Pix Firewall Issue
Hi Gang, I have a Pix Firewall 520 and wondered if this was a feature or a configuration issue on my firewall. We have an entire class C address, say 208.184.23.x, to use for our network. We use the 192.168.1.x network for our internal network. I am having problems pinging a machine's Internet IP address, say 208.184.23.11, which I noticed is statically mapped to its internal address, say 192.168.1.10, on the PIX. For example, if I ping another box, 208.184.23.12, that is not statically mapped to an internal IP address on the PIX, I get a response. Any help or hints would be greatly appreciated. Thanks!

FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Best Training Partner
Hi there, I am planning to take two training classes, BSCN and the Pix Firewall class. Can somebody give me a recommendation of a good classroom training partner? The only comments I have seen in this group are about GlobalKnowledge. Any other providers, or should I go with them for training? I would like to take it in the San Francisco Bay Area. Thanks!
Closing Ports Part 2 [7:43145]
I know blocking ports isn't really going to stop people who can tunnel through via HTTP or some other open ports. Are there firewalls that will look into specific traffic streams and drop connections that are not really HTTP sessions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43145&t=43145
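The kind of check the post is asking about, as an added example that is not part of the original post or any vendor's product: an application-layer firewall or proxy that intercepts port-80 connections can read the first bytes the client sends and decide whether they form a syntactically valid HTTP/1.x request before letting the session through. The sample streams below (a browser request, an SSH banner, a TLS ClientHello, a CONNECT tunnel request, a malformed header block) are constructed for the example; the 8 KB header limit and the decision to treat CONNECT as not-HTTP are assumptions of this example, not rules from the post.

```python
"""
Added example, not code from the GroupStudy post: a minimal application-layer
check of the kind a proxying firewall can apply to port-80 traffic. It looks
at the first bytes a client sends and decides whether the stream is a
syntactically valid HTTP/1.x request. Anything else (an SSH banner, a TLS
ClientHello, a raw tunnel handshake) is classified as not-HTTP so the
connection can be dropped instead of being waved through "because it is
port 80". Sample streams at the bottom are constructed for this example.
"""
import re

# Request-line grammar of RFC 2616: Method SP Request-URI SP HTTP-Version CRLF.
# The method is further restricted to the standard set below; CONNECT is
# deliberately left out because it exists precisely to open a tunnel
# (an assumption of this example, tighten or relax to taste).
_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
_REQUEST_LINE = re.compile(rb"^([A-Z]{3,7}) (\S+) HTTP/1\.[01]\r\n")
# One header line: token ":" optional whitespace, field value, CRLF.
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*\r\n")

# Upper bound on how many bytes we are willing to buffer while deciding
# (assumed value for this example).
MAX_HEADER_BYTES = 8192


def classify_stream(data: bytes, max_header_bytes: int = MAX_HEADER_BYTES) -> str:
    """Classify the client's first bytes on a port-80 connection.

    Returns 'http' if `data` starts with a well-formed HTTP/1.x request head,
    'undecided' if more bytes are needed to tell, or 'not-http' otherwise.
    """
    # An HTTP request must start with an upper-case method token, so a
    # first byte outside A-Z (e.g. 0x16 for a TLS record) is rejected at once
    # rather than buffered until the limit is hit.
    if data and not (0x41 <= data[0] <= 0x5A):
        return "not-http"

    head = data[:max_header_bytes]
    m = _REQUEST_LINE.match(head)
    if m is None:
        # No complete request line yet: wait if there is still room for one,
        # otherwise the client has sent a full line (or a lot of bytes) that
        # is not an HTTP request line.
        if b"\r\n" not in head and len(data) < max_header_bytes:
            return "undecided"
        return "not-http"
    if m.group(1) not in _METHODS:
        return "not-http"

    # Walk the header block; a valid head ends with an empty line.
    rest = head[m.end():]
    while True:
        if rest.startswith(b"\r\n"):
            return "http"
        h = _HEADER_LINE.match(rest)
        if h is None:
            if b"\r\n" not in rest and len(data) < max_header_bytes:
                return "undecided"
            return "not-http"
        rest = rest[h.end():]


# Constructed sample streams, as a proxy would see the first bytes of each.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: x\r\n\r\n",
    "ssh_on_80": b"SSH-2.0-OpenSSH_3.4p1\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01",
    "partial": b"GET /index.ht",
    "connect_tunnel": b"CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n",
    "bad_header": b"GET / HTTP/1.0\r\nthis is not a header\r\n\r\n",
}


def classify_all(samples=SAMPLES) -> dict:
    """Run the classifier over every sample stream and return the verdicts."""
    return {name: classify_stream(stream) for name, stream in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:15s} -> {verdict}")
```

A real proxy would act on 'undecided' by reading more bytes until the limit or a timeout, and would keep inspecting after the request head (body framing, response lines) rather than trusting the first request alone; this is only the admission check that answers the question of whether a connection on port 80 is actually speaking HTTP.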
Cisco Pix Firewall and Sonicwall VPN [7:26195]
Hi All, Can somebody help me out on configuring one of these setups? I have researched the web and have documentation on getting the Pix to work with Sonicwall using IKE. Basically one side would have a Sonicwall while the other would be the Pix. That would work, but my boss wants to use 2 Sonicwall boxes and wants one of them to be on the Pix's DMZ. My question is, would this be possible? Sonicwall A would be at another company's (Company A's) site, which is providing me with 192.168.100.1 for our Sonicwall on the LAN and 205.202.22.12 for the WAN. Company A has given us an internal 194.100.1.230-249 range, with 194.100.1.250 being the default gateway for our PCs. For PCs to go out through the VPN to our 192.168.1.x network, I would request that they put a route on their gateway, which I think is their firewall, to route 192.168.1.x traffic to our Sonicwall box. On the other end is a Pix Firewall with 3 interfaces: inside, outside, and dmz. All traffic going to the outside is Port Address Translated to a specific IP address. The DMZ is in the 172.22.100.x network. The Pix is currently set up to do NAT from the inside to the DMZ via the nat command. The inside network is using the private IP address network 192.168.1.x. Is there a way to allow traffic that is originating from 192.168.1.x and going to 192.168.100.x to be allowed to reach the Sonicwall via the DMZ interface? I know you can do a route 192.168.100.x via 172.22.100.10 (the Sonicwall's IP address on the DMZ), but would this work? Would the system on the other side be able to figure out how to route the VPN traffic back? There's an access-list command, nonat, that I could use, but I am not sure how I could get it to work here. Any ideas on whether this is possible, or anyone who has done something like this?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26195&t=26195
Bridging LANs over VPN [7:49035]
Hi All, Does anybody know of a way to setup VPN to bridge traffic between two LANs using a Cisco router and either a VPN client or something else? I only have one Cisco router and the other end can be anything. I tried setting up IPSEC over VPN under Cisco IOS and it works but it doesn't bridge traffic. Any ideas or advice? Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=49035&t=49035
TACACS/RADIUS on CISCO Router [7:53621]
Hey, is there a possibility to set up a router acting as a RADIUS or TACACS server with local authentication, without an external server? Please let me know. Best regards, Michael

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53621&t=53621
IP Address Migration - routing non contiguous networks [7:75138]
Hi All, I have a production site that has a class C IP address scheme with a /28 block giving us 16 IP addresses. However, we need additional public IP addresses and our ISP is unable to provide us with another contiguous block of 32 IP addresses using this specific network. My firewalls are routing traffic to their HSRP routers. The best the ISP can do for us is to offer us a block of 32 public IP addresses, but on another network. Is there any way to set up routing to allow me to use the two networks simultaneously? If so, any ideas on how this can be done? Any help would be greatly appreciated. Thanks!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=75138&t=75138
Recovered Mails from 23 Jan 2002 [7:35475]
Date: Tue, 22 Jan 2002 17:48:33 -0500
From: "MADMAN"
To: [EMAIL PROTECTED]
Subject: Re: IPX Network Numbering [7:32335]
Reply-To: "MADMAN"

Your second thought is the correct thought. Most customers already have a plan/addressing scheme, and if they don't, it's up to the local field tech and support engineer.

Dave

"[EMAIL PROTECTED]" wrote:
>
> Just came across this one again.
> I can't think of any technical reasons off-hand, but I can think of a
> possible non-technical one.
> If Qwest does this sort of thing for many other organisations, giving each
> organisation a unique prefix may help them to keep track of which networks
> belong to which organisation - it may make it easier for their techos if
> they can look at the network address and get an instant reminder of which
> organisation they are looking at.
>
> Might have nothing to do with this, of course...
>
> JMcL
> - Forwarded by Jenny Mcleod/NSO/CSDA on 23/01/2002 09:02 am -
>
> "John Neiberger"
> Sent by: [EMAIL PROTECTED]
> 18/01/2002 05:35 am
> Please respond to "John Neiberger"
>
> To: [EMAIL PROTECTED]
> cc:
> Subject: IPX Network Numbering [7:32335]
>
> I have a question that's been in the back of my head for quite a while.
> Before I even came into this department a few years ago, Qwest
> !nterprise was helping our company with the network configuration. When
> they designed the IPX network numbering scheme they began all network
> numbers with CCC. I recently realized that their numbering scheme was
> chosen because it could be easily summarized by NLSP, which we weren't
> running at the time but I think it was running for a short while.
>
> My question is why did they start all network addresses with CCC? I
> can understand using a scheme that can be summarized but why not simply
> use 1, 10001, 11000, 11001 instead of CCC1, CCC10001, etc.?
>
> Just curious if there is some reason that is eluding me.
>
> Thanks!
>
> John

--
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367
"Emotion should reflect reason not guide it"

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=35475&t=35475
Recovered Mail From 22 Jan 2002 [7:33349]
From: "Darrell Newcomb"
X-GroupStudy-Version: 3.1.1a
X-GroupStudy: Network Technical
To: [EMAIL PROTECTED]
Subject: Re: Stupid Question [7:32591]
Sender: [EMAIL PROTECTED]
Reply-To: "Darrell Newcomb"
Precedence: bulk

With the key NT cheap shot being: it doesn't matter how coherent the file system is if the OS isn't executing code, but rather rebooting. 'least those crashes prove they wrote a reasonable filesystem.

I really don't have anything against NT. Mainly since I'm not running it on any of my servers. :)

Darrell

Carroll Kong wrote:
>
> Reason being that NTFS is a journalled file system. Not sure on
> NT 3.51's version of NTFS, but if you say so, probably true. (not meant to
> be sarcastic, but sincere)
> As for the SQL database, depending if it had good rollback
> mechanisms to avoid corruption, it may or may not get corrupted, as you said.
> As for the unix systems, most of them use UFS, which is not a
> journalled file system. However, I do not know of many OSes or
> distributions that let you add in a journalled fs. One that comes to mind
> is linux with the reiserfs. (linux comes stock with ext2fs). (you can add
> in journalled file systems afterwards, one commercial unix in mind that
> comes stock and barrel with a journalled fs is the venerable Irix with its
> XFS). Go ahead, pull the plug on him, he won't care. No fsck on
> startup. Just smooth rolling.
> If you note the pattern here, it is a function of the file system
> (or in the database's case, how it retains data and does integrity checks
> and if it has rollback recovery to avoid data loss or undo bad transactions).
> Not sure if I can give a definitive reason on why the cisco's do
> not fear such things. Probably because it is not usually writing data very
> often, and the data it writes is essentially a text file (NVRAM
> configurations). The "OS" in itself is a static flash file that never
> needs to be overwritten during normal runtime operation, only during
> upgrades. This is totally different on a fully blown OS that has crazy
> writes usually going on during operation. Or even if it did not, has a
> good reason to double check for file integrity. The Cisco router was meant
> to be more of an appliance like machine, so its behavior makes sense, and
> so does its obvious resistance to the occasional power plug pull.
>
> At 06:42 PM 1/21/02 -0500, Mark Odette II wrote:
> >H.
> >Funny, last I checked, you could turn off in Mid-Boot process, Pull the plug
> >in Mid-Shutdown process, or yank the power to the UPS (and no battery left)
> >with all NT Machines running (NT3.51 - W2K), and the system would never miss
> >a beat in start-up file system recovery.
> >
> >Now do that to NT servers with Oracle or some SQL-type application server
> >running on it, and it may have data corruption- but that's only with the
> >DB's ... and that happens, no matter WHAT the platform.
> >
> >Now, then again, try doing the above such listed tasks of brutality to a Sun
> >Box, an SCO box, or an AT&T Unix box, and watch the games begin as "Inodes"
> >fly everywhere and the file system checker starts griping about how unhappy
> >it is and I wouldn't be surprised if an AIX or SGI box did the same.
> >DB Server or not.
> >
> >Sorry... just gotta love those MickeySoft stabs that have no meaning other
> >than for slander.
> >
> >-Original Message-
> >From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> >Sent: Monday, January 21, 2002 12:42 PM
> >To: [EMAIL PROTECTED]
> >Subject: RE: Stupid Question [7:32591]
> >
> >Just turn them off or simply unplug them.
> >
> >Fortunately the IOS was not written by Microsoft and nothing will get
> >corrupted!!!
> >
> >-Serge.
> >
> >Richard Tufaro wrote:
> > >
> > > What is the proper way to shutdown a router? not reload, but
> > > shutdown? Just flick the switch? Seems too brutal to me.
> > >
> > > Richard Tufaro - MCSE - GSEC- CCNA
> > > Network Engineer - Anda Inc.
> > > [EMAIL PROTECTED]
> > > MSN IM - [EMAIL PROTECTED]
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33349&t=33349