed. You need to weigh the load on the server/the
> amount of wireless traffic/the amount of security that you need, to come up
> with the rekeying interval.
> 
> The biggest drawback to EAP-TLS has been lack of support at the OS level.
> Windows XP supports it natively, but all other Microsoft OS's require
> additional software. Supposedly Microsoft is going to back fit W2K, but
> they haven't released when. If you want vendor neutrality as I am looking to
> do, you either need to be assured that all the vendors release software
> that allows you to run EAP-TLS on your PC, or wait until MS does it at the
> OS level.
> I know that Cisco and Lucent have EAP-TLS aware clients, although I have
> only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware AP's,
> but I have yet to get the spare time to actually install my AP-500.
> 
> With EAP-TLS, you must worry about stolen laptops, which will have the
> Certificate stored automatically allowing access to the network. CSACS
> 3.0 doesn't support CRL's, so until 3.1 comes out which I was told will have
> CRL support, you will need to just disable the username on the certificate.
> 
> The more obstacles that the end user must jump over, the more likely that a
> rogue AP will pop up on the network.
> It is critical IMO that the authenticati

RE: 802.1q trunking [7:57772]

2002-11-20 Thread Roberts, Larry
Is this all 1 flat VLAN now ? If so, read below:

If so , and you just want to migrate, I would assign a secondary address to
the FE port on the Router that is a 10.x.x.x scheme that you want.
This will allow you to have both active and not need to worry about what
port that a PC is plugged into.
Otherwise, you will be changing the IP of the PC then changing its port VLAN
membership on the switch.

The method that you are trying will work, but it's more work than you need
to do if you're just migrating from one IP name space to the other.

If you assign a secondary address to the router, all you will need to do is
to change the IP of the PC's and reboot.
If you're running DHCP, change its scope so it hands out 10.x.x.x addresses
and as the current leases expire, they will get a new one. Once all the old
address space is gone, just go into the router and type the ip address
10.x.x.x command without secondary on the end. This will move this IP to
the primary address and remove the old address from the router. Tada, you're
done.

If you want to use separate subnets on each floor, then you would need to
use sub-interfaces which I am sure others will cover in detail. If not, I
will jump back in.

Thanks

Larry
 

-Original Message-
From: Kris Waters [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 20, 2002 10:47 AM
To: [EMAIL PROTECTED]
Subject: 802.1q trunking [7:57772]


Everyone,

Let me explain what I am trying to do. My main building was set up years ago
with a Class C address scheme. I need to change this for a number of reasons
and am planning to move it to a 10.X.X.X scheme. I would like to do this on
a gradual basis.

My building contains the following equipment:

7206VXR router that does internal routing. I have one FastEthernet port on
this router.

One Catalyst 4006 (Sup2, set based code) switch on the third floor. Both
these devices run the latest code.

The first and second floors have Catalyst 3500 switches with fiber between
floors. A VTP domain is set up between the 3 switches.

It was suggested to me to put 3 subinterfaces on the fastethernet port on
the router and then trunk them to the switch (or switches). I'm not quite
sure of the best way to go about doing this. I've read numerous tac
articles, but a little more guidance would be greatly appreciated.

Here is a sample of the code I used on the 7206 to create the subinterfaces:
interface FastEthernet0/0.1
 encapsulation dot1Q 111
 ip address 10.50.1.1 255.255.255.0

What do I do now? The router is plugged directly into port 4/10 on the 4006.
Do I create a VLAN 111 on the 4006? Any replies can be copied directly to me
at [EMAIL PROTECTED] as well as to the board.

TIA
Kris




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57782&t=57772



RE: for PIX VPN gurus... [7:58448]

2002-12-03 Thread Roberts, Larry
Taking a guess, but could you specify multiple destination IP's under the
crypto map peer statement?

PIX#(config) crypto map TEST 10 set peer 10.20.30.1 10.20.30.2

PIX#(config) show crypto map
Crypto Map: "TEST" interfaces: { }

Crypto Map "TEST" 10 ipsec-isakmp
Peer = 10.20.30.1
Peer = 10.20.30.2
No matching address list set.
Current peer: 10.20.30.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ }

I believe that this will first cause it to build to .1, and if it is
unavailable to .2
I would be curious as to how you're going to handle the internal routing back
to the corporate site?
I think that would be a stumbling block from what I can tell.


Thanks

Larry
 

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 11:14 AM
To: [EMAIL PROTECTED]
Subject: for PIX VPN gurus... [7:58448]


I have a requirement in which a single Headquarters PIX needs to VPN over
the internet to a single remote site which have two separate PIXes
(connected the same site LAN).  The goal is to introduce redundancy into the
VPN connection to the remote site.  Unfortunately, it has to be like this
due to the company's hardware limitations.

This is not a "classic" PIX failover configuration via the serial method
(515, 525, 535), but two separate PIX 506's connected separately to the same
LAN.

I can't find anywhere on CCO whether this config is supported, and the TAC
engineer is also clueless (he even said that he doesn't have a way to LAB it
up--can you believe that?.  This is Cisco we're talking about here).

Anyway, anybody ever done something like this?  Will this work?  Can
somebody test this?

BTW, I need to know ASAP, because the customer wants to implement this
immediately if it will work.

Thanks,

Eddie




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58455&t=58448



RE: Secondary IP Addresses [7:58498]

2002-12-03 Thread Roberts, Larry
How do you handle when the DHCP server is on the same subnet as the FE with
multiple sub-interfaces ?
The router never even gets to touch the packet and therefore the Server
doesn't know to assign IP's from the secondary scope. Or at least that has
been my experience.

I'm not going to touch the reasonable DHCP server platform statement. That
sounds like MS bashing in the waiting :)



-Original Message-
From: p b [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 7:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Secondary IP Addresses [7:58498]


Actually using secondaries and DHCP should be a non issue with
any reasonable DHCP server platform.   As you mention, in many
versions of IOS the interface's primary IP address is used
as the DHCP giaddr.  If an interface has multiple secondaries, one just
needs to configure the DHCP server to be aware that there are multiple
scopes associated with the giaddr.  

The use of secondaries and the DHCP server logic to understand what scopes
are associated with an interface is a useful feature when one might need to
renumber users from one subnet to another. Or if one runs out of IP
addresses on an existing subnet, one can simply add on a secondary subnet
onto the interface and DHCP server without causing everyone to be
renumbered.


Darren S. Crawford wrote:
> 
> Secondarys will really hurt you in a DHCP environment.  The 
> workstations on the secondary subnet will get their DHCP request 
> forwarded with a source
> segment of the initial IP address on the interface.  This was
> good ammo for
> me when I was in the same boat.
> 
> HTH
> 
> Darren
> 
> At 10:52 PM 12/3/2002 +, Edward Sohn wrote:
> >Thanks to all for the responses to my VPN connections.
> > I have pretty much verified it will work in an "active/failover" 
> >setting...
> >
> >Now, I have an issue where I need to convince my
> >customer that it's better to subinterface a fast
> >ethernet port into two separate VLANs rather than add secondary IP 
> >addressing on the router.
> >
> >Now, from my understanding I thought that secondary IP addressing is 
> >"traditionally" not recommended.  I thought I read somewhere that it 
> >creates instability for both networks and increases traffic.  Now, 
> >I'm not certain, so correct me if I'm wrong.
> >
> >Thanks,
> >
> >Ed
> >
> >__
> >Do you Yahoo!?
> >Yahoo! Mail Plus - Powerful. Affordable. Sign up now. 
> >http://mailplus.yahoo.com
> +
> International Network Services
> Darren S. Crawford - CCNP, CCDP, CISSP
> Sr. Network Systems Consultant
> Northwest Region - Sacramento Office
> Voicemail (916) 859-5200 x310
> Pager (800) 467-1467
> mailto:[EMAIL PROTECTED]
> +
> 
> Every Job is a Self-Portrait of the person Who Did It...Autograph Your 
> Work With EXCELLENCE!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58514&t=58498



RE: Secondary IP Addresses [7:58498]

2002-12-04 Thread Roberts, Larry
Priscilla,

You're exactly correct on sub-interfaces. We use a separate subnet for Voice
eq. and we configured our primary DHCP server that is on the first sub
interface to hand out those addresses. The Router ( in our case a 4006 )
will substitute the sub-interface address.

You can actually do some debugs of dhcp server ( even though the router
isn't running dhcp ) and see the progression take place. Same thing with
debug ip packet against an access-list.



Thanks

Larry
 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 04, 2002 3:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Secondary IP Addresses [7:58498]


Thanks for all the info p b. It's very helpful.

Regarding the first situation, where the DHCP server is on another segment
and we're using a helper address to get the requests over to the server:

We have established that if you use secondaries, the router puts its primary
address into the giaddr field. I can see how that might not be a problem in
some situations and could work well with a server with multiple scopes. As
you mentioned, when increasing the original address space, multiple scopes
work well.

How about subinterfaces, though? I was under the impression that in that
case, the router inserts the address of the subinterface. That way the DHCP
server assigns an address in the right scope/subnet. This is helpful when
devices are divided up into VLANs/subnets and you want to make sure a device
in a particular VLAN ends up with an IP address for the subnet associated
with the VLAN. If that's your goal, then you want to use subinterfaces.
Secondaries don't work because of the issue with the router putting in its
primary address only.

But I may be making assumptions about the behavior with subinterfaces. Let
me know if I'm confused. Thanks!

Priscilla

p b wrote:
> 
> 
> Argh.  Tab and return don't work well when posting through the
> web page
> 
> Let me revise the last part of my message:
> 
> If the interface (or sub-interface) looks like:
> 
>  int ethernet 4/0.42
>ip address 10.0.1.1 255.255.255.0
>ip address 10.0.2.1 255.255.255.0 sec
>ip address 10.0.3.1 255.255.255.0 sec
> 
> Your scope logic in the DHCP server would look something like:
> 
> scope_10.0.1.0:  etc.)>
> scope_10.0.2.0: primary-scope=scope_10.0.1.0  details>
> scope_10.0.3.0: primary-scope=scope_10.0.1.0  details>
> 
> So when the DHCP packet arrived with the giaddr 10.0.1.1, it would
> match the "scope_10.0.1.0".  The DHCP server would be able to
> determine that there are really three scopes which might apply
> to
> this request.
> 
> Now, if one had secondaries on an interface (or sub-int) and
> wanted to vector a device (or particular types of devices)
> to a particular secondary, one needs to provide the DHCP server 
> with more information in order to make the right scope selection
> decision.  
> 
> There are several places where this additional information might be 
> found:
> 
> - on the DHCP server.  One might encode MAC addresses of the devices 
> in the DHCP server and specify a "tag" value
> for this device.   Scopes would also have tags and
> a device's DHCP request could only match a scope of their respective 
> tags matched.  Encoding MACs is nasty.
> 
> - look at the DHCP information provided by the client.  The client 
> device might encode information in its DHCP packet which the DHCP 
> server can use to help make a scope selection decision (see DHCP 
> Option 60 and many others).
> 
> - look at the DHCP information inserted by the router when the packet 
> was relayed.  In certain environments, the router will insert special 
> DHCP options (see DHCP Option 82) which the DHCP server can use to 
> determine the type of device and hence appropriate scope.
> 
> Regarding the question about what happens if the DHCP server
> is on the same ethernet segment as your clients.   I've
> never run this configuration.  A couple of thoughts on this:
> 
> * This must be a single network as I don't think you'd want to have 
> the DHCP server physically connected to each ethernet
> segment where DHCP services are being provided.   
> 
> * As soon as one wanted to support a second interface (and thus 
> different set of interface and DHCP addresses) you'd need
> to move to a model where there is a giaddr.   Otherwise, the
> DHCP server would not have sufficient info to pick an appropriate
> address.
> 
> * I'd move the DHCP server onto its own subnet and use helpering and 
> the giaddr approach.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58578&t=58498



RE: Secondary IP Addresses [7:58498]

2002-12-04 Thread Roberts, Larry
Priscilla,

You're exactly correct on sub-interfaces. We use a separate subnet for Voice
eq. and we configured our primary DHCP server that is on the first sub
interface to hand out those addresses. The router (in our case a 4006)
will substitute the sub-interface address.

You can actually do some debugs of dhcp server ( even though the router
isn't running dhcp ) and see the progression take place. Same thing with
debug ip packet against an access-list.



Thanks

Larry
 

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 04, 2002 3:11 PM
To: [EMAIL PROTECTED]
Subject: Re: Secondary IP Addresses [7:58498]


Thanks for all the info p b. It's very helpful.

Regarding the first situation, where the DHCP server is on another segment
and we're using a helper address to get the requests over to the server:

We have established that if you use secondaries, the router puts its primary
address into the giaddr field. I can see how that might not be a problem in
some situations and could work well with a server with multiple scopes. As
you mentioned, when increasing the original address space, multiple scopes
work well.

How about subinterfaces, though? I was under the impression that in that
case, the router inserts the address of the subinterface. That way the DHCP
server assigns an address in the right scope/subnet. This is helpful when
devices are divided up into VLANs/subnets and you want to make sure a device
in a particular VLAN ends up with an IP address for the subnet associated
with the VLAN. If that's your goal, then you want to use subinterfaces.
Secondaries don't work because of the issue with the router putting in its
primary address only.

But I may be making assumptions about the behavior with subinterfaces. Let
me know if I'm confused. Thanks!

Priscilla

p b wrote:
> 
> 
> Argh.  Tab and return don't work well when posting through the 
> web page
> 
> Let me revise the last part of my message:
> 
> If the interface (or sub-interface) looks like:
> 
>   int ethernet 4/0.42
>     ip address 10.0.1.1 255.255.255.0
>     ip address 10.0.2.1 255.255.255.0 sec
>     ip address 10.0.3.1 255.255.255.0 sec
> 
> Your scope logic in the DHCP server would look something like:
> 
> scope_10.0.1.0:  etc.)>
> scope_10.0.2.0: primary-scope=scope_10.0.1.0  details>
> scope_10.0.3.0: primary-scope=scope_10.0.1.0  details>
> 
> So when the DHCP packet arrived with the giaddr 10.0.1.1, it would
> match the "scope_10.0.1.0".  The DHCP server would be able to
> determine that there are really three scopes which might apply
> to
> this request.
> 
> Now, if one had secondaries on an interface (or sub-int) and
> wanted to vector a device (or particular types of devices)
> to a particular secondary, one needs to provide the DHCP server 
> with more information in order to make the right scope selection
> decision.  
> 
> There are several places where this additional information might be 
> found:
> 
> - on the DHCP server.  One might encode MAC addresses of the devices 
> in the DHCP server and specify a "tag" value
> for this device.   Scopes would also have tags and
> a device's DHCP request could only match a scope if their respective 
> tags matched.  Encoding MACs is nasty.
> 
> - look at the DHCP information provided by the client.  The client 
> device might encode information in its DHCP packet which the DHCP 
> server can use to help make a scope selection decision (see DHCP 
> Option 60 and many others).
> 
> - look at the DHCP information inserted by the router when the packet 
> was relayed.  In certain environments, the router will insert special 
> DHCP options (see DHCP Option 82) which the DHCP server can use to 
> determine the type of device and hence appropriate scope.
> 
> Regarding the question about what happens if the DHCP server
> is on the same ethernet segment as your clients.   I've
> never run this configuration.  A couple of thoughts on this:
> 
> * This must be a single network as I don't think you'd want to have 
> the DHCP server physically connected to each ethernet
> segment where DHCP services are being provided.   
> 
> * As soon as one wanted to support a second interface (and thus 
> different set of interface and DHCP addresses) you'd need
> to move to a model where there is a giaddr.   Otherwise, the
> DHCP server would not have sufficient info to pick an appropriate
> address.
> 
> * I'd move the DHCP server onto its own subnet and use helpering and 
> the giaddr approach.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58579&t=58498
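The scope chaining and tag-based selection p b describes above, worked through as an added Python example (not code from the thread or from any DHCP server product): a minimal parser pulls giaddr and options out of a constructed DHCPDISCOVER, giaddr 10.0.1.1 selects scope_10.0.1.0 plus the secondaries chained to it, and a constructed Option 60 vendor-class-to-tag map picks which of the three scopes applies. The Scope fields, the VENDOR_TAGS values and the build_discover helper are assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Scope table modelled on the post: the primary interface address gets its own
# scope and each secondary scope points back at it via primary_scope.
@dataclass(frozen=True)
class Scope:
    name: str
    network: ipaddress.IPv4Network
    primary_scope: str = ""        # "" marks a primary scope
    tags: frozenset = frozenset()  # what client/relay info must say to land here

SCOPES = [
    Scope("scope_10.0.1.0", ipaddress.ip_network("10.0.1.0/24")),
    Scope("scope_10.0.2.0", ipaddress.ip_network("10.0.2.0/24"), "scope_10.0.1.0", frozenset({"voice"})),
    Scope("scope_10.0.3.0", ipaddress.ip_network("10.0.3.0/24"), "scope_10.0.1.0", frozenset({"printer"})),
]
# Constructed Option 60 vendor-class -> tag map (assumption); relay-inserted Option 82 could feed the same lookup.
VENDOR_TAGS = {b"IP-Phone": "voice", b"Printer": "printer"}
def parse_dhcp(pkt: bytes):
    """Return (giaddr, {option_code: raw value}) from a raw BOOTP/DHCP frame."""
    if pkt[236:240] != b"\x63\x82\x53\x63":
        raise ValueError("no DHCP magic cookie")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:          # 255 = End option
        if pkt[i] == 0:                            # 0 = Pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return ipaddress.ip_address(pkt[24:28]), opts  # giaddr sits at offset 24
def candidate_scopes(giaddr):
    """giaddr picks the primary scope; secondaries chained to it also apply."""
    giaddr = ipaddress.ip_address(giaddr)
    primary = next((s for s in SCOPES if not s.primary_scope and giaddr in s.network), None)
    return [] if primary is None else [primary] + [s for s in SCOPES if s.primary_scope == primary.name]

def select_scope(pkt: bytes):
    """Tagged requests are vectored to the matching secondary, untagged ones stay primary."""
    giaddr, opts = parse_dhcp(pkt)
    cands = candidate_scopes(giaddr)
    tag = VENDOR_TAGS.get(opts.get(60))
    return next((s.name for s in cands if tag in s.tags), cands[0].name if cands else None)
def build_discover(giaddr: str, vendor_class: bytes = b"") -> bytes:
    """Constructed minimal DHCPDISCOVER: op=BOOTREQUEST, giaddr, Option 53 and optional 60."""
    hdr = bytearray(236)
    hdr[0], hdr[24:28] = 1, ipaddress.ip_address(giaddr).packed
    opt60 = bytes([60, len(vendor_class)]) + vendor_class if vendor_class else b""
    return bytes(hdr) + b"\x63\x82\x53\x63" + b"\x35\x01\x01" + opt60 + b"\xff"
```

A request relayed from a secondary-only address finds no primary scope and gets nothing, which is the situation the post describes when the router inserts its primary address.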



RE: more VPN fun... [7:58818]

2002-12-09 Thread Roberts, Larry
Share the knowledge I say...
OK, this has been edited to protect my information, but other than that it's
directly off of a PIX that has 2 LAN-to-LAN tunnels and also allows VPN
remote access...
I think I got all the leftover junk cleaned out as well...
!
access-list 100 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 100 permit ip m.y.h.o u.s.e.! 192.168.2.0 255.255.255.0
access-list 120 permit ip m.y.h.o u.s.e.! 192.168.1.0 255.255.255.0
access-list 110 permit ip m.y.h.o u.s.e.! 10.0.0.0 255.0.0.0
access-list 110 permit ip m.y.h.o u.s.e.! 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac
crypto dynamic-map DYNOMAP 30 set transform-set TRANSFORM
crypto map MYMAP 10 ipsec-isakmp
crypto map MYMAP 10 match address 110
crypto map MYMAP 10 set peer e.f.g.h
crypto map MYMAP 10 set transform-set TRANSFORM
crypto map MYMAP 30 ipsec-isakmp
crypto map MYMAP 30 match address 120
crypto map MYMAP 30 set peer a.b.c.d
crypto map MYMAP 30 set transform-set TRANSFORM
crypto map MYMAP 100 ipsec-isakmp dynamic DYNOMAP
crypto map MYMAP interface outside
isakmp enable outside
isakmp key  address a.b.c.d netmask 255.255.255.255
isakmp key  address e.f.g.h netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup DONTTHINK address-pool REMOTEUSER
vpngroup DONTTHINK dns-server 192.168.24.22
vpngroup DONTTHINK default-domain groupstudy.rocks
vpngroup DONTTHINK idle-time 1800
vpngroup DONTTHINK password 

Thanks

Larry
 

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED]] 
Sent: Monday, December 09, 2002 3:44 PM
To: [EMAIL PROTECTED]
Subject: more VPN fun... [7:58818]


anyone have any working configs of a PIX set up for a site-to-site IPSec
tunnel with another PIX (at a remote site), as well as set up for mobile
user VPN access (through dialup/dsl/cable/etc)?  the client will use secure
VPN client 3.0 for windows.

i have the docs from CCO, but someone told me that their config for the
remote user is wrong and does not work right.

appreciate your help.  please email me directly.

ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=58828&t=58818
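A consistency check for the kind of config Larry posted, written here as an added Python example (not from the thread or from Cisco): a common reason a PIX remote-access or LAN-to-LAN tunnel "does not work right" is that traffic selected by a crypto map's ACL gets NAT-translated before it reaches the crypto engine, so every destination in a crypto ACL and the remote-access pool must also be covered by the nat 0 ACL. The access-list, pool, nat and crypto map lines are lifted from the post, with a constructed 192.168.100.0/24 standing in for the redacted inside network (assumption); the parser only understands the line shapes used there.

```python
import ipaddress
import re

# Lines lifted from the post; the redacted "m.y.h.o u.s.e.!" inside network is
# replaced by a constructed 192.168.100.0/24 (assumption).
INSIDE = "192.168.100.0 255.255.255.0"
PIX_CONFIG = f"""
access-list 100 permit ip {INSIDE} 10.0.0.0 255.0.0.0
access-list 100 permit ip {INSIDE} 172.16.0.0 255.240.0.0
access-list 100 permit ip {INSIDE} 192.168.1.0 255.255.255.0
access-list 100 permit ip {INSIDE} 192.168.2.0 255.255.255.0
access-list 120 permit ip {INSIDE} 192.168.1.0 255.255.255.0
access-list 110 permit ip {INSIDE} 10.0.0.0 255.0.0.0
access-list 110 permit ip {INSIDE} 172.16.0.0 255.240.0.0
ip local pool REMOTEUSER 192.168.2.1-192.168.2.255
nat (inside) 0 access-list 100
crypto map MYMAP 10 match address 110
crypto map MYMAP 30 match address 120
"""
def parse(cfg: str):
    """Collect ACL destinations, the nat 0 ACL name, the pool range and crypto map ACLs."""
    acls, nat0, pool, maps = {}, None, None, {}
    for line in cfg.strip().splitlines():
        if m := re.match(r"access-list (\S+) permit ip \S+ \S+ (\S+) (\S+)$", line):
            acls.setdefault(m[1], []).append(ipaddress.ip_network(f"{m[2]}/{m[3]}"))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)$", line):
            nat0 = m[1]
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)$", line):
            pool = (ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
        elif m := re.match(r"crypto map (\S+ \d+) match address (\S+)$", line):
            maps[m[1]] = m[2]
    return acls, nat0, pool, maps
def audit(cfg: str) -> list:
    """Return findings; empty means every encrypted destination is also NAT-exempt."""
    acls, nat0, pool, maps = parse(cfg)
    exempt = acls.get(nat0, [])
    def covered(net):
        return any(net.subnet_of(e) for e in exempt)
    findings = []
    for entry, acl in maps.items():
        if acl not in acls:
            findings.append(f"{entry}: match address {acl} references a missing ACL")
            continue
        for net in acls[acl]:
            if not covered(net):
                findings.append(f"{entry}: {net} is encrypted but not exempted from NAT")
    if pool and not all(covered(ipaddress.ip_network(a)) for a in pool):
        findings.append(f"remote pool {pool[0]}-{pool[1]} is not covered by the nat 0 ACL")
    return findings
```

Larry's config passes clean; dropping one nat 0 line or pointing a crypto map at an ACL that does not exist produces a finding.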


