RE: WLAN security matters [7:57160]

2002-11-12 Thread Yonkerbonk
As far as I know Cisco does support AES on the
Concentrators. It's on the roadmap for the router and
PIX, but already out for the Concentrators.

Michael

--- mike greenberg  wrote:
 paul,
 When I talked about IPSec, I mean to say that AES is
 not currently supported
 on
 on Pix Firewalls on any VPN concentrator.  After I
 established connection
 via
 EAP/TLS on the wireless network, I have to make
 another IPSec connection via
 Cisco VPN client to make a secure connection to the
 internal network or
 surfing
 the Internet from my wireless DMZ segment.  At the
 moment, I know that
 Pix does NOT support AES, only 3DES.  CheckPoint has
 beaten Cisco to 
 the punch with SecureRemote (CheckPoint Client that
 is similar to Cisco VPN
 client) that supports AES.  Now if you know where I
 can get AES for Pix
 firewall
 from Cisco, please let me know so that I can contact
 Cisco for support.
 Mike G.
  Paul Forbes wrote: Some notes/opinions:
 
 1. A stolen laptop should trigger an employee to
 contact Human
 Resources, Security and/or IS. Anything less on the
 part of said
 employee is cause for termination - period.
 Alternatively, if the
 perceived threat is via corporate/military
 espionage, then the
 short-term solution is IPsec (IMO defeating the
 valuable properties of
 wireless) and long-term PEAP. Better yet, no
 wireless access at all and
 lock your wired ports down via URT or some such.
 
 2. ACS v3.1 was released and is orderable, but I
 can't find a single
 thing regarding CRL support by the authentication
 server. I'm digging
 around within my Cisco contacts for an answer. If I
 hear anything on
 this front, I'll be sure to toss up a comment.
 
 3. Mike G. mentioned in a previous email the absence
 of AES in Cisco's
 product plans. This is NOT the case - the AP1200
 product line was
 created so that, among other reasons, the CPU was
 capable of 256-bit
 AES. This was addressed in some detail at the San
 Diego Networkers'
 evening Product Session by Mike McAndrews, the
 Director of Product
 Management for the Wireless Networking BU.
 
 Cheers all.
 
 Paul
 
  -Original Message-
  From: Roberts, Larry
 [mailto:Larry.Roberts;expanets.com] 
  Sent: Monday, November 11, 2002 4:12 PM
  To: [EMAIL PROTECTED]
  Subject: RE: WLAN security matters [7:57160]
  
  
  Going back to the original e-mail question.
  
  I disagree that EAP-TLS is not a solution for
 sniffing. 
  Technically any
  wireless data can be sniffed, regardless of
 encryption. 
  However, it will be
  garbage until decoded. If you use EAP-TLS and set
 the 
  rekeying to a very
  short interval ( say 1 minute ) you would not be
 passing 
  enough data for the
  person to be able to decrypt using the weakness in
 the IV. 
  I'm not saying
  rekey every 1 minute, just that rekeying at 1
 minute would 
  assure you that
  not enough data had passed. You need to weigh the
 load on the 
  server/the
  amount of wireless traffic/the amount of security
 that you 
  need, to come up
  with the rekeying interval. 
  
  The biggest drawback to EAP-TLS has been lack of
 support at 
  the OS level.
  Windows XP supports it natively, but all other
 Microsoft OS's require
  additional software. Supposedly Microsoft is going
 to back 
  fit W2K , but
  they haven't released when. If you want vendor
 neutrality as 
  I am looking to
  do , you either need to be assured that all the
 vendors 
  release software
  that allows you to run EAP-TLS on your PC, or wait
 until MS 
  does it at the
  OS level.
  I know that Cisco and Lucent have EAP-TLS aware
 clients, 
  although I have
  only used Cisco's. Cisco and Lucent/Orinoco also
 have EAP-TLS 
  aware AP's,
  but I have yet to get the spare time to actually
 install my AP-500. 
  
  With EAP-TLS, you must worry about stolen laptops,
 which will have the
  Certificate stored automatically allowing access
 to the 
  network. CSACS 3.0
  doesn't support CRLs, so until 3.1 comes out
 which I was 
  told will have
  CRL support, you will need to just disable the
 username on 
  the certificate.
  
  The more obstacles that the end user must jump
 over, the more 
  likely that a
  rogue AP will pop up on the network.
  It is critical IMO that the authentication to the
 network be 
  as smooth and
  transparent as possible. LEAP does an excellent
 job of that, but it's
  proprietary :(
  
  Just my opinion though
  
  Thanks
  
  Larry


__
Do you Yahoo!?
U2 on LAUNCH - Exclusive greatest hits videos
http://launch.yahoo.com/u2




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=57275t=57160
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
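Larry's rekeying argument, as an added example that is not from any poster in the thread: it puts numbers on how much traffic one dynamic-WEP key sees at a given rekey interval, using the birthday bound on the 24-bit IV space for random IVs and the wrap point for sequential IVs. The frame rate and the acceptable reuse probability are assumed values.

```python
"""
Sizing a dynamic-WEP rekey interval against the 24-bit IV space.

Added example for the thread above, not from any poster. A short rekey
interval limits how much traffic an attacker can collect under one key.
Two things bound that budget:
  * random IVs: by the birthday bound, a 24-bit IV repeats long before
    2^24 frames (same IV + same key = same RC4 keystream, the WEP weakness);
  * sequential IVs: the counter simply wraps after 2^24 frames.
Frame rates and the acceptable reuse probability are assumed values.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs per key


def packets_per_key(pps: float, rekey_seconds: float) -> int:
    """Frames encrypted under one key before it is rotated."""
    return int(pps * rekey_seconds)


def iv_collision_probability(n_packets: int, iv_space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least two of n random IVs repeat.

    Uses 1 - exp(-n(n-1) / (2N)); for n >= N reuse is certain (pigeonhole).
    """
    if n_packets >= iv_space:
        return 1.0
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * iv_space))


def sequential_iv_wraps(n_packets: int, iv_space: int = IV_SPACE) -> bool:
    """True if a counter-based IV repeats within one key lifetime."""
    return n_packets > iv_space


def max_rekey_seconds(pps: float, max_reuse_prob: float,
                      iv_space: int = IV_SPACE) -> float:
    """Longest interval that keeps random-IV reuse below max_reuse_prob.

    Inverts the birthday approximation: n(n-1) <= -2N ln(1 - p), solved
    as the positive root of n^2 - n - budget = 0, then frames -> seconds.
    """
    if not 0.0 < max_reuse_prob < 1.0:
        raise ValueError("probability must be strictly between 0 and 1")
    budget = -2.0 * iv_space * math.log(1.0 - max_reuse_prob)
    n_max = (1.0 + math.sqrt(1.0 + 4.0 * budget)) / 2.0
    return n_max / pps


def assess(pps: float, rekey_seconds: float) -> dict:
    """Exposure of one key lifetime at a given frame rate."""
    n = packets_per_key(pps, rekey_seconds)
    return {
        "packets_per_key": n,
        "random_iv_reuse_prob": iv_collision_probability(n),
        "sequential_iv_wraps": sequential_iv_wraps(n),
    }


if __name__ == "__main__":
    # Constructed scenario: a busy AP at 500 frames/s, compared at Larry's
    # "1 minute" rekey against hourly and daily key lifetimes.
    for label, secs in (("1 minute", 60), ("1 hour", 3600), ("24 hours", 86400)):
        r = assess(500, secs)
        print(f"{label:>8}: {r['packets_per_key']:>9} frames/key  "
              f"P(IV reuse, random IVs)={r['random_iv_reuse_prob']:.3f}  "
              f"sequential IV wraps={r['sequential_iv_wraps']}")
    print(f"interval keeping P(reuse) < 1% at 500 frames/s: "
          f"{max_rekey_seconds(500, 0.01):.2f} s")
```

At 500 frames/s even a one-minute key sees about 30,000 frames, so random IVs are almost certain to repeat within it; what the short interval buys is a hard cap on frames per key, not IV uniqueness.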



Re: General PIX question DES/3DES [7:55200]

2002-10-09 Thread Yonkerbonk

Upgrade. You can get DES free but 3DES is upgrade.

--- [EMAIL PROTECTED]
 wrote:
 Do any of the PIX firewalls come with 3DES or is it
 an upgrade option on all
 the models  Particularly the PIX-525-UR-BUN.
 
 Thanx,
 mkj






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=55240t=55200



Re: CCIE Security Lab schedule FYI [7:52281]

2002-08-30 Thread Yonkerbonk

The only two places that offer this test is San Jose
and Brussels. As you know SJ does not have an opening
until April. Brussels has their first opening next
week! My company only has a certain amount of money
allotted for these tests so I can either take it in
October or wait until after February. Since I don't
feel like waiting I've gone ahead and signed up for
Brussels on October 17. That gives me a month and a half
to get ready. I wasn't prepared to take it so soon so
I guess I better catch up!

Michael Le, CCIE #6811

--- John Dorffler  wrote:
 I thought I should share some info with the group,
 especially those
 interested in pursuing the Security CCIE. I passed
 the written last week,
 and the system finally updated last night so that I
 could register for the
 lab. By the way, all lab types can be registered for
 on the web now.
 According to the online system, the first available
 date to take the
 Security lab in San Jose (the only North American
 site that offers the
 Security lab) is, ironically, April 1, 2003. That is
 over 7 months away.
 Extrapolating, if I have to schedule another date
 (I'm not so arrogant to
 assume I will pass the first try, but you never
 know...) I won't be able to
 take it again until November 1, 2003. I don't know
 if Cisco is planning to
 add more seats in San Jose or other locations
 anytime soon, so if you are
 thinking about taking the Security lab you better
 plan ahead, way ahead.
 
 My $0.02,
 John Dorffler
 CCIE #6677






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=52425t=52281



Re: failover only licence on PIX [7:45475]

2002-05-31 Thread Yonkerbonk

Hi Richard,

The FO is just a license and can be upgraded. The
hardware is all the same. So is the software for that
matter. It's the activation key that lets you use the
software and hardware the way you want or can afford.

Michael

--- nettable_walker  wrote:
 5/30/2002   6:35pm  Thursday
 
 Professionals,
 
 I have seen some deals on ebay for PIX 515's with
 FO license.  I also do a
 lot of work on 2 sets of 525's
 Is the FO license upgradeable to a regular license?
 Is the FO something in
 the chip set, and has anyone tried to modify it?
 
 Thanks,
 
 Richard
 
 //






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45510t=45475



Re: PIX: Active FTP vs Passive FTP [7:43625]

2002-05-09 Thread Yonkerbonk

The 'fixup protocol ftp strict 21' is generally
suggested for passive ftp. This is to make sure
servers are the only ones that can send the PASV
command. This closed a security hole in the past.

Michael Le, CCIE #6811

--- Jeffrey Reed  wrote:
 Are there any special considerations when allowing
 FTP through a PIX if
 clients can do either passive or active FTP
 sessions?
 
 Jeffrey Reed
 Classic Networking, Inc.
 Cell 717-805-5536
 Office 717-737-8586
 FAX 717-737-0290






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=43806t=43625
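The FTP fixup Michael mentions only works because the firewall reads the control channel. As an added example (not PIX code, and not from this thread), here is the parsing an FTP inspector has to do on the client's PORT command and the server's 227 reply before it can open a data-channel pinhole, with strict-style checks that each message comes from the right side and advertises the sender's own address. The session addresses and the dialogue are constructed.

```python
"""
Control-channel parsing an FTP inspector (the PIX fixup discussed above
is one) must do before it can open a data-channel pinhole.

Added example, not PIX code. It parses the client's PORT command (active
FTP) and the server's 227 reply to PASV (passive FTP) and applies two
strict-style rules: PORT only from the client side and 227 only from the
server side, and the advertised address must belong to the host that sent
it, so neither peer can get a third host pinholed (the classic FTP bounce).
"""
import re
from dataclasses import dataclass
from typing import Optional

# "h1,h2,h3,h4,p1,p2" tuple carried by both PORT and the 227 reply (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class ControlSession:
    client_ip: str
    server_ip: str


@dataclass(frozen=True)
class Pinhole:
    """Data connection to allow: src_ip connects to dst_ip:dst_port."""
    mode: str       # "active" or "passive"
    src_ip: str
    dst_ip: str
    dst_port: int


class FtpInspectError(ValueError):
    """Raised where a real inspector would drop the control connection."""


def _parse_hostport(text: str):
    m = _HOSTPORT.search(text)
    if not m:
        raise FtpInspectError("no h1,h2,h3,h4,p1,p2 tuple found")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise FtpInspectError("octet out of range")
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise FtpInspectError("data port 0 is invalid")
    return ".".join(str(o) for o in octets[:4]), port


def inspect(session: ControlSession, sender: str, line: str) -> Optional[Pinhole]:
    """Inspect one line sent by "client" or "server": a Pinhole when it fixes a
    data endpoint, None when it carries none, FtpInspectError on a violation."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        if sender != "client":
            raise FtpInspectError("PORT command from the server side")
        ip, port = _parse_hostport(line[5:])
        if ip != session.client_ip:
            raise FtpInspectError(f"PORT advertises {ip}, client is {session.client_ip}")
        # Active mode: the server connects back to the client's data port.
        return Pinhole("active", session.server_ip, ip, port)
    if line.startswith("227"):
        if sender != "server":
            raise FtpInspectError("227 reply from the client side")
        ip, port = _parse_hostport(line)
        if ip != session.server_ip:
            raise FtpInspectError(f"227 advertises {ip}, server is {session.server_ip}")
        # Passive mode: the client connects to the server's data port.
        return Pinhole("passive", session.client_ip, ip, port)
    return None


def inspect_dialogue(session: ControlSession, dialogue) -> list:
    """Run the inspector over (sender, line) pairs and collect the pinholes."""
    return [h for h in (inspect(session, s, ln) for s, ln in dialogue) if h is not None]


if __name__ == "__main__":
    # Constructed session and transcript (RFC 5737 documentation addresses).
    sess = ControlSession(client_ip="192.0.2.10", server_ip="198.51.100.20")
    transcript = [
        ("client", "USER anonymous"),
        ("server", "230 Login successful."),
        ("client", "PORT 192,0,2,10,4,1"),                                # data port 1025
        ("server", "200 PORT command successful."),
        ("client", "PASV"),
        ("server", "227 Entering Passive Mode (198,51,100,20,195,80)."),  # data port 50000
    ]
    for hole in inspect_dialogue(sess, transcript):
        print(hole)
    try:  # a PORT naming a third host is refused, not pinholed
        inspect(sess, "client", "PORT 203,0,113,5,0,25")
    except FtpInspectError as err:
        print("rejected:", err)
```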



Re: Async dial access parameters [7:23910]

2001-10-26 Thread Yonkerbonk

He is right. You can pass DNS and WINS information,
but subnet mask and stuff won't be in there. I don't
believe there is even a field in the IPCP packet for
that. Don't worry about what ipconfig says. It works
right? :)

Michael Le, CCIE #6811

--- nrf  wrote:
 Strange, I was able to pass information like DNS and
 WINS to the client just
 fine on my access-server, using async-bootp.
 
 Note, you generally don't need to pass things like
 subnet mask or GW to the
 client anyway.  If you are using normal IPCP
 negotiations, then the address
 of the access-server gets passed to the client as a
 host route.  And
 whatever address the access-server hands to the
 client,  Windows
 automatically gives it a /32 mask, even if you try
 to negotiate some other
 mask (I'm sure this behavior can be changed
 somewhere in the registry, I
 just don't know how, and besides, I don't know why
 you would want to).   And
 by default in Windows, once a dial PPP session has
 been negotiated, Windows
 uses that PPP session as a default gateway
 automatically, so your
 access-server doesn't need to hand default gateway
 information to the
 client.  You can turn this behavior off, if you
 want.
 
 
 
 
 
 
 
  NetEng wrote:
 
   I have a 2600 w/ NM16AM, I have it configured
 and it works like a champ
   except for one thing. How do I pass network
 parameters to the client? I
  need
   to specify the subnet mask, default gw, dns,
 etc. I tried the
 async-bootp
   command from global config, but that didn't work.
 I created the ip pool
 just
   fine, but I can't find where to set the rest of
 the info. TIA.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=24245t=23910



RE: VPN to PIX using Win2000 or Millennium?? [7:16452]

2001-08-20 Thread Yonkerbonk

I have PPTP running fine with Win2K. I had it working
on 5.3 and am now running 6.1. I recently upgraded to
DES but haven't tried using IPSec.

Michael Le, CCIE #6811

--- Rik Guyler  wrote:
 Yes, PIX supports PPTP according to CCO.  However, I
 became frustrated with
 PPTP as each version of Windows offers different
 options and interacts with
 the PIX in a different manner.  In other words, I
 have set this up and made
 it work most of the times I tried, but this one
 time, in band camp
 
 Now, my experience is with the 5.x code and maybe,
 just maybe, it's better
 with the 6.x code as this now seems to be the trendy
 way to provide remote
 access.  Despite this, I really recommend purchasing
 the VPN client.  The
 100-user license retails for around $250.
 
 BTW - It used to be that the PPTP configs for the
 PIX on CCO were flawed.
 Maybe this is still the same, maybe not.
 
 ---
 Rik Guyler
 
 -Original Message-
 From: Andy [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, August 18, 2001 6:48 AM
 To: [EMAIL PROTECTED]
 Subject: VPN to PIX using Win2000 or Millennium??
 [7:16452]
 
 
 Hi
 
 Does anyone know if it is possible to set up a VPN
 using either Windows 2000
 or Millennium to connect to a corporate PIX without
 using any Cisco client
 software?
 
 I believe it is possible but haven't had any luck in
 getting it to work.
 
 I have it working great using NT with the Cisco
 Secure VPN client, which
 unfortunately doesn't run on the newer versions of
 Windows. I've also been
 told this is because the newer versions of Windows
 don't need it as they
 have this capability built in.
 
 I've done the usual setting up the VPN part on
 Windows but to my mind there
 seems to be a lot of options missing that would
 allow you to get it to work
 properly, such as ESP and AHP settings, etc.
 
 Any help would be greatly appreciated.
 
 Andy






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=16525t=16452



RE: VPN to PIX using Win2000 or Millennium?? [7:16452]

2001-08-20 Thread Yonkerbonk

You need at least 5.1 to do PPTP. Look in Advanced PIX
Configurations for the commands.

Michael Le, CCIE #6811


--- Jose Villatoro  wrote:
 Hi Mike,
 
 Are there any references out there on the net on
 setting this up? Our PIX
 IOS version is 5.0. I've been using the VPN Client
 v1.0.a successfully, but
 it's not Win2K compatible.
 
 Thanks,
 
 Jose Villatoro
 
 -Original Message-
 From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
 Sent: Monday, August 20, 2001 1:34 AM
 To: [EMAIL PROTECTED]
 Subject: RE: VPN to PIX using Win2000 or
 Millennium?? [7:16452]
 
 
 I have PPTP running fine with Win2K. I had it
 working
 on 5.3 and am now running 6.1. I recently upgraded
 to
 DES but haven't tried using IPSec.
 
 Michael Le, CCIE #6811
 
 --- Rik Guyler  wrote:
  Yes, PIX supports PPTP according to CCO.  However,
 I
  became frustrated with
  PPTP as each version of Windows offers different
  options and interacts with
  the PIX in a different manner.  In other words, I
  have set this up and made
  it work most of the times I tried, but this one
  time, in band camp
  
  Now, my experience is with the 5.x code and maybe,
  just maybe, it's better
  with the 6.x code as this now seems to be the
 trendy
  way to provide remote
  access.  Despite this, I really recommend
 purchasing
  the VPN client.  The
  100-user license retails for around $250.
  
  BTW - It used to be that the PPTP configs for the
  PIX on CCO were flawed.
  Maybe this is still the same, maybe not.
  
  ---
  Rik Guyler
  
  -Original Message-
  From: Andy [mailto:[EMAIL PROTECTED]]
  Sent: Saturday, August 18, 2001 6:48 AM
  To: [EMAIL PROTECTED]
  Subject: VPN to PIX using Win2000 or Millennium??
  [7:16452]
  
  
  Hi
  
  Does anyone know if it is possible to set up a VPN
  using either Windows 2000
  or Millennium to connect to a corporate PIX
 without
  using any Cisco client
  software?
  
  I believe it is possible but haven't had any luck
 in
  getting it to work.
  
  I have it working great using NT with the Cisco
  Secure VPN client, which
  unfortunately doesn't run on the newer versions of
  Windows. I've also been
  told this is because the newer versions of Windows
  don't need it as they
  have this capability built in.
  
  I've done the usual setting up the VPN part on
  Windows but to my mind there
  seems to be a lot of options missing that would
  allow you to get it to work
  properly, such as ESP and AHP settings, etc.
  
  Any help would be greatly appreciated.
  
  Andy
 
 






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=16569t=16452



Re: blocking PORTS ON PIX!!! [7:16275]

2001-08-16 Thread Yonkerbonk

Well, by default your internal devices will be able to
access anything on the outside. You don't need to open
a port for that.
Allen is correct in just shutting down the port.

Michael Le

--- Magdy H. Ibrahim 
wrote:
 Hi Allen,
 Actually my point is how to restrict my outbound
 POP3 from accessing the
 outside mail servers.
 I want to block any internal request for external
 POP3 from accessing that
 target.
 
 you got it??
 I hope you may help me in this???
 
 Magdy
 
 
 Allen May wrote in message
 news:[EMAIL PROTECTED]...
  Maybe I missed the point of the question, but just
 don't open POP3 on the
  outside interface for inbound and that will
 restrict all outside users
 from
  using POP3.  Unless inside users pass through the
 PIX to get to the POP3
  server you won't need to add anything to the PIX
 to allow inside users
 POP3
  (or anything else for that matter).  The rest of
 the configuration for
 mail
  server restrictions can be done at the mail server
 if you want to tighten
 it
  down even further for inside users.
 
  Hope that helps.
 
  Allen
 
  - Original Message -
  From: Magdy H. Ibrahim
  To:
  Sent: Thursday, August 16, 2001 7:46 AM
  Subject: blocking PORTS ON PIX!!! [7:16275]
 
 
   Dear All,
  
   I have a question about how to block ports on
 PIX firewall:
   my case is: I have mail server working behind
 PIX so I opened POP3 and
  SMTP
   ports for this mail server.
   my mail server accessed from inside and outside
 interfaces.
   I want to limit my internal IP only to work with
 POP3 using outlook
  express
   or any mail client from my mail server and deny
 any request for POP3
 from
   outside mail servers such as hotmail or yahoo.
   can I do something like that ???
   Please advise me ASAP...
   here is my shortcut of my PIX conf.:
   static (inside,outside) 62.21.55.68 10.0.0.21
 netmask
   255.255.255.255 0 0
   access-group acl_in in interface inside
   conduit permit icmp any any
   conduit permit tcp host 62.21.55.66 eq smtp any
   conduit permit tcp host 62.21.55.66 eq pop3 any
  
   Regards,
  
   Magdy






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=16312t=16275



Re: VPN 3000 design and PIX [7:15653]

2001-08-13 Thread Yonkerbonk

Though some Cisco documentation says to put it in
parallel to the PIX, Cisco actually prefers three ways
and they all require you to go through the PIX.
One way is to have the public interface of the VPN to
be in the DMZ. This way the only traffic that hits the
VPN has been through the firewall already. The second
way is to have the private interface of the VPN to be
on the DMZ. This way unencrypted traffic is forced
through the PIX for inspection. The third and best way
is to have both the private and public interface be on
two different DMZs, so that both encrypted and
unencrypted traffic is forced through PIX inspection.
It's all a matter of how many interfaces you have for
DMZs.

Michael Le, CCIE #6811
--- Tom Richs  wrote:
 Can someone tell me if I have a PIX in place, where
 should I install my VPN 
 3000 box (in front of the pix, behind the pix,
 parallel, in the dmz on the 
 pix, etc).  Also, I can't seem to find any
 documentation that has how to do 
 it or how to configure each component.  Any help
 especially with 
 configuration on both would be greatly appreciated. 
 Thanks.
 
 Tom
 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=15888t=15653



Re: VPN ...firewall [7:14463]

2001-08-01 Thread Yonkerbonk

Cisco advises using one of three solutions.
1.) Firewall DMZ one going to VPN outside so that
encrypted traffic can be filtered. Then VPN inside
going to another DMZ on the firewall so that
unencrypted traffic has to go again through firewall.
This is best probably if you have the interfaces.
2.) Only VPN outside is connected to firewall. Once
traffic is unencrypted then it hits network directly.
3.) Only VPN inside is connected to firewall. Traffic
can hit VPN directly, but once unencrypted it will have
to go through firewall.

Stateful inspection is a more thorough inspection of
the IP packet to determine various things like if the
packet is a response packet to something on the
inside. If it is, then it's more likely to be safe.
Basically, it checks the state of sessions between
inside and outside devices. And yes the PIX supports
it.

Proxy server is a device that does something for
another device. Most common is a web proxy that goes
out and makes the http request for an internal PC. The
web server only sees the request coming from the web
proxy. The proxy most times also maintains a cache so
that commonly hit sites are stored locally and thus
data is returned quicker. Some proxies now also try to
do some packet filtering to be more like firewalls.
They don't do as good a job and don't scale as well as
true firewalls.

Michael Le, CCIE #6811
--- RAJESH AGNIHOTRI  wrote:
 Greetings ,
 
 QUESTIONS
 1)If we install a vpn box in the network ... does
 this mean it is  secured 
 ..
 or should we have firewall also ..  if so where
 should the firewall site on 
 the network .. before the vpn box or after vpn
 box...
 
 2) what do you mean by stateful inspection... does
 cisco PIX firewall 
 support it ...
 
 
 3difference between the firewall and proxy server
 ... ??
 
 
 Please let me know ...
 
 Regards
 
 Rajesh Agnihotri
 







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=14515t=14463



Re: Weird VPN issue [7:11055]

2001-07-05 Thread Yonkerbonk

If all the users are having problems accessing the
same server, have you checked to see if it's an issue
with that box?
Do a route print and see what routes are set on that
box? Check the arp cache and nbtstat cache.

--- Mark Smith  wrote:
 I am using several PIX units to tunnel between
 locations for where I work.
 The Pix to Pix tunnels works fine.
 I also have users tunneling in from
 home/dialup/remotely however they chose
 to connect. These connections work almost fine.
 They all share the same
 issue. They cannot see one NT4 server on the
 internal network. They can't
 map drives to it and they can't even ping the IP
 address. Unfortunately
 there are user files on this box. All other internal
 addresses are
 completely accessible through their external
 connection except this one.  I
 called Cisco TAC and they just shrugged their
 shoulders on this one. This
 box is a domain controller, internal DHCP and WINS
 server and has some users
 flat files stored on it (no apps running on it) and
 I have a DFS share
 pointing to a directory it. Don't know if that
 matters any.
 Any ideas as to why I can access the entire
 172.25.1.0 network except for
 172.25.1.21?
 
 Thanks.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11084t=11055



Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk

What you need to test with is do an extended ping.
Type in ping ip and then enter. And then follow the
prompts after that. It gives you the choice of picking
which ip address the router will use as the source. By
default it uses the interface the packet leaves from.

Michael Le, CCIE #681

--- Allen May  wrote:
 OK I'll get the configs and forward in a bit.  But for
 now...the inside
 interface has an IP on that subnet.  What would it
 take to get it to work
 from the router itself?  It's got an outside IP
 going to the ISP and an
 inside IP for a 10.43.2.0/24 network with a
 secondary IP on the inside
 interface of 10.43.2.1.
 
 I guess what I'm trying to say is...how DO you make
 it work then? ;)
 
 Allen
 
 - Original Message -
 From: G30RG3 
 To: 
 Sent: Monday, July 02, 2001 7:53 PM
 Subject: Re: VPN troubles [7:10714]
 
 
  The reason you can't ping from the router itself is
 that when you specified
  what traffic to encrypt and send to the tunnel,
 you only specified the
  subnets behind the firewall and router.  If you
 try and ping the other
 side
  it will not go through the tunnel because it is
 not a match on the
  access-list.  That is one of the reasons.  I can't
 say that is the only
  reason cuz I don't know what your configs look
 like.
 
  Hope that helps
 
  George, Head Janitor, CCNA CCDA
  Cisco Systems
 
  Allen May wrote in message
  news:[EMAIL PROTECTED]...
   I have an IPSec tunnel set up between PIX and a
 2600 and it works
  perfectly
   for clients end-to-end.  However, I can't ping
 across the VPN from pix
 or
   router.
  
   I suspect a routing issue.  When I try to add a
 route to tell it
 anything
   going to the other end should use that IP on
 that interface, it gives an
   error saying invalid hop because it's on that
 router.
  
   Any ideas?
  
   A little info:
   Remote network has 10.43.2.0/24 but gateway is a
 secondary IP on the
   internal FastEthernet interface of a 2600.
   Central network is 10.43.1.0/24 on a PIX 515.
   Future networks will be on the 10.x.y.z network
  centralize to the PIX
   rack.
  
   The problem I'm trying to solve is making the
 remote routers
 authenticate
   over the VPN to TACACS+ for the enable password.
  If I can't ping the
 box
   because it's trying to go out the default route,
 it won't work.
  
   Allen






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10819t=10714
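George's explanation and Michael's extended-ping advice come down to which source address the crypto ACL sees. As an added example (not from the thread), this evaluates IOS-style access-list entries with wildcard masks the way the crypto map's `match address 120` and the NAT route-map's list 130 in the config Allen posts later in the thread do. The inside networks are the thread's 10.43.2.0/24 and 10.43.1.0/24; the redacted WAN address 207.x.y.22 is stood in for by the constructed placeholder 203.0.113.22.

```python
"""
Why the router's own pings in this thread never enter the IPsec tunnel,
while an extended ping sourced from the inside address does.

Added example, not from the thread. It evaluates IOS-style access-list
entries (address plus wildcard mask) the way 'match address 120' on the
crypto map and list 130 on the NAT route-map do. 10.43.2.0/24 and
10.43.1.0/24 are the thread's networks; 203.0.113.22 is a constructed
placeholder for the redacted WAN address 207.x.y.22.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str     # "permit" or "deny"
    src: str
    src_wild: str   # IOS wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wild: str


def _matches(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base on every bit the wildcard mask cares about."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for e in acl:
        if _matches(src, e.src, e.src_wild) and _matches(dst, e.dst, e.dst_wild):
            return e.action
    return "deny"


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC WILD DST WILD' lines.

    'any' expands to 0.0.0.0 255.255.255.255; non-ip entries are skipped.
    """
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        fields, rest = [], tok[4:]
        while rest:
            if rest[0] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]
                rest = rest[1:]
            else:
                fields += rest[:2]
                rest = rest[2:]
        entries.append(AclEntry(tok[2], *fields))
    return entries


# The two lists from the posted 2600 config (wrapped lines rejoined).
ACL_120 = parse_acl([
    "access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255",
])
ACL_130 = parse_acl([
    "access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255",
    "access-list 130 permit ip 10.43.2.0 0.0.0.255 any",
    "access-list 130 permit ip 192.168.103.0 0.0.0.255 any",
])


def tunnel_decision(src: str, dst: str) -> dict:
    """Whether a packet is selected for encryption (ACL 120) and for NAT (ACL 130)."""
    return {
        "encrypt": evaluate(ACL_120, src, dst) == "permit",
        "nat": evaluate(ACL_130, src, dst) == "permit",
    }


if __name__ == "__main__":
    cases = [
        ("router ping, default source (Serial0/0)", "203.0.113.22", "10.43.1.5"),
        ("extended ping, source 10.43.2.1", "10.43.2.1", "10.43.1.5"),
        ("LAN host to the Internet", "10.43.2.50", "198.51.100.7"),
    ]
    for label, src, dst in cases:
        print(f"{label:<42} {src:>13} -> {dst:<13} {tunnel_decision(src, dst)}")
```

The router-sourced ping leaves with the serial address, misses list 120 and so follows the default route in the clear; the same ping sourced from 10.43.2.1 is exempted from NAT by list 130 and then matches the crypto ACL.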



Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk

I reread the problem you were having. I missed it
before. You are trying to ping an address on the other
side of the VPN that is in the same range as on your
local LAN? That's where you're running into a problem.
You're trying to bridge across the tunnel. If you want
that, you need to specify that. Otherwise, you will
need to do NAT to translate the addresses -
destination or source. The PIX has an alias command
that double NATs for this very problem. Never tried it
with VPN tunnel tho, but I guess it should be the
same.

Michael Le, CCIE #6811

--- Allen May  wrote:
 Doesn't seem to work with 12.0(5).
 
 Here's the config.  FastEthernet0/0 secondary IP is
 in the range capable of
 going over the VPN.  When the router tries to ping
 over the VPN it just uses
 the default gateway out to the internet.
 
 I have a workaround to just give the TACACS+ box an
 internet address but
 it's bugging me that this won't work the way it was
 originally planned.
 
 
 
 Using 2646 out of 29688 bytes
 !
 version 12.0
 service timestamps debug datetime localtime
 service timestamps log datetime localtime
 service password-encryption
 !
 hostname MSI-2621
 !
 logging buffered 4096 debugging
 no logging console
 enable password 7 *
 !
 !
 !
 !
 !
 clock timezone CST -6
 clock summer-time CST recurring
 ip subnet-zero
 ip name-server 209.113.31.100
 !
 ip audit notify log
 ip audit po max-events 100
 !
 !
 crypto isakmp policy 11
  hash md5
  authentication pre-share
 crypto isakmp key * address 207.x.y.70
 !
 !
 crypto ipsec transform-set msiset esp-des
 esp-md5-hmac
 !
 !
 crypto map nolan 11 ipsec-isakmp
  set peer 207.x.y.70
  set transform-set msiset
  match address 120
 !
 !
 !
 process-max-time 200
 !
 interface FastEthernet0/0
  description MSI-LAN  Austin
  ip address 10.43.2.1 255.255.255.0 secondary
  ip address 192.168.103.1 255.255.255.0
  no ip directed-broadcast
  ip nat inside
 !
 interface Serial0/0
  description MSI-Austin to Insync-Houston T1
 (Internet)
  ip address 207.x.y.22 255.255.255.252
  no ip directed-broadcast
  ip nat outside
  no ip route-cache
  no ip mroute-cache
  crypto map nolan
 !
 interface FastEthernet0/1
  description MSI DMZ LAN
  ip address 207.x.y.129 255.255.255.224
  no ip directed-broadcast
 !
 interface Serial0/1
  description MSI-Austin to Microspace-Raleigh T1
  ip address 192.168.254.10 255.255.255.252
  no ip directed-broadcast
  service-module t1 clock source internal
 !
 router ospf 100
  redistribute connected subnets
  redistribute static subnets
  network 192.168.103.0 0.0.0.255 area 0
  network 192.168.254.8 0.0.0.3 area 0
  network 207.x.y.160 0.0.0.31 area 0
 !
 ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask
 255.255.255.224
 ip nat inside source route-map nonat pool MSI-LAN
 overload
 ip classless
 ip route 0.0.0.0 0.0.0.0 207.170.95.21
 ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
 ip route 207.x.y.120 255.255.255.248 207.x.y.14
 ip route 207.x.y.128 255.255.255.224 207.x.y.14
 no ip http server
 !
 access-list 1 permit 192.168.103.0 0.0.0.255
 access-list 120 permit ip 10.43.2.0 0.0.0.255
 10.43.1.0 0.0.0.255
 access-list 130 deny   ip 10.43.2.0 0.0.0.255
 10.43.1.0 0.0.0.255
 access-list 130 permit ip 10.43.2.0 0.0.0.255 any
 access-list 130 permit ip 192.168.103.0 0.0.0.255
 any
 access-list 198 permit icmp any any
 route-map nonat permit 10
  match ip address 130
 !
 snmp-server engineID local 000902309468D480
 snmp-server community  RO
 snmp-server community  RW
 !
 line con 0
  exec-timeout 30 0
  transport input none
 line aux 0
 line vty 0 4
  password 7 
  login
 !
 ntp clock-period 17180260
 ntp server 192.168.103.242 prefer
 !
 end
 - Original Message -
 From: Yonkerbonk 
 To: Allen May ;
 
 Sent: Tuesday, July 03, 2001 10:14 AM
 Subject: Re: VPN troubles [7:10714]
 
 
  What you need to test with is do an extended ping.
  Type in ping ip and then enter. And then follow
 the
  prompts after that. It gives you the choice of
 picking
  which ip address the router will use as the
 source. By
  default it uses the interface the packet leaves
 from.
 
  Michael Le, CCIE #681
 
  --- Allen May  wrote:
   OK I'll get the configs and forward in a bit.  But
 for
   now...the inside
   interface has an IP on that subnet.  What would
 it
   take to get it to work
   from the router itself?  It's got an outside IP
   going to the ISP and an
   inside IP for a 10.43.2.0/24 network with a
   secondary IP on the inside
   interface of 10.43.2.1.
  
   I guess what I'm trying to say is...how DO you
 make
   it work then? ;)
  
   Allen
  
   - Original Message -
   From: G30RG3
   To:
   Sent: Monday, July 02, 2001 7:53 PM
   Subject: Re: VPN troubles [7:10714]
  
  
    The reason you can't ping from the router itself is that when you specified what traffic to encrypt and send to the tunnel you only specified the subnets behind the firewall and router.  If you try and ping the other side

Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk

That's what I get for not creating a signature.

Michael

--- Kevin Wigle  wrote:
 can't resist
 
 Hey Michael, that's some CCIE# you go there   :-)
 
 Kevin Wigle
 
 - Original Message -
 From: Yonkerbonk 
 To: 
 Sent: Tuesday, July 03, 2001 11:30 AM
 Subject: Re: VPN troubles [7:10714]
 
 
  What you need to test with is do an extended ping. Type in ping ip and then enter. And then follow the prompts after that. It gives you the choice of picking which ip address the router will use as the source. By default it uses the interface the packet leaves from.
 
  Michael Le, CCIE #681
 
  --- Allen May  wrote:
   OK I'll get the configs & forward in a bit.  But for now...the inside interface has an IP on that subnet.  What would it take to get it to work from the router itself?  It's got an outside IP going to the ISP and an inside IP for a 10.43.2.0/24 network with a secondary IP on the inside interface of 10.43.2.1.
  
   I guess what I'm trying to say is...how DO you make it work then? ;)
  
   Allen
  
   - Original Message -
   From: G30RG3
   To:
   Sent: Monday, July 02, 2001 7:53 PM
   Subject: Re: VPN troubles [7:10714]
  
  
    The reason you can't ping from the router itself is that when you specified what traffic to encrypt and send to the tunnel you only specified the subnets behind the firewall and router.  If you try and ping the other side it will not go through the tunnel because it is not a match on the access-list.  That is one of the reasons.  I can't say that is the only reason cuz I don't know what your configs look like.
   
Hope that helps
   
George, Head Janitor, CCNA CCDA
Cisco Systems
   
    Allen May wrote in message news:[EMAIL PROTECTED]...
     I have an IPSec tunnel set up between PIX and a 2600 and it works perfectly for clients end-to-end.  However, I can't ping across the VPN from pix or router.
    
     I suspect a routing issue.  When I try to add a route to tell it anything going to the other end should use that IP on that interface, it gives an error saying invalid hop because it's on that router.
    
     Any ideas?
    
     A little info:
     Remote network has 10.43.2.0/24 but gateway is a secondary IP on the internal FastEthernet interface of a 2600.
     Central network is 10.43.1.0/24 on a PIX 515.
     Future networks will be on the 10.x.y.z network centralized to the PIX rack.
    
     The problem I'm trying to solve is making the remote routers authenticate over the VPN to TACACS+ for the enable password.  If I can't ping the box because it's trying to go out the default route, it won't work.

 Allen
  [EMAIL PROTECTED]
 
 
  __
  Do You Yahoo!?
  Get personalized email addresses from Yahoo! Mail
  http://personal.mail.yahoo.com/
 [EMAIL PROTECTED]
 


__
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10870t=10714
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: ARP cache [7:10832]

2001-07-03 Thread Yonkerbonk

That's not minimum. That's minutes.

Michael Le, CCIE #6811

--- andylow  wrote:
 Hi,
 
 I would like to find out if anyone knows why the age
 min is 133? What cause
 it? Definitely I did not create static ARP.
 Is there a link about ARP information on cisco
 router.
 
 
 
 Protocol  Address  Age (min)  Hardware Addr 
  Type   Interface
 Internet  123.123.123.123 133  
 0090.7f04.4516  ARPA   FastEthernet1
 
 
 Regards,
 
 Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10871t=10832



Re: tracking rogue dialup users [7:10859]

2001-07-03 Thread Yonkerbonk

You tell the devices that are logging how specific you
want them to be, regarding dates and minutes and all
that. The parameter is 'timestamps'. This is also why
you need to have a central timekeeping server that
syncs your devices across the enterprise, so that the
times make sense to everyone. NTP is used for this.

Michael Le, CCIE #6811

---  -  wrote:
 Greetz.
 
 Just a matter of interest.
 
 Say there is user A, he dials up to ISP J.
 User A breaks into server X.
 Server X has the ip, he contacts the isp
 How is the user tracked from there on...
 
 Do servers like CiscoSecure ACS keep track of the ip
 and the time connected.
 The reason I am asking is in my little experience
 that I had with
 CiscoSecure ACS and their radius, I could not find
 such info on the logs.
 Is tacacs perhaps a little better, will it give me
 more info?  Or will this
 user just get away with this -- Doubt it though
 
 Any help will be greatly appreciated.
 
 Ciao




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10872t=10859
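To make Michael's point about timestamps and NTP concrete, here is an added Python example, written for this page and not taken from CiscoSecure ACS or any Cisco documentation, that answers the original question ("who was on this address at this time?") against a constructed, simplified accounting log. The record layout (timestamp with zone, Start/Stop, user, framed address, session id) is my own simplification, not the ACS log or RADIUS wire format; the usernames, addresses and session ids are constructed. It shows that a Start/Stop pair bounds who held an address, that the same address is reused by later sessions, and that a query time with no timezone cannot be correlated at all, which is why every logging device must be on synced time.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample of a simplified AAA accounting log (not real ACS output):
# <ISO-8601 timestamp with zone> <Start|Stop> <user> <framed address> <session id>
SAMPLE_ACCT_LOG = """\
2001-07-03T09:58:12Z Start alice 172.16.5.20 0000A1
2001-07-03T10:02:40Z Start bob   172.16.5.21 0000A2
2001-07-03T10:31:07Z Stop  alice 172.16.5.20 0000A1
2001-07-03T10:33:15Z Start carol 172.16.5.20 0000A3
2001-07-03T11:05:59Z Stop  bob   172.16.5.21 0000A2
"""


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    A timestamp with no zone is rejected: a bare "10:15" from a server whose
    clock is unsynced or whose zone is unknown cannot be matched against the
    dial-in server's records, which is the timestamps/NTP point above."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {text!r} carries no timezone; cannot correlate")
    return dt.astimezone(timezone.utc)


def is_correlatable(text: str) -> bool:
    """True if the timestamp can be placed on a common (UTC) timeline."""
    try:
        parse_ts(text)
        return True
    except ValueError:
        return False


@dataclass
class Session:
    user: str
    ip: str
    session_id: str
    start: datetime
    stop: Optional[datetime] = None   # None = still open (no Stop record seen)


def build_sessions(log_text: str) -> List[Session]:
    """Pair Start and Stop records by session id."""
    sessions: Dict[str, Session] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, status, user, ip, sid = line.split()
        when = parse_ts(ts)
        if status == "Start":
            sessions[sid] = Session(user, ip, sid, when)
        elif status == "Stop":
            sess = sessions.get(sid)
            if sess is None:
                # Stop with no Start (log rotated?): keep a zero-length marker, don't lose it
                sessions[sid] = Session(user, ip, sid, when, when)
            else:
                sess.stop = when
        else:
            raise ValueError(f"unknown accounting status {status!r}")
    return list(sessions.values())


def who_had_address(sessions: List[Session], ip: str, at: str) -> Optional[str]:
    """Return the user whose session held `ip` at time `at`, or None if nobody did."""
    t = parse_ts(at)
    for s in sessions:
        if s.ip == ip and s.start <= t and (s.stop is None or t < s.stop):
            return s.user
    return None


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_ACCT_LOG)
    # The compromised server logged the event in its own zone (CST, -6), which
    # is fine as long as the zone is recorded and both clocks are synced.
    print(who_had_address(sessions, "172.16.5.20", "2001-07-03T04:15:00-06:00"))  # alice
    print(who_had_address(sessions, "172.16.5.20", "2001-07-03T10:40:00Z"))       # carol
```

The query at 10:32Z returns nobody, because the address was between sessions; without the Stop record (or with a clock that is a few minutes off) the wrong user would be named, which is the practical reason for keeping accounting Stop records and NTP on every box in the chain.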



Re: VPN troubles [7:10714]

2001-07-03 Thread Yonkerbonk

The only thing I can think of is packets originating
from the router normally don't get passed through
access-lists. But I remember being able to pass
router-originated packets through my tunnel just fine,
so I'm not sure what the rules for VPNs are.
Sorry.

Michael

--- Allen May  wrote:
 Actually it's not in the same range.  The config I sent was from a 2600 on 10.43.2.0/24 and the destination on the other end of the tunnel is 10.43.1.0/24.  It is set up to only allow IP's originating from 10.43.2.0/24 to go through the tunnel (vice-versa on other end).  Everything else gets routed out to the internet & nat'd.  NAT does not work with IPSec tunnels according to all the documents I found on cisco.com.  The whole problem is that it won't use the 10.43.2.1 interface as the source IP when I try to get across the tunnel from the router.
 
 Thanks a lot for the help...I do appreciate it.  Any other ideas?  I'm about to give up & use the work-around of sending TACACS+ authentication requests over the internet via a real IP address.  That will just mean I have to add another access-list for source IP's allowed into the TACACS+ box.  More work but it would be do-able.
 
 Allen
 - Original Message -
 From: Yonkerbonk 
 To: Allen May ;
 
 Sent: Tuesday, July 03, 2001 1:40 PM
 Subject: Re: VPN troubles [7:10714]
 
 
  I reread the problem you were having. I missed it before. You are trying to ping an address on the other side of the VPN that is in the same range as on your local LAN? That's where you're running into a problem. You're trying to bridge across the tunnel. If you want that, you need to specify that. Otherwise, you will need to do NAT to translate the addresses - destination or source. The PIX has an alias command that double NATs for this very problem. Never tried it with VPN tunnel tho, but I guess it should be the same.
 
  Michael Le, CCIE #6811
 
  --- Allen May  wrote:
   Doesn't seem to work with 12.0(5).
  
   Here's the config.  FastEthernet0/0 secondary IP is in the range capable of going over the VPN.  When the router tries to ping over the VPN it just uses the default gateway out to the internet.
  
   I have a workaround to just give the TACACS+ box an internet address but it's bugging me that this won't work the way it was originally planned.
  
  
  
   Using 2646 out of 29688 bytes
   !
   version 12.0
   service timestamps debug datetime localtime
   service timestamps log datetime localtime
   service password-encryption
   !
   hostname MSI-2621
   !
   logging buffered 4096 debugging
   no logging console
   enable password 7 *
   !
   !
   !
   !
   !
   clock timezone CST -6
   clock summer-time CST recurring
   ip subnet-zero
   ip name-server 209.113.31.100
   !
   ip audit notify log
   ip audit po max-events 100
   !
   !
   crypto isakmp policy 11
hash md5
authentication pre-share
   crypto isakmp key * address 207.x.y.70
   !
   !
   crypto ipsec transform-set msiset esp-des esp-md5-hmac
   !
   !
   crypto map nolan 11 ipsec-isakmp
set peer 207.x.y.70
set transform-set msiset
match address 120
   !
   !
   !
   process-max-time 200
   !
   interface FastEthernet0/0
description MSI-LAN  Austin
ip address 10.43.2.1 255.255.255.0 secondary
ip address 192.168.103.1 255.255.255.0
no ip directed-broadcast
ip nat inside
   !
   interface Serial0/0
    description MSI-Austin to Insync-Houston T1 (Internet)
ip address 207.x.y.22 255.255.255.252
no ip directed-broadcast
ip nat outside
no ip route-cache
no ip mroute-cache
crypto map nolan
   !
   interface FastEthernet0/1
description MSI DMZ LAN
ip address 207.x.y.129 255.255.255.224
no ip directed-broadcast
   !
   interface Serial0/1
description MSI-Austin to Microspace-Raleigh T1
ip address 192.168.254.10 255.255.255.252
no ip directed-broadcast
service-module t1 clock source internal
   !
   router ospf 100
redistribute connected subnets
redistribute static subnets
network 192.168.103.0 0.0.0.255 area 0
network 192.168.254.8 0.0.0.3 area 0
network 207.x.y.160 0.0.0.31 area 0
   !
   ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask 255.255.255.224
   ip nat inside source route-map nonat pool MSI-LAN overload
   ip classless
   ip route 0.0.0.0 0.0.0.0 207.170.95.21
   ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
   ip route 207.x.y.120 255.255.255.248 207.x.y.14
   ip route 207.x.y.128 255.255.255.224 207.x.y.14
   no ip http server
   !
   access-list 1 permit 192.168.103.0 0.0.0.255
   access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
   access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
   access-list 130 permit ip 10.43.2.0 0.0.0.255 any
   access-list 130 permit ip 192.168.103.0 0.0.0.255 any
   access-list 198 permit icmp any any
   route-map nonat permit 10
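George's explanation earlier in this thread (router-originated packets fall outside the crypto access-list) and the access-lists 120 and 130 in the config Allen posted above can be checked mechanically. The following Python model of IOS wildcard-mask matching is an added example written for this page; it is not Allen's config nor anything from Cisco. The ACL lines are copied from the config above (unwrapped); 198.51.100.22 is a constructed stand-in for the router's serial address (207.x.y.22 in the config), and 10.43.1.10 is a constructed host behind the PIX.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One extended access-list entry: action proto src src-wild dst dst-wild."""
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _addr_pair(tok: List[str], i: int) -> Tuple[str, str, int]:
    """Parse 'any', 'host X' or 'X wildcard' starting at tok[i]; return (base, wild, next)."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(line: str) -> Ace:
    """Parse an extended IOS ACE such as
    'access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255'."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    action, proto = tok[2], tok[3]
    src, src_wild, i = _addr_pair(tok, 4)
    dst, dst_wild, _ = _addr_pair(tok, i)
    return Ace(action, proto, src, src_wild, dst, dst_wild)


def evaluate(acl: List[Ace], src: str, dst: str, proto: str = "ip") -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        proto_ok = ace.proto == "ip" or ace.proto == proto
        if (proto_ok and wildcard_match(src, ace.src, ace.src_wild)
                and wildcard_match(dst, ace.dst, ace.dst_wild)):
            return ace.action
    return "deny"


# ACLs copied from the quoted router config (line wrapping removed).
ACL_120 = [parse_ace("access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255")]
ACL_130 = [parse_ace(l) for l in (
    "access-list 130 deny   ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255",
    "access-list 130 permit ip 10.43.2.0 0.0.0.255 any",
    "access-list 130 permit ip 192.168.103.0 0.0.0.255 any",
)]

ROUTER_SERIAL_IP = "198.51.100.22"   # constructed stand-in for 207.x.y.22
PIX_SIDE_HOST = "10.43.1.10"         # constructed host behind the PIX


def classify(src: str, dst: str) -> str:
    """What the router does with a packet: tunnel it, NAT it, or send it in the clear."""
    if evaluate(ACL_120, src, dst) == "permit":
        return "tunnel"   # crypto map 'nolan' uses 'match address 120'
    if evaluate(ACL_130, src, dst) == "permit":
        return "nat"      # route-map 'nonat' matches 130: translated, then routed
    return "plain"        # selected by neither list: default route, unencrypted


if __name__ == "__main__":
    for src in ("10.43.2.50", ROUTER_SERIAL_IP, "10.43.2.1"):
        print(f"{src:>15} -> {PIX_SIDE_HOST}: {classify(src, PIX_SIDE_HOST)}")
```

A ping sourced from the serial interface is classified "plain": it matches neither the crypto ACL nor the NAT route-map and leaves via the default route unencrypted, which is exactly what Allen observed. The same ping sourced from the 10.43.2.1 secondary address (an extended ping, as Michael suggested) matches ACL 120 and is tunnelled; the deny line at the top of ACL 130 is what keeps that tunnel traffic from being translated first.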

Re: Catalyst 6500 Alteon [7:10895]

2001-07-03 Thread Yonkerbonk

You need to worry about native vlans if you're doing
802.1q trunking. 
It is trying to talk CDPv2 to the Alteons and probably
expecting something back. Just turn off CDP since you
won't need it with Alteons anyway. At least I don't
think so, unless Alteons do 802.1q trunking.
If they do, then probably it expects native vlan 1 or
something. Make sure your trunk to the device is on
vlan 1 or whatever the Alteon is set to. Turn off
trunking, change port vlan to 1, and then turn
trunking back on.

Michael Le, CCIE #6811

--- Ralph Filippelli  wrote:
 I am receiving an error message on my Cat 6500: %CDP-4-NVLANMISMATCH:Native vlan mismatch detected. It is connected to an Alteon AD2..
 
 Any Ideas
 
 Thanks
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10905t=10895



Re: network security issue [7:9556]

2001-06-25 Thread Yonkerbonk

Implement soft security tokens. They work like the
hard SecurID tokens, but you have to install them on
all the machines and have an AAA server to
authenticate them.

Michael Le, CCIE #6811

--- Jim Bond  wrote:
 Hello,
 
 My client is a Cisco shop and they have many offices all over the world. They want to make sure that only authorized persons can connect to their network. Their concern is that someone may just walk into one of their offices and plug in a laptop and then is on their network. How can we prevent this?
 
 The only thing I can think of is create a MAC database and implement security on the 6509 switches. But to create and manage tens of thousands of MAC addresses is a pain. Is there any other way?
 
 Thanks in advance.
 
 Jim
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=9884t=9556



Re: PIX static addreess translation updated [7:8090]

2001-06-12 Thread Yonkerbonk

Have you allowed pings through the PIX?

--- Gary Crouch  wrote:
 config as below
 
 Address translation unable to pass traffic to server farm
 Have static and conduits configured
 added static route on fire wall to Internal router
 have statics routes on internal router to ISP router also have routes on servers
 
 
 Internet router---Outside int-PIX---Inside int---Internal router-ISP router-Server farm
                                                        |
                                                 Internal networks
 
 
 I can ping the Server farm from the PIX inside interface
 I can ping the PIX inside interface from the server farm
 Can not ping server farm from outside network
 tracert from outside traces to ISP router and then drops out
 Can ping and access conduited servers on Internal networks.
 can ping ISP router from Internal router but can ping servers
 can ping and access server from internal network
 can ping internal network from Server farm
 a tracert from server farm hangs at ISP router alt-c cause trace to complete
 
 What am I missing??
 
 
 Thanks for your help




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=8164t=8090



Re: BGP multi-homed load sharing/balancing and redundancy [7:2107]

2001-04-26 Thread Yonkerbonk

If you're not running BGP to ISP2 yet and you have a
default route in there, it will take precedence over
the BGP routes to ISP1. So, you will end up only using
the FT3 link.
When you get BGP running to ISP2, in step two, then
things will work fine.

Michael Le, CCIE #6811

--- Kim Seng  wrote:
 Everyone,
 
 I currently have two T-1's to ISP1 and a Fractional T3 to ISP2. I am using static and default routes to connect them to the internet. There is no automatic fail-over as you know. Therefore, I am changing our ISPs but keeping the BW the same. Two T1's to ISP1 and FT3 to ISP2, and I would like to run BGP-4 at this time with multihomed load sharing and load balancing across these 3 links.
 
 This will be a two-step upgrade:
 
 1. Run BGP load sharing/balancing across two T1 links to ISP1. Can I do this while the FT3 link is still up and running with a default route to ISP2? In other words, can I do load sharing/balancing and redundancy at this step across these three links? (BGP via T1s to ISP1 and FT3 default route to ISP2)
 
 2. The second step is changing the fractional T3 from default route to run BGP and do load sharing, balancing and redundancy across these three links.
 
 Can these be done and what would be the appropriate steps?
 
 Many thanks in advance.
 
 Kim.
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=2107t=2107



Re: ADSL Splits off a 4KHz Region

2001-03-08 Thread Yonkerbonk

I think it refers to the fact that voice runs at the 3KHz or thereabouts spectrum. ADSL runs higher than that so they don't interfere with each other. That's why you can surf and talk on the phone at the same time. But you still need a splitter to send traffic from your phone line to either the phone or the DSL CPE.

Michael

--- [EMAIL PROTECTED] wrote:
 Can someone explain the following statement to me?
 
 ADSL Splits off a 4 KHz region for basic telephone service at the DC end of the band.
 
 I do not understand what they mean by Splits off (How)?
 I do not understand; at the DC end of the band?
 
 TIA,
 
 
 Jess
 




Re: Any magazine about routers and networks??

2001-03-07 Thread Yonkerbonk

Network Magazine is great. It's free too if you fill
out the standard forms.
You can find them online too at
http://www.networkmagazine.com/.

Michael Le, CCIE #6811 (RS)

--- xzadio [EMAIL PROTECTED] wrote:
 Do you know of any good magazines about network technology and routers or switches???
 
 Many thanks
 
 xzadio
 




Re: Good book on Catalyst Switches

2001-02-22 Thread Yonkerbonk

Cisco LAN Switching by Cisco Press
Kennedy Clark and Kevin Hamilton

Michael

--- Jon Krabbenschmidt [EMAIL PROTECTED]
wrote:
 Hi All!
 
 I am looking for your recommendations on a(some) good book(s) on Catalyst switches. I have several 4000 and 5000 switches and want to get to know them better, in addition to preparing for exams. All input greatly appreciated.
 
 Jon
 




Re: CCIE salary

2001-02-22 Thread Yonkerbonk

That's a pretty broad stroke you're painting. The CCIE is great, but the other certs can get you very good paying jobs. Especially if you have good experience with it. I made very good money as a CCNP, a lot more than what was quoted to you - $65K. And I live in a city that has very low cost of living. I have at least 5 CCNP friends making just about the same. None of us are sys admins.
Now that I'm a CCIE, it is indeed a lot easier to ask for more, but I wouldn't skip the CCNP straight for the IE. The NP gives you the incremental raises as you work your way up to IE. It would suck to get 7% per year for 2-3 years as you tried for the #. The NP gets you more.

--- Gayathri [EMAIL PROTECTED] wrote:
 Thanks for all the varying thoughts,
 
 It is better to hear first-hand information from like-minded people than to visit some recruiters'/head hunters' web sites and make wild guesses.
 
 It looks like CCIE is the ultimate. These middle level certificates only land you in a sys admin job..
 
 
 
 
 "Mask Of Zorro" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 
  The DC market rate for CCIE's is around $125. This varies with how long you have been a CCIE and what else you know...
 
  Z
 
  From: Stephane Wantou Siantou
 [EMAIL PROTECTED]
  Reply-To: Stephane Wantou Siantou
 [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Subject: CCIE salary
  Date: Wed, 21 Feb 2001 00:40:02 -0500 (EST)
  
   Hi everybody,
  
   Does anybody know approximately what the average
 CCIE makes in the
  DC area?
   Thanks
  
  



Re: Creating Multiple Interfaces on an Ethernet Port

2001-02-21 Thread Yonkerbonk

You can add IPX addresses to it, so it doesn't seem to
be an issue of layer 3 addresses. I think it's just a
matter of Cisco IOS supporting it.

Michael

--- Kenneth [EMAIL PROTECTED] wrote:
 try adding an ip address to it.
 
 "Tim Lovelace" [EMAIL PROTECTED] wrote in
 message

news:[EMAIL PROTECTED]...
  This seems to be incorrect. I tried this on a
 router I had spare and below
  are the results. It may be a newer feature, I am
 too lazy to look on CCO.
 
  Tim
 
 
  Router2#sh ver
  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-I-M), Version
 12.0(15), RELEASE SOFTWARE
  (fc1)
 
  
 
  Router2#config t
  Enter configuration commands, one per line.  End
 with CNTL/Z.
  Router2(config)#int e0/0
  Router2(config-if)#int e0/0.1
  Router2(config-subif)#
  00:01:29: %LINK-3-UPDOWN: Interface Ethernet0/0,
 changed state to up
  Router2(config-subif)#^Z
  Router2#sh run
 
  
 
  interface Ethernet0/0
   ip address 10.10.10.1 255.255.255.128
   no ip directed-broadcast
  !
  interface Ethernet0/0.1
   no ip directed-broadcast
  !
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of
  Brian
  Sent: Monday, February 19, 2001 9:29 PM
  To: Chris Wornell
  Cc: [EMAIL PROTECTED]
  Subject: Re: Creating Multiple Interfaces on an
 Ethernet Port
 
 
 
  the only way you can create sub interfaces on
 ethernet is to use dot1q or
  ISL encapsulation on a FastEthernet interface
 (VLANs)
 
  brian
 
 
  On Mon, 19 Feb 2001, Chris Wornell wrote:
 
   Hello,
  
   I've found out you can't create multiple
 interfaces on an ethernet port
   apparently.  I was wondering why this is
 exactly?  I know you can
  accomplish
   the same on serial lines using pvc's but it
 seems odd you can't do it on
   ethernet.  I know there are ethernet only
 networks and the ip secondary
   command doesn't seem right compared to creating
 a new interface.
  
   Chris Wornell
   Technical Support
   MM Internet http://mminternet.com
   888-654-4971
   CCNA, CCDA, CSE
  
  
 
  ---
I'm buying used CISCO gear!!
email me for a quote
 
  Brian Feeny e:[EMAIL PROTECTED]
  CCNP+Voice/ATM/Security p:318.222.2638x109
  CCDP f:318.221.6612
  Network Administrator
  ShreveNet Inc. (ASN 11881)
 



Re: OSPF config

2001-02-20 Thread Yonkerbonk

Routes that have their next hop as Null0 will be
distributed. The second Null0 seems to be redundant
since it means 'match either interface Null0 or
interface Null0'.
The only reason I can see this being used is if you're
advertising a summary route to your neighbors.

Michael

--- Jon Kuhn [EMAIL PROTECTED] wrote:
 Hi all,
 
 There's a route map for an OSPF configuration I'm
 working on that has a
 line:
 
 match interface Null0 Null0
 
 Does this mean match any interface or no interface? 
 I can't get any
 information from cisco.
 
 Thanks!
 Jon
 
 
 
 
 
 
 
 __
 Jon Kuhn
 IGNYTE Technology, Inc.
 3226 scott boulevard
 santa clara, california 95054
 phone 408.350.2600 ext. 335
 fax 408.350.2601
 [EMAIL PROTECTED]
 www.ignyte.com
 
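As an added configuration example (not from the post or from Cisco's documentation) of the one use Michael describes: a summary static route pointing at Null0 is redistributed into OSPF, and a route map with 'match interface Null0' makes sure only that summary, and not any other static route on the box, is redistributed. The prefix, process number and route-map name are assumptions.

```cisco
! Assumed: 10.1.0.0/16 is the aggregate of the more-specific networks
! behind this router. The static to Null0 is the summary; packets for
! parts of the /16 that have no more-specific route are discarded here
! instead of being forwarded back and forth with the neighbor.
ip route 10.1.0.0 255.255.0.0 Null0
!
! Only routes whose outgoing interface is Null0 pass this route map,
! so other statics on the router (a default route, for instance) are
! not leaked into OSPF by the redistribute statement below.
! Listing Null0 twice, as in the original 'match interface Null0 Null0',
! matches the same single interface and changes nothing.
route-map NULL0-SUMMARY permit 10
 match interface Null0
!
router ospf 1
 network 10.1.0.0 0.0.255.255 area 0
 redistribute static subnets route-map NULL0-SUMMARY
```

'show ip ospf database external' on a neighbor should then list 10.1.0.0/16 as the only external route originated by this router. If the summary is at an area border rather than a redistribution point, 'area <n> range' is the usual way to summarize without redistribution at all.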



Re: 2 default routes on PIX???

2001-02-20 Thread Yonkerbonk

To extend this line of thought - if you had another
2600 inside the PIX, could you point two default
routes through the PIX to the other routers?
I don't think there is a way to run two HSRP groups in
this case for redundancy, but we could have the two
2600 Internet routers point to each other as backup.
This would add an extra hop if one were to go down,
but it might be better than spending money on another
router.

Michael

--- Paul Lalonde [EMAIL PROTECTED] wrote:
 Cory,
 
 I'm afraid the PIX does not support load balancing
 (or multiple default
 routes). You'll need an intermediary router
 (in-between) to handle the
 load-balancing.
 
 Paul
 
 "Stull, Cory" [EMAIL PROTECTED] wrote in message
 news:0D7A05A19CE4D211BD050008C7330FE7259076@CCUPDC...
  Scenario:   2 2600 routers both with T1's to the
 same ISP.
  1 PIX firewall between internal lan and the 2
 2600's.
 
  Can I have 2 default routes in the PIX pointing
 one to one 2600 and the
  other to the other 2600?
  If so is this doing per packet load balancing? and
 what happens when one
 T1
  goes down?
 
 
  I would have set this up in a lab to test it but
 don't have a PIX.  I
 don't
  know if a router and PIX would do the same thing.
 
 
  Thanks in advance.
 
 
 
  Cory
 



Firewall design question (was Re: Does a PIX Route)

2001-02-19 Thread Yonkerbonk

to not allow a firewall to run routing protocols,
could someone give me advice on how to set up my
proposed redundant firewalls.
   Please refer to my ugly ASCII network.

   [BGP]---[BGP]
 |   |
 --[PIX]---[PIX]--
||   ||
|  [ A ]---[ A ]  |
||   ||
 --[CPT]---[CPT]--
 |   |
   [ B ]---[ B ]

   I plan to have two failover PIXs right behind two
BGP routers to the Internet. On the inside of the PIXs
I have one connection going to Network A and another
going to Network B. But right in front of Network B
(critical production network), I have a load balancing
set of Checkpoint firewalls. The Checkpoints are
connected to both Network A & B.
   I want it done so that the Checkpoint will forward
data to A when destined there and send all other
packets to the PIX. However, if the Checkpoint's link
to the PIX goes down, I want it to be able to send
traffic through network A and through the PIX from
there. I want it to work the other way around for the
PIX going to network B.
   My question is, how would I do that if the
firewalls don't run a routing protocol? Do the PIXs
allow for floating statics?
   Thanks for your help.

   Michael





Re: Does a PIX Route (was Re: Firewalls and VPNs)

2001-02-17 Thread Yonkerbonk

Is there any good reason why the PIX doesn't route?
Why it doesn't run OSPF? A Checkpoint firewall running
on a Solaris box would be able to run OSPF or
something, right? Why not a PIX?

Michael

--- anthony kim [EMAIL PROTECTED] wrote:
 Does your pix have a default route?
 Does your pix forward packets between subnets?
 Logically, then, the pix routes. Call it what you
 will, when forwarding
 between disparate networks, you route. I suppose
 cisco misunderstands the
 term "route" too.
 

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42apa.htm#xtocid88422
 
 Here's from Cisco:
 
 route Command
 
 The following are the extensions to the route
 command:
 
  The routing table has been improved to let you
 specify the IP address
 of a PIX Firewall interface in the route command. If
 the route
  command statement uses the IP address from one
 of the PIX Firewall
 unit's interfaces as the gateway IP address, PIX
 Firewall will
  ARP for the destination IP address in the
 packet instead of ARPing
 for the gateway IP address.
 
  PIX Firewall also does not accept duplicate
 routes with different
 metrics for the same gateway.
 
  In version 5.1(1), the CONNECT route entry is
 supported. (This
 identifier appears when you use the show route
 command.) The
  CONNECT identifier is assigned to an
 interface's local network and
 the interface IP address, which is in the IP local
 subnet. PIX
  Firewall will use ARP for the destination
 address. The CONNECT
 identifier cannot be removed, but changes when you
 change the
  IP address on the interface.
 
  You can now enter duplicate route command
 statements with different
 gateways and metrics.
 
  You can now enter static route command
 statements with virtual
 subnets; for example:
 
 route outside 10.2.2.8 255.255.255.248 192.168.1.3
 route outside 10.2.2.8 255.255.255.255 192.168.1.1
  
 --- Jason [EMAIL PROTECTED] wrote:
  As someone said yesterday: The PIX will not route,
 period.  It will NAT
  (including NAT 0), but it will not route packets
 between different
  networks.
  If you need routing off any interface on a PIX,
 you need a router there.
  
  --
  Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA,
 Network+, A+
  List email: [EMAIL PROTECTED]
  Homepage: http://jason.artoo.net/
  Cisco resources: http://r2cisco.artoo.net/
  
  
  "anthony kim" [EMAIL PROTECTED] wrote in
 message news:[EMAIL PROTECTED]...
   A device can best be described by its chief
 function. You can use a
   PIX as a router, just allow everything through.
 In fact you can use a
   router as a firewall, be selective with access
 lists. Terminology is
   flexible as long as you're pragmatic about
 function.
  
  
   On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan
 West wrote:
   PIX - sounds like a router to me - packet
 forwarding
   based on layer 3 addressing. It has extra
 security
   features and all of a sudden it's a
   firewall...marketing fluff? or accurate
 description???
   who will uncover this mystery  ;
   
   --- mtieast [EMAIL PROTECTED] wrote:
I think this comes from the fact that cisco
instructors in class say that
the Pix is not a router. I have heard this as
 well
when I had the class.
   
I know the Pix is not a router, but does it
 route?
Well, if making decisions
about where to send traffic based on layer 3
 info is
routing then I would
argue it does route. It does not forward
 traffic
based on layer 2 info so
..
   
It routes traffic to the appropriate
 interface. Can
someone else shed some
light as to why this is said. If it doesn't
 route
the traffic it receives
what does it do?
   
   
   
-Original Message-
From: haroldnjoe [EMAIL PROTECTED]
Newsgroups: groupstudy.cisco
To: [EMAIL PROTECTED]
 [EMAIL PROTECTED]
Date: Friday, February 16, 2001 12:41 PM
Subject: Firewalls and VPNs
   
   
I've read here a couple of times that PIX's
 don't
route. Period. In light
of
this I'm left a little confused as to a
 proposed
network map I was given
recently.

The core layer router is a 3640 linking all
 of our
branch offices together.
From the 3640, there is an ethernet
 connection to a
PIX 515R.  From the
PIX,
there is another ethernet connection to a
 1750
router. The 1750 connects
via
T1 to our ISP.  There is yet another
 ethernet
connection from the PIX to
the
isolation lan, on which resides an internet
mail/web server and a VPN 3000
concentrator.

If PIX's don't route, what subnet is the
 isolation
lan going to sit on?  As
I understand it, the PIX will be providing
 NAT
functionality for the 3640
and everything behind it.  So I would assume
 that
the T1 and ethernet
interfaces on the 1750, the outside
 interfaces on
the PIX, and everything
in
the 

Re: VLAN routing

2001-02-14 Thread Yonkerbonk

Outbound access-lists on each sub-interface, blocking
other VLANs and allowing everything else.

Michael

--- Moiz Badr [EMAIL PROTECTED] wrote:
 Hi all, 
 What is the best way to prevent a router on a stick
 from routing between VLANs, I have to route the
 VLANs
 traffic only to the Internet while keeping each VLAN
 intact and isolated for security reason. Thanks.
 Mo
 
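An added configuration example of the approach Michael gives (this is not code from the post or from Cisco; the VLAN numbers, addresses, interface names and ACL names are assumptions): a router on a stick with three dot1Q subinterfaces, each carrying an outbound access list that drops packets sourced from the other VLANs and permits everything else, so each VLAN can only reach the Internet-facing interface.

```cisco
! Assumed topology: Fa0/0 trunks to the switch, Fa0/1 goes to the Internet.
! VLAN 10 = 10.0.10.0/24, VLAN 20 = 10.0.20.0/24, VLAN 30 = 10.0.30.0/24.
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0
 ! outbound ACL: packets the router would send into VLAN 10 that came
 ! from another VLAN are dropped; Internet replies still get through
 ip access-group VLAN10-OUT out
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-OUT out
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0
 ip access-group VLAN30-OUT out
!
ip access-list extended VLAN10-OUT
 deny   ip 10.0.20.0 0.0.0.255 any
 deny   ip 10.0.30.0 0.0.0.255 any
 permit ip any any
!
ip access-list extended VLAN20-OUT
 deny   ip 10.0.10.0 0.0.0.255 any
 deny   ip 10.0.30.0 0.0.0.255 any
 permit ip any any
!
ip access-list extended VLAN30-OUT
 deny   ip 10.0.10.0 0.0.0.255 any
 deny   ip 10.0.20.0 0.0.0.255 any
 permit ip any any
```

Two caveats: every ACL has to be extended each time a VLAN is added, so if all VLANs live inside one aggregate (10.0.0.0/16 here) and no Internet-side address falls in it, a single 'deny ip 10.0.0.0 0.0.255.255 any' on each subinterface is easier to keep correct; and an outbound ACL only filters traffic the router forwards, so it does nothing about hosts within the same VLAN talking to each other, which needs a switch-side feature. 'show ip access-lists' shows hit counters for the deny lines, which is a quick way to confirm the filtering is actually taking effect.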



RE: DISTURBING: Spanning Tree Protocol Does not Work.

2001-02-14 Thread Yonkerbonk

Hi Pierre,

You still need to finish setting up trunking on the
2924XL to see if my theory is correct.
The two Catalysts on the segment between Port B on the
C1912 and Fa0/21 on the 2924XL don't seem to be
talking. So Port B shows that it knows who the root
bridge is, but it shows itself as the designated
bridge since it sees itself as the only switch on that
segment and thus the only way to get to the root. One
thing I still can't explain is why Port A on the C1912
shows the root cost as being 0. It should be 0 only if
it sees itself as the root, but it doesn't, because it
shows the proper MAC address.
Anyways, give that a shot and let's see where it goes.

Michael 


--- Pierre-Alex [EMAIL PROTECTED] wrote:
 Hi Leigh Anne and others:
 
 Leigh Anne, I hope you did not lose sleep over this
 problem. At 8:30 PM
 after a full day on this problem I went to sleep and
 crashed.
 
 So here we go again:
 
 You discovered correctly that PORT A is connected to
 f0/20 and PORT B to f
 0/21
 ALL those ports are part of VLAN 1 (see output
 below)
 And all the ports are in forwarding mode and the
 lights on the switch are
 glowing GREEN! (see below the span tree)
 Someone suggested the presence of an etherchannel
 configured by default. I
 will look into this
 and will let you know.
 
 Pierre-Alex
 
 Interface Fa0/20 (port 22) in Spanning tree 1 is
 FORWARDING
Port path cost 19, Port priority 128
Designated root has priority 32768, address
 0050.3ef0.3580
Designated bridge has priority 32768, address
 0050.3ef0.3580
Designated port is 22, path cost 0
Timers: message age 0, forward delay 0, hold 0
BPDU: sent 73253, received 5
 
 Interface Fa0/21 (port 23) in Spanning tree 1 is
 FORWARDING
Port path cost 19, Port priority 128
Designated root has priority 32768, address
 0050.3ef0.3580
Designated bridge has priority 32768, address
 0050.3ef0.3580
Designated port is 23, path cost 0
Timers: message age 0, forward delay 0, hold 0
BPDU: sent 73251, received 3
 
  --More--
 
 
 VLAN Name      Status   Ports
 ---- --------- -------- -----------------------------------------------------------------
 1    default   active   Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/10, Fa0/11,
                         Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/17, Fa0/18, Fa0/19, Fa0/21,
                         Fa0/22, Fa0/23
 2    VLAN_A    active   Fa0/9, Fa0/16, Fa0/24
 3    VLAN_B    active   Fa0/1, Fa0/8
 
 
 ___
 
 Port FastEthernet 0/26 of VLAN1 is Forwarding
Port path cost 10, Port priority 128
Designated root has priority 32768, address
 0050.3EF0.3580
Designated bridge has priority 32768, address
 0050.3EF0.3580
Designated port is 22, path cost 0
Timers: message age 20, forward delay 15, hold 1
 --More--
 Port FastEthernet 0/27 of VLAN1 is Forwarding
Port path cost 10, Port priority 128
Designated root has priority 32768, address
 0050.3EF0.3580
Designated bridge has priority 32768, address
 0050.50E2.42C0
Designated port is 27, path cost 10
Timers: message age 20, forward delay 15, hold 1
 
 Pierre-Alex
 
 -Original Message-
 From: Leigh Anne Chisholm [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, February 14, 2001 1:29 AM
 To: Pierre-Alex; Cisco Groupstudy (E-mail)
 Cc: Dale Cunningham
 Subject: RE: DISTURBING: Spanning Tree Protocol Does
 not Work.
 
 Okay, here's the gist of things.
 
 The Catalyst 2924XL is the root bridge:
 
  C2924XL#sh span
 
   Spanning tree 1 is executing the IEEE compatible
 Spanning Tree protocol
 Bridge Identifier has priority 32768, address
 0050.3ef0.3580
 Configured hello time 2, max age 20, forward
 delay 15
 We are the root of the spanning tree
 
 Port 0/26 on the Catalyst 1912 is identifying "Port
 22" as the "designated
 port":
 
  Port FastEthernet 0/26 of VLAN1 is Forwarding
 Port path cost 10, Port priority 128
 Designated root has priority 32768, address
 0050.3EF0.3580
 Designated bridge has priority 32768, address
 0050.3EF0.3580
 Designated port is 22, path cost 0
 Timers: message age 20, forward delay 15, hold
 1
 
 Port 22 is port 0/20 on the Catalyst 2924XL switch:
 
  Interface Fa0/20 (port 22) in Spanning tree 1 is
 FORWARDING
 Port path cost 19, Port priority 128
 Designated root has priority 32768, address
 0050.3ef0.3580
 Designated bridge has priority 32768, address
 0050.3ef0.3580
 Designated port is 22, path cost 0
 Timers: message age 0, forward delay 0, hold 0
 BPDU: sent 46897, received 5
 
 We can deduce that FastEthernet 0/26 on the 1912
 switch is directly
 connected to FastEthernet 0/20 on the 2924XL switch.
 
 Note that FastEthernet 

Re: DISTURBING: Spanning Tree Protocol Does not Work.

2001-02-13 Thread Yonkerbonk

Could you send a config for both switches? How about a
fuller show spantree? A show port on the two ports?
Maybe this is caused by some half-duplex, full-duplex
issue... though I can't rationalize that explanation.
The fact that one port shows the switch as being the
root bridge and the other port pointing outwards is
getting me.
Also, who is MAC 0050.50E2.42C0?

Michael

--- Pierre-Alex [EMAIL PROTECTED] wrote:
 Or I am really dumb
 
 I have two switches a Cisco 2924XL-EN and a Cisco
 1912-EN. I have setup port
 A and port B of the 1912 switch to do ISL trunking
 with the 2924XL
 
 This situation should have created a loop and the
 Spanning Tree protocol
 should have disabled port B.( I have setup the
 2924XL to be the root).
 Instead I am getting the
 
 following output, with both port A and B in the
 forwarding mode (see below)
 So either the Spanning Tree protocol did not do its
 job (with due respect to
 its creator),
 
 or the trunking ports are not part of the spanning
 tree calculation, or I am
 really dumb and I missed something in the story 
 
 Any comment?
 
 
 
 DISL state: On, Trunking: On, Encapsulation type:
 ISL
 C1912#sh trunk b
 DISL state: On, Trunking: On, Encapsulation type:
 ISL
 
 Port FastEthernet 0/26 of VLAN1 is Forwarding
Port path cost 10, Port priority 128
Designated root has priority 32768, address
 0050.3EF0.3580
Designated bridge has priority 32768, address
 0050.3EF0.3580
Designated port is 22, path cost 0
Timers: message age 20, forward delay 15, hold 1
 --More--
 Port FastEthernet 0/27 of VLAN1 is Forwarding
Port path cost 10, Port priority 128
Designated root has priority 32768, address
 0050.3EF0.3580
Designated bridge has priority 32768, address
 0050.50E2.42C0
Designated port is 27, path cost 10
Timers: message age 20, forward delay 15, hold 1
 
 
 Pierre-Alex
 
 



RE: DISTURBING: Spanning Tree Protocol Does not Work.

2001-02-13 Thread Yonkerbonk

The 2924XL doesn't have trunking configured on Fa0/21,
while it is configured on Fa0/27 of the C1912 it is
connected to. I would have thought this would cause
baby giant errors on 2924XL's Fa0/21, but it doesn't
look like there are any.
But anyways, try to set it up and see if that works.
The C1912 'show spantree' output still doesn't look
right. I don't know why the C1912 shows the root port
as having a cost of 0 instead of 10.

Michael

--- Pierre-Alex [EMAIL PROTECTED] wrote:
 Hi Yonkerbonk,
 
 As you requested, I did a show interface on the
 ports that are used on both
 switches.
 
 Regards,
 
 - on THE 1912--
 
 sh int f 0/26
 
 
 FastEthernet 0/26 is Enabled
 Hardware is Built-in 100Base-TX
 Address is 0050.50E2.42DA
 MTU 1500 bytes, BW 10 Kbits
 Port monitoring: Disabled
 Unknown unicast flooding: Enabled
 Unregistered multicast flooding: Enabled
 Description:
 Duplex/Flow Control setting: Auto-negotiate
 Auto-negotiation status:  Full duplex
 Enhanced Congestion Control: Disabled
 
 
 
 
 --More--
 
 Receive Statistics                         Transmit Statistics
 -----------------------------------------  -----------------------------------------
 Total good frames            45739         Total frames                  8243
 Total octets               4758190         Total octets                935475
 Broadcast/multicast frames   45687         Broadcast/multicast frames    8206
 Broadcast/multicast octets 4752684         Broadcast/multicast octets  930237
 Good frames forwarded        27228         Deferrals                        0
 Frames filtered              18511         Single collisions                0
 Runt frames                      0         Multiple collisions              0
 No buffer discards               0         Excessive collisions             0
                                            Queue full discards              0
 Errors:                                    Errors:
   FCS errors                     0           Late collisions                0
   Alignment errors               0           Excessive deferrals            0
   Giant frames                   0           Jabber errors                  0
   Address violations             0           Other transmit errors          0
 C1912#sh int f 0/27
 
 
 FastEthernet 0/27 is Enabled
 Hardware is Built-in 100Base-TX
 Address is 0050.50E2.42DB
 MTU 1500 bytes, BW 10 Kbits
 Port monitoring: Disabled
 Unknown unicast flooding: Enabled
 Unregistered multicast flooding: Enabled
 Description:
 Duplex/Flow Control setting: Auto-negotiate
 Auto-negotiation status:  Full duplex
 Enhanced Congestion Control: Disabled
 
 
 
 
 --More--
 
 Receive Statistics                         Transmit Statistics
 -----------------------------------------  -----------------------------------------
 Total good frames             4788         Total frames                 28073
 Total octets                366300         Total octets               2553093
 Broadcast/multicast frames    4788         Broadcast/multicast frames   28064
 Broadcast/multicast octets  366300         Broadcast/multicast octets 2552388
 Good frames forwarded         4788         Deferrals                        0
 Frames filtered                  0         Single collisions                0
 Runt frames                      0         Multiple collisions              0
 No buffer discards               0         Excessive collisions             0
                                            Queue full discards              0
 Errors:                                    Errors:
   FCS errors                     0           Late collisions                0
   Alignment errors               0           Excessive deferrals            0
   Giant frames                   0           Jabber errors                  0
   Address violations             0           Other transmit errors          0
 C1912#
 
  ON THE 2924XL
 
 sh int f 0/1
 FastEthernet0/1 is up, line protocol is up
   Hardware is Fast Ethernet, address is
 0050.3ef0.3581 (bia 0050.3ef0.3581)
   MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, rely
 255/255, load 1/255
   Encapsulation ARPA, loopback not set, keepalive
 not set
   Duplex setting unknown, Unknown Speed,
 100BaseTX/FX
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:31, output 00:00:01, output hang
 never
   Last clearing of "show interface" counters never
   Queueing strategy: fifo
   Output queue 0/40, 0 drops; input queue 0/75, 0
 drops
   5 minute input rate 0 bits/sec, 0 packets/sec
   5 minute output rate 0 bits/sec, 1 packets/sec
  30444 packets input, 5042703 bytes, 0 no buffer
  Received 20759 broadcasts, 0 runts, 0 giants, 0
 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0
 ignored, 0 abort
  0 watchdog, 8294 multicast
  0 input packets with dribble condition detected
  100788 packets output, 3850388 bytes, 0
 underruns
  0 output errors, 0 collisions, 1 interface
 resets
  0 babbl

Re: Are Traditional Routing Protocols going to DIE

2001-02-10 Thread Yonkerbonk

I'm not sure increased bandwidth would affect routing
policy. That's an interesting question though.
As far as the granularity of the delay formula, they
will probably do the same as they did with calculating
Spanning-Tree path costs. With the old calculations
(1000MB/Bandwidth), Fastethernet would be 10
(1000/100) and anything a Gig or higher would be 1 or
fractional. So they instituted non-linear numbers such
as a cost of 19 for a 100MB link and 4 for a 1 GB link
and 2 for a 10 GB link.
I would like to hear discussions about the first part
of the question though.

Michael

--- Santosh Koshy [EMAIL PROTECTED] wrote:
 With new emerging technologies like (Gig Eth, 10
 Gig Eth, etc.), I am
 beginning to wonder how scalable or well suited
 today's routing protocols
 (OSPF, IGRP, EIGRP, etc.) are to manage them
 effectively.
 
 I stumbled across something while reading about delay
 calculations on an IGRP
 / EIGRP network... maybe you guys can help..
 
 The bandwidth component of a metric is calculated by
 dividing 10,000,000 by
 bandwidth in Kbps.
 Eth = 10,000,000 / 10,000 = 1000
 Fast Eth = 10,000,000 / 100,000 = 100
 Gig Eth = 10,000,000 / 1,000,000 = 10
 10 Gig Eth = 10,000,000 / 10,000,000 = 1
 New Fangled Eth (not yet invented) = 10,000,000 / 
 100,000,000 = 0.1
 
 As you can see delay will be calculated in thousands
 of microseconds and we
 end up getting fractional numbers.. I highly
 doubt IOS can use
 fractional numbers to calculate delay.. Are
 today's routers capable of
 making such calculations with an easy IOS
 upgrade
 
 Thanks,
 Santosh Koshy
 
 



Load Balancing Advice

2001-02-08 Thread Yonkerbonk

[MCI][Cat5K  w/RSM][UUNet]
   |
  Internal LAN


   I have a client with two Internet routers running
BGP multihomed to the ISPs, MCI and UUNET. Inbound
traffic to their AS is pretty much balanced between
MCI and UUNET. On the inside however, where MCI and
UUNET connect into a Cat5K, the MCI is the HSRP active
router and thus handles most of the outbound traffic.
The client wants to load balance outbound traffic
between the two.
   So when the client recently added an RSM to the
Cat5K, I proposed to remove HSRP totally and run OSPF
so that the RSM sees two equal-cost default routes to
the routers.
   My question is, can you run default-information
originate on two routers? And would that work in this
scenario?
   Thanks.
  
   Michael

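An added configuration example of the design Michael proposes (not from the post or from Cisco; router names, addresses and the OSPF process number are assumptions): both Internet routers run 'default-information originate' without 'always', so each injects a default into OSPF only while it actually holds a default route in its own table, and the RSM ends up with two equal-cost defaults. The thread itself does not settle whether that default should come from BGP or a static; the example assumes each router already has one (for instance learned from its ISP peer).

```cisco
! ---- Internet router 1 (router 2 is identical apart from its addresses) ----
interface FastEthernet0/0
 description Inside, to Cat5K
 ip address 10.0.0.2 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 ! Without 'always' the default is only advertised while this router has
 ! a default route in its table (here assumed to be learned over BGP from
 ! its ISP). When the upstream session drops, the default disappears and
 ! the RSM is left with only the other router's default.
 ! metric-type 1 makes the RSM add its own cost to reach each router,
 ! which is equal here since both sit on the same segment.
 default-information originate metric 10 metric-type 1
!
! ---- RSM in the Cat5K ----
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 ! OSPF installs up to four equal-cost paths by default; two is all we need.
 maximum-paths 2
```

On the RSM, 'show ip route 0.0.0.0' should list both Internet routers as next hops for the default; if only one shows up, check that the missing router really has a default route of its own ('show ip route 0.0.0.0' on that router), since that is what gates the advertisement. Note that the load sharing is between the two routers on the way out only; inbound balancing is still whatever the BGP advertisements toward MCI and UUNET produce.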



Re: CCIE Recertification UPDATE (Networkers not needed anymore)

2001-02-08 Thread Yonkerbonk

That means we have no more excuses to tell our
managers we need to go to New Orleans or Vegas. :)

Michael

--- Brad Ellis [EMAIL PROTECTED] wrote:
 Thanks to Mr. Zudal, CCIEs are no longer required
 to attend Networkers to
 recert for their CCIE status.
 
 -Brad Ellis
 CCIE#5796
 Cisco Hardware:  www.optsys.net
 
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, February 08, 2001 12:19 PM
 To: szudal@
 Subject: CCIE Recertification Changes
 
 
 Dear CCIE,
 
 In 1997, we introduced the CCIE recertification
 program. At that time
 there were two requirements: attend 5 CCIE-level
 sessions at Networkers
 and successfully complete a CCIE recertification
 exam every two years.
 
 In response to your feedback, we have decided to
 drop the Networkers
 session requirement for recertification. We will
 still have CCIE-level
 sessions at selected Networkers, however effective
 February 1, 2001,
 attendance will no longer be mandatory for
 recertification.
 
 All CCIE recertification deadlines will remain the
 same. Effective
 February 1, 2001, a CCIE will be required to
 successfully complete one
 CCIE recertification exam every two years in
 accordance with your current
 deadline.
 
 As part of this program update, we will no longer be
 issuing
 recertification certificates. Exam results are
 downloaded automatically
 into the CCIE database. When the CCIE team receives
 your successful exam
 result, an email notification will be sent to you
 verifying your
 recertification status.
 
 If you have any questions, please write to
 [EMAIL PROTECTED]  Good Luck
 with your CCIE recertification!
 
 Regards,
 
 CCIE Team
 
 
 
 
 



Re: Token Ring White Paper

2001-02-08 Thread Yonkerbonk

I originally found it on ccprep.com and it's still
there. So check that out under Resources.

Michael

--- Hal White [EMAIL PROTECTED] wrote:
 Several people have asked me where I got the Token
 Ring white paper that I 
 used to study for the CCIE written.  I got the paper
 from 
 www.certificationzone.com when it was free for
 download a few months ago.  
 Unfortunately, it is not free this month.  If you
 have a membership you 
 should definitely read this white paper.  If you are
 not a member then go to 
 their site and decide if it is worth spending the
 money.  I was not a 
 member, but others on the list have said it was a
 good investment.
 Caslow's book and the exam cram both have chapters
 about bridging and token 
 ring that are also helpful although they do not
 explain it as well and as 
 clearly as the white paper on certification zone.
 
 There is another document about Token Ring that is
 also helpful which can be 
 found at
 http://www.groupstudy.com/notes/notepages/rif2.html
 
 I hope this helps everyone who is preparing for the
 CCIE Written.
 
 Hal






Re: Load Balancing Advice

2001-02-08 Thread Yonkerbonk

There is BGP running on the Internet routers and they
have their own AS.
So now that I know default-information originate is
the way to go, can it be put on two routers on the
same segment at the same time? And also, since the
command requires the router to have a default route
itself, should I put in a static route pointing
towards the ISP peer? Would this be counter-productive
since I'm taking in so many BGP routes already? I
don't want to use the 'always' parameter because what
if my link goes down. I don't want to rely on icmp
redirect to point back to the other Internet router.
Thanks for your advice.

Michael

--- "Howard C. Berkowitz" [EMAIL PROTECTED] wrote:
 [MCI][Cat5K  w/RSM][UUNet]
 |
Internal LAN
 
 
 I have a client with two Internet routers
 running
 BGP multihomed to the ISPs, MCI and UUNET. Inbound
 traffic to their AS is pretty much balanced between
 MCI and UUNET. On the inside however, where MCI and
 UUNET connect into a Cat5K, the MCI is the HSRP
 active
 router and thus handles most of the outbound
 traffic.
 The client wants to load balance outbound traffic
 between the two.
 So when the client recently added an RSM to the
 Cat5K, I proposed to remove HSRP totally and run
 OSPF
 so that the RSM sees two equal-cost default routes
 to
 the routers.
 My question is, can you run default-information
 originate on two routers? And would that work in
 this
 scenario?
 
 
 It's a good approach, at least for load-balancing
 your outgoing 
 traffic. To have any chance of affecting incoming
 traffic, you need 
 to play BGP games. Since you speak of their AS, I
 assume there is BGP.
 
 Default-information originate works quite well.   If
 the Cat5K is the 
 only layer 3 aware hop, the next caveat may not be
 that important, 
 but if it feeds additional router hops, be sure that
 the default 
 originated is of OSPF external type 1, not type 2,
 so internal 
 reachability is considered in the interest of load
 balancing.
 





RE: HSRP on my WKS subnet

2001-02-08 Thread Yonkerbonk

Well, the 6509s will pass broadcasts and multicasts
through so your hosts off each VLAN will see that.
The only thing that I can think of (and I have no idea
if it would work) is to run CGMP on the switch to
denote which ports should and should not get the
multicast traffic.

Michael

--- Stephen Skinner [EMAIL PROTECTED] wrote:
 
 Is there a way of blocking them? Because I
 thought that as long as the
 clients can link to the virtual address then
 there would be no need for
 the HSRP hellos (which are just for the Cats and
 no-one else needs to know
 about them) to be seen by all workstations... surely
 this is shoving
 unnecessary packets into my VLAN...
 
 or am I completely off the mark?
 
 many thanks
 
 steve
 
 
 From: "Brant Stevens" [EMAIL PROTECTED]
 Reply-To: "Brant Stevens" [EMAIL PROTECTED]
 To: "Stephen Skinner" [EMAIL PROTECTED],
 [EMAIL PROTECTED]
 Subject: RE: HSRP on my WKS subnet
 Date: Thu, 8 Feb 2001 11:02:46 -0500
 
 Yes, you should be seeing them...  That is proper
 multicast behavior, and
 these packets would be seen for any VLAN that is
 running HSRP...
 
 Brant I. Stevens
 Internetwork Solutions Engineer
 Thrupoint, Inc.
 545 Fifth Avenue, 14th Floor
 New York, NY. 10017
 646-562-6540
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of
 Stephen Skinner
 Sent: Thursday, February 08, 2001 8:00 AM
 To: [EMAIL PROTECTED]
 Subject: HSRP on my WKS subnet
 
 
 Guys,
 
 I have a slight problem ... I have 2 6509s running
 HSRP on my comms VLAN 4;
 these 65s do all routing between VLANs.
 
 I have Sniffer Pro on my local workstation, VLAN 5.
 
 I am seeing multicast traffic from 224.0.0.2 which
 has HSRP packet headers
 (that are hellos) every 3 seconds.
 Should I be seeing these? I don't think I
 should.
 I think the only VLAN that these should be seen on
 is the comms VLAN 4.
 Answers please...
 
 also if I am right how can I stop the HSRP hello
 being sent to all the
 other
 vlan`s
 
 many thanks in advance
 
 steve

 






Re: Help me Urgent all CCIES please !!!!!!!!!!!!!!!

2001-02-03 Thread Yonkerbonk

What do you consider a paper CCIE? I've known some
not-so-impressive CCIEs, but I don't know of any I'd
consider paper.

Michael

--- Circusnuts [EMAIL PROTECTED] wrote:
 EEEKKK !!!  I'd have to agree...  I work with a
 couple paper CCIE's
 
 Phil
 CCNA Lot's of hands on- closing in on CCNP
 
 - Original Message -
 From: "Chris Supino" [EMAIL PROTECTED]
 To: "Ravi N Varma" [EMAIL PROTECTED];
 [EMAIL PROTECTED]
 Sent: Saturday, February 03, 2001 4:39 PM
 Subject: RE: Help me Urgent all CCIES please
 !!!
 
 
  Sounds like you may want to postpone that test, my
 friend. I personally
  believe that one of the biggest problems with  our
 industry is paper
 certs.
  Do us all a favor and KNOW the material before you
 pass the exam. Just my
  two cents.
 
  Christopher Supino
  CCNA, MCSE, CNA 5, ASE
  Senior Systems Engineer
  TransNet Corp.
 
  -Original Message-
  From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of
  Ravi N Varma
  Sent: Saturday, February 03, 2001 12:53 PM
  To: [EMAIL PROTECTED]
  Subject: Help me Urgent all CCIES please
 !!!
 
 
  Hi there ,
 
  I am having trouble getting answers for these
 questions; could you please
  help me. I am planning to take the exam the day after.
  Please help me out.
 
  1.ip datagram contain which of the following
a,arp packet
b,bits
icmp messages
udp,tcp data
 
 
 
  2. difference between TACACS and TACACS+
 
  3.in dlsw environment  when all route explorer
 sent between dlsw peers how
  it will be sent
   a directed broadcast
   b explorer frame
  etc
  4 in x.25 environment if frame error occurs  which
 one will reset
 connection
  There is diagram two routers separated by serial
 link both ends one host
 at
  each end
 
  A, Router or Host
 
  5 same as above but protocol is HDLC in this
 situation what will happen
  6 what is result of sending a loop up signal to
 csu/dsu?
  7 what lane resolution protocol do
all nw protocols address to nsap
  ip address to nsap
  etc
 8  nlsp  is-is link sate or distance vector
  9 when bridge receive a frame how it will be
 forwarded
   to all ports or except disabled ports it will
 forward to all ports
  10 when TACACS does not contain user account what
 it will do
  11 frames are unable to transmit from router
 though serial link what
 happen
output error
   connection reset etc
  12 characteristics of 4B/5B encoding in fddi
  13 what is meant by tcp slow start
  14 TACACS+ has what advantages over TACACS?
 
   waiting for your reply
 
  Regards,
 
  sun
 
 

_
  Chat with your friends as soon as they come
 online. Get Rediff Bol at
  http://bol.rediff.com
 
 
 
 





RE: Altiga Question

2001-01-23 Thread Yonkerbonk

Make sure you have the right level of encryption
running on both the VPN concentrator and your clients.
I had to upgrade my IE Explorer with the high
encryption pack to make it 128-bit.

Michael

--- Dave [EMAIL PROTECTED] wrote:
 Open a case with Cisco.
 
 I am working with the VPN 3000 series, but not with
 Win2K or the PIX.  I use
 the Cisco client software and it works fine.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of
 Manoj Ghorpade
 Sent: Friday, January 19, 2001 12:06 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Altiga Question
 
 
 Hi Group,
 
 Does it mean that nobody's worked on Altiga / doesn't
  want to share on
 Altiga ?
 
 Regards
 
 Manoj Ghorpade
 ([EMAIL PROTECTED])
 
 
 Manoj Ghorpade wrote:
 
  Hi Group,
  I'm facing problems setting up a VPN connection
 with Altiga and Windows
  2000 CA server. (Using L2TP)
  Can anyone advise/suggest  the correct procedure
 of implementing the
  solutions ?
  Components of my network are:
 
  1. A Cisco Router 3640
  2. A Pix Firewall 515
  3. Altiga 3000 VPN Concentrator
  4. Switch 2948G- L3
  5. Windows 2000 Advance Server.
 
  I run the NAT on PIX and currently have only ports
 80,443,22 1352 open.
 
  I followed the procedures :
  "Installing Digital Certificates on Cisco VPN 3000
 Concentrator" ,
  "Configuring the Cisco VPN 3000 Concentrator for
 Microsoft Windows 2000
  Support" and "Using a Microsoft Windows 2000 Client
 to Connect to  the
  Cisco VPN 3000 Concentrator"
 
  All these references were downloaded from the official
 Cisco web site.
 
  After doing these, I get a protocol error:
  "Error 789 : The L2TP connection attempt  failed
 because the security
  layer encountered a processing error during
 initial negotiations with
  the remote computer."
  Also from the design perspective advise me where
 to keep the Certificate
  Server, like should it be in the DMZ or running in
 the internal network
  (does it really matter ?)
 
  On the Altiga, in the ESP-L2TP-TRANSPORT template,
 what are the settings
  that should be there ?
  The error may be related to the fact that we
 accidentally deleted the
  transport template and re-added it.
 
  Also advise on how to set up the Windows 2000
 Certificate Server ?
 
  Regards
 
  Manoj Ghorpade.
  ([EMAIL PROTECTED])
 





Re: BGP Reg Expressions

2001-01-22 Thread Yonkerbonk

Your method should work, but if you want to be exact
then you can filter by using ^\(65001\)_. The \ allows
you to use the parentheses.

--- Katson PN Yeung [EMAIL PROTECTED] wrote:
 I use a very very stupid method to do it. But it
 works. I found that
 all private AS paths cannot be identified simply by
 the AS number. That
 is, if you apply an AS-path filtering list like "sh ip
 bgp reg ^65001_" it will
 not be able to display paths beginning with 65001.
 
 I tried several methods; at last I found this.
 
 "sh ip bgp reg ^.65001._".
 
 Is this what you want?
 
 
 "root" [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  Hello,
 
  Does anyone know how to tell the router to allow
 all AS's except for
  Private AS's for Ingress traffic?  I know that .*
 tells it to allow all
  paths, but how do I exclude 65xxx (Private AS's)?
 
  I know about the keyword "remove-private-as", but
 this is for Egress
  (outbound) traffic.  As far as I know it's for
 when your using
  confederations and such.
 
  Is this something I need to be concerned with? 
 I'm not sure if this is
  something I should be spending my time on or not. 
  Is it necessary to
  block inbound Private AS's?  Please excuse my
 ignorance, I'm still
  learning!
 
  Thank You,
  Andre
 


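An added example (not the list's code) that reproduces the behaviour Katson and Michael describe and adds the inbound private-AS check Andre asked about. It translates the IOS `_` token into Python's `re` so the same patterns can be tried offline against constructed AS_PATH strings; the ASNs in the sample paths are hypothetical.

```python
import re

# In IOS AS-path regular expressions "_" is a token boundary: it matches the
# beginning or end of the path, a space, a comma, or a brace or parenthesis
# (the AS_SET and confederation delimiters).  Python's re has no such token.
IOS_UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Translate an IOS AS-path regex to Python re syntax, keeping backslash escapes."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out.append(pattern[i:i + 2])      # e.g. escaped parentheses stay literal
            i += 2
            continue
        out.append(IOS_UNDERSCORE if ch == "_" else ch)
        i += 1
    return "".join(out)


def path_matches(pattern, as_path):
    """'show ip bgp regexp <pattern>' for a single AS_PATH string."""
    return re.search(ios_to_python(pattern), as_path) is not None


# The usual deny entry for the private range 64512-65534 (it also matches 65535,
# which is reserved and should not appear in a path either).
PRIVATE_AS = r"_(6451[2-9]|645[2-9][0-9]|64[6-9][0-9][0-9]|65[0-9][0-9][0-9])_"


def private_asns(as_path):
    """Exact numeric check: every ASN in the path that falls in 64512-65534."""
    return [asn for asn in (int(tok) for tok in re.findall(r"\d+", as_path))
            if 64512 <= asn <= 65534]


def accept_from_peer(paths):
    """Inbound policy: keep only routes whose AS_PATH carries no private ASN."""
    return [p for p in paths if not private_asns(p)]


# Constructed AS_PATH strings as 'show ip bgp' prints them (hypothetical ASNs).
SAMPLE_PATHS = [
    "65001 3356 701",        # private ASN at the front
    "(65001) 3356 701",      # confederation segment at the front
    "3356 65001 701",        # private ASN in the middle
    "3356 701",              # clean path
]

if __name__ == "__main__":
    for pat in (r"^65001_", r"^\(65001\)_", r"^.65001._", PRIVATE_AS):
        print(pat, [p for p in SAMPLE_PATHS if path_matches(pat, p)])
    print("accepted:", accept_from_peer(SAMPLE_PATHS))
```

`^65001_` misses `(65001) 3356 701` because `^` anchors at the first character, which is the confederation parenthesis; hence the escaped `^\(65001\)_`. Katson's `^.65001._` also matches that path, but `.` is a wildcard, so it would accept `1650012 701` as well. For Andre's inbound question, a pattern like `PRIVATE_AS` belongs in an `ip as-path access-list` deny entry applied to routes received from the peer (or use the numeric check); `remove-private-as`, as he noted, only acts on what you send.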



RE: Any body know about Cisco Content Switch

2001-01-13 Thread Yonkerbonk

Actually, before I found out about the CSS, I had
intended to put two Alteons in front of the PIX and
two behind for a total of four. So yes, there would be
redundancy at that level too. And behind the PIXs
would be two Checkpoints, using Stonebeat to load
balance.
I'm just wondering if local director and CSS will be
able to do this too.

--- Christopher Larson [EMAIL PROTECTED] wrote:
 I suppose maybe you could still get this to work
 through a combination of
 the discussed and some DNS manipulation, but I would
 have to think to much
 to figure it out, and I suppose that is part of what
 the CSS is addressing.
 I can see where if the CSS had a single address that
 pointed to multiple
 advertised globals on separate PIXs this would be
 easier, but then for high
 availability won't you also need 2 CSS'? Now my
 curiosity is piqued. I
 think I should research the CSS' and what they do
 exactly to allow for
 firewall load balancing.  
 
 
 
 
 
 Original Message-
 From: Christopher Larson 
 Sent: Friday, January 12, 2001 11:14 AM
 To: 'Yonkerbonk'; Christopher Larson; Tim O'Brien;
 [EMAIL PROTECTED]
 Subject: RE: Any body know about Cisco Content
 Switch
 
 
 For stateful PIX failovers they do need to share
 info. In the scenario
 below, a downed PIX would cause people to need to
 reconnect. In PIX's
 stateful failover that would not happen. I guess
 there is a lot more at
 issue here then I first thought. Like the static's
 and nat on the pix's. You
 could not maintain that info in this scenario. You
 could not have both pix's
 advertising the same global address either so it
 would not work.
 
 -Original Message-
 From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
 Sent: Friday, January 12, 2001 10:26 AM
 To: Christopher Larson; Tim O'Brien;
 [EMAIL PROTECTED]
 Subject: RE: Any body know about Cisco Content
 Switch
 
 
 I imagine the problem comes when the PIX needs to
 know
 the state of the data flow, like if it's an ongoing
 TCP session or just random data. I'm not sure if
 this
 is an issue. Do the PIXs need to share information?
 Do
 the CSS do that for them?
 
 --- Christopher Larson [EMAIL PROTECTED] wrote:
  I am not sure about CSS switches, and maybe your
  needs are special, but
  couldn't you just add a default route to both
 PIX's
  on each switch's RSM and
  turn off fast-switching. You will then get per
  packet load balancing between
  the switches and the pix's. 
  
  I have done this before between 6500's and routers
  in for high
  avail/reliability but not between the switches and
  PIX's. I don't know why
  it wouldn't work with the pix though .
  
  
  
  
   
  
  -Original Message-
  From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, January 11, 2001 8:39 PM
  To: Tim O'Brien; [EMAIL PROTECTED]
  Subject: Re: Any body know about Cisco Content
  Switch
  
  
  We currently have our PIXs side by side right
 behind
  the internet routers. Then the PIXs connect into
 two
  redundant 6509s, which is our core.
  We are trying for high availability, which the
  failover software already does for us. But I was
  thinking it probably was better to use both of
 them
  at
  the same time, more efficient and more throughput
  without having to buy 535. So I'm looking to load
  balance the two PIXs, which we can do with
  Checkpoint/Stonebeat combo.
  From the link you sent me on the 6509, it seems
  perhaps that I can use them to load balance to the
  PIXs from the inside? What is better for traffic
  coming from the internet to be load balanced on
 the
  PIX? The CSS or Local Director? The both seem to
 be
  for web or server traffic, but I can see them
 being
  used in other ways.
  Got any advice?
  Thanks.
  
  --- Tim O'Brien [EMAIL PROTECTED] wrote:
   Here are some links for the CSS switches. For
 the
   application that it
   appears that you are trying to run you will need
  the
   switches in front and
   behind the PIX boxes. The PIX 535 is out now and
   will do a Gig of
   throughput. What are you trying to accomplish?
 You
   can run PIXes in a
   active/passive config if it is high availability
   that you are looking for.
   Give me a little more on the design that you are
   doing.
   
  
 

http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/
   
   
   or load balance on the 6500
  
 

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm
  
 

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm
   
   - Original Message -
   From: "Yonkerbonk" [EMAIL PROTECTED]
   To: "Wayne Lawson" [EMAIL PROTECTED]; "Tommy
   Mitchell"
   [EMAIL PROTECTED];
  "cisco@groupstudy.
   com (E-mail)"
   [EMAIL PROTECTED]
   Sent: Thursday, January 11, 2001 5:46 PM
   Subject: RE: Any body know about Cisco Content
   Switch
   
   
   Hi Wayne,
   
   Could you point me to some information on the
  CSSes
   and how to configure for load balancing? I was
   looking
   

RE: Any body know about Cisco Content Switch

2001-01-12 Thread Yonkerbonk

I imagine the problem comes when the PIX needs to know
the state of the data flow, like if it's an ongoing
TCP session or just random data. I'm not sure if this
is an issue. Do the PIXs need to share information? Do
the CSS do that for them?

--- Christopher Larson [EMAIL PROTECTED] wrote:
 I am not sure about CSS switches, and maybe your
 needs are special, but
 couldn't you just add a default route to both PIX's
 on each switch's RSM and
 turn off fast-switching. You will then get per
 packet load balancing between
 the switches and the pix's. 
 
 I have done this before between 6500's and routers
 in for high
 avail/reliability but not between the switches and
 PIX's. I don't know why
 it wouldn't work with the pix though .
 
 
 
 
  
 
 -Original Message-
 From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, January 11, 2001 8:39 PM
 To: Tim O'Brien; [EMAIL PROTECTED]
 Subject: Re: Any body know about Cisco Content
 Switch
 
 
 We currently have our PIXs side by side right behind
 the internet routers. Then the PIXs connect into two
 redundant 6509s, which is our core.
 We are trying for high availability, which the
 failover software already does for us. But I was
 thinking it probably was better to use both of them
 at
 the same time, more efficient and more throughput
 without having to buy 535. So I'm looking to load
 balance the two PIXs, which we can do with
 Checkpoint/Stonebeat combo.
 From the link you sent me on the 6509, it seems
 perhaps that I can use them to load balance to the
 PIXs from the inside? What is better for traffic
 coming from the internet to be load balanced on the
 PIX? The CSS or Local Director? The both seem to be
 for web or server traffic, but I can see them being
 used in other ways.
 Got any advice?
 Thanks.
 
 --- Tim O'Brien [EMAIL PROTECTED] wrote:
  Here are some links for the CSS switches. For the
  application that it
  appears that you are trying to run you will need
 the
  switches in front and
  behind the PIX boxes. The PIX 535 is out now and
  will do a Gig of
  throughput. What are you trying to accomplish? You
  can run PIXes in a
  active/passive config if it is high availability
  that you are looking for.
  Give me a little more on the design that you are
  doing.
  
 

http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/
  
  
  or load balance on the 6500
 

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm
 

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm
  
  - Original Message -
  From: "Yonkerbonk" [EMAIL PROTECTED]
  To: "Wayne Lawson" [EMAIL PROTECTED]; "Tommy
  Mitchell"
  [EMAIL PROTECTED];
 "cisco@groupstudy.
  com (E-mail)"
  [EMAIL PROTECTED]
  Sent: Thursday, January 11, 2001 5:46 PM
  Subject: RE: Any body know about Cisco Content
  Switch
  
  
  Hi Wayne,
  
  Could you point me to some information on the
 CSSes
  and how to configure for load balancing? I was
  looking
  at Local Director and Alteon boxes to do that for
  two
  PIXs. Do I need them on both the outside and
 inside?
  Thanks.
  
  
  --- Wayne Lawson [EMAIL PROTECTED] wrote:
   Tommy,
  
 Actually you CAN have the CSS in an "active /
   active" mode
   with true firewall load balancing.
  
   Wayne Lawson, CCIE # 5244
   Systems Engineer - Cisco Systems, Inc.
   2000 Town Center, Suite 450
   Southfield, Michigan 48075
  
   Voice:  (248) 455 - 1663
   Cell:  (248) 709 - 5797
   Pager: (800) 365 - 4578
  
  
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED]]On Behalf Of
   Tommy Mitchell
   Sent: Wednesday, January 10, 2001 8:15 AM
   To: cisco@groupstudy. com (E-mail)
   Subject: Re: Any body know about Cisco Content
   Switch
  
  
   Yes, they can unless you're trying to
 load-balance
   firewalls.  Try to
   load-balance firewalls and you have to go
   active-standby.
  
   Tommy
  
   - Original Message -
   From: "Muhammad Faheem" [EMAIL PROTECTED]
   To: "cisco@groupstudy. com (E-mail)"
   [EMAIL PROTECTED]
   Sent: Wednesday, January 10, 2001 7:26 AM
   Subject: Any body know about Cisco Content
 Switch
  
  
Hi All
   
Just wanted to know that Cisco Content Switch
   (CSS-11000 and CSS-11800) can
work as Active - Active or not.
   
Thanks for Input
   
Muhammad Faheem
Systems Engineer
Afcomp
Hello : (9714)-3933878 / 3027338
Fax   : (9714)-3933832
Web  : www.afcomp.com
   

Re: Checkpoint Cisco VPN 5000 Concentrator

2001-01-12 Thread Yonkerbonk

I installed a VPN 3010 and it goes parallel with the
firewall, in my case a PIX. I didn't use the VPN 3000
client, but rather Windows 2000 built-in VPN adapter.
It does have the ability to do all the things you
listed. I did run into some issues with the box
talking MS-CHAPv2 and our NT server only talking v1,
but overall it seemed like a good box. Bought from
Altiga back in April 2000 I think.

--- pat [EMAIL PROTECTED] wrote:
 Hello Everyone:
 
 Does this box work with Checkpoint to establish
 IPSec tunnels?
 I am new to this VPN 5002 box, though I have
 good
 hands-on with other VPNs. Can anybody throw some
 light
 on how this box works with the client software that
 comes with the box. I am not looking for
 configuration
 details at this stage. My concern is I have seen VPN
 client software where you can configure IPSec
 details such as AH, ESP, DES, 3DES, MD5, SHA. But in this
 client software (which can be installed on Win98/NT)
 I don't see any options to do this. Does it detect
 them from the VPN 5000 box automatically?
 I am planning to place this VPN box behind the
 Checkpoint firewall. Is this the correct way of doing
 it? The box has only one Ethernet interface. Is
 it
 supposed to be like this, or does it need to have a minimum of
 two
 interfaces?
 If somebody can help me out with answers it will
 really be great.
 
 thanks.
  
 
 
 
  
 





RE: Any body know about Cisco Content Switch

2001-01-11 Thread Yonkerbonk

Hi Wayne,

Could you point me to some information on the CSSes
and how to configure for load balancing? I was looking
at Local Director and Alteon boxes to do that for two
PIXs. Do I need them on both the outside and inside?
Thanks.


--- Wayne Lawson [EMAIL PROTECTED] wrote:
 Tommy,
 
   Actually you CAN have the CSS in an "active /
 active" mode
 with true firewall load balancing.
 
 Wayne Lawson, CCIE # 5244
 Systems Engineer - Cisco Systems, Inc.
 2000 Town Center, Suite 450
 Southfield, Michigan 48075
 
 Voice:  (248) 455 - 1663
 Cell:  (248) 709 - 5797
 Pager: (800) 365 - 4578
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of
 Tommy Mitchell
 Sent: Wednesday, January 10, 2001 8:15 AM
 To: cisco@groupstudy. com (E-mail)
 Subject: Re: Any body know about Cisco Content
 Switch
 
 
 Yes, they can unless you're trying to load-balance
 firewalls.  Try to
 load-balance firewalls and you have to go
 active-standby.
 
 Tommy
 
 - Original Message -
 From: "Muhammad Faheem" [EMAIL PROTECTED]
 To: "cisco@groupstudy. com (E-mail)"
 [EMAIL PROTECTED]
 Sent: Wednesday, January 10, 2001 7:26 AM
 Subject: Any body know about Cisco Content Switch
 
 
  Hi All
 
  Just wanted to know that Cisco Content Switch
 (CSS-11000 and CSS-11800) can
  work as Active - Active or not.
 
  Thanks for Input
 
  Muhammad Faheem
  Systems Engineer
  Afcomp
  Hello : (9714)-3933878 / 3027338
  Fax   : (9714)-3933832
  Web  : www.afcomp.com
 





Re: Any body know about Cisco Content Switch

2001-01-11 Thread Yonkerbonk

We currently have our PIXs side by side right behind
the internet routers. Then the PIXs connect into two
redundant 6509s, which is our core.
We are trying for high availability, which the
failover software already does for us. But I was
thinking it probably was better to use both of them at
the same time, more efficient and more throughput
without having to buy 535. So I'm looking to load
balance the two PIXs, which we can do with
Checkpoint/Stonebeat combo.
From the link you sent me on the 6509, it seems
perhaps that I can use them to load balance to the
PIXs from the inside? What is better for traffic
coming from the internet to be load balanced on the
PIX? The CSS or Local Director? The both seem to be
for web or server traffic, but I can see them being
used in other ways.
Got any advice?
Thanks.

--- Tim O'Brien [EMAIL PROTECTED] wrote:
 Here are some links for the CSS switches. For the
 application that it
 appears that you are trying to run you will need the
 switches in front and
 behind the PIX boxes. The PIX 535 is out now and
 will do a Gig of
 throughput. What are you trying to accomplish? You
 can run PIXes in a
 active/passive config if it is high availability
 that you are looking for.
 Give me a little more on the design that you are
 doing.
 

http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/
 
 
 or load balance on the 6500

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm

http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm
 
 - Original Message -
 From: "Yonkerbonk" [EMAIL PROTECTED]
 To: "Wayne Lawson" [EMAIL PROTECTED]; "Tommy
 Mitchell"
 [EMAIL PROTECTED]; "cisco@groupstudy.
 com (E-mail)"
 [EMAIL PROTECTED]
 Sent: Thursday, January 11, 2001 5:46 PM
 Subject: RE: Any body know about Cisco Content
 Switch
 
 
 Hi Wayne,
 
 Could you point me to some information on the CSSes
 and how to configure for load balancing? I was
 looking
 at Local Director and Alteon boxes to do that for
 two
 PIXs. Do I need them on both the outside and inside?
 Thanks.
 
 
 --- Wayne Lawson [EMAIL PROTECTED] wrote:
  Tommy,
 
Actually you CAN have the CSS in an "active /
  active" mode
  with true firewall load balancing.
 
  Wayne Lawson, CCIE # 5244
  Systems Engineer - Cisco Systems, Inc.
  2000 Town Center, Suite 450
  Southfield, Michigan 48075
 
  Voice:  (248) 455 - 1663
  Cell:  (248) 709 - 5797
  Pager: (800) 365 - 4578
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED]]On Behalf Of
  Tommy Mitchell
  Sent: Wednesday, January 10, 2001 8:15 AM
  To: cisco@groupstudy. com (E-mail)
  Subject: Re: Any body know about Cisco Content
  Switch
 
 
  Yes, they can unless you're trying to load-balance
  firewalls.  Try to
  load-balance firewalls and you have to go
  active-standby.
 
  Tommy
 
  - Original Message -
  From: "Muhammad Faheem" [EMAIL PROTECTED]
  To: "cisco@groupstudy. com (E-mail)"
  [EMAIL PROTECTED]
  Sent: Wednesday, January 10, 2001 7:26 AM
  Subject: Any body know about Cisco Content Switch
 
 
   Hi All
  
   Just wanted to know that Cisco Content Switch
  (CSS-11000 and CSS-11800) can
   work as Active - Active or not.
  
   Thanks for Input
  
   Muhammad Faheem
   Systems Engineer
   Afcomp
   Hello : (9714)-3933878 / 3027338
   Fax   : (9714)-3933832
   Web  : www.afcomp.com
  
   _
   FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
   Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
  
 
 
 
 __
 Do You Yahoo!?
 Yahoo! Photos - Share your holiday photos online!
 http://photos.yahoo.com/
 



Re: VPN location

2001-01-03 Thread Yonkerbonk

Typically it runs parallel to the PIX.
Check out the Cisco page on that. The Getting Started
link will tell you where Cisco thinks you should put
it, which is in parallel.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/vpn3kco/vcogs/index.htm

--- SH Wesson [EMAIL PROTECTED] wrote:
 I'm installing a new VPN box. Traditionally, where in the network does
 the VPN box reside? Does it run parallel to the PIX firewall and get
 connected to the inside the same way as the PIX, or should the VPN box
 be located in the DMZ with a secure tunnel created between the VPN box
 and the PIX firewall, with all requests to the inside network going
 through the PIX firewall via conduits, etc.? Thanks.
 
 

_
 Get your FREE download of MSN Explorer at
 http://explorer.msn.com
 



Re: crossover or straight cable?

2000-12-28 Thread Yonkerbonk

A trunk port is simply a port that has traffic from
more than one VLAN running over it. It is a function
of the software to combine and split the data. That
has nothing to do with how the cabling is done.
If you have a trunk running from switch to switch, it
will be crossover. If you have a trunk running from
switch to router, it will be straight through. Normal
cabling scheme.

--- sean [EMAIL PROTECTED] wrote:
 Tony,
 
 Are you saying that, to connect "trunk" ports between switches,
 a crossover cable is required?
 
 I know for "switch" ports that's the case; I am wondering if it is
 true for trunk as well.
 
 Tks
 
 



Re: W2K and 98, off subject sorry but I need help

2000-12-25 Thread Yonkerbonk

This should do it.

[boot loader]
timeout=30
default=multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server"
multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"

--- Brandon Peyton [EMAIL PROTECTED] wrote:
 Hi,
 
 I'm trying to figure out how to configure my boot.ini file so it will
 boot into Win98.
 
 I have 2 40 gig drives in my server; on 1 HD is W2K Advanced Server,
 on the second HD was Win98.
 
 Currently I have:
 
 [boot loader]
 timeout=30
 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
 [operating systems]
 multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server"
 multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"
 
 I've also tried "\Windows" and "C:\WINDOWS"; both fail with a fatal error.
 
 Would someone who has a dual boot of NT and 98 please show me a copy of
 your boot.ini file?
 
 It would be in your C: dir. I've looked in tons of how-to's but none
 offer 2-disk assistance, only partition.
 
 Thanks for your help
 
 Brandon
 



Re: CCIE Salary article

2000-12-21 Thread Yonkerbonk

Quoted from article: "For example, Cisco frowns on
competing solutions providers raiding each other in
search of CCIEs. Should one company lure another's
CCIE, Cisco will not recognize that engineer's
certification for a year, meaning the company that
scored the new employee cannot count on him or her in
its effort to climb the Cisco Partner Certification
Program."

I have never heard of this. How does Cisco determine
if they've left or were lured away?
That's dumb.

Michael

--- Daniel Cotts [EMAIL PROTECTED] wrote:

http://www.zdnet.com/sp/stories/issue/0,4537,2664303,00.html
 



Re: CCIE Salary article

2000-12-21 Thread Yonkerbonk

It's easy to figure out that someone has left the
company, but how do they determine the reason someone
left? If I got my CCIE and after 6 months I decide my
company is not making use of me, and then I go to
another Cisco partner... that does not mean the new
company lured me away. I left for my own reasons.
Should my new company be penalized?

--- Austin [EMAIL PROTECTED] wrote:
 Yonker Bonk,
 
 Cisco knows that they have left because the reseller notifies Cisco as
 to the number of Cisco Certified individuals they have on staff, because
 the reseller discount from Cisco is determined by the number of Cisco
 Certified SEs.
 So when a CCIE leaves Company A for Company B, Company B submits to Cisco
 that they have another CCIE... this is how Cisco knows. The same goes for
 Compaq ASEs.
 
 Hope this explains it to you.
 "Yonkerbonk" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...



Re: Can any one explain this Ping problem...

2000-12-21 Thread Yonkerbonk

Yahoo load balances its traffic across two web servers with different
IP addresses. If you run nslookup on www.yahoo.fr you get this:

nslookup www.yahoo.fr
Server:  houdhcp1.houston.rr.com
Address:  24.28.99.64

Non-authoritative answer:
Name:    homerc.europe.yahoo.com
Addresses:  217.12.6.16, 217.12.6.17
Aliases:  www.yahoo.fr


--- karthikeyan [EMAIL PROTECTED] wrote:
 Hi,
 When I execute ping www.yahoo.fr -t -l 2 -w 500
 
 I got the result as
 
 c:\ping www.yahoo.fr -t -l 2 -w 500
 
 Pinging homerc.europe.yahoo.com [217.12.6.16] with 2 bytes of data:
 
 Reply from 217.12.6.16: bytes=2 time=471ms TTL=234
 Reply from 217.12.6.16: bytes=2 time=461ms TTL=234
 Reply from 217.12.6.16: bytes=2 time=451ms TTL=234
 ^C
 
 But when I tried to change the size to 1, i.e. when I tried
 ping www.yahoo.fr -t -l 1 -w 500
 
 I got the result as
 
 c:\ping www.yahoo.fr -t -l 1 -w 500
 
 Pinging homerc.europe.yahoo.com [217.12.6.17] with 1 bytes of data:
 
 Reply from 217.12.6.17: bytes=1 time=521ms TTL=234
 Reply from 217.12.6.17: bytes=1 time=450ms TTL=234
 Reply from 217.12.6.17: bytes=1 time=481ms TTL=234
 ^C
 
 The IP addresses are differing... can you explain it?
 
 Thx,
 karthi
 
 
 
 
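The round-robin answer described above, as an added example that is not part of the thread: a parser for the classic nslookup output format quoted in the reply, a model of a resolver that rotates the record set on every query (which is why consecutive pings landed on .16 and then .17), and an assumed defender check that a firewall allow list covers every address behind a round-robin name.

```python
"""Parse nslookup output and model DNS round-robin rotation (added example)."""

# Constructed copy of the nslookup output quoted in the thread above.
NSLOOKUP_OUTPUT = """\
Server:  houdhcp1.houston.rr.com
Address:  24.28.99.64

Non-authoritative answer:
Name:    homerc.europe.yahoo.com
Addresses:  217.12.6.16, 217.12.6.17
Aliases:  www.yahoo.fr
"""


def parse_nslookup(text):
    """Return the answer section of classic nslookup output as a dict.

    Only lines after 'Non-authoritative answer:' are considered, so the
    resolver's own 'Address:' line is not mistaken for an answer. Both the
    single 'Address:' and the multi-valued 'Addresses:' forms are handled.
    """
    answer = {"name": None, "addresses": [], "aliases": []}
    in_answer = False
    for line in text.splitlines():
        if line.strip().lower().startswith("non-authoritative answer"):
            in_answer = True
            continue
        if not in_answer or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        values = [v.strip() for v in value.split(",") if v.strip()]
        key = key.lower()
        if key == "name":
            answer["name"] = value
        elif key in ("address", "addresses"):
            answer["addresses"].extend(values)
        elif key == "aliases":
            answer["aliases"].extend(values)
    return answer


def rotated_answer(addresses, query_number):
    """Model a round-robin resolver: the n-th query returns the record set
    rotated by n, so a client that always takes the first record (as the
    Windows ping in the thread does) hits a different server each time."""
    shift = query_number % len(addresses)
    return addresses[shift:] + addresses[:shift]


def addresses_not_permitted(addresses, allow_list):
    """Defender check (assumed usage): every address behind a round-robin
    name must be in the firewall allow list, or sessions fail intermittently."""
    permitted = set(allow_list)
    return [addr for addr in addresses if addr not in permitted]
```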



Re: ISL to 2600 series router

2000-12-21 Thread Yonkerbonk

Ethernet running at 100mb *is* FastEthernet.
For the 2620s and 2621s you need to run IOS with
"plus" feature set.

--- Michael Everett [EMAIL PROTECTED]
wrote:
 In my lab at work I have 2 2924xl switches, 1 cat5509, and a Cisco 2600
 router with a 10/100 ethernet port. The router will not enable me to
 enter an encapsulation command on the ethernet interface. Is ISL not an
 option on plain old 10/100 ethernet? Will it only work on a fast ethernet
 interface? Dumb question, what is the functional difference between an
 ethernet interface configured to run at 100m full duplex and a fast
 ethernet interface? If you wish to respond to me directly please send
 replies to [EMAIL PROTECTED]
 
 Thanks Mike
 
 