Re: vpn link [7:55771]
unsubscribe

Lokesh Khanna
Sent by: [EMAIL PROTECTED]
10/17/2002 04:15 AM GMT
Please respond to Lokesh Khanna
To: [EMAIL PROTECTED]
Subject: vpn link [7:55771]

Can anyone tell me a link where I can get information about VPN on Cisco boxes? I want to start from very basic things.

Regards
Lokesh Khanna
Engineer - IDC (Network Integration)
Internet Services Group

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55771&t=55771
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55772&t=55771
RE: With PIX unable to reach DMZ from LAN [7:55608]
But doesn't NAT 0 stop NAT for whatever is defined afterwards? If I remember right, and I just might not, I used it when I wanted to avoid NAT on VPN traffic. I would define VPN traffic with an access-list and then use NAT 0 to tell the PIX to not NAT/PAT VPN traffic.

Dude, I still can't figure out why Guruprasad's config won't work. Got me totally bummed out.

Theo

Jay Dunn
Sent by: [EMAIL PROTECTED]
10/15/2002 05:59 PM
Please respond to Jay Dunn
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Look up NAT 0 in the PIX command summary (sorry, I don't have a link). The PIX will perform NATing on a packet as soon as it enters an interface. This can create problems when 2 interfaces receive their NAT addresses from the same pool. Create an access list permitting ip between the inside and dmz subnets and then apply it with NAT 0. This will eliminate NATing. This should allow the inside to establish full communication with the dmz. You will still need the appropriate conduits for dmz to inside communication.

Jay Dunn
IPI*GrammTech, Ltd.
www.ipi-gt.com
Nunquam Facilis Est

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Guruprasad Sanjeevi
Sent: Tuesday, October 15, 2002 12:33 AM
To: [EMAIL PROTECTED]
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

    global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
    global (perimeter) 1 192.168.23.10-192.168.23.20
    nat (inside) 1 192.168.11.0 255.255.255.0 0 0
    nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
    static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
    static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
    static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0

If I am not wrong, this last command enables the communication between LAN and DMZ, but here it fails.

    conduit permit tcp host 66.x.x.x eq x any
    conduit permit icmp host 192.168.11.x any
    conduit permit tcp host 66.x.x.x eq x any
    conduit permit tcp host 66.x.x.x eq sqlnet any
    route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command? Please help.

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate to the internal, since lower security interfaces are automatically blocked from higher ones. Can you access from the outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.

Cheers,
Theo

Guruprasad Sanjeevi
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to Guruprasad Sanjeevi
To: [EMAIL PROTECTED]
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

    LAN (inside)    : 192.168.11.0
    DMZ (perimeter) : 192.168.23.0
    Outside         : 66.x.x.x

Problem: users from the inside and perimeter networks are able to browse, but the inside and perimeter networks cannot talk to each other.

I have given the static command like this:

    static (inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice versa?

Please help
Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55621&t=55608
RE: Firewall [7:55547]
This is correct. And while you are at it, why not just eliminate pings to the interface once the PIX goes into production for increased security? Just makes it a little bit harder for the kiddies.

Theo

Lidiya White
Sent by: [EMAIL PROTECTED]
10/15/2002 03:44 AM
Please respond to Lidiya White
To: [EMAIL PROTECTED]
Subject: RE: Firewall [7:55547]

That is the normal behavior of the PIX. You'll not be able to change it... If you want to test the connectivity through the PIX, do not ping the outside interface of the PIX from the inside, but ping the default gateway of the PIX.

--
Lidiya White

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Naomi James
Sent: Monday, October 14, 2002 8:19 AM
To: [EMAIL PROTECTED]
Subject: Firewall [7:55547]

I have a PIX 525. I am trying to bring it up on my network. It is installed virtually between my router and my ISP's router. While testing, I noticed that from an inside host, I could ping my inside interface on the PIX, but not the outside interface. From the ISP, they could ping my outside interface but not my inside interface. From the PIX I can ping my outside interface and beyond. Any suggestions?

Naomi James
Computer Services and Information Technology
Savannah State University
912-356-2509

[GroupStudy.com removed an attachment of type image/gif which had a name of Mabelt.gif]
[GroupStudy.com removed an attachment of type image/gif which had a name of Mabelb.gif]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55595&t=55547
Re: outside PAT on a 515e-R? [7:55581]
Check your IOS. I had this problem with 6.0. I downgraded to 5.2 and had no problem.

Theo

Timur Snoke
Sent by: [EMAIL PROTECTED]
10/15/2002 04:27 AM
Please respond to Timur Snoke
To: [EMAIL PROTECTED]
Subject: outside PAT on a 515e-R? [7:55581]

Hello all,

I am trying to get as much as I can out of a single public IP on the outside interface of a PIX 515e-R-DMZ-Bun (3 interfaces). I have set up static routes and conduits to pass access along for the different ports as shown in the example that follows, but I am not able to access the services from the real world... any suggestions?

thanks in advance,
timur

    pdm location BO1 255.255.255.255 inside
    pdm location IMP 255.255.255.255 inside
    pdm location IVR 255.255.255.255 inside
    pdm location DVO 255.255.255.255 inside
    pdm location AS4 255.255.255.255 inside
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    static (inside,outside) tcp interface smtp BO1 smtp netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface www IMP www netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6502 IVR 6502 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface 6503 DVO 6503 netmask 255.255.255.255 0 0
    static (inside,outside) tcp interface telnet AS4 1023 netmask 255.255.255.255 0 0
    conduit permit tcp host 1.2.3.4 eq www any
    conduit permit tcp host 1.2.3.4 eq smtp any
    conduit permit tcp host 1.2.3.4 eq 6502 any
    conduit permit tcp host 1.2.3.4 eq 6503 any
    conduit permit tcp host 1.2.3.4 eq 1023 any
    route outside 0.0.0.0 0.0.0.0 1.2.3.3 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55594&t=55581
RE: With PIX unable to reach DMZ from LAN [7:55608]
Well, I will take it that you didn't include the ip address x.x.x.x x.x.x.x commands for convenience. I was looking for the NAT commands. They look okay. I can't identify one problem with this, although I have to admit that last year I had the same problem.

Your global perimeter and nat perimeter IP ranges are a bit strange. Why do you give one a range yet the other no range, and they might possibly overlap?

Try eliminating the conduit commands. I assume that you are in a testing phase and are pinging from 192.168.11.x to 66.x.x.x. Again, this shouldn't affect anything because you are able to browse and therefore you should be able to access the DMZ just the same way as the outside interface.

You don't have anything here to permit traffic originating from the DMZ to access your internal LAN.

Keep on going, I got to go to Starbucks for a while.

Theo

Guruprasad Sanjeevi
10/15/2002 02:34 PM
To: 'Theodore Stout'
Subject: RE: With PIX unable to reach DMZ from LAN [7:55608]

Hi Theo, and all,

I am giving the configuration.

    global (outside) 1 66.x.x.x - 66.x.x.x netmask 255.255.255.224
    global (perimeter) 1 192.168.23.10-192.168.23.20
    nat (inside) 1 192.168.11.0 255.255.255.0 0 0
    nat (perimeter) 1 192.168.23.0 255.255.255.0 0 0
    static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
    static (inside,outside) 66.x.x.x 192.168.11.x netmask 255.255.255.255 0 0
    static (inside, perimeter) 192.168.23.0 192.168.11.0 netmask 255.255.255.0 0 0

If I am not wrong, this last command enables the communication between LAN and DMZ, but here it fails.

    conduit permit tcp host 66.x.x.x eq x any
    conduit permit icmp host 192.168.11.x any
    conduit permit tcp host 66.x.x.x eq x any
    conduit permit tcp host 66.x.x.x eq sqlnet any
    route outside 0.0.0.0 0.0.0.0 66.x.x.x 1

What is that companion command? Please help.

Regards
Guruprasad

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 15, 2002 10:21 AM
To: Guruprasad Sanjeevi
Subject: Re: With PIX unable to reach DMZ from LAN [7:55608]

You will need to explicitly grant permission for the DMZ to communicate to the internal, since lower security interfaces are automatically blocked from higher ones. Can you access from the outside? Try it and see. Can you print out the config without the real IPs? You need to have a companion command to the static command and I would like to see if you have it.

Cheers,
Theo

Guruprasad Sanjeevi
Sent by: [EMAIL PROTECTED]
10/15/2002 03:29 AM GMT
Please respond to Guruprasad Sanjeevi
To: [EMAIL PROTECTED]
Subject: With PIX unable to reach DMZ from LAN [7:55608]

Hi group,

I am trying to configure a PIX. It has 3 Ethernet interfaces and three networks are used.

    LAN (inside)    : 192.168.11.0
    DMZ (perimeter) : 192.168.23.0
    Outside         : 66.x.x.x

Problem: users from the inside and perimeter networks are able to browse, but the inside and perimeter networks cannot talk to each other.

I have given the static command like this:

    static (inside, perimeter) 192.168.23.0 192.168.11.0 0 0

What other command is required on the PIX to enable communication from the INSIDE network to the DMZ (perimeter) and vice versa?

Please help
Thanks
Guruprasad

[GroupStudy.com removed an attachment of type application/ms-tnef which had a name of winmail.dat]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55615&t=55608
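What the two pieces of advice in this thread look like when written out, as an added example that is not part of any message above: Jay Dunn's NAT 0 exemption for inside/DMZ traffic and the explicit DMZ-to-inside permit Theo says is needed, on a PIX 6.x using the interface names and subnets Guruprasad posted. The access-list names, the two host addresses (192.168.23.50 and 192.168.11.50) and the choice of sqlnet as the only allowed DMZ-to-inside port are assumptions; lines starting with ! are annotations, not commands.

```text
! Added example, not from the thread. Interface names (inside, perimeter) and
! subnets are the ones posted above; access-list names and hosts are assumed.

! 1. NAT exemption (Jay Dunn's advice). Traffic matching this access-list is
!    passed between inside and the DMZ with its real addresses; nothing from
!    the nat/global pools is applied to it.
access-list inside_nonat permit ip 192.168.11.0 255.255.255.0 192.168.23.0 255.255.255.0
nat (inside) 0 access-list inside_nonat

!    With the exemption in place the posted static that maps 192.168.11.0 onto
!    192.168.23.0 is no longer needed for inside -> DMZ, and keeping it would
!    make the translated inside addresses collide with the DMZ's own subnet.

! 2. Inside (security 100) may now initiate to the perimeter interface without
!    any further permit: the PIX only requires a translation for traffic leaving
!    a higher-security interface, and the exemption supplies an identity one.

! 3. DMZ -> inside is blocked by default (lower to higher security), so each
!    allowed flow is listed explicitly and everything else toward the LAN is
!    denied, while the DMZ keeps its existing access to the outside.
access-list perimeter_in permit tcp host 192.168.23.50 host 192.168.11.50 eq sqlnet
access-list perimeter_in deny ip any 192.168.11.0 255.255.255.0
access-list perimeter_in permit ip 192.168.23.0 255.255.255.0 any
access-group perimeter_in in interface perimeter
```

The order of the three perimeter_in entries matters: the single permitted flow comes first, the blanket deny toward 192.168.11.0 second, and the permit to "any" last, so a DMZ host can still browse but cannot open anything else toward the LAN. If conduits are kept for the outside interface, the same least-privilege idea applies there: one conduit per published service rather than a wide permit.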
Re: Looking for a job : Consultant/Architect [7:55249]
I'm going to go out and get some burgers, hot dogs, and marshmallows and, like, roast them over the flames which are about to arrive. In fact, maybe I can get some beer on the way back. By then it should be nice and hot!

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=55350&t=55249
Re: CCNP Remote Access Exam [7:54525]
The 2 remote access books from Cisco will do the trick. I didn't use Boson and still passed.

Theo

amir tahir
Sent by: [EMAIL PROTECTED]
09/30/2002 01:58 PM
Please respond to amir tahir
To: [EMAIL PROTECTED]
Subject: CCNP Remote Access Exam [7:54525]

Hi guys... I am going to write the CCNP Remote Access exam on Tuesday, Oct 1, 2002. If anybody can give me valuable advice, I'll be thankful for that.

Regards
Amir

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54526&t=54525
Re: MPLS Vs EIGRP [7:54507]
If you can find the e-mail address, go ask Ivan Pepelnjak. If there is one person in Cisco who knows that answer, it is him.

Theo

Kohli, Jaspreet
Sent by: [EMAIL PROTECTED]
09/30/2002 09:15 AM
Please respond to Kohli, Jaspreet
To: [EMAIL PROTECTED]
Subject: MPLS Vs EIGRP [7:54507]

I am looking for a comparative design question: why a large corporation should or should not use MPLS over EIGRP. Any useful links will be greatly appreciated.

Thanks as always
Jaspreet

Consultant
Andrew NZ Inc
Box 50 691, Porirua
Wellington 6230, New Zealand
Phone +64 4 238 0723
Fax +64 4 238 0701
e-mail [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54508&t=54507
Re: CCIE written revised [7:53972]
Larry, I have the same situation. She doesn't like that I have to shell out the money first even though I get reimbursed. She thinks my money is HER money and has nothing to do with the company. I just passed MCSE/SD and even though it was free, I felt her pain. Should do the CCIE Sec lab sometime in the winter of '03 but I won't say anything to her out of fear :-) Anyone else out there have test fee and spouse problems?

Theo

Larry Letterman
Sent by: [EMAIL PROTECTED]
09/25/2002 06:47 AM GMT
Please respond to Larry Letterman
To: [EMAIL PROTECTED]
Subject: Re: CCIE written revised [7:53972]

If the employer reimburses you, what's the issue with your wife?

Tim Medley wrote:

So is that how people without experience do it? Just keep failing the CCIE written exam until you've memorized all the questions or get lucky? You must be single, or rich, or both. My wife has a fit when I spend $125 on an exam I am well prepared for, let alone spend $300 on the written. And my employer reimburses for the exam. I guess now I know why my employer will only pay for an exam twice. Try picking up a book and learning something, then you could pass the exam on the first try.

Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: Julio Godinez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 2:04 PM
To: [EMAIL PROTECTED]
Subject: CCIE written revised [7:53972]

Passing score 105: First attempt 77, second attempt (yesterday) 95 =(
RE: CCIE written revised [7:53972]
OUCH!!

Larkin, Richard
09/25/2002 04:04 PM ZE8
To: 'Theodore Stout', [EMAIL PROTECTED]
Subject: RE: CCIE written revised [7:53972]

Yeah, I hear you brother. Our company reimburses successful tests and I've just bombed MPLS twice. Every time I bomb, the wife gets to go on a shopping spree worth $AUD190 to balance the equation. Certainly the best incentive to pass I ever had!

Rik

-----Original Message-----
From: Theodore Stout [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 25 September 2002 3:10 PM
To: [EMAIL PROTECTED]
Subject: Re: CCIE written revised [7:53972]

Larry, I have the same situation. She doesn't like that I have to shell out the money first even though I get reimbursed. She thinks my money is HER money and has nothing to do with the company. I just passed MCSE/SD and even though it was free, I felt her pain. Should do the CCIE Sec lab sometime in the winter of '03 but I won't say anything to her out of fear :-) Anyone else out there have test fee and spouse problems?

Theo

Larry Letterman
Sent by: [EMAIL PROTECTED]
09/25/2002 06:47 AM GMT
Please respond to Larry Letterman
To: [EMAIL PROTECTED]
Subject: Re: CCIE written revised [7:53972]

If the employer reimburses you, what's the issue with your wife?

Tim Medley wrote:

So is that how people without experience do it? Just keep failing the CCIE written exam until you've memorized all the questions or get lucky? You must be single, or rich, or both. My wife has a fit when I spend $125 on an exam I am well prepared for, let alone spend $300 on the written. And my employer reimburses for the exam. I guess now I know why my employer will only pay for an exam twice. Try picking up a book and learning something, then you could pass the exam on the first try.

Tim Medley, CCNP+Voice, CCDP, CWNA
Sr. Network Architect
VoIP Group
iReadyWorld

-----Original Message-----
From: Julio Godinez [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 24, 2002 2:04 PM
To: [EMAIL PROTECTED]
Subject: CCIE written revised [7:53972]

Passing score 105: First attempt 77, second attempt (yesterday) 95 =(

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54041&t=53972
Re: CCIE written revised [7:53972]
You are right about this, John! When my wife was my girlfriend, she never complained about cert testing or buying equipment. I was making $70,000 and could not afford to get married yet. When my wife was my fiancee, she started to complain about the certs. I worked 2 part-time jobs in addition to my full-time job to pay for lab equipment, books, airplane tickets, a PIX 515 and 2621, both used. I was making $85,000 and hated my job, came home at 10 pm, did weekends too. I passed the CSS1, CCNP, and CISSP. Wage is now $120,000 and I am the #1 engineer in my company working on wireless network design, policies, and security. I am relaxed and come home at 7 pm, no weekends, and I pay for everything.

My wife now fights with me when I want to buy Aironet access points and cards. I have lost this fight totally. She has nearly stopped my Amazon buying, although she doesn't know about the $1000 I just did :-). If I even mention that I am taking a Cisco test, forget love for a week. I figure since I will have to fly to Belgium for the CCIE Security, no love for a month. And get this, if I hadn't invested my money like I did, marriage would have been impossible financially. Now she wants to quit her job and have a kid, yet she is stopping me from investing in IT with training/books/devices...etc and she thinks I should be able to earn $150-200,000 a year within 3 years! (Holy delusions of grandeur!) I have no idea how I am going to finance next year's changes. How can I possibly make more money without investing in my education, be it cert or not cert? Certs are really not that important, I need all the training I can get. Education is necessary to supplement on-the-job experiences.

What is it with these people? If only I could be a Cisco Certified Wife Troubleshooter! A call center.

Something is wrong with my woman.
What is it?
She is not functioning normally!
When did this start happening?
It started back in March.
What happened back then?
Nothing.
Come on! What changes happened then?
We got married.
Voila! You no longer have the right specs for your woman.
But she was functioning properly for so many years. Everything was okay.
Sorry, but when you upgrade from Girlfriend 5.0 to Wife 1.0, your entire network must change.
What? This was not written in the book nor was it on the home page.
Ha ha, it's a gotcha! Welcome to Marriage!

Theo

John Hutchison
Sent by: [EMAIL PROTECTED]
09/25/2002 11:38 PM
Please respond to John Hutchison
To: [EMAIL PROTECTED]
Subject: Re: CCIE written revised [7:53972]

heheh... you now know the difference between dating and marriage! Where I work, we have a trade agreement with a testing facility, so I get Cisco boots and tests for free. Not only do I not have to pay first then get reimbursed, but even though I'm missing work, I still get my 40 hours paycheck when I'm at the boot. Sounds like a win/win situation, right? Wrong, my wife complains because I have to sign an agreement that says I won't get the cert and then quit. She thinks they should shell out 10k for it all and that I should just be able to leave the next day.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=54161&t=53972
RE: CCNP exam BSCI now right??? [7:53695]
I failed BSCI again today. It wasn't so bad actually. It was the first time for me to take the new test in the new format. Some of the questions were really easy. I could do perhaps 4 Qs per minute and actually did. Some were extremely vague. It reminded me more of the old CCIE Written.

One point to watch out for. On the test, you most likely have a lab. In the lab you have to enter commands on a virtual router. This was not a problem for me except that erasing the commands was difficult. I mis-entered a command and tried to erase it and it was impossible! And don't flame me thinking I don't know how to erase a command :-) I did manage to erase it but it was through an indirect method, basically one I use in real life.

The material has changed only so slightly but enough to merit a different method of studying. I guess my only real recommendation is to know not only the Why and What but also the How, and much more in depth than before. Many of the questions had answers that I never even thought about before.

Oh well, back to the books. I want to pass the new CCNP now so I am studying a bit for it.

Theo

Kaminski, Shawn G
Sent by: [EMAIL PROTECTED]
09/20/2002 01:14 PM
Please respond to Kaminski, Shawn G
To: [EMAIL PROTECTED]
Subject: RE: CCNP exam [7:53668]

You'll be OK. The old 640-504 exam and the new 640-604 exam cover the same topics. The only difference that I know of is that new, more difficult, questions were written for the new 640-604 exam. Same topics, just more difficult questions. Just make sure you know the material.

Shawn K.

-----Original Message-----
From: Han Chuan Alex Ang [SMTP:[EMAIL PROTECTED]]
Sent: Thursday, September 19, 2002 10:02 PM
To: [EMAIL PROTECTED]
Subject: CCNP exam [7:53668]

Hi, I am currently preparing for my CCNP module; however, the course that I took, which is Building Cisco Multilayer Switched Networks (BCMSN), was quoted as 640-504 and the exam I am taking now is 640-604. Can anybody tell me if there is any significant difference between the two?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53695&t=53695
RE: 9/11 [7:53084]
I agree with this. Trivializing and generalizing the death of 1000s of people on this day cannot be tolerated at all. It was wrong, and about the only people who could possibly be considered as non-victims would be those who were working at the Pentagon. But even then, we cannot tolerate the usage of innocent civilians to conduct a war-like attack on a military facility. It is simply wrong.

When I looked at Sujal's post, I personally thought he was talking about all people throughout time. I can see why some people would protest this. In a French way of thinking, this would necessitate remembering and crying over Osama, Hitler, and other infamous people in history. Perhaps what Sujal wanted to say was all innocent people who died on that day regardless of nationality.

As for this debate, come on Jake, don't you know that a bunch of Cisco engineers with time on their hands just love a good fight? :-) Personally, this is quite tame compared to the death and hatred we saw a year ago. Debate and conversation is healthy, being a terrorist is not. May all of us remember the victims, continue on with life and remember to love each other while, yes, taking jabs at the other person's idiotic configs!

Theo

Mossburg, Geoff (MAN-Corporate)
Sent by: [EMAIL PROTECTED]
09/12/2002 01:45 AM
Please respond to Mossburg, Geoff (MAN-Corporate)
To: [EMAIL PROTECTED]
Subject: RE: 9/11 [7:53084]

I don't think it's a good idea to generalize this day as a day to remember all people who have given their lives for their respective countries, because it generalizes and trivializes the tragedy of September 11th. These people didn't give their lives for their country; they were innocents, just living their daily lives, and they were slaughtered. That is what needs to be remembered today: a specific act of murder carried out on a group of people whose only fault that morning was that they came in to work. What nationality they were doesn't matter. They were all victims, in the purest sense of the word.

-----Original Message-----
From: Sujal G. Ajmera [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 8:00 AM
To: [EMAIL PROTECTED]
Subject: RE: 9/11 [7:53084]

Sure. And also for all people who have given their lives for their respective countries. Amen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jake
Sent: Wednesday, September 11, 2002 5:17 PM
To: [EMAIL PROTECTED]
Subject: 9/11 [7:53084]

Let's take a moment to remember our fallen heroes, all who have perished, and the families they left behind.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53174&t=53084
Re: Security Exams Textbooks Required [7:27321]
I totally agree with Fahim. You have got to have the MCNS books to pass. It is like 40 of the PIX ADV and VPN tests. Get a PIX though. You won't pass some parts of the PIX ADV with just the book, I think. You don't want to be a paper CSS1. Do IDS last. Read Northcutt, study the material and know how to install it, as the homepage states. I found this test to be the hardest. You need a rather high score to pass.

Theo
CCSE, CSS1, CCNP, MCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27517&t=27321
RE: Passed BCRAN..... [7:27227]
Just so you know, I am African-American, got a Master's in Linguistics, and still I don't understand Cisco's test questions totally. Perhaps Cali-talk?

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27301&t=27227
Re: Is Pix failover can be Load balancer ? [7:26673]
Jenny, you are right. The PIX does the state information transmission but does not do load balancing. As someone else said above, get StoneBeat if you want a firewall that can do it all.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26950&t=26673
RE: CCIP certification - who else is doing it? [7:26605]
Hello there! What's up with the Boson statement? I just bought their MPLS and BSCI tests today. They got QoS as well. It is all in the router test v4.

I too am attempting the CCIP. I just got Security done and am working on MPLS since it is like a VPN. I think I will be ready on Thursday. After that I figure the BSCI will be a breeze. The only thing I am worried about is QoS. Like you, I too bought the book as well. This test looks fun. I am trying to pass it just because there are so many cool technologies integrated together into it. Additionally, I am competing with a CCIE to see who can get it first!

Peace,
Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26778&t=26605
RE: What a Ride......Finally CCNP [7:26604]
Personally, if I were you, I would get Top-Down Network Design and Designing Routing and Switching Architectures and Designing Addressing Architectures before you set foot in the testing lab. Those books are REALLY good and I really don't see the value of the CCDA and CID without knowing those books solidly first. After that, just pass both tests on the same day. I plan on doing this but I am on Chapter 12 of Berkowitz's DRSA book and a punk stole my Top-Down Network Design book, so I am waiting for it to come again from Amazon. Cisco gets more of my money... but it is worth it :-)

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26780&t=26604
RE: OT: Thoughts from CCIE#8387 (longish) [7:26577]
Good job, Nigel! And also from me, thanks for the support you gave me in getting my career going forward. It is only a matter of time before I follow the same path, albeit down the security path.

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26791&t=26577
RE: Starting CCNP [7:26734]
I have to agree with Larry though. Most of the time people say to look in another location and don't give real leads. And when they do give any help it is with a Holier Than Thou attitude. It just makes the road so much harder.

My recommendation: get all of Cisco Press's CCNP books, get routers or bribe network administrators for router time, get Boson and get a study pal. Lastly, give yourself goals and follow up on them. If you do this I think you can get it done. And as for archives, I never used them and I still got my certification, although I use the technologies on a daily basis.

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26809&t=26734
Re: NSA Cisco Router Security Guides [7:26655]
Nice, thanks :-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26812t=26655
RE: Salary Expectations/CCNP's!!!!!!!!! [7:25805]
Hey Tribavan, what country are you in? I might fly out there LOL! I wish I could, but I am getting married here, to a Japanese woman, so I am stuck here in Japan.

As for my friend, his last job was at Merrill Lynch as the security guru and he was making over $100,000. He was terminated in May, I think, and looked and looked and he was about to sign with another bank on 9/12 and yep, you know what happened. You do have a point about the wage expectation; however, what I said about not being able to get a computer assembly job is true. He is currently trying to get outsourced for only $25 an hour! To put that in perspective, when I teach English I get $30 an hour!

Theo
C blah blah +Internet #1001 ;-)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25893t=25805
RE: IPSEC Question [7:25589]
Maybe it is a stupid question, but did you try altering your access-lists? When this usually happens to me, it is because my access-lists are too restrictive.

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25638t=25589
Re: Passed Cisco Secure VPN! [7:25635]
Just go read RFC 2401-9. They will help you a lot. I would give you my texts but they are sacred to me now. :-) I am sure that the official Cisco study book for this is coming out soon. Just get that and read it, sleep with it, propose marriage...blah!

Study tactic: look here
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/9E0-570.html

As you can see from the headlines, it is all about CAs and pre-shared keys and how you use them in the client, 3000 Concentrator, IOS, and PIX. That is all. If you can organize your thinking about this then everything will work well for you.

Khan - just go buy Boson and get 90% before you step foot in. It is worth the $40.

Peace

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25724t=25635
RE: FW: PIX advanced exam [7:24478]
I took the test today and failed. 731 but 751 necessary. I can not believe that I failed it. I thought I had studied everything perfectly, and with work and all... There is a secret section. I can not say what it is because of that stupid NDA, but had it not been for that one section I would have passed. Just on that section I got 33%. Oh well, I can take it again on Monday.

Why is this so much the case? Every time I take these tests I am always like 20 or 30 points away on the first attempt. I even took the CISSP. Got 682 but 700 was necessary out of 1000 points and 225 questions. Another weekend poor because all of my money is going to these tests, and lonely because all I do is study study study. Blah!

Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24918t=24478
RE: FW: PIX advanced exam [7:24478]
I agree with Matthew above. I am taking the Advanced PIX tomorrow and fortunately I had the course materials, so all I needed to do was study that. Honestly speaking, that Cisco Secure Internet Security Solutions is damn good! I use it to reinforce what I learned from the official training materials. It is very precise. Given that my boss has passed all 4 tests and taught the official MCNS course, I have simply followed his recommendations and it always works.

Know the points from the following link:
http://www.cisco.com/warp/public/10/wwtraining/certprog/testing/current_exams/9E0-571.html

They aren't joking when they list the points to study for. On each point make sure that you know the theory and know the real commands. Then read the official training materials. Then read Cisco Press. After that, if you got the money and you are still worried, get Boson. This also assumes that you are working with PIXs every day. I just had my PAT-VPN-PIX nightmare solved, and it was with a solution which Cisco said would not work!

Peace,
Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24744t=24478
Re: IPSec and IKE [7:23599]
Personally speaking, I am confused too. I am a CCSE and passed MCNS with perfect points on both on the IPSEC section and I still don't understand it perfectly. I can use the isakmp, crypto, and FW-1 commands effortlessly, yet I really still don't know what the real difference is between IPSEC and IKE. I even read that like 70 page file from Cisco, deploying IPSec blah blah, and I was just more confused. What I do really understand is ESP and AH. That is really clear and necessary to understand for transform sets. Watch me get a perfect on this section tomorrow on the Advanced PIX and still not really have a clue!

Peace
Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24758t=23599
RE: PIX with PAT and VPN [7:23490]
Thanks Hansraj! I looked at your config. There is only one command that I do not have: isakmp identity outside. I am downgrading my IOS to 5.2(5) and 5.2(3) to see if it works. I have had problems with the VPN concentrator 6.x IOS with partner and client tunneling and did the same thing, downgraded to 5.2.21, and got things to work. I am confident that this will cause it to work.

I additionally got the PAT-VPN and Internet access to work on one side, with an IOS Firewall Router VPN - PIX 6.01 VPN PAT. I got 3 devices to encrypt and use the Internet at the same time from the PIX side. I think that to get it working I will need the 5.2 and above IOS.

I looked at http://www.cisco.com/warp/public/110/pixhubspoke.html of course. What I found is that there are no Global commands for the PIXs there, so it really didn't help me. However, Internet access was available in that config, and it had the isakmp identity outside command, as did your config.

If this works and you are ever in Japan I will get you a beer! To everyone else, remember that I have always used the NAT 0 and Global interface commands.

Peace
Theo

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24203t=23490
RE: PIX with PAT and VPN [7:23490]
I got the same access-lists on both sides and they have been verified by other people. I know this will not take me down. If you can e-mail me the config it would be great! I would like to see how it works in real life. So far 2 ISPs have failed to give me a working config. Everything is theoretical and promises, but it doesn't work like Checkpoint.

What I am fearing is that it is the command global (outside) 1 interface that is giving me the grief. I think that I will need another IP address for PAT instead of using the same IP for the interface and PAT. In your response, you said that the negotiation is between (a) public IP address. Yes, this is true, but what if it is the same as the interface? So far I have only seen this work with a pool of public IPs.

Hansraj Patil wrote:
I have seen this working. You have to use nat (inside) 0 access-list 101. The IPSec IKE negotiation is between public IP addresses, so the question of port limitation does not arise. The internal IP addresses are not involved in IPSec negotiation. You use the above statement to avoid routing problems between the two LAN segments. Just make sure the access-list is a mirror image on both peers.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 22, 2001 1:41 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX with PAT and VPN [7:23490]

I tried this and it did not work. When IPSEC negotiates a VPN session between the two PIX's, it will PAT an internal device from Network A as 206.112.71.5 and use 206.112.71.5:500 for the negotiation. Once another device wishes to access a device behind 206.112.71.6, it will have to use 206.112.71.5:500 as well. Cisco IPSEC will only allow one port 500 per IP. This means the original device will be moved from port 500 to a different port. IPSEC only uses port 500 for the negotiation and therefore the original connection fails. I did as you said, but I added another command, like this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101

Access-list 101 is the traffic to be encrypted. I have tried not to use PAT with encrypted data because of the IP:Port limitation problem. However, it still won't work. Any more suggestions?

[EMAIL PROTECTED] wrote:
With PIX you must have one legal address for the outside interface on BOTH PIXs. That's actually enough to do what you want to do.

Say that your legal address on PIX1 is 206.112.71.5/30. Go to PIX2, start up ipsec and input isakmp key 'your key' address 206.112.71.5. Then input crypto map 'your map-name' 'your sequence number' set peer 206.112.71.5.

Say that your legal address on PIX2 is 206.112.71.6/30. Go to PIX1, start up ipsec and input isakmp key 'your key' address 206.112.71.6. Then input crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6.

Now on PIX1 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0. Then input global (outside) 1 206.112.71.5.
Now on PIX2 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0. Then input global (outside) 1 206.112.71.6.

Now just complete your isakmp and crypto-map settings and you will be doing one single VPN between peers and PAT to the Internet. That's the best you can do on PIX with only a 30 bit legal subnet mask.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035

Theodore stout
Sent by: nobody@groupstudy.com
10/19/01 02:23 AM
Please respond to Theodore stout
To: [EMAIL PROTECTED]
cc:
Subject: PIX with PAT and VPN [7:23490]

Hello everyone. I am trying to implement 2 Internet connectivity solutions while at the same time creating 2 VPN solutions between two sites. What I would like to do is use a PIX 515 at both sites, tunnel IPSEC between the sites and still have normal access to the Internet. My problem is that I only have one IP address per site. In all of the solutions provided by Cisco, I would need a pool of registered IP addresses for NAT. PAT is not even possible. I know that this VPN-PAT-FW1 / FW1-PAT-VPN solution is available with Checkpoint. However, I would prefer a Cisco-only solution. Any suggestions?

Theodore Stout
Security Engineer
CCSE, CCNA, MCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23997t=23490
Re: PIX with PAT and VPN [7:23490]
I tried this and it did not work. When IPSEC negotiates a VPN session between the two PIX's, it will PAT an internal device from Network A as 206.112.71.5 and use 206.112.71.5:500 for the negotiation. Once another device wishes to access a device behind 206.112.71.6, it will have to use 206.112.71.5:500 as well. Cisco IPSEC will only allow one port 500 per IP. This means the original device will be moved from port 500 to a different port. IPSEC only uses port 500 for the negotiation and therefore the original connection fails. I did as you said, but I added another command, like this:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 0 access-list 101

Access-list 101 is the traffic to be encrypted. I have tried not to use PAT with encrypted data because of the IP:Port limitation problem. However, it still won't work. Any more suggestions?

[EMAIL PROTECTED] wrote:
With PIX you must have one legal address for the outside interface on BOTH PIXs. That's actually enough to do what you want to do.

Say that your legal address on PIX1 is 206.112.71.5/30. Go to PIX2, start up ipsec and input isakmp key 'your key' address 206.112.71.5. Then input crypto map 'your map-name' 'your sequence number' set peer 206.112.71.5.

Say that your legal address on PIX2 is 206.112.71.6/30. Go to PIX1, start up ipsec and input isakmp key 'your key' address 206.112.71.6. Then input crypto map 'your map-name' 'your sequence number' set peer 206.112.71.6.

Now on PIX1 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0. Then input global (outside) 1 206.112.71.5.
Now on PIX2 input nat (inside) 1 0.0.0.0 0.0.0.0 0 0. Then input global (outside) 1 206.112.71.6.

Now just complete your isakmp and crypto-map settings and you will be doing one single VPN between peers and PAT to the Internet. That's the best you can do on PIX with only a 30 bit legal subnet mask.

John Squeo
Technical Specialist
Papa John's Corporation
(502) 261-4035

Theodore stout
Sent by: nobody@groupstudy.com
10/19/01 02:23 AM
Please respond to Theodore stout
To: [EMAIL PROTECTED]
cc:
Subject: PIX with PAT and VPN [7:23490]

Hello everyone. I am trying to implement 2 Internet connectivity solutions while at the same time creating 2 VPN solutions between two sites. What I would like to do is use a PIX 515 at both sites, tunnel IPSEC between the sites and still have normal access to the Internet. My problem is that I only have one IP address per site. In all of the solutions provided by Cisco, I would need a pool of registered IP addresses for NAT. PAT is not even possible. I know that this VPN-PAT-FW1 / FW1-PAT-VPN solution is available with Checkpoint. However, I would prefer a Cisco-only solution. Any suggestions?

Theodore Stout
Security Engineer
CCSE, CCNA, MCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23755t=23490
PIX with PAT and VPN [7:23490]
Hello everyone. I am trying to implement 2 Internet connectivity solutions while at the same time creating 2 VPN solutions between two sites. What I would like to do is use a PIX 515 at both sites, tunnel IPSEC between the sites and still have normal access to the Internet. My problem is that I only have one IP address per site. In all of the solutions provided by Cisco, I would need a pool of registered IP addresses for NAT. PAT is not even possible. I know that this VPN-PAT-FW1 / FW1-PAT-VPN solution is available with Checkpoint. However, I would prefer a Cisco-only solution. Any suggestions?

Theodore Stout
Security Engineer
CCSE, CCNA, MCSE

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23490t=23490
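The configuration this thread circles around, written out as one added example. It is not a config posted by anyone in the thread and not a Cisco-published one: a PIX 6.x site-to-site IPsec tunnel between the two peer addresses named above (206.112.71.5 and 206.112.71.6), with PAT to the outside interface address for ordinary Internet traffic and nat 0 exempting the site-to-site traffic from translation. The inside networks (192.168.1.0/24 behind PIX1, 192.168.2.0/24 behind PIX2), the names mymap, strong and 101, and the pre-shared key are assumptions made for the example; interface addressing and the default route are left out. Only PIX1 is shown; PIX2 mirrors it with the peer address, the key address and the two halves of access-list 101 swapped. The lines are grouped by phase so that the isakmp commands (IKE, phase 1) and the crypto ipsec / crypto map commands (IPsec, phase 2), which the "IPSec and IKE" post above asks about, can be told apart. The "!" lines are annotations for the reader, not PIX commands, and should be dropped before pasting.

```cisco
! PIX1: outside 206.112.71.5, inside 192.168.1.0/24, peer PIX2 at 206.112.71.6
! (addresses from the thread; inside networks and names are assumed for this example)

! --- Traffic selection and NAT ---
! Site-to-site traffic: nat 0 keeps it untranslated, and the same list is the
! crypto map selector. It must be the exact mirror image on PIX2
! (192.168.2.0 -> 192.168.1.0) or phase 2 proposals will not match.
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list 101

! Everything else from inside is PAT'd to the outside interface address.
! This rule only applies to traffic transiting from inside; the firewall's own
! IKE (UDP/500) and ESP packets are sourced from the outside interface address
! and are never PAT'd, so one address serves as both PAT address and IKE peer.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface

! Let decrypted tunnel traffic in without a conduit or outside access-list entry.
sysopt connection permit-ipsec

! --- IKE / ISAKMP (phase 1): peer authentication and the IKE SA over UDP/500 ---
isakmp enable outside
isakmp identity address
! Placeholder key for the example; use a long random secret in practice.
isakmp key c0nstructedExampleKey address 206.112.71.6 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- IPsec (phase 2): the ESP transform set, and the crypto map that ties
! selector (match address), peer and transform together on the outside interface ---
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set peer 206.112.71.6
crypto map mymap 10 set transform-set strong
crypto map mymap interface outside
```

To check it, send traffic from 192.168.1.0/24 to 192.168.2.0/24 and look at show isakmp sa (a phase 1 SA in state QM_IDLE) and show crypto ipsec sa (the encaps/decaps counters climbing); show xlate should show no translation entry for those flows, because nat 0 is evaluated before the PAT rule. If phase 1 never forms, the usual causes are a mismatched pre-shared key or policy, or an upstream filter on UDP/500 and ESP (IP protocol 50); if phase 1 forms but nothing is encrypted, the access-list halves are not mirror images. The example uses 3DES and SHA-1 because those were the strongest options on the platforms discussed here; single DES should not be used.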