Re: Smartnet Contract

2001-03-21 Thread Trentj

Your 2523 is listed under Category 5. You will also need to choose what level
of services you want with your smartnet contract i.e.

8X5XNBD - Parts replacement Next business day. If part fails on Friday you
will have your part on Monday.

24X7X4 - Parts replacement will arrive within 4 hours of TAC determining
that it is faulty hardware.

Onsite 24X7X4 - An engineer (probably not from Cisco) will deliver the part
within 4 hours and will install the new part into your router. This engineer
will NOT do any software configuration.

These are just some examples. Obviously the better the service the higher
the price. Hope it helps.


"Shawn P Bolan" [EMAIL PROTECTED] wrote in message
news:999gra$4bu$[EMAIL PROTECTED]...
 I would like to purchase a Smartnet contract for a 2523 I just purchased via
 ebay (just in case)... what type of Smartnet should I be getting... there
 are so many and I have not purchased one before... thanks in advance for the
 advice
 --
 Shawn P Bolan, MCSE/MCT
 [EMAIL PROTECTED]




 _
 FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
 Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]






IS-IS on Lab Exam

2001-03-05 Thread Trentj

All,
Since ISO CLNS has been removed from the lab exam does this include
Integrated IS-IS in an IP environment?





Re: VPN through PIX/tacacs+ via internet

2001-01-27 Thread TrentJ

Do a search at CCO with either key words of "extended authentication" or
"xauth".


"Allen May" [EMAIL PROTECTED] wrote in message
news:124001c087c5$cee4c4a0$[EMAIL PROTECTED]...
 On a similar note, I'm trying to set up CiscoSecure for VPN connections
 through the pix and authenticated via tacacs+.  Most of the docs are related
 to dial-up for this.  I want VPN via the internet.  I just want it to grab
 from a pool of internal IP's and allow internal access.  Any clues you guys
 can give me on what I need to be looking for here?  I keep finding vpdn
 ppp setup docs.

 - Original Message -
 From: "Christopher Larson" [EMAIL PROTECTED]
 To: "'Liwanag, Manolito'" [EMAIL PROTECTED]; "'Cisco Group Study'"
 [EMAIL PROTECTED]
 Sent: Friday, January 26, 2001 12:08 PM
 Subject: RE: VPN through ADSL


  The problem is not so much that the ISP is assigning an address to your DSL
  device through DHCP as the problem of letting the PIX get to the peer
  address (which will be the HOST inside, not the DSL device).
 
  Since you are using PAT the address from the host will likely always be the
  same so it should be o.k.
 
  If you did not know what the client's address would be each time because you
  were using NAT (as opposed to PAT) then you would want to use IKE MODE
  CONFIG on the PIX with a wildcard key, or dynamic list on the PIX with a
  wild card key.
 
 
 
 
 
 
  -Original Message-
  From: Liwanag, Manolito [mailto:[EMAIL PROTECTED]]
  Sent: Friday, January 26, 2001 11:38 AM
  To: 'Cisco Group Study'
  Subject: VPN through ADSL
 
 
 
  I want one of our remote branches to access the internet via ADSL. The remote
  branch will have the Alcatel ADSL router that the ISP will provide as well
  as a Linksys router behind it for PAT and firewalling capabilities. I also
  want to place a Cisco VPN client at a workstation in the remote branch to
  connect to Corporate. Corporate has a PIX firewall with VPN capabilities.
 
  My question is - Since the ISP uses DHCP to lease addresses for the ADSL
  connection, will this affect my vpn connection?
 
  My Answer is - No since the branch workstation will be PATed anyway.
  Interesting traffic as defined by the VPN policy will allow packets to go
  through to the Corporate location.
 
  Can anyone verify if this train of thought is correct or is there a better
  way to do this?  Basically the remote branch needs to access a Unix server in
  corporate to be able to send a print job to the branch.
 
  Thank you in advance
 
  Rgds,
  Manolito
 






Crypto Map and ACL applied to same interface

2001-01-27 Thread TrentJ

Are there ramifications of applying a Crypto Map (which involves creating an
ACL for VPN traffic) and a separate ACL to permit other specific traffic to
the same interface? I was unable to get my Security Associations to come
up after implementing this config. Not shown below but I have created a
static nat statement from an internal host to an outside address, for NT
Terminal server access from terminal server clients. Addresses have been
changed in this example to protect the innocent.
Example:

crypto map mymap 10 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set VPNC1
 set pfs group2
 match address VPNC

interface FastEthernet0/0
 description Inside
 ip address 192.168.224.195 255.255.240.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto

interface FastEthernet0/1
 description Outside
 ip address 10.10.4.195 255.255.255.224
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 ip access-group 199 in
 duplex auto
 speed auto
 crypto map mymap

ip access-list extended VPNC
 permit ip 192.168.224.140 0.0.0.3 192.168.2.0 0.0.0.255

ip access-list extended 199
 permit tcp host any host 192.168.1.190 eq 3389
 permit ip host 10.10.10.1 255.255.255.0 any





Re: Frame Relay Security

2001-01-07 Thread TrentJ

Here is a document that may help answer your question.

http://www.cisco.com/warp/public/cc/so/neso/wnso/power/chzsp_wp.htm


"Kevin Welch" [EMAIL PROTECTED] wrote in message
news:015f01c078cc$c64bece0$2a002a0a@sjc102498...
 I understand most of the benefits of frame relay, but I am wondering if
 there are any security problems associated with this protocol?  Is it
 secure enough for unencrypted transfer of financial or sensitive
 information?  Any help understanding the security risks associated with
 frame relay appreciated.

 -- Kevin







Re: NetBios forwarding (Addendum)

2000-12-30 Thread Trentj

I've never used the "ip directed-broadcast" config to do what you're trying to
do. You may need to use the "ip helper-address" config to forward your
netbios traffic. Check out the attached URL. Hope this helps.

http://www.cisco.com/univercd/cc/td/doc/product/software/ssr83/rpc_r/48383.htm#xtocid670622


"John Neiberger" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Okay, after a tad more research, I've come up with the following config,
 which corrects some mistakes and misunderstandings in my previous config.

 interface Serial0
  ip address 10.1.1.254 255.255.255.0
  ip directed-broadcast 101
 !
 interface Serial1
  ip address 10.2.2.254 255.255.255.0
  ip directed-broadcast 102
 !
 access-list 101 permit udp host 10.1.1.1 any eq netbios-ns
 access-list 101 permit udp host 10.1.1.1 any eq netbios-dgm
 access-list 102 permit udp host 10.2.2.2 any eq netbios-ns
 access-list 102 permit udp host 10.2.2.2 any eq netbios-dgm

 Now, from what I can tell, this will do what I'm attempting, but I'd still
 love to have your opinions because I have *zero* experience with netbios or
 broadcast forwarding.  I'd hate to break one thing while trying to fix
 another.  (gee, I've never done that before!)

 Thanks again,
 John

   We have some new software running on a single workstation that is trying to
   use netbios to communicate with a server on a different subnet.  We do not
   currently allow this type of forwarding, and I've never configured it
   before.  We'd like to limit netbios forwarding to just these two machines.
   Here is my idea, let me know if this would be the way to do it.
 
   access-list 1 permit 10.1.1.1  (workstation)
   access-list 2 permit 10.2.2.2  (server)
 
   ip forward-protocol udp 137
   ip forward-protocol udp 138
   ip forward-protocol udp 139
 
   int fastethernet1/0
   ip add 10.1.1.254 255.255.255.0
   ip directed-broadcast 1
   ip helper-address 10.2.2.2
 
   int fastethernet2/0
   ip add 10.2.2.254 255.255.255.0
   ip directed-broadcast 2
   ip helper-address 10.1.1.1
 
   Would this do what I'm trying to accomplish?  If not, please let me know, or
   if anyone has any tips for this sort of thing, I'd love to hear them.
 
   Thanks a million, as usual!
 
   John
 
 
 
 
 











Re: cert tracking question

2000-12-29 Thread Trentj

The CCDP 1.0 Track no longer exists. All of the CCDP exams you took were for
the CCDP 2.0 track.

http://www.cisco.com/warp/public/10/wwtraining/certprog/lan2/programs/ccdp.html


"Donald B Johnson Jr" [EMAIL PROTECTED] wrote in message
news:007f01c071c2$96dfd720$[EMAIL PROTECTED]...
 I was just on the cert tracking system and it said I was a CCNP 2.0 and a
 CCDP 1.0.
 How do you get to be CCDP 2.0?
 These are my tests passed.
 CCNA 1.0
 CCDA 1.0
 640-503 Routing
 640-504 Switching
 640-505 Remote Access
 640-506 CIT
 640-025 CID
 Duck







Re: Switch preference (network topology) question

2000-11-28 Thread Trentj

You may consider a Catalyst 4000 series which will save you some cost.
http://www.cisco.com/warp/public/cc/pd/si/casi/ca4000/

"Jeff Walzer" [EMAIL PROTECTED] wrote in message
news:005901c05973$6c8599e0$[EMAIL PROTECTED]...
 By next year our office will have over 50 people. This does not include
 people who will be in our building and working for other companies. That
 number will be around 15 and it will grow. Basically, our building hosts our
 company and various other companies and I am part of a two-man IT staff that
 runs everything for all companies. Currently, we are using three 3548 XL
 switches and a 2620 for interVLAN routing.

 In this scenario, would it be feasible (and cost-effective) for me to roll
 out a 5000 (or a 5505) with a GBIC module and an RSM to take the load off
 the 2620 (which also does routing for our Frame Relay network)?

 Thanks,
 Jeff









Re: Access-list Problem with UDP Port 53

2000-11-28 Thread Trentj




Try the following:
access-list 100 permit udp any eq domain any


DNS queries go out on a dynamic UDP source port and the destination UDP port
is 53. On the response to the DNS query, the UDP datagram is source UDP port
53, and the destination port is whatever dynamic UDP port that was originally
the source going out. Your original entry would work fine if it was an
outbound access-list, but since it is inbound from the ISP, you need to make
the adjustment.

Hope this helps

  "Richie, Nathan" [EMAIL PROTECTED] wrote in message
  news:[EMAIL PROTECTED]...
  I am having a problem with an access-list on a 2600 router. It is used for
  the client's T1 connection. The access-list is as follows:

  access-list 100 deny ip 10.0.0.0 0.255.255.255 any
  access-list 100 deny ip 172.16.128.0 0.0.15.255 any
  access-list 100 deny ip 192.168.0.0 0.0.255.255 any
  access-list 100 permit tcp any any established
  access-list 100 deny icmp any any timestamp-request
  access-list 100 permit icmp any any
  access-list 100 permit tcp any any eq www
  access-list 100 permit tcp any any eq smtp
  access-list 100 permit tcp any any eq pop3
  access-list 100 permit udp any any eq domain
  access-list 100 deny udp any any log
  access-list 100 deny tcp any any log

  When this acl is applied inbound on the serial interface, all web browsing
  stops. Looking at the logs and acl counters, it shows that UDP port 53 is
  being denied via the "access-list 100 deny udp any any log" statement.

  From my understanding, TCP port 53 is used between DNS servers and UDP port
  53 is used for DNS queries between clients and DNS servers. The client is
  not hosting a DNS server, so they only need DNS queries and replies to pass.

  Upon changing "access-list 100 deny udp any any log" to "access-list 100
  permit udp any any log", all web browsing is enabled.

  Could someone please shed some light on what I am missing here?

  Thanks in advance,
  Nathan Richie
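

Added example, not part of the original posts: a small first-match evaluator run over the two UDP entries from this thread, showing why the inbound DNS reply falls through to the deny entry until the match is moved to the source port. The packet values and the helper names (parse, evaluate) are constructed for illustration, and only "any" addresses with "eq <port>" are modelled.

```python
# Added example (not from the thread): first-match evaluation of its UDP entries.
# Assumption: only the protocol and "eq <port>" on source/destination are
# modelled; addresses are all "any", as in the thread's UDP entries.
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src_port dst_port")  # None = any port
Packet = namedtuple("Packet", "proto src_port dst_port")
NAMED_PORTS = {"domain": 53}

def parse(line):
    """Parse 'access-list N <action> <proto> any [eq P] any [eq P] [log]'."""
    tok = [t for t in line.split()[2:] if t != "log"]
    action, proto, rest = tok[0], tok[1], tok[2:]
    ports = []
    while rest:
        if rest.pop(0) != "any":
            raise ValueError("only 'any' addresses are modelled")
        if rest and rest[0] == "eq":
            name = rest[1]
            ports.append(NAMED_PORTS.get(name) or int(name))
            rest = rest[2:]
        else:
            ports.append(None)
    return Rule(action, proto, *ports)

def evaluate(acl_lines, pkt):
    """Return the action of the first matching entry (implicit deny at end)."""
    for rule in map(parse, acl_lines):
        if (rule.proto == pkt.proto
                and rule.src_port in (None, pkt.src_port)
                and rule.dst_port in (None, pkt.dst_port)):
            return rule.action
    return "deny"

ORIGINAL = ["access-list 100 permit udp any any eq domain",
            "access-list 100 deny udp any any log"]
CORRECTED = ["access-list 100 permit udp any eq domain any",
             "access-list 100 deny udp any any log"]

# Constructed packets as seen inbound from the ISP; 33012 stands in for the
# client's dynamic source port, which becomes the reply's destination port.
DNS_REPLY = Packet("udp", src_port=53, dst_port=33012)
OTHER_UDP = Packet("udp", src_port=4000, dst_port=33012)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(name, evaluate(acl, DNS_REPLY), evaluate(acl, OTHER_UDP))
```

The corrected entry matches on source port alone, so it permits any inbound UDP datagram whose source port is 53, whatever its destination port. Replacing the source "any" with the resolvers' addresses narrows what the entry lets in.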