RE: WIC-1T [7:63364]

2003-02-19 Thread Steve Wilson
Derek,
12.2(8)T4 has got bugs, CCO recommends upgrading to T5. When I built your
kit I could see both interfaces as being up when connected to a DTE device.

Cheers,
Steve Wilson

-Original Message-
From: DW [mailto:[EMAIL PROTECTED]] 
Sent: 19 February 2003 16:43
To: [EMAIL PROTECTED]
Subject: WIC-1T [7:63364]

Hi all,

I have a 2620 series running IOS (C2600-I-M), Version 12.2(8)T4. I also have
2 x WIC-1T installed. When I do this both of the interfaces show as
interface down / line protocol down. However when I install either interface
on its own (In either slot) they work fine. Is this a limitation of the
2600, I cannot find anything on Cisco site regarding this.

Sincerely,

Derek Walsh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63366&t=63364
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ADSL Between Head Office and Remote Branch [7:63711]

2003-02-25 Thread Steve Wilson
Ismail,
It does not look possible. Where are you getting the signalling, timing and
IP addresses from?
If you can build it on your test bench with just a pair of wires, best of
luck.

Steve Wilson
Network Engineer

-Original Message-
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED] 
Sent: 25 February 2003 13:11
To: [EMAIL PROTECTED]
Subject: ADSL Between Head Office and Remote Branch [7:63711]

I want to connect my branch office with my head office (1.5Km) away via ADSL
without any external service provider.
Two copper wires are laid physically from the Head Office to the Branch
office.
 
 
Is this design going to achieve my goal?
 
Clients PC--Ethernet--837 ADSL--pair of copper wires--837 ADSL--Ethernet--Clients PC
 
 
 
Ismail Al-Shelh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63713&t=63711


RE: Strange problem with a 2924XL. [7:63680]

2003-02-25 Thread Steve Wilson
Check the device that is connected to the port for speed setting and duplex.
If possible fix it to one particular setting at both ends. Start low and
then build up to 100 full. The errors are usually caused by a mismatch or
cabling that cannot handle it.

Steve Wilson
Network Engineer

-Original Message-
From: Ken Diliberto [mailto:[EMAIL PROTECTED] 
Sent: 25 February 2003 15:52
To: [EMAIL PROTECTED]
Subject: Re: Strange problem with a 2924XL. [7:63680]

Here's more information I should have included in the first message:

#sh int f0/13
FastEthernet0/13 is up, line protocol is up
  Hardware is Fast Ethernet, address is 00d0.bbd2.260d (bia 00d0.bbd2.260d)
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), Auto Speed (100), 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters 12:58:47
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 6000 bits/sec, 5 packets/sec
 218510 packets input, 78936683 bytes
 Received 1073 broadcasts, 0 runts, 0 giants, 0 throttles
 147 input errors, 147 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 538 multicast
 0 input packets with dribble condition detected
 467270 packets output, 258862433 bytes, 0 underruns
 0 output errors, 0 collisions, 2 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier
 0 output buffer failures, 0 output buffers swapped out
I did a clear count f0/13 last night.  Input and CRC errors were rising
at a moderate rate.

interface FastEthernet0/13
 no logging event link-status
 port storm-control broadcast trap
 switchport access vlan 8
 no snmp trap link-status
 spanning-tree portfast
!

Feb 24 16:02:31.046: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:06:08.951: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:07:29.785: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:12:01.748: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:20:46.733: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:21:51.812: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:25:11.507: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:27:54.890: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:28:55.370: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:30:30.011: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:40:03.346: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:41:24.389: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:42:57.809: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 16:48:08.352: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 17:47:18.451: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 17:48:45.262: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 17:59:49.059: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 18:35:33.480: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 18:37:06.128: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors
Feb 24 18:38:06.935: %LINK-4-ERROR: FastEthernet0/13 is experiencing errors


>>> "The Long and Winding Road" 02/24/03 11:20PM >>>
"Ken Diliberto" wrote in message
news:[EMAIL PROTECTED]
> I had a strange problem this evening with a 2924XL.  The server attached
> to port f0/13 had been generating errors and finally the switch stopped
> talking to it.  A shut/no shut combination started everything back up
> again.
>
> The configuration only says to send a trap when a broadcast storm
> happens.  There isn't anything about excessive errors.
>
> Any thoughts?  I haven't checked CCO.  I don't have a good idea what to
> search for without getting 10,000,000,000 hits.


what is the exact configuration line used? the documentation talks about
default rising and falling thresholds. of course it does not indicate
whether or not the default is to shutdown or not.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35wc3/cref/clicmds.htm#xtocid51






>
> Thanks.
>
> Ken




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63743&t=63680


RE: L3 Switching Huh???? [7:63728]

2003-02-26 Thread Steve Wilson
Charles,
The 6509 switch needs some configuration in the background to create a
"virtual router". This "virtual router" has virtual interfaces that would
mimic the default gateways IP addresses of the physical 2500 router and
therefore pass traffic between the virtual interfaces. The two subnets that
you list would be on different VLANs on the switch. It would look like the
packets are only going from one interface on the switch to the other and
back again, but in reality they are passing through the "virtual router"
created on a route processing piece of software. This would be on a
multi-layer switch module or similar. Layer 2 = MAC addresses, layer 3 = IP
addresses. To get between IP subnets you need a routing function which is
either provided by a physical router or a "virtual router" which routes
between "virtual LANs" created by software.
This is not the definitive answer but hopefully it clears away some of the
mud.

Cheers,
Steve Wilson
Network Engineer

-Original Message-
From: DeVoe, Charles (PKI) [mailto:[EMAIL PROTECTED] 
Sent: 26 February 2003 12:45
To: [EMAIL PROTECTED]
Subject: RE: L3 Switching Huh [7:63728]

OK, let me try this again.  I am trying to figure out the difference between
conventional layer 3 routing and layer 3 switching.  A little background.  I
am currently working towards my CCNA (have been for about 3 years).  At any
rate, everything I read and look at says that switching/bridging is a layer
2 function, routing is a layer 3 function.  

Either I don't have a good grasp of the OSI model, switching, routing, VLANs
or all of the above.

The network:

Host A  10.1.1.2 MAC 00.AA                       Host B  10.1.2.2 MAC 00.BB
  |     10.1.1.1 MAC 01.AA     10.1.2.1 MAC 02.BB     |
switch A ------------- Router ------------- switch B
10.1.1.0/24                                 10.1.2.0/24

This is an ethernet network.  Both segments are connected by a traditional
router say a 2500. 
In this instance the router interfaces are subnet A 10.1.1.1, and subnet B
10.1.2.1

For simplicity, assume ARP cache is empty.
Host A wishes to ping Host B
End user on Host A enters - ping 10.1.2.2
The IP packet places the source address 10.1.1.2 and the destination address
10.1.2.2 into the packet.
The IP protocol examines the IP address and based on the IP address
determines this is in another subnet.
An ARP request goes out for 10.1.1.1 (default gateway) and the MAC address
is found.
The DLL then places the source MAC address 00.AA and the destination MAC
01.AA into the frame.
The frame then goes out the wire to the destination MAC.
The router interface sees this frame as destined for itself.  It
de-encapsulates the frame removing the MAC addresses.  The router then
examines the IP address, based on the routing table it knows the destination
port.  
The router leaves the same IP source (10.1.1.2) and destination (10.1.2.2)
in the packet.
The frame is rebuilt with the new MAC address of source 02.BB and
destination 00.BB
Host B grabs this packet and does its thing.

Now, if I replace the router with a 6509 switch, with routing, how does the
process change?
Said 6509 would be equipped with a 10/100 card so that the hosts are now
directly connected.  The router interface is now a virtual interface, there
is no physical interface.  Which is another question.  How does the 6509
determine this virtual address?  

Am I correct?  
Inter VLAN communication cannot occur without a router.
Switching is based on MAC address.
Routing is based on IP address.

I believe the term "layer 3 routing" is a marketing term, not scientific or
engineering in nature.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63871&t=63728


RE: L3 Switching Huh???? [7:63728]

2003-02-27 Thread Steve Wilson
Thanks for the definition assistance. 
The problem with trying to assist in a forum such as this is that if you try
to simplify an answer you end up with an answer that is too simple. All I
was trying to get across was my way of looking at the difference between a
physically separate routing device working at layer3 between subnets and a
chassis like a 6509 which can have individual blades perform the functions
without the limitation of wires between the physical interfaces. The "wires"
are still there, they are just created in software in the chassis. 

Cheers,
Steve Wilson
Network Engineer

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED] 
Sent: 26 February 2003 18:27
To: [EMAIL PROTECTED]
Subject: RE: L3 Switching Huh [7:63728]

At 3:18 PM + 2/26/03, Steve Wilson wrote:
>Charles,
>The 6509 switch needs some configuration in the background to create a
>"virtual router".


A bit of a heads-up on this term. It's conceptually useful, but be 
aware that "virtual router" was considered to be an alternate VPN 
model to RFC 2547, generally promoted by Nortel and Lucent.

There have been LOTS of IETF arguments about the term. I didn't make 
myself popular at one meeting by mentioning "we sure can't define 
virtual router, but it's nice we have a virtual router redundancy 
protocol (VRRP is the standards track equivalent to HSRP)."

I was severely corrected that I needed to distinguish between 
"virtual router" and "virtual router," depending on whether the 
emphasis was on "virtual" or "router." In HSRP/VRRP, the virtual 
router refers to a single conceptual router seen by hosts, but is 
actually implemented across multiple platforms.

The VPN people thought of virtual routers as multiple independent 
routing (control and forwarding) logical instances on the same 
platform. VRF is not quite the same concept, as it assumes more 
shared knowledge between routing instances than does a VR VPN.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63954&t=63728


RE: PIX question [7:63892]

2003-02-27 Thread Steve Wilson
Ed,
Try clear logging. It depends on what you are trying to clear.

Steve Wilson
Network Engineer

-Original Message-
From: Edward Sohn [mailto:[EMAIL PROTECTED] 
Sent: 26 February 2003 18:30
To: [EMAIL PROTECTED]
Subject: PIX question [7:63892]

does someone know what the equivalent of "clear counters" is on the PIX?
i don't know why, but i can't find a thing...

thanks,

ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=63962&t=63892


RE: Cat4006 - Prompt [7:63984]

2003-02-28 Thread Steve Wilson
The following works on my cat4006.

Cisco Systems, Inc. Console   Fri Feb 28 2003, 02:24:02
Enter password:
cat4006> enable
Enter password:
cat4006> (enable) set prompt eaglesfan> (press return key)
eaglesfan> (enable) set prompt cat4006>
cat4006> (enable) exit
Session Disconnected...
Cisco Systems, Inc. Console   Fri Feb 28 2003, 02:25:04
Enter password:
cat4006>

Have fun,
Steve Wilson
Network Engineer

-Original Message-
From: Eagles Fan [mailto:[EMAIL PROTECTED] 
Sent: 27 February 2003 20:51
To: [EMAIL PROTECTED]
Subject: Re: Cat4006 - Prompt [7:63984]

I have tried that, unfortunately it doesn't take

cat4006> (enable) set prompt
Usage: set prompt 
cat4006> (enable)






>From: "ericbrouwers" 
>Reply-To: "ericbrouwers" 
>To: [EMAIL PROTECTED]
>Subject: Re: Cat4006 - Prompt [7:63984]
>Date: Thu, 27 Feb 2003 18:02:39 GMT
>
>Hostnames and prompts can be changed by just entering the command with no
>string; hit enter after command:
>
>Switch(enable) set system name
>or
>Switch(enable) set prompt
>
>Eric
>
>- Original Message -
>From: "Eagles Fan"
>To:
>Sent: Thursday, February 27, 2003 3:32 PM
>Subject: Cat4006 - Prompt [7:63984]
>
>
> > is it possible to clear the prompt after manually setting it?
> >




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64061&t=63984


RE: PIX VPN/IPSEC [7:64016]

2003-02-28 Thread Steve Wilson
I use the following configuration to allow VPN clients to terminate on PIX. 
Along with the usual rules about a firewall you need to create a "vpngroup"
which contains all the information that is passed to the client and an
access control list to list all the internal networks that the clients can
pass traffic to.
The clients are given an IP address from a pool called "home" in the config.

The clients also need to be given the IP address of the servers on the
inside that are performing DNS and WINS if you want them to be able to
"view" the inside network.
The VPN clients only require the outside address of the PIX, the groupname
and the password set up to be allowed to connect through to the company
network.
I have removed some of the company specific stuff, so if it does not make
sense either re-post the query or e-mail me direct for clarification.

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password sanfran
passwd cisco
hostname pix506
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name X.X.X.1 default-gateway
name 192.168.0.0 inside-network
name 192.168.0.1 mail-server
access-list 100 permit tcp any host X.X.X.2 eq smtp
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside X.X.X.3 255.255.255.248
ip address inside 192.168.0.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool home 172.16.1.1-172.16.1.31
pdm location mail-server 255.255.255.255 inside
pdm logging debugging 100
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 110
global (outside) 1 X.X.X.4
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) X.X.X.2 mail-server netmask 255.255.255.255 0 0
conduit permit icmp any any
route outside 0.0.0.0 0.0.0.0 default-gateway 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http mail-server 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set glasgow
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup pix506 address-pool home
vpngroup pix506 dns-server mail-server
vpngroup pix506 wins-server mail-server
vpngroup pix506 default-domain "YOUR DOMAIN NAME"
vpngroup pix506 split-tunnel 110
vpngroup pix506 idle-time 1800
telnet mail-server 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:57078d328d36e851c854b4913142d72e
: end

Best of luck,
Steve Wilson
Network Engineer
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 27 February 2003 20:38
To: [EMAIL PROTECTED]
Subject: PIX VPN/IPSEC [7:64016]

I have a question regarding the configuration of manual IPSEC. I have to
create an access list to define the traffic to protect.

I want to connect to my office network from home. I have a DHCP assigned
address from my ISP so I can't specify a peer address. So I will use isakmp
key ** address 0.0.0.0 for now.

Now as far as the traffic goes. Should I specify protect all traffic or
what? What happens when I have multiple remote users? I would like the PIX
to be the end point so I can travel over my entire network (email, shares,
printers, etc). I'm a little confused on this..

Thanks in advance...




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64062&t=64016
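
Added example, not part of the original posts: a small Python check that scans a PIX 6.x style configuration for settings a reviewer would question before reusing the configuration above (passwords shown without the `encrypted` keyword, the default SNMP community, MD5 and DES/3DES in the IKE and IPsec proposals, an any-to-any conduit, Telnet management). The rule names and the functions `audit_pix_config` and `summarize` are hypothetical; the sample lines are copied from the configuration in the post.

```python
import re

# Lines copied from the configuration posted above (addresses were already
# masked by the poster). Everything else in this block is illustrative.
SAMPLE_CONFIG = """\
enable password sanfran
passwd cisco
access-list 110 permit ip inside-network 255.255.255.0 172.16.1.0 255.255.255.224
conduit permit icmp any any
snmp-server community public
crypto ipsec transform-set glasgow esp-3des esp-md5-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
vpngroup pix506 split-tunnel 110
telnet mail-server 255.255.255.255 inside
"""

# (rule id, pattern matched against one stripped config line, reviewer note)
RULES = [
    ("CLEARTEXT-PASSWORD",
     re.compile(r"^(enable password|passwd) (?!.*\bencrypted$)\S+"),
     "password appears without the 'encrypted' keyword; rotate it if it was real"),
    ("SNMP-DEFAULT-COMMUNITY",
     re.compile(r"^snmp-server community (public|private)$"),
     "default community string; set a unique value or disable SNMP"),
    ("WEAK-HASH-MD5",
     re.compile(r"^(isakmp policy \d+ hash md5"
                r"|crypto ipsec transform-set .*\besp-md5-hmac\b)"),
     "MD5 integrity in IKE/IPsec; prefer a SHA-based option"),
    ("LEGACY-CIPHER",
     re.compile(r"^(isakmp policy \d+ encryption (des|3des)"
                r"|crypto ipsec transform-set .*\besp-(des|3des)\b)"),
     "DES/3DES is a legacy cipher; prefer AES where the software supports it"),
    ("ANY-ANY-CONDUIT",
     re.compile(r"^conduit permit \S+ any any"),
     "inbound permit from any source to any destination; narrow it"),
    ("TELNET-MGMT",
     re.compile(r"^telnet \S+ \S+ \S+$"),
     "Telnet management is unencrypted; use SSH for administration"),
]


def audit_pix_config(config_text):
    """Return (line_number, rule_id, line) for every rule a line triggers."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip blanks and the ':' / '!' marker lines of a saved config.
        if not line or line.startswith((":", "!")):
            continue
        for rule_id, pattern, _note in RULES:
            if pattern.match(line):
                findings.append((number, rule_id, line))
    return findings


def summarize(findings):
    """Count findings per rule id."""
    counts = {}
    for _number, rule_id, _line in findings:
        counts[rule_id] = counts.get(rule_id, 0) + 1
    return counts


if __name__ == "__main__":
    notes = {rule_id: note for rule_id, _pattern, note in RULES}
    for number, rule_id, line in audit_pix_config(SAMPLE_CONFIG):
        print(f"line {number:>2}: {rule_id:<22} {line}")
        print(f"         {notes[rule_id]}")
```
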


RE: Bizzare Routing/VPN Issue [7:64301]

2003-03-04 Thread Steve Wilson
Beware of assuming that a VPN can route traffic in the same way as a proper
router would. I have had a similar problem due to the network list
associated with tunnels. The "routing Table" built by the VPN 3005 is based
upon the information collated from the network lists, but is not used in the
same way that a router would use it. A router will forward packets based on
which route has the longest match to the IP address. The VPN appears to use
the first route that satisfies the destination. This route will be created
by whichever tunnel comes up first and gives its network list to the 3005
that it is connecting to. The only way that I have managed to solve the
problem is by having completely specific network lists that ensure that
there is no dubiety in where packets can be routed to. If you are using
super-netting be careful.

Steve Wilson
Network Engineer

-Original Message-
From: John Brandis [mailto:[EMAIL PROTECTED] 
Sent: 04 March 2003 01:55
To: [EMAIL PROTECTED]
Subject: Bizzare Routing/VPN Issue [7:64301]

Hi All, I am sure one of you will see the problem and be able to offer a
solution.
 
I have 2 organisations here, one in Australia the other in NZ. In Australia,
we have a hub and spoke point to multi-point config from the hub's
perspective. I run OSPF and have all sites in area 0 (yes I know I should
break this up so that each region forms its own area, but why at this time
??)
 
My problem, which only started this morning at 5am when the tech in NZ and I
decided to up the encryption settings on the VPN, I think is related to
routing, or related to a crypto map error. In Sydney, I use a cisco 3005
whilst the office initiating the IPSEC connection uses a little Watchguard
box. Until this morning it was simple, I could see his local lan behind the
remote peer, and he could see my local networks, but not the offices on my
WAN (by design). The goal of this morning was to permit NZ to be able to see
all networks in Australia. We don't yet run a nice continuous IP scheme here
(yet), so each network had to be declared line by line rather than a nice
summary. We implemented this network by network. I enabled my NZ counterpart
access to the Australian hub site and one of the spokes. That's when the
problem started. We tried to put the next spoke site network list in the
list of available networks, then it all fell to bits. The problem now is
that the guy in NZ can ping my spoke sites' routers, however from these spoke
sites I can't ping him. I trace the packet, and watch it hop through my
network with the last hop being the 3005 VPN concentrator that connects NZ
to us. From there it times out...From my desk in the hub site in Australia,
I can ping both the spoke site, and the NZ techs PC. So at this stage I can
confirm that the route that works from sydney to NZ, has been redistributed
via OSPF to my spoke sites, however it just does not appear to get through
the tunnel, however the guy in NZ says he has 100% ping to my spoke sites.
 
Could any one suggest where a possible problem could be ?
 
I can see IPSEC tunnels for the various networks and I can see traffic going
across them, however I have no idea why I can't access anything across the
VPN from my spoke sites. The NZ guy said all traffic from Australia has a
permit statement. I can only see the problem as access-list like problem on
his end, as we had this working for the central site here (hub site) and for
one of the spoke sites until we added more.
 
Would appreciate any help.
 
Thanks all
 
Johnny b 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64335&t=64301
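
The difference described in the reply above, longest-prefix match on a router versus taking the first matching entry from network lists in the order the tunnels came up, as an added Python example (not from the original posts). Tunnel names and prefixes are constructed; `overlapping_entries` is a hypothetical helper that finds the overlaps that make the two lookups disagree.

```python
import ipaddress
from itertools import combinations

# Constructed sample: network lists in the order their tunnels came up.
# Tunnel names and prefixes are hypothetical.
NETWORK_LISTS = [
    ("tunnel-nz", ["10.0.0.0/8"]),                        # supernet, up first
    ("tunnel-spoke1", ["10.20.0.0/16"]),
    ("tunnel-spoke2", ["10.30.5.0/24", "192.168.50.0/24"]),
]


def build_table(network_lists):
    """Flatten the network lists into (network, tunnel) entries, in order."""
    table = []
    for tunnel, prefixes in network_lists:
        for prefix in prefixes:
            table.append((ipaddress.ip_network(prefix), tunnel))
    return table


def longest_match(table, destination):
    """Router behaviour: the most specific covering prefix wins."""
    address = ipaddress.ip_address(destination)
    candidates = [(net, tunnel) for net, tunnel in table if address in net]
    if not candidates:
        return None
    return max(candidates, key=lambda entry: entry[0].prefixlen)[1]


def first_match(table, destination):
    """Behaviour described in the reply: the first covering entry wins."""
    address = ipaddress.ip_address(destination)
    for net, tunnel in table:
        if address in net:
            return tunnel
    return None


def overlapping_entries(table):
    """Pairs of entries on different tunnels whose prefixes overlap.

    Any pair reported here is a place where lookup order can change the
    result, which is what fully specific network lists avoid.
    """
    overlaps = []
    for (net_a, tun_a), (net_b, tun_b) in combinations(table, 2):
        if tun_a != tun_b and net_a.overlaps(net_b):
            overlaps.append((str(net_a), tun_a, str(net_b), tun_b))
    return overlaps


def disagreements(table, destinations):
    """Destinations for which the two lookup strategies pick different tunnels."""
    result = []
    for destination in destinations:
        by_prefix = longest_match(table, destination)
        by_order = first_match(table, destination)
        if by_prefix != by_order:
            result.append((destination, by_prefix, by_order))
    return result


TABLE = build_table(NETWORK_LISTS)

if __name__ == "__main__":
    for row in disagreements(TABLE, ["10.20.1.1", "10.30.5.7",
                                     "192.168.50.9", "10.99.0.1"]):
        print("destination %s: longest match -> %s, first match -> %s" % row)
    for overlap in overlapping_entries(TABLE):
        print("overlap: %s (%s) and %s (%s)" % overlap)
```
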


RE: 3000 Concentrator behind/in front or parallel to PIX? [7:64455]

2003-03-05 Thread Steve Wilson
I usually put them in parallel. This means that the two devices do their job
independently of each other. If you put the PIX between the VPN Concentrator
and the internet all the traffic for the site will pass through it. If it is
parallel the VPN Clients and LAN-LAN tunnels will terminate on the VPN
concentrator allowing the PIX to concentrate its processing power on the
primary task that it is for. Both devices provide security and fire-walling
to a certain degree, it's just horses for courses as to which does which bit
better.

Steve Wilson
Network Engineer

-Original Message-
From: Chris Penrose [mailto:[EMAIL PROTECTED] 
Sent: 04 March 2003 19:27
To: [EMAIL PROTECTED]
Subject: 3000 Concentrator behind/in front or parallel to PIX? [7:64383]

Hi All, I am setting up a VPN to connect remote sites to a Head Office, the
head office has a VPN 3000 Concentrator and a PIX 515 Firewall, As I
understand it I can place the PIX in front/behind or in Parallel to the 3000
. I was wondering if anyone that has done this has any recommendations as to
the best place for the PIX or any advantages/disadvantages of placement.   I
am thinking in front but I am unsure what repercussions this will have with
regard to access across the VPN.  I need all IP through the vpn tunnels for
each site, so with the PIX in front I would be setting up a static to the
outside interface of the 3000 and adding the following acl's
Access-list 100 permit ah any vpn3k
Access-list 100 permit esp any vpn3k
Access-list 100 permit udp any vpn3k eq isakmp

Would I still need acl's on the PIX  to allow all other IP from each site?
Or should I place the PIX somewhere else.

any advice appreciated.

thanks

Chris.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64455&t=64455


RE: Catalyst 3550 SMI or EMI [7:64442]

2003-03-05 Thread Steve Wilson
On the 3550 devices that I have the label on the back indicates whether it
is EMI or SMI, beyond that if you can type in the command IP ROUTING it
would seem logical that it is an EMI rather than an SMI. Seriously though
the software revision has all the information needed, you just need to
understand what the filename means.

Steve Wilson
Network Engineer
-Original Message-
From: John Tafasi [mailto:[EMAIL PROTECTED] 
Sent: 05 March 2003 06:33
To: [EMAIL PROTECTED]
Subject: Catalyst 3550 SMI or EMI [7:64442]

How do I know if a catalyst 3550 is running EMI or SMI image. I tried using
show version but that gave me no clue.

Thanks

John Tafasi




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64460&t=64442
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: ??? collapsed backbone ??? [7:64467]

2003-03-05 Thread Steve Wilson
This may only be a simple description but it works for me.
A collapsed backbone sounds painful but is really a description of the
situation where you have a network that conforms to the Cisco model of
"Core, Distribution and Access" layers without the core. The core part is
basically provided just by a high speed link between the two big sized
distribution switches. 
An example would be two catalyst 6500 type switches as a central
distribution fanning out to lots of access switches. The link between the
two 6500s could be a group of gigabit fibre links. 

Steve Wilson
Network Engineer

-Original Message-
From: Steven Aiello [mailto:[EMAIL PROTECTED] 
Sent: 05 March 2003 14:16
To: [EMAIL PROTECTED]
Subject: ??? collapsed backbone ??? [7:64467]

Hello all,

   in a recent post I saw the term "collapsed backbone".  I know that 
the network backbone is usually a high speed connection that a server 
farm sits on, and could even extend out to your IFD's.  However I'm 
fuzzy on the term collapsed backbone.  What does this imply?

Thank you all,
Steve




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64481&t=64467
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


RE: ISDN Config Problem? [7:65315]

2003-03-14 Thread Steve Wilson
Johan and others,
The ISDN configuration that you have listed has a few minor boobies in it. I
have configured an 803 to do a similar task after some head scratching. The
following may help. As they say it worked for me!
1. You have no authentication type mentioned anywhere.
2. The IP NAT statement seems wrong and in the wrong part of the config.
3. The IP NAT OUTSIDE command should be inside the dialer interface rather
than the BRI0 interface.
4. I always use my username as the hostname of the router, just in case.

Try the config below and get back to me, online or offline.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname CSTM
!
enable secret SECRETPASSWORD
enable password ENABLEPASSWORD
!
!
ip subnet-zero
!
no ip domain-lookup
isdn switch-type basic-net3
!
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-net3
 ppp authentication pap callin
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer string xx
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username CSTM password 
!
ip nat inside source list 1 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
!
Cheers,
Steve Wilson
Network Engineer

-Original Message-
From: Troy Leliard [mailto:[EMAIL PROTECTED] 
Sent: 14 March 2003 08:45
To: [EMAIL PROTECTED]
Subject: RE: ISDN Config Problem? [7:65315]

You should definitely be getting output from debug isdn Q921.  This in
effect is the D-Channel connectivity to the ISDN switch, and should always
be up.  If you are not getting SPI's when you debug this, then there is
definitely a connectivity issue between your router and the ISDN switch?
You also didn't mention where you are?  This could have an impact on the
requirement of specifying your SPID's?




> 
> have u generated interesting traffic? ping to remote site.
> 
> - Original Message -
> From: "Johan Bornman" 
> To: 
> Sent: Thursday, March 13, 2003 11:52 PM
> Subject: ISDN Config Problem? [7:65315]
> 
> 
> > I am having difficulty getting my Cisco 803 to dial out the BRI interface.
> > If I run the debug commands: isdn q921 and q931  with the debug ppp
> > authentication commands, nothing happens. I have also tried different
> > configurations but I get the same from the router...nothing. Term mon is
> > enabled! The isdn status command shows the line as active or activated, so
> > there is no problem with the line. I have tried the router on different
> > ISDN lines to be sure.
> >
> > How do I check if my BRI interface is working?
> >
> > Any feedback/suggestions will be appreciated.
> >
> > Regards
> >
> > Johan
> >
> >
> >
> > Here is my config: (I have x'd out the username, password and dialer
> > string number)
> >
> > CSTM#sh run
> > Building configuration...
> >
> > Current configuration : 1020 bytes
> > !
> > version 12.1
> > no service pad
> > service timestamps debug uptime
> > service timestamps log uptime
> > no service password-encryption
> > !
> > hostname CSTM
> > !
> > enable secret 5 $1$9Y0j$fCPvbvNR8L37mwYBtD66K0
> > !
> > ip subnet-zero
> > !
> > no ip domain-lookup
> > no ip finger
> > isdn switch-type basic-net3
> > !
> > interface Ethernet0
> >  ip address 192.168.3.250 255.255.255.0
> >  ip nat inside
> > !
> > interface BRI0
> >  no ip address
> >  ip nat outside
> >  encapsulation ppp
> >  dialer pool-member 1
> >  isdn switch-type basic-net3
> >  no cdp enable
> > !
> > interface Dialer0
> >  ip address negotiated
> >  encapsulation ppp
> >  dialer pool 1
> >  dialer idle-timeout 300
> >  dialer string XXX
> >  dialer load-threshold 128 outbound
> >  dialer-group 1
> >  ppp pap sent-username XX password 7 X
> > !
> > ip nat inside source list 1 interface BRI0 overload
> > no ip http server
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 Dialer0
> > !
> > access-list 1 permit 0.0.0.0 255.255.255.0
> > dialer-list 1 protocol ip permit
> > !
> > line con 0
> >  transport input none
> >  stopbits 1
> > line vty 0 4
> >  password cstm
> >  login
> > !




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65422&t=65315
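
Two settings in the quoted config can be checked mechanically: which interface the NAT overload is bound to, and what the wildcard mask in access-list 1 actually matches. The following is an added example, not part of the original thread; the function names and finding labels are hypothetical, and `REVISED` is a constructed variant that assumes the 192.168.3.0/24 LAN from the quoted Ethernet0.

```python
import ipaddress
import re

# Lines copied from the "sh run" quoted above; only the parts the check reads.
POSTED = """\
interface Ethernet0
 ip address 192.168.3.250 255.255.255.0
 ip nat inside
!
interface BRI0
 no ip address
 ip nat outside
 dialer pool-member 1
!
interface Dialer0
 ip address negotiated
 dialer pool 1
 dialer-group 1
!
ip nat inside source list 1 interface BRI0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 0.0.0.0 255.255.255.0
dialer-list 1 protocol ip permit
"""

# Constructed variant (assumption): NAT bound to the dialer and a 0.0.0.255
# wildcard, the shape used in the reply's config, applied to the 192.168.3.0 LAN.
REVISED = (POSTED
           .replace("interface BRI0 overload", "interface Dialer0 overload")
           .replace(" ip nat outside\n dialer pool-member 1", " dialer pool-member 1")
           .replace(" ip address negotiated", " ip address negotiated\n ip nat outside")
           .replace("permit 0.0.0.0 255.255.255.0", "permit 192.168.3.0 0.0.0.255"))


def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def wildcard_match(host, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'ignore', a 0 bit means 'must equal'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(host)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def acl_entries(config, number):
    """Return (base, wildcard) pairs from 'access-list N permit A W' lines."""
    return re.findall(rf"^access-list {number} permit (\S+) (\S+)$", config, re.M)


def inside_networks(interfaces):
    """Networks configured on interfaces marked 'ip nat inside'."""
    nets = []
    for lines in interfaces.values():
        if "ip nat inside" not in lines:
            continue
        for line in lines:
            m = re.match(r"ip address (\d\S*) (\d\S*)$", line)
            if m:
                nets.append(ipaddress.ip_network("/".join(m.groups()), strict=False))
    return nets


def audit(config):
    """Return (label, detail) findings about the NAT overload statement."""
    findings = []
    interfaces = parse_interfaces(config)
    overloads = re.findall(
        r"^ip nat inside source list (\d+) interface (\S+) overload$", config, re.M)
    for acl, ifname in overloads:
        lines = interfaces.get(ifname, [])
        if "no ip address" in lines:
            findings.append(("overload-interface-unaddressed", ifname))
        if "ip nat outside" not in lines:
            findings.append(("overload-interface-not-outside", ifname))
        entries = acl_entries(config, acl)
        for net in inside_networks(interfaces):
            hosts = list(net.hosts())
            matched = sum(any(wildcard_match(str(h), b, w) for b, w in entries)
                          for h in hosts)
            if matched < len(hosts):
                findings.append(("acl-misses-inside-hosts",
                                 f"{matched}/{len(hosts)} of {net}"))
    for ifname in re.findall(
            r"^ip route 0\.0\.0\.0 0\.0\.0\.0 ([A-Za-z]\S*)$", config, re.M):
        if "ip nat outside" not in interfaces.get(ifname, []):
            findings.append(("default-route-exits-non-outside", ifname))
    return findings


if __name__ == "__main__":
    for label, detail in audit(POSTED):
        print(f"{label}: {detail}")
```
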


RE: Open http: traffic on firewall... [7:65755]

2003-03-20 Thread Steve Wilson
Without seeing your router it may be that the ethernet port is e0/0
perchance. It may even be a fastethernet port. Check the physical make up of
the router.
Cheers,
Steve Wilson

-Original Message-
From: SMAN
To: [EMAIL PROTECTED]
Sent: 20/03/2003 15:33
Subject: Re: Open http: traffic on firewall... [7:65755]

OK...I got to the point of issuing this command (ip route 2.2.2.2
255.255.255.255 ethernet 0) at the configure prompt and got:

Internet(config)#ip route 216.224.32.195 255.255.255.240 ethernet 0
% Incomplete command.

Any recommendations???

Thanks

Ken

"Robert Edmonds" wrote in message
news:[EMAIL PROTECTED]
> First, you need to define your inside and outside interfaces for NAT.
> Usually, the interface where your webserver is connected will be defined as
> inside and all others are outside.  This would look something like this,
> assuming your web server is on interface ethernet 0:
>
> interface ethernet 0
>  ip address 2.2.2.1 255.255.255.240
>  ip nat inside
> interface serial 0 (or interface serial 0.1 for frame relay subinterface,
> depending on your setup)
>  ip nat outside
>
> Next, you'll need to define a static translation between your web server and
> your outside IP addresses assigned by your ISP.  I will use 10.0.0.1 to
> represent your web server address and 2.2.2.2 for your ISP assigned address.
>
> ip nat inside source static 10.0.0.1 2.2.2.2
>
> Or, if you want to get fancy and do PAT:
>
> ip nat inside source static tcp 10.0.0.1 80 2.2.2.2 80 extendable
>
> Next, tell your router to send all traffic destined for 2.2.2.2 (the outside
> address of your web server) to the proper interface.
>
> ip route 2.2.2.2 255.255.255.255 ethernet 0
>
> Your setup may demand something a little different, but in general I think
> this should get you started.
>
> Robert
>
>
> "SMAN" wrote in message
> news:[EMAIL PROTECTED]
> > I have a cisco 2611 router/firewall that I need to open up for http:
> > traffic.  I need to configure NAT to point to the static IP on the web
> > server.  How do I do this?  What are the specifics?
> >
> > Thanks
> >
> > Ken




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65880&t=65755


RE: PDM Question [7:65954]

2003-03-22 Thread Steve Wilson
The PDM is a useful tool for a graphical view of the configuration. If you
are using your PIX to terminate VPN clients or tunnels you may still need to
use the command line to administer and configure them. This might be
improved in the next release of the Operating System. Personally I agree
that the CLI is still the best way to program the beast.

Best of luck
Steve 

-Original Message-
From: Hartnell, George
To: [EMAIL PROTECTED]
Sent: 21/03/2003 20:34
Subject: PDM Question [7:65954]

Hi there,

I've got a 515UR failover I jus' upgraded from 5.3(1) to 6.1(4).  I'd like
to pop PDM on that system(s) and try that interface out.

I'm a command line kind of guy, so am comfortable with CLI, but, I've heard
that PDM is a worthy utility.

Any words of wisdom on PDM installation?

Best, G.

"Nations have recently been led to borrow billions for war;
no nation has ever borrowed largely for education...
no nation is rich enough to pay for both war and civilization.
We must make our choice; we cannot have both." -- Abraham Flexner




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=65986&t=65954


RE: reload 3500XL switch [7:66222]

2003-03-26 Thread Steve Wilson
If all the complicated answers fail try putting a timer switch on the socket
that the device is powered from.

Steve Wilson
Network Engineer

-Original Message-
From: milind tare [mailto:[EMAIL PROTECTED] 
Sent: 26 March 2003 04:54
To: [EMAIL PROTECTED]
Subject: reload 3500XL switch [7:66222]

Hi Cisco buddies,


  I have 3500 series access switches in my network. In
that I need shutdown for some access switches, and
shutdown time is night time, so I can't do it manually.

   Can anyone suggest whether there is any command so I can
get the switch shut down at a specific time and it will start
automatically, if I mention a particular time?

Thanks & Regards,
Milind Tare





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66232&t=66222


RE: ping things [7:66155]

2003-03-26 Thread Steve Wilson
Type in ping, press return and follow the on screen prompts. This will allow
you to use ping in extended mode to specify the source address or interface.

Steve Wilson
Network Engineer

-Original Message-
From: Peter P [mailto:[EMAIL PROTECTED] 
Sent: 26 March 2003 11:16
To: [EMAIL PROTECTED]
Subject: RE: ping things [7:66155]

OK If I use the loopback addr then I can see ext trace going right way.
Now I need to make the rtr use this addr as the source




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66241&t=66155


RE: Redistributing Static within RIP version 1 - what is this [7:66254]

2003-03-26 Thread Steve Wilson
Maybe I'm simple but RIP v1 is classful last time I looked. Also check for
the command IP SUBNET-ZERO, it may come in handy.

Steve Wilson
Network Engineer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 26 March 2003 13:02
To: [EMAIL PROTECTED]
Subject: Redistributing Static within RIP version 1 - what is this mask
[7:66245]

With the following configuration, RIP does not redistribute the static
route;  if the static route is changed to /24, it does redistribute.

R1

ip route 195.0.0.0 255.255.255.0 null 0
!
router rip
version 1
network 192.168.13.0
redistribute static

There are no other interfaces using the net 195.x.x.x

With the "ip route 195.0.0.0 255.255.255.0 null 0"  (/24), the route is
advertised:

Debug in R1 shows that it does not advertise the route 195.0.0.0
  With 195.0.0.0 255.255.255.0 it does advertise:
  1d00h:  network 10.0.0.0 metric 1
  1d00h:  network 192.168.13.0 metric 1
  1d00h:  network 195.0.0.0 metric 1

I did not find any notes about this behavior. The article "Behavior of RIP
and IGRP When Sending and
Receiving Updates" does not cover this.

Any thoughts?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66254&t=66254


RE: ping things [7:66155]

2003-03-30 Thread Steve Wilson
Type in ping, press return and follow the on screen prompts. This will allow
you to use ping in extended mode to specify the source address or interface.

Steve Wilson
Network Engineer

-Original Message-
From: Peter P [mailto:[EMAIL PROTECTED] 
Sent: 26 March 2003 11:16
To: [EMAIL PROTECTED]
Subject: RE: ping things [7:66155]

OK If I use the loopback addr then I can see ext trace going right way.
Now I need to make the rtr use this addr as the source




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66477&t=66155


RE: allowing telnet to the outside pix interface [7:66433]

2003-03-30 Thread Steve Wilson
The safest way I have come across is to create a vpngroup with a single IP
pool address and then allow telnet from that address only. You will need a
vpn client of course. The sample config is available on CCO, or contact me
offline for my version.

Steve

-Original Message-
From: Ismail Al-Shelh
To: [EMAIL PROTECTED]
Sent: 29/03/2003 14:02
Subject: allowing  telnet to the outside pix interface [7:66433]

Hi all
 
 
How can I let people outside the pix firewall telnet to my outside Pix
firewall IP address which is 212.121.211.123 ?
 
 
---212.121.211.123(515E-PIX)-10.1.1.1--
 
I have PIX Firewall Version 6.1(4).
 
 
Regards,
Ismail Al-Shelh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66506&t=66433


RE: PIX Nat Traversal / VPN [7:66404]

2003-03-30 Thread Steve Wilson
Last time I looked you could not do NAT-T on a PIX with 6.3 software. Only
VPN Gateways can handle it. Next gen of software should be able to do it sez
the great god Cisco. I have been looking forward to this for some time as I
install both PIX and VPN all the time.

Cheers,
Steve


-Original Message-
From: Chris Penrose
To: [EMAIL PROTECTED]
Sent: 28/03/2003 21:28
Subject: PIX Nat Traversal / VPN [7:66404]

I have a requirement to configure a VPN tunnel on pix ver 6.3 using nat
traversal.  I am wondering if I need to use any special commands and
which ports I need to forward from my router to the pix. I am assuming
udp port 500.  Has anyone done this that could give me some advice?

regards

Chris





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66504&t=66404


RE: Debug display to VTY [7:66762]

2003-04-04 Thread Steve Wilson
By default the error messages and all other stuff is sent to the console.
But if you type in "NO LOGGING CONSOLE" or any other command to send the
logging to the buffer perhaps, you will have no error messages to monitor
from the terminal connection. Check the configuration for config lines of
this type.

Steve Wilson
Network Engineer

-Original Message-
From: James Gosnold [mailto:[EMAIL PROTECTED] 
Sent: 04 April 2003 09:22
To: [EMAIL PROTECTED]
Subject: RE: Debug display to VTY [7:66762]

Hi, this seemed to do the trick, thanks.

Just found it confusing as having gone through the various CCNA literature
it seems to ram home that all you need enter is the 'terminal monitor'
command and then debug what you need.

This works on my home routers IOS 12.0 on Cisco 3000 but not on these 1721's
at work (IOS 12.2).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66834&t=66762


RE: allowing telnet to the outside pix interface [7:66433]

2003-04-04 Thread Steve Wilson
ip local pool fortelnet 172.16.1.21
vpngroup telnetaccess address-pool fortelnet
vpngroup telnetaccess idle-time 1800
vpngroup telnetaccess password whatever
telnet 172.16.1.21 255.255.255.255 outside

The lines above will give you a start. You will also require a Cisco VPN
Client loaded onto your PC and direct internet access. If we told you
everything there would be no challenge. Good luck

Cheers,
Steve Wilson
Network Engineer

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: 04 April 2003 14:23
To: [EMAIL PROTECTED]
Subject: RE: allowing telnet to the outside pix interface [7:66433]

You cannot telnet to the PIX's outside interface normally. But the only
way you can telnet to the outside interface is if you have an IPSec tunnel
that terminates onto the PIX. Then telnet is allowed.

see link
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/tz.htm#1025921

Cheers
Simon

-Original Message-
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 29, 2003 7:32 PM
To: [EMAIL PROTECTED]
Subject: allowing telnet to the outside pix interface [7:66433]


Hi all
 
 
How can I let people outside the pix firewall telnet to my outside Pix
firewall IP address which is 212.121.211.123 ?
 
 
---212.121.211.123(515E-PIX)-10.1.1.1--
 
I have PIX Firewall Version 6.1(4).
 
 
Regards,
Ismail Al-Shelh




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66847&t=66433


RE: PIX to concentrator Problem ......Urgent [7:69988]

2003-06-03 Thread Steve Wilson
Check your network lists on the concentrator. They need to be as explicit as
possible. If you supernet any contiguous networks, ensure that you do not
accidentally include a network that is really down another tunnel. 
Cheers,
Steve Wilson CCNP CCDA
Network Engineer

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: 02 June 2003 12:55
To: [EMAIL PROTECTED]
Subject: PIX to concentrator Problem ..Urgent [7:69988]

Hi All,
We are using site-site Tunnel formed between PIX firewall at one remote
location to Cisco VPN concentrator connected
at central side. On the central side there are a number of subnets that have all
been added to the network list on both PIX & VPN concentrator to enable
remote site to access all the subnets on the central site. Problem is that
while Tunnel is running it suddenly drops all packets for one particular
subnet on the central site. I have tried all possible means of
troubleshooting but nothing seems to work. Please help me out with any ideas
if possible.



Thanks 
Bharat 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6&t=69988


RE: IOS Licensing [7:70133]

2003-06-05 Thread Steve Wilson
Yes you are going mad, welcome to the club.

Steve Wilson CCNP CCDA
Network Engineer

-Original Message-
From: Lauren Child [mailto:[EMAIL PROTECTED] 
Sent: 04 June 2003 15:07
To: [EMAIL PROTECTED]
Subject: IOS Licensing [7:70133]

Hiya

I'm a tad confused here and would appreciate some input.

I've bought some routers with an IOS license.  The routers have come through
with the IOS already loaded.  I have no physical license etc.

I'm told by Cisco and our supplier that this is fine, but I'm sure I remember
routers coming with license stickers to put on them a couple of years back.

Am I going mad?

TTFN
Lauren




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70135&t=70133


RE: CCNA certification [7:70400]

2003-06-09 Thread Steve Wilson
To be a CCNP you must have a valid and current CCNA. The CCNP then validates
your new status. I found this out when my friend passed all the four exams
for CCDP but because he didn't have the CCDA he cannot call himself CCDP
until he does. The same applies to CCNP without a CCNA. To get my CCDP I
require passing both CCDA and the design exam, not just the design alone.

Steve Wilson CCNP CCDA
Network Engineer

-Original Message-
From: Mike Momb [mailto:[EMAIL PROTECTED] 
Sent: 09 June 2003 14:12
To: [EMAIL PROTECTED]
Subject: CCNA certification [7:70400]

To All,

I have a friend who has a CCNA and it's about to expire.  He has three tests
completed out of the four toward his CCNP.  If his CCNA certification
expires, can he take the final test and be a CCNP with an expired CCNA?  What
is Cisco's policy concerning this?

Mike




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70405&t=70400


RE: RE: RE: RE: number of CCIE??? [7:70328]

2003-06-11 Thread Steve Wilson
Thank you gents,
I have come to the conclusion that Jack and NRF are one and the same person.
Anyone who has seen, or read, "Fight Club" will recognise the symptoms. Any
minute now NRF will shoot himself through the mouth and end it all.
Seriously though over the years I have passed exams to get qualifications
relevant to the job I am trying to get. The only problem is that the
requirements in said job change and the qualifications become out of date.
It is a constant merry-go-round. As far as I am concerned it sucks both
ways. 
If you have an old qualification that you have updated, good for you. If you
have a nice shiny new one well done, you know the stuff to pass the new
exam. Could you pass the original one that the previous guy did, probably
not? 
I have met excellent engineers who had the latest qualifications and also
even better ones that didn't. The best that I can do is do my job as well as
I can and hope that if I am made redundant again I have the right
combination of qualifications and experience to get another job.
Can we please now all get off our high horses, get drunk and forget the
whole argument? 

Cheers,
Steve Wilson CCNP CCDA
Network Engineer

-Original Message-
From: n rf [mailto:[EMAIL PROTECTED] 
Sent: 11 June 2003 15:28
To: [EMAIL PROTECTED]
Subject: RE: RE: RE: RE: number of CCIE??? [7:70328]

>Jack Nalbandian wrote:

Boy, for a guy who says that he wants to close the thread, you really have a
lot to say.

> 
> 1. Attacking his motives and attacking his character are
> mutually exclusive
> endeavors.  I attack his motive of defaming the certification
> process itself
> in a series of different topics.  I have not criticized any
> such commentary
> that balances all facts, but NRF's overall commentary does no
> such thing.

Uh, how's that?  At the end of the day you are refusing to deal with the
issues at hand.  Whether you choose to attack my motives or my character -
whatever you want to call it - it's still out of bounds.  You are either
talking about the actual issues at hand, or you're not.  Simple as that.

Besides, character and motives are basically one and the same.  Wouldn't
somebody with bad character necessarily have bad motives?  Is there really
such a thing as a guy with bad character having good motives?  Or vice
versa? I don't think so.  So really, when you say that you're questioning my
motives but not my character, that's really a distinction without a
difference.

Look, the bottom line is this.  I don't question your motives or your
character.  Don't do it to me.



> 
> 2. There is the issue of devaluation of certifications due to
> the "forces
> majeur" that you mention, but the actual argument, it seems,
> you have missed
> as well.  The entire focus seems to be on "certification
> tracks" and how
> "worthless they are," not due to the actual market forces at
> play, but due
> to the very (alleged) "inherent weakness" of the certification
> process
> itself.  Therefore, your well-thought out and long-winded (not
> meant as a
> pejorative) is too far off the mark.

Why do you keep insisting on telling me what my own focus is?  Don't you
think I would know the focus of my own posts?   When have I said in this
particular thread that all certifications were worthless?

In fact, you could easily say quite the opposite - I have said several times
that certain certifications, namely low-number CCIE's, are in fact quite
valuable.  So how does that jive with your accusation that I am somehow
painting all certifications as worthless, when in fact I have singled out a
certification subset as worthy?


Oh, but I get it, you keep insisting that I am actually bashing all certs as
a "stealth undercurrent thesis", despite the fact that I think everybody in
this ng would agree that I don't exactly "do" stealth.  If I want to say
something, I'm going to say it.

Here's an idea, Jack.  Instead of debating me on what you believe the
undercurrents of my words are saying, why not debate me on what I'm ACTUALLY
saying?  To do otherwise is really to engage in that character assassination
and shooting-of-the-messenger that is simply uncouth.

> 2b. The second repetitively implied undertext is that of the
> (alleged)
> "superiority" of college education, the original method of
> degradation and
> defamation of the certification process itself.  I dismissed
> this as a
> comparison between apples and oranges with the intent to
> devalue oranges by
> judging their value in apple terms.  If you have read my posts
> at all, you
> will know my position on this. I can repost the relevant
> content if you
> wish.
> 

There you go again with the implied undertext.  How the heck am I supposed
to prove a nega

RE: Internet is very slow behind Pix 515E UR [7:70783]

2003-06-17 Thread Steve Wilson
Try taking the access-lists off the interfaces and try again. The access
control list acting on the interfaces means that every single packet going
through the interface is inspected. 

Steve Wilson 
Network Engineer


-Original Message-
From: Ismail Al-Shelh [mailto:[EMAIL PROTECTED] 
Sent: 17 June 2003 16:19
To: [EMAIL PROTECTED]
Subject: Internet is very slow behind Pix 515E UR [7:70783]

Whenever I access the web site which is behind the Pix firewalls, the speed
is really slow. 

I bypassed the firewall and accessed the same site and it's fast! 

I checked my settings and made sure all the connected devices are running at
100 and full duplex, they all are! 

I mean why this is happening ... is it because the pix have to inspect each
packet! 

The Bandwidth from the service provider is 64k. 

Any Idea Please. 


Any ideas?
 
 
The Pix version is 6.1 besides this is satellite connection 

The internal Address range is 191.1.1.0-191.1.1.254 255.255.0.0 
Outside address range is 10.15.9.163-183 255.255.255.224 
Default Gateway: 10.15.9.62 255.255.255.224 
DNS1: 195.238.62.1 
DNS2: 195.238.40.30 




AN# show config 
: Saved 
: 
PIX Version 6.1(4) 
nameif ethernet0 outside security0 
nameif ethernet1 inside security100 
nameif ethernet2 intf2 security10 
enable password kC9ZDwfWejkBqApp encrypted 
passwd 2KFQnbNIdI.2KYOU encrypted 
hostname AN 
domain-name ciscopix.com 
fixup protocol ftp 21 
fixup protocol http 80 
fixup protocol h323 1720 
fixup protocol rsh 514 
fixup protocol rtsp 554 
fixup protocol smtp 25 
fixup protocol sqlnet 1521 
fixup protocol sip 5060 
fixup protocol skinny 2000 
names 
access-list acl_in permit icmp any any 
access-list acl_in permit udp any any 
access-list acl_in permit tcp any any 
pager lines 10 
logging buffered debugging 
interface ethernet0 100basetx 
interface ethernet1 100basetx 
interface ethernet2 auto shutdown 
mtu outside 1500 
mtu inside 1500 
mtu intf2 1500 
ip address outside 10.15.9.163 255.255.255.224 
ip address inside 191.1.1.85 255.255.0.0 
ip address intf2 127.0.0.1 255.255.255.255 
ip audit info action alarm 
ip audit attack action alarm 
pdm history enable 
arp timeout 14400 
global (outside) 1 10.15.9.164-10.15.9.180 
global (outside) 1 10.15.9.181 
nat (inside) 1 0.0.0.0 0.0.0.0 0 0 
access-group acl_out in interface outside 
access-group acl_in in interface inside 
route outside 0.0.0.0 0.0.0.0 10.15.9.163 1 
timeout xlate 3:00:00 
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute 
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
http server enable 
no snmp-server location 
no snmp-server contact 
snmp-server community public 
no snmp-server enable traps 
floodguard enable 
no sysopt route dnat 
telnet 0.0.0.0 0.0.0.0 inside 
telnet timeout 5 
ssh timeout 5 
terminal width 80 
Cryptochecksum:97ca54591b41f6b215dabb457fe7c9de 
AN#  


 
Ismail Al-Shelh





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=70792&t=70783
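
The posted `show config` can be cross-checked against itself and against the addressing given in the post's prose. The following is an added example, not part of the original thread: a Python check over lines copied from that output. The `audit` function and its finding labels are hypothetical, and the findings are consistency and hardening observations only, not a diagnosis of the slowness.

```python
import ipaddress

# Lines copied from the "show config" output posted above (trailing spaces removed).
POSTED = """\
access-list acl_in permit icmp any any
access-list acl_in permit udp any any
access-list acl_in permit tcp any any
ip address outside 10.15.9.163 255.255.255.224
ip address inside 191.1.1.85 255.255.0.0
access-group acl_out in interface outside
access-group acl_in in interface inside
route outside 0.0.0.0 0.0.0.0 10.15.9.163 1
snmp-server community public
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
"""
STATED_GATEWAY = "10.15.9.62"  # the "Default Gateway" given in the post's prose


def parse(config):
    """Collect the statements the checks below need from a PIX 6.x config."""
    cfg = {"acls": {}, "groups": [], "addrs": {}, "routes": [],
           "snmp": [], "telnet": []}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 3:
            continue
        if t[0] == "access-list":
            cfg["acls"].setdefault(t[1], []).append(t[2:])
        elif t[0] == "access-group":
            cfg["groups"].append((t[1], t[-1]))          # (ACL name, interface)
        elif t[:2] == ["ip", "address"] and len(t) == 5:
            cfg["addrs"][t[2]] = ipaddress.ip_interface(f"{t[3]}/{t[4]}")
        elif t[0] == "route" and len(t) >= 5:
            cfg["routes"].append((t[1], t[2], t[3], ipaddress.ip_address(t[4])))
        elif t[:2] == ["snmp-server", "community"]:
            cfg["snmp"].append(t[2])
        elif t[0] == "telnet" and len(t) == 4:           # skips "telnet timeout 5"
            cfg["telnet"].append((t[1], t[2], t[3]))
    return cfg


def audit(config, stated_gateway=None):
    """Return (label, detail) findings in the order the checks run."""
    cfg, findings = parse(config), []
    # An access-group must name an ACL that exists in the same config.
    for acl, ifname in cfg["groups"]:
        if acl not in cfg["acls"]:
            findings.append(("undefined-acl", f"{acl} on {ifname}"))
    # Entries that permit a whole protocol from any source to any destination.
    for name, entries in cfg["acls"].items():
        for e in entries:
            if e[0] == "permit" and e[2:] == ["any", "any"]:
                findings.append(("permit-any-any", f"{name} {e[1]}"))
    # A route's next hop should be another host on the interface's subnet.
    for ifname, dest, mask, hop in cfg["routes"]:
        iface = cfg["addrs"].get(ifname)
        if iface is None:
            continue
        if hop == iface.ip:
            findings.append(("next-hop-is-own-address", f"{dest}/{mask} via {hop}"))
        elif hop not in iface.network:
            findings.append(("next-hop-off-link", f"{hop} not in {iface.network}"))
    # The gateway quoted in prose should sit on the outside subnet.
    if stated_gateway and "outside" in cfg["addrs"]:
        net = cfg["addrs"]["outside"].network
        if ipaddress.ip_address(stated_gateway) not in net:
            findings.append(("stated-gateway-off-link", f"{stated_gateway} not in {net}"))
    # Management-plane settings worth tightening.
    for community in cfg["snmp"]:
        if community in ("public", "private"):
            findings.append(("default-snmp-community", community))
    for addr, mask, ifname in cfg["telnet"]:
        if (addr, mask) == ("0.0.0.0", "0.0.0.0"):
            findings.append(("telnet-from-any", ifname))
    return findings


if __name__ == "__main__":
    for label, detail in audit(POSTED, STATED_GATEWAY):
        print(f"{label}: {detail}")
```
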


RE: VPN Conncetion from Windows Client to nt domain [7:73720]

2003-08-08 Thread Steve Wilson
There are a few things that you can try on the concentrator, like checking
all the settings in the group that the client/user is a member of. But the
most likely suspect is the settings on the PC. The network connection
settings must have "Client for Microsoft Networks" enabled and I would also
recommend NetBIOS over TCP/IP in the advanced settings. If you can ping the
devices on the LAN, then you will require NetBIOS to browse properly. This
is a simple solution to a possibly complicated scenario, but try it out
anyway.

Regards,
Steve Wilson CCNP 
Network Engineer

-Original Message-
From: Kai Bovermann [mailto:[EMAIL PROTECTED] 
Sent: 08 August 2003 13:05
To: [EMAIL PROTECTED]
Subject: VPN Conncetion from Windows Client to nt domain [7:73720]

Dear all

We have a cisco vpn concentrator 3000 series for vpn connection.
What we want to do is to establish a vpn connection from a windows
client(W2k or WinXP Pro) to the concentrator and then log on to our domain
and then get the shares connected to the pc.
I created a vpn connection and it works properly. Only the log on to the
domain will not work.
It should go like this way that the user is logged on to the pc and then if
it is needed establish the vpn connection and get also logged on to the
domain and get the shares connected to the pc.

How can I do this ?

Thanks a lot

Kai




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73726&t=73720


RE: PIX License upgrade procedure [7:73769]

2003-08-14 Thread Steve Wilson
As far as I know it is only free for partner companies to upgrade service
repair stock. This is to allow service engineers to replace faulty devices
with a new device and allow it to be upgraded from the default level up to
the customer's higher level encryption level. It is not free for the general
public company to use on their devices. If you require an upgrade for any
other purpose it must be done through the proper channels using an
authorised reseller.

Steve Wilson
Network Engineer

-Original Message-
From: Wilmes, Rusty [mailto:[EMAIL PROTECTED] 
Sent: 11 August 2003 13:57
To: [EMAIL PROTECTED]
Subject: RE: PIX License upgrade procedure [7:73769]

h - how long has it been free ?
-Original Message-
From: Joshua Vince
To: [EMAIL PROTECTED]
Sent: 8/11/2003 4:04 AM
Subject: RE: PIX License upgrade procedure [7:73769]

It is free now.

http://www.cisco.com/cgi-bin/Software/FormManager/formgenerator.pl

You will need a CCO login.

Josh

-Original Message-
From: Hitesh Pathak R [mailto:[EMAIL PROTECTED] 
Sent: Saturday, August 09, 2003 6:58 AM
To: [EMAIL PROTECTED]
Subject: PIX License upgrade procedure [7:73769]


Hi ,

I just need to know what is the procedure if I want to upgrade my PIX
license to enable VPN-3DES feature (which is presently disabled). Either
thru CCO or by the mean of TAC case with Cisco ?? Is it free from Cisco
or chargeable ??

Many thanks in advance

Thnx

Hitesh






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=73878&t=73769